
Please analyse a ComboFix log

Post by marjano82, 24 Jun 2008, 07:56

Please analyse the ComboFix log below. The pendrive is most likely the source of the infection, which shows up as the system slowing down and files disappearing from the pendrive... I haven't noticed files disappearing from the hard drives so far. Here is the log:
ComboFix 08-06-20.4 - Mariusz 2008-06-24 7:29:55.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1045.18.244 [GMT 2:00]
Running from: C:\Documents and Settings\Mariusz\Pulpit\ComboFix.exe
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
C:\Documents and Settings\Mariusz\Dane aplikacji\addon.dat
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\Fonts\acrsecB.fon
C:\WINDOWS\Fonts\acrsecI.fon
C:\WINDOWS\hosts
C:\WINDOWS\smdat32a.sys
C:\WINDOWS\smdat32m.sys
C:\WINDOWS\system32\amvo.exe
C:\WINDOWS\system32\amvo0.dll
C:\WINDOWS\system32\amvo1.dll
E:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-05-24 to 2008-06-24 )))))))))))))))))))))))))))))))
.

2008-06-23 10:43 . 2008-06-23 08:07 111,715 -r-hs---- C:\1nkbd8h.bat
2008-06-23 08:15 . 2008-06-23 08:15 96,966 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-06-23 08:15 . 2008-06-23 08:15 88,774 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-06-23 08:14 . 2008-06-24 07:33 2,576,928 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-23 08:14 . 2008-06-24 07:34 507,936 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-06-23 08:14 . 2008-06-24 07:33 22,260 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-06-23 08:14 . 2008-06-24 07:34 3,864 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-06-18 10:50 . 2008-02-07 17:10 <DIR> d--h----- C:\ckis
2008-06-18 09:59 . 2008-06-24 06:53 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab
2008-06-18 09:35 . 2008-06-18 09:54 <DIR> d-------- C:\KAV
2008-06-11 15:02 . 2008-06-11 15:02 118 --a------ C:\WINDOWS\system32\MRT.INI
2008-06-11 07:00 . 2008-06-14 20:01 273,024 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 07:00 . 2008-06-14 20:01 273,024 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-02 08:11 . 2008-06-02 08:11 <DIR> d-------- C:\Program Files\Common Files\xing shared

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-24 04:54 --------- d-----w C:\Documents and Settings\Mariusz\Dane aplikacji\OpenOffice.org2
2008-06-24 04:53 20,992 ----a-w C:\WINDOWS\system32\drivers\vga.sys
2008-06-23 11:44 --------- d-----w C:\Documents and Settings\Mariusz\Dane aplikacji\MegauploadToolbar
2008-06-23 08:14 --------- d-----w C:\Program Files\Kaspersky Lab
2008-06-02 06:11 --------- d-----w C:\Program Files\Common Files\Real
2008-06-02 06:10 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-05-28 05:02 --------- d-----w C:\Documents and Settings\Mariusz\Dane aplikacji\AdobeUM
2008-05-19 07:27 --------- d-----w C:\Documents and Settings\Mariusz\Dane aplikacji\Zoner
2008-05-19 07:26 --------- d-----w C:\Program Files\Zoner
2008-05-16 08:29 --------- d-----w C:\Program Files\MERIDIAN
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:16 1,291,264 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-25 16:22 206,088 ----a-w C:\WINDOWS\system32\klogon.dll
2008-04-25 16:21 26,964 ----a-w C:\WINDOWS\system32\drivers\klopp.dat
2008-04-23 07:20 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-03-25 04:52 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll
2008-03-25 04:52 178,976 ----a-w C:\WINDOWS\system32\msjint40.dll
2004-10-01 14:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C}]
2008-04-25 18:22 62728 --a------ C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2005-11-15 20:44 1200128]
"Internet Download Accelerator"="C:\Program Files\IDA\ida.exe" [ ]
"Active Desktop Calendar"="C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe" [ ]
"Komunikator"="C:\Program Files\Tlen.pl\tlen.exe" [ ]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [ ]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-10 07:26 68856]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-07-09 09:39 2119104]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 14:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 13:22 7700480]
"OrderReminder"="C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe" [2005-03-18 13:18 98304]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46 57344]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-06-16 01:15 366400]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-06-02 08:10 185896]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 14:00 15360]

C:\Documents and Settings\Mariusz\Menu Start\Programy\Autostart\
OpenOffice.org 2.0.3.lnk - C:\Program Files\OpenOffice.org 2.0.3\program\quickstart.exe [2006-07-02 18:46:50 393216]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Gadu-Gadu\\gg.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\Konnekt\\konnekt.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"24600:TCP"= 24600:TCP:BitComet 24600 TCP
"24600:UDP"= 24600:UDP:BitComet 24600 UDP

R0 klbg;Kaspersky Lab Boot Guard Driver;C:\WINDOWS\system32\drivers\klbg.sys [2008-01-29 18:29]
R2 AntiVirusKit Client;G DATA AntiVirus Client;"C:\Program Files\G DATA\AVKClient\AVKCl.exe" [2006-08-29 15:16]
R2 AVK Client;AVK Client;C:\Program Files\G DATA\AVKClient\AVKClSv.exe [2001-11-14 02:09]
R2 AVKProxy;AVKProxy;"C:\Program Files\Common Files\G DATA\AVKProxy\AVKProxy.exe" [2006-10-04 10:47]
R2 AVKWCtl;Strażnik AVK;"C:\Program Files\G DATA\AVKClient\AVKWCtl.exe" [2006-06-21 11:56]
R2 GDTdiInterceptor;GDTdiInterceptor;C:\WINDOWS\system32\drivers\GDTdiIcpt.sys [2007-01-31 08:31]
R3 GDMnIcpt;GDMnIcpt;C:\WINDOWS\system32\drivers\MiniIcpt.sys [2007-01-31 08:32]
R3 HookCentre;HookCentre;C:\WINDOWS\system32\drivers\HookCentre.sys [2007-01-31 08:32]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2008-03-25 20:07]
S3 AVK_FSAVP;AVK_FSAVP;C:\WINDOWS\system32\avkfsavp.sys [2007-03-23 13:00]
S3 avk10w;avk10w;C:\WINDOWS\system32\avkwfilt.sys [2007-03-23 13:00]
S3 GDInterceptor;GDInterceptor;C:\WINDOWS\system32\interceptor.sys [2006-11-29 12:45]
S3 RAVGD;RAVGD;C:\WINDOWS\system32\ravgd.sys [2007-03-23 13:00]
S3 SetupNTGLM7X;SetupNTGLM7X;D:\NTGLM7X.sys []
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys [2005-08-30 17:57]
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys [2005-08-30 17:58]
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys [2005-08-30 17:59]
S3 usbscan;Sterownik skanera USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 22:58]
S3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 00:08]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2f7240ef-40fb-11dd-a109-00161747b403}]
\Shell\AutoRun\command - F:\1nkbd8h.bat
\Shell\explore\Command - F:\1nkbd8h.bat
\Shell\open\Command - F:\1nkbd8h.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3bf98e3b-2e06-11dd-a0e6-00161747b403}]
\Shell\AutoRun\command - G:\jjcx.com
\Shell\explore\Command - G:\jjcx.com
\Shell\open\Command - G:\jjcx.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d277c97a-317f-11dd-a0ec-00161747b403}]
\Shell\AutoRun\command - F:\d.cmd
\Shell\explore\Command - F:\d.cmd
\Shell\open\Command - F:\d.cmd

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-24 07:35:39
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\G DATA\AVKClient\AVKAgent.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\OpenOffice.org 2.0.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0.3\program\soffice.bin
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-06-24 7:41:39 - machine was rebooted [Mariusz]
ComboFix-quarantined-files.txt 2008-06-24 05:41:25

Pre-Run: 26,872,991,744 bajtów wolnych
Post-Run: 29,058,682,880 bajtów wolnych

165 --- E O F --- 2008-06-20 13:01:14


Regards, and I'm waiting for any hints.

[ Added: Today at 7:58 ]
I have one more question: will formatting the pendrive remove the problems, and should I make the log with the pendrive connected to the computer?
marjano82
~user
 
Posts: 12
Joined: 24 Jun 2008, 07:12
Location: Myślibórz



Post by Okocza, 24 Jun 2008, 10:06

Open Notepad and paste:

Code:
File::
C:\1nkbd8h.bat

Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2f7240ef-40fb-11dd-a109-00161747b403}]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3bf98e3b-2e06-11dd-a0e6-00161747b403}]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d277c97a-317f-11dd-a0ec-00161747b403}]


File >>> Save as CFScript.txt. Drag and drop the file onto the ComboFix icon (as shown here). Wait until a new log is generated and post it on the forum.

Yes, together with the pendrive connected.
Okocza
~user
 
Posts: 8001
Joined: 19 Mar 2006, 11:53
Kudos: 406
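Added example (not ComboFix's code and not the helpers' script): a small Python triage helper that reads the MountPoints2 section of a ComboFix log, flags every drive GUID whose AutoRun/open/explore handler launches a script or executable (the pattern of a USB autorun worm, which is what the log above shows), and emits the matching CFScript "Registry::" block. It takes the MountPoints2 entries from the first and second logs in this thread as its sample input; the `[-KEY]` form it emits is the CFScript key-deletion syntax used in the replies. The extension list and the helper names are my own choices.

```python
"""Triage helper for ComboFix logs: find removable-drive autorun hijacks.

Added example for this thread; not part of ComboFix and not the helpers'
script. It reads the MountPoints2 section that ComboFix prints, flags every
drive GUID whose AutoRun/open/explore handler points at a script or
executable, and emits the CFScript "Registry::" block that deletes those
keys ("[-KEY]" deletes a key, as in the replies above).
"""
import re
from dataclasses import dataclass, field

# Sample input: the MountPoints2 entries copied from the first and second
# ComboFix logs in this thread. The second entry uses the relative
# "jjcx.com" form, which Explorer resolves against the root of whatever
# volume is mounted under that GUID.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2f7240ef-40fb-11dd-a109-00161747b403}]
\Shell\AutoRun\command - F:\1nkbd8h.bat
\Shell\explore\Command - F:\1nkbd8h.bat
\Shell\open\Command - F:\1nkbd8h.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3bf98e3b-2e06-11dd-a0e6-00161747b403}]
\Shell\AutoRun\command - jjcx.com
\Shell\explore\Command - jjcx.com
\Shell\open\Command - jjcx.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d277c97a-317f-11dd-a0ec-00161747b403}]
\Shell\AutoRun\command - F:\d.cmd
\Shell\explore\Command - F:\d.cmd
\Shell\open\Command - F:\d.cmd
"""

# Key header line as ComboFix prints it (case varies between logs).
KEY_RE = re.compile(
    r"^\[(?P<key>HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion"
    r"\\explorer\\mountpoints2\\(?P<guid>\{[0-9a-f-]+\}))\]$",
    re.IGNORECASE,
)
# Handler line: "\Shell\<verb>\command - <target>".
HANDLER_RE = re.compile(r"^\\Shell\\(?P<verb>\w+)\\command - (?P<target>.+)$", re.IGNORECASE)
# Extensions a legitimate Explorer shell verb on a removable disk has no
# business launching from the volume itself (my own list for this example).
EXEC_EXT = (".bat", ".cmd", ".com", ".exe", ".vbs", ".scr", ".pif")


@dataclass
class MountPoint:
    key: str
    guid: str
    handlers: dict = field(default_factory=dict)  # verb (lowercase) -> target

    def suspicious_targets(self):
        return sorted({t for t in self.handlers.values() if t.lower().endswith(EXEC_EXT)})

    @property
    def is_suspicious(self):
        return bool(self.suspicious_targets())


def resolves_on_volume(target):
    """True when the target has no drive letter, i.e. Explorer resolves it
    relative to whichever volume is mounted under this GUID when plugged in."""
    return re.match(r"^[A-Za-z]:\\", target) is None


def parse_mountpoints(log_text):
    """Return one MountPoint per MountPoints2 key found in the log text."""
    entries, current = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = MountPoint(m.group("key"), m.group("guid"))
            entries.append(current)
            continue
        h = HANDLER_RE.match(line)
        if h and current is not None:
            current.handlers[h.group("verb").lower()] = h.group("target").strip()
    return entries


def to_cfscript(entries):
    """CFScript Registry:: block deleting every flagged MountPoints2 key."""
    lines = ["Registry::"]
    lines += [f"[-{e.key}]" for e in entries if e.is_suspicious]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = parse_mountpoints(SAMPLE_LOG)
    for e in found:
        for t in e.suspicious_targets():
            where = "relative to mounted volume" if resolves_on_volume(t) else "fixed drive letter"
            print(f"{e.guid}: autorun handler -> {t} ({where})")
    print(to_cfscript(found))
```

Run it as-is to see the three GUIDs from the log flagged and the Registry:: block printed; to use it on another log, paste that log's MountPoints2 section into SAMPLE_LOG or read the file and pass its text to parse_mountpoints. Deleting the MountPoints2 keys removes the cached handlers on the PC, but the autorun.inf and the script on the stick itself still have to go, which is why the helpers ask for the log with the pendrive connected.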



Post by marjano82, 24 Jun 2008, 10:54

Now it looks like below..... the log was made with the pendrive connected to the computer.
ComboFix 08-06-20.4 - Mariusz 2008-06-24 10:46:50.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1045.18.206 [GMT 2:00]
Running from: C:\Documents and Settings\Mariusz\Pulpit\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mariusz\Moje dokumenty\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\1nkbd8h.bat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\1nkbd8h.bat
C:\autorun.inf
C:\WINDOWS\system32\amvo.exe
C:\WINDOWS\system32\amvo0.dll

.
((((((((((((((((((((((((( Files Created from 2008-05-24 to 2008-06-24 )))))))))))))))))))))))))))))))
.

2008-06-23 08:15 . 2008-06-23 08:15 96,966 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-06-23 08:15 . 2008-06-23 08:15 88,774 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-06-23 08:14 . 2008-06-24 08:38 2,634,272 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-23 08:14 . 2008-06-24 10:46 524,320 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-06-23 08:14 . 2008-06-24 08:38 22,708 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-06-23 08:14 . 2008-06-24 10:46 3,920 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-06-18 10:50 . 2008-02-07 17:10 <DIR> d--h----- C:\ckis
2008-06-18 09:59 . 2008-06-24 06:53 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab
2008-06-18 09:35 . 2008-06-18 09:54 <DIR> d-------- C:\KAV
2008-06-11 15:02 . 2008-06-11 15:02 118 --a------ C:\WINDOWS\system32\MRT.INI
2008-06-11 07:00 . 2008-06-14 20:01 273,024 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 07:00 . 2008-06-14 20:01 273,024 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-02 08:11 . 2008-06-02 08:11 <DIR> d-------- C:\Program Files\Common Files\xing shared

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-24 05:39 --------- d-----w C:\Documents and Settings\Mariusz\Dane aplikacji\OpenOffice.org2
2008-06-23 11:44 --------- d-----w C:\Documents and Settings\Mariusz\Dane aplikacji\MegauploadToolbar
2008-06-23 08:14 --------- d-----w C:\Program Files\Kaspersky Lab
2008-06-02 06:11 --------- d-----w C:\Program Files\Common Files\Real
2008-06-02 06:10 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-05-28 05:02 --------- d-----w C:\Documents and Settings\Mariusz\Dane aplikacji\AdobeUM
2008-05-19 07:27 --------- d-----w C:\Documents and Settings\Mariusz\Dane aplikacji\Zoner
2008-05-19 07:26 --------- d-----w C:\Program Files\Zoner
2008-05-16 08:29 --------- d-----w C:\Program Files\MERIDIAN
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:16 1,291,264 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-25 16:22 206,088 ----a-w C:\WINDOWS\system32\klogon.dll
2008-04-25 16:21 26,964 ----a-w C:\WINDOWS\system32\drivers\klopp.dat
2008-04-23 07:20 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-03-25 04:52 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll
2008-03-25 04:52 178,976 ----a-w C:\WINDOWS\system32\msjint40.dll
2004-10-01 14:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((( snapshot@2008-06-24_ 7.40.58.54 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-24 04:53:15 20,992 ----a-w C:\WINDOWS\system32\drivers\vga.sys
+ 2006-03-02 12:00:00 20,992 ----a-w C:\WINDOWS\system32\drivers\vga.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C}]
2008-04-25 18:22 62728 --a------ C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2005-11-15 20:44 1200128]
"Internet Download Accelerator"="C:\Program Files\IDA\ida.exe" [ ]
"Active Desktop Calendar"="C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe" [ ]
"Komunikator"="C:\Program Files\Tlen.pl\tlen.exe" [ ]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [ ]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-10 07:26 68856]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-07-09 09:39 2119104]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 14:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 13:22 7700480]
"OrderReminder"="C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe" [2005-03-18 13:18 98304]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46 57344]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-06-16 01:15 366400]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-06-02 08:10 185896]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 14:00 15360]

C:\Documents and Settings\Mariusz\Menu Start\Programy\Autostart\
OpenOffice.org 2.0.3.lnk - C:\Program Files\OpenOffice.org 2.0.3\program\quickstart.exe [2006-07-02 18:46:50 393216]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Gadu-Gadu\\gg.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\Konnekt\\konnekt.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"24600:TCP"= 24600:TCP:BitComet 24600 TCP
"24600:UDP"= 24600:UDP:BitComet 24600 UDP

R0 klbg;Kaspersky Lab Boot Guard Driver;C:\WINDOWS\system32\drivers\klbg.sys [2008-01-29 18:29]
R2 AntiVirusKit Client;G DATA AntiVirus Client;"C:\Program Files\G DATA\AVKClient\AVKCl.exe" [2006-08-29 15:16]
R2 AVK Client;AVK Client;C:\Program Files\G DATA\AVKClient\AVKClSv.exe [2001-11-14 02:09]
R2 AVKProxy;AVKProxy;"C:\Program Files\Common Files\G DATA\AVKProxy\AVKProxy.exe" [2006-10-04 10:47]
R2 AVKWCtl;Strażnik AVK;"C:\Program Files\G DATA\AVKClient\AVKWCtl.exe" [2006-06-21 11:56]
R2 GDTdiInterceptor;GDTdiInterceptor;C:\WINDOWS\system32\drivers\GDTdiIcpt.sys [2007-01-31 08:31]
R3 GDMnIcpt;GDMnIcpt;C:\WINDOWS\system32\drivers\MiniIcpt.sys [2007-01-31 08:32]
R3 HookCentre;HookCentre;C:\WINDOWS\system32\drivers\HookCentre.sys [2007-01-31 08:32]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2008-03-25 20:07]
R3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 00:08]
S3 AVK_FSAVP;AVK_FSAVP;C:\WINDOWS\system32\avkfsavp.sys [2007-03-23 13:00]
S3 avk10w;avk10w;C:\WINDOWS\system32\avkwfilt.sys [2007-03-23 13:00]
S3 GDInterceptor;GDInterceptor;C:\WINDOWS\system32\interceptor.sys [2006-11-29 12:45]
S3 RAVGD;RAVGD;C:\WINDOWS\system32\ravgd.sys [2007-03-23 13:00]
S3 SetupNTGLM7X;SetupNTGLM7X;D:\NTGLM7X.sys []
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys [2005-08-30 17:57]
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys [2005-08-30 17:58]
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys [2005-08-30 17:59]
S3 usbscan;Sterownik skanera USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 22:58]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2f7240ef-40fb-11dd-a109-00161747b403}]
\Shell\AutoRun\command - F:\1nkbd8h.bat
\Shell\explore\Command - F:\1nkbd8h.bat
\Shell\open\Command - F:\1nkbd8h.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3bf98e3b-2e06-11dd-a0e6-00161747b403}]
\Shell\AutoRun\command - jjcx.com
\Shell\explore\Command - jjcx.com
\Shell\open\Command - jjcx.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d277c97a-317f-11dd-a0ec-00161747b403}]
\Shell\AutoRun\command - F:\d.cmd
\Shell\explore\Command - F:\d.cmd
\Shell\open\Command - F:\d.cmd

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-24 10:49:34
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-06-24 10:52:31
ComboFix-quarantined-files.txt 2008-06-24 08:51:14
ComboFix2.txt 2008-06-24 05:41:41

Pre-Run: 29,990,453,248 bajtów wolnych
Post-Run: 29,980,811,264 bajtów wolnych

147 --- E O F --- 2008-06-20 13:01:14



Post by Dzi@dek, 24 Jun 2008, 11:05

marjano82 wrote: C:\ckis

Do you recognise this folder?

Paste into Notepad:

Code:
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2f7240ef-40fb-11dd-a109-00161747b403}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3bf98e3b-2e06-11dd-a0e6-00161747b403}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d277c97a-317f-11dd-a0ec-00161747b403}]



File -> Save as... -> CFScript; preferably save it in such a location that the CFScript.txt icon ends up next to the ComboFix.exe icon.
Drag and drop the CFScript.txt file onto -> ComboFix.exe
Confirm -> the computer will restart.

If the question "1 or 2" appears, type 1 and press ENTER. The removal process will begin.

Post new logs from ComboFix and HijackThis.
Dzi@dek
^distinguished member
 
Posts: 3854
Joined: 11 Dec 2006, 20:18
Location: Warszawa
Kudos: 210



Post by marjano82, 24 Jun 2008, 11:13

I don't recognise this folder. I'm already following the instructions.



Post by Dzi@dek, 24 Jun 2008, 11:15

Code:
Folder::
C:\ckis


Removal the same way as above.



Post by marjano82, 24 Jun 2008, 11:25

I pasted the text you gave, Dzi@dek, into Notepad and saved it as CFScript. After dropping the file onto ComboFix the computer did not restart, and I didn't have to choose 1 either. Here is the new ComboFix log:
ComboFix 08-06-20.4 - Mariusz 2008-06-24 11:16:27.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1045.18.181 [GMT 2:00]
Running from: C:\Documents and Settings\Mariusz\Pulpit\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mariusz\Pulpit\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

E:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-05-24 to 2008-06-24 )))))))))))))))))))))))))))))))
.

2008-06-24 11:14 . 2008-06-24 11:14 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-23 08:15 . 2008-06-23 08:15 96,966 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-06-23 08:15 . 2008-06-23 08:15 88,774 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-06-23 08:14 . 2008-06-24 10:56 2,634,272 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-23 08:14 . 2008-06-24 11:08 557,088 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-06-23 08:14 . 2008-06-24 10:56 22,708 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-06-23 08:14 . 2008-06-24 11:08 4,032 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-06-18 10:50 . 2008-02-07 17:10 <DIR> d--h----- C:\ckis
2008-06-18 09:59 . 2008-06-24 10:58 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab
2008-06-18 09:35 . 2008-06-18 09:54 <DIR> d-------- C:\KAV
2008-06-11 15:02 . 2008-06-11 15:02 118 --a------ C:\WINDOWS\system32\MRT.INI
2008-06-11 07:00 . 2008-06-14 20:01 273,024 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 07:00 . 2008-06-14 20:01 273,024 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-02 08:11 . 2008-06-02 08:11 <DIR> d-------- C:\Program Files\Common Files\xing shared

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-24 09:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-24 09:07 --------- d-----w C:\Program Files\PITy
2008-06-24 08:59 --------- d-----w C:\Documents and Settings\Mariusz\Dane aplikacji\MegauploadToolbar
2008-06-24 08:58 --------- d-----w C:\Documents and Settings\Mariusz\Dane aplikacji\OpenOffice.org2
2008-06-23 08:14 --------- d-----w C:\Program Files\Kaspersky Lab
2008-06-02 06:11 --------- d-----w C:\Program Files\Common Files\Real
2008-06-02 06:10 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-05-28 05:02 --------- d-----w C:\Documents and Settings\Mariusz\Dane aplikacji\AdobeUM
2008-05-19 07:27 --------- d-----w C:\Documents and Settings\Mariusz\Dane aplikacji\Zoner
2008-05-16 08:29 --------- d-----w C:\Program Files\MERIDIAN
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:16 1,291,264 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-25 16:22 206,088 ----a-w C:\WINDOWS\system32\klogon.dll
2008-04-25 16:21 26,964 ----a-w C:\WINDOWS\system32\drivers\klopp.dat
2008-04-23 07:20 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-03-25 04:52 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll
2008-03-25 04:52 178,976 ----a-w C:\WINDOWS\system32\msjint40.dll
2004-10-01 14:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((( snapshot@2008-06-24_ 7.40.58.54 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-24 05:34:14 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-24 08:57:33 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-06-24 05:34:31 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-06-24 08:57:51 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-06-24 05:34:31 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Historia\History.IE5\index.dat
+ 2008-06-24 08:57:51 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Historia\History.IE5\index.dat
- 2008-06-24 04:53:15 20,992 ----a-w C:\WINDOWS\system32\drivers\vga.sys
+ 2006-03-02 12:00:00 20,992 ----a-w C:\WINDOWS\system32\drivers\vga.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C}]
2008-04-25 18:22 62728 --a------ C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2005-11-15 20:44 1200128]
"Internet Download Accelerator"="C:\Program Files\IDA\ida.exe" [ ]
"Active Desktop Calendar"="C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe" [ ]
"Komunikator"="C:\Program Files\Tlen.pl\tlen.exe" [ ]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [ ]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-10 07:26 68856]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-07-09 09:39 2119104]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 14:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 13:22 7700480]
"OrderReminder"="C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe" [2005-03-18 13:18 98304]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-06-16 01:15 366400]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-06-02 08:10 185896]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2008-04-25 18:21 201992]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 14:00 15360]

C:\Documents and Settings\Mariusz\Menu Start\Programy\Autostart\
OpenOffice.org 2.0.3.lnk - C:\Program Files\OpenOffice.org 2.0.3\program\quickstart.exe [2006-07-02 18:46:50 393216]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Gadu-Gadu\\gg.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\Konnekt\\konnekt.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"24600:TCP"= 24600:TCP:BitComet 24600 TCP
"24600:UDP"= 24600:UDP:BitComet 24600 UDP

R0 klbg;Kaspersky Lab Boot Guard Driver;C:\WINDOWS\system32\drivers\klbg.sys [2008-01-29 18:29]
R2 AntiVirusKit Client;G DATA AntiVirus Client;"C:\Program Files\G DATA\AVKClient\AVKCl.exe" [2006-08-29 15:16]
R2 AVK Client;AVK Client;C:\Program Files\G DATA\AVKClient\AVKClSv.exe [2001-11-14 02:09]
R2 AVKProxy;AVKProxy;"C:\Program Files\Common Files\G DATA\AVKProxy\AVKProxy.exe" [2006-10-04 10:47]
R2 AVKWCtl;Strażnik AVK;"C:\Program Files\G DATA\AVKClient\AVKWCtl.exe" [2006-06-21 11:56]
R2 GDTdiInterceptor;GDTdiInterceptor;C:\WINDOWS\system32\drivers\GDTdiIcpt.sys [2007-01-31 08:31]
R3 GDMnIcpt;GDMnIcpt;C:\WINDOWS\system32\drivers\MiniIcpt.sys [2007-01-31 08:32]
R3 HookCentre;HookCentre;C:\WINDOWS\system32\drivers\HookCentre.sys [2007-01-31 08:32]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2008-03-25 20:07]
R3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 00:08]
S3 AVK_FSAVP;AVK_FSAVP;C:\WINDOWS\system32\avkfsavp.sys [2007-03-23 13:00]
S3 avk10w;avk10w;C:\WINDOWS\system32\avkwfilt.sys [2007-03-23 13:00]
S3 GDInterceptor;GDInterceptor;C:\WINDOWS\system32\interceptor.sys [2006-11-29 12:45]
S3 RAVGD;RAVGD;C:\WINDOWS\system32\ravgd.sys [2007-03-23 13:00]
S3 SetupNTGLM7X;SetupNTGLM7X;D:\NTGLM7X.sys []
S3 usbscan;Sterownik skanera USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 22:58]

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-24 11:18:16
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-06-24 11:20:38
ComboFix-quarantined-files.txt 2008-06-24 09:19:31
ComboFix2.txt 2008-06-24 08:52:32
ComboFix3.txt 2008-06-24 05:41:41

Pre-Run: 29,963,579,392 bajtów wolnych
Post-Run: 29,954,138,112 bajtów wolnych

137 --- E O F --- 2008-06-20 13:01:14


[ Added: Today at 11:32 ]
ComboFix 08-06-20.4 - Mariusz 2008-06-24 11:26:58.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1045.18.193 [GMT 2:00]
Running from: C:\Documents and Settings\Mariusz\Pulpit\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mariusz\Pulpit\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\ckis
C:\ckis\crack.lst

.
((((((((((((((((((((((((( Files Created from 2008-05-24 to 2008-06-24 )))))))))))))))))))))))))))))))
.

2008-06-24 11:14 . 2008-06-24 11:14 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-23 08:15 . 2008-06-23 08:15 96,966 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-06-23 08:15 . 2008-06-23 08:15 88,774 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-06-23 08:14 . 2008-06-24 10:56 2,634,272 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-23 08:14 . 2008-06-24 11:08 557,088 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-06-23 08:14 . 2008-06-24 10:56 22,708 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-06-23 08:14 . 2008-06-24 11:08 4,032 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-06-18 09:59 . 2008-06-24 10:58 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab
2008-06-18 09:35 . 2008-06-18 09:54 <DIR> d-------- C:\KAV
2008-06-11 15:02 . 2008-06-11 15:02 118 --a------ C:\WINDOWS\system32\MRT.INI
2008-06-11 07:00 . 2008-06-14 20:01 273,024 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 07:00 . 2008-06-14 20:01 273,024 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-02 08:11 . 2008-06-02 08:11 <DIR> d-------- C:\Program Files\Common Files\xing shared

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-24 09:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-24 09:07 --------- d-----w C:\Program Files\PITy
2008-06-24 08:59 --------- d-----w C:\Documents and Settings\Mariusz\Dane aplikacji\MegauploadToolbar
2008-06-24 08:58 --------- d-----w C:\Documents and Settings\Mariusz\Dane aplikacji\OpenOffice.org2
2008-06-23 08:14 --------- d-----w C:\Program Files\Kaspersky Lab
2008-06-02 06:11 --------- d-----w C:\Program Files\Common Files\Real
2008-06-02 06:10 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-05-28 05:02 --------- d-----w C:\Documents and Settings\Mariusz\Dane aplikacji\AdobeUM
2008-05-19 07:27 --------- d-----w C:\Documents and Settings\Mariusz\Dane aplikacji\Zoner
2008-05-16 08:29 --------- d-----w C:\Program Files\MERIDIAN
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:16 1,291,264 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-25 16:22 206,088 ----a-w C:\WINDOWS\system32\klogon.dll
2008-04-25 16:21 26,964 ----a-w C:\WINDOWS\system32\drivers\klopp.dat
2008-04-23 07:20 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-03-25 04:52 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll
2008-03-25 04:52 178,976 ----a-w C:\WINDOWS\system32\msjint40.dll
2004-10-01 14:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((( snapshot@2008-06-24_ 7.40.58.54 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-24 05:34:14 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-24 08:57:33 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-06-24 05:34:31 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-06-24 08:57:51 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-06-24 05:34:31 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Historia\History.IE5\index.dat
+ 2008-06-24 08:57:51 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Historia\History.IE5\index.dat
- 2008-06-24 04:53:15 20,992 ----a-w C:\WINDOWS\system32\drivers\vga.sys
+ 2006-03-02 12:00:00 20,992 ----a-w C:\WINDOWS\system32\drivers\vga.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C}]
2008-04-25 18:22 62728 --a------ C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2005-11-15 20:44 1200128]
"Internet Download Accelerator"="C:\Program Files\IDA\ida.exe" [ ]
"Active Desktop Calendar"="C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe" [ ]
"Komunikator"="C:\Program Files\Tlen.pl\tlen.exe" [ ]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [ ]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-10 07:26 68856]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-07-09 09:39 2119104]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 14:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 13:22 7700480]
"OrderReminder"="C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe" [2005-03-18 13:18 98304]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-06-16 01:15 366400]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-06-02 08:10 185896]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2008-04-25 18:21 201992]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 14:00 15360]

C:\Documents and Settings\Mariusz\Menu Start\Programy\Autostart\
OpenOffice.org 2.0.3.lnk - C:\Program Files\OpenOffice.org 2.0.3\program\quickstart.exe [2006-07-02 18:46:50 393216]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Gadu-Gadu\\gg.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\Konnekt\\konnekt.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"24600:TCP"= 24600:TCP:BitComet 24600 TCP
"24600:UDP"= 24600:UDP:BitComet 24600 UDP

R0 klbg;Kaspersky Lab Boot Guard Driver;C:\WINDOWS\system32\drivers\klbg.sys [2008-01-29 18:29]
R2 AntiVirusKit Client;G DATA AntiVirus Client;"C:\Program Files\G DATA\AVKClient\AVKCl.exe" [2006-08-29 15:16]
R2 AVK Client;AVK Client;C:\Program Files\G DATA\AVKClient\AVKClSv.exe [2001-11-14 02:09]
R2 AVKProxy;AVKProxy;"C:\Program Files\Common Files\G DATA\AVKProxy\AVKProxy.exe" [2006-10-04 10:47]
R2 AVKWCtl;Strażnik AVK;"C:\Program Files\G DATA\AVKClient\AVKWCtl.exe" [2006-06-21 11:56]
R2 GDTdiInterceptor;GDTdiInterceptor;C:\WINDOWS\system32\drivers\GDTdiIcpt.sys [2007-01-31 08:31]
R3 GDMnIcpt;GDMnIcpt;C:\WINDOWS\system32\drivers\MiniIcpt.sys [2007-01-31 08:32]
R3 HookCentre;HookCentre;C:\WINDOWS\system32\drivers\HookCentre.sys [2007-01-31 08:32]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2008-03-25 20:07]
R3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 00:08]
S3 AVK_FSAVP;AVK_FSAVP;C:\WINDOWS\system32\avkfsavp.sys [2007-03-23 13:00]
S3 avk10w;avk10w;C:\WINDOWS\system32\avkwfilt.sys [2007-03-23 13:00]
S3 GDInterceptor;GDInterceptor;C:\WINDOWS\system32\interceptor.sys [2006-11-29 12:45]
S3 RAVGD;RAVGD;C:\WINDOWS\system32\ravgd.sys [2007-03-23 13:00]
S3 SetupNTGLM7X;SetupNTGLM7X;D:\NTGLM7X.sys []
S3 usbscan;Sterownik skanera USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 22:58]

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-24 11:28:13
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-06-24 11:30:42
ComboFix-quarantined-files.txt 2008-06-24 09:29:39
ComboFix2.txt 2008-06-24 09:20:39
ComboFix3.txt 2008-06-24 08:52:32
ComboFix4.txt 2008-06-24 05:41:41

Pre-Run: 29,937,283,072 bajtów wolnych
Post-Run: 29,937,000,448 bajtów wolnych

138 --- E O F --- 2008-06-20 13:01:14


and this is the log after applying the second script provided by Dzi@dek.

[ Added: Today at 11:38 ]
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:37:35, on 2008-06-24
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\G DATA\AVKClient\AVKCl.exe
C:\Program Files\G DATA\AVKClient\AVKClSv.exe
C:\Program Files\G DATA\AVKClient\AVKAgent.exe
C:\Program Files\Common Files\G DATA\AVKProxy\AVKProxy.exe
C:\Program Files\G DATA\AVKClient\AVKWCtl.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\OpenOffice.org 2.0.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0.3\program\soffice.BIN
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wp.pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~1\FlashGet\getflash.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Internet Download Accelerator] C:\Program Files\IDA\ida.exe -autorun
O4 - HKCU\..\Run: [Active Desktop Calendar] C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
O4 - HKCU\..\Run: [Komunikator] C:\Program Files\Tlen.pl\tlen.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 2.0.3.lnk = C:\Program Files\OpenOffice.org 2.0.3\program\quickstart.exe
O8 - Extra context menu item: &Search - http://kn.bar.need2find.com/KN/menusearch.html?p=KN
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Statystyki ochrony WWW - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} (MainControl Class) - http://slimak.onet.pl/_m/wirusy/ArcaOnline.cab
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O23 - Service: G DATA AntiVirus Client (AntiVirusKit Client) - G DATA Software AG - C:\Program Files\G DATA\AVKClient\AVKCl.exe
O23 - Service: AVK Client - Unknown owner - C:\Program Files\G DATA\AVKClient\AVKClSv.exe
O23 - Service: AVKProxy - G DATA Software AG - C:\Program Files\Common Files\G DATA\AVKProxy\AVKProxy.exe
O23 - Service: Strażnik AVK (AVKWCtl) - Unknown owner - C:\Program Files\G DATA\AVKClient\AVKWCtl.exe
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O24 - Desktop Component 0: (no name) - http://www.popartuk.com/g/l/lgsp0076.jpg

--
End of file - 9597 bytes



and the HijackThis log
marjano82
~user

Posts: 12
Joined: 24 Jun 2008, 07:12
Location: Myślibórz



Posted by Dzi@dek, 24 Jun 2008, 11:39

OK.
Also apply this topic
http://forum.programosy.pl/bad-generic-host-process-for-win32-services-vt79489.html

1. Download OTMoveIt, start it and run it with the CleanUp option :)
2. perform a Windows optimisation
3. download ATF_Cleaner
tick
Windows Temp
All users Temp
Temporary internet files
Recycle Bin
and press EMPTY SELECTED
4. Disable System Restore (My Computer properties - System Restore tab - turn off System Restore on all drives). After a moment turn it back on
Dzi@dek
^distinguished

Posts: 3854
Joined: 11 Dec 2006, 20:18
Location: Warszawa
Commendations: 210
Pochwały: 210



Posted by marjano82, 24 Jun 2008, 12:05

I carried out all the instructions. Do you think the disks are free of any "bugs"?



Posted by Okocza, 24 Jun 2008, 12:20

http://forum.programosy.pl/program-szukajacy-trojanow-i-malware-vt97108.html

do this as well
Okocza
~user

Posts: 8001
Joined: 19 Mar 2006, 11:53
Commendations: 406



Posted by marjano82, 24 Jun 2008, 12:21

after restarting the system and disconnecting and reconnecting the pendrive, Kaspersky reports that 1NKBD8H.BAT is trying to covertly load the driver c:\WINDOWS\SYSTEM32\DRIVERS\VGA.SYS

How do I get rid of this damn thing? Kaspersky recommends quarantine....



Posted by Okocza, 24 Jun 2008, 12:23

plug in the pendrive and scan your system with FixIEDef
my previous post describes how to do it.



Posted by marjano82, 24 Jun 2008, 12:28

I used FixIEDef, Kaspersky still reports the problem mentioned above

Suspicious object - F:\1NKBD8H.BAT



Posted by Okocza, 24 Jun 2008, 12:41

http://www.techsupportforum.com/sectools/sUBs/Flash_Disinfector.exe

apply this with the pendrive plugged in - it should clean the junk off it



Posted by marjano82, 24 Jun 2008, 12:57

it didn't manage.... I'll probably just, plain and simple... format that junk :)



Posted by Dzi@dek, 24 Jun 2008, 13:55

Folder Options - View - show hidden files - and in Safe Mode, out it goes.
Or - download KillBox and paste the path: F:\1NKBD8H.BAT
http://forum.programosy.pl/narzedzia-do-usuwania-plikow-vt96629.html
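As an added example (not code from this thread or from any of the tools it mentions), a small Python checker that scans a ComboFix report for the removable-media autorun indicators this thread deals with: autorun.inf removed from a drive root, a hidden+system file sitting at a drive root (the -r-hs---- 1nkbd8h.bat), and MountPoints2 handlers that launch a file from a volume root. The sample report lines are copied from the logs posted in this thread; the rule names and the Finding type are my own.

```python
"""Flag removable-media autorun indicators in a ComboFix report (added example)."""
import re
from dataclasses import dataclass

# Constructed sample: a few lines copied from the ComboFix reports in this thread
# (an "Other Deletions" block, two file-list entries and the MountPoints2 block).
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
C:\WINDOWS\system32\amvo.exe
E:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-05-24 to 2008-06-24 )))))))))))))))))))))))))))))))
.

2008-06-23 10:43 . 2008-06-23 08:07 111,715 -r-hs---- C:\1nkbd8h.bat
2008-06-23 08:15 . 2008-06-23 08:15 96,966 --a------ C:\WINDOWS\system32\drivers\klin.dat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2f7240ef-40fb-11dd-a109-00161747b403}]
\Shell\AutoRun\command - G:\1nkbd8h.bat
\Shell\explore\Command - G:\1nkbd8h.bat
\Shell\open\Command - G:\1nkbd8h.bat
"""

# ComboFix section banner, e.g. "(((( Other Deletions ))))"
SECTION = re.compile(r"^\(+ (?P<name>.+?) \)+$")
# File-list entry: created . modified size attributes path
FILE_ENTRY = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
    r"(?:[\d,]+|<DIR>) (?P<attrs>[-a-z]{9}) (?P<path>.+)$"
)
MOUNTPOINT_KEY = re.compile(
    r"^\[HKEY_CURRENT_USER\\.*\\mountpoints2\\(?P<guid>\{[0-9a-f-]+\})\]$", re.I
)
OTHER_KEY = re.compile(r"^\[.*\]$")
HANDLER = re.compile(r"^\\Shell\\(?P<verb>\w+)\\command - (?P<cmd>.+)$", re.I)
DRIVE_ROOT_FILE = re.compile(r"^[A-Z]:\\[^\\]+$", re.I)  # "X:\name", nothing deeper


@dataclass(frozen=True)
class Finding:
    kind: str    # which rule fired
    path: str    # file or command involved
    detail: str  # why it matters


def analyze(report: str) -> list[Finding]:
    findings: list[Finding] = []
    section = ""
    mountpoint = None  # GUID of the MountPoints2 key currently being read
    for raw in report.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECTION.match(line)
        if m:
            section, mountpoint = m.group("name"), None
            continue
        m = MOUNTPOINT_KEY.match(line)
        if m:
            mountpoint = m.group("guid")
            continue
        if OTHER_KEY.match(line):
            mountpoint = None  # any other registry key ends the MountPoints2 block
            continue
        if mountpoint:
            m = HANDLER.match(line)
            if m and DRIVE_ROOT_FILE.match(m.group("cmd")):
                findings.append(Finding(
                    "mountpoints2-handler", m.group("cmd"),
                    f"{m.group('verb')} verb of volume {mountpoint} runs a file from the drive root"))
            continue
        if (section == "Other Deletions" and DRIVE_ROOT_FILE.match(line)
                and line.split("\\")[-1].lower() == "autorun.inf"):
            findings.append(Finding("autorun-inf-removed", line,
                                    "autorun.inf at a drive root was removed"))
            continue
        m = FILE_ENTRY.match(line)
        if m:
            attrs, path = m.group("attrs"), m.group("path")
            if DRIVE_ROOT_FILE.match(path) and "h" in attrs and "s" in attrs:
                findings.append(Finding("hidden-system-root-file", path,
                                        f"attributes {attrs}: hidden+system file at a drive root"))
    return findings


def kinds(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule, handy for a one-line summary."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.kind:24} {f.path:20} {f.detail}")
```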



Posted by marjano82, 30 Jun 2008, 09:24

I have a problem with the amvo.exe virus, please analyse the ComboFix log once more. The earlier pendrive problems are over.
ComboFix 08-06-20.4 - Mariusz 2008-06-30 9:14:58.6 - NTFSx86
Running from: C:\Documents and Settings\Mariusz\Pulpit\ComboFix.exe
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-05-28 to 2008-06-30 )))))))))))))))))))))))))))))))
.

2008-06-27 07:56 . 2008-06-27 07:56 <DIR> d-------- C:\Program Files\MoorHunt
2008-06-26 07:31 . 2008-06-26 07:31 <DIR> d-------- C:\!KillBox
2008-06-24 11:14 . 2008-06-24 11:14 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-23 08:15 . 2008-06-23 08:15 96,966 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-06-23 08:15 . 2008-06-23 08:15 88,774 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-06-23 08:14 . 2008-06-30 08:12 2,634,272 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-23 08:14 . 2008-06-30 08:12 557,088 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-06-23 08:14 . 2008-06-30 08:12 22,708 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-06-23 08:14 . 2008-06-30 08:12 4,032 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-06-18 09:59 . 2008-06-30 08:21 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab
2008-06-18 09:35 . 2008-06-18 09:54 <DIR> d-------- C:\KAV
2008-06-11 15:02 . 2008-06-11 15:02 118 --a------ C:\WINDOWS\system32\MRT.INI
2008-06-11 07:00 . 2008-06-14 20:01 273,024 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 07:00 . 2008-06-14 20:01 273,024 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-02 08:11 . 2008-06-02 08:11 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-05-19 09:27 . 2008-05-19 09:27 <DIR> d-------- C:\Documents and Settings\Mariusz\Dane aplikacji\Zoner
2008-05-16 10:29 . 2008-05-16 10:29 <DIR> d-------- C:\Program Files\MERIDIAN

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-27 05:55 --------- d-----w C:\Documents and Settings\Mariusz\Dane aplikacji\MegauploadToolbar
2008-06-24 09:50 --------- d-----w C:\Documents and Settings\Mariusz\Dane aplikacji\OpenOffice.org2
2008-06-24 09:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-24 09:07 --------- d-----w C:\Program Files\PITy
2008-06-23 08:14 --------- d-----w C:\Program Files\Kaspersky Lab
2008-06-02 06:11 --------- d-----w C:\Program Files\Common Files\Real
2008-06-02 06:10 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-05-28 05:02 --------- d-----w C:\Documents and Settings\Mariusz\Dane aplikacji\AdobeUM
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:16 1,291,264 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-25 16:22 206,088 ----a-w C:\WINDOWS\system32\klogon.dll
2008-04-23 07:20 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-03-25 04:52 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll
2008-03-25 04:52 178,976 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-20 08:09 1,845,504 ----a-w C:\WINDOWS\system32\win32k.sys
2004-10-01 14:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C}]
2008-04-25 18:22 62728 --a------ C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2005-11-15 20:44 1200128]
"Internet Download Accelerator"="C:\Program Files\IDA\ida.exe" [ ]
"Active Desktop Calendar"="C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe" [ ]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [ ]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-10 07:26 68856]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-07-09 09:39 2119104]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 14:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 13:22 7700480]
"OrderReminder"="C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe" [2005-03-18 13:18 98304]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-06-02 08:10 185896]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2008-04-25 18:21 201992]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 14:00 15360]

[HKLM\~\startupfolder\C:^Documents and Settings^Mariusz^Menu Start^Programy^Autostart^OpenOffice.org 2.0.3.lnk]
path=C:\Documents and Settings\Mariusz\Menu Start\Programy\Autostart\OpenOffice.org 2.0.3.lnk
backup=C:\WINDOWS\pss\OpenOffice.org 2.0.3.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Komunikator]
C:\Program Files\Tlen.pl\tlen.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
--a------ 2007-06-16 01:15 366400 C:\Program Files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Gadu-Gadu\\gg.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\Konnekt\\konnekt.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"24600:TCP"= 24600:TCP:BitComet 24600 TCP
"24600:UDP"= 24600:UDP:BitComet 24600 UDP

R0 klbg;Kaspersky Lab Boot Guard Driver;C:\WINDOWS\system32\drivers\klbg.sys [2008-01-29 18:29]
R2 AntiVirusKit Client;G DATA AntiVirus Client;"C:\Program Files\G DATA\AVKClient\AVKCl.exe" [2006-08-29 15:16]
R2 AVK Client;AVK Client;C:\Program Files\G DATA\AVKClient\AVKClSv.exe [2001-11-14 02:09]
R2 AVKProxy;AVKProxy;"C:\Program Files\Common Files\G DATA\AVKProxy\AVKProxy.exe" [2006-10-04 10:47]
R2 AVKWCtl;Strażnik AVK;"C:\Program Files\G DATA\AVKClient\AVKWCtl.exe" [2006-06-21 11:56]
R2 GDTdiInterceptor;GDTdiInterceptor;C:\WINDOWS\system32\drivers\GDTdiIcpt.sys [2007-01-31 08:31]
R3 GDMnIcpt;GDMnIcpt;C:\WINDOWS\system32\drivers\MiniIcpt.sys [2007-01-31 08:32]
R3 HookCentre;HookCentre;C:\WINDOWS\system32\drivers\HookCentre.sys [2007-01-31 08:32]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2008-03-25 20:07]
S3 AVK_FSAVP;AVK_FSAVP;C:\WINDOWS\system32\avkfsavp.sys [2007-03-23 13:00]
S3 avk10w;avk10w;C:\WINDOWS\system32\avkwfilt.sys [2007-03-23 13:00]
S3 GDInterceptor;GDInterceptor;C:\WINDOWS\system32\interceptor.sys [2006-11-29 12:45]
S3 RAVGD;RAVGD;C:\WINDOWS\system32\ravgd.sys [2007-03-23 13:00]
S3 SetupNTGLM7X;SetupNTGLM7X;D:\NTGLM7X.sys []
S3 usbscan;Sterownik skanera USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 22:58]
S3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 00:08]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2f7240ef-40fb-11dd-a109-00161747b403}]
\Shell\AutoRun\command - G:\1nkbd8h.bat
\Shell\explore\Command - G:\1nkbd8h.bat
\Shell\open\Command - G:\1nkbd8h.bat

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-30 09:17:01
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-30 9:18:32
ComboFix-quarantined-files.txt 2008-06-30 07:18:25

Pre-Run: 30,735,187,968 bajtów wolnych
Post-Run: 30,746,857,472 bajtów wolnych

129 --- E O F --- 2008-06-20 13:01:14



Posted by Okocza 30 Jun 2008, 10:28

open Notepad and paste...

Code:
Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2f7240ef-40fb-11dd-a109-00161747b403}]


in Notepad, at the top >>> File > Save as >>> change the extension from TXT to All files *.* >>> save it under the name FIX.REG

Double-click the resulting fix file and add it to the registry....
eMachines E730G - Core i5-430M, 2GiB RAM, ATI Mobility Radeon HD5470, WD 320GiB; Cort Z-44, DR 0.09-0.42, Peavey Backstage
Mac OS X 10.7.4 Lion // Windows 7 Professional x64 // I DO NOT HELP VIA PM/GG/E-MAIL
"My Ego and Anima meet and exchange cookie recipes" - Maynard James Keenan



Posted by marjano82 30 Jun 2008, 11:33

and what is this for, and how does it relate to the matter of the viruses on the disk? not that I doubt your knowledge, but I want to know what and how :)

[ Added: Today at 11:45 ]
I applied the fix to the registry. should I make another ComboFix log?



Posted by Dzi@dek 30 Jun 2008, 11:47

marjano82 wrote: should I make another ComboFix log

Yes - do it.


