PhoeeeniX

No Sound - Previously Removed Trojans


Hello,

A few days ago I was downloading a crack for a game and downloaded some crap along with it. Since then I've had some junk on my computer, namely a red shield with a cross in the tray, then some trojan horses, including !update.exe

I've already removed everything and cleaned the computer, so I'm clean, but I'm not sure about the log.

My sound also got eaten, so I downloaded the drivers for my mobo, but that didn't help, because when I launched Winamp it complained about wrong drivers. I don't feel like installing Windows a second time and want to sort it out this way. I'll probably switch to Aurox soon anyway 8O

I'd be grateful if someone looked over this log and advised what to do about the sound 8O

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\SYSTEM32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

C:\Program Files\QuickTime\qttask.exe

F:\Logitech\iTouch\iTouch.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

F:\FinePixViewer\QuickDCF2.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\WINDOWS\system32\bgsvcgen.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

F:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe

C:\WINDOWS\system32\svchost.exe

f:\pinnacle\shared files\programs\mediaserver\pmshost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\System32\svchost.exe

F:\Konnekt\konnekt.exe

C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

C:\Documents and Settings\PhoeniX\Pulpit\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O2 - BHO: (no name) - {B7593C1D-F58C-AB2D-8A06-F8ADD89529E5} - C:\WINDOWS\system32\wpm.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [zBrowser Launcher] F:\Logitech\iTouch\iTouch.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [NBJ] "F:\Ahead\Nero BackItUp\NBJ.exe"

O4 - HKCU\..\Run: [Ortd] "C:\PROGRA~1\COMMON~1\SSTEM3~1\ati2evxx.exe" -vt yazb

O4 - HKCU\..\Run: [Hilg] C:\WINDOWS\?icrosoft\n?tdde.exe

O4 - HKCU\..\Run: [Ofn] C:\WINDOWS\??mbols\??anregw.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Exif Launcher 2.lnk = ?

O4 - Global Startup: Image Transfer.lnk = ?

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://F:\MICROS~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: PacificPoker - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - F:\PACIFI~1\pacificpoker.exe

O16 - DPF: {5A09E43F-A0A7-4ABF-AF80-11367CF1DC8F} (MainControl Class) - http://mks.com.pl/skaner/SkanerOnline.cab

O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{5EE64A38-F284-44A1-AD61-EB19F1E1A595}: NameServer = 194.204.159.1,194.204.152.34

O20 - Winlogon Notify: wingdm32 - wingdm32.dll (file missing)

O20 - Winlogon Notify: wudb - C:\WINDOWS\system32\wudb.dll (file missing)

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: MSSQL$PINNACLESYS - Unknown owner - F:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe" -sPINNACLESYS (file missing)

O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - f:\pinnacle\shared files\programs\mediaserver\pmshost.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

O23 - Service: SQLAgent$PINNACLESYS - Unknown owner - F:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlagent.EXE" -i PINNACLESYS (file missing)


O2 - BHO: (no name) - {B7593C1D-F58C-AB2D-8A06-F8ADD89529E5} - C:\WINDOWS\system32\wpm.dll

O4 - HKCU\..\Run: [Hilg] C:\WINDOWS\?icrosoft\n?tdde.exe

O4 - HKCU\..\Run: [Ofn] C:\WINDOWS\??mbols\??anregw.exe

O20 - Winlogon Notify: wingdm32 - wingdm32.dll (file missing)

O20 - Winlogon Notify: wudb - C:\WINDOWS\system32\wudb.dll (file missing)

Start removing according to these 2 instructions:

 

http://cybertrash.pl/images/tata/PurityScan.html

 

+

 

Use: SmitFraudFix with option 2 in Safe Mode.

- The log from the program's run is located here: C:\raport.txt - paste it on the forum.

 

After these steps, paste the logs from HijackThis, Silent Runners and ComboFix.

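The five entries quoted above were picked out of a 90-line log by eye. The heuristics behind that selection are simple enough to encode, so here is an added example (Python, written for this page; it is not HijackThis code and not something the responder posted) that applies them to a constructed sample made of the flagged lines plus a few benign lines from the same log: a BHO with "(no name)" or a missing DLL; an autostart whose path HijackThis could not display cleanly (it prints "?" for such characters, so "?icrosoft" is a directory whose name only resembles "Microsoft", which Silent Runners reports as "(unwritable string)"); a known Windows or driver binary name such as ati2evxx.exe launched from outside the Windows directory; and a Winlogon Notify package whose DLL is missing, which winlogon still tries to load at every logon. The IMPERSONATED list is an illustrative assumption, not a complete one.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample: the entries the responder flagged in the log above, plus a few
# benign lines from the same log so the heuristics have something to leave alone.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {B7593C1D-F58C-AB2D-8A06-F8ADD89529E5} - C:\WINDOWS\system32\wpm.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Ortd] "C:\PROGRA~1\COMMON~1\SSTEM3~1\ati2evxx.exe" -vt yazb
O4 - HKCU\..\Run: [Hilg] C:\WINDOWS\?icrosoft\n?tdde.exe
O4 - HKCU\..\Run: [Ofn] C:\WINDOWS\??mbols\??anregw.exe
O20 - Winlogon Notify: wingdm32 - wingdm32.dll (file missing)
O20 - Winlogon Notify: wudb - C:\WINDOWS\system32\wudb.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""

ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")

# Names of Windows/driver binaries that malware likes to borrow; a copy that runs from
# anywhere other than the Windows directory is worth a look. Illustrative list only (assumption).
IMPERSONATED = {"ati2evxx.exe", "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def o4_target(body: str) -> str:
    """Extract the launched path from an O4 body such as 'HKCU\\..\\Run: [Name] "C:\\x.exe" -arg'."""
    _, _, cmd = body.partition("] ")
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]


def triage(log_text: str) -> list[Finding]:
    """Apply the responder's heuristics to a HijackThis log and return the entries to fix."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        if section == "O2" and ("(no name)" in body or "(file missing)" in body):
            findings.append(Finding(section, "BHO with no name or a missing DLL", raw.strip()))
        elif section == "O4":
            target = o4_target(body)
            folder, _, name = target.rpartition("\\")
            if "?" in target:
                # HijackThis prints '?' for characters it cannot display: '?icrosoft' is a
                # directory whose name only resembles 'Microsoft'.
                findings.append(Finding(section, "undisplayable character in autostart path", raw.strip()))
            elif name.lower() in IMPERSONATED and not folder.lower().startswith("c:\\windows"):
                findings.append(Finding(section, f"{name} running from outside the Windows directory", raw.strip()))
        elif section == "O20" and "(file missing)" in body:
            # The DLL is gone, but winlogon still tries to load it at every logon.
            findings.append(Finding(section, "Winlogon Notify package with missing DLL", raw.strip()))
    return findings


def fix_list(findings: list[Finding]) -> list[str]:
    """The lines to tick under 'Fix checked' in HijackThis, in log order."""
    return [f.line for f in findings]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}: {f.line}")
```

Run against the full log pasted above, the script returns exactly the five entries quoted at the top of this reply plus the [Ortd] line (ati2evxx.exe is a real ATI binary, but the copy in PROGRA~1\COMMON~1\SSTEM3~1 is not where the driver installs it). The heuristics deliberately say nothing about the O17 NameServer line or the O23 services, which need a whois or a vendor check rather than string matching.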

OK, I did what I could, but OiUninstaller won't install from the link you gave, and probably not from the others either.

I ran SmitfraudFix in Safe Mode: it found the files, but when deleting them it couldn't find the right path, I don't know why. I did the rest. Oh, I wanted to add that

And how is it holding up? Here are the logs:

 

Logfile of HijackThis v1.99.1

Scan saved at 16:25:47, on 2007-06-13

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\SYSTEM32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

C:\Program Files\QuickTime\qttask.exe

F:\Logitech\iTouch\iTouch.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

F:\FinePixViewer\QuickDCF2.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\WINDOWS\system32\bgsvcgen.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

F:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe

C:\WINDOWS\system32\svchost.exe

f:\pinnacle\shared files\programs\mediaserver\pmshost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Documents and Settings\PhoeniX\Pulpit\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O2 - BHO: (no name) - {B7593C1D-F58C-AB2D-8A06-F8ADD89529E5} - C:\WINDOWS\system32\wpm.dll (file missing)

O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [zBrowser Launcher] F:\Logitech\iTouch\iTouch.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [spyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [NBJ] "F:\Ahead\Nero BackItUp\NBJ.exe"

O4 - HKCU\..\Run: [Ortd] "C:\PROGRA~1\COMMON~1\SSTEM3~1\ati2evxx.exe" -vt ndrv

O4 - HKCU\..\Run: [Hilg] C:\WINDOWS\?icrosoft\n?tdde.exe

O4 - HKCU\..\Run: [Ofn] C:\WINDOWS\??mbols\??anregw.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Exif Launcher 2.lnk = ?

O4 - Global Startup: Image Transfer.lnk = ?

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://F:\MICROS~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: PacificPoker - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - F:\PACIFI~1\pacificpoker.exe

O16 - DPF: {5A09E43F-A0A7-4ABF-AF80-11367CF1DC8F} (MainControl Class) - http://mks.com.pl/skaner/SkanerOnline.cab

O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{5EE64A38-F284-44A1-AD61-EB19F1E1A595}: NameServer = 194.204.159.1,194.204.152.34

O20 - Winlogon Notify: wingdm32 - wingdm32.dll (file missing)

O20 - Winlogon Notify: wudb - C:\WINDOWS\system32\wudb.dll (file missing)

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: MSSQL$PINNACLESYS - Unknown owner - F:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe" -sPINNACLESYS (file missing)

O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - f:\pinnacle\shared files\programs\mediaserver\pmshost.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

O23 - Service: SQLAgent$PINNACLESYS - Unknown owner - F:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlagent.EXE" -i PINNACLESYS (file missing)

 

 

 

"Silent Runners.vbs", revision R50, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"

 

 

Startup items buried in registry:

---------------------------------

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\

"wlnlogon" = "C:\WINDOWS\System.exe" [file not found]

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}" = ""C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"" [file not found]

"NBJ" = ""F:\Ahead\Nero BackItUp\NBJ.exe"" ["Ahead Software AG"]

"Ortd" = ""C:\PROGRA~1\COMMON~1\SSTEM3~1\ati2evxx.exe" -vt ndrv" [file not found]

"Hilg" = "C:\WINDOWS\*icrosoft\n*tdde.exe" (unwritable string) [file not found]

"Ofn" = "C:\WINDOWS\**mbols\**anregw.exe" (unwritable string) [file not found]

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"AtiPTA" = "atiptaxx.exe" ["ATI Technologies, Inc."]

"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"" ["Sun Microsystems, Inc."]

"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]

"zBrowser Launcher" = "F:\Logitech\iTouch\iTouch.exe" ["Logitech Inc."]

"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]

"!AVG Anti-Spyware" = ""C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized" ["GRISOFT s.r.o."]

"SpyHunter" = "C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe" ["Enigma Software Group Inc."]

"MSConfig" = "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto" [MS]

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)

-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"

\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)

-> {HKLM...CLSID} = "SSVHelper Class"

\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll" ["Sun Microsystems, Inc."]

{B7593C1D-F58C-AB2D-8A06-F8ADD89529E5}\(Default) = (no title provided)

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\WINDOWS\system32\wpm.dll" [file not found]

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

-> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

\InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

-> {HKLM...CLSID} = "HyperTerminal Icon Ext"

\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "F:\WinRAR\rarext.dll" [null data]

"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"

-> {HKLM...CLSID} = "Microsoft Office Outlook"

\InProcServer32\(Default) = "F:\MICROS~1\OFFICE11\MLSHEXT.DLL" [MS]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"

-> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"

\InProcServer32\(Default) = "F:\MICROS~1\OFFICE11\OLKFSTUB.DLL" [MS]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "F:\Microsoft Office\OFFICE11\msohev.dll" [MS]

"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"

-> {HKLM...CLSID} = "RealOne Player Context Menu Class"

\InProcServer32\(Default) = "C:\Program Files\Real Player\rpshell.dll" ["RealNetworks, Inc."]

"{79BC0345-1015-11D2-A299-006008312725}" = "blue.shell"

-> {HKLM...CLSID} = "Studio.Project"

\InProcServer32\(Default) = "F:\Pinnacle\Studio 10\programs\BlueShellExt.dll" [null data]

 

 

 

 

 

ComboFix 07-06-11.3 - C:\Documents and Settings\PhoeniX\Pulpit\ComboFix.exe

"PhoeniX" - 2007-06-13 16:26:16 - Dodatek Service Pack 2 NTFS

 

 

((((((((((((((((((((((((( Files Created from 2007-05-13 to 2007-06-13 )))))))))))))))))))))))))))))))

 

 

2007-06-13 16:20 53,248 --a------ C:\WINDOWS\system32\Process.exe

2007-06-13 16:20 51,200 --a------ C:\WINDOWS\system32\dumphive.exe

2007-06-13 16:20 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe

2007-06-13 16:20 2,138 --a------ C:\WINDOWS\system32\tmp.reg

2007-06-12 17:50 49,152 --a------ C:\WINDOWS\nircmd.exe

2007-06-12 17:46 <DIR> d-------- C:\Program Files\Enigma Software Group

2007-06-11 20:30 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys

2007-06-11 20:23 <DIR> d-------- C:\DOCUME~1\ADMINI~1\DANEAP~1\Talkback

2007-06-11 20:22 <DIR> dr-h----- C:\DOCUME~1\ADMINI~1\Dane aplikacji

2007-06-11 20:22 <DIR> dr------- C:\DOCUME~1\ADMINI~1\Menu Start

2007-06-11 20:22 <DIR> d--h----- C:\DOCUME~1\ADMINI~1\Szablony

2007-06-11 20:22 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Ulubione

2007-06-11 20:22 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Pulpit

2007-06-11 20:22 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Moje dokumenty

2007-06-11 20:21 786,432 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT

2007-06-11 20:21 <DIR> d--h----- C:\DOCUME~1\ADMINI~1\Ustawienia lokalne

2007-06-11 19:05 <DIR> d-------- C:\WINDOWS\system32\Lang

2007-06-10 15:21 49,152 --a------ C:\WINDOWS\system32\ChCfg.exe

2007-06-10 15:21 <DIR> d-------- C:\Program Files\Realtek Sound Manager

2007-06-10 15:21 <DIR> d-------- C:\Program Files\AvRack

2007-06-10 15:20 577,536 --a------ C:\WINDOWS\soundman.exe

2007-06-10 15:20 4,019,072 --a------ C:\WINDOWS\system32\drivers\alcxwdm.sys

2007-06-10 15:20 315,392 --a------ C:\WINDOWS\alcupd.exe

2007-06-10 15:20 217,088 --a------ C:\WINDOWS\Alcrmv.exe

2007-06-10 15:20 143,360 --a------ C:\WINDOWS\system32\RtlCPAPI.dll

2007-06-10 15:20 10,528,768 --a------ C:\WINDOWS\system32\RTLCPL.exe

2007-06-10 15:20 <DIR> d-------- C:\Program Files\Realtek AC97

2007-06-09 17:52 12,800 -ra------ C:\WINDOWS\system32\WING32.DLL

2007-06-08 12:57 75,264 --a------ C:\WINDOWS\system32\unacev2.dll

2007-06-08 12:57 3,440 --a------ C:\WINDOWS\undo.reg

2007-06-08 12:57 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll

2007-06-07 14:58 81,920 --a------ C:\DOCUME~1\PhoeniX\DANEAP~1\ezpinst.exe

2007-06-07 14:58 <DIR> d-------- C:\Program Files\vso

2007-06-07 14:07 92,208 -ra------ C:\WINDOWS\system32\WING.DLL

2007-06-07 13:53 87,608 --a------ C:\DOCUME~1\PhoeniX\DANEAP~1\inst.exe

2007-06-07 13:53 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys

2007-06-07 13:53 47,360 --a------ C:\DOCUME~1\PhoeniX\DANEAP~1\pcouffin.sys

2007-06-07 13:53 <DIR> d-------- C:\DOCUME~1\PhoeniX\DANEAP~1\Vso

2007-06-07 12:07 <DIR> d-------- C:\WINDOWS\system32\NtmsData

2007-06-03 20:51 71,680 --a------ C:\WINDOWS\g21546875.exe

2007-06-03 20:29 71,680 --a------ C:\WINDOWS\g20218875.exe

2007-06-03 20:07 71,680 --a------ C:\WINDOWS\g18907718.exe

2007-06-03 19:45 71,680 --a------ C:\WINDOWS\g17579984.exe

2007-06-03 19:23 71,680 --a------ C:\WINDOWS\g16257156.exe

2007-06-03 19:03 71,680 --a------ C:\WINDOWS\g15056671.exe

2007-06-03 15:25 71,680 --a------ C:\WINDOWS\g1972609.exe

2007-06-03 14:55 71,680 --a------ C:\WINDOWS\g172625.exe

2007-06-03 10:41 71,680 --a------ C:\WINDOWS\g293906.exe

2007-06-02 21:20 71,680 --a------ C:\WINDOWS\g22524062.exe

2007-06-02 19:50 71,680 --a------ C:\WINDOWS\g17112234.exe

2007-06-02 19:28 71,680 --a------ C:\WINDOWS\g15791984.exe

2007-06-02 19:08 71,680 --a------ C:\WINDOWS\g14591968.exe

2007-06-02 18:46 71,680 --a------ C:\WINDOWS\g13268812.exe

2007-06-02 18:24 71,680 --a------ C:\WINDOWS\g11947546.exe

2007-06-02 18:02 71,680 --a------ C:\WINDOWS\g10625703.exe

2007-06-02 17:40 71,680 --a------ C:\WINDOWS\g9307359.exe

2007-06-02 17:18 206 --a------ C:\WINDOWS\g7982234.exe

2007-06-02 14:12 206 --a------ C:\WINDOWS\g5490046.exe

2007-06-02 13:50 206 --a------ C:\WINDOWS\g4169718.exe

2007-06-02 13:28 206 --a------ C:\WINDOWS\g2849437.exe

2007-06-02 13:06 206 --a------ C:\WINDOWS\g1529093.exe

2007-06-02 12:44 206 --a------ C:\WINDOWS\g208734.exe

2007-06-01 19:43 206 --a------ C:\WINDOWS\g14707406.exe

2007-06-01 15:41 206 --a------ C:\WINDOWS\g175125.exe

2007-06-01 12:07 206 --a------ C:\WINDOWS\g1973812.exe

2007-06-01 11:37 206 --a------ C:\WINDOWS\g174015.exe

2007-05-31 20:51 206 --a------ C:\WINDOWS\g174828.exe

2007-05-31 15:25 206 --a------ C:\WINDOWS\g296171.exe

2007-05-30 17:45 206 --a------ C:\WINDOWS\g7084203.exe

2007-05-30 13:43 206 --a------ C:\WINDOWS\g1853062.exe

2007-05-30 13:15 206 --a------ C:\WINDOWS\g173000.exe

2007-05-29 22:22 206 --a------ C:\WINDOWS\g6915515.exe

2007-05-29 18:03 206 --a------ C:\WINDOWS\g1735765.exe

2007-05-29 13:43 206 --a------ C:\WINDOWS\g1853140.exe

2007-05-29 13:15 206 --a------ C:\WINDOWS\g172828.exe

2007-05-28 20:13 206 --a------ C:\WINDOWS\g297312.exe

2007-05-28 14:37 206 --a------ C:\WINDOWS\g294265.exe

2007-05-27 23:00 206 --a------ C:\WINDOWS\g1861140.exe

2007-05-27 14:10 206 --a------ C:\WINDOWS\g14720468.exe

2007-05-27 11:02 <DIR> d-------- C:\Program Files\WinPcap

2007-05-27 10:38 206 --a------ C:\WINDOWS\g1972546.exe

2007-05-27 10:08 206 --a------ C:\WINDOWS\g172593.exe

2007-05-26 20:45 206 --a------ C:\WINDOWS\g2709296.exe

2007-05-26 20:25 206 --a------ C:\WINDOWS\g1498359.exe

2007-05-26 20:05 206 --a------ C:\WINDOWS\g292562.exe

2007-05-26 16:11 206 --a------ C:\WINDOWS\g2431906.exe

2007-05-26 15:43 206 --a------ C:\WINDOWS\g751359.exe

2007-05-26 15:22 206 --a------ C:\WINDOWS\g153156.exe

2007-05-26 15:08 206 --a------ C:\WINDOWS\g3656906.exe

 

 

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

 

2007-06-13 14:26:44 74,694 ----a-w C:\WINDOWS\system32\perfc015.dat

2007-06-13 14:26:44 453,808 ----a-w C:\WINDOWS\system32\perfh015.dat

2007-06-13 13:54:26 -------- d-----w C:\Program Files\Mozilla Thunderbird

2007-06-12 15:40:20 -------- d-----w C:\Program Files\Yahoo!

2007-06-10 21:08:58 -------- d-----w C:\DOCUME~1\PhoeniX\DANEAP~1\Skype

2007-06-10 13:20:47 -------- d--h--w C:\Program Files\InstallShield Installation Information

2007-05-05 09:16:35 108,144 ----a-w C:\WINDOWS\system32\CmdLineExt.dll

2007-04-27 16:35:05 -------- d-----w C:\DOCUME~1\PhoeniX\DANEAP~1\AdobeUM

2007-04-21 12:25:34 -------- d-----w C:\Program Files\SkanerOnline

2007-04-21 11:57:02 6,144 ----a-w C:\WINDOWS\vbstub.exe

2007-04-21 11:57:01 9,728 ----a-w C:\WINDOWS\libHide.dll

2007-04-14 11:08:17 -------- d-----w C:\DOCUME~1\PhoeniX\DANEAP~1\FUJIFILM

2007-04-14 10:54:11 -------- d-----w C:\Program Files\REGSHAVE

2007-03-19 18:13:10 6,422,611 ----a-w C:\Program Files\frostwire-4.13.1.6.windows.exe

2007-03-15 10:23:16 497,496 ----a-w C:\WINDOWS\system32\XceedZip.dll

2007-03-15 10:19:58 526,184 ----a-w C:\WINDOWS\system32\XceedCry.dll

2007-03-15 10:00:36 466,432 ----a-w C:\WINDOWS\system32\SkanerOnline.dll

2006-10-27 12:00:34 24,576 --sha-r C:\WINDOWS\system32\inetsrv.exe~

 

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]

{B7593C1D-F58C-AB2D-8A06-F8ADD89529E5}=C:\WINDOWS\system32\wpm.dll []

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AtiPTA"="atiptaxx.exe" [2005-11-23 02:05 C:\WINDOWS\system32\atiptaxx.exe]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-05-06 11:31]

"zBrowser Launcher"="F:\Logitech\iTouch\iTouch.exe" [2004-03-18 10:33]

"SoundMan"="SOUNDMAN.EXE" [2006-08-03 05:12 C:\WINDOWS\soundman.exe]

"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-05-30 14:30]

"SpyHunter"="C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe" [2007-04-26 19:03]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44]

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" []

"NBJ"="F:\Ahead\Nero BackItUp\NBJ.exe" [2005-10-11 18:25]

"Ortd"="C:\PROGRA~1\COMMON~1\SSTEM3~1\ati2evxx.exe" []

"Hilg"="C:\WINDOWS\?icrosoft\n?tdde.exe" []

"Ofn"="C:\WINDOWS\??mbols\??anregw.exe" []

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

"wlnlogon"=C:\WINDOWS\System.exe

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 14:29]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wingdm32]

wingdm32.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wudb]

C:\WINDOWS\system32\wudb.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^PhoeniX^Menu Start^Programy^Autostart^Adobe Gamma.lnk]

path=C:\Documents and Settings\PhoeniX\Menu Start\Programy\Autostart\Adobe Gamma.lnk

backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]

"F:\D-Tools\daemon.exe" -lang 1033

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kav]

"F:\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

"C:\Program Files\Messenger\msmsgs.exe" /background

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

C:\WINDOWS\system32\NeroCheck.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PinnacleDriverCheck]

C:\WINDOWS\system32\\PSDrvCheck.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrojanScanner]

F:\Trojan Remover\Trjscan.exe

 

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4aace37e-0e15-11dc-b7c0-000e2e8c2dde}]

AutoRun\command- K:\.\Recycled\Driveinfo.exe

Open\Command- K:\.\Recycled\Driveinfo.exe

 

 

**************************************************************************

 

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-06-13 16:27:36

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

Completion time: 2007-06-13 16:28:06

C:\ComboFix-quarantined-files.txt ... 2007-06-13 16:28

C:\ComboFix2.txt ... 2007-06-12 17:57

 

--- E O F ---


1. Download: WWDC

- Change all options from disable to enable and restart the computer.

- The correct port layout is shown in the picture:

http://www.firewallleaktester.com/images_site/wwdc.jpg

* NetBIOS may be yellow.

 

Download and run the tool: The Avenger

Check the option Input script manually and click the magnifying glass on the right. In the window that opens, paste:

 

Files to delete:

 

C:\WINDOWS\System.exe

C:\WINDOWS\**mbols\**anregw.exe

C:\WINDOWS\*icrosoft\n*tdde.exe

C:\WINDOWS\system32\wpm.dll

C:\WINDOWS\system32\Process.exe

C:\WINDOWS\system32\dumphive.exe

C:\WINDOWS\system32\SrchSTS.exe

C:\WINDOWS\system32\tmp.reg

C:\WINDOWS\nircmd.exe

C:\WINDOWS\g21546875.exe

C:\WINDOWS\g20218875.exe

C:\WINDOWS\g18907718.exe

C:\WINDOWS\g17579984.exe

C:\WINDOWS\g16257156.exe

C:\WINDOWS\g15056671.exe

C:\WINDOWS\g1972609.exe

C:\WINDOWS\g172625.exe

C:\WINDOWS\g293906.exe

C:\WINDOWS\g22524062.exe

C:\WINDOWS\g17112234.exe

C:\WINDOWS\g15791984.exe

C:\WINDOWS\g14591968.exe

C:\WINDOWS\g13268812.exe

C:\WINDOWS\g11947546.exe

C:\WINDOWS\g10625703.exe

C:\WINDOWS\g9307359.exe

C:\WINDOWS\g7982234.exe

C:\WINDOWS\g5490046.exe

C:\WINDOWS\g4169718.exe

C:\WINDOWS\g2849437.exe

C:\WINDOWS\g1529093.exe

C:\WINDOWS\g208734.exe

C:\WINDOWS\g14707406.exe

C:\WINDOWS\g175125.exe

C:\WINDOWS\g1973812.exe

C:\WINDOWS\g174015.exe

C:\WINDOWS\g174828.exe

C:\WINDOWS\g296171.exe

C:\WINDOWS\g7084203.exe

C:\WINDOWS\g1853062.exe

C:\WINDOWS\g173000.exe

C:\WINDOWS\g6915515.exe

C:\WINDOWS\g1735765.exe

C:\WINDOWS\g1853140.exe

C:\WINDOWS\g172828.exe

C:\WINDOWS\g297312.exe

C:\WINDOWS\g294265.exe

C:\WINDOWS\g1861140.exe

C:\WINDOWS\g14720468.exe

C:\WINDOWS\g1972546.exe

C:\WINDOWS\g172593.exe

C:\WINDOWS\g2709296.exe

C:\WINDOWS\g1498359.exe

C:\WINDOWS\g292562.exe

C:\WINDOWS\g2431906.exe

C:\WINDOWS\g751359.exe

C:\WINDOWS\g153156.exe

C:\WINDOWS\g3656906.exe

C:\WINDOWS\vbstub.exe

C:\WINDOWS\libHide.dll

C:\Program Files\frostwire-4.13.1.6.windows.exe

C:\WINDOWS\system32\inetsrv.exe~

 

Folders to delete:

 

C:\WINDOWS\?icrosoft

C:\WINDOWS\??mbols

Click Done, then the green light, and agree to the restart by clicking OK.

After the restart, delete the following entry/entries in HijackThis:

O2 - BHO: (no name) - {B7593C1D-F58C-AB2D-8A06-F8ADD89529E5} - C:\WINDOWS\system32\wpm.dll (file missing)

O4 - HKCU\..\Run: [Hilg] C:\WINDOWS\?icrosoft\n?tdde.exe

O4 - HKCU\..\Run: [Ofn] C:\WINDOWS\??mbols\??anregw.exe

O20 - Winlogon Notify: wingdm32 - wingdm32.dll (file missing)

O20 - Winlogon Notify: wudb - C:\WINDOWS\system32\wudb.dll (file missing)

Manually delete the file C:\Avenger\backup.zip from disk and paste on the forum the report C:\avenger.txt + the HijackThis log + the Silent Runners log + the ComboFix log.

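The long "Files to delete:" list above was assembled by hand from the ComboFix "Files Created" section. What makes those g<digits>.exe files stand out is not any one name but the pattern: dozens of files with the same name shape in C:\WINDOWS, first 206 bytes and later 71,680 bytes each, created roughly every 22 minutes, which is what an automated downloader leaves behind. Here is an added example (Python, written for this page; not ComboFix, Avenger or the responder's own code) that parses a constructed slice of that section, groups files by name shape, reports the cadence and size set for each repeated shape, and renders the result as an Avenger "Files to delete:" block. It also tests one inference that the thread itself does not make: between consecutive drops the number in the file name grows by about as many units as milliseconds elapsed on the clock (for example 9307359 - 7982234 = 1,325,125 over a 22-minute gap), which is consistent with the dropper naming files after a tick count; the script reports this as a flag rather than a conclusion. The wildcard entries for the unwritable directory names are outside what this script produces and still have to be written by hand.

```python
from __future__ import annotations
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample: a slice of the "Files Created" section of the ComboFix log above,
# with two unrelated entries and one directory so the grouping has noise to ignore.
SAMPLE = r"""
2007-06-13 16:20 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-06-12 17:50 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-03 10:41 71,680 --a------ C:\WINDOWS\g293906.exe
2007-06-02 21:20 71,680 --a------ C:\WINDOWS\g22524062.exe
2007-06-02 19:50 71,680 --a------ C:\WINDOWS\g17112234.exe
2007-06-02 19:28 71,680 --a------ C:\WINDOWS\g15791984.exe
2007-06-02 19:08 71,680 --a------ C:\WINDOWS\g14591968.exe
2007-06-02 18:46 71,680 --a------ C:\WINDOWS\g13268812.exe
2007-06-02 18:24 71,680 --a------ C:\WINDOWS\g11947546.exe
2007-06-02 18:02 71,680 --a------ C:\WINDOWS\g10625703.exe
2007-06-02 17:40 71,680 --a------ C:\WINDOWS\g9307359.exe
2007-06-02 17:18 206 --a------ C:\WINDOWS\g7982234.exe
2007-05-27 11:02 <DIR> d-------- C:\Program Files\WinPcap
"""

# date, time, size-or-<DIR>, attribute string, path (path may contain spaces)
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) (<DIR>|[\d,]+) (\S+) (.+)$")


def parse_created(text: str):
    """Yield (timestamp, size, path) for each file line; directory lines are skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m.group(3) == "<DIR>":
            continue
        date, time, size, _attrs, path = m.groups()
        yield datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M"), int(size.replace(",", "")), path


def _name_number(path: str):
    """Numeric part of the file name, e.g. 7982234 for g7982234.exe, else None."""
    m = re.search(r"(\d+)\.[^.\\]*$", path.rpartition("\\")[2])
    return int(m.group(1)) if m else None


def find_serial_drops(text: str, min_count: int = 3) -> dict:
    """Group created files by name shape (digit runs masked) and describe each repeated shape."""
    groups = defaultdict(list)
    for ts, size, path in parse_created(text):
        groups[re.sub(r"\d+", "#", path)].append((ts, size, path))
    report = {}
    for shape, items in groups.items():
        if len(items) < min_count:
            continue
        items.sort()  # chronological
        pairs = list(zip(items, items[1:]))
        gaps_min = [(b[0] - a[0]).total_seconds() / 60 for a, b in pairs]
        # Does the number in the name advance by about one unit per millisecond of wall
        # clock between consecutive drops? That is what a tick-count-derived name looks
        # like (an inference, not something the thread states). Pairs across a counter
        # reset, i.e. a reboot, are skipped.
        ratios = []
        for a, b in pairs:
            na, nb = _name_number(a[2]), _name_number(b[2])
            ms = (b[0] - a[0]).total_seconds() * 1000
            if na is not None and nb is not None and nb > na and ms > 0:
                ratios.append((nb - na) / ms)
        report[shape] = {
            "count": len(items),
            "median_gap_min": statistics.median(gaps_min),
            "sizes": sorted({s for _, s, _ in items}),
            "suffix_is_tickcount_like": len(ratios) >= 3 and all(0.9 <= r <= 1.1 for r in ratios),
            "paths": [p for _, _, p in items],
        }
    return report


def avenger_files_block(report: dict) -> str:
    """Render the paths of every repeated shape as an Avenger 'Files to delete:' block."""
    lines = ["Files to delete:", ""]
    for info in report.values():
        lines.extend(info["paths"])
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    rep = find_serial_drops(SAMPLE)
    for shape, info in rep.items():
        print(shape, info["count"], "files, median gap", info["median_gap_min"], "min,",
              "sizes", info["sizes"], "tick-count-like:", info["suffix_is_tickcount_like"])
    print(avenger_files_block(rep))
```

On the sample this reports one shape, C:\WINDOWS\g#.exe, with 10 files, a median gap of 22 minutes, sizes {206, 71680} and the tick-count flag set; the 13-hour gap before the 2007-06-03 file and the counter reset in its name are exactly what a reboot between runs looks like. Feed it the whole "Files Created" section and the block it prints is the g*.exe portion of the Avenger script above.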

Oh, I see I had plenty of junk, thanks in advance for your time 8O

I did everything, but after deleting the files with Avenger, I clicked that green light above the magnifying glass and the following error occurred:

Selected file does not appear to be a valid script.

What's wrong?

LOGS:

 

 

 

Logfile of HijackThis v1.99.1

Scan saved at 22:10:12, on 2007-06-13

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\SYSTEM32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

C:\Program Files\QuickTime\qttask.exe

F:\Logitech\iTouch\iTouch.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\system32\ctfmon.exe

F:\FinePixViewer\QuickDCF2.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\WINDOWS\system32\bgsvcgen.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

F:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe

C:\WINDOWS\system32\svchost.exe

f:\pinnacle\shared files\programs\mediaserver\pmshost.exe

F:\Konnekt\konnekt.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Documents and Settings\PhoeniX\Pulpit\wwdc.exe

C:\Documents and Settings\PhoeniX\Pulpit\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [zBrowser Launcher] F:\Logitech\iTouch\iTouch.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [spyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [NBJ] "F:\Ahead\Nero BackItUp\NBJ.exe"

O4 - HKCU\..\Run: [Ortd] "C:\PROGRA~1\COMMON~1\SSTEM3~1\ati2evxx.exe" -vt ndrv

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Exif Launcher 2.lnk = ?

O4 - Global Startup: Image Transfer.lnk = ?

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://F:\MICROS~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: PacificPoker - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - F:\PACIFI~1\pacificpoker.exe

O16 - DPF: {5A09E43F-A0A7-4ABF-AF80-11367CF1DC8F} (MainControl Class) - http://mks.com.pl/skaner/SkanerOnline.cab

O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{5EE64A38-F284-44A1-AD61-EB19F1E1A595}: NameServer = 194.204.159.1,194.204.152.34

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: MSSQL$PINNACLESYS - Unknown owner - F:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe" -sPINNACLESYS (file missing)

O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - f:\pinnacle\shared files\programs\mediaserver\pmshost.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

O23 - Service: SQLAgent$PINNACLESYS - Unknown owner - F:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlagent.EXE" -i PINNACLESYS (file missing)

 

 

 

 

 

"Silent Runners.vbs", revision R50, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"

 

 

Startup items buried in registry:

---------------------------------

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\

"wlnlogon" = "C:\WINDOWS\System.exe" [file not found]

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}" = ""C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"" [file not found]

"NBJ" = ""F:\Ahead\Nero BackItUp\NBJ.exe"" ["Ahead Software AG"]

"Ortd" = ""C:\PROGRA~1\COMMON~1\SSTEM3~1\ati2evxx.exe" -vt ndrv" [file not found]

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"AtiPTA" = "atiptaxx.exe" ["ATI Technologies, Inc."]

"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"" ["Sun Microsystems, Inc."]

"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]

"zBrowser Launcher" = "F:\Logitech\iTouch\iTouch.exe" ["Logitech Inc."]

"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]

"!AVG Anti-Spyware" = ""C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized" ["GRISOFT s.r.o."]

"SpyHunter" = "C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe" ["Enigma Software Group Inc."]

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)

-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"

\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)

-> {HKLM...CLSID} = "SSVHelper Class"

\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll" ["Sun Microsystems, Inc."]

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

-> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

\InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

-> {HKLM...CLSID} = "HyperTerminal Icon Ext"

\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "F:\WinRAR\rarext.dll" [null data]

"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"

-> {HKLM...CLSID} = "Microsoft Office Outlook"

\InProcServer32\(Default) = "F:\MICROS~1\OFFICE11\MLSHEXT.DLL" [MS]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"

-> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"

\InProcServer32\(Default) = "F:\MICROS~1\OFFICE11\OLKFSTUB.DLL" [MS]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "F:\Microsoft Office\OFFICE11\msohev.dll" [MS]

"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"

-> {HKLM...CLSID} = "RealOne Player Context Menu Class"

\InProcServer32\(Default) = "C:\Program Files\Real Player\rpshell.dll" ["RealNetworks, Inc."]

"{79BC0345-1015-11D2-A299-006008312725}" = "blue.shell"

-> {HKLM...CLSID} = "Studio.Project"

\InProcServer32\(Default) = "F:\Pinnacle\Studio 10\programs\BlueShellExt.dll" [null data]

"{A5110426-177D-4e08-AB3F-785F10B4439C}" = "Sony Ericsson File Manager"

-> {HKLM...CLSID} = "Sony Ericsson File Manager"

\InProcServer32\(Default) = "C:\Program Files\Sony Ericsson\Mobile\File Manager\fmgrgui.dll" ["Sony Ericsson Mobile Communications AB"]

"{52B87208-9CCF-42C9-B88E-069281105805}" = "Trojan Remover Shell Extension"

-> {HKLM...CLSID} = "Trojan Remover Shell Extension"

\InProcServer32\(Default) = "F:\TROJAN~1\Trshlex.dll" ["Simply Super Software"]

"{46E22146-59C0-4136-9233-FB7720E777B2}" = "EzCddax extension"

-> {HKLM...CLSID} = "EzCddax Class"

\InProcServer32\(Default) = "F:\Easy CD-DA Extractor 10\ezcddax10.dll" [null data]

"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"

-> {HKLM...CLSID} = "Portable Media Devices Menu"

\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

<<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"

-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"

\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["GRISOFT s.r.o."]

 

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

 

HKLM\Software\Classes\PROTOCOLS\Filter\

<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

 

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"

-> {HKLM...CLSID} = "PDF Shell Extension"

\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

 

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"

-> {HKLM...CLSID} = "CContextScan Object"

\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["GRISOFT s.r.o."]

EzCddax\(Default) = "{46E22146-59C0-4136-9233-FB7720E777B2}"

-> {HKLM...CLSID} = "EzCddax Class"

\InProcServer32\(Default) = "F:\Easy CD-DA Extractor 10\ezcddax10.dll" [null data]

MyPhoneExplorer\(Default) = "{2D30AAA2-9084-4686-B8B9-B9B62EEFFD4E}"

-> {HKLM...CLSID} = "MyPhoneExplorer_ShellEx.ShellExt"

\InProcServer32\(Default) = "F:\MyPhoneExplorer\DLL\ShellMgr.dll" ["F.J. Wechselberger"]

Trojan Remover\(Default) = "{52B87208-9CCF-42C9-B88E-069281105805}"

-> {HKLM...CLSID} = "Trojan Remover Shell Extension"

\InProcServer32\(Default) = "F:\TROJAN~1\Trshlex.dll" ["Simply Super Software"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "F:\WinRAR\rarext.dll" [null data]

 

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"

-> {HKLM...CLSID} = "CContextScan Object"

\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["GRISOFT s.r.o."]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "F:\WinRAR\rarext.dll" [null data]

 

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

Trojan Remover\(Default) = "{52B87208-9CCF-42C9-B88E-069281105805}"

-> {HKLM...CLSID} = "Trojan Remover Shell Extension"

\InProcServer32\(Default) = "F:\TROJAN~1\Trshlex.dll" ["Simply Super Software"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "F:\WinRAR\rarext.dll" [null data]

 

 

Group Policies {GPedit.msc branch and setting}:

-----------------------------------------------

 

Note: detected settings may not have any effect.

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

 

"DisableRegistryTools" = (REG_DWORD) hex:0x00000000

{User Configuration|Administrative Templates|System|

Prevent access to registry editing tools}

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

 

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}

 

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Devices: Allow undock without having to log on}

 

 

Active Desktop and Wallpaper:

-----------------------------

 

Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

 

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

 

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Documents and Settings\PhoeniX\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

 

 

Startup items in "PhoeniX" & "All Users" startup folders:

---------------------------------------------------------

 

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]

"Exif Launcher 2" -> shortcut to: "F:\FinePixViewer\QuickDCF2.exe" ["FUJI PHOTO FILM CO., LTD."]

"Image Transfer" -> shortcut to: "F:\Sony Corporation\Image Transfer\SonyTray.exe" [file not found]

 

 

Winsock2 Service Provider DLLs:

-------------------------------

 

Namespace Service Providers

 

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

 

Transport Service Providers

 

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 19

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

 

 

Toolbars, Explorer Bars, Extensions:

------------------------------------

 

Explorer Bars

 

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

 

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Badanie"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "F:\MICROS~1\OFFICE11\REFIEBAR.DLL" [MS]

 

Extensions (Tools menu items, main toolbar menu buttons)

 

HKLM\Software\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

"MenuText" = "Sun Java Console"

"CLSIDExtension" = "{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC}"

-> {HKCU...CLSID} = "Java Plug-in 1.6.0_01"

\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll" ["Sun Microsystems, Inc."]

-> {HKLM...CLSID} = "Java Plug-in 1.6.0_01"

\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll" ["Sun Microsystems, Inc."]

 

{94EDF7B4-4272-4AF3-8F8B-4E2F68E225B7}\

"ButtonText" = "PacificPoker"

"Exec" = "F:\PACIFI~1\pacificpoker.exe" ["Cassava Ent."]

 

 

Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------

 

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]

AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe" ["GRISOFT s.r.o."]

B's Recorder GOLD Library General Service, bgsvcgen, "C:\WINDOWS\system32\bgsvcgen.exe" ["B.H.A Corporation"]

LightScribeService Direct Disc Labeling Service, LightScribeService, ""C:\Program Files\Common Files\LightScribe\LSSrvc.exe"" ["Hewlett-Packard Company"]

MSSQL$PINNACLESYS, MSSQL$PINNACLESYS, ""F:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe" -sPINNACLESYS" [MS]

Pinnacle Systems Media Service, PinnacleSys.MediaServer, "f:\pinnacle\shared files\programs\mediaserver\pmshost.exe" [null data]

Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]

 

 

Print Monitors:

---------------

 

HKLM\System\CurrentControlSet\Control\Print\Monitors\

hpzlnt05\Driver = "hpzlnt05.dll" ["HP"]

Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]

 

 

----------

<<!>>: Suspicious data at a malware launch point.

 

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

launch it from a command prompt or a shortcut with the -all parameter.

+ To search all directories of local fixed drives for DESKTOP.INI

DLL launch points, use the -supp parameter or answer "No" at the

first message box and "Yes" at the second message box.

---------- (total run time: 47 seconds, including 4 seconds for message boxes)

 

 

 

 

ComboFix 07-06-11.3 - C:\Documents and Settings\PhoeniX\Pulpit\ComboFix.exe

"PhoeniX" - 2007-06-13 22:17:56 - Dodatek Service Pack 2 NTFS

 

 

((((((((((((((((((((((((( Files Created from 2007-05-13 to 2007-06-13 )))))))))))))))))))))))))))))))

 

 

2007-06-13 16:20 53,248 --a------ C:\WINDOWS\system32\Process.exe

2007-06-13 16:20 51,200 --a------ C:\WINDOWS\system32\dumphive.exe

2007-06-13 16:20 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe

2007-06-13 16:20 2,138 --a------ C:\WINDOWS\system32\tmp.reg

2007-06-12 17:50 49,152 --a------ C:\WINDOWS\nircmd.exe

2007-06-12 17:46 <DIR> d-------- C:\Program Files\Enigma Software Group

2007-06-11 20:30 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys

2007-06-11 20:23 <DIR> d-------- C:\DOCUME~1\ADMINI~1\DANEAP~1\Talkback

2007-06-11 20:22 <DIR> dr-h----- C:\DOCUME~1\ADMINI~1\Dane aplikacji

2007-06-11 20:22 <DIR> dr------- C:\DOCUME~1\ADMINI~1\Menu Start

2007-06-11 20:22 <DIR> d--h----- C:\DOCUME~1\ADMINI~1\Szablony

2007-06-11 20:22 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Ulubione

2007-06-11 20:22 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Pulpit

2007-06-11 20:22 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Moje dokumenty

2007-06-11 20:21 786,432 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT

2007-06-11 20:21 <DIR> d--h----- C:\DOCUME~1\ADMINI~1\Ustawienia lokalne

2007-06-11 19:05 <DIR> d-------- C:\WINDOWS\system32\Lang

2007-06-10 15:21 49,152 --a------ C:\WINDOWS\system32\ChCfg.exe

2007-06-10 15:21 <DIR> d-------- C:\Program Files\Realtek Sound Manager

2007-06-10 15:21 <DIR> d-------- C:\Program Files\AvRack

2007-06-10 15:20 577,536 --a------ C:\WINDOWS\soundman.exe

2007-06-10 15:20 4,019,072 --a------ C:\WINDOWS\system32\drivers\alcxwdm.sys

2007-06-10 15:20 315,392 --a------ C:\WINDOWS\alcupd.exe

2007-06-10 15:20 217,088 --a------ C:\WINDOWS\Alcrmv.exe

2007-06-10 15:20 143,360 --a------ C:\WINDOWS\system32\RtlCPAPI.dll

2007-06-10 15:20 10,528,768 --a------ C:\WINDOWS\system32\RTLCPL.exe

2007-06-10 15:20 <DIR> d-------- C:\Program Files\Realtek AC97

2007-06-09 17:52 12,800 -ra------ C:\WINDOWS\system32\WING32.DLL

2007-06-08 12:57 75,264 --a------ C:\WINDOWS\system32\unacev2.dll

2007-06-08 12:57 3,440 --a------ C:\WINDOWS\undo.reg

2007-06-08 12:57 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll

2007-06-07 14:58 81,920 --a------ C:\DOCUME~1\PhoeniX\DANEAP~1\ezpinst.exe

2007-06-07 14:58 <DIR> d-------- C:\Program Files\vso

2007-06-07 14:07 92,208 -ra------ C:\WINDOWS\system32\WING.DLL

2007-06-07 13:53 87,608 --a------ C:\DOCUME~1\PhoeniX\DANEAP~1\inst.exe

2007-06-07 13:53 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys

2007-06-07 13:53 47,360 --a------ C:\DOCUME~1\PhoeniX\DANEAP~1\pcouffin.sys

2007-06-07 13:53 <DIR> d-------- C:\DOCUME~1\PhoeniX\DANEAP~1\Vso

2007-06-07 12:07 <DIR> d-------- C:\WINDOWS\system32\NtmsData

2007-06-03 20:51 71,680 --a------ C:\WINDOWS\g21546875.exe

2007-06-03 20:29 71,680 --a------ C:\WINDOWS\g20218875.exe

2007-06-03 20:07 71,680 --a------ C:\WINDOWS\g18907718.exe

2007-06-03 19:45 71,680 --a------ C:\WINDOWS\g17579984.exe

2007-06-03 19:23 71,680 --a------ C:\WINDOWS\g16257156.exe

2007-06-03 19:03 71,680 --a------ C:\WINDOWS\g15056671.exe

2007-06-03 15:25 71,680 --a------ C:\WINDOWS\g1972609.exe

2007-06-03 14:55 71,680 --a------ C:\WINDOWS\g172625.exe

2007-06-03 10:41 71,680 --a------ C:\WINDOWS\g293906.exe

2007-06-02 21:20 71,680 --a------ C:\WINDOWS\g22524062.exe

2007-06-02 19:50 71,680 --a------ C:\WINDOWS\g17112234.exe

2007-06-02 19:28 71,680 --a------ C:\WINDOWS\g15791984.exe

2007-06-02 19:08 71,680 --a------ C:\WINDOWS\g14591968.exe

2007-06-02 18:46 71,680 --a------ C:\WINDOWS\g13268812.exe

2007-06-02 18:24 71,680 --a------ C:\WINDOWS\g11947546.exe

2007-06-02 18:02 71,680 --a------ C:\WINDOWS\g10625703.exe

2007-06-02 17:40 71,680 --a------ C:\WINDOWS\g9307359.exe

2007-06-02 17:18 206 --a------ C:\WINDOWS\g7982234.exe

2007-06-02 14:12 206 --a------ C:\WINDOWS\g5490046.exe

2007-06-02 13:50 206 --a------ C:\WINDOWS\g4169718.exe

2007-06-02 13:28 206 --a------ C:\WINDOWS\g2849437.exe

2007-06-02 13:06 206 --a------ C:\WINDOWS\g1529093.exe

2007-06-02 12:44 206 --a------ C:\WINDOWS\g208734.exe

2007-06-01 19:43 206 --a------ C:\WINDOWS\g14707406.exe

2007-06-01 15:41 206 --a------ C:\WINDOWS\g175125.exe

2007-06-01 12:07 206 --a------ C:\WINDOWS\g1973812.exe

2007-06-01 11:37 206 --a------ C:\WINDOWS\g174015.exe

2007-05-31 20:51 206 --a------ C:\WINDOWS\g174828.exe

2007-05-31 15:25 206 --a------ C:\WINDOWS\g296171.exe

2007-05-30 17:45 206 --a------ C:\WINDOWS\g7084203.exe

2007-05-30 13:43 206 --a------ C:\WINDOWS\g1853062.exe

2007-05-30 13:15 206 --a------ C:\WINDOWS\g173000.exe

2007-05-29 22:22 206 --a------ C:\WINDOWS\g6915515.exe

2007-05-29 18:03 206 --a------ C:\WINDOWS\g1735765.exe

2007-05-29 13:43 206 --a------ C:\WINDOWS\g1853140.exe

2007-05-29 13:15 206 --a------ C:\WINDOWS\g172828.exe

2007-05-28 20:13 206 --a------ C:\WINDOWS\g297312.exe

2007-05-28 14:37 206 --a------ C:\WINDOWS\g294265.exe

2007-05-27 23:00 206 --a------ C:\WINDOWS\g1861140.exe

2007-05-27 14:10 206 --a------ C:\WINDOWS\g14720468.exe

2007-05-27 11:02 <DIR> d-------- C:\Program Files\WinPcap

2007-05-27 10:38 206 --a------ C:\WINDOWS\g1972546.exe

2007-05-27 10:08 206 --a------ C:\WINDOWS\g172593.exe

2007-05-26 20:45 206 --a------ C:\WINDOWS\g2709296.exe

2007-05-26 20:25 206 --a------ C:\WINDOWS\g1498359.exe

2007-05-26 20:05 206 --a------ C:\WINDOWS\g292562.exe

2007-05-26 16:11 206 --a------ C:\WINDOWS\g2431906.exe

2007-05-26 15:43 206 --a------ C:\WINDOWS\g751359.exe

2007-05-26 15:22 206 --a------ C:\WINDOWS\g153156.exe

2007-05-26 15:08 206 --a------ C:\WINDOWS\g3656906.exe

 

 

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

 

2007-06-13 20:07:01 74,694 ----a-w C:\WINDOWS\system32\perfc015.dat

2007-06-13 20:07:01 453,808 ----a-w C:\WINDOWS\system32\perfh015.dat

2007-06-13 19:42:29 -------- d-----w C:\Program Files\Mozilla Thunderbird

2007-06-12 15:40:20 -------- d-----w C:\Program Files\Yahoo!

2007-06-10 21:08:58 -------- d-----w C:\DOCUME~1\PhoeniX\DANEAP~1\Skype

2007-06-10 13:20:47 -------- d--h--w C:\Program Files\InstallShield Installation Information

2007-05-05 09:16:35 108,144 ----a-w C:\WINDOWS\system32\CmdLineExt.dll

2007-04-27 16:35:05 -------- d-----w C:\DOCUME~1\PhoeniX\DANEAP~1\AdobeUM

2007-04-21 12:25:34 -------- d-----w C:\Program Files\SkanerOnline

2007-04-21 11:57:02 6,144 ----a-w C:\WINDOWS\vbstub.exe

2007-04-21 11:57:01 9,728 ----a-w C:\WINDOWS\libHide.dll

2007-04-14 11:08:17 -------- d-----w C:\DOCUME~1\PhoeniX\DANEAP~1\FUJIFILM

2007-04-14 10:54:11 -------- d-----w C:\Program Files\REGSHAVE

2007-03-19 18:13:10 6,422,611 ----a-w C:\Program Files\frostwire-4.13.1.6.windows.exe

2007-03-15 10:23:16 497,496 ----a-w C:\WINDOWS\system32\XceedZip.dll

2007-03-15 10:19:58 526,184 ----a-w C:\WINDOWS\system32\XceedCry.dll

2007-03-15 10:00:36 466,432 ----a-w C:\WINDOWS\system32\SkanerOnline.dll

2006-10-27 12:00:34 24,576 --sha-r C:\WINDOWS\system32\inetsrv.exe~

 

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AtiPTA"="atiptaxx.exe" [2005-11-23 02:05 C:\WINDOWS\system32\atiptaxx.exe]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-05-06 11:31]

"zBrowser Launcher"="F:\Logitech\iTouch\iTouch.exe" [2004-03-18 10:33]

"SoundMan"="SOUNDMAN.EXE" [2006-08-03 05:12 C:\WINDOWS\soundman.exe]

"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-05-30 14:30]

"SpyHunter"="C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe" [2007-04-26 19:03]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44]

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" []

"NBJ"="F:\Ahead\Nero BackItUp\NBJ.exe" [2005-10-11 18:25]

"Ortd"="C:\PROGRA~1\COMMON~1\SSTEM3~1\ati2evxx.exe" []

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

"wlnlogon"=C:\WINDOWS\System.exe

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 14:29]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^PhoeniX^Menu Start^Programy^Autostart^Adobe Gamma.lnk]

path=C:\Documents and Settings\PhoeniX\Menu Start\Programy\Autostart\Adobe Gamma.lnk

backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]

"F:\D-Tools\daemon.exe" -lang 1033

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kav]

"F:\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

"C:\Program Files\Messenger\msmsgs.exe" /background

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

C:\WINDOWS\system32\NeroCheck.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PinnacleDriverCheck]

C:\WINDOWS\system32\\PSDrvCheck.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrojanScanner]

F:\Trojan Remover\Trjscan.exe

 

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4aace37e-0e15-11dc-b7c0-000e2e8c2dde}]

AutoRun\command- K:\.\Recycled\Driveinfo.exe

Open\Command- K:\.\Recycled\Driveinfo.exe

 

 

**************************************************************************

 

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-06-13 22:18:48

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

Completion time: 2007-06-13 22:19:09

C:\ComboFix-quarantined-files.txt ... 2007-06-13 22:19

 

--- E O F ---


Everything is still there... you pasted the script incorrectly. You are supposed to paste only this into the box:

 

Files to delete:

 

C:\WINDOWS\System.exe

C:\WINDOWS\**mbols\**anregw.exe

C:\WINDOWS\*icrosoft\n*tdde.exe

C:\WINDOWS\system32\wpm.dll

C:\WINDOWS\system32\Process.exe

C:\WINDOWS\system32\dumphive.exe

C:\WINDOWS\system32\SrchSTS.exe

C:\WINDOWS\system32\tmp.reg

C:\WINDOWS\nircmd.exe

C:\WINDOWS\g21546875.exe

C:\WINDOWS\g20218875.exe

C:\WINDOWS\g18907718.exe

C:\WINDOWS\g17579984.exe

C:\WINDOWS\g16257156.exe

C:\WINDOWS\g15056671.exe

C:\WINDOWS\g1972609.exe

C:\WINDOWS\g172625.exe

C:\WINDOWS\g293906.exe

C:\WINDOWS\g22524062.exe

C:\WINDOWS\g17112234.exe

C:\WINDOWS\g15791984.exe

C:\WINDOWS\g14591968.exe

C:\WINDOWS\g13268812.exe

C:\WINDOWS\g11947546.exe

C:\WINDOWS\g10625703.exe

C:\WINDOWS\g9307359.exe

C:\WINDOWS\g7982234.exe

C:\WINDOWS\g5490046.exe

C:\WINDOWS\g4169718.exe

C:\WINDOWS\g2849437.exe

C:\WINDOWS\g1529093.exe

C:\WINDOWS\g208734.exe

C:\WINDOWS\g14707406.exe

C:\WINDOWS\g175125.exe

C:\WINDOWS\g1973812.exe

C:\WINDOWS\g174015.exe

C:\WINDOWS\g174828.exe

C:\WINDOWS\g296171.exe

C:\WINDOWS\g7084203.exe

C:\WINDOWS\g1853062.exe

C:\WINDOWS\g173000.exe

C:\WINDOWS\g6915515.exe

C:\WINDOWS\g1735765.exe

C:\WINDOWS\g1853140.exe

C:\WINDOWS\g172828.exe

C:\WINDOWS\g297312.exe

C:\WINDOWS\g294265.exe

C:\WINDOWS\g1861140.exe

C:\WINDOWS\g14720468.exe

C:\WINDOWS\g1972546.exe

C:\WINDOWS\g172593.exe

C:\WINDOWS\g2709296.exe

C:\WINDOWS\g1498359.exe

C:\WINDOWS\g292562.exe

C:\WINDOWS\g2431906.exe

C:\WINDOWS\g751359.exe

C:\WINDOWS\g153156.exe

C:\WINDOWS\g3656906.exe

C:\WINDOWS\vbstub.exe

C:\WINDOWS\libHide.dll

C:\Program Files\frostwire-4.13.1.6.windows.exe

C:\WINDOWS\system32\inetsrv.exe~

 

Folders to delete:

 

C:\WINDOWS\?icrosoft

C:\WINDOWS\??mbols


Avenger deleted the files but not the folders. The log changed because I ran it once more afterwards to delete only the folders.

What else should I do with these folders?

LOGS:

Logfile of The Avenger version 1, by Swandog46

Running from registry key:

\Registry\Machine\System\CurrentControlSet\Services\npvckdec

 

*******************

 

Script file located at: \??\C:\lgjkjchp.txt

Script file opened successfully.

 

Script file read successfully

 

Backups directory opened successfully at C:\Avenger

 

*******************

 

Beginning to process script file:

 

 

 

Could not open folder C:\WINDOWS\?icrosoft for deletion

Deletion of folder C:\WINDOWS\?icrosoft failed!

 

Could not process line:

C:\WINDOWS\?icrosoft

Status: 0xc0000033

 

 

 

Could not open folder C:\WINDOWS\??mbols for deletion

Deletion of folder C:\WINDOWS\??mbols failed!

 

Could not process line:

C:\WINDOWS\??mbols

Status: 0xc0000033

 

 

Completed script processing.

 

*******************

 

Finished! Terminate.

 

 

 

 

 

ComboFix 07-06-11.3 - C:\Documents and Settings\PhoeniX\Pulpit\ComboFix.exe

"PhoeniX" - 2007-06-15 18:27:22 - Dodatek Service Pack 2 NTFS

 

 

((((((((((((((((((((((((( Files Created from 2007-05-15 to 2007-06-15 )))))))))))))))))))))))))))))))

 

 

2007-06-15 18:27 49,152 --a------ C:\WINDOWS\nircmd.exe

2007-06-12 17:46 <DIR> d-------- C:\Program Files\Enigma Software Group

2007-06-11 20:30 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys

2007-06-11 20:23 <DIR> d-------- C:\DOCUME~1\ADMINI~1\DANEAP~1\Talkback

2007-06-11 20:22 <DIR> dr-h----- C:\DOCUME~1\ADMINI~1\Dane aplikacji

2007-06-11 20:22 <DIR> dr------- C:\DOCUME~1\ADMINI~1\Menu Start

2007-06-11 20:22 <DIR> d--h----- C:\DOCUME~1\ADMINI~1\Szablony

2007-06-11 20:22 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Ulubione

2007-06-11 20:22 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Pulpit

2007-06-11 20:22 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Moje dokumenty

2007-06-11 20:21 786,432 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT

2007-06-11 20:21 <DIR> d--h----- C:\DOCUME~1\ADMINI~1\Ustawienia lokalne

2007-06-11 19:05 <DIR> d-------- C:\WINDOWS\system32\Lang

2007-06-10 15:21 49,152 --a------ C:\WINDOWS\system32\ChCfg.exe

2007-06-10 15:21 <DIR> d-------- C:\Program Files\Realtek Sound Manager

2007-06-10 15:21 <DIR> d-------- C:\Program Files\AvRack

2007-06-10 15:20 577,536 --a------ C:\WINDOWS\soundman.exe

2007-06-10 15:20 4,019,072 --a------ C:\WINDOWS\system32\drivers\alcxwdm.sys

2007-06-10 15:20 315,392 --a------ C:\WINDOWS\alcupd.exe

2007-06-10 15:20 217,088 --a------ C:\WINDOWS\Alcrmv.exe

2007-06-10 15:20 143,360 --a------ C:\WINDOWS\system32\RtlCPAPI.dll

2007-06-10 15:20 10,528,768 --a------ C:\WINDOWS\system32\RTLCPL.exe

2007-06-10 15:20 <DIR> d-------- C:\Program Files\Realtek AC97

2007-06-09 17:52 12,800 -ra------ C:\WINDOWS\system32\WING32.DLL

2007-06-08 12:57 75,264 --a------ C:\WINDOWS\system32\unacev2.dll

2007-06-08 12:57 3,440 --a------ C:\WINDOWS\undo.reg

2007-06-08 12:57 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll

2007-06-07 14:58 81,920 --a------ C:\DOCUME~1\PhoeniX\DANEAP~1\ezpinst.exe

2007-06-07 14:58 <DIR> d-------- C:\Program Files\vso

2007-06-07 14:07 92,208 -ra------ C:\WINDOWS\system32\WING.DLL

2007-06-07 13:53 87,608 --a------ C:\DOCUME~1\PhoeniX\DANEAP~1\inst.exe

2007-06-07 13:53 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys

2007-06-07 13:53 47,360 --a------ C:\DOCUME~1\PhoeniX\DANEAP~1\pcouffin.sys

2007-06-07 13:53 <DIR> d-------- C:\DOCUME~1\PhoeniX\DANEAP~1\Vso

2007-06-07 12:07 <DIR> d-------- C:\WINDOWS\system32\NtmsData

2007-05-27 11:02 <DIR> d-------- C:\Program Files\WinPcap

 

 

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

 

2007-06-15 16:21:06 74,694 ----a-w C:\WINDOWS\system32\perfc015.dat

2007-06-15 16:21:06 453,808 ----a-w C:\WINDOWS\system32\perfh015.dat

2007-06-15 16:09:26 -------- d-----w C:\Program Files\Mozilla Thunderbird

2007-06-12 15:40:20 -------- d-----w C:\Program Files\Yahoo!

2007-06-10 21:08:58 -------- d-----w C:\DOCUME~1\PhoeniX\DANEAP~1\Skype

2007-06-10 13:20:47 -------- d--h--w C:\Program Files\InstallShield Installation Information

2007-05-05 09:16:35 108,144 ----a-w C:\WINDOWS\system32\CmdLineExt.dll

2007-04-27 16:35:05 -------- d-----w C:\DOCUME~1\PhoeniX\DANEAP~1\AdobeUM

2007-04-21 12:25:34 -------- d-----w C:\Program Files\SkanerOnline

2007-03-15 10:23:16 497,496 ----a-w C:\WINDOWS\system32\XceedZip.dll

2007-03-15 10:19:58 526,184 ----a-w C:\WINDOWS\system32\XceedCry.dll

2007-03-15 10:00:36 466,432 ----a-w C:\WINDOWS\system32\SkanerOnline.dll

 

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AtiPTA"="atiptaxx.exe" [2005-11-23 02:05 C:\WINDOWS\system32\atiptaxx.exe]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-05-06 11:31]

"zBrowser Launcher"="F:\Logitech\iTouch\iTouch.exe" [2004-03-18 10:33]

"SoundMan"="SOUNDMAN.EXE" [2006-08-03 05:12 C:\WINDOWS\soundman.exe]

"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-15 18:18]

"SpyHunter"="C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe" [2007-04-26 19:03]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44]

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" []

"NBJ"="F:\Ahead\Nero BackItUp\NBJ.exe" [2005-10-11 18:25]

"Ortd"="C:\PROGRA~1\COMMON~1\SSTEM3~1\ati2evxx.exe" []

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

"wlnlogon"=C:\WINDOWS\System.exe

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 14:29]

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^PhoeniX^Menu Start^Programy^Autostart^Adobe Gamma.lnk]

path=C:\Documents and Settings\PhoeniX\Menu Start\Programy\Autostart\Adobe Gamma.lnk

backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]

"F:\D-Tools\daemon.exe" -lang 1033

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kav]

"F:\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

"C:\Program Files\Messenger\msmsgs.exe" /background

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

C:\WINDOWS\system32\NeroCheck.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PinnacleDriverCheck]

C:\WINDOWS\system32\\PSDrvCheck.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrojanScanner]

F:\Trojan Remover\Trjscan.exe

 

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4aace37e-0e15-11dc-b7c0-000e2e8c2dde}]

AutoRun\command- K:\.\Recycled\Driveinfo.exe

Open\Command- K:\.\Recycled\Driveinfo.exe

 

 

**************************************************************************

 

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-06-15 18:28:15

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

Completion time: 2007-06-15 18:28:35

C:\ComboFix-quarantined-files.txt ... 2007-06-15 18:28

C:\ComboFix2.txt ... 2007-06-13 22:19

 

--- E O F ---

 

 

 

 

 

"Silent Runners.vbs", revision R50, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"

 

 

Startup items buried in registry:

---------------------------------

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\

"wlnlogon" = "C:\WINDOWS\System.exe" [file not found]

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}" = ""C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"" [file not found]

"NBJ" = ""F:\Ahead\Nero BackItUp\NBJ.exe"" ["Ahead Software AG"]

"Ortd" = ""C:\PROGRA~1\COMMON~1\SSTEM3~1\ati2evxx.exe" -vt ndrv" [file not found]

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"AtiPTA" = "atiptaxx.exe" ["ATI Technologies, Inc."]

"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"" ["Sun Microsystems, Inc."]

"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]

"zBrowser Launcher" = "F:\Logitech\iTouch\iTouch.exe" ["Logitech Inc."]

"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]

"!AVG Anti-Spyware" = ""C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized" ["GRISOFT s.r.o."]

"SpyHunter" = "C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe" ["Enigma Software Group Inc."]

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)

-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"

\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)

-> {HKLM...CLSID} = "SSVHelper Class"

\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll" ["Sun Microsystems, Inc."]

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

-> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

\InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

-> {HKLM...CLSID} = "HyperTerminal Icon Ext"

\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "F:\WinRAR\rarext.dll" [null data]

 

 

 

 

Logfile of HijackThis v1.99.1

Scan saved at 18:26:57, on 2007-06-15

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\SYSTEM32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

C:\Program Files\QuickTime\qttask.exe

F:\Logitech\iTouch\iTouch.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

F:\FinePixViewer\QuickDCF2.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\WINDOWS\system32\bgsvcgen.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

F:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe

F:\Konnekt\konnekt.exe

C:\WINDOWS\system32\svchost.exe

f:\pinnacle\shared files\programs\mediaserver\pmshost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\wuauclt.exe

C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

C:\Documents and Settings\PhoeniX\Pulpit\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [zBrowser Launcher] F:\Logitech\iTouch\iTouch.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [spyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [NBJ] "F:\Ahead\Nero BackItUp\NBJ.exe"

O4 - HKCU\..\Run: [Ortd] "C:\PROGRA~1\COMMON~1\SSTEM3~1\ati2evxx.exe" -vt ndrv

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Exif Launcher 2.lnk = ?

O4 - Global Startup: Image Transfer.lnk = ?

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://F:\MICROS~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: PacificPoker - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - F:\PACIFI~1\pacificpoker.exe

O16 - DPF: {5A09E43F-A0A7-4ABF-AF80-11367CF1DC8F} (MainControl Class) - http://mks.com.pl/skaner/SkanerOnline.cab

O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{5EE64A38-F284-44A1-AD61-EB19F1E1A595}: NameServer = 194.204.159.1,194.204.152.34

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: MSSQL$PINNACLESYS - Unknown owner - F:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe" -sPINNACLESYS (file missing)

O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - f:\pinnacle\shared files\programs\mediaserver\pmshost.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

O23 - Service: SQLAgent$PINNACLESYS - Unknown owner - F:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlagent.EXE" -i PINNACLESYS (file missing)


Open Notepad and paste this into it:

Windows Registry Editor Version 5.00

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

"wlnlogon"=-

 

File >>> Save as >>> Change the file type from TXT to All files >>> Save it under the name FIX.REG >>> Run the FIX.REG file in Safe Mode >>> Restart the computer.

 

- Show me only the ComboFix log after this procedure.


So am I healthy now?? These trojans are nasty stuff, I see they have to be removed this thoroughly. Thanks again for helping, because on my own I probably wouldn't have managed anything 8O

 

 

 

 

 

ComboFix 07-06-11.3 - C:\Documents and Settings\PhoeniX\Pulpit\ComboFix.exe

"PhoeniX" - 2007-06-17 10:48:07 - Dodatek Service Pack 2 NTFS

 

 

((((((((((((((((((((((((( Files Created from 2007-05-17 to 2007-06-17 )))))))))))))))))))))))))))))))

 

 

2007-06-15 18:27 49,152 --a------ C:\WINDOWS\nircmd.exe

2007-06-12 17:46 <DIR> d-------- C:\Program Files\Enigma Software Group

2007-06-11 20:30 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys

2007-06-11 20:23 <DIR> d-------- C:\DOCUME~1\ADMINI~1\DANEAP~1\Talkback

2007-06-11 20:22 <DIR> dr-h----- C:\DOCUME~1\ADMINI~1\Dane aplikacji

2007-06-11 20:22 <DIR> dr------- C:\DOCUME~1\ADMINI~1\Menu Start

2007-06-11 20:22 <DIR> d--h----- C:\DOCUME~1\ADMINI~1\Szablony

2007-06-11 20:22 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Ulubione

2007-06-11 20:22 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Pulpit

2007-06-11 20:22 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Moje dokumenty

2007-06-11 20:21 786,432 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT

2007-06-11 20:21 <DIR> d--h----- C:\DOCUME~1\ADMINI~1\Ustawienia lokalne

2007-06-11 19:05 <DIR> d-------- C:\WINDOWS\system32\Lang

2007-06-10 15:21 49,152 --a------ C:\WINDOWS\system32\ChCfg.exe

2007-06-10 15:21 <DIR> d-------- C:\Program Files\Realtek Sound Manager

2007-06-10 15:21 <DIR> d-------- C:\Program Files\AvRack

2007-06-10 15:20 577,536 --a------ C:\WINDOWS\soundman.exe

2007-06-10 15:20 4,019,072 --a------ C:\WINDOWS\system32\drivers\alcxwdm.sys

2007-06-10 15:20 315,392 --a------ C:\WINDOWS\alcupd.exe

2007-06-10 15:20 217,088 --a------ C:\WINDOWS\Alcrmv.exe

2007-06-10 15:20 143,360 --a------ C:\WINDOWS\system32\RtlCPAPI.dll

2007-06-10 15:20 10,528,768 --a------ C:\WINDOWS\system32\RTLCPL.exe

2007-06-10 15:20 <DIR> d-------- C:\Program Files\Realtek AC97

2007-06-09 17:52 12,800 -ra------ C:\WINDOWS\system32\WING32.DLL

2007-06-08 12:57 75,264 --a------ C:\WINDOWS\system32\unacev2.dll

2007-06-08 12:57 3,440 --a------ C:\WINDOWS\undo.reg

2007-06-08 12:57 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll

2007-06-07 14:58 81,920 --a------ C:\DOCUME~1\PhoeniX\DANEAP~1\ezpinst.exe

2007-06-07 14:58 <DIR> d-------- C:\Program Files\vso

2007-06-07 14:07 92,208 -ra------ C:\WINDOWS\system32\WING.DLL

2007-06-07 13:53 87,608 --a------ C:\DOCUME~1\PhoeniX\DANEAP~1\inst.exe

2007-06-07 13:53 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys

2007-06-07 13:53 47,360 --a------ C:\DOCUME~1\PhoeniX\DANEAP~1\pcouffin.sys

2007-06-07 13:53 <DIR> d-------- C:\DOCUME~1\PhoeniX\DANEAP~1\Vso

2007-06-07 12:07 <DIR> d-------- C:\WINDOWS\system32\NtmsData

2007-05-27 11:02 <DIR> d-------- C:\Program Files\WinPcap

 

 

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

 

2007-06-17 08:34:03 74,694 ----a-w C:\WINDOWS\system32\perfc015.dat

2007-06-17 08:34:03 453,808 ----a-w C:\WINDOWS\system32\perfh015.dat

2007-06-17 08:30:32 -------- d-----w C:\Program Files\Mozilla Thunderbird

2007-06-12 15:40:20 -------- d-----w C:\Program Files\Yahoo!

2007-06-10 21:08:58 -------- d-----w C:\DOCUME~1\PhoeniX\DANEAP~1\Skype

2007-06-10 13:20:47 -------- d--h--w C:\Program Files\InstallShield Installation Information

2007-05-05 09:16:35 108,144 ----a-w C:\WINDOWS\system32\CmdLineExt.dll

2007-04-27 16:35:05 -------- d-----w C:\DOCUME~1\PhoeniX\DANEAP~1\AdobeUM

2007-04-21 12:25:34 -------- d-----w C:\Program Files\SkanerOnline

 

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AtiPTA"="atiptaxx.exe" [2005-11-23 02:05 C:\WINDOWS\system32\atiptaxx.exe]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-05-06 11:31]

"zBrowser Launcher"="F:\Logitech\iTouch\iTouch.exe" [2004-03-18 10:33]

"SoundMan"="SOUNDMAN.EXE" [2006-08-03 05:12 C:\WINDOWS\soundman.exe]

"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-15 18:18]

"SpyHunter"="C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe" [2007-04-26 19:03]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44]

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" []

"NBJ"="F:\Ahead\Nero BackItUp\NBJ.exe" [2005-10-11 18:25]

"Ortd"="C:\PROGRA~1\COMMON~1\SSTEM3~1\ati2evxx.exe" []

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

"wlnlogon"=C:\WINDOWS\System.exe

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 14:29]

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^PhoeniX^Menu Start^Programy^Autostart^Adobe Gamma.lnk]

path=C:\Documents and Settings\PhoeniX\Menu Start\Programy\Autostart\Adobe Gamma.lnk

backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]

"F:\D-Tools\daemon.exe" -lang 1033

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kav]

"F:\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

"C:\Program Files\Messenger\msmsgs.exe" /background

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

C:\WINDOWS\system32\NeroCheck.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PinnacleDriverCheck]

C:\WINDOWS\system32\\PSDrvCheck.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrojanScanner]

F:\Trojan Remover\Trjscan.exe

 

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4aace37e-0e15-11dc-b7c0-000e2e8c2dde}]

AutoRun\command- K:\.\Recycled\Driveinfo.exe

Open\Command- K:\.\Recycled\Driveinfo.exe

 

 

**************************************************************************

 

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-06-17 10:49:04

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

Completion time: 2007-06-17 10:49:31

C:\ComboFix-quarantined-files.txt ... 2007-06-17 10:49

C:\ComboFix2.txt ... 2007-06-15 18:28

C:\ComboFix3.txt ... 2007-06-13 22:19

 

--- E O F ---


Do you have the latest version of the ComboFix tool?

 

Use:

 

=> http://www.outerinfo.com/OiUninstaller.exe

=> http://www.spywareremove.com/SpywareScanner1325p2s2.exe

 

Download The Avenger tool.

 

Run the program in Safe Mode and tick the option Input script manually. Then click the "magnifying glass" on the right side of the program window, and in the window that opens paste this text:

 

Files to delete:
C:\WINDOWS\System.exe

Registry values to delete:
"HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run" | "wlnlogon"

Click the Done button, then the 'green light'. Answer OK to the message that appears.

 

C:\PROGRA~1\COMMON~1\SSTEM3~1\ati2evxx.exe

Scan the file marked in red on Virustotal.com and post the results on the forum.

 

Is there any folder with question marks ("?") in the C:\Program Files\Common Files folder? It would be best if you posted a screenshot of the contents of the Common Files folder.

Edited by Maciej13
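The triage the helpers are doing by eye on these logs, as an added example that is not code from the thread or from Silent Runners, ComboFix or The Avenger: a small Python script that parses Silent Runners style Run-key lines and flags the three patterns discussed above (the Policies\Explorer\Run location, targets marked [file not found], and system-binary names living outside their genuine folder), then emits a FIX.REG deletion stanza of the kind shown earlier. The sample lines, the lookalike table and every function name are constructed assumptions for this example.

```python
# Added example: autostart triage over Silent Runners style log lines.
import re
from dataclasses import dataclass, field

# Constructed sample in the format of the Silent Runners output quoted in this
# thread: the two entries the helpers queried plus two clean ones for contrast.
SAMPLE_LOG = r'''
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
"wlnlogon" = "C:\WINDOWS\System.exe" [file not found]

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"Ortd" = ""C:\PROGRA~1\COMMON~1\SSTEM3~1\ati2evxx.exe" -vt ndrv" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
'''

KEY_RE = re.compile(r'^(HK(?:LM|CU)\\.*\\)(?:\s*\{\+\+\})?$')      # key header line
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*"(.*)"\s*\[(.*)\]$')      # "name" = "cmd" [tag]
EXE_RE = re.compile(r'^"?(.*?\.(?:exe|dll|scr|com|bat|cmd|pif))(?=["\s]|$)', re.I)

# Names malware likes to borrow, mapped to the folder(s) holding the genuine
# Windows XP / driver copy (lower-case; assumed table, kept short for the example).
# An empty tuple means no legitimate binary carries that name at all.
LOOKALIKES = {
    'winlogon.exe': ('c:\\windows\\system32',),
    'svchost.exe': ('c:\\windows\\system32',),
    'ati2evxx.exe': ('c:\\windows\\system32',),
    'system.exe': (),  # mimics the "System" process, which has no .exe on disk
}

@dataclass
class Finding:
    key: str
    name: str
    command: str
    reasons: list = field(default_factory=list)

def command_path(command: str) -> str:
    """Return the executable part of a Run value, quoted or bare, without arguments."""
    m = EXE_RE.match(command.strip())
    return m.group(1) if m else command.strip().split(' ', 1)[0]

def triage_entry(key: str, name: str, command: str, tag: str) -> Finding:
    """Apply the three heuristics the thread's helpers used to one Run value."""
    finding = Finding(key, name, command)
    path = command_path(command).lower()
    folder, _, base = path.rpartition('\\')
    if '\\policies\\explorer\\run' in key.lower():
        finding.reasons.append('policy Run key, rarely populated by ordinary installers')
    if tag.lower() == 'file not found':
        finding.reasons.append('target missing on disk (leftover entry or deleted payload)')
    genuine = LOOKALIKES.get(base)
    if genuine == ():
        finding.reasons.append(f'{base}: no Windows binary has this name')
    elif genuine and folder not in genuine:
        finding.reasons.append(f'{base} outside its genuine folder ({folder or "bare name"})')
    return finding

def triage_log(text: str) -> list:
    """Walk key headers and value lines; keep every entry that trips a heuristic."""
    findings, key = [], ''
    for raw in text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group(1)
            continue
        vm = VALUE_RE.match(line)
        if vm and key:
            finding = triage_entry(key, *vm.groups())
            if finding.reasons:
                findings.append(finding)
    return findings

def reg_delete_script(findings: list) -> str:
    """Emit a .reg file in the FIX.REG form used above; "name"=- deletes the value."""
    hives = {'HKCU': 'HKEY_CURRENT_USER', 'HKLM': 'HKEY_LOCAL_MACHINE'}
    lines = ['Windows Registry Editor Version 5.00']
    for f in findings:
        hive, rest = f.key.split('\\', 1)
        path_key = rest.rstrip('\\')
        lines += ['', f'[{hives[hive]}\\{path_key}]', f'"{f.name}"=-']
    return '\n'.join(lines) + '\n'
```

Flags are prompts for a human to review, not verdicts; feed only the entries you have confirmed into reg_delete_script, as the helpers did with wlnlogon.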


So, here goes. I don't know whether I have the latest ComboFix. I followed your instructions, but:

Avenger threw this error while deleting (this was already in safe mode; earlier I did it in normal mode and it probably deleted the file system.exe):

Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.

I don't have the file C:\Windows\system.exe,

but in the registry I do have what you pointed out, and I could delete it manually, but I haven't.

I don't understand why I should delete it now, when earlier another member made a registry entry for me with exactly this?

The file ati2evxx.exe in the directory C:\PROGRA~1\COMMON~1\SSTEM3~1\ati2evxx.exe does not exist.

I do have one like it, but in the Omega driver directory for the graphics card, so that file is probably fine.

Oh, and I searched for that file and found one, only with the extension VIR, so I deleted it.

I don't have any folder with ? in Common Files, but to be sure, here is a screenshot.

CLICK !

Is everything OK? And what should I do about the sound, because listening to radio stations over and over is slowly getting on my nerves hehe 8O
