Logs, computer and data security. Antivirus and antispyware programs, firewalls, etc.

Forum rules

1. Every topic title should reflect the content of the thread.
2. When pasting logs, produce them right away with at least two tools: FRST and GMER.
3. Please publish all logs on sites intended for that purpose and paste only the link in your post.
4. Do not shorten logs; paste the whole log, from beginning to end.
5. Do not piggyback on other users' threads; start a new thread in the Security section, which makes it easier for the person checking the logs to help.
6. People without the appropriate knowledge should not check logs, because this risks serious damage to the system or to the applications installed on the computer.
7. Describe the problem precisely, including the symptoms that occur and any actions you have already taken.
8. Every script is unique, written for each case separately, so it must not be used by others.
9. When posting a screenshot, please use an external image-hosting service.

Problem with Virtumonde

30 Mar 2008, 02:52

I tried to get rid of this trojan by scanning while running in safe mode. Everything seems to be fine, but I'd still prefer someone to cast an 'expert' eye over it. :)

ComboFix log
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.414 [GMT 1:00]
Running from: C:\Documents and Settings\XXX\Pulpit\ComboFix.exe
* Created a new restore point
* Resident AV is active
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\myglobalsearch
C:\Program Files\myglobalsearch\bar\1.bin\MGSBAR.DLL
C:\WINDOWS\system32\awtsrpp.dll
C:\WINDOWS\system32\bjgvqdwj.ini
C:\WINDOWS\system32\bxscscsc.ini
C:\WINDOWS\system32\chknshec.dll
C:\WINDOWS\system32\demsgvts.ini
C:\WINDOWS\system32\dkuxyjbl.dll
C:\WINDOWS\system32\dpunikrf.ini
C:\WINDOWS\system32\fgaxobbo.dll
C:\WINDOWS\system32\fptmndlm.dll
C:\WINDOWS\system32\ftmehoox.dll
C:\WINDOWS\system32\fwekeaux.ini
C:\WINDOWS\system32\imedfosc.dll
C:\WINDOWS\system32\kwixusxc.dll
C:\WINDOWS\system32\ldehjsnk.dll
C:\WINDOWS\system32\lymwkscq.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\nohypigq.dll
C:\WINDOWS\system32\oqtss.ini
C:\WINDOWS\system32\oqtss.ini2
C:\WINDOWS\system32\qcskwmyl.dll
C:\WINDOWS\system32\rvtkbanr.dll
C:\WINDOWS\system32\sstqo.dll
C:\WINDOWS\system32\tgajxflt.dll
C:\WINDOWS\system32\ynfcjbbt.ini

.
((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-30 )))))))))))))))))))))))))))))))
.

2008-03-29 23:07 . 2008-03-29 23:08 <DIR> d-------- C:\Program Files\Boilsoft ASF Converter
2008-03-29 23:02 . 2008-03-29 23:02 <DIR> d-------- C:\Program Files\AsfTools
2008-03-29 16:52 . 2008-03-29 16:51 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys
2008-03-29 16:52 . 2008-03-29 16:51 298,104 --a------ C:\WINDOWS\system32\imon.dll
2008-03-29 16:52 . 2008-03-29 16:51 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys
2008-03-29 16:51 . 2008-03-29 16:51 <DIR> d-------- C:\Program Files\ESET
2008-03-25 20:31 . 2008-03-25 20:31 <DIR> d-------- C:\Program Files\CamStudio
2008-03-25 20:21 . 2008-03-25 20:21 <DIR> d-------- C:\Program Files\Fraps
2008-03-25 20:21 . 2008-03-25 20:21 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Dane aplikacji\TEMP
2008-03-25 20:13 . 2008-03-25 20:13 <DIR> d-------- C:\WINDOWS\system32\QuickTimeVR.Resources
2008-03-25 20:13 . 2008-03-25 20:13 <DIR> d-------- C:\WINDOWS\system32\QuickTime.Resources
2008-03-25 20:13 . 2008-03-25 20:13 <DIR> d-------- C:\WINDOWS\system32\QuickTime
2008-03-25 20:12 . 2008-03-25 20:12 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Dane aplikacji\Apple Computer
2008-03-25 20:00 . 2008-03-25 20:00 <DIR> d-------- C:\Program Files\HyCam2
2008-03-25 00:23 . 2008-03-25 00:23 <DIR> d-------- C:\FINAť LM 00
2008-03-24 21:54 . 2008-03-24 21:54 691,545 --a------ C:\WINDOWS\unins000.exe
2008-03-24 21:54 . 2008-03-24 21:55 2,565 --a------ C:\WINDOWS\unins000.dat
2008-03-21 21:54 . 2008-03-21 21:54 <DIR> d-------- C:\Documents and Settings\XXX\Dane aplikacji\MEGAUPLOADTOOLBAR
2008-03-20 23:15 . 2008-03-21 23:16 1,331,832 ---hs---- C:\WINDOWS\system32\dhmpksyg.ini
2008-03-20 20:15 . 2008-03-20 20:15 <DIR> d-------- C:\Program Files\X-Chat 2
2008-03-20 20:15 . 2008-03-20 20:15 <DIR> d-------- C:\Documents and Settings\XXX\Dane aplikacji\X-Chat 2
2008-03-20 20:11 . 2008-03-20 20:11 <DIR> d-------- C:\Program Files\ruby_2
2008-03-20 20:11 . 2008-03-20 20:11 <DIR> d-------- C:\Program Files\Ruby
2008-03-20 16:01 . 2008-03-29 23:53 116 --a------ C:\WINDOWS\NeroDigital.ini
2008-03-20 15:20 . 2004-07-26 16:16 1,568,768 --------- C:\WINDOWS\system32\ImagX7.dll
2008-03-20 15:20 . 2004-07-26 16:16 476,320 --------- C:\WINDOWS\system32\ImagXpr7.dll
2008-03-20 15:20 . 2004-07-26 16:16 471,040 --------- C:\WINDOWS\system32\ImagXRA7.dll
2008-03-20 15:20 . 2004-07-26 16:16 262,144 --------- C:\WINDOWS\system32\ImagXR7.dll
2008-03-20 15:20 . 2001-07-09 10:50 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2008-03-20 15:20 . 2004-03-02 16:37 125,184 --------- C:\WINDOWS\system32\drivers\imagesrv.sys
2008-03-20 15:20 . 2000-06-26 10:45 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll
2008-03-20 15:20 . 2004-03-02 16:37 5,504 --------- C:\WINDOWS\system32\drivers\imagedrv.sys
2008-03-19 23:15 . 2008-03-20 22:21 2,177,233 ---hs---- C:\WINDOWS\system32\wxgloqqj.ini
2008-03-19 21:02 . 2008-03-19 21:02 <DIR> d-------- C:\Documents and Settings\XXX\Dane aplikacji\TVU Networks
2008-03-19 21:02 . 2008-03-19 21:02 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Dane aplikacji\TVU Networks
2008-03-18 23:57 . 2008-03-19 18:27 1,361,100 ---hs---- C:\WINDOWS\system32\grkcgaja.ini
2008-03-17 23:56 . 2008-03-18 23:31 1,360,500 ---hs---- C:\WINDOWS\system32\tlqfekan.ini
2008-03-17 18:52 . 2008-03-17 18:52 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-03-17 01:21 . 2008-03-17 01:21 <DIR> d-------- C:\Documents and Settings\XXX\Dane aplikacji\uTorrent
2008-03-16 23:58 . 2008-03-17 20:02 1,367,695 ---hs---- C:\WINDOWS\system32\vejmfvgy.ini
2008-03-15 23:57 . 2008-03-16 23:58 1,367,453 ---hs---- C:\WINDOWS\system32\auwficcs.ini
2008-03-15 01:10 . 2008-03-15 01:10 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Dane aplikacji\Spybot - Search & Destroy
2008-03-14 23:53 . 2008-03-15 20:57 1,367,215 ---hs---- C:\WINDOWS\system32\svqvgbkk.ini
2008-03-14 23:52 . 2008-03-14 23:52 63 --a------ C:\WINDOWS\system32\acaceb1d
2008-03-14 23:50 . 2008-03-14 23:50 <DIR> d-------- C:\Program Files\KONAMI
2008-03-14 21:50 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-03-14 21:04 . 2008-03-14 17:02 3,808,727 --a------ C:\WINDOWS\Mestallapanoramic4.jpg
2008-03-14 20:59 . 2004-08-04 02:44 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-03-14 20:56 . 2006-10-16 16:10 23,856 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-03-14 19:38 . 2008-03-14 19:38 <DIR> d-------- C:\Documents and Settings\XXX\Dane aplikacji\Skype
2008-03-13 15:29 . 2008-03-01 21:39 704,537 --a------ C:\WINDOWS\57337_poster2000.jpg
2008-03-13 01:58 . 2008-03-13 01:58 <DIR> d-------- C:\Program Files\Deutsch Translator 2
2008-03-13 01:57 . 2008-03-15 02:03 100 --a------ C:\WINDOWS\wininit.ini
2008-03-12 21:15 . 2008-03-12 21:15 1,158 --a------ C:\WINDOWS\mozver.dat
2008-03-12 20:57 . 2008-03-12 20:57 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Dane aplikacji\FLEXnet
2008-03-12 20:22 . 2006-10-26 19:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2008-03-12 20:18 . 2008-03-12 20:18 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Dane aplikacji\Microsoft Help
2008-03-12 20:17 . 2008-03-12 20:17 <DIR> dr-h----- C:\MSOCache
2008-03-12 20:14 . 2008-03-12 20:14 <DIR> d-------- C:\Documents and Settings\XXX\Dane aplikacji\vlc
2008-03-12 20:08 . 2008-03-12 20:08 <DIR> d-------- C:\Documents and Settings\XXX\Dane aplikacji\Gadu-Gadu
2008-03-12 20:01 . 2008-03-12 20:01 <DIR> d-------- C:\Documents and Settings\XXX\Dane aplikacji\The Bat!
2008-03-12 19:55 . 2008-03-12 19:55 <DIR> d-------- C:\Documents and Settings\XXX\Dane aplikacji\stamina
2008-03-12 19:48 . 2007-01-30 06:03 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-03-12 19:48 . 2007-01-20 21:26 1,565,480 --a------ C:\WINDOWS\system32\wmv9vcm.dll
2008-03-12 19:48 . 2007-01-30 06:03 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2008-03-12 19:48 . 2006-11-01 14:52 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-03-12 19:48 . 2007-02-01 05:56 639,066 --a------ C:\WINDOWS\system32\divx.dll
2008-03-12 19:48 . 2007-01-30 06:03 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2008-03-12 19:48 . 2007-01-30 05:56 196,608 --a------ C:\WINDOWS\system32\dtu100.dll
2008-03-12 19:48 . 2006-11-01 14:54 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2008-03-12 19:48 . 2006-05-13 23:16 118,784 --a------ C:\WINDOWS\system32\ac3acm.acm
2008-03-12 19:48 . 2007-01-30 05:56 73,728 --a------ C:\WINDOWS\system32\dpl100.dll
2008-03-12 19:47 . 2007-03-14 02:04 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-12 19:24 . 2008-03-12 19:24 <DIR> d-------- C:\Program Files\ffdshow
2008-03-12 19:24 . 2007-07-28 09:56 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-03-12 19:24 . 2007-07-28 09:56 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2008-03-12 19:24 . 2007-07-28 09:56 60,273 --a------ C:\WINDOWS\system32\pthreadGC2.dll
2008-03-12 19:24 . 2007-07-28 09:56 7,680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2008-03-12 19:24 . 2007-07-28 09:56 6,144 --a------ C:\WINDOWS\system32\ff_acm.acm
2008-03-12 19:24 . 2007-07-28 09:56 547 --a------ C:\WINDOWS\system32\ff_vfw.dll.manifest
2008-03-12 19:09 . 2008-03-12 20:08 685,816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-03-12 18:54 . 2001-10-26 16:27 19,456 --a------ C:\WINDOWS\system32\dllcache\agt0404.dll
2008-03-12 18:53 . 2001-07-21 21:20 195,618 --a------ C:\WINDOWS\system32\dllcache\c_10002.nls
2008-03-12 18:53 . 2001-07-21 21:20 189,986 --a------ C:\WINDOWS\system32\dllcache\c_1361.nls
2008-03-12 18:53 . 2001-07-21 21:20 177,698 --a------ C:\WINDOWS\system32\dllcache\c_10003.nls
2008-03-12 18:53 . 2001-07-21 21:20 173,602 --a------ C:\WINDOWS\system32\dllcache\c_10008.nls
2008-03-12 18:53 . 2001-10-26 16:27 19,456 --a------ C:\WINDOWS\system32\dllcache\agt0804.dll
2008-03-12 18:53 . 2001-10-26 16:27 19,456 --a------ C:\WINDOWS\system32\dllcache\agt0412.dll
2008-03-12 18:47 . 2001-07-21 21:20 66,594 --a------ C:\WINDOWS\system32\dllcache\c_869.nls
2008-03-12 18:27 . 2008-03-12 18:27 940,794 --a------ C:\WINDOWS\system32\LoopyMusic.wav
2008-03-12 18:27 . 2008-03-12 18:27 146,650 --a------ C:\WINDOWS\system32\BuzzingBee.wav
2008-03-12 18:24 . 2008-03-30 01:22 129 --a------ C:\WINDOWS\winamp.ini
2008-03-12 18:23 . 2008-03-12 18:23 <DIR> d-------- C:\Documents and Settings\XXX\Stellarium
2008-03-12 18:23 . 2008-03-12 18:23 <DIR> d-------- C:\Documents and Settings\XXX\Phone Browser
2008-03-12 18:23 . 2008-03-12 18:23 <DIR> d-------- C:\Documents and Settings\XXX\Gadu-Gadu
2008-03-12 18:23 . 2008-03-12 18:23 <DIR> d-------- C:\Documents and Settings\XXX\.drdivx2
2008-03-12 18:22 . 2008-03-12 18:22 0 --a------ C:\WINDOWS\nsreg.dat
2008-03-12 18:15 . 2008-03-29 23:56 4,421 --a------ C:\WINDOWS\WINCMD.INI
2008-03-12 18:13 . 2008-03-12 18:13 <DIR> d-------- C:\Program Files\NVIDIA Corporation
2008-03-12 18:13 . 2008-03-12 18:14 1,024 --a------ C:\.rnd

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-10 23:14 1,572,864 ---ha-w C:\Documents and Settings\NetworkService.ZARZąDZANIE NT\NTUSER.DAT
2008-03-10 23:14 1,572,864 ---ha-w C:\Documents and Settings\LocalService.ZARZąDZANIE NT\NTUSER.DAT
2008-01-28 14:41 --------- d-----w C:\Program Files\TransEsp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-06-28 21:15 2101248]
"STYLEXP"="C:\Program Files\TGTSoft\StyleXP\StyleXP.exe" [2006-05-24 19:31 1372160]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 22:44 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-03-29 16:51 949376]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-19 13:26 7700480]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 22:44 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtsrpp]
awtsrpp.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\sstqo.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Menu Start^Programy^Autostart^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Menu Start\Programy\Autostart\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\acacf993]
C:\WINDOWS\system32\qcskwmyl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2004-08-03 22:44 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2007-09-18 15:16 171464 C:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-27 00:47 31016 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-03 20:32 208952 C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nTrayFw]
--a------ 2005-04-29 18:22 266240 C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-04-19 13:26 7700480 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-04-19 13:26 86016 C:\WINDOWS\system32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-04-19 13:26 1626112 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2004-08-03 20:32 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2004-08-03 20:32 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-25 20:13 114688 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\mrofinu1535.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2006-08-03 05:12 577536 C:\WINDOWS\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\STYLEXP]
--a------ 2006-05-24 19:31 1372160 C:\Program Files\TGTSoft\StyleXP\StyleXP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-03-14 03:43 83608 C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\thebat_startup]
--a------ 2007-04-23 12:54 11548152 C:\Program Files\The Bat!\thebat.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Microsoft Office Groove Audit Service"=3 (0x3)
"odserv"=3 (0x3)
"LEC TranslateDotNet Server"=2 (0x2)
"Bonjour Service"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"E:\\GRY\\PES 2008v.2\\PES2008.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=


.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-30 01:23:37
Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\wscntfy.exe


HijackThis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:40:50, on 2008-03-30
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\The Bat!\thebat.exe
C:\Documents and Settings\xxx\Pulpit\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O3 - Toolbar: &Tłumaczenie - {0D704FAD-66E9-4F0A-BFED-4F665770DDB3} - C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Wyślij do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Wyślij &do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {B46B0919-62BA-4D99-A5C4-916B57A6805C} - C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll,-103 - {B46B0919-62BA-4D99-A5C4-916B57A6805C} - C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: awtsrpp - awtsrpp.dll (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

30 Mar 2008, 11:20

Paste into Notepad:
File::
C:\WINDOWS\system32\grkcgaja.ini
C:\WINDOWS\system32\wxgloqqj.ini
C:\WINDOWS\system32\tlqfekan.ini
C:\WINDOWS\system32\vejmfvgy.ini
C:\WINDOWS\system32\auwficcs.ini
C:\WINDOWS\system32\svqvgbkk.ini
C:\.rnd
C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL



>>File>>Save as... >>> CFScript (it will be most convenient if you save it in a location where the CFScript.txt icon ends up next to the ComboFix.exe icon)
Drag and drop the CFScript.txt file onto ComboFix.exe (that is, the CFScript.txt icon onto the ComboFix.exe icon)
as in this picture (image not reproduced here)
(if the question "1 or 2" appears, type 1 and press ENTER). The removal should begin (and a log will be created).
After the restart, manually delete the folder C:\Qoobox.
After that, post a new ComboFix log.
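The reply above picks out, by eye, the hidden+system (---hs----) .ini files with random eight-letter names in system32 from the "Files Created" section. As an added example (not from this thread, ComboFix or its authors), the script below parses ComboFix entry lines, applies that selection rule, and renders the matching paths as a File:: block; the rule itself and the sample lines are assumptions modelled on the log above, and a helper would still review the output by hand before using it.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in ComboFix "Files Created" format, modelled on the lines
# the reply above singles out; a section header and "." filler are included to
# show that non-entry lines are skipped.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-30 )))))))))))))))))))))))))))))))
.
2008-03-20 23:15 . 2008-03-21 23:16 1,331,832 ---hs---- C:\WINDOWS\system32\dhmpksyg.ini
2008-03-20 20:15 . 2008-03-20 20:15 <DIR> d-------- C:\Program Files\X-Chat 2
2008-03-19 23:15 . 2008-03-20 22:21 2,177,233 ---hs---- C:\WINDOWS\system32\wxgloqqj.ini
2008-03-18 23:57 . 2008-03-19 18:27 1,361,100 ---hs---- C:\WINDOWS\system32\grkcgaja.ini
2008-03-14 20:59 . 2004-08-04 02:44 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-03-12 20:17 . 2008-03-12 20:17 <DIR> dr-h----- C:\MSOCache
2008-03-12 18:13 . 2008-03-12 18:14 1,024 --a------ C:\.rnd
""".strip()

# One entry: "<created> . <modified> <size or <DIR>> <9-char attribute string> <path>"
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) "
    r"(?P<attrs>[a-z-]{9}) "
    r"(?P<path>\S.*)$"
)

# Assumed heuristic: eight random lowercase letters plus .ini/.dll, the shape
# of the names chosen in the reply above.
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.(ini|dll)$")
SYSTEM32 = "c:\\windows\\system32\\"


@dataclass(frozen=True)
class Entry:
    created: str
    modified: str
    size: Optional[int]  # None for directories
    attrs: str           # e.g. "---hs----": d=dir, r=read-only, a=archive, h=hidden, s=system
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def hidden(self) -> bool:
        return "h" in self.attrs

    @property
    def system(self) -> bool:
        return "s" in self.attrs

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one log line; return None for headers, filler and blank lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
    return Entry(m["created"], m["modified"], size, m["attrs"], m["path"])


def parse_log(text: str) -> List[Entry]:
    return [e for e in map(parse_entry, text.splitlines()) if e is not None]


def is_vundo_like(e: Entry) -> bool:
    """Hidden+system file in system32 with a random-looking name (assumed rule)."""
    return (
        not e.is_dir
        and e.hidden
        and e.system
        and e.path.lower().startswith(SYSTEM32)
        and RANDOM_NAME_RE.match(e.name.lower()) is not None
    )


def suspicious_entries(text: str) -> List[Entry]:
    return [e for e in parse_log(text) if is_vundo_like(e)]


def build_cfscript(entries: List[Entry]) -> str:
    """Render a File:: section in the form used in the reply above."""
    return "File::\n" + "\n".join(e.path for e in entries) + "\n"


if __name__ == "__main__":
    hits = suspicious_entries(SAMPLE_LOG)
    for e in hits:
        print(f"{e.path}  size={e.size}  attrs={e.attrs}")
    print(build_cfscript(hits))
```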

31 Mar 2008, 00:40

New log:

((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-30 )))))))))))))))))))))))))))))))
.

2008-03-30 01:25 . 2008-03-30 01:25 <DIR> d-------- C:\Documents and Settings\GoťŠ\Ustawienia lokalne
2008-03-29 23:07 . 2008-03-29 23:08 <DIR> d-------- C:\Program Files\Boilsoft ASF Converter
2008-03-29 23:02 . 2008-03-29 23:02 <DIR> d-------- C:\Program Files\AsfTools
2008-03-29 16:52 . 2008-03-29 16:51 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys
2008-03-29 16:52 . 2008-03-29 16:51 298,104 --a------ C:\WINDOWS\system32\imon.dll
2008-03-29 16:52 . 2008-03-29 16:51 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys
2008-03-29 16:51 . 2008-03-29 16:51 <DIR> d-------- C:\Program Files\ESET
2008-03-25 20:31 . 2008-03-25 20:31 <DIR> d-------- C:\Program Files\CamStudio
2008-03-25 20:21 . 2008-03-25 20:21 <DIR> d-------- C:\Program Files\Fraps
2008-03-25 20:21 . 2008-03-25 20:21 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Dane aplikacji\TEMP
2008-03-25 20:13 . 2008-03-25 20:13 <DIR> d-------- C:\WINDOWS\system32\QuickTimeVR.Resources
2008-03-25 20:13 . 2008-03-25 20:13 <DIR> d-------- C:\WINDOWS\system32\QuickTime.Resources
2008-03-25 20:13 . 2008-03-25 20:13 <DIR> d-------- C:\WINDOWS\system32\QuickTime
2008-03-25 20:12 . 2008-03-25 20:12 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Dane aplikacji\Apple Computer
2008-03-25 20:00 . 2008-03-25 20:00 <DIR> d-------- C:\Program Files\HyCam2
2008-03-24 21:54 . 2008-03-24 21:54 691,545 --a------ C:\WINDOWS\unins000.exe
2008-03-24 21:54 . 2008-03-24 21:55 2,565 --a------ C:\WINDOWS\unins000.dat
2008-03-21 21:54 . 2008-03-21 21:54 <DIR> d-------- C:\Documents and Settings\XXX\Dane aplikacji\MEGAUPLOADTOOLBAR
2008-03-20 23:15 . 2008-03-21 23:16 1,331,832 ---hs---- C:\WINDOWS\system32\dhmpksyg.ini
2008-03-20 20:15 . 2008-03-20 20:15 <DIR> d-------- C:\Program Files\X-Chat 2
2008-03-20 20:15 . 2008-03-20 20:15 <DIR> d-------- C:\Documents and Settings\XXX\Dane aplikacji\X-Chat 2
2008-03-20 20:11 . 2008-03-20 20:11 <DIR> d-------- C:\Program Files\ruby_2
2008-03-20 20:11 . 2008-03-20 20:11 <DIR> d-------- C:\Program Files\Ruby
2008-03-20 16:01 . 2008-03-30 19:38 116 --a------ C:\WINDOWS\NeroDigital.ini
2008-03-20 15:20 . 2004-07-26 16:16 1,568,768 --------- C:\WINDOWS\system32\ImagX7.dll
2008-03-20 15:20 . 2004-07-26 16:16 476,320 --------- C:\WINDOWS\system32\ImagXpr7.dll
2008-03-20 15:20 . 2004-07-26 16:16 471,040 --------- C:\WINDOWS\system32\ImagXRA7.dll
2008-03-20 15:20 . 2004-07-26 16:16 262,144 --------- C:\WINDOWS\system32\ImagXR7.dll
2008-03-20 15:20 . 2001-07-09 10:50 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2008-03-20 15:20 . 2004-03-02 16:37 125,184 --------- C:\WINDOWS\system32\drivers\imagesrv.sys
2008-03-20 15:20 . 2000-06-26 10:45 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll
2008-03-20 15:20 . 2004-03-02 16:37 5,504 --------- C:\WINDOWS\system32\drivers\imagedrv.sys
2008-03-19 21:02 . 2008-03-19 21:02 <DIR> d-------- C:\Documents and Settings\XXX\Dane aplikacji\TVU Networks
2008-03-19 21:02 . 2008-03-19 21:02 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Dane aplikacji\TVU Networks
2008-03-17 18:52 . 2008-03-17 18:52 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-03-17 01:21 . 2008-03-17 01:21 <DIR> d-------- C:\Documents and Settings\XXX\Dane aplikacji\uTorrent
2008-03-15 01:10 . 2008-03-15 01:10 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Dane aplikacji\Spybot - Search & Destroy
2008-03-14 23:52 . 2008-03-14 23:52 63 --a------ C:\WINDOWS\system32\acaceb1d
2008-03-14 23:50 . 2008-03-14 23:50 <DIR> d-------- C:\Program Files\KONAMI
2008-03-14 21:50 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-03-14 21:04 . 2008-03-14 17:02 3,808,727 --a------ C:\WINDOWS\Mestallapanoramic4.jpg
2008-03-14 20:59 . 2004-08-04 02:44 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-03-14 20:56 . 2006-10-16 16:10 23,856 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-03-14 19:38 . 2008-03-14 19:38 <DIR> d-------- C:\Documents and Settings\XXX\Dane aplikacji\Skype
2008-03-13 15:29 . 2008-03-01 21:39 704,537 --a------ C:\WINDOWS\57337_poster2000.jpg
2008-03-13 01:58 . 2008-03-13 01:58 <DIR> d-------- C:\Program Files\Deutsch Translator 2
2008-03-13 01:57 . 2008-03-15 02:03 100 --a------ C:\WINDOWS\wininit.ini
2008-03-12 21:15 . 2008-03-12 21:15 1,158 --a------ C:\WINDOWS\mozver.dat
2008-03-12 20:57 . 2008-03-12 20:57 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Dane aplikacji\FLEXnet
2008-03-12 20:22 . 2006-10-26 19:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2008-03-12 20:18 . 2008-03-12 20:18 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Dane aplikacji\Microsoft Help
2008-03-12 20:17 . 2008-03-12 20:17 <DIR> dr-h----- C:\MSOCache
2008-03-12 20:14 . 2008-03-12 20:14 <DIR> d-------- C:\Documents and Settings\XXX\Dane aplikacji\vlc
2008-03-12 20:08 . 2008-03-12 20:08 <DIR> d-------- C:\Documents and Settings\XXX\Dane aplikacji\Gadu-Gadu
2008-03-12 20:01 . 2008-03-12 20:01 <DIR> d-------- C:\Documents and Settings\XXX\Dane aplikacji\The Bat!
2008-03-12 19:55 . 2008-03-12 19:55 <DIR> d-------- C:\Documents and Settings\XXX\Dane aplikacji\stamina
2008-03-12 19:48 . 2007-01-30 06:03 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-03-12 19:48 . 2007-01-20 21:26 1,565,480 --a------ C:\WINDOWS\system32\wmv9vcm.dll
2008-03-12 19:48 . 2007-01-30 06:03 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2008-03-12 19:48 . 2006-11-01 14:52 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-03-12 19:48 . 2007-02-01 05:56 639,066 --a------ C:\WINDOWS\system32\divx.dll
2008-03-12 19:48 . 2007-01-30 06:03 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2008-03-12 19:48 . 2007-01-30 05:56 196,608 --a------ C:\WINDOWS\system32\dtu100.dll
2008-03-12 19:48 . 2006-11-01 14:54 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2008-03-12 19:48 . 2006-05-13 23:16 118,784 --a------ C:\WINDOWS\system32\ac3acm.acm
2008-03-12 19:48 . 2007-01-30 05:56 73,728 --a------ C:\WINDOWS\system32\dpl100.dll
2008-03-12 19:47 . 2007-03-14 02:04 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-12 19:24 . 2008-03-12 19:24 <DIR> d-------- C:\Program Files\ffdshow
2008-03-12 19:24 . 2007-07-28 09:56 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-03-12 19:24 . 2007-07-28 09:56 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2008-03-12 19:24 . 2007-07-28 09:56 60,273 --a------ C:\WINDOWS\system32\pthreadGC2.dll
2008-03-12 19:24 . 2007-07-28 09:56 7,680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2008-03-12 19:24 . 2007-07-28 09:56 6,144 --a------ C:\WINDOWS\system32\ff_acm.acm
2008-03-12 19:24 . 2007-07-28 09:56 547 --a------ C:\WINDOWS\system32\ff_vfw.dll.manifest
2008-03-12 19:09 . 2008-03-12 20:08 685,816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-03-12 18:54 . 2001-10-26 16:27 19,456 --a------ C:\WINDOWS\system32\dllcache\agt0404.dll
2008-03-12 18:53 . 2001-07-21 21:20 195,618 --a------ C:\WINDOWS\system32\dllcache\c_10002.nls
2008-03-12 18:53 . 2001-07-21 21:20 189,986 --a------ C:\WINDOWS\system32\dllcache\c_1361.nls
2008-03-12 18:53 . 2001-07-21 21:20 177,698 --a------ C:\WINDOWS\system32\dllcache\c_10003.nls
2008-03-12 18:53 . 2001-07-21 21:20 173,602 --a------ C:\WINDOWS\system32\dllcache\c_10008.nls
2008-03-12 18:53 . 2001-10-26 16:27 19,456 --a------ C:\WINDOWS\system32\dllcache\agt0804.dll
2008-03-12 18:53 . 2001-10-26 16:27 19,456 --a------ C:\WINDOWS\system32\dllcache\agt0412.dll
2008-03-12 18:47 . 2001-07-21 21:20 66,594 --a------ C:\WINDOWS\system32\dllcache\c_869.nls
2008-03-12 18:27 . 2008-03-12 18:27 940,794 --a------ C:\WINDOWS\system32\LoopyMusic.wav
2008-03-12 18:27 . 2008-03-12 18:27 146,650 --a------ C:\WINDOWS\system32\BuzzingBee.wav
2008-03-12 18:24 . 2008-03-31 00:29 129 --a------ C:\WINDOWS\winamp.ini
2008-03-12 18:23 . 2008-03-12 18:23 <DIR> d-------- C:\Documents and Settings\XXX\Stellarium
2008-03-12 18:23 . 2008-03-12 18:23 <DIR> d-------- C:\Documents and Settings\XXX\Phone Browser
2008-03-12 18:23 . 2008-03-12 18:23 <DIR> d-------- C:\Documents and Settings\XXX\Gadu-Gadu
2008-03-12 18:23 . 2008-03-12 18:23 <DIR> d-------- C:\Documents and Settings\XXX\.drdivx2
2008-03-12 18:22 . 2008-03-12 18:22 0 --a------ C:\WINDOWS\nsreg.dat
2008-03-12 18:15 . 2008-03-30 19:43 4,374 --a------ C:\WINDOWS\WINCMD.INI
2008-03-12 18:13 . 2008-03-12 18:13 <DIR> d-------- C:\Program Files\NVIDIA Corporation
2008-03-12 18:13 . 2008-03-12 18:13 22 --a------ C:\WINDOWS\FileName
2008-03-12 18:12 . 2005-06-03 15:09 454,656 --a------ C:\WINDOWS\system32\CapabilityTable.exe
2008-03-12 18:12 . 2005-05-13 10:52 176,128 --a------ C:\WINDOWS\system32\nvusmb.exe
2008-03-12 18:12 . 2005-06-03 15:07 176,128 --a------ C:\WINDOWS\system32\nvunrm.exe
2008-03-12 18:12 . 2005-02-08 14:26 3,596 --a------ C:\WINDOWS\system32\nvnrm.nvu
2008-03-12 18:12 . 2005-02-08 14:26 1,231 --a------ C:\WINDOWS\system32\nvsmb.nvu

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-28 13:41 --------- d-----w C:\Program Files\TransEsp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-06-28 21:15 2101248]
"STYLEXP"="C:\Program Files\TGTSoft\StyleXP\StyleXP.exe" [2006-05-24 19:31 1372160]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 22:44 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-03-29 16:51 949376]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-19 13:26 7700480]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 22:44 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtsrpp]
awtsrpp.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Menu Start^Programy^Autostart^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Menu Start\Programy\Autostart\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\acacf993]
C:\WINDOWS\system32\qcskwmyl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2004-08-03 22:44 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2007-09-18 15:16 171464 C:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-27 00:47 31016 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-03 20:32 208952 C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nTrayFw]
--a------ 2005-04-29 18:22 266240 C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-04-19 13:26 7700480 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-04-19 13:26 86016 C:\WINDOWS\system32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-04-19 13:26 1626112 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2004-08-03 20:32 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2004-08-03 20:32 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-25 20:13 114688 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\mrofinu1535.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2006-08-03 05:12 577536 C:\WINDOWS\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\STYLEXP]
--a------ 2006-05-24 19:31 1372160 C:\Program Files\TGTSoft\StyleXP\StyleXP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-03-14 03:43 83608 C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\thebat_startup]
--a------ 2007-04-23 12:54 11548152 C:\Program Files\The Bat!\thebat.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Microsoft Office Groove Audit Service"=3 (0x3)
"odserv"=3 (0x3)
"LEC TranslateDotNet Server"=2 (0x2)
"Bonjour Service"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"E:\\GRY\\PES 2008v.2\\PES2008.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=


.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-31 00:33:02
Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-31 0:33:23
ComboFix2.txt 2008-03-30 19:34:18
ComboFix-quarantined-files.txt 2008-03-30 22:33:22
Pre-Run: 787,005,440 bajtów wolnych
Post-Run: 777,207,808 bajtów wolnych


Btw, are there any unnecessary Windows features that can be safely disabled?

01 Apr 2008, 15:01

http://forum.instalki.pl/viewtopic.php? ... t=msconfig

There is still one file left to delete; it can be done manually (to the Recycle Bin):
C:\WINDOWS\system32\dhmpksyg.ini

Please post a follow-up log from HijackThis.

10 Apr 2008, 20:27

Post a new log from ComboFix and HijackThis

In the order I gave