Proszę O Sprawdzenie Loga

[kapi13]

Mam problem z kompem bo ostatnio antywirus wykrył jakiegoś trojana ale nie mogę go usunąć.

Logfile of HijackThis v1.99.1

Scan saved at 19:08:24, on 2008-03-07

Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\PROGRA~1\NEOSTR~1\CnxMon.exe

C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe

C:\Program Files\Neostrada TP\taskbaricon.exe

C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe

C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Kalendarz XP\Kalendarz.exe

C:\Program Files\Neostrada TP\NeostradaTP.exe

C:\Program Files\Neostrada TP\ComComp.exe

C:\Program Files\Neostrada TP\Watch.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Gadu-Gadu\gg.exe

C:\Documents and Settings\Kapi\Moje dokumenty\Hijackthis\Kapi.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://szukaj.wp.pl

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL

O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe

O4 - HKLM\..\Run: [speedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon

O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe

O4 - HKLM\..\Run: [WOOTASKBARICON] C:\Program Files\Neostrada TP\taskbaricon.exe

O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

O4 - HKLM\..\Run: [sunasDtServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [kis] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime

O4 - HKCU\..\Run: [incrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c

O4 - HKCU\..\Run: [Komunikator] C:\Program Files\Tlen.pl\tlen.exe

O4 - Startup: HDDlife.lnk = C:\Program Files\BinarySense\HDDlife\HDDlifePro.exe

O4 - Global Startup: Kalendarz XP.lnk = C:\Program Files\Kalendarz XP\Kalendarz.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm

O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm

O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm

O8 - Extra context menu item: &Ściągnij przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_link.htm

O8 - Extra context menu item: &Ściągnij wszystko przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_all.htm

O8 - Extra context menu item: Dodaj do Kaspersky Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\\ie_banner_deny.htm

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html

O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html

O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html

O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html

O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Ochrona WWW - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll

O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwa...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{B3183AA3-71A3-4298-8817-BCD6FE3BF380}: NameServer = 194.204.159.1 217.98.63.164

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll

O20 - Winlogon Notify: klogon - C:\WINDOWS\System32\klogon.dll

O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

oraz log nr.2

"Silent Runners.vbs", revision 49, http://www.silentrunners.org/

Operating System: Windows XP

Output limited to non-default values, except where indicated by "{++}"

 

 

Startup items buried in registry:

---------------------------------

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"IncrediMail" = "C:\Program Files\IncrediMail\bin\IncMail.exe /c" ["IncrediMail, Ltd."]

"Komunikator" = "C:\Program Files\Tlen.pl\tlen.exe" ["o2.pl Sp. z o.o."]

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"WooCnxMon" = "C:\PROGRA~1\NEOSTR~1\CnxMon.exe" [empty string]

"SpeedTouch USB Diagnostics" = ""C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon" ["THOMSON Telecom Belgium"]

"WOOWATCH" = "C:\PROGRA~1\NEOSTR~1\Watch.exe" ["France Télécom R&D"]

"WOOTASKBARICON" = "C:\Program Files\Neostrada TP\taskbaricon.exe" ["France Télécom R&D"]

"Easy-PrintToolBox" = "C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon" ["CANON INC."]

"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]

"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"" ["Sun Microsystems, Inc."]

"sunasDtServ" = "C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe" ["Sunbelt Software Inc."]

"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]

"kis" = ""C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"" ["Kaspersky Lab"]

"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]

"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]

"QuickTime Task" = ""C:\WINDOWS\system32\qttask.exe" -atboottime" ["Apple Computer, Inc."]

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{39F7E362-828A-4B5A-BCAF-5B79BFDFEA60}\(Default) = "BitComet ClickCapture"

-> {HKLM...CLSID} = "BitComet Helper"

\InProcServer32\(Default) = "C:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll" ["BitComet"]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)

-> {HKLM...CLSID} = "SSVHelper Class"

\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll" ["Sun Microsystems, Inc."]

{F156768E-81EF-470C-9057-481BA8380DBA}\(Default) = (no title provided)

-> {HKLM...CLSID} = "FlashGet GetFlash Class"

\InProcServer32\(Default) = "C:\Program Files\FlashGet\getflash.dll" ["www.flashget.com"]

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

-> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

\InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

-> {HKLM...CLSID} = "HyperTerminal Icon Ext"

\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"

-> {HKLM...CLSID} = "AlcoholShellEx"

\InProcServer32\(Default) = "C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]

"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"

-> {HKLM...CLSID} = "DesktopContext Class"

\InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]

"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"

-> {HKLM...CLSID} = "NVIDIA CPL Extension"

\InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]

"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"

-> {HKLM...CLSID} = "Desktop Explorer"

\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"

-> {HKLM...CLSID} = "nView Desktop Context Menu"

\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]

"{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8}" = "jetAudio"

-> {HKLM...CLSID} = "JetFlExt"

\InProcServer32\(Default) = "C:\Program Files\JetAudio\JetFlExt.dll" ["JetAudio, Inc."]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]

"{85E0B171-04FA-11D1-B7DA-00A0C90348D6}" = "Ochrona WWW"

-> {HKLM...CLSID} = "Ochrona WWW"

\InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll" ["Kaspersky Lab"]

"{AD392E40-428C-459F-961E-9B147782D099}" = "UltraISO"

-> {HKLM...CLSID} = "UIContextMenu Class"

\InProcServer32\(Default) = "C:\Program Files\UltraISO\isoshell.dll" ["EZB Systems, Inc."]

"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"

-> {HKLM...CLSID} = "Portable Media Devices Menu"

\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]

"{A5110426-177D-4e08-AB3F-785F10B4439C}" = "Sony Ericsson File Manager"

-> {HKLM...CLSID} = "Sony Ericsson File Manager"

\InProcServer32\(Default) = "C:\Program Files\Sony Ericsson\Mobile2\File Manager\fmgrgui.dll" ["Sony Ericsson Mobile Communications AB"]

"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"

-> {HKLM...CLSID} = "RealOne Player Context Menu Class"

\InProcServer32\(Default) = "C:\Program Files\ACE Mega CoDecS Pack\SystemS\RealMedia\rpshell.dll" ["RealNetworks, Inc."]

 

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\

<<!>> "AppInit_DLLs" = "C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll" ["Kaspersky Lab"]

 

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

<<!>> klogon\DLLName = "C:\WINDOWS\System32\klogon.dll" ["Kaspersky Lab"]

 

HKLM\Software\Classes\PROTOCOLS\Filter\

<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

 

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\shellex.dll" ["Kaspersky Lab"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

 

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

jetAudio\(Default) = "{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8}"

-> {HKLM...CLSID} = "JetFlExt"

\InProcServer32\(Default) = "C:\Program Files\JetAudio\JetFlExt.dll" ["JetAudio, Inc."]

UltraISO\(Default) = "{AD392E40-428C-459F-961E-9B147782D099}"

-> {HKLM...CLSID} = "UIContextMenu Class"

\InProcServer32\(Default) = "C:\Program Files\UltraISO\isoshell.dll" ["EZB Systems, Inc."]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

 

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

jetAudio\(Default) = "{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8}"

-> {HKLM...CLSID} = "JetFlExt"

\InProcServer32\(Default) = "C:\Program Files\JetAudio\JetFlExt.dll" ["JetAudio, Inc."]

Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\shellex.dll" ["Kaspersky Lab"]

UltraISO\(Default) = "{AD392E40-428C-459F-961E-9B147782D099}"

-> {HKLM...CLSID} = "UIContextMenu Class"

\InProcServer32\(Default) = "C:\Program Files\UltraISO\isoshell.dll" ["EZB Systems, Inc."]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

 

 

Group Policies {GPedit.msc branch and setting}:

-----------------------------------------------

 

Note: detected settings may not have any effect.

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

 

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}

 

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Devices: Allow undock without having to log on}

 

 

Active Desktop and Wallpaper:

-----------------------------

 

Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

 

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "C:\Documents and Settings\Kapi\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

 

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\WINDOWS\Kapi.bmp"

[Kolobos]

Oczywiscie nie napiszesz jaki to trojan, w jakim plik i gdzie sie ten plik znajduje?

[kapi13]

C:\Documents and Settings\Kapi\Ustawienia lokalne\Temporary Internet Files\Content.IE5\ODUNSLQ7

Nazywa sie to g...o :Trjan Downloader.Win32.Agent.kht

Sorki że nie podałem jego nazwy 8O

[kapi13]

Oto log z Combofix:

ComboFix 08-03-07.4 - Kapi 2008-03-08 14:13:08.3 - FAT32x86

Microsoft Windows XP Professional 5.1.2600.1.1250.1.1045.18.255 [GMT 1:00]

Running from: C:\Documents and Settings\Kapi\Moje dokumenty\kapi1973\ComboFix.exe

* Created a new restore point

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((( Files Created from 2008-02-08 to 2008-03-08 )))))))))))))))))))))))))))))))

.

 

2008-03-08 00:09 . 2008-03-08 14:10 3,145,782 --a------ C:\WINDOWS\Kapi.bmp

2008-03-07 21:26 . 2008-03-07 21:26 <DIR> d--hs---- C:\FOUND.021

2008-03-04 16:22 . 2008-03-08 00:15 43,520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll

2008-03-01 16:18 . 2008-03-01 16:18 <DIR> d-------- C:\Program Files\TVUPlayer

2008-03-01 16:18 . 2008-03-01 16:18 <DIR> d-------- C:\Documents and Settings\Kapi\Dane aplikacji\TVU networks

2008-03-01 16:18 . 2008-03-01 16:18 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DANEAP~1\TVU networks

2008-03-01 09:53 . 2008-03-01 09:53 <DIR> d-------- C:\Program Files\FlashGet

2008-02-29 23:40 . 2008-02-29 23:41 54,156 --ah----- C:\WINDOWS\QTFont.qfn

2008-02-29 23:40 . 2008-02-29 23:41 1,409 --a------ C:\WINDOWS\QTFont.for

2008-02-26 18:18 . 2008-02-26 18:18 <DIR> d--hs---- C:\FOUND.020

2008-02-25 18:44 . 2008-02-25 18:44 <DIR> d--hs---- C:\FOUND.019

2008-02-25 18:06 . 2008-02-25 18:06 <DIR> d-------- C:\Program Files\CDex_150

2008-02-18 23:47 . 2008-02-18 23:47 <DIR> d-------- C:\Program Files\MegauploadToolbar

2008-02-18 23:47 . 2008-02-18 23:47 <DIR> d-------- C:\Documents and Settings\Kapi\Dane aplikacji\MegauploadToolbar

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-03-08 00:07 64,028 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx

2008-03-08 00:07 557,056 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat

2008-03-08 00:07 49,100 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx

2008-03-08 00:07 3,587,616 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat

2008-01-12 12:09 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll

2008-01-12 12:09 --------- d--h--r C:\Documents and Settings\Kapi\Dane aplikacji\SecuROM

2008-01-06 11:49 32 ----a-w C:\DOCUME~1\ALLUSE~1\DANEAP~1\ezsid.dat

2008-01-05 22:32 98,304 ----a-w C:\WINDOWS\system32\qttask.exe

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IncrediMail"="C:\Program Files\IncrediMail\bin\IncMail.exe" [2006-10-31 14:06 204843]

"Komunikator"="C:\Program Files\Tlen.pl\tlen.exe" [2007-10-16 11:53 6234112]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"WooCnxMon"="C:\PROGRA~1\NEOSTR~1\CnxMon.exe" [2003-10-16 19:07 24576]

"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 11:38 866816]

"WOOWATCH"="C:\PROGRA~1\NEOSTR~1\Watch.exe" [2003-10-16 19:07 20480]

"WOOTASKBARICON"="C:\Program Files\Neostrada TP\taskbaricon.exe" [2003-10-16 19:07 53248]

"Easy-PrintToolBox"="C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe" [2004-01-14 13:10 409600]

"nwiz"="nwiz.exe" [2006-06-01 17:22 1519616 C:\WINDOWS\system32\nwiz.exe]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

"sunasDtServ"="C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe" [2005-03-18 14:04 843776]

"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]

"kis"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" [2006-03-24 19:09 139367]

"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2006-06-01 17:22 7618560]

"SoundMan"="SOUNDMAN.EXE" [2003-08-15 09:34 57344 C:\WINDOWS\SOUNDMAN.EXE]

"QuickTime Task"="C:\WINDOWS\system32\qttask.exe" [2008-01-05 23:32 98304]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-09-20 18:05 13312]

 

C:\Documents and Settings\Kapi\Menu Start\Programy\Autostart\

HDDlife.lnk - C:\Program Files\BinarySense\HDDlife\HDDlifePro.exe [2006-10-03 12:34:28 811520]

 

C:\DOCUME~1\ALLUSE~1\MENUST~1\Programy\AUTOST~1\

Kalendarz XP.lnk - C:\Program Files\Kalendarz XP\Kalendarz.exe [2006-07-05 20:24:48 882176]

Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-03-04 10:54:23 113664]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

"AntiVirusDisableNotify"=dword:00000001

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]

"DisableMonitoring"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"C:\\Program Files\\PPMate\\PPMate\\ppmate.exe"=

 

R2 SVKP;SVKP;C:\WINDOWS\System32\SVKP.sys [2006-07-13 10:25]

S3 ASPI;Advanced SCSI Programming Interface Driver;C:\WINDOWS\System32\DRIVERS\ASPI32.sys [2002-07-17 09:05]

S3 iMSPQMn;iMSPQMn;C:\DOCUME~1\Kapi\USTAWI~1\Temp\iMSPQMn.sys [2001-08-14 12:16]

S3 k510bus;Sony Ericsson K510 Driver driver (WDM);C:\WINDOWS\System32\DRIVERS\k510bus.sys [2006-09-25 19:59]

S3 k510mdfl;Sony Ericsson K510 USB WMC Modem Filter;C:\WINDOWS\System32\DRIVERS\k510mdfl.sys [2006-09-25 19:59]

S3 k510mdm;Sony Ericsson K510 USB WMC Modem Driver;C:\WINDOWS\System32\DRIVERS\k510mdm.sys [2006-09-25 19:59]

S3 k510mgmt;Sony Ericsson K510 USB WMC Device Management Drivers (WDM);C:\WINDOWS\System32\DRIVERS\k510mgmt.sys [2006-09-25 19:59]

S3 k510obex;Sony Ericsson K510 USB WMC OBEX Interface;C:\WINDOWS\System32\DRIVERS\k510obex.sys [2006-09-25 19:59]

S3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2002-08-29 01:32]

 

.

**************************************************************************

 

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-03-08 14:15:17

Windows 5.1.2600 Dodatek Service Pack. 1 FAT NTAPI

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

[HKEY_LOCAL_MACHINE\system\ControlSet007\Services\msdirectxsp]

"ImagePath"=""

.

Completion time: 2008-03-08 14:16:20

ComboFix2.txt 2007-09-23 10:08:46

ComboFix-quarantined-files.txt 2008-03-08 13:16:20

Edytowane 8 Marca 2008 przez kapi13

[Kolobos]

Usun z dysku wszystkie C:\FOUND.*, pomysl tez o zamianie systemu plikow na NTFS. Uzyj ATF Cleaner i usun wszystko z IE Temp, temp itd.

[kapi13]

Wydaje mi sie że zrobiłem to co pisałeś ale antywirus nadal pokazuje że robal jest.

[Kolobos]

Wjedz do: C:\Documents and Settings\Kapi\Ustawienia lokalne\Temporary Internet Files\ i usun caly katalog Content.IE5.

[kapi13]

Wywaliłem z tamtąd wszystko a antywir pokazuje że nadal tam coś jest 8O

[kapi13]

Oto log:

SDFix: Version 1.154

 

Run by Kapi on 2008-03-09 at 19:31

 

Microsoft Windows XP [Wersja 5.1.2600]

Running From: C:\SDFix

 

Checking Services :

 

 

Restoring Windows Registry Values

Restoring Windows Default Hosts File

 

Rebooting

 

 

Checking Files :

 

Trojan Files Found:

 

C:\WINDOWS\SYSTEM32\KAVSVC.EXE - Deleted

C:\WINDOWS\system32\TFTP672 - Deleted

C:\WINDOWS\system32\TFTP3788 - Deleted

C:\WINDOWS\system32\TFTP2700 - Deleted

C:\WINDOWS\system32\TFTP3552 - Deleted

 

 

 

 

 

Removing Temp Files

 

ADS Check :

 

 

 

Final Check :

 

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-03-09 19:35:18

Windows 5.1.2600 Dodatek Service Pack. 1 FAT NTAPI

 

scanning hidden processes ...

 

scanning hidden services ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden processes: 0

hidden services: 0

hidden files: 0

 

 

Remaining Services :

 

 

 

Authorized Application Key Export:

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"C:\\Program Files\\PPMate\\PPMate\\ppmate.exe"="C:\\Program Files\\PPMate\\PPMate\\ppmate.exe:*:Enabled:PPMate"

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

 

Remaining Files :

 

 

File Backups: - C:\SDFix\backups\backups.zip

 

Files with Hidden Attributes :

 

Tue 11 Dec 2007 6,219,320 A..H. --- "C:\Program Files\Picasa2\setup.exe"

Wed 16 Aug 2006 48 ..SH. --- "C:\Documents and Settings\All Users\DRM\v2ks.sec.bak"

Wed 16 Aug 2006 400 ..SH. --- "C:\Documents and Settings\All Users\DRM\v2ks.bla.bak"

 

Finished!

[kapi13]

anty wir cały czas pokazuje że te dziadostwo jest:

BAD_STATUS(5) Koń trojański Trojan-Downloader.Win32.Agent.kht Plik: C:\Documents and Settings\Kapi\Ustawienia lokalne\Temporary Internet Files\Content.IE5\ODUNSLQ7\appH[1].cab

[kapi13]

No i log z tego programu:

http://rapidshare.com/files/98407605/scan_2.txt.html

[kapi13]

Mam mam.Oto i on:

Malwarebytes' Anti-Malware 1.08

Database version: 475

 

Scan type: Full Scan (A:\|C:\|F:\|G:\|)

Objects scanned: 100243

Time elapsed: 47 minute(s), 38 second(s)

 

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 3

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

 

Memory Processes Infected:

(No malicious items detected)

 

Memory Modules Infected:

(No malicious items detected)

 

Registry Keys Infected:

HKEY_CLASSES_ROOT\urlsearchhook.softomateurlsearchhook (Adware.Softomate) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\urlsearchhook.softomateurlsearchhook.1 (Adware.Softomate) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\URLSearchHook.SoftomateURLSearchHook (Adware.Softomate) -> Quarantined and deleted successfully.

 

Registry Values Infected:

(No malicious items detected)

 

Registry Data Items Infected:

(No malicious items detected)

 

Folders Infected:

(No malicious items detected)

 

Files Infected:

(No malicious items detected)

[kapi13]

Zrobiłem tak jak pisałeś ale antywir nie wzruszony pokazuje ten sam komunikat .

[Kolobos]

Czy usunales katalog: C:\Documents and Settings\Kapi\Ustawienia lokalne\Temporary Internet Files\Content.IE5\ tak jak pisalem?

Do usuwania uzyj Total Commander'a po kasacji zrob reset i zobacz czy po resecie znowu cos wykryje.