Hello,
please check my log. Some virus caused Google to stop working. After scanning with Kaspersky it removed the virus, but Google still did not work. After producing the log with ComboFix it started working, but it wants to run the library luedqias.dll? ComboFix blocked it.
Thanks in advance for your help
***
ComboFix 08-08-08.07 - USER 2008-08-09 15:39:34.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.465 [GMT 2:00]
Running from: C:\Documents and Settings\USER\Pulpit\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\BM535be7be.txt
C:\WINDOWS\BM535be7be.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\cdexixlm.dll
C:\WINDOWS\system32\diiylyur.dll
C:\WINDOWS\system32\ktrjswyc.ini
C:\WINDOWS\system32\kwquprke.ini
C:\WINDOWS\system32\lbpxgvyu.dll
C:\WINDOWS\system32\luedqias.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\nycjudsr.dll
C:\WINDOWS\system32\rscgejfv.ini
C:\WINDOWS\system32\rsdujcyn.ini
C:\WINDOWS\system32\TEMlSvut.ini
C:\WINDOWS\system32\TEMlSvut.ini2
C:\WINDOWS\system32\tuvSlMET.dll
C:\WINDOWS\system32\uyvgxpbl.ini
C:\WINDOWS\system32\x64
.
((((((((((((((((((((((((( Files Created from 2008-07-09 to 2008-08-09 )))))))))))))))))))))))))))))))
.
2008-08-09 10:30 . 2008-08-09 10:30 2,048 --a------ C:\WINDOWS\system32\hmldpbtc.exe
2008-08-08 22:57 . 2008-08-08 22:57 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-08 21:56 . 2008-08-08 21:56 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-08-08 21:50 . 2008-08-08 21:50 <DIR> d-------- C:\Program Files\NOS
2008-08-08 21:50 . 2008-08-08 21:50 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\NOS
2008-08-08 18:43 . 2007-02-26 04:36 180,224 --a------ C:\WINDOWS\system32\igfxres.dll
2008-08-08 10:33 . 2008-08-08 10:33 2,048 --a------ C:\WINDOWS\system32\syynigld.exe
2008-08-08 00:36 . 2006-10-04 16:06 1,197,294 --------- C:\WINDOWS\system32\dllcache\sysmain.sdb
2008-08-08 00:36 . 2006-10-04 16:06 764,868 --------- C:\WINDOWS\system32\dllcache\apph_sp.sdb
2008-08-08 00:36 . 2006-10-04 16:06 217,118 --------- C:\WINDOWS\system32\dllcache\apphelp.sdb
2008-08-08 00:32 . 2008-08-08 00:33 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-08-07 23:56 . 2008-08-07 23:56 161 --a------ C:\Delme.bat
2008-08-07 23:11 . 2008-01-22 11:09 16,384 --a------ C:\WINDOWS\system32\WorkAfterReboot.exe
2008-08-07 21:39 . 2008-08-07 21:45 <DIR> d-------- C:\Program Files\RegCleaner
2008-08-07 10:29 . 2008-08-07 10:29 2,048 --a------ C:\WINDOWS\system32\sfkhagky.exe
2008-08-06 23:11 . 2008-08-08 18:44 <DIR> d-------- C:\Program Files\SkanerOnline
2008-08-06 10:30 . 2008-08-06 10:30 2,048 --a------ C:\WINDOWS\system32\uxviguve.exe
2008-08-05 18:10 . 2008-08-05 18:10 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-08-05 17:13 . 2008-08-08 23:02 <DIR> d-------- C:\Documents and Settings\USER\Dane aplikacji\Lavasoft
2008-08-05 17:11 . 2008-08-08 23:03 <DIR> d-------- C:\Program Files\Lavasoft
2008-08-05 10:27 . 2008-08-05 10:27 2,048 --a------ C:\WINDOWS\system32\mbgiwnqi.exe
2008-08-04 19:51 . 2008-08-04 19:51 <DIR> d-------- C:\Documents and Settings\USER\Dane aplikacji\skypePM
2008-08-04 19:51 . 2008-08-04 19:51 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-08-04 19:47 . 2008-08-08 00:17 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Skype
2008-08-04 16:48 . 2008-08-04 16:48 639,224 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-08-04 09:35 . 2008-08-04 09:35 <DIR> d-------- C:\Program Files\piPOol
2008-08-03 12:33 . 2008-08-07 22:56 <DIR> d-------- C:\Program Files\BitComet
2008-07-31 20:05 . 2008-07-31 20:05 <DIR> d-------- C:\Program Files\Webteh
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-09 09:18 --------- d-----w C:\Program Files\Windows Desktop Search
2008-08-08 12:09 --------- d-----w C:\Documents and Settings\USER\Dane aplikacji\Tlen.pl
2008-08-07 22:35 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-08-07 22:18 --------- d-----w C:\Program Files\TC PowerPack
2008-08-07 22:16 --------- d-----w C:\Program Files\Real
2008-08-07 22:16 --------- d-----w C:\Program Files\Common Files\Real
2008-08-07 22:08 --------- d-----w C:\Program Files\Common Files\Ahead
2008-08-07 22:01 --------- d-----w C:\Program Files\Dear Camy
2008-08-07 21:56 --------- d-----w C:\Program Files\SubEdit-Player
2008-08-07 20:57 --------- d-----w C:\Program Files\PCDR5
2008-08-07 17:18 --------- d-----w C:\Documents and Settings\USER\Dane aplikacji\Lenovo
2008-08-07 09:15 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Microsoft Help
2008-07-04 11:00 --------- d-----w C:\Program Files\iPlus
2008-06-29 10:57 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Winamp Toolbar
2008-06-27 22:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-23 11:20 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-23 11:19 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Symantec
2008-06-23 11:17 --------- d-----w C:\Program Files\Wings of Honor - Red Baron
2008-06-20 10:44 360,960 ------w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ------w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:32 225,920 ------w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-14 18:01 273,024 ------w C:\WINDOWS\system32\drivers\bthport.sys
2007-11-08 17:38 32,768 --sh--w C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Feeds Cache\index.dat
2007-12-03 19:32 32,768 --sh--w C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Historia\History.IE5\MSHist012007120320071204\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 23:00 15360]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-12-01 11:46 204288]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PWRMGRTR"="C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2007-06-17 18:16 200704]
"BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2007-06-17 18:16 208896]
"TPFNF7"="C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2007-04-09 20:03 58416]
"TPHOTKEY"="C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe" [2007-03-09 07:49 66176]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2007-03-05 15:27 172032]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2007-03-28 19:32 243248]
"TVT Scheduler Proxy"="C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2007-02-08 14:19 536576]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2006-02-02 06:20 122940]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 17:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 17:50 81920]
"AwaySch"="C:\Program Files\Lenovo\AwayTask\AwaySch.EXE" [2006-11-07 12:51 91688]
"LPManager"="C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe" [2007-03-22 19:02 120368]
"AMSG"="C:\PROGRA~1\THINKV~1\AMSG\amsg.exe" [2007-02-01 20:00 419376]
"DiskeeperSystray"="C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-05-18 17:24 196696]
"ACTray"="C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe" [2007-07-05 15:58 413696]
"cssauth"="C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" [2007-01-30 20:01 2618944]
"iPlusManager"="C:\Program Files\iPlus\iPlusChecker.exe" [2008-01-03 11:59 389120]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-02-26 04:34 131072]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-02-26 04:34 155648]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-02-26 04:33 131072]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"AWMON"="C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe" [2004-09-02 13:03 538112]
"TpShocks"="TpShocks.exe" [2007-03-29 19:40 181808 C:\WINDOWS\system32\TpShocks.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 23:00 15360]
C:\Documents and Settings\USER\Menu Start\Programy\Autostart\
Tworzenie wycinków ekranu i uruchamianie programu OneNote 2007.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 21:24:54 98632]
C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
BTTray.lnk - C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe [2007-02-27 18:43:30 561213]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2007-11-08 19:34:08 50688]
Wyszukiwanie z pulpitu systemu Windows.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2007-02-05 16:40:46 118784]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 16:39 294400]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-03-14 23:17 89600 C:\WINDOWS\system32\psqlpwd.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 09:37 34344 C:\Program Files\Lenovo\HOTKEY\notifyf2.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2006-12-14 04:06 28672 C:\Program Files\Lenovo\HOTKEY\tphklock.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
2007-07-05 15:52 32768 C:\Program Files\ThinkPad\ConnectUtilities\ACNotify.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\WINDOWS\\system32\\mmc.exe"=
"C:\\Program Files\\Tlen.pl\\tlen.exe"=
R0 Shockprf;Shockprf;C:\WINDOWS\system32\DRIVERS\Apsx86.sys [2007-03-02 18:49]
R0 TPDIGIMN;TPDIGIMN;C:\WINDOWS\system32\DRIVERS\ApsHM86.sys [2007-03-02 18:47]
R1 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS [2005-11-08 10:27]
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\system32\Drivers\IBMBLDID.sys [2007-04-02 12:24]
R1 TPPWRIF;TPPWRIF;C:\WINDOWS\system32\drivers\Tppwrif.sys [2007-06-17 18:16]
R2 GtDetectSc;GtDetectSc Service;C:\Program Files\iPlus\Drivers\driver2k\GTMax\GtDetectSc.exe [2007-10-02 15:04]
R2 GtFlashSwitch;GtFlashSwitch Service;C:\Program Files\iPlus\Drivers\driver2k\GTMax\GtFlashSwitch.exe [2007-10-02 15:04]
R2 smihlp;SMI Helper Driver (smihlp);C:\Program Files\Common Files\ThinkVantage Fingerprint Software\Drivers\smihlp.sys [2007-03-14 23:10]
R2 TVT Backup Protection Service;TVT Backup Protection Service;C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe [2007-02-08 14:11]
R3 TVTI2C;Lenovo SM bus driver;C:\WINDOWS\system32\DRIVERS\Tvti2c.sys [2006-09-13 13:42]
S3 getPlus(R) Helper;getPlus(R) Helper;C:\Program Files\NOS\bin\getPlus_HelperSvc.exe [2008-06-26 10:24]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-02 23:10]
S3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 00:08]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{14ec530f-61ae-11dd-a2fb-001e3715234b}]
\Shell\AutoRun\command - E:\memotropil.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8c3d5fb5-1b4b-11dd-a28d-001e3715234b}]
\Shell\AutoRun\command - E:\jfvkcsy.bat
\Shell\explore\Command - E:\jfvkcsy.bat
\Shell\open\Command - E:\jfvkcsy.bat
.
Contents of the 'Scheduled Tasks' folder
2008-08-09 C:\WINDOWS\Tasks\PMTask.job
- C:\PROGRA~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2007-06-17 18:16]
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-BM535be7be - C:\WINDOWS\system32\cdexixlm.dll
Notify-pmnnOfCR - (no file)
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\USER\Dane aplikacji\Mozilla\Firefox\Profiles\hns6m3zs.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE -
hxxp://www.google.pl/
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-08-09 15:56:29
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe

C:\Program Files\Lenovo\HOTKEY\tphklock.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ibmpmsvc.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Lenovo\System Update\SUService.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\system32\TPHDEXLG.exe
C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
C:\WINDOWS\system32\searchindexer.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Apoint2K\ApntEx.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Lenovo\ZOOM\TpScrex.exe
C:\WINDOWS\system32\searchprotocolhost.exe
C:\PROGRA~1\ThinkPad\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\system32\searchfilterhost.exe
.
**************************************************************************
.
Completion time: 2008-08-09 16:00:01 - machine was rebooted [USER]
ComboFix-quarantined-files.txt 2008-08-09 13:59:57
Pre-Run: 111,112,994,816 bajtów wolnych
Post-Run: 111,009,337,344 bajtów wolnych
239 --- E O F --- 2008-07-29 14:05:59