I have the same problem as the lady before me. The symptoms are identical, and it all started this morning when I detected Hacker Defender 100 with the UnhackMe program (Greatis Software). After the suspicious files (keys?) were removed, the computer would no longer boot in normal mode. I am now running in safe mode and keep detecting some trojans (Agent-GT7, Monderb) with Spyware Terminator.
Please check the log:
ComboFix 08-08-10.02 - Maks 2008-08-11 13:48:34.1 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.308 [GMT 2:00]
Running from: D:\Virus\Instalki\Antivir\Combo Fix\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-07-11 to 2008-08-11 )))))))))))))))))))))))))))))))
.
2008-08-11 10:14 . 2008-08-11 10:15 <DIR> d-------- C:\RootkitNO
2008-08-09 19:04 . 2008-08-09 19:12 <DIR> d-------- C:\Documents and Settings\Maks\Dane aplikacji\U3
2008-08-03 00:53 . 2008-08-03 00:53 <DIR> d-------- C:\WINDOWS\RestoreSafeDeleted
2008-08-03 00:12 . 2008-08-03 00:12 38 --a------ C:\WINDOWS\pbMv.INI
2008-08-02 23:51 . 2008-08-02 23:56 88 -r-hs---- C:\Documents and Settings\All Users\Dane aplikacji\F4DCB114C3.sys
2008-08-02 23:50 . 2008-08-02 23:59 2,516 --ahs---- C:\Documents and Settings\All Users\Dane aplikacji\KGyGaAvL.sys
2008-07-31 21:50 . 2008-07-31 21:50 40 --ah----- C:\WINDOWS\system32\ivireg.ivr
2008-07-31 08:35 . 2005-09-20 17:27 10,368 --a------ C:\WINDOWS\system32\drivers\iviaspi.sys
2008-07-31 08:30 . 2008-07-31 08:30 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-07-31 08:30 . 2008-07-31 08:30 <DIR> d-------- C:\Program Files\Common Files\Real
2008-07-31 08:29 . 2008-07-31 08:29 <DIR> d-------- C:\Program Files\Real
2008-07-31 08:24 . 2008-07-31 08:24 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Corel
2008-07-31 08:18 . 2008-07-31 08:18 <DIR> d-------- C:\Program Files\InterVideo
2008-07-31 08:18 . 2008-07-31 08:18 <DIR> d-------- C:\Program Files\Common Files\Protexis
2008-07-31 08:18 . 2008-07-31 08:18 <DIR> d-------- C:\Program Files\Common Files\InterVideo
2008-07-31 08:17 . 2008-07-31 08:17 <DIR> d-------- C:\Program Files\Corel
2008-07-30 18:01 . 2008-07-30 18:01 <DIR> d-------- C:\WINDOWS\system32\backuped
2008-07-30 18:01 . 2008-07-30 19:12 <DIR> d-------- C:\Program Files\True Sword 4
2008-07-30 14:10 . 2008-07-30 14:10 <DIR> d-------- C:\Documents and Settings\Maks\Dane aplikacji\Orca Profiles
2008-07-30 13:52 . 2008-08-11 13:29 <DIR> d-------- C:\Program Files\Spyware Terminator
2008-07-30 13:52 . 2008-07-30 13:52 <DIR> d-------- C:\Program Files\Crawler
2008-07-30 13:52 . 2008-08-11 13:16 <DIR> d-------- C:\Documents and Settings\Maks\Dane aplikacji\Spyware Terminator
2008-07-30 13:52 . 2008-08-11 13:29 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Spyware Terminator
2008-07-30 13:52 . 2008-07-30 13:52 141,312 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2008-07-24 23:28 . 2008-07-27 12:32 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2008-07-24 23:23 . 2008-07-24 23:23 <DIR> d-------- C:\Program Files\Sony Setup
2008-07-24 18:13 . 2008-07-24 18:13 <DIR> d-------- C:\Program Files\Recovery Toolbox for Word
2008-07-24 18:05 . 2008-07-24 18:32 131 --ah----- C:\Documents and Settings\Maks\Dane aplikacji\Balzo.dat
2008-07-24 18:03 . 2008-07-24 18:09 <DIR> d-------- C:\Program Files\docXConverter
2008-07-24 00:37 . 2008-07-24 01:06 <DIR> d-------- C:\Documents and Settings\Maks\dwhelper
2008-07-20 12:23 . 2008-08-11 10:00 78 --a------ C:\WINDOWS\lsoon.ini
2008-07-19 21:21 . 2008-07-19 21:21 (2) -rahs-ot- C:\WINDOWS\winstart.bat
2008-07-19 21:06 . 2008-07-26 12:29 <DIR> d-------- C:\Documents and Settings\Maks\Dane aplikacji\Regrun
2008-07-19 21:06 . 2008-08-10 10:35 <DIR> d-------- C:\backreg
2008-07-19 20:51 . 2008-07-19 20:51 <DIR> d-------- C:\Program Files\Greatis
2008-07-19 20:51 . 2003-09-06 16:55 57,556 --a------ C:\WINDOWS\guard.bmp
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-11 08:18 48,704 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-08-11 08:18 3,797,024 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-08-11 08:00 --------- d-----w C:\Documents and Settings\Maks\Dane aplikacji\Skype
2008-08-02 21:57 --------- d-----w C:\Documents and Settings\Maks\Dane aplikacji\Corel
2008-07-31 06:34 --------- d-----w C:\Program Files\QuickTime
2008-07-31 06:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-30 11:06 --------- d-----w C:\Program Files\Opera
2008-07-22 20:36 1,011,200 ----a-w C:\WINDOWS\Internet Logs\xDBB.tmp
2008-07-20 16:49 2,032,128 ----a-w C:\WINDOWS\Internet Logs\xDBA.tmp
2008-07-20 13:36 2,029,568 ----a-w C:\WINDOWS\Internet Logs\xDB9.tmp
2008-07-09 07:05 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2008-07-09 07:05 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2005-12-17 12:31 28,200 ----a-w C:\Documents and Settings\Maks\Dane aplikacji\GDIPFONTCACHEV1.DAT
1999-07-15 10:14 948 ----a-w C:\Program Files\README.DOC
1999-07-15 10:14 6,356 ----a-w C:\Program Files\CLNSYS.DOC
1999-07-15 10:14 40,192 ----a-w C:\Program Files\CLNSYS.EXE
1999-07-15 10:14 389 ----a-w C:\Program Files\FILE_ID.DIZ
1998-12-21 17:47 85,504 ----a-w C:\Program Files\SETUP.EXE
1998-12-21 17:47 620 ----a-w C:\Program Files\SETUP.SET
1998-12-21 17:47 27,632 ----a-w C:\Program Files\CTL3DV2.DLL
2006-01-06 14:20 32 --sha-w C:\WINDOWS\{33488616-3AF5-4768-B7BE-23045A776341}.dat
2006-01-06 14:18 32 --sha-w C:\WINDOWS\{A0CFC56A-E4AB-485B-B2AC-25159C8A5A77}.dat
2006-01-06 14:18 32 --sha-w C:\WINDOWS\{AEC8C664-E6EE-4789-B3DF-7E5FA3949999}.dat
2006-01-06 14:19 32 --sha-w C:\WINDOWS\{BBDA05FF-588D-4C28-A77D-2DDEC5BEDA81}.dat
2006-01-06 14:21 32 --sha-w C:\WINDOWS\{C86DE6C0-19B3-4548-AD74-709093845C00}.dat
2006-01-06 14:18 32 --sha-w C:\WINDOWS\{EC98DEED-93E9-4B8D-8890-FD373514DE84}.dat
2006-01-06 14:18 32 --sha-w C:\WINDOWS\system32\{2D3A8781-B077-4144-98A1-58388123CC2F}.dat
2006-01-06 14:19 32 --sha-w C:\WINDOWS\system32\{83FA0760-622E-4E0C-8333-6C3C63A106F9}.dat
2006-01-06 14:18 32 --sha-w C:\WINDOWS\system32\{9BEF687A-18AA-4D79-8ED0-AE8521B2F2DE}.dat
2006-01-06 14:20 32 --sha-w C:\WINDOWS\system32\{E7487622-CC58-4B5B-A4DD-961880F8F9D9}.dat
2006-01-06 14:21 32 --sha-w C:\WINDOWS\system32\{ECCB7A38-329E-4430-80FB-F8A5F7C55A70}.dat
2006-01-06 14:18 32 --sha-w C:\WINDOWS\system32\{F0F0A758-404A-4533-A8AE-7120F0583E0E}.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2006-10-13 17:20 20058152]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Jet Detection"="C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe" [2001-11-29 01:00 28672]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2003-11-25 18:36 1232946]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2003-12-13 02:50 33792]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-12-08 18:35 32768]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 15:57 282624]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-16 01:19 79224]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 17:30 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 17:30 81920]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2008-03-15 01:50 233472]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 09:05 919016]
"WINDVDPatch"="CTHELPER.EXE" [2002-07-02 11:56 24576 C:\WINDOWS\system32\CTHELPER.EXE]
"Tweak UI"="TWEAKUI.CPL" [2003-03-25 06:49 106544 C:\WINDOWS\system32\tweakui.cpl]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:44 15360]
C:\Documents and Settings\Maks\Menu Start\Programy\Autostart\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]
C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE [1997-10-06 01:00:00 111376]
Uruchamianie pakietu Office.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [1997-10-06 01:00:00 51984]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= C:\WINDOWS\System32\ctmp3.acm
"vidc.ir41"= C:\WINDOWS\System32\ir41_32.ax
"vidc.DIVF"= DivX412.dll
"vidc.yv12"= C:\PROGRA~1\ACEMEG~1\SystemS\ATI\atiyuv12.DLL
"vidc.divx"= C:\PROGRA~1\ACEMEG~1\SystemS\DivX\DivX520.dll
"msacm.iac2"= C:\PROGRA~1\ACEMEG~1\SystemS\Intel\iac25_32.ax
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
R1 Asapi;Asapi;C:\WINDOWS\system32\drivers\Asapi.sys [2002-04-17 21:27]
S1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 16:35]
S1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\system32\drivers\sp_rsdrv2.sys [2008-07-30 13:52]
S2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 16:37]
S2 PSI_SVC_2;Protexis Licensing V2;C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe [2007-07-24 11:15]
S2 regi;regi;C:\WINDOWS\system32\drivers\regi.sys [2007-04-17 20:09]
S3 Partizan;Partizan;C:\WINDOWS\system32\drivers\Partizan.sys []
S3 XSWQPCA;XSWQPCA;C:\DOCUME~1\Maks\USTAWI~1\Temp\XSWQPCA.exe []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\LaunchU3.exe -a
*Newly Created Service* - CATCHME
*Newly Created Service* - SP_RSSRV
*Newly Created Service* - XSWQPCA
.
Contents of the 'Scheduled Tasks' folder
2008-08-11 C:\WINDOWS\Tasks\Startup Analyser.job
- C:\PROGRA~1\Greatis\REGRUN~1\TrojanAnalyser.exe []
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Maks\Dane aplikacji\Mozilla\Firefox\Profiles\w1n8vwi1.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPSignPlugin.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPZoneSB.dll
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-11 13:50:33
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe

.
Completion time: 2008-08-11 13:51:45
ComboFix-quarantined-files.txt 2008-08-11 11:51:29
Pre-Run: 13,324,718,080 bajtów wolnych
Post-Run: 13,339,156,480 bajtów wolnych
170 --- E O F --- 2008-03-11 22:57:55
Topic split.
Edit by Bozz