Girolamo, posted 9 October 2008

Hello, it's me again. And again I have a problem with my computer. This time I have a virus on the PC that my antivirus unfortunately does not find. Shortcuts with erotic themes keep "appearing" on my desktop, along with some supposed antivirus called "micro AV", which I think is itself a virus. I don't know how to remove it :/ Please help.

ComboFix log:
And the HijackThis log:
Thanks in advance.
Mateusz J., comment, 10 October 2008

Paste into Notepad:

File::
H:\Documents and Settings\Michał\nkp2.exe
H:\Documents and Settings\Adam\nkp2.exe
H:\WINDOWS\system32\2.ico
H:\WINDOWS\system32\rs32net.exe
H:\WINDOWS\system32\drivers\fd63ca1e.sys
H:\WINDOWS\system32\winzdn32.dll
H:\WINDOWS\system32\MicroAV.cpl
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\win32.exe

Folder::
H:\Program Files\MicroAV
H:\Program Files\PCHealthCenter

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"\YUR28.exe"=-
"\YUR29.exe"=-
"\YUR2A.exe"=-
"\YUR2B.exe"=-
"\YUR59.exe"=-
"\YUR5A.exe"=-
"\YUR5B.exe"=-
"\YUR67.exe"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"\YUR28.exe"=-
"\YUR29.exe"=-
"\YUR2A.exe"=-
"\YUR2B.exe"=-
"\YUR3C.exe"=-
"\YUR3D.exe"=-
"\YUR3E.exe"=-
"\YUR3F.exe"=-
"\YUR59.exe"=-
"\YUR5A.exe"=-
"\YUR5B.exe"=-
"\YUR67.exe"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{28abc5c0-4fcb-11cf-aax5-81cx1c635612}]

In Notepad: File menu ==> Save As ==> save it under the name CFScript.txt, in the same directory where ComboFix was downloaded and saved. Drag the CFScript.txt file you made onto the ComboFix icon, as in the picture: The removal will start and a log will be produced, which you then post on the forum.
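As an added example for this thread (not code from the poster, the helper, ComboFix or HijackThis), the triage a defender would run over the O4 Run-key lines of a HijackThis log before writing a CFScript, producing the Registry:: block in the same syntax as the reply above; the sample lines and the three heuristics (a value name starting with a backslash, a Windows directory on a drive other than the system drive, the same value planted in both HKLM and HKCU) are this example's own assumptions.

```python
"""Triage HijackThis O4 (Run-key) lines and emit the CFScript Registry:: block
that deletes the flagged values. Added example for this thread, not code from
the poster, the helper, ComboFix or HijackThis; sample lines are constructed
after the thread's (system drive H:), heuristics are this example's assumptions."""
import re

# Constructed sample modelled on the O4 lines quoted in the thread.
SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [sunkist2k] H:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [avgnt] "E:\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [\YUR28.exe] C:\Windows\system32\YUR28.exe
O4 - HKLM\..\Run: [\YUR3C.exe] C:\Windows\system32\YUR3C.exe
O4 - HKCU\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [\YUR28.exe] C:\Windows\system32\YUR28.exe
O4 - HKCU\..\Run: [\YUR67.exe] C:\Windows\system32\YUR67.exe
""".strip().splitlines()

O4_RE = re.compile(r"^O4 - (HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
RUN_KEYS = {  # full key names in the form the CFScript Registry:: section uses
    "HKLM": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKCU": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
}

def _exe_path(rest):
    """Drop command-line switches: a quoted path, or text up to the executable extension."""
    rest = rest.strip()
    if rest.startswith('"'):
        end = rest.find('"', 1)
        return rest[1:end] if end > 0 else rest[1:]
    m = re.match(r"(.*?\.(?:exe|dll|cpl|scr|bat|cmd))(?:\s|$)", rest, re.I)
    return m.group(1) if m else rest

def parse_o4(line):
    """Return {'hive', 'name', 'target'} for an O4 Run line, or None for anything else."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    hive, name, rest = m.groups()
    return {"hive": hive, "name": name, "target": _exe_path(rest)}

def suspicious_reasons(entry, system_drive, name_hives):
    """Heuristics (assumed, not a published rule set) drawn from what the thread's log shows."""
    reasons = []
    name, target = entry["name"], entry["target"]
    if name.startswith("\\"):          # legitimate installers do not name Run values "\foo.exe"
        reasons.append("value name starts with a backslash")
    drive = target[:2].upper() if re.match(r"[A-Za-z]:", target) else ""
    if drive and drive != system_drive.upper() and "\\windows\\" in target.lower():
        reasons.append(f"Windows directory on {drive} but the system drive is {system_drive.upper()}")
    if len(name_hives[name.lower()]) > 1:   # same value planted per-user and per-machine
        reasons.append("same value name in " + " and ".join(sorted(name_hives[name.lower()])))
    return reasons

def flag_entries(lines, system_drive="H:"):
    """Parse all O4 lines and return those with at least one reason, in log order."""
    entries = [e for e in map(parse_o4, lines) if e]
    name_hives = {}
    for e in entries:
        name_hives.setdefault(e["name"].lower(), set()).add(e["hive"])
    flagged = [dict(e, reasons=suspicious_reasons(e, system_drive, name_hives)) for e in entries]
    return [e for e in flagged if e["reasons"]]

def build_cfscript_registry(lines, system_drive="H:"):
    """Registry:: block in CFScript syntax: "name"=- deletes that value under the listed key."""
    per_key = {}
    for e in flag_entries(lines, system_drive):
        key = RUN_KEYS.get(e["hive"])
        if key is None:  # HKUS\<SID> entries need a per-SID key; left for manual review
            continue
        per_key.setdefault(key, []).append(e["name"])
    out = ["Registry::"]
    for key in RUN_KEYS.values():
        if key in per_key:
            out.append(f"[{key}]")
            out.extend(f'"{n}"=-' for n in per_key[key])
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    for e in flag_entries(SAMPLE_O4):
        print(f'{e["hive"]} [{e["name"]}] {e["target"]}: {"; ".join(e["reasons"])}')
    print(build_cfscript_registry(SAMPLE_O4))
```

The File:: and Folder:: sections still have to be written by hand from the paths the flagged values point at.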