kwik1, created 12 September 2008

Please check the log, I'm already going crazy. Thanks in advance.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:40:25, on 2008-09-12
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Dane aplikacji\cfofqjaf\arwvirot.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
D:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\SAV\sav.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\DOCUME~1\bartek\USTAWI~1\Temp\video1018.cfg.exe
C:\DOCUME~1\bartek\USTAWI~1\Temp\c.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.bearshare.com/sidebar.html?src=ssb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.bearshare.com/pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: My Global Search Bar BHO - {37B85A21-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL
O2 - BHO: XML module - {500BCA15-57A7-4eaf-8143-8C619470B13D} - C:\WINDOWS\system32\msxml71.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Expressivo - {85F685C3-20D9-4943-95E4-EB4224056C3F} - E:\Program Files\ivo\Expressivo\IH_iexplore.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: My Global Search Bar - {37B85A29-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL
O3 - Toolbar: (no name) - {7D787886-3B24-401C-A7BC-AF950A1C3CAC} - (no file)
O3 - Toolbar: Expressivo - {85F685C3-20D9-4943-95E4-EB4224056C3F} - E:\Program Files\ivo\Expressivo\IH_iexplore.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O4 - HKLM\..\Run: [siSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] D:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [Antivirus] C:\Program Files\SAV\sav.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [somefox] C:\DOCUME~1\bartek\USTAWI~1\Temp\video1018.cfg.exe
O4 - HKCU\..\Run: [Antivirus] C:\Program Files\SAV\sav.exe
O4 - HKLM\..\Policies\Explorer\Run: [1ssDaerYQ0] C:\Documents and Settings\All Users\Dane aplikacji\cfofqjaf\arwvirot.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Dane aplikacji\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{2DC13438-A0B0-4BFF-954B-AC9E03F29119}: NameServer = 213.241.79.37 83.238.255.76
O17 - HKLM\System\CS2\Services\Tcpip\..\{2DC13438-A0B0-4BFF-954B-AC9E03F29119}: NameServer = 213.241.79.37 83.238.255.76
O17 - HKLM\System\CS3\Services\Tcpip\..\{2DC13438-A0B0-4BFF-954B-AC9E03F29119}: NameServer = 213.241.79.37 83.238.255.76
O21 - SSODL: hjoqor - {1C6CB0B2-F6C9-4C24-99CD-DB255ABE8D69} - (no file)
O21 - SSODL: xcvwer - {44FD0CFF-78F4-451F-8A87-6694EA67508C} - (no file)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 8255 bytes


"Silent Runners.vbs", revision 58, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ares" = ""C:\Program Files\Ares\Ares.exe" -h" [file not found]
"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu S.A."]
"Somefox" = "C:\DOCUME~1\bartek\USTAWI~1\Temp\video1018.cfg.exe" [null data]
"Antivirus" = "C:\Program Files\SAV\sav.exe" [empty string]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++}
"1ssDaerYQ0" = "C:\Documents and Settings\All Users\Dane aplikacji\cfofqjaf\arwvirot.exe" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SiSUSBRG" = "C:\WINDOWS\SiSUSBrg.exe" ["Silicon Integrated Systems Corp."]
"Cmaudio" = "RunDll32 cmicnfg.cpl,CMICtrlWnd" [MS]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" ["ALWIL Software"]
"CTSysVol" = "C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r" ["Creative Technology Ltd"]
"P17Helper" = "Rundll32 P17.dll,P17Helper" [MS]
"UpdReg" = "C:\WINDOWS\UpdReg.EXE" ["Creative Technology Ltd."]
"QuickTime Task" = ""C:\Program Files\QuickTime Alternative\QTTask.exe" -atboottime" ["Apple Inc."]
"Adobe Reader Speed Launcher" = ""C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"" ["Adobe Systems Incorporated"]
"PCSuiteTrayApplication" = "D:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup" ["Nokia"]
"Antivirus" = "C:\Program Files\SAV\sav.exe" [empty string]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
     \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{37B85A21-692B-4205-9CAD-2626E4993404}\(Default) = "My Global Search Bar BHO"
  -> {HKLM...CLSID} = "My Global Search Bar BHO"
     \InProcServer32\(Default) = "C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL" ["My Global Search"]
{500BCA15-57A7-4eaf-8143-8C619470B13D}\(Default) = "XML module"
  -> {HKLM...CLSID} = "XML Class"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\msxml71.dll" [null data]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "SSVHelper Class"
     \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll" ["Sun Microsystems, Inc."]
{85F685C3-20D9-4943-95E4-EB4224056C3F}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Expressivo"
     \InProcServer32\(Default) = "E:\Program Files\ivo\Expressivo\IH_iexplore.dll" ["IVO Software Sp. z o.o."]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Google Toolbar Helper"
     \InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Google Toolbar Notifier BHO"
     \InProcServer32\(Default) = "C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll" ["Google Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
     \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {HKLM...CLSID} = "WinZip"
     \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {HKLM...CLSID} = "WinZip"
     \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {HKLM...CLSID} = "WinZip"
     \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {HKLM...CLSID} = "WinZip"
     \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
  -> {HKLM...CLSID} = "Portable Media Devices Menu"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"
  -> {HKLM...CLSID} = "AlcoholShellEx"
     \InProcServer32\(Default) = "C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AxShlex.dll" ["Alcohol Soft Development Team"]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
  -> {HKLM...CLSID} = "avast"
     \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
"{416651E4-9C3C-11D9-8BDE-F66BAD1E3F3A}" = "PhoneBrowser"
  -> {HKLM...CLSID} = "Nokia Phone Browser"
     \InProcServer32\(Default) = "D:\Program Files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll" ["Nokia"]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
  -> {HKLM...CLSID} = "PDF Shell Extension"
     \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zipn.dll" ["Igor Pavlov"]
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
  -> {HKLM...CLSID} = "avast"
     \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
  -> {HKLM...CLSID} = "WinZip"
     \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zipn.dll" ["Igor Pavlov"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
  -> {HKLM...CLSID} = "WinZip"
     \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zipn.dll" ["Igor Pavlov"]
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
  -> {HKLM...CLSID} = "avast"
     \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
  -> {HKLM...CLSID} = "WinZip"
     \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\bartek\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\logon.scr" [MS]

Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

ACDSeeAcquirePicturesOnArrival\
"Provider" = "ACDSee"
"InvokeProgID" = "ACDSee.AutoPlayHandlerAcquire"
"InvokeVerb" = "Acquire"
HKLM\SOFTWARE\Classes\ACDSee.AutoPlayHandlerAcquire\shell\Acquire\command\(Default) = ""C:\Program Files\ACD Systems\ACDSee\9.0\ACDSeeQV.exe" /detect:%1" ["ACD Systems Ltd."]

ACDSeeShowPicturesOnArrival\
"Provider" = "ACDSee"
"InvokeProgID" = "ACDSee.AutoPlayHandler"
"InvokeVerb" = "Open"
HKLM\SOFTWARE\Classes\ACDSee.AutoPlayHandler\shell\Open\command\(Default) = ""C:\Program Files\ACD Systems\ACDSee\9.0\ACDSeeQV.exe" "%1"" ["ACD Systems Ltd."]

AlcoholAutoPlayV2.BurnDisc\
"Provider" = "Alcohol 120%"
"InvokeProgID" = "AlcoholAutoPlayV2"
"InvokeVerb" = "BurnDisc"
HKLM\SOFTWARE\Classes\AlcoholAutoPlayV2\shell\BurnDisc\command\(Default) = ""C:\Program Files\Alcohol Soft\Alcohol 120\alcohol__.exe" %1" ["Alcohol Soft Development Team"]

AlcoholAutoPlayV2.ReadDisc\
"Provider" = "Alcohol 120%"
"InvokeProgID" = "AlcoholAutoPlayV2"
"InvokeVerb" = "ReadDisc"
HKLM\SOFTWARE\Classes\AlcoholAutoPlayV2\shell\ReadDisc\command\(Default) = ""C:\Program Files\Alcohol Soft\Alcohol 120\alcohol__.exe" %1" ["Alcohol Soft Development Team"]

CTPlayAudioOnArrivalu\
"Provider" = "Creative MediaSource 5 Player"
"InvokeProgID" = "CTAutoPLu.AudioCDPlayer.1"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\CTAutoPLu.AudioCDPlayer.1\shell\open\command\(Default) = ""C:\Program Files\Creative\MediaSource5\CTCMSu.exe" /T=CLASSKEY_AudioCD IN %L PlayNow" ["Creative Technology Ltd"]

CTPlayMusicFilesOnArrivalu\
"Provider" = "Creative MediaSource 5 Player"
"InvokeProgID" = "CTAutoPLu.MusicFilesPlayer.1"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\CTAutoPLu.MusicFilesPlayer.1\shell\open\command\(Default) = ""C:\Program Files\Creative\MediaSource5\CTCMSu.exe" /PlayNow "%L"" ["Creative Technology Ltd"]

MPCPlayCDAudioOnArrival\
"Provider" = "Media Player Classic"
"InvokeProgID" = "MediaPlayerClassic.Autorun"
"InvokeVerb" = "PlayCDAudio"
HKLM\SOFTWARE\Classes\MediaPlayerClassic.Autorun\shell\PlayCDAudio\command\(Default) = ""C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe" %1 /cd" ["Gabest"]

MPCPlayDVDMovieOnArrival\
"Provider" = "Media Player Classic"
"InvokeProgID" = "MediaPlayerClassic.Autorun"
"InvokeVerb" = "PlayDVDMovie"
HKLM\SOFTWARE\Classes\MediaPlayerClassic.Autorun\shell\PlayDVDMovie\command\(Default) = ""C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe" %1 /dvd" ["Gabest"]

MPCPlayMusicFilesOnArrival\
"Provider" = "Media Player Classic"
"InvokeProgID" = "MediaPlayerClassic.Autorun"
"InvokeVerb" = "PlayMusicFiles"
HKLM\SOFTWARE\Classes\MediaPlayerClassic.Autorun\shell\PlayMusicFiles\command\(Default) = ""C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe" %1" ["Gabest"]

MPCPlayVideoFilesOnArrival\
"Provider" = "Media Player Classic"
"InvokeProgID" = "MediaPlayerClassic.Autorun"
"InvokeVerb" = "PlayVideoFiles"
HKLM\SOFTWARE\Classes\MediaPlayerClassic.Autorun\shell\PlayVideoFiles\command\(Default) = ""C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe" %1" ["Gabest"]

NeroAutoPlayEmptyCD\
"Provider" = "Nero StartSmart"
"InvokeProgID" = "Nero.AutoPlay"
"InvokeVerb" = "EmptyCD"
HKLM\SOFTWARE\Classes\Nero.AutoPlay\shell\EmptyCD\command\(Default) = ""C:\Program Files\Ahead\nero startsmart\nerostartsmart.exe" /Drive:%L" ["Ahead Software AG"]

NMMPlayCDAudioOnArrival\
"Provider" = "Nokia Music Manager"
"InvokeProgID" = "NokiaMusicManager"
"InvokeVerb" = "NMMPlayCD"
HKLM\SOFTWARE\Classes\NokiaMusicManager\shell\NMMPlayCD\command\(Default) = "D:\Program Files\Nokia\Nokia PC Suite 6\MusicManager.exe /playCD "%L"" ["Nokia"]

NMMRipCDAudioOnArrival\
"Provider" = "Nokia Music Manager"
"InvokeProgID" = "NokiaMusicManager"
"InvokeVerb" = "NMMRipCD"
HKLM\SOFTWARE\Classes\NokiaMusicManager\shell\NMMRipCD\command\(Default) = "D:\Program Files\Nokia\Nokia PC Suite 6\MusicManager.exe /ripCD "%L"" ["Nokia"]

WinampMTPHandler\
"Provider" = "Winamp"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = "C:\Program Files\Winamp\winamp.exe"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
  -> {HKLM...CLSID} = "ShellExecute HW Event Handler"
     \LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

Enabled Scheduled Tasks:
------------------------

"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -task" ["Apple Inc."]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 18
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{37B85A29-692B-4205-9CAD-2626E4993404}"
  -> {HKLM...CLSID} = "My Global Search Bar"
     \InProcServer32\(Default) = "C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL" ["My Global Search"]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
  -> {HKLM...CLSID} = "&Google"
     \InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]
"{37B85A29-692B-4205-9CAD-2626E4993404}"
  -> {HKLM...CLSID} = "My Global Search Bar"
     \InProcServer32\(Default) = "C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL" ["My Global Search"]
"{32099AAC-C132-4136-9E9A-4E364A424E17}"
  -> {HKLM...CLSID} = "DAEMON Tools Toolbar"
     \InProcServer32\(Default) = "C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll" [null data]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
  -> {HKLM...CLSID} = "&Google"
     \InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]
"{37B85A29-692B-4205-9CAD-2626E4993404}" = (no title provided)
  -> {HKLM...CLSID} = "My Global Search Bar"
     \InProcServer32\(Default) = "C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL" ["My Global Search"]
"{85F685C3-20D9-4943-95E4-EB4224056C3F}" = "Expressivo"
  -> {HKLM...CLSID} = "Expressivo"
     \InProcServer32\(Default) = "E:\Program Files\ivo\Expressivo\IH_iexplore.dll" ["IVO Software Sp. z o.o."]
"{32099AAC-C132-4136-9E9A-4E364A424E17}" = (no title provided)
  -> {HKLM...CLSID} = "DAEMON Tools Toolbar"
     \InProcServer32\(Default) = "C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll" [null data]

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Badanie"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC}"
  -> {HKCU...CLSID} = "Java Plug-in 1.6.0_05"
     \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll" ["Sun Microsystems, Inc."]
  -> {HKLM...CLSID} = "Java Plug-in 1.6.0_05"
     \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll" ["Sun Microsystems, Inc."]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Badanie"

{D6E814A0-E0C5-11D4-8D29-0050BA6940E3}\
"ButtonText" = "FlashGet"
"MenuText" = "&FlashGet"
"Exec" = "C:\PROGRA~1\FlashGet\flashget.exe" ["Amaze Soft"]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" ["ALWIL Software"]
avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" ["ALWIL Software"]
avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]
avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]
Creative Service for CDROM Access, Creative Service for CDROM Access, "C:\WINDOWS\system32\CTsvcCDA.exe" ["Creative Technology Ltd"]
PnkBstrA, PnkBstrA, "C:\WINDOWS\system32\PnkBstrA.exe" [null data]
ServiceLayer, ServiceLayer, ""C:\Program Files\PC Connectivity Solution\ServiceLayer.exe"" ["Nokia."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]

---------- (launch time: 2008-09-12 13:43:13)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
  took 90 seconds.
---------- (total run time: 189 seconds)
nitro07, comment, 12 September 2008

HijackThis:

C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\All Users\Dane aplikacji\cfofqjaf\arwvirot.exe
C:\Program Files\SAV\sav.exe
C:\DOCUME~1\bartek\USTAWI~1\Temp\c.exe
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O21 - SSODL: hjoqor - {1C6CB0B2-F6C9-4C24-99CD-DB255ABE8D69} - (no file)
O21 - SSODL: xcvwer - {44FD0CFF-78F4-451F-8A87-6694EA67508C} - (no file)
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.h
snip91, comment, 12 September 2008

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare. com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.bearshare. com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.bearshare. com/sidebar.html?src=ssb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.bearshare.com/pl/
O2 - BHO: My Global Search Bar BHO - {37B85A21-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL
O2 - BHO: XML module - {500BCA15-57A7-4eaf-8143-8C619470B13D} - C:\WINDOWS\system32\msxml71.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O3 - Toolbar: My Global Search Bar - {37B85A29-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL
O3 - Toolbar: (no name) - {7D787886-3B24-401C-A7BC-AF950A1C3CAC} - (no file)
O4 - HKLM\..\Run: [Antivirus] C:\Program Files\SAV\sav.exe
O4 - HKCU\..\Run: [somefox] C:\DOCUME~1\bartek\USTAWI~1\Temp\video1018.cfg.exe
O4 - HKCU\..\Run: [Antivirus] C:\Program Files\SAV\sav.exe
O4 - HKLM\..\Policies\Explorer\Run: [1ssDaerYQ0] C:\Documents and Settings\All Users\Dane aplikacji\cfofqjaf\arwvirot.exe
O21 - SSODL: hjoqor - {1C6CB0B2-F6C9-4C24-99CD-DB255ABE8D69} - (no file)
O21 - SSODL: xcvwer - {44FD0CFF-78F4-451F-8A87-6694EA67508C} - (no file)
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

Fix these in HJT. Download ComboFix and, without running it, paste the following into Notepad:

File::
C:\WINDOWS\system32\msxml71.dll
C:\Program Files\SAV\sav.exe
C:\Documents and Settings\All Users\Dane aplikacji\cfofqjaf\arwvirot.exe

Folder::
C:\Program Files\MyGlobalSearch

Registry::
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Somefox"=-
"Antivirus"=-
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Antivirus"=-
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"1ssDaerYQ0"=-
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{37B85A21-692B-4205-9CAD-2626E4993404}"=-
"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"=-

In Notepad go to File --> Save As --> save it under the name CFScript.txt, in the same folder where ComboFix is. Boot into Safe Mode (F8 while the system is loading). Drag the CFScript.txt file you created onto the ComboFix icon, as in the picture: removal will start and a log will be produced, which you post on the forum. After the restart, delete the folder C:\Qoobox manually.
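The triage the replies above do by eye (autostarts launched from Temp or a random "Dane aplikacji" folder, the Policies\Explorer\Run key, SSODL and BHO entries with no backing file, the Active Desktop component pointing at a local HTML file, and the same "Antivirus" value planted in both HKLM and HKCU) can be written down as a small rule set. The script below is an added example for this thread, not something any of the posters ran; the sample lines are constructed from the log above, and the rules are heuristics of my own, not HijackThis or ComboFix logic.

```python
"""Heuristic triage of HijackThis-style log lines (added example, not from the thread)."""
import re
from dataclasses import dataclass

# Directories from which a legitimate autostart almost never runs. The Polish
# XP folder names are included because that is what the log above uses.
PROFILE_DIRS = (
    "\\temp\\",
    "\\dane aplikacji\\",       # Application Data (pl-PL)
    "\\application data\\",
    "\\ustawienia lokalne\\",   # Local Settings (pl-PL)
    "\\local settings\\",
)

# O4 - HKLM\..\Run: [name] command      (also HKUS\S-1-5-18\..\Run and Policies\Explorer\Run)
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+(?:\\[^\\]+)?)\\\.\.\\(?P<key>.+?): "
    r"\[(?P<name>[^\]]+)\] (?P<cmd>.+)$"
)
# First absolute path in a command line, with or without surrounding quotes.
PATH_RE = re.compile(r'^"?(?P<path>[A-Za-z]:\\[^"]+?\.(?:exe|dll|cpl|scr|bat|com))', re.I)
# Lines in the "Running processes:" section are bare paths ending in .exe.
PROC_RE = re.compile(r"^[A-Za-z]:\\.+\.exe$", re.I)


@dataclass(frozen=True)
class Finding:
    line: str
    reason: str


def _in_profile_dir(cmd: str) -> bool:
    """True if the executable in `cmd` lives under a temp/profile directory."""
    m = PATH_RE.match(cmd.strip())
    path = (m.group("path") if m else cmd).lower()
    return any(d in path for d in PROFILE_DIRS)


def triage(lines):
    """Return a list of Finding objects for the suspicious lines in `lines`."""
    findings = []
    run_names = {}  # value name -> hives it appears in, to spot HKLM+HKCU duplicates
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if PROC_RE.match(line):
            if _in_profile_dir(line):
                findings.append(Finding(line, "running process launched from a temp/profile directory"))
            continue
        if line.startswith(("R0 - ", "R1 - ")):
            # HJT only lists non-default start/search pages, so any R0/R1 is worth a look.
            findings.append(Finding(line, "non-default IE start/search page (browser hijack)"))
            continue
        if line.startswith(("O2 - ", "O3 - ", "O21 - ")) and line.endswith("(no file)"):
            findings.append(Finding(line, "orphaned CLSID with no backing file"))
            continue
        if line.startswith("O21 - SSODL:"):
            findings.append(Finding(line, "ShellServiceObjectDelayLoad entry (common malware autostart)"))
            continue
        if line.startswith("O24 - ") and "file:///" in line.lower():
            findings.append(Finding(line, "Active Desktop component loaded from a local file (fake security warning)"))
            continue
        m = O4_RE.match(line)
        if m:
            hive, key, name, cmd = m.group("hive", "key", "name", "cmd")
            if "policies\\explorer\\run" in key.lower():
                findings.append(Finding(line, "Policies\\Explorer\\Run autostart (rarely used by legitimate software)"))
            if _in_profile_dir(cmd):
                findings.append(Finding(line, "autostart from a temp/profile directory"))
            if key.lower() == "run" and hive in ("HKLM", "HKCU"):
                run_names.setdefault(name.lower(), set()).add(hive)
    for name, hives in run_names.items():
        if hives == {"HKLM", "HKCU"}:
            findings.append(Finding(f"[{name}]", "same Run value name in both HKLM and HKCU (redundant persistence)"))
    return findings


# Constructed sample, modelled on the log posted above.
SAMPLE_LOG = [
    "C:\\WINDOWS\\system32\\svchost.exe",
    "C:\\DOCUME~1\\bartek\\USTAWI~1\\Temp\\c.exe",
    "R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://search.bearshare.com/pl/",
    "O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll",
    "O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)",
    "O4 - HKLM\\..\\Run: [avast!] C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe",
    "O4 - HKLM\\..\\Run: [Antivirus] C:\\Program Files\\SAV\\sav.exe",
    "O4 - HKCU\\..\\Run: [somefox] C:\\DOCUME~1\\bartek\\USTAWI~1\\Temp\\video1018.cfg.exe",
    "O4 - HKCU\\..\\Run: [Antivirus] C:\\Program Files\\SAV\\sav.exe",
    "O4 - HKLM\\..\\Policies\\Explorer\\Run: [1ssDaerYQ0] C:\\Documents and Settings\\All Users\\Dane aplikacji\\cfofqjaf\\arwvirot.exe",
    "O4 - HKUS\\S-1-5-18\\..\\Run: [CTFMON.EXE] C:\\WINDOWS\\system32\\CTFMON.EXE (User 'SYSTEM')",
    "O21 - SSODL: hjoqor - {1C6CB0B2-F6C9-4C24-99CD-DB255ABE8D69} - (no file)",
    "O24 - Desktop Component 0: Privacy Protection - file:///C:\\WINDOWS\\privacy_danger\\index.htm",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Run against a full log (one entry per line) it prints nine findings for the sample above and stays quiet on svchost.exe, the Adobe BHO, avast! and the per-user CTFMON entries. It is deliberately a first-pass filter: the "Antivirus"/sav.exe pair only shows up through the duplicate-hive rule, and a helper still has to check signer, file size and path for anything it does not flag.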
Mateusz J., comment, 12 September 2008

C:\Documents and Settings\All Users\Dane aplikacji\cfofqjaf
C:\Program Files\SAV

These two should be removed as whole folders, so add both paths to the Folder:: section. Then clean the Temp directory with ATF Cleaner, ticking the options:
- Windows Temp
- Current user Temp
- All users Temp

Besides the ComboFix log, post a new HijackThis log as well.
kwik1 (author) - comment - 12 September 2008

ComboFix

ComboFix 08-09-11.02 - bartek 2008-09-12 17:43:36.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.76 [GMT 2:00]
Run from: E:\ComboFix.exe
WARNING - THIS COMPUTER DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Removed )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Dane aplikacji\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Dane aplikacji\Microsoft\Network\Downloader\qmgr1.dat
C:\Program Files\akl
C:\Program Files\akl\akl.dll
C:\Program Files\akl\akl.exe
C:\Program Files\akl\uninstall.exe
C:\Program Files\akl\unsetup.exe
C:\Program Files\Inet Delivery
C:\Program Files\Inet Delivery\inetdl.exe
C:\Program Files\Inet Delivery\intdel.exe
C:\Program Files\myglobalsearch
C:\Program Files\myglobalsearch\bar\1.bin\M9FFXTBR.JAR
C:\Program Files\myglobalsearch\bar\1.bin\M9FFXTBR.MANIFEST
C:\Program Files\myglobalsearch\bar\1.bin\M9NTSTBR.JAR
C:\Program Files\myglobalsearch\bar\1.bin\M9NTSTBR.MANIFEST
C:\Program Files\myglobalsearch\bar\1.bin\M9PLUGIN.DLL
C:\Program Files\myglobalsearch\bar\1.bin\MGSBAR.DLL
C:\Program Files\myglobalsearch\bar\1.bin\NPMYGLSH.DLL
C:\Program Files\myglobalsearch\bar\Cache\00013509
C:\Program Files\myglobalsearch\bar\Cache\000161E8
C:\Program Files\myglobalsearch\bar\Cache\0001D8FC
C:\Program Files\myglobalsearch\bar\Cache\0001DEDA
C:\Program Files\myglobalsearch\bar\Cache\0001E24B
C:\Program Files\myglobalsearch\bar\Cache\0001E7D9
C:\Program Files\myglobalsearch\bar\Cache\000252B8
C:\Program Files\myglobalsearch\bar\Cache\0002BD52.bin
C:\Program Files\myglobalsearch\bar\Cache\0002D814.bin
C:\Program Files\myglobalsearch\bar\Cache\0002DD47.bin
C:\Program Files\myglobalsearch\bar\Cache\0003BBAB
C:\Program Files\myglobalsearch\bar\Cache\000563D5
C:\Program Files\myglobalsearch\bar\Cache\0005C7AA
C:\Program Files\myglobalsearch\bar\Cache\00125EA9
C:\Program Files\myglobalsearch\bar\Cache\002F5359
C:\Program Files\myglobalsearch\bar\Cache\003AB219
C:\Program Files\myglobalsearch\bar\Cache\0043F76E.bin
C:\Program Files\myglobalsearch\bar\Cache\0043FAEA.bin
C:\Program Files\myglobalsearch\bar\Cache\0043FD4D.bin
C:\Program Files\myglobalsearch\bar\Cache\006373BB
C:\Program Files\myglobalsearch\bar\Cache\00CBF2E5
C:\Program Files\myglobalsearch\bar\Cache\0147E097
C:\Program Files\myglobalsearch\bar\Cache\files.ini
C:\Program Files\myglobalsearch\bar\History\search
C:\Program Files\myglobalsearch\bar\Settings\prevcfg.htm
C:\WINDOWS\a.bat
C:\WINDOWS\base64.tmp
C:\WINDOWS\bdn.com
C:\WINDOWS\binret.exe
C:\WINDOWS\dat.txt
C:\WINDOWS\FVProtect.exe
C:\WINDOWS\iTunesMusic.exe
C:\WINDOWS\mslagent
C:\WINDOWS\mslagent\2_mslagent.dll
C:\WINDOWS\mslagent\mslagent.exe
C:\WINDOWS\mslagent\uninstall.exe
C:\WINDOWS\mssecu.exe
C:\WINDOWS\privacy_danger
C:\WINDOWS\privacy_danger\images\capt.gif
C:\WINDOWS\privacy_danger\images\danger.jpg
C:\WINDOWS\privacy_danger\images\down.gif
C:\WINDOWS\privacy_danger\images\spacer.gif
C:\WINDOWS\privacy_danger\index.htm
C:\WINDOWS\rs.txt
C:\WINDOWS\search_res.txt
C:\WINDOWS\system32\akttzn.exe
C:\WINDOWS\system32\anticipator.dll
C:\WINDOWS\system32\awtoolb.dll
C:\WINDOWS\system32\bdn.com
C:\WINDOWS\system32\bsva-egihsg52.exe
C:\WINDOWS\system32\dpcproxy.exe
C:\WINDOWS\system32\emesx.dll
C:\WINDOWS\system32\h@tkeysh@@k.dll
C:\WINDOWS\system32\hoproxy.dll
C:\WINDOWS\system32\hxiwlgpm.dat
C:\WINDOWS\system32\hxiwlgpm.exe
C:\WINDOWS\system32\medup012.dll
C:\WINDOWS\system32\medup020.dll
C:\WINDOWS\system32\msgp.exe
C:\WINDOWS\system32\msnbho.dll
C:\WINDOWS\system32\mssecu.exe
C:\WINDOWS\system32\msvchost.exe
C:\WINDOWS\system32\mtr2.exe
C:\WINDOWS\system32\mwin32.exe
C:\WINDOWS\system32\netode.exe
C:\WINDOWS\system32\newsd32.exe
C:\WINDOWS\system32\ps1.exe
C:\WINDOWS\system32\psof1.exe
C:\WINDOWS\system32\psoft1.exe
C:\WINDOWS\system32\regc64.dll
C:\WINDOWS\system32\regm64.dll
C:\WINDOWS\system32\Rundl1.exe
C:\WINDOWS\system32\smp
C:\WINDOWS\system32\smp\msrc.exe
C:\WINDOWS\system32\sncntr.exe
C:\WINDOWS\system32\ssurf022.dll
C:\WINDOWS\system32\ssvchost.com
C:\WINDOWS\system32\ssvchost.exe
C:\WINDOWS\system32\sysreq.exe
C:\WINDOWS\system32\taack.dat
C:\WINDOWS\system32\taack.exe
C:\WINDOWS\system32\temp#01.exe
C:\WINDOWS\system32\thun.dll
C:\WINDOWS\system32\thun32.dll
C:\WINDOWS\system32\VBIEWER.OCX
C:\WINDOWS\system32\vbsys2.dll
C:\WINDOWS\system32\vcatchpi.dll
C:\WINDOWS\system32\winlogonpc.exe
C:\WINDOWS\system32\winsystem.exe
C:\WINDOWS\system32\WINWGPX.EXE
C:\WINDOWS\userconfig9x.dll
C:\WINDOWS\winsystem.exe
C:\WINDOWS\zip1.tmp
C:\WINDOWS\zip2.tmp
C:\WINDOWS\zip3.tmp
C:\WINDOWS\zipped.tmp

----- BITS: Possibly infected sites -----

http://77.91.227.196
.
((((((((((((((((((((((((( Files created from 2008-08-12 to 2008-09-12 )))))))))))))))))))))))))))))))
.
2008-09-12 13:59 . 2008-09-12 13:59 94,208 --a------ C:\WINDOWS\system32\mxevydmp.exe
2008-09-12 12:18 . 2008-09-12 12:18 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\cfofqjaf
2008-09-12 12:17 . 2008-09-12 12:17 <DIR> d-------- C:\Temp\{871ce3c5-6e97-3363-a174-3208198ce6fd}
2008-09-12 12:17 . 2002-08-09 00:02 <DIR> d-------- C:\Program Files\SAV
2008-09-12 12:17 . 2008-09-08 13:12 165,888 --a------ C:\WINDOWS\system32\sav.cpl
2008-09-07 17:34 . 2008-09-07 17:34 <DIR> d-------- C:\Documents and Settings\Pablo\Dane aplikacji\DataLayer
2008-09-07 17:30 . 2008-09-08 17:59 <DIR> d-------- C:\Documents and Settings\Pablo\Phone Browser
2008-09-07 17:25 . 2008-09-11 13:46 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-09-07 17:25 . 2008-09-07 17:25 1,409 --a------ C:\WINDOWS\QTFont.for
2008-09-07 17:24 . 2008-09-07 17:24 <DIR> d-------- C:\Program Files\DIFX
2008-09-07 17:24 . 2008-09-07 17:24 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\PC Suite
2008-09-07 17:22 . 2008-09-07 17:22 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2008-09-07 17:22 . 2008-09-07 17:22 <DIR> d-------- C:\Program Files\Common Files\Nokia
2008-09-02 23:50 . 2008-09-03 00:15 600 --a------ C:\WINDOWS\Rtcw.INI
2008-08-27 23:03 . 2008-08-27 23:03 42,320 --a------ C:\WINDOWS\system32\xfcodec.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-12 10:10 43,520 -c--a-w C:\WINDOWS\system32\CmdLineExt03.dll
2008-09-11 21:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-11 17:53 --------- d-----w C:\Documents and Settings\bartek\Dane aplikacji\BitTorrent
2008-09-11 15:24 138,056 -c--a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-09-11 15:23 111,928 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-09-07 21:27 --------- d-----w C:\Program Files\Winamp
2008-09-07 20:35 --------- d-----w C:\Program Files\Soulseek
2008-09-07 15:24 --------- d-----w C:\Documents and Settings\Pablo\Dane aplikacji\PC Suite
2008-09-07 15:09 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Installations
2008-09-06 13:23 --------- d-----w C:\Documents and Settings\bartek\Dane aplikacji\DNA
2008-09-06 13:08 --------- d-----w C:\Program Files\DNA
2008-09-04 16:09 --------- d-----w C:\Documents and Settings\Pablo\Dane aplikacji\Xfire
2008-08-11 12:13 --------- d-----w C:\Documents and Settings\bartek\Dane aplikacji\Black Sea Studios
2008-08-08 22:08 --------- d-----w C:\Program Files\Java
2008-07-30 19:58 --------- d-----w C:\Program Files\DAEMON Tools Toolbar
2008-07-30 14:55 717,296 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-07-30 14:55 --------- d-----w C:\Documents and Settings\Pablo\Dane aplikacji\DAEMON Tools
2008-07-23 20:52 98,304 -c--a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-07-23 20:52 --------- d--h--r C:\Documents and Settings\bartek\Dane aplikacji\SecuROM
2008-07-21 13:34 --------- d-----w C:\Documents and Settings\Pablo\Dane aplikacji\gtk-2.0
2008-07-18 15:27 --------- d-----w C:\Documents and Settings\Pablo\Dane aplikacji\BESTplayer
2008-06-04 15:34 22,328 -c--a-w C:\Documents and Settings\Pablo\Dane aplikacji\PnkBstrK.sys
2008-04-17 15:20 32 -c--a-w C:\Documents and Settings\All Users\Dane aplikacji\ezsid.dat
2001-11-23 04:08 712,704 -c--a-w C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
2000-12-31 12:52 6,154 -c--a-w C:\Program Files\license.txt
.
((((((((((((((((((((((((((((((((((((( Registry startup entries ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries and default, legitimate entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2008-03-20 2127296]
"smartgen"="C:\WINDOWS\system32\mxevydmp.exe" [2008-09-12 94208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [2002-04-26 102400]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-16 79224]
"CTSysVol"="C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 90112]
"QuickTime Task"="C:\Program Files\QuickTime Alternative\QTTask.exe" [2007-10-19 286720]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"PCSuiteTrayApplication"="D:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE" [2006-04-07 237568]
"P17Helper"="P17.dll" [2005-05-03 C:\WINDOWS\system32\P17.dll]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll
"VIDC.XFR1"= xfcodec.dll
"VIDC.YV12"= yv12vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a--c--- 2001-07-09 12:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"E:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\BitTorrent\\BitTorrent.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"24965:TCP"= 24965:TCP:BitComet 24965 TCP
"24965:UDP"= 24965:UDP:BitComet 24965 UDP

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 78416]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 20560]
S3 gUSBSTOi;gUSBSTOi;C:\DOCUME~1\bartek\USTAWI~1\Temp\gUSBSTOi.sys [ ]
S3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1e296a20-d0d1-11db-ae4c-000ae627c1db}]
\Shell\AutoRun\command - ntde1ect.com
\Shell\explore\Command - ntde1ect.com
\Shell\open\Command - ntde1ect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{668c01f1-3328-11dd-8478-000ae627c1db}]
\Shell\AutoRun\command - H:\8de.bat
\Shell\explore\Command - H:\8de.bat
\Shell\open\Command - H:\8de.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ef6005f0-f4d3-11db-afb3-000ae627c1db}]
\Shell\AutoRun\command - ntde1ect.com
\Shell\explore\Command - ntde1ect.com
\Shell\open\Command - ntde1ect.com

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
.
- - - - REMOVED EMPTY ENTRIES - - - -

HKCU-Run-ares - C:\Program Files\Ares\Ares.exe
HKLM-Run-Cmaudio - cmicnfg.cpl
MSConfigStartUp-BearFlix - C:\Program Files\BearFlix\BearFlix.exe
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\bartek\Dane aplikacji\Mozilla\Firefox\Profiles\seaidy0c.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1098640&SearchSource=3&q=
FF -: plugin - C:\Program Files\DNA\plugins\npbtdna.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npbittorrent.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPMyGlSh.dll
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-12 17:45:49
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-09-12 17:48:00
ComboFix-quarantined-files.txt 2008-09-12 15:47:52

Pre-Run: 48,066,560 bytes free
Post-Run: 916,480,000 bytes free

266

New HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:56:25, on 2008-09-12
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
D:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\WINDOWS\system32\mxevydmp.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\mxevydmp.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Expressivo - {85F685C3-20D9-4943-95E4-EB4224056C3F} - E:\Program Files\ivo\Expressivo\IH_iexplore.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Expressivo - {85F685C3-20D9-4943-95E4-EB4224056C3F} - E:\Program Files\ivo\Expressivo\IH_iexplore.dll
O4 - HKLM\..\Run: [siSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] D:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [smartgen] C:\WINDOWS\system32\mxevydmp.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Dane aplikacji\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{2DC13438-A0B0-4BFF-954B-AC9E03F29119}: NameServer = 213.241.79.37 83.238.255.76
O17 - HKLM\System\CS2\Services\Tcpip\..\{2DC13438-A0B0-4BFF-954B-AC9E03F29119}: NameServer = 213.241.79.37 83.238.255.76
O17 - HKLM\System\CS3\Services\Tcpip\..\{2DC13438-A0B0-4BFF-954B-AC9E03F29119}: NameServer = 213.241.79.37 83.238.255.76
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 6721 bytes
Guest - comment - 12 September 2008

1) Disinfect the pendrive or memory card: Perlovga Removal Tool, Flash Disinfector, or format it.

2) Paste the following into Notepad:

File::
C:\WINDOWS\system32\mxevydmp.exe
C:\DOCUME~1\bartek\USTAWI~1\Temp\gUSBSTOi.sys
C:\WINDOWS\system32\sav.cpl
C:\8de.bat
E:\8de.bat
H:\8de.bat

Folder::
C:\Documents and Settings\All Users\Dane aplikacji\cfofqjaf
C:\Temp\{871ce3c5-6e97-3363-a174-3208198ce6fd}
C:\Program Files\SAV

Driver::
gUSBSTOi

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"smartgen"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2]

Then File >> Save as... >>> CFScript. Drag and drop the CFScript.txt file onto ComboFix.exe --> the removal should start (and a log will be produced). Post the log that is produced during the removal. If it goes well, then: after the reboot, delete the C:\Qoobox folder by hand.
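The helpers above are doing a by-hand correlation: a Run entry whose target ComboFix lists as created hours before the scan, a service whose binary sits in Temp and could not be read, Security Center and firewall switched off, and MountPoints2 autorun handlers pointing at a removable drive; the result is written up as a CFScript. The script below is an added example of that same triage in code; it is not part of this thread, nor of ComboFix or HijackThis. It reads a handful of lines copied from the logs posted earlier (labelled as a constructed sample), flags those findings, and prints a CFScript in the File::/Folder::/Driver::/Registry:: layout used above. The scan timestamp, the 24-hour "created just before the scan" window and the heuristics themselves are the example's own assumptions, and the output is a draft for a person to review, not something to feed to ComboFix unread.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: lines copied verbatim from the ComboFix and HijackThis logs posted
# in this thread, cut down to the entries the triage rules act on.
HJT_LOG = r"""
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKCU\..\Run: [smartgen] C:\WINDOWS\system32\mxevydmp.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{2DC13438-A0B0-4BFF-954B-AC9E03F29119}: NameServer = 213.241.79.37 83.238.255.76
"""
COMBOFIX_LOG = r"""
2008-09-12 13:59 . 2008-09-12 13:59 94,208 --a------ C:\WINDOWS\system32\mxevydmp.exe
2008-09-12 12:18 . 2008-09-12 12:18 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\cfofqjaf
2008-09-12 12:17 . 2008-09-08 13:12 165,888 --a------ C:\WINDOWS\system32\sav.cpl
2008-08-27 23:03 . 2008-08-27 23:03 42,320 --a------ C:\WINDOWS\system32\xfcodec.dll
"AntiVirusDisableNotify"=dword:00000001
"EnableFirewall"= 0 (0x0)
S3 gUSBSTOi;gUSBSTOi;C:\DOCUME~1\bartek\USTAWI~1\Temp\gUSBSTOi.sys [ ]
S3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
\Shell\AutoRun\command - ntde1ect.com
\Shell\AutoRun\command - H:\8de.bat
"""

SCAN_TIME = datetime(2008, 9, 12, 17, 43)  # assumption: taken from the ComboFix log header above
RECENT = timedelta(hours=24)               # assumed window for "created just before the scan"
CREATED_RE = re.compile(r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. \S+ \S+ (<DIR>|[\d,]+) \S+ ([A-Za-z]:\\.*)$')
O4_RE = re.compile(r'^O4 - (HKCU|HKLM)\\\.\.\\Run: \[([^\]]+)\] (.*)$')
DRIVER_RE = re.compile(r'^S\d ([^;]+);[^;]*;([A-Za-z]:\\\S+) \[ \]$')  # "[ ]": ComboFix could not read the file
O17_RE = re.compile(r'^O17 - .*NameServer = (.*)$')
RUN_KEYS = {'HKCU': 'HKEY_CURRENT_USER', 'HKLM': 'HKEY_LOCAL_MACHINE'}


def target_of(cmd):
    """Executable referenced by an O4 command line, without quotes or arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r'(?i)(.+?\.(?:exe|cpl|com|bat|scr))(?=\s|$)', cmd)
    return m.group(1) if m else cmd.split()[0]


def triage(hjt_text, combofix_text, scan_time=SCAN_TIME):
    """Return (kind, subject, reason) findings from a HijackThis log and a ComboFix log."""
    created, findings = {}, []
    for line in combofix_text.splitlines():
        line = line.strip()
        if (m := CREATED_RE.match(line)):
            when, path = datetime.strptime(m.group(1), '%Y-%m-%d %H:%M'), m.group(3)
            created[path.lower()] = when
            if timedelta(0) <= scan_time - when <= RECENT:   # the helper's "brand-new file" rule
                kind = 'RecentDir' if m.group(2) == '<DIR>' else 'RecentFile'
                findings.append((kind, path, f'created {when:%Y-%m-%d %H:%M}, shortly before the scan'))
        elif (m := DRIVER_RE.match(line)):
            findings.append(('Driver', f'{m.group(1)}|{m.group(2)}', 'service whose binary ComboFix could not read'))
        elif line.startswith('\\Shell\\AutoRun\\command - '):
            findings.append(('Autorun', line.split(' - ', 1)[1], 'MountPoints2 autorun handler (USB worm pattern)'))
        elif line == '"AntiVirusDisableNotify"=dword:00000001':
            findings.append(('Policy', 'AntiVirusDisableNotify', 'Security Center antivirus warnings suppressed'))
        elif line.startswith('"EnableFirewall"= 0'):
            findings.append(('Policy', 'EnableFirewall', 'Windows Firewall switched off'))
    for line in hjt_text.splitlines():
        line = line.strip()
        if (m := O4_RE.match(line)):
            path = target_of(m.group(3))
            when = created.get(path.lower())
            if when is not None and scan_time - when <= RECENT:
                findings.append(('Run', f'{m.group(1)}|{m.group(2)}', f'{path} was created {when:%Y-%m-%d %H:%M}'))
            elif '\\temp\\' in path.lower():
                findings.append(('Run', f'{m.group(1)}|{m.group(2)}', f'{path} starts from a Temp directory'))
        elif line[:2] in ('O2', 'O3') and line.endswith('- (no file)'):
            findings.append(('Orphan', line.split(' - ')[2], 'BHO/toolbar registration whose DLL is gone'))
        elif (m := O17_RE.match(line)):
            findings.append(('DNS', m.group(1), 'NameServer set explicitly; confirm these are the ISP resolvers'))
    return findings


def build_cfscript(findings):
    """Render findings as the File::/Folder::/Driver::/Registry:: sections ComboFix reads from CFScript.txt."""
    files = [s for k, s, _ in findings if k == 'RecentFile']
    files += [s.split('|', 1)[1] for k, s, _ in findings if k == 'Driver']
    files += [s for k, s, _ in findings if k == 'Autorun' and re.match(r'[A-Za-z]:\\', s)]
    folders = [s for k, s, _ in findings if k == 'RecentDir']
    drivers = [s.split('|', 1)[0] for k, s, _ in findings if k == 'Driver']
    registry = []
    for k, s, _ in findings:
        if k == 'Run':
            hive, name = s.split('|', 1)
            registry += [f'[{RUN_KEYS[hive]}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]', f'"{name}"=-']
    if any(k == 'Autorun' for k, _, _ in findings):
        registry.append('[-HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer\\mountpoints2]')
    sections = [('File::', files), ('Folder::', folders), ('Driver::', drivers), ('Registry::', registry)]
    return '\n\n'.join(f'{head}\n' + '\n'.join(body) for head, body in sections if body) + '\n'


if __name__ == '__main__':
    found = triage(HJT_LOG, COMBOFIX_LOG)
    for kind, subject, reason in found:
        print(f'{kind:<10} {subject}  ({reason})')
    print(build_cfscript(found))
```

Run as-is, it prints the findings and a CFScript whose File::, Driver:: and Registry:: entries match the helper's script above; the avast!, P17Helper and USBSTOR lines pass without a finding, and xfcodec.dll, created sixteen days earlier, stays below the threshold. The O17 resolvers and the orphaned BHO are reported but deliberately kept out of the CFScript, since neither can be judged from the log alone. The ISP's DNS addresses have to be checked out of band, and the relative `ntde1ect.com` handler is only removed through the mountpoints2 key, not as a file.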
kwik1 (author) - comment - 12 September 2008

The computer isn't going crazy any more, no pages open by themselves and I don't get that famous "balloon". I did the drag-and-drop thing, only that little file somehow disappeared on me. Oh, and thanks for the help. Cheers.
Guest - comment - 12 September 2008

Post the log from the removal! It should be in: C:\ComboFix.txt
kwik1 (author) - comment - 12 September 2008

"Post the log from the removal! It should be in: C:\ComboFix.txt"

ComboFix 08-09-11.02 - bartek 2008-09-12 18:05:55.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.82 [GMT 2:00]
Run from: E:\ComboFix.exe
Command switches used :: E:\CFScript.txt
* Created a new restore point
WARNING - THIS COMPUTER DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Removed )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Dane aplikacji\cfofqjaf
C:\Program Files\SAV
C:\Program Files\SAV\sav.cpl
C:\Program Files\SAV\sav0.dat
C:\Program Files\SAV\sav1.dat
C:\Temp\{871ce3c5-6e97-3363-a174-3208198ce6fd}
C:\Temp\{871ce3c5-6e97-3363-a174-3208198ce6fd}\chrome.manifest
C:\Temp\{871ce3c5-6e97-3363-a174-3208198ce6fd}\chrome\su.jar
C:\Temp\{871ce3c5-6e97-3363-a174-3208198ce6fd}\install.rdf
C:\Temp\{871ce3c5-6e97-3363-a174-3208198ce6fd}\su.reg
C:\WINDOWS\system32\mxevydmp.exe
C:\WINDOWS\system32\sav.cpl
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_GUSBSTOI
-------\Service_gUSBSTOi

((((((((((((((((((((((((( Files created from 2008-08-12 to 2008-09-12 )))))))))))))))))))))))))))))))
.
2008-09-12 18:02 . 2008-09-12 18:07 <DIR> d--h----- C:\Documents and Settings\Administrator\Ustawienia lokalne
2008-09-12 18:02 . 2007-03-10 19:10 <DIR> d-------- C:\Documents and Settings\Administrator\Ulubione
2008-09-12 18:02 . 2007-03-10 18:20 <DIR> d--h----- C:\Documents and Settings\Administrator\Szablony
2008-09-12 18:02 . 2007-03-10 19:10 <DIR> d-------- C:\Documents and Settings\Administrator\Pulpit
2008-09-12 18:02 . 2007-03-10 19:10 <DIR> d-------- C:\Documents and Settings\Administrator\Moje dokumenty
2008-09-12 18:02 . 2007-03-10 19:10 <DIR> dr------- C:\Documents and Settings\Administrator\Menu Start
2008-09-12 18:02 . 2007-03-10 19:10 <DIR> dr-h----- C:\Documents and Settings\Administrator\Dane aplikacji
2008-09-12 18:02 . 2008-09-12 18:02 <DIR> d-------- C:\Documents and Settings\Administrator
2008-09-12 17:52 . 2008-09-12 17:52 36,864 --a------ C:\Temp\ATF-Cleaner.exe
2008-09-07 17:34 . 2008-09-07 17:34 <DIR> d-------- C:\Documents and Settings\Pablo\Dane aplikacji\DataLayer
2008-09-07 17:30 . 2008-09-08 17:59 <DIR> d-------- C:\Documents and Settings\Pablo\Phone Browser
2008-09-07 17:25 . 2008-09-11 13:46 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-09-07 17:25 . 2008-09-07 17:25 1,409 --a------ C:\WINDOWS\QTFont.for
2008-09-07 17:24 . 2008-09-07 17:24 <DIR> d-------- C:\Program Files\DIFX
2008-09-07 17:24 . 2008-09-07 17:24 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\PC Suite
2008-09-07 17:22 . 2008-09-07 17:22 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2008-09-07 17:22 . 2008-09-07 17:22 <DIR> d-------- C:\Program Files\Common Files\Nokia
2008-09-02 23:50 . 2008-09-03 00:15 600 --a------ C:\WINDOWS\Rtcw.INI
2008-08-27 23:03 . 2008-08-27 23:03 42,320 --a------ C:\WINDOWS\system32\xfcodec.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-12 10:10 43,520 -c--a-w C:\WINDOWS\system32\CmdLineExt03.dll
2008-09-11 21:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-11 17:53 --------- d-----w C:\Documents and Settings\bartek\Dane aplikacji\BitTorrent
2008-09-11 15:24 138,056 -c--a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-09-11 15:23 111,928 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-09-07 21:27 --------- d-----w C:\Program Files\Winamp
2008-09-07 20:35 --------- d-----w C:\Program Files\Soulseek
2008-09-07 15:24 --------- d-----w C:\Documents and Settings\Pablo\Dane aplikacji\PC Suite
2008-09-07 15:09 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Installations
2008-09-06 13:23 --------- d-----w C:\Documents and Settings\bartek\Dane aplikacji\DNA
2008-09-06 13:08 --------- d-----w C:\Program Files\DNA
2008-09-04 16:09 --------- d-----w C:\Documents and Settings\Pablo\Dane aplikacji\Xfire
2008-08-11 12:13 --------- d-----w C:\Documents and Settings\bartek\Dane aplikacji\Black Sea Studios
2008-08-08 22:08 --------- d-----w C:\Program Files\Java
2008-07-30 19:58 --------- d-----w C:\Program Files\DAEMON Tools Toolbar
2008-07-30 14:55 717,296 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-07-30 14:55 --------- d-----w C:\Documents and Settings\Pablo\Dane aplikacji\DAEMON Tools
2008-07-23 20:52 98,304 -c--a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-07-23 20:52 --------- d--h--r C:\Documents and Settings\bartek\Dane aplikacji\SecuROM
2008-07-21 13:34 --------- d-----w C:\Documents and Settings\Pablo\Dane aplikacji\gtk-2.0
2008-07-18 15:27 --------- d-----w C:\Documents and Settings\Pablo\Dane aplikacji\BESTplayer
2008-06-04 15:34 22,328 -c--a-w C:\Documents and Settings\Pablo\Dane aplikacji\PnkBstrK.sys
2008-04-17 15:20 32 -c--a-w C:\Documents and Settings\All Users\Dane aplikacji\ezsid.dat
2001-11-23 04:08 712,704 -c--a-w C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
2000-12-31 12:52 6,154 -c--a-w C:\Program Files\license.txt
.
((((((((((((((((((((((((((((( snapshot@2008-09-12_17.47.24.89 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 18:02:28 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
+ 2008-09-12 16:09:21 16,384 ----atw C:\WINDOWS\temp\Perflib_Perfdata_528.dat
.
((((((((((((((((((((((((((((((((((((( Registry startup entries ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries and default, legitimate entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2008-03-20 2127296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [2002-04-26 102400]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"CTSysVol"="C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 90112]
"QuickTime Task"="C:\Program Files\QuickTime Alternative\QTTask.exe" [2007-10-19 286720]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"PCSuiteTrayApplication"="D:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE" [2006-04-07 237568]
"P17Helper"="P17.dll" [2005-05-03 C:\WINDOWS\system32\P17.dll]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll
"VIDC.XFR1"= xfcodec.dll
"VIDC.YV12"= yv12vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupre\NeroCheck]
--a--c--- 2001-07-09 12:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"E:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\BitTorrent\\BitTorrent.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"24965:TCP"= 24965:TCP:BitComet 24965 TCP
"24965:UDP"= 24965:UDP:BitComet 24965 UDP

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 78416]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 20560]
S3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
.
Contents of the 'Scheduled Tasks' folder
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-12 18:10:09
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other running processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
.
**************************************************************************
.
Completion time: 2008-09-12 18:14:23 - the machine was restarted
ComboFix-quarantined-files.txt 2008-09-12 16:14:15
ComboFix2.txt 2008-09-12 16:06:15
ComboFix3.txt 2008-09-12 15:48:01

Pre-Run: 895,729,664 bytes free
Post-Run: 836,943,872 bytes free

168

// Is it really that hard to put the log in CODE tags?
// Do this once more and you get a +10% warn.
// jesiona
Guest - comment - 12 September 2008

Delete the C:\Qoobox folder by hand. Delete the ComboFix installer from the disk. Tidy up the startup list. Clean the computer with CCleaner. Turn System Restore off and back on for all drives (see the instructions). Scan the "My Computer" area with http://www.kaspersky.pl/virusscanner.html (run it through IE) and post its report on the forum, or use Dr.WEB CureIt!.