mertruve, created 15 May 2009
Hello. My computer has probably picked up some nasty piece of software. When I click an icon on the desktop, e.g. C:\, D:\ and so on, the whole desktop disappears for a few seconds, only the bare wallpaper is left, and after a moment all the icons and the taskbar come back. In addition I cannot get into the registry: when I type regedit, everything also disappears for a few seconds. I did two scans, with HijackThis and Silent Runners.
"Silent Runners.vbs", revision 59, http://www.silentrunners.org/
Operating System: Windows XP SP2
And HijackThis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:08:07, on 2009-05-15
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
// I see you are new. // We paste logs inside tags. // djdresik
Gość (guest), comment 15 May 2009
I went through the logs very carefully and found nothing - clean. Please post the logs from >>> DSS (DSS.txt and Attach.txt).
mertruve, comment 15 May 2009 (author, edited)
Well, there is a problem: I downloaded both programs, dds.pif and dds.scr, and they don't seem to work. I double-click and only a black window flashes, but no report appears. I did one more HijackThis scan and it showed me something like this with a red X. I had already used "fix checked" on it earlier, but it came back.
O4 - HKCU\..\Run: [cdoosoft] C:\WINDOWS\system32\olhrwef.exe
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:20:54, on 2009-05-15
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
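Added example, not part of the thread: a small Python parser that diffs the O4 autostart entries between two HijackThis 2.x logs, which is what the poster did by eye to notice the new [cdoosoft] entry between the 17:08 and 21:20 scans. The two log excerpts are constructed from the O4 lines quoted in the thread, and name_mismatch_in_system32 is my own weak triage heuristic, not a HijackThis feature.

```python
"""Diff the O4 (autostart) entries between two HijackThis 2.x logs.

Constructed sample data: the two excerpts below contain only O4 lines (plus one
non-O4 line to show it is skipped) and copy the entries quoted in the thread.
"""
import re
from typing import Dict, List, NamedTuple, Tuple

# O4 - <hive>\..\<Run key>: [<value name>] <command> [(User '<account>')]
_O4_RUN = re.compile(
    r"^O4 - (?P<hive>\S+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] "
    r"(?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
# O4 - Startup: <shortcut>.lnk = <target>   (or "Global Startup:")
_O4_STARTUP = re.compile(r"^O4 - (?P<scope>Global )?Startup: (?P<name>.+?) = (?P<cmd>.+)$")
# First token of a command line that names an .exe, quoted or not
_EXE = re.compile(r'^"?(?P<exe>[^"]+?\.exe)"?', re.IGNORECASE)


class Autostart(NamedTuple):
    location: str  # e.g. HKCU\Run, HKUS\S-1-5-18\Run (SYSTEM), Startup folder
    name: str      # registry value name or shortcut name
    command: str   # command line or shortcut target


def parse_o4(log_text: str) -> Dict[Tuple[str, str], Autostart]:
    """Return the O4 entries keyed by (location, name) so two logs can be matched."""
    entries: Dict[Tuple[str, str], Autostart] = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = _O4_RUN.match(line)
        if m:
            location = f"{m['hive']}\\{m['key']}"
            if m["user"]:
                location += f" ({m['user']})"
            entry = Autostart(location, m["name"], m["cmd"])
        else:
            m = _O4_STARTUP.match(line)
            if not m:
                continue  # not an O4 line (R0, O2, O23, ...) or a header line
            scope = "Global Startup folder" if m["scope"] else "Startup folder"
            entry = Autostart(scope, m["name"], m["cmd"])
        entries[(entry.location, entry.name)] = entry
    return entries


def diff_o4(before: str, after: str):
    """Entries added, removed, or with a changed command between two scans."""
    b, a = parse_o4(before), parse_o4(after)
    added: List[Autostart] = sorted(a[k] for k in a.keys() - b.keys())
    removed: List[Autostart] = sorted(b[k] for k in b.keys() - a.keys())
    changed = sorted((b[k], a[k]) for k in a.keys() & b.keys() if a[k].command != b[k].command)
    return added, removed, changed


def name_mismatch_in_system32(entry: Autostart) -> bool:
    """Weak triage cue, not a verdict (my own heuristic): a Run value that launches
    something from system32 under a value name unrelated to the executable, as with
    [cdoosoft] -> olhrwef.exe. [CTFMON.EXE] -> ctfmon.exe passes. Anything flagged
    still needs the file itself examined (publisher, hash, creation time)."""
    m = _EXE.match(entry.command)
    if not m or "\\system32\\" not in m["exe"].lower():
        return False
    exe_stem = m["exe"].rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
    name_stem = entry.name.rsplit(".", 1)[0].lower()
    return exe_stem != name_stem


# Constructed excerpt of the first scan (17:08)
LOG_1708 = r"""
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - Startup: MutiKeyboard Driver.lnk = C:\Program Files\MultiKeyboard Driver\KbdDrv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""

# Constructed excerpt of the second scan (21:20): same, plus the red-X entry
LOG_2120 = r"""
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [cdoosoft] C:\WINDOWS\system32\olhrwef.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - Startup: MutiKeyboard Driver.lnk = C:\Program Files\MultiKeyboard Driver\KbdDrv.exe
"""

if __name__ == "__main__":
    added, removed, changed = diff_o4(LOG_1708, LOG_2120)
    for e in added:
        flag = "  <- name/exe mismatch in system32" if name_mismatch_in_system32(e) else ""
        print(f"NEW      {e.location}: [{e.name}] {e.command}{flag}")
    for e in removed:
        print(f"GONE     {e.location}: [{e.name}] {e.command}")
    for old, new in changed:
        print(f"CHANGED  {old.location}: [{old.name}] {old.command} -> {new.command}")
```

Diffing against a baseline log of the same machine is also how an entry that "comes back" after fix checked stands out: a Run value re-created between two scans means something still running is re-writing it.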
Gość (guest), comment 16 May 2009
O4 - HKCU\..\Run: [cdoosoft] C:\WINDOWS\system32\olhrwef.exe
An infection from a pen drive. Here a log from ---> ComboFix is needed (paste the log from it).
mertruve, comment 16 May 2009 (author, edited)
So then, I ran ComboFix. The first time, during the scan it removed several files from each of the partitions, among them I saw the one I mentioned in my previous post. During the scan a window appeared saying the system would be shut down in 1 minute and a countdown started. When it finished, the computer did not shut down, but ComboFix stopped scanning at stage 47. After 15 I restarted the computer and ran the scan again, and here are its results.
ComboFix 09-05-15.04 - Alienpl 2009-05-16 11:21.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.48.1045.18.1023.723 [GMT 2:00]
Uruchomiony z: e:\programy\ComboFix.exe
((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
---- Poprzednie uruchomienie -------
C:\Autorun.inf
c:\docume~1\ALIENP~1.DUR\USTAWI~1\fwgl.bmp
C:\icxpa.cmd
C:\j.cmd
C:\w.com
c:\windows\system32\nmdfgds0.dll
c:\windows\system32\nmdfgds1.dll
c:\windows\system32\olhrwef.exe
C:\ysep1.exe
D:\Autorun.inf
D:\icxpa.cmd
D:\j.cmd
D:\w.com
D:\ysep1.exe
E:\Autorun.inf
E:\icxpa.cmd
E:\j.cmd
E:\w.com
E:\ysep1.exe
S2 FF86F760F010F8C802D60CDE9E0AC52F;FF86F760F010F8C802D60CDE9E0AC52F;cmd /k start /i "/dC:" "c:\combofix\HIDEC.exe" "c:\combofix\SWREG.EXE" ACL "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_Beep" /RESET /Q --> cmd [?]
Czas ukończenia: 2009-05-16 11:24
I should add that I can now open the partitions normally, they open without any problem. I think this worm is still on my MP3 player; how could I remove it safely?
Gość (guest), comment 16 May 2009
The log is clean. 1. Clean up after ComboFix and the other tools >>> OTCleanIt. 2. Deal with the MP3 player: http://www.forumpc.pl/index.php?showtopic=99378&hl= And that's all.
mertruve, comment 16 May 2009 (author)
I cleaned the computer, restarted, and bang. Right after the system loaded, a red X with an error saying: Windows cannot find the file C:/ComboFix\HIDEC.exe. Make sure the name is typed correctly and try again. To search for the file, click Start and then click Search.
Mateusz J., comment 16 May 2009
Start => Run => cmd, type: sc stop FF86F760F010F8C802D60CDE9E0AC52F and press Enter; type: sc delete FF86F760F010F8C802D60CDE9E0AC52F and press Enter. Close the cmd window and that's it.