Mateusz J., comment, 13 January 2009

The log is not clean. Please download the ComboFix program. Paste the following into Notepad:

File::
C:\Users\Mati\AppData\Local\Temp\~tmpb.exe

Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Cognac"=-

In Notepad, go to File ==> Save As ==> save it under the name CFScript.txt, in the same folder where ComboFix was downloaded and saved. Drag the CFScript.txt file you created onto the ComboFix icon, as shown in the picture: The removal will start and a log will be created, which you then post on the forum.
matt09 (author), comment, 13 January 2009

ComboFix 09-01-11.04 - Mati 2009-01-13 15:26:59.1 - NTFSx86
Microsoft® Windows Vista® Home Basic 6.0.6001.1.1250.1.1045.18.1788.805 [GMT 1:00]
Uruchomiony z: c:\users\Mati\Desktop\ComboFix.exe
Użyto następujących komend :: c:\users\Mati\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1229 [VPS 090112-0] *On-access scanning disabled* (Outdated)
FILE ::
c:\users\Mati\AppData\Local\Temp\~tmpb.exe

[remainder of the pasted ComboFix log omitted]
Here is the log from ComboFix. What did I actually do? What was that temp file? In one of the logs a few entries appeared:

"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler" -> {HKLM...CLSID} = "NeroDigitalIconHandler Class" \InProcServer32\(Default) = "C:\Program Files\Common Files\Nero\Lib\NeroDigitalExt.dll" [file not found]
"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler" -> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class" \InProcServer32\(Default) = "C:\Program Files\Common Files\Nero\Lib\NeroDigitalExt.dll" [file not found]
HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler" -> {HKLM...CLSID} = "NeroDigitalColumnHandler Class" \InProcServer32\(Default) = "C:\Program Files\Common Files\Nero\Lib\NeroDigitalExt.dll" [file not found]

and I don't have Nero anymore. So this can be removed, right? How? Can it be done with these programs?
Mateusz J., comment, 13 January 2009

Paste the following into Notepad:

File::
c:\windows\System32\rpcnetp.exe
c:\windows\snuvcdsm.exe
c:\windows\System32\rpcnetp.dll

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{B327765E-D724-4347-8B16-78AE18552FC3}"=-
"{7F1CF152-04F8-453A-B34C-E609530A9DC8}"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{7D4D6379-F301-4311-BEBA-E26EB0561882}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"=-

In Notepad, go to File ==> Save As ==> save it under the name CFScript.txt, in the same folder where ComboFix was downloaded and saved. Drag the CFScript.txt file you created onto the ComboFix icon, as shown in the picture: The removal will start and a log will be created, which you then post on the forum.

c:\windows\System32\agremove.exe
Scan this file at www.virustotal.com.

"What was that temp file?"
It was a virus.
matt09 (author), comment, 13 January 2009

ComboFix 09-01-13.03 - Mati 2009-01-13 22:17:56.2 - NTFSx86
Microsoft® Windows Vista® Home Basic 6.0.6001.1.1250.1.1045.18.1788.931 [GMT 1:00]
Uruchomiony z: c:\users\Mati\Desktop\ComboFix.exe
Użyto następujących komend :: c:\users\Mati\Desktop\CFScript.txt.txt
AV: avast! antivirus 4.8.1229 [VPS 090112-0] *On-access scanning disabled* (Outdated)
FILE ::
c:\windows\snuvcdsm.exe
c:\windows\System32\rpcnetp.dll
c:\windows\System32\rpcnetp.exe
.
((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\System32\rpcnetp.dll
c:\windows\System32\rpcnetp.exe
.

[remainder of the pasted ComboFix log omitted]
ASWLNPkg[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]@="Driver"[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]"{8FF4C037-60F8-4ACC-958B-95ACBE08AAD1}"= Disabled:TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook"{C8580636-522A-4FD4-A9E8-5D37D6DB6E31}"= Profile=Private|c:\program files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)"{19C7D1E9-E6A8-40B2-A068-23D63F95277C}"= c:\program files\Skype\Phone\Skype.exe:Skype"{A2D46B8F-34B7-4370-95B0-A733E4FFF49B}"= Disabled:UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove"{F944B73E-C422-4030-B003-C30BC5DAF669}"= Disabled:TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove"{75F99CEC-4553-4F59-BD14-23CB99E84AF6}"= Disabled:UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote"{C9B7574C-8C8B-43EF-A69A-165FEEDD9C6F}"= Disabled:TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote"{90017406-B597-47B2-AFC3-670F177B0F57}"= UDP:c:\program files\Avast4\ashAvast.exe:avast! Antivirus"{B25056A9-8A35-418A-A63A-580998DDB49A}"= TCP:c:\program files\Avast4\ashAvast.exe:avast! 
Antivirus"{629C5DB3-3847-42A0-A931-6E6EB2FFB5F7}"= Disabled:c:\program files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)"TCP Query User{69A5D986-304D-47BC-8D34-5F799C4D0817}c:\\program files\\gadu-gadu\\gg.exe"= UDP:c:\program files\gadu-gadu\gg.exe:Gadu-Gadu - program główny"UDP Query User{E9F1977E-87C9-41A5-A37C-15046C21E69C}c:\\program files\\gadu-gadu\\gg.exe"= TCP:c:\program files\gadu-gadu\gg.exe:Gadu-Gadu - program główny"{3309F1EE-F0C6-4E75-85E6-F2610A128BF5}"= UDP:c:\program files\uTorrent\uTorrent.exe:?Torrent (TCP-In)"{2A040BF0-0C68-4CA4-82FF-570E295AB9DD}"= TCP:c:\program files\uTorrent\uTorrent.exe:?Torrent (UDP-In)"TCP Query User{2787542F-2E0C-49F8-AE4D-A4C842C29C06}c:\\users\\mati\\desktop\\utorrent.exe"= UDP:c:\users\mati\desktop\utorrent.exe:utorrent.exe"UDP Query User{7127BB83-76E0-4D76-9075-6B73595057DC}c:\\users\\mati\\desktop\\utorrent.exe"= TCP:c:\users\mati\desktop\utorrent.exe:utorrent.exe"{089E3B53-BF9E-4100-A59B-210594D26FCD}"= UDP:c:\program files\BMW M3 Challenge\BMW.exe:BMW M3 Challenge"{ADC196C7-A91E-49E7-86F0-D4C87A344951}"= TCP:c:\program files\BMW M3 Challenge\BMW.exe:BMW M3 Challenge"TCP Query User{28036EE9-4CDD-4338-8317-35A460656220}c:\\program files\\pakoon! 2.many unlimited 2009\\pakoon2.exe"= UDP:c:\program files\pakoon! 2.many unlimited 2009\pakoon2.exe:downhill Pakoon2.MANY unlimited 2009"UDP Query User{940F03D9-3473-4F75-8F85-639FAD508812}c:\\program files\\pakoon! 2.many unlimited 2009\\pakoon2.exe"= TCP:c:\program files\pakoon! 
2.many unlimited 2009\pakoon2.exe:downhill Pakoon2.MANY unlimited 2009"TCP Query User{5330056E-A6FA-484E-BCFF-AE45F5EF2424}c:\\users\\mati\\desktop\\racer\\racer.exe"= Disabled:UDP:c:\users\mati\desktop\racer\racer.exe:racer.exe"UDP Query User{B42E727B-8BE2-40B9-8A35-9B3D442DF31D}c:\\users\\mati\\desktop\\racer\\racer.exe"= Disabled:TCP:c:\users\mati\desktop\racer\racer.exe:racer.exe"TCP Query User{52079A71-8DDB-48D9-8DE0-E0EB97CED74F}c:\\program files\\call of duty 4 - modern warfare\\iw3mp.exe"= UDP:c:\program files\call of duty 4 - modern warfare\iw3mp.exe:iw3mp"UDP Query User{FDA1CBFB-4925-4D75-AF05-0BEBF523A3CA}c:\\program files\\call of duty 4 - modern warfare\\iw3mp.exe"= TCP:c:\program files\call of duty 4 - modern warfare\iw3mp.exe:iw3mp"TCP Query User{3185C8F7-AE0B-42FC-877A-7040D94B1989}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox"UDP Query User{E61BD3AD-3B7F-4E82-BE17-2D7D378D15AA}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox"TCP Query User{FEE579E2-F8A6-45A6-91E8-C78C230CE2EF}h:\\need for speed most wanted\\speed.exe"= UDP:h:\need for speed most wanted\speed.exe:speed"UDP Query User{F9131E77-058F-4445-AB5B-2D1E5B74988F}h:\\need for speed most wanted\\speed.exe"= TCP:h:\need for speed most wanted\speed.exe:speed"TCP Query User{1D1FE6A5-8CF7-4627-BE5D-29F566039310}c:\\users\\mati\\desktop\\need for speed most wanted\\speed.exe"= UDP:c:\users\mati\desktop\need for speed most wanted\speed.exe:speed.exe"UDP Query User{163F5F66-4E16-40F0-83FA-B30A627EA991}c:\\users\\mati\\desktop\\need for speed most wanted\\speed.exe"= TCP:c:\users\mati\desktop\need for speed most wanted\speed.exe:speed.exe"{E35BE780-B9E4-4961-ADEA-FBCB2322AF07}"= UDP:c:\program files\Activision\Call of Duty - World at War\CoDWaWmp.exe:Call of Duty? 
- World at War"{2243EB5F-B192-42F6-972F-530BCD032FE2}"= TCP:c:\program files\Activision\Call of Duty - World at War\CoDWaWmp.exe:Call of Duty? - World at War"{F7B358CB-C1BB-4799-9EA7-B248AC5A6192}"= UDP:c:\program files\Activision\Call of Duty - World at War\CoDWaW.exe:Call of Duty? - World at War"{EA61D922-1F4F-4570-8F4A-1948080F844C}"= TCP:c:\program files\Activision\Call of Duty - World at War\CoDWaW.exe:Call of Duty? - World at War"{19BEA0FB-93F2-47FD-8FDB-FC279A021E4E}"= UDP:c:\program files\Call of Duty 4 - Modern Warfare\iw3mp.exe:Call of Duty? 4 - Modern Warfare "{529F416A-BA59-481D-8E98-549BD34F7B07}"= TCP:c:\program files\Call of Duty 4 - Modern Warfare\iw3mp.exe:Call of Duty? 4 - Modern Warfare "TCP Query User{EABE483A-9F42-48BE-8BC6-86BC731F4C00}c:\\users\\public\\documents\\call ofduty4\\iw3mp.exe"= UDP:c:\users\public\documents\call ofduty4\iw3mp.exe:iw3mp"UDP Query User{6D08F592-17EF-403F-B912-5A2B290A57A1}c:\\users\\public\\documents\\call ofduty4\\iw3mp.exe"= TCP:c:\users\public\documents\call ofduty4\iw3mp.exe:iw3mp"TCP Query User{97F7E60E-6498-47EE-98C2-242174953130}c:\\users\\mati\\documents\\cod4\\call ofduty4\\iw3mp.exe"= UDP:c:\users\mati\documents\cod4\call ofduty4\iw3mp.exe:iw3mp.exe"UDP Query User{950E3B7D-12D8-4D9C-A7B5-8C929F36B5E5}c:\\users\\mati\\documents\\cod4\\call ofduty4\\iw3mp.exe"= TCP:c:\users\mati\documents\cod4\call ofduty4\iw3mp.exe:iw3mp.exe"TCP Query User{51CC22D3-75E8-4587-94A7-A537ABB1C445}c:\\program files\\need for speed most wanted\\speed.exe"= UDP:c:\program files\need for speed most wanted\speed.exe:speed"UDP Query User{A3CF35CB-E462-472D-8C01-CE8B9676B80F}c:\\program files\\need for speed most wanted\\speed.exe"= TCP:c:\program files\need for speed most wanted\speed.exe:speed"TCP Query User{DCE33DC9-3AFC-45C5-8D32-A7B65DD1FAA9}c:\\users\\mati\\desktop\\skróty\\utorrent.exe"= UDP:c:\users\mati\desktop\skróty\utorrent.exe:utorrent.exe"UDP Query 
User{724BEC31-DD29-4794-A3E7-2901F10937CC}c:\\users\\mati\\desktop\\skróty\\utorrent.exe"= TCP:c:\users\mati\desktop\skróty\utorrent.exe:utorrent.exe"TCP Query User{FEA5C66A-FC93-4141-9D03-820519B2B4A0}c:\\program files\\opera\\opera.exe"= UDP:c:\program files\opera\opera.exe:Opera Internet Browser"UDP Query User{70EBC72A-8F7B-485C-8490-53D2FECC5F62}c:\\program files\\opera\\opera.exe"= TCP:c:\program files\opera\opera.exe:Opera Internet Browser"TCP Query User{08CC3F67-D093-4CE1-A7E3-5879198DE0E5}c:\\program files\\electronic arts\\need for speed prostreet\\online\\bombd.exe"= UDP:c:\program files\electronic arts\need for speed prostreet\online\bombd.exe:bombd"UDP Query User{E9B245A8-1D7D-4862-93D6-63B2CE78F88B}c:\\program files\\electronic arts\\need for speed prostreet\\online\\bombd.exe"= TCP:c:\program files\electronic arts\need for speed prostreet\online\bombd.exe:bombd"TCP Query User{61783951-F0B4-451E-A3F4-B3D06D80F93C}c:\\program files\\opera\\opera.exe"= UDP:c:\program files\opera\opera.exe:Opera Internet Browser"UDP Query User{7236DFA3-299F-4C84-8BDF-A7053A09BFB2}c:\\program files\\opera\\opera.exe"= TCP:c:\program files\opera\opera.exe:Opera Internet Browser[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]"DoNotAllowExceptions"= 0 (0x0)R0 SbAlg;SbAlg;c:\windows\System32\drivers\SbAlg.sys [2008-05-30 51376]R0 SbFsLock;SbFsLock;c:\windows\System32\drivers\SbFsLock.sys [2008-05-30 12928]R1 aswSP;avast! 
Self Protection;c:\windows\System32\drivers\aswSP.sys [2008-10-06 78416]R1 RsvLock;RsvLock;c:\windows\System32\drivers\rsvlock.sys [2008-05-30 12496]R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-06-23 193840]R4 accoca;ActivClient Middleware Service;c:\program files\ActivIdentity\ActivClient\accoca.exe [2007-05-16 182576]R4 ASBroker;Logon Session Broker;c:\windows\System32\svchost.exe -k Cognizance [2008-01-21 21504]R4 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [2008-01-21 21504]R4 aswFsBlk;aswFsBlk;c:\windows\System32\drivers\aswFsBlk.sys [2008-10-06 20560]R4 aswMonFlt;aswMonFlt;c:\windows\System32\drivers\aswMonFlt.sys [2008-10-06 51280]R4 HP ProtectTools Service;HP ProtectTools Service;c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTChangeFilterService.exe [2008-06-02 18944]R4 HpFkCryptService;Drive Encryption Service;c:\program files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [2008-05-30 256512]R4 HPFSService;File Sanitizer for HP ProtectTools;c:\program files\Hewlett-Packard\File Sanitizer\HPFSService.exe [2008-06-23 77824]R4 hpsrv;HP Service;c:\windows\System32\hpservice.exe [2008-04-07 24880]R4 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [2008-06-23 576024]R4 rpcnetp;rpcnetp; [x]S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\System32\drivers\b57nd60x.sys [2008-01-21 179712]S3 CrystalSysInfo;CrystalSysInfo;c:\program files\MediaCoder\SysInfo.sys [2007-09-25 15152]--- Inne Uslugi/Sterowniki w Pamieci ---*Deregistered* - sptd[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvcCognizance REG_MULTI_SZ ASBroker ASChannelHPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12bthsvcs REG_MULTI_SZ 
BthServ[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{11a20698-b7fb-11dd-a63f-0022644b9e68}]\shell\AutoRun\command - G:\wdsync.exe[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{26dcdc1a-a032-11dd-8cd5-0022644b9e68}]\shell\AutoRun\command - G:\Autorun.exe[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bffe4601-a4ec-11dd-b6de-0022644b9e68}]\shell\AutoRun\command - h:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\lin32.exe\shell\open\command - h:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\lin32.exe[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]"c:\program files\Common Files\LightScribe\LSRunOnce.exe".Zawartość folderu 'Zaplanowane zadania'2009-01-05 c:\windows\Tasks\HPCeeScheduleForMati.job- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2007-09-21 23:07]..------- Skan uzupełniający -------.uStart Page = about:blankmStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=pl_pl&c=83&bd=all&pf=cmnb.**************************************************************************catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2009-01-13 22:26:34Windows 6.0.6001 Service Pack 1 NTFSskanowanie ukrytych procesów ... skanowanie ukrytych wpisów autostartu ...skanowanie ukrytych plików ... 
On top of that, at startup ActivClient... accrdsub.exe complains that it cannot find ackpbsc.dll. Unfortunately there is no such file available for download in the DLL databases :/ agremove.exe -> after checking, all that came up was: Plik został już przeskanowany: MD5: 9f2457cd8ec5e60ae852bf333385f2ac First received: 2007.09.14 20:56:44 (CET) Data: 2009.01.02 03:39:41 (CET) [>11D] Wyniki: 1/38. Panda flagged it as a suspicious file.
Mateusz J. comment 14 January 2009 Look for the file ackpbsc.dll in the folder c:\QooBox\Quarantine. Then cut the file and paste it into c:\windows\System32
matt09 comment 14 January 2009 Author Unfortunately, in c:\QooBox\Quarantine there is none of the files the system complains about. There are only 2 with the added ".vir" extension; I understand those are not to be touched... For now I have removed the ActivClient service from autostart. I searched another HP computer with Vista for my missing files, but without success... The only traces are the zipped files in the Recover folder of Spybot S&D... are those the files damaged by the virus? Maybe the missing pieces could be recovered from them??
Mateusz J. comment 15 January 2009 accrdsub.exe.vir: is there such a file there? If so, remove the .vir suffix and move the file to c:\windows\System32
matt09 comment 15 January 2009 Author Unfortunately not. The only files there are "rpcnetp.exe.vir" and rpcnetp.dll.vir. I have no idea where they came from...
Mateusz J. comment 15 January 2009 ahmm.. silly me, is there a file ackpbsc.dll.vir there? If not, reinstall the software. The log is clean.
matt09 comment 15 January 2009 Author There isn't. If I remember correctly, I deleted that file with Spybot; when I restore the file from within that program, it shows up as an error during the next scan... and so on, round and round.