bolekd posted 27 April 2009 (edited)

Hello, I'm asking for help. I'm trying to fix a friends' computer, and it looks fairly heavily infected. Most of the viruses (including several trojans) were removed by AVG or by ESET's online scanner, but it looks like not all of them... Symptoms:
- after typing netstat /o in cmd I see a whole mass (about 30 at once) of SMTP connections to various external servers (screenshot attached); I'm guessing the computer is sending tons of spam on the orders of some virus...
- the servers vary: google, .gov, .edu, .org, bare IPs, .jp, .de, .pl, a whole mass of domains
- they all run from the same PID, which Task Manager shows as services.exe. Is this one of the running services in the administrative panel (Control Panel, Performance and Maintenance, Administrative Tools, Services)?
- I tried various antivirus products:
-- Kaspersky: after installation everything seems OK, but it doesn't launch at all
-- ESET: crashes during installation, right at the moment it tries to configure (start) its services... it says the service could not be started and suggests I may not have the permissions for that (I'm installing from the 'administrator' account, so this is hardly a normal problem)
-- AVG: installed correctly and removed some of the viruses, but not all... the computer already runs better, faster etc., but those SMTP connections are still visible in netstat...
Any advice? System: Win XP Pro SP2, updated. Many thanks in advance, bolek

Maybe a Silent Runners report will help; HijackThis won't launch after installation...
"Silent Runners.vbs", revision 59, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"PMHandler" = "C:\PROGRA~1\Lenovo\PMDRIV~1\PMHandler.exe" ["Lenovo"]
"SynTPEnh" = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]
"TPFNF7" = "C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r" ["Lenovo Group Limited"]
"TPWAUDAP" = "C:\Program Files\Lenovo\HOTKEY\TpWAudAp.exe" [null data]
"RTHDCPL" = "RTHDCPL.EXE" ["Realtek Semiconductor Corp."]
"Alcmtr" = "ALCMTR.EXE" ["Realtek Semiconductor Corp."]
"AzMixerSel" = "C:\Program Files\Realtek\Audio\InstallShield\AzMixerSel.exe" ["Realtek Semiconductor Corp."]
"AGRSMMSG" = "AGRSMMSG.exe" ["Agere Systems"]
"IgfxTray" = "C:\WINDOWS\system32\igfxtray.exe" ["Intel Corporation"]
"HotKeysCmds" = "C:\WINDOWS\system32\hkcmd.exe" ["Intel Corporation"]
"Persistence" = "C:\WINDOWS\system32\igfxpers.exe" ["Intel Corporation"]
"TVT Scheduler Proxy" = "C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" ["Lenovo Group Limited"]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" ["Sun Microsystems, Inc."]
"ISUSPM Startup" = "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup" ["InstallShield Software Corporation"]
"ISUSScheduler" = ""C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start" ["InstallShield Software Corporation"]
"(Default)" = "(empty string)" [file not found]
"FingerPrintSoftware" = ""C:\Program Files\Lenovo Fingerprint Software\fpapp.exe" \s" ["Authentec,Inc"]
"LPManager" = "C:\PROGRA~1\Lenovo\LENOVO~2\LPMGR.exe" ["Lenovo Group Limited"]
"AwaySch" = "C:\Program Files\Lenovo\AwayTask\AwaySch.EXE" ["Lenovo Group Limited"]
"AMSG" = "C:\Program Files\ThinkVantage\AMSG\Amsg.exe /startup" ["LENOVO"]
"DiskeeperSystray" = ""C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"" ["Diskeeper Corporation"]
"cssauth" = ""C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" silent" ["Lenovo Group Limited"]
"Adobe Reader Speed Launcher" = ""C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"" ["Adobe Systems Incorporated"]
"AdslTaskBar" = "rundll32.exe stmctrl.dll,TaskBar" [MS]
"HPDJ Taskbar Utility" = "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe" ["HP"]
"AVG8_TRAY" = "C:\PROGRA~1\AVG\AVG8\avgtray.exe" ["AVG Technologies CZ, s.r.o."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{3ca2f312-6f6e-4b53-a66e-4e65e497c8c0}\(Default) = "WormRadar.com IESiteBlocker.NavFilter"
  -> {HKLM...CLSID} = "AVG Safe Search"
                   \InProcServer32\(Default) = "C:\Program Files\AVG\AVG8\avgssie.dll" ["AVG Technologies CZ, s.r.o."]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "SSVHelper Class"
                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
{a057a204-bacc-4d26-9990-79a187e2698e}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "AVG Security Toolbar"
                   \InProcServer32\(Default) = "C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL" ["[[[COMPANYNAME]]]----------------------------"]
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Windows Live Toolbar Helper"
                   \InProcServer32\(Default) = "C:\Program Files\Windows Live Toolbar\msntb.dll" [MS]
{F040E541-A427-4CF7-85D8-75E3E0F476C5}\(Default) = "ThinkVantage Password Manager"
  -> {HKLM...CLSID} = "CPwmIEBrowserHelper Object"
                   \InProcServer32\(Default) = "C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll" ["Lenovo Group Limited"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
                   \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band"
  -> {HKLM...CLSID} = "History Band"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{2F603045-309F-11CF-9774-0020AFD0CFF6}" = "Synaptics Control Panel"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\Program Files\Synaptics\SynTP\SynTPCpl.dll" ["Synaptics, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
  -> {HKLM...CLSID} = "Outlook File Icon Extension"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\OLKFSTUB.DLL" [MS]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
  -> {HKLM...CLSID} = "Microsoft Office Outlook"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\MLSHEXT.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\msohevi.dll" [MS]
"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
  -> {HKLM...CLSID} = "Microsoft Office Metadata Handler"
                   \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
  -> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
                   \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{6af09ec9-b429-11d4-a1fb-0090960218cb}" = "My Bluetooth Places"
  -> {HKLM...CLSID} = "Moje miejsca interfejsu Bluetooth"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\btneighborhood.dll" ["Broadcom Corporation."]
"{7842554E-6BED-11D2-8CDB-B05550C10000}" = "Monitor"
  -> {HKLM...CLSID} = "Monitor Class"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\btncopy.dll" ["Broadcom Corporation."]
"{5858A72C-C2B4-4dd7-B2BF-B76DB1BD9F6C}" = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search"
  -> {HKLM...CLSID} = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\ONFILTER.DLL" [MS]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG8 Shell Extension"
  -> {HKLM...CLSID} = "AVG8 Shell Extension Class"
                   \InProcServer32\(Default) = "C:\Program Files\AVG\AVG8\avgse.dll" ["AVG Technologies CZ, s.r.o."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
  -> {HKLM...CLSID} = "WPDShServiceObj Class"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
<<!>> "GinaDLL" = "ATGinaHook.dll" ["AuthenTec, Inc"]

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\
<<!>> ("digiwet.dll" [file not found]) "SecurityProviders" = "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digiwet.dll"

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> ATFUS\DLLName = "C:\WINDOWS\system32\FpWinLogonNp.dll" ["AuthenTec,Inc"]
<<!>> avgrsstarter\DLLName = "avgrsstx.dll" ["AVG Technologies CZ, s.r.o."]
<<!>> crypt\DLLName = "crypts.dll" [file not found]
<<!>> igfxcui\DLLName = "igfxdev.dll" ["Intel Corporation"]
<<!>> tphotkey\DLLName = "C:\Program Files\Lenovo\HOTKEY\tphklock.dll" [null data]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
<<!>> a2service.exe\Debugger = "ntsd -d" [MS]
<<!>> ArcaCheck.exe\Debugger = "ntsd -d" [MS]
<<!>> arcavir.exe\Debugger = "ntsd -d" [MS]
<<!>> ashDisp.exe\Debugger = "ntsd -d" [MS]
<<!>> ashEnhcd.exe\Debugger = "ntsd -d" [MS]
<<!>> ashServ.exe\Debugger = "ntsd -d" [MS]
<<!>> ashUpd.exe\Debugger = "ntsd -d" [MS]
<<!>> aswUpdSv.exe\Debugger = "ntsd -d" [MS]
<<!>> autoruns.exe\Debugger = "ntsd -d" [MS]
<<!>> avadmin.exe\Debugger = "ntsd -d" [MS]
<<!>> avcenter.exe\Debugger = "ntsd -d" [MS]
<<!>> avcls.exe\Debugger = "ntsd -d" [MS]
<<!>> avconfig.exe\Debugger = "ntsd -d" [MS]
<<!>> avconsol.exe\Debugger = "ntsd -d" [MS]
<<!>> avgnt.exe\Debugger = "ntsd -d" [MS]
<<!>> avgrssvc.exe\Debugger = "ntsd -d" [MS]
<<!>> avguard.exe\Debugger = "ntsd -d" [MS]
<<!>> AvMonitor.exe\Debugger = "ntsd -d" [MS]
<<!>> avp.com\Debugger = "ntsd -d" [MS]
<<!>> avp.exe\Debugger = "ntsd -d" [MS]
<<!>> AVP32.EXE\Debugger = "ntsd -d" [MS]
<<!>> avscan.exe\Debugger = "ntsd -d" [MS]
<<!>> avz.exe\Debugger = "ntsd -d" [MS]
<<!>> avz4.exe\Debugger = "ntsd -d" [MS]
<<!>> avz_se.exe\Debugger = "ntsd -d" [MS]
<<!>> bdagent.exe\Debugger = "ntsd -d" [MS]
<<!>> bdinit.exe\Debugger = "ntsd -d" [MS]
<<!>> caav.exe\Debugger = "ntsd -d" [MS]
<<!>> caavguiscan.exe\Debugger = "ntsd -d" [MS]
<<!>> casecuritycenter.exe\Debugger = "ntsd -d" [MS]
<<!>> CCenter.exe\Debugger = "ntsd -d" [MS]
<<!>> ccupdate.exe\Debugger = "ntsd -d" [MS]
<<!>> cfp.exe\Debugger = "ntsd -d" [MS]
<<!>> cfpupdat.exe\Debugger = "ntsd -d" [MS]
<<!>> cmdagent.exe\Debugger = "ntsd -d" [MS]
<<!>> drwadins.exe\Debugger = "ntsd -d" [MS]
<<!>> DRWEB32.EXE\Debugger = "ntsd -d" [MS]
<<!>> drwebupw.exe\Debugger = "ntsd -d" [MS]
<<!>> ekrn.exe\Debugger = "ntsd -d" [MS]
<<!>> FAMEH32.EXE\Debugger = "ntsd -d" [MS]
<<!>> filemon.exe\Debugger = "ntsd -d" [MS]
<<!>> FPAVServer.exe\Debugger = "ntsd -d" [MS]
<<!>> fpscan.exe\Debugger = "ntsd -d" [MS]
<<!>> FPWin.exe\Debugger = "ntsd -d" [MS]
<<!>> fsav32.exe\Debugger = "ntsd -d" [MS]
<<!>> fsgk32st.exe\Debugger = "ntsd -d" [MS]
<<!>> FSMA32.EXE\Debugger = "ntsd -d" [MS]
<<!>> GFRing3.exe\Debugger = "ntsd -d" [MS]
<<!>> guardgui.exe\Debugger = "ntsd -d" [MS]
<<!>> guardxservice.exe\Debugger = "ntsd -d" [MS]
<<!>> guardxup.exe\Debugger = "ntsd -d" [MS]
<<!>> HijackThis.exe\Debugger = "ntsd -d" [MS]
<<!>> KASMain.exe\Debugger = "ntsd -d" [MS]
<<!>> KASTask.exe\Debugger = "ntsd -d" [MS]
<<!>> KAV32.exe\Debugger = "ntsd -d" [MS]
<<!>> KAVDX.exe\Debugger = "ntsd -d" [MS]
<<!>> KAVPF.exe\Debugger = "ntsd -d" [MS]
<<!>> KAVPFW.exe\Debugger = "ntsd -d" [MS]
<<!>> KAVStart.exe\Debugger = "ntsd -d" [MS]
<<!>> KPFW32.exe\Debugger = "ntsd -d" [MS]
<<!>> KPFW32X.exe\Debugger = "ntsd -d" [MS]
<<!>> Navapsvc.exe\Debugger = "ntsd -d" [MS]
<<!>> Navapw32.exe\Debugger = "ntsd -d" [MS]
<<!>> navigator.exe\Debugger = "ntsd -d" [MS]
<<!>> NAVNT.EXE\Debugger = "ntsd -d" [MS]
<<!>> NAVSTUB.EXE\Debugger = "ntsd -d" [MS]
<<!>> NAVW32.EXE\Debugger = "ntsd -d" [MS]
<<!>> NAVWNT.EXE\Debugger = "ntsd -d" [MS]
<<!>> niu.exe\Debugger = "ntsd -d" [MS]
<<!>> nod32.exe\Debugger = "ntsd -d" [MS]
<<!>> nod32krn.exe\Debugger = "ntsd -d" [MS]
<<!>> Nvcc.exe\Debugger = "ntsd -d" [MS]
<<!>> OllyDBG.EXE\Debugger = "ntsd -d" [MS]
<<!>> outpost.exe\Debugger = "ntsd -d" [MS]
<<!>> preupd.exe\Debugger = "ntsd -d" [MS]
<<!>> procexp.exe\Debugger = "ntsd -d" [MS]
<<!>> pskdr.exe\Debugger = "ntsd -d" [MS]
<<!>> regedit.exe\Debugger = "ntsd -d" [MS]
<<!>> regmon.exe\Debugger = "ntsd -d" [MS]
<<!>> RegTool.exe\Debugger = "ntsd -d" [MS]
<<!>> scan32.exe\Debugger = "ntsd -d" [MS]
<<!>> SfFnUp.exe\Debugger = "ntsd -d" [MS]
<<!>> Vba32arkit.exe\Debugger = "ntsd -d" [MS]
<<!>> vba32ldr.exe\Debugger = "ntsd -d" [MS]
<<!>> vsserv.exe\Debugger = "ntsd -d" [MS]
<<!>> Zanda.exe\Debugger = "ntsd -d" [MS]
<<!>> zapro.exe\Debugger = "ntsd -d" [MS]
<<!>> Zlh.exe\Debugger = "ntsd -d" [MS]
<<!>> zonealarm.exe\Debugger = "ntsd -d" [MS]
<<!>> zoneband.dll\Debugger = "ntsd -d" [MS]

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}"
  -> {HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter"
                   \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL" [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
  -> {HKLM...CLSID} = "PDF Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
avg8 shell extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
  -> {HKLM...CLSID} = "AVG8 Shell Extension Class"
                   \InProcServer32\(Default) = "C:\Program Files\AVG\AVG8\avgse.dll" ["AVG Technologies CZ, s.r.o."]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
avg8 shell extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
  -> {HKLM...CLSID} = "AVG8 Shell Extension Class"
                   \InProcServer32\(Default) = "C:\Program Files\AVG\AVG8\avgse.dll" ["AVG Technologies CZ, s.r.o."]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"HonorAutoRunSetting" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"NoCDBurning" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\web\wallpaper\Idylla.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\Lenovo1280_800.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

CanonCW50PicturesOnArrival\
"Provider" = "Canon CameraWindow"
"InvokeProgID" = "Cw50.AutoplayHandler"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\Cw50.AutoplayHandler\shell\open\command\(Default) = "C:\Program Files\Canon\CameraWindow\CameraWindowMC\CameraLauncherMC.exe" [empty string]

CanonZB4PicturesOnArrival\
"Provider" = "ZoomBrowser EX"
"InvokeProgID" = "Zb.AutoplayHandler"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\Zb.AutoplayHandler\shell\open\command\(Default) = "C:\Program Files\Canon\ZoomBrowser EX\Program\ZoomBrowser.exe /AUTOPLAY ""%1"""" [empty string]

IviCDBurningOnArrival\
"Provider" = "@C:\Program Files\InterVideo\WCreator3\WCreator.exe,-57344"
"InvokeProgID" = "InterVideo WinDVD Creator .wcp"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\InterVideo WinDVD Creator .wcp\shell\open\command\(Default) = "C:\Program Files\InterVideo\WCreator3\WCreator.exe "%L"" ["InterVideo Inc."]

IviDVDEventHandler\
"Provider" = "InterVideo WinDVD"
"InvokeProgID" = "Ivi.MediaFile"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\Ivi.MediaFile\shell\play\command\(Default) = ""C:\Program Files\InterVideo\WinDVD\WinDVD.exe" %1" ["InterVideo Inc."]

IviVideoCameraArrival\
"Provider" = "@C:\Program Files\InterVideo\WCreator3\WCreator.exe,-57344"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = ""C:\Program Files\InterVideo\WCreator3\WCreator.exe" --capture"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
  -> {HKLM...CLSID} = "ShellExecute HW Event Handler"
                   \LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

IviVideoCDHandler\
"Provider" = "InterVideo WinDVD"
"InvokeProgID" = "Ivi.MediaFile"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\Ivi.MediaFile\shell\play\command\(Default) = ""C:\Program Files\InterVideo\WinDVD\WinDVD.exe" %1" ["InterVideo Inc."]

MSWPDShellNamespaceHandler\
"Provider" = "@%SystemRoot%\System32\WPDShextRes.dll,-501"
"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"
"InitCmdLine" = " "
  -> {HKLM...CLSID} = "WPDShextAutoplay"
                   \LocalServer32\(Default) = "C:\WINDOWS\system32\WPDShextAutoplay.exe" [MS]

Picasa2ImportPicturesOnArrival\
"Provider" = "Picasa3"
"InvokeProgID" = "picasa2.autoplay"
"InvokeVerb" = "import"
HKLM\SOFTWARE\Classes\picasa2.autoplay\shell\import\command\(Default) = "C:\Program Files\Google\Picasa3\Picasa3.exe "%1"" ["Google Inc."]

SonicSCAudioCDTask\
"Provider" = "Roxio RecordNow Audio"
"InvokeProgID" = "Sonic.SonicCentral"
"InvokeVerb" = "AudioCDTask"
HKLM\SOFTWARE\Classes\Sonic.SonicCentral\shell\AudioCDTask\Command\(Default) = ""C:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe" /Launch {EBD22732-1CC3-4CD7-9A45-B8D98DA0E784}" [null data]

SonicSCCopyCD\
"Provider" = "Roxio RecordNow Copy"
"InvokeProgID" = "Sonic.SonicCentral"
"InvokeVerb" = "ExactCopyJob"
HKLM\SOFTWARE\Classes\Sonic.SonicCentral\shell\ExactCopyJob\Command\(Default) = ""C:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe" /Launch {49B235A3-1C3E-4802-9B5C-BAFBE69A3C85}" [null data]

SonicSCCopyDisc\
"Provider" = "Roxio RecordNow Copy"
"InvokeProgID" = "Sonic.SonicCentral"
"InvokeVerb" = "ExactCopyJob"
HKLM\SOFTWARE\Classes\Sonic.SonicCentral\shell\ExactCopyJob\Command\(Default) = ""C:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe" /Launch {49B235A3-1C3E-4802-9B5C-BAFBE69A3C85}" [null data]

SonicSCDataProject\
"Provider" = "Roxio RecordNow Data"
"InvokeProgID" = "Sonic.SonicCentral"
"InvokeVerb" = "DataGuide"
HKLM\SOFTWARE\Classes\Sonic.SonicCentral\shell\DataGuide\Command\(Default) = ""C:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe" /Launch Data" [null data]

SonicSCDataTask\
"Provider" = "Roxio RecordNow Data"
"InvokeProgID" = "Sonic.SonicCentral"
"InvokeVerb" = "DataTask"
HKLM\SOFTWARE\Classes\Sonic.SonicCentral\shell\DataTask\Command\(Default) = ""C:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe" /Launch {0BAC5C34-DF45-4C0F-8D64-8E92DCCF007D}" [null data]


Startup items in "Administrator" & "All Users" startup folders:
---------------------------------------------------------------

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"BTTray" -> shortcut to: "C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe" ["Broadcom Corporation."]


Enabled Scheduled Tasks:
------------------------

"Przypomnienie o rejestracji 2" -> launches: "C:\WINDOWS\system32\OOBE\oobebaln.exe /sys /r /n:2" [MS]
"Sprawdź aktualizacje paska narzędzi Windows Live Toolbar" -> launches: "C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 21
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\webbrowser\
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}"
  -> {HKLM...CLSID} = "Windows Live Toolbar"
                   \InProcServer32\(Default) = "C:\Program Files\Windows Live Toolbar\msntb.dll" [MS]
"{A057A204-BACC-4D26-9990-79A187E2698E}"
  -> {HKLM...CLSID} = "AVG Security Toolbar"
                   \InProcServer32\(Default) = "C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL" ["[[[COMPANYNAME]]]----------------------------"]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" = (no title provided)
  -> {HKLM...CLSID} = "Windows Live Toolbar"
                   \InProcServer32\(Default) = "C:\Program Files\Windows Live Toolbar\msntb.dll" [MS]
"{A057A204-BACC-4D26-9990-79A187E2698E}" = (no title provided)
  -> {HKLM...CLSID} = "AVG Security Toolbar"
                   \InProcServer32\(Default) = "C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL" ["[[[COMPANYNAME]]]----------------------------"]

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Poszukaj"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{0045D4BC-5189-4B67-969C-83BB1906C421}\
"MenuText" = "ThinkVantage Password Manager..."
"CLSIDExtension" = "{0FE81B52-73FA-425F-8F06-3F32451AC73F}"
  -> {HKLM...CLSID} = "CPwmIEToolsMenuItem Object"
                   \InProcServer32\(Default) = "C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll" ["Lenovo Group Limited"]

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"
  -> {HKCU...CLSID} = "Java Plug-in"
                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
  -> {HKLM...CLSID} = "Java Plug-in 1.5.0_06"
                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]

{2670000A-7350-4F3C-8081-5663EE0C6C49}\
"ButtonText" = "Wyślij do programu OneNote"
"MenuText" = "Wyślij &do programu OneNote"
"CLSIDExtension" = "{48E73304-E1D6-4330-914C-F5F514E3486C}"
  -> {HKLM...CLSID} = "Send to OneNote from Internet Explorer button"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll" [MS]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AVG Free8 WatchDog, avg8wd, "C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe" ["AVG Technologies CZ, s.r.o."]
Bluetooth Service, btwdins, "C:\Program Files\Lenovo\Bluetooth Software\bin\btwdins.exe" ["Broadcom Corporation."]
Canon Camera Access Library 8, CCALib8, "C:\Program Files\Canon\CAL\CALMAIN.exe" ["Canon Inc."]
Diskeeper, Diskeeper, ""C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe"" ["Diskeeper Corporation"]
Fn+F5 Service, FNF5SVC, "C:\Program Files\LENOVO\HOTKEY\FNF5SVC.exe" ["Lenovo."]
Intel® PROSet/Wireless Event Log, EvtEng, "C:\Program Files\Intel\Wireless\Bin\EvtEng.exe" ["Intel Corporation"]
Intel® PROSet/Wireless Registry Service, RegSrvc, "C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe" ["Intel Corporation"]
Intel® PROSet/Wireless Service, S24EventMonitor, "C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe" ["Intel Corporation "]
IPS Core Service, IPSSVC, "C:\WINDOWS\system32\IPSSVC.EXE" ["Lenovo Group Limited"]
IviRegMgr, IviRegMgr, "C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe" ["InterVideo"]
Karta wydajności WMI, WmiApSrv, "C:\WINDOWS\system32\wbem\wmiapsrv.exe" [MS]
PMSveH, PMSveH, "C:\Program Files\Lenovo\PM Driver\PMSveH.exe" ["Lenovo"]
ProtexisLicensing, ProtexisLicensing, "C:\WINDOWS\system32\PSIService.exe" [null data]
SQL Server (MSSMLBIZ), MSSQL$MSSMLBIZ, ""c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ" [MS]
System Update, SUService, "c:\program files\lenovo\system update\suservice.exe" [null data]
ThinkVantage Registry Monitor Service, ThinkVantage Registry Monitor Service, ""C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe"" ["Lenovo Group Limited"]
TVT Backup Protection Service, TVT Backup Protection Service, ""C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe"" [null data]
TVT Backup Service, TVT Backup Service, ""C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe"" ["Lenovo Group Limited"]
TVT Scheduler, TVT Scheduler, ""c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe"" ["Lenovo Group Limited"]
Usługa udostępniania w sieci programu Windows Media Player, WMPNetworkSvc, ""C:\Program Files\Windows Media Player\WMPNetwk.exe"" [MS]


Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
hpzlnt05\Driver = "hpzlnt05.dll" ["HP"]
Port drukarki interfejsu Bluetooth\Driver = "bthcrp.dll" ["Broadcom Corporation."]
Send To Microsoft OneNote Monitor\Driver = "msonpmon.dll" [MS]


---------- (launch time: 2009-04-27 23:26:36)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
  took 71 seconds.

---------- (total run time: 107 seconds)
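Two indicators in this thread lend themselves to a quick triage script: the poster's observation of roughly 30 simultaneous SMTP connections from the PID shown as services.exe in netstat, and the Image File Execution Options section of the Silent Runners report, where dozens of security tools (HijackThis.exe among them, which matches the poster's note that it won't launch) have a Debugger value of "ntsd -d". A Debugger value makes Windows start that program instead of the named image, so the tool never runs; removing the value is the fix. The Python below is an added example written for this page, not code from the thread or from Silent Runners; the netstat excerpt is constructed (documentation IP ranges, made-up PIDs), the IFEO excerpt copies the shape of the report's lines, and the SMTP threshold is an assumption chosen for the example.

```python
"""Triage helpers for the two indicators in this thread: a burst of outbound
SMTP connections from a single PID (netstat) and Image File Execution Options
(IFEO) "Debugger" values pointed at security tools (Silent Runners output).
Added example for this page; the sample inputs below are constructed."""
import re
from collections import Counter, defaultdict

# Constructed `netstat -ano` excerpt in Windows XP layout: Proto, Local Address,
# Foreign Address, State, PID. Port 25 is SMTP; 192.0.2.0/24, 198.51.100.0/24
# and 203.0.113.0/24 are documentation ranges, not real mail servers.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:1034      203.0.113.5:25         SYN_SENT        728
  TCP    192.168.1.10:1035      198.51.100.22:25       ESTABLISHED     728
  TCP    192.168.1.10:1036      192.0.2.77:25          ESTABLISHED     728
  TCP    192.168.1.10:1037      203.0.113.9:25         SYN_SENT        728
  TCP    192.168.1.10:1040      198.51.100.40:80       ESTABLISHED     1820
  TCP    192.168.1.10:1041      192.0.2.10:25          ESTABLISHED     1992
  UDP    0.0.0.0:500            *:*                                    612
"""

# Constructed excerpt in the shape of the Silent Runners IFEO section quoted
# in the thread (which lists dozens of such entries, HijackThis.exe included).
SAMPLE_IFEO = r"""
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
<<!>> avp.exe\Debugger = "ntsd -d" [MS]
<<!>> ekrn.exe\Debugger = "ntsd -d" [MS]
<<!>> HijackThis.exe\Debugger = "ntsd -d" [MS]
<<!>> regedit.exe\Debugger = "ntsd -d" [MS]
"""

NETSTAT_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$")
IFEO_RE = re.compile(
    r'^<<!>>\s+(?P<image>[^\\]+)\\Debugger\s*=\s*"(?P<debugger>[^"]*)"')


def parse_netstat(text):
    """Return (proto, local, remote, state, pid) tuples for each socket row;
    header lines and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            rows.append((m["proto"], m["local"], m["remote"],
                         m["state"] or "", int(m["pid"])))
    return rows


def smtp_fanout(rows, threshold=3):
    """Map PID -> (connection count, sorted distinct hosts) for PIDs with at
    least `threshold` TCP connections to port 25. A workstation that is not a
    mail server normally has zero or one; the thread reports about 30 from one
    PID. The threshold is an assumption for this example, not a standard."""
    counts, hosts = Counter(), defaultdict(set)
    for proto, _local, remote, _state, pid in rows:
        host, _, port = remote.rpartition(":")
        if proto == "TCP" and port == "25":
            counts[pid] += 1
            hosts[pid].add(host)
    return {pid: (n, sorted(hosts[pid]))
            for pid, n in counts.items() if n >= threshold}


def ifeo_debugger_entries(text):
    """Return (image, debugger) pairs for every IFEO Debugger line flagged
    '<<!>>' in a Silent Runners report. Any Debugger value makes Windows start
    that program instead of the named image, so each one is a launch hijack
    unless an administrator deliberately set it."""
    return [(m["image"], m["debugger"])
            for m in map(IFEO_RE.match, text.splitlines()) if m]


if __name__ == "__main__":
    for pid, (n, dests) in smtp_fanout(parse_netstat(SAMPLE_NETSTAT)).items():
        print(f"PID {pid}: {n} SMTP connections to {len(dests)} hosts -> inspect this process")
    for image, dbg in ifeo_debugger_entries(SAMPLE_IFEO):
        print(f'IFEO hijack: {image} is launched via "{dbg}" -> delete the Debugger value')
```

On a live machine the netstat text would come from `netstat -ano` (the `-o` switch the poster used adds the PID column) and the IFEO lines from the Silent Runners report; the PID that netstat reports is the one to match against Task Manager, and the log's other `<<!>>` entries that point at files which do not exist (the SecurityProviders entry for digiwet.dll and the Winlogon Notify entry for crypts.dll) are the same kind of launch point and deserve the same scrutiny.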
bolekd (author) commented 27 April 2009

Quote: "Post a ComboFix log too."

It didn't go without a hard reset; in the meantime services.exe crashed and the 60-second countdown to a restart began (The system process c:\windows\system32\services.exe terminated unexpectedly with status code 1073741819; the system will shut down and restart). This has sometimes happened before as well, always after services.exe crashed and asked whether I want to send the error report to Windows or not.

ComboFix 09-04-27.02 - Administrator 2009-04-28 0:20.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.48.1045.18.2038.1471 [GMT 2:00]
Uruchomiony z: c:\documents and settings\Administrator\Pulpit\bolek\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Poprzednie uruchomienie -------
.
c:\windows\system32\setup.ini

.
((((((((((((((((((((((((((((((((((((((( Sterowniki/Usługi )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_cisvcmsdtc
-------\Service_CiSvcMSDTC


((((((((((((((((((((((((( Pliki utworzone od 2009-05-27 do 2009-4-27 )))))))))))))))))))))))))))))))
.

2009-04-27 21:28 . 2009-04-27 21:28 -------- d-----w c:\program files\Trend Micro
2009-04-27 19:04 . 2009-04-27 19:17 -------- d-----w c:\documents and settings\Administrator\Dane aplikacji\AVGTOOLBAR
2009-04-26 16:18 . 2009-04-27 20:26 -------- d--h--w C:\$AVG8.VAULT$
2009-04-26 16:15 . 2009-04-26 16:15 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-26 16:15 . 2009-04-26 16:15 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-26 16:14 . 2009-04-26 16:14 325640 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-26 16:14 . 2009-04-26 16:16 -------- d-----w c:\windows\system32\drivers\Avg
2009-04-26 16:14 . 2009-04-26 16:26 -------- d-----w c:\documents and settings\aleksandra\Dane aplikacji\AVGTOOLBAR
2009-04-26 16:14 . 2009-04-26 16:14 -------- d-----w c:\program files\AVG
2009-04-26 16:14 . 2009-04-26 16:14 -------- d-----w c:\documents and settings\All Users\Dane aplikacji\avg8
2009-04-26 14:38 . 2009-04-26 14:38 -------- d-----w c:\documents and settings\aleksandra\Dane aplikacji\Symantec
2009-04-26 12:33 . 2009-04-26 12:33 -------- d-----w c:\documents and settings\All Users\Dane aplikacji\Kaspersky Lab Setup Files
2009-04-26 11:22 . 2009-04-26 11:22 -------- d-----w c:\program files\ESET
2009-04-25 16:03 . 2009-04-25 17:05 -------- d-----w c:\program files\EsetOnlineScanner
2009-04-22 21:48 . 2009-04-27 22:22 111612 ----a-w c:\windows\system32\drivers\26429cd2.sys
2009-04-22 21:48 . 2009-04-25 17:11 32 --s-a-w c:\windows\system32\3170628135.dat
2009-04-21 11:28 . 2009-04-21 11:28 -------- d-----w c:\documents and settings\LocalService\Ustawienia lokalne\Dane aplikacji\Google
2009-04-21 11:28 . 2009-04-21 11:28 -------- d-----w c:\windows\system32\IOSUBSYS
2009-04-15 06:26 . 2005-07-26 04:36 60416 ------w c:\windows\system32\dllcache\colbact.dll
2009-04-15 06:26 . 2009-03-06 14:01 285696 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-15 06:26 . 2009-02-06 09:41 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 06:26 . 2009-02-09 10:03 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 06:26 . 2009-02-09 10:03 473088 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 06:26 . 2009-02-06 09:54 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-15 06:26 . 2009-02-09 09:55 111104 ------w c:\windows\system32\dllcache\services.exe
2009-04-15 06:26 . 2009-02-09 10:03 687104 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 06:26 . 2009-02-09 10:03 723456 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 06:26 . 2009-02-09 10:03 730624 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 06:25 . 2008-04-21 21:28 218112 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-12 12:24 . 2009-04-12 12:24 -------- d-----w c:\program files\EA GAMES

.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-26 21:00 . 2008-05-13 10:48 -------- d-----w c:\program files\Symantec
2009-04-26 21:00 . 2008-05-13 10:48 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-04-26 14:07 . 2008-05-13 10:19 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-26 11:35 . 2008-05-13 17:55 98384 ----a-w c:\windows\system32\perfc015.dat
2009-04-26 11:35 . 2008-05-13 17:55 508316 ----a-w c:\windows\system32\perfh015.dat
2009-04-21 11:28 . 2008-05-13 10:39 -------- d-----w c:\program files\Google
2009-03-25 15:01 . 2008-05-13 10:58 78344 ------w c:\documents and settings\Administrator\Ustawienia lokalne\Dane aplikacji\GDIPFONTCACHEV1.DAT
2009-03-16 22:05 . 2009-03-16 22:05 108144 ----a-w c:\windows\system32\CmdLineExt.dll
2009-03-16 21:47 . 2009-03-16 21:38 -------- d-----w c:\program files\2K Games
2009-03-16 20:23 . 2009-03-16 20:23 -------- d-----w c:\program files\Kolekcja Klasyki
2009-03-10 07:39 . 2009-03-10 07:39 -------- d-----w c:\program files\PITy
2009-03-06 14:01 . 2008-05-13 17:57 285696 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:10 . 2008-05-13 17:57 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 17:13 . 2008-05-13 17:56 78336 ------w c:\windows\system32\ieencode.dll
2009-02-09 13:56 . 2008-05-13 17:57 1847680 ----a-w c:\windows\system32\win32k.sys
2009-02-09 11:45 . 2008-05-13 17:57 2022400 ------w c:\windows\system32\ntkrnlpa.exe
2009-02-09 11:45 . 2008-05-13 17:57 2144256 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-09 10:03 . 2008-05-13 17:57 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 10:03 . 2008-05-13 17:57 723456 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 10:03 . 2008-05-13 17:56 730624 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 10:03 . 2008-05-13 17:56 687104 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 09:55 . 2008-05-13 17:57 111104 ----a-w c:\windows\system32\services.exe
2009-02-06 09:54 . 2008-05-13 17:57 35328 ------w c:\windows\system32\sc.exe
2009-02-03 20:11 . 2008-05-13 17:57 55808 ----a-w c:\windows\system32\secur32.dll
2008-09-01 19:37 . 2008-09-01 19:37 8 --sh--r c:\windows\system32\D7E2322BB5.sys
2008-09-01 19:37 . 2008-09-01 19:37 6266 --sh--w c:\windows\system32\KGyGaAvL.sys

.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PMHandler"="c:\progra~1\Lenovo\PMDRIV~1\PMHandler.exe" [2007-03-16 31840]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-05-19 774233]
"TPFNF7"="c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2007-04-09 58416]
"TPWAUDAP"="c:\program files\Lenovo\HOTKEY\TpWAudAp.exe" [2006-09-06 54824]
"AzMixerSel"="c:\program files\Realtek\Audio\InstallShield\AzMixerSel.exe" [2007-08-23 53248]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-03-23 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-03-23 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-23 138008]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2007-02-08 536576]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"FingerPrintSoftware"="c:\program files\Lenovo Fingerprint Software\fpapp.exe" [2007-05-31 946176]
"LPManager"="c:\progra~1\Lenovo\LENOVO~2\LPMGR.exe" [2007-04-26 120368]
"AwaySch"="c:\program files\Lenovo\AwayTask\AwaySch.EXE" [2006-11-07 91688]
"AMSG"="c:\program files\ThinkVantage\AMSG\Amsg.exe" [2007-02-01 439856]
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-05-18 196696]
"cssauth"="c:\program files\Lenovo\Client Security Solution\cssauth.exe" [2007-08-03 2630968]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-03-28 188416]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-26 1932568]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-08-10 16384000]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2006-08-30 89542]
"AdslTaskBar"="stmctrl.dll" - c:\windows\system32\stmctrl.dll [2006-06-02 151552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Menu Start\Programy\Autostart\
BTTray.lnk - c:\program files\Lenovo\Bluetooth Software\BTTray.exe [2006-11-13 561213]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ATFUS]
2007-05-31 11:57 155648 ----a-w c:\windows\system32\FpWinlogonNp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2006-12-14 02:06 28672 ----a-w c:\program files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-26 16:15 10520 ----a-w c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\a2service.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ArcaCheck.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\arcavir.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution 
options\ashDisp.exe]"Debugger"=ntsd -d[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ashEnhcd.exe]"Debugger"=ntsd -d[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ashServ.exe]"Debugger"=ntsd -d[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ashUpd.exe]"Debugger"=ntsd -d[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\aswUpdSv.exe]"Debugger"=ntsd -d[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avcls.exe]"Debugger"=ntsd -d[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avz.exe]"Debugger"=ntsd -d[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avz4.exe]"Debugger"=ntsd -d[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avz_se.exe]"Debugger"=ntsd -d[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdinit.exe]"Debugger"=ntsd -d[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\caav.exe]"Debugger"=ntsd -d[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\caavguiscan.exe]"Debugger"=ntsd -d[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\casecuritycenter.exe]"Debugger"=ntsd -d[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ccupdate.exe]"Debugger"=ntsd -d[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\cfp.exe]"Debugger"=ntsd -d[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\cfpupdat.exe]"Debugger"=ntsd -d[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution 
options\cmdagent.exe]"Debugger"=ntsd -d[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\DRWEB32.EXE]"Debugger"=ntsd -d[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\FAMEH32.EXE]"Debugger"=ntsd -d[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\FPAVServer.exe]"Debugger"=ntsd -d[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\fpscan.exe]"Debugger"=ntsd -d[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\FPWin.exe]"Debugger"=ntsd -d[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\fsav32.exe]"Debugger"=ntsd -d[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\fsgk32st.exe]"Debugger"=ntsd -d[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\FSMA32.EXE]"Debugger"=ntsd -d[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\guardxservice.exe]"Debugger"=ntsd -d[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\guardxup.exe]"Debugger"=ntsd -d[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\navigator.exe]"Debugger"=ntsd -d[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NAVSTUB.EXE]"Debugger"=ntsd -d[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Nvcc.exe]"Debugger"=ntsd -d[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\outpost.exe]"Debugger"=ntsd -d[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\preupd.exe]"Debugger"=ntsd -d[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution 
options\pskdr.exe]"Debugger"=ntsd -d[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\SfFnUp.exe]"Debugger"=ntsd -d[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Vba32arkit.exe]"Debugger"=ntsd -d[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\vba32ldr.exe]"Debugger"=ntsd -d[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Zanda.exe]"Debugger"=ntsd -d[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\zapro.exe]"Debugger"=ntsd -d[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Zlh.exe]"Debugger"=ntsd -d[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\zoneband.dll]"Debugger"=ntsd -d[HKEY_LOCAL_MACHINE\software\microsoft\security center]"UpdatesDisableNotify"=dword:00000001[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]"DisableMonitoring"=dword:00000001[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]"DisableMonitoring"=dword:00000001[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"%windir%\\system32\\sessmgr.exe"="c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="c:\\Program Files\\Great Game Products\\Bridge Baron 17 PLK\\Baron.exe"="c:\\WINDOWS\\system32\\dpnsvr.exe"="c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Railroads!\\RailRoads.exe"="c:\\Program Files\\AVG\\AVG8\\avgupd.exe"="c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=R2 Harmonogram automatycznej usługi LiveUpdate;Harmonogram automatycznej usługi LiveUpdate; [x]R3 FingerprintServer;Fingerprint Server;c:\windows\system32\FpLogonServ.exe [2007-06-22 106496]R3 TaurusUsb;ADSL Modem USB 
Service;c:\windows\system32\DRIVERS\torususb.sys [2006-07-05 683791]S1 avgldx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-04-26 325640]S1 avgtdix;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-04-26 108552]S1 PMHler;PMHler;c:\windows\system32\drivers\PMHler.sys [2006-05-24 10240]S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-26 298264]S2 FNF5SVC;Fn+F5 Service;c:\program files\LENOVO\HOTKEY\FNF5SVC.exe [2007-04-09 54832]S2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2006-04-14 28933976]S2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe [2007-02-08 569344]S3 Stmatm;ATM/ADSL miniport;c:\windows\system32\DRIVERS\stmatm.sys [2003-08-12 60255]S3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\DRIVERS\Tvti2c.sys [2007-05-22 30336].Zawartość folderu 'Zaplanowane zadania'2008-08-27 c:\windows\Tasks\Przypomnienie o rejestracji 2.job- c:\windows\system32\OOBE\oobebaln.exe [2008-05-13 21:00]2009-04-27 c:\windows\Tasks\Sprawdź aktualizacje paska narzędzi Windows Live Toolbar.job- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 13:54]..------- Skan uzupełniający -------.uStart Page = hxxp://lenovo.live.comIE: &windows live search - c:\program files\Windows Live Toolbar\msntb.dll/search.htmIE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200IE: e&ksportuj do programu microsoft excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000IE: Wyślij do urządzenia &Bluetooth... 
- c:\program files\Lenovo\Bluetooth Software\btsendto_ie_ctx.htmDPF: {0D9392CD-A784-4FCA-9342-0F75F7D7C8CB} - hxxp://www.cltnet.de/login/dplaunch.cabDPF: {92ECE6FA-AC2E-4042-BFAE-0C8608E52A43} - hxxps://www.bph.pl/pi/components/SignActivX.cab.**************************************************************************catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2009-04-28 00:22Windows 5.1.2600 Dodatek Service Pack 2 NTFSskanowanie ukrytych procesów ... skanowanie ukrytych wpisów autostartu ... skanowanie ukrytych plików ... skanowanie pomyślnie ukończoneukryte pliki: 0**************************************************************************.--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------- - - - - - - > 'winlogon.exe'(1576)c:\windows\system32\ATGinaHook.dllc:\program files\Lenovo Fingerprint Software\ATCSSINT.DLLc:\program files\Lenovo Fingerprint Software\SharedResources.dllc:\program files\Lenovo Fingerprint Software\FPResource.dllc:\program files\Lenovo\Client Security Solution\CSS_Enroll.dllc:\program files\Lenovo\Client Security Solution\css_banner.dllc:\windows\system32\cssuserdatadispatcher.dllc:\windows\system32\tvttsp.dllc:\windows\system32\tcsrpc.dllc:\windows\system32\FpWinLogonNp.dllc:\program files\Lenovo\HOTKEY\tphklock.dll- - - - - - - > 'explorer.exe'(3124)c:\windows\system32\btmmhook.dllc:\windows\system32\msi.dllc:\windows\system32\WPDShServiceObj.dllc:\windows\system32\PortableDeviceTypes.dllc:\windows\system32\PortableDeviceApi.dllc:\windows\system32\browselc.dllc:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dllc:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll.Czas ukończenia: 2009-04-27 0:22ComboFix-quarantined-files.txt 2009-04-27 22:22Przed: 95 356 928 000 bajtów wolnychPo: 95 357 050 880 bajtów wolnych289 --- E O F --- 2009-04-15 07:14
Guest, comment, 28 April 2009
Start>>>Run>>>regedit
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options]
Find this key and delete it. After deleting it, restart the computer. Then post a fresh ComboFix log.
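An added audit script, not from the thread, for the technique the reply above targets: the poster's ComboFix log listed dozens of antivirus executables under Image File Execution Options with "Debugger"=ntsd -d, which is consistent with Kaspersky and ESET refusing to start. It assumes PowerShell on the affected host run as Administrator; the function names and the backup file location are my own choices, and unlike the reply it removes only the Debugger values rather than the whole key.

```powershell
# Added example: audit IFEO "Debugger" entries and optionally remove the suspicious ones.
# Run as Administrator. Not part of the thread; names below are assumptions.

$ifeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

function Get-IfeoDebuggerEntries {
    foreach ($root in $ifeoRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            $dbg = (Get-ItemProperty -Path $key.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
            if ([string]::IsNullOrWhiteSpace($dbg)) { continue }

            # First token of the value is the debugger binary; honour quoted paths.
            if ($dbg -match '^\s*"([^"]+)"') { $exe = $Matches[1] } else { $exe = ($dbg -split '\s+')[0] }

            # "ntsd -d" attaches the target to a non-interactive debugger, so the tool
            # never starts normally. A debugger that cannot be resolved at all has the
            # same effect: the program silently fails to launch.
            $resolvable = (Get-Command $exe -ErrorAction SilentlyContinue) -or (Test-Path $exe)
            $suspicious = ($dbg -match '^\s*"?ntsd(\.exe)?"?\s+-d') -or (-not $resolvable)

            [pscustomobject]@{
                Image      = $key.PSChildName   # e.g. avz.exe, ashServ.exe
                Debugger   = $dbg
                Suspicious = $suspicious
                KeyPath    = $key.PSPath
            }
        }
    }
}

function Remove-SuspiciousIfeoDebuggers {
    param([string]$BackupFile = (Join-Path $env:TEMP ("ifeo-backup-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))))

    $entries = @(Get-IfeoDebuggerEntries | Where-Object { $_.Suspicious })
    if ($entries.Count -eq 0) { Write-Host 'No suspicious IFEO Debugger entries found.'; return }

    # Export the whole IFEO key first so a wrongly flagged entry can be restored.
    & reg.exe export 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options' $BackupFile | Out-Null

    foreach ($e in $entries) {
        # Remove only the Debugger value; other IFEO settings on the key are left alone.
        Remove-ItemProperty -Path $e.KeyPath -Name Debugger
        Write-Host ("Removed Debugger='{0}' for {1}" -f $e.Debugger, $e.Image)
    }
    Write-Host "Registry backup written to $BackupFile"
}

# Audit only; call Remove-SuspiciousIfeoDebuggers after reviewing the table.
Get-IfeoDebuggerEntries | Format-Table Image, Debugger, Suspicious -AutoSize
```

Legitimate Debugger values (for example one set by a developer tool) are listed but flagged only when the debugger cannot be found, so review the table before removing anything.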
bolekd (Author), comment, 28 April 2009
> Start>>>Run>>>regedit
> [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options]
> Find this key and delete it. After deleting it, restart the computer. Then post a fresh ComboFix log.
Done, here is the log; SMTP is still sending.
Guest, comment, 28 April 2009
The log is clean. Manually delete the folder C:\Qoobox and clean the computer with CCleaner. You will remove the copies of the "viruses" from the "System Volume Information" folder by temporarily turning off "System Restore": >Control Panel>System>System Restore>>tick the box next to "Turn off System Restore on all drives">Apply>OK. Afterwards you can return to the previous setting (i.e. untick the box). Use this program ---> Dr.WEB CureIt!.
bolekd (Author), comment, 28 April 2009
Thanks a lot! It looks like it helped... you are wizards. If that nasty thing comes back, I'll get in touch. The last trojan removed by Dr.Web was: 26429cd2.sys in c:\windows\system32\drivers, Trojan.NtRootKit.2779, and after that everything looks healthy.