skibenz, created 25 May 2008

HijackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:47:27, on 2008-05-25
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
D:\Programy\Winamp\winampa.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Programy\Gadu-Gadu\gg.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\D-Link AirPlus\AirPlus.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: (no name) - {20E9C64D-F33C-4976-BAF8-4791A65BAA2F} - C:\WINDOWS\system32\vtUlJcaX.dll
O4 - HKLM\..\Run: [WinampAgent] D:\Programy\Winamp\winampa.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [skyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "D:\Programy\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: D-Link AirPlus.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: byxofgdb - byXOfgdb.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Amsosd - Eset - (no file)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 4270 bytes

ComboFix

ComboFix 08-05-24.1 - Administrator 2008-05-25 17:41:31.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.1477 [GMT 2:00]
Running from: C:\Documents and Settings\Administrator\Pulpit\ComboFix.exe
 * Created a new restore point
 * Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\autorun.inf
C:\copy.exe
C:\Program Files\Helper
C:\WINDOWS\autorun.inf
C:\WINDOWS\BM3324d557.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\svchost.exe
C:\WINDOWS\system32\btwhyoon.dll
C:\WINDOWS\system32\dwiuibbu.ini
C:\WINDOWS\system32\ftqbykdo.dll
C:\WINDOWS\system32\gcbcyurr.dll
C:\WINDOWS\system32\gsbgqpwwfw.sys
C:\WINDOWS\system32\jkejlafm.ini
C:\WINDOWS\system32\jtsxboqu.ini
C:\WINDOWS\system32\kanjshds.ini
C:\WINDOWS\system32\lhbyhngt.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\norsiilc.ini
C:\WINDOWS\system32\ppoldfxc.ini
C:\WINDOWS\system32\rggiojtx.ini
C:\WINDOWS\system32\rruycbcg.ini
C:\WINDOWS\system32\sxvvbxnh.dll
C:\WINDOWS\system32\XacJlUtv.ini
C:\WINDOWS\system32\XacJlUtv.ini2
C:\WINDOWS\system32\xtnwxqlo.dll
C:\WINDOWS\xcopy.exe
D:\Autorun.inf
D:\copy.exe
G:\copy.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_gsbgqpwwfw

((((((((((((((((((((((((( Files Created from 2008-04-25 to 2008-05-25 )))))))))))))))))))))))))))))))
.
2008-05-25 16:26 . 2008-05-25 16:27 <DIR> d-------- C:\Program Files\IrfanView
2008-05-25 15:49 . 2008-05-25 15:48 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys
2008-05-25 15:49 . 2008-05-25 15:48 298,104 --a------ C:\WINDOWS\system32\imon.dll
2008-05-25 15:49 . 2008-05-25 15:48 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys
2008-05-25 15:48 . 2008-05-25 16:41 <DIR> d-------- C:\Program Files\ESET
2008-05-25 15:38 . 2008-05-25 15:38 2,624 --a------ C:\WINDOWS\system32\uxnsrbqi.exe
2008-05-24 15:07 . 2008-05-24 15:07 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-24 14:53 . 2008-05-24 14:53 2,624 --a------ C:\WINDOWS\system32\tlibvuvt.exe
2008-05-23 14:47 . 2008-05-23 14:47 <DIR> d-------- C:\Program Files\Opera
2008-05-23 14:16 . 2008-05-23 14:16 2,624 --a------ C:\WINDOWS\system32\hlcxihbh.exe
2008-05-21 23:33 . 2008-05-21 23:33 <DIR> d-------- C:\Program Files\Real Alternative
2008-05-21 23:33 . 2008-05-21 23:33 <DIR> d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Media Player Classic
2008-05-21 23:29 . 2008-05-21 23:29 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\GRETECH
2008-05-21 23:29 . 2008-05-21 23:29 <DIR> d-------- C:\Documents and Settings\Administrator\Dane aplikacji\GRETECH
2008-05-21 23:25 . 2008-05-21 23:25 <DIR> d-------- C:\Documents and Settings\Administrator\Dane aplikacji\DivX
2008-05-21 23:24 . 2008-05-21 23:24 <DIR> d-------- C:\Program Files\Codec
2008-05-21 22:51 . 2008-05-21 22:51 <DIR> d-------- C:\Program Files\GRETECH
2008-05-21 22:40 . 2008-05-21 22:40 2,624 --a------ C:\WINDOWS\system32\lvgokhkr.exe
2008-05-20 22:47 . 2008-05-20 22:47 2,624 --a------ C:\WINDOWS\system32\kwkvfyri.exe
2008-05-20 22:41 . 2008-05-20 22:41 99,904 --a------ C:\WINDOWS\system32\ocvaoyej.dll
2008-05-20 15:44 . 2008-05-20 15:44 62,895 --a------ C:\FT_Splash.img
2008-05-20 15:38 . 2008-05-20 15:38 <DIR> d-------- C:\Program Files\Common Files\France Telecom
2008-05-19 22:43 . 2008-05-19 22:43 2,624 --a------ C:\WINDOWS\system32\dbppmwmm.exe
2008-05-18 21:04 . 2008-05-18 21:04 2,112 --a------ C:\WINDOWS\system32\gnxlkrne.exe
2008-05-18 20:58 . 2008-05-18 20:58 98,880 --a------ C:\WINDOWS\system32\mojyxkuv.dll
2008-05-18 20:54 . 2008-05-18 20:54 3,648 --a------ C:\WINDOWS\system32\bvaurnmx.dll
2008-05-16 18:19 . 2008-05-16 18:19 <DIR> d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Ubisoft
2008-05-16 18:17 . 2008-05-16 18:17 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Ubisoft
2008-05-16 18:01 . 2008-05-16 18:01 <DIR> d-------- C:\Documents and Settings\Administrator\Dane aplikacji\InstallShield
2008-05-14 16:12 . 2008-05-14 16:12 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-05-14 15:38 . 2008-05-14 15:38 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment
2008-05-13 20:34 . 2008-05-13 20:34 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-05-13 20:34 . 2008-05-13 20:34 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Macrovision
2008-05-13 15:13 . 2008-05-13 15:13 0 --a------ C:\WINDOWS\ativpsrm.bin
2008-05-12 22:08 . 2008-05-12 22:08 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\FLEXnet
2008-05-12 21:55 . 2008-05-12 21:55 <DIR> d-------- C:\Program Files\Bonjour
2008-05-12 21:50 . 2008-05-12 21:50 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-05-12 21:10 . 2008-05-12 21:10 <DIR> d-------- C:\ATI
2008-05-12 20:59 . 2008-05-12 20:59 940,794 --a------ C:\WINDOWS\system32\LoopyMusic.wav
2008-05-12 20:59 . 2008-05-12 20:59 146,650 --a------ C:\WINDOWS\system32\BuzzingBee.wav
2008-05-12 20:55 . 2005-05-03 04:43 69,632 -r------- C:\WINDOWS\Alcmtr.exe
2008-05-12 20:45 . 2008-05-12 20:45 <DIR> d-------- C:\WINDOWS\system32\Lang
2008-05-12 20:39 . 2001-07-05 18:19 164 --------- C:\WINDOWS\avrack.ini
2008-05-12 20:28 . 2008-05-12 20:28 <DIR> d-------- C:\Documents and Settings\LocalService\Menu Start
2008-05-12 20:10 . 2008-05-12 20:10 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-05-12 20:09 . 2004-11-18 10:42 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-05-12 20:09 . 2004-07-17 11:40 19,528 --a------ C:\WINDOWS\002302_.tmp
2008-05-12 20:08 . 2008-05-12 20:11 <DIR> d-------- C:\WINDOWS\EHome
2008-05-12 20:05 . 2008-05-13 20:34 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-05-11 22:11 . 2008-05-11 22:11 <DIR> d-------- C:\Program Files\Realtek AC97
2008-05-11 21:45 . 2008-05-11 21:45 1,231 --a------ C:\WINDOWS\mozver.dat
2008-05-11 20:47 . 2008-05-11 20:47 <DIR> d-------- C:\Documents and Settings\Administrator\Dane aplikacji\HP
2008-05-11 20:45 . 2008-05-11 20:45 <DIR> d-------- C:\Program Files\Common Files\Sonic Shared
2008-05-11 20:45 . 2008-05-11 20:45 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Sonic
2008-05-11 20:44 . 2008-05-11 20:45 <DIR> d-------- C:\Program Files\Common Files\HP
2008-05-11 20:43 . 2008-05-11 20:43 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-05-11 20:42 . 2006-01-04 11:12 77,824 -ra------ C:\WINDOWS\system32\HPZIDS01.dll
2008-05-11 20:42 . 2006-04-13 02:04 49,664 -ra------ C:\WINDOWS\system32\drivers\HPZid412.sys
2008-05-11 20:42 . 2006-04-10 14:03 38,400 --a------ C:\WINDOWS\system32\hpz3l054.dll
2008-05-11 20:42 . 2006-04-13 02:04 16,496 -ra------ C:\WINDOWS\system32\drivers\HPZipr12.sys
2008-05-11 20:42 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-05-11 20:41 . 1998-10-29 16:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
2008-05-11 20:41 . 2006-03-03 21:03 282,680 --a------ C:\WINDOWS\system32\HPZidr12.dll
2008-05-11 20:41 . 2006-03-03 21:02 204,800 --a------ C:\WINDOWS\system32\HPZipr12.dll
2008-05-11 20:41 . 2006-03-03 21:02 94,208 --a------ C:\WINDOWS\system32\HPZipt12.dll
2008-05-11 20:41 . 2006-03-03 21:03 69,632 --a------ C:\WINDOWS\system32\HPZipm12.exe
2008-05-11 20:41 . 2006-03-03 21:03 65,536 --a------ C:\WINDOWS\system32\HPZinw12.exe
2008-05-11 20:41 . 2006-03-03 21:02 57,344 --a------ C:\WINDOWS\system32\HPZisn12.dll
2008-05-11 20:39 . 2008-05-11 20:39 <DIR> d-------- C:\Program Files\HP
2008-05-11 20:39 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-05-11 20:38 . 2008-05-11 20:50 120,003 --a------ C:\WINDOWS\hpoins11.dat
2008-05-11 20:38 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-05-11 18:58 . 2008-05-11 18:58 <DIR> d-------- C:\Documents and Settings\Administrator\Gadu-Gadu
2008-05-11 18:58 . 2008-05-11 18:58 <DIR> d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Gadu-Gadu
2008-05-11 18:54 . 2008-05-12 20:47 169 --a------ C:\WINDOWS\RtlRack.ini
2008-05-11 18:40 . 2008-05-11 18:40 <DIR> d-------- C:\Program Files\Realtek Sound Manager
2008-05-11 18:40 . 2008-05-12 20:40 <DIR> d-------- C:\Program Files\AvRack
2008-05-11 18:40 . 2004-11-17 10:11 9,319,936 --------- C:\WINDOWS\system32\RTLCPL.exe
2008-05-11 18:40 . 2008-01-24 16:36 4,127,488 -ra------ C:\WINDOWS\system32\drivers\alcxwdm.sys
2008-05-11 18:40 . 2004-11-05 10:29 208,896 --------- C:\WINDOWS\alcupd.exe
2008-05-11 18:40 . 2002-02-05 07:54 141,016 --------- C:\WINDOWS\system32\alsndmgr.wav
2008-05-11 18:40 . 2004-09-01 14:04 139,264 --------- C:\WINDOWS\alcrmv.exe
2008-05-11 18:33 . 2004-08-04 00:44 77,312 --a------ C:\WINDOWS\system32\usbui.dll
2008-05-11 18:33 . 2004-08-04 00:35 58,624 --a------ C:\WINDOWS\system32\drivers\redbook.sys
2008-05-11 18:33 . 2001-08-17 22:46 6,400 --a------ C:\WINDOWS\system32\drivers\enum1394.sys
2008-05-11 18:33 . 2001-08-17 22:59 3,072 --a------ C:\WINDOWS\system32\drivers\audstub.sys
2008-05-11 18:32 . 2008-05-11 18:32 <DIR> dr-h----- C:\Documents and Settings\Default User\Ustawienia lokalne
2008-05-11 18:32 . 2008-05-11 18:32 <DIR> d-------- C:\Documents and Settings\Default User\Ulubione
2008-05-11 18:32 . 2008-05-11 17:37 <DIR> d--h----- C:\Documents and Settings\Default User\Szablony
2008-05-11 18:32 . 2008-05-11 18:32 <DIR> d-------- C:\Documents and Settings\Default User\Pulpit
2008-05-11 18:32 . 2008-05-11 18:32 <DIR> d-------- C:\Documents and Settings\Default User\Moje dokumenty
2008-05-11 18:32 . 2008-05-11 18:32 <DIR> dr------- C:\Documents and Settings\Default User\Menu Start
2008-05-11 18:32 . 2008-05-11 18:32 <DIR> d-------- C:\Documents and Settings\All Users\Ulubione
2008-05-11 18:32 . 2008-05-11 18:32 <DIR> d--h----- C:\Documents and Settings\All Users\Szablony
2008-05-11 18:32 . 2008-05-25 16:13 <DIR> d-------- C:\Documents and Settings\All Users\Pulpit
2008-05-11 18:32 . 2008-05-12 20:11 <DIR> dr------- C:\Documents and Settings\All Users\Menu Start
2008-05-11 18:32 . 2008-05-12 21:56 <DIR> dr------- C:\Documents and Settings\All Users\Dokumenty
2008-05-11 18:31 . 2008-05-12 20:55 <DIR> d-------- C:\WINDOWS\system32\RTCOM
2008-05-11 18:31 . 2008-05-12 20:55 <DIR> d-------- C:\Program Files\Realtek
2008-05-11 18:31 . 2008-05-11 18:32 <DIR> dr-h----- C:\Documents and Settings\Default User\Dane aplikacji
2008-05-11 18:31 . 2008-05-16 18:17 <DIR> dr-h----- C:\Documents and Settings\All Users\Dane aplikacji
2008-05-11 18:30 . 2008-05-11 18:30 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-05-11 18:30 . 2008-05-11 18:30 <DIR> d-------- C:\Program Files\DIFX
2008-05-11 18:30 . 2006-06-18 23:51 43,520 --a------ C:\WINDOWS\system32\drivers\AmdK8.sys
2008-05-11 18:26 . 2008-05-11 18:26 0 --a------ C:\WINDOWS\nsreg.dat
2008-05-11 18:25 . 2008-05-11 18:25 <DIR> d-------- C:\Program Files\Winamp
2008-05-11 18:21 . 2008-05-11 18:21 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
2008-05-11 18:05 . 2008-05-11 18:05 <DIR> d-------- C:\Program Files\D-Link AirPlus
2008-05-11 18:02 . 2008-05-11 18:02 <DIR> d-------- C:\Program Files\Common Files\ATI Technologies
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-19 14:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-11 16:29 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-05-11 15:59 --------- d-----w C:\Program Files\ATI Technologies
2008-05-11 15:40 --------- d-----w C:\Program Files\microsoft frontpage
2008-05-11 15:37 --------- d-----w C:\Program Files\Usługi online
2008-03-29 06:21 2,873,856 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
2008-03-29 03:18 49,152 ----a-w C:\WINDOWS\system32\drivers\ati2erec.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{20E9C64D-F33C-4976-BAF8-4791A65BAA2F}]
2006-01-01 23:27 275968 --a------ C:\WINDOWS\system32\vtUlJcaX.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44 15360]
"Gadu-Gadu"="D:\Programy\Gadu-Gadu\gg.exe" [2008-03-20 12:04 2127296]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 00:44 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinampAgent"="D:\Programy\Winamp\winampa.exe" [2007-05-15 00:22 35328]
"RTHDCPL"="RTHDCPL.EXE" [2006-10-30 05:49 16269312 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 04:04 2879488 C:\WINDOWS\SkyTel.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 02:41 8523776]
"nwiz"="nwiz.exe" [2006-10-31 08:35 1622016 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 02:41 81920]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-05-25 15:48 949376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:44 15360]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-05-13 20:34:30 113664]
D-Link AirPlus.lnk - C:\Program Files\D-Link AirPlus\AirPlus.exe [2008-05-11 18:05:13 262144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxofgdb]
byXOfgdb.dll 2006-01-01 23:22 37376 C:\WINDOWS\system32\byXOfgdb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm
"msacm.divxa32"= msaud32_divx.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^HP Photosmart Premier - Szybkie uruchomienie.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\HP Photosmart Premier - Szybkie uruchomienie.lnk
backup=C:\WINDOWS\pss\HP Photosmart Premier - Szybkie uruchomienie.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"D:\\Gry\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx9.exe"=
"D:\\Gry\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx10.exe"=
"D:\\Gry\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Launcher.exe"=

S3 EverestDriver;Lavalys EVEREST Kernel Driver;D:\Programy\Lavalys\EVEREST Home Edition\kerneld.wnt [2005-08-18 00:00]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-25 17:45:01
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp\English.bin 21914 bytes
C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp\SimChin.bin 16408 bytes

scan completed successfully
hidden files: 2

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EverestDriver]
"ImagePath"="\??\D:\Programy\Lavalys\EVEREST Home Edition\kerneld.wnt"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\Program Files\Eset\pr_imon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-05-25 17:46:44 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-25 15:46:27

Pre-Run: 10,532,675,584 bajtów wolnych
Post-Run: 11,228,823,552 bajtów wolnych

SilentRunners

"Silent Runners.vbs", revision 58, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"Gadu-Gadu" = ""D:\Programy\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu S.A."]
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"WinampAgent" = "D:\Programy\Winamp\winampa.exe" [null data]
"RTHDCPL" = "RTHDCPL.EXE" ["Realtek Semiconductor Corp."]
"SkyTel" = "SkyTel.EXE" ["Realtek Semiconductor Corp."]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"nod32kui" = ""C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE" ["Eset "]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{20E9C64D-F33C-4976-BAF8-4791A65BAA2F}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\vtUlJcaX.dll" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
                   \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
                   \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
  -> {HKLM...CLSID} = "DesktopContext Class"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
  -> {HKLM...CLSID} = "NVIDIA CPL Extension"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
  -> {HKLM...CLSID} = "Desktop Explorer"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
  -> {HKLM...CLSID} = "nView Desktop Context Menu"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{0561EC90-CE54-4f0c-9C55-E226110A740C}" = "Haali Column Provider"
  -> {HKLM...CLSID} = "Haali Column Provider"
                   \InProcServer32\(Default) = "C:\Program Files\Codec\Haali\mmfinfo.dll" [null data]
"{5574006C-28F5-4a65-A28C-74DE6BFBE0BB}" = "Haali Matroska Shell Property Page"
  -> {HKLM...CLSID} = "Haali Matroska Shell Property Page"
                   \InProcServer32\(Default) = "C:\Program Files\Codec\Haali\mmfinfo.dll" [null data]
"{327669A0-59A7-4be9-B99E-1C9F3A57611A}" = "Haali Matroska Thumbnail Extractor"
  -> {HKLM...CLSID} = "Haali Matroska Thumbnail Extractor"
                   \InProcServer32\(Default) = "C:\Program Files\Codec\Haali\mmfinfo.dll" [null data]
"{B089FE88-FB52-11D3-BDF1-0050DA34150D}" = "NOD32 Context Menu Shell Extension"
  -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
<<!>> byxofgdb\DLLName = "byXOfgdb.dll" [file not found]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{0561ec90-ce54-4f0c-9c55-e226110a740c}\(Default) = "Haali Column Provider"
  -> {HKLM...CLSID} = "Haali Column Provider"
                   \InProcServer32\(Default) = "C:\Program Files\Codec\Haali\mmfinfo.dll" [null data]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"
  -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"
  -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideLogoffScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"RunLogonScriptSync" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"RunStartupScriptSync" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideStartupScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

"DisableRegistryTools" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideLogoffScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"RunLogonScriptSync" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"RunStartupScriptSync" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideStartupScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

BridgeCS3ImportMediaOnArrival\
"Provider" = "Adobe Bridge CS3"
"InvokeProgID" = "Adobe.adobebridge"
"InvokeVerb" = "launch"
HKLM\SOFTWARE\Classes\Adobe.adobebridge\shell\launch\command\(Default) = "D:\Programy\Adobe Bridge CS3\bridgeproxy.exe -v %1" ["Adobe Systems, Inc."]

gomplaydvdonarrival\
"Provider" = "GOM Player"
"InvokeProgID" = "GomPlayer.DVD"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\GomPlayer.DVD\shell\open\command\(Default) = ""D:\Programy\GRETECH\GomPlayer\GOM.exe" /open "%1"" ["Gretech Corp."]

gomplaymediaonarrival\
"Provider" = "GOM Player"
"InvokeProgID" = "GomPlayer.MediaFile"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\GomPlayer.MediaFile\shell\open\command\(Default) = ""D:\Programy\GRETECH\GomPlayer\GOM.exe" /open "%1"" ["Gretech Corp."]
HKLM\SOFTWARE\Classes\GomPlayer.MediaFile\shell\open\droptarget\CLSID = "{D0F0AD6B-ECCC-401E-8E71-C4363D41399C}"
  -> {HKLM...CLSID} = (no title provided)
                   \LocalServer32\(Default) = "D:\Programy\GRETECH\GOMPLA~1\GOM.exe" ["Gretech Corp."]

WinampMTPHandler\
"Provider" = "Winamp"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = "D:\Programy\Winamp\winamp.exe"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
  -> {HKLM...CLSID} = "ShellExecute HW Event Handler"
                   \LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

Startup items in "Administrator" & "All Users" startup folders:
---------------------------------------------------------------

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"D-Link AirPlus" -> shortcut to: "C:\Program Files\D-Link AirPlus\AirPlus.exe" ["D-Link"]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "C:\Program Files\Bonjour\mdnsNSP.dll" ["Apple Computer, Inc."]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\WINDOWS\system32\imon.dll ["Eset "], 01 - 05, 21
%SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 11 - 20
%SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10

Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##, Bonjour Service, ""C:\Program Files\Bonjour\mDNSResponder.exe"" ["Apple Computer, Inc."]
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
NOD32 Kernel Service, NOD32krn, ""C:\Program Files\Eset\nod32krn.exe"" ["Eset "]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
Pml Driver HPZ12, Pml Driver HPZ12, "C:\WINDOWS\System32\HPZipm12.exe" ["HP"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]

Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
HP Standard TCP/IP Port\Driver = "HpTcpMon.dll" ["Hewlett Packard"]
PCL hpz3l054\Driver = "hpz3l054.dll" ["Hewlett-Packard Company"]

---------- (launch time: 2008-05-25 17:47:42)

<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
  DLL launch points, use the -supp parameter or answer "No" at the
  first message box and "Yes" at the second message box.

---------- (total run time: 26 seconds, including 7 seconds for message boxes)
Mateusz J. comment 25 May 2008

Paste into Notepad:

File::
C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp\English.bin
C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp\SimChin.bin
C:\WINDOWS\system32\uxnsrbqi.exe
C:\WINDOWS\system32\tlibvuvt.exe
C:\WINDOWS\system32\hlcxihbh.exe
C:\WINDOWS\system32\lvgokhkr.exe
C:\WINDOWS\system32\kwkvfyri.exe
C:\WINDOWS\system32\ocvaoyej.dll
C:\WINDOWS\system32\dbppmwmm.exe
C:\WINDOWS\system32\gnxlkrne.exe
C:\WINDOWS\system32\mojyxkuv.dll
C:\WINDOWS\system32\bvaurnmx.dll
C:\WINDOWS\system32\vtUlJcaX.dll
C:\WINDOWS\system32\byXOfgdb.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{20E9C64D-F33C-4976-BAF8-4791A65BAA2F}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxofgdb]

In Notepad go to File ==> Save As ==> save it under the name CFScript.txt, in the same folder where ComboFix was downloaded and saved. Boot into Safe Mode. Drag the CFScript.txt you made onto the ComboFix icon, as in the picture:

The removal will start and a log will be created, which you then post on the forum.

O2 - BHO: (no name) - {20E9C64D-F33C-4976-BAF8-4791A65BAA2F} - C:\WINDOWS\system32\vtUlJcaX.dll
O20 - Winlogon Notify: byxofgdb - byXOfgdb.dll (file missing)
O23 - Service: Amsosd - Eset - (no file)

Fix in HJT
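The triage logic behind the reply above, as an added example that is not part of this thread and not code from HijackThis or ComboFix: a small Python script that parses HijackThis O2/O20/O23 lines, flags the three patterns the reply acted on (a nameless BHO whose DLL has a gibberish eight-letter name, a Winlogon Notify key whose DLL is missing, and a service with no backing file) and drafts the File:: and Registry:: sections of a CFScript from the hits. The sample lines are constructed to mirror the log formats in this thread, the line regexes and the "gibberish name" heuristic are my own assumptions, and orphaned O23 services are left out of the script on purpose, because the reply fixes those in HijackThis instead.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines in the formats HijackThis prints (assumed from the logs in
# this thread, not copied from a live scan); the O4 and ATI lines are benign controls.
SAMPLE_HJT = r"""
O2 - BHO: (no name) - {20E9C64D-F33C-4976-BAF8-4791A65BAA2F} - C:\WINDOWS\system32\vtUlJcaX.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O20 - Winlogon Notify: byxofgdb - byXOfgdb.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Amsosd - Eset - (no file)
""".strip()

# Line layouts assumed from the HijackThis 2.0.2 output quoted in this thread.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<dll>.+?)(?P<missing> \(file missing\))?$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")

# ComboFix's abbreviated key spellings, copied from the reply above.
BHO_KEY = "HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\"
NOTIFY_KEY = "HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\winlogon\\notify\\"

VOWELS = set("aeiou")


def looks_random(stem: str) -> bool:
    """Heuristic (my assumption, not a rule from the thread) for the eight-letter dropper
    names seen here, such as vtUlJcaX or byXOfgdb: exactly eight letters and either few
    vowels or capitals scattered mid-word. A prompt to inspect the file, not proof."""
    if len(stem) != 8 or not stem.isalpha():
        return False
    vowel_ratio = sum(c.lower() in VOWELS for c in stem) / len(stem)
    mixed_case = any(c.isupper() for c in stem[1:]) and any(c.islower() for c in stem)
    return vowel_ratio <= 0.25 or mixed_case


@dataclass
class Finding:
    section: str                          # "O2", "O20" or "O23"
    reason: str
    line: str
    file_path: Optional[str] = None       # goes into the CFScript File:: section
    registry_key: Optional[str] = None    # goes into the CFScript Registry:: section


def triage(log_text: str) -> List[Finding]:
    """Flag the launch points the reply chose to remove: a nameless BHO with a gibberish
    file name, a Winlogon Notify key whose DLL is gone, and a service with no file."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            stem = m["path"].rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if m["name"] == "(no name)" or looks_random(stem):
                findings.append(Finding("O2", "nameless BHO with gibberish file name", line,
                                        file_path=m["path"], registry_key=BHO_KEY + m["clsid"]))
            continue
        m = O20_RE.match(line)
        if m:
            if m["missing"]:
                findings.append(Finding("O20", "Winlogon Notify key whose DLL is missing", line,
                                        registry_key=NOTIFY_KEY + m["key"]))
            continue
        m = O23_RE.match(line)
        if m and m["path"].strip() == "(no file)":
            findings.append(Finding("O23", "service with no backing file (fix in HijackThis)", line))
    return findings


def draft_cfscript(findings: List[Finding]) -> str:
    """Render File:: and Registry:: sections in the layout the reply above uses.
    O23 orphans carry no path or key, so they stay out of the script, as in the thread."""
    files = [f.file_path for f in findings if f.file_path]
    keys = [f.registry_key for f in findings if f.registry_key]
    sections = []
    if files:
        sections.append("File::\n" + "\n".join(files))
    if keys:
        sections.append("Registry::\n" + "\n".join("[-" + k + "]" for k in keys))
    return "\n\n".join(sections) + "\n"


if __name__ == "__main__":
    hits = triage(SAMPLE_HJT)
    for h in hits:
        print(f"{h.section}: {h.reason}\n    {h.line}")
    print("\n--- draft CFScript.txt ---\n" + draft_cfscript(hits))
```

Run it against a saved HijackThis log by passing the file's text to triage(). Treat the draft as a starting point only: check each flagged file (signer, hash, a second opinion) before handing the script to ComboFix, since the name heuristic will also catch the occasional legitimate driver helper with an ugly name, and a DLL that still exists on disk should be submitted to the forum rather than deleted blind.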
skibenz (author) comment 25 May 2008

New log:

ComboFix 08-05-24.1 - Administrator 2008-05-25 18:12:57.2 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.1723 [GMT 2:00]
Running from: C:\Documents and Settings\Administrator\Pulpit\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Pulpit\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp\English.bin
C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp\SimChin.bin
C:\WINDOWS\system32\bvaurnmx.dll
C:\WINDOWS\system32\byXOfgdb.dll
C:\WINDOWS\system32\dbppmwmm.exe
C:\WINDOWS\system32\gnxlkrne.exe
C:\WINDOWS\system32\hlcxihbh.exe
C:\WINDOWS\system32\kwkvfyri.exe
C:\WINDOWS\system32\lvgokhkr.exe
C:\WINDOWS\system32\mojyxkuv.dll
C:\WINDOWS\system32\ocvaoyej.dll
C:\WINDOWS\system32\tlibvuvt.exe
C:\WINDOWS\system32\uxnsrbqi.exe
C:\WINDOWS\system32\vtUlJcaX.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\host.exe
C:\WINDOWS\system32\bvaurnmx.dll
C:\WINDOWS\system32\dbppmwmm.exe
C:\WINDOWS\system32\gnxlkrne.exe
C:\WINDOWS\system32\hlcxihbh.exe
C:\WINDOWS\system32\kwkvfyri.exe
C:\WINDOWS\system32\lvgokhkr.exe
C:\WINDOWS\system32\mojyxkuv.dll
C:\WINDOWS\system32\ocvaoyej.dll
C:\WINDOWS\system32\rvdkktaf.dll
C:\WINDOWS\system32\tlibvuvt.exe
C:\WINDOWS\system32\uxnsrbqi.exe
D:\host.exe
.

((((((((((((((((((((((((( Files Created from 2008-04-25 to 2008-05-25 )))))))))))))))))))))))))))))))
.

2008-05-25 16:26 . 2008-05-25 16:27 <DIR> d-------- C:\Program Files\IrfanView
2008-05-25 15:49 . 2008-05-25 15:48 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys
2008-05-25 15:49 . 2008-05-25 15:48 298,104 --a------ C:\WINDOWS\system32\imon.dll
2008-05-25 15:49 . 2008-05-25 15:48 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys
2008-05-25 15:48 . 2008-05-25 16:41 <DIR> d-------- C:\Program Files\ESET
2008-05-24 15:07 . 2008-05-24 15:07 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-23 14:47 . 2008-05-23 14:47 <DIR> d-------- C:\Program Files\Opera
2008-05-21 23:33 . 2008-05-21 23:33 <DIR> d-------- C:\Program Files\Real Alternative
2008-05-21 23:33 . 2008-05-21 23:33 <DIR> d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Media Player Classic
2008-05-21 23:29 . 2008-05-21 23:29 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\GRETECH
2008-05-21 23:29 . 2008-05-21 23:29 <DIR> d-------- C:\Documents and Settings\Administrator\Dane aplikacji\GRETECH
2008-05-21 23:25 . 2008-05-21 23:25 <DIR> d-------- C:\Documents and Settings\Administrator\Dane aplikacji\DivX
2008-05-21 23:24 . 2008-05-21 23:24 <DIR> d-------- C:\Program Files\Codec
2008-05-21 22:51 . 2008-05-21 22:51 <DIR> d-------- C:\Program Files\GRETECH
2008-05-20 15:44 . 2008-05-20 15:44 62,895 --a------ C:\FT_Splash.img
2008-05-20 15:38 . 2008-05-20 15:38 <DIR> d-------- C:\Program Files\Common Files\France Telecom
2008-05-16 18:19 . 2008-05-16 18:19 <DIR> d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Ubisoft
2008-05-16 18:17 . 2008-05-16 18:17 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Ubisoft
2008-05-16 18:01 . 2008-05-16 18:01 <DIR> d-------- C:\Documents and Settings\Administrator\Dane aplikacji\InstallShield
2008-05-14 16:12 . 2008-05-14 16:12 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-05-14 15:38 . 2008-05-14 15:38 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment
2008-05-13 20:34 . 2008-05-13 20:34 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-05-13 20:34 . 2008-05-13 20:34 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Macrovision
2008-05-13 15:13 . 2008-05-13 15:13 0 --a------ C:\WINDOWS\ativpsrm.bin
2008-05-12 22:08 . 2008-05-12 22:08 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\FLEXnet
2008-05-12 21:55 . 2008-05-12 21:55 <DIR> d-------- C:\Program Files\Bonjour
2008-05-12 21:50 . 2008-05-12 21:50 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-05-12 21:10 . 2008-05-12 21:10 <DIR> d-------- C:\ATI
2008-05-12 20:59 . 2008-05-12 20:59 940,794 --a------ C:\WINDOWS\system32\LoopyMusic.wav
2008-05-12 20:59 . 2008-05-12 20:59 146,650 --a------ C:\WINDOWS\system32\BuzzingBee.wav
2008-05-12 20:55 . 2005-05-03 04:43 69,632 -r------- C:\WINDOWS\Alcmtr.exe
2008-05-12 20:45 . 2008-05-12 20:45 <DIR> d-------- C:\WINDOWS\system32\Lang
2008-05-12 20:39 . 2001-07-05 18:19 164 --------- C:\WINDOWS\avrack.ini
2008-05-12 20:28 . 2008-05-12 20:28 <DIR> d-------- C:\Documents and Settings\LocalService\Menu Start
2008-05-12 20:10 . 2008-05-12 20:10 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-05-12 20:09 . 2004-11-18 10:42 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-05-12 20:09 . 2004-07-17 11:40 19,528 --a------ C:\WINDOWS\002302_.tmp
2008-05-12 20:08 . 2008-05-12 20:11 <DIR> d-------- C:\WINDOWS\EHome
2008-05-12 20:05 . 2008-05-13 20:34 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-05-11 22:11 . 2008-05-11 22:11 <DIR> d-------- C:\Program Files\Realtek AC97
2008-05-11 21:45 . 2008-05-11 21:45 1,231 --a------ C:\WINDOWS\mozver.dat
2008-05-11 20:47 . 2008-05-11 20:47 <DIR> d-------- C:\Documents and Settings\Administrator\Dane aplikacji\HP
2008-05-11 20:45 . 2008-05-11 20:45 <DIR> d-------- C:\Program Files\Common Files\Sonic Shared
2008-05-11 20:45 . 2008-05-11 20:45 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Sonic
2008-05-11 20:44 . 2008-05-11 20:45 <DIR> d-------- C:\Program Files\Common Files\HP
2008-05-11 20:43 . 2008-05-11 20:43 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-05-11 20:42 . 2006-01-04 11:12 77,824 -ra------ C:\WINDOWS\system32\HPZIDS01.dll
2008-05-11 20:42 . 2006-04-13 02:04 49,664 -ra------ C:\WINDOWS\system32\drivers\HPZid412.sys
2008-05-11 20:42 . 2006-04-10 14:03 38,400 --a------ C:\WINDOWS\system32\hpz3l054.dll
2008-05-11 20:42 . 2006-04-13 02:04 16,496 -ra------ C:\WINDOWS\system32\drivers\HPZipr12.sys
2008-05-11 20:42 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-05-11 20:41 . 1998-10-29 16:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
2008-05-11 20:41 . 2006-03-03 21:03 282,680 --a------ C:\WINDOWS\system32\HPZidr12.dll
2008-05-11 20:41 . 2006-03-03 21:02 204,800 --a------ C:\WINDOWS\system32\HPZipr12.dll
2008-05-11 20:41 . 2006-03-03 21:02 94,208 --a------ C:\WINDOWS\system32\HPZipt12.dll
2008-05-11 20:41 . 2006-03-03 21:03 69,632 --a------ C:\WINDOWS\system32\HPZipm12.exe
2008-05-11 20:41 . 2006-03-03 21:03 65,536 --a------ C:\WINDOWS\system32\HPZinw12.exe
2008-05-11 20:41 . 2006-03-03 21:02 57,344 --a------ C:\WINDOWS\system32\HPZisn12.dll
2008-05-11 20:39 . 2008-05-11 20:39 <DIR> d-------- C:\Program Files\HP
2008-05-11 20:39 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-05-11 20:38 . 2008-05-11 20:50 120,003 --a------ C:\WINDOWS\hpoins11.dat
2008-05-11 20:38 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-05-11 18:58 . 2008-05-11 18:58 <DIR> d-------- C:\Documents and Settings\Administrator\Gadu-Gadu
2008-05-11 18:58 . 2008-05-11 18:58 <DIR> d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Gadu-Gadu
2008-05-11 18:54 . 2008-05-12 20:47 169 --a------ C:\WINDOWS\RtlRack.ini
2008-05-11 18:40 . 2008-05-11 18:40 <DIR> d-------- C:\Program Files\Realtek Sound Manager
2008-05-11 18:40 . 2008-05-12 20:40 <DIR> d-------- C:\Program Files\AvRack
2008-05-11 18:40 . 2004-11-17 10:11 9,319,936 --------- C:\WINDOWS\system32\RTLCPL.exe
2008-05-11 18:40 . 2008-01-24 16:36 4,127,488 -ra------ C:\WINDOWS\system32\drivers\alcxwdm.sys
2008-05-11 18:40 . 2004-11-05 10:29 208,896 --------- C:\WINDOWS\alcupd.exe
2008-05-11 18:40 . 2002-02-05 07:54 141,016 --------- C:\WINDOWS\system32\alsndmgr.wav
2008-05-11 18:40 . 2004-09-01 14:04 139,264 --------- C:\WINDOWS\alcrmv.exe
2008-05-11 18:33 . 2004-08-04 00:44 77,312 --a------ C:\WINDOWS\system32\usbui.dll
2008-05-11 18:33 . 2004-08-04 00:35 58,624 --a------ C:\WINDOWS\system32\drivers\redbook.sys
2008-05-11 18:33 . 2001-08-17 22:46 6,400 --a------ C:\WINDOWS\system32\drivers\enum1394.sys
2008-05-11 18:33 . 2001-08-17 22:59 3,072 --a------ C:\WINDOWS\system32\drivers\audstub.sys
2008-05-11 18:32 . 2008-05-11 18:32 <DIR> dr-h----- C:\Documents and Settings\Default User\Ustawienia lokalne
2008-05-11 18:32 . 2008-05-11 18:32 <DIR> d-------- C:\Documents and Settings\Default User\Ulubione
2008-05-11 18:32 . 2008-05-11 17:37 <DIR> d--h----- C:\Documents and Settings\Default User\Szablony
2008-05-11 18:32 . 2008-05-11 18:32 <DIR> d-------- C:\Documents and Settings\Default User\Pulpit
2008-05-11 18:32 . 2008-05-11 18:32 <DIR> d-------- C:\Documents and Settings\Default User\Moje dokumenty
2008-05-11 18:32 . 2008-05-11 18:32 <DIR> dr------- C:\Documents and Settings\Default User\Menu Start
2008-05-11 18:32 . 2008-05-11 18:32 <DIR> d-------- C:\Documents and Settings\All Users\Ulubione
2008-05-11 18:32 . 2008-05-11 18:32 <DIR> d--h----- C:\Documents and Settings\All Users\Szablony
2008-05-11 18:32 . 2008-05-25 16:13 <DIR> d-------- C:\Documents and Settings\All Users\Pulpit
2008-05-11 18:32 . 2008-05-12 20:11 <DIR> dr------- C:\Documents and Settings\All Users\Menu Start
2008-05-11 18:32 . 2008-05-12 21:56 <DIR> dr------- C:\Documents and Settings\All Users\Dokumenty
2008-05-11 18:31 . 2008-05-12 20:55 <DIR> d-------- C:\WINDOWS\system32\RTCOM
2008-05-11 18:31 . 2008-05-12 20:55 <DIR> d-------- C:\Program Files\Realtek
2008-05-11 18:31 . 2008-05-11 18:32 <DIR> dr-h----- C:\Documents and Settings\Default User\Dane aplikacji
2008-05-11 18:31 . 2008-05-16 18:17 <DIR> dr-h----- C:\Documents and Settings\All Users\Dane aplikacji
2008-05-11 18:30 . 2008-05-11 18:30 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-05-11 18:30 . 2008-05-11 18:30 <DIR> d-------- C:\Program Files\DIFX
2008-05-11 18:30 . 2006-06-18 23:51 43,520 --a------ C:\WINDOWS\system32\drivers\AmdK8.sys
2008-05-11 18:26 . 2008-05-11 18:26 0 --a------ C:\WINDOWS\nsreg.dat
2008-05-11 18:25 . 2008-05-11 18:25 <DIR> d-------- C:\Program Files\Winamp
2008-05-11 18:21 . 2008-05-11 18:21 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
2008-05-11 18:05 . 2008-05-11 18:05 <DIR> d-------- C:\Program Files\D-Link AirPlus
2008-05-11 18:02 . 2008-05-11 18:02 <DIR> d-------- C:\Program Files\Common Files\ATI Technologies
.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.

2008-05-25 13:51 16,768 ----a-w C:\WINDOWS\system32\tcpip_patcher.sys
2008-05-19 14:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-11 16:29 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-05-11 15:59 --------- d-----w C:\Program Files\ATI Technologies
2008-05-11 15:40 558,142 ----a-w C:\WINDOWS\java\Packages\UETJNJZ9.ZIP
2008-05-11 15:40 155,995 ----a-w C:\WINDOWS\java\Packages\4O9ZJZ1B.ZIP
2008-05-11 15:40 --------- d-----w C:\Program Files\microsoft frontpage
2008-05-11 15:37 --------- d-----w C:\Program Files\Usługi online
2008-04-27 08:35 180,224 ----a-w C:\WINDOWS\system32\xvidvfw.dll
2008-04-27 08:33 765,952 ----a-w C:\WINDOWS\system32\xvidcore.dll
2008-03-29 06:21 2,873,856 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
2008-03-29 05:19 9,801,728 ----a-w C:\WINDOWS\system32\atioglx2.dll
2008-03-29 04:40 167,936 ----a-w C:\WINDOWS\system32\atiok3x2.dll
2008-03-29 04:05 372,736 ----a-w C:\WINDOWS\system32\ATIDEMGX.dll
2008-03-29 04:04 299,008 ----a-w C:\WINDOWS\system32\ati2dvag.dll
2008-03-29 03:56 172,032 ----a-w C:\WINDOWS\system32\atipdlxx.dll
2008-03-29 03:56 126,976 ----a-w C:\WINDOWS\system32\Oemdspif.dll
2008-03-29 03:55 43,520 ----a-w C:\WINDOWS\system32\ati2edxx.dll
2008-03-29 03:55 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe
2008-03-29 03:55 126,976 ----a-w C:\WINDOWS\system32\ati2evxx.dll
2008-03-29 03:54 536,576 ----a-w C:\WINDOWS\system32\ati2evxx.exe
2008-03-29 03:52 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL
2008-03-29 03:43 3,176,480 ----a-w C:\WINDOWS\system32\ati3duag.dll
2008-03-29 03:39 307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll
2008-03-29 03:36 1,765,120 ----a-w C:\WINDOWS\system32\ativvaxx.dll
2008-03-29 03:24 46,080 ----a-w C:\WINDOWS\system32\amdpcom32.dll
2008-03-29 03:23 5,439,488 ----a-w C:\WINDOWS\system32\atioglxx.dll
2008-03-29 03:21 393,216 ----a-w C:\WINDOWS\system32\atikvmag.dll
2008-03-29 03:19 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll
2008-03-29 03:18 49,152 ----a-w C:\WINDOWS\system32\drivers\ati2erec.dll
2008-03-29 03:12 520,192 ----a-w C:\WINDOWS\system32\ati2cqag.dll
2008-03-28 19:05 593,920 ------w C:\WINDOWS\system32\ati2sgag.exe
2008-03-21 19:30 524,288 ----a-w C:\WINDOWS\system32\divxsm.exe
2008-03-21 19:30 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-03-21 19:28 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2008-03-21 19:28 682,496 ----a-w C:\WINDOWS\system32\divx.dll
.

((((((((((((((((((((((((((((( snapshot@2008-05-25_17.46.19.07 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-25 15:44:30 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-25 16:12:19 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44 15360]
"Gadu-Gadu"="D:\Programy\Gadu-Gadu\gg.exe" [2008-03-20 12:04 2127296]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 00:44 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinampAgent"="D:\Programy\Winamp\winampa.exe" [2007-05-15 00:22 35328]
"RTHDCPL"="RTHDCPL.EXE" [2006-10-30 05:49 16269312 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 04:04 2879488 C:\WINDOWS\SkyTel.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 02:41 8523776]
"nwiz"="nwiz.exe" [2006-10-31 08:35 1622016 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 02:41 81920]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-05-25 15:48 949376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:44 15360]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-05-13 20:34:30 113664]
D-Link AirPlus.lnk - C:\Program Files\D-Link AirPlus\AirPlus.exe [2008-05-11 18:05:13 262144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm
"msacm.divxa32"= msaud32_divx.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^HP Photosmart Premier - Szybkie uruchomienie.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\HP Photosmart Premier - Szybkie uruchomienie.lnk
backup=C:\WINDOWS\pss\HP Photosmart Premier - Szybkie uruchomienie.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"D:\\Gry\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx9.exe"=
"D:\\Gry\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx10.exe"=
"D:\\Gry\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Launcher.exe"=

S3 EverestDriver;Lavalys EVEREST Kernel Driver;D:\Programy\Lavalys\EVEREST Home Edition\kerneld.wnt [2005-08-18 00:00]

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-25 18:14:02
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\EverestDriver]
"ImagePath"="\??\D:\Programy\Lavalys\EVEREST Home Edition\kerneld.wnt"
.
Completion time: 2008-05-25 18:14:29
ComboFix-quarantined-files.txt 2008-05-25 16:14:23
ComboFix2.txt 2008-05-25 15:46:45

Pre-Run: 11,235,815,424 bajtów wolnych
Post-Run: 11,223,752,704 bajtów wolnych

240
skibenz (author) comment 25 May 2008

Thanks a lot, for now everything is completely fine +