slavok

My logs


Well, for some time now I've been struggling with some junk that pops up in Explorer as soon as I go online... (I use FF)

(some damned thing keeps trying to open this page: http://pl.errorsafe.com/download/2006/index.php - and a prompt pops up saying the system may be at risk...) I scanned the system with AdAware, I have Avast installed, I scanned with AntiSpyWare Doctor, I ran XP Repair PRO... all of that removed a bunch of crud, but the windows still pop up and I don't know how to deal with it....

 

Here is the LOG:

 

Logfile of HijackThis v1.99.1
Scan saved at 11:39:08, on 2007-06-07
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\DAEMON Tools\daemon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\kxmixer.exe
C:\Program Files\InkSaver\InkSaver.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MICROS~3\wcescomm.exe
C:\Program Files\Kalendarz XP\Kalendarz.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Kerio\Personal Firewall\persfw.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Wapster\AQQ\AQQ.exe
C:\Program Files\The Bat!\thebat.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\slavOK\Pulpit\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [kX Mixer] C:\WINDOWS\system32\kxmixer.exe --startup
O4 - HKLM\..\Run: [InkSaver] C:\Program Files\InkSaver\InkSaver.exe hide
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\dhqbdalw.dll",realset
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~3\wcescomm.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Kalendarz XP.lnk = C:\Program Files\Kalendarz XP\Kalendarz.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Utwórz łącze Ulubione dla urządzenia przenośnego... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

e.g. just now this address opened by itself in FF:

http://89.188.16.10/trafc-2/rfe.php?cmp=wa...amp;lid=soft%3E

 

 

and here's the log from SR too

 


 

"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"H/PC Connection Agent" = ""C:\PROGRA~1\MICROS~3\wcescomm.exe"" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"DAEMON Tools" = ""C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033" ["DT Soft Ltd."]
"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" ["ALWIL Software"]
"kX Mixer" = "C:\WINDOWS\system32\kxmixer.exe --startup" ["Eugene Gavrilov"]
"InkSaver" = "C:\Program Files\InkSaver\InkSaver.exe hide" ["Strydent Software, Inc."]
"Picasa Media Detector" = "C:\Program Files\Picasa2\PicasaMediaDetector.exe" ["Google Inc."]
"ApachInc" = "rundll32.exe "C:\WINDOWS\system32\dhqbdalw.dll",realset" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "AcroIEHlprObj Class"
                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{12E82C5F-5308-445D-B5A0-C00F045FB616}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\vtsqn.dll" [null data]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "SSVHelper Class"
                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll" ["Sun Microsystems, Inc."]
{92A444D2-F945-4dd9-89A1-896A6C2D8D22}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\crtkpyeg.dll" [null data]
{B71FA585-B351-4E48-8DA8-22F6F705EC73}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\gebayxu.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
  -> {HKLM...CLSID} = "DesktopContext Class"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
  -> {HKLM...CLSID} = "NVIDIA CPL Extension"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
  -> {HKLM...CLSID} = "Desktop Explorer"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
  -> {HKLM...CLSID} = "nView Desktop Context Menu"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{453D1B6D-BD6A-4FA1-B876-9E4DD848D434}" = "AQQ File Transfer Shell Extension"
  -> {HKLM...CLSID} = "AQQ File Transfer Shell Extension"
                   \InProcServer32\(Default) = "C:\PROGRA~1\Wapster\AQQ\System\AQQSHE~1.DLL" [null data]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
  -> {HKLM...CLSID} = "avast"
                   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
"{D7B7A5AE-9D19-4F9E-9C6F-46C82D22D71C}" = "Wyślij na Fotosik.pl"
  -> {HKLM...CLSID} = "Wyślij na Fotosik.pl"
                   \InProcServer32\(Default) = "C:\PROGRA~1\FOTOSI~1\FOTOSI~1.DLL" [null data]
"{E8CF73E1-2D2B-465D-9740-8E85349FD65A}" = "DOPMenu"
  -> {HKLM...CLSID} = "DOPMenu"
                   \InProcServer32\(Default) = "C:\Program Files\DxO Labs\DxO Optics Pro v4\DOPMenu.dll" [null data]
"{AC1DB655-4F9A-4c39-8AD2-A65324A4C446}" = "Autodesk Drawing Preview"
  -> {HKLM...CLSID} = "ACTHUMBNAIL"
                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcThumbnail16.dll" ["Autodesk"]
"{36A21736-36C2-4C11-8ACB-D4136F2B57BD}" = "Ikona obsługi nakładki Podpisów cyfrowych AutoCAD"
  -> {HKLM...CLSID} = "AcSignIcon"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\AcSignIcon.dll" ["Autodesk"]
"{49BF5420-FA7F-11cf-8011-00A0C90A8F78}" = "Mobile Device"
  -> {HKLM...CLSID} = "Urządzenie przenośne"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Wcesview.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{B71FA585-B351-4E48-8DA8-22F6F705EC73}" = "*_" (unwritable string)
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\gebayxu.dll" [null data]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> awvts\DLLName = "C:\WINDOWS\system32\awvts.dll" [file not found]
<<!>> gebayxu\DLLName = "gebayxu.dll" [null data]
<<!>> vtsqn\DLLName = "C:\WINDOWS\system32\vtsqn.dll" [null data]

HKLM\Software\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AQQFileTransfer\(Default) = "{453D1B6D-BD6A-4FA1-B876-9E4DD848D434}"
  -> {HKLM...CLSID} = "AQQ File Transfer Shell Extension"
                   \InProcServer32\(Default) = "C:\PROGRA~1\Wapster\AQQ\System\AQQSHE~1.DLL" [null data]
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
  -> {HKLM...CLSID} = "avast"
                   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
DOPMenu\(Default) = "{E8CF73E1-2D2B-465D-9740-8E85349FD65A}"
  -> {HKLM...CLSID} = "DOPMenu"
                   \InProcServer32\(Default) = "C:\Program Files\DxO Labs\DxO Optics Pro v4\DOPMenu.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
DOPMenu\(Default) = "{E8CF73E1-2D2B-465D-9740-8E85349FD65A}"
  -> {HKLM...CLSID} = "DOPMenu"
                   \InProcServer32\(Default) = "C:\Program Files\DxO Labs\DxO Optics Pro v4\DOPMenu.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
{D7B7A5AE-9D19-4F9E-9C6F-46C82D22D71C}\(Default) = "{D7B7A5AE-9D19-4F9E-9C6F-46C82D22D71C}"
  -> {HKLM...CLSID} = "Wyślij na Fotosik.pl"
                   \InProcServer32\(Default) = "C:\PROGRA~1\FOTOSI~1\FOTOSI~1.DLL" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
  -> {HKLM...CLSID} = "avast"
                   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

Default executables:
--------------------

HKCU\Software\Classes\.scr\(Default) = "AutoCADScriptFile"
<<!>> HKCU\Software\Classes\AutoCADScriptFile\shell\open\command\(Default) = ""C:\WINDOWS\notepad.exe" "%1"" [MS]

Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"DisableRegistryTools" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|System|Prevent access to registry editing tools}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|Devices: Allow undock without having to log on}

Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\slavOK\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Startup items in "slavOK" & "All Users" startup folders:
--------------------------------------------------------

C:\Documents and Settings\slavOK\Menu Start\Programy\Autostart
"Adobe Gamma" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"Kalendarz XP" -> shortcut to: "C:\Program Files\Kalendarz XP\Kalendarz.exe" [null data]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 04, 07 - 20
%SystemRoot%\system32\rsvpsp.dll [MS], 05 - 06

Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Badanie"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC}"
  -> {HKCU...CLSID} = "Java Plug-in 1.5.0_09"
                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll" ["Sun Microsystems, Inc."]
  -> {HKLM...CLSID} = "Java Plug-in 1.5.0_09"
                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll" ["Sun Microsystems, Inc."]

{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}\
"ButtonText" = "Create Mobile Favorite"
"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
  -> {HKLM...CLSID} = "Create Mobile Favorite"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\INetRepl.dll" [MS]

{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}\
"MenuText" = "Utwórz łącze Ulubione dla urządzenia przenośnego..."
"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
  -> {HKLM...CLSID} = "Create Mobile Favorite"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\INetRepl.dll" [MS]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Badanie"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" ["ALWIL Software"]
avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" ["ALWIL Software"]
avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]
avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]
C-DillaCdaC11BA, C-DillaCdaC11BA, "C:\WINDOWS\system32\drivers\CDAC11BA.EXE" ["Macrovision"]
Cyberlink RichVideo Service(CRVS), RichVideo, ""C:\Program Files\CyberLink\Shared files\RichVideo.exe"" [empty string]
Kerio Personal Firewall, PersFw, ""C:\Program Files\Kerio\Personal Firewall\persfw.exe"" ["Kerio Technologies"]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
ScsiAccess, ScsiAccess, "C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe" [null data]
StarWind iSCSI Service, StarWindService, "C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe" ["Rocket Division Software"]

Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]

----------
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
  took 19 seconds.
---------- (total run time: 53 seconds)

Edited by slavOK


Start with Spybot S&D and remove everything it finds.

Then: Mode -> Advanced mode, then Tools on the left, tick ActiveX and BHO in the middle, then click each of them on the left and remove all the components.


it removed everything nicely, it just can't deal with errorsafe ;/ I don't know how to root it out :/

 

weeeell, I pulled the weed out 8O

in cases like this I recommend the VundoFix program.

and before that, in safe mode, clear out the temp folder and cookies

Edited by slavOK


It really is Vundo:

O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\dhqbdalw.dll",realset

But that's not the end of it! 8O You absolutely must post logs from ComboFix and from GMER's 2nd option! Vundo doesn't get removed with just an automated tool. 8O

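As an added example (not code from this thread or from HijackThis), here is a small Python triage script that applies the same check the reply above makes by eye: it parses the O4 (Run key) lines of a HijackThis log and flags rundll32 launches of random-looking, all-lowercase DLL names from system32, the pattern of the ApachInc entry, and surfaces the R0 start page for review. The sample input is a constructed subset of the log posted above; `triage` and `is_random_dll_name` are my own names.

```python
"""Triage helper for HijackThis logs: flag the rundll32 + random-named DLL
pattern seen in this thread's ApachInc O4 entry and list the IE start page.
Added example; the function and regex names are my own, not HijackThis's."""
import re
from typing import Dict, List

# Constructed sample: a handful of lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/pl/
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\dhqbdalw.dll",realset
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# O4 Run-key entry: "O4 - HKLM\..\Run: [name] command line"
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# rundll32[.exe] ["]path\to.dll["][,export]   (case-insensitive, path may be quoted)
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?(?:,(?P<export>\w+))?', re.I)
# R0 IE start page entry
R0_RE = re.compile(r"^R0 - .*Start Page = (?P<url>\S+)$")


def is_random_dll_name(dll_path: str) -> bool:
    """Heuristic for the DLL names this thread's logs show (dhqbdalw, vtsqn,
    gebayxu, crtkpyeg): 5-12 lowercase letters, no digits, no vendor casing.
    Vendor DLLs such as NvCpl.dll or NvMcTray.dll fail the islower() test."""
    file_name = dll_path.replace("/", "\\").rsplit("\\", 1)[-1]
    stem = file_name.rpartition(".")[0]
    return stem.isalpha() and stem.islower() and 5 <= len(stem) <= 12


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious or review-worthy HijackThis line."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            r = RUNDLL_RE.search(m.group("cmd"))
            if r and "system32" in r.group("dll").lower() and is_random_dll_name(r.group("dll")):
                findings.append({
                    "kind": "rundll32_random_dll",
                    "name": m.group("name"),
                    "dll": r.group("dll"),
                    "export": r.group("export") or "",
                    "reason": "rundll32 loading a random-named DLL from system32 (Vundo pattern)",
                })
            continue
        m = R0_RE.match(line)
        if m:
            # Not malicious by itself; a hijacked start page is worth a second look.
            findings.append({
                "kind": "start_page",
                "name": "IE Start Page",
                "dll": "",
                "export": "",
                "reason": f"start page is {m.group('url')}; confirm the user chose it",
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['kind']}] {f['name']}: {f['reason']}")
```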

Well, that's reassuring 8O

 

ComboFix log:

 



 

As for Gmer, I'm not quite sure which one is the "2nd option"

so I'm pasting the log from the Rootkit tab:

 


GMER 1.0.12.12244 - http://www.gmer.netRootkit scan 2007-06-07 19:09:37Windows 5.1.2600 Dodatek Service Pack 2---- System - GMER 1.0.12 ----SSDT	  \SystemRoot\system32\Drivers\fwdrv.sys																   ZwCloseSSDT	  \SystemRoot\system32\Drivers\fwdrv.sys																   ZwCreateFileSSDT	  sptd.sys																								 ZwCreateKeySSDT	  \SystemRoot\system32\Drivers\fwdrv.sys																   ZwCreateProcessSSDT	  \SystemRoot\system32\Drivers\fwdrv.sys																   ZwCreateProcessExSSDT	  \SystemRoot\system32\Drivers\fwdrv.sys																   ZwCreateSectionSSDT	  sptd.sys																								 ZwEnumerateKeySSDT	  sptd.sys																								 ZwEnumeratevaluateueKeySSDT	  sptd.sys																								 ZwOpenKeySSDT	  sptd.sys																								 ZwQueryKeySSDT	  sptd.sys																								 ZwQueryValueKeySSDT	  sptd.sys																								 ZwSetValueKey---- Kernel code sections - GMER 1.0.12 ----?		 C:\WINDOWS\system32\drivers\sptd.sys																	 Proces nie może uzyskać dostępu do pliku, ponieważ jest on używany przez inny proces.PAGENDSM  NDIS.sys!NdisMIndicateStatus																			 F729BA5F 6 Bytes  JMP F460F6D8 \SystemRoot\system32\Drivers\fwdrv.sys.text	 USBPORT.SYS!DllUnload																					F6E2962C 5 Bytes  JMP 86427670 ?		 System32\Drivers\abgj300r.SYS																			Nie można odnaleźć określonego pliku.?		 System32\Drivers\arz74nvo.SYS																			Nie można odnaleźć określonego pliku.?		 
C:\WINDOWS\system32\DRIVERS\update.sys																   ---- Devices - GMER 1.0.12 ----Device	\FileSystem\Ntfs \Ntfs IRP_MJ_CREATE																	 867641D8Device	\FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE																	  867641D8Device	\FileSystem\Ntfs \Ntfs IRP_MJ_READ																	   867641D8Device	\FileSystem\Ntfs \Ntfs IRP_MJ_WRITE																	  867641D8Device	\FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION														  867641D8Device	\FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION															867641D8Device	\FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA																   867641D8Device	\FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA																	 867641D8Device	\FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS															  867641D8Device	\FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION												   867641D8Device	\FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION													 867641D8Device	\FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL														  867641D8Device	\FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL														867641D8Device	\FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL															 867641D8Device	\FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN																   867641D8Device	\FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL															   867641D8Device	\FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP																	867641D8Device	\FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY															 867641D8Device	\FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY															   867641D8Device	\FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA																867641D8Device	\FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA																  867641D8Device	\FileSystem\Ntfs \Ntfs IRP_MJ_PNP																		867641D8Device	\FileSystem\Fastfat \FatCdrom IRP_MJ_CREATE															  86466380Device	\FileSystem\Fastfat \FatCdrom IRP_MJ_CLOSE															   86466380Device	\FileSystem\Fastfat \FatCdrom IRP_MJ_READ																86466380Device	\FileSystem\Fastfat \FatCdrom IRP_MJ_WRITE															   
86466380Device	\FileSystem\Fastfat \FatCdrom IRP_MJ_QUERY_INFORMATION												   86466380Device	\FileSystem\Fastfat \FatCdrom IRP_MJ_SET_INFORMATION													 86466380Device	\FileSystem\Fastfat \FatCdrom IRP_MJ_QUERY_EA															86466380Device	\FileSystem\Fastfat \FatCdrom IRP_MJ_SET_EA															  86466380Device	\FileSystem\Fastfat \FatCdrom IRP_MJ_FLUSH_BUFFERS													   86466380Device	\FileSystem\Fastfat \FatCdrom IRP_MJ_QUERY_VOLUME_INFORMATION											86466380Device	\FileSystem\Fastfat \FatCdrom IRP_MJ_SET_VOLUME_INFORMATION											  86466380Device	\FileSystem\Fastfat \FatCdrom IRP_MJ_DIRECTORY_CONTROL												   86466380Device	\FileSystem\Fastfat \FatCdrom IRP_MJ_FILE_SYSTEM_CONTROL												 86466380Device	\FileSystem\Fastfat \FatCdrom IRP_MJ_DEVICE_CONTROL													  86466380Device	\FileSystem\Fastfat \FatCdrom IRP_MJ_SHUTDOWN															86466380Device	\FileSystem\Fastfat \FatCdrom IRP_MJ_LOCK_CONTROL														86466380Device	\FileSystem\Fastfat \FatCdrom IRP_MJ_CLEANUP															 86466380Device	\FileSystem\Fastfat \FatCdrom IRP_MJ_PNP																 86466380Device	\Driver\NetBT \Device\NetBT_Tcpip_{C1F4A1D6-CA7E-462A-9EFB-240179DC01FC} IRP_MJ_CREATE				   864541D8Device	\Driver\NetBT \Device\NetBT_Tcpip_{C1F4A1D6-CA7E-462A-9EFB-240179DC01FC} IRP_MJ_CLOSE					864541D8Device	\Driver\NetBT \Device\NetBT_Tcpip_{C1F4A1D6-CA7E-462A-9EFB-240179DC01FC} IRP_MJ_DEVICE_CONTROL		   864541D8Device	\Driver\NetBT \Device\NetBT_Tcpip_{C1F4A1D6-CA7E-462A-9EFB-240179DC01FC} IRP_MJ_INTERNAL_DEVICE_CONTROL  864541D8Device	\Driver\NetBT \Device\NetBT_Tcpip_{C1F4A1D6-CA7E-462A-9EFB-240179DC01FC} IRP_MJ_CLEANUP				  864541D8Device	\Driver\NetBT \Device\NetBT_Tcpip_{C1F4A1D6-CA7E-462A-9EFB-240179DC01FC} IRP_MJ_PNP					  864541D8Device	\Driver\usbohci \Device\USBPDO-0 IRP_MJ_CREATE														   864261D8Device	\Driver\usbohci \Device\USBPDO-0 IRP_MJ_CLOSE															864261D8Device	\Driver\usbohci \Device\USBPDO-0 
IRP_MJ_DEVICE_CONTROL												   864261D8Device	\Driver\usbohci \Device\USBPDO-0 IRP_MJ_INTERNAL_DEVICE_CONTROL										  864261D8Device	\Driver\usbohci \Device\USBPDO-0 IRP_MJ_POWER															864261D8Device	\Driver\usbohci \Device\USBPDO-0 IRP_MJ_SYSTEM_CONTROL												   864261D8Device	\Driver\usbohci \Device\USBPDO-0 IRP_MJ_PNP															  864261D8Device	\Driver\usbohci \Device\USBPDO-1 IRP_MJ_CREATE														   864261D8Device	\Driver\usbohci \Device\USBPDO-1 IRP_MJ_CLOSE															864261D8Device	\Driver\usbohci \Device\USBPDO-1 IRP_MJ_DEVICE_CONTROL												   864261D8Device	\Driver\usbohci \Device\USBPDO-1 IRP_MJ_INTERNAL_DEVICE_CONTROL

 

 

 

@CatchMe respect to you - you have my admiration for what you do! 8O

Edited by slavOK


As for Gmer, I'm not quite sure which one is the "2nd option"

so I'm pasting the log from the Rootkit tab:

Download: Gmer

* Rootkit >>> "Show all" checked >>> only "Services" selected >>> Scan >>> Copy >>> CTRL+V at www.wklej.org

* Rootkit >>> "Show all" unchecked >>> all objects selected for scanning >>> Scan >>> Copy >>> CTRL+V at www.wklej.org

- This yields 2 logs, which you paste at www.wklej.org and then post the links on the forum.

 

The bold one. 8O


My hunch was right... so much junk it's downright scary 8O

 

1. Download: WWDC

- Change all options from disable to enable and restart the computer.

- The correct port layout is shown in this picture:

http://www.firewallleaktester.com/images_site/wwdc.jpg

* NetBIOS may be yellow.

 

 

Download and run the tool: The Avenger

Select the option Input script manually and click the magnifying glass on the right. In the window that opens, paste:

 

Files to delete:

 

C:\WINDOWS\system32\crtkpyeg.dll

C:\WINDOWS\system32\awvts.dll

C:\WINDOWS\system32\j8261634.dll

C:\WINDOWS\system32\ilkkj.ini2

C:\WINDOWS\system32\ilkkj.bak1

C:\WINDOWS\system32\crtkpyeg.dll

C:\WINDOWS\system32\dfnyalag.exe

C:\WINDOWS\system32\j8261634.dll

C:\WINDOWS\system32\hdgdwtfp.exe

C:\WINDOWS\system32\sxaopfcr.exe

C:\WINDOWS\system32\lychdndb.exe

 

Click Done, then the green light, and agree to the restart by clicking OK.

 

 

Open Notepad and paste this into it:

 

Windows Registry Editor Version 5.00

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

{92A444D2-F945-4dd9-89A1-896A6C2D8D22}=-

 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awvts]

 

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\j8261634]

File >>> Save As >>> Change the file type from TXT to All Files >>> Save under the name FIX.REG >>> Run the FIX.REG file in Safe Mode >>> Restart the computer.

 

 

Manually delete the file C:\Avenger\backup.zip from the disk and post on the forum the report C:\avenger.txt + the HijackThis log + the Silent Runners log + the ComboFix log + Gmer:

 

Download: Gmer

* Rootkit >>> "Show all" checked >>> only "Services" selected >>> Scan >>> Copy >>> CTRL+V at www.wklej.org

* Rootkit >>> "Show all" unchecked >>> all objects selected for scanning >>> Scan >>> Copy >>> CTRL+V at www.wklej.org

- This yields 2 logs, which you paste at www.wklej.org and then post the links on the forum.
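As an added example (my own code, not from the thread, HijackThis, Avenger or regedit), here is a small Python triage helper for the three artifacts this post works with. It flags the HijackThis entries a responder checks first (BHOs pointing at deleted files, BHOs loading from system32, Winlogon Notify packages, rundll32 loaders), drops repeated paths from an Avenger script so the second pass does not fail on a file the first pass already removed, and builds a .reg file that removes a BHO by deleting its CLSID subkey, since in .reg syntax `[-key]` deletes a key while `"name"=-` deletes only a value. The sample log lines and script are constructed to mirror the entry shapes above; the paths and CLSIDs are the ones from this thread, and the finding categories are my own naming.

```python
"""Triage helpers for a HijackThis log, an Avenger script and a .reg cleanup.

Added example for this thread; not code from the thread, HijackThis, Avenger
or regedit. Sample inputs are constructed to mirror the entry shapes above.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<target>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<label>[^\]]*)\] (?P<command>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<target>.*)$")
MISSING_RE = re.compile(r"\((?:no file|file missing)\)")
RUNDLL_RE = re.compile(r"(?i)^rundll32(?:\.exe)?\s+(?P<dll>.+?\.dll)[,\s]+(?P<entry>\S*)")

# Constructed sample shaped like the HijackThis lines in this thread; the third
# O2 line is how the BHO looked while its DLL was still on disk.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {8C258E7E-5FCB-4385-B8FD-6FCD1E985B41} - (no file)
O2 - BHO: (no name) - {92A444D2-F945-4dd9-89A1-896A6C2D8D22} - C:\WINDOWS\system32\crtkpyeg.dll
O2 - BHO: (no name) - {92A444D2-F945-4dd9-89A1-896A6C2D8D22} - C:\WINDOWS\system32\crtkpyeg.dll (file missing)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [j8261634] rundll32 C:\WINDOWS\system32\j8261634.dll sook
O20 - Winlogon Notify: awvts - C:\WINDOWS\system32\awvts.dll
O20 - Winlogon Notify: CLSID - C:\WINDOWS\
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# Constructed Avenger script with the repeated entries of the one posted above.
AVENGER_SCRIPT = r"""
Files to delete:
C:\WINDOWS\system32\crtkpyeg.dll
C:\WINDOWS\system32\awvts.dll
C:\WINDOWS\system32\j8261634.dll
C:\WINDOWS\system32\crtkpyeg.dll
C:\WINDOWS\system32\dfnyalag.exe
C:\WINDOWS\system32\j8261634.dll
"""


@dataclass(frozen=True)
class Finding:
    kind: str    # orphan | bho_in_system32 | winlogon_notify | rundll32_loader
    detail: str
    line: str


def triage_hijackthis(log_text: str) -> List[Finding]:
    """Flag the HijackThis entries a responder looks at first."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            target = m.group("target")
            if MISSING_RE.search(target):
                findings.append(Finding("orphan", f"BHO {{{m.group('clsid')}}} points at a deleted file; remove its CLSID subkey", line))
            elif "\\system32\\" in target.lower():
                # Legitimate BHOs ship under Program Files; one living in system32 needs a publisher check.
                findings.append(Finding("bho_in_system32", f"BHO '{m.group('name')}' loads {target}; verify the publisher", line))
            continue
        m = O20_RE.match(line)
        if m:
            target = m.group("target")
            file_name = target.rsplit("\\", 1)[-1]
            if not file_name or "." not in file_name:
                detail = f"notify package '{m.group('name')}' has no DLL file name ({target}); inspect the key by hand"
            else:
                detail = f"notify package '{m.group('name')}' loads {target} into winlogon.exe; verify the publisher"
            findings.append(Finding("winlogon_notify", detail, line))
            continue
        m = O4_RE.match(line)
        if m:
            r = RUNDLL_RE.match(m.group("command"))
            if r:
                findings.append(Finding("rundll32_loader", f"[{m.group('label')}] loads {r.group('dll')} entry '{r.group('entry')}' via rundll32; verify the DLL", line))
    return findings


def dedupe_avenger_script(script_text: str) -> Tuple[List[str], List[str]]:
    """Drop repeated paths: Avenger works down the list in order, so a path listed
    twice is deleted on the first pass and reported as a failure on the second."""
    kept: List[str] = []
    dropped: List[str] = []
    seen = set()
    for raw in script_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):            # section header such as "Files to delete:"
            kept.append(line)
            continue
        if line.lower() in seen:          # Windows paths are case-insensitive
            dropped.append(line)
            continue
        seen.add(line.lower())
        kept.append(line)
    return kept, dropped


BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"


def reg_remove_bho(clsid: str) -> str:
    """Build a .reg file that deletes a BHO's CLSID subkey ([-key] form)."""
    clsid = clsid.strip("{}").upper()
    return "Windows Registry Editor Version 5.00\r\n\r\n[-%s\\{%s}]\r\n" % (BHO_KEY, clsid)
```

Run `triage_hijackthis(SAMPLE_LOG)` to get the seven findings for the constructed log; `dedupe_avenger_script(AVENGER_SCRIPT)` keeps the header plus four unique paths and reports the two repeats; `reg_remove_bho("{92A444D2-F945-4dd9-89A1-896A6C2D8D22}")` returns the text to save as a .reg file.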


OK My Master 8O

 

Done 8O

 

Log from Avenger

 


Logfile of The Avenger version 1, by Swandog46Running from registry key:\Registry\Machine\System\CurrentControlSet\Services\idextyrt*******************Script file located at: \??\C:\WINDOWS\system32\nvorcgoy.txtScript file opened successfully.Script file read successfullyBackups directory opened successfully at C:\Avenger*******************Beginning to process script file:File C:\WINDOWS\system32\crtkpyeg.dll deleted successfully.File C:\WINDOWS\system32\awvts.dll not found!Deletion of file C:\WINDOWS\system32\awvts.dll failed!Could not process line:C:\WINDOWS\system32\awvts.dllStatus: 0xc0000034File C:\WINDOWS\system32\j8261634.dll deleted successfully.File C:\WINDOWS\system32\ilkkj.ini2 deleted successfully.File C:\WINDOWS\system32\ilkkj.bak1 deleted successfully.File C:\WINDOWS\system32\crtkpyeg.dll not found!Deletion of file C:\WINDOWS\system32\crtkpyeg.dll failed!Could not process line:C:\WINDOWS\system32\crtkpyeg.dllStatus: 0xc0000034File C:\WINDOWS\system32\dfnyalag.exe deleted successfully.File C:\WINDOWS\system32\j8261634.dll not found!Deletion of file C:\WINDOWS\system32\j8261634.dll failed!Could not process line:C:\WINDOWS\system32\j8261634.dllStatus: 0xc0000034File C:\WINDOWS\system32\hdgdwtfp.exe deleted successfully.File C:\WINDOWS\system32\sxaopfcr.exe deleted successfully.File C:\WINDOWS\system32\lychdndb.exe deleted successfully.Completed script processing.*******************Finished!  Terminate.

 

LOG HiJackThis

 


Logfile of HijackThis v1.99.1Scan saved at 20:56:50, on 2007-06-07Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Alwil Software\Avast4\aswUpdSv.exeC:\Program Files\Alwil Software\Avast4\ashServ.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\SOUNDMAN.EXEC:\Program Files\DAEMON Tools\daemon.exeC:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exeC:\Program Files\InkSaver\InkSaver.exeC:\Program Files\Picasa2\PicasaMediaDetector.exeC:\WINDOWS\system32\ctfmon.exeC:\PROGRA~1\MICROS~3\wcescomm.exeC:\PROGRA~1\MICROS~3\rapimgr.exeC:\Program Files\Kalendarz XP\Kalendarz.exeC:\WINDOWS\system32\drivers\CDAC11BA.EXEC:\WINDOWS\system32\nvsvc32.exeC:\Program Files\Kerio\Personal Firewall\persfw.exeC:\Program Files\CyberLink\Shared files\RichVideo.exeC:\Program Files\Photodex\ProShowGold\ScsiAccess.exeC:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Alwil Software\Avast4\ashMaiSv.exeC:\Program Files\Alwil Software\Avast4\ashWebSv.exeC:\WINDOWS\System32\svchost.exeC:\PROGRA~1\Mozilla Firefox\firefox.exeC:\Program Files\Wapster\AQQ\AQQ.exeC:\WINDOWS\system32\wuauclt.exeC:\WINDOWS\system32\wscntfy.exeC:\WINDOWS\system32\NOTEPAD.EXEF:\Odrobaczanie\hijackthis\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = ŁączaO2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dllO2 - BHO: (no name) - 
{53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dllO2 - BHO: (no name) - {8C258E7E-5FCB-4385-B8FD-6FCD1E985B41} - (no file)O2 - BHO: (no name) - {92A444D2-F945-4dd9-89A1-896A6C2D8D22} - C:\WINDOWS\system32\crtkpyeg.dll (file missing)O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXEO4 - HKLM\..\Run: [nwiz] nwiz.exe /installO4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exeO4 - HKLM\..\Run: [InkSaver] C:\Program Files\InkSaver\InkSaver.exe hideO4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exeO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartupO4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~3\wcescomm.exe"O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exeO4 - Global Startup: Kalendarz XP.lnk = C:\Program Files\Kalendarz XP\Kalendarz.exeO4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXEO8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dllO9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dllO9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dllO9 - Extra 'Tools' menuitem: Utwórz łącze Ulubione dla urządzenia przenośnego... 
- {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dllO9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLLO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLLO20 - Winlogon Notify: CLSID - C:\WINDOWS\O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exeO23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exeO23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exeO23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)O23 - Service: avast! 
Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXEO23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeO23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exeO23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall\persfw.exeO23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exeO23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exeO23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

 

Silent LOG:

 


"Silent Runners.vbs", revision R50, http://www.silentrunners.org/Operating System: Windows XP SP2Output limited to non-default values, except where indicated by "{++}"Startup items buried in registry:---------------------------------HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]"H/PC Connection Agent" = ""C:\PROGRA~1\MICROS~3\wcescomm.exe"" [MS]HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]"DAEMON Tools" = ""C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033" ["DT Soft Ltd."]"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" ["ALWIL Software"]"InkSaver" = "C:\Program Files\InkSaver\InkSaver.exe hide" ["Strydent Software, Inc."]"Picasa Media Detector" = "C:\Program Files\Picasa2\PicasaMediaDetector.exe" ["Google Inc."]"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)  -> {HKLM...CLSID} = "AcroIEHlprObj Class"				   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)  -> {HKLM...CLSID} = (no title provided)				   \InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)  -> {HKLM...CLSID} = "SSVHelper Class"				   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll" ["Sun Microsystems, Inc."]{92A444D2-F945-4dd9-89A1-896A6C2D8D22}\(Default) = (no title provided)  -> {HKLM...CLSID} = (no title provided)				   \InProcServer32\(Default) = "C:\WINDOWS\system32\crtkpyeg.dll" [file not found]HKLM\Software\Microsoft\Windows\CurrentVersion\Shell 
Extensions\Approved\"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"				   \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"  -> {HKLM...CLSID} = "DesktopContext Class"				   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"  -> {HKLM...CLSID} = "NVIDIA CPL Extension"				   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"  -> {HKLM...CLSID} = "Desktop Explorer"				   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"  -> {HKLM...CLSID} = (no title provided)				   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"  -> {HKLM...CLSID} = "nView Desktop Context Menu"				   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"  -> {HKLM...CLSID} = "WinRAR"				   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"  -> {HKLM...CLSID} = (no title provided)				   \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]"{453D1B6D-BD6A-4FA1-B876-9E4DD848D434}" = "AQQ File Transfer Shell Extension"  -> {HKLM...CLSID} = "AQQ File Transfer Shell Extension"				   \InProcServer32\(Default) = "C:\PROGRA~1\Wapster\AQQ\System\AQQSHE~1.DLL" [null data]"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"  -> {HKLM...CLSID} = "avast"				   \InProcServer32\(Default) = "C:\Program Files\Alwil 
Software\Avast4\ashShell.dll" ["ALWIL Software"]"{D7B7A5AE-9D19-4F9E-9C6F-46C82D22D71C}" = "Wyślij na Fotosik.pl"  -> {HKLM...CLSID} = "Wyślij na Fotosik.pl"				   \InProcServer32\(Default) = "C:\PROGRA~1\FOTOSI~1\FOTOSI~1.DLL" [null data]"{E8CF73E1-2D2B-465D-9740-8E85349FD65A}" = "DOPMenu"  -> {HKLM...CLSID} = "DOPMenu"				   \InProcServer32\(Default) = "C:\Program Files\DxO Labs\DxO Optics Pro v4\DOPMenu.dll" [null data]"{AC1DB655-4F9A-4c39-8AD2-A65324A4C446}" = "Autodesk Drawing Preview"  -> {HKLM...CLSID} = "ACTHUMBNAIL"				   \InProcServer32\(Default) = "C:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcThumbnail16.dll" ["Autodesk"]"{36A21736-36C2-4C11-8ACB-D4136F2B57BD}" = "Ikona obsługi nakładki Podpisów cyfrowych AutoCAD"  -> {HKLM...CLSID} = "AcSignIcon"				   \InProcServer32\(Default) = "C:\WINDOWS\system32\AcSignIcon.dll" ["Autodesk"]"{49BF5420-FA7F-11cf-8011-00A0C90A8F78}" = "Mobile Device"  -> {HKLM...CLSID} = "Urządzenie przenośne"				   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Wcesview.dll" [MS]HKLM\Software\Classes\PROTOCOLS\Filter\<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"  -> {HKLM...CLSID} = (no title provided)				   \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]HKLM\Software\Classes\*\shellex\ContextMenuHandlers\AQQFileTransfer\(Default) = "{453D1B6D-BD6A-4FA1-B876-9E4DD848D434}"  -> {HKLM...CLSID} = "AQQ File Transfer Shell Extension"				   \InProcServer32\(Default) = "C:\PROGRA~1\Wapster\AQQ\System\AQQSHE~1.DLL" [null data]avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"  -> {HKLM...CLSID} = "avast"				   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]DOPMenu\(Default) = "{E8CF73E1-2D2B-465D-9740-8E85349FD65A}"  -> {HKLM...CLSID} = "DOPMenu"				   \InProcServer32\(Default) = "C:\Program Files\DxO Labs\DxO Optics Pro v4\DOPMenu.dll" [null data]WinRAR\(Default) = 
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"  -> {HKLM...CLSID} = "WinRAR"				   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\DOPMenu\(Default) = "{E8CF73E1-2D2B-465D-9740-8E85349FD65A}"  -> {HKLM...CLSID} = "DOPMenu"				   \InProcServer32\(Default) = "C:\Program Files\DxO Labs\DxO Optics Pro v4\DOPMenu.dll" [null data]WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"  -> {HKLM...CLSID} = "WinRAR"				   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]{D7B7A5AE-9D19-4F9E-9C6F-46C82D22D71C}\(Default) = "{D7B7A5AE-9D19-4F9E-9C6F-46C82D22D71C}"  -> {HKLM...CLSID} = "Wyślij na Fotosik.pl"				   \InProcServer32\(Default) = "C:\PROGRA~1\FOTOSI~1\FOTOSI~1.DLL" [null data]HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"  -> {HKLM...CLSID} = "avast"				   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"  -> {HKLM...CLSID} = "WinRAR"				   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]Default executables:--------------------HKCU\Software\Classes\.scr\(Default) = "AutoCADScriptFile"<<!>> HKCU\Software\Classes\AutoCADScriptFile\shell\open\command\(Default) = ""C:\WINDOWS\notepad.exe" "%1"" [MS]Group Policies {GPedit.msc branch and setting}:

 

ComboFix LOG:

 


"slavOK" - 2007-06-07 19:05:20	Dodatek Service Pack 2  NTFS  ComboFix 07-06-3B - Running from: "C:\Documents and Settings\slavOK\Pulpit\"(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))C:\Program Files\install.log(((((((((((((((((((((((((   Files Created from 2007-05-07 to 2007-06-07  )))))))))))))))))))))))))))))))2007-06-07 13:22	<DIR>	d--------	C:\DOCUME~1\ALLUSE~1\DANEAP~1\Spybot - Search & Destroy2007-06-06 23:58	524,288	--ah-----	C:\DOCUME~1\ADMINI~1\NTUSER.DAT2007-06-06 23:58	<DIR>	dr-h-----	C:\DOCUME~1\ADMINI~1\Dane aplikacji2007-06-06 23:58	<DIR>	dr-------	C:\DOCUME~1\ADMINI~1\Menu Start2007-06-06 23:58	<DIR>	d--h-----	C:\DOCUME~1\ADMINI~1\Ustawienia lokalne2007-06-06 23:58	<DIR>	d--h-----	C:\DOCUME~1\ADMINI~1\Szablony2007-06-06 23:58	<DIR>	d--------	C:\DOCUME~1\ADMINI~1\Ulubione2007-06-06 23:58	<DIR>	d--------	C:\DOCUME~1\ADMINI~1\Pulpit2007-06-06 23:58	<DIR>	d--------	C:\DOCUME~1\ADMINI~1\Moje dokumenty2007-06-06 23:40	<DIR>	d--------	C:\Program Files\XP Repair Pro 20072007-06-06 23:14	905,438	---hs----	C:\WINDOWS\system32\ilkkj.ini22007-06-06 23:14	903,677	---hs----	C:\WINDOWS\system32\ilkkj.bak12007-06-06 22:53	626,688	--a------	C:\WINDOWS\system32\msvcr80.dll2007-06-06 22:14	55,316	--a------	C:\WINDOWS\system32\crtkpyeg.dll2007-06-06 15:27	<DIR>	d--------	C:\Program Files\JPEGCrops2007-06-06 10:28	<DIR>	d--------	C:\Program Files\FLVPlayer2007-06-05 22:12	14,868	--a------	C:\WINDOWS\system32\dfnyalag.exe2007-06-05 22:12	10,752	--a------	C:\WINDOWS\system32\j8261634.dll2007-06-04 22:16	2,580	--a------	C:\WINDOWS\system32\hdgdwtfp.exe2007-06-04 18:42	<DIR>	d--------	C:\DOCUME~1\ALLUSE~1\DANEAP~1\Apple Computer2007-06-04 18:33	106,912	--a------	C:\WINDOWS\hpqins13.dat2007-06-03 22:23	2,580	--a------	C:\WINDOWS\system32\sxaopfcr.exe2007-06-02 22:10	2,580	--a------	C:\WINDOWS\system32\lychdndb.exe2007-06-02 20:27	796,672	--a------	C:\WINDOWS\GPInstall.exe2007-06-01 22:14	2,580	--a------	
C:\WINDOWS\system32\txtrpmke.exe2007-06-01 20:28	231,936	--a------	C:\WINDOWS\epsuninst.exe2007-05-31 16:16	<DIR>	d--------	C:\Program Files\Photodex Presenter2007-05-31 16:16	<DIR>	d--------	C:\DOCUME~1\slavOK\DANEAP~1\Netscape2007-05-31 16:15	<DIR>	d--------	C:\Program Files\Photodex2007-05-31 16:09	<DIR>	d--------	C:\DOCUME~1\slavOK\DANEAP~1\Photodex2007-05-31 14:02	0	--a------	C:\DOCUME~1\slavOK\system_conf.dat2007-05-29 23:01	<DIR>	d--------	C:\DOCUME~1\ALLUSE~1\DANEAP~1\nView_Profiles2007-05-29 15:04	<DIR>	d--------	C:\Program Files\Microsoft ActiveSync2007-05-29 15:03	<DIR>	d--------	C:\WINDOWS\Downloaded Installations2007-05-28 20:28	<DIR>	d--------	C:\DOCUME~1\ALLUSE~1\DANEAP~1\Test Drive Unlimited2007-05-27 18:01	41,984	--a------	C:\WINDOWS\system32\drivers\Xprotector.sys2007-05-26 19:16	<DIR>	d--------	C:\DOCUME~1\slavOK\DANEAP~1\Opera2007-05-23 23:08	<DIR>	d--------	C:\Program Files\Hamachi2007-05-23 22:46	77,824	--a------	C:\WINDOWS\system32\btw_ci.dll2007-05-23 21:55	<DIR>	d--------	C:\Program Files\QuickTime2007-05-23 21:55	<DIR>	d--------	C:\Program Files\ImTOO2007-05-23 20:03	95,424	--a------	C:\WINDOWS\system32\drivers\slnthal.sys2007-05-23 20:03	9,344	--a------	C:\WINDOWS\system32\drivers\tosrfec.sys2007-05-23 20:03	9,344	--a------	C:\WINDOWS\system32\drivers\compbatt.sys2007-05-23 20:03	862,340	-ra------	C:\WINDOWS\system32\drivers\smserial.sys2007-05-23 20:03	8,278	--a------	C:\WINDOWS\system32\drivers\SynScan.sys2007-05-23 20:03	78,976	--a------	C:\WINDOWS\system32\drivers\Rtenicxp.sys2007-05-23 20:03	78,464	--a------	C:\WINDOWS\system32\drivers\usbvideo.sys2007-05-23 20:03	720,470	--a------	C:\WINDOWS\system32\drivers\SynMini.sys2007-05-23 20:03	7,424	-ra------	C:\WINDOWS\system32\drivers\MMIOPORT.SYS2007-05-23 20:03	685,056	--a------	C:\WINDOWS\system32\drivers\hsfcxts2.sys2007-05-23 20:03	685,056	--a------	C:\WINDOWS\system32\drivers\hardlock.sys2007-05-23 20:03	644,424	--a------	C:\WINDOWS\system32\drivers\SynPin.sys2007-05-23 20:03	64,896	
--a------	C:\WINDOWS\system32\drivers\tosrfcom.sys2007-05-23 20:03	62,848	--a------	C:\WINDOWS\system32\drivers\tosrfhid.sys2007-05-23 20:03	61,067	-ra------	C:\WINDOWS\system32\drivers\ftser2k.sys2007-05-23 20:03	6,016	--a------	C:\WINDOWS\system32\drivers\smbali.sys2007-05-23 20:03	59,648	--a------	C:\WINDOWS\system32\drivers\rfcomm.sys2007-05-23 20:03	53,504	--a------	C:\WINDOWS\system32\drivers\i8042prt.sys2007-05-23 20:03	52,864	--a------	C:\WINDOWS\system32\drivers\tosrfsnd.sys2007-05-23 20:03	51,328	--a------	C:\WINDOWS\system32\drivers\rimsptsk.sys2007-05-23 20:03	51,328	--a------	C:\WINDOWS\system32\drivers\msdv.sys2007-05-23 20:03	48,640	--a------	C:\WINDOWS\system32\drivers\tosdbt.sys2007-05-23 20:03	47,616	--a------	C:\WINDOWS\system32\drivers\Haspnt.sys2007-05-23 20:03	47,249	-ra------	C:\WINDOWS\system32\drivers\ftdibus.sys2007-05-23 20:03	47,104	--a------	C:\WINDOWS\system32\drivers\tosporte.sys2007-05-23 20:03	46,464	--a------	C:\WINDOWS\system32\drivers\gagp30kx.sys2007-05-23 20:03	452,736	--a------	C:\WINDOWS\system32\drivers\mtxparhm.sys2007-05-23 20:03	44,672	--a------	C:\WINDOWS\system32\drivers\uagp35.sys2007-05-23 20:03	42,240	--a------	C:\WINDOWS\system32\drivers\viaagp.sys2007-05-23 20:03	41,088	--a------	C:\WINDOWS\system32\drivers\sisagp.sys2007-05-23 20:03	404,990	--a------	C:\WINDOWS\system32\drivers\slntamr.sys2007-05-23 20:03	40,832	--a------	C:\WINDOWS\system32\drivers\irbus.sys2007-05-23 20:03	4,381,184	-ra------	C:\WINDOWS\system32\drivers\RtkHDAud.Sys2007-05-23 20:03	39,808	--a------	C:\WINDOWS\system32\drivers\tosrfusb.sys2007-05-23 20:03	38,016	--a------	C:\WINDOWS\system32\drivers\bthmodem.sys2007-05-23 20:03	37,632	--a------	C:\WINDOWS\system32\drivers\tosrfbnp.sys2007-05-23 20:03	35,456	--a------	C:\WINDOWS\system32\drivers\bthprint.sys2007-05-23 20:03	30,592	--a------	C:\WINDOWS\system32\drivers\rndismpx.sys2007-05-23 20:03	3,901	--a------	C:\WINDOWS\system32\drivers\siint5.dll2007-05-23 20:03	3,712	--a------	
C:\WINDOWS\system32\drivers\toshidpt.sys2007-05-23 20:03	275,200	--a------	C:\WINDOWS\system32\drivers\bthport.sys2007-05-23 20:03	27,904	--a------	C:\WINDOWS\system32\drivers\risdptsk.sys2007-05-23 20:03	25,728	--a------	C:\WINDOWS\system32\drivers\hidbth.sys2007-05-23 20:03	25,471	--a------	C:\WINDOWS\system32\drivers\watv10nt.sys2007-05-23 20:03	25,420	--a------	C:\WINDOWS\system32\drivers\tosrflan.sys2007-05-23 20:03	226,688	--a------	C:\WINDOWS\system32\drivers\SynCamd.sys2007-05-23 20:03	223,128	--a------	C:\WINDOWS\system32\drivers\dtscsi.sys2007-05-23 20:03	220,032	--a------	C:\WINDOWS\system32\drivers\hsfbs2s2.sys2007-05-23 20:03	22,271	--a------	C:\WINDOWS\system32\drivers\watv06nt.sys2007-05-23 20:03	21,120	--a------	C:\WINDOWS\system32\drivers\tosbtsd2.sys2007-05-23 20:03	191,936	--a------	C:\WINDOWS\system32\drivers\SynTP.sys2007-05-23 20:03	180,360	--a------	C:\WINDOWS\system32\drivers\ntmtlfax.sys2007-05-23 20:03	18,944	--a------	C:\WINDOWS\system32\drivers\bthusb.sys2007-05-23 20:03	18,670	--a------	C:\WINDOWS\system32\drivers\FS008usb.sys2007-05-23 20:03	18,612	--a------	C:\WINDOWS\system32\drivers\tosrfnds.sys2007-05-23 20:03	17,024	--a------	C:\WINDOWS\system32\drivers\bthenum.sys2007-05-23 20:03	166,912	--a------	C:\WINDOWS\system32\drivers\s3gnbm.sys2007-05-23 20:03	160,672	--a------	C:\WINDOWS\system32\drivers\tosrfpcc.sys2007-05-23 20:03	16,320	--a------	C:\WINDOWS\system32\drivers\tostrans.sys((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))2007-06-07 17:06:19	--------	d-----w	C:\DOCUME~1\slavOK\DANEAP~1\Azureus2007-06-07 15:57:03	--------	d-----w	C:\Program Files\Kalendarz XP2007-06-07 09:19:21	--------	d-----w	C:\DOCUME~1\slavOK\DANEAP~1\The Bat!2007-06-03 17:16:09	--------	d--h--w	C:\Program Files\InstallShield Installation Information2007-06-01 20:44:08	--------	d-----w	C:\DOCUME~1\slavOK\DANEAP~1\Skype2007-05-31 14:10:42	--------	d-----w	C:\DOCUME~1\slavOK\DANEAP~1\Real

 

 

GMER LOG:


GMER 1.0.12.12244 - [url=http://www.gmer.net]http://www.gmer.net[/url]Rootkit scan 2007-06-07 21:06:45Windows 5.1.2600 Dodatek Service Pack 2---- System - GMER 1.0.12 ----SSDT	  \SystemRoot\system32\Drivers\fwdrv.sys																					 ZwCloseSSDT	  \SystemRoot\system32\Drivers\fwdrv.sys																					 ZwCreateFileSSDT	  sptd.sys																												   ZwCreateKeySSDT	  \SystemRoot\system32\Drivers\fwdrv.sys																					 ZwCreateProcessSSDT	  \SystemRoot\system32\Drivers\fwdrv.sys																					 ZwCreateProcessExSSDT	  \SystemRoot\system32\Drivers\fwdrv.sys																					 ZwCreateSectionSSDT	  sptd.sys																												   ZwEnumerateKeySSDT	  sptd.sys																												   ZwEnumeratevaluateueKeySSDT	  sptd.sys																												   ZwOpenKeySSDT	  sptd.sys																												   ZwQueryKeySSDT	  sptd.sys																												   ZwQueryValueKeySSDT	  sptd.sys																												   ZwSetValueKey---- Kernel code sections - GMER 1.0.12 ----?		 C:\WINDOWS\system32\drivers\sptd.sys																					   Proces nie może uzyskać dostępu do pliku, ponieważ jest on używany przez inny proces.PAGENDSM  NDIS.sys!NdisMIndicateStatus																							   F729BA5F 6 Bytes  JMP F460F6D8 \SystemRoot\system32\Drivers\fwdrv.sys.text	 USBPORT.SYS!DllUnload																									  F6E5962C 5 Bytes  JMP 8659D6E0 ?		 System32\Drivers\aeuq3s96.SYS																							  Nie można odnaleźć określonego pliku.?		 System32\Drivers\a9fe844x.SYS																							  Nie można odnaleźć określonego pliku.?		 C:\WINDOWS\system32\DRIVERS\update.sys																					 ?		 
C:\WINDOWS\system32\Drivers\PROCEXP90.SYS																				  Nie można odnaleźć określonego pliku.---- Devices - GMER 1.0.12 ----Device	\FileSystem\Ntfs \Ntfs IRP_MJ_CREATE																					   867D11D8Device	\FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE																						867D11D8Device	\FileSystem\Ntfs \Ntfs IRP_MJ_READ																						 867D11D8Device	\FileSystem\Ntfs \Ntfs IRP_MJ_WRITE																						867D11D8Device	\FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION																			867D11D8Device	\FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION
Edited by slavOK

In HijackThis, delete the leftovers:

O2 - BHO: (no name) - {8C258E7E-5FCB-4385-B8FD-6FCD1E985B41} - (no file)

O2 - BHO: (no name) - {92A444D2-F945-4dd9-89A1-896A6C2D8D22} - C:\WINDOWS\system32\crtkpyeg.dll (file missing)

O20 - Winlogon Notify: CLSID - C:\WINDOWS\

- The Silent Runners log was not generated to the end. (It is cut off) 8O

 

- Besides that, you gave me an old ComboFix log, so I cannot assess the situation.

 

- Please fill in the missing pieces. 8O

Edited by CatchMe
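The entries the helper asks to delete above share one property: the CLSID still has a registry launch point but the module it names is gone ("(no file)", "(file missing)", or a Winlogon Notify value that is only a directory). Below is a small added triage script, not code from this forum or from HijackThis, that pulls exactly those orphaned entries out of a HijackThis log so they can be reviewed before anything is removed. The sample lines are constructed from the entries quoted in this thread; the section/field layout it assumes ("Oxx - kind: name - {CLSID} - path") is the standard HijackThis line format.

```python
import re

# Constructed sample input: a handful of HijackThis lines modelled on the
# entries quoted in this thread (the two orphaned O2 BHO entries, the cut
# O20 Winlogon Notify entry, plus two healthy entries as controls).
SAMPLE_LOG = """\
O2 - BHO: (no name) - {8C258E7E-5FCB-4385-B8FD-6FCD1E985B41} - (no file)
O2 - BHO: (no name) - {92A444D2-F945-4dd9-89A1-896A6C2D8D22} - C:\\WINDOWS\\system32\\crtkpyeg.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 6.0 CE\\Reader\\ActiveX\\AcroIEHelper.dll
O20 - Winlogon Notify: CLSID - C:\\WINDOWS\\
O23 - Service: avast! Antivirus - ALWIL Software - C:\\Program Files\\Alwil Software\\Avast4\\ashServ.exe
"""

# "O2 - BHO: <name> - {CLSID} - <path>"  /  "O20 - Winlogon Notify: <name> - <path>"
ENTRY_RE = re.compile(r"^(?P<section>O\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
# Markers HijackThis appends when the referenced module does not exist on disk
ORPHAN_MARKERS = ("(no file)", "(file missing)")


def parse_entry(line):
    """Split one HijackThis line into section, CLSID (if any) and the trailing path field."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    clsid_m = CLSID_RE.search(body)
    # The last " - " separated field is the file/path the launch point points at
    path = body.rsplit(" - ", 1)[-1]
    return {
        "section": m.group("section"),
        "clsid": clsid_m.group(0) if clsid_m else None,
        "path": path,
        "raw": line.strip(),
    }


def orphan_reason(entry):
    """Return why an entry is a dead leftover, or None if it points at a real module."""
    path = entry["path"]
    for marker in ORPHAN_MARKERS:
        if path.endswith(marker):
            return marker
    # A Winlogon Notify value that is only a directory names no DLL at all
    if entry["section"] == "O20" and path.endswith("\\"):
        return "no module name"
    return None


def find_orphans(log_text):
    """Return the parsed entries whose launch point no longer resolves to a file."""
    found = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        reason = orphan_reason(entry)
        if reason:
            entry["reason"] = reason
            found.append(entry)
    return found


if __name__ == "__main__":
    for e in find_orphans(SAMPLE_LOG):
        print(f"{e['section']:>4}  {e['clsid'] or '-':40}  {e['reason']}: {e['raw']}")
```

Run on the constructed sample it reports the two O2 BHOs and the O20 entry and stays silent on the Adobe BHO and the avast! service, which is the same split the helper made by hand. A dead BHO entry is harmless on its own, but it is evidence that something was installed and then partially removed, so the CLSID is worth keeping as a note for the rest of the investigation.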

OK, there are so many of these logs now that I can't keep track of them myself 8O

 

ComboFix

 


"slavOK" - 2007-06-07 21:19:18	Dodatek Service Pack 2  NTFS  ComboFix 07-06-3B - Running from: "F:\Odrobaczanie\"(((((((((((((((((((((((((   Files Created from 2007-05-07 to 2007-06-07  )))))))))))))))))))))))))))))))2007-06-07 20:47	354	--a------	C:\FIX.reg2007-06-07 19:07	49,152	--a------	C:\WINDOWS\nircmd.exe2007-06-07 13:22	<DIR>	d--------	C:\DOCUME~1\ALLUSE~1\DANEAP~1\Spybot - Search & Destroy2007-06-06 23:58	524,288	--ah-----	C:\DOCUME~1\ADMINI~1\NTUSER.DAT2007-06-06 23:58	<DIR>	dr-h-----	C:\DOCUME~1\ADMINI~1\Dane aplikacji2007-06-06 23:58	<DIR>	dr-------	C:\DOCUME~1\ADMINI~1\Menu Start2007-06-06 23:58	<DIR>	d--h-----	C:\DOCUME~1\ADMINI~1\Ustawienia lokalne2007-06-06 23:58	<DIR>	d--h-----	C:\DOCUME~1\ADMINI~1\Szablony2007-06-06 23:58	<DIR>	d--------	C:\DOCUME~1\ADMINI~1\Ulubione2007-06-06 23:58	<DIR>	d--------	C:\DOCUME~1\ADMINI~1\Pulpit2007-06-06 23:58	<DIR>	d--------	C:\DOCUME~1\ADMINI~1\Moje dokumenty2007-06-06 23:40	<DIR>	d--------	C:\Program Files\XP Repair Pro 20072007-06-06 22:53	626,688	--a------	C:\WINDOWS\system32\msvcr80.dll2007-06-06 15:27	<DIR>	d--------	C:\Program Files\JPEGCrops2007-06-06 10:28	<DIR>	d--------	C:\Program Files\FLVPlayer2007-06-04 18:42	<DIR>	d--------	C:\DOCUME~1\ALLUSE~1\DANEAP~1\Apple Computer2007-06-04 18:33	106,912	--a------	C:\WINDOWS\hpqins13.dat2007-06-02 20:27	796,672	--a------	C:\WINDOWS\GPInstall.exe2007-06-01 22:14	2,580	--a------	C:\WINDOWS\system32\txtrpmke.exe2007-06-01 20:28	231,936	--a------	C:\WINDOWS\epsuninst.exe2007-05-31 16:16	<DIR>	d--------	C:\Program Files\Photodex Presenter2007-05-31 16:16	<DIR>	d--------	C:\DOCUME~1\slavOK\DANEAP~1\Netscape2007-05-31 16:15	<DIR>	d--------	C:\Program Files\Photodex2007-05-31 16:09	<DIR>	d--------	C:\DOCUME~1\slavOK\DANEAP~1\Photodex2007-05-31 14:02	0	--a------	C:\DOCUME~1\slavOK\system_conf.dat2007-05-29 23:01	<DIR>	d--------	C:\DOCUME~1\ALLUSE~1\DANEAP~1\nView_Profiles2007-05-29 15:04	<DIR>	d--------	C:\Program Files\Microsoft ActiveSync2007-05-29 15:03	<DIR>	d--------	
C:\WINDOWS\Downloaded Installations2007-05-28 20:28	<DIR>	d--------	C:\DOCUME~1\ALLUSE~1\DANEAP~1\Test Drive Unlimited2007-05-27 18:01	41,984	--a------	C:\WINDOWS\system32\drivers\Xprotector.sys2007-05-26 19:16	<DIR>	d--------	C:\DOCUME~1\slavOK\DANEAP~1\Opera2007-05-23 23:08	<DIR>	d--------	C:\Program Files\Hamachi2007-05-23 22:46	77,824	--a------	C:\WINDOWS\system32\btw_ci.dll2007-05-23 21:55	<DIR>	d--------	C:\Program Files\QuickTime2007-05-23 21:55	<DIR>	d--------	C:\Program Files\ImTOO2007-05-23 20:03	95,424	--a------	C:\WINDOWS\system32\drivers\slnthal.sys2007-05-23 20:03	9,344	--a------	C:\WINDOWS\system32\drivers\tosrfec.sys2007-05-23 20:03	9,344	--a------	C:\WINDOWS\system32\drivers\compbatt.sys2007-05-23 20:03	862,340	-ra------	C:\WINDOWS\system32\drivers\smserial.sys2007-05-23 20:03	8,278	--a------	C:\WINDOWS\system32\drivers\SynScan.sys2007-05-23 20:03	78,976	--a------	C:\WINDOWS\system32\drivers\Rtenicxp.sys2007-05-23 20:03	78,464	--a------	C:\WINDOWS\system32\drivers\usbvideo.sys2007-05-23 20:03	720,470	--a------	C:\WINDOWS\system32\drivers\SynMini.sys2007-05-23 20:03	7,424	-ra------	C:\WINDOWS\system32\drivers\MMIOPORT.SYS2007-05-23 20:03	685,056	--a------	C:\WINDOWS\system32\drivers\hsfcxts2.sys2007-05-23 20:03	685,056	--a------	C:\WINDOWS\system32\drivers\hardlock.sys2007-05-23 20:03	644,424	--a------	C:\WINDOWS\system32\drivers\SynPin.sys2007-05-23 20:03	64,896	--a------	C:\WINDOWS\system32\drivers\tosrfcom.sys2007-05-23 20:03	62,848	--a------	C:\WINDOWS\system32\drivers\tosrfhid.sys2007-05-23 20:03	61,067	-ra------	C:\WINDOWS\system32\drivers\ftser2k.sys2007-05-23 20:03	6,016	--a------	C:\WINDOWS\system32\drivers\smbali.sys2007-05-23 20:03	59,648	--a------	C:\WINDOWS\system32\drivers\rfcomm.sys2007-05-23 20:03	53,504	--a------	C:\WINDOWS\system32\drivers\i8042prt.sys2007-05-23 20:03	52,864	--a------	C:\WINDOWS\system32\drivers\tosrfsnd.sys2007-05-23 20:03	51,328	--a------	C:\WINDOWS\system32\drivers\rimsptsk.sys2007-05-23 20:03	51,328	--a------	
C:\WINDOWS\system32\drivers\msdv.sys2007-05-23 20:03	48,640	--a------	C:\WINDOWS\system32\drivers\tosdbt.sys2007-05-23 20:03	47,616	--a------	C:\WINDOWS\system32\drivers\Haspnt.sys2007-05-23 20:03	47,249	-ra------	C:\WINDOWS\system32\drivers\ftdibus.sys2007-05-23 20:03	47,104	--a------	C:\WINDOWS\system32\drivers\tosporte.sys2007-05-23 20:03	46,464	--a------	C:\WINDOWS\system32\drivers\gagp30kx.sys2007-05-23 20:03	452,736	--a------	C:\WINDOWS\system32\drivers\mtxparhm.sys2007-05-23 20:03	44,672	--a------	C:\WINDOWS\system32\drivers\uagp35.sys2007-05-23 20:03	42,240	--a------	C:\WINDOWS\system32\drivers\viaagp.sys2007-05-23 20:03	41,088	--a------	C:\WINDOWS\system32\drivers\sisagp.sys2007-05-23 20:03	404,990	--a------	C:\WINDOWS\system32\drivers\slntamr.sys2007-05-23 20:03	40,832	--a------	C:\WINDOWS\system32\drivers\irbus.sys2007-05-23 20:03	4,381,184	-ra------	C:\WINDOWS\system32\drivers\RtkHDAud.Sys2007-05-23 20:03	39,808	--a------	C:\WINDOWS\system32\drivers\tosrfusb.sys2007-05-23 20:03	38,016	--a------	C:\WINDOWS\system32\drivers\bthmodem.sys2007-05-23 20:03	37,632	--a------	C:\WINDOWS\system32\drivers\tosrfbnp.sys2007-05-23 20:03	35,456	--a------	C:\WINDOWS\system32\drivers\bthprint.sys2007-05-23 20:03	30,592	--a------	C:\WINDOWS\system32\drivers\rndismpx.sys2007-05-23 20:03	3,901	--a------	C:\WINDOWS\system32\drivers\siint5.dll2007-05-23 20:03	3,712	--a------	C:\WINDOWS\system32\drivers\toshidpt.sys2007-05-23 20:03	275,200	--a------	C:\WINDOWS\system32\drivers\bthport.sys2007-05-23 20:03	27,904	--a------	C:\WINDOWS\system32\drivers\risdptsk.sys2007-05-23 20:03	25,728	--a------	C:\WINDOWS\system32\drivers\hidbth.sys2007-05-23 20:03	25,471	--a------	C:\WINDOWS\system32\drivers\watv10nt.sys2007-05-23 20:03	25,420	--a------	C:\WINDOWS\system32\drivers\tosrflan.sys2007-05-23 20:03	226,688	--a------	C:\WINDOWS\system32\drivers\SynCamd.sys2007-05-23 20:03	223,128	--a------	C:\WINDOWS\system32\drivers\dtscsi.sys2007-05-23 20:03	220,032	--a------	
C:\WINDOWS\system32\drivers\hsfbs2s2.sys2007-05-23 20:03	22,271	--a------	C:\WINDOWS\system32\drivers\watv06nt.sys2007-05-23 20:03	21,120	--a------	C:\WINDOWS\system32\drivers\tosbtsd2.sys2007-05-23 20:03	191,936	--a------	C:\WINDOWS\system32\drivers\SynTP.sys2007-05-23 20:03	180,360	--a------	C:\WINDOWS\system32\drivers\ntmtlfax.sys2007-05-23 20:03	18,944	--a------	C:\WINDOWS\system32\drivers\bthusb.sys2007-05-23 20:03	18,670	--a------	C:\WINDOWS\system32\drivers\FS008usb.sys2007-05-23 20:03	18,612	--a------	C:\WINDOWS\system32\drivers\tosrfnds.sys2007-05-23 20:03	17,024	--a------	C:\WINDOWS\system32\drivers\bthenum.sys2007-05-23 20:03	166,912	--a------	C:\WINDOWS\system32\drivers\s3gnbm.sys2007-05-23 20:03	160,672	--a------	C:\WINDOWS\system32\drivers\tosrfpcc.sys2007-05-23 20:03	16,320	--a------	C:\WINDOWS\system32\drivers\tostrans.sys2007-05-23 20:03	15,796	--a------	C:\WINDOWS\system32\drivers\SynSam.sys2007-05-23 20:03	15,781	--a------	C:\WINDOWS\system32\drivers\mdc8021x.sys2007-05-23 20:03	15,423	--a------	C:\WINDOWS\system32\drivers\ch7xxnt5.dll2007-05-23 20:03	15,360	--a------	C:\WINDOWS\system32\drivers\mpe.sys2007-05-23 20:03	15,104	--a------	C:\WINDOWS\system32\drivers\hidir.sys2007-05-23 20:03	145,920	--a------	C:\WINDOWS\system32\drivers\Hdaudio.sys((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))2007-06-07 19:02:19	--------	d-----w	C:\Program Files\Kalendarz XP2007-06-07 17:40:36	--------	d-----w	C:\DOCUME~1\slavOK\DANEAP~1\Azureus2007-06-07 09:19:21	--------	d-----w	C:\DOCUME~1\slavOK\DANEAP~1\The Bat!2007-06-03 17:16:09	--------	d--h--w	C:\Program Files\InstallShield Installation Information2007-06-01 20:44:08	--------	d-----w	C:\DOCUME~1\slavOK\DANEAP~1\Skype2007-05-31 14:10:42	--------	d-----w	C:\DOCUME~1\slavOK\DANEAP~1\Real2007-05-29 19:58:40	79,188	----a-w	C:\WINDOWS\system32\perfc015.dat2007-05-29 19:58:40	457,678	----a-w	C:\WINDOWS\system32\perfh015.dat2007-05-17 12:05:42	
--------	d-----w	C:\DOCUME~1\slavOK\DANEAP~1\Command & Conquer 3 Tiberium Wars2007-05-03 18:30:57	--------	d-----w	C:\Program Files\Common Files\PACE Anti-Piracy2007-05-03 18:28:45	--------	d-----w	C:\Program Files\DxO Labs2007-05-03 09:02:39	--------	d-----w	C:\Program Files\Fotosik Manager2007-05-02 21:04:47	--------	d-----w	C:\Program Files\InkSaver2007-05-02 14:50:23	--------	d-----w	C:\Program Files\kX Project2007-05-02 14:49:59	--------	d-----w	C:\Program Files\Creative2007-05-01 10:24:27	--------	d-----w	C:\Program Files\MyGlobalSearch2007-05-01 10:05:05	--------	d-----w	C:\Program Files\Kerio2007-04-30 16:46:10	745,600	----a-w	C:\WINDOWS\system32\aswBoot.exe2007-04-30 16:41:55	85,952	----a-w	C:\WINDOWS\system32\drivers\aswmon.sys2007-04-30 16:41:42	94,552	----a-w	C:\WINDOWS\system32\drivers\aswmon2.sys2007-04-30 16:39:41	23,416	----a-w	C:\WINDOWS\system32\drivers\aswRdr.sys2007-04-30 16:38:51	43,176	----a-w	C:\WINDOWS\system32\drivers\aswTdi.sys2007-04-30 16:37:23	26,888	----a-w	C:\WINDOWS\system32\drivers\aavmker4.sys2007-04-30 16:35:28	95,872	----a-w	C:\WINDOWS\system32\AvastSS.scr2007-04-30 10:57:52	--------	d-----w	C:\Program Files\Alwil Software2007-04-30 10:55:57	--------	d-----w	C:\Program Files\Azureus2007-04-23 18:11:18	287,256	----a-r	C:\WINDOWS\system32\AbaleZip.dll2007-04-21 12:52:54	57,426	----a-w	C:\WINDOWS\system32\btfunc.dll(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))  *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll [2003-11-04 01:17]{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll [2006-10-12 
04:25][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"SoundMan"="SOUNDMAN.EXE" [2005-11-11 08:07 C:\WINDOWS\soundman.exe]"nwiz"="nwiz.exe" [2006-04-16 16:51 C:\WINDOWS\system32\nwiz.exe]"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-11-12 12:48]"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 18:42]"InkSaver"="C:\Program Files\InkSaver\InkSaver.exe" [2003-10-20 18:47]"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-04-24 00:12][HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44]"H/PC Connection Agent"="C:\PROGRA~1\MICROS~3\wcescomm.exe" [2006-06-27 01:54][HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ApachInc][HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]"C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]C:\WINDOWS\system32\NeroCheck.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs***************************************************************************catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.netRootkit scan 2007-06-07 21:19:37Windows 5.1.2600 Dodatek Service Pack 2 NTFSscanning hidden processes ...scanning hidden autostart entries ...scanning hidden files ...scan completed successfullyhidden files: 0**************************************************************************Completion time: 2007-06-07 21:19:56C:\ComboFix-quarantined-files.txt ... 2007-06-07 21:19	--- E O F ---

 

 

 

Silent Runners, I hope it generated correctly this time:

 


"Silent Runners.vbs", revision R50, http://www.silentrunners.org/Operating System: Windows XP SP2Output limited to non-default values, except where indicated by "{++}"Startup items buried in registry:---------------------------------HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]"H/PC Connection Agent" = ""C:\PROGRA~1\MICROS~3\wcescomm.exe"" [MS]HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]"DAEMON Tools" = ""C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033" ["DT Soft Ltd."]"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" ["ALWIL Software"]"InkSaver" = "C:\Program Files\InkSaver\InkSaver.exe hide" ["Strydent Software, Inc."]"Picasa Media Detector" = "C:\Program Files\Picasa2\PicasaMediaDetector.exe" ["Google Inc."]HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)  -> {HKLM...CLSID} = "AcroIEHlprObj Class"				   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)  -> {HKLM...CLSID} = (no title provided)				   \InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)  -> {HKLM...CLSID} = "SSVHelper Class"				   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll" ["Sun Microsystems, Inc."]HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"				   \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]"{A70C977A-BF00-412C-90B7-034C51DA2439}" = 
"NvCpl DesktopContext Class"  -> {HKLM...CLSID} = "DesktopContext Class"				   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"  -> {HKLM...CLSID} = "NVIDIA CPL Extension"				   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"  -> {HKLM...CLSID} = "Desktop Explorer"				   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"  -> {HKLM...CLSID} = (no title provided)				   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"  -> {HKLM...CLSID} = "nView Desktop Context Menu"				   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"  -> {HKLM...CLSID} = "WinRAR"				   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"  -> {HKLM...CLSID} = (no title provided)				   \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]"{453D1B6D-BD6A-4FA1-B876-9E4DD848D434}" = "AQQ File Transfer Shell Extension"  -> {HKLM...CLSID} = "AQQ File Transfer Shell Extension"				   \InProcServer32\(Default) = "C:\PROGRA~1\Wapster\AQQ\System\AQQSHE~1.DLL" [null data]"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"  -> {HKLM...CLSID} = "avast"				   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]"{D7B7A5AE-9D19-4F9E-9C6F-46C82D22D71C}" = "Wyślij na Fotosik.pl"  -> {HKLM...CLSID} = "Wyślij na Fotosik.pl"				   \InProcServer32\(Default) = "C:\PROGRA~1\FOTOSI~1\FOTOSI~1.DLL" [null 
data]"{E8CF73E1-2D2B-465D-9740-8E85349FD65A}" = "DOPMenu"  -> {HKLM...CLSID} = "DOPMenu"				   \InProcServer32\(Default) = "C:\Program Files\DxO Labs\DxO Optics Pro v4\DOPMenu.dll" [null data]"{AC1DB655-4F9A-4c39-8AD2-A65324A4C446}" = "Autodesk Drawing Preview"  -> {HKLM...CLSID} = "ACTHUMBNAIL"				   \InProcServer32\(Default) = "C:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcThumbnail16.dll" ["Autodesk"]"{36A21736-36C2-4C11-8ACB-D4136F2B57BD}" = "Ikona obsługi nakładki Podpisów cyfrowych AutoCAD"  -> {HKLM...CLSID} = "AcSignIcon"				   \InProcServer32\(Default) = "C:\WINDOWS\system32\AcSignIcon.dll" ["Autodesk"]"{49BF5420-FA7F-11cf-8011-00A0C90A8F78}" = "Mobile Device"  -> {HKLM...CLSID} = "Urządzenie przenośne"				   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Wcesview.dll" [MS]HKLM\Software\Classes\PROTOCOLS\Filter\<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"  -> {HKLM...CLSID} = (no title provided)				   \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]HKLM\Software\Classes\*\shellex\ContextMenuHandlers\AQQFileTransfer\(Default) = "{453D1B6D-BD6A-4FA1-B876-9E4DD848D434}"  -> {HKLM...CLSID} = "AQQ File Transfer Shell Extension"				   \InProcServer32\(Default) = "C:\PROGRA~1\Wapster\AQQ\System\AQQSHE~1.DLL" [null data]avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"  -> {HKLM...CLSID} = "avast"				   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]DOPMenu\(Default) = "{E8CF73E1-2D2B-465D-9740-8E85349FD65A}"  -> {HKLM...CLSID} = "DOPMenu"				   \InProcServer32\(Default) = "C:\Program Files\DxO Labs\DxO Optics Pro v4\DOPMenu.dll" [null data]WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"  -> {HKLM...CLSID} = "WinRAR"				   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\DOPMenu\(Default) = 
"{E8CF73E1-2D2B-465D-9740-8E85349FD65A}"  -> {HKLM...CLSID} = "DOPMenu"				   \InProcServer32\(Default) = "C:\Program Files\DxO Labs\DxO Optics Pro v4\DOPMenu.dll" [null data]WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"  -> {HKLM...CLSID} = "WinRAR"				   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]{D7B7A5AE-9D19-4F9E-9C6F-46C82D22D71C}\(Default) = "{D7B7A5AE-9D19-4F9E-9C6F-46C82D22D71C}"  -> {HKLM...CLSID} = "Wyślij na Fotosik.pl"				   \InProcServer32\(Default) = "C:\PROGRA~1\FOTOSI~1\FOTOSI~1.DLL" [null data]HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"  -> {HKLM...CLSID} = "avast"				   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"  -> {HKLM...CLSID} = "WinRAR"				   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]Default executables:--------------------HKCU\Software\Classes\.scr\(Default) = "AutoCADScriptFile"<<!>> HKCU\Software\Classes\AutoCADScriptFile\shell\open\command\(Default) = ""C:\WINDOWS\notepad.exe" "%1"" [MS]Group Policies {GPedit.msc branch and setting}:-----------------------------------------------Note: detected settings may not have any effect.HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|Shutdown: Allow system to be shut down without having to log on}"undockwithoutlogon" = (REG_DWORD) hex:0x00000001{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|Devices: Allow undock without having to log on}Active Desktop and Wallpaper:-----------------------------Active Desktop may be disabled at this entry:HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellStateDisplayed if Active Desktop 
enabled and wallpaper not set by Group Policy:HKCU\Software\Microsoft\Internet Explorer\Desktop\General\"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"Displayed if Active Desktop disabled and wallpaper not set by Group Policy:HKCU\Control Panel\Desktop\"Wallpaper" = "C:\Documents and Settings\slavOK\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"Startup items in "slavOK" & "All Users" startup folders:--------------------------------------------------------C:\Documents and Settings\slavOK\Menu Start\Programy\Autostart"Adobe Gamma" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]C:\Documents and Settings\All Users\Menu Start\Programy\Autostart"Kalendarz XP" -> shortcut to: "C:\Program Files\Kalendarz XP\Kalendarz.exe" [null data]"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]Winsock2 Service Provider DLLs:-------------------------------Namespace Service ProvidersHKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]Transport Service ProvidersHKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:%SystemRoot%\system32\mswsock.dll [MS], 01 - 04, 07 - 20%SystemRoot%\system32\rsvpsp.dll [MS], 05 - 06Toolbars, Explorer Bars, Extensions:------------------------------------Explorer BarsHKLM\Software\Microsoft\Internet Explorer\Explorer Bars\HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Badanie"Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical 
bar]InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]Extensions (Tools menu items, main toolbar menu buttons)HKLM\Software\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\"MenuText" = "Sun Java Console""CLSIDExtension" = "{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC}"  -> {HKCU...CLSID} = "Java Plug-in 1.5.0_09"				   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll" ["Sun Microsystems, Inc."]  -> {HKLM...CLSID} = "Java Plug-in 1.5.0_09"				   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll" ["Sun Microsystems, Inc."]{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}\"ButtonText" = "Create Mobile Favorite""CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"  -> {HKLM...CLSID} = "Create Mobile Favorite"				   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\INetRepl.dll" [MS]{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}\"MenuText" = "Utwórz łącze Ulubione dla urządzenia przenośnego...""CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"  -> {HKLM...CLSID} = "Create Mobile Favorite"				   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\INetRepl.dll" [MS]{92780B25-18CC-41C8-B9BE-3C9C571A8263}\"ButtonText" = "Badanie"{FB5F1910-F110-11D2-BB9E-00C04F795683}\"ButtonText" = "Messenger""MenuText" = "Windows Messenger""Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]Running Services (Display Name, Service Name, Path {Service DLL}):------------------------------------------------------------------avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" ["ALWIL Software"]avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" ["ALWIL Software"]avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]avast! Web Scanner, avast! 
Web Scanner, ""C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]C-DillaCdaC11BA, C-DillaCdaC11BA, "C:\WINDOWS\system32\drivers\CDAC11BA.EXE" ["Macrovision"]Cyberlink RichVideo Service(CRVS), RichVideo, ""C:\Program Files\CyberLink\Shared files\RichVideo.exe"" [empty string]Kerio Personal Firewall, PersFw, ""C:\Program Files\Kerio\Personal Firewall\persfw.exe"" ["Kerio Technologies"]NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]ScsiAccess, ScsiAccess, "C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe" [null data]StarWind iSCSI Service, StarWindService, "C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe" ["Rocket Division Software"]Print Monitors:---------------HKLM\System\CurrentControlSet\Control\Print\Monitors\Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]----------<<!>>: Suspicious data at a malware launch point.+ This report excludes default entries except where indicated.+ To see *everywhere* the script checks and *everything* it finds,  launch it from a command prompt or a shortcut with the -all parameter.+ The search for DESKTOP.INI DLL launch points on all local fixed drives  took 11 seconds.---------- (total run time: 32 seconds)

 

it would probably be simpler to reinstall the system from scratch 8O

 

and, as a precaution, a HijackThis log:

 


Logfile of HijackThis v1.99.1Scan saved at 21:25:48, on 2007-06-07Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Alwil Software\Avast4\aswUpdSv.exeC:\Program Files\Alwil Software\Avast4\ashServ.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\SOUNDMAN.EXEC:\Program Files\DAEMON Tools\daemon.exeC:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exeC:\Program Files\InkSaver\InkSaver.exeC:\Program Files\Picasa2\PicasaMediaDetector.exeC:\WINDOWS\system32\ctfmon.exeC:\PROGRA~1\MICROS~3\wcescomm.exeC:\PROGRA~1\MICROS~3\rapimgr.exeC:\Program Files\Kalendarz XP\Kalendarz.exeC:\WINDOWS\system32\drivers\CDAC11BA.EXEC:\WINDOWS\system32\nvsvc32.exeC:\Program Files\Kerio\Personal Firewall\persfw.exeC:\Program Files\CyberLink\Shared files\RichVideo.exeC:\Program Files\Photodex\ProShowGold\ScsiAccess.exeC:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Alwil Software\Avast4\ashMaiSv.exeC:\Program Files\Alwil Software\Avast4\ashWebSv.exeC:\WINDOWS\System32\svchost.exeC:\PROGRA~1\Mozilla Firefox\firefox.exeC:\Program Files\Wapster\AQQ\AQQ.exeC:\ComboFix\26135.cfexeC:\WINDOWS\explorer.exeF:\Odrobaczanie\hijackthis\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = ŁączaO2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dllO2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO2 - BHO: SSVHelper 
Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dllO4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXEO4 - HKLM\..\Run: [nwiz] nwiz.exe /installO4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exeO4 - HKLM\..\Run: [InkSaver] C:\Program Files\InkSaver\InkSaver.exe hideO4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exeO4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~3\wcescomm.exe"O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exeO4 - Global Startup: Kalendarz XP.lnk = C:\Program Files\Kalendarz XP\Kalendarz.exeO4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXEO8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dllO9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dllO9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dllO9 - Extra 'Tools' menuitem: Utwórz łącze Ulubione dla urządzenia przenośnego... 
- {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dllO9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLLO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLLO23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exeO23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exeO23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exeO23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXEO23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeO23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exeO23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall\persfw.exeO23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exeO23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exeO23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
Edited by slavOK


Just this one more thing:

 

Download and run the tool: The Avenger

Select the Input script manually option and click the magnifying glass on the right. In the window that opens, paste:

Files to delete:

 

C:\WINDOWS\System32\Drivers\aeuq3s96.SYS

C:\WINDOWS\System32\Drivers\a9fe844x.SYS

C:\WINDOWS\system32\txtrpmke.exe

 

Click Done, then the green light, and agree to the restart by clicking OK.

 

- After that, post the GMER and ComboFix logs. These things take time... nothing I can do about it.
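As an added example (not code from this thread, from HijackThis, or from ComboFix), here is the kind of triage pass a log reader does by hand over R0/O4/O23 entries before asking for more scans: it flags a hijacked start page, an autorun launched from a profile or temp directory, and services whose binary is not where the entry says. The sample log is constructed to mirror the format of the log posted above; the "[updater]" entry is a made-up illustration, and the severity labels and directory heuristics are this example's own assumptions.

```python
# Added example, not code from the thread, HijackThis or ComboFix: a triage
# pass over HijackThis-style R0/O4/O23 entries that flags the signals a log
# reader checks first. The sample log is constructed to mirror the format of
# the log posted above; the "[updater]" entry is a made-up illustration.
import re
from typing import Dict, List

SAMPLE_HJT = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/pl/
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updater] C:\DOCUME~1\user\USTAWI~1\Temp\updater.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
"""

R0_RE = re.compile(r"^R0 - (?P<key>[^,]+),(?P<value>[^=]+?) =\s?(?P<data>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

# IE start pages that are defaults on XP-era installs; anything else gets a look.
DEFAULT_START_PAGES = ("about:blank", "http://www.microsoft.com/isapi/redir.dll",
                       "http://go.microsoft.com/fwlink/")
# Locations from which a legitimate autorun entry is rarely launched (heuristic).
PROFILE_OR_TEMP_DIRS = ("\\temp\\", "\\docume~1\\", "\\documents and settings\\", "\\recycler\\")


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious entry: severity, reason and the raw entry."""
    findings: List[Dict[str, str]] = []

    def add(severity: str, reason: str, entry: str) -> None:
        findings.append({"severity": severity, "reason": reason, "entry": entry})

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = R0_RE.match(line)
        if m:
            if m.group("value").strip() == "Start Page" and not m.group("data").startswith(DEFAULT_START_PAGES):
                add("medium", "non-default IE start page", line)
            continue
        m = O4_RE.match(line)
        if m:
            if any(d in m.group("cmd").lower() for d in PROFILE_OR_TEMP_DIRS):
                add("high", "autorun launched from a profile or temp directory", line)
            continue
        m = O23_RE.match(line)
        if m:
            path = m.group("path")
            if "(file missing)" in path:
                add("medium", "service binary not found at the listed path", line)
            elif path.count('"') % 2:
                # An odd quote usually means a quoted ImagePath with arguments was cut;
                # confirm the real path in the service's registry key before acting.
                add("low", "unbalanced quote in service path (verify ImagePath in the registry)", line)
            if m.group("owner") == "Unknown owner":
                add("info", "service binary carries no company name", line)
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per severity so the worst entries are checked (e.g. on VirusTotal) first."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT):
        print(f"[{f['severity']}] {f['reason']}: {f['entry']}")
    print(summarize(triage(SAMPLE_HJT)))
```

The "Unknown owner" flag is deliberately informational only: several legitimate services in the log above (ScsiAccess, RichVideo) lack a company string, so it is a reason to look, not a verdict.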


Tell me one more thing: where did all this junk come from? 8O The system has been up for maybe 2 months, I have the Windows firewall turned on, I don't visit any shady sites, I don't download who-knows-what... I only use Azureus...

 

How do I protect myself from this kind of crap in the system in the future...

 

 

combofix

 


"slavOK" - 2007-06-07 21:56:07	Dodatek Service Pack 2  NTFS
ComboFix 07-06-3B - Running from: "F:\Odrobaczanie\"

(((((((((((((((((((((((((   Files Created from 2007-05-07 to 2007-06-07  )))))))))))))))))))))))))))))))

2007-06-07 21:49	<DIR>	d--------	C:\avenger
2007-06-07 20:47	354	--a------	C:\FIX.reg
2007-06-07 19:07	49,152	--a------	C:\WINDOWS\nircmd.exe
2007-06-07 13:22	<DIR>	d--------	C:\DOCUME~1\ALLUSE~1\DANEAP~1\Spybot - Search & Destroy
2007-06-06 23:58	524,288	--ah-----	C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-06-06 23:58	<DIR>	dr-h-----	C:\DOCUME~1\ADMINI~1\Dane aplikacji
2007-06-06 23:58	<DIR>	dr-------	C:\DOCUME~1\ADMINI~1\Menu Start
2007-06-06 23:58	<DIR>	d--h-----	C:\DOCUME~1\ADMINI~1\Ustawienia lokalne
2007-06-06 23:58	<DIR>	d--h-----	C:\DOCUME~1\ADMINI~1\Szablony
2007-06-06 23:58	<DIR>	d--------	C:\DOCUME~1\ADMINI~1\Ulubione
2007-06-06 23:58	<DIR>	d--------	C:\DOCUME~1\ADMINI~1\Pulpit
2007-06-06 23:58	<DIR>	d--------	C:\DOCUME~1\ADMINI~1\Moje dokumenty
2007-06-06 23:40	<DIR>	d--------	C:\Program Files\XP Repair Pro 2007
2007-06-06 22:53	626,688	--a------	C:\WINDOWS\system32\msvcr80.dll
2007-06-06 15:27	<DIR>	d--------	C:\Program Files\JPEGCrops
2007-06-06 10:28	<DIR>	d--------	C:\Program Files\FLVPlayer
2007-06-04 18:42	<DIR>	d--------	C:\DOCUME~1\ALLUSE~1\DANEAP~1\Apple Computer
2007-06-04 18:33	106,912	--a------	C:\WINDOWS\hpqins13.dat
2007-06-02 20:27	796,672	--a------	C:\WINDOWS\GPInstall.exe
2007-06-01 20:28	231,936	--a------	C:\WINDOWS\epsuninst.exe
2007-05-31 16:16	<DIR>	d--------	C:\Program Files\Photodex Presenter
2007-05-31 16:16	<DIR>	d--------	C:\DOCUME~1\slavOK\DANEAP~1\Netscape
2007-05-31 16:15	<DIR>	d--------	C:\Program Files\Photodex
2007-05-31 16:09	<DIR>	d--------	C:\DOCUME~1\slavOK\DANEAP~1\Photodex
2007-05-31 14:02	0	--a------	C:\DOCUME~1\slavOK\system_conf.dat
2007-05-29 23:01	<DIR>	d--------	C:\DOCUME~1\ALLUSE~1\DANEAP~1\nView_Profiles
2007-05-29 15:04	<DIR>	d--------	C:\Program Files\Microsoft ActiveSync
2007-05-29 15:03	<DIR>	d--------	C:\WINDOWS\Downloaded Installations
2007-05-28 20:28	<DIR>	d--------	C:\DOCUME~1\ALLUSE~1\DANEAP~1\Test Drive Unlimited
2007-05-27 18:01	41,984	--a------	C:\WINDOWS\system32\drivers\Xprotector.sys
2007-05-26 19:16	<DIR>	d--------	C:\DOCUME~1\slavOK\DANEAP~1\Opera
2007-05-23 23:08	<DIR>	d--------	C:\Program Files\Hamachi
2007-05-23 22:46	77,824	--a------	C:\WINDOWS\system32\btw_ci.dll
2007-05-23 21:55	<DIR>	d--------	C:\Program Files\QuickTime
2007-05-23 21:55	<DIR>	d--------	C:\Program Files\ImTOO
2007-05-23 20:03	95,424	--a------	C:\WINDOWS\system32\drivers\slnthal.sys
2007-05-23 20:03	9,344	--a------	C:\WINDOWS\system32\drivers\tosrfec.sys
2007-05-23 20:03	9,344	--a------	C:\WINDOWS\system32\drivers\compbatt.sys
2007-05-23 20:03	862,340	-ra------	C:\WINDOWS\system32\drivers\smserial.sys
2007-05-23 20:03	8,278	--a------	C:\WINDOWS\system32\drivers\SynScan.sys
2007-05-23 20:03	78,976	--a------	C:\WINDOWS\system32\drivers\Rtenicxp.sys
2007-05-23 20:03	78,464	--a------	C:\WINDOWS\system32\drivers\usbvideo.sys
2007-05-23 20:03	720,470	--a------	C:\WINDOWS\system32\drivers\SynMini.sys
2007-05-23 20:03	7,424	-ra------	C:\WINDOWS\system32\drivers\MMIOPORT.SYS
2007-05-23 20:03	685,056	--a------	C:\WINDOWS\system32\drivers\hsfcxts2.sys
2007-05-23 20:03	685,056	--a------	C:\WINDOWS\system32\drivers\hardlock.sys
2007-05-23 20:03	644,424	--a------	C:\WINDOWS\system32\drivers\SynPin.sys
2007-05-23 20:03	64,896	--a------	C:\WINDOWS\system32\drivers\tosrfcom.sys
2007-05-23 20:03	62,848	--a------	C:\WINDOWS\system32\drivers\tosrfhid.sys
2007-05-23 20:03	61,067	-ra------	C:\WINDOWS\system32\drivers\ftser2k.sys
2007-05-23 20:03	6,016	--a------	C:\WINDOWS\system32\drivers\smbali.sys
2007-05-23 20:03	59,648	--a------	C:\WINDOWS\system32\drivers\rfcomm.sys
2007-05-23 20:03	53,504	--a------	C:\WINDOWS\system32\drivers\i8042prt.sys
2007-05-23 20:03	52,864	--a------	C:\WINDOWS\system32\drivers\tosrfsnd.sys
2007-05-23 20:03	51,328	--a------	C:\WINDOWS\system32\drivers\rimsptsk.sys
2007-05-23 20:03	51,328	--a------	C:\WINDOWS\system32\drivers\msdv.sys
2007-05-23 20:03	48,640	--a------	C:\WINDOWS\system32\drivers\tosdbt.sys
2007-05-23 20:03	47,616	--a------	C:\WINDOWS\system32\drivers\Haspnt.sys
2007-05-23 20:03	47,249	-ra------	C:\WINDOWS\system32\drivers\ftdibus.sys
2007-05-23 20:03	47,104	--a------	C:\WINDOWS\system32\drivers\tosporte.sys
2007-05-23 20:03	46,464	--a------	C:\WINDOWS\system32\drivers\gagp30kx.sys
2007-05-23 20:03	452,736	--a------	C:\WINDOWS\system32\drivers\mtxparhm.sys
2007-05-23 20:03	44,672	--a------	C:\WINDOWS\system32\drivers\uagp35.sys
2007-05-23 20:03	42,240	--a------	C:\WINDOWS\system32\drivers\viaagp.sys
2007-05-23 20:03	41,088	--a------	C:\WINDOWS\system32\drivers\sisagp.sys
2007-05-23 20:03	404,990	--a------	C:\WINDOWS\system32\drivers\slntamr.sys
2007-05-23 20:03	40,832	--a------	C:\WINDOWS\system32\drivers\irbus.sys
2007-05-23 20:03	4,381,184	-ra------	C:\WINDOWS\system32\drivers\RtkHDAud.Sys
2007-05-23 20:03	39,808	--a------	C:\WINDOWS\system32\drivers\tosrfusb.sys
2007-05-23 20:03	38,016	--a------	C:\WINDOWS\system32\drivers\bthmodem.sys
2007-05-23 20:03	37,632	--a------	C:\WINDOWS\system32\drivers\tosrfbnp.sys
2007-05-23 20:03	35,456	--a------	C:\WINDOWS\system32\drivers\bthprint.sys
2007-05-23 20:03	30,592	--a------	C:\WINDOWS\system32\drivers\rndismpx.sys
2007-05-23 20:03	3,901	--a------	C:\WINDOWS\system32\drivers\siint5.dll
2007-05-23 20:03	3,712	--a------	C:\WINDOWS\system32\drivers\toshidpt.sys
2007-05-23 20:03	275,200	--a------	C:\WINDOWS\system32\drivers\bthport.sys
2007-05-23 20:03	27,904	--a------	C:\WINDOWS\system32\drivers\risdptsk.sys
2007-05-23 20:03	25,728	--a------	C:\WINDOWS\system32\drivers\hidbth.sys
2007-05-23 20:03	25,471	--a------	C:\WINDOWS\system32\drivers\watv10nt.sys
2007-05-23 20:03	25,420	--a------	C:\WINDOWS\system32\drivers\tosrflan.sys
2007-05-23 20:03	226,688	--a------	C:\WINDOWS\system32\drivers\SynCamd.sys
2007-05-23 20:03	223,128	--a------	C:\WINDOWS\system32\drivers\dtscsi.sys
2007-05-23 20:03	220,032	--a------	C:\WINDOWS\system32\drivers\hsfbs2s2.sys
2007-05-23 20:03	22,271	--a------	C:\WINDOWS\system32\drivers\watv06nt.sys
2007-05-23 20:03	21,120	--a------	C:\WINDOWS\system32\drivers\tosbtsd2.sys
2007-05-23 20:03	191,936	--a------	C:\WINDOWS\system32\drivers\SynTP.sys
2007-05-23 20:03	180,360	--a------	C:\WINDOWS\system32\drivers\ntmtlfax.sys
2007-05-23 20:03	18,944	--a------	C:\WINDOWS\system32\drivers\bthusb.sys
2007-05-23 20:03	18,670	--a------	C:\WINDOWS\system32\drivers\FS008usb.sys
2007-05-23 20:03	18,612	--a------	C:\WINDOWS\system32\drivers\tosrfnds.sys
2007-05-23 20:03	17,024	--a------	C:\WINDOWS\system32\drivers\bthenum.sys
2007-05-23 20:03	166,912	--a------	C:\WINDOWS\system32\drivers\s3gnbm.sys
2007-05-23 20:03	160,672	--a------	C:\WINDOWS\system32\drivers\tosrfpcc.sys
2007-05-23 20:03	16,320	--a------	C:\WINDOWS\system32\drivers\tostrans.sys
2007-05-23 20:03	15,796	--a------	C:\WINDOWS\system32\drivers\SynSam.sys
2007-05-23 20:03	15,781	--a------	C:\WINDOWS\system32\drivers\mdc8021x.sys
2007-05-23 20:03	15,423	--a------	C:\WINDOWS\system32\drivers\ch7xxnt5.dll
2007-05-23 20:03	15,360	--a------	C:\WINDOWS\system32\drivers\mpe.sys
2007-05-23 20:03	15,104	--a------	C:\WINDOWS\system32\drivers\hidir.sys
2007-05-23 20:03	145,920	--a------	C:\WINDOWS\system32\drivers\Hdaudio.sys

((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-07 19:47:50	--------	d-----w	C:\DOCUME~1\slavOK\DANEAP~1\Azureus
2007-06-07 19:47:45	--------	d-----w	C:\Program Files\Kalendarz XP
2007-06-07 09:19:21	--------	d-----w	C:\DOCUME~1\slavOK\DANEAP~1\The Bat!
2007-06-03 17:16:09	--------	d--h--w	C:\Program Files\InstallShield Installation Information
2007-06-01 20:44:08	--------	d-----w	C:\DOCUME~1\slavOK\DANEAP~1\Skype
2007-05-31 14:10:42	--------	d-----w	C:\DOCUME~1\slavOK\DANEAP~1\Real
2007-05-29 19:58:40	79,188	----a-w	C:\WINDOWS\system32\perfc015.dat
2007-05-29 19:58:40	457,678	----a-w	C:\WINDOWS\system32\perfh015.dat
2007-05-17 12:05:42	--------	d-----w	C:\DOCUME~1\slavOK\DANEAP~1\Command & Conquer 3 Tiberium Wars
2007-05-03 18:30:57	--------	d-----w	C:\Program Files\Common Files\PACE Anti-Piracy
2007-05-03 18:28:45	--------	d-----w	C:\Program Files\DxO Labs
2007-05-03 09:02:39	--------	d-----w	C:\Program Files\Fotosik Manager
2007-05-02 21:04:47	--------	d-----w	C:\Program Files\InkSaver
2007-05-02 14:50:23	--------	d-----w	C:\Program Files\kX Project
2007-05-02 14:49:59	--------	d-----w	C:\Program Files\Creative
2007-05-01 10:24:27	--------	d-----w	C:\Program Files\MyGlobalSearch
2007-05-01 10:05:05	--------	d-----w	C:\Program Files\Kerio
2007-04-30 16:46:10	745,600	----a-w	C:\WINDOWS\system32\aswBoot.exe
2007-04-30 16:41:55	85,952	----a-w	C:\WINDOWS\system32\drivers\aswmon.sys
2007-04-30 16:41:42	94,552	----a-w	C:\WINDOWS\system32\drivers\aswmon2.sys
2007-04-30 16:39:41	23,416	----a-w	C:\WINDOWS\system32\drivers\aswRdr.sys
2007-04-30 16:38:51	43,176	----a-w	C:\WINDOWS\system32\drivers\aswTdi.sys
2007-04-30 16:37:23	26,888	----a-w	C:\WINDOWS\system32\drivers\aavmker4.sys
2007-04-30 16:35:28	95,872	----a-w	C:\WINDOWS\system32\AvastSS.scr
2007-04-30 10:57:52	--------	d-----w	C:\Program Files\Alwil Software
2007-04-30 10:55:57	--------	d-----w	C:\Program Files\Azureus
2007-04-23 18:11:18	287,256	----a-r	C:\WINDOWS\system32\AbaleZip.dll
2007-04-21 12:52:54	57,426	----a-w	C:\WINDOWS\system32\btfunc.dll

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll [2003-11-04 01:17]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll [2006-10-12 04:25]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-11-11 08:07 C:\WINDOWS\soundman.exe]
"nwiz"="nwiz.exe" [2006-04-16 16:51 C:\WINDOWS\system32\nwiz.exe]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-11-12 12:48]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 18:42]
"InkSaver"="C:\Program Files\InkSaver\InkSaver.exe" [2003-10-20 18:47]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-04-24 00:12]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44]
"H/PC Connection Agent"="C:\PROGRA~1\MICROS~3\wcescomm.exe" [2006-06-27 01:54]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ApachInc]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
"C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*

**************************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-07 21:56:36
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-07 21:57:01
C:\ComboFix-quarantined-files.txt ... 2007-06-07 21:56
C:\ComboFix2.txt ... 2007-06-07 21:19
--- E O F ---

 

 

GMER

 

http://www.wklej.org/id/42390d1270

Edited by slavOK


Exactly... the Windows firewall does nothing - it's hopelessly full of holes and, besides, it doesn't protect against anything. 8O

 

Pick something from this set: http://forum.purepc.pl/index.php?showtopic=235710

 

Go to www.virustotal.com and scan these files. Paste the reports.

C:\WINDOWS\System32\Drivers\a3t072w3.SYS
C:\WINDOWS\System32\Drivers\ascxlt93.SYS
Edited by CatchMe


Go to www.virustotal.com and scan these files. Paste the reports.

 

 

C:\WINDOWS\System32\Drivers\a3t072w3.SYS

C:\WINDOWS\System32\Drivers\ascxlt93.SYS

 

The funniest thing is that those files aren't in that directory 8O


Could it be NTFS streams?

http://www.avgpolska.pl/art,id,120.html (description)

http://www.heysoft.de/nt/ep-lads.htm (program)

Or maybe just hidden/system files. I recommend using Total Commander with the "Show hidden" option.

 

And also:

http://dobreprogramy.pl/index.php?dz=22&id=1497&t=55

http://www.grzegorz.net/articles/index.php?id=ntfsstreams

http://bezpieczenstwo.idg.pl/artykuly/51769.html
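The two posts above describe one observation (a scanner names driver files that the directory listing does not show) and two candidate explanations (hidden/system attributes, NTFS alternate data streams). As an added example, not code from this thread, from GMER or from the linked tools, the block below checks all three: a cross-view comparison of "what the scanner reported" against "what the directory shows", a test of the hidden/system attribute bits, and stream enumeration through the Win32 FindFirstStreamW API. The driver names in the sample are constructed placeholders, and the Windows-only parts are guarded so the comparison itself runs anywhere.

```python
# Added example, not code from the thread, GMER or the linked tools: a
# cross-view check for the situation above, where a scanner names driver files
# that a normal directory listing does not show, plus the two explanations the
# reply offers (hidden/system attributes, alternate data streams). The sample
# names are constructed placeholders; the Win32-only parts are guarded.
import ctypes
import os
import sys
from typing import Dict, Iterable, List, Set

# Win32 FILE_ATTRIBUTE_* values, spelled out to avoid a platform-dependent import.
FILE_ATTRIBUTE_HIDDEN = 0x2
FILE_ATTRIBUTE_SYSTEM = 0x4


def cross_view_diff(scanner_seen: Iterable[str], listing_seen: Iterable[str]) -> Set[str]:
    """Names the scanner reported that the directory listing lacks.
    A file a kernel-level scanner sees but Explorer/os.listdir does not is the
    classic symptom of a rootkit filtering directory enumeration. NTFS names
    are case-insensitive, so compare lower-cased."""
    listed = {n.lower() for n in listing_seen}
    return {n for n in scanner_seen if n.lower() not in listed}


def hidden_or_system(attrs: int) -> bool:
    """True if the attribute bits alone would hide the file from a default Explorer view."""
    return bool(attrs & (FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM))


def alternate_streams(stream_names: Iterable[str]) -> List[str]:
    """Drop the unnamed data stream ('::$DATA'); what remains are alternate data streams."""
    return [s for s in stream_names if s != "::$DATA"]


def list_streams(path: str) -> List[str]:
    """Enumerate the NTFS streams of one file with FindFirstStreamW (Windows only)."""
    if sys.platform != "win32":
        raise OSError("stream enumeration needs the Win32 API")
    import ctypes.wintypes as wt

    class WIN32_FIND_STREAM_DATA(ctypes.Structure):
        _fields_ = [("StreamSize", ctypes.c_longlong),
                    ("cStreamName", ctypes.c_wchar * (260 + 36))]  # MAX_PATH + 36

    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.FindFirstStreamW.restype = wt.HANDLE
    k32.FindFirstStreamW.argtypes = [wt.LPCWSTR, ctypes.c_int, ctypes.c_void_p, wt.DWORD]
    k32.FindNextStreamW.restype = wt.BOOL
    k32.FindNextStreamW.argtypes = [wt.HANDLE, ctypes.c_void_p]
    k32.FindClose.argtypes = [wt.HANDLE]

    data = WIN32_FIND_STREAM_DATA()
    invalid = ctypes.c_void_p(-1).value                              # INVALID_HANDLE_VALUE
    handle = k32.FindFirstStreamW(path, 0, ctypes.byref(data), 0)   # 0 = FindStreamInfoStandard
    if handle in (None, invalid):
        raise ctypes.WinError(ctypes.get_last_error())
    names = []
    try:
        while True:
            names.append(data.cStreamName)
            if not k32.FindNextStreamW(handle, ctypes.byref(data)):  # FALSE at end of list
                break
    finally:
        k32.FindClose(handle)
    return names


def audit_directory(dirpath: str, scanner_seen: Iterable[str]) -> Dict[str, Set[str]]:
    """Compare a scanner's file list with the directory as the OS shows it,
    and note which listed files are merely attribute-hidden or carry ADS."""
    listing = os.listdir(dirpath)
    result: Dict[str, Set[str]] = {"hidden_from_listing": cross_view_diff(scanner_seen, listing),
                                   "attribute_hidden": set(), "with_ads": set()}
    for name in listing:
        full = os.path.join(dirpath, name)
        attrs = getattr(os.stat(full), "st_file_attributes", 0)  # present on Windows only
        if hidden_or_system(attrs):
            result["attribute_hidden"].add(name)
        if sys.platform == "win32" and os.path.isfile(full) and alternate_streams(list_streams(full)):
            result["with_ads"].add(name)
    return result


def demo() -> Set[str]:
    """Constructed inputs: what a scanner reported vs. what the listing showed."""
    scanner_seen = ["PLACEHOLDER1.SYS", "PLACEHOLDER2.SYS", "ntfs.sys"]
    listing_seen = ["NTFS.SYS", "disk.sys"]
    return cross_view_diff(scanner_seen, listing_seen)


if __name__ == "__main__":
    print("reported but not listed:", sorted(demo()))
    if len(sys.argv) > 1:   # usage: script.py <directory> <name reported by scanner> ...
        print(audit_directory(sys.argv[1], sys.argv[2:]))
```

A name that lands in "hidden_from_listing" but not in "attribute_hidden" is the case the thread ran into: attributes and streams do not explain it, so the listing itself is being filtered and the kernel-level scanner's view is the one to trust.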


Guest
This topic has been closed. Replies can no longer be added.

