shaqal, posted 6 February 2008 (edited)

Problem: the window familiar to Sasser victims, with a 1-minute countdown to system shutdown (if it shows up again I'll try to post a screenshot). Since this worm is quite old I expected to handle it myself, but unfortunately I can't, so I'm asking the forum members for help.

System: WinXP SP2 + patches from the latest Autopatcher + SP3 v.3180. System Restore is of course disabled on all drives. On top of that, Kaspersky Internet Security 7 as AV with firewall. In WWDC everything unnecessary is disabled. The PC is on a wireless LAN (100 Mbit Ethernet NIC cabled to an AP acting as a wireless client). For the web I use mainly Opera, occasionally Firefox (browser updates kept current; yes, I know Sasser attacks NetBIOS, not HTTP). I only launched IE6 for the online scan (odd thing: IE7 installs, yet I still have IE6).

What I've already done, with no effect:
- format C: (more out of revenge than necessity, because it was seriously annoying me 8O),
- the latest MS Windows Malicious Software Removal Tool: detected nothing,
- several hours of KIS scanning across all drives, MBRs etc.: same as above,
- HijackThis and SilentRunner (logs below; I don't see anything special there),
- FxSasser from Symantec: hangs during the scan.

Logs:

HijackThis:
« Logfile of Trend Micro HijackThis v2.0.2Scan saved at 20:26:12, on 2008-02-06Platform: Windows XP SP3, v.3180 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP3 (6.00.2900.3180)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\Explorer.EXEC:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exeC:\WINDOWS\system32\nvsvc32.exeC:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exeC:\WINDOWS\system32\kxmixer.exeC:\Program Files\Mouse\Amoumain.exeC:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exeC:\Program Files\DU Meter\DUMeter.exeC:\Program Files\Internet Download Manager\IDMan.exeC:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exeC:\WINDOWS\BricoPacks\Vista Inspirat 2\YzShadow\YzShadow.exeC:\Program Files\Internet Download Manager\IEMonitor.exeC:\Program Files\Internet Explorer\iexplore.exeC:\Program Files\Opera\Opera.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blankR0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = ŁączaO2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dllO2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dllO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [nwiz] nwiz.exe /installO4 - HKLM\..\Run: [kX Mixer] C:\WINDOWS\system32\kxmixer.exe --startupO4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInitO4 - HKLM\..\Run: [WheelMouse] C:\Program Files\Mouse\Amoumain.exeO4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 
7.0\avp.exe"O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exeO4 - HKLM\..\Run: [CTHelper] CTHELPER.EXEO4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -kO4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onbootO4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Ustawienia lokalne\Temp" (User 'LOCAL SERVICE')O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_02] rundll32 advpack.dll,DelNodeRunDLL32 "%SystemRoot%\System32\dllcache" (User 'LOCAL SERVICE')O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_03] cmd.exe /c md "%SystemRoot%\System32\dllcache" (User 'LOCAL SERVICE')O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_04] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_05] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'LOCAL SERVICE')O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_06] rundll32 advpack.dll,LaunchINFSection nlite.inf,S (User 'LOCAL SERVICE')O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Ustawienia lokalne\Temp" (User 'NETWORK SERVICE')O4 - Startup: TransBar.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\TransBar\TransBar.exeO4 - Startup: UberIcon.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exeO4 - Startup: Y'z Shadow.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\YzShadow\YzShadow.exeO8 - Extra context menu item: Dodaj do blokowanych banerów - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htmO8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htmO8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htmO8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000O9 - Extra button: Statystyki dla ochrony WWW - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - 
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dllO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.pl/resources/virusscanner/kavwebscan_unicode.cabO16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cabO17 - HKLM\System\CCS\Services\Tcpip\..\{5F67F0B4-F276-47FD-9735-A5626A2C2084}: NameServer = 192.168.0.1O17 - HKLM\System\CS1\Services\Tcpip\..\{5F67F0B4-F276-47FD-9735-A5626A2C2084}: NameServer = 192.168.0.1O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dllO23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exeO23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exeO23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe--End of file - 5413 bytes SilentRunner » Naciśnij, żeby pokazać/ukryć tekst oznaczony jako spoiler... 
« "Silent Runners.vbs", revision 55, http://www.silentrunners.org/Operating System: Windows XPOutput limited to non-default values, except where indicated by "{++}"Startup items buried in registry:---------------------------------HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}"IDMan" = "C:\Program Files\Internet Download Manager\IDMan.exe /onboot" ["Tonec Inc."]HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]"kX Mixer" = "C:\WINDOWS\system32\kxmixer.exe --startup" ["Eugene Gavrilov"]"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]"WheelMouse" = "C:\Program Files\Mouse\Amoumain.exe" [null data]"AVP" = ""C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"" ["Kaspersky Lab"]"DU Meter" = "C:\Program Files\DU Meter\DUMeter.exe" ["Hagel Technologies Ltd"]"CTHelper" = "CTHELPER.EXE" [file not found]HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\(Default) = "IDM Helper" -> {HKLM...CLSID} = "IDMIEHlprObj Class" \InProcServer32\(Default) = "C:\Program Files\Internet Download Manager\IDMIECC.dll" ["Tonec Inc."]{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided) -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper" \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania" -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania" \InProcServer32\(Default) = "deskpan.dll" [file not found]"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu" -> {HKLM...CLSID} = "HyperTerminal Icon Ext" \InProcServer32\(Default) = 
"C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]"{3028902F-6374-48b2-8DC6-9725E775B926}" = "IE Microsoft AutoComplete" -> {HKLM...CLSID} = "IE Microsoft AutoComplete" \InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]"{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band" -> {HKLM...CLSID} = "History Band" \InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class" -> {HKLM...CLSID} = "DesktopContext Class" \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer" -> {HKLM...CLSID} = "Desktop Explorer" \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu" -> {HKLM...CLSID} = "nView Desktop Context Menu" \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper" -> {HKLM...CLSID} = "NVIDIA CPL Extension" \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\msohevi.dll" [MS]"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler" -> {HKLM...CLSID} = "Microsoft Office Metadata Handler" \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" 
[MS]"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler" -> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler" \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]"{1F77B17B-F531-44DB-ACA4-76ABB5010A28}" = "AIMP2: Shell Extention" -> {HKLM...CLSID} = "AIMP2: Shell Extention" \InProcServer32\(Default) = "C:\PROGRA~1\AIMP2\System\AIMP_S~1.DLL" ["AIMP DevTeam"]"{ABC70703-32AF-11d4-90C4-D483A70F4825}" = "CMenuExtender" -> {HKLM...CLSID} = "CMenuExtender" \InProcServer32\(Default) = "C:\WINDOWS\BricoPacks\Vista Inspirat 2\iColorFolder\CMExt.dll" ["Revenger inc."]"{85E0B171-04FA-11D1-B7DA-00A0C90348D6}" = "Statystyki dla ochrony WWW" -> {HKLM...CLSID} = "Statystyki dla ochrony WWW" \InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll" ["Kaspersky Lab"]"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx" -> {HKLM...CLSID} = "AlcoholShellEx" \InProcServer32\(Default) = "C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]"{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}" = "TuneUp Shredder Shell Extension" -> {HKLM...CLSID} = "TuneUp Shredder Shell Extension" \InProcServer32\(Default) = "C:\Program Files\TuneUp Utilities 2007\SDShelEx-win32.dll" ["TuneUp Software GmbH"]"{44440D00-FF19-4AFC-B765-9A0970567D97}" = "TuneUp Theme Extension" -> {HKLM...CLSID} = "TuneUp Theme Extension" \InProcServer32\(Default) = "C:\WINDOWS\system32\uxtuneup.dll" ["TuneUp Software GmbH"]"{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}" = "UnlockerShellExtension" -> {HKLM...CLSID} = "UnlockerShellExtension" \InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}" -> {HKLM...CLSID} = "WPDShServiceObj Class" \InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]HKLM\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Windows\<<!>> "AppInit_DLLs" = "C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll" ["Kaspersky Lab"]HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\<<!>> dimsntfy\DLLName = "C:\WINDOWS\System32\dimsntfy.dll" [MS]<<!>> klogon\DLLName = "C:\WINDOWS\system32\klogon.dll" ["Kaspersky Lab"]HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\<<!>> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}" -> {HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter" \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL" [MS]HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info" -> {HKLM...CLSID} = "PDF Shell Extension" \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\AIMPClassic\(Default) = "{1F77B17B-F531-44DB-ACA4-76ABB5010A28}" -> {HKLM...CLSID} = "AIMP2: Shell Extention" \InProcServer32\(Default) = "C:\PROGRA~1\AIMP2\System\AIMP_S~1.DLL" ["AIMP DevTeam"]Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ShellEx.dll" ["Kaspersky Lab"]TuneUp Shredder Shell Extension\(Default) = "{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}" -> {HKLM...CLSID} = "TuneUp Shredder Shell Extension" \InProcServer32\(Default) = "C:\Program Files\TuneUp Utilities 2007\SDShelEx-win32.dll" ["TuneUp Software GmbH"]WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\AIMPClassic\(Default) = "{1F77B17B-F531-44DB-ACA4-76ABB5010A28}" -> {HKLM...CLSID} = "AIMP2: Shell Extention" \InProcServer32\(Default) = "C:\PROGRA~1\AIMP2\System\AIMP_S~1.DLL" ["AIMP 
DevTeam"]CMenuExtender\(Default) = "{ABC70703-32AF-11d4-90C4-D483A70F4825}" -> {HKLM...CLSID} = "CMenuExtender" \InProcServer32\(Default) = "C:\WINDOWS\BricoPacks\Vista Inspirat 2\iColorFolder\CMExt.dll" ["Revenger inc."]TuneUp Shredder Shell Extension\(Default) = "{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}" -> {HKLM...CLSID} = "TuneUp Shredder Shell Extension" \InProcServer32\(Default) = "C:\Program Files\TuneUp Utilities 2007\SDShelEx-win32.dll" ["TuneUp Software GmbH"]WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ShellEx.dll" ["Kaspersky Lab"]UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}" -> {HKLM...CLSID} = "UnlockerShellExtension" \InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}" -> {HKLM...CLSID} = "UnlockerShellExtension" \InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]Group Policies {GPedit.msc branch and setting}:-----------------------------------------------Note: detected settings may not have any effect.HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"ForceClassicControlPanel" = (REG_DWORD) dword:0x00000001{unrecognized setting}"NoLowDiskSpaceChecks" = (REG_DWORD) dword:0x00000001{unrecognized setting}"NoSharedDocuments" = (REG_DWORD) dword:0x00000001{User 
Configuration|Administrative Templates|Windows Components|Windows Explorer|Remove Shared Documents from My Computer}"NoRecentDocsMenu" = (REG_DWORD) dword:0x00000001{unrecognized setting}"ClearRecentDocsOnExit" = (REG_DWORD) dword:0x00000001{unrecognized setting}HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|Shutdown: Allow system to be shut down without having to log on}"undockwithoutlogon" = (REG_DWORD) dword:0x00000001{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|Devices: Allow undock without having to log on}Active Desktop and Wallpaper:-----------------------------Active Desktop may be disabled at this entry:HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellStateDisplayed if Active Desktop enabled and wallpaper not set by Group Policy:HKCU\Software\Microsoft\Internet Explorer\Desktop\General\"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"Displayed if Active Desktop disabled and wallpaper not set by Group Policy:HKCU\Control Panel\Desktop\"Wallpaper" = "C:\Documents and Settings\Dom\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"Startup items in "Dom" & "All Users" startup folders:-----------------------------------------------------C:\Documents and Settings\Dom\Menu Start\Programy\Autostart"TransBar" -> shortcut to: "C:\WINDOWS\BricoPacks\Vista Inspirat 2\TransBar\TransBar.exe /s" ["AKSoftware"]"UberIcon" -> shortcut to: "C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe" [null data]"Y'z Shadow" -> shortcut to: "C:\WINDOWS\BricoPacks\Vista Inspirat 2\YzShadow\YzShadow.exe" ["Y'z@Home"]Enabled Scheduled Tasks:------------------------"1-Click Maintenance" -> launches: "C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe /schedulestart" ["TuneUp 
Software GmbH"]Winsock2 Service Provider DLLs:-------------------------------Namespace Service ProvidersHKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]Transport Service ProvidersHKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:C:\WINDOWS\system32\idmmbc.dll ["Tonec Inc."], 01 - 05, 17%SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 11 - 16%SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10Toolbars, Explorer Bars, Extensions:------------------------------------Explorer BarsHKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\HKLM\SOFTWARE\Classes\CLSID\{85E0B171-04FA-11D1-B7DA-00A0C90348D6}\(Default) = "Statystyki dla ochrony WWW"Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll" ["Kaspersky Lab"]Extensions (Tools menu items, main toolbar menu buttons)HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E}\"ButtonText" = "Statystyki dla ochrony WWW"{E2E2DD38-D088-4134-82B7-F2BA38496583}\"MenuText" = "@xpsp3res.dll,-20001""Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]Miscellaneous IE Hijack Points------------------------------HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\<<H>> "TuneUp" = "file://C|/Documents and Settings/All Users/Dane aplikacji/TuneUp Software/Common/base.css" [file not found]Running Services (Display Name, Service Name, Path {Service DLL}):------------------------------------------------------------------Kaspersky Internet Security 7.0, AVP, ""C:\Program Files\Kaspersky Lab\Kaspersky Internet 
Security 7.0\avp.exe" -r" ["Kaspersky Lab"]NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]StarWind iSCSI Service, StarWindService, "C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe" ["Rocket Division Software"]TuneUp Design Expansion, UxTuneUp, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\uxtuneup.dll" ["TuneUp Software GmbH"]}---------- (launch time: 2008-02-06 18:08:38)<<!>>: Suspicious data at a malware launch point.<<H>>: Suspicious data at a browser hijack point.+ This report excludes default entries except where indicated.+ To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter.+ The search for DESKTOP.INI DLL launch points on all local fixed drives took 163 seconds.---------- (total run time: 254 seconds) ComboFix » Naciśnij, żeby pokazać/ukryć tekst oznaczony jako spoiler... « ComboFix 08-02.05.3 - Dom 2008-02-06 21:30:37.1 - NTFSx86Microsoft Windows XP Professional 5.1.2600.3.1250.1.1045.18.136 [GMT 1:00]Running from: E:\progsy\sec\ComboFix.exe[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color].((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))).C:\WINDOWS\system32\icqmlib.exeC:\WINDOWS\system32\iepref32.dllC:\WINDOWS\system32\ierplc.dllC:\WINDOWS\system32\ips.dllC:\WINDOWS\system32\lanmandrv.sysC:\WINDOWS\system32\lanmanwrk.exeC:\WINDOWS\system32\laprxy.dllexeC:\WINDOWS\system32\ocxapi.dllC:\WINDOWS\system32\ocxloader.exeC:\WINDOWS\system32\qmopt.dll.((((((((((((((((((((((((( Files Created from 2008-01-06 to 2008-02-06 ))))))))))))))))))))))))))))))).2008-02-06 20:09 . 2008-02-06 20:09 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab2008-02-06 20:05 . 2008-02-06 20:05 <DIR> d-------- C:\Program Files\EsetOnlineScanner2008-02-05 20:01 . 
2008-02-05 20:01 <DIR> d-------- C:\WINDOWS\system32\Data2008-02-05 20:01 . 2008-02-05 20:01 <DIR> d-------- C:\Program Files\Creative2008-02-05 20:01 . 2003-01-08 12:39 49,152 --a------ C:\WINDOWS\CTDCRES.DLL2008-02-05 20:01 . 2003-01-08 12:08 20,480 --a------ C:\WINDOWS\INRES.DLL2008-02-05 20:01 . 2002-06-14 13:49 10,194 --------- C:\WINDOWS\system32\PFMODNT.SYS2008-02-05 20:01 . 2003-01-08 12:08 5,609 --a------ C:\WINDOWS\system32\ctucom.ini2008-02-05 20:01 . 2003-01-08 12:08 28 --a------ C:\WINDOWS\system32\ctzapxx.ini2008-02-05 18:26 . 2008-02-05 18:28 <DIR> d-------- C:\Program Files\Unlocker2008-02-05 17:24 . 2004-12-05 21:21 142,976 --a------ C:\WINDOWS\system32\DllCache\usbport.sys2008-02-05 17:20 . 2008-01-21 22:58 <DIR> d--h----- C:\Documents and Settings\Administrator\Ustawienia lokalne2008-02-05 17:20 . 2008-01-21 22:58 <DIR> d-------- C:\Documents and Settings\Administrator\Ulubione2008-02-05 17:20 . 2008-01-21 22:06 <DIR> d--h----- C:\Documents and Settings\Administrator\Szablony2008-02-05 17:20 . 2008-01-21 22:58 <DIR> d-------- C:\Documents and Settings\Administrator\Pulpit2008-02-05 17:20 . 2008-01-21 22:58 <DIR> d-------- C:\Documents and Settings\Administrator\Moje dokumenty2008-02-05 17:20 . 2008-01-21 22:58 <DIR> dr------- C:\Documents and Settings\Administrator\Menu Start2008-02-05 17:20 . 2008-01-21 22:58 <DIR> dr-h----- C:\Documents and Settings\Administrator\Dane aplikacji2008-02-05 16:13 . 2006-12-19 16:53 24,072 --a------ C:\WINDOWS\system32\uxtuneup.dll2008-02-05 16:12 . 2008-02-05 16:13 <DIR> d-------- C:\Program Files\TuneUp Utilities 20072008-02-05 16:12 . 2008-02-05 16:12 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard2008-02-05 16:12 . 2008-02-05 16:12 <DIR> d-------- C:\Documents and Settings\Dom\Dane aplikacji\TuneUp Software2008-02-05 16:12 . 2008-02-05 16:18 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\TuneUp Software2008-02-05 16:10 . 
2007-07-19 05:59 415,744 --a------ C:\kmd.exe2008-02-05 15:58 . 2008-02-05 15:58 250 --a------ C:\WINDOWS\gmer.ini2008-02-04 21:37 . 2008-02-04 21:37 <DIR> d-------- C:\Temp2008-02-04 20:58 . 1998-10-07 12:54 327,168 --a------ C:\WINDOWS\IsUn0415.exe2008-02-04 16:57 . 2008-02-04 16:57 54,156 --ah----- C:\WINDOWS\QTFont.qfn2008-02-04 16:57 . 2008-02-04 16:57 1,409 --a------ C:\WINDOWS\QTFont.for2008-02-04 15:52 . 2008-02-04 15:52 577,536 --a------ C:\WINDOWS\system32\ac3filter.ax2008-02-04 15:51 . 2008-02-04 15:51 1,415,680 --a------ C:\WINDOWS\system32\WMV9VCM.dll2008-02-04 15:51 . 2008-02-04 15:51 921,600 --a------ C:\WINDOWS\system32\vorbisenc.dll2008-02-04 15:51 . 2008-02-04 15:51 892,928 --a------ C:\WINDOWS\system32\iconv.dll2008-02-04 15:51 . 2008-02-04 15:51 237,568 --a------ C:\WINDOWS\system32\OggDS.dll2008-02-04 15:51 . 2008-02-04 15:51 188,416 --a------ C:\WINDOWS\system32\vorbis.dll2008-02-04 15:51 . 2008-02-04 15:51 45,056 --a------ C:\WINDOWS\system32\ogg.dll2008-02-04 15:50 . 2008-02-04 15:50 729,088 --a------ C:\WINDOWS\system32\divxdec.ax2008-02-04 15:50 . 2008-02-04 15:50 352,401 --a------ C:\WINDOWS\system32\DivXMedia.ax2008-02-04 15:50 . 2008-02-04 15:50 245,760 --a------ C:\WINDOWS\system32\mplvpx.dll2008-02-04 15:50 . 2008-02-04 15:50 106,496 --a------ C:\WINDOWS\system32\lmpgspl.ax2008-02-04 15:50 . 2008-02-04 15:50 94,208 --a------ C:\WINDOWS\system32\lmpgvd.ax2008-02-04 15:50 . 2008-02-04 15:50 86,528 --a------ C:\WINDOWS\system32\DVDVideo.ax2008-02-04 15:50 . 2008-02-04 15:50 9,216 --a------ C:\WINDOWS\system32\cpuinf32.dll2008-02-04 15:49 . 2008-02-04 15:49 1,559,040 --a------ C:\WINDOWS\system32\xvidcore.dll2008-02-04 15:49 . 2008-02-04 15:49 77,824 --a------ C:\WINDOWS\system32\xvid.ax2008-02-03 20:35 . 2008-02-03 20:35 <DIR> d-------- C:\Program Files\Trend Micro2008-01-26 17:37 . 2008-01-26 17:37 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\InstallShield2008-01-26 12:20 . 
2008-01-26 12:20 <DIR> d-------- C:\Program Files\Google2008-01-25 17:17 . 2007-07-19 00:40 26,368 --a------ C:\WINDOWS\system32\DllCache\usbstor.sys2008-01-23 15:29 . 2008-01-23 15:29 <DIR> d-------- C:\Documents and Settings\Dom\Dane aplikacji\Nero2008-01-22 22:03 . 2008-02-04 20:28 <DIR> d-------- C:\Documents and Settings\Dom\Dane aplikacji\Tlen.pl2008-01-22 22:01 . 2008-01-22 22:02 <DIR> d-------- C:\Program Files\Tlen.pl2008-01-22 21:13 . 2008-01-22 21:13 <DIR> d-------- C:\Program Files\foobar20002008-01-22 21:13 . 2008-02-05 18:00 <DIR> d-------- C:\Documents and Settings\Dom\Dane aplikacji\foobar20002008-01-22 21:01 . 2008-02-05 16:16 <DIR> d-------- C:\Program Files\Internet Download Manager2008-01-22 21:01 . 2008-01-22 21:09 <DIR> d-------- C:\Documents and Settings\Dom\Dane aplikacji\IDM2008-01-22 21:01 . 2008-02-06 22:04 <DIR> d-------- C:\Documents and Settings\Dom\Dane aplikacji\DMCache2008-01-22 20:58 . 2005-04-25 10:43 159,616 --a------ C:\WINDOWS\system32\drivers\Vax347b.sys2008-01-22 20:58 . 2004-04-30 09:33 5,248 --a------ C:\WINDOWS\system32\drivers\Vax347s.sys2008-01-22 20:57 . 2008-01-22 20:57 <DIR> d-------- C:\Program Files\Alcohol Soft2008-01-22 18:56 . 2008-02-05 18:25 <DIR> d-------- C:\Program Files\DU Meter2008-01-22 18:56 . 2008-01-22 18:56 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Hagel Technologies2008-01-22 00:49 . 2008-01-22 00:49 <DIR> d-------- C:\Program Files\xp-AntiSpy2008-01-22 00:30 . 2008-01-22 00:30 <DIR> d-------- C:\Program Files\Kaspersky Lab2008-01-22 00:30 . 2008-02-06 22:04 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab2008-01-22 00:30 . 2008-02-06 21:58 6,216,480 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat2008-01-22 00:30 . 2008-02-06 19:40 139,040 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat2008-01-22 00:30 . 2008-01-31 19:41 91,700 --a------ C:\WINDOWS\system32\drivers\klin.dat2008-01-22 00:30 . 
A Kaspersky online scan is running right now; when it finishes without finding anything, I'll run a scan with another online AV (NOD32 online won't run 8O). The important part: when the countdown window appears and I cancel the restart with the command shutdown -a in Start Menu -> Run, the sound driver (kX Project) crashes. Apart from that, the system slows down quite noticeably. I'll be very grateful for all replies. UPDATE: ComboFix log added. Seconfig XP done. Please send further suggestions. UPDATE2: Kaspersky and F-Secure online scans had no effect.
Edited 7 February 2008 by shaqal
shaqal Posted 11 February 2008 (edited)
ComboFix log on Wklej.org: http://wklej.org/id/5dec6f4d9b At XaD's request. UPDATE: screenshot of the countdown window.
Edited 11 February 2008 by shaqal
shaqal Posted 23 February 2008 (edited)
Sorry for not replying for so long, but I haven't had much time. To the point: the system was recently formatted again (after all those restarts it was already badly bogged down) and it's still the same: the countdown still appears. Before the countdown appears, a message pops up: "An error occurred in services.exe", click "Close" to close the program. About a minute after the error appears, the countdown appears (it makes no difference whether you click "Close" on the services.exe error or not). It still crashes the sound card drivers when the countdown appears, and the whole system bogs down. Logs:
ComboFix: http://wklej.org/id/f774a98511
SDFix: http://wklej.org/id/7f33593df3
ComboFix after SDFix: http://wklej.org/id/e96b235308
SilentRunners: http://wklej.org/id/a18c90c279
HiJackThis: http://wklej.org/id/5d0d685819
I'll be grateful for any help.
Edited 23 February 2008 by shaqal
shaqal Posted 4 March 2008
After all the scans, the problem seems to have eased. I haven't seen the window for a while now. To be sure, I'm adding the Gmer logs as XaD recommended:
Everything: http://wklej.org/id/2004867b40
Services: http://wklej.org/id/0d6fe0d48a
Regards and thanks for the help.