Sochu, comment, 15 February 2009 (edited)

Hello. I have the same problem ;/ I made a log with the HijackThis program. Could someone please check it.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:31:15, on 2009-02-15
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Users\Sochu\AppData\Local\Temp\systeminit.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files (x86)\Java\jre6\bin\jusched.exe
C:\Program Files (x86)\Opera\opera.exe
C:\Users\Sochu\AppData\Local\Temp\perce.jpg.exe
D:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: ::1 localhost
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: My Global Search Bar BHO - {37B85A21-692B-4205-9CAD-2626E4993404} - C:\Program Files (x86)\MyGlobalSearch\bar\1.bin\MGSBAR.DLL
O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: My Global Search Bar - {37B85A29-692B-4205-9CAD-2626E4993404} - C:\Program Files (x86)\MyGlobalSearch\bar\1.bin\MGSBAR.DLL
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [Nowe Gadu-Gadu] "C:\Program Files (x86)\Nowe Gadu-Gadu\gg.exe"
O4 - HKCU\..\Run: [RGSC] E:\Program Files (x86)\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe /silent
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [RICOlmer] C:\Program Files (x86)\RICOlmer\RICOlmer.exe
O4 - HKCU\..\Run: [Cognac] C:\Users\Sochu\AppData\Local\Temp\perce.jpg.exe
O4 - HKCU\..\Run: [systeminit.exe] C:\Users\Sochu\AppData\Local\Temp\systeminit.exe
O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'USŁUGA SIECIOWA')
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~2\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix: 
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files (x86)\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NMIndexingService - Nero AG - C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\Windows\system32\PnkBstrB.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 7648 bytes

Oh, and also Silent Runners:

"Silent Runners.vbs", revision 59, http://www.silentrunners.org/
Operating System: Windows Vista
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Sidebar" = "C:\Program Files\Windows Sidebar\sidebar.exe /autoRun" [MS]
"WindowsWelcomeCenter" = "rundll32.exe oobefldr.dll,ShowWelcomeCenter" [MS]
"Nowe Gadu-Gadu" = ""C:\Program Files (x86)\Nowe Gadu-Gadu\gg.exe"" ["Gadu-Gadu S.A."]
"RGSC" = "E:\Program Files (x86)\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe /silent" [null data]
"DAEMON Tools Lite" = ""C:\Program Files (x86)\DAEMON Tools Lite\daemon.exe" -autorun" ["DT Soft Ltd"]
"RICOlmer" = "C:\Program Files (x86)\RICOlmer\RICOlmer.exe" ["Robert Wieckowicz"]
"Cognac" = "C:\Users\Sochu\AppData\Local\Temp\perce.jpg.exe" [null data]
"systeminit.exe" = "C:\Users\Sochu\AppData\Local\Temp\systeminit.exe" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Windows Defender" = "C:\Program Files\Windows Defender\MSASCui.exe -hide"
"RivaTunerStartupDaemon" = ""C:\Program Files (x86)\RivaTuner v2.20\RivaTunerWrapper.exe" /S" [empty string]
"NvCplDaemon" = "RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup" [MS]
"NvMediaCenter" = "RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
  -> {HKLM...CLSID} = "avast"
     \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShA64.dll" ["ALWIL Software"]
"{03DAACC5-10BA-4E3E-9D54-2A569F6B4B87}" = "Menedżer plików firmy Sony Ericsson"
  -> {HKLM...CLSID} = "Menedżer plików firmy Sony Ericsson"
     \InProcServer32\(Default) = "C:\Program Files\Sony Ericsson\Mobile2\File Manager x64\FM.dll" ["Popwire AB"]
"{738D66C6-0149-4D40-84E4-A7BB2D0CE949}" = "Menedżer plików firmy Sony Ericsson"
  -> {HKLM...CLSID} = "Menedżer plików firmy Sony Ericsson"
     \InProcServer32\(Default) = "C:\Program Files\Sony Ericsson\Mobile2\File Manager x64\FM.dll" ["Popwire AB"]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
  -> {HKLM...CLSID} = "DesktopContext Class"
     \InProcServer32\(Default) = "C:\Windows\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
  -> {HKLM...CLSID} = "NVIDIA CPL Extension"
     \InProcServer32\(Default) = "C:\Windows\system32\nvcpl.dll" ["NVIDIA Corporation"]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
  -> {HKLM...CLSID} = "avast"
     \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShA64.dll" ["ALWIL Software"]
WinRAR\(Default) = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files (x86)\WinRAR\rarext64.dll" [null data]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files (x86)\WinRAR\rarext64.dll" [null data]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
  -> {HKLM...CLSID} = "avast"
     \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShA64.dll" ["ALWIL Software"]
WinRAR\(Default) = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files (x86)\WinRAR\rarext64.dll" [null data]

Default executables:
--------------------

HKLM\SOFTWARE\Classes\.hta\(Default) = "htafile"
<<!>> HKLM\SOFTWARE\Classes\htafile\shell\open\command\(Default) = "C:\Windows\SysWOW64\mshta.exe "%1" %*" [MS]

Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\
"NoActiveDesktop" = (REG_DWORD) dword:0x00000001
{unrecognized setting}
"NoActiveDesktopChanges" = (REG_DWORD) dword:0x00000001
{unrecognized setting}
"ForceActiveDesktopOn" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
"ConsentPromptBehaviorAdmin" = (REG_DWORD) dword:0x00000002
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode}
"ConsentPromptBehaviorUser" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Behavior Of The Elevation Prompt For Standard Users}
"EnableInstallerDetection" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Detect Application Installations And Prompt For Elevation}
"EnableLUA" = (REG_DWORD) dword:0x00000000
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Run All Administrators In Admin Approval Mode}
"EnableSecureUIAPaths" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Only elevate UIAccess applications that are installed in secure locations}
"EnableVirtualization" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Virtualize file and registry write failures to per-user locations}
"PromptOnSecureDesktop" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Switch to the secure desktop when prompting for elevation}
"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}
"FilterAdministratorToken" = (REG_DWORD) dword:0x00000000
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Admin Approval Mode for the Built-in Administrator Account}
"EnableUIADesktopToggle" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\Windows\system32\config\systemprofile\AppData\Roaming\Opera\Opera\profile\skin\dddqi9.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Users\Sochu\AppData\Roaming\Opera\Opera\profile\skin\dddqi9.bmp"

Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

MSPlayCDAudioOnArrival\
"Provider" = "@wmploc.dll,-6502"
"InvokeProgID" = "WMP.AudioCD"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\WMP.AudioCD\shell\play\command\(Default) = ""C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:3 /device:AudioCD "%L"" [MS]

MSPlayDVDMovieOnArrival\
"Provider" = "@wmploc.dll,-6502"
"InvokeProgID" = "WMP.DVD"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\WMP.DVD\shell\play\command\(Default) = ""C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:4 /device:DVD "%L"" [MS]

MSPlaySuperVideoCDMovieOnArrival\
"Provider" = "@wmploc.dll,-6502"
"InvokeProgID" = "WMP.VCD"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\WMP.VCD\shell\play\command\(Default) = ""C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:4 /device:VCD "%L"" [MS]

MSPlayVideoCDMovieOnArrival\
"Provider" = "@wmploc.dll,-6502"
"InvokeProgID" = "WMP.VCD"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\WMP.VCD\shell\play\command\(Default) = ""C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:4 /device:VCD "%L"" [MS]

MSRipCDAudioOnArrival\
"Provider" = "@wmploc.dll,-6502"
"InvokeProgID" = "WMP.RipCD"
"InvokeVerb" = "Rip"
HKLM\SOFTWARE\Classes\WMP.RipCD\shell\Rip\Command\(Default) = ""C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:3 /RipAudioCD "%L" " [MS]

MSWMPBurnCDOnArrival\
"Provider" = "@wmploc.dll,-6502"
"InvokeProgID" = "WMP.BurnCD"
"InvokeVerb" = "Burn"
HKLM\SOFTWARE\Classes\WMP.BurnCD\shell\Burn\Command\(Default) = ""C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:3 /Task:CDWrite /Device:"%L" " [MS]

MSWMPBurnDataDVDArrival\
"Provider" = "@wmploc.dll,-6502"
"InvokeProgID" = "WMP.BurnDVD"
"InvokeVerb" = "Burn"
HKLM\SOFTWARE\Classes\WMP.BurnDVD\shell\Burn\Command\(Default) = ""C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:3 /Task:DVDWrite /Device:"%L" " [MS]

WIA_{5FCF1B41-2D0F-41C9-878B-12C576D89D84}\
"Provider" = "Microsoft Office Word"
"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"
"InitCmdLine" = "/WiaCmd;C:\Program Files (x86)\Microsoft Office\OFFICE11\WINWORD.EXE /IMG_WIA;"
  -> {HKLM...CLSID} = "WPDShextAutoplay"
     \LocalServer32\(Default) = "C:\Windows\system32\WPDShextAutoplay.exe" [MS]

Non-disabled Scheduled Tasks:
-----------------------------

C:\Windows\System32\Tasks
"User_Feed_Synchronization-{0E08BDB9-5BD8-400B-A6E5-F4E7D69B6B16}" -> (HIDDEN!) launches: "C:\Windows\system32\msfeedssync.exe sync" [MS]

C:\Windows\System32\Tasks\Apple
"AppleSoftwareUpdate" -> launches: "C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe -task" ["Apple Inc."]

C:\Windows\System32\Tasks\Microsoft\Windows\Active Directory Rights Management Services Client
"AD RMS Rights Policy Template Management (Manual)" -> launches: "{BF5CB148-7C77-4d8a-A53E-D81C70CF743C}"
  -> {HKLM...CLSID} = "AD RMS Rights Policy Template Management (Manual) Task Handler"
     \InProcServer32\(Default) = "C:\Windows\system32\msdrm.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Bluetooth
"UninstallDeviceTask" -> launches: "BthUdTask.exe $(Arg0)" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\CertificateServicesClient
"SystemTask" -> launches: "{58fb76b9-ac85-4e55-ac04-427593b1d060}"
  -> {HKLM...CLSID} = "Certificate Services Client Task Handler"
     \InProcServer32\(Default) = "C:\Windows\system32\dimsjob.dll" [MS]
"UserTask" -> launches: "{58fb76b9-ac85-4e55-ac04-427593b1d060}"
  -> {HKLM...CLSID} = "Certificate Services Client Task Handler"
     \InProcServer32\(Default) = "C:\Windows\system32\dimsjob.dll" [MS]
"UserTask-Roam" -> launches: "{58fb76b9-ac85-4e55-ac04-427593b1d060}"
  -> {HKLM...CLSID} = "Certificate Services Client Task Handler"
     \InProcServer32\(Default) = "C:\Windows\system32\dimsjob.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program
"Consolidator" -> launches: "%SystemRoot%\System32\wsqmcons.exe" [MS]
"OptinNotification" -> launches: "%SystemRoot%\System32\wsqmcons.exe -n 0x1C577FA2B69CAD0" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Defrag
"ScheduledDefrag" -> launches: "%windir%\system32\defrag.exe -c -i" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Media Center
"ehDRMInit" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /DRMInit" [MS]
"mcupdate" -> launches: "%SystemRoot%\ehome\mcupdate $(Arg0) -gc" [MS]
"OCURActivate" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /OCURActivate" [MS]
"OCURDiscovery" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /OCURDiscovery" [MS]
"UpdateRecordPath" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /DoUpdateRecordPath $(Arg0)" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\MobilePC
"HotStart" -> launches: "{06DA0625-9701-43da-BFD7-FBEEA2180A1E}"
  -> {HKLM...CLSID} = "HotStart User Agent"
     \InProcServer32\(Default) = "C:\Windows\System32\HotStartUserAgent.dll" [MS]
"TMM" -> launches: "{35EF4182-F900-4632-B072-8639E4478A61}"
  -> {HKLM...CLSID} = "Transient Multi-Monitor Manager"
     \InProcServer32\(Default) = "C:\Windows\System32\TMM.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\MUI
"LPRemove" -> launches: "%windir%\system32\lpremove.exe" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Multimedia
"SystemSoundsService" -> launches: "{2DEA658F-54C1-4227-AF9B-260AB5FC3543}"
  -> {HKLM...CLSID} = "Microsoft PlaySoundService Class"
     \InProcServer32\(Default) = "C:\Windows\System32\PlaySndSrv.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\NetworkAccessProtection
"NAPStatus UI" -> launches: "{f09878a1-4652-4292-aa63-8c7d4fd7648f}"
  -> {HKLM...CLSID} = "Nap ITask Handler Implementation"
     \InProcServer32\(Default) = "C:\Windows\System32\QAgent.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\PLA\System
"ConvertLogEntries" -> (HIDDEN!) launches: "%windir%\system32\rundll32.exe %windir%\system32\pla.dll,PlaConvertLogEntries" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\RAC
"RACAgent" -> (HIDDEN!) launches: "%windir%\system32\RacAgent.exe" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\RemoteAssistance
"RemoteAssistanceTask" -> (HIDDEN!) launches: "%windir%\system32\RAServer.exe /offerraupdate" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Shell
"CrawlStartPages" -> launches: "{51653423-e62d-4ff7-894a-dabb2b8e21e2}"
  -> {HKLM...CLSID} = "CrawlStartPages Task Handler"
     \InProcServer32\(Default) = "C:\Windows\System32\srchadmin.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\SideShow
"GadgetManager" -> launches: "{FF87090D-4A9A-4f47-879B-29A80C355D61}"
  -> {HKLM...CLSID} = "GadgetsManager Class"
     \InProcServer32\(Default) = "C:\Windows\System32\AuxiliaryDisplayServices.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\SystemRestore
"SR" -> launches: "%windir%\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Tcpip
"IpAddressConflict1" -> launches: "rundll32 ndfapi.dll,NdfRunDllDuplicateIPOffendingSystem" [MS]
"IpAddressConflict2" -> launches: "rundll32 ndfapi.dll,NdfRunDllDuplicateIPDefendingSystem" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework
"MsCtfMonitor" -> (HIDDEN!) launches: "{01575cfe-9a55-4003-a5e1-f38d1ebdcbe1}"
  -> {HKLM...CLSID} = "MsCtfMonitor task handler"
     \InProcServer32\(Default) = "C:\Windows\system32\MsCtfMonitor.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\UPnP
"UPnPHostConfig" -> launches: "sc.exe config upnphost start= auto" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\WDI
"ResolutionHost" -> (HIDDEN!) launches: "{900be39d-6be8-461a-bc4d-b0fa71f5ecb1}"
  -> {HKLM...CLSID} = "DiagnosticInfrastructureCustomHandler"
     \InProcServer32\(Default) = "C:\Windows\System32\wdi.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Windows Error Reporting
"QueueReporting" -> launches: "%windir%\system32\wermgr.exe -queuereporting" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Wired
"GatherWiredInfo" -> launches: "%windir%\system32\gatherWiredInfo.vbs" [null data]

C:\Windows\System32\Tasks\Microsoft\Windows\Wireless
"GatherWirelessInfo" -> launches: "%windir%\system32\gatherWirelessInfo.vbs" [null data]

C:\Windows\System32\Tasks\Microsoft\Windows Defender
"MP Scheduled Scan" -> (HIDDEN!) launches: "c:\program files\windows defender\MpCmdRun.exe Scan -RestrictPrivileges" [MS]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\system32\NLAapi.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\system32\napinsp.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\system32\pnrpnsp.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\system32\pnrpnsp.dll" [MS]
000000000005\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000006\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 10

Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{32099AAC-C132-4136-9E9A-4E364A424E17}"
  -> {HKLM...CLSID} = "DAEMON Tools Toolbar"
     \InProcServer32\(Default) = "C:\Program Files (x86)\DAEMON Tools Toolbar\DTToolbar64.dll" [file not found]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{32099AAC-C132-4136-9E9A-4E364A424E17}" = (no title provided)
  -> {HKLM...CLSID} = "DAEMON Tools Toolbar"
     \InProcServer32\(Default) = "C:\Program Files (x86)\DAEMON Tools Toolbar\DTToolbar64.dll" [file not found]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" ["ALWIL Software"]
avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" ["ALWIL Software"]
avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]
avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]
NVIDIA Display Driver Service, nvsvc, "C:\Windows\system32\nvvsvc.exe" ["NVIDIA Corporation"]
PnkBstrA, PnkBstrA, "C:\Windows\system32\PnkBstrA.exe" [file not found]
PnkBstrB, PnkBstrB, "C:\Windows\system32\PnkBstrB.exe" [file not found]
Usługa buforowania czcionek platformy Windows Presentation Foundation, wersja 3.0.0.0, FontCache3.0.0.0, "C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe" [MS]
Usługa Protokół SSTP, SstpSvc, "C:\Windows\system32\svchost.exe -k LocalService" {"C:\Windows\system32\sstpsvc.dll" [MS]}
Windows Driver Foundation — User-mode Driver Framework, wudfsvc, "C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted" {"C:\Windows\System32\WUDFSvc.dll" [MS]}
Windows Image Acquisition (WIA), stisvc, "C:\Windows\system32\svchost.exe -k imgsvc" {"C:\Windows\System32\wiaservc.dll" [MS]}

----------
(launch time: 2009-02-15 14:49:36)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
  took 46 seconds.
---------- (total run time: 79 seconds)

Edited 15 February 2009 by Sochu
Mateusz J., comment, 16 February 2009

Paste the following into Notepad:

File::
C:\Users\Sochu\AppData\Local\Temp\perce.jpg.exe
C:\Users\Sochu\AppData\Local\Temp\systeminit.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cognac"=-
"systeminit.exe"=-

In Notepad, File tab ==> Save as ==> save it under the name CFScript.txt, in the same folder where ComboFix was downloaded and saved.
Drag the created CFScript.txt file onto the ComboFix icon. As in the picture:
Removal will start and a log will be produced, which you post on the forum.
Sochu, comment, 16 February 2009 (edited)

Hmm... There is a certain problem, because I don't know how to turn off avast, and the program says that some errors may occur until I turn avast off. The second thing is that I use Windows Vista x64, and when I drag the created CFScript.txt file onto the ComboFix icon, an error pops up (win32 only) saying that ComboFix supports only Win XP or 2000. Can anything be done about this?

Edited 16 February 2009 by Sochu
Mateusz J., comment, 16 February 2009

Follow this: http://www.forumpc.pl/index.php?showtopic=50241

Script to paste:

Files to delete:
C:\Users\Sochu\AppData\Local\Temp\perce.jpg.exe
C:\Users\Sochu\AppData\Local\Temp\systeminit.exe

Then paste the following into Notepad:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cognac"=-
"systeminit.exe"=-

File ==> Save as ==> Change the file type to All files ==> Save under the name FIX.REG
Run the created FIX.REG file, confirm adding it to the Registry, and restart the computer.
Then post the log from RSIT.
http://www.forumpc.pl/index.php?showtopic=72102
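Both HijackThis logs in this thread carry an O4 autostart value named Cognac whose target lives in a Temp directory (in the first log under a double extension, perce.jpg.exe), and the fix above removes such values with a FIX.REG file whose "name"=- lines delete them. The Python script below is an added example, not code from the thread, from HijackThis or from any of the posters: it parses O4 lines, flags the two traits a log reviewer looks for here (a launch path under Temp and an image-disguising double extension), and emits a .reg file in the same form as the FIX.REG above. The O4 sample lines are constructed for the example and modelled on the entries quoted in the thread; the two heuristics and the hive-expansion table are assumptions of this example, not a complete detection rule.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: O4 (autostart) lines in HijackThis v2.0.2 format,
# modelled on entries quoted in this thread. Not a complete or real log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Nowe Gadu-Gadu] "C:\Program Files (x86)\Nowe Gadu-Gadu\gg.exe"
O4 - HKCU\..\Run: [Cognac] C:\Users\Sochu\AppData\Local\Temp\perce.jpg.exe
O4 - HKCU\..\Run: [systeminit.exe] C:\Users\Sochu\AppData\Local\Temp\systeminit.exe
O4 - HKCU\..\Run: [Cognac] C:\DOCUME~1\Ola\USTAWI~1\Temp\10032.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'USŁUGA LOKALNA')
"""

# "O4 - <hive>: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# The image is either the quoted first argument or the first token that ends
# in an executable extension (so "RUNDLL32.EXE C:\...\NvCpl.dll,..." gives RUNDLL32.EXE).
IMAGE_RE = re.compile(
    r'^"([^"]+)"|^(\S.*?\.(?:exe|dll|cpl|scr|bat|cmd|vbs|com))(?=\s|,|$)', re.IGNORECASE)
# A data-file extension immediately followed by an executable one, e.g. perce.jpg.exe.
DOUBLE_EXT_RE = re.compile(
    r"\.(?:jpg|jpeg|gif|png|bmp|txt|doc|pdf|mp3|avi)\.(?:exe|scr|com|bat|cmd|pif)$", re.IGNORECASE)
# Assumed mapping from HijackThis hive shorthand to .reg root key names.
HIVES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE", "HKUS": "HKEY_USERS"}


def parse_o4(text):
    """Return one dict per O4 line: hive, value name, image path, raw command."""
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        img = IMAGE_RE.match(m["cmd"])
        image = (img.group(1) or img.group(2)) if img else m["cmd"]
        entries.append({"hive": m["hive"], "name": m["name"], "image": image, "cmd": m["cmd"]})
    return entries


def triage(entries):
    """Flag autostart entries with the traits seen in this thread's logs."""
    flagged = []
    for e in entries:
        parts = PureWindowsPath(e["image"]).parts
        reasons = []
        if any(p.lower() == "temp" for p in parts[:-1]):
            reasons.append("runs from a Temp directory")
        if parts and DOUBLE_EXT_RE.search(parts[-1]):
            reasons.append("double extension hides an executable")
        if reasons:
            flagged.append({**e, "reasons": reasons})
    return flagged


def hive_to_key(hive):
    """Expand shorthand such as HKCU\\..\\Run or HKUS\\S-1-5-19\\..\\Run to the full key."""
    root, sep, tail = hive.partition("\\..\\")
    if not sep:
        raise ValueError(f"not a registry autostart entry: {hive}")
    short, _, rest = root.partition("\\")  # e.g. "HKUS", "S-1-5-19"
    full = HIVES[short] + ("\\" + rest if rest else "")
    return f"{full}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\{tail}"


def reg_fix(flagged):
    """Build a .reg file in the same form as the thread's FIX.REG: a "name"=- line
    under a key deletes that value when the file is merged."""
    by_key = {}
    for e in flagged:
        by_key.setdefault(hive_to_key(e["hive"]), []).append(e["name"])
    out = ["Windows Registry Editor Version 5.00", ""]
    for key, names in by_key.items():
        out.append(f"[{key}]")
        seen = set()
        for n in names:            # one deletion line per distinct value name
            if n not in seen:
                seen.add(n)
                out.append(f'"{n}"=-')
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    hits = triage(parse_o4(SAMPLE_LOG))
    for h in hits:
        print(f"{h['hive']} [{h['name']}] {h['image']}: {'; '.join(h['reasons'])}")
    print(reg_fix(hits))
```

Run against the sample, the script flags the three Temp-launched entries and nothing else, and the generated .reg text matches the one in the post above (the two Cognac values collapse to a single deletion line because a .reg file addresses values by name). The .reg route only removes the autostart value; the files themselves still have to be deleted, as the "Files to delete" step above does.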
Sochu, comment, 16 February 2009 (edited)

Done, thanks.

Edited 19 February 2009 by Sochu
olaty, comment, 25 February 2009

Hello, I'm a complete layperson when it comes to viruses and the like. The same problem as in this topic has appeared on my machine. I already have HijackThis and Combo. I made a log and would very much appreciate it being checked, because the pop-up icon is very annoying. Many thanks in advance, and I'd ask for further instructions.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:12:27, on 2009-02-25
Platform: Windows XP Dodatek SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\PowerS.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Nowe Gadu-Gadu\gg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Nowe Gadu-Gadu\spellchecker_gg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\7DDrEhhG.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\DOCUME~1\Ola\USTAWI~1\Temp\10032.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: XML module - {500BCA15-57A7-4eaf-8143-8C619470B13D} - C:\WINDOWS\system32\msxml71.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Pomocnik rejestracji usługi Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [PowerS] C:\WINDOWS\PowerS.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [bitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [Nowe Gadu-Gadu] "C:\Program Files\Nowe Gadu-Gadu\gg.exe"
O4 - HKCU\..\Run: [Cognac] C:\DOCUME~1\Ola\USTAWI~1\Temp\10032.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1191754818312
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Usługa iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 7690 bytes
Mateusz J., comment, 25 February 2009
Paste into Notepad:

File::
C:\DOCUME~1\Ola\USTAWI~1\Temp\10032.exe
C:\WINDOWS\system32\msxml71.dll
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cognac"=-

In Notepad go to File ==> Save As ==> save it under the name CFScript.txt, in the same folder where ComboFix was downloaded and saved. Drag the CFScript.txt file you created onto the ComboFix icon, as in the picture: The removal will start and a log will be produced, which you then post on the forum.
olaty, comment, 26 February 2009
Done. Here is the log:

ComboFix 09-02-24.02 - Ola 2009-02-26 16:01:42.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1250.1.1045.18.511.248 [GMT 1:00]
Uruchomiony z: c:\documents and settings\Ola\Pulpit\ComboFix.exe
Użyto następujących komend :: c:\documents and settings\Ola\Pulpit\CFScript.txt
AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated)
 * Utworzono nowy punkt przywracania

FILE ::
c:\docume~1\Ola\USTAWI~1\Temp\10032.exe
c:\windows\system32\msxml71.dll
.

((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
c:\docume~1\Ola\USTAWI~1\Temp\10032.exe
c:\windows\system32\7DDrEhhG.exe.a_a
c:\windows\system32\drivers\npf.sys
c:\windows\system32\init32.exe
c:\windows\system32\msxml71.dll
c:\windows\system32\packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\wanpacket.dll
c:\windows\system32\wpcap.dll

Zainfekowana kopia została znaleziona. Problem naprawiono
Plik odzyskano z -
.

((((((((((((((((((((((((((((((((((((((( Sterowniki/Usługi )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_NPF


((((((((((((((((((((((((( Pliki utworzone od 2009-01-26 do 2009-02-26 )))))))))))))))))))))))))))))))
.

2009-02-25 20:00 . 2009-02-25 20:00 <DIR> d-------- c:\program files\Trend Micro
2009-02-25 19:01 . 2009-02-25 19:01 <DIR> dr------- c:\documents and settings\NetworkService\Ulubione
2009-02-25 18:28 . 2009-02-25 18:28 77,824 --a------ c:\windows\system32\7DDrEhhG.exe
2009-02-24 21:13 . 2009-02-25 18:45 2,333 --a------ c:\windows\TSCTNDBG.INI
2009-02-23 21:23 . 2009-02-23 21:23 <DIR> d-------- c:\program files\Common Files\xing shared
2009-02-23 20:14 . 2009-02-23 20:24 <DIR> d-------- c:\documents and settings\Lukasz\Tracing
2009-02-10 18:46 . 2009-02-11 01:20 <DIR> d-------- c:\documents and settings\Ola\Dane aplikacji\Nowe Gadu-Gadu
2009-02-10 18:45 . 2009-02-10 18:46 <DIR> d-------- c:\program files\Nowe Gadu-Gadu
2009-02-10 18:27 . 2009-02-26 16:07 <DIR> d-------- c:\documents and settings\Ola\Tracing
2009-02-10 18:23 . 2009-02-10 18:23 <DIR> d-------- c:\program files\Microsoft
2009-02-10 18:22 . 2009-02-10 18:22 <DIR> d-------- c:\program files\Windows Live SkyDrive
2009-02-10 18:09 . 2009-02-10 18:09 <DIR> d-------- c:\program files\Common Files\Windows Live
2009-02-06 18:52 . 2009-02-06 18:52 49,504 --a------ c:\windows\system32\sirenacm.dll

.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-26 15:06 --------- d-----w c:\program files\DNA
2009-02-26 15:06 --------- d-----w c:\documents and settings\Ola\Dane aplikacji\DNA
2009-02-25 17:17 --------- d-----w c:\program files\eMule
2009-02-23 20:23 --------- d-----w c:\program files\Common Files\Real
2009-02-11 15:37 --------- d-----w c:\program files\Gadu-Gadu
2009-02-10 17:22 --------- d-----w c:\program files\Windows Live
2009-01-05 19:20 --------- d-----w c:\documents and settings\Ola\Dane aplikacji\gtk-2.0
2009-01-04 21:19 --------- d-----w c:\documents and settings\Ola\Dane aplikacji\Image Zone Express
2008-12-30 22:19 --------- d-----w c:\program files\MSECache
2008-12-29 21:36 --------- d-----w c:\program files\Scribus 1.3.2
2008-12-28 21:27 --------- d-----w c:\program files\Common Files\DVDVIDEOSOFT
2008-10-03 21:15 32,768 --sha-w c:\windows\system32\config\systemprofile\Ustawienia lokalne\Historia\History.IE5\MSHist012008100320081004\index.dat

.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-06 3885408]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-16 342848]
"Nowe Gadu-Gadu"="c:\program files\Nowe Gadu-Gadu\gg.exe" [2009-02-06 9302632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-23 266497]
"PowerS"="c:\windows\PowerS.exe" [2001-08-03 159800]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-02-23 185872]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 c:\windows\system32\bthprops.cpl]

c:\documents and settings\All Users\Menu Start\Programy\Autostart\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Nowe Gadu-Gadu\\gg.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R2 CX88XBAR;Conexant 2388x Crossbar;c:\windows\system32\drivers\cx88xbar.sys [2007-10-06 8506]
.
Zawartość folderu 'Zaplanowane zadania'

2008-09-27 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
2009-02-25 c:\windows\Tasks\At1.job - c:\windows\system32\7DDrEhhG.exe [2009-02-25 18:28]
2009-02-25 c:\windows\Tasks\At10.job - c:\windows\system32\7DDrEhhG.exe [2009-02-25 18:28]
2009-02-25 c:\windows\Tasks\At11.job - c:\windows\system32\7DDrEhhG.exe [2009-02-25 18:28]
2009-02-25 c:\windows\Tasks\At12.job - c:\windows\system32\7DDrEhhG.exe [2009-02-25 18:28]
2009-02-25 c:\windows\Tasks\At13.job - c:\windows\system32\7DDrEhhG.exe [2009-02-25 18:28]
2009-02-25 c:\windows\Tasks\At14.job - c:\windows\system32\7DDrEhhG.exe [2009-02-25 18:28]
2009-02-25 c:\windows\Tasks\At15.job - c:\windows\system32\7DDrEhhG.exe [2009-02-25 18:28]
2009-02-25 c:\windows\Tasks\At16.job - c:\windows\system32\7DDrEhhG.exe [2009-02-25 18:28]
2009-02-25 c:\windows\Tasks\At17.job - c:\windows\system32\7DDrEhhG.exe [2009-02-25 18:28]
2009-02-25 c:\windows\Tasks\At18.job - c:\windows\system32\7DDrEhhG.exe [2009-02-25 18:28]
2009-02-25 c:\windows\Tasks\At19.job - c:\windows\system32\7DDrEhhG.exe [2009-02-25 18:28]
2009-02-25 c:\windows\Tasks\At2.job - c:\windows\system32\7DDrEhhG.exe [2009-02-25 18:28]
2009-02-25 c:\windows\Tasks\At20.job - c:\windows\system32\7DDrEhhG.exe [2009-02-25 18:28]
2009-02-26 c:\windows\Tasks\At21.job - c:\windows\system32\7DDrEhhG.exe [2009-02-25 18:28]
2009-02-25 c:\windows\Tasks\At22.job - c:\windows\system32\7DDrEhhG.exe [2009-02-25 18:28]
2009-02-25 c:\windows\Tasks\At23.job - c:\windows\system32\7DDrEhhG.exe [2009-02-25 18:28]
2009-02-25 c:\windows\Tasks\At24.job - c:\windows\system32\7DDrEhhG.exe [2009-02-25 18:28]
2009-02-25 c:\windows\Tasks\At3.job - c:\windows\system32\7DDrEhhG.exe [2009-02-25 18:28]
2009-02-25 c:\windows\Tasks\At4.job - c:\windows\system32\7DDrEhhG.exe [2009-02-25 18:28]
2009-02-25 c:\windows\Tasks\At5.job - c:\windows\system32\7DDrEhhG.exe [2009-02-25 18:28]
2009-02-25 c:\windows\Tasks\At6.job - c:\windows\system32\7DDrEhhG.exe [2009-02-25 18:28]
2009-02-25 c:\windows\Tasks\At7.job - c:\windows\system32\7DDrEhhG.exe [2009-02-25 18:28]
2009-02-25 c:\windows\Tasks\At8.job - c:\windows\system32\7DDrEhhG.exe [2009-02-25 18:28]
2009-02-25 c:\windows\Tasks\At9.job - c:\windows\system32\7DDrEhhG.exe [2009-02-25 18:28]
.
.
------- Skan uzupełniający -------
.
uStart Page = hxxp://www.google.pl/
uInternet Settings,ProxyOverride = *.local
IE: E&ksport do programu Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: free4web.pl
Trusted Zone: grono.net
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-26 16:06:39
Windows 5.1.2600 Dodatek Service Pack 3 NTFS

skanowanie ukrytych procesów ...

skanowanie ukrytych wpisów autostartu ...

skanowanie ukrytych plików ...

skanowanie pomyślnie ukończone
ukryte pliki: 0

**************************************************************************
.
------------------------ Pozostałe uruchomione procesy ------------------------
.
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Nowe Gadu-Gadu\spellchecker_gg.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Czas ukończenia: 2009-02-26 16:10:41 - komputer został uruchomiony ponownie
ComboFix-quarantined-files.txt 2009-02-26 15:10:32

Przed: 16 729 272 320 bajtów wolnych
Po: 18,422,378,496 bajtów wolnych

WindowsXP-KB310994-SP2-Home-BootDisk-PLK.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

209 --- E O F --- 2009-02-25 17:56:02
Mateusz J., comment, 26 February 2009
Paste into Notepad:

File::
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\system32\7DDrEhhG.exe
c:\windows\Tasks\At9.job

In Notepad go to File ==> Save As ==> save it under the name CFScript.txt, in the same folder where ComboFix was downloaded and saved. Drag the CFScript.txt file you created onto the ComboFix icon, as in the picture: The removal will start and a log will be produced, which you then post on the forum.
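As an added example (not code from this thread or from any of its posters), a small Python triage helper that applies the two heuristics the helper relies on above: an O4 Run entry whose program lives in a Temp folder, and a batch of At*.job scheduled tasks all pointing at one binary, rendered afterwards in the File::/Registry:: layout of a CFScript. The sample log lines are constructed in the HijackThis and ComboFix formats shown in the thread, and the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample in HijackThis O4 format, modelled on the entries discussed
# in this thread; it is not any poster's complete log.
HIJACKTHIS_SAMPLE = r"""
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Cognac] C:\DOCUME~1\Ola\USTAWI~1\Temp\10032.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
"""

# Constructed sample in the layout of ComboFix's scheduled-tasks section.
COMBOFIX_TASKS_SAMPLE = r"""
2008-09-27 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
2009-02-25 c:\windows\Tasks\At1.job - c:\windows\system32\7DDrEhhG.exe [2009-02-25 18:28]
2009-02-25 c:\windows\Tasks\At2.job - c:\windows\system32\7DDrEhhG.exe [2009-02-25 18:28]
2009-02-25 c:\windows\Tasks\At3.job - c:\windows\system32\7DDrEhhG.exe [2009-02-25 18:28]
"""

# O4 line: "O4 - <hive>\..\Run: [<name>] <command line>"
O4_RE = re.compile(r'^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
# Task line: "<date> <job path> - <target> [<date> <time>]"
TASK_RE = re.compile(r'^\d{4}-\d{2}-\d{2} (?P<job>\S+\.job) - (?P<target>.+?) \[\d{4}-\d{2}-\d{2} \d{2}:\d{2}\]$')
# Jobs named AtN.job are the ones the legacy at.exe scheduler creates.
AT_JOB_RE = re.compile(r'\\At\d+\.job$', re.IGNORECASE)

# Hive abbreviations HijackThis uses, mapped to the full names a CFScript needs.
HIVE_NAMES = {'HKLM': 'HKEY_LOCAL_MACHINE', 'HKCU': 'HKEY_CURRENT_USER'}


def executable_of(cmd):
    """Return the program path from an O4 command line (quoted, or first .exe token)."""
    m = re.match(r'^"([^"]+)"', cmd)
    if m:
        return m.group(1)
    m = re.match(r'^(.+?\.exe)(?:\s|$)', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def temp_autoruns(log_text):
    """Flag O4 Run entries whose program lives under a Temp directory."""
    hits = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        exe = executable_of(m.group('cmd'))
        if '\\temp\\' in exe.lower() or '\\tmp\\' in exe.lower():
            hits.append((m.group('hive'), m.group('name'), exe))
    return hits


def at_job_clusters(log_text, min_jobs=3):
    """Group At*.job tasks by target; return targets hit by at least min_jobs of them."""
    jobs_by_target = defaultdict(list)
    for line in log_text.splitlines():
        m = TASK_RE.match(line.strip())
        if m and AT_JOB_RE.search(m.group('job')):
            jobs_by_target[m.group('target')].append(m.group('job'))
    return {t: sorted(j) for t, j in jobs_by_target.items() if len(j) >= min_jobs}


def build_cfscript(autoruns, clusters):
    """Render the findings in CFScript form: a File:: list and Run-key deletions."""
    files = [exe for _, _, exe in autoruns]
    for target, jobs in clusters.items():
        files.extend(jobs)
        files.append(target)
    lines = ['File::'] + files
    # Only HKLM/HKCU entries are expanded; per-SID HKUS hives are left for manual review.
    reg = [(h, n) for h, n, _ in autoruns if h in HIVE_NAMES]
    if reg:
        lines.append('Registry::')
        for hive, name in reg:
            lines.append('[%s\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]' % HIVE_NAMES[hive])
            lines.append('"%s"=-' % name)
    return '\n'.join(lines)


if __name__ == '__main__':
    print(build_cfscript(temp_autoruns(HIJACKTHIS_SAMPLE),
                         at_job_clusters(COMBOFIX_TASKS_SAMPLE)))
```

The output is only a draft for a human to review against the full log; it is not a substitute for reading every entry.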
Jerzak, comment, 28 February 2009
Hello, I have exactly the same problem as the previous posters. I see you have helped everyone, so perhaps you can manage to help me too. I would be grateful; unfortunately I am a novice in these matters myself. Here is my log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:35:17, on 2009-02-28
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\userinit.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\vsnpstd.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WinFast\WFTVFM\WFTV.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Flashget Catch Url Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TrayServer] C:\Program Files\MAGIX\Movie_Edit_Pro_14_silver\TrayServer.exe
O4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [Cognac] C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp\15831.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Ściągnij przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &Ściągnij wszystko przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--End of file - 9166 bytes

Please help and advise. Thanks in advance.
Mateusz J., comment, 28 February 2009
Download ComboFix. Paste into Notepad:

File::
C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp\15831.exe
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cognac"=-

In Notepad go to File ==> Save As ==> save it under the name CFScript.txt, in the same folder where ComboFix was downloaded and saved. Drag the CFScript.txt file you created onto the ComboFix icon, as in the picture: The removal will start and a log will be produced, which you then post on the forum.
Jerzak, comment, 28 February 2009
Done. Oddly enough, since I wrote my post, that is since noon, the "you have a security problem..." message has not appeared again. But if we are doing this, let's see it through. Here is the log:

ComboFix 09-02-27.02 - Administrator 2009-02-28 22:06:42.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.2047.1427 [GMT 1:00]
Uruchomiony z: c:\documents and settings\Administrator\Pulpit\ComboFix.exe
Użyto następujących komend :: c:\documents and settings\Administrator\Pulpit\CFScript.txt
AV: avast! antivirus 4.8.1296 [VPS 090227-0] *On-access scanning disabled* (Updated)
 * Utworzono nowy punkt przywracania

FILE ::
c:\docume~1\ADMINI~1\USTAWI~1\Temp\15831.exe
.

((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Dane aplikacji\CrucialSoft Ltd
c:\windows\system32\init32.exe

Zainfekowana kopia została znaleziona. Problem naprawiono
Plik odzyskano z -
.

((((((((((((((((((((((((( Pliki utworzone od 2009-01-28 do 2009-02-28 )))))))))))))))))))))))))))))))
.

2009-02-28 13:04 . 2009-02-28 13:04 <DIR> d-------- c:\documents and settings\Administrator\.gstreamer-0.10
2009-02-28 13:00 . 2009-02-28 13:07 <DIR> d-------- c:\documents and settings\Administrator\Dane aplikacji\Nowe Gadu-Gadu
2009-02-28 12:59 . 2009-02-28 12:59 <DIR> d-------- c:\program files\Nowe Gadu-Gadu
2009-02-28 12:33 . 2009-02-28 12:33 <DIR> d-------- c:\program files\Trend Micro
2009-02-25 23:57 . 2009-02-28 18:01 <DIR> d-------- c:\program files\Spyware Doctor
2009-02-25 23:57 . 2009-02-28 22:09 <DIR> d-a------ c:\documents and settings\All Users\Dane aplikacji\TEMP
2009-02-25 23:57 . 2009-02-25 23:57 <DIR> d-------- c:\documents and settings\Administrator\Dane aplikacji\PC Tools
2009-02-25 23:57 . 2008-08-25 12:36 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys
2009-02-25 23:57 . 2008-08-25 12:36 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys
2009-02-25 23:57 . 2008-08-25 12:36 40,840 --a------ c:\windows\system32\drivers\ikfilesec.sys
2009-02-25 23:57 . 2008-06-02 16:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys
2009-02-25 21:00 . 2009-02-25 21:00 <DIR> dr------- c:\documents and settings\NetworkService\Ulubione
2009-02-24 00:19 . 2009-02-24 00:24 <DIR> d-------- c:\program files\WebSite X5 Evolution
2009-02-16 22:42 . 2009-02-16 22:42 <DIR> d-------- c:\program files\Cream Software
2009-02-16 22:42 . 2009-02-16 22:42 <DIR> d-------- c:\documents and settings\Administrator\Dane aplikacji\Cream Software
2009-02-16 16:32 . 2008-07-12 08:18 3,851,784 --a------ c:\windows\system32\D3DX9_39.dll
2009-02-16 16:32 . 2008-07-12 08:18 1,493,528 --a------ c:\windows\system32\D3DCompiler_39.dll
2009-02-16 16:32 . 2008-07-31 10:40 509,448 --a------ c:\windows\system32\XAudio2_2.dll
2009-02-16 16:32 . 2008-07-12 08:18 467,984 --a------ c:\windows\system32\d3dx10_39.dll
2009-02-16 16:32 . 2008-07-31 10:41 238,088 --a------ c:\windows\system32\xactengine3_2.dll
2009-02-16 16:32 . 2008-07-31 10:41 68,616 --a------ c:\windows\system32\XAPOFX1_1.dll
2009-02-16 15:03 . 2009-02-16 17:56 <DIR> d-------- c:\program files\particleIllusion_3
2009-02-16 15:03 . 2009-02-16 15:03 <DIR> d-------- c:\documents and settings\Administrator\WINDOWS
2009-02-13 19:31 . 2009-02-16 15:08 <DIR> d-------- c:\program files\123 Flash Menu
2009-02-12 23:04 . 2009-02-12 23:04 <DIR> d-------- c:\program files\CoffeeCup Software
2009-02-08 20:27 . 2009-02-08 20:27 <DIR> d-------- C:\SWSetup
2009-02-08 16:43 . 2009-02-08 16:45 <DIR> d-------- c:\documents and settings\All Users\Dane aplikacji\Bluetooth
2009-02-08 16:41 . 2004-08-04 00:44 91,136 --a------ c:\windows\system32\drivers\kswdmcap.ax
2009-02-08 16:41 . 2004-08-04 00:44 61,952 --a------ c:\windows\system32\drivers\kstvtune.ax
2009-02-08 16:41 . 2004-08-04 00:44 54,784 --a------ c:\windows\system32\drivers\vfwwdm32.dll
2009-02-08 16:41 . 2004-08-04 00:44 43,008 --a------ c:\windows\system32\drivers\ksxbar.ax
2009-02-08 16:41 . 2004-08-04 00:44 28,672 --a------ c:\windows\system32\drivers\vidcap.ax
2009-02-08 16:40 . 2009-02-08 16:40 <DIR> d-------- c:\program files\IVT Corporation
2009-02-06 21:29 . 2009-02-06 21:29 <DIR> d-------- c:\program files\jdownloader v3.262
2009-02-02 16:46 . 2009-02-02 16:46 4 --a------ c:\windows\system32\proc-1037709799.bin
2009-02-02 16:26 . 2009-02-02 16:27 <DIR> d-------- c:\program files\Ganymede
2009-01-30 14:59 . 2009-01-30 15:00 <DIR> d-------- c:\documents and settings\Administrator\Dane aplikacji\Magic Academy
2009-01-29 15:46 . 2009-01-29 15:46 <DIR> d-------- c:\program files\PSPad editor
2009-01-28 21:55 . 2009-01-28 21:55 <DIR> d-------- c:\program files\Blender Foundation

.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-28 21:06 --------- d-----w c:\program files\FlashGet
2009-02-28 17:57 --------- d-----w c:\documents and settings\Administrator\Dane aplikacji\Azureus
2009-02-28 10:38 --------- d-----w c:\program files\Gadu-Gadu
2009-02-26 23:27 --------- d-----w c:\program files\Vuze
2009-02-25 18:53 --------- d-----w c:\program files\Torrent Master
2009-02-22 19:39 --------- d-----w c:\program files\Pool Sharks
2009-02-16 16:39 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-02 15:46 --------- d-----w c:\documents and settings\Administrator\Dane aplikacji\GanymedeNet
2009-02-01 19:22 138,464 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-02-01 19:22 111,928 ----a-w c:\windows\system32\PnkBstrB.exe
2009-01-30 13:49 --------- d-----w c:\program files\Electronic Arts
2009-01-28 14:27 --------- d-----w c:\program files\Opera
2009-01-18 17:51 --------- d-----w c:\program files\Motorama
2009-01-18 15:15 66,872 ----a-w c:\windows\system32\PnkBstrA.exe
2009-01-11 11:36 --------- d-----w c:\documents and settings\Administrator\Dane aplikacji\Winamp
2009-01-11 11:20 --------- d-----w c:\documents and settings\Administrator\Dane aplikacji\foobar2000
2009-01-06 19:29 --------- d-----w c:\documents and settings\Administrator\Dane aplikacji\gtk-2.0
2009-01-06 19:28 --------- d-----w c:\program files\GIMP-2.0
2009-01-06 19:09 --------- d-----w c:\program files\Reallusion
2009-01-06 18:45 --------- d-----w c:\program files\Macromedia
2009-01-06 18:45 --------- d-----w c:\program files\Common Files\Macromedia
2009-01-05 12:34 --------- d-----w c:\documents and settings\Administrator\Dane aplikacji\Skype
2009-01-03 13:08 --------- d-----w c:\program files\DivX
2009-01-03 12:53 --------- d-----w c:\program files\VirtualDub-1.8.6
2009-01-03 12:49 --------- d-----w c:\program files\Team MediaPortal
2009-01-03 12:49 --------- d-----w c:\documents and settings\All Users\Dane aplikacji\Team MediaPortal
2009-01-03 12:47 --------- d-----w c:\program files\RADVideo
2009-01-03 11:22 --------- d-----w c:\documents and settings\Administrator\Dane aplikacji\MAGIX
2009-01-03 11:21 --------- d-----w c:\program files\MAGIX
2009-01-03 11:21 --------- d-----w c:\program files\Common Files\MAGIX Shared
2009-01-03 11:21 --------- d-----w c:\documents and settings\All Users\Dane aplikacji\MAGIX
2008-12-30 23:07 --------- d-----w c:\program files\Audible
2008-12-26 12:11 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-12-19 10:11 118,784 ----a-w c:\windows\SeaMonkeyUninstall.exe
2008-12-19 10:11 118,784 ----a-w c:\windows\GREUninstall.exe
2008-12-05 08:46 682,280 ----a-w c:\windows\system32\pbsvc.exe
2008-12-05 08:46 22,328 ----a-w c:\documents and settings\Administrator\Dane aplikacji\PnkBstrK.sys
2008-12-05 08:22 107,888 ----a-w c:\windows\system32\CmdLineExt.dll
2007-12-06 17:40 81,920 ----a-w c:\documents and settings\Administrator\Dane aplikacji\ezpinst.exe
2007-12-06 17:40 47,360 ----a-w c:\documents and settings\Administrator\Dane aplikacji\pcouffin.sys
2007-01-05 10:50 222 ----a-w c:\program files\Common Files\m2bj1003.kk
2006-12-20 14:05 221 ----a-w c:\program files\Common Files\max.kk
2006-06-23 22:48 32,768 ----a-r c:\windows\inf\UpdateUSB.exe
2007-08-28 12:54 237,568 ----a-w c:\program files\mozilla firefox\plugins\CrazyTalk4Native.dll
2006-05-25 17:43 204,895 ----a-w c:\program files\mozilla firefox\plugins\ctdomemhelper.dll
2005-09-29 13:41 77,824 ----a-w c:\program files\mozilla firefox\plugins\ctframeplayerobject.dll
2006-06-19 12:10 426,081 ----a-w c:\program files\mozilla firefox\plugins\ctplayerobject.dll
2005-02-02 11:19 458,752 ----a-w c:\program files\mozilla firefox\plugins\imagickrt.dll
2006-04-10 17:35 139,264 ----a-w c:\program files\mozilla firefox\plugins\rlcontentclass.dll
2005-11-09 10:10 204,800 ----a-w c:\program files\mozilla firefox\plugins\RLMusicPacker.dll
2005-11-09 10:42 106,496 ----a-w c:\program files\mozilla firefox\plugins\RLMusicUnpacker.dll
2006-01-04 10:22 212,992 ----a-w c:\program files\mozilla firefox\plugins\RLVoicePacker.dll
2006-01-04 10:21 167,936 ----a-w c:\program files\mozilla firefox\plugins\RLVoiceUnpacker.dll

.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-04-04 81920]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2007-08-29 171464]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-08-07 700416]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2007-03-21 1953792]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"WinFast Schedule"="c:\program files\WinFast\WFTVFM\WFWIZ.exe" [2006-07-07 348160]
"RemoteControl"="c:\program
files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-26 136600]"snpstd"="c:\windows\vsnpstd.exe" [2004-06-10 286720]"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-11-12 13672448]"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-11-12 86016]"TrayServer"="c:\program files\MAGIX\Movie_Edit_Pro_14_silver\TrayServer.exe" [2007-12-04 90112]"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-08-25 1168264]"RTHDCPL"="RTHDCPL.EXE" [2007-03-21 c:\windows\RTHDCPL.exe]"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-09-21 c:\windows\KHALMNPR.Exe]"nwiz"="nwiz.exe" [2008-11-12 c:\windows\system32\nwiz.exe][HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]c:\documents and settings\Administrator\Menu Start\Programy\Autostart\Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]c:\documents and settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]BlueSoleil.lnk - c:\program files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2009-02-08 1183744]Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-12-04 67128]Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-01-05 784912][HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]2007-11-15 10:10 72208 c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]"msacm.dvacm"= c:\progra~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm"msacm.mpegacm"= mpegacm.acm"msacm.ulmp3acm"= ulmp3acm.acm"msacm.divxa32"= msaud32_divx.acm"MSVideo"= 
CSvidcap.dll[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]@=""[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"%windir%\\system32\\sessmgr.exe"="c:\\WINDOWS\\system32\\PnkBstrA.exe"="c:\\WINDOWS\\system32\\PnkBstrB.exe"="c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"="c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"="c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"="c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"="g:\\gry\\LOKI\\Loki\\Loki.exe"="g:\\gry\\LOKI\\Loki\\Autorun\\AutoRun.exe"="c:\\Program Files\\MSN Messenger\\msnmsgr.exe"="c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"="c:\\Program Files\\FlashGet\\flashget.exe"="c:\\Program Files\\PPMate\\ppmate.exe"="c:\\Program Files\\PPMate\\ppamnet.exe"="c:\\WINDOWS\\system32\\dplaysvr.exe"="f:\\GRY\\Grid\\GRID.exe"="c:\\Program Files\\Vuze\\Azureus.exe"="f:\\GRY\\FC2\\Far Cry 2\\bin\\FarCry2.exe"="f:\\GRY\\FC2\\Far Cry 2\\bin\\FC2Launcher.exe"="f:\\GRY\\FC2\\Far Cry 2\\bin\\FC2Editor.exe"="f:\\GRY\\COD5\\CoDWaWmp.exe"="f:\\GRY\\COD5\\CoDWaW.exe"="f:\\GRY\\MASSEF\\Mass Effect\\Binaries\\MassEffect.exe"="f:\\GRY\\MASSEF\\Mass Effect\\MassEffectLauncher.exe"="c:\\Program Files\\Skype\\Phone\\Skype.exe"="c:\\Program Files\\Java\\jre6\\launch4j-tmp\\JDownloader.exe"="c:\\WINDOWS\\system32\\java.exe"="c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=R1 aswSP;avast! 
Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-04-04 111184]R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-04-04 20560]R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-02-25 356920]R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\atl01_xp.sys [2007-12-23 38656]R3 WFIOCTL;WFIOCTL;c:\program files\WinFast\WFTVFM\WFIOCTL.sys [2007-11-25 9446]S3 BS_DEF;BS_DEF;\??\c:\program files\ASUS\ASUSUpdate\BS_DEF.sys --> c:\program files\ASUS\ASUSUpdate\BS_DEF.sys [?]S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\MAGIX\Common\Database\bin\fbserver.exe [2009-01-03 1527900]S3 ZDCndis5;ZDCndis5 Protocol Driver;\??\c:\windows\system32\ZDCndis5.SYS --> c:\windows\system32\ZDCndis5.SYS [?]--- Inne Usługi/Sterowniki w Pamięci ---*Deregistered* - mchInjDrv[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1ead8898-c10e-11dd-a190-001d60b93f9d}]\Shell\AutoRun\command - g83816.com\Shell\explore\Command - g83816.com\Shell\open\Command - g83816.com[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1ead8899-c10e-11dd-a190-001d60b93f9d}]\Shell\AutoRun\command - g83816.com\Shell\explore\Command - g83816.com\Shell\open\Command - g83816.com[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8c086ee3-b182-11dc-9f1e-001d60b93f9d}]\Shell\AutoRun\command - E:\EXPLORER.EXE\Shell\explore\Command - E:\EXPLORER.EXE\Shell\open\Command - E:\EXPLORER.EXE[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a538e012-a91f-11dd-a166-001d60b93f9d}]\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL explore.exe..------- Skan uzupełniający -------.uStart Page = hxxp://www.onet.pl/IE: &Ściągnij przy pomocy FlashGet'a - c:\program files\FlashGet\jc_link.htmIE: &Ściągnij wszystko przy pomocy 
FlashGet'a - c:\program files\FlashGet\jc_all.htmIE: E&ksport do programu Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dllFF - ProfilePath - c:\documents and settings\Administrator\Dane aplikacji\Mozilla\Firefox\Profiles\z8slsbd3.default\FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dllFF - plugin: c:\program files\Mozilla Firefox\plugins\NPBILLARD8.dllFF - plugin: c:\program files\Mozilla Firefox\plugins\npganymedenet.dllFF - plugin: c:\program files\Mozilla Firefox\plugins\npJoostPlugin.dllFF - plugin: c:\program files\Mozilla Firefox\plugins\npOggX.dllFF - plugin: c:\program files\Mozilla Firefox\plugins\npRLCT4Player.dllFF - plugin: c:\program files\Picasa2\npPicasa2.dll.**************************************************************************catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2009-02-28 22:09:49Windows 5.1.2600 Dodatek Service Pack 2 NTFSskanowanie ukrytych procesów ... skanowanie ukrytych wpisów autostartu ... skanowanie ukrytych plików ... 
skanowanie pomyślnie ukończoneukryte pliki: 0**************************************************************************.--------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------[HKEY_USERS\Administrator\Software\SecuROM\License information*]"datasecu"=hex:06,14,26,0b,1e,27,d7,ff,36,70,9d,a9,37,6d,00,9b,54,20,f2,c7,16, 66,ee,8d,24,b5,4f,be,e2,bc,87,96,01,d1,cb,a1,ee,af,20,4b,a3,3a,53,34,b1,fe,\"rkeysecu"=hex:31,02,55,f9,63,99,46,40,86,85,bf,5b,d8,de,07,ce.--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------- - - - - - - > 'winlogon.exe'(1148)c:\program files\common files\logitech\bluetooth\LBTWlgn.dllc:\program files\common files\logitech\bluetooth\LBTServ.dll.------------------------ Pozostałe uruchomione procesy ------------------------.c:\program files\Alwil Software\Avast4\aswUpdSv.exec:\program files\Alwil Software\Avast4\ashServ.exec:\program files\IVT Corporation\BlueSoleil\BTNtService.exec:\windows\system32\CTSVCCDA.EXEc:\program files\Java\jre6\bin\jqs.exec:\program files\NVIDIA Corporation\nTune\nTuneService.exec:\windows\system32\rundll32.exec:\windows\system32\nvsvc32.exec:\windows\system32\PnkBstrA.exec:\program files\Spyware Doctor\pctsSvc.exec:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exec:\windows\system32\wdfmgr.exec:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exec:\program files\Alwil Software\Avast4\ashMaiSv.exec:\program files\Alwil Software\Avast4\ashWebSv.exec:\windows\system32\wbem\wmiapsrv.exec:\windows\system32\wscntfy.exe.**************************************************************************.Czas ukończenia: 2009-02-28 22:12:17 - komputer został uruchomiony ponownie [Administrator]ComboFix-quarantined-files.txt 2009-02-28 21:12:15Przed: 5 169 102 848 bajtów wolnychPo: 6,171,938,816 bajtów wolnychWindowsXP-KB310994-SP2-Pro-BootDisk-PLK.exe[boot loader]timeout=2default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS[operating systems]c:\cmdcons\BOOTSECT.DAT="Microsoft 
Windows Recovery Console" /cmdconsmulti(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect284 --- E O F --- 2008-03-01 13:38:13
Mateusz J. comment 28 February 2009
Delete the folder c:\QooBox. There are still malicious entries left in the registry; to remove them, paste the following into Notepad:

Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2]

File ==> Save as ==> change the file type to All files ==> save it under the name FIX.REG
Run the FIX.REG file you created, confirm adding it to the registry, and restart the computer.
Jerzak comment 28 February 2009
OK. I did as you wrote. It looks like everything is fine. Thanks! Is there anything else I should do to confirm or check? Is that everything? Once again, many thanks.
Mateusz J. comment 28 February 2009
That's everything. If you have a pendrive, those malicious registry entries came from it. To get rid of the viruses on the pendrive, follow: http://www.searchengines.pl/Infekcje-z-pen...ch-t94761.html# (Checking the drive when the "Show hidden" option does not work).
Jerzak comment 28 February 2009
OK. Great, thanks. I do have a pendrive, I'll deal with it right away. Regards.
torson comment 22 March 2009 (edited)
Hello! I'm reporting a similar problem to the ones before me... is anyone willing to help me..? I'd be grateful..

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:55:44, on 2009-03-22
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\userinit.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ULI5289\ALi5289.exe
C:\WINDOWS\SOUNDMAN.EXE
E:\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Search Settings\SearchSettings.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kalendarz XP\Kalendarz.exe
C:\Program Files\Mozilla Firefox\firefox.exe
F:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb127\SearchSettings.dll
O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: XML module - {500BCA15-57A7-4eaf-8143-8C619470B13D} - C:\WINDOWS\system32\msxml71.dll
O3 - Toolbar: Dealio - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - C:\Program Files\Dealio\kb127\Dealio.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [ALi5289] C:\Program Files\ULI5289\ALi5289.exe
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "E:\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [au] C:\Program Files\Dealio\DealioAU.exe
O4 - HKLM\..\Run: [searchSettings] C:\Program Files\Search Settings\SearchSettings.exe
O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\adobe reader\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [Picasa Media Detector] E:\Programy\Picasa2\PicasaMediaDetector
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Prec] E:\RapidShare\Prec\PrecStarter.exe
O4 - HKCU\..\Policies\Explorer\Run: [Windows Security Tool] WinSecure.exe
O4 - HKCU\..\Policies\Explorer\Run: [WinUpdating] WinUpdating.exe
O4 - HKCU\..\Policies\Explorer\Run: [Windows Printing Driver] WinSpooler.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Media Player.lnk = F:\adobe reader\Adobe Media Player\Adobe Media Player.exe
O4 - Global Startup: Kalendarz XP.lnk = C:\Program Files\Kalendarz XP\Kalendarz.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Program Files\Dealio\kb127\Dealio.dll
O9 - Extra 'Tools' menuitem: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Program Files\Dealio\kb127\Dealio.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 8369 bytes

Edited 22 March 2009 by Andziorka
Guest comment 22 March 2009
@torson:
1) Close the wormable ports using --> Windows Worms Doors Cleaner (further down the linked page). Set the indicators to green; NetBIOS may stay yellow. A restart is required after using the tool.
2) Post a ComboFix log.
torson comment 22 March 2009 (edited)
ComboFix 09-03-19.02 - Paweł 2009-03-22 15:34:40.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.511.211 [GMT 1:00]
Uruchomiony z: F:\ComboFix.exe
AV: AVG 7.5.557 *On-access scanning enabled* (Updated)
 * Utworzono nowy punkt przywracania
.
((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Dane aplikacji\Solt Lake Software
c:\windows\IE4 Error Log.txt
c:\windows\system32\1gOMNla5.exe.a_a
c:\windows\system32\install.exe
c:\windows\system32\msxml71.dll
E:\WinRAR.exe

Zainfekowana kopia została znaleziona. Problem naprawiono
Plik odzyskano z -
.
((((((((((((((((((((((((((((((((((((((( Sterowniki/Usługi )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_ISODRIVE
-------\Service_ISODrive

((((((((((((((((((((((((( Pliki utworzone od 2009-02-22 do 2009-03-22 )))))))))))))))))))))))))))))))
.
2009-03-20 22:00 . 2009-03-20 22:00 <DIR> dr------- c:\documents and settings\NetworkService\Ulubione
2009-03-17 10:35 . 2001-10-09 19:25 4,358,144 -ra------ c:\windows\uncsetup.exe
2009-03-12 21:58 . 2009-03-12 21:58 <DIR> d-------- c:\program files\Common Files\EZB Systems

.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-22 14:22 --------- d-----w c:\program files\Kalendarz XP
2009-03-22 12:35 --------- d-----w c:\documents and settings\Paweł\Dane aplikacji\AVG7
2009-03-19 16:12 --------- d-----w c:\documents and settings\Paweł\Dane aplikacji\U3
2009-03-16 18:31 --------- d-----w c:\program files\Faktura VAT 2009
2009-03-06 11:31 --------- d-----w c:\program files\Winamp
2009-03-06 11:30 --------- d-----w c:\documents and settings\Paweł\Dane aplikacji\Winamp
2009-02-22 19:27 63,488 ----a-w c:\windows\xobglu16.dll
2009-02-22 19:27 23,552 ----a-w c:\windows\xobglu32.dll
2009-02-22 17:33 --------- d-----w c:\program files\Lexmark X1100 Series
2009-02-18 17:44 --------- d-----w c:\program files\Seventhsea
2009-02-18 17:43 286,720 ----a-w c:\windows\iun506.exe
2009-02-16 19:13 --------- d-----w c:\documents and settings\Paweł\Dane aplikacji\Skype
2009-02-09 14:19 1,846,528 ----a-w c:\windows\system32\win32k.sys
2009-02-04 11:42 --------- d-----w c:\program files\Christmas Package
2009-01-05 22:33 3,751,995 ----a-w c:\windows\system32\GPhotos.scr
2004-03-11 11:27 40,960 ----a-w c:\program files\Uninstall_CDS.exe

.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="e:\programy\Picasa2\PicasaMediaDetector" [X]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"Gadu-Gadu"="c:\program files\Gadu-Gadu\gg.exe" [2007-11-14 2131392]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2004-09-22 1871872]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ALi5289"="c:\program files\ULI5289\ALi5289.exe" [2005-03-10 405504]
"NVRTCLK"="c:\windows\system32\NVRTCLK\NVRTClk.exe" [2003-12-30 24576]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-07-12 4112384]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2004-07-12 81920]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Adobe Photo Downloader"="e:\adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
"au"="c:\program files\Dealio\DealioAU.exe" [2008-04-16 591200]
"SearchSettings"="c:\program files\Search Settings\SearchSettings.exe" [2008-04-16 985440]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"Adobe Reader Speed Launcher"="f:\adobe reader\Reader\Reader_sl.exe" [2008-01-11 39792]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2009-02-25 590848]
"SoundMan"="SOUNDMAN.EXE" [2004-12-22 c:\windows\SOUNDMAN.EXE]
"nwiz"="nwiz.exe" [2004-07-12 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2008-07-05 219136]

c:\documents and settings\All Users\Menu Start\Programy\Autostart\
Kalendarz XP.lnk - c:\program files\Kalendarz XP\Kalendarz.exe [2007-09-15 882176]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm
"msacm.divxa32"= msaud32_divx.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Gadu-Gadu\\gg.exe"=
"f:\\BearShare\\BearShare.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"e:\\Sopcast\\SopCast.exe"=
"e:\\Sopcast\\adv\\SopAdver.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7601:TCP"= 7601:TCP:BitComet 7601 TCP
"7601:UDP"= 7601:UDP:BitComet 7601 UDP
"24319:TCP"= 24319:TCP:BitComet 24319 TCP
"24319:UDP"= 24319:UDP:BitComet 24319 UDP

R0 m5289;m5289;c:\windows\system32\drivers\m5289.sys [2007-09-12 51840]
R0 uliagpkx;ULi AGP Bus Filter Driver;c:\windows\system32\drivers\AGPKX.SYS [2007-09-12 45056]
S3 k510bus;Sony Ericsson K510 Driver driver (WDM);c:\windows\system32\drivers\k510bus.sys [2007-11-15 58288]
S3 k510mdfl;Sony Ericsson K510 USB WMC Modem Filter;c:\windows\system32\drivers\k510mdfl.sys [2007-11-15 8336]
S3 k510mdm;Sony Ericsson K510 USB WMC Modem Driver;c:\windows\system32\drivers\k510mdm.sys [2007-11-15 94064]
S3 k510mgmt;Sony Ericsson K510 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\k510mgmt.sys [2007-11-15 85408]
S3 k510obex;Sony Ericsson K510 USB WMC OBEX Interface;c:\windows\system32\drivers\k510obex.sys [2007-11-15 83344]
S3 s716bus;Sony Ericsson Device 716 driver (WDM);c:\windows\system32\drivers\s716bus.sys [2008-10-22 83208]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c517d06b-8236-11dd-a3e7-000fea2a6eef}]
\Shell\AutoRun\command - K:\LaunchU3.exe -a
.
Zawartość folderu 'Zaplanowane zadania'

2009-03-21 c:\windows\Tasks\At1.job
- c:\windows\system32\1gOMNla5.exe []

2009-03-20 c:\windows\Tasks\At10.job
- c:\windows\system32\1gOMNla5.exe []

2009-03-21 c:\windows\Tasks\At11.job
- c:\windows\system32\1gOMNla5.exe []

2009-03-22 c:\windows\Tasks\At12.job
- c:\windows\system32\1gOMNla5.exe []

2009-03-22 c:\windows\Tasks\At13.job
- c:\windows\system32\1gOMNla5.exe []

2009-03-22 c:\windows\Tasks\At14.job
- c:\windows\system32\1gOMNla5.exe []

2009-03-22 c:\windows\Tasks\At15.job
- c:\windows\system32\1gOMNla5.exe []

2009-03-22 c:\windows\Tasks\At16.job
- c:\windows\system32\1gOMNla5.exe []

2009-03-21 c:\windows\Tasks\At17.job
- c:\windows\system32\1gOMNla5.exe []

2009-03-21 c:\windows\Tasks\At18.job
- c:\windows\system32\1gOMNla5.exe []

2009-03-21 c:\windows\Tasks\At19.job
- c:\windows\system32\1gOMNla5.exe []

2009-03-22 c:\windows\Tasks\At2.job
- c:\windows\system32\1gOMNla5.exe []

2009-03-21 c:\windows\Tasks\At20.job
- c:\windows\system32\1gOMNla5.exe []

2009-03-21 c:\windows\Tasks\At21.job
- c:\windows\system32\1gOMNla5.exe []

2009-03-21 c:\windows\Tasks\At22.job
- c:\windows\system32\1gOMNla5.exe []

2009-03-21 c:\windows\Tasks\At23.job
- c:\windows\system32\1gOMNla5.exe []

2009-03-21 c:\windows\Tasks\At24.job
- c:\windows\system32\1gOMNla5.exe []

2009-03-20 c:\windows\Tasks\At3.job
- c:\windows\system32\1gOMNla5.exe []

2009-03-20 c:\windows\Tasks\At4.job
- c:\windows\system32\1gOMNla5.exe []

2009-03-20 c:\windows\Tasks\At5.job
- c:\windows\system32\1gOMNla5.exe []

2009-03-20 c:\windows\Tasks\At6.job
- c:\windows\system32\1gOMNla5.exe []

2009-03-20 c:\windows\Tasks\At7.job
- c:\windows\system32\1gOMNla5.exe []

2009-03-20 c:\windows\Tasks\At8.job
- c:\windows\system32\1gOMNla5.exe []

2009-03-20 c:\windows\Tasks\At9.job
- c:\windows\system32\1gOMNla5.exe []
.
- - - - USUNIĘTO PUSTE WPISY - - - -

HKCU-Run-Prec - e:\rapidshare\Prec\PrecStarter.exe
HKCU-Run-PowerBar - (no file)
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre1.6.0_03\bin\jusched.exe

.
------- Skan uzupełniający -------
.
uStart Page = hxxp://www.google.pl/
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
FF - ProfilePath - c:\documents and settings\Paweł\Dane aplikacji\Mozilla\Firefox\Profiles\0bwpv566.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.onet.pl/
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampab&query=
FF - component: c:\documents and settings\Paweł\Dane aplikacji\Mozilla\Firefox\Profiles\0bwpv566.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\components\WinampTBPlayer.dll
FF - plugin: c:\documents and settings\All Users\Dane aplikacji\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npzylomgamesplayer.dll
FF - plugin: e:\filmy\Real Alternative\browser\plugins\nppl3260.dll
FF - plugin: e:\filmy\Real Alternative\browser\plugins\nprpjplug.dll
FF - plugin: e:\programy\Google\Picasa3\npPicasa3.dll
FF - plugin: f:\adobe reader\Reader\browser\nppdf32.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-22 15:38:03
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

skanowanie ukrytych procesów ...
skanowanie ukrytych wpisów autostartu ...
skanowanie ukrytych plików ...

skanowanie pomyślnie ukończone
ukryte pliki: 0

**************************************************************************
.
------------------------ Pozostałe uruchomione procesy ------------------------
.
c:\program files\Ahead\InCD\InCDsrv.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\progra~1\Grisoft\AVG7\avgamsvr.exe
c:\progra~1\Grisoft\AVG7\avgupsvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
.
**************************************************************************
.
Czas ukończenia: 2009-03-22 15:40:34 - komputer został uruchomiony ponownie [Paweł]
ComboFix-quarantined-files.txt 2009-03-22 14:40:04

Przed: 1 821 413 376 bajtów wolnych
Po: 2,396,221,440 bajtów wolnych

WindowsXP-KB310994-SP2-Pro-BootDisk-PLK.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

226 --- E O F --- 2009-03-14 10:06:13

Edited 22 March 2009 by Andziorka
Guest, comment 22 March 2009

Paste into Notepad:

File::
c:\windows\uncsetup.exe

Folder::
c:\windows\Tasks
c:\program files\Dealio
c:\program files\Search Settings

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"=-
"MSMSGS"=-
"NBJ"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ALi5289"=-
"NVRTCLK"=-
"NvCplDaemon"=-
"NvMediaCenter"=-
"NeroFilterCheck"=-
"Adobe Photo Downloader"=-
"au"=-
"SearchSettings"=-
"Symantec PIF AlertEng"=-
"Adobe Reader Speed Launcher"=-

>>File>>Save as... >>> CFScript

Drag and drop the CFScript.txt file onto ComboFix.exe --> Removal should start (and a log will be produced). Post the log that is produced during the removal.

If it goes well: after the restart, delete the folder C:\Qoobox manually.
torson, comment 22 March 2009

ComboFix 09-03-19.02 - Paweł 2009-03-22 21:36:44.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.511.236 [GMT 1:00]
Uruchomiony z: F:\ComboFix.exe
Użyto następujących komend :: F:\CFScript.txt
AV: AVG 7.5.557 *On-access scanning enabled* (Updated)
 * Utworzono nowy punkt przywracania

FILE ::
c:\windows\uncsetup.exe
c:\windows\Tasks -- Whitelisted --
.

((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Dealio
c:\program files\Dealio\DealioAU.exe
c:\program files\Dealio\kb127\Dealio Deskbar.exe
c:\program files\Dealio\kb127\Dealio.dll
c:\program files\Dealio\kb127\DealioRes409.dll
c:\program files\Dealio\kb127\res\alerts.gif
c:\program files\Dealio\kb127\res\alerts_over.gif
c:\program files\Dealio\kb127\res\alerts_rec.gif
c:\program files\Dealio\kb127\res\alerts_rec_over.gif
c:\program files\Dealio\kb127\res\chevron-small.gif
c:\program files\Dealio\kb127\res\deal_report.jpg
c:\program files\Dealio\kb127\res\DealioSearch.html
c:\program files\Dealio\kb127\res\deals-leftcap.gif
c:\program files\Dealio\kb127\res\ebay_login.jpg
c:\program files\Dealio\kb127\res\err_mainwindow.html
c:\program files\Dealio\kb127\res\err_toolbar.html
c:\program files\Dealio\kb127\res\global_scripts.js
c:\program files\Dealio\kb127\res\headerbgthin.jpg
c:\program files\Dealio\kb127\res\highlight-bg.png
c:\program files\Dealio\kb127\res\logo.gif
c:\program files\Dealio\kb127\res\logo_over.gif
c:\program files\Dealio\kb127\res\man_toolbar.css
c:\program files\Dealio\kb127\res\man_toolbar.html
c:\program files\Dealio\kb127\res\man_toolbar.js
c:\program files\Dealio\kb127\res\man_toolbarl.js
c:\program files\Dealio\kb127\res\post-this-deal.gif
c:\program files\Dealio\kb127\res\post-this-deal_over.gif
c:\program files\Dealio\kb127\res\scripts.js
c:\program files\Dealio\kb127\res\scroller.js
c:\program files\Dealio\kb127\res\search-chevron.gif
c:\program files\Dealio\kb127\res\search-chevron_over.gif
c:\program files\Dealio\kb127\res\search_bg_blink.gif
c:\program files\Dealio\kb127\res\separator.gif
c:\program files\Dealio\kb127\res\settings.gif
c:\program files\Dealio\kb127\res\settings_over.gif
c:\program files\Dealio\kb127\res\yahoo-search.png
c:\program files\Dealio\kb127\resDN\bottom.gif
c:\program files\Dealio\kb127\resDN\chevron_down.gif
c:\program files\Dealio\kb127\resDN\chevron_up.gif
c:\program files\Dealio\kb127\resDN\close.gif
c:\program files\Dealio\kb127\resDN\deskbar.css
c:\program files\Dealio\kb127\resDN\deskbar.js
c:\program files\Dealio\kb127\resDN\dispatch_helper.js
c:\program files\Dealio\kb127\resDN\ebay_compatible.jpg
c:\program files\Dealio\kb127\resDN\logo.gif
c:\program files\Dealio\kb127\resDN\logo_chevron_bkg.gif
c:\program files\Dealio\kb127\resDN\losing.gif
c:\program files\Dealio\kb127\resDN\lost.gif
c:\program files\Dealio\kb127\resDN\man_deskbar.html
c:\program files\Dealio\kb127\resDN\menu_arrow.gif
c:\program files\Dealio\kb127\resDN\menu_check.gif
c:\program files\Dealio\kb127\resDN\no_image.gif
c:\program files\Dealio\kb127\resDN\prod_img.gif
c:\program files\Dealio\kb127\resDN\search_chevron.gif
c:\program files\Dealio\kb127\resDN\spacer.gif
c:\program files\Dealio\kb127\resDN\textfield_bkg.gif
c:\program files\Dealio\kb127\resDN\top.gif
c:\program files\Dealio\kb127\resDN\unknown.gif
c:\program files\Dealio\kb127\resDN\winning.gif
c:\program files\Dealio\kb127\resDN\won.gif
c:\program files\Dealio\kb127\resFF\deal_report.jpg
c:\program files\Dealio\kb127\resFF\ebay_login.jpg
c:\program files\Dealio\kb127\rules\index.76.35
c:\program files\Dealio\kb127\rules\rules.1.10.76
c:\program files\Dealio\kb127\rules\rules.1.109.43
c:\program files\Dealio\kb127\rules\rules.1.110.43
c:\program files\Dealio\kb127\rules\rules.1.12.52
c:\program files\Dealio\kb127\rules\rules.1.13.58
c:\program files\Dealio\kb127\rules\rules.1.130.58
c:\program files\Dealio\kb127\rules\rules.1.135.50
c:\program files\Dealio\kb127\rules\rules.1.153.44
c:\program files\Dealio\kb127\rules\rules.1.155.43
c:\program files\Dealio\kb127\rules\rules.1.156.49
c:\program files\Dealio\kb127\rules\rules.1.16.60
c:\program files\Dealio\kb127\rules\rules.1.161.52
c:\program files\Dealio\kb127\rules\rules.1.178.66
c:\program files\Dealio\kb127\rules\rules.1.184.55
c:\program files\Dealio\kb127\rules\rules.1.188.52
c:\program files\Dealio\kb127\rules\rules.1.189.45
c:\program files\Dealio\kb127\rules\rules.1.196.43
c:\program files\Dealio\kb127\rules\rules.1.198.56
c:\program files\Dealio\kb127\rules\rules.1.199.43
c:\program files\Dealio\kb127\rules\rules.1.200.53
c:\program files\Dealio\kb127\rules\rules.1.201.43
c:\program files\Dealio\kb127\rules\rules.1.202.43
c:\program files\Dealio\kb127\rules\rules.1.203.71
c:\program files\Dealio\kb127\rules\rules.1.205.62
c:\program files\Dealio\kb127\rules\rules.1.213.71
c:\program files\Dealio\kb127\rules\rules.1.214.49
c:\program files\Dealio\kb127\rules\rules.1.215.43
c:\program files\Dealio\kb127\rules\rules.1.216.67
c:\program files\Dealio\kb127\rules\rules.1.217.67
c:\program files\Dealio\kb127\rules\rules.1.218.52
c:\program files\Dealio\kb127\rules\rules.1.219.43
c:\program files\Dealio\kb127\rules\rules.1.220.43
c:\program files\Dealio\kb127\rules\rules.1.221.57
c:\program files\Dealio\kb127\rules\rules.1.222.43
c:\program files\Dealio\kb127\rules\rules.1.223.68
c:\program files\Dealio\kb127\rules\rules.1.226.68
c:\program files\Dealio\kb127\rules\rules.1.227.43
c:\program files\Dealio\kb127\rules\rules.1.228.62
c:\program files\Dealio\kb127\rules\rules.1.229.76
c:\program files\Dealio\kb127\rules\rules.1.23.63
c:\program files\Dealio\kb127\rules\rules.1.239.43
c:\program files\Dealio\kb127\rules\rules.1.24.43
c:\program files\Dealio\kb127\rules\rules.1.240.43
c:\program files\Dealio\kb127\rules\rules.1.241.43
c:\program files\Dealio\kb127\rules\rules.1.242.43
c:\program files\Dealio\kb127\rules\rules.1.243.43
c:\program files\Dealio\kb127\rules\rules.1.244.63
c:\program files\Dealio\kb127\rules\rules.1.245.43
c:\program files\Dealio\kb127\rules\rules.1.247.43
c:\program files\Dealio\kb127\rules\rules.1.248.43
c:\program files\Dealio\kb127\rules\rules.1.249.43
c:\program files\Dealio\kb127\rules\rules.1.250.43
c:\program files\Dealio\kb127\rules\rules.1.251.43
c:\program files\Dealio\kb127\rules\rules.1.252.43
c:\program files\Dealio\kb127\rules\rules.1.253.43
c:\program files\Dealio\kb127\rules\rules.1.254.43
c:\program files\Dealio\kb127\rules\rules.1.255.43
c:\program files\Dealio\kb127\rules\rules.1.256.43
c:\program files\Dealio\kb127\rules\rules.1.257.43
c:\program files\Dealio\kb127\rules\rules.1.279.43
c:\program files\Dealio\kb127\rules\rules.1.28.58
c:\program files\Dealio\kb127\rules\rules.1.282.75
c:\program files\Dealio\kb127\rules\rules.1.283.43
c:\program files\Dealio\kb127\rules\rules.1.284.43
c:\program files\Dealio\kb127\rules\rules.1.289.67
c:\program files\Dealio\kb127\rules\rules.1.290.62
c:\program files\Dealio\kb127\rules\rules.1.291.61
c:\program files\Dealio\kb127\rules\rules.1.296.43
c:\program files\Dealio\kb127\rules\rules.1.297.43
c:\program files\Dealio\kb127\rules\rules.1.304.43
c:\program files\Dealio\kb127\rules\rules.1.307.43
c:\program files\Dealio\kb127\rules\rules.1.308.75
c:\program files\Dealio\kb127\rules\rules.1.31.47
c:\program files\Dealio\kb127\rules\rules.1.310.46
c:\program files\Dealio\kb127\rules\rules.1.311.43
c:\program files\Dealio\kb127\rules\rules.1.315.43
c:\program files\Dealio\kb127\rules\rules.1.316.43
c:\program files\Dealio\kb127\rules\rules.1.317.43
c:\program files\Dealio\kb127\rules\rules.1.318.43
c:\program files\Dealio\kb127\rules\rules.1.319.49
c:\program files\Dealio\kb127\rules\rules.1.32.48
c:\program files\Dealio\kb127\rules\rules.1.334.44
c:\program files\Dealio\kb127\rules\rules.1.335.60
c:\program files\Dealio\kb127\rules\rules.1.336.44
c:\program files\Dealio\kb127\rules\rules.1.337.44
c:\program files\Dealio\kb127\rules\rules.1.338.75
c:\program files\Dealio\kb127\rules\rules.1.339.47
c:\program files\Dealio\kb127\rules\rules.1.34.43
c:\program files\Dealio\kb127\rules\rules.1.340.47
c:\program files\Dealio\kb127\rules\rules.1.341.47
c:\program files\Dealio\kb127\rules\rules.1.349.50
c:\program files\Dealio\kb127\rules\rules.1.35.48
c:\program files\Dealio\kb127\rules\rules.1.350.50
c:\program files\Dealio\kb127\rules\rules.1.351.51
c:\program files\Dealio\kb127\rules\rules.1.352.54
c:\program files\Dealio\kb127\rules\rules.1.353.51
c:\program files\Dealio\kb127\rules\rules.1.354.51
c:\program files\Dealio\kb127\rules\rules.1.357.62
c:\program files\Dealio\kb127\rules\rules.1.358.52
c:\program files\Dealio\kb127\rules\rules.1.359.52
c:\program files\Dealio\kb127\rules\rules.1.360.53
c:\program files\Dealio\kb127\rules\rules.1.361.54
c:\program files\Dealio\kb127\rules\rules.1.362.68
c:\program files\Dealio\kb127\rules\rules.1.363.58
c:\program files\Dealio\kb127\rules\rules.1.364.54
c:\program files\Dealio\kb127\rules\rules.1.365.53
c:\program files\Dealio\kb127\rules\rules.1.367.56
c:\program files\Dealio\kb127\rules\rules.1.368.58
c:\program files\Dealio\kb127\rules\rules.1.369.55
c:\program files\Dealio\kb127\rules\rules.1.370.56
c:\program files\Dealio\kb127\rules\rules.1.371.56
c:\program files\Dealio\kb127\rules\rules.1.372.57
c:\program files\Dealio\kb127\rules\rules.1.373.55
c:\program files\Dealio\kb127\rules\rules.1.375.56
c:\program files\Dealio\kb127\rules\rules.1.376.57
c:\program files\Dealio\kb127\rules\rules.1.377.55
c:\program files\Dealio\kb127\rules\rules.1.378.65
c:\program files\Dealio\kb127\rules\rules.1.384.58
c:\program files\Dealio\kb127\rules\rules.1.386.71
c:\program files\Dealio\kb127\rules\rules.1.387.59
c:\program files\Dealio\kb127\rules\rules.1.388.59
c:\program files\Dealio\kb127\rules\rules.1.389.59
c:\program files\Dealio\kb127\rules\rules.1.390.60
c:\program files\Dealio\kb127\rules\rules.1.391.60
c:\program files\Dealio\kb127\rules\rules.1.392.60
c:\program files\Dealio\kb127\rules\rules.1.393.60
c:\program files\Dealio\kb127\rules\rules.1.394.60
c:\program files\Dealio\kb127\rules\rules.1.396.61
c:\program files\Dealio\kb127\rules\rules.1.397.61
c:\program files\Dealio\kb127\rules\rules.1.398.60
c:\program files\Dealio\kb127\rules\rules.1.399.60
c:\program files\Dealio\kb127\rules\rules.1.403.61
c:\program files\Dealio\kb127\rules\rules.1.404.63
c:\program files\Dealio\kb127\rules\rules.1.405.61
c:\program files\Dealio\kb127\rules\rules.1.406.61
c:\program files\Dealio\kb127\rules\rules.1.407.76
c:\program files\Dealio\kb127\rules\rules.1.408.63
c:\program files\Dealio\kb127\rules\rules.1.409.61
c:\program files\Dealio\kb127\rules\rules.1.412.62
c:\program files\Dealio\kb127\rules\rules.1.413.62
c:\program files\Dealio\kb127\rules\rules.1.414.62
c:\program files\Dealio\kb127\rules\rules.1.415.62
c:\program files\Dealio\kb127\rules\rules.1.416.62
c:\program files\Dealio\kb127\rules\rules.1.417.62
c:\program files\Dealio\kb127\rules\rules.1.418.62
c:\program files\Dealio\kb127\rules\rules.1.419.62
c:\program files\Dealio\kb127\rules\rules.1.420.62
c:\program files\Dealio\kb127\rules\rules.1.421.62
c:\program files\Dealio\kb127\rules\rules.1.423.63
c:\program files\Dealio\kb127\rules\rules.1.424.63
c:\program files\Dealio\kb127\rules\rules.1.425.63
c:\program files\Dealio\kb127\rules\rules.1.426.63
c:\program files\Dealio\kb127\rules\rules.1.427.63
c:\program files\Dealio\kb127\rules\rules.1.428.65
c:\program files\Dealio\kb127\rules\rules.1.429.63
c:\program files\Dealio\kb127\rules\rules.1.430.63
c:\program files\Dealio\kb127\rules\rules.1.432.65
c:\program files\Dealio\kb127\rules\rules.1.433.64
c:\program files\Dealio\kb127\rules\rules.1.434.65
c:\program files\Dealio\kb127\rules\rules.1.435.64
c:\program files\Dealio\kb127\rules\rules.1.436.76
c:\program files\Dealio\kb127\rules\rules.1.437.64
c:\program files\Dealio\kb127\rules\rules.1.438.71
c:\program files\Dealio\kb127\rules\rules.1.439.71
c:\program files\Dealio\kb127\rules\rules.1.440.75
c:\program files\Dealio\kb127\rules\rules.1.442.73
c:\program files\Dealio\kb127\rules\rules.1.443.73
c:\program files\Dealio\kb127\rules\rules.1.444.73
c:\program files\Dealio\kb127\rules\rules.1.445.68
c:\program files\Dealio\kb127\rules\rules.1.446.69
c:\program files\Dealio\kb127\rules\rules.1.450.67
c:\program files\Dealio\kb127\rules\rules.1.451.67
c:\program files\Dealio\kb127\rules\rules.1.452.68
c:\program files\Dealio\kb127\rules\rules.1.453.68
c:\program files\Dealio\kb127\rules\rules.1.454.69
c:\program files\Dealio\kb127\rules\rules.1.456.69
c:\program files\Dealio\kb127\rules\rules.1.457.75
c:\program files\Dealio\kb127\rules\rules.1.458.70
c:\program files\Dealio\kb127\rules\rules.1.459.70
c:\program files\Dealio\kb127\rules\rules.1.460.69
c:\program files\Dealio\kb127\rules\rules.1.462.74
c:\program files\Dealio\kb127\rules\rules.1.463.69
c:\program files\Dealio\kb127\rules\rules.1.464.70
c:\program files\Dealio\kb127\rules\rules.1.465.68
c:\program files\Dealio\kb127\rules\rules.1.468.70
c:\program files\Dealio\kb127\rules\rules.1.469.70
c:\program files\Dealio\kb127\rules\rules.1.470.70
c:\program files\Dealio\kb127\rules\rules.1.471.73
c:\program files\Dealio\kb127\rules\rules.1.472.70
c:\program files\Dealio\kb127\rules\rules.1.478.74
c:\program files\Dealio\kb127\rules\rules.1.479.73
c:\program files\Dealio\kb127\rules\rules.1.480.68
c:\program files\Dealio\kb127\rules\rules.1.481.71
c:\program files\Dealio\kb127\rules\rules.1.482.74
c:\program files\Dealio\kb127\rules\rules.1.49.67
c:\program files\Dealio\kb127\rules\rules.1.50.43
c:\program files\Dealio\kb127\rules\rules.1.500.71
c:\program files\Dealio\kb127\rules\rules.1.501.74
c:\program files\Dealio\kb127\rules\rules.1.502.71
c:\program files\Dealio\kb127\rules\rules.1.51.69
c:\program files\Dealio\kb127\rules\rules.1.52.72
c:\program files\Dealio\kb127\rules\rules.1.520.76
c:\program files\Dealio\kb127\rules\rules.1.521.76
c:\program files\Dealio\kb127\rules\rules.1.522.76
c:\program files\Dealio\kb127\rules\rules.1.53.51
c:\program files\Dealio\kb127\rules\rules.1.531.76
c:\program files\Dealio\kb127\rules\rules.1.532.75
c:\program files\Dealio\kb127\rules\rules.1.534.75
c:\program files\Dealio\kb127\rules\rules.1.54.47
c:\program files\Dealio\kb127\rules\rules.1.55.45
c:\program files\Dealio\kb127\rules\rules.1.56.69
c:\program files\Dealio\kb127\rules\rules.1.57.43
c:\program files\Dealio\kb127\rules\rules.1.58.47
c:\program files\Dealio\kb127\rules\rules.1.593.76
c:\program files\Dealio\kb127\rules\rules.1.595.76
c:\program files\Dealio\kb127\rules\rules.1.63.57
c:\program files\Dealio\kb127\rules\rules.1.66.47
c:\program files\Dealio\kb127\rules\rules.1.70.75
c:\program files\Dealio\kb127\rules\rules.1.71.43
c:\program files\Dealio\kb127\rulesFF\index.3.67.22
c:\program files\Dealio\kb127\rulesFF\rules.3.109.43
c:\program files\Dealio\kb127\rulesFF\rules.3.178.66
c:\program files\Dealio\kb127\rulesFF\rules.3.198.56
c:\program files\Dealio\kb127\rulesFF\rules.3.245.43
c:\program files\Dealio\kb127\rulesFF\rules.3.247.43
c:\program files\Dealio\kb127\rulesFF\rules.3.279.43
c:\program files\Dealio\kb127\rulesFF\rules.3.283.43
c:\program files\Dealio\kb127\rulesFF\rules.3.284.43
c:\program files\Dealio\kb127\rulesFF\rules.3.289.67
c:\program files\Dealio\kb127\rulesFF\rules.3.290.62
c:\program files\Dealio\kb127\rulesFF\rules.3.297.43
c:\program files\Dealio\kb127\rulesFF\rules.3.315.43
c:\program files\Dealio\kb127\rulesFF\rules.3.319.49
c:\program files\Dealio\kb127\rulesFF\rules.3.335.60
c:\program files\Dealio\kb127\rulesFF\rules.3.337.44
c:\program files\Dealio\kb127\rulesFF\rules.3.340.47
c:\program files\Dealio\kb127\rulesFF\rules.3.360.53
c:\program files\Dealio\kb127\rulesFF\rules.3.386.59
c:\program files\Dealio\kb127\rulesFF\rules.3.388.59
c:\program files\Dealio\kb127\rulesFF\rules.3.391.60
c:\program files\Dealio\kb127\rulesFF\rules.3.398.60
c:\program files\Dealio\kb127\rulesFF\rules.3.399.60
c:\program files\Dealio\kb127\rulesFF\rules.3.403.61
c:\program files\Dealio\kb127\rulesFF\rules.3.404.63
c:\program files\Dealio\kb127\rulesFF\rules.3.405.61
c:\program files\Dealio\kb127\rulesFF\rules.3.406.61
c:\program files\Dealio\kb127\rulesFF\rules.3.407.61
c:\program files\Dealio\kb127\rulesFF\rules.3.408.63
c:\program files\Dealio\kb127\rulesFF\rules.3.409.61
c:\program files\Dealio\kb127\rulesFF\rules.3.412.62
c:\program files\Dealio\kb127\rulesFF\rules.3.413.62
c:\program files\Dealio\kb127\rulesFF\rules.3.414.62
c:\program files\Dealio\kb127\rulesFF\rules.3.415.62
c:\program files\Dealio\kb127\rulesFF\rules.3.416.62
c:\program files\Dealio\kb127\rulesFF\rules.3.417.62
c:\program files\Dealio\kb127\rulesFF\rules.3.418.62
c:\program files\Dealio\kb127\rulesFF\rules.3.419.62
c:\program files\Dealio\kb127\rulesFF\rules.3.420.62
c:\program files\Dealio\kb127\rulesFF\rules.3.421.62
c:\program files\Dealio\kb127\rulesFF\rules.3.424.63
c:\program files\Dealio\kb127\rulesFF\rules.3.427.63
c:\program files\Dealio\kb127\rulesFF\rules.3.432.65
c:\program files\Dealio\kb127\rulesFF\rules.3.49.67
c:\program files\Dealio\kb127\rulesFF\rules.3.51.46
c:\program files\Dealio\kb127\rulesFF\rules.3.52.57
c:\program files\Dealio\kb127\rulesFF\rules.3.53.51
c:\program files\Dealio\kb127\rulesFF\rules.3.54.47
c:\program files\Dealio\kb127\rulesFF\rules.3.57.43
c:\program files\Dealio\kb127\rulesFF\rules.3.58.47
c:\program files\Dealio\SearchSettingsKit.exe
c:\program files\Search Settings
c:\program files\Search Settings\kb127\SearchSettings.dll
c:\program files\Search Settings\kb127\SearchSettingsRes409.dll
c:\program files\Search Settings\SearchSettings.exe
c:\windows\uncsetup.exe
.
((((((((((((((((((((((((( Pliki utworzone od 2009-02-22 do 2009-03-22 )))))))))))))))))))))))))))))))
.
2009-03-20 22:00 . 2009-03-20 22:00 <DIR> dr------- c:\documents and settings\NetworkService\Ulubione
2009-03-12 21:58 . 2009-03-12 21:58 <DIR> d-------- c:\program files\Common Files\EZB Systems
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-22 16:33 --------- d-----w c:\program files\Kalendarz XP
2009-03-22 12:35 --------- d-----w c:\documents and settings\Paweł\Dane aplikacji\AVG7
2009-03-19 16:12 --------- d-----w c:\documents and settings\Paweł\Dane aplikacji\U3
2009-03-16 18:31 --------- d-----w c:\program files\Faktura VAT 2009
2009-03-06 11:31 --------- d-----w c:\program files\Winamp
2009-03-06 11:30 --------- d-----w c:\documents and settings\Paweł\Dane aplikacji\Winamp
2009-02-22 19:27 63,488 ----a-w c:\windows\xobglu16.dll
2009-02-22 19:27 23,552 ----a-w c:\windows\xobglu32.dll
2009-02-22 17:33 --------- d-----w c:\program files\Lexmark X1100 Series
2009-02-18 17:44 --------- d-----w c:\program files\Seventhsea
2009-02-18 17:43 286,720 ----a-w c:\windows\iun506.exe
2009-02-16 19:13 --------- d-----w c:\documents and settings\Paweł\Dane aplikacji\Skype
2009-02-09 14:19 1,846,528 ----a-w c:\windows\system32\win32k.sys
2009-02-04 11:42 --------- d-----w c:\program files\Christmas Package
2009-01-05 22:33 3,751,995 ----a-w c:\windows\system32\GPhotos.scr
2004-03-11 11:27 40,960 ----a-w c:\program files\Uninstall_CDS.exe
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadu-Gadu"="c:\program files\Gadu-Gadu\gg.exe" [2007-11-14 2131392]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2009-02-25 590848]
"SoundMan"="SOUNDMAN.EXE" [2004-12-22 c:\windows\SOUNDMAN.EXE]
"nwiz"="nwiz.exe" [2004-07-12 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2008-07-05 219136]

c:\documents and settings\All Users\Menu Start\Programy\Autostart\
Kalendarz XP.lnk - c:\program files\Kalendarz XP\Kalendarz.exe [2007-09-15 882176]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm
"msacm.divxa32"= msaud32_divx.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Gadu-Gadu\\gg.exe"=
"f:\\BearShare\\BearShare.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"e:\\Sopcast\\SopCast.exe"=
"e:\\Sopcast\\adv\\SopAdver.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7601:TCP"= 7601:TCP:BitComet 7601 TCP
"7601:UDP"= 7601:UDP:BitComet 7601 UDP
"24319:TCP"= 24319:TCP:BitComet 24319 TCP
"24319:UDP"= 24319:UDP:BitComet 24319 UDP

R0 m5289;m5289;c:\windows\system32\drivers\m5289.sys [2007-09-12 51840]
R0 uliagpkx;ULi AGP Bus Filter Driver;c:\windows\system32\drivers\AGPKX.SYS [2007-09-12 45056]
S3 k510bus;Sony Ericsson K510 Driver driver (WDM);c:\windows\system32\drivers\k510bus.sys [2007-11-15 58288]
S3 k510mdfl;Sony Ericsson K510 USB WMC Modem Filter;c:\windows\system32\drivers\k510mdfl.sys [2007-11-15 8336]
S3 k510mdm;Sony Ericsson K510 USB WMC Modem Driver;c:\windows\system32\drivers\k510mdm.sys [2007-11-15 94064]
S3 k510mgmt;Sony Ericsson K510 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\k510mgmt.sys [2007-11-15 85408]
S3 k510obex;Sony Ericsson K510 USB WMC OBEX Interface;c:\windows\system32\drivers\k510obex.sys [2007-11-15 83344]
S3 s716bus;Sony Ericsson Device 716 driver (WDM);c:\windows\system32\drivers\s716bus.sys [2008-10-22 83208]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c517d06b-8236-11dd-a3e7-000fea2a6eef}]
\Shell\AutoRun\command - K:\LaunchU3.exe -a
.
Zawartość folderu 'Zaplanowane zadania'

2009-03-21 c:\windows\Tasks\At1.job
- c:\windows\system32\1gOMNla5.exe []
2009-03-20 c:\windows\Tasks\At10.job
- c:\windows\system32\1gOMNla5.exe []
2009-03-21 c:\windows\Tasks\At11.job
- c:\windows\system32\1gOMNla5.exe []
2009-03-22 c:\windows\Tasks\At12.job
- c:\windows\system32\1gOMNla5.exe []
2009-03-22 c:\windows\Tasks\At13.job
- c:\windows\system32\1gOMNla5.exe []
2009-03-22 c:\windows\Tasks\At14.job
- c:\windows\system32\1gOMNla5.exe []
2009-03-22 c:\windows\Tasks\At15.job
- c:\windows\system32\1gOMNla5.exe []
2009-03-22 c:\windows\Tasks\At16.job
- c:\windows\system32\1gOMNla5.exe []
2009-03-22 c:\windows\Tasks\At17.job
- c:\windows\system32\1gOMNla5.exe []
2009-03-21 c:\windows\Tasks\At18.job
- c:\windows\system32\1gOMNla5.exe []
2009-03-22 c:\windows\Tasks\At19.job
- c:\windows\system32\1gOMNla5.exe []
2009-03-22 c:\windows\Tasks\At2.job
- c:\windows\system32\1gOMNla5.exe []
2009-03-22 c:\windows\Tasks\At20.job
- c:\windows\system32\1gOMNla5.exe []
2009-03-22 c:\windows\Tasks\At21.job
- c:\windows\system32\1gOMNla5.exe []
2009-03-22 c:\windows\Tasks\At22.job
- c:\windows\system32\1gOMNla5.exe []
2009-03-21 c:\windows\Tasks\At23.job
- c:\windows\system32\1gOMNla5.exe []
2009-03-21 c:\windows\Tasks\At24.job
- c:\windows\system32\1gOMNla5.exe []
2009-03-20 c:\windows\Tasks\At3.job
- c:\windows\system32\1gOMNla5.exe []
2009-03-20 c:\windows\Tasks\At4.job
- c:\windows\system32\1gOMNla5.exe []
2009-03-20 c:\windows\Tasks\At5.job
- c:\windows\system32\1gOMNla5.exe []
2009-03-20 c:\windows\Tasks\At6.job
- c:\windows\system32\1gOMNla5.exe []
2009-03-20 c:\windows\Tasks\At7.job
- c:\windows\system32\1gOMNla5.exe []
2009-03-20 c:\windows\Tasks\At8.job
- c:\windows\system32\1gOMNla5.exe []
2009-03-20 c:\windows\Tasks\At9.job
- c:\windows\system32\1gOMNla5.exe []
.
.
------- Skan uzupełniający -------
.
uStart Page = hxxp://www.google.pl/
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
FF - ProfilePath - c:\documents and settings\Paweł\Dane aplikacji\Mozilla\Firefox\Profiles\0bwpv566.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.onet.pl/
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampab&query=
FF - component: c:\documents and settings\Paweł\Dane aplikacji\Mozilla\Firefox\Profiles\0bwpv566.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\components\WinampTBPlayer.dll
FF - plugin: c:\documents and settings\All Users\Dane aplikacji\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npzylomgamesplayer.dll
FF - plugin: e:\filmy\Real Alternative\browser\plugins\nppl3260.dll
FF - plugin: e:\filmy\Real Alternative\browser\plugins\nprpjplug.dll
FF - plugin: e:\programy\Google\Picasa3\npPicasa3.dll
FF - plugin: f:\adobe reader\Reader\browser\nppdf32.dll
.
**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-22 21:39:01
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

skanowanie ukrytych procesów ...

skanowanie ukrytych wpisów autostartu ...

skanowanie ukrytych plików ...

skanowanie pomyślnie ukończone
ukryte pliki: 0

**************************************************************************
.
Czas ukończenia: 2009-03-22 21:40:43
ComboFix-quarantined-files.txt 2009-03-22 20:40:10
ComboFix2.txt 2009-03-22 14:40:35

Przed: 2 390 728 704 bajtów wolnych
Po: 2,364,534,784 bajtów wolnych

518 --- E O F --- 2009-03-14 10:06:13

//Logs are to be posted in //Andziorka
Guest, comment 23 March 2009

Paste into Notepad:

File::
c:\windows\system32\1gOMNla5.exe
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job

>>File>>Save as... >>> CFScript

Drag and drop the CFScript.txt file onto ComboFix.exe --> Removal should start (and a log will be produced). Post the log that is produced during the removal.

If it goes well: after the restart, delete the folder C:\Qoobox manually.
torson, comment 23 March 2009

ComboFix 09-03-19.02 - Paweł 2009-03-23 19:44:32.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.511.226 [GMT 1:00]
Uruchomiony z: F:\ComboFix.exe
Użyto następujących komend :: F:\CFScript.txt
AV: AVG 7.5.557 *On-access scanning enabled* (Updated)
 * Utworzono nowy punkt przywracania

FILE ::
c:\windows\system32\1gOMNla5.exe
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
.

((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
.
((((((((((((((((((((((((( Pliki utworzone od 2009-02-23 do 2009-03-23 )))))))))))))))))))))))))))))))
.
2009-03-20 22:00 . 2009-03-20 22:00 <DIR> dr------- c:\documents and settings\NetworkService\Ulubione
2009-03-12 21:58 . 2009-03-12 21:58 <DIR> d-------- c:\program files\Common Files\EZB Systems
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-23 18:43 --------- d-----w c:\program files\Kalendarz XP
2009-03-23 08:31 --------- d-----w c:\documents and settings\Paweł\Dane aplikacji\AVG7
2009-03-19 16:12 --------- d-----w c:\documents and settings\Paweł\Dane aplikacji\U3
2009-03-16 18:31 --------- d-----w c:\program files\Faktura VAT 2009
2009-03-06 11:31 --------- d-----w c:\program files\Winamp
2009-03-06 11:30 --------- d-----w c:\documents and settings\Paweł\Dane aplikacji\Winamp
2009-02-22 19:27 63,488 ----a-w c:\windows\xobglu16.dll
2009-02-22 19:27 23,552 ----a-w c:\windows\xobglu32.dll
2009-02-22 17:33 --------- d-----w c:\program files\Lexmark X1100 Series
2009-02-18 17:44 --------- d-----w c:\program files\Seventhsea
2009-02-18 17:43 286,720 ----a-w c:\windows\iun506.exe
2009-02-16 19:13 --------- d-----w c:\documents and settings\Paweł\Dane aplikacji\Skype
2009-02-09 14:19 1,846,528 ----a-w c:\windows\system32\win32k.sys
2009-02-04 11:42 --------- d-----w c:\program files\Christmas Package
2009-01-05 22:33 3,751,995 ----a-w c:\windows\system32\GPhotos.scr
2004-03-11 11:27 40,960 ----a-w c:\program files\Uninstall_CDS.exe
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadu-Gadu"="c:\program files\Gadu-Gadu\gg.exe" [2007-11-14 2131392]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2009-02-25 590848]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-07-12 4112384]
"SoundMan"="SOUNDMAN.EXE" [2004-12-22 c:\windows\SOUNDMAN.EXE]
"nwiz"="nwiz.exe" [2004-07-12 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2008-07-05 219136]

c:\documents and settings\All Users\Menu Start\Programy\Autostart\
Kalendarz XP.lnk - c:\program files\Kalendarz XP\Kalendarz.exe [2007-09-15 882176]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm
"msacm.divxa32"= msaud32_divx.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Gadu-Gadu\\gg.exe"=
"f:\\BearShare\\BearShare.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"e:\\Sopcast\\SopCast.exe"=
"e:\\Sopcast\\adv\\SopAdver.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7601:TCP"= 7601:TCP:BitComet 7601 TCP
"7601:UDP"= 7601:UDP:BitComet 7601 UDP
"24319:TCP"= 24319:TCP:BitComet 24319 TCP
"24319:UDP"= 24319:UDP:BitComet 24319 UDP

R0 m5289;m5289;c:\windows\system32\drivers\m5289.sys [2007-09-12 51840]
R0 uliagpkx;ULi AGP Bus Filter Driver;c:\windows\system32\drivers\AGPKX.SYS [2007-09-12 45056]
S3 k510bus;Sony Ericsson K510 Driver driver (WDM);c:\windows\system32\drivers\k510bus.sys [2007-11-15 58288]
S3 k510mdfl;Sony Ericsson K510 USB WMC Modem Filter;c:\windows\system32\drivers\k510mdfl.sys [2007-11-15 8336]
S3 k510mdm;Sony Ericsson K510 USB WMC Modem Driver;c:\windows\system32\drivers\k510mdm.sys [2007-11-15 94064]
S3 k510mgmt;Sony Ericsson K510 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\k510mgmt.sys [2007-11-15 85408]
S3 k510obex;Sony Ericsson K510 USB WMC OBEX Interface;c:\windows\system32\drivers\k510obex.sys [2007-11-15 83344]
S3 s716bus;Sony Ericsson Device 716 driver (WDM);c:\windows\system32\drivers\s716bus.sys [2008-10-22 83208]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c517d06b-8236-11dd-a3e7-000fea2a6eef}]
\Shell\AutoRun\command - K:\LaunchU3.exe -a
.
.
------- Skan uzupełniający -------
.
uStart Page = hxxp://www.google.pl/
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
FF - ProfilePath - c:\documents and settings\Paweł\Dane aplikacji\Mozilla\Firefox\Profiles\0bwpv566.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.onet.pl/
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampab&query=
FF - component: c:\documents and settings\Paweł\Dane aplikacji\Mozilla\Firefox\Profiles\0bwpv566.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\components\WinampTBPlayer.dll
FF - plugin: c:\documents and settings\All Users\Dane aplikacji\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npzylomgamesplayer.dll
FF - plugin: e:\filmy\Real Alternative\browser\plugins\nppl3260.dll
FF -
plugin: e:\filmy\Real Alternative\browser\plugins\nprpjplug.dllFF - plugin: e:\programy\Google\Picasa3\npPicasa3.dllFF - plugin: f:\adobe reader\Reader\browser\nppdf32.dll.**************************************************************************catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2009-03-23 19:46:06Windows 5.1.2600 Dodatek Service Pack 2 NTFSskanowanie ukrytych procesów ... skanowanie ukrytych wpisów autostartu ... skanowanie ukrytych plików ... skanowanie pomyślnie ukończoneukryte pliki: 0**************************************************************************.Czas ukończenia: 2009-03-23 19:47:41ComboFix-quarantined-files.txt 2009-03-23 18:47:09Przed: 2 524 811 264 bajtów wolnychPo: 2,555,023,360 bajtów wolnych177 --- E O F --- 2009-03-14 10:06:13
Gość (guest), comment, 23 March 2009
Well, it's clean.
1. Manually delete the folder C:\Qoobox.
2. You clear the "System Volume Information" folder by temporarily turning off System Restore: Control Panel > System > System Restore > tick the box next to "Turn off System Restore on all drives" > Apply > OK. Afterwards you can go back to the previous setting (i.e. untick the box).
3. Perform a system optimisation.
4. Scan the My Computer area at http://www.kaspersky.pl/virusscanner.html (run it through IE). Post its report on the forum.
torson, comment, 5 April 2009 (edited)
Could someone check whether my log is clean, or whether I need to do something about it..?
ComboFix 09-04-04.01 - Paweł 2009-04-05 12:26:37.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.511.224 [GMT 2:00]
Uruchomiony z: F:\ComboFix.exe
AV: AVG 7.5.557 *On-access scanning enabled* (Updated)
* Utworzono nowy punkt przywracania
Edited 5 April 2009 by Michał Paluch: tags are entered without asterisks, correcting it //Michał Paluch