Log z combofix

przez **wraq** » 06 Lut 2010, 21:05

ComboFix 10-02-05.04 - wraqs 2010-02-06 19:44:37.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1250.48.1045.18.1535.1175 [GMT 1:00]
Uruchomiony z: c:\documents and settings\wraqs\Pulpit\ComboFix.exe
AV: System antywirusowy NOD32 2.70 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\wraqs\Dane aplikacji\wiaserva.log
C:\Thumbs.db
c:\windows\system32\twain_32.dll

.
((((((((((((((((((((((((((((((((((((((( Sterowniki/Usługi )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_glaide32

((((((((((((((((((((((((( Pliki utworzone od 2010-01-06 do 2010-02-06 )))))))))))))))))))))))))))))))
.

2010-02-06 18:34 . 2010-02-06 18:33 396288 ----a-w- c:\windows\system32\CF25614.exe
2010-02-01 17:51 . 2007-12-26 16:30 679936 ----a-w- c:\windows\system32\D3DX81ab.dll
2010-02-01 17:51 . 2007-12-26 16:30 1970176 ----a-w- c:\windows\system32\d3dx9.dll
2010-01-29 16:04 . 2010-01-29 16:04 -------- d-----w- c:\documents and settings\wraqs\Dane aplikacji\Charles
2010-01-20 19:14 . 2010-01-20 19:25 -------- d-----w- c:\documents and settings\wraqs\Dane aplikacji\Dev-Cpp
2010-01-20 19:12 . 2010-01-20 19:13 -------- d-----w- C:\Dev-Cpp
2010-01-17 06:46 . 2010-01-17 06:46 -------- d-sh--w- c:\documents and settings\wraqs\IECompatCache
2010-01-13 14:39 . 2009-11-21 16:03 471552 ------w- c:\windows\system32\dllcache\aclayers.dll

.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-06 15:24 . 2008-10-04 14:04 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-06 15:24 . 2009-06-11 16:30 -------- d-----w- c:\program files\Asprate
2010-02-06 14:39 . 2008-10-25 22:09 -------- d-----w- c:\program files\DC++
2010-02-06 10:47 . 2008-10-29 21:03 -------- d-----w- c:\program files\Microsoft Works
2010-02-06 10:43 . 2008-10-29 19:10 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Dane aplikacji\Microsoft Help
2010-02-04 18:17 . 2008-12-14 16:27 -------- d-----w- c:\program files\Lx_cats
2010-02-02 16:46 . 2009-02-12 18:42 -------- d-----w- c:\program files\ALLPlayer
2010-01-21 20:41 . 2009-04-02 19:40 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-18 15:21 . 2008-11-07 18:24 -------- d-----w- c:\documents and settings\wraqs\Dane aplikacji\GanymedeNet
2010-01-11 21:31 . 2008-11-07 18:22 -------- d-----w- c:\program files\Ganymede
2010-01-01 16:08 . 2009-02-27 22:34 -------- d-----w- c:\program files\DScaler
2009-12-31 18:13 . 2008-12-23 22:25 -------- d-----w- c:\documents and settings\wraqs\Dane aplikacji\BESTplayer
2009-12-29 14:46 . 2009-12-29 14:46 -------- d-----w- c:\documents and settings\wraqs\Dane aplikacji\Ashampoo
2009-12-29 14:45 . 2009-12-29 14:45 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Dane aplikacji\ashampoo
2009-12-29 14:44 . 2009-12-29 14:44 -------- d-----w- c:\program files\Ashampoo
2009-12-25 13:04 . 2008-10-09 18:41 -------- d-----w- c:\program files\Java
2009-12-25 13:03 . 2009-12-25 13:03 152576 ----a-w- c:\documents and settings\wraqs\Dane aplikacji\Sun\Java\jre1.6.0_17\lzma.dll
2009-12-25 13:01 . 2009-12-25 13:01 79488 ----a-w- c:\documents and settings\wraqs\Dane aplikacji\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-25 02:11 . 2001-10-26 18:15 84916 ----a-w- c:\windows\system32\perfc015.dat
2009-12-25 02:11 . 2001-10-26 18:15 493632 ----a-w- c:\windows\system32\perfh015.dat
2009-12-21 19:08 . 2006-06-23 11:16 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 16:03 . 2004-08-04 00:43 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
.

((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2008-12-03 1205760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]
"nwiz"="nwiz.exe" [2008-09-17 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2008-10-10 949376]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 790528]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2005-12-10 133016]
"lxcemon.exe"="c:\program files\Lexmark 4300 Series\lxcemon.exe" [2005-08-02 192512]
"LXCECATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll" [2005-07-20 73728]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ALLUpdate"="c:\program files\ALLPlayer\ALLUpdate.exe" "sleep"
"CTFMON.EXE"=c:\windows\system32\ctfmon.exe
"OscarEditor"="c:\program files\OSCAR Editor\OscarEditor.exe" Minimum
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"EzPrint"="c:\program files\Lexmark 4300 Series\ezprint.exe"
"NeroFilterCheck"=c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\DC++\\DCPlusPlus.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\KONAMI\\Pro Evolution Soccer 2009\\pes2009.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\Gadu-Gadu\\gg.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"c:\\Program Files\\Hamachi\\hamachi.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"d:\\Instalki\\sdf\\v19\\hl.exe"=
"f:\\Steam\\SteamApps\\groobass\\counter-strike\\hl.exe"=
"c:\\Documents and Settings\\wraqs\\Moje dokumenty\\Pobieranie\\ch\\Charles.exe"=

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2008-11-15 642560]
R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2008-10-10 15424]
R3 MouseCap;MouseCapture Driver;c:\windows\system32\drivers\MouseCap.sys [2005-08-08 6640]
S2 BT848;Conexant's BtPCI WDM Video Capture;c:\windows\system32\drivers\BT848.sys [2009-03-11 371349]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2009-02-24 13224]
S3 vhack;vhack;\??\c:\documents and settings\wraqs\Pulpit\vhack_v4\vhack.sys --> c:\documents and settings\wraqs\Pulpit\vhack_v4\vhack.sys [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Zawartość folderu 'Zaplanowane zadania'

2010-02-06 c:\windows\Tasks\Konserwacja 1 kliknięciem.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2009-05-14 13:56]

2010-02-06 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-09 20:18]
.
.
------- Skan uzupełniający -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&ksportuj do programu Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Post Image to Blog - c:\program files\ImageShackToolbar\ImageShackToolbar.dll/5003
IE: Tag This Image - c:\program files\ImageShackToolbar\ImageShackToolbar.dll/5002
IE: Transload Image to ImageShack - c:\program files\ImageShackToolbar\ImageShackToolbar.dll/5004
IE: Upload All Images to ImageShack - c:\program files\ImageShackToolbar\ImageShackToolbar.dll/5000
IE: Upload Image to ImageShack - c:\program files\ImageShackToolbar\ImageShackToolbar.dll/5001
FF - ProfilePath - c:\documents and settings\wraqs\Dane aplikacji\Mozilla\Firefox\Profiles\bhu9cud1.default\
FF - prefs.js: browser.startup.homepage - www.onet.pl
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPBILLARD8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npganymedenet.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMAKAOV2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPWORDS.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-06 19:54
Windows 5.1.2600 Dodatek Service Pack 3 NTFS

skanowanie ukrytych procesów ...

skanowanie ukrytych wpisów autostartu ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCECATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

skanowanie ukrytych plików ...

skanowanie pomyślnie ukończone
ukryte pliki: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe >>UNKNOWN [0x8A647450]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk

0x8a647450
\Driver\ACPI

ACPI.sys @ 0xf74c5cb8
\Driver\atapi

atapi.sys @ 0xf7843b40
IoDeviceObjectType

DeleteProcedure

ntoskrnl.exe @ 0x805e668e
ParseProcedure

ntoskrnl.exe @ 0x8057b6b1
\Device\Harddisk0\DR0

DeleteProcedure

ntoskrnl.exe @ 0x805e668e
ParseProcedure

ntoskrnl.exe @ 0x8057b6b1
NDIS: Marvell Yukon Gigabit Ethernet 10/100/1000Base-T Adapter, Coppe

SendCompleteHandler

NDIS.sys @ 0xf7a37bb0
PacketIndicateHandler

NDIS.sys @ 0xf7a44a21
SendHandler

NDIS.sys @ 0xf7a2287b
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------

- - - - - - - > 'explorer.exe'(3924)
c:\windows\system32\WININET.dll
c:\windows\system32\webcheck.dll
c:\program files\Gadu-Gadu\ggwhook.dll
.
------------------------ Pozostałe uruchomione procesy ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Eset\nod32krn.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\System32\TUProgSt.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\lxcecoms.exe
c:\program files\PC Connectivity Solution\ServiceLayer.exe
c:\program files\PC Connectivity Solution\Transports\NclUSBSrv.exe
c:\program files\PC Connectivity Solution\Transports\NclRSSrv.exe
c:\program files\Gadu-Gadu\gg.exe
.
**************************************************************************
.
Czas ukończenia: 2010-02-06 19:59:27 - komputer został uruchomiony ponownie
ComboFix-quarantined-files.txt 2010-02-06 18:59
ComboFix2.txt 2008-10-10 22:43

Przed: 3 513 606 144 bajtów wolnych
Po: 3 704 496 128 bajtów wolnych

WindowsXP-KB310994-SP2-Pro-BootDisk-PLK.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 9BCD582CA5470CF56D309A866180BDFE

przez **mateo8898** » 06 Lut 2010, 21:13

Wklej do notatnika:

Kod: Zaznacz wszystko: sc stop vhack sc delete vhack

Plik

Zapisz jako

Ustaw rozszerzenie z TXT na Wszystkie pliki

zapisz pod nazwą FIX.BAT

uruchom utworzony plik

Wklej do notatnika:

Kod: Zaznacz wszystko: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "nwiz"=- "SoundMAXPnP"=- "GrooveMonitor"=- "SunJavaUpdateSched"=- [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-] "ALLUpdate"=- [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-] "QuickTime Task"=- "iTunesHelper"=- "Adobe Reader Speed Launcher"=- "NeroFilterCheck"=-

Plik

Zapisz jako

Ustaw rozszerzenie z TXT na Wszystkie pliki

zapisz pod nazwą FIX.REG

uruchom utworzony plik i potwierdź

W logu nic więcej nie widzę.

Pobierz OTC uruchom i kliknij CleanUp

Przeczyść dysk oraz rejestr CCleaner

Wyłącz i włącz przywracanie systemu na wszystkich dyskach

Instrukcja

Wykonaj pełne skanowanie Malwarebytes' Anti-Malware - jeśli coś znajdzie usuń i daj raport

Log z combofix

Log z combofix

Re: Log z combofix

Kto jest na forum