Sluggish internet and programs reporting a virus

System security, virus removal, choosing antivirus software. Mandatory logs in this section: three from FRST + Gmer.

Sluggish internet and programs reporting a virus

Post by Melonix, 21 Sep 2008, 18:40

My problem is that the Internet is very sluggish (it often ends with the message "The page cannot be displayed"), and programs such as Total Commander or Nero show messages along the lines of "WARNING: The TOTALCMD executable file is corrupted, possible VIRUS! Totalcmd will close".

HijackThis log:
Code:

Logfile of HijackThis v1.99.1
Scan saved at 18:13:57, on 2008-09-21
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\services.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Maxthon2\Maxthon.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Windows Media Player\wmplayer.exe
D:\INSTALKI CD4\Anti Spyware - różne progsy\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: (no name) - {1EB445B0-3E7A-4F34-A39F-8FC9CF0B1FCC} - C:\WINDOWS\System32\browsew.dll
O2 - BHO: (no name) - {45080112-43D4-4B43-A8BC-7F1DFBFDCEAF} - C:\WINDOWS\System32\MYBHO.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [services] C:\WINDOWS\services.exe
O4 - HKLM\..\Run: [PromoReg] C:\WINDOWS\system32\alt.exe.exe
O4 - HKLM\..\Run: [baaamrrz] %systemroot%\baaamrrz.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll



Silent Runners log:

Code:
"Silent Runners.vbs", revision 43, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"RamBooster" = "C:\Program Files\RamBooster\Rambooster.exe" [null data]
"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu Sp. z oo"]

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
"Web Offer" = "C:\WINDOWS\System32\smmss.exe" ["PubID139WO"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SoundMAXPnP" = "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" ["Analog Devices, Inc."]
"SoundMAX" = ""C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray" ["Analog Devices, Inc."]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"ccRegVfy" = ""C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"" ["Symantec Corporation"]
"Advanced Tools Check" = "C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE" ["Symantec Corporation"]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"NeroCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"shell32" = "C:\WINDOWS\System32\wuauclt10.exe" [null data]
"Client Server Runtime Process" = "C:\WINDOWS\System32\smmss.exe" ["PubID139WO"]
"Windows update" = "C:\WINDOWS\System32\wudupdate.exe" [null data]
"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"(Default)" = (empty string)
"ATICCC" = ""C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{6A373B7E-496E-424f-A9BE-486A5E9AB018}\(Default) = "BitComet Toolbar Helper" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\BitComet Toolbar\v2.0.0.4\BitComet_Toolbar.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{59850401-6664-101B-B21C-00AA004BA90B}" = "Microsoft Office Binder Unbind"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\1045\UNBIND.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{D00900BC-23F7-4FD6-BFA2-8232112C5C49}" = "NRadExt extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\RADLIN~1\NRad.dll" [empty string]
"{5380C14E-C0A1-4D66-87DB-5995E6FF4623}" = "Rad Prop Extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\RADLIN~1\Rad.dll" [empty string]
"{D2FD83AE-994A-4D4B-9097-2C9E11ED85F0}" = "Display CPL Extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\RADLIN~1\RadClkR.dll" [empty string]
"{C6844A1E-2C59-415A-84B3-C6A458372779}" = "Text file icon extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\RADLIN~1\RadType.dll" [empty string]
"{FEF55715-74BD-47F0-B417-67EE5ADF3BC5}" = "RadExec Prop Extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\RADLIN~1\RadExec.dll" [empty string]
"{C60969A9-EE99-4958-9603-F351F5473555}" = "NRadExeExt extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\RADLIN~1\NRadExe.dll" [empty string]
"{A4D78B20-6E05-1069-8758-4E73FD83DEAD}" = "QCopy"
  -> {CLSID}\InProcServer32\(Default) = "dropcpyr.dll" [null data]
"{B8323370-FF27-11D2-97B6-204C4F4F5020}" = "SmartFTP Shell Extension DLL"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\SmartFTP\smarthook.dll" ["SmartFTP"]
"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ATI Technologies\ATI.ACE\atiacmxx.dll" [empty string]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{35B2861B-2B26-4691-9FF0-09083722C736}" = "RadExe Extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\RADLIN~1\RadExe.dll" [empty string]

HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
INFECTION WARNING! "run" = "hpfsched" [null data]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\ACD Wallpaper.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\Webshots.scr" ["Auralis, Inc."]


Startup items in "Administrator" & "All Users" startup folders:
---------------------------------------------------------------

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"DSLMON" -> shortcut to: "C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe /W" [empty string]
"GetRight - Tray Icon" -> shortcut to: "C:\Program Files\GetRight\getright.exe" ["Headlight Software, Inc."]


Enabled Scheduled Tasks:
------------------------

"Norton AntiVirus - Scan my computer" -> launches: "C:\PROGRA~1\NORTON~1\NAVW32.exe /task:C:\DOCUME~1\ALLUSE~1\DANEAP~1\Symantec\NORTON~1\Tasks\mycomp.sca" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 19
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2E608F70-C430-4BC5-96F6-608E02EBA5B2}" = "BitComet Toolbar" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\BitComet Toolbar\v2.0.0.4\BitComet_Toolbar.dll" [null data]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{2E608F70-C430-4BC5-96F6-608E02EBA5B2}" = "BitComet Toolbar"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\BitComet Toolbar\v2.0.0.4\BitComet_Toolbar.dll" [null data]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Apache2, Apache2, ""C:\usr\apache2\Apache2\bin\Apache.exe" -k runservice" ["Apache Software Foundation"]
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."]
Norton AntiVirus Auto Protect Service, navapsvc, ""C:\Program Files\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"]
Norton Unerase Protection, NProtectService, "C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE" ["Symantec Corporation"]
SoundMAX Agent Service, SoundMAX Agent Service (default), "C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe" ["Analog Devices, Inc."]
Speed Disk service, Speed Disk service, "C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
OLFax Ports\Driver = "OLFMNT40.DLL" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
  took 504 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
  took 30 seconds.
---------- (total run time: 641 seconds)


Melonix
~user

Posts: 16
Joined: 05 Mar 2006, 14:46
Location: Koszalin
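One way to mechanically pick out the entries in a HijackThis log that the helpers in this thread look at first: an added Python example, not the original post's or HijackThis's own code. The sample lines are copied from the log above, plus one constructed O4 line modelled on the "Client Server Runtime Process" = smmss.exe entry that Silent Runners reported; the heuristics (double extension, executable directly in the Windows directory, a system-binary name in the wrong directory, a lookalike name, an unnamed BHO, any Winlogon Notify DLL) are my own assumptions, and every hit is a cue for manual review rather than a verdict.

```python
"""Triage HijackThis log lines for the persistence patterns seen in this thread (added example)."""
from __future__ import annotations
import ntpath
import re

# Where these binaries live on a default Windows XP install (lower-case for comparison).
WINDIR = r"c:\windows"
SYSTEM32 = WINDIR + r"\system32"
SYSTEM_BINARIES = {n: SYSTEM32 for n in ("smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                   "lsass.exe", "svchost.exe", "spoolsv.exe", "ctfmon.exe", "wuauclt.exe", "userinit.exe")}
SYSTEM_BINARIES["explorer.exe"] = WINDIR
WINDIR_ALLOWLIST = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe"}  # legitimately in C:\WINDOWS

O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run\w*: \[[^\]]*\] (?P<cmd>.+)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: \S+ - (?P<path>.+)$")
# A quoted path, or an unquoted one ending at the first executable extension that is followed by
# whitespace or end of line (so "alt.exe.exe" is captured whole and arguments are dropped).
PATH_RE = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|dll|com|scr|bat|cmd|pif))(?:\s|$)', re.I)
DOUBLE_EXT_RE = re.compile(r"\.(?:exe|com|scr|bat|cmd|pif)\.(?:exe|com|scr|bat|cmd|pif)$", re.I)

def command_path(cmd: str) -> str:
    """Executable path from a Run-key command line; expands %systemroot% so placement checks work."""
    m = PATH_RE.match(cmd.strip())
    raw = (m.group(1) or m.group(2)) if m else cmd.strip()
    return re.sub(r"%(systemroot|windir)%", lambda _: WINDIR, raw, flags=re.I)

def levenshtein(a: str, b: str) -> int:
    """Edit distance, to catch names that imitate a system binary (smmss.exe vs smss.exe)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_executable(path: str) -> list[str]:
    """Placement and naming checks on one executable/DLL path; each finding is a review cue."""
    findings: list[str] = []
    low = path.lower()
    base, folder = ntpath.basename(low), ntpath.dirname(low)
    if DOUBLE_EXT_RE.search(base):
        findings.append("double-extension")          # alt.exe.exe
    if folder == WINDIR and base not in WINDIR_ALLOWLIST:
        findings.append("windows-root")              # C:\WINDOWS\baaamrrz.exe
    expected = SYSTEM_BINARIES.get(base)
    if expected and folder != expected:
        findings.append("system-name-wrong-dir")     # C:\WINDOWS\services.exe
    for sysname in SYSTEM_BINARIES:
        if base != sysname and levenshtein(base, sysname) <= 1:
            findings.append(f"lookalike:{sysname}")  # smmss.exe
    return findings

def triage_line(line: str) -> list[str]:
    """Findings for one HijackThis line (empty list when nothing stands out)."""
    line = line.strip()
    m = O4_RE.match(line)
    if m:
        return check_executable(command_path(m.group("cmd")))
    m = O2_RE.match(line)
    if m:  # a BHO with no name and an unknown DLL is the classic adware pattern
        findings = ["unnamed-bho"] if m.group("name") == "(no name)" else []
        return findings + check_executable(m.group("path"))
    m = O20_RE.match(line)
    if m:  # Winlogon Notify DLLs load into winlogon.exe at logon: always review them
        return ["winlogon-notify"] + check_executable(m.group("path"))
    return []

def triage(log: str) -> list[tuple[str, list[str]]]:
    """(line, findings) for every line in the log that raised at least one finding."""
    hits = []
    for raw in log.splitlines():
        findings = triage_line(raw)
        if findings:
            hits.append((raw.strip(), findings))
    return hits

# Lines copied from the HijackThis log in this thread, plus one constructed O4 line (the last one)
# modelled on the "Client Server Runtime Process" = smmss.exe entry reported by Silent Runners.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {1EB445B0-3E7A-4F34-A39F-8FC9CF0B1FCC} - C:\WINDOWS\System32\browsew.dll
O4 - HKLM\..\Run: [services] C:\WINDOWS\services.exe
O4 - HKLM\..\Run: [PromoReg] C:\WINDOWS\system32\alt.exe.exe
O4 - HKLM\..\Run: [baaamrrz] %systemroot%\baaamrrz.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll
O4 - HKLM\..\Run: [Client Server Runtime Process] C:\WINDOWS\System32\smmss.exe
"""

if __name__ == "__main__":
    for line, findings in triage(SAMPLE_LOG):
        print(f"{', '.join(findings):28s} {line}")
```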



Sluggish internet and programs reporting a virus

Post by wojtas, 21 Sep 2008, 18:44

Do what is described in this topic.

Apply SDFix. After downloading it, run it and it will unpack to C:\SDFix. Start the computer in safe mode (F8 at system startup). While in safe mode, run the RunThis.bat file from the SDFix folder. Confirm the cleaning with Y. Wait until it finishes and the computer restarts.

Then go to the C:\SDFix folder, paste in the contents of the Report.txt file + the ComboFix log, and post a HijackThis log.
wojtas
*mod

Posts: 18165
Joined: 13 Jan 2006, 16:00
Location: Krzeszyce
Commendations: 1656



Re: Sluggish internet and programs reporting a virus

Post by Melonix, 30 Sep 2008, 11:44

I did everything according to the instructions. I blocked the ports with WWDC. I also applied SDFix. At the end of the program's run a report was indeed displayed, but unfortunately it is not on drive C at the moment (I also had a catchme file on the desktop, which disappeared after I applied ComboFix).
So I am posting the ComboFix and HijackThis logs.

ComboFix
Code:
ComboFix 08-09-28.03 - admin 2008-09-30 11:29:56.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.1.1250.1.1045.18.110 [GMT 2:00]
Uruchomiony z: C:\Documents and Settings\admin.A-T6WA48AD9O4LQ\Pulpit\ComboFix.exe
* Utworzono nowy punkt przywracania

[color=red][b]UWAGA - TEN KOMPUTER NIE MA ZAINSTALOWANEJ KONSOLI ODZYSKIWANIA !![/b][/color]
.

(((((((((((((((((((((((((((((((((((((((   Usunięto   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\faceback.exe
C:\WINDOWS\system32\mdm.exe

.
(((((((((((((((((((((((((   Pliki utworzone od 2008-08-28 do 2008-09-30  )))))))))))))))))))))))))))))))
.

2008-09-30 11:08 . 2008-09-30 11:09   <DIR>   d--------   C:\WINDOWS\ERUNT
2008-09-30 09:41 . 2008-09-30 09:41   427   --a------   C:\WINDOWS\ODBC.INI
2008-09-30 09:41 . 2008-09-30 09:41   63   --a------   C:\WINDOWS\mdm.ini
2008-09-30 09:41 . 2008-09-30 09:41   0   --a------   C:\WINDOWS\NSREX.INI
2008-09-30 09:30 . 2008-09-30 09:31   <DIR>   d--------   C:\Program Files\CDex_150
2008-09-30 09:28 . 2008-09-30 09:28   <DIR>   d--------   C:\WINDOWS\system32\Adobe
2008-09-30 09:28 . 2008-09-30 09:28   <DIR>   d--------   C:\WINDOWS\Profiles
2008-09-30 09:28 . 2008-09-30 09:28   <DIR>   d--------   C:\Program Files\Common Files\Adobe
2008-09-30 09:28 . 2008-09-30 09:28   <DIR>   d--------   C:\Documents and Settings\admin.A-T6WA48AD9O4LQ\Dane aplikacji\InterTrust
2008-09-30 09:27 . 2008-09-30 09:27   <DIR>   d--------   C:\Documents and Settings\ADMIN~1~A-T\USTAWI~1
2008-09-30 09:27 . 2008-09-30 09:27   <DIR>   d--------   C:\Documents and Settings\ADMIN~1~A-T
2008-09-30 09:27 . 1998-10-07 13:54   336,896   --a------   C:\WINDOWS\IsUn0415.exe
2008-09-30 09:22 . 2008-09-30 09:22   <DIR>   d--------   C:\Program Files\BitComet Toolbar
2008-09-30 09:22 . 2008-09-30 09:22   <DIR>   d--------   C:\Program Files\BitComet
2008-09-30 09:22 . 2008-09-30 09:22   254,179   --a------   C:\WINDOWS\BitComet_Toolbar_Uninstaller_3218.exe
2008-09-30 09:18 . 2008-09-30 09:18   <DIR>   d--------   C:\Program Files\FileZilla FTP Client
2008-09-30 09:17 . 2008-09-30 09:17   <DIR>   d--------   C:\Program Files\BearShare Applications
2008-09-30 09:17 . 2008-09-30 09:17   <DIR>   d--------   C:\Documents and Settings\admin.A-T6WA48AD9O4LQ\Dane aplikacji\BearShare
2008-09-30 09:17 . 2006-11-12 11:39   483,328   --a------   C:\WINDOWS\system32\actskn45.ocx
2008-09-30 09:16 . 2008-09-30 09:16   <DIR>   d--------   C:\Documents and Settings\All Users.WINDOWS\Dane aplikacji\ashampoo
2008-09-30 09:13 . 2008-09-30 09:13   104   --a------   C:\WINDOWS\WINCMD.INI
2008-09-30 09:04 . 2008-09-30 09:04   <DIR>   d--------   C:\Program Files\Mjcore
2008-09-30 09:01 . 2003-08-25 18:06   182,880   --a------   C:\WINDOWS\system32\iuengine.dll
2008-09-30 09:01 . 2008-09-30 09:01   112,640   --a------   C:\WINDOWS\faceback.exe.tmp
2008-09-30 09:00 . 2005-03-05 02:10   157,696   -ra------   C:\WINDOWS\system32\drivers\e100b325.sys
2008-09-30 09:00 . 2005-03-10 08:22   139,264   -ra------   C:\WINDOWS\system32\Prounstl.exe
2008-09-30 09:00 . 2005-02-25 03:03   36,864   -ra------   C:\WINDOWS\system32\e100bmsg.dll
2008-09-30 09:00 . 2005-03-09 10:26   23,040   -ra------   C:\WINDOWS\system32\IntelNic.dll
2008-09-30 09:00 . 2004-12-18 00:29   5,110   -ra------   C:\WINDOWS\system32\e100b325.din
2008-09-29 23:37 . 2008-09-29 22:04   261   --a------   C:\WINDOWS\system32\$winnt$.inf
2008-09-29 22:39 . 2008-09-30 11:21   763,990   --a------   C:\WINDOWS\system32\PerfStringBackup.INI
2008-09-29 22:39 . 2002-04-19 19:20   66,082   --a------   C:\WINDOWS\system32\c_28603.nls
2008-09-29 22:39 . 2008-09-29 22:00   4,293   --a------   C:\WINDOWS\ODBCINST.INI
2008-09-29 22:38 . 2008-09-30 11:30   <DIR>   dr-h-----   C:\Documents and Settings\Default User.WINDOWS\Ustawienia lokalne
2008-09-29 22:38 . 2008-09-29 22:38   <DIR>   d--------   C:\Documents and Settings\Default User.WINDOWS\Ulubione
2008-09-29 22:38 . 2008-09-29 21:57   <DIR>   d--h-----   C:\Documents and Settings\Default User.WINDOWS\Szablony
2008-09-29 22:38 . 2008-09-29 22:38   <DIR>   d--------   C:\Documents and Settings\Default User.WINDOWS\Pulpit
2008-09-29 22:38 . 2008-09-29 22:38   <DIR>   d--------   C:\Documents and Settings\Default User.WINDOWS\Moje dokumenty
2008-09-29 22:38 . 2008-09-29 22:38   <DIR>   dr-------   C:\Documents and Settings\Default User.WINDOWS\Menu Start
2008-09-29 22:38 . 2008-09-29 22:38   <DIR>   dr-h-----   C:\Documents and Settings\Default User.WINDOWS\Dane aplikacji
2008-09-29 22:38 . 2008-09-29 22:38   <DIR>   d--------   C:\Documents and Settings\All Users.WINDOWS\Ulubione
2008-09-29 22:38 . 2008-09-29 22:38   <DIR>   d--h-----   C:\Documents and Settings\All Users.WINDOWS\Szablony
2008-09-29 22:38 . 2008-09-30 09:35   <DIR>   d--------   C:\Documents and Settings\All Users.WINDOWS\Pulpit
2008-09-29 22:38 . 2008-09-30 09:40   <DIR>   dr-------   C:\Documents and Settings\All Users.WINDOWS\Menu Start
2008-09-29 22:38 . 2008-09-29 21:57   <DIR>   dr-------   C:\Documents and Settings\All Users.WINDOWS\Dokumenty
2008-09-29 22:38 . 2008-09-30 09:16   <DIR>   dr-h-----   C:\Documents and Settings\All Users.WINDOWS\Dane aplikacji
2008-09-29 22:37 . 2008-09-30 11:29   <DIR>   d--h-----   C:\Documents and Settings\Default User.WINDOWS
2008-09-29 22:37 . 2008-09-29 21:59   <DIR>   d--------   C:\Documents and Settings\All Users.WINDOWS
2008-09-29 22:06 . 2008-09-30 11:30   <DIR>   d--h-----   C:\Documents and Settings\admin.A-T6WA48AD9O4LQ\Ustawienia lokalne
2008-09-29 22:06 . 2008-09-29 22:09   <DIR>   dr-------   C:\Documents and Settings\admin.A-T6WA48AD9O4LQ\Ulubione
2008-09-29 22:06 . 2008-09-29 21:57   <DIR>   d--h-----   C:\Documents and Settings\admin.A-T6WA48AD9O4LQ\Szablony
2008-09-29 22:06 . 2008-09-30 11:31   <DIR>   d--------   C:\Documents and Settings\admin.A-T6WA48AD9O4LQ\Pulpit
2008-09-29 22:06 . 2008-09-29 22:14   <DIR>   dr-------   C:\Documents and Settings\admin.A-T6WA48AD9O4LQ\Moje dokumenty
2008-09-29 22:06 . 2008-09-30 09:35   <DIR>   dr-------   C:\Documents and Settings\admin.A-T6WA48AD9O4LQ\Menu Start
2008-09-29 22:06 . 2008-09-30 09:33   <DIR>   dr-h-----   C:\Documents and Settings\admin.A-T6WA48AD9O4LQ\Dane aplikacji
2008-09-29 22:06 . 2008-09-29 22:09   <DIR>   d--------   C:\Documents and Settings\admin.A-T6WA48AD9O4LQ
2008-09-29 22:05 . 2008-09-30 11:30   <DIR>   d--h-----   C:\Documents and Settings\NetworkService.ZARZ¤DZANIE NT\Ustawienia lokalne
2008-09-29 22:05 . 2008-09-29 22:05   <DIR>   d--------   C:\Documents and Settings\NetworkService.ZARZ¤DZANIE NT\Dane aplikacji
2008-09-29 22:05 . 2008-09-29 22:05   <DIR>   d--hs----   C:\Documents and Settings\NetworkService.ZARZ¤DZANIE NT
2008-09-29 22:05 .    <DIR>      C:\Documents and Settings\NetworkService.ZARZąDZANIE NT\Ustawienia lokalne
2008-09-29 22:05 .    <DIR>      C:\Documents and Settings\NetworkService.ZARZąDZANIE NT\Dane aplikacji
2008-09-29 22:05 .    <DIR>      C:\Documents and Settings\NetworkService.ZARZąDZANIE NT\Cookies
2008-09-29 22:05 . 2008-09-30 11:30   <DIR>   d--h-----   C:\Documents and Settings\LocalService.ZARZ¤DZANIE NT\Ustawienia lokalne
2008-09-29 22:05 . 2008-09-29 22:05   <DIR>   d--------   C:\Documents and Settings\LocalService.ZARZ¤DZANIE NT\Dane aplikacji
2008-09-29 22:05 . 2008-09-29 22:05   <DIR>   d--hs----   C:\Documents and Settings\LocalService.ZARZ¤DZANIE NT
2008-09-29 22:05 .    <DIR>      C:\Documents and Settings\LocalService.ZARZąDZANIE NT\Ustawienia lokalne
2008-09-29 22:05 .    <DIR>      C:\Documents and Settings\LocalService.ZARZąDZANIE NT\Dane aplikacji
2008-09-29 22:05 .    <DIR>      C:\Documents and Settings\LocalService.ZARZąDZANIE NT\Cookies
2008-09-29 22:05 .    262,144      C:\Documents and Settings\NetworkService.ZARZąDZANIE NT\NTUSER.DAT
2008-09-29 22:05 .    262,144      C:\Documents and Settings\LocalService.ZARZąDZANIE NT\NTUSER.DAT
2008-09-29 22:05 . 2008-09-29 22:05   8,192   --a------   C:\WINDOWS\REGLOCS.OLD
2008-09-29 22:03 . 2001-07-22 00:23   1,875,968   --a--c---   C:\WINDOWS\system32\dllcache\msir3jp.lex
2008-09-29 22:02 . 2001-10-26 19:28   13,463,552   --a--c---   C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-09-29 22:01 . 2001-10-26 17:29   2,134,528   --a--c---   C:\WINDOWS\system32\dllcache\EXCH_smtpsnap.dll
2008-09-29 22:00 . 2008-09-29 22:00   299,552   --a------   C:\WINDOWS\WMSysPrx.prx
2008-09-29 22:00 . 2008-09-29 22:06   25,065   --a------   C:\WINDOWS\system32\wmpscheme.xml
2008-09-29 22:00 . 2008-09-29 22:00   23,392   --a------   C:\WINDOWS\system32\nscompat.tlb
2008-09-29 22:00 . 2008-09-29 22:00   16,832   --a------   C:\WINDOWS\system32\amcompat.tlb
2008-09-29 22:00 . 2008-09-29 22:00   2,596   --a------   C:\WINDOWS\system32\CONFIG.NT
2008-09-29 22:00 . 2008-09-29 22:00   0   --a------   C:\WINDOWS\control.ini
2008-09-29 21:59 . 2008-09-29 22:00   <DIR>   d--hs----   C:\Documents and Settings\All Users.WINDOWS\DRM
2008-09-29 21:58 . 2002-09-20 19:05   1,003,520   --a--c---   C:\WINDOWS\system32\dllcache\conf.exe
2008-09-29 21:57 . 2001-10-26 19:29   494,592   --a------   C:\WINDOWS\system32\hypertrm.dll
2008-09-29 21:56 . 2002-09-20 19:03   1,268,224   --a--c---   C:\WINDOWS\system32\dllcache\cimwin32.dll
2008-09-24 20:41 . 2008-09-26 21:11   <DIR>   d--------   C:\filmy2
2008-09-22 15:09 . 2008-09-22 15:09   <DIR>   d--------   C:\Program Files\Cool PDF Reader
2008-09-22 10:22 . 2008-09-22 10:22   <DIR>   d--------   C:\Documents and Settings\admin.A-T6WA48AD9O4LQ\Dane aplikacji\Ashampoo
2008-09-22 10:21 . 2008-09-22 10:21   <DIR>   d--------   C:\Program Files\Ashampoo
2008-09-17 21:29 . 2008-09-17 21:29   <DIR>   d--------   C:\Program Files\Watchtower
2008-09-09 23:32 . 2008-09-09 23:32   <DIR>   dr-h-----   C:\Documents and Settings\Default User\Ustawienia lokalne
2008-09-09 23:32 . 2008-09-09 23:32   <DIR>   d--------   C:\Documents and Settings\Default User\Ulubione
2008-09-09 23:32 . 2008-09-09 21:37   <DIR>   d--h-----   C:\Documents and Settings\Default User\Szablony
2008-09-09 23:32 . 2008-09-09 23:32   <DIR>   d--------   C:\Documents and Settings\Default User\Pulpit
2008-09-09 23:32 . 2008-09-09 23:32   <DIR>   d--------   C:\Documents and Settings\Default User\Moje dokumenty
2008-09-09 23:32 . 2008-09-09 23:32   <DIR>   dr-------   C:\Documents and Settings\Default User\Menu Start
2008-09-09 23:32 . 2008-09-09 23:32   <DIR>   dr-h-----   C:\Documents and Settings\Default User\Dane aplikacji
2008-09-09 23:32 . 2008-09-09 23:32   <DIR>   d--------   C:\Documents and Settings\All Users\Ulubione
2008-09-09 23:32 . 2008-09-09 23:32   <DIR>   d--h-----   C:\Documents and Settings\All Users\Szablony
2008-09-09 23:32 . 2008-09-22 10:21   <DIR>   d--------   C:\Documents and Settings\All Users\Pulpit
2008-09-09 23:32 . 2008-09-09 23:12   <DIR>   dr-------   C:\Documents and Settings\All Users\Menu Start
2008-09-09 23:32 . 2008-09-09 21:38   <DIR>   dr-------   C:\Documents and Settings\All Users\Dokumenty
2008-09-09 23:32 . 2008-09-22 10:22   <DIR>   dr-h-----   C:\Documents and Settings\All Users\Dane aplikacji
2008-09-09 23:31 . 2008-09-09 21:40   <DIR>   d--h-----   C:\Documents and Settings\Default User
2008-09-09 23:31 . 2008-09-09 21:39   <DIR>   d--------   C:\Documents and Settings\All Users
2008-09-09 23:31 . 2008-09-30 09:27   <DIR>   d--------   C:\Documents and Settings
2008-09-09 23:27 . 2008-09-09 23:27   <DIR>   d--------   C:\Documents and Settings\admin.A-T6WA48AD9O4LQ\Dane aplikacji\Gadu-Gadu
2008-09-09 23:24 . 2008-09-09 23:24   <DIR>   d--------   C:\totalcmd
2008-09-09 23:21 . 2008-09-09 23:21   <DIR>   d--------   C:\Program Files\Common Files\ACD Systems
2008-09-09 23:21 . 2008-09-30 09:26   <DIR>   d--------   C:\Program Files\ACD Systems
2008-09-09 23:20 . 2008-09-09 23:20   <DIR>   d--------   C:\Program Files\Dziobas Rar Player
2008-09-09 23:18 . 2008-09-09 23:18   <DIR>   d--------   C:\Program Files\Gadu-Gadu
2008-09-09 23:18 . 2008-09-09 23:18   <DIR>   d--------   C:\Program Files\Common Files\Ahead
2008-09-09 23:18 . 2008-09-09 23:18   <DIR>   d--------   C:\Program Files\Ahead
2008-09-09 23:18 . 2008-09-10 23:13   <DIR>   d--------   C:\Documents and Settings\admin.A-T6WA48AD9O4LQ\Gadu-Gadu
2008-09-09 23:17 . 2008-09-09 23:17   <DIR>   d--------   C:\Program Files\Maxthon2
2008-09-09 23:16 . 2008-09-09 23:16   <DIR>   d--------   C:\Program Files\Alwil Software
2008-09-09 22:53 . 2008-09-30 09:38   <DIR>   d--h-----   C:\WINDOWS\ShellNew
2008-09-09 22:45 . 2008-09-09 22:45   <DIR>   d--------   C:\WINDOWS\Twain32
2008-09-09 22:45 . 2008-09-09 22:45   <DIR>   d--------   C:\Documents and Settings\admin.A-T6WA48AD9O4LQ\Dane aplikacji\Microsoft Web Folders

.
((((((((((((((((((((((((((((((((((((((((   Sekcja Find3M   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-30 07:35   ---------   d-----w   C:\Program Files\microsoft frontpage
2008-09-29 20:00   558,142   ----a-w   C:\WINDOWS\java\Packages\Z5B9Z57R.ZIP
2008-09-29 20:00   155,995   ----a-w   C:\WINDOWS\java\Packages\TZXB5375.ZIP
2008-09-09 19:39   ---------   d-----w   C:\Program Files\Usługi online
.

------- Sigcheck -------

2002-09-20 19:05  1015296  b15a936635b8695cb365658254c30093   C:\WINDOWS\explorer.exe
2002-09-20 19:05  1015296  961a07ca183e3e9bcb168664f90125ee   C:\WINDOWS\system32\dllcache\explorer.exe

2002-09-20 19:05  23040  f425f260f45185b4c28a1616521d51a9   C:\WINDOWS\system32\ctfmon.exe
2002-09-20 19:05  23040  6e36ee74e24314e60e8bc574a14ff836   C:\WINDOWS\system32\dllcache\ctfmon.exe

2001-10-26 19:30  60928  ef665afd55e81cdf2adef68da46ca90a   C:\WINDOWS\system32\spoolsv.exe
2001-10-26 19:30  60928  5e14ea7c489805b98865b1f176c263ae   C:\WINDOWS\system32\dllcache\spoolsv.exe

2002-09-20 19:05  152064  a225d00be218b05d9283cb16b3df3a57   C:\WINDOWS\system32\wuauclt.exe
2002-09-20 19:05  152064  3aa0fe5883f36571a1a4b90169a5d6f8   C:\WINDOWS\system32\dllcache\wuauclt.exe

2002-09-20 19:05  32256  f09f7a5102afc1b7b7f351cf8d75e9c9   C:\WINDOWS\system32\userinit.exe
2002-09-20 19:05  32256  a8cbe9368470e20ed25fbeb99a513258   C:\WINDOWS\system32\dllcache\userinit.exe
.
(((((((((((((((((((((((((((((((((((((   Wpisy startowe rejestru   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2002-09-20 23040]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 1523741]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-09-20 23040]

C:\Documents and Settings\All Users.WINDOWS\Menu Start\Programy\Autostart\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 77876]


*Newly Created Service* - ALG
*Newly Created Service* - IPNAT
*Newly Created Service* - PROCEXP90
*Newly Created Service* - SHAREDACCESS
.
.
------- Skan uzupełniający -------
.
O9 -: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
O9 -: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm -

O16 -: DirectAnimation Java Classes - file://C:\WINDOWS\Java\classes\dajava.cab
C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-30 11:31:39
Windows 5.1.2600 Dodatek Service Pack. 1 NTFS

detected NTDLL code modification:
ZwOpenFile

skanowanie ukrytych procesów ...

skanowanie ukrytych wpisów autostartu ...

skanowanie ukrytych plików ...

skanowanie pomyślnie ukończone
ukryte pliki: 0

**************************************************************************
.
Czas ukończenia: 2008-09-30 11:32:45
ComboFix-quarantined-files.txt  2008-09-30 09:32:42

Przed: 24,156,987,392 bajt˘w wolnych
Po: 24,394,399,744 bajt˘w wolnych

196


HijackThis
Code:
Logfile of HijackThis v1.99.1
Scan saved at 11:42, on 2008-09-30
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Maxthon2\Maxthon.exe
D:\INSTALKI CD6\Anti Spyware - różne progsy\ghgfhfgh\retertertert.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: BitComet Toolbar Helper - {6A373B7E-496E-424f-A9BE-486A5E9AB018} - C:\Program Files\BitComet Toolbar\v2.0.0.4\BitComet_Toolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: BitComet Toolbar - {2E608F70-C430-4bc5-96F6-608E02EBA5B2} - C:\Program Files\BitComet Toolbar\v2.0.0.4\BitComet_Toolbar.dll
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

Melonix
~user

Posts: 16
Joined: 05 Mar 2006, 14:46
Location: Koszalin



