Tech Support Team


#1
27th September 2008, 05:14 PM
roo
Newcomer
Join Date: Sep 2008, 29 posts.
Location: Jaworzno, Poland
[SOLVED] problem with viewing web pages (IE)

Hi,
I have a problem with viewing web pages: none of the graphic content loads, and it appears only after right-click / Show Image.
A couple of days ago Avira AntiVir detected two Trojans on my computer, Dropper.Gen and Crypt.XDR.Gen; these seem to be removed now (I used ComboFix to remove them). But the web sites still don't work properly (neither in IE nor in Firefox).
All other programs work fine.
Please help.

Below are the SAS, MBAM and HJT logs:

---
SUPERAntiSpyware Scan Log
SUPERAntiSpyware.com - AntiAdware, AntiSpyware, AntiMalware!

Generated 09/27/2008 at 05:20 PM

Application Version : 4.21.1004

Core Rules Database Version : 3581
Trace Rules Database Version: 1569

Scan type : Quick Scan
Total Scan Time : 00:08:05

Memory items scanned : 334
Memory threats detected : 0
Registry items scanned : 316
Registry threats detected : 1
File items scanned : 9305
File threats detected : 1

Adware.Vundo Variant
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C5AF42A3-94F3-42BD-F434-3604812C897D}

Adware.Tracking Cookie
C:\Documents and Settings\sylwia\Cookies\sylwia@tribalfusion[1].txt


----


Malwarebytes' Anti-Malware 1.28
Database version: 1213
Windows 5.1.2600 Service Pack 2

2008-09-27 17:30:19
mbam-log-2008-09-27 (17-30-19).txt

Scan type: Quick Scan
Objects scanned: 41325
Time elapsed: 1 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\basemas32.dll (Trojan.Downloader) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\[system] (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Jnskdfmf9eldfd (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\basemas32.dll (Trojan.Agent) -> Delete on reboot.


----


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:49:23, on 2008-09-27
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Terminator\Quick TV\Scheduled.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Terminator\TV7131 Utilities\P3XRCtl.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\sniper.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Serwis informacyjny sieci jawnet.pl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Quick TV Agent] C:\Program Files\Terminator\Quick TV\Scheduled.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [a783nfo9ewofmdejgywf] C:\DOCUME~1\sylwia\USTAWI~1\Temp\winlogen.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: TV Remote Control.lnk = C:\Program Files\Terminator\TV7131 Utilities\P3XRCtl.exe
O8 - Extra context menu item: Export to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.pl/resources/vi...an_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1222105873828
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

--
End of file - 4834 bytes
#2
27th September 2008, 07:01 PM
evilfantasy
Security Team
Join Date: Dec 2007, 1,998 posts.
Location: Tulsa, OK
Do you know what this is?

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Serwis informacyjny sieci jawnet.pl

If not, have HijackThis fix it as well.

----------

Open HijackThis and select Do a system scan only then place a check mark next to:

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [a783nfo9ewofmdejgywf] C:\DOCUME~1\sylwia\USTAWI~1\Temp\winlogen.exe


Now click Fix checked.

Close HijackThis.

----------

Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

Go to Start > Run and type notepad.exe then click OK

Copy and paste the below into Notepad and save as fixme.reg to Your Desktop

Code:
REGEDIT4

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
"a783nfo9ewofmdejgywf"=-
Locate fixme.reg on your Desktop and double-click it. Answer Yes when prompted to merge with the Registry.

Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it did not work.


Delete the fixme.reg from the Desktop.

Run CCleaner and restart the computer.

----------

Please post the ComboFix log. It can be found in C:\combofix.txt
Last edited by evilfantasy; 27th September 2008 at 07:03 PM.
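The two O4 entries evilfantasy asks HijackThis to fix show the usual marks of a malicious autostart: a value name that looks generated, a program launched from the user's Temp directory, and a file name one letter off a real Windows binary (winlogen.exe next to winlogon.exe). The script below is an added example by the editor, not part of the original post or of HijackThis; it runs those checks over HJT O4 lines. The heuristics, the function names and the sample lines (three copied from the log posted above plus one clean entry) are the editor's own constructions.

```python
"""Triage HijackThis O4 (autostart) lines for the indicators seen in this thread.

Added example by the editor, not part of the original post or of HijackThis:
the heuristics, names and sample lines below are the editor's own constructions.
"""
import re
from typing import Dict, List

# Constructed sample input: three lines copied from the HJT log posted above
# plus one clean per-user entry, so the script runs without a live log.
SAMPLE_O4_LINES = [
    r"O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe",
    r'O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min',
    r"O4 - HKCU\..\Run: [a783nfo9ewofmdejgywf] C:\DOCUME~1\sylwia\USTAWI~1\Temp\winlogen.exe",
    r"O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')",
]

# O4 - <hive>\..\<Run key>: [<value name>] <command line>
O4_RE = re.compile(r"^O4 - (?P<hive>HK.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Per-user scratch locations; Polish XP names Local Settings "Ustawienia lokalne" (USTAWI~1)
TEMP_DIR_RE = re.compile(r"\\(Temp|USTAWI~1|Local Settings|LOCALS~1)\\", re.I)
# Letters-digits-letters inside a long value name: looks generated, not like a product name
GENERATED_NAME_RE = re.compile(r"[a-z][0-9]+[a-z]", re.I)
# Core Windows binaries that malware imitates with one-letter changes
SYSTEM_NAMES = {"winlogon.exe", "svchost.exe", "lsass.exe", "csrss.exe", "smss.exe",
                "services.exe", "explorer.exe", "spoolsv.exe", "ctfmon.exe"}


def executable_path(cmd: str) -> str:
    """Return the program path from a Run value, whether quoted or bare."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"(.*?\.exe)(?:\s|$)", cmd, re.I)   # bare path, possibly followed by arguments
    return m.group(1) if m else cmd.split()[0]


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to spot one-letter lookalike file names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage_o4(line: str) -> List[str]:
    """Return the reasons an O4 line deserves a look; an empty list means nothing tripped."""
    m = O4_RE.match(line)
    if not m:
        return []
    name, cmd = m.group("name"), m.group("cmd")
    path = executable_path(cmd)
    base = path.rsplit("\\", 1)[-1].lower()
    reasons: List[str] = []
    if TEMP_DIR_RE.search(path):
        reasons.append("program runs from a Temp / Local Settings directory")
    if len(name) >= 10 and GENERATED_NAME_RE.search(name):
        reasons.append("value name looks machine-generated")
    for sysname in SYSTEM_NAMES:
        if base != sysname and edit_distance(base, sysname) == 1:
            reasons.append(f"file name is a one-letter lookalike of {sysname}")
        elif base == sysname and "\\windows\\" not in path.lower():
            reasons.append(f"{sysname} launched from outside the Windows directory")
    return reasons


def triage_report(lines) -> Dict[str, List[str]]:
    """Map each suspicious O4 line to the reasons it was flagged."""
    report: Dict[str, List[str]] = {}
    for ln in lines:
        reasons = triage_o4(ln)
        if reasons:
            report[ln] = reasons
    return report


if __name__ == "__main__":
    for ln, why in triage_report(SAMPLE_O4_LINES).items():
        print(ln)
        for r in why:
            print("   -", r)
```

Run against the sample lines, only the winlogen.exe entry is reported, with all three reasons; the ATI, Avira and CTFMON entries pass. The checks are deliberately narrow (a Temp path, a generated-looking name, a lookalike of a core binary), so treat a flag as a reason to look closer, not as a verdict, and paste the whole log into a thread like this one when in doubt.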
#3
27th September 2008, 07:23 PM
roo
Newcomer
Join Date: Sep 2008, 29 posts.
Location: Jaworzno, Poland
Hi!
Thanks for the reply.
About the entry:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Serwis informacyjny sieci jawnet.pl
It is my home page (I know it looks weird, but that's because it's in Polish), so I didn't remove that.
I ran HJT with the two other entries and I also ran the fixme.reg. I received the success message.

About the ComboFix log: should I run it now, or do you mean the log I had last time when fixing the Trojans?
#4
27th September 2008, 07:41 PM
roo
Newcomer
Join Date: Sep 2008, 29 posts.
Location: Jaworzno, Poland
I thought that a new log would be of more use, so here it goes.

It seems that parts of it are in Polish :-/ so let me know if you need some additional info.

ComboFix 08-09-26.06 - sylwia 2008-09-27 20:38:13.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1250.48.1045.18.307 [GMT 2:00]
Running from: C:\Documents and Settings\sylwia\Pulpit\ComboFix.exe

WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files created from 2008-08-27 to 2008-09-27 )))))))))))))))))))))))))))))))
.

2008-09-27 17:48 . 2008-09-27 17:48 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-27 17:44 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-09-27 17:43 . 2008-09-27 17:44 <DIR> d-------- C:\Program Files\Java
2008-09-27 17:43 . 2008-09-27 17:43 <DIR> d-------- C:\Program Files\Common Files\Java
2008-09-27 17:25 . 2008-09-27 17:27 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-27 17:25 . 2008-09-27 17:25 <DIR> d-------- C:\Documents and Settings\sylwia\Dane aplikacji\Malwarebytes
2008-09-27 17:25 . 2008-09-27 17:25 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Malwarebytes
2008-09-27 17:25 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-27 17:25 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-27 17:07 . 2008-09-27 17:07 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-09-27 17:07 . 2008-09-27 17:07 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-09-27 17:07 . 2008-09-27 17:07 <DIR> d-------- C:\Documents and Settings\sylwia\Dane aplikacji\SUPERAntiSpyware.com
2008-09-27 17:07 . 2008-09-27 17:07 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\SUPERAntiSpyware.com
2008-09-27 16:59 . 2008-09-27 16:59 <DIR> d-------- C:\Program Files\CCleaner
2008-09-26 23:25 . 2001-08-17 20:13 27,165 --a--c--- C:\WINDOWS\system32\dllcache\fetnd5.sys
2008-09-26 23:23 . 2001-08-17 21:28 871,388 --a--c--- C:\WINDOWS\system32\dllcache\bcmdm.sys
2008-09-26 23:18 . 2001-08-17 20:12 97,354 --a--c--- C:\WINDOWS\system32\dllcache\aspndis3.sys
2008-09-26 23:15 . 2001-08-17 21:28 762,780 --a--c--- C:\WINDOWS\system32\dllcache\3cwmcru.sys
2008-09-26 23:14 . 2004-08-04 00:38 2,149,888 --a--c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-09-26 23:14 . 2001-10-26 17:29 66,048 --a--c--- C:\WINDOWS\system32\dllcache\s3legacy.dll
2008-09-26 22:14 . 2004-08-03 23:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-09-25 22:24 . 2008-09-27 20:38 <DIR> d--h----- C:\Documents and Settings\Administrator\Ustawienia lokalne
2008-09-25 22:24 . 2008-09-22 20:21 <DIR> d-------- C:\Documents and Settings\Administrator\Ulubione
2008-09-25 22:24 . 2008-09-22 19:26 <DIR> d--h----- C:\Documents and Settings\Administrator\Szablony
2008-09-25 22:24 . 2008-09-22 20:21 <DIR> d-------- C:\Documents and Settings\Administrator\Pulpit
2008-09-25 22:24 . 2008-09-22 20:21 <DIR> d-------- C:\Documents and Settings\Administrator\Moje dokumenty
2008-09-25 22:24 . 2008-09-22 20:21 <DIR> dr------- C:\Documents and Settings\Administrator\Menu Start
2008-09-25 22:24 . 2008-09-22 20:21 <DIR> dr-h----- C:\Documents and Settings\Administrator\Dane aplikacji
2008-09-25 22:24 . 2008-09-25 22:25 <DIR> d-------- C:\Documents and Settings\Administrator
2008-09-25 20:02 . 2008-09-25 20:02 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-09-25 20:02 . 2008-09-25 20:02 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab
2008-09-25 19:37 . 2008-09-25 22:19 <DIR> d-------- C:\Program Files\Yahoo!
2008-09-24 23:57 . 2008-09-24 23:57 <DIR> d-------- C:\Documents and Settings\sylwia\Dane aplikacji\MSN6
2008-09-24 23:57 . 2008-09-24 23:57 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\MSN6
2008-09-24 23:23 . 2008-09-24 23:23 130 --a------ C:\WINDOWS\wininit.ini
2008-09-24 23:11 . 2008-09-25 19:33 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Spybot - Search & Destroy
2008-09-24 22:59 . 2008-09-24 23:01 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Lavasoft
2008-09-24 00:03 . 2008-04-11 20:51 683,520 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-09-23 21:14 . 2008-09-23 21:15 <DIR> d-------- C:\Program Files\NAPI-PROJEKT
2008-09-23 20:03 . 2008-09-23 20:03 3,532 --a------ C:\drmHeader.bin
2008-09-23 19:00 . 2008-09-23 19:00 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\IM
2008-09-23 18:59 . 2008-09-23 19:00 <DIR> d-------- C:\Program Files\IncrediMail
2008-09-23 18:59 . 2008-09-23 18:59 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\IncrediMail
2008-09-23 18:41 . 2008-09-25 22:58 <DIR> d-------- C:\Documents and Settings\sylwia\Dane aplikacji\The Bat!
2008-09-23 18:40 . 2008-09-23 18:51 <DIR> d-------- C:\Program Files\The Bat!
2008-09-22 23:26 . 2008-09-22 23:26 <DIR> d-------- C:\WINDOWS\system32\QuickTime
2008-09-22 23:26 . 2008-09-22 23:26 <DIR> d-------- C:\WINDOWS\system32\custom matrices
2008-09-22 23:26 . 2008-09-22 23:26 <DIR> d-------- C:\WINDOWS\system32\C2MP
2008-09-22 23:16 . 2006-10-26 19:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2008-09-22 23:15 . 2008-09-22 23:15 <DIR> d-------- C:\Program Files\Microsoft Works
2008-09-22 23:14 . 2008-09-22 23:14 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-09-22 23:13 . 2008-09-22 23:13 <DIR> dr-h----- C:\MSOCache
2008-09-22 23:13 . 2008-09-22 23:16 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Microsoft Help
2008-09-22 23:06 . 2008-09-22 23:06 <DIR> d-------- C:\Program Files\Avira
2008-09-22 23:06 . 2008-09-22 23:06 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Avira
2008-09-22 22:54 . 2008-09-25 00:03 <DIR> d-------- C:\Documents and Settings\sylwia\Dane aplikacji\uTorrent
2008-09-22 22:50 . 2008-09-22 22:50 <DIR> d-------- C:\Documents and Settings\sylwia\Dane aplikacji\Gadu-Gadu
2008-09-22 22:49 . 2008-09-22 22:49 <DIR> d-------- C:\Program Files\Gadu-Gadu
2008-09-22 22:49 . 2008-09-22 22:50 <DIR> d-------- C:\Documents and Settings\sylwia\Gadu-Gadu
2008-09-22 22:41 . 2008-09-22 22:43 <DIR> d-------- C:\Program Files\Winamp
2008-09-22 22:41 . 2008-09-22 22:45 <DIR> d-------- C:\Documents and Settings\sylwia\Dane aplikacji\Winamp
2008-09-22 22:36 . 2008-09-27 20:18 <DIR> d-------- C:\Program Files\Mozilla Thunderbird
2008-09-22 22:36 . 2008-09-22 22:36 <DIR> d-------- C:\Documents and Settings\sylwia\Dane aplikacji\Thunderbird
2008-09-22 22:36 . 2008-09-22 22:36 0 --a------ C:\WINDOWS\nsreg.dat
2008-09-22 22:31 . 2008-09-22 22:31 <DIR> d-------- C:\Program Files\SubEdit-Player
2008-09-22 22:22 . 2008-09-22 22:22 <DIR> d-------- C:\Documents and Settings\LocalService\Menu Start
2008-09-22 22:17 . 2008-09-22 22:43 316,640 --a------ C:\WINDOWS\WMSysPr9.prx
2008-09-22 22:14 . 2008-09-22 22:14 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-09-22 22:14 . 2004-08-04 00:43 333,312 --a--c--- C:\WINDOWS\system32\dllcache\aqueue.dll
2008-09-22 22:14 . 2004-08-04 00:43 105,984 --a--c--- C:\WINDOWS\system32\dllcache\evntagnt.dll
2008-09-22 22:12 . 2004-07-17 11:40 19,528 --a------ C:\WINDOWS\002249_.tmp
2008-09-22 22:11 . 2008-09-22 22:11 <DIR> d-------- C:\WINDOWS\EHome
2008-09-22 20:31 . 2008-09-22 20:31 <DIR> d-------- C:\Program Files\Common Files\Adobe AIR
2008-09-22 20:30 . 2008-09-22 20:30 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-09-22 20:22 . 2004-08-04 00:44 77,312 --a------ C:\WINDOWS\system32\usbui.dll
2008-09-22 20:22 . 2001-08-17 23:00 2,944 --a------ C:\WINDOWS\system32\drivers\msmpu401.sys
2008-09-22 20:21 . 2008-09-22 20:21 <DIR> dr-h----- C:\Documents and Settings\Default User\Ustawienia lokalne
2008-09-22 20:21 . 2008-09-22 20:21 <DIR> d-------- C:\Documents and Settings\Default User\Ulubione
2008-09-22 20:21 . 2008-09-22 19:26 <DIR> d--h----- C:\Documents and Settings\Default User\Szablony
2008-09-22 20:21 . 2008-09-22 20:21 <DIR> d-------- C:\Documents and Settings\Default User\Pulpit
2008-09-22 20:21 . 2008-09-22 20:21 <DIR> d-------- C:\Documents and Settings\Default User\Moje dokumenty
2008-09-22 20:21 . 2008-09-22 20:21 <DIR> dr------- C:\Documents and Settings\Default User\Menu Start
2008-09-22 20:21 . 2008-09-22 20:21 <DIR> dr-h----- C:\Documents and Settings\Default User\Dane aplikacji
2008-09-22 20:21 . 2008-09-22 20:21 <DIR> d-------- C:\Documents and Settings\All Users\Ulubione
2008-09-22 20:21 . 2008-09-22 20:21 <DIR> d--h----- C:\Documents and Settings\All Users\Szablony
2008-09-22 20:21 . 2008-09-27 17:25 <DIR> d-------- C:\Documents and Settings\All Users\Pulpit
2008-09-22 20:21 . 2008-09-22 22:16 <DIR> dr------- C:\Documents and Settings\All Users\Menu Start
2008-09-22 20:21 . 2008-09-22 19:27 <DIR> dr------- C:\Documents and Settings\All Users\Dokumenty
2008-09-22 20:21 . 2008-09-27 17:25 <DIR> dr-h----- C:\Documents and Settings\All Users\Dane aplikacji
2008-09-22 20:20 . 2008-09-22 19:29 <DIR> d--h----- C:\Documents and Settings\Default User
2008-09-22 20:20 . 2008-09-22 19:28 <DIR> d-------- C:\Documents and Settings\All Users
2008-09-22 20:20 . 2008-09-25 22:24 <DIR> d-------- C:\Documents and Settings
2008-09-22 20:15 . 2008-09-22 20:15 <DIR> d-------- C:\Program Files\Philips Semiconductors
2008-09-22 20:14 . 2003-09-16 20:11 327,168 --a------ C:\WINDOWS\IsUninst.exe
2008-09-22 20:11 . 2008-09-22 20:14 <DIR> d-------- C:\Program Files\Terminator
2008-09-22 20:05 . 2008-09-22 20:05 13,646 --a------ C:\WINDOWS\system32\wpa.bak

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-23 20:25 578,560 ----a-w C:\WINDOWS\system32\user32.DLL
2008-09-22 18:15 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-22 17:47 --------- d-----w C:\Program Files\Realtek Sound Manager
2008-09-22 17:47 --------- d-----w C:\Program Files\AvRack
2008-09-22 17:42 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-09-22 17:36 --------- d-----w C:\Program Files\ATI Technologies
2008-09-22 17:29 --------- d-----w C:\Program Files\microsoft frontpage
2008-09-22 17:28 --------- d-----w C:\Program Files\Usługi online
2008-07-18 20:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 20:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 20:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 20:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 20:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 20:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 20:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 20:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-07 20:33 253,952 ----a-w C:\WINDOWS\system32\es.dll
.
C:\WINDOWS\system32\user32.dll ... is infected !! (additional data below)
561,664 2003-04-16 12:00:00 C:\WINDOWS\$NtServicePackUninstall$\user32.dll
578,560 2004-08-03 22:44:14 C:\WINDOWS\ServicePackFiles\i386\user32.dll
578,560 2008-09-23 20:25:56 C:\WINDOWS\system32\user32.DLL


------- Sigcheck -------

2003-04-16 14:00 561664 3a4892a57cfe05d61e4bbc3ec3e24a63 C:\WINDOWS\$NtServicePackUninstall$\user32.dll
2004-08-04 00:44 578560 0c81764f50f32d376e6e4b9e9f4b01a0 C:\WINDOWS\ServicePackFiles\i386\user32.dll
2008-09-23 22:25 578560 49d4bddebff2ad94b991a5eb1af6d8bc C:\WINDOWS\system32\user32.DLL
.
((((((((((((((((((((((((((((((((((((( Registry startup entries ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries and legitimate default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-09-12 335872]
"Quick TV Agent"="C:\Program Files\Terminator\Quick TV\Scheduled.exe" [2004-10-11 740352]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-08-04 36352]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 15360]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
TV Remote Control.lnk - C:\Program Files\Terminator\TV7131 Utilities\P3XRCtl.exe [2008-09-22 57344]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm
"vidc.hfyu"= huffyuv.dll
"msacm.divxa32"= DivXa32.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati1taxx.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati2xexx.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati5otxx.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati8rxxx.sys]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-06-12 02:38 34672 C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IncrediMail]
--a------ 2008-07-24 14:22 243072 C:\Program Files\IncrediMail\bin\IncMail.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-08-04 00:44 1667584 C:\Program Files\Messenger\msmsgs.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"C:\\Program Files\\IncrediMail\\bin\\ImApp.exe"=
"C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=

R3 Cap713x;Philips Cap713x Video Capture;C:\WINDOWS\system32\DRIVERS\Cap713x.sys [2004-10-20 414592]
S0 bibfanpm;bibfanpm;C:\WINDOWS\system32\drivers\ahbwh.sys [ ]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\sylwia\Dane aplikacji\Mozilla\Firefox\Profiles\9g9bv1zj.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.jawnet.pl/
FF -: plugin - C:\Program Files\Yahoo!\Common\npyaxmpb.dll
FF -: plugin - C:\WINDOWS\system32\C2MP\npdivx32.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-27 20:38:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs loaded under running processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll
.
Completion time: 2008-09-27 20:39:27
ComboFix-quarantined-files.txt 2008-09-27 18:39:25

Before: 14,599,372,800 bytes free
After: 14,588,141,568 bytes free

206 --- E O F --- 2008-09-25 20:57:19
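The Sigcheck section of the ComboFix log above is the finding that matters: C:\WINDOWS\system32\user32.DLL has exactly the same size (578,560 bytes) as the Service Pack 2 copy in ServicePackFiles\i386 but a different MD5, which is what an in-place modification of a system DLL looks like, and a size or date check alone would miss it. The script below is an added example by the editor, not part of the original post or of ComboFix; it compares a file against backup copies by content hash and classifies each copy. The directory layout and the byte contents built in demo() are constructed stand-ins rather than real user32.dll data, and the function and class names are the editor's own; on the machine in this thread the same compare_copies() would be pointed at the three paths the log lists.

```python
"""Compare a system DLL with its backup copies by content hash.

Added example by the editor, not part of the original post or of ComboFix:
the directory layout and file contents built in demo() are constructed stand-ins.
"""
import hashlib
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, Iterable


@dataclass(frozen=True)
class Fingerprint:
    size: int
    md5: str       # what the Sigcheck section in the log prints
    sha256: str    # what is actually compared below


def fingerprint(path: Path) -> Fingerprint:
    """Hash a file in chunks so large system binaries are not read into memory at once."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha.update(chunk)
    return Fingerprint(path.stat().st_size, md5.hexdigest(), sha.hexdigest())


def compare_copies(reference: Path, copies: Iterable[Path]) -> Dict[Path, str]:
    """Classify each copy against a trusted reference copy of the same file.

    'same-size-hash-mismatch' is the case the log shows for system32\\user32.DLL:
    a size or date check passes and only the content hash reveals the change.
    """
    ref = fingerprint(reference)
    verdicts: Dict[Path, str] = {}
    for copy in copies:
        fp = fingerprint(copy)
        if fp.sha256 == ref.sha256:
            verdicts[copy] = "identical"
        elif fp.size == ref.size:
            verdicts[copy] = "same-size-hash-mismatch"
        else:
            verdicts[copy] = "size-mismatch"
    return verdicts


def demo() -> Dict[str, str]:
    """Rebuild the three user32.dll locations from the log with constructed bytes.

    Returns the verdict for each copy, keyed by its path relative to a throwaway root.
    """
    good = bytes(range(256)) * 64                  # stand-in for the SP2 build (16 KiB)
    patched = bytearray(good)
    patched[4096:4100] = b"\xcc\xcc\xcc\xcc"       # four bytes changed, size unchanged
    older = good[:-512]                            # stand-in for the pre-SP2 build
    layout = {
        "ServicePackFiles/i386/user32.dll": good,            # trusted reference
        "system32/user32.DLL": bytes(patched),               # the live, modified copy
        "$NtServicePackUninstall$/user32.dll": older,        # pre-SP2 backup
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, data in layout.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        reference = root / "ServicePackFiles/i386/user32.dll"
        verdicts = compare_copies(reference, [root / rel for rel in layout])
        return {p.relative_to(root).as_posix(): v for p, v in verdicts.items()}


if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{verdict:25} {path}")
```

The demo reproduces the three outcomes in the log: the ServicePackFiles copy is identical to itself, the $NtServicePackUninstall$ copy is a different build and differs in size, and the system32 copy matches in size but not in hash. One caveat a practitioner should keep in mind: the reference copy has to be trusted before the comparison means anything. ServicePackFiles and dllcache live on the same disk as the infected copy and can be replaced too, so the reliable reference is a hash taken from install media or a known-good system of the same build, not merely another file on the suspect machine.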
#5
27th September 2008, 08:07 PM
evilfantasy
Security Team
Join Date: Dec 2007, 1,998 posts.
Location: Tulsa, OK
Download this file to your Desktop. Windows XP Home Edition with Service Pack 2 Utility

Now close all open windows and programs.
Drag the setup package onto ComboFix.exe and drop it.

Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
When complete, a log named CF_RC.txt will open.
Please post the contents of that log in your next reply.
#6
27th September 2008, 08:21 PM
roo
Newcomer
Join Date: Sep 2008, 29 posts.
Location: Jaworzno, Poland
Something like this opened, but it was called "log". Is it OK?

ComboFix 08-09-26.06 - sylwia 2008-09-27 21:13:50.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1045.18.314 [GMT 2:00]
Running from: C:\Documents and Settings\sylwia\Pulpit\ComboFix.exe
Command switches used :: C:\Documents and Settings\sylwia\Pulpit\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files created from 2008-08-27 to 2008-09-27 )))))))))))))))))))))))))))))))
.

2008-09-27 17:48 . 2008-09-27 17:48 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-27 17:44 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-09-27 17:43 . 2008-09-27 17:44 <DIR> d-------- C:\Program Files\Java
2008-09-27 17:43 . 2008-09-27 17:43 <DIR> d-------- C:\Program Files\Common Files\Java
2008-09-27 17:25 . 2008-09-27 17:27 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-27 17:25 . 2008-09-27 17:25 <DIR> d-------- C:\Documents and Settings\sylwia\Dane aplikacji\Malwarebytes
2008-09-27 17:25 . 2008-09-27 17:25 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Malwarebytes
2008-09-27 17:25 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-27 17:25 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-27 17:07 . 2008-09-27 17:07 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-09-27 17:07 . 2008-09-27 17:07 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-09-27 17:07 . 2008-09-27 17:07 <DIR> d-------- C:\Documents and Settings\sylwia\Dane aplikacji\SUPERAntiSpyware.com
2008-09-27 17:07 . 2008-09-27 17:07 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\SUPERAntiSpyware.com
2008-09-27 16:59 . 2008-09-27 16:59 <DIR> d-------- C:\Program Files\CCleaner
2008-09-26 23:25 . 2001-08-17 20:13 27,165 --a--c--- C:\WINDOWS\system32\dllcache\fetnd5.sys
2008-09-26 23:23 . 2001-08-17 21:28 871,388 --a--c--- C:\WINDOWS\system32\dllcache\bcmdm.sys
2008-09-26 23:18 . 2001-08-17 20:12 97,354 --a--c--- C:\WINDOWS\system32\dllcache\aspndis3.sys
2008-09-26 23:15 . 2001-08-17 21:28 762,780 --a--c--- C:\WINDOWS\system32\dllcache\3cwmcru.sys
2008-09-26 23:14 . 2004-08-04 00:38 2,149,888 --a--c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-09-26 23:14 . 2001-10-26 17:29 66,048 --a--c--- C:\WINDOWS\system32\dllcache\s3legacy.dll
2008-09-26 22:14 . 2004-08-03 23:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-09-25 22:24 . 2008-09-27 20:39 <DIR> d--h----- C:\Documents and Settings\Administrator\Ustawienia lokalne
2008-09-25 22:24 . 2008-09-22 20:21 <DIR> d-------- C:\Documents and Settings\Administrator\Ulubione
2008-09-25 22:24 . 2008-09-22 19:26 <DIR> d--h----- C:\Documents and Settings\Administrator\Szablony
2008-09-25 22:24 . 2008-09-22 20:21 <DIR> d-------- C:\Documents and Settings\Administrator\Pulpit
2008-09-25 22:24 . 2008-09-22 20:21 <DIR> d-------- C:\Documents and Settings\Administrator\Moje dokumenty
2008-09-25 22:24 . 2008-09-22 20:21 <DIR> dr------- C:\Documents and Settings\Administrator\Menu Start
2008-09-25 22:24 . 2008-09-22 20:21 <DIR> dr-h----- C:\Documents and Settings\Administrator\Dane aplikacji
2008-09-25 22:24 . 2008-09-25 22:25 <DIR> d-------- C:\Documents and Settings\Administrator
2008-09-25 20:02 . 2008-09-25 20:02 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-09-25 20:02 . 2008-09-25 20:02 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab
2008-09-25 19:37 . 2008-09-25 22:19 <DIR> d-------- C:\Program Files\Yahoo!
2008-09-24 23:57 . 2008-09-24 23:57 <DIR> d-------- C:\Documents and Settings\sylwia\Dane aplikacji\MSN6
2008-09-24 23:57 . 2008-09-24 23:57 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\MSN6
2008-09-24 23:23 . 2008-09-24 23:23 130 --a------ C:\WINDOWS\wininit.ini
2008-09-24 23:11 . 2008-09-25 19:33 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Spybot - Search & Destroy
2008-09-24 22:59 . 2008-09-24 23:01 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Lavasoft
2008-09-24 00:03 . 2008-04-11 20:51 683,520 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-09-23 21:14 . 2008-09-23 21:15 <DIR> d-------- C:\Program Files\NAPI-PROJEKT
2008-09-23 20:03 . 2008-09-23 20:03 3,532 --a------ C:\drmHeader.bin
2008-09-23 19:00 . 2008-09-23 19:00 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\IM
2008-09-23 18:59 . 2008-09-23 19:00 <DIR> d-------- C:\Program Files\IncrediMail
2008-09-23 18:59 . 2008-09-23 18:59 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\IncrediMail
2008-09-23 18:41 . 2008-09-25 22:58 <DIR> d-------- C:\Documents and Settings\sylwia\Dane aplikacji\The Bat!
2008-09-23 18:40 . 2008-09-23 18:51 <DIR> d-------- C:\Program Files\The Bat!
2008-09-22 23:26 . 2008-09-22 23:26 <DIR> d-------- C:\WINDOWS\system32\QuickTime
2008-09-22 23:26 . 2008-09-22 23:26 <DIR> d-------- C:\WINDOWS\system32\custom matrices
2008-09-22 23:26 . 2008-09-22 23:26 <DIR> d-------- C:\WINDOWS\system32\C2MP
2008-09-22 23:16 . 2006-10-26 19:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2008-09-22 23:15 . 2008-09-22 23:15 <DIR> d-------- C:\Program Files\Microsoft Works
2008-09-22 23:14 . 2008-09-22 23:14 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-09-22 23:13 . 2008-09-22 23:13 <DIR> dr-h----- C:\MSOCache
2008-09-22 23:13 . 2008-09-22 23:16 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Microsoft Help
2008-09-22 23:06 . 2008-09-22 23:06 <DIR> d-------- C:\Program Files\Avira
2008-09-22 23:06 . 2008-09-22 23:06 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Avira
2008-09-22 22:54 . 2008-09-25 00:03 <DIR> d-------- C:\Documents and Settings\sylwia\Dane aplikacji\uTorrent
2008-09-22 22:50 . 2008-09-22 22:50 <DIR> d-------- C:\Documents and Settings\sylwia\Dane aplikacji\Gadu-Gadu
2008-09-22 22:49 . 2008-09-22 22:49 <DIR> d-------- C:\Program Files\Gadu-Gadu
2008-09-22 22:49 . 2008-09-22 22:50 <DIR> d-------- C:\Documents and Settings\sylwia\Gadu-Gadu
2008-09-22 22:41 . 2008-09-22 22:43 <DIR> d-------- C:\Program Files\Winamp
2008-09-22 22:41 . 2008-09-22 22:45 <DIR> d-------- C:\Documents and Settings\sylwia\Dane aplikacji\Winamp
2008-09-22 22:36 . 2008-09-27 20:42 <DIR> d-------- C:\Program Files\Mozilla Thunderbird
2008-09-22 22:36 . 2008-09-22 22:36 <DIR> d-------- C:\Documents and Settings\sylwia\Dane aplikacji\Thunderbird
2008-09-22 22:36 . 2008-09-22 22:36 0 --a------ C:\WINDOWS\nsreg.dat
2008-09-22 22:31 . 2008-09-22 22:31 <DIR> d-------- C:\Program Files\SubEdit-Player
2008-09-22 22:22 . 2008-09-22 22:22 <DIR> d-------- C:\Documents and Settings\LocalService\Menu Start
2008-09-22 22:17 . 2008-09-22 22:43 316,640 --a------ C:\WINDOWS\WMSysPr9.prx
2008-09-22 22:14 . 2008-09-22 22:14 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-09-22 22:14 . 2004-08-04 00:43 333,312 --a--c--- C:\WINDOWS\system32\dllcache\aqueue.dll
2008-09-22 22:14 . 2004-08-04 00:43 105,984 --a--c--- C:\WINDOWS\system32\dllcache\evntagnt.dll
2008-09-22 22:12 . 2004-07-17 11:40 19,528 --a------ C:\WINDOWS\002249_.tmp
2008-09-22 22:11 . 2008-09-22 22:11 <DIR> d-------- C:\WINDOWS\EHome
2008-09-22 20:31 . 2008-09-22 20:31 <DIR> d-------- C:\Program Files\Common Files\Adobe AIR
2008-09-22 20:30 . 2008-09-22 20:30 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-09-22 20:22 . 2004-08-04 00:44 77,312 --a------ C:\WINDOWS\system32\usbui.dll
2008-09-22 20:22 . 2001-08-17 23:00 2,944 --a------ C:\WINDOWS\system32\drivers\msmpu401.sys
2008-09-22 20:21 . 2008-09-22 20:21 <DIR> dr-h----- C:\Documents and Settings\Default User\Ustawienia lokalne
2008-09-22 20:21 . 2008-09-22 20:21 <DIR> d-------- C:\Documents and Settings\Default User\Ulubione
2008-09-22 20:21 . 2008-09-22 19:26 <DIR> d--h----- C:\Documents and Settings\Default User\Szablony
2008-09-22 20:21 . 2008-09-22 20:21 <DIR> d-------- C:\Documents and Settings\Default User\Pulpit
2008-09-22 20:21 . 2008-09-22 20:21 <DIR> d-------- C:\Documents and Settings\Default User\Moje dokumenty
2008-09-22 20:21 . 2008-09-22 20:21 <DIR> dr------- C:\Documents and Settings\Default User\Menu Start
2008-09-22 20:21 . 2008-09-22 20:21 <DIR> dr-h----- C:\Documents and Settings\Default User\Dane aplikacji
2008-09-22 20:21 . 2008-09-22 20:21 <DIR> d-------- C:\Documents and Settings\All Users\Ulubione
2008-09-22 20:21 . 2008-09-22 20:21 <DIR> d--h----- C:\Documents and Settings\All Users\Szablony
2008-09-22 20:21 . 2008-09-27 17:25 <DIR> d-------- C:\Documents and Settings\All Users\Pulpit
2008-09-22 20:21 . 2008-09-22 22:16 <DIR> dr------- C:\Documents and Settings\All Users\Menu Start
2008-09-22 20:21 . 2008-09-22 19:27 <DIR> dr------- C:\Documents and Settings\All Users\Dokumenty
2008-09-22 20:21 . 2008-09-27 17:25 <DIR> dr-h----- C:\Documents and Settings\All Users\Dane aplikacji
2008-09-22 20:20 . 2008-09-22 19:29 <DIR> d--h----- C:\Documents and Settings\Default User
2008-09-22 20:20 . 2008-09-22 19:28 <DIR> d-------- C:\Documents and Settings\All Users
2008-09-22 20:20 . 2008-09-25 22:24 <DIR> d-------- C:\Documents and Settings
2008-09-22 20:15 . 2008-09-22 20:15 <DIR> d-------- C:\Program Files\Philips Semiconductors
2008-09-22 20:14 . 2003-09-16 20:11 327,168 --a------ C:\WINDOWS\IsUninst.exe
2008-09-22 20:11 . 2008-09-22 20:14 <DIR> d-------- C:\Program Files\Terminator
2008-09-22 20:05 . 2008-09-22 20:05 13,646 --a------ C:\WINDOWS\system32\wpa.bak

.
(((((((((((((((((((((((((((((((((((((((( Find3M section ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-23 20:25 578,560 ----a-w C:\WINDOWS\system32\user32.DLL
2008-09-22 18:15 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-22 17:47 --------- d-----w C:\Program Files\Realtek Sound Manager
2008-09-22 17:47 --------- d-----w C:\Program Files\AvRack
2008-09-22 17:42 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-09-22 17:36 --------- d-----w C:\Program Files\ATI Technologies
2008-09-22 17:29 --------- d-----w C:\Program Files\microsoft frontpage
2008-09-22 17:28 --------- d-----w C:\Program Files\Usługi online
2008-07-18 20:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 20:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 20:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 20:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 20:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 20:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 20:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 20:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-07 20:33 253,952 ----a-w C:\WINDOWS\system32\es.dll
.
file copied: C:\WINDOWS\system32\user32.dll -> C:\Qoobox\Quarantine\C\WINDOWS\system32\user32.dll.vir.vir ( 578560 bytes )

C:\WINDOWS\system32\user32.dll ... is infected !! (additional data below)
561,664 2003-04-16 12:00:00 C:\WINDOWS\$NtServicePackUninstall$\user32.dll
578,560 2004-08-03 22:44:14 C:\WINDOWS\ServicePackFiles\i386\user32.dll
578,560 2008-09-23 20:25:56 C:\WINDOWS\system32\user32.DLL


------- Sigcheck -------

2003-04-16 14:00 561664 3a4892a57cfe05d61e4bbc3ec3e24a63 C:\WINDOWS\$NtServicePackUninstall$\user32.dll
2004-08-04 00:44 578560 0c81764f50f32d376e6e4b9e9f4b01a0 C:\WINDOWS\ServicePackFiles\i386\user32.dll
2008-09-23 22:25 578560 49d4bddebff2ad94b991a5eb1af6d8bc C:\WINDOWS\system32\user32.DLL
.
((((((((((((((((((((((((((((((((((((( Registry startup entries ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries and legitimate default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-09-12 335872]
"Quick TV Agent"="C:\Program Files\Terminator\Quick TV\Scheduled.exe" [2004-10-11 740352]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-08-04 36352]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 15360]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
TV Remote Control.lnk - C:\Program Files\Terminator\TV7131 Utilities\P3XRCtl.exe [2008-09-22 57344]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm
"vidc.hfyu"= huffyuv.dll
"msacm.divxa32"= DivXa32.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati1taxx.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati2xexx.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati5otxx.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati8rxxx.sys]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-06-12 02:38 34672 C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IncrediMail]
--a------ 2008-07-24 14:22 243072 C:\Program Files\IncrediMail\bin\IncMail.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-08-04 00:44 1667584 C:\Program Files\Messenger\msmsgs.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"C:\\Program Files\\IncrediMail\\bin\\ImApp.exe"=
"C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=

R3 Cap713x;Philips Cap713x Video Capture;C:\WINDOWS\system32\DRIVERS\Cap713x.sys [2004-10-20 414592]
S0 bibfanpm;bibfanpm;C:\WINDOWS\system32\drivers\ahbwh.sys [ ]
.
.
------- Supplementary scan -------
.
FireFox -: Profile - C:\Documents and Settings\sylwia\Dane aplikacji\Mozilla\Firefox\Profiles\9g9bv1zj.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.jawnet.pl/
FF -: plugin - C:\Program Files\Yahoo!\Common\npyaxmpb.dll
FF -: plugin - C:\WINDOWS\system32\C2MP\npdivx32.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-27 21:15:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning for hidden processes ...

scanning for hidden autostart entries ...

scanning for hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs loaded under running processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll
.
------------------------ Other running processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\ComboFix\pv.cfexe
.
**************************************************************************
.
Completion time: 2008-09-27 21:16:32 - the computer was restarted
ComboFix-quarantined-files.txt 2008-09-27 19:16:29
ComboFix2.txt 2008-09-27 18:39:28

Before: 14,568,873,984 bytes free
After: 14,546,182,144 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

227 --- E O F --- 2008-09-25 20:57:19
#7
27th September 2008, 08:29 PM
evilfantasy
Security Team
Join Date: Dec 2007, 1,998 posts.
Location: Tulsa, OK
Uninstall ComboFix, scan with the new version, then post that log.

Uninstall CF.
  • Click START then RUN
  • Now type Combofix /u in the runbox
  • Make sure there's a space between Combofix and /u
  • Then hit Enter.


Download ComboFix.exe
#8
27th September 2008, 08:44 PM
roo
Newcomer
Join Date: Sep 2008, 29 posts.
Location: Jaworzno, Poland
Uninstalled, installed again, and here's the log:

ComboFix 08-09-27.01 - sylwia 2008-09-27 21:38:48.7 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1045.18.306 [GMT 2:00]
Run from: C:\Documents and Settings\sylwia\Pulpit\ComboFix.exe
* A new restore point was created
.

((((((((((((((((((((((((( Files created from 2008-08-27 to 2008-09-27 )))))))))))))))))))))))))))))))
.

2008-09-27 17:48 . 2008-09-27 17:48 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-27 17:44 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-09-27 17:43 . 2008-09-27 17:44 <DIR> d-------- C:\Program Files\Java
2008-09-27 17:43 . 2008-09-27 17:43 <DIR> d-------- C:\Program Files\Common Files\Java
2008-09-27 17:25 . 2008-09-27 17:27 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-27 17:25 . 2008-09-27 17:25 <DIR> d-------- C:\Documents and Settings\sylwia\Dane aplikacji\Malwarebytes
2008-09-27 17:25 . 2008-09-27 17:25 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Malwarebytes
2008-09-27 17:25 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-27 17:25 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-27 17:07 . 2008-09-27 17:07 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-09-27 17:07 . 2008-09-27 17:07 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-09-27 17:07 . 2008-09-27 17:07 <DIR> d-------- C:\Documents and Settings\sylwia\Dane aplikacji\SUPERAntiSpyware.com
2008-09-27 17:07 . 2008-09-27 17:07 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\SUPERAntiSpyware.com
2008-09-27 16:59 . 2008-09-27 16:59 <DIR> d-------- C:\Program Files\CCleaner
2008-09-26 23:25 . 2001-08-17 20:13 27,165 --a--c--- C:\WINDOWS\system32\dllcache\fetnd5.sys
2008-09-26 23:23 . 2001-08-17 21:28 871,388 --a--c--- C:\WINDOWS\system32\dllcache\bcmdm.sys
2008-09-26 23:18 . 2001-08-17 20:12 97,354 --a--c--- C:\WINDOWS\system32\dllcache\aspndis3.sys
2008-09-26 23:15 . 2001-08-17 21:28 762,780 --a--c--- C:\WINDOWS\system32\dllcache\3cwmcru.sys
2008-09-26 23:14 . 2004-08-04 00:38 2,149,888 --a--c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-09-26 23:14 . 2001-10-26 17:29 66,048 --a--c--- C:\WINDOWS\system32\dllcache\s3legacy.dll
2008-09-26 22:14 . 2004-08-03 23:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-09-25 22:24 . 2008-09-27 21:16 <DIR> d--h----- C:\Documents and Settings\Administrator\Ustawienia lokalne
2008-09-25 22:24 . 2008-09-22 20:21 <DIR> d-------- C:\Documents and Settings\Administrator\Ulubione
2008-09-25 22:24 . 2008-09-22 19:26 <DIR> d--h----- C:\Documents and Settings\Administrator\Szablony
2008-09-25 22:24 . 2008-09-22 20:21 <DIR> d-------- C:\Documents and Settings\Administrator\Pulpit
2008-09-25 22:24 . 2008-09-22 20:21 <DIR> d-------- C:\Documents and Settings\Administrator\Moje dokumenty
2008-09-25 22:24 . 2008-09-22 20:21 <DIR> dr------- C:\Documents and Settings\Administrator\Menu Start
2008-09-25 22:24 . 2008-09-22 20:21 <DIR> dr-h----- C:\Documents and Settings\Administrator\Dane aplikacji
2008-09-25 22:24 . 2008-09-25 22:25 <DIR> d-------- C:\Documents and Settings\Administrator
2008-09-25 20:02 . 2008-09-25 20:02 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-09-25 20:02 . 2008-09-25 20:02 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab
2008-09-25 19:37 . 2008-09-25 22:19 <DIR> d-------- C:\Program Files\Yahoo!
2008-09-24 23:57 . 2008-09-24 23:57 <DIR> d-------- C:\Documents and Settings\sylwia\Dane aplikacji\MSN6
2008-09-24 23:57 . 2008-09-24 23:57 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\MSN6
2008-09-24 23:23 . 2008-09-24 23:23 130 --a------ C:\WINDOWS\wininit.ini
2008-09-24 23:11 . 2008-09-25 19:33 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Spybot - Search & Destroy
2008-09-24 22:59 . 2008-09-24 23:01 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Lavasoft
2008-09-24 00:03 . 2008-04-11 20:51 683,520 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-09-23 21:14 . 2008-09-23 21:15 <DIR> d-------- C:\Program Files\NAPI-PROJEKT
2008-09-23 20:03 . 2008-09-23 20:03 3,532 --a------ C:\drmHeader.bin
2008-09-23 19:00 . 2008-09-23 19:00 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\IM
2008-09-23 18:59 . 2008-09-23 19:00 <DIR> d-------- C:\Program Files\IncrediMail
2008-09-23 18:59 . 2008-09-23 18:59 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\IncrediMail
2008-09-23 18:41 . 2008-09-25 22:58 <DIR> d-------- C:\Documents and Settings\sylwia\Dane aplikacji\The Bat!
2008-09-23 18:40 . 2008-09-23 18:51 <DIR> d-------- C:\Program Files\The Bat!
2008-09-22 23:26 . 2008-09-22 23:26 <DIR> d-------- C:\WINDOWS\system32\QuickTime
2008-09-22 23:26 . 2008-09-22 23:26 <DIR> d-------- C:\WINDOWS\system32\custom matrices
2008-09-22 23:26 . 2008-09-22 23:26 <DIR> d-------- C:\WINDOWS\system32\C2MP
2008-09-22 23:16 . 2006-10-26 19:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2008-09-22 23:15 . 2008-09-22 23:15 <DIR> d-------- C:\Program Files\Microsoft Works
2008-09-22 23:14 . 2008-09-22 23:14 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-09-22 23:13 . 2008-09-22 23:13 <DIR> dr-h----- C:\MSOCache
2008-09-22 23:13 . 2008-09-22 23:16 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Microsoft Help
2008-09-22 23:06 . 2008-09-22 23:06 <DIR> d-------- C:\Program Files\Avira
2008-09-22 23:06 . 2008-09-22 23:06 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Avira
2008-09-22 22:54 . 2008-09-25 00:03 <DIR> d-------- C:\Documents and Settings\sylwia\Dane aplikacji\uTorrent
2008-09-22 22:50 . 2008-09-22 22:50 <DIR> d-------- C:\Documents and Settings\sylwia\Dane aplikacji\Gadu-Gadu
2008-09-22 22:49 . 2008-09-22 22:49 <DIR> d-------- C:\Program Files\Gadu-Gadu
2008-09-22 22:49 . 2008-09-22 22:50 <DIR> d-------- C:\Documents and Settings\sylwia\Gadu-Gadu
2008-09-22 22:41 . 2008-09-22 22:43 <DIR> d-------- C:\Program Files\Winamp
2008-09-22 22:41 . 2008-09-22 22:45 <DIR> d-------- C:\Documents and Settings\sylwia\Dane aplikacji\Winamp
2008-09-22 22:36 . 2008-09-27 21:27 <DIR> d-------- C:\Program Files\Mozilla Thunderbird
2008-09-22 22:36 . 2008-09-22 22:36 <DIR> d-------- C:\Documents and Settings\sylwia\Dane aplikacji\Thunderbird
2008-09-22 22:36 . 2008-09-22 22:36 0 --a------ C:\WINDOWS\nsreg.dat
2008-09-22 22:31 . 2008-09-22 22:31 <DIR> d-------- C:\Program Files\SubEdit-Player
2008-09-22 22:22 . 2008-09-22 22:22 <DIR> d-------- C:\Documents and Settings\LocalService\Menu Start
2008-09-22 22:17 . 2008-09-22 22:43 316,640 --a------ C:\WINDOWS\WMSysPr9.prx
2008-09-22 22:14 . 2008-09-22 22:14 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-09-22 22:14 . 2004-08-04 00:43 333,312 --a--c--- C:\WINDOWS\system32\dllcache\aqueue.dll
2008-09-22 22:14 . 2004-08-04 00:43 105,984 --a--c--- C:\WINDOWS\system32\dllcache\evntagnt.dll
2008-09-22 22:12 . 2004-07-17 11:40 19,528 --a------ C:\WINDOWS\002249_.tmp
2008-09-22 22:11 . 2008-09-22 22:11 <DIR> d-------- C:\WINDOWS\EHome
2008-09-22 20:31 . 2008-09-22 20:31 <DIR> d-------- C:\Program Files\Common Files\Adobe AIR
2008-09-22 20:30 . 2008-09-22 20:30 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-09-22 20:22 . 2004-08-04 00:44 77,312 --a------ C:\WINDOWS\system32\usbui.dll
2008-09-22 20:22 . 2001-08-17 23:00 2,944 --a------ C:\WINDOWS\system32\drivers\msmpu401.sys
2008-09-22 20:21 . 2008-09-22 20:21 <DIR> dr-h----- C:\Documents and Settings\Default User\Ustawienia lokalne
2008-09-22 20:21 . 2008-09-22 20:21 <DIR> d-------- C:\Documents and Settings\Default User\Ulubione
2008-09-22 20:21 . 2008-09-22 19:26 <DIR> d--h----- C:\Documents and Settings\Default User\Szablony
2008-09-22 20:21 . 2008-09-22 20:21 <DIR> d-------- C:\Documents and Settings\Default User\Pulpit
2008-09-22 20:21 . 2008-09-22 20:21 <DIR> d-------- C:\Documents and Settings\Default User\Moje dokumenty
2008-09-22 20:21 . 2008-09-22 20:21 <DIR> dr------- C:\Documents and Settings\Default User\Menu Start
2008-09-22 20:21 . 2008-09-22 20:21 <DIR> dr-h----- C:\Documents and Settings\Default User\Dane aplikacji
2008-09-22 20:21 . 2008-09-22 20:21 <DIR> d-------- C:\Documents and Settings\All Users\Ulubione
2008-09-22 20:21 . 2008-09-22 20:21 <DIR> d--h----- C:\Documents and Settings\All Users\Szablony
2008-09-22 20:21 . 2008-09-27 17:25 <DIR> d-------- C:\Documents and Settings\All Users\Pulpit
2008-09-22 20:21 . 2008-09-22 22:16 <DIR> dr------- C:\Documents and Settings\All Users\Menu Start
2008-09-22 20:21 . 2008-09-22 19:27 <DIR> dr------- C:\Documents and Settings\All Users\Dokumenty
2008-09-22 20:21 . 2008-09-27 17:25 <DIR> dr-h----- C:\Documents and Settings\All Users\Dane aplikacji
2008-09-22 20:20 . 2008-09-22 19:29 <DIR> d--h----- C:\Documents and Settings\Default User
2008-09-22 20:20 . 2008-09-22 19:28 <DIR> d-------- C:\Documents and Settings\All Users
2008-09-22 20:20 . 2008-09-25 22:24 <DIR> d-------- C:\Documents and Settings
2008-09-22 20:15 . 2008-09-22 20:15 <DIR> d-------- C:\Program Files\Philips Semiconductors
2008-09-22 20:14 . 2003-09-16 20:11 327,168 --a------ C:\WINDOWS\IsUninst.exe
2008-09-22 20:11 . 2008-09-22 20:14 <DIR> d-------- C:\Program Files\Terminator
2008-09-22 20:05 . 2008-09-22 20:05 13,646 --a------ C:\WINDOWS\system32\wpa.bak

.
(((((((((((((((((((((((((((((((((((((((( Find3M section ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-23 20:25 578,560 ----a-w C:\WINDOWS\system32\user32.DLL
2008-09-22 18:15 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-22 17:47 --------- d-----w C:\Program Files\Realtek Sound Manager
2008-09-22 17:47 --------- d-----w C:\Program Files\AvRack
2008-09-22 17:42 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-09-22 17:36 --------- d-----w C:\Program Files\ATI Technologies
2008-09-22 17:29 --------- d-----w C:\Program Files\microsoft frontpage
2008-09-22 17:28 --------- d-----w C:\Program Files\Usługi online
2008-07-18 20:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 20:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 20:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 20:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 20:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 20:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 20:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 20:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-07 20:33 253,952 ----a-w C:\WINDOWS\system32\es.dll
.
file copied: C:\WINDOWS\system32\user32.dll -> C:\Qoobox\Quarantine\C\WINDOWS\system32\user32.dll.vir.vir ( 578560 bytes )

C:\WINDOWS\system32\user32.dll ... is infected !! (additional data below)
561,664 2003-04-16 12:00:00 C:\WINDOWS\$NtServicePackUninstall$\user32.dll
578,560 2004-08-03 22:44:14 C:\WINDOWS\ServicePackFiles\i386\user32.dll
578,560 2008-09-23 20:25:56 C:\WINDOWS\system32\user32.DLL


------- Sigcheck -------

2003-04-16 14:00 561664 3a4892a57cfe05d61e4bbc3ec3e24a63 C:\WINDOWS\$NtServicePackUninstall$\user32.dll
2004-08-04 00:44 578560 0c81764f50f32d376e6e4b9e9f4b01a0 C:\WINDOWS\ServicePackFiles\i386\user32.dll
2008-09-23 22:25 578560 49d4bddebff2ad94b991a5eb1af6d8bc C:\WINDOWS\system32\user32.DLL
.
((((((((((((((((((((((((((((((((((((( Registry startup entries ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries and legitimate default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-09-12 335872]
"Quick TV Agent"="C:\Program Files\Terminator\Quick TV\Scheduled.exe" [2004-10-11 740352]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-08-04 36352]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 15360]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
TV Remote Control.lnk - C:\Program Files\Terminator\TV7131 Utilities\P3XRCtl.exe [2008-09-22 57344]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm
"vidc.hfyu"= huffyuv.dll
"msacm.divxa32"= DivXa32.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati1taxx.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati2xexx.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati5otxx.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati8rxxx.sys]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-06-12 02:38 34672 C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IncrediMail]
--a------ 2008-07-24 14:22 243072 C:\Program Files\IncrediMail\bin\IncMail.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-08-04 00:44 1667584 C:\Program Files\Messenger\msmsgs.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"C:\\Program Files\\IncrediMail\\bin\\ImApp.exe"=
"C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=

R3 Cap713x;Philips Cap713x Video Capture;C:\WINDOWS\system32\DRIVERS\Cap713x.sys [2004-10-20 414592]
S0 bibfanpm;bibfanpm;C:\WINDOWS\system32\drivers\ahbwh.sys [ ]
.
.
------- Supplementary scan -------
.
FireFox -: Profile - C:\Documents and Settings\sylwia\Dane aplikacji\Mozilla\Firefox\Profiles\9g9bv1zj.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.jawnet.pl/
FF -: plugin - C:\Program Files\Yahoo!\Common\npyaxmpb.dll
FF -: plugin - C:\WINDOWS\system32\C2MP\npdivx32.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-27 21:40:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning for hidden processes ...

scanning for hidden autostart entries ...

scanning for hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs loaded under running processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll
.
------------------------ Other running processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\ComboFix\pv.cfexe
.
**************************************************************************
.
Completion time: 2008-09-27 21:41:49 - the computer was restarted
ComboFix-quarantined-files.txt 2008-09-27 19:41:44
ComboFix2.txt 2008-09-27 19:16:33

Before: 14,795,583,488 bytes free
After: 14,790,959,104 bytes free

219 --- E O F --- 2008-09-25 20:57:19
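Both ComboFix runs end their Sigcheck block the same way: three copies of user32.dll, each with a timestamp, size and MD5. The $NtServicePackUninstall$ copy is the pre-SP2 build (561,664 bytes), the ServicePackFiles\i386 copy is the SP2 build (578,560 bytes), and the live C:\WINDOWS\system32\user32.DLL has the SP2 size but a different MD5 and a 2008-09-23 timestamp. Same size with a different hash is the fingerprint of a DLL patched in place rather than replaced by an update, and it is the reason ComboFix quarantines the live copy. The Python below is an added example, not part of the thread and not ComboFix's own code: it parses those three Sigcheck lines exactly as posted, flags the live copy whose hash matches no reference copy, and then repeats the comparison on real files. The reference directory names come from the log and are assumptions for any other machine; the patched-file sample is constructed in a temporary directory.

```python
"""Added example, not part of the thread and not ComboFix's own code: redo the
"Sigcheck" comparison from the log. parse_sigcheck() reads the three lines as
posted; check_against_references() repeats the size/hash comparison on real
files. Reference directory names are taken from the log and are assumptions
for any other machine; the patched-file sample is constructed."""
import hashlib
import os
import re
import tempfile
from collections import defaultdict

# The three Sigcheck lines from the ComboFix log in this thread: timestamp,
# size in bytes, MD5, path. Embedded here as sample input.
SIGCHECK_SAMPLE = r"""
2003-04-16 14:00 561664 3a4892a57cfe05d61e4bbc3ec3e24a63 C:\WINDOWS\$NtServicePackUninstall$\user32.dll
2004-08-04 00:44 578560 0c81764f50f32d376e6e4b9e9f4b01a0 C:\WINDOWS\ServicePackFiles\i386\user32.dll
2008-09-23 22:25 578560 49d4bddebff2ad94b991a5eb1af6d8bc C:\WINDOWS\system32\user32.DLL
"""

SIGCHECK_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (\d+) ([0-9a-f]{32}) (.+)$")


def parse_sigcheck(text):
    """Turn Sigcheck lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if m:
            records.append({"stamp": m.group(1), "size": int(m.group(2)),
                            "md5": m.group(3), "path": m.group(4)})
    return records


def is_live_copy(path):
    """The copy Windows loads is the one in system32; dllcache, ServicePackFiles
    and $NtServicePackUninstall$ hold the reference copies."""
    p = path.lower()
    return "\\system32\\" in p and "\\dllcache\\" not in p


def flag_modified_live_copies(records):
    """Group records by file name and flag every live copy whose MD5 matches no
    reference copy. References of the same size are reported alongside it: an
    in-place patch keeps the size, a version change usually does not."""
    groups = defaultdict(list)
    for r in records:
        groups[r["path"].rsplit("\\", 1)[-1].lower()].append(r)
    flagged = []
    for group in groups.values():
        refs = [r for r in group if not is_live_copy(r["path"])]
        ref_hashes = {r["md5"] for r in refs}
        for live in (r for r in group if is_live_copy(r["path"])):
            if refs and live["md5"] not in ref_hashes:
                flagged.append({"path": live["path"],
                                "same_size_as": [r["path"] for r in refs
                                                 if r["size"] == live["size"]]})
    return flagged


def sha256_of(path):
    """Hash a file in chunks so a large binary is never read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_against_references(live_path, reference_dirs):
    """Hash a live file and every copy of it found in reference_dirs; the live
    file passes only if its hash equals at least one reference copy's hash."""
    name = os.path.basename(live_path)
    live_hash = sha256_of(live_path)
    refs = {}
    for d in reference_dirs:
        candidate = os.path.join(d, name)
        if os.path.isfile(candidate):
            refs[candidate] = sha256_of(candidate)
    return {"live": live_hash, "references": refs,
            "matches_reference": live_hash in refs.values()}


def demo_patched_dll():
    """Constructed sample in a temp dir: a clean reference copy and a live copy
    of identical size with five bytes overwritten, the pattern the log shows."""
    root = tempfile.mkdtemp()
    ref_dir = os.path.join(root, "ServicePackFiles", "i386")
    os.makedirs(ref_dir)
    clean = b"MZ" + b"\x00" * 1022            # stand-in for a 1024-byte image
    patched = bytearray(clean)
    patched[512:517] = b"\xe9\x41\x41\x41\x41"  # same length, 5 bytes changed
    with open(os.path.join(ref_dir, "user32.dll"), "wb") as fh:
        fh.write(clean)
    live = os.path.join(root, "user32.dll")
    with open(live, "wb") as fh:
        fh.write(bytes(patched))
    return check_against_references(live, [ref_dir])


if __name__ == "__main__":
    for f in flag_modified_live_copies(parse_sigcheck(SIGCHECK_SAMPLE)):
        print("hash matches no reference copy:", f["path"],
              "| same size as:", ", ".join(f["same_size_as"]))
    print("constructed patched DLL matches a reference:",
          demo_patched_dll()["matches_reference"])
```

Run on the log's own lines it flags exactly one file, C:\WINDOWS\system32\user32.DLL, and names the ServicePackFiles copy as the same-size reference; on a real XP box you would pass the three reference directories from the log to check_against_references(). Note that a clean hash match against dllcache is only meaningful if dllcache itself is trusted, which is why ComboFix also prints the ServicePackFiles and $NtServicePackUninstall$ copies.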
#9
27th September 2008, 08:46 PM
evilfantasy
Security Team
Join Date: Dec 2007, 1,998 posts.
Location: Tulsa, OK
Download ATF Cleaner by Atribune to your Desktop.

Alternate download link

Note: Vista users must use Run As Administrator
  • Under Main: Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords click No at the prompt.
  • Click Exit on the Main menu to close the program.


Note that your system will run slower for a reboot or two after having used this tool, so don't panic.

Important: Restart the computer before continuing.

----------

Run this online scan. It requires Internet Explorer.

Use the ESET Nod32 Online Scanner

1. Check the box next to YES, I accept the Terms of Use.
2. Click Start
3. When asked, allow the activex control to install
4. Click Start
5. Make sure that the options Remove found threats and Scan unwanted applications are checked.
6. Click Scan
7. Wait for the scan to finish
8. Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
9. Add the C:\Program Files\EsetOnlineScanner\log.txt log into your next reply.
#10
27th September 2008, 09:39 PM
roo
Newcomer
Join Date: Sep 2008, 29 posts.
Location: Jaworzno, Poland