Prośba O Sprawdzenie Loga...

Manhunt · 15 Maja 2008

Witam! Kumpel ma maly problemik bo ma zasyfionego na maxa kompa 8O i stwierdziłem że mu pomogę. Proszę o sprawdzenie loga i pokazanie mi co jest do wywalenia;)

Pozdrawiam

» Naciśnij aby pokazać/ukryć tekst oznaczony jako spoiler « - "TU LOG"

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 19:57:59, on 2008-05-15

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemon-search.com/startpage

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - URLSearchHook: free-downloads.net Toolbar - {ecdee021-0d17-467f-a1ff-c7a115230949} - C:\Program Files\free-downloads.net\tbfree.dll

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_1.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: ShoppingReport - {100EB1FD-D03E-47FD-81F3-EE91287F9465} - C:\Program Files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll

O2 - BHO: (no name) - {89A1E40D-0254-4F99-B9AE-B60A2D8754A9} - C:\WINDOWS\system32\yayvwtt.dll (file missing)

O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll

O2 - BHO: free-downloads.net Toolbar - {ecdee021-0d17-467f-a1ff-c7a115230949} - C:\Program Files\free-downloads.net\tbfree.dll

O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_1.dll

O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll

O3 - Toolbar: IE Custom Tools - {8113B5DE-F7EB-4154-A311-497FB80D8BD0} - C:\Program Files\Video Add-on\ictmdl.dll

O3 - Toolbar: free-downloads.net Toolbar - {ecdee021-0d17-467f-a1ff-c7a115230949} - C:\Program Files\free-downloads.net\tbfree.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKCU\..\Run: [AQQ] C:\PROGRA~1\WapSter\AQQ\AQQ.exe

O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\Video Add-on\icthis.exe

O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\Video Add-on\isfmntr.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm

O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm

O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll

O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.ietoolgate.com/redirect.php (file missing)

O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.ietoolgate.com/redirect.php (file missing)

O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\Program Files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll

O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\Program Files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe

O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O20 - AppInit_DLLs: "C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll"

O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Dokumenty\Settings\partnership.dll (file missing)

O20 - Winlogon Notify: winjks32 - winjks32.dll (file missing)

O20 - Winlogon Notify: yayvwtt - yayvwtt.dll (file missing)

O22 - SharedTaskScheduler: esperantido - {67dc0736-075a-4647-95f5-d5421b838fed} - C:\WINDOWS\system32\svxmhpz.dll

O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--

End of file - 5739 bytes

**ULLISSES** · 15 Maja 2008

Na szybko:

Wszystkie BHO, Extra button i Toolbar do wywalenia, bo i tak nikt normalny nie używa IE6.

Procesy SVCHOST na 4 pozycjach też w kosz. Podobnie jak wpisy z "file missing" oraz te robaki:

O22 - SharedTaskScheduler: esperantido - {67dc0736-075a-4647-95f5-d5421b838fed} - C:\WINDOWS\system32\svxmhpz.dll

O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\Video Add-on\icthis.exe

O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\Video Add-on\isfmntr.exe

Zaznaczasz, wciskasz Fix i po problemie.

Wcześniej menedżerem zadań zamykasz oba procesy. Do usunięcia pierwszego pliku może być konieczne zamknięcie: winamp.exe, gg.exe, explorer.exe, iexplore.exe

Manhunt · 15 Maja 2008

Ogólnie teraz pykam skana kompa KIS'em 7.0125 8O

» Naciśnij aby pokazać/ukryć tekst oznaczony jako spoiler « - "log"

ComboFix 08-05-12.1 - kobra 2008-05-15 20:50:23.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.1211 [GMT 2:00]

Running from: C:\Documents and Settings\kobra\Pulpit\ComboFix.exe

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Documents and Settings\All Users\Menu Start\Online Security Guide.url

C:\Documents and Settings\All Users\Menu Start\Security Troubleshooting.url

C:\Documents and Settings\kobra\Dane aplikacji\ShoppingReport

C:\Documents and Settings\kobra\Dane aplikacji\ShoppingReport\cs\Config.xml

C:\Documents and Settings\kobra\Dane aplikacji\ShoppingReport\cs\db\Aliases.dbs

C:\Documents and Settings\kobra\Dane aplikacji\ShoppingReport\cs\db\Sites.dbs

C:\Documents and Settings\kobra\Dane aplikacji\ShoppingReport\cs\dwld\WhiteList.xip

C:\Documents and Settings\kobra\Dane aplikacji\ShoppingReport\cs\report\aggr_storage.xml

C:\Documents and Settings\kobra\Dane aplikacji\ShoppingReport\cs\report\send_storage.xml

C:\Documents and Settings\kobra\Dane aplikacji\ShoppingReport\cs\res2\WhiteList.dbs

C:\Documents and Settings\kobra\Ulubione\Online Security Test.url

C:\Program Files\Helper

C:\Program Files\ShoppingReport

C:\Program Files\ShoppingReport\Uninst.exe

C:\Program Files\Video Add-on

C:\Program Files\Video Add-on\ot.ico

C:\Program Files\Video Add-on\ts.ico

C:\Program Files\Video Add-on\uninst.exe

C:\WINDOWS\system32\drivers\retx2.sys

C:\WINDOWS\system32\pqstv.ini2

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_MSUPDATE

-------\Service_retx2

((((((((((((((((((((((((( Files Created from 2008-04-15 to 2008-05-15 )))))))))))))))))))))))))))))))

.

2008-05-15 20:17 . 2008-05-15 20:17 <DIR> d-------- C:\Program Files\Kaspersky Lab

2008-05-15 20:17 . 2008-05-15 21:05 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab

2008-05-15 20:17 . 2008-05-15 21:05 2,874,400 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat

2008-05-15 20:17 . 2008-05-15 20:27 96,645 --a------ C:\WINDOWS\system32\drivers\klin.dat

2008-05-15 20:17 . 2008-05-15 20:27 87,941 --a------ C:\WINDOWS\system32\drivers\klick.dat

2008-05-15 20:17 . 2008-05-15 21:03 39,524 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx

2008-05-15 20:17 . 2008-05-15 21:04 6,688 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat

2008-05-15 20:17 . 2008-05-15 21:03 1,628 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx

2008-05-15 20:08 . 2008-05-15 20:08 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab Setup Files

2008-05-15 19:57 . 2008-05-15 19:57 <DIR> d-------- C:\Program Files\Trend Micro

2008-05-15 17:37 . 2008-05-15 17:37 <DIR> d-------- C:\Program Files\Ventrilo

2008-05-15 17:37 . 2008-05-15 17:41 <DIR> d-------- C:\Documents and Settings\kobra\Dane aplikacji\Ventrilo

2008-05-15 17:36 . 2008-05-15 17:36 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

2008-05-01 13:14 . 2008-05-01 13:14 <DIR> d-------- C:\Program Files\GraveLand.pl

2008-04-28 20:26 . 2008-04-28 20:26 <DIR> d-------- C:\Program Files\Common Files\INCA Shared

2008-04-28 19:44 . 2007-03-16 10:19 5,174 -ra------ C:\WINDOWS\system32\nppt9x.vxd

2008-04-28 19:44 . 2007-03-16 10:19 4,682 -ra------ C:\WINDOWS\system32\npptNT2.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-05-15 18:11 --------- d---a-w C:\Documents and Settings\All Users\Dane aplikacji\TEMP

2008-05-15 17:51 --------- d-----w C:\Program Files\Save

2008-04-28 17:36 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-04-10 19:29 --------- d-----w C:\Program Files\sfmp3search2.6.1

2008-04-10 19:28 738,304 ----a-w C:\WINDOWS\GPInstall.exe

2008-04-02 17:30 --------- d-----w C:\Program Files\Ahead

2008-03-16 20:34 --------- d-----w C:\Program Files\ffdshow

2008-03-06 16:29 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll

2008-03-06 15:23 669,184 ----a-w C:\WINDOWS\system32\pbsvc.exe

2008-03-06 15:23 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe

2008-03-06 15:23 22,328 ----a-w C:\Documents and Settings\kobra\Dane aplikacji\PnkBstrK.sys

2008-03-06 15:23 103,736 ----a-w C:\WINDOWS\system32\PnkBstrB.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ecdee021-0d17-467f-a1ff-c7a115230949}]

2007-12-04 14:53 1502232 --a------ C:\Program Files\free-downloads.net\tbfree.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{8113B5DE-F7EB-4154-A311-497FB80D8BD0}"= "C:\Program Files\Video Add-on\ictmdl.dll" [ ]

"{ECDEE021-0D17-467F-A1FF-C7A115230949}"= "C:\Program Files\free-downloads.net\tbfree.dll" [2007-12-04 14:53 1502232]

[HKEY_CLASSES_ROOT\clsid\{8113b5de-f7eb-4154-a311-497fb80d8bd0}]

[HKEY_CLASSES_ROOT\clsid\{ecdee021-0d17-467f-a1ff-c7a115230949}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]

"{8113B5DE-F7EB-4154-A311-497FB80D8BD0}"= C:\Program Files\Video Add-on\ictmdl.dll [ ]

"{ECDEE021-0D17-467F-A1FF-C7A115230949}"= C:\Program Files\free-downloads.net\tbfree.dll [2007-12-04 14:53 1502232]

[HKEY_CLASSES_ROOT\clsid\{8113b5de-f7eb-4154-a311-497fb80d8bd0}]

[HKEY_CLASSES_ROOT\clsid\{ecdee021-0d17-467f-a1ff-c7a115230949}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AQQ"="C:\PROGRA~1\WapSter\AQQ\AQQ.exe" [2007-02-28 14:18 2351864]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 02:41 8523776]

"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2008-02-08 18:36 227856]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:44 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winjks32]

winjks32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayvwtt]

yayvwtt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux"= ctwdm32.dll

"vidc.avrn"= C:\PROGRA~1\ACEMEG~1\SystemS\AVIDAV~1.DLL

"vidc.advj"= C:\PROGRA~1\ACEMEG~1\SystemS\AVIDAV~1.DLL

"vidc.mszh"= C:\PROGRA~1\ACEMEG~1\SystemS\avimszh.dll

"vidc.zlib"= C:\PROGRA~1\ACEMEG~1\SystemS\avizlib.dll

"vidc.cscd"= C:\PROGRA~1\ACEMEG~1\SystemS\camcodec.dll

"vidc.em2v"= C:\PROGRA~1\ACEMEG~1\SystemS\etxcodec.dll

"vidc.mkvc"= C:\PROGRA~1\ACEMEG~1\SystemS\kmvidc32.dll

"vidc.hfyu"= C:\PROGRA~1\ACEMEG~1\SystemS\huffyuv.dll

"msacm.lameacm"= C:\PROGRA~1\ACEMEG~1\SystemS\lameacm.acm

"msacm.lhacm"= C:\PROGRA~1\ACEMEG~1\SystemS\lhacm.acm

"msacm.l3acm"= C:\PROGRA~1\ACEMEG~1\SystemS\l3codecp.acm

"vidc.sjpg"= C:\PROGRA~1\ACEMEG~1\SystemS\pmjpeg32.dll

"vidc.dmb2"= C:\PROGRA~1\ACEMEG~1\SystemS\pmjpeg32.dll

"vidc.gepj"= C:\PROGRA~1\ACEMEG~1\SystemS\pmjpeg32.dll

"vidc.qpeg"= C:\PROGRA~1\ACEMEG~1\SystemS\Qpeg32.dll

"vidc.q1.0"= C:\PROGRA~1\ACEMEG~1\SystemS\Qpeg32.dll

"vidc.tscc"= C:\PROGRA~1\ACEMEG~1\SystemS\tsccvid.dll

"vidc.vifp"= C:\PROGRA~1\ACEMEG~1\SystemS\vfcodec.dll

"vidc.wrpr"= C:\PROGRA~1\ACEMEG~1\SystemS\aviwrap.dll

"vidc.wnv1"= C:\PROGRA~1\ACEMEG~1\SystemS\wnvplay1.dll

"vidc.advs"= C:\PROGRA~1\ACEMEG~1\SystemS\Adaptec\Dvc.dll

"vidc.aflc"= C:\PROGRA~1\ACEMEG~1\SystemS\Autodesk\FLCCOD~1.DLL

"vidc.afli"= C:\PROGRA~1\ACEMEG~1\SystemS\Autodesk\FLCCOD~1.DLL

"vidc.aasc"= C:\PROGRA~1\ACEMEG~1\SystemS\Autodesk\Aasc32.dll

"vidc.aas4"= C:\PROGRA~1\ACEMEG~1\SystemS\Autodesk\Aasc32.dll

"vidc.asv1"= C:\PROGRA~1\ACEMEG~1\SystemS\ASUS\asusasv1.dll

"vidc.asv2"= C:\PROGRA~1\ACEMEG~1\SystemS\ASUS\asusasv2.dll

"vidc.asvx"= C:\PROGRA~1\ACEMEG~1\SystemS\ASUS\asusasv2.dll

"vidc.vcr1"= C:\PROGRA~1\ACEMEG~1\SystemS\ATI\ativcr1.dll

"vidc.vcr2"= C:\PROGRA~1\ACEMEG~1\SystemS\ATI\ativcr2.dll

"vidc.yv12"= C:\PROGRA~1\ACEMEG~1\SystemS\ATI\atiyuv12.DLL

"vidc.mwv1"= C:\PROGRA~1\ACEMEG~1\SystemS\Aware\icmw_32.dll

"vidc.bt20"= C:\PROGRA~1\ACEMEG~1\SystemS\BROOKT~1\btvvc32.drv

"vidc.y41p"= C:\PROGRA~1\ACEMEG~1\SystemS\BROOKT~1\btvvc32.drv

"msacm.pcdv"= C:\PROGRA~1\ACEMEG~1\SystemS\Canopus\pcdv.acm

"vidc.cdvc"= C:\PROGRA~1\ACEMEG~1\SystemS\Canopus\CSCCDVC.DLL

"vidc.ddvc"= C:\PROGRA~1\ACEMEG~1\SystemS\Canopus\CSCdvsd.DLL

"vidc.png1"= C:\PROGRA~1\ACEMEG~1\SystemS\Core\COREPN~1.DLL

"msacm.CoreFLAC_ACM"= C:\PROGRA~1\ACEMEG~1\SystemS\Core\COREFL~1.ACM

"vidc.davc"= C:\PROGRA~1\ACEMEG~1\SystemS\dicas\davcvfw.dll

"vidc.div3"= C:\PROGRA~1\ACEMEG~1\SystemS\DivX\DivXc32.dll

"vidc.div5"= C:\PROGRA~1\ACEMEG~1\SystemS\DivX\DivXc32.dll

"vidc.mpg3"= C:\PROGRA~1\ACEMEG~1\SystemS\DivX\DivXc32.dll

"vidc.div4"= C:\PROGRA~1\ACEMEG~1\SystemS\DivX\DivXc32f.dll

"vidc.div6"= C:\PROGRA~1\ACEMEG~1\SystemS\DivX\DivXc32f.dll

"vidc.ap41"= C:\PROGRA~1\ACEMEG~1\SystemS\DivX\DivXc32f.dll

"vidc.dvx4"= C:\PROGRA~1\ACEMEG~1\SystemS\DivX\divx4.dll

"vidc.divx"= C:\PROGRA~1\ACEMEG~1\SystemS\DivX\DivX520.dll

"msacm.divxa32"= C:\PROGRA~1\ACEMEG~1\SystemS\DivX\divxa32.acm

"vidc.frwd"= C:\PROGRA~1\ACEMEG~1\SystemS\Forward\frwd.dll

"vidc.frwt"= C:\PROGRA~1\ACEMEG~1\SystemS\Forward\frwd.dll

"vidc.frwa"= C:\PROGRA~1\ACEMEG~1\SystemS\Forward\frwt.dll

"vidc.frwu"= C:\PROGRA~1\ACEMEG~1\SystemS\Forward\frwu.dll

"vidc.glzw"= C:\PROGRA~1\ACEMEG~1\SystemS\Gabest\GLZW.dll

"vidc.gpeg"= C:\PROGRA~1\ACEMEG~1\SystemS\Gabest\GPEG.dll

"vidc.i263"= C:\PROGRA~1\ACEMEG~1\SystemS\Intel\i263_32.drv

"vidc.iv30"= C:\PROGRA~1\ACEMEG~1\SystemS\Intel\ir32_32.dll

"vidc.iv33"= C:\PROGRA~1\ACEMEG~1\SystemS\Intel\ir32_32.dll

"vidc.iv34"= C:\PROGRA~1\ACEMEG~1\SystemS\Intel\ir32_32.dll

"vidc.iv35"= C:\PROGRA~1\ACEMEG~1\SystemS\Intel\ir32_32.dll

"vidc.iv36"= C:\PROGRA~1\ACEMEG~1\SystemS\Intel\ir32_32.dll

"vidc.iv37"= C:\PROGRA~1\ACEMEG~1\SystemS\Intel\ir32_32.dll

"vidc.iv38"= C:\PROGRA~1\ACEMEG~1\SystemS\Intel\ir32_32.dll

"vidc.iv39"= C:\PROGRA~1\ACEMEG~1\SystemS\Intel\ir32_32.dll

"vidc.iv40"= C:\PROGRA~1\ACEMEG~1\SystemS\Intel\ir41_32.dll

"vidc.iv42"= C:\PROGRA~1\ACEMEG~1\SystemS\Intel\ir41_32.dll

"vidc.iv43"= C:\PROGRA~1\ACEMEG~1\SystemS\Intel\ir41_32.dll

"vidc.iv44"= C:\PROGRA~1\ACEMEG~1\SystemS\Intel\ir41_32.dll

"vidc.iv45"= C:\PROGRA~1\ACEMEG~1\SystemS\Intel\ir41_32.dll

"vidc.iv46"= C:\PROGRA~1\ACEMEG~1\SystemS\Intel\ir41_32.dll

"vidc.iv47"= C:\PROGRA~1\ACEMEG~1\SystemS\Intel\ir41_32.dll

"vidc.iv48"= C:\PROGRA~1\ACEMEG~1\SystemS\Intel\ir41_32.dll

"vidc.iv49"= C:\PROGRA~1\ACEMEG~1\SystemS\Intel\ir41_32.dll

"vidc.ir21"= C:\PROGRA~1\ACEMEG~1\SystemS\Intel\IR21_R.DLL

"vidc.rt21"= C:\PROGRA~1\ACEMEG~1\SystemS\Intel\IR21_R.DLL

"msacm.imc"= C:\PROGRA~1\ACEMEG~1\SystemS\Intel\IMC32.ACM

"vidc.lead"= C:\PROGRA~1\ACEMEG~1\SystemS\LEAD\LCODCCMP.DLL

"vidc.dvsd"= C:\PROGRA~1\ACEMEG~1\SystemS\MAINCO~1\MCDVD_32.DLL

"vidc.dvc"= C:\PROGRA~1\ACEMEG~1\SystemS\MAINCO~1\MCDVD_32.DLL

"vidc.dvcs"= C:\PROGRA~1\ACEMEG~1\SystemS\MAINCO~1\MCDVD_32.DLL

"vidc.dcmj"= C:\PROGRA~1\ACEMEG~1\SystemS\MAINCO~1\MCMJPG32.DLL

"vidc.avi1"= C:\PROGRA~1\ACEMEG~1\SystemS\MAINCO~1\MCMJPG32.DLL

"vidc.avi2"= C:\PROGRA~1\ACEMEG~1\SystemS\MAINCO~1\MCMJPG32.DLL

"vidc.cram"= C:\PROGRA~1\ACEMEG~1\SystemS\MICROS~1\msvidc32.dll

"vidc.mpg4"= C:\PROGRA~1\ACEMEG~1\SystemS\MICROS~1\mpg4c32.dll

"vidc.mp41"= C:\PROGRA~1\ACEMEG~1\SystemS\MICROS~1\mpg4c32.dll

"vidc.mp42"= C:\PROGRA~1\ACEMEG~1\SystemS\MICROS~1\mpg4c32.dll

"vidc.mp43"= C:\PROGRA~1\ACEMEG~1\SystemS\MICROS~1\mpg4c32.dll

"vidc.mp4s"= C:\PROGRA~1\ACEMEG~1\SystemS\MICROS~1\mpg4c32.dll

"vidc.mp4v"= C:\PROGRA~1\ACEMEG~1\SystemS\MICROS~1\mpg4c32.dll

"vidc.wmv3"= C:\PROGRA~1\ACEMEG~1\SystemS\MICROS~1\WMV9VCM.dll

"vidc.vixl"= C:\PROGRA~1\ACEMEG~1\SystemS\Miro\miroxl32.dll

"vidc.nt00"= C:\PROGRA~1\ACEMEG~1\SystemS\Newtek\ntcodec.dll

"msacm.vorbis"= C:\PROGRA~1\ACEMEG~1\SystemS\OGG\vorbis.acm

"vidc.vp30"= C:\PROGRA~1\ACEMEG~1\SystemS\ON2TEC~1\vp31vfw.dll

"vidc.vp31"= C:\PROGRA~1\ACEMEG~1\SystemS\ON2TEC~1\vp31vfw.dll

"vidc.vp60"= C:\PROGRA~1\ACEMEG~1\SystemS\ON2TEC~1\vp6vfw.dll

"vidc.vp61"= C:\PROGRA~1\ACEMEG~1\SystemS\ON2TEC~1\vp6vfw.dll

"vidc.pdvc"= C:\PROGRA~1\ACEMEG~1\SystemS\PANASO~1\idvcodec.dll

"vidc.ipdv"= C:\PROGRA~1\ACEMEG~1\SystemS\PANASO~1\idvcodec.dll

"vidc.pvw2"= C:\PROGRA~1\ACEMEG~1\SystemS\Pegasus\pvwv220.dll

"vidc.pimj"= C:\PROGRA~1\ACEMEG~1\SystemS\Pegasus\pvljpg20.dll

"vidc.mjpx"= C:\PROGRA~1\ACEMEG~1\SystemS\Pegasus\pvmjpg21.dll

"vidc.miro"= C:\PROGRA~1\ACEMEG~1\SystemS\Pinnacle\MIRODV~1.DLL

"vidc.dcap"= C:\PROGRA~1\ACEMEG~1\SystemS\Pinnacle\MIRODV~1.DLL

"vidc.mjpa"= C:\PROGRA~1\ACEMEG~1\SystemS\Pinnacle\RTMJPG~1.DLL

"vidc.gpjm"= C:\PROGRA~1\ACEMEG~1\SystemS\Pinnacle\RTMJPG~1.DLL

"vidc.pim1"= C:\PROGRA~1\ACEMEG~1\SystemS\Pinnacle\pclepim1.dll

"msacm.qmpeg"= C:\PROGRA~1\ACEMEG~1\SystemS\QDesign\qmpeg.acm

"vidc.rmp4"= C:\PROGRA~1\ACEMEG~1\SystemS\REALMA~1\rmp4.dll

"vidc.rud0"= C:\PROGRA~1\ACEMEG~1\SystemS\Rududu\rududu.dll

"msacm.at3"= C:\PROGRA~1\ACEMEG~1\SystemS\SONY\atrac3.acm

"vidc.sony"= C:\PROGRA~1\ACEMEG~1\SystemS\SONY\sonydv.dll

"vidc.dvcp"= C:\PROGRA~1\ACEMEG~1\SystemS\SONY\sonydv.dll

"vidc.s422"= C:\PROGRA~1\ACEMEG~1\SystemS\Tekram\tekyuv.dll

"vidc.t420"= C:\PROGRA~1\ACEMEG~1\SystemS\Toshiba\tsbyuv.dll

"vidc.y411"= C:\PROGRA~1\ACEMEG~1\SystemS\Toshiba\tsbyuv.dll

"vidc.vssv"= C:\PROGRA~1\ACEMEG~1\SystemS\VANGUA~1\vsscodec.dll

"msacm.voxacm160"= C:\PROGRA~1\ACEMEG~1\SystemS\VoxWare\vct3216.acm

"vidc.xvid"= C:\PROGRA~1\ACEMEG~1\SystemS\XviD\xvidvfw.dll

"aux1"= ctwdm32.dll

"msacm.avis"= ff_acm.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]

path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk

backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]

--a------ 2005-05-03 12:43 69632 C:\WINDOWS\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]

--a------ 2007-07-02 12:27 219520 C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVP]

C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BySoft FreeRAM]

--a------ 2004-12-17 22:44 318976 C:\Program Files\BySoft FreeRAM\FreeRAM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]

--a------ 2008-02-14 01:09 486856 C:\Program Files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IncrediMail]

--a------ 2007-12-04 19:01 214456 C:\Program Files\IncrediMail\bin\IncMail.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]

C:\WINDOWS\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

--------- 2004-08-04 01:55 1667584 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]

--a------ 2001-07-09 12:50 155648 C:\WINDOWS\system32\\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

--a------ 2007-12-05 02:41 8523776 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]

--a------ 2007-12-05 02:41 81920 C:\WINDOWS\system32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

--a------ 2007-12-05 02:41 1626112 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RamCleaner]

--a------ 2007-10-13 18:26 71680 C:\Program Files\RamCleaner\ramcore.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]

-ra------ 2006-11-14 11:21 16270848 C:\WINDOWS\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]

-ra------ 2006-05-16 12:04 2879488 C:\WINDOWS\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave]

--a------ 2006-08-25 15:45 803184 C:\Program Files\Save\Save.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]

C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=

"C:\\PROGRA~1\\WapSter\\AQQ\\AQQ.exe"=

"C:\\Program Files\\IncrediMail\\bin\\ImApp.exe"=

"C:\\gry\\Codemasters\\DiRT Demo\\DiRTDemo.exe"=

"C:\\Program Files\\WapSter\\AQQ\\AQQ.exe"=

"C:\\Program Files\\Gadu-Gadu\\gg.exe"=

"C:\\Program Files\\uTorrent\\uTorrent.exe"=

"C:\\gry\\THQ\\Dawn of War\\W40k.exe"=

"C:\\Program Files\\Soulseek-Test\\slsk.exe"=

"C:\\gry\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=

"C:\\gry\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=

"C:\\WINDOWS\\system32\\PnkBstrA.exe"=

"C:\\WINDOWS\\system32\\PnkBstrB.exe"=

"C:\\gry\\Empire Interactive\\FlatOut2\\FlatOut2.exe"=

"C:\\Documents and Settings\\All Users\\Dane aplikacji\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 7.0.1.325\\Polish\\setup.exe"=

R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);C:\WINDOWS\system32\drivers\sfsync03.sys [2005-12-06 17:11]

R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2008-02-07 19:15]

R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]

S3 gdrv;gdrv;C:\WINDOWS\gdrv.sys [2007-12-24 14:21]

.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-05-15 21:04:49

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

.

**************************************************************************

.

Completion time: 2008-05-15 21:07:47 - machine was rebooted

ComboFix-quarantined-files.txt 2008-05-15 19:07:42

Pre-Run: 15,076,630,528 bajtów wolnych

Post-Run: 17,691,295,744 bajt˘w wolnych

310

Kolobos · 15 Maja 2008

Jeszcze: C:\Program Files\Save oraz wpisy dotyczace Video-Addon, to pewnie tez: C:\Program Files\sfmp3search2.6.1

Manhunt · 16 Maja 2008

Świeży log

» Naciśnij aby pokazać/ukryć tekst oznaczony jako spoiler « - "LOG"

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 16:16:25, on 2008-05-16

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe

C:\PROGRA~1\WapSter\AQQ\AQQ.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Ventrilo\Ventrilo.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Windows Media Player\wmplayer.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\PROGRA~1\INCRED~1\bin\IncMail.exe

C:\PROGRA~1\INCRED~1\bin\IMApp.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemon-search.com/startpage

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - URLSearchHook: (no name) - {ecdee021-0d17-467f-a1ff-c7a115230949} - (no file)

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"

O4 - HKCU\..\Run: [AQQ] C:\PROGRA~1\WapSter\AQQ\AQQ.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll

O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--

End of file - 2948 bytes

Manhunt · 16 Maja 2008

ComboFix

» Naciśnij aby pokazać/ukryć tekst oznaczony jako spoiler « - "LOG"

ComboFix 08-05-12.1 - kobra 2008-05-16 16:47:35.4 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.1677 [GMT 2:00]

Running from: C:\Documents and Settings\kobra\Pulpit\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Documents and Settings\kobra\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows Media\10.0\WMSDKNSD.XML

E:\copy.exe

E:\host.exe

.

((((((((((((((((((((((((( Files Created from 2008-04-16 to 2008-05-16 )))))))))))))))))))))))))))))))

.

2008-05-15 20:17 . 2008-05-15 20:17 <DIR> d-------- C:\Program Files\Kaspersky Lab

2008-05-15 20:17 . 2008-05-16 16:44 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab

2008-05-15 20:17 . 2008-05-16 16:36 4,437,024 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat

2008-05-15 20:17 . 2008-05-15 20:27 96,645 --a------ C:\WINDOWS\system32\drivers\klin.dat

2008-05-15 20:17 . 2008-05-15 20:27 87,941 --a------ C:\WINDOWS\system32\drivers\klick.dat

2008-05-15 20:17 . 2008-05-16 16:36 40,220 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx

2008-05-15 20:17 . 2008-05-16 16:36 12,576 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat

2008-05-15 20:17 . 2008-05-16 16:36 1,724 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx