Keylogger
#1
Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 04:11:06, on 2008-07-16
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\cFosSpeed\spd.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\PC Tools AntiVirus\PCTAV.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\cFosSpeed\cFosSpeed.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [cFosSpeed] C:\Program Files\cFosSpeed\cFosSpeed.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Windows] C:\WINDOWS\services.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Default user')
O4 - Startup: hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O23 - Service: cFosSpeed System Service (cFosSpeedS) - cFos Software GmbH - C:\Program Files\cFosSpeed\spd.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 3989 bytes


Code:
"Silent Runners.vbs", revision 58, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\System32\ctfmon.exe" [MS]
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu S.A."]
"Skype" = ""C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"PCTAVApp" = ""C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN" ["PC Tools Research Pty Ltd"]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe" ["Sun Microsystems, Inc."]
"cFosSpeed" = "C:\Program Files\cFosSpeed\cFosSpeed.exe" ["cFos Software GmbH"]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit" [MS]
"KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k"
"Windows" = "C:\WINDOWS\services.exe" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "SSVHelper Class"
     \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll" ["Sun Microsystems, Inc."]
{E5A1691B-D188-4419-AD02-90002030B8EE}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "FlashFXP Helper for Internet Explorer"
     \InProcServer32\(Default) = "C:\PROGRA~1\FlashFXP\IEFlash.dll" ["IniCom Networks, Inc."]
{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}\(Default) = "Ask Toolbar BHO"
  -> {HKLM...CLSID} = "Ask Toolbar BHO"
     \InProcServer32\(Default) = "C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL" ["Ask.com"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
     \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
     \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
  -> {HKLM...CLSID} = "DesktopContext Class"
     \InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
  -> {HKLM...CLSID} = "NVIDIA CPL Extension"
     \InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
  -> {HKLM...CLSID} = "Desktop Explorer"
     \InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
  -> {HKLM...CLSID} = "nView Desktop Context Menu"
     \InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
PCTAVShellExtension\(Default) = "{AEEAEC2D-7EE9-4C66-937C-80BF8B03FD54}"
  -> {HKLM...CLSID} = "PCTAVShlExt Class"
     \InProcServer32\(Default) = "C:\Program Files\PC Tools AntiVirus\PCTAVShellExtension.dll" ["PC Tools Research Pty Ltd"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
PCTAVShellExtension\(Default) = "{AEEAEC2D-7EE9-4C66-937C-80BF8B03FD54}"
  -> {HKLM...CLSID} = "PCTAVShlExt Class"
     \InProcServer32\(Default) = "C:\Program Files\PC Tools AntiVirus\PCTAVShellExtension.dll" ["PC Tools Research Pty Ltd"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\Web\Wallpaper\Idylla.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\Web\Wallpaper\Idylla.bmp"


Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

ASHAshampoo_Burning_Studio_7BURNONARRIVAL\
"Provider" = "Ashampoo Burning Studio 7"
"InvokeProgID" = "Ashampoo.BurningStudio7"
"InvokeVerb" = "autoplay-burn"
HKLM\SOFTWARE\Classes\Ashampoo.BurningStudio7\shell\autoplay-burn\Command\(Default) = ""C:\Program Files\Ashampoo\Ashampoo Burning Studio 7\burningstudio.exe" -autoplay -selectdrive "%l"" ["ashampoo Technology GmbH & Co. KG"]

ASHAshampoo_Burning_Studio_7COPYONARRIVAL\
"Provider" = "Ashampoo Burning Studio 7"
"InvokeProgID" = "Ashampoo.BurningStudio7"
"InvokeVerb" = "autoplay-copy"
HKLM\SOFTWARE\Classes\Ashampoo.BurningStudio7\shell\autoplay-copy\Command\(Default) = "C:\Program Files\Ashampoo\Ashampoo Burning Studio 7\burningstudio.exe" -autoplay -selectdrive "%l" -copy" [file not found]

ASHAshampoo_Burning_Studio_7RIPONARRIVAL\
"Provider" = "Ashampoo Burning Studio 7"
"InvokeProgID" = "Ashampoo.BurningStudio7"
"InvokeVerb" = "autoplay-rip"
HKLM\SOFTWARE\Classes\Ashampoo.BurningStudio7\shell\autoplay-rip\Command\(Default) = ""C:\Program Files\Ashampoo\Ashampoo Burning Studio 7\burningstudio.exe" -autoplay -selectdrive "%l" -rip" ["ashampoo Technology GmbH & Co. KG"]

MSPlayMusicFilesOnArrival\
"Provider" = "@wmploc.dll,-6502"
"ProgID" = "WMPShell.HWEventHandler.1"
HKLM\SOFTWARE\Classes\WMPShell.HWEventHandler.1\CLSID\(Default) = "{9B186A8F-F520-4eeb-B553-118304AC46C5}"
  -> {HKLM...CLSID} = "WMP HWEventHandler"
     \LocalServer32\(Default) = "C:\WINDOWS\System32\wmpstub.exe" [MS]

MSPlayVideoFilesOnArrival\
"Provider" = "@wmploc.dll,-6502"
"ProgID" = "WMPShell.HWEventHandler.1"
HKLM\SOFTWARE\Classes\WMPShell.HWEventHandler.1\CLSID\(Default) = "{9B186A8F-F520-4eeb-B553-118304AC46C5}"
  -> {HKLM...CLSID} = "WMP HWEventHandler"
     \LocalServer32\(Default) = "C:\WINDOWS\System32\wmpstub.exe" [MS]

WinampMTPHandler\
"Provider" = "Winamp"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = "C:\Program Files\Winamp\winamp.exe"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
  -> {HKLM...CLSID} = "ShellExecute HW Event Handler"
     \LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

WinampPlayMediaOnArrival\
"Provider" = "Winamp"
"InvokeProgID" = "Winamp.File"
"InvokeVerb" = "Play"
HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\command\(Default) = ""C:\Program Files\Winamp\winamp.exe" "%1"" ["Nullsoft"]
HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\DropTarget\CLSID = "{46986115-84D6-459c-8F95-52DD653E532E}"
  -> {HKLM...CLSID} = (no title provided)
     \LocalServer32\(Default) = ""C:\Program Files\Winamp\winamp.exe"" ["Nullsoft"]


Startup items in "Arti" & "All Users" startup folders:
------------------------------------------------------

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"VIA RAID TOOL" -> shortcut to: "C:\Program Files\VIA\RAID\raid_tool.exe" ["VIA Technologies"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll ["PC Tools Research Pty Ltd."], 01 - 03, 09
%SystemRoot%\system32\mswsock.dll [MS], 04 - 06, 10 - 19
%SystemRoot%\system32\rsvpsp.dll [MS], 07 - 08


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}" = (no title provided)
  -> {HKLM...CLSID} = "Ask Toolbar"
     \InProcServer32\(Default) = "C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL" ["Ask.com"]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0007-ABCDEFFEDCBC}"
  -> {HKCU...CLSID} = "Java Plug-in"
     \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll" ["Sun Microsystems, Inc."]
  -> {HKLM...CLSID} = "Java Plug-in 1.5.0_07"
     \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll" ["Sun Microsystems, Inc."]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

cFosSpeed System Service, cFosSpeedS, ""C:\Program Files\cFosSpeed\spd.exe" -service" ["cFos Software GmbH"]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
PC Tools AntiVirus Engine, PCTAVSvc, ""C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe"" ["PC Tools Research Pty Ltd"]
SoundMAX Agent Service, SoundMAX Agent Service (default), "C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe" ["Analog Devices, Inc."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]


---------- (launch time: 2008-07-16 16:05:05)
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 501 seconds.
---------- (total run time: 3490 seconds)



Here are my logs from HijackThis and Silent Runners. I am posting them because I am afraid that, despite my attempts to remove a keylogger from the computer, it is probably still there. (I reinstalled the system, but I do not know whether the format did anything, because when I tried to install the system it said it was already there.) I would ask you to check the results and let me know whether there is anything suspicious among the processes.

@edit

It seems to me that everything is OK now. If there are any shortcomings, please let me know.
#2
Wrap logs in tags. Post the HijackThis log first, then Silent Runners. Read

[To see links, register here]

and fix your post.


Quote: O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Windows] C:\WINDOWS\services.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)


Delete the bolded files manually from the disk in Safe Mode with System Restore turned off. Delete the entries in HijackThis.

After that, post a new HijackThis log and a log from

[To see links, register here]

"I am not a consumer who fits the standard
I am not a species doomed to extinction
I am not the object of media noise
I am an illegal killer of time"
#3
Well, I deleted that AskSBar, but I cannot cope with the services.exe file.
I looked for it in C:\WINDOWS but it was not there; instead it was in C:\WINDOWS\system32, but I cannot delete it even in Safe Mode. I would ask for advice on what to do next.

@edit

Nobody has checked the Silent Runners log yet. If someone could look it over and pick out the harmful processes, I would be grateful.
#4
The Silent Runners log showed me the same as the HijackThis log, only in more detail. I would like to see a ComboFix log.
#5
Of course, here it is:
Code:
ComboFix 08-07-15.4 - Arti 2008-07-16 20:20:56.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.0.1250.1.1045.18.734 [GMT 2:00]
Running from: C:\Documents and Settings\Arti\Pulpit\ComboFix.exe

WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\msssc.dll

.
((((((((((((((((((((((((( Files Created from 2008-06-16 to 2008-07-16)))))))))))))))))))))))))))))))
.

2008-07-16 17:16 . 2008-07-16 20:23    <DIR>    d--h-----    C:\Documents and Settings\Administrator\Ustawienia lokalne
2008-07-16 17:16 . 2008-06-06 17:54    <DIR>    d--------    C:\Documents and Settings\Administrator\Ulubione
2008-07-16 17:16 . 2008-06-06 17:01    <DIR>    d--h-----    C:\Documents and Settings\Administrator\Szablony
2008-07-16 17:16 . 2008-06-06 17:54    <DIR>    d--------    C:\Documents and Settings\Administrator\Pulpit
2008-07-16 17:16 . 2008-07-16 17:16    <DIR>    d--------    C:\Documents and Settings\Administrator\Moje dokumenty
2008-07-16 17:16 . 2008-06-06 17:54    <DIR>    dr-------    C:\Documents and Settings\Administrator\Menu Start
2008-07-16 17:16 . 2008-06-06 17:54    <DIR>    dr-h-----    C:\Documents and Settings\Administrator\Dane aplikacji
2008-07-16 17:16 . 2008-07-16 17:16    <DIR>    d--------    C:\Documents and Settings\Administrator
2008-07-15 15:37 . 2008-07-15 15:37    <DIR>    d--------    C:\Program Files\Hamachi
2008-07-15 15:37 . 2008-07-16 11:41    <DIR>    d--------    C:\Documents and Settings\Arti\Dane aplikacji\Hamachi
2008-07-15 15:37 . 2008-07-15 15:37    25,544    --a------    C:\WINDOWS\system32\drivers\hamachi.sys
2008-07-14 15:09 . 2008-07-14 15:09    <DIR>    d--------    C:\Documents and Settings\Arti\.thumbnails
2008-07-14 15:09 . 2008-07-14 15:10    <DIR>    d--------    C:\Documents and Settings\Arti\.gimp-2.4
2008-07-08 22:48 . 2008-07-08 22:46    220    --a------    C:\index.html
2008-07-07 23:40 . 2008-07-07 23:40    <DIR>    d--------    C:\WINDOWS\Sun
2008-07-06 13:51 . 2008-07-06 13:51    <DIR>    d--------    C:\Program Files\FlashFXP
2008-07-06 13:51 . 2008-07-06 13:51    <DIR>    d--------    C:\Documents and Settings\All Users\Dane aplikacji\FlashFXP
2008-07-06 13:45 . 2008-07-06 13:45    <DIR>    d--------    C:\Documents and Settings\Arti\Dane aplikacji\SmartFTP
2008-07-05 22:21 . 2008-07-05 22:21    <DIR>    d--------    C:\Program Files\HLTooLz
2008-07-05 22:19 . 2008-07-05 22:20    249,856    ---------    C:\WINDOWS\Setup1.exe
2008-07-05 22:19 . 2008-07-05 22:20    73,216    --a------    C:\WINDOWS\ST6UNST.EXE
2008-07-04 18:57 . 2008-07-04 19:35    <DIR>    d--------    C:\Program Files\Tibia 7.6
2008-07-04 01:56 . 2008-07-10 14:45    <DIR>    d--------    C:\Program Files\Steam
2008-07-03 19:41 . 2008-07-03 19:41    <DIR>    d--------    C:\Program Files\Ashampoo
2008-07-03 19:41 . 2008-07-03 19:41    <DIR>    d--------    C:\Documents and Settings\Arti\Dane aplikacji\Ashampoo
2008-07-03 19:41 . 2008-07-03 19:41    <DIR>    d--------    C:\Documents and Settings\All Users\Dane aplikacji\ashampoo
2008-07-03 19:16 . 2008-07-03 19:16    <DIR>    d--hs----    C:\WINDOWS\ftpcache
2008-07-03 00:53 . 2008-07-03 00:53    <DIR>    d--------    C:\Program Files\Tibia 8.11
2008-07-02 18:23 . 2008-07-02 18:23    <DIR>    d--------    C:\Automap
2008-07-02 15:44 . 2008-07-02 15:44    <DIR>    d--h-----    C:\WINDOWS\PIF
2008-06-30 03:17 . 2008-06-30 03:19    <DIR>    d----c---    C:\WINDOWS\system32\DRVSTORE
2008-06-30 03:17 . 2006-09-28 14:10    11,648    --a------    C:\WINDOWS\system32\drivers\gggen.sys
2008-06-30 02:58 . 2008-06-30 02:58    <DIR>    d--------    C:\SterySE
2008-06-28 01:02 . 2008-06-28 01:02    11    -ra------    C:\WINDOWS\amunres.lsl
2008-06-25 11:37 . 2008-06-25 11:37    <DIR>    d--------    C:\Program Files\uTorrent
2008-06-25 11:37 . 2008-06-25 11:58    <DIR>    d--------    C:\Documents and Settings\Arti\Dane aplikacji\uTorrent
2008-06-25 02:03 . 2008-06-25 11:32    <DIR>    d--------    C:\Documents and Settings\Arti\Dane aplikacji\Azureus
2008-06-25 02:03 . 2008-06-25 02:03    <DIR>    d--------    C:\Documents and Settings\All Users\Dane aplikacji\Azureus
2008-06-25 02:02 . 2008-06-25 11:33    <DIR>    d--------    C:\Program Files\Vuze
2008-06-22 22:57 . 2008-06-30 03:19    <DIR>    d--------    C:\Program Files\Sony Ericsson
2008-06-22 21:26 . 2008-06-22 23:11    <DIR>    d--------    C:\Documents and Settings\Spidi\Dane aplikacji\gtk-2.0
2008-06-22 21:26 . 2008-06-22 21:26    <DIR>    d--------    C:\Documents and Settings\Spidi\.thumbnails
2008-06-22 21:25 . 2008-06-23 00:36    <DIR>    d--------    C:\Documents and Settings\Spidi\.gimp-2.4
2008-06-22 21:24 . 2008-06-22 21:24    <DIR>    d--------    C:\Program Files\GIMP-2.0
2008-06-20 13:51 . 2008-06-20 13:52    <DIR>    d--------    C:\Documents and Settings\Spidi\Dane aplikacji\Skype
2008-06-19 14:51 . 2008-06-19 14:51    <DIR>    d--------    C:\Program Files\Ortalion Entertainment
2008-06-19 14:29 . 2008-06-19 16:17    <DIR>    d--------    C:\Program Files\Spring
2008-06-19 12:26 . 2008-06-19 12:26    <DIR>    d--------    C:\Program Files\LittleFighter2
2008-06-18 16:31 . 2008-06-18 16:31    10,752    --ahs----    C:\WINDOWS\Thumbs.db
2008-06-18 16:31 . 2008-06-18 16:31    9,728    --ahs----    C:\Thumbs.db

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-16 18:22    ---------    d-----w    C:\Program Files\StepMania
2008-07-16 18:20    ---------    d-----w    C:\Program Files\cFosSpeed
2008-07-16 18:19    ---------    d---a-w    C:\Documents and Settings\All Users\Dane aplikacji\TEMP
2008-07-16 18:16    ---------    d-----w    C:\Program Files\PC Tools AntiVirus
2008-07-16 18:16    ---------    d-----w    C:\Documents and Settings\Arti\Dane aplikacji\Skype
2008-07-09 18:49    ---------    d-----w    C:\Program Files\Garena
2008-07-09 16:58    ---------    d-----w    C:\Program Files\Tibia
2008-07-07 20:53    ---------    d-----w    C:\Documents and Settings\Spidi\Dane aplikacji\Tibia
2008-07-05 07:53    ---------    d-----w    C:\Documents and Settings\Arti\Dane aplikacji\Tibia
2008-07-04 16:52    ---------    d-----w    C:\Program Files\Valve
2008-07-02 22:44    ---------    d-----w    C:\Program Files\Tibia 8.10
2008-06-18 11:46    ---------    d-----w    C:\Program Files\worldTVRT
2008-06-16 13:52    ---------    d-----w    C:\Program Files\CamStudio
2008-06-15 20:20    ---------    d-----w    C:\Program Files\Fraps
2008-06-14 09:45    ---------    d-----w    C:\Documents and Settings\Spidi\Dane aplikacji\Winamp
2008-06-13 16:12    ---------    d-----w    C:\WINDOWS\system32\config\systemprofile\Dane aplikacji\PC Tools
2008-06-09 16:57    ---------    d-----w    C:\Program Files\TibiaBot NG
2008-06-09 13:58    ---------    d-----w    C:\Program Files\UltraStar
2008-06-08 19:16    ---------    d-----w    C:\Program Files\SopCast
2008-06-07 23:41    ---------    d-----w    C:\Program Files\Asprate
2008-06-07 23:26    ---------    d-----w    C:\Program Files\Tibia 7.92
2008-06-07 23:21    ---------    d-----w    C:\Documents and Settings\Spidi\Dane aplikacji\Ventrilo
2008-06-07 13:18    ---------    d-----w    C:\Program Files\Ventrilo
2008-06-07 13:17    ---------    d-----w    C:\Program Files\Common Files\Wise Installation Wizard
2008-06-07 11:57    ---------    d-----w    C:\Documents and Settings\Arti\Dane aplikacji\Ventrilo
2008-06-07 09:18    ---------    d-----w    C:\Documents and Settings\Arti\Dane aplikacji\Gadu-Gadu
2008-06-07 07:57    ---------    d-----w    C:\Documents and Settings\All Users\Dane aplikacji\Spybot - Search & Destroy
2008-06-07 07:42    ---------    d-----w    C:\Documents and Settings\Arti\Dane aplikacji\Winamp
2008-06-06 23:13    ---------    d--h--w    C:\Program Files\InstallShield Installation Information
2008-06-06 21:44    ---------    d-----w    C:\Documents and Settings\Spidi\Dane aplikacji\Gadu-Gadu
2008-06-06 21:38    ---------    d-----w    C:\Documents and Settings\Spidi\Dane aplikacji\PC Tools
2008-06-06 16:12    ---------    d-----w    C:\Program Files\VIA
2008-06-06 16:12    ---------    d-----w    C:\Program Files\Common Files\InstallShield
2008-06-06 16:10    ---------    d-----w    C:\Program Files\Analog Devices
2008-06-06 15:31    ---------    d-----w    C:\Program Files\Spybot - Search & Destroy
2008-06-06 15:31    ---------    d-----w    C:\Program Files\K-Lite CodecPack
2008-06-06 15:30    ---------    d-----w    C:\Program Files\SubEdit-Player
2008-06-06 15:30    ---------    d-----w    C:\Program Files\K-Lite Codec Pack
2008-06-06 15:28    ---------    d-----w    C:\Program Files\Winamp
2008-06-06 15:28    ---------    d-----w    C:\Program Files\Skype
2008-06-06 15:28    ---------    d-----w    C:\Documents and Settings\Arti\Dane aplikacji\PC Tools
2008-06-06 15:28    ---------    d-----w    C:\Documents and Settings\All Users\Dane aplikacji\PC Tools
2008-06-06 15:18    ---------    d-----w    C:\Program Files\Gadu-Gadu
2008-06-06 15:17    ---------    d-----w    C:\Program Files\Java
2008-06-06 15:16    ---------    d-----w    C:\Program Files\Common Files\Java
2008-06-06 15:15    ---------    d-----w    C:\Program Files\Common Files\PC Tools
2008-06-06 15:15    ---------    d-----w    C:\Documents and Settings\Arti\Dane aplikacji\InstallShield
2008-06-06 15:14    ---------    d-----w    C:\Program Files\Trend Micro
2008-06-06 15:14    ---------    d-----w    C:\Program Files\StepMania CVS
2008-06-06 15:06    ---------    d-----w    C:\Program Files\microsoft frontpage
2008-06-06 15:01    ---------    d-----w    C:\Program Files\Usługi online
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2001-10-26 19:29 13312]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2001-08-02 07:14 1077277]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-05-10 16:36 2111176]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2006-09-11 15:07 21840936]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCTAVApp"="C:\Program Files\PC Tools AntiVirus\PCTAV.exe" [2008-03-05 09:37 1238928]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe" [2006-05-03 02:56 36975]
"cFosSpeed"="C:\Program Files\cFosSpeed\cFosSpeed.exe" [2007-10-29 18:02 850896]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2005-05-12 00:34 6729728]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2005-05-12 00:34 86016]
"nwiz"="nwiz.exe" [2005-05-12 00:34 1519616 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2001-08-02 07:14 1077277]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.XVID"= xvid.dll
"vidc.3iv2"= 3ivxVfWCodec.dll
"msacm.divxa32"= divxa32.acm
"VIDC.HFYU"= huffyuv.dll
"VIDC.VP31"= vp31vfw.dll
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\FlashFXP\\FlashFXP.exe"=

R0 tffsport;M-Systems DiskOnChip 2000;C:\WINDOWS\System32\DRIVERS\tffsport.sys [2001-08-17 21:52]
R0 viasraid;viasraid;C:\WINDOWS\System32\DRIVERS\viasraid.sys [2003-10-31 05:22]
S3 gggen;Generic USB Flash Driver;C:\WINDOWS\System32\DRIVERS\gggen.sys [2006-09-28 14:10]
S3 vhack;vhack;C:\Documents and Settings\Spidi\Pulpit\vHack v4\vhack.sys []

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-16 20:24:17
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-07-16 20:26:58
ComboFix-quarantined-files.txt  2008-07-16 18:25:56

Pre-Run: 12,940,828,672 bytes free
Post-Run: 13,090,230,272 bytes free

165


@edit

I think I have dealt with that services.exe file by reading other forums. It is a Trojan horse, more precisely a backdoor. I am also posting a HijackThis log and would ask you to check it (the ComboFix log above is from before services.exe was deleted).
Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:54:51, on 2008-07-17
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\PC Tools AntiVirus\PCTAV.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\cFosSpeed\cFosSpeed.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\cFosSpeed\spd.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [cFosSpeed] C:\Program Files\cFosSpeed\cFosSpeed.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O23 - Service: cFosSpeed System Service (cFosSpeedS) - cFos Software GmbH - C:\Program Files\cFosSpeed\spd.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 3817 bytes
#6
Quote: O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)


Delete these entries in HijackThis. Apart from that, nothing is visible.
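Added example, not code from this thread or from HijackThis, Silent Runners or ComboFix: a small Python triage that applies, mechanically, the checks the replies above make by eye. It flags a Run value whose executable borrows the name of a core Windows binary but sits outside that binary's directory (the `[Windows] C:\WINDOWS\services.exe` entry quoted in post #2; the real Service Control Manager is `C:\WINDOWS\system32\services.exe`), launch points whose target file is gone (`(file missing)` in HijackThis, `[file not found]` in Silent Runners), and a ComboFix driver entry whose image lives outside %SystemRoot% or carries no file timestamp (the `vhack` line in the ComboFix log in post #5). The list of protected binary names, the assumption that the system root is `C:\WINDOWS`, and the sample lines (copied from this thread's logs with their backslashes restored, plus a few clean ones) are the example's own.

```python
import re
from pathlib import PureWindowsPath

# Windows XP core binaries whose names malware likes to borrow, mapped to the
# only directory under %SystemRoot% each one legitimately runs from
# ("" = %SystemRoot% itself). Assumption for this example: an English-layout
# XP install with C:\WINDOWS as the system root, as the logs in the thread show.
SYSTEM_BINARIES = {
    "smss.exe": "system32", "csrss.exe": "system32", "winlogon.exe": "system32",
    "services.exe": "system32", "lsass.exe": "system32", "svchost.exe": "system32",
    "spoolsv.exe": "system32", "explorer.exe": "",
}
SYSTEM_ROOT = PureWindowsPath(r"C:\WINDOWS")
# Markers HijackThis and Silent Runners print when the referenced file is gone.
MISSING_MARKERS = ("(file missing)", "[file not found]")

# HijackThis O4 line:   O4 - HKLM\..\Run: [value name] command line
O4_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# ComboFix driver line: S3 service;display name;image path [file timestamp]
DRIVER_RE = re.compile(
    r"^(?P<start>[RS]\d) (?P<svc>[^;]+);(?P<display>[^;]*);(?P<path>.*?)\s*\[(?P<stamp>[^\]]*)\]$")


def first_image(cmd):
    """Program a Run-key command launches: the quoted path, else the first token
    (an unquoted path that contains spaces is ambiguous and is not resolved)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split()[0] if cmd else ""


def check_image_path(image):
    """Reason string if a protected binary name runs from the wrong place, else None."""
    path = PureWindowsPath(image)
    expected_dir = SYSTEM_BINARIES.get(path.name.lower())
    if expected_dir is None or path.parent == PureWindowsPath("."):
        return None  # not a protected name, or unqualified (cannot judge)
    expected = SYSTEM_ROOT / expected_dir if expected_dir else SYSTEM_ROOT
    if path.parent != expected:  # PureWindowsPath compares case-insensitively
        return f"{path.name} launched from {path.parent} instead of {expected}"
    return None


def triage(lines):
    """Return (line, reason) for every log line that deserves a second look."""
    findings = []
    for line in (raw.strip() for raw in lines):
        reasons = []
        if any(marker in line for marker in MISSING_MARKERS):
            reasons.append("launch point references a file that no longer exists")
        o4 = O4_RE.match(line)
        if o4:
            reason = check_image_path(first_image(o4["cmd"]))
            if reason:
                reasons.append(reason)
        drv = DRIVER_RE.match(line)
        if drv:
            path = PureWindowsPath(drv["path"])
            if SYSTEM_ROOT not in path.parents:
                reasons.append(f"kernel driver loaded from {path.parent}")
            if not drv["stamp"]:
                reasons.append("driver image has no timestamp, i.e. the file is absent")
        if reasons:
            findings.append((line, "; ".join(reasons)))
    return findings


# Lines copied from the logs in this thread (backslashes restored). The first
# three and the msmsgs/viasraid lines are clean, so the filter has something to leave alone.
SAMPLE_LINES = [
    r'O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN',
    r'O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup',
    r'O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k',
    r'O4 - HKLM\..\Run: [Windows] C:\WINDOWS\services.exe',
    r'''O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'SYSTEM')''',
    r'"Windows" = "C:\WINDOWS\services.exe" [file not found]',
    r'O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)',
    r'R0 viasraid;viasraid;C:\WINDOWS\System32\DRIVERS\viasraid.sys [2003-10-31 05:22]',
    r'S3 vhack;vhack;C:\Documents and Settings\Spidi\Pulpit\vHack v4\vhack.sys []',
]

if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LINES):
        print(f"{reason}\n    {line}")
```

The directory check is what catches the `[Windows]` value: the name is a perfectly normal one, and the legitimate `services.exe` in `system32` shows up in the "Running processes" list of every log here, so only the path gives the impostor away. The same rule fires on nothing else in these logs, which is the point of keying it on a short list of protected names rather than on anything that looks unusual.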
#7
I also hope that is all. Thanks for the help.