x-kom hosting

[solved] virus sends out mail over SMTP without asking

bolekd
posted (edited)

Hello

Request for help.

I'm trying to fix some friends' computer; it looks pretty heavily infected. Most of the viruses (including a few trojans) were removed by AVG or ESET's online scanner, but it looks like not all of them...

symptoms:

- after typing netstat /o in cmd I see a whole mass of SMTP connections (about 30 at once) to various external servers (screenshot attached)

- I'm guessing the computer is sending whole tons of spam on the orders of some virus...

- the servers are all different, including google, .gov, .edu, .org, bare IPs, .jp, .de, .pl - a whole mass of domains

- all of them run under the same PID, which Task Manager labels as services.exe - does this refer to one of the services running in the admin panel (Control Panel, Performance and Maintenance, Administrative Tools, Services)?

- I tried various antiviruses:

-- Kaspersky - after installation everything seems fine, but it doesn't start at all

-- ESET - crashes during installation exactly at the moment it tries to configure (start) the services... it says it could not start the service and suggests I may not have permission to do so (I'm installing from the 'administrator' account, so this is not a normal problem)

-- AVG - installed correctly, removed some of the viruses, but not all...

the computer already runs better, snappier etc., but those SMTP connections are still visible in netstat...

any advice?

system: Win XP Pro, SP2, up to date.

thanks a lot in advance

bolek

maybe a report from Silent Runners will help; HijackThis doesn't start after installing...


netstat.JPG

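The two symptoms in this post (a pile of outbound SMTP connections owned by one PID, and security tools that install but never start) can be triaged from the command output already gathered. The script below is an added example, not code from the original post: it counts port-25 connections per PID in `netstat -o` output and pulls Debugger entries under Image File Execution Options out of a Silent Runners report, the registry trick that makes Windows launch "ntsd -d" in place of a scanner. Both inputs are constructed samples; the image names are the three tools the post says will not start (avp.exe for Kaspersky, ekrn.exe for ESET, HijackThis.exe) plus regedit.exe and procexp.exe, and the IP addresses are documentation ranges.

```python
import re
from collections import Counter

# Constructed sample of Windows `netstat -o` output, shaped like the screenshot
# the post describes: many SMTP (port 25) connections owned by a single PID
# that Task Manager shows as services.exe. Addresses are documentation ranges.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.5:1034       192.0.2.27:25          SYN_SENT        752
  TCP    192.168.1.5:1035       198.51.100.14:25       ESTABLISHED     752
  TCP    192.168.1.5:1036       203.0.113.244:25       SYN_SENT        752
  TCP    192.168.1.5:1037       192.0.2.35:25          ESTABLISHED     752
  TCP    192.168.1.5:1041       192.168.1.1:445        ESTABLISHED     4
  TCP    192.168.1.5:1050       198.51.100.99:80       ESTABLISHED     1892
"""

# Constructed excerpt in Silent Runners format (the "<<!>>" marker is how that
# script flags suspicious data at a launch point).
SILENT_RUNNERS_SAMPLE = r"""
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
<<!>> avp.exe\Debugger = "ntsd -d" [MS]
<<!>> ekrn.exe\Debugger = "ntsd -d" [MS]
<<!>> HijackThis.exe\Debugger = "ntsd -d" [MS]
<<!>> procexp.exe\Debugger = "ntsd -d" [MS]
<<!>> regedit.exe\Debugger = "ntsd -d" [MS]
"""

# proto, local addr:port, foreign addr:port, state, pid
NETSTAT_RE = re.compile(
    r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")
# <<!>> image.exe\Debugger = "value" [...]
IFEO_RE = re.compile(
    r'^\s*<<!>>\s+(?P<image>[^\\]+)\\Debugger\s*=\s*"(?P<debugger>[^"]*)"')

# Product behind each image name, to tie a registry finding back to a symptom.
SECURITY_TOOLS = {
    "avp.exe": "Kaspersky",
    "ekrn.exe": "ESET kernel service",
    "HijackThis.exe": "HijackThis",
    "procexp.exe": "Process Explorer",
    "regedit.exe": "Registry Editor",
}


def smtp_connections_by_pid(netstat_text, smtp_port=25):
    """Count TCP connections to a remote SMTP port per owning PID."""
    counts = Counter()
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        remote_port, state, pid = int(m.group(4)), m.group(5), int(m.group(6))
        if remote_port == smtp_port and state in ("ESTABLISHED", "SYN_SENT"):
            counts[pid] += 1
    return dict(counts)


def suspicious_mailers(netstat_text, threshold=3):
    """PIDs holding at least `threshold` outbound SMTP connections. A desktop
    mail client holds one or two; dozens from one process (here services.exe,
    which never talks SMTP on its own) is the spam-bot pattern from the post."""
    return {pid: n for pid, n in smtp_connections_by_pid(netstat_text).items()
            if n >= threshold}


def ifeo_debugger_hijacks(report_text):
    """Map image name -> Debugger value for every flagged IFEO entry.
    Windows starts the Debugger value instead of the image, so pointing a
    scanner at "ntsd -d" means the scanner never appears; that matches
    'installs fine but does not start' and 'cannot start its service'."""
    hijacks = {}
    for line in report_text.splitlines():
        m = IFEO_RE.match(line)
        if m:
            hijacks[m.group("image")] = m.group("debugger")
    return hijacks


def explain_blocked_tools(report_text):
    """(image, product, debugger) for each hijack, sorted by image name."""
    return [(image, SECURITY_TOOLS.get(image, "unknown tool"), dbg)
            for image, dbg in sorted(ifeo_debugger_hijacks(report_text).items())]


if __name__ == "__main__":
    for pid, n in suspicious_mailers(NETSTAT_SAMPLE).items():
        print(f"PID {pid}: {n} outbound SMTP connections -> inspect this process")
    for image, product, dbg in explain_blocked_tools(SILENT_RUNNERS_SAMPLE):
        print(f"{image} ({product}) is redirected to {dbg!r}")
```

Each hijack is undone by deleting that image's Debugger value under Image File Execution Options; on a machine whose services.exe is still compromised, do it from Safe Mode or an offline environment and only then re-run the blocked scanners.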

Psycholandia
comment

Post a log from ComboFix too.

bolekd
comment
Post a log from ComboFix too.

it didn't go without a hard reset; in the meantime services.exe crashed and the 60-second countdown to a restart began (The system process c:\windows\system32\services.exe terminated unexpectedly with status code 1073741819; the system will shut down and restart.)

this also happened occasionally before, always after services.exe crashed and asked whether I want to send the error report to Windows or not.

-d[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ashUpd.exe]"Debugger"=ntsd -d[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\aswUpdSv.exe]"Debugger"=ntsd -d[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avcls.exe]"Debugger"=ntsd -d[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avz.exe]"Debugger"=ntsd -d[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avz4.exe]"Debugger"=ntsd -d[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avz_se.exe]"Debugger"=ntsd -d[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdinit.exe]"Debugger"=ntsd -d[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\caav.exe]"Debugger"=ntsd -d[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\caavguiscan.exe]"Debugger"=ntsd -d[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\casecuritycenter.exe]"Debugger"=ntsd -d[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ccupdate.exe]"Debugger"=ntsd -d[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\cfp.exe]"Debugger"=ntsd -d[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\cfpupdat.exe]"Debugger"=ntsd -d[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\cmdagent.exe]"Debugger"=ntsd -d[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\DRWEB32.EXE]"Debugger"=ntsd -d[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\FAMEH32.EXE]"Debugger"=ntsd 
-d[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\FPAVServer.exe]"Debugger"=ntsd -d[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\fpscan.exe]"Debugger"=ntsd -d[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\FPWin.exe]"Debugger"=ntsd -d[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\fsav32.exe]"Debugger"=ntsd -d[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\fsgk32st.exe]"Debugger"=ntsd -d[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\FSMA32.EXE]"Debugger"=ntsd -d[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\guardxservice.exe]"Debugger"=ntsd -d[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\guardxup.exe]"Debugger"=ntsd -d[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\navigator.exe]"Debugger"=ntsd -d[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NAVSTUB.EXE]"Debugger"=ntsd -d[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Nvcc.exe]"Debugger"=ntsd -d[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\outpost.exe]"Debugger"=ntsd -d[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\preupd.exe]"Debugger"=ntsd -d[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\pskdr.exe]"Debugger"=ntsd -d[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\SfFnUp.exe]"Debugger"=ntsd -d[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Vba32arkit.exe]"Debugger"=ntsd 
-d[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\vba32ldr.exe]"Debugger"=ntsd -d[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Zanda.exe]"Debugger"=ntsd -d[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\zapro.exe]"Debugger"=ntsd -d[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Zlh.exe]"Debugger"=ntsd -d[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\zoneband.dll]"Debugger"=ntsd -d[HKEY_LOCAL_MACHINE\software\microsoft\security center]"UpdatesDisableNotify"=dword:00000001[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]"DisableMonitoring"=dword:00000001[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]"DisableMonitoring"=dword:00000001[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"%windir%\\system32\\sessmgr.exe"="c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="c:\\Program Files\\Great Game Products\\Bridge Baron 17 PLK\\Baron.exe"="c:\\WINDOWS\\system32\\dpnsvr.exe"="c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Railroads!\\RailRoads.exe"="c:\\Program Files\\AVG\\AVG8\\avgupd.exe"="c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=R2 Harmonogram automatycznej usługi LiveUpdate;Harmonogram automatycznej usługi LiveUpdate; [x]R3 FingerprintServer;Fingerprint Server;c:\windows\system32\FpLogonServ.exe [2007-06-22 106496]R3 TaurusUsb;ADSL Modem USB Service;c:\windows\system32\DRIVERS\torususb.sys [2006-07-05 683791]S1 avgldx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-04-26 325640]S1 avgtdix;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-04-26 108552]S1 
PMHler;PMHler;c:\windows\system32\drivers\PMHler.sys [2006-05-24 10240]S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-26 298264]S2 FNF5SVC;Fn+F5 Service;c:\program files\LENOVO\HOTKEY\FNF5SVC.exe [2007-04-09 54832]S2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2006-04-14 28933976]S2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe [2007-02-08 569344]S3 Stmatm;ATM/ADSL miniport;c:\windows\system32\DRIVERS\stmatm.sys [2003-08-12 60255]S3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\DRIVERS\Tvti2c.sys [2007-05-22 30336].Zawartość folderu 'Zaplanowane zadania'2008-08-27 c:\windows\Tasks\Przypomnienie o rejestracji 2.job- c:\windows\system32\OOBE\oobebaln.exe [2008-05-13 21:00]2009-04-27 c:\windows\Tasks\Sprawdź aktualizacje paska narzędzi Windows Live Toolbar.job- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 13:54]..------- Skan uzupełniający -------.uStart Page = hxxp://lenovo.live.comIE: &windows live search - c:\program files\Windows Live Toolbar\msntb.dll/search.htmIE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200IE: e&ksportuj do programu microsoft excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000IE: Wyślij do urządzenia &Bluetooth... - c:\program files\Lenovo\Bluetooth Software\btsendto_ie_ctx.htmDPF: {0D9392CD-A784-4FCA-9342-0F75F7D7C8CB} - hxxp://www.cltnet.de/login/dplaunch.cabDPF: {92ECE6FA-AC2E-4042-BFAE-0C8608E52A43} - hxxps://www.bph.pl/pi/components/SignActivX.cab.**************************************************************************catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2009-04-28 00:22Windows 5.1.2600 Dodatek Service Pack 2 NTFSskanowanie ukrytych procesów ...  skanowanie ukrytych wpisów autostartu ... skanowanie ukrytych plików ...  
skanowanie pomyślnie ukończoneukryte pliki: 0**************************************************************************.--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------- - - - - - - > 'winlogon.exe'(1576)c:\windows\system32\ATGinaHook.dllc:\program files\Lenovo Fingerprint Software\ATCSSINT.DLLc:\program files\Lenovo Fingerprint Software\SharedResources.dllc:\program files\Lenovo Fingerprint Software\FPResource.dllc:\program files\Lenovo\Client Security Solution\CSS_Enroll.dllc:\program files\Lenovo\Client Security Solution\css_banner.dllc:\windows\system32\cssuserdatadispatcher.dllc:\windows\system32\tvttsp.dllc:\windows\system32\tcsrpc.dllc:\windows\system32\FpWinLogonNp.dllc:\program files\Lenovo\HOTKEY\tphklock.dll- - - - - - - > 'explorer.exe'(3124)c:\windows\system32\btmmhook.dllc:\windows\system32\msi.dllc:\windows\system32\WPDShServiceObj.dllc:\windows\system32\PortableDeviceTypes.dllc:\windows\system32\PortableDeviceApi.dllc:\windows\system32\browselc.dllc:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dllc:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll.Czas ukończenia: 2009-04-27  0:22ComboFix-quarantined-files.txt  2009-04-27 22:22Przed: 95 356 928 000 bajtów wolnychPo: 95 357 050 880 bajtów wolnych289	--- E O F ---	2009-04-15 07:14
Gość

Start>>>Run>>>regedit

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options]

Find this key and delete it. After deleting it, restart the computer.

Post a fresh ComboFix log.
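The key named in the reply above is Image File Execution Options (IFEO): a Debugger value under a per-program subkey makes Windows start that program under the named debugger instead of directly, and malware sets it to ntsd -d for dozens of antivirus executables so they never come up; a second sign on this machine is Security Center monitoring and update notifications switched off. Below is an added example, not ComboFix's code and not from the original post, that scans a REGEDIT4-style listing of the kind ComboFix prints for both signs and emits per-entry removal commands; the sample lines are constructed and the windbg.exe entry is a hypothetical benign one for contrast.

```python
"""Scan a REGEDIT4-style registry listing (as ComboFix prints it) for two
AV-killer signs: IFEO 'Debugger' hijacks and Security Center tampering.
Added example for this thread, not ComboFix's own code."""
import re
from dataclasses import dataclass

# Path component that marks an IFEO per-program subkey (compared lower-cased).
IFEO_MARKER = "\\image file execution options\\"
# XP SP2 Security Center values that silence or disable protection status when 1.
SECURITY_CENTER_FLAGS = {
    "disablemonitoring", "updatesdisablenotify", "antivirusdisablenotify",
    "firewalldisablenotify", "antivirusoverride", "firewalloverride",
}
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')

@dataclass
class IfeoHit:
    image: str     # program the subkey targets, e.g. ashDisp.exe
    debugger: str  # raw data of the Debugger value
    key: str       # full key path, used for the removal command

def iter_values(export_text):
    """Yield (key, value_name, value_data) per value line, tracking the
    enclosing [key] header the way REGEDIT4 output is laid out."""
    key = None
    for raw in export_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            yield key, m.group("name"), m.group("data").strip()

def find_ifeo_debuggers(export_text):
    """Every IFEO subkey that sets a Debugger value, benign or not."""
    hits = []
    for key, name, data in iter_values(export_text):
        idx = key.lower().find(IFEO_MARKER)
        if idx < 0 or name.lower() != "debugger":
            continue
        hits.append(IfeoHit(image=key[idx + len(IFEO_MARKER):],
                            debugger=data, key=key))
    return hits

def classify(hit):
    """'BLOCKED' for the ntsd -d trick (the target starts under the NT
    symbolic debugger and never runs normally); otherwise 'REVIEW', since a
    developer may legitimately register a debugger for one program."""
    parts = hit.debugger.strip('"').lower().split()
    if parts and parts[0] in ("ntsd", "ntsd.exe") and "-d" in parts[1:]:
        return "BLOCKED"
    return "REVIEW"

def find_security_center_tampering(export_text):
    """(key, value_name) pairs where a Security Center flag is set to 1."""
    return [(key, name) for key, name, data in iter_values(export_text)
            if "\\security center" in key.lower()
            and name.lower() in SECURITY_CENTER_FLAGS
            and data.lower() == "dword:00000001"]

def removal_commands(hits):
    """reg.exe commands removing only the hijacking Debugger values, so any
    legitimate IFEO entry stays in place."""
    return [f'reg delete "{h.key}" /v Debugger /f'
            for h in hits if classify(h) == "BLOCKED"]

# Constructed sample in the ComboFix layout; the windbg.exe line is a
# hypothetical benign developer setting included for contrast.
SAMPLE_EXPORT = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ashDisp.exe]
"Debugger"=ntsd -d
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avz.exe]
"Debugger"=ntsd -d
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\notepad.exe]
"Debugger"="C:\tools\windbg.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
"""

if __name__ == "__main__":
    hits = find_ifeo_debuggers(SAMPLE_EXPORT)
    for h in hits:
        print(f"{classify(h):8}{h.image:16}Debugger={h.debugger}")
    for key, name in find_security_center_tampering(SAMPLE_EXPORT):
        print(f"TAMPERED {name}=1 under [{key}]")
    print("\n".join(removal_commands(hits)))
```

Feeding it a real ComboFix log works the same way, since the "Wpisy startowe rejestru" section uses this REGEDIT4 layout; only the BLOCKED entries need removing, which is narrower than deleting the whole IFEO key.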

bolekd

Start>>>Run>>>regedit
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options]

Find this key and delete it. After deleting it, restart the computer.

Post a fresh ComboFix log.

Done, here is the log; SMTP is still sending

Gość

The log is clean.

Delete the folder C:\Qoobox manually.

Clean the computer with CCleaner.

You will remove the copies of the "viruses" from the "System Volume Information" folder by temporarily turning off "System Restore":

>Control Panel>System>System Restore>>tick the box next to "Turn off System Restore on all drives">Apply>OK.

Afterwards you can go back to the previous setting (i.e. untick the box).

Use this program ---> Dr.WEB CureIt!.

bolekd

Thanks a lot! Looks like it helped... you guys are wizards :)

If this nasty thing comes back, I'll be in touch.

The last trojan removed by DrWeb was:

26429cd2.sys c:\windows\system32\drivers Trojan.NtRootKit.2779

and after that everything looks healthy.

:):):)
