Prośba O Sprawdzenie Logów

[cripple]

Otóż od pewnego czasu mam problemy z Internetem i są raczej spowodowane jakimś robakiem bądź czymś podobnym, po formacie wszystko było super, 2 skany systemu wszystkim co mam do antispywarea i antywirusem, niby czysto, a teraz znów każda strona odpala się 10 razy dłużej i często wyskakuje błąd, że negocjacja połączenia jest zbyt długa. Ogólnie nie wiem gdzie szukać tego czegoś skoro moje programy nic nie znajdują, więc wrzucam to co wszyscy i proszę o jakieś rady.

 

» Naciśnij aby pokazać/ukryć tekst oznaczony jako spoiler « - "Log Hijack this"

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 17:02:46, on 2008-07-21

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\DAEMON Tools\daemon.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\PROGRA~1\AVG\AVG8\avgfws8.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\oodag.exe

C:\WINDOWS\system32\svchost.exe

C:\PROGRA~1\AVG\AVG8\avgam.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\Program Files\Microsoft ActiveSync\Wcescomm.exe

C:\PROGRA~1\Microsoft ActiveSync\rapimgr.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\MagicDisc\MagicDisc.exe

C:\Program Files\Gadu-Gadu\gg.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\TXP\Pulpit\HiJackThis.exe

 

O2 - BHO: IE7pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IE7pro\IE7pro.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [Vistadrv] C:\Program Files\VistaDrives\vsdrv.exe

O4 - HKLM\..\Run: [Licence] Licence.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'USŁUGA SIECIOWA')

O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')

O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe

O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~1\Microsoft Office\Office12\EXCEL.EXE/3000

O9 - Extra button: IE7pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7pro\IE7pro.dll

O9 - Extra 'Tools' menuitem: IE7pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7pro\IE7pro.dll

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\Microsoft ActiveSync\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\Microsoft ActiveSync\INetRepl.dll

O9 - Extra 'Tools' menuitem: Utwórz Ulubione dla urządzenia przenośnego... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\Microsoft ActiveSync\INetRepl.dll

O9 - Extra button: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Poker\Titan Poker\casino.exe

O9 - Extra 'Tools' menuitem: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Poker\Titan Poker\casino.exe

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\Microsoft Office\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} -

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\Skype4COM.dll

O20 - AppInit_DLLs: avgrsstx.dll

O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe

 

--

End of file - 5392 bytes

 

» Naciśnij aby pokazać/ukryć tekst oznaczony jako spoiler « - "Log Silent Runner"

"Silent Runners.vbs", revision 58, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"

 

 

Startup items buried in registry:

---------------------------------

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"DAEMON Tools" = ""C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033" ["DT Soft Ltd."]

"Skype" = ""C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]

"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu S.A."]

"H/PC Connection Agent" = ""C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"" [MS]

"SpybotSD TeaTimer" = "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"RTHDCPL" = "RTHDCPL.EXE" ["Realtek Semiconductor Corp."]

"SkyTel" = "SkyTel.EXE" ["Realtek Semiconductor Corp."]

"Alcmtr" = "ALCMTR.EXE" ["Realtek Semiconductor Corp."]

"Vistadrv" = "C:\Program Files\VistaDrives\vsdrv.exe" [null data]

"Licence" = "Licence.exe" [null data]

"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]

"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]

"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]

"AVG8_TRAY" = "C:\PROGRA~1\AVG\AVG8\avgtray.exe" ["AVG Technologies CZ, s.r.o."]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{00011268-E188-40DF-A514-835FCD78B1BF}\(Default) = "IE7pro"

-> {HKLM...CLSID} = "IE7pro BHO"

\InProcServer32\(Default) = "C:\Program Files\IE7pro\IE7pro.dll" ["IE7pro.com"]

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)

-> {HKLM...CLSID} = "AcroIEHlprObj Class"

\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\(Default) = "WormRadar.com IESiteBlocker.NavFilter"

-> {HKLM...CLSID} = "AVG Safe Search"

\InProcServer32\(Default) = "C:\Program Files\AVG\AVG8\avgssie.dll" ["AVG Technologies CZ, s.r.o."]

{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)

-> {HKLM...CLSID} = "Spybot-S&D IE Protection"

\InProcServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)

-> {HKLM...CLSID} = "SSVHelper Class"

\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0\bin\ssv.dll" ["Sun Microsystems, Inc."]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

-> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

\InProcServer32\(Default) = "deskpan.dll" [file not found]

"{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band"

-> {HKLM...CLSID} = "History Band"

\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]

"{19F500E0-9964-11cf-B63D-08002B317C03}" = "Desktop Icon Layout"

-> {HKLM...CLSID} = "Desktop Icon Layout"

\InProcServer32\(Default) = "Layout.dll" ["Microsoft"]

"{48EAD1E1-ECF2-4a85-AA09-1C44FBEED451}" = "OODefrag"

-> {HKLM...CLSID} = "OODShellExtObj Class"

\InProcServer32\(Default) = "C:\WINDOWS\system32\oodsh.dll" ["O&O Software GmbH"]

"{ABC70703-32AF-11d4-90C4-D483A70F4825}" = "CMenuExtender"

-> {HKLM...CLSID} = "CMenuExtender"

\InProcServer32\(Default) = "C:\Program Files\iColorFolder\CMExt.dll" ["Revenger inc."]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"

-> {HKLM...CLSID} = "DesktopContext Class"

\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]

"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"

-> {HKLM...CLSID} = "NVIDIA CPL Extension"

\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]

"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"

-> {HKLM...CLSID} = "Desktop Explorer"

\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"

-> {HKLM...CLSID} = "nView Desktop Context Menu"

\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG8 Shell Extension"

-> {HKLM...CLSID} = "AVG8 Shell Extension Class"

\InProcServer32\(Default) = "C:\Program Files\AVG\AVG8\avgse.dll" ["AVG Technologies CZ, s.r.o."]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\msohevi.dll" [MS]

"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"

-> {HKLM...CLSID} = "Microsoft Office Metadata Handler"

\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]

"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"

-> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"

\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]

"{49BF5420-FA7F-11cf-8011-00A0C90A8F78}" = "Mobile Device"

-> {HKLM...CLSID} = "Urządzenie przenośne"

\InProcServer32\(Default) = "C:\PROGRA~1\Microsoft ActiveSync\Wcesview.dll" [MS]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\

"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

-> {HKLM...CLSID} = "WPDShServiceObj Class"

\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

 

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\

<> "BootExecute" = "autocheck autochk *"|"OODBS" ["O&O Software GmbH"]| [file not found]| [file not found]

 

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\

<> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}"

-> {HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter"

\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL" [MS]

 

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\

AVG8 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"

-> {HKLM...CLSID} = "AVG8 Shell Extension Class"

\InProcServer32\(Default) = "C:\Program Files\AVG\AVG8\avgse.dll" ["AVG Technologies CZ, s.r.o."]

OODefrag\(Default) = "{48EAD1E1-ECF2-4a85-AA09-1C44FBEED451}"

-> {HKLM...CLSID} = "OODShellExtObj Class"

\InProcServer32\(Default) = "C:\WINDOWS\system32\oodsh.dll" ["O&O Software GmbH"]

UltraEdit-32\(Default) = "{b5eedee0-c06e-11cf-8c56-444553540000}"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "ue32ctmn.dll" [empty string]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

 

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\

CMenuExtender\(Default) = "{ABC70703-32AF-11d4-90C4-D483A70F4825}"

-> {HKLM...CLSID} = "CMenuExtender"

\InProcServer32\(Default) = "C:\Program Files\iColorFolder\CMExt.dll" ["Revenger inc."]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

 

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\

AVG8 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"

-> {HKLM...CLSID} = "AVG8 Shell Extension Class"

\InProcServer32\(Default) = "C:\Program Files\AVG\AVG8\avgse.dll" ["AVG Technologies CZ, s.r.o."]

IconLayout\(Default) = "{19F500E0-9964-11cf-B63D-08002B317C03}"

-> {HKLM...CLSID} = "Desktop Icon Layout"

\InProcServer32\(Default) = "Layout.dll" ["Microsoft"]

OODefrag\(Default) = "{48EAD1E1-ECF2-4a85-AA09-1C44FBEED451}"

-> {HKLM...CLSID} = "OODShellExtObj Class"

\InProcServer32\(Default) = "C:\WINDOWS\system32\oodsh.dll" ["O&O Software GmbH"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

 

 

Group Policies {GPedit.msc branch and setting}:

-----------------------------------------------

 

Note: detected settings may not have any effect.

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

 

"NoSMHelp" = (REG_DWORD) dword:0x00000001

{User Configuration|Administrative Templates|Start Menu and Taskbar|

Remove Help menu from Start Menu}

 

"NoSMBalloonTip" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

"NoUserNameInStartMenu" = (REG_DWORD) dword:0x00000001

{unrecognized setting}

 

"NoSMConfigurePrograms" = (REG_DWORD) dword:0x00000001

{unrecognized setting}

 

"NoExpandedNewMenu" = (REG_DWORD) dword:0x00000001

{unrecognized setting}

 

"NoResolveTrack" = (REG_DWORD) dword:0x00000001

{unrecognized setting}

 

"NoResolveSearch" = (REG_DWORD) dword:0x00000001

{unrecognized setting}

 

"NoLowDiskSpaceChecks" = (REG_DWORD) dword:0x00000001

{unrecognized setting}

 

"NoSharedDocuments" = (REG_DWORD) dword:0x00000001

{User Configuration|Administrative Templates|Windows Components|Windows Explorer|

Remove Shared Documents from My Computer}

 

"NoThumbnailCache" = (REG_DWORD) dword:0x00000001

{unrecognized setting}

 

"NoTaskGrouping" = (REG_DWORD) dword:0x00000001

{unrecognized setting}

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

 

"NoDesktopCleanupWizard" = (REG_DWORD) dword:0x00000001

{unrecognized setting}

 

"NoSMHelp" = (REG_DWORD) dword:0x00000001

{unrecognized setting}

 

"NoRemoteRecursiveEvents" = (REG_DWORD) dword:0x00000001

{unrecognized setting}

 

"NoWelcomeScreen" = (REG_DWORD) dword:0x00000001

{unrecognized setting}

 

"ForceClassicControlPanel" = (REG_DWORD) dword:0x00000001

{unrecognized setting}

 

"NoSharedDocuments" = (REG_DWORD) dword:0x00000001

{unrecognized setting}

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

 

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}

 

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Devices: Allow undock without having to log on}

 

"NoInternetOpenWith" = (REG_DWORD) dword:0x00000001

{unrecognized setting}

 

"DisableStatusMessages" = (REG_DWORD) dword:0x00000001

{unrecognized setting}

 

"SynchronousMachineGroupPolicy" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

"SynchronousUserGroupPolicy" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

 

Active Desktop and Wallpaper:

-----------------------------

 

Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

 

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

 

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Documents and Settings\TXP\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

 

 

Windows Portable Device AutoPlay Handlers

-----------------------------------------

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

 

MSWPDShellNamespaceHandler\

"Provider" = "@%SystemRoot%\System32\WPDShextRes.dll,-501"

"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"

"InitCmdLine" = " "

-> {HKLM...CLSID} = "WPDShextAutoplay"

\LocalServer32\(Default) = "C:\WINDOWS\system32\WPDShextAutoplay.exe" [MS]

 

VLCPlayCDAudioOnArrival\

"Provider" = "VideoLAN VLC media player"

"InvokeProgID" = "VLC.CDAudio"

"InvokeVerb" = "play"

HKLM\SOFTWARE\Classes\VLC.CDAudio\shell\play\command\(Default) = "C:\Program Files\VideoLAN\VLC\vlc.exe --started-from-file cdda:%1" ["VideoLAN Team"]

 

VLCPlayDVDMovieOnArrival\

"Provider" = "VideoLAN VLC media player"

"InvokeProgID" = "VLC.DVDMovie"

"InvokeVerb" = "play"

HKLM\SOFTWARE\Classes\VLC.DVDMovie\shell\play\command\(Default) = "C:\Program Files\VideoLAN\VLC\vlc.exe --started-from-file dvd:%1" ["VideoLAN Team"]

 

 

Startup items in "TXP" & "All Users" startup folders:

-----------------------------------------------------

 

C:\Documents and Settings\TXP\Menu Start\Programy\Autostart

"MagicDisc" -> shortcut to: "C:\Program Files\MagicDisc\MagicDisc.exe" ["MagicISO, Inc."]

 

 

Winsock2 Service Provider DLLs:

-------------------------------

 

Namespace Service Providers

 

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

 

Transport Service Providers

 

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

 

 

Toolbars, Explorer Bars, Extensions:

------------------------------------

 

Explorer Bars

 

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

 

HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Poszukaj"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "C:\PROGRA~1\Microsoft Office\Office12\REFIEBAR.DLL" [MS]

 

Extensions (Tools menu items, main toolbar menu buttons)

 

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\

{0026439F-A980-4F18-8C95-4F1CBBF9C1D8}\

"ButtonText" = "IE7pro Preferences"

"MenuText" = "IE7pro Preferences"

"CLSIDExtension" = "{B119EB0C-C021-46CF-85B0-34A760E0D5FE}"

-> {HKLM...CLSID} = "IE7pro ToolsExt"

\InProcServer32\(Default) = "C:\Program Files\IE7pro\IE7pro.dll" ["IE7pro.com"]

 

{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}\

"ButtonText" = "Create Mobile Favorite"

"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"

-> {HKLM...CLSID} = "Create Mobile Favorite"

\InProcServer32\(Default) = "C:\PROGRA~1\Microsoft ActiveSync\INetRepl.dll" [MS]

 

{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}\

"MenuText" = "Utwórz Ulubione dla urządzenia przenośnego..."

"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"

-> {HKLM...CLSID} = "Create Mobile Favorite"

\InProcServer32\(Default) = "C:\PROGRA~1\Microsoft ActiveSync\INetRepl.dll" [MS]

 

{49783ED4-258D-4F9F-BE11-137C18D3E543}\

"ButtonText" = "Titan Poker"

"MenuText" = "Titan Poker"

"Exec" = "C:\Poker\Titan Poker\casino.exe" [null data]

 

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\

"ButtonText" = "Research"

 

{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}\

"MenuText" = "Spybot - Search && Destroy Configuration"

"CLSIDExtension" = "{53707962-6F74-2D53-2644-206D7942484F}"

-> {HKLM...CLSID} = "Spybot-S&D IE Protection"

\InProcServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]

 

 

Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------

 

AVG8 Firewall, avgfws8, "C:\PROGRA~1\AVG\AVG8\avgfws8.exe" ["AVG Technologies CZ, s.r.o."]

AVG8 WatchDog, avg8wd, "C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe" ["AVG Technologies CZ, s.r.o."]

NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]

O&O Defrag, O&O Defrag, "C:\WINDOWS\system32\oodag.exe" ["O&O Software GmbH"]

 

 

---------- (launch time: 2008-07-21 17:04:54)

<>: Suspicious data at a malware launch point.

 

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

took 25 seconds.

---------- (total run time: 42 seconds)

» Naciśnij aby pokazać/ukryć tekst oznaczony jako spoiler « - "Log z SDFix tryb awaryjny"

SDFix: Version 1.208

Run by Administrator on 2008-07-26 at 10:07

 

Microsoft Windows XP [Wersja 5.1.2600]

Running From: C:\DOCUME~1\Administrator\Pulpit\SDFix

 

Checking Services :

 

 

Infected ip6fw.sys Found!

 

ip6fw.sys File Locations:

 

"C:\WINDOWS\system32\drivers\ip6fw.sys" 29056 2004-08-04 00:00

 

Infected File Listed Below:

 

Nie moľna wykona† C:\DOCUME~1\ADMINISTRATOR\PULPIT\SDFIX\APPS\LOCATE.COM

 

File copied to Backups Folder

Attempting to replace ip6fw.sys with original version

 

Unable To Replace Infected File!

Deleting Patched File!

 

 

Infected taskmgr.exe Found!

 

taskmgr.exe File Locations:

 

"C:\WINDOWS\system32\taskmgr.exe" 3623736 2006-11-09 16:30

 

Infected File Listed Below:

 

Nie moľna wykona† C:\DOCUME~1\ADMINISTRATOR\PULPIT\SDFIX\APPS\LOCATE.COM

 

File copied to Backups Folder

Attempting to replace taskmgr.exe with original version

 

Unable To Replace Infected File!

 

"C:\WINDOWS\system32\taskmgr.exe" 3623736 2006-11-09 16:30

 

 

Restoring Default Security Values

Restoring Default Hosts File

Restoring Missing Security Center Service

 

Rebooting

 

 

Checking Files :

 

Trojan Files Found:

 

C:\WINDOWS\system32\drivers\ip6fw.sys - Deleted

Nie moľna wykona† C:\DOCUME~1\ADMINISTRATOR\PULPIT\SDFIX\APPS\LOCATE.COM - Deleted

Nie moľna wykona† C:\DOCUME~1\ADMINISTRATOR\PULPIT\SDFIX\APPS\LOCATE.COM - Deleted

Nie moľna wykona† C:\DOCUME~1\ADMINISTRATOR\PULPIT\SDFIX\APPS\LOCATE.COM - Deleted

Nie moľna wykona† C:\DOCUME~1\ADMINISTRATOR\PULPIT\SDFIX\APPS\LOCATE.COM - Deleted

Nie moľna wykona† C:\DOCUME~1\ADMINISTRATOR\PULPIT\SDFIX\APPS\LOCATE.COM - Deleted

Nie moľna wykona† C:\DOCUME~1\ADMINISTRATOR\PULPIT\SDFIX\APPS\LOCATE.COM - Deleted

Nie moľna wykona† C:\DOCUME~1\ADMINISTRATOR\PULPIT\SDFIX\APPS\LOCATE.COM - Deleted

Nie moľna wykona† C:\DOCUME~1\ADMINISTRATOR\PULPIT\SDFIX\APPS\LOCATE.COM - Deleted

Nie moľna wykona† C:\DOCUME~1\ADMINISTRATOR\PULPIT\SDFIX\APPS\LOCATE.COM - Deleted

Nie moľna wykona† C:\DOCUME~1\ADMINISTRATOR\PULPIT\SDFIX\APPS\LOCATE.COM - Deleted

Nie moľna wykona† C:\DOCUME~1\ADMINISTRATOR\PULPIT\SDFIX\APPS\LOCATE.COM - Deleted

Nie moľna wykona† C:\DOCUME~1\ADMINISTRATOR\PULPIT\SDFIX\APPS\LOCATE.COM - Deleted

Nie moľna wykona† C:\DOCUME~1\ADMINISTRATOR\PULPIT\SDFIX\APPS\LOCATE.COM - Deleted

Nie moľna wykona† C:\DOCUME~1\ADMINISTRATOR\PULPIT\SDFIX\APPS\LOCATE.COM - Deleted

Nie moľna wykona† C:\DOCUME~1\ADMINISTRATOR\PULPIT\SDFIX\APPS\LOCATE.COM - Deleted

Nie moľna wykona† C:\DOCUME~1\ADMINISTRATOR\PULPIT\SDFIX\APPS\LOCATE.COM - Deleted

Nie moľna wykona† C:\DOCUME~1\ADMINISTRATOR\PULPIT\SDFIX\APPS\LOCATE.COM - Deleted

Nie moľna wykona† C:\DOCUME~1\ADMINISTRATOR\PULPIT\SDFIX\APPS\LOCATE.COM - Deleted

 

 

 

 

 

Removing Temp Files

 

ADS Check :

 

 

 

Final Check :

 

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-07-26 10:09:34

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden services & system hive ...

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]

"s1"=dword:2b1c3573

"s2"=dword:15c1ffe8

"h0"=dword:00000001

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]

"p0"="C:\Program Files\DAEMON Tools\"

"h0"=dword:00000000

"khjeh"=hex:5b,4a,64,c0,49,10,18,30,be,2c,51,d0,8b,8c,75,78,79,71,9e,7d,a2,..

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]

"a0"=hex:20,01,00,00,43,ae,9a,10,c8,d2,d0,b3,bf,e8,7b,44,35,e5,d8,45,e5,..

"khjeh"=hex:24,40,67,71,94,c3,8f,58,8e,40,2d,d3,7d,0b,a5,0e,75,e5,09,33,98,..

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]

"khjeh"=hex:f0,7e,1f,4a,4d,ba,d5,ea,1c,89,6a,66,16,0b,f9,c8,2f,51,1c,c8,b6,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]

"p0"="C:\Program Files\DAEMON Tools\"

"h0"=dword:00000000

"khjeh"=hex:5b,4a,64,c0,49,10,18,30,be,2c,51,d0,8b,8c,75,78,79,71,9e,7d,a2,..

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]

"a0"=hex:20,01,00,00,43,ae,9a,10,c8,d2,d0,b3,bf,e8,7b,44,35,e5,d8,45,e5,..

"khjeh"=hex:24,40,67,71,94,c3,8f,58,8e,40,2d,d3,7d,0b,a5,0e,75,e5,09,33,98,..

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]

"khjeh"=hex:f0,7e,1f,4a,4d,ba,d5,ea,1c,89,6a,66,16,0b,f9,c8,2f,51,1c,c8,b6,..

 

scanning hidden registry entries ...

 

source file error: C:\Documents and Settings\TXP\ntuser.dat

scanning hidden files ...

 

scan completed successfully

hidden processes: 0

hidden services: 0

hidden files: 0

 

 

Remaining Services :

 

 

 

 

Authorized Application Key Export:

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"

"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"

"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"

"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"

"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"

 

Remaining Files :

 

 

File Backups: - C:\DOCUME~1\Administrator\Pulpit\SDFix\backups\backups.zip

 

Files with Hidden Attributes :

 

Nie moľna wykona† C:\DOCUME~1\ADMINISTRATOR\PULPIT\SDFIX\APPS\LOCATE.COM

 

Finished!

 

» Naciśnij aby pokazać/ukryć tekst oznaczony jako spoiler « - "ComboFix log"

ComboFix 08-07-25.4 - TXP 2008-07-26 10:18:10.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.1606 [GMT 2:00]

Running from: C:\Documents and Settings\TXP\Pulpit\ComboFix.exe

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((( Files Created from 2008-06-26 to 2008-07-26 )))))))))))))))))))))))))))))))

.

 

2008-07-26 10:09 . 2008-07-26 10:18 d--h----- C:\Documents and Settings\LocalService\Ustawienia lokalne

2008-07-26 10:09 . 2008-07-26 10:09 d-------- C:\Documents and Settings\LocalService\Dane aplikacji

2008-07-26 10:09 . 2008-07-26 10:09 d--hs---- C:\Documents and Settings\LocalService

2008-07-26 10:06 . 2008-07-26 10:06 d-------- C:\WINDOWS\ERUNT

2008-07-26 10:03 . 2008-07-26 10:18 d--h----- C:\Documents and Settings\Administrator\Ustawienia lokalne

2008-07-26 10:03 . 2008-07-15 15:41 d-------- C:\Documents and Settings\Administrator\Ulubione

2008-07-26 10:03 . 2008-07-15 15:41 d--h----- C:\Documents and Settings\Administrator\Szablony

2008-07-26 10:03 . 2008-07-26 10:04 d-------- C:\Documents and Settings\Administrator\Pulpit

2008-07-26 10:03 . 2008-07-15 15:41 d-------- C:\Documents and Settings\Administrator\Moje dokumenty

2008-07-26 10:03 . 2007-01-18 14:01 d-------- C:\Documents and Settings\Administrator\Menu Start

2008-07-26 10:03 . 2008-07-26 10:05 d-------- C:\Documents and Settings\Administrator\Dane aplikacji

2008-07-26 10:03 . 2008-07-15 13:51 d-------- C:\Documents and Settings\Administrator\AI4B3.tmp

2008-07-26 10:03 . 2008-07-26 10:03 d-------- C:\Documents and Settings\Administrator

2008-07-25 23:19 . 2008-07-25 23:19 d-------- C:\Program Files\PokerEV

2008-07-25 20:44 . 2008-07-25 20:44 d-------- C:\Documents and Settings\TXP\DoctorWeb

2008-07-25 19:36 . 2008-07-26 02:00 47,136 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat

2008-07-25 19:36 . 2008-07-26 02:00 1,628 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx

2008-07-23 14:43 . 2008-07-23 14:43 d-------- C:\Program Files\14 Degrees East

2008-07-23 14:42 . 1998-10-29 16:45 306,688 --a------ C:\WINDOWS\IsUninst.exe

2008-07-22 08:34 . 2008-07-22 08:34 d-------- C:\Program Files\Common Files\DirectX

2008-07-22 07:59 . 2008-07-22 07:59 d-------- C:\Program Files\Codemasters

2008-07-22 07:57 . 2008-07-22 07:57 d-------- C:\Documents and Settings\TXP\Dane aplikacji\InstallShield

2008-07-21 20:38 . 2008-07-21 20:38 d-------- C:\Program Files\Ubisoft

2008-07-21 17:23 . 2008-07-21 17:24 d-------- C:\Program Files\Trojan Remover

2008-07-21 17:23 . 2008-07-21 17:23 d-------- C:\Documents and Settings\TXP\Dane aplikacji\Simply Super Software

2008-07-21 17:23 . 2008-07-21 17:23 d-------- C:\Documents and Settings\All Users\Dane aplikacji\Simply Super Software

2008-07-21 17:23 . 2006-05-25 15:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll

2008-07-21 17:23 . 2003-02-02 20:06 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll

2008-07-21 17:23 . 2005-08-26 01:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll

2008-07-21 17:23 . 2006-06-19 13:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll

2008-07-21 17:21 . 2008-07-25 13:15 250 --a------ C:\WINDOWS\gmer.ini

2008-07-20 21:20 . 2008-07-20 21:22 d-------- C:\Program Files\Safer Networking

2008-07-20 19:50 . 2008-07-20 19:50 d-------- C:\Program Files\Spybot - Search & Destroy

2008-07-20 19:50 . 2008-07-20 19:50 d-------- C:\Documents and Settings\All Users\Dane aplikacji\Spybot - Search & Destroy

2008-07-20 19:23 . 2008-07-20 19:42 988 --a------ C:\WINDOWS\system32\tmp.reg

2008-07-20 00:21 . 2008-07-21 20:27 d-------- C:\Downloads

2008-07-18 22:49 . 2008-07-18 22:49 d-------- C:\Program Files\PokerStrategy

2008-07-18 16:42 . 2008-07-18 16:49 d-------- C:\Program Files\Manta GPS-410 Unlock v1.04

2008-07-18 16:31 . 2008-07-18 17:33 d-------- C:\Program Files\CeRegEditor

2008-07-18 13:00 . 2008-07-25 20:03 d--h----- C:\$AVG8.VAULT$

2008-07-18 12:57 . 2008-07-18 12:57 d-------- C:\Program Files\Microsoft.NET

2008-07-18 12:57 . 2008-07-18 12:57 d-------- C:\Program Files\Microsoft Works

2008-07-18 12:55 . 2008-07-18 12:55 d-------- C:\WINDOWS\SHELLNEW

2008-07-18 12:54 . 2008-07-18 12:54 dr-h----- C:\MSOCache

2008-07-17 17:46 . 2008-07-17 19:01 d-------- C:\Program Files\Common Files\Adobe

2008-07-17 17:45 . 2008-07-17 17:45 d-------- C:\WINDOWS\system32\DllCache

2008-07-17 17:45 . 2008-07-17 17:45 d-------- C:\WINDOWS\Cache

2008-07-17 17:45 . 2006-10-04 16:06 1,197,294 --------- C:\WINDOWS\system32\DllCache\sysmain.sdb

2008-07-17 17:45 . 2006-10-04 16:06 764,868 --------- C:\WINDOWS\system32\DllCache\apph_sp.sdb

2008-07-17 17:45 . 2006-10-04 16:06 217,118 --------- C:\WINDOWS\system32\DllCache\apphelp.sdb

2008-07-17 17:44 . 2008-07-17 17:44 d-------- C:\Program Files\Windows Media Connect 2

2008-07-17 17:43 . 2008-07-17 17:43 d-------- C:\WINDOWS\system32\LogFiles

2008-07-17 17:43 . 2008-07-17 17:44 d-------- C:\WINDOWS\system32\drivers\UMDF

2008-07-17 17:40 . 2008-07-17 17:40 d-------- C:\Documents and Settings\All Users\Dane aplikacji\Symantec

2008-07-17 00:04 . 2008-07-17 00:04 d-------- C:\Documents and Settings\TXP\Dane aplikacji\vlc

2008-07-16 23:45 . 2008-07-16 23:48 d-------- C:\Program Files\Poker Grapher

2008-07-16 22:55 . 2008-07-16 22:55 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll

2008-07-16 22:30 . 2008-07-16 22:30 d-------- C:\Program Files\Hamachi

2008-07-16 22:30 . 2008-07-23 15:39 d-------- C:\Documents and Settings\TXP\Dane aplikacji\Hamachi

2008-07-16 22:30 . 2008-07-16 22:44 25,280 --a------ C:\WINDOWS\system32\drivers\hamachi.sys

2008-07-16 21:57 . 2008-07-22 07:59 d--h----- C:\Program Files\InstallShield Installation Information

2008-07-16 20:08 . 2008-07-25 22:09 d-------- C:\WINDOWS\system32\drivers\Avg

2008-07-16 20:08 . 2008-07-26 10:01 97,928 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys

2008-07-16 20:08 . 2008-07-16 20:22 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys

2008-07-16 20:08 . 2008-07-16 20:22 45,568 --a------ C:\WINDOWS\system32\avgfwdx.dll

2008-07-16 20:08 . 2008-07-16 20:22 23,296 --a------ C:\WINDOWS\system32\drivers\avgfwdx.sys

2008-07-16 20:08 . 2008-07-16 20:22 12,936 --a------ C:\WINDOWS\system32\drivers\avgrkx86.sys

2008-07-16 20:08 . 2008-07-16 20:22 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll

2008-07-16 19:14 . 2008-07-16 19:14 d-------- C:\Program Files\PokerAce Hud

2008-07-16 19:03 . 2008-07-25 23:22 d-------- C:\Program Files\Poker Tracker V2

2008-07-16 19:03 . 2008-07-25 23:21 d-a------ C:\Documents and Settings\All Users\Dane aplikacji\TEMP

2008-07-16 19:03 . 2003-06-26 14:52 464,128 --a------ C:\WINDOWS\system32\csimxctl.ocx

2008-07-16 19:03 . 2003-06-17 14:54 87,280 --a------ C:\WINDOWS\system32\wsatrace.dll

2008-07-15 23:14 . 2008-07-15 23:14 d-------- C:\Documents and Settings\TXP\Dane aplikacji\Gadu-Gadu

2008-07-15 14:52 . 2008-07-15 14:53 d-------- C:\Program Files\MagicDisc

2008-07-15 14:52 . 2008-05-27 12:11 96,896 --a------ C:\WINDOWS\system32\drivers\mcdbus.sys

2008-07-15 14:40 . 2008-07-15 14:40 d-------- C:\Program Files\Gadu-Gadu

2008-07-15 14:40 . 2008-07-15 14:49 d-------- C:\Documents and Settings\TXP\Gadu-Gadu

2008-07-15 14:36 . 2008-07-15 14:36 0 --a------ C:\WINDOWS\nsreg.dat

2008-07-15 14:30 . 2008-07-15 14:30 d-------- C:\Program Files\MSECache

2008-07-15 14:24 . 2008-07-15 14:24 d-------- C:\Program Files\AVG

2008-07-15 14:24 . 2008-07-16 20:08 d-------- C:\Documents and Settings\All Users\Dane aplikacji\avg8

2008-07-15 14:20 . 2008-07-15 14:20 d---s---- C:\Documents and Settings\TXP\Ulubione

2008-07-15 14:20 . 2008-07-26 10:11 d-------- C:\Documents and Settings\TXP\Dane aplikacji\Skype

2008-07-15 14:20 . 2007-01-03 17:29 1,179 --a------ C:\Documents and Settings\TXP\Licence.reg

2008-07-15 14:19 . 2008-07-26 10:08 9,603 --a------ C:\WINDOWS\system32\OODBS.lor

2008-07-15 14:13 . 2008-07-15 14:13 d-------- C:\WINDOWS\system32\backups

2008-07-15 14:13 . 2006-11-08 10:51 62,336 --------- C:\WINDOWS\system32\drivers\rspndr.sys

2008-07-15 14:13 . 2008-07-15 14:13 25,992 --a------ C:\WINDOWS\system32\pgdfgsvc.exe

2008-07-15 14:13 . 2006-11-08 10:51 10,752 --------- C:\WINDOWS\system32\rspndr.exe

2008-07-15 14:12 . 2006-10-26 19:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll

2008-07-15 14:10 . 2008-07-18 12:58 d-------- C:\Documents and Settings\All Users\Dane aplikacji\Microsoft Help

2008-07-15 14:06 . 2008-07-15 14:06 d-------- C:\WINDOWS\Driver Cache

2008-07-15 14:06 . 2008-07-17 00:01 d-------- C:\Program Files\NAPI-PROJEKT

2008-07-15 14:06 . 2008-07-18 13:33 d-------- C:\Program Files\Microsoft ActiveSync

2008-07-15 14:06 . 2008-07-15 14:06 d-------- C:\Program Files\Java

2008-07-15 14:06 . 2008-07-15 14:06 d-------- C:\Program Files\Common Files\Java

2008-07-15 14:06 . 2008-07-15 14:06 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl

2008-07-15 14:06 . 2005-10-21 03:47 30,592 --------- C:\WINDOWS\system32\drivers\rndismpx.sys

2008-07-15 14:06 . 2005-10-21 03:47 12,800 --------- C:\WINDOWS\system32\drivers\usb8023x.sys

2008-07-15 14:05 . 2008-07-15 14:05 d-------- C:\Program Files\VideoLAN

2008-07-15 14:05 . 2008-07-17 17:57 d-------- C:\Program Files\uTorrent

2008-07-15 14:05 . 2008-07-15 14:05 d-------- C:\Program Files\SubEdit-Player

2008-07-15 14:05 . 2008-07-15 14:05 d-------- C:\Program Files\Skype

2008-07-15 14:05 . 2008-07-15 14:05 d-------- C:\Program Files\Nero

2008-07-15 14:05 . 2008-07-17 20:56 d-------- C:\Program Files\Google

2008-07-15 14:05 . 2008-07-15 14:05 d-------- C:\Program Files\foobar2000

2008-07-15 14:05 . 2008-07-15 14:14 d-------- C:\Program Files\DAEMON Tools

2008-07-15 14:05 . 2008-07-15 14:05 d-------- C:\Program Files\Common Files\Skype

2008-07-15 14:05 . 2008-07-15 14:05 d-------- C:\Program Files\Common Files\Ahead

2008-07-15 14:05 . 2008-07-23 15:39 d-------- C:\Documents and Settings\TXP\Dane aplikacji\uTorrent

2008-07-15 14:05 . 2008-07-24 00:17 d-------- C:\Documents and Settings\TXP\Dane aplikacji\foobar2000

2008-07-15 14:05 . 2008-07-15 14:05 d-------- C:\Documents and Settings\All Users\Dane aplikacji\Skype

2008-07-15 14:05 . 2008-07-15 14:05 d-------- C:\Documents and Settings\All Users\Dane aplikacji\Nero

2008-07-15 14:05 . 2004-07-26 16:16 1,568,768 --a------ C:\WINDOWS\system32\imagX7.dll

2008-07-15 14:05 . 2003-03-19 06:20 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll

2008-07-15 14:05 . 2003-03-18 20:12 1,047,552 --a------ C:\WINDOWS\system32\mfc71u.dll

2008-07-15 14:05 . 2003-03-18 22:14 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll

2008-07-15 14:05 . 2004-07-26 16:16 476,320 --a------ C:\WINDOWS\system32\imagXpr7.dll

2008-07-15 14:05 . 2004-07-26 16:16 471,040 --a------ C:\WINDOWS\system32\imagXRA7.dll

2008-07-15 14:05 . 2004-07-09 08:43 364,544 --a------ C:\WINDOWS\system32\TwnLib4.dll

2008-07-15 14:05 . 2003-02-21 04:42 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll

2008-07-15 14:05 . 2004-07-26 16:16 262,144 --a------ C:\WINDOWS\system32\imagXR7.dll

2008-07-15 14:03 . 2008-07-15 14:18 d-------- C:\WINDOWS\system32\oodag

2008-07-15 14:00 . 2008-07-15 14:00 646,392 --a------ C:\WINDOWS\system32\drivers\sptd.sys

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-07-25 18:03 --------- d-----w C:\Program Files\VistaDrives

2008-07-21 18:37 --------- d-----w C:\Program Files\Common Files\InstallShield

2008-07-15 13:20 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\nView_Profiles

2008-07-15 12:22 --------- d-----w C:\Documents and Settings\TXP\Dane aplikacji\IE7pro

2008-07-15 11:54 --------- d-----w C:\Program Files\Paint.NET

2008-07-15 11:53 --------- d-----w C:\Program Files\Real Alternative

2008-07-15 11:53 --------- d-----w C:\Program Files\iColorFolder

2008-07-15 11:53 --------- d-----w C:\Program Files\Combined Community Codec Pack

2008-07-15 11:52 --------- d-----w C:\Documents and Settings\TXP\Dane aplikacji\IDMComp

2008-07-15 11:51 --------- d-----w C:\Program Files\IE7pro

2008-07-15 11:49 --------- d-----w C:\Program Files\UPHClean

2008-07-15 11:49 --------- d-----w C:\Program Files\HighMAT CD Writing Wizard

2008-05-16 09:48 446,464 ----a-w C:\WINDOWS\system32\NVUNINST.EXE

.

 

------- Sigcheck -------

 

2007-02-17 12:03 578560 6a93565be9b8422eb7538c66ac732d76 C:\WINDOWS\system32\user32.dll

 

2007-02-17 12:03 667648 b9cd00815effa790279a1d2f0d07323f C:\WINDOWS\ie7\wininet.dll

2007-01-12 10:27 822784 be43d00d802c92f01c8cc952c6f483f8 C:\WINDOWS\system32\wininet.dll

 

2007-02-17 12:33 360576 bd8686216e34e22c4ed45a2320b2bea1 C:\WINDOWS\system32\drivers\tcpip.sys

 

2007-02-17 12:02 2018816 54df9001110934c98ecff5691b332f5f C:\WINDOWS\system32\ntkrnlpa.exe

 

2007-02-17 12:02 2139136 22b96841df0b4186fce1498d8f695bdf C:\WINDOWS\system32\ntoskrnl.exe

 

2007-01-15 16:12 1549312 e5241037518f63e806dcf75f78dc84a8 C:\WINDOWS\explorer.exe

 

2007-02-17 12:03 57856 ad3d9d191aea7b5445fe1d82ffbb4788 C:\WINDOWS\system32\spoolsv.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-11-12 12:48 157592]

"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-02-09 16:00 25388584]

"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2008-03-20 12:04 2127296]

"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 15:57 1289000]

"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 09:42 2156368]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Vistadrv"="C:\Program Files\VistaDrives\vsdrv.exe" [2006-07-30 03:37 121089]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-16 14:01 13529088]

"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-16 14:01 86016]

"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-26 10:01 1235736]

"TrojanScanner"="C:\Program Files\Trojan Remover\Trjscan.exe" [2008-06-03 20:33 878672]

"RTHDCPL"="RTHDCPL.EXE" [2006-12-19 12:12 16062464 C:\WINDOWS\RTHDCPL.EXE]

"SkyTel"="SkyTel.EXE" [2006-05-16 19:04 2879488 C:\WINDOWS\SkyTel.exe]

"Licence"="Licence.exe" [2007-01-08 20:49 101651 C:\WINDOWS\system32\Licence.exe]

"nwiz"="nwiz.exe" [2008-05-16 14:01 1630208 C:\WINDOWS\system32\nwiz.exe]

 

C:\Documents and Settings\TXP\Menu Start\Programy\Autostart\

MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2008-07-15 14:52:53 547840]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"DisableStatusMessages"= 1 (0x1)

"SynchronousMachineGroupPolicy"= 0 (0x0)

"SynchronousUserGroupPolicy"= 0 (0x0)

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoDesktopCleanupWizard"= 1 (0x1)

"NoSMHelp"= 1 (0x1)

"NoWelcomeScreen"= 1 (0x1)

"ForceClassicControlPanel"= 1 (0x1)

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoSMHelp"= 1 (0x1)

"NoSMBalloonTip"= 0 (0x0)

"NoUserNameInStartMenu"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

"NoExpandedNewMenu"= 1 (0x1)

"NoResolveTrack"= 1 (0x1)

"NoResolveSearch"= 1 (0x1)

"NoThumbnailCache"= 1 (0x1)

"NoTaskGrouping"= 1 (0x1)

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSMHelp"= 1 (0x1)

"NoSMBalloonTip"= 0 (0x0)

"StartMenuLogoff"= 0 (0x0)

"NoUserNameInStartMenu"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

"NoExpandedNewMenu"= 1 (0x1)

"NoResolveTrack"= 1 (0x1)

"NoResolveSearch"= 1 (0x1)

"NoThumbnailCache"= 1 (0x1)

"NoTaskGrouping"= 1 (0x1)

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=avgrsstx.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

"VIDC.WMV3"= C:\PROGRA~1\COMBIN~1\Filters\wmv9vcm.dll

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager

"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3478:UDP"= 3478:UDP:stun

"3479:UDP"= 3479:UDP:stun 2

"6112:UDP"= 6112:UDP:stun 3

"5730:UDP"= 5730:UDP:game

"5739:UDP"= 5739:UDP:game 1

"9001:TCP"= 9001:TCP:game 2

"11881:TCP"= 11881:TCP:game 3

"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

 

R0 AvgRkx86;avgrkx86.sys;C:\WINDOWS\system32\Drivers\avgrkx86.sys [2008-07-16 20:22]

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-26 10:01]

R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-26 10:01]

R2 avgfws8;AVG8 Firewall;C:\PROGRA~1\AVG\AVG8\avgfws8.exe [2008-07-26 10:01]

R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-16 20:22]

R3 Avgfwdx;Avgfwdx;C:\WINDOWS\system32\DRIVERS\avgfwdx.sys [2008-07-16 20:22]

S3 Avgfwfd;AVG network filter service;C:\WINDOWS\system32\DRIVERS\avgfwdx.sys [2008-07-16 20:22]

S3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 00:08]

 

*Newly Created Service* - PROCEXP90

*Newly Created Service* - SPEEDFAN

*Newly Created Service* - WUAUSERV

.

.

------- Supplementary Scan -------

.

R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/keyword/%s

O8 -: E&ksportuj do programu Microsoft Excel - C:\PROGRA~1\Microsoft Office\Office12\EXCEL.EXE/3000

 

 

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-07-26 10:18:51

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2008-07-26 10:19:21

ComboFix-quarantined-files.txt 2008-07-26 08:19:19

 

Pre-Run: 7,061,118,976 bajtów wolnych

Post-Run: 7,277,047,808 bajtów wolnych

 

266

Edytowane 26 Lipca 2008 przez cripple

[Kolobos]

Wszystko wyglada ok, moze masz jakies problemy z laczem.

[cripple]

Problem w tym, że nie, na 2 komputerze wszystko jest ok. Na tym wcześniej wszystko zaczęło spowalniać ( mówię o transmisji ) aż w końcu nic prawie nie działało i komputer zaczął się sam co pare minut restartować. Skończyły mi się opcje więc zrobiłem format a przed nim dokładnie posprawdzałem i pousuwałem wszystko co było. I zaraz po nim było fajnie, lecz minęło kilka dni i znów Internet nie działa tak jak powinienen, głównie chodzi o protokół http, gdyż samo ściąganie i inne rzeczy jak na razie dobrze działają. Poza tym wcześniej ten robak chyba podczepiał się pod Gadu Gadu i często wyskakiwał mi jakiś błąd ActiveX, teraz po formacie także z 2 razy wyskoczył mi jakiś błąd ActiveX( co ciekawe też pod FF, którego używam, a on podobno ActiveX nie obsługuje). Od tamtego czasu błędów nie ma żadnych, ale połączenie nie działa do końca jak należy. Może jakaś porada gdzie szukać jakichś pomocy, lekarstw na wiry,wormy itd z ActiveX ?

[cripple]

Właśnie znów mi net odłączyło ;/ Najpierw podczas rozmów na gg wyskakują jakieś błędy skryptów ActiveX a potem się cuda dzieją, jak można w durnym gg ustawić, żeby nie włączał reklam i nie używał durnego IE ?

[Kolobos]

Nie mozna, jak Ci to przeszkadza to zmien klienta GG na innego. Jest ich pelno: tlen, stefan, miranda, ekg itd.

[cripple]

Ok problem jednak chyba nie jest z ActiveX tylko dziś po włączeniu komputera od razu AVG wykrył zagrożenie dla procesu Firefox.exe, a jest nim plik v.freefl.info/day.js, a zagrożenie to wg. AVG Program wykorzystujący lukę zabezpieczeń MDAC injection (type 268). Co z tym zrobić ? Wcześniej sprawdzałem antirootkitem, antiwirusem, antispyware i paroma innymi, wszystko to mam ciągle działające w systamie, a te zagrożenia i tak wchodzą 8O

 

Edit: Regularnie teraz blokuje mi dostęp do Internetu, ciągle na stronach wyskakuje mi takie coś:

Przerwane połączenie

Połączenie z serwerem zostało zresetowane podczas wczytywania strony.

Połączenie sieciowe zostało przerwane podczas negocjacji. Spróbuj ponownie.

 

Będę wdzięczny jak ktoś wie jak się tego pozbyć, bo teraz to nawet nie bardzo mam jak poszukać rozwiązania, edytuję tego posta od 20 min, licząc, że w końcu przejdzie. Nie mam dostatecznej wiedzy by samemu usunąć tego wirusa, skoro antywirus i inne oprogramowanie go nie widzi.

Edytowane 25 Lipca 2008 przez cripple

[Kolobos]

Uzyj konsoli odzyskiwania i podmien zainfekowany plik taskmgr.exe oraz ip6fw.sys na czysty wypakowany z plyty instalacyjnej XP (plik ip6fw.sys musi pochodzic z CD XP z SP2, jezeli Twoja plyta instalacyjna nie ma zintegrowanego SP2 to napisz dam Ci swoj plik). Nastepnie daj nowy log z sdfix (przed uzyciem wylacz antywirusy itp).

Edytowane 26 Lipca 2008 przez Kolobos

[cripple]

Nie mogę na swojej płycie instalacyjnej z SP2 znaleźć pliku taskmgr.exe, po przeszukiwaniu pokazuje mi, że takowego tam nie ma. Z drugim jest to samo. Co do konsoli odzyskiwania chodzi o tego DOSa, który można uruchomić z płyty instalacyjnej windows xp ?

[Kolobos]

Tak, chodzi o jak to nazwales "dosa", ktorgo mozna uruchomic z plyty instalacyjnej XP, a co do samych plikow to X:\i386\taskmgr.ex_ oraz X:\i386\ip6fw.sy_. Jezeli nie potrafisz korzystac z konsoli to wystarczy uzyc google, jest pelno opisow jak jej uzywac i jak wypakowac pliki: http://www.google.pl/search?hl=pl&q=konsola+odzyskiwania

Ewentualnie mozesz wypakowac pliki pod windows i zgrac gdzie trzeba, taksmgr usuniesz bez problemu, a drugi plik usunal juz sdfix.

[cripple]

Tak, chodzi o jak to nazwales "dosa", ktorgo mozna uruchomic z plyty instalacyjnej XP, a co do samych plikow to X:\i386\taskmgr.ex_ oraz X:\i386\ip6fw.sy_. Jezeli nie potrafisz korzystac z konsoli to wystarczy uzyc google, jest pelno opisow jak jej uzywac i jak wypakowac pliki: http://www.google.pl/search?hl=pl&q=konsola+odzyskiwania

Ewentualnie mozesz wypakowac pliki pod windows i zgrac gdzie trzeba, taksmgr usuniesz bez problemu, a drugi plik usunal juz sdfix.

Ok znalazłem pliki, nie wiedziałem, że mają ostatni znak zmieniony na _. Ok to zaraz je po podmieniam. Zobaczymy czy pomoże. Mimo wszystko dzięki za pomoc. I zakładam, że wgrywam je do Windows/system32, bo niestety nie mam ani 1 ani 2 w swoim systemie, wiec antywiruisy pewnie juz usunely oba.

 

Ok przegrałem je z płyty do system32 bez problemu jednak zmiana nazwy nie była możliwa ciągle access denied, mimo że zmieniałem niby te parametry set. Ale po włączeniu windowsa o dziwo bez problemu usunąłem stary taskmgr.exe i w 2 nowych plikach zmieniłem nazwy na odpowiednie bez tego _ na końcu. U mnie do menadżer zadań jest inni niż ten domyślny wbudowany w system, więc nie miałem blokady dostępu, używam trochę zmodyfikowanego windowsa na własne potrzeby. Zobaczymy czy w końcu będzie dobrze, teraz zrobię ten ponowny skan i zaraz wrzucę tutaj. Jednak tak na marginesie czy te programy sprawdzają obszar startowy dysku twardego oraz inne partycje ? bo mnie najbardziej zaskoczyło, że po formacie C:\ po kilku dniach znów miałem problemy :/, a jak widać te oprogramowanie anty- jest słabe skoro nic nie wykrywa.

 

» Naciśnij aby pokazać/ukryć tekst oznaczony jako spoiler « - "Dzisiejszy log z SDFix"

SDFix: Version 1.208

Run by TXP on 2008-07-27 at 12:24

 

Microsoft Windows XP [Wersja 5.1.2600]

Running From: C:\DOCUME~1\TXP\Pulpit\sdfix\SDFix

 

Checking Services :

 

 

Restoring Default Security Values

Restoring Default Hosts File

 

Rebooting

 

 

Checking Files :

 

No Trojan Files Found

 

 

 

 

 

 

Removing Temp Files

 

ADS Check :

 

 

 

Final Check :

 

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-07-27 12:27:15

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden services & system hive ...

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]

"s1"=dword:2b1c3573

"s2"=dword:15c1ffe8

"h0"=dword:00000001

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]

"p0"="C:\Program Files\DAEMON Tools\"

"h0"=dword:00000000

"khjeh"=hex:5b,4a,64,c0,49,10,18,30,be,2c,51,d0,8b,8c,75,78,79,71,9e,7d,a2,..

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]

"a0"=hex:20,01,00,00,43,ae,9a,10,c8,d2,d0,b3,bf,e8,7b,44,35,e5,d8,45,e5,..

"khjeh"=hex:24,40,67,71,94,c3,8f,58,8e,40,2d,d3,7d,0b,a5,0e,75,e5,09,33,98,..

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]

"khjeh"=hex:f0,7e,1f,4a,4d,ba,d5,ea,1c,89,6a,66,16,0b,f9,c8,2f,51,1c,c8,b6,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]

"p0"="C:\Program Files\DAEMON Tools\"

"h0"=dword:00000000

"khjeh"=hex:5b,4a,64,c0,49,10,18,30,be,2c,51,d0,8b,8c,75,78,79,71,9e,7d,a2,..

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]

"a0"=hex:20,01,00,00,43,ae,9a,10,c8,d2,d0,b3,bf,e8,7b,44,35,e5,d8,45,e5,..

"khjeh"=hex:24,40,67,71,94,c3,8f,58,8e,40,2d,d3,7d,0b,a5,0e,75,e5,09,33,98,..

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]

"khjeh"=hex:f0,7e,1f,4a,4d,ba,d5,ea,1c,89,6a,66,16,0b,f9,c8,2f,51,1c,c8,b6,..

 

scanning hidden registry entries ...

 

source file error: C:\Documents and Settings\TXP\ntuser.dat

scanning hidden files ...

 

scan completed successfully

hidden processes: 0

hidden services: 0

hidden files: 0

 

 

Remaining Services :

 

 

 

 

Authorized Application Key Export:

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"

"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"

"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"

"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"

"C:\\Program Files\\Gadu-Gadu\\gg.exe"="C:\\Program Files\\Gadu-Gadu\\gg.exe:*:Enabled:Gadu-Gadu - program g˘wny"

"D:\\Gry\\pes\\PES2008.exe"="D:\\Gry\\pes\\PES2008.exe:*:Enabled:Pro Evolution Soccer 2008"

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"

"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"

"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"

 

Remaining Files :

 

 

 

Files with Hidden Attributes :

 

Tue 15 Jul 2008 126,976 A..H. --- "C:\Documents and Settings\NetworkService\NTUSER.bak"

Tue 15 Jul 2008 786,432 A..H. --- "C:\Documents and Settings\TXP\NTUSER.bak"

Thu 17 Jul 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"

Tue 15 Jul 2008 262,144 A..H. --- "C:\Documents and Settings\NetworkService\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows\UsrClass.bak"

Tue 15 Jul 2008 262,144 A..H. --- "C:\Documents and Settings\TXP\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows\UsrClass.bak"

 

Finished!

 

Edytowane 27 Lipca 2008 przez cripple

[Kolobos]

Oczywiscie wypakowales te pliki przy pomocy extract.exe?

 

Lokalizacje masz podane w logach, ktore sam dales:

C:\WINDOWS\system32\drivers\ip6fw.sys

C:\WINDOWS\system32\taskmgr.exe

 

Log wyglada ok.

[cripple]

Oczywiście nie bo o tym nie wiedziałem, a więc gdzie jest ten extract.exe i jak go użyć. Jeśli jest to, to samo co expand, to nie będzie problemu z użyciem, przy okazji pytam ponownie jak to jest z tym, że po formacie to wróciło ?

Edytowane 27 Lipca 2008 przez cripple

[Kolobos]

Przeciez juz raz Ci napisalem!

Jezeli nie potrafisz korzystac z konsoli to wystarczy uzyc google, jest pelno opisow jak jej uzywac i jak wypakowac pliki: http://www.google.pl/search?hl=pl&q=konsola+odzyskiwania

To juz Twoj problem, ze Ci sie nie chcialo.

 

Zainfekowales sobie ponownie system to wrocilo. Brak aktualizacji, wchodzenie na podejrzane strony, klikanie w linki z gg i poczty, uzywanie IE, sciaganie programow z sieci p2p i infekcja gotowa.

[cripple]

Przeciez juz raz Ci napisalem!

 

To juz Twoj problem, ze Ci sie nie chcialo.

 

Zainfekowales sobie ponownie system to wrocilo. Brak aktualizacji, wchodzenie na podejrzane strony, klikanie w linki z gg i poczty, uzywanie IE, sciaganie programow z sieci p2p i infekcja gotowa.

Jeśli tam jest napisane to ok przepraszam wrócę i się doszkole, bo wcześniej przeczytałem tylko pierwsze kilka stron.

To ciekawe co piszesz, ale po 1 aktualizacje ściągam od razu po instalacji do wszystkiego softu i systemu, w życiu nie kliknąłem linku gg, problem był z reklamami, które włączają się same, nie używam IE, o ile FF mi nie przestanie działać, a jak na razie działa, z p2p też nie ściągam praktycznie nic. Mimo wszystko dziękuję za pomoc.