Malware.gen, please check my logs
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:43:41, on 2008-10-15
Platform: Windows XP Dodatek SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Applications\wcs.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\S3trayp.exe
C:\Program Files\Hotkey 1.0.4\FuncKey.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\VM305_STI.EXE
C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe
C:\Program Files\Cyberlink\Shared Files\brs.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\IPLA\IPLA.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\sylwia\Pulpit\mirka\specyfikator.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {2DB53B5D-D416-4B61-AC4F-F179EC9E4502} - (no file)
O2 - BHO: (no name) - {48F2A76C-BCC4-4D15-97AC-2C78BC84CB45} - C:\WINDOWS\system32\yayxvtrp.dll (file missing)
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [S3Trayp] S3trayp.exe
O4 - HKLM\..\Run: [FuncKey] "C:\Program Files\Hotkey 1.0.4\FuncKey.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [BigDog305] C:\WINDOWS\VM305_STI.EXE VIMICRO USB PC Camera (ZC0305)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl8] "C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe"
O4 - HKLM\..\Run: [PDVD8LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe"
O4 - HKLM\..\Run: [BDRegion] C:\Program Files\Cyberlink\Shared Files\brs.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [18e2f255] rundll32.exe "C:\WINDOWS\system32\ofuhxohg.dll",b
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdytw.exe] C:\WINDOWS\system32\kdytw.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [IPLA!] C:\Program Files\IPLA\IPLA.exe /autorun
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKLM\..\Policies\Explorer\Run: [QuickTimeTask] C:\Program Files\Applications\wcs.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Statystyki ochrony WWW - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.pl/resources/virusscanner/kavwebscan_unicode.cab
O16 - DPF: {1E53EA77-34F2-474E-9046-B2B0C86F1821} (OggX Control) - http://www.eska.pl/streamplayers/OggX.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6E4A8D93-1460-4443-B9EB-34C19ED85402}: NameServer = 85.255.112.112;85.255.112.69
O17 - HKLM\System\CS1\Services\Tcpip\..\{6E4A8D93-1460-4443-B9EB-34C19ED85402}: NameServer = 85.255.112.112;85.255.112.69
O17 - HKLM\System\CS2\Services\Tcpip\..\{6E4A8D93-1460-4443-B9EB-34C19ED85402}: NameServer = 85.255.112.112;85.255.112.69
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd.dll,c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll
O20 - Winlogon Notify: yayxvtrp - yayxvtrp.dll (file missing)
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
--
End of file - 7995 bytes
Please advise quickly.
Replies: 10
I couldn't find this one :(
HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{48F2A76C-BCC4-4D15-97AC-2C78BC84CB45}
I'm also posting the HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:53:57, on 2008-10-16
Platform: Windows XP Dodatek SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\S3trayp.exe
C:\Program Files\Hotkey 1.0.4\FuncKey.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\VM305_STI.EXE
C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe
C:\Program Files\Cyberlink\Shared Files\brs.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {48F2A76C-BCC4-4D15-97AC-2C78BC84CB45} - C:\WINDOWS\system32\yayxvtrp.dll (file missing)
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [S3Trayp] S3trayp.exe
O4 - HKLM\..\Run: [FuncKey] "C:\Program Files\Hotkey 1.0.4\FuncKey.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [BigDog305] C:\WINDOWS\VM305_STI.EXE VIMICRO USB PC Camera (ZC0305)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl8] "C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe"
O4 - HKLM\..\Run: [PDVD8LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe"
O4 - HKLM\..\Run: [BDRegion] C:\Program Files\Cyberlink\Shared Files\brs.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Statystyki ochrony WWW - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.pl/resources/virusscanner/kavwebscan_unicode.cab
O16 - DPF: {1E53EA77-34F2-474E-9046-B2B0C86F1821} (OggX Control) - http://www.eska.pl/streamplayers/OggX.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
--
End of file - 6480 bytes
With the registry editor.
Type regedit in Start -> Run.
Just be careful, because if you cut out too much you'll be in trouble.
As a precaution you can make a copy of the registry first; ERUNT, for example, makes a very nice backup of all the registry files.
How?? What do I delete it with?? And how do I change the entries??
ComboFix 08-10-14.07 - sylwia 2008-10-15 12:15:38.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1250.1.1045.18.405 [GMT 2:00]
Run from: C:\Documents and Settings\sylwia\Pulpit\ComboFix.exe
WARNING - THIS COMPUTER DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Deleted )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\resycled
C:\resycled\boot.com
C:\WINDOWS\system32\ghoxhufo.ini
C:\WINDOWS\system32\ofuhxohg.dll
C:\WINDOWS\system32\sAIOVvut.ini
C:\WINDOWS\system32\sAIOVvut.ini2
C:\WINDOWS\system32\tmp70.tmp
.
((((((((((((((((((((((((( Files created from 2008-09-15 to 2008-10-15 )))))))))))))))))))))))))))))))
.
2008-10-15 11:16 . 2008-10-15 11:16 d-------- C:\Program Files\Sunbelt Software
2008-10-15 11:16 . 2008-10-15 11:16 d-------- C:\Documents and Settings\sylwia\Dane aplikacji\Sunbelt
2008-10-15 11:16 . 2008-10-15 11:16 d-------- C:\Documents and Settings\All Users\Dane aplikacji\Sunbelt
2008-10-15 11:04 . 2008-10-15 11:08 d-------- C:\fixwareout
2008-10-15 08:31 . 2008-10-15 08:31 d-------- C:\Program Files\Trend Micro
2008-10-14 13:03 . 2008-10-14 13:03 96,976 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-10-14 13:03 . 2008-10-14 13:03 87,855 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-10-14 13:00 . 2008-10-14 13:00 d-------- C:\Program Files\Kaspersky Lab
2008-10-14 13:00 . 2008-10-15 12:12 1,121,824 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-10-14 13:00 . 2008-10-15 12:14 270,368 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-10-14 13:00 . 2008-10-15 12:12 10,892 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-10-14 13:00 . 2008-10-15 12:14 3,052 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-10-14 12:57 . 2008-10-14 12:57 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-10-14 12:54 . 2008-10-14 12:54 d-------- C:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab Setup Files
2008-10-14 12:46 . 2008-10-14 12:46 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-10-14 12:46 . 2008-10-15 12:14 d-------- C:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab
2008-10-14 12:43 . 2008-10-14 12:43 d-------- C:\Program Files\Yahoo!
2008-10-14 12:14 . 2008-10-15 11:12 d-------- C:\Program Files\Applications
2008-10-10 09:33 . 2008-10-14 14:24 d-------- C:\Documents and Settings\All Users\Dane aplikacji\Winamp Toolbar
2008-10-10 09:32 . 2008-10-13 07:42 d-------- C:\Program Files\Winamp
2008-10-10 09:32 . 2008-10-10 09:37 d-------- C:\Documents and Settings\sylwia\Dane aplikacji\Winamp
2008-10-09 22:28 . 2008-10-09 22:28 d-------- C:\WINDOWS\Setup2K
2008-10-09 22:28 . 2002-10-01 14:43 119,798 --a------ C:\WINDOWS\system32\drivers\spca561.sys
2008-10-09 22:28 . 2002-11-22 15:56 118,784 --a------ C:\WINDOWS\ShowBmp.exe
2008-10-09 22:28 . 2002-08-13 18:01 53,248 --a------ C:\WINDOWS\ap561.exe
2008-10-09 22:28 . 2002-08-13 18:01 14,385 --a------ C:\WINDOWS\Tw561a.ini
2008-10-09 22:28 . 2002-09-20 19:44 14,336 --a------ C:\WINDOWS\system32\dshow508.ax
2008-10-09 22:28 . 2002-08-13 18:01 7,431 --a------ C:\WINDOWS\Tw561a.src
2008-10-09 22:28 . 2002-03-19 14:11 81 --a------ C:\WINDOWS\Setup8a.ini
.
(((((((((((((((((((((((((((((((((((((((( Find3M section ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-15 09:49 --------- d-----w C:\Documents and Settings\sylwia\Dane aplikacji\Skype
2008-10-15 07:10 --------- d-----w C:\Documents and Settings\sylwia\Dane aplikacji\skypePM
2008-10-14 12:25 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\ipla
2008-10-14 12:17 --------- d-----w C:\Program Files\Elaborate Bytes
2008-10-09 20:28 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-10-01 17:51 --------- d-----w C:\Program Files\eMule
2008-09-12 10:34 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Codemasters
2008-09-12 09:58 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-09-12 09:57 444,952 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2008-09-12 09:57 109,080 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2008-09-12 09:57 --------- d-----w C:\Program Files\OpenAL
2008-09-11 17:21 --------- d-----w C:\Program Files\WineCalc
2008-09-11 13:44 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Microsoft Help
2008-08-29 10:23 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\SlySoft
2008-08-29 10:17 --------- d-----w C:\Program Files\SlySoft
2008-08-29 10:10 --------- d-----w C:\Documents and Settings\sylwia\Dane aplikacji\Ashampoo
2008-08-29 10:09 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\ashampoo
2008-08-29 09:39 --------- d-----w C:\Program Files\Alcohol Soft
2008-08-27 10:13 --------- d-----w C:\Program Files\DAEMON Tools Lite
2008-08-27 08:52 717,296 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-08-27 08:52 --------- d-----w C:\Documents and Settings\sylwia\Dane aplikacji\DAEMON Tools
2008-08-27 06:39 --------- d-----w C:\Program Files\Gadu-Gadu
2008-08-22 08:43 --------- d-----w C:\Program Files\The KMPlayer
2008-08-19 15:59 --------- d-----w C:\Program Files\MSBuild
2008-08-19 15:59 --------- d-----w C:\Program Files\Microsoft Works
2008-07-31 08:41 68,616 ----a-w C:\WINDOWS\system32\XAPOFX1_1.dll
2008-07-31 08:41 238,088 ----a-w C:\WINDOWS\system32\xactengine3_2.dll
2008-07-31 08:40 509,448 ----a-w C:\WINDOWS\system32\XAudio2_2.dll
2008-07-30 07:13 73,216 -c--a-w C:\WINDOWS\ST6UNST.EXE
2008-07-30 07:13 249,856 -c----w C:\WINDOWS\Setup1.exe
2008-07-29 18:21 218,376 ----a-w C:\WINDOWS\system32\klogon.dll
2008-07-18 20:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 20:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 20:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 20:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 20:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 20:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 20:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 20:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-18 20:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-18 20:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-05-15 15:50 16,384 -csha-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
2008-05-15 15:50 32,768 -csha-w C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Historia\History.IE5\index.dat
2008-05-15 15:50 32,768 -csha-w C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Historia\History.IE5\MSHist012008051520080516\index.dat
2008-05-15 15:50 32,768 -csha-w C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Registry startup entries ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries and legitimate default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{48F2A76C-BCC4-4D15-97AC-2C78BC84CB45}]
C:\WINDOWS\system32\yayxvtrp.dll [BU]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-05-30 21718312]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-07-24 490952]
"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-03-20 217544]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY" [X]
"FuncKey"="C:\Program Files\Hotkey 1.0.4\FuncKey.exe" [2006-07-27 122880]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2005-04-16 172032]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-09-12 36352]
"BigDog305"="C:\WINDOWS\VM305_STI.EXE" [2005-08-05 61440]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl8"="C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe" [2008-03-20 83240]
"PDVD8LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe" [2007-12-14 50472]
"BDRegion"="C:\Program Files\Cyberlink\Shared Files\brs.exe" [2008-05-19 91432]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"18e2f255"="C:\WINDOWS\system32\ofuhxohg.dll" [BU]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2008-07-29 206088]
"VTTimer"="VTTimer.exe" [2006-09-21 C:\WINDOWS\system32\VTTimer.exe]
"S3Trayp"="S3trayp.exe" [2006-10-10 C:\WINDOWS\system32\S3Trayp.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 15360]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{48F2A76C-BCC4-4D15-97AC-2C78BC84CB45}"= "C:\WINDOWS\system32\yayxvtrp.dll" [BU]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayxvtrp]
yayxvtrp.dll [BU]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\BitComet\\BitComet.exe"=
"C:\\Program Files\\Ahead\\Nero ShowTime\\ShowTime.exe"=
"C:\\Program Files\\eMule\\emule.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Gadu-Gadu\\gg.exe"=
"C:\\Documents and Settings\\All Users\\Dane aplikacji\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 2009\\Polish\\setup.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
R0 klbg;Kaspersky Lab Boot Guard Driver;C:\WINDOWS\system32\drivers\klbg.sys [2008-01-29 32784]
R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};C:\Program Files\CyberLink\PowerDVD8\000.fcl [2008-05-15 12:07 61424]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2008-04-30 24592]
R3 S3GIGP;S3GIGP;C:\WINDOWS\system32\DRIVERS\S3gIGPm.sys [2006-11-15 634880]
S3 ZSMC0305;VIMICRO USB PC Camera V;C:\WINDOWS\system32\Drivers\usbVM305.sys [2006-02-09 392444]
.
- - - - REMOVED EMPTY ENTRIES - - - -
BHO-{2DB53B5D-D416-4B61-AC4F-F179EC9E4502} - (no file)
HKLM-Run-C:\WINDOWS\system32\kdytw.exe - C:\WINDOWS\system32\kdytw.exe
.
------- Supplementary scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.pl/
O8 -: E&ksportuj do programu Microsoft Excel - C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O16 -: {1E53EA77-34F2-474E-9046-B2B0C86F1821} - hxxp://www.eska.pl/streamplayers/OggX.ocx
C:\WINDOWS\Downloaded Program Files\OggX.ocx
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-15 12:17:28
Windows 5.1.2600 Dodatek Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}]
"ImagePath"="\??\C:\Program Files\CyberLink\PowerDVD8\000.fcl"
.
Completion time: 2008-10-15 12:18:25
ComboFix-quarantined-files.txt 2008-10-15 10:18:20
Before: 5,570,838,528 bytes free
After: 5,569,126,400 bytes free
183 --- E O F --- 2008-10-14 19:51:07
-
Make sure the files listed below are not on the disk:

C:\WINDOWS\system32\yayxvtrp.dll
C:\WINDOWS\system32\ofuhxohg.dll

Delete the keys:

HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{48F2A76C-BCC4-4D15-97AC-2C78BC84CB45}
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayxvtrp

From the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run remove the entry "18e2f255".

From the key hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks remove the entry "{48F2A76C-BCC4-4D15-97AC-2C78BC84CB45}".

That should be everything, unless I'm blind. To be sure, post one more HijackThis log at the end once you've deleted it all.
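The checks the helper above did by eye (the orphaned O2 BHO and O20 Winlogon Notify entries, the hex-named O4 Run value, the Run value named after its own path, the O17 NameServer hijack) together with the back-up-then-delete procedure in the post above, as one added Python example. It is not code from this thread, from HijackThis or from ComboFix. It parses an excerpt copied from the first HijackThis log in the thread and emits reg.exe lines that export every key before deleting it, which is what the ERUNT advice earlier in the thread amounts to. Everything beyond the log lines is an assumption of the example: the heuristics themselves, the C:\regbackup path, and treating 85.255.112.0/20 as a known-bad resolver range (the O17 lines pointing there are gone from the second HijackThis log, after the C:\fixwareout run that ComboFix lists). The checks apply to any HijackThis 2.x log, not just this one.

```python
r"""Triage a HijackThis 2.0.2 log and turn the hits into a backup-first reg.exe plan.
Added example for this thread (not HijackThis, ComboFix or forum code).  The excerpt is
copied from the first log above; the heuristics, C:\regbackup and treating
85.255.112.0/20 as a known-bad resolver range are this example's assumptions."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List

# Constructed input: lines copied verbatim from the first HijackThis log in the thread.
HJT_EXCERPT = r"""
C:\Documents and Settings\sylwia\Pulpit\mirka\specyfikator.exe
O2 - BHO: (no name) - {2DB53B5D-D416-4B61-AC4F-F179EC9E4502} - (no file)
O2 - BHO: (no name) - {48F2A76C-BCC4-4D15-97AC-2C78BC84CB45} - C:\WINDOWS\system32\yayxvtrp.dll (file missing)
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [18e2f255] rundll32.exe "C:\WINDOWS\system32\ofuhxohg.dll",b
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdytw.exe] C:\WINDOWS\system32\kdytw.exe
O4 - HKLM\..\Policies\Explorer\Run: [QuickTimeTask] C:\Program Files\Applications\wcs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{6E4A8D93-1460-4443-B9EB-34C19ED85402}: NameServer = 85.255.112.112;85.255.112.69
O20 - Winlogon Notify: yayxvtrp - yayxvtrp.dll (file missing)
"""

DNSCHANGER_NET = ipaddress.ip_network("85.255.112.0/20")  # assumption: known-bad resolvers
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
CV = r"Software\Microsoft\Windows\CurrentVersion"
BHO_ROOT = "HKEY_LOCAL_MACHINE\\" + CV + r"\Explorer\Browser Helper Objects"
SEH_ROOT = "HKEY_LOCAL_MACHINE\\" + CV + r"\Explorer\ShellExecuteHooks"
NOTIFY_ROOT = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
BHO_RE = re.compile(r"^BHO: .* - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
NS_RE = re.compile(r"NameServer = (?P<servers>[\d.;]+)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<target>.*)$")
HEXNAME_RE = re.compile(r"^[0-9a-f]{8}$")  # Vundo-style value names such as 18e2f255


@dataclass
class Finding:
    line: str
    severity: str        # "remove" (clear-cut) or "review" (needs a human look)
    reason: str
    reg_key: str = ""    # full key for reg.exe; empty when the fix is not a deletion
    reg_value: str = ""  # set when only one value under reg_key should go


def _missing(target: str) -> bool:
    return "(no file)" in target or "(file missing)" in target


def triage(log_text: str) -> List[Finding]:
    """Apply the checks the helper in this thread did by eye to every line of a log."""
    out: List[Finding] = []
    for line in (ln.strip() for ln in log_text.strip().splitlines()):
        m = ENTRY_RE.match(line)
        if not m:  # the "Running processes" block has no section prefix
            if line.lower().startswith("c:\\documents and settings\\"):
                out.append(Finding(line, "review", "process running from a user profile directory"))
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec == "O2" and (b := BHO_RE.match(body)) and _missing(b.group("target")):
            out.append(Finding(line, "remove", "BHO whose DLL is gone; orphaned CLSID",
                               reg_key=BHO_ROOT + "\\" + b.group("clsid")))
        elif sec == "O4" and (r := RUN_RE.match(body)):
            hive, key, name, cmd = r.group("hive", "key", "name", "cmd")
            full_key = HIVES.get(hive, hive) + "\\" + CV + "\\" + key
            if HEXNAME_RE.match(name) or name.lower() == cmd.strip('"').lower():
                out.append(Finding(line, "remove", "Run value named with random hex or with its own path",
                                   reg_key=full_key, reg_value=name))
            elif "Policies\\Explorer\\Run" in key:
                out.append(Finding(line, "review", "Policies\\Explorer\\Run is rarely used by installers",
                                   reg_key=full_key, reg_value=name))
        elif sec == "O17" and (n := NS_RE.search(body)):
            bad = [s for s in n.group("servers").split(";") if ipaddress.ip_address(s) in DNSCHANGER_NET]
            if bad:
                out.append(Finding(line, "remove", "NameServer in DNSChanger range (%s); "
                                   "reset the interface to DHCP/ISP resolvers" % ", ".join(bad)))
        elif sec == "O20" and (w := NOTIFY_RE.match(body)) and _missing(w.group("target")):
            out.append(Finding(line, "remove", "Winlogon Notify package whose DLL is gone",
                               reg_key=NOTIFY_ROOT + "\\" + w.group("name")))
    return out


def cleanup_plan(findings: List[Finding], backup_dir: str = r"C:\regbackup") -> List[str]:
    """reg.exe lines for cmd.exe on the infected box: export each key first (the thread's
    own advice), then delete.  Read them before pasting; re-run HijackThis afterwards."""
    cmds = ['mkdir "%s"' % backup_dir]

    def backup_then_delete(key: str, value: str = "") -> None:
        cmds.append('reg export "%s" "%s\\%d.reg"' % (key, backup_dir, len(cmds)))
        cmds.append('reg delete "%s"%s /f' % (key, ' /v "%s"' % value if value else ""))

    for f in findings:
        if f.severity == "remove" and f.reg_key:
            backup_then_delete(f.reg_key, f.reg_value)
            if f.reg_key.startswith(BHO_ROOT):  # ComboFix showed the same orphaned CLSID
                backup_then_delete(SEH_ROOT, f.reg_key.rsplit("\\", 1)[1])  # as a ShellExecuteHook
    return cmds


if __name__ == "__main__":
    hits = triage(HJT_EXCERPT)
    print("\n".join("[%-6s] %s\n         %s" % (f.severity, f.reason, f.line) for f in hits))
    print("\n".join(cleanup_plan(hits)))
```

Run it and read the output before pasting the reg.exe lines into cmd.exe on the infected machine. Two things it deliberately does not do: it never deletes the Policies\Explorer\Run entry (flagged for review only, since nothing in the thread shows what wcs.exe is), and it does not touch the NameServer values, because the right fix there is resetting the interface to DHCP rather than deleting a key. As the helper says, post a fresh HijackThis log afterwards: HijackThis shows what the registry points at, not whether the files are really gone.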
It ran all the way to the end and saved what I posted by itself; I can run it again.
The ComboFix log is cut off (even so, you can see that it removed a few things). You have to wait until it finishes.
Combofix
ComboFix 08-10-14.07 - sylwia 2008-10-15 11:28:54.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1250.1.1045.18.356 [GMT 2:00]
Run from: C:\Documents and Settings\sylwia\Pulpit\ComboFix.exe
* Created a new restore point
WARNING - THIS COMPUTER DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
ADS - WINDOWS: deleted 72 bytes in 1 streams.
((((((((((((((((((((((((((((((((((((((( Deleted )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\resycled
C:\resycled\boot.com
C:\WINDOWS\system32\ghoxhufo.ini
C:\WINDOWS\system32\ofuhxohg.dll
C:\WINDOWS\system32\sAIOVvut.ini
C:\WINDOWS\system32\sAIOVvut.ini2
C:\WINDOWS\system32\tmp70.tmp
.
((((((((((((((((((((((((( Files created from 2008-09-15 to 2008-10-15 )))))))))))))))))))))))))))))))
.
2008-10-15 11:16 . 2008-10-15 11:16 d-------- C:\Program Files\Sunbelt Software
2008-10-15 11:16 . 2008-10-15 11:16 d-------- C:\Documents and Settings\sylwia\Dane aplikacji\Sunbelt
2008-10-15 11:16 . 2008-10-15 11:16 d-------- C:\Documents and Settings\All Users\Dane aplikacji\Sunbelt
2008-10-15 11:04 . 2008-10-15 11:08 d-------- C:\fixwareout
2008-10-15 08:31 . 2008-10-15 08:31 d-------- C:\Program Files\Trend Micro
2008-10-14 13:03 . 2008-10-14 13:03 96,976 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-10-14 13:03 . 2008-10-14 13:03 87,855 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-10-14 13:00 . 2008-10-14 13:00 d-------- C:\Program Files\Kaspersky Lab
2008-10-14 13:00 . 2008-10-15 11:33 1,121,824 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-10-14 13:00 . 2008-10-15 11:33 262,176 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-10-14 13:00 . 2008-10-15 11:33 10,892 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-10-14 13:00 . 2008-10-15 11:33 3,024 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-10-14 12:57 . 2008-10-14 12:57 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-10-14 12:54 . 2008-10-14 12:54 d-------- C:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab Setup Files
2008-10-14 12:46 . 2008-10-14 12:46 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-10-14 12:46 . 2008-10-15 11:34 d-------- C:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab
2008-10-14 12:43 . 2008-10-14 12:43 d-------- C:\Program Files\Yahoo!
2008-10-14 12:14 . 2008-10-15 11:12 d-------- C:\Program Files\Applications
2008-10-10 09:33 . 2008-10-14 14:24 d-------- C:\Documents and Settings\All Users\Dane aplikacji\Winamp Toolbar
2008-10-10 09:32 . 2008-10-13 07:42 d-------- C:\Program Files\Winamp
2008-10-10 09:32 . 2008-10-10 09:37 d-------- C:\Documents and Settings\sylwia\Dane aplikacji\Winamp
2008-10-09 22:28 . 2008-10-09 22:28 d-------- C:\WINDOWS\Setup2K
2008-10-09 22:28 . 2002-10-01 14:43 119,798 --a------ C:\WINDOWS\system32\drivers\spca561.sys
2008-10-09 22:28 . 2002-11-22 15:56 118,784 --a------ C:\WINDOWS\ShowBmp.exe
2008-10-09 22:28 . 2002-08-13 18:01 53,248 --a------ C:\WINDOWS\ap561.exe
2008-10-09 22:28 . 2002-08-13 18:01 14,385 --a------ C:\WINDOWS\Tw561a.ini
2008-10-09 22:28 . 2002-09-20 19:44 14,336 --a------ C:\WINDOWS\system32\dshow508.ax
2008-10-09 22:28 . 2002-08-13 18:01 7,431 --a------ C:\WINDOWS\Tw561a.src
2008-10-09 22:28 . 2002-03-19 14:11 81 --a------ C:\WINDOWS\Setup8a.ini
.
(((((((((((((((((((((((((((((((((((((((( Find3M section ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-15 09:35 --------- d-----w C:\Documents and Settings\sylwia\Dane aplikacji\Skype
2008-10-15 07:10 --------- d-----w C:\Documents and Settings\sylwia\Dane aplikacji\skypePM
2008-10-14 12:25 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\ipla
2008-10-14 12:17 --------- d-----w C:\Program Files\Elaborate Bytes
2008-10-09 20:28 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-10-01 17:51 --------- d-----w C:\Program Files\eMule
2008-09-12 10:34 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Codemasters
2008-09-12 09:58 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-09-12 09:57 444,952 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2008-09-12 09:57 109,080 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2008-09-12 09:57 --------- d-----w C:\Program Files\OpenAL
2008-09-11 17:21 --------- d-----w C:\Program Files\WineCalc
2008-09-11 13:44 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Microsoft Help
2008-08-29 10:23 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\SlySoft
2008-08-29 10:17 --------- d-----w C:\Program Files\SlySoft
2008-08-29 10:10 --------- d-----w C:\Documents and Settings\sylwia\Dane aplikacji\Ashampoo
2008-08-29 10:09 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\ashampoo
2008-08-29 09:39 --------- d-----w C:\Program Files\Alcohol Soft
2008-08-27 10:13 --------- d-----w C:\Program Files\DAEMON Tools Lite
2008-08-27 08:52 717,296 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-08-27 08:52 --------- d-----w C:\Documents and Settings\sylwia\Dane aplikacji\DAEMON Tools
2008-08-27 06:39 --------- d-----w C:\Program Files\Gadu-Gadu
2008-08-22 08:43 --------- d-----w C:\Program Files\The KMPlayer
2008-08-19 15:59 --------- d-----w C:\Program Files\MSBuild
2008-08-19 15:59 --------- d-----w C:\Program Files\Microsoft Works
2008-07-31 08:41 68,616 ----a-w C:\WINDOWS\system32\XAPOFX1_1.dll
2008-07-31 08:41 238,088 ----a-w C:\WINDOWS\system32\xactengine3_2.dll
2008-07-31 08:40 509,448 ----a-w C:\WINDOWS\system32\XAudio2_2.dll
2008-07-30 07:13 73,216 -c--a-w C:\WINDOWS\ST6UNST.EXE
2008-07-30 07:13 249,856 -c----w C:\WINDOWS\Setup1.exe
2008-07-29 18:21 218,376 ----a-w C:\WINDOWS\system32\klogon.dll
2008-07-18 20:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 20:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 20:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 20:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 20:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 20:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 20:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 20:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-18 20:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-18 20:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-05-15 15:50 16,384 -csha-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
2008-05-15 15:50 32,768 -csha-w C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Historia\History.IE5\index.dat
2008-05-15 15:50 32,768 -csha-w C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Historia\History.IE5\MSHist012008051520080516\index.dat
2008-05-15 15:50 32,768 -csha-w C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
Hijackthis
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:37, on 2008-10-15
Platform: Windows XP Dodatek SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\S3trayp.exe
C:\Program Files\Hotkey 1.0.4\FuncKey.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\VM305_STI.EXE
C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe
C:\Program Files\Cyberlink\Shared Files\brs.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\IPLA\IPLA.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {2DB53B5D-D416-4B61-AC4F-F179EC9E4502} - (no file)
O2 - BHO: (no name) - {48F2A76C-BCC4-4D15-97AC-2C78BC84CB45} - C:\WINDOWS\system32\yayxvtrp.dll (file missing)
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [S3Trayp] S3trayp.exe
O4 - HKLM\..\Run: [FuncKey] "C:\Program Files\Hotkey 1.0.4\FuncKey.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [BigDog305] C:\WINDOWS\VM305_STI.EXE VIMICRO USB PC Camera (ZC0305)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl8] "C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe"
O4 - HKLM\..\Run: [PDVD8LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe"
O4 - HKLM\..\Run: [BDRegion] C:\Program Files\Cyberlink\Shared Files\brs.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [18e2f255] rundll32.exe "C:\WINDOWS\system32\ofuhxohg.dll",b
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdytw.exe] C:\WINDOWS\system32\kdytw.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [IPLA!] C:\Program Files\IPLA\IPLA.exe /autorun
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Statystyki ochrony WWW - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.pl/resources/virusscanner/kavwebscan_unicode.cab
O16 - DPF: {1E53EA77-34F2-474E-9046-B2B0C86F1821} (OggX Control) - http://www.eska.pl/streamplayers/OggX.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: yayxvtrp - yayxvtrp.dll (file missing)
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
--
End of file - 6934 bytes
Not many logs here. Even so, they show
"18e2f255"="rundll32.exe \"C:\\WINDOWS\\system32\\ofuhxohg.dll\",b"
"C:\\WINDOWS\\system32\\kdytw.exe"="C:\\WINDOWS\\system32\\kdytw.exe"
First ComboFix + HijackThis, then removal.
Username "sylwia" - 2008-10-15 11:04:54 [Fixwareout edited 9/01/2007]
~~~~~ Prerun check
HKLM\SOFTWARE\~\Winlogon\ "System"="kdytw.exe"
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{6E4A8D93-1460-4443-B9EB-34C19ED85402}
"nameserver"="85.255.112.112;85.255.112.69"
Well, you have a problem.
The DNS entries point to a rootkit infection.
Download Fixwareout, scan the system with it, and post its log.
Info on FixwareOut is here -> http://cybertrash.pl/images/tata/FixwareOut.html
Additionally, the file C:\Program Files\Applications\wcs.exe is to be removed.
After the job, post the logs: HijackThis, the aforementioned FixwareOut and ComboFix.
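The two replies above pick out four indicator classes by eye: BHO and Winlogon Notify hooks whose file is gone, a rundll32 autorun loading a random-named DLL from system32, a Run value named after its own path, and static nameservers written into the TCP/IP interface key. The script below is an added example, not part of this thread and not a tool the helpers used; it applies those same checks to the log lines posted here (embedded as a constructed sample). The trusted DNS allowlist and the "5-10 lowercase letters" random-name heuristic are assumptions for illustration.

```python
import re

# Constructed sample: entries copied from the HijackThis and Fixwareout output posted in this thread.
SAMPLE_HJT = r"""O2 - BHO: (no name) - {48F2A76C-BCC4-4D15-97AC-2C78BC84CB45} - C:\WINDOWS\system32\yayxvtrp.dll (file missing)
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [18e2f255] rundll32.exe "C:\WINDOWS\system32\ofuhxohg.dll",b
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdytw.exe] C:\WINDOWS\system32\kdytw.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"
O20 - Winlogon Notify: yayxvtrp - yayxvtrp.dll (file missing)
"""
SAMPLE_FWO = r"""HKLM\SOFTWARE\~\Winlogon\ "System"="kdytw.exe"
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{6E4A8D93-1460-4443-B9EB-34C19ED85402}
"nameserver"="85.255.112.112;85.255.112.69"
"""
# Assumption: the DNS servers this machine is expected to use (a home router here).
TRUSTED_DNS = {"192.168.1.1"}

HJT_LINE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
O4_BODY = re.compile(r"^(?P<hive>.*?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
RUNDLL_SYS32 = re.compile(r'rundll32\.exe\s+"?([^"]+?\\system32\\([a-z0-9]+)\.dll)"?', re.I)
RANDOM_STEM = re.compile(r"^[a-z]{5,10}$")   # heuristic: lowercase-only, no product name
NAMESERVER = re.compile(r'^"nameserver"="(?P<v>[^"]*)"', re.I)
WINLOGON_SYSTEM = re.compile(r'Winlogon\\\s*"System"="(?P<v>[^"]+)"')


def parse_hjt(text):
    """Split a HijackThis log into (section, body) pairs; non-entry lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def missing_file_entries(entries):
    """Hooks whose component is gone: left-over BHO / URLSearchHook / Winlogon Notify entries."""
    return [f"{s} - {b}" for s, b in entries if "(file missing)" in b or "(no file)" in b]


def suspicious_run_entries(entries):
    """O4 autoruns matching the two patterns the thread calls out.
    Returns (value name, command, reason) triples in log order."""
    hits = []
    for sec, body in entries:
        if sec != "O4":
            continue
        m = O4_BODY.match(body)
        if not m:
            continue
        name, cmd = m.group("name"), m.group("cmd")
        dll = RUNDLL_SYS32.search(cmd)
        if dll and RANDOM_STEM.match(dll.group(2)):
            hits.append((name, cmd, "rundll32 loading random-named system32 DLL"))
        elif re.match(r"^[A-Za-z]:\\", name):
            hits.append((name, cmd, "Run value named after its own path"))
    return hits


def rogue_nameservers(fixwareout_text, trusted):
    """Static DNS servers in the TCP/IP interface key that are not on the operator's allowlist."""
    rogue = []
    for line in fixwareout_text.splitlines():
        m = NAMESERVER.match(line.strip())
        if m:
            for ip in m.group("v").split(";"):
                ip = ip.strip()
                if ip and ip not in trusted:
                    rogue.append(ip)
    return rogue


def winlogon_system_value(fixwareout_text):
    """The Winlogon "System" value printed by Fixwareout's Prerun check (normally empty), or None."""
    m = WINLOGON_SYSTEM.search(fixwareout_text)
    return m.group("v") if m else None


def triage(hjt_text, fixwareout_text, trusted_dns):
    """Run all four checks and return one report dict."""
    entries = parse_hjt(hjt_text)
    return {
        "missing_file": missing_file_entries(entries),
        "suspicious_run": suspicious_run_entries(entries),
        "rogue_dns": rogue_nameservers(fixwareout_text, trusted_dns),
        "winlogon_system": winlogon_system_value(fixwareout_text),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_HJT, SAMPLE_FWO, TRUSTED_DNS).items():
        print(f"{key}: {value}")
```

Run against the sample, the report lists the two missing-file hooks (yayxvtrp as BHO and as Winlogon Notify), the 18e2f255 rundll32 entry and the kdytw.exe self-named Run value, both 85.255.112.x nameservers, and kdytw.exe in the Winlogon System value, which is exactly the set the two replies told the poster to deal with. The allowlist is the part to adapt: feed it the DNS servers the network is supposed to hand out, and anything else in that key is worth a look.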