falar

Request To Check A Log And A Question.


Hello, I have two requests.

First, to check a log

Spoiler: "Hijack This"
Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 21:51:41, on 2008-09-08

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\ANTIVI~1\ashDisp.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\COMODO\Firewall\cfp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE

C:\antivirus\aswUpdSv.exe

C:\antivirus\ashServ.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\COMODO\Firewall\cmdagent.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\Program Files\CyberLink\Shared Files\RichVideo.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\MSI\DualCoreCenter\DualCoreCenter.exe

C:\antivirus\ashMaiSv.exe

C:\antivirus\ashWebSv.exe

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\Program Files\Mozilla Firefox\firefox.exe

F:\OFFICE\OFFICE11\WINWORD.EXE

C:\WINDOWS\msagent\AgentSvr.exe

F:\Winamp\winamp.exe

F:\instalatory\HiJackThis.exe

C:\WINDOWS\system32\taskmgr.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wp.pl/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll

O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - F:\Free Download Manager\iefdm2.dll

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [avast!] C:\ANTIVI~1\ashDisp.exe

O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: DualCoreCenter.lnk = C:\Program Files\MSI\DualCoreCenter\StartUpDualCoreCenter.exe

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe

O8 - Extra context menu item: Download video with Free Download Manager - file://F:\Free Download Manager\dlfvideo.htm

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://F:\OFFICE\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Pobierz w Free Download Manager - file://F:\Free Download Manager\dllink.htm

O8 - Extra context menu item: Pobierz wszystkie pliki w Free Download Manager - file://F:\Free Download Manager\dlall.htm

O8 - Extra context menu item: Pobierz zaznaczone w Free Download Manager - file://F:\Free Download Manager\dlselected.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll

O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\OFFICE\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.pl/resources/virussca...can_unicode.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1193779393968

O17 - HKLM\System\CCS\Services\Tcpip\..\{1C190836-0C23-4653-B98F-362834B21FA8}: NameServer = 10.101.1.1,62.233.128.17,194.204.159.1

O17 - HKLM\System\CS1\Services\Tcpip\..\{1C190836-0C23-4653-B98F-362834B21FA8}: NameServer = 10.101.1.1,62.233.128.17,194.204.159.1

O17 - HKLM\System\CS2\Services\Tcpip\..\{1C190836-0C23-4653-B98F-362834B21FA8}: NameServer = 10.101.1.1,62.233.128.17,194.204.159.1

O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\antivirus\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\antivirus\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\antivirus\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\antivirus\ashWebSv.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

 

--

End of file - 8183 bytes

Spoiler: "Silent Runners"
"Silent Runners.vbs", revision 58, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"

 

 

Startup items buried in registry:

---------------------------------

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"RTHDCPL" = "RTHDCPL.EXE" ["Realtek Semiconductor Corp."]

"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]

"avast!" = "C:\ANTIVI~1\ashDisp.exe" ["ALWIL Software"]

"Logitech Hardware Abstraction Layer" = "KHALMNPR.EXE" ["Logitech Inc."]

"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]

"COMODO Firewall Pro" = ""C:\Program Files\COMODO\Firewall\cfp.exe" -h" ["COMODO"]

"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Inc."]

"KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k"

 

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\

>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"

\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)

-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"

\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)

-> {HKLM...CLSID} = "SSVHelper Class"

\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]

{CC59E0F9-7E43-44FA-9FAA-8377850BF205}\(Default) = (no title provided)

-> {HKLM...CLSID} = "FDMIECookiesBHO Class"

\InProcServer32\(Default) = "F:\Free Download Manager\iefdm2.dll" [null data]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

-> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

\InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

-> {HKLM...CLSID} = "HyperTerminal Icon Ext"

\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]

"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"

-> {HKLM...CLSID} = "DesktopContext Class"

\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]

"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"

-> {HKLM...CLSID} = "Desktop Explorer"

\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"

-> {HKLM...CLSID} = "nView Desktop Context Menu"

\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{59850401-6664-101B-B21C-00AA004BA90B}" = "Microsoft Office Binder Unbind"

-> {HKLM...CLSID} = "Microsoft Office Binder Unbind"

\InProcServer32\(Default) = "F:\OFFICE\Office\1045\UNBIND.DLL" [MS]

"{FEB7DAE0-E111-11D0-BFD7-444553540000}" = "ICEOWS"

-> {HKLM...CLSID} = "Folder Iceows"

\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellExt\IceGUI.dll" ["Raphaël MOUNIER"]

"{23170F69-40C1-278A-1000-000100020000}" = "7-Zip Shell Extension"

-> {HKLM...CLSID} = "7-Zip Shell Extension"

\InProcServer32\(Default) = "F:\7-Zip\7-zip.dll" ["Igor Pavlov"]

"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"

-> {HKLM...CLSID} = "Microsoft Office Outlook"

\InProcServer32\(Default) = "F:\OFFICE\OFFICE11\MLSHEXT.DLL" [MS]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"

-> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"

\InProcServer32\(Default) = "F:\OFFICE\OFFICE11\OLKFSTUB.DLL" [MS]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "F:\OFFICE\OFFICE11\msohev.dll" [MS]

"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"

-> {HKLM...CLSID} = "avast"

\InProcServer32\(Default) = "C:\antivirus\ashShell.dll" ["ALWIL Software"]

"{F49C55B9-D417-45A1-A6E7-D6E057946280}" = "FdmUplShlExt"

-> {HKLM...CLSID} = "FdmUplShlExt Class"

\InProcServer32\(Default) = "F:\Free Download Manager\FUM\fumshext.dll" [null data]

"{DC70C4A5-2044-4c59-B806-DEFB9AE0DF7C}" = "Logitech Setpoint Extension"

-> {HKLM...CLSID} = "KbLogiExt Class"

\InProcServer32\(Default) = "C:\Program Files\Logitech\SetPoint\kbcplext.dll" ["Logitech Inc."]

"{B9B9F083-2B04-452A-8691-83694AC1037B}" = "Logitech Setpoint Extension"

-> {HKLM...CLSID} = "LogiExt Class"

\InProcServer32\(Default) = "C:\Program Files\Logitech\SetPoint\mcplext.dll" ["Logitech Inc."]

"{79BC0345-1015-11D2-A299-006008312725}" = "blue.shell"

-> {HKLM...CLSID} = "Studio.Project"

\InProcServer32\(Default) = "C:\Program Files\Pinnacle\Studio 11\programs\BlueShellExt.dll" [file not found]

"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"

-> {HKLM...CLSID} = "NVIDIA CPL Extension"

\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\

"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

-> {HKLM...CLSID} = "WPDShServiceObj Class"

\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

 

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\

<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

 

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"

-> {HKLM...CLSID} = "PDF Shell Extension"

\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

 

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\

7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"

-> {HKLM...CLSID} = "7-Zip Shell Extension"

\InProcServer32\(Default) = "F:\7-Zip\7-zip.dll" ["Igor Pavlov"]

avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"

-> {HKLM...CLSID} = "avast"

\InProcServer32\(Default) = "C:\antivirus\ashShell.dll" ["ALWIL Software"]

ICEOWS\(Default) = "{FEB7DAE0-E111-11D0-BFD7-444553540000}"

-> {HKLM...CLSID} = "Folder Iceows"

\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellExt\IceGUI.dll" ["Raphaël MOUNIER"]

 

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\

7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"

-> {HKLM...CLSID} = "7-Zip Shell Extension"

\InProcServer32\(Default) = "F:\7-Zip\7-zip.dll" ["Igor Pavlov"]

ICEOWS\(Default) = "{FEB7DAE0-E111-11D0-BFD7-444553540000}"

-> {HKLM...CLSID} = "Folder Iceows"

\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellExt\IceGUI.dll" ["Raphaël MOUNIER"]

 

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\

avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"

-> {HKLM...CLSID} = "avast"

\InProcServer32\(Default) = "C:\antivirus\ashShell.dll" ["ALWIL Software"]

And now comes my second request, or rather a question. Kaspersky detected a virus in the file C:\WINDOWS\system32\ati2sgav.exe. What is this file? Can I delete it without harming the system, or do I have to replace it with a healthy version?

Regards.


Spoiler: "Combofix."
ComboFix 08-09-05.11 - użytkownik 2008-09-09 16:39:45.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.1589 [GMT 2:00]
Running from: F:\instalatory\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\mdm.exe
C:\WINDOWS\system32\tmp65.tmp
C:\WINDOWS\system32\tmp66.tmp

.
((((((((((((((((((((((((( Files Created from 2008-08-09 to 2008-09-09 )))))))))))))))))))))))))))))))
.

2008-09-08 19:27 . 2008-09-08 19:27 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab
2008-09-08 19:26 . 2008-09-08 19:26 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-09-04 08:34 . 2004-08-04 00:44 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-09-04 08:34 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-09-04 08:34 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-09-04 08:34 . 2001-10-26 17:29 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-07 12:21 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Lavasoft
2008-09-07 12:19 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-09-05 15:23 --------- d-----w C:\Program Files\Counter-Strike 1.6
2008-08-28 06:51 --------- d-----w C:\Program Files\PRO100
2008-08-23 16:48 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-08-05 14:26 --------- d-----w C:\Program Files\Kolekcja Klasyki
2008-08-04 08:36 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-04 08:35 --------- d-----w C:\Program Files\Kyodai Mahjongg 2006
2008-08-03 14:47 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Test Drive Unlimited
2008-08-01 19:25 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Codemasters
2008-08-01 19:24 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-08-01 19:21 444,952 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2008-08-01 19:21 109,080 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2008-08-01 19:21 --------- d-----w C:\Program Files\OpenAL
2008-08-01 19:01 --------- d-----w C:\Program Files\Codemasters
2008-07-21 15:26 --------- d-----w C:\Documents and Settings\użytkownik\Dane aplikacji\Free Download Manager
2008-07-18 20:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 20:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 20:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 20:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 20:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 20:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 20:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 20:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-18 20:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-18 20:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-14 16:34 --------- d-----w C:\Program Files\EA SPORTS
2008-07-10 15:23 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\comodo
2008-07-10 15:00 87,056 ----a-w C:\WINDOWS\system32\drivers\cmdguard.sys
2008-07-10 15:00 24,208 ----a-w C:\WINDOWS\system32\drivers\cmdhlp.sys
2008-07-10 15:00 143,104 ----a-w C:\WINDOWS\system32\guard32.dll
2008-07-10 15:00 --------- d-----w C:\Program Files\COMODO
2008-07-10 15:00 --------- d-----w C:\Documents and Settings\użytkownik\Dane aplikacji\Comodo
2008-07-09 13:00 --------- d-----w C:\Program Files\Odkurzacz
2008-07-07 20:33 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-30 19:16 76,712 ----a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2008_06_30_21_11_29_small.dmp.zip
2008-06-30 19:16 66,786 ----a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2008_06_30_21_11_23_small.dmp.zip
2008-06-30 19:16 65,650 ----a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2008_06_30_21_11_30_small.dmp.zip
2008-06-30 19:16 46,903 ----a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2008_06_30_21_11_22_small.dmp.zip
2008-06-24 16:24 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:42 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:42 246,784 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-03-20 21:56 22,328 ----a-w C:\Documents and Settings\użytkownik\Dane aplikacji\PnkBstrK.sys
2006-05-03 09:06 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll
2007-02-21 10:47 31,232 --sh--r C:\WINDOWS\system32\msfDX.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-16 13529088]
"avast!"="C:\ANTIVI~1\ashDisp.exe" [2008-07-19 78008]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-16 86016]
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [2008-07-10 1655552]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 286720]
"RTHDCPL"="RTHDCPL.EXE" [2007-03-21 C:\WINDOWS\RTHDCPL.exe]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 C:\WINDOWS\KHALMNPR.Exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
DualCoreCenter.lnk - C:\Program Files\MSI\DualCoreCenter\StartUpDualCoreCenter.exe [2008-02-05 192512]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-02-01 67128]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-02-01 692224]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= C:\WINDOWS\system32\guard32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^HP Image Zone - szybkie uruchamianie.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\HP Image Zone - szybkie uruchamianie.lnk
backup=C:\WINDOWS\pss\HP Image Zone - szybkie uruchamianie.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^użytkownik^Pulpit^skróty^Autostart^Adobe Gamma.lnk]
path=C:\Documents and Settings\użytkownik\Pulpit\skróty\Autostart\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2006-12-23 18:05 143360 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-05-11 23:12 49152 F:\DRUKARKA\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
--a------ 2006-12-05 22:55 54832 C:\Program Files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 15:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA nTune]
--a------ 2007-07-03 13:32 81920 C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 06:24 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--------- 2006-11-23 15:10 56928 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-07-12 04:00 132496 C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2008-05-16 14:01 1630208 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"UPS"=3 (0x3)
"TapiSrv"=3 (0x3)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"ose"=3 (0x3)
"iPod Service"=3 (0x3)
"Harmonogram automatycznej usługi LiveUpdate"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"CLTNetCnService"=2 (0x2)
"Adobe LM Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"F:\\DC++\\DCPlusPlus.exe"=
"F:\\Gadu-Gadu\\gg.exe"=
"F:\\gry\\battlefiel2\\BF2.exe"=
"C:\\Program Files\\Counter-Strike 1.6\\hl.exe"=
"C:\\Program Files\\Codemasters\\GRID\\GRID.exe"=
"F:\\totalcmd\\TOTALCMD.EXE"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 78416]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-07-10 87056]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-07-10 24208]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]
R3 DualCoreCenter;DualCoreCenter;C:\Program Files\MSI\DualCoreCenter\NTGLM7X.sys [2007-12-18 28160]
R3 RushTopDevice2;RushTopDevice2;C:\Program Files\MSI\DualCoreCenter\RushTop.sys [2007-12-24 52736]
S3 CrystalSysInfo;CrystalSysInfo;C:\Program Files\OCCT\SysInfo.sys [ ]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;C:\Program Files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt [ ]
S3 SetupNTGLM7X;SetupNTGLM7X;E:\NTGLM7X.sys [ ]
S3 UCORESYS;UCORESYS;C:\PROGRA~1\MSI\LIVEUP~1\FlashUty\AMI\AFUWIN\UCORESYS.SYS [ ]
S3 usbscan;Sterownik skanera USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
S3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
S4 Harmonogram automatycznej usługi LiveUpdate;Harmonogram automatycznej usługi LiveUpdate;C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{caa51aa2-25aa-11dd-9076-0019dbb544af}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

*Newly Created Service* - PROCEXP90
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-iTunesHelper - F:\iTunes\iTunesHelper.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\użytkownik\Dane aplikacji\Mozilla\Firefox\Profiles\wyuf9n5d.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - dobreprogramy.pl
FF -: plugin - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
FF -: plugin - F:\adobe\Reader\browser\nppdf32.dll
FF -: plugin - F:\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF -: plugin - F:\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
.
.
------- File Associations (Beta) -------
.
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\EverestDriver]
"ImagePath"="\??\C:\Program Files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\guard32.dll

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\WINDOWS\system32\guard32.dll
.
Completion time: 2008-09-09 16:46:26
ComboFix-quarantined-files.txt 2008-09-09 14:43:44

Pre-Run: 14,103,224,320 bajtów wolnych
Post-Run: 14,983,225,344 bajtów wolnych

214 --- E O F --- 2008-08-23 16:52:41

As requested 8O
Edited by Kolobos
