
Kobielczak wrote: this entry:
C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [MSRegInfo] C:\WINDOWS\pagefile.sys.vbs
Put it into ComboFix
no! fix it in HijackThis!
besides, post a fresh ComboFix log

FILE::
C:\WINDOWS\svchost.exe 
C:\WINDOWS\pagefile.sys.vbs 
 
I told you to post the logs on the forum

next
 

 
	
ComboFix 08-06-16.5 - Administrator 2008-06-19 21:18:21.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.530 [GMT 2:00]
Running from: C:\Documents and Settings\Administrator\Pulpit\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Pulpit\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\WINDOWS\pagefile.sys.vbs
C:\WINDOWS\svchost.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\autorun.inf
C:\WINDOWS\pagefile.sys.vbs
D:\Autorun.inf
E:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2008-05-19 to 2008-06-19 )))))))))))))))))))))))))))))))
.
2008-06-19 14:13 . 2008-06-19 14:13 651,368 --a------ C:\WINDOWS\system32\WLTRAY.EXE
2008-06-19 14:13 . 2008-06-19 14:13 192,512 --a------ C:\WINDOWS\system32\AegisI5.exe
2008-06-19 14:13 . 2008-06-19 14:13 184,320 --a------ C:\WINDOWS\system32\BCMWLU00.EXE
2008-06-19 14:12 . 2008-06-19 14:12 2,157,568 --a------ C:\WINDOWS\MicCal.exe
2008-06-19 14:12 . 2008-06-19 14:12 1,191,936 --a------ C:\WINDOWS\RtlUpd.exe
2008-06-19 14:12 . 2008-06-19 14:12 315,392 --a------ C:\WINDOWS\HideWin.exe
2008-06-19 09:42 . 2008-06-19 21:16 3,478 -rahs---- C:\pagefile.sys.vbs
2008-06-18 23:11 . 2008-06-18 23:11 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-06-18 23:11 . 2008-06-18 23:11 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab
2008-06-18 14:05 . 2004-08-03 23:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-06-18 11:52 . 2008-06-19 19:36 <DIR> d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Hamachi
2008-06-18 11:51 . 2008-06-18 11:51 25,280 --a------ C:\WINDOWS\system32\drivers\hamachi.sys
2008-06-18 09:30 . 2008-06-18 09:30 <DIR> d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Sports Interactive
2008-06-17 21:59 . 2008-06-19 14:59 <DIR> d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Vso
2008-06-17 21:22 . 2008-06-17 21:24 <DIR> d--h----- C:\Program Files\Zero G Registry
2008-06-17 21:22 . 2008-06-17 21:22 <DIR> d--h----- C:\Documents and Settings\Administrator\InstallAnywhere
2008-06-17 21:18 . 2008-06-17 21:18 <DIR> d-------- C:\WINDOWS\system32\Lang
2008-06-17 21:18 . 2008-06-17 21:18 940,794 --a------ C:\WINDOWS\system32\LoopyMusic.wav
2008-06-17 21:18 . 2008-06-17 21:18 146,650 --a------ C:\WINDOWS\system32\BuzzingBee.wav
2008-06-17 21:14 . 2008-06-17 21:14 <DIR> d-------- C:\Documents and Settings\Administrator\Dane aplikacji\acccore
2008-06-17 21:13 . 2008-06-17 21:13 <DIR> d-------- C:\Program Files\Viewpoint
2008-06-17 21:13 . 2008-06-17 21:13 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Viewpoint
2008-06-17 21:13 . 2008-06-17 21:13 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\AOL OCP
2008-06-17 21:13 . 2008-06-17 21:13 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\AOL
2008-06-17 21:13 . 2008-06-17 21:13 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\acccore
2008-06-17 21:12 . 2008-06-17 21:12 <DIR> d-------- C:\Program Files\Common Files\AOL
2008-06-17 21:12 . 2008-06-19 14:11 <DIR> d-------- C:\Program Files\AIM6
2008-06-17 21:12 . 2008-06-17 21:13 407 --ah----- C:\IPH.PH
2008-06-17 20:49 . 2008-06-17 20:49 <DIR> d-------- C:\Program Files\Realtek
2008-06-17 20:44 . 2008-06-17 20:44 717,296 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-06-17 20:43 . 2008-06-17 20:43 <DIR> d-------- C:\Documents and Settings\Administrator\Dane aplikacji\DAEMON Tools
2008-06-17 20:13 . 2008-06-19 14:11 <DIR> d-------- C:\Program Files\Media Player Classic
2008-06-17 20:13 . 2008-06-17 20:13 0 --a------ C:\WINDOWS\nsreg.dat
2008-06-17 20:12 . 2006-12-10 23:32 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-06-17 20:12 . 2006-12-10 23:32 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2008-06-17 20:12 . 2007-04-24 17:30 60,273 --a------ C:\WINDOWS\system32\pthreadGC2.dll
2008-06-17 20:12 . 2007-05-08 20:23 10,752 --a------ C:\WINDOWS\system32\ff_vfw.dll
2008-06-17 20:12 . 2007-05-08 20:22 6,144 --a------ C:\WINDOWS\system32\ff_acm.acm
2008-06-17 20:12 . 2006-12-10 23:32 547 --a------ C:\WINDOWS\system32\ff_vfw.dll.manifest
2008-06-17 20:06 . 2008-06-17 20:06 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-06-17 20:06 . 2006-10-30 15:42 2,181,504 -----c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-06-17 20:06 . 2006-10-30 15:42 2,137,600 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-06-17 20:06 . 2006-10-30 15:42 2,058,880 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-06-17 20:06 . 2006-10-30 15:42 2,017,280 -----c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-06-17 20:03 . 2008-06-17 20:03 <DIR> d-------- C:\Documents and Settings\Administrator\Dane aplikacji\ATI
2008-06-17 20:01 . 2008-06-17 20:01 1,824 --a------ C:\WINDOWS\Status.mif
2008-06-17 20:00 . 2008-06-17 20:01 <DIR> d-------- C:\Program Files\ATI Technologies
2008-06-17 19:56 . 2008-06-17 19:56 <DIR> d-------- C:\Program Files\DIFX
2008-06-17 19:56 . 2004-12-22 01:32 1,433,708 --------- C:\WINDOWS\system32\BCMWLCPL.CPL
2008-06-17 19:56 . 2004-12-22 01:32 1,396,831 --------- C:\WINDOWS\system32\AegisE5.dll
2008-06-17 19:56 . 2004-12-22 01:32 827,499 --------- C:\WINDOWS\system32\BCMWLTRY.EXE
2008-06-17 19:56 . 2004-12-22 01:32 369,024 --------- C:\WINDOWS\system32\drivers\BCMWL5.SYS
2008-06-17 19:56 . 2004-12-22 01:32 172,032 --------- C:\WINDOWS\system32\BCMLogon.dll
2008-06-17 19:56 . 2004-12-22 01:32 81,920 --------- C:\WINDOWS\system32\wltrynt.dll
2008-06-17 19:56 . 2004-12-22 01:32 69,632 --------- C:\WINDOWS\system32\BCMWLD2K.EXE
2008-06-17 19:56 . 2004-12-22 01:32 65,536 --------- C:\WINDOWS\system32\WLTRYSVC.EXE
2008-06-17 19:56 . 2008-06-17 19:56 17,801 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2008-06-17 19:55 . 2008-06-17 19:55 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-06-17 19:55 . 2008-06-17 20:49 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-06-17 19:55 . 2008-06-17 20:00 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2008-06-17 19:55 . 2006-06-18 23:51 43,520 --a------ C:\WINDOWS\system32\drivers\AmdK8.sys
2008-06-17 14:04 . 2008-06-17 14:04 <DIR> d---s---- C:\WINDOWS\system32\Microsoft
2008-06-17 14:04 . 2008-06-19 21:18 <DIR> d--h----- C:\Documents and Settings\NetworkService\Ustawienia lokalne
2008-06-17 14:04 . 2008-06-17 14:04 <DIR> d-------- C:\Documents and Settings\NetworkService\Dane aplikacji
2008-06-17 14:04 . 2008-06-17 14:04 <DIR> d--hs---- C:\Documents and Settings\NetworkService
2008-06-17 14:04 . 2008-06-19 21:18 <DIR> d--h----- C:\Documents and Settings\LocalService\Ustawienia lokalne
2008-06-17 14:04 . 2008-06-17 14:04 <DIR> d-------- C:\Documents and Settings\LocalService\Dane aplikacji
2008-06-17 14:04 . 2008-06-17 14:04 <DIR> d--hs---- C:\Documents and Settings\LocalService
2008-06-17 14:04 . 2008-06-19 21:18 <DIR> d--h----- C:\Documents and Settings\Administrator\Ustawienia lokalne
2008-06-17 14:04 . 2008-06-17 14:04 <DIR> dr------- C:\Documents and Settings\Administrator\Ulubione
2008-06-17 14:04 . 2008-06-17 13:55 <DIR> d--h----- C:\Documents and Settings\Administrator\Szablony
2008-06-17 14:04 . 2008-06-19 21:18 <DIR> d-------- C:\Documents and Settings\Administrator\Pulpit
2008-06-17 14:04 . 2008-06-18 23:39 <DIR> dr------- C:\Documents and Settings\Administrator\Moje dokumenty
2008-06-17 14:04 . 2008-06-17 15:48 <DIR> dr------- C:\Documents and Settings\Administrator\Menu Start
2008-06-17 14:04 . 2008-06-19 11:48 <DIR> dr-h----- C:\Documents and Settings\Administrator\Dane aplikacji
2008-06-17 14:04 . 2008-06-19 08:13 <DIR> d-------- C:\Documents and Settings\Administrator
2008-06-17 14:04 . 2008-06-17 14:04 8,192 --a------ C:\WINDOWS\REGLOCS.OLD
2008-06-17 14:03 . 2008-06-19 21:18 <DIR> dr-h----- C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne
2008-06-17 14:03 . 2008-06-17 15:48 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Ulubione
2008-06-17 14:03 . 2008-06-17 13:55 <DIR> d--h----- C:\WINDOWS\system32\config\systemprofile\Szablony
2008-06-17 14:03 . 2008-06-17 15:48 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Pulpit
2008-06-17 14:03 . 2008-06-17 15:48 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Moje dokumenty
2008-06-17 14:03 . 2008-06-17 15:48 <DIR> dr------- C:\WINDOWS\system32\config\systemprofile\Menu Start
2008-06-17 14:03 . 2008-06-17 15:48 <DIR> dr-h----- C:\WINDOWS\system32\config\systemprofile\Dane aplikacji
2008-06-17 14:02 . 2001-07-22 02:23 1,875,968 --a--c--- C:\WINDOWS\system32\dllcache\msir3jp.lex
2008-06-17 14:01 . 2001-10-26 21:28 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-06-17 14:00 . 2008-06-17 14:00 <DIR> d-------- C:\WINDOWS\system32\xircom
2008-06-17 14:00 . 2008-06-17 14:00 <DIR> d-------- C:\Program Files\microsoft frontpage
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-17 11:58 --------- d-----w C:\Program Files\Usługi online
.
((((((((((((((((((((((((((((( snapshot@2008-06-19_ 8.09.26,59 )))))))))))))))))))))))))))))))))))))))))
.
- 2006-01-19 19:30:18 252,640 ----a-w C:\WINDOWS\$hf_mig$\KB896256\spuninst.exe
+ 2008-06-19 12:12:28 216,288 ----a-w C:\WINDOWS\$hf_mig$\KB896256\spuninst.exe
- 2006-01-19 19:30:18 760,032 ----a-w C:\WINDOWS\$hf_mig$\KB896256\update\update.exe
+ 2008-06-19 12:12:28 723,680 ----a-w C:\WINDOWS\$hf_mig$\KB896256\update\update.exe
- 2004-11-18 08:44:50 245,984 -c----w C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe
- 2006-01-19 19:30:18 252,640 -c----w C:\WINDOWS\$NtUninstallKB896256$\spuninst\spuninst.exe
- 2008-06-19 06:06:14 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-19 19:02:47 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2005-10-20 18:02:28 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
- 2005-09-23 05:01:16 645,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe
+ 2008-06-19 12:13:05 609,472 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe
- 2008-03-25 03:21:20 254,848 ----a-w C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2008-06-19 12:14:32 218,496 ----a-w C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
- 2007-05-02 10:31:46 419,568 ----a-w C:\WINDOWS\system32\Macromed\Shockwave 10\SwHelper_1020022.exe
+ 2008-06-19 12:14:33 383,216 ----a-w C:\WINDOWS\system32\Macromed\Shockwave 10\SwHelper_1020022.exe
- 1999-06-25 08:55:30 185,856 ----a-w C:\WINDOWS\system32\Macromed\Shockwave 10\UNWISE.EXE
+ 2008-06-19 12:14:33 149,504 ----a-w C:\WINDOWS\system32\Macromed\Shockwave 10\UNWISE.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41 45056]
"RTHDCPL"="RTHDCPL.EXE" [2007-02-26 15:03 16125440 C:\WINDOWS\RTHDCPL.exe]
"MSRegInfo"="C:\WINDOWS\pagefile.sys.vbs" [ ]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 02:44 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.avis"= ff_acm.acm
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Menu Start^Programy^Autostart^hamachi.lnk]
path=C:\Documents and Settings\Administrator\Menu Start\Programy\Autostart\hamachi.lnk
backup=C:\WINDOWS\pss\hamachi.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2008-06-12 22:47 50528 C:\Program Files\AIM6\aim6.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2005-05-03 18:43 69632 C:\WINDOWS\Alcmtr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
--a------ 2006-05-04 16:26 2808832 C:\WINDOWS\alcwzrd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2004-08-04 02:44 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-06-19 14:20 486856 D:\Programy\DAEMON Tools Lite\daemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Komunikator]
--a------ 2008-01-15 17:09 6290944 D:\Programy\Tlen\Tlen.pl\tlen.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
--a------ 2006-05-16 18:04 2879488 C:\WINDOWS\SkyTel.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\Programy\\Tlen\\Tlen.pl\\tlen.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"D:\\Gry\\Football Manager 08\\fm.exe"=
"D:\\Gry\\Fifa\\FIFA08.exe"=
R0 O2MDRDR;O2MDRDR;C:\WINDOWS\system32\DRIVERS\o2media.sys [2006-02-27 15:00]
R0 O2SDRDR;O2SDRDR;C:\WINDOWS\system32\DRIVERS\o2sd.sys [2006-02-20 16:01]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 23:38]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cadced6c-3c97-11dd-9236-0014a5973f5a}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe pagefile.sys.vbs
*Newly Created Service* - CATCHME
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-19 21:19:02
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-06-19 21:19:31
ComboFix-quarantined-files.txt 2008-06-19 19:19:29
ComboFix2.txt 2008-06-19 18:58:31
ComboFix3.txt 2008-06-19 06:09:35
Pre-Run: 30,399,135,744 bajtów wolnych
Post-Run: 30,392,803,328 bajtów wolnych
195
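The helper reads the Reg Loading Points section of the log above for three things: a Run value whose target is a script hiding behind a system-file name (pagefile.sys.vbs, with empty `[ ]` metadata), a MountPoints2 AutoRun command that launches wscript.exe from a removable drive, and a firewall profile with EnableFirewall set to 0. As an added example that is not part of this thread and not ComboFix's own code, the Python script below automates that triage over a constructed sample in the same format; the sample lines, the extension and system-name lists, the placeholder GUID and all function names are this example's own assumptions.

```python
import re
from typing import List, Tuple

# Constructed sample in the format of ComboFix's "Reg Loading Points" section.
# It mirrors the kinds of entries discussed in the thread; the lines are this
# example's own sample input (placeholder GUID), not a copy of anyone's real log.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41 45056]
"MSRegInfo"="C:\WINDOWS\pagefile.sys.vbs" [ ]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 02:44 15360]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{00000000-0000-0000-0000-000000000000}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe pagefile.sys.vbs
'''

# Heuristic lists (assumptions of this example, extend as needed).
SCRIPT_EXT = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".bat", ".cmd", ".pif", ".scr"}
SYSTEM_NAMES = {"pagefile.sys", "svchost.exe", "explorer.exe", "csrss.exe", "winlogon.exe"}

KEY_LINE = re.compile(r'^\[(?P<key>[^\]]+)\]')
RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)"\s*(?P<meta>\[.*\])?')

Finding = Tuple[str, str, str]  # (registry key, offending log line, reason)


def target_reasons(target: str) -> List[str]:
    """Why a Run-key target path looks suspicious (empty list if it does not)."""
    reasons: List[str] = []
    base = target.strip().rsplit("\\", 1)[-1].lower()
    ext = "." + base.rsplit(".", 1)[-1] if "." in base else ""
    if ext in SCRIPT_EXT:
        reasons.append(f"script interpreter target ({ext})")
    # "pagefile.sys.vbs": a well-known system file name with a script extension appended.
    stem = base[: -len(ext)] if ext else base
    if stem in SYSTEM_NAMES:
        reasons.append(f"system file name '{stem}' with extra extension")
    return reasons


def triage_loading_points(log_text: str) -> List[Finding]:
    """Walk the section key by key and collect the indicators a helper looks for."""
    findings: List[Finding] = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key_match = KEY_LINE.match(line)
        if key_match:
            current_key = key_match.group("key")
            continue
        key_l = current_key.lower()
        if key_l.endswith("\\run"):
            m = RUN_VALUE.match(line)
            if not m:
                continue
            for reason in target_reasons(m.group("target")):
                findings.append((current_key, line, reason))
            # ComboFix prints timestamp/size in brackets; an empty pair means it
            # recorded nothing for the file, which is worth a closer look.
            meta = m.group("meta")
            if meta is not None and meta.strip("[] ") == "":
                findings.append((current_key, line, "no file metadata recorded for target"))
        elif "mountpoints2" in key_l and "autorun" in line.lower():
            low = line.lower()
            if "wscript" in low or "cscript" in low or any(e in low for e in SCRIPT_EXT):
                findings.append((current_key, line, "drive AutoRun command launches a script"))
        elif "firewallpolicy" in key_l and line.startswith('"EnableFirewall"'):
            if re.search(r"=\s*0\b", line):
                findings.append((current_key, line, "Windows Firewall disabled in this profile"))
    return findings


if __name__ == "__main__":
    for key, line, reason in triage_loading_points(SAMPLE_LOG):
        print(f"[{reason}]\n  key : {key}\n  line: {line}")
```

Run it as-is to see the five findings from the sample, or pass the Reg Loading Points section of a real log to `triage_loading_points`. The checks are deliberately narrow string heuristics: they confirm what a human already suspects from the log and do not replace looking at the file itself.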
 
	
Windows Registry Editor Version 5.00 
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cadced6c-3c97-11dd-9236-0014a5973f5a}] 

 
	
FILE::
C:\pagefile.sys.vbs

C:\pagefile.sys.vbs     Zainfekowanych: Worm.VBS.Solow.b     pominięty
C:\System Volume Information\MountPointManagerRemoteDatabase    Object is locked    pominięty
C:\System Volume Information\_restore{3CB8C82D-C83A-4290-A466-309917AAB366}\RP1\A0000006.exe    Zainfekowanych: Virus.Win32.Hidrag.a    pominięty
C:\System Volume Information\_restore{3CB8C82D-C83A-4290-A466-309917AAB366}\RP1\A0000054.vbs    Zainfekowanych: Worm.VBS.Solow.b    pominięty
C:\System Volume Information\_restore{3CB8C82D-C83A-4290-A466-309917AAB366}\RP1\A0000055.vbs    Zainfekowanych: Worm.VBS.Solow.b    pominięty
C:\System Volume Information\_restore{3CB8C82D-C83A-4290-A466-309917AAB366}\RP1\A0000062.vbs    Zainfekowanych: Worm.VBS.Solow.b    pominięty
C:\System Volume Information\_restore{3CB8C82D-C83A-4290-A466-309917AAB366}\RP1\A0000063.vbs    Zainfekowanych: Worm.VBS.Solow.b    pominięty
C:\System Volume Information\_restore{3CB8C82D-C83A-4290-A466-309917AAB366}\RP3\A0000114.vbs    Zainfekowanych: Worm.VBS.Solow.b

Kobielczak wrote: Well, that's exactly it...
in the System Restore menu it says:
[ ] Turn off System Restore (disabled by Group Policy). It is unchecked and inactive..
Folders to delete:
C:\System Volume Information\_restore{3CB8C82D-C83A-4290-A466-309917AAB366}\RP1
Execute, then restart.
 
 

 
	