Trojany Na Kompie

[Kameelll]

Kaspersky Internet Security wykrywa mi trojana na kompie i pisze że po ponownym uruchomieniu wirus zostanie skasowany, problem w tym że i Kaspersy i Malvarebytes w trakcie skanowania zaiweszają się a po resecie wirus nadal istnieje. Zamieszczam logi z HijackThis.

 

HijackThis

 

» Naciśnij aby pokazać/ukryć tekst oznaczony jako spoiler « - LOG

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 18:52:01, on 2009-08-25

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\AutoConnect\AutoConnect.exe

C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = socks=

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = plimus.com,www.plimus.com,regnow.com,www.regnow.com,

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (file missing)

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll (file missing)

O2 - BHO: PDF-XChange Viewer IE-Plugin - {C5D07EB6-BBCE-4DAE-ACBB-D13A8D28CB1F} - C:\Program Files\Tracker Software\PDF Viewer\PDFXCviewIEPlugin.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll (file missing)

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (file missing)

O4 - HKLM\..\Run: [speedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe

O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [AutoConnect] C:\Program Files\AutoConnect\AutoConnect.exe

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')

O4 - Startup: ikowin32.exe

O8 - Extra context menu item: dodaj do listy blokowanych banerów - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm

O9 - Extra button: Statystyki ochrony WWW - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.ad...Plus/1.6/gp.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{8A4395DC-5696-4E0B-8BC2-4C3257ECE987}: NameServer = 194.204.159.1 217.98.63.164

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\ mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~1\adialhk.dll,C:\PROGRA~1\KASPER~1\ KASPER~1\kloehk.dll

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: avast!UpdateAgent.exe - Unknown owner - C:\WINDOWS\System32\avast!UpdateAgent.exe

O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe

O23 - Service: Usługa Google Update (gupdate1ca0ab8ed296efa) (gupdate1ca0ab8ed296efa) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe (file missing)

O23 - Service: Google Software Updater (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

 

--

End of file - 5360 bytes

logi z RSIT

 

» Naciśnij aby pokazać/ukryć tekst oznaczony jako spoiler « - LOG

info.txt logfile of random's system information tool 1.06 2009-08-25 19:02:57

 

======Uninstall list======

 

-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf

4Story 1.5-->"E:\4Story\unins000.exe"

Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe

Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe

Adobe Reader 7.0 - Polish-->MsiExec.exe /I{AC76BA86-7AD7-1045-7B44-A70000000000}

Adobe Shockwave Player-->C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log

Advent Rising-->D:\[gluteus maximus] sraka\System\Setup.exe uninstall "Advent"

Aktualizator Google-->"C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall

Angielski w pigułce 3.0-->"D:\English Translator 3\Angielski w pigulce 3.0\unins000.exe"

Archiwizator WinRAR-->C:\Program Files\WinRAR\uninstall.exe

ArtMoney SE v7.31-->"C:\Program Files\ArtMoney\Uninstall\unins000.exe"

ATI Display Driver-->rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean

AutoConnect v0.1.2.5-->C:\Program Files\AutoConnect\uninst.exe

Cheat Engine 5.5-->"C:\Program Files\Cheat Engine\unins000.exe"

EA Download Manager-->C:\Program Files\Electronic Arts\EADM\Uninstall.exe

Earth 2160-->E:\EARTH2~1\Uninstall_Earth2160.exe /U E:\EARTH2~1\install.log

ffdshow [rev 3029] [2009-07-10]-->"C:\Program Files\ffdshow\unins000.exe"

GameSpy Arcade-->C:\PROGRA~1\GAMESP~1\UNWISE.EXE C:\PROGRA~1\GAMESP~1\INSTALL.LOG

Google Chrome-->"C:\Program Files\Google\Chrome\Application\2.0.172.39\Installer\setup.exe" --uninstall --system-level

Google Earth-->MsiExec.exe /X{CC016F21-3970-11DE-B878-005056806466}

Google Toolbar for Internet Explorer-->"C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarManager_E582EA556D8DE101.exe" /uninstall

Google Toolbar for Internet Explorer-->MsiExec.exe /I{18455581-E099-4BA8-BC6B-F34B2F06600C}

Google Update Helper-->MsiExec.exe /I{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}

Hamachi 1.0.3.0-->C:\Program Files\Hamachi\uninstall.exe

High Definition Audio Driver Package - KB888111-->"C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst. exe"

HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall

IrfanView (remove only)-->C:\Program Files\IrfanView\iv_uninstall.exe

IVONA - syntezator mowy, wersja rehabilitacyjna-->C:\Program Files\ivo\Ivona_Rehab-1.0\UsunIvonaRehab.exe

Java™ 6 Update 14-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216014FF}

Kaspersky Internet Security 2009-->MsiExec.exe /I{8CB14A64-CEF4-4C8F-B1C8-1C3B8752CB55}

Kaspersky Internet Security 2009-->MsiExec.exe /I{8CB14A64-CEF4-4C8F-B1C8-1C3B8752CB55}

Knights of Honor - patch polonizujący 1.05-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver. exe /M{F6D8E60A-D3E1-4BF0-BEDE-3DF57D99A21E}

Knights of Honor-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver. exe /M{D51E56E9-2FD4-45EA-BC5F-806AD9B87945}

Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"

Microsoft .NET Framework 2.0-->C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe

Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}

Mozilla Firefox (3.0.10)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe

Nowe Gadu-Gadu-->C:\Program Files\Nowe Gadu-Gadu\Uninstall.exe

PDF-Viewer-->"C:\Program Files\Tracker Software\PDF Viewer\unins000.exe"

PhotoFiltre-->"C:\Program Files\PhotoFiltre\Uninst.exe"

Real Alternative 1.9.0-->"C:\Program Files\Real Alternative\unins000.exe"

Realtek High Definition Audio Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\ Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x15 -removeonly

Sid Meier's Civilization 4-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\ Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CFBCE791-2D53-4FCE-B3FB-D6E01F4112E8}\setup.exe" -l0x9 -removeonly

Skype web features-->MsiExec.exe /I{F1362843-0E0E-4F74-8662-724CF101ADCE}

Skype™ 4.1-->MsiExec.exe /X{D103C4BA-F905-437A-8049-DB24763BBE36}

Sp5-->MsiExec.exe /I{560F47F7-EB23-44B1-AAFC-667F1CD8FE5C}

Sp5Intl-->MsiExec.exe /I{FD4B33E1-24AE-4535-AA7B-162B30FB57CD}

Sp5TTInt-->MsiExec.exe /I{E415C943-37E5-473F-8BAE-043C56734124}

SpCommon-->MsiExec.exe /I{6C3959C6-943E-44B3-BAAD-570B04B134E5}

SpeedTouch USB Software-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D41FAAA9-8048-4906-86B2-9AADEA1FA0B7}\Setup.exe" /l0009 -Control_Panel

SPORE™ — śmieszne i straszne części stworów-->"C:\Program Files\InstallShield Installation Information\{C07F8D75-7A8D-400E-A8F9-A3F396B49BB1}\SPORE_BP1Setup.exe" -runfromtemp -l0x0015 -removeonly

SpPhones-->MsiExec.exe /I{4DFF1415-4C29-44A8-BFD4-2BCE249C4991}

TeamSpeak 2 RC2-->"C:\Program Files\Teamspeak2_RC2\unins000.exe"

Total Commander (Remove or Repair)-->c:\totalcmd\tcuninst.exe

UEFA EURO 2008™-->MsiExec.exe /X{94894501-EC12-432B-B8E2-AA8470CC6266}

Uplink-->MsiExec.exe /X{3546E51D-9682-41E3-B7E8-8E01727F8936}

VIA Platform Device Manager-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver. exe /M{20D4A895-748C-4D88-871C-FDB1695B0169}

WapSter AQQ-->C:\Program Files\WapSter\WapSter AQQ\uninstall.exe

 

======Hosts File======

 

127.0.0.1 serial.alcohol-soft.com

127.0.0.1 www.alcohol-soft.com

127.0.0.1 images.alcohol-soft.com

127.0.0.1 trial.alcohol-soft.com

127.0.0.1 alcohol-soft.com

 

======System event log======

 

Computer Name: KOMPUTER-A47909

Event Code: 7

Message: W urządzeniu \Device\CdRom0 wystąpił zły blok.

 

Record Number: 3968

Source Name: Cdrom

Time Written: 20090811140457.000000+120

Event Type: błąd

User:

 

Computer Name: KOMPUTER-A47909

Event Code: 7

Message: W urządzeniu \Device\CdRom0 wystąpił zły blok.

 

Record Number: 3967

Source Name: Cdrom

Time Written: 20090811140457.000000+120

Event Type: błąd

User:

 

Computer Name: KOMPUTER-A47909

Event Code: 7

Message: W urządzeniu \Device\CdRom0 wystąpił zły blok.

 

Record Number: 3966

Source Name: Cdrom

Time Written: 20090811140457.000000+120

Event Type: błąd

User:

 

Computer Name: KOMPUTER-A47909

Event Code: 7

Message: W urządzeniu \Device\CdRom0 wystąpił zły blok.

 

Record Number: 3965

Source Name: Cdrom

Time Written: 20090811140457.000000+120

Event Type: błąd

User:

 

Computer Name: KOMPUTER-A47909

Event Code: 7

Message: W urządzeniu \Device\CdRom0 wystąpił zły blok.

 

Record Number: 3964

Source Name: Cdrom

Time Written: 20090811140457.000000+120

Event Type: błąd

User:

 

=====Application event log=====

 

Computer Name: KOMPUTER-A47909

Event Code: 105

Message: The service was started.

 

Record Number: 1337

Source Name: ATI Smart

Time Written: 20090819140454.000000+120

Event Type: informacje

User:

 

Computer Name: KOMPUTER-A47909

Event Code: 1517

Message: System Windows zapisał rejestr użytkownika KOMPUTER-A47909\Zygmunt, kiedy aplikacja lub usługa nadal użytkowała rejestr podczas wylogowania. Pamięć używana przez rejestr użytkownika nie została zwolniona. Rejestr zostanie zwolniony, kiedy nie będzie używany.

 

 

Najczęstszą tego przyczyną są usługi uruchamiane z konta użytkownika. Próbuj skonfigurować te usługi, aby były uruchamiane z konta LocalService lub NetworkService.

 

Record Number: 1336

Source Name: Userenv

Time Written: 20090819135929.000000+120

Event Type: ostrzeżenie

User: ZARZĄDZANIE NT\SYSTEM

 

Computer Name: KOMPUTER-A47909

Event Code: 0

Message:

Record Number: 1335

Source Name: gusvc

Time Written: 20090819125000.000000+120

Event Type: informacje

User:

 

Computer Name: KOMPUTER-A47909

Event Code: 0

Message:

Record Number: 1334

Source Name: gusvc

Time Written: 20090819124900.000000+120

Event Type: informacje

User:

 

Computer Name: KOMPUTER-A47909

Event Code: 0

Message:

Record Number: 1333

Source Name: gusvc

Time Written: 20090819102113.000000+120

Event Type: informacje

User:

 

======Environment variables======

 

"ComSpec"=%SystemRoot%\system32\cmd.exe

"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem

"windir"=%SystemRoot%

"FP_NO_HOST_CHECK"=NO

"OS"=Windows_NT

"PROCESSOR_ARCHITECTURE"=x86

"PROCESSOR_LEVEL"=15

"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 4 Stepping 7, GenuineIntel

"PROCESSOR_REVISION"=0407

"NUMBER_OF_PROCESSORS"=2

"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH

"TEMP"=%SystemRoot%\TEMP

"TMP"=%SystemRoot%\TEMP

 

-----------------EOF-----------------

» Naciśnij aby pokazać/ukryć tekst oznaczony jako spoiler « - LOG

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\AutoConnect\AutoConnect.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Documents and Settings\Zygmunt\Pulpit\OTL.exe

C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe

C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe

C:\Documents and Settings\Zygmunt\Pulpit\RSIT.exe

C:\Program Files\Trend Micro\HijackThis\Zygmunt.exe

C:\Program Files\Skype\Toolbars\Shared\SkypeNames.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = socks=

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = plimus.com,www.plimus.com,regnow.com,www.regnow.com,

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (file missing)

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll (file missing)

O2 - BHO: PDF-XChange Viewer IE-Plugin - {C5D07EB6-BBCE-4DAE-ACBB-D13A8D28CB1F} - C:\Program Files\Tracker Software\PDF Viewer\PDFXCviewIEPlugin.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll (file missing)

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (file missing)

O4 - HKLM\..\Run: [speedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe

O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [AutoConnect] C:\Program Files\AutoConnect\AutoConnect.exe

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')

O4 - Startup: ikowin32.exe

O8 - Extra context menu item: dodaj do listy blokowanych banerów - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm

O9 - Extra button: Statystyki ochrony WWW - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.ad...Plus/1.6/gp.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{8A4395DC-5696-4E0B-8BC2-4C3257ECE987}: NameServer = 194.204.159.1 217.98.63.164

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll C:\PROGRA~1\KASPER~1\KASPER~1\adialhk.dll C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: avast!UpdateAgent.exe - Unknown owner - C:\WINDOWS\System32\avast!UpdateAgent.exe

O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe

O23 - Service: Usługa Google Update (gupdate1ca0ab8ed296efa) (gupdate1ca0ab8ed296efa) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe (file missing)

O23 - Service: Google Software Updater (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

 

--

End of file - 5439 bytes

 

======Scheduled tasks folder======

 

C:\WINDOWS\tasks\Google Software Updater.job

C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job

C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job

 

======Registry dump======

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ Browser Helper Objects\{59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C}]

IEVkbdBHO Class - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll [2008-11-11 62728]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]

Google Toolbar Helper - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll []

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]

Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll []

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ Browser Helper Objects\{C5D07EB6-BBCE-4DAE-ACBB-D13A8D28CB1F}]

PDF-XChange Viewer IE-Plugin - C:\Program Files\Tracker Software\PDF Viewer\PDFXCviewIEPlugin.dll [2009-08-14 1093400]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ Browser Helper Objects\{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}]

Google Dictionary Compression sdch - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll []

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

{2318C2B1-4965-11d4-9B18-009027A5CD4F} - Google Toolbar - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll []

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]

"SpeedTouch USB Diagnostics"=C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe [2003-09-05 878080]

"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-07-10 148888]

"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2006-04-17 16143872]

"Alcmtr"=C:\WINDOWS\ALCMTR.EXE [2005-05-03 69632]

"Regedit32"=C:\WINDOWS\system32\regedit.exe []

"AVP"=C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe [2009-07-24 208616]

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]

"AutoConnect"=C:\Program Files\AutoConnect\AutoConnect.exe [2004-08-28 295424]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]

C:\Program Files\Alcohol Soft\aaAlcohol 120\axcmd.exe [2009-04-24 203928]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AQQ]

C:\PROGRA~1\WapSter\WAPSTE~1\AQQ.exe [2009-06-12 5047808]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EA Core]

C:\Program Files\Electronic Arts\EADM\Core.exe [2009-04-29 3338240]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Home Antivirus 2010]

C:\Program Files\HomeAntivirus2010\HomeAntivirus2010.exe /hide []

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nowe Gadu-Gadu]

C:\Program Files\Nowe Gadu-Gadu\gg.exe [2009-05-28 10486376]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RaidTool]

C:\Program Files\VIA\RAID\raid_tool.exe [2005-11-23 1060864]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

C:\Program Files\Skype\Phone\Skype.exe [2009-06-26 25604904]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe []

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vidalia]

C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe [2009-07-12 5113430]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]

C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~1.EXE [2004-12-14 29696]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Zygmunt^Menu Start^Programy^Autostart^ikowin32.exe]

C:\Documents and Settings\Zygmunt\Menu Start\Programy\Autostart\ikowin32.exe [2004-08-04 23040]

 

C:\Documents and Settings\Zygmunt\Menu Start\Programy\Autostart

ikowin32.exe

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLS"="C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll C:\PROGRA~1\KASPER~1\KASPER~1\adialhk.dll C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]

C:\WINDOWS\system32\Ati2evxx.dll [2008-02-26 126976]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\klogon]

C:\WINDOWS\system32\klogon.dll [2008-11-11 218376]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\isyriy]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\isyriy]

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\ System]

"dontdisplaylastusername"=0

"legalnoticecaption"=

"legalnoticetext"=

"shutdownwithoutlogon"=1

"undockwithoutlogon"=1

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]

"NoDriveTypeAutoRun"=323

"NoSMMyPictures"=1

"NoDriveAutoRun"=67108863

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\ explorer]

"NoDriveAutoRun"=

"NoDriveTypeAutoRun"=

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\ firewallpolicy\standardprofile\authorizedapplications\list]

"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled: @xpsp2res.dll,-22019"

"C:\Program Files\THQ\Gas Powered Games\GPGNet\GPG.Multiplayer.Client.exe"="C:\Program Files\THQ\Gas Powered Games\GPGNet\GPG.Multiplayer.Client.exe:*:Enabled:GPGNet - Supreme Commander"

"C:\Program Files\Nowe Gadu-Gadu\gg.exe"="C:\Program Files\Nowe Gadu-Gadu\gg.exe:*:Enabled:Nowe Gadu-Gadu"

"C:\Program Files\Midway Home Entertainment\Rise and Fall\RiseAndFall.exe"="C:\Program Files\Midway Home Entertainment\Rise and Fall\RiseAndFall.exe:*:Enabled:Rise And Fall"

"E:\Civilization IV\Civilization4.exe"="E:\Civilization IV\Civilization4.exe:*:Enabled:Sid Meier's Civilization 4"

"E:\Blood Bowl\BB.exe"="E:\Blood Bowl\BB.exe:*:Enabled:Blood Bowl"

"E:\Blood Bowl\Autorun\Exe\Autorun.exe"="E:\Blood Bowl\Autorun\Exe\Autorun.exe:*:Enabled:Blood Bowl - AutoRun"

"E:\Earth 2160\Earth2160_NO_SSE.exe"="E:\Earth 2160\Earth2160_NO_SSE.exe:*:Enabled:Earth 2160"

"E:\Earth 2160\Earth2160_SSE.exe"="E:\Earth 2160\Earth2160_SSE.exe:*:Enabled:Earth 2160"

"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"

"C:\WINDOWS\system32\services.exe"="C:\WINDOWS\system32\ services.exe:*:Enabled:services"

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\ firewallpolicy\domainprofile\authorizedapplications\list]

"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled: @xpsp2res.dll,-22019"

 

======List of files/folders created in the last 1 months======

 

2009-08-25 19:02:49 ----D---- C:\rsit

2009-08-25 18:56:48 ----D---- C:\WINDOWS\ERDNT

2009-08-25 18:56:47 ----SD---- C:\ComboFix

2009-08-25 18:56:11 ----D---- C:\Qoobox

2009-08-25 18:51:50 ----D---- C:\Program Files\Trend Micro

2009-08-25 14:14:54 ----A---- C:\WINDOWS\system32\avast!UpdateAgent.exe

2009-08-24 18:44:51 ----D---- C:\Program Files\Techland

2009-08-23 19:59:18 ----D---- C:\Documents and Settings\Zygmunt\Dane aplikacji\Vidalia

2009-08-23 19:41:03 ----D---- C:\Documents and Settings\Zygmunt\Dane aplikacji\Tor

2009-08-23 19:41:02 ----D---- C:\Program Files\Vidalia Bundle

2009-08-22 21:39:38 ----D---- C:\totalcmd

2009-08-22 21:39:38 ----D---- C:\Documents and Settings\Zygmunt\Dane aplikacji\GHISLER

2009-08-20 22:11:07 ----D---- C:\Documents and Settings\All Users\Dane aplikacji\Google

2009-08-20 22:11:02 ----D---- C:\Program Files\IrfanView

2009-08-20 14:10:36 ----D---- C:\WINDOWS\speech

2009-08-20 14:10:22 ----D---- C:\Program Files\ivo

2009-08-20 13:37:44 ----D---- C:\Program Files\Tracker Software

2009-08-15 11:52:29 ----D---- C:\Documents and Settings\Zygmunt\Dane aplikacji\Black Sea Studios

2009-08-14 23:09:41 ----D---- C:\Documents and Settings\Zygmunt\Dane aplikacji\AdobeUM

2009-08-12 22:35:15 ----D---- C:\Program Files\PhotoFiltre

2009-08-12 12:33:27 ----D---- C:\Documents and Settings\All Users\Dane aplikacji\Electronic Arts

2009-08-11 21:32:18 ----D---- C:\WINDOWS\system32\appmgmt

2009-08-11 21:26:00 ----D---- C:\Documents and Settings\Zygmunt\Dane aplikacji\Hide IP NG

2009-08-11 16:36:29 ----D---- C:\Documents and Settings\Zygmunt\Dane aplikacji\SPORE

2009-08-10 18:32:24 ----D---- C:\Documents and Settings\Zygmunt\Dane aplikacji\CityInteractive

2009-08-04 13:39:52 ----D---- C:\Documents and Settings\Zygmunt\Dane aplikacji\My Games

2009-07-26 14:33:08 ----A---- C:\WINDOWS\War3Unin.exe

 

======List of files/folders modified in the last 1 months======

 

2009-08-25 19:02:54 ----D---- C:\WINDOWS\Temp

2009-08-25 19:02:06 ----D---- C:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab

2009-08-25 18:57:32 ----D---- C:\WINDOWS

2009-08-25 18:57:27 ----D---- C:\WINDOWS\system32

2009-08-25 18:51:50 ----RD---- C:\Program Files

2009-08-25 18:48:25 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI

2009-08-25 18:44:27 ----D---- C:\Program Files\Mozilla Firefox

2009-08-25 18:44:13 ----D---- C:\Program Files\AutoConnect

2009-08-25 18:42:38 ----D---- C:\WINDOWS\system32\CatRoot2

2009-08-25 18:41:19 ----D---- C:\Program Files\Google

2009-08-25 18:38:22 ----SD---- C:\WINDOWS\Tasks

2009-08-25 18:36:28 ----SH---- C:\boot.ini

2009-08-25 18:36:28 ----A---- C:\WINDOWS\win.ini

2009-08-25 18:36:28 ----A---- C:\WINDOWS\system.ini

2009-08-25 18:36:27 ----D---- C:\WINDOWS\pss

2009-08-25 17:08:58 ----A---- C:\WINDOWS\SchedLgU.Txt

2009-08-25 14:15:04 ----D---- C:\WINDOWS\Prefetch

2009-08-25 14:15:00 ----D---- C:\WINDOWS\system32\drivers

2009-08-25 14:12:48 ----SD---- C:\WINDOWS\Downloaded Program Files

2009-08-25 14:12:48 ----HD---- C:\WINDOWS\inf

2009-08-24 21:54:20 ----D---- C:\Documents and Settings\Zygmunt\Dane aplikacji\Skype

2009-08-24 20:20:26 ----D---- C:\Documents and Settings\Zygmunt\Dane aplikacji\skypePM

2009-08-24 18:44:56 ----SHD---- C:\WINDOWS\Installer

2009-08-22 21:17:37 ----D---- C:\Documents and Settings\Zygmunt\Dane aplikacji\Nowe Gadu-Gadu

2009-08-21 12:23:24 ----D---- C:\Documents and Settings\Zygmunt\Dane aplikacji\Google

2009-08-20 14:12:55 ----SD---- C:\Documents and Settings\Zygmunt\Dane aplikacji\Microsoft

2009-08-16 15:16:59 ----D---- C:\Program Files\ArtMoney

2009-08-12 12:31:42 ----D---- C:\Program Files\Electronic Arts

2009-08-12 09:15:27 ----HD---- C:\Program Files\InstallShield Installation Information

2009-08-11 16:33:12 ----A---- C:\WINDOWS\system32\CmdLineExt.dll

2009-08-11 13:54:44 ----D---- C:\WINDOWS\system32\DirectX

2009-08-10 22:29:16 ----D---- C:\WINDOWS\Microsoft.NET

2009-08-10 19:48:21 ----D---- C:\Documents and Settings\Zygmunt\Dane aplikacji\BESTplayer

2009-08-10 18:32:16 ----RSD---- C:\WINDOWS\assembly

2009-08-10 17:16:46 ----D---- C:\WINDOWS\WinSxS

2009-08-10 17:16:14 ----D---- C:\WINDOWS\system32\mui

2009-08-10 17:16:14 ----D---- C:\Program Files\Internet Explorer

2009-08-05 20:09:23 ----D---- C:\Program Files\Alcohol Soft

2009-08-04 14:27:51 ----RSD---- C:\WINDOWS\Fonts

2009-08-04 10:57:48 ----D---- C:\WINDOWS\system32\Macromed

2009-08-04 10:57:40 ----D---- C:\Documents and Settings\Zygmunt\Dane aplikacji\Macromedia

2009-07-26 21:49:59 ----D---- C:\Documents and Settings\Zygmunt\Dane aplikacji\teamspeak2

 

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

 

R1 intelppm;Sterownik procesora Intel; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2004-08-04 40320]

R1 KLIF;Kaspersky Lab Driver; C:\WINDOWS\system32\DRIVERS\klif.sys [2009-07-24 226832]

R3 alcan5wn;SpeedTouch USB ADSL PPP Networking Driver (NDISWAN); C:\WINDOWS\system32\DRIVERS\alcan5wn.sys [2003-09-05 53600]

R3 alcaudsl;SpeedTouch ADSL Modem ATM Transport; C:\WINDOWS\system32\DRIVERS\alcaudsl.sys [2003-09-05 70624]

R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2008-02-26 2863616]

R3 FETNDIS;Sterownik NT karty VIA PCI 10/100Mb Fast Ethernet; C:\WINDOWS\system32\DRIVERS\fetnd5.sys [2001-08-17 27165]

R3 hamachi;Hamachi Network Interface; C:\WINDOWS\system32\DRIVERS\hamachi.sys [2009-07-25 25280]

R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2005-01-07 138752]

R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2006-04-17 4262912]

R3 KLFLTDEV;Kaspersky Lab KLFltDev; C:\WINDOWS\system32\DRIVERS\klfltdev.sys [2008-03-13 26640]

R3 klim5;Kaspersky Anti-Virus NDIS Filter; C:\WINDOWS\system32\DRIVERS\klim5.sys [2008-04-30 24592]

R3 mbamswissarmy;MBAMSwissArmy; \??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys []

R3 usbehci;Sterownik Miniport rozszerzonego kontrolera hosta USB 2.0 Microsoft; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-03 26624]

R3 usbhub;Koncentrator z obsługą USB2; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-03 57600]

R3 usbuhci;Sterownik Miniport uniwersalnego kontrolera hosta USB Microsoft; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-03 20480]

S2 isyriy;isyriy; C:\WINDOWS\system32\drivers\isyriy.sys [2009-08-25 243712]

S3 af4f340i;af4f340i; C:\WINDOWS\system32\drivers\af4f340i.sys []

S3 HidUsb;Sterownik Microsoft klasy HID; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]

S3 usbprint;Klasa PRINTER USB Microsoft; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 25856]

S3 usbscan;Sterownik skanera USB; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]

S3 USBSTOR;Sterownik magazynu masowego USB; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]

S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

 

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

 

R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2008-02-26 520192]

R2 AVP;Kaspersky Internet Security; C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe [2009-07-24 208616]

R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-07-10 152984]

S2 ATI Smart;ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [2008-02-25 593920]

S2 avast!UpdateAgent.exe;avast!UpdateAgent.exe; C:\WINDOWS\System32\avast!UpdateAgent.exe [2009-08-25 36864]

S2 gupdate1ca0ab8ed296efa;Usługa Google Update (gupdate1ca0ab8ed296efa); C:\Program Files\Google\Update\GoogleUpdate.exe /svc []

S2 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe []

S2 StarWindServiceAE;StarWind AE Service; C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe [2007-05-28 275968]

S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]

S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]

S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]

 

-----------------EOF-----------------

Edytowane 25 Sierpnia 2009 przez Kameelll

[ULLISSES]

W jakim niby pliku (na jakiej ścieżce) jest ten trojan. Tak na szybko to nic tam nie widzę poza ikowin32.exe

[Kameelll]

W jakim niby pliku (na jakiej ścieżce) jest ten trojan. Tak na szybko to nic tam nie widzę poza ikowin32.exe

Hmmm... teraz juz nie pokazuje się ze jest trojan bo HijackThisem usunąłem AvastUpdterAgent(nie wiem skąd to się wzięło bo nigdy nie miałem avasta), ale w kasperskym tak jak wtedy skanowanie zatrzymuje się na :

c:\windows\system32\drivers\hdaudbus.sys//PE_Patch

 

Ps. To co zrobić z tym ikowin32.exe ?

[zzizzy]

Usunąć, to malware.

 

http://www.prevx.com/filenames/X8667057905...OWIN32.EXE.html

[FiFU]

A co koledzy powiedzą o tym wpisie?

O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe

I rejestr:

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Home Antivirus 2010]C:\Program Files\HomeAntivirus2010\HomeAntivirus2010.exe /hide []

Hm?

Edytowane 25 Sierpnia 2009 przez FiFU

[Kolobos]

Usun w hijackthis:

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (file missing)

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll (file missing)

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll (file missing)

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (file missing)

O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe

O4 - Startup: ikowin32.exe

 

Uzyj CFScript.txt z combofix:

 

Driver::

isyriy

af4f340i

 

File::

C:\WINDOWS\system32\drivers\isyriy.sys

C:\Documents and Settings\Zygmunt\Menu Start\Programy\Autostart\ikowin32.exe

 

Registry::

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Home Antivirus 2010]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Zygmunt^Menu Start^Programy^Autostart^ikowin32.exe]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\isyriy]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\isyriy]

 

Po wykonaniu daj log z combofix, ktory sie utworzy.

[Kameelll]

Uzyj CFScript.txt z combofix:

 

Driver::

isyriy

af4f340i

 

File::

C:\WINDOWS\system32\drivers\isyriy.sys

C:\Documents and Settings\Zygmunt\Menu Start\Programy\Autostart\ikowin32.exe

 

Registry::

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Home Antivirus 2010]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Zygmunt^Menu Start^Programy^Autostart^ikowin32.exe]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\isyriy]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\isyriy]

 

Po wykonaniu daj log z combofix, ktory sie utworzy.

 

HijackThisem usunałem ale nie wiem co mam zrobic tym ComboFixem 8O

[Kolobos]

Utworz plik CFscript.txt, wklej do niego to co podalem, zapisz i przeciagnij go na ikone combofix.exe

Na przyszlosc naucz sie korzystac z internetu zamiast pisac, ze nie wiesz.

[Kameelll]

No i jest coś nie tak... zrobiłem wszystko tak jak piszesz i od 30 minut stoi na "Ukończono etap_17". I nawet nie da się tego wyłączyć 8O

Dziwne że podczas skanowania Malvarebytes i Kasperskym też w pewnym momencie się zawiesza i nie idzie dalej...

 

EDIT:// Zapomniałem doda że po uruchomieniu komputera w menedżerze zadań jest avast!UpdateAgent, chociaż wywaliłem go HijackThisem(nie mialem avasta)

Edytowane 26 Sierpnia 2009 przez Kameelll

[FiFU]

Kolobos, Home Antivirus 2010 wróci po ponownym uruchomieniu komputera.

 

@Autor,

 

pokaż loga z RSIT.

[Kameelll]

Kolobos, Home Antivirus 2010 wróci po ponownym uruchomieniu komputera.

 

@Autor,

 

pokaż loga z RSIT.

» Naciśnij aby pokazać/ukryć tekst oznaczony jako spoiler « - LOG z RSIT

Logfile of random's system information tool 1.06 (written by random/random)

Run by Zygmunt at 2009-08-27 20:11:08

Microsoft Windows XP Professional Dodatek Service Pack 2

System drive C: has 29 GB (49%) free of 60 GB

Total RAM: 1023 MB (54% free)

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 20:11:10, on 2009-08-27

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\avast!UpdateAgent.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\AutoConnect\AutoConnect.exe

C:\Program Files\Java\jre6\bin\jucheck.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Zygmunt\Pulpit\RSIT.exe

C:\Program Files\Trend Micro\HijackThis\Zygmunt.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = socks=

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = plimus.com,www.plimus.com,regnow.com,www.regnow.com,

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL

O2 - BHO: PDF-XChange Viewer IE-Plugin - {C5D07EB6-BBCE-4DAE-ACBB-D13A8D28CB1F} - C:\Program Files\Tracker Software\PDF Viewer\PDFXCviewIEPlugin.dll

O4 - HKLM\..\Run: [speedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [AutoConnect] C:\Program Files\AutoConnect\AutoConnect.exe

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')

O8 - Extra context menu item: Dodaj do listy blokowanych banerów - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm

O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Statystyki ochrony WWW - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll

O9 - Extra button: Wyślij do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: Wyślij &do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{8A4395DC-5696-4E0B-8BC2-4C3257ECE987}: NameServer = 194.204.159.1 217.98.63.164

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: avast!UpdateAgent.exe - Unknown owner - C:\WINDOWS\System32\avast!UpdateAgent.exe

O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe

O23 - Service: Usługa Google Update (gupdate1ca0ab8ed296efa) (gupdate1ca0ab8ed296efa) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe (file missing)

O23 - Service: Google Software Updater (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

 

--

End of file - 5651 bytes

 

======Scheduled tasks folder======

 

C:\WINDOWS\tasks\Google Software Updater.job

C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job

C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job

 

======Registry dump======

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C}]

IEVkbdBHO Class - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll [2008-11-11 62728]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}]

Groove GFS Browser Helper - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL [2006-10-27 2210608]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C5D07EB6-BBCE-4DAE-ACBB-D13A8D28CB1F}]

PDF-XChange Viewer IE-Plugin - C:\Program Files\Tracker Software\PDF Viewer\PDFXCviewIEPlugin.dll [2009-08-14 1093400]

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]

"SpeedTouch USB Diagnostics"=C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe [2003-09-05 878080]

"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-07-10 148888]

"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2006-04-17 16143872]

"Alcmtr"=C:\WINDOWS\ALCMTR.EXE [2005-05-03 69632]

"AVP"=C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe [2009-07-24 208616]

"KernelFaultCheck"=C:\WINDOWS\system32\dumprep 0 -k []

"GrooveMonitor"=C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [2006-10-27 31016]

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]

"AutoConnect"=C:\Program Files\AutoConnect\AutoConnect.exe [2004-08-28 295424]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]

C:\Program Files\Alcohol Soft\aaAlcohol 120\axcmd.exe [2009-04-24 203928]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AQQ]

C:\PROGRA~1\WapSter\WAPSTE~1\AQQ.exe [2009-06-12 5047808]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EA Core]

C:\Program Files\Electronic Arts\EADM\Core.exe [2009-04-29 3338240]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nowe Gadu-Gadu]

C:\Program Files\Nowe Gadu-Gadu\gg.exe [2009-05-28 10486376]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RaidTool]

C:\Program Files\VIA\RAID\raid_tool.exe [2005-11-23 1060864]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

C:\Program Files\Skype\Phone\Skype.exe [2009-06-26 25604904]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe []

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vidalia]

C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe [2009-07-12 5113430]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]

C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~1.EXE [2004-12-14 29696]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]

C:\WINDOWS\system32\Ati2evxx.dll [2008-02-26 126976]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\klogon]

C:\WINDOWS\system32\klogon.dll [2008-11-11 218376]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL [2006-10-27 2210608]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\isyriy]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PEVSystemStart]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\isyriy]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\PEVSystemStart]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\procexp90.Sys]

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]

"dontdisplaylastusername"=0

"legalnoticecaption"=

"legalnoticetext"=

"shutdownwithoutlogon"=1

"undockwithoutlogon"=1

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]

"NoDriveTypeAutoRun"=323

"NoSMMyPictures"=1

"NoDriveAutoRun"=67108863

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]

"NoDriveAutoRun"=

"NoDriveTypeAutoRun"=

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\Program Files\THQ\Gas Powered Games\GPGNet\GPG.Multiplayer.Client.exe"="C:\Program Files\THQ\Gas Powered Games\GPGNet\GPG.Multiplayer.Client.exe:*:Enabled:GPGNet - Supreme Commander"

"C:\Program Files\Nowe Gadu-Gadu\gg.exe"="C:\Program Files\Nowe Gadu-Gadu\gg.exe:*:Enabled:Nowe Gadu-Gadu"

"C:\Program Files\Midway Home Entertainment\Rise and Fall\RiseAndFall.exe"="C:\Program Files\Midway Home Entertainment\Rise and Fall\RiseAndFall.exe:*:Enabled:Rise And Fall"

"E:\Civilization IV\Civilization4.exe"="E:\Civilization IV\Civilization4.exe:*:Enabled:Sid Meier's Civilization 4"

"E:\Blood Bowl\BB.exe"="E:\Blood Bowl\BB.exe:*:Enabled:Blood Bowl"

"E:\Blood Bowl\Autorun\Exe\Autorun.exe"="E:\Blood Bowl\Autorun\Exe\Autorun.exe:*:Enabled:Blood Bowl - AutoRun"

"E:\Earth 2160\Earth2160_NO_SSE.exe"="E:\Earth 2160\Earth2160_NO_SSE.exe:*:Enabled:Earth 2160"

"E:\Earth 2160\Earth2160_SSE.exe"="E:\Earth 2160\Earth2160_SSE.exe:*:Enabled:Earth 2160"

"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"

"C:\WINDOWS\system32\services.exe"="C:\WINDOWS\system32\services.exe:*:Enabled:services"

"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"

"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE"="C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove"

"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"="C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

 

======List of files/folders created in the last 1 months======

 

2009-08-27 20:09:14 ----D---- C:\Program Files\SkanerOnline

2009-08-27 16:58:01 ----A---- C:\WINDOWS\system32\msonpmon.dll

2009-08-27 16:55:52 ----D---- C:\Program Files\Microsoft Works

2009-08-27 16:55:41 ----D---- C:\Program Files\MSBuild

2009-08-27 16:55:18 ----D---- C:\Program Files\Microsoft Visual Studio

2009-08-27 16:55:17 ----D---- C:\Program Files\Common Files\DESIGNER

2009-08-27 16:54:29 ----D---- C:\Program Files\Microsoft.NET

2009-08-27 16:52:34 ----D---- C:\Program Files\Microsoft Visual Studio 8

2009-08-27 16:51:40 ----D---- C:\WINDOWS\SHELLNEW

2009-08-27 16:51:10 ----D---- C:\Program Files\Microsoft Office

2009-08-27 16:51:08 ----D---- C:\Documents and Settings\All Users\Dane aplikacji\Microsoft Help

2009-08-27 16:50:34 ----RHD---- C:\MSOCache

2009-08-26 22:28:37 ----A---- C:\Boot.bak

2009-08-26 22:28:33 ----RASHD---- C:\cmdcons

2009-08-26 22:26:58 ----A---- C:\WINDOWS\zip.exe

2009-08-26 22:26:58 ----A---- C:\WINDOWS\SWXCACLS.exe

2009-08-26 22:26:58 ----A---- C:\WINDOWS\SWSC.exe

2009-08-26 22:26:58 ----A---- C:\WINDOWS\SWREG.exe

2009-08-26 22:26:58 ----A---- C:\WINDOWS\sed.exe

2009-08-26 22:26:58 ----A---- C:\WINDOWS\PEV.exe

2009-08-26 22:26:58 ----A---- C:\WINDOWS\NIRCMD.exe

2009-08-26 22:26:58 ----A---- C:\WINDOWS\grep.exe

2009-08-26 22:26:49 ----SD---- C:\ComboFix

2009-08-26 22:26:49 ----A---- C:\WINDOWS\system32\CF11516.exe

2009-08-25 20:13:50 ----D---- C:\WINDOWS\Minidump

2009-08-25 19:02:49 ----D---- C:\rsit

2009-08-25 18:56:48 ----D---- C:\WINDOWS\ERDNT

2009-08-25 18:56:11 ----D---- C:\Qoobox

2009-08-25 18:51:50 ----D---- C:\Program Files\Trend Micro

2009-08-25 14:14:54 ----A---- C:\WINDOWS\system32\avast!UpdateAgent.exe

2009-08-24 18:44:51 ----D---- C:\Program Files\Techland

2009-08-23 19:59:18 ----D---- C:\Documents and Settings\Zygmunt\Dane aplikacji\Vidalia

2009-08-23 19:41:03 ----D---- C:\Documents and Settings\Zygmunt\Dane aplikacji\Tor

2009-08-23 19:41:02 ----D---- C:\Program Files\Vidalia Bundle

2009-08-22 21:39:38 ----D---- C:\totalcmd

2009-08-22 21:39:38 ----D---- C:\Documents and Settings\Zygmunt\Dane aplikacji\GHISLER

2009-08-20 22:11:07 ----D---- C:\Documents and Settings\All Users\Dane aplikacji\Google

2009-08-20 22:11:02 ----D---- C:\Program Files\IrfanView

2009-08-20 14:10:36 ----D---- C:\WINDOWS\speech

2009-08-20 14:10:22 ----D---- C:\Program Files\ivo

2009-08-20 13:37:44 ----D---- C:\Program Files\Tracker Software

2009-08-15 11:52:29 ----D---- C:\Documents and Settings\Zygmunt\Dane aplikacji\Black Sea Studios

2009-08-14 23:09:41 ----D---- C:\Documents and Settings\Zygmunt\Dane aplikacji\AdobeUM

2009-08-12 22:35:15 ----D---- C:\Program Files\PhotoFiltre

2009-08-12 12:33:27 ----D---- C:\Documents and Settings\All Users\Dane aplikacji\Electronic Arts

2009-08-11 21:32:18 ----D---- C:\WINDOWS\system32\appmgmt

2009-08-11 21:26:00 ----D---- C:\Documents and Settings\Zygmunt\Dane aplikacji\Hide IP NG

2009-08-11 16:36:29 ----D---- C:\Documents and Settings\Zygmunt\Dane aplikacji\SPORE

2009-08-10 18:32:24 ----D---- C:\Documents and Settings\Zygmunt\Dane aplikacji\CityInteractive

2009-08-04 13:39:52 ----D---- C:\Documents and Settings\Zygmunt\Dane aplikacji\My Games

 

======List of files/folders modified in the last 1 months======

 

2009-08-27 20:11:04 ----D---- C:\WINDOWS\Temp

2009-08-27 20:09:14 ----SD---- C:\WINDOWS\Downloaded Program Files

2009-08-27 20:09:14 ----RD---- C:\Program Files

2009-08-27 20:09:13 ----D---- C:\WINDOWS\system32

2009-08-27 20:09:12 ----D---- C:\WINDOWS\system32\CatRoot2

2009-08-27 20:06:08 ----D---- C:\Program Files\Mozilla Firefox

2009-08-27 19:54:47 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI

2009-08-27 19:50:59 ----D---- C:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab

2009-08-27 19:50:49 ----D---- C:\Program Files\AutoConnect

2009-08-27 17:22:51 ----SD---- C:\Documents and Settings\Zygmunt\Dane aplikacji\Microsoft

2009-08-27 16:58:21 ----SHD---- C:\WINDOWS\Installer

2009-08-27 16:58:11 ----RSD---- C:\WINDOWS\assembly

2009-08-27 16:57:43 ----D---- C:\WINDOWS\system32\config

2009-08-27 16:55:47 ----D---- C:\Program Files\Common Files\Microsoft Shared

2009-08-27 16:55:44 ----D---- C:\WINDOWS\WinSxS

2009-08-27 16:55:17 ----D---- C:\Program Files\Common Files

2009-08-27 16:54:51 ----RSD---- C:\WINDOWS\Fonts

2009-08-27 16:54:30 ----SD---- C:\Documents and Settings\All Users\Dane aplikacji\Microsoft

2009-08-27 16:52:10 ----A---- C:\WINDOWS\win.ini

2009-08-27 16:52:07 ----D---- C:\Program Files\Common Files\System

2009-08-27 16:51:40 ----D---- C:\WINDOWS

2009-08-27 16:51:10 ----HD---- C:\WINDOWS\inf

2009-08-27 09:52:21 ----A---- C:\WINDOWS\SchedLgU.Txt

2009-08-26 22:29:04 ----D---- C:\WINDOWS\system32\drivers

2009-08-26 22:28:37 ----RASH---- C:\boot.ini

2009-08-25 18:41:19 ----D---- C:\Program Files\Google

2009-08-25 18:38:22 ----SD---- C:\WINDOWS\Tasks

2009-08-25 18:36:28 ----A---- C:\WINDOWS\system.ini

2009-08-25 18:36:27 ----D---- C:\WINDOWS\pss

2009-08-25 14:15:04 ----D---- C:\WINDOWS\Prefetch

2009-08-24 21:54:20 ----D---- C:\Documents and Settings\Zygmunt\Dane aplikacji\Skype

2009-08-24 20:20:26 ----D---- C:\Documents and Settings\Zygmunt\Dane aplikacji\skypePM

2009-08-22 21:17:37 ----D---- C:\Documents and Settings\Zygmunt\Dane aplikacji\Nowe Gadu-Gadu

2009-08-21 12:23:24 ----D---- C:\Documents and Settings\Zygmunt\Dane aplikacji\Google

2009-08-16 15:16:59 ----D---- C:\Program Files\ArtMoney

2009-08-12 12:31:42 ----D---- C:\Program Files\Electronic Arts

2009-08-12 09:15:27 ----HD---- C:\Program Files\InstallShield Installation Information

2009-08-11 16:33:12 ----A---- C:\WINDOWS\system32\CmdLineExt.dll

2009-08-11 13:54:50 ----D---- C:\WINDOWS\system32\DirectX

2009-08-10 22:29:16 ----D---- C:\WINDOWS\Microsoft.NET

2009-08-10 19:48:21 ----D---- C:\Documents and Settings\Zygmunt\Dane aplikacji\BESTplayer

2009-08-10 17:16:14 ----D---- C:\WINDOWS\system32\mui

2009-08-10 17:16:14 ----D---- C:\Program Files\Internet Explorer

2009-08-05 20:09:23 ----D---- C:\Program Files\Alcohol Soft

2009-08-04 10:57:48 ----D---- C:\WINDOWS\system32\Macromed

2009-08-04 10:57:40 ----D---- C:\Documents and Settings\Zygmunt\Dane aplikacji\Macromedia

 

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

 

R1 intelppm;Sterownik procesora Intel; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2004-08-04 40320]

R1 KLIF;Kaspersky Lab Driver; C:\WINDOWS\system32\DRIVERS\klif.sys [2009-07-24 226832]

R3 alcan5wn;SpeedTouch USB ADSL PPP Networking Driver (NDISWAN); C:\WINDOWS\system32\DRIVERS\alcan5wn.sys [2003-09-05 53600]

R3 alcaudsl;SpeedTouch ADSL Modem ATM Transport; C:\WINDOWS\system32\DRIVERS\alcaudsl.sys [2003-09-05 70624]

R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2008-02-26 2863616]

R3 FETNDIS;Sterownik NT karty VIA PCI 10/100Mb Fast Ethernet; C:\WINDOWS\system32\DRIVERS\fetnd5.sys [2001-08-17 27165]

R3 hamachi;Hamachi Network Interface; C:\WINDOWS\system32\DRIVERS\hamachi.sys [2009-07-25 25280]

R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2005-01-07 138752]

R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2006-04-17 4262912]

R3 KLFLTDEV;Kaspersky Lab KLFltDev; C:\WINDOWS\system32\DRIVERS\klfltdev.sys [2008-03-13 26640]

R3 klim5;Kaspersky Anti-Virus NDIS Filter; C:\WINDOWS\system32\DRIVERS\klim5.sys [2008-04-30 24592]

R3 usbehci;Sterownik Miniport rozszerzonego kontrolera hosta USB 2.0 Microsoft; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-03 26624]

R3 usbhub;Koncentrator z obsługą USB2; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-03 57600]

R3 usbprint;Klasa PRINTER USB Microsoft; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 25856]

R3 usbuhci;Sterownik Miniport uniwersalnego kontrolera hosta USB Microsoft; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-03 20480]

S1 6602d2ea;6602d2ea; C:\WINDOWS\System32\drivers\6602d2ea.sys []

S2 isyriy;isyriy; C:\WINDOWS\system32\drivers\isyriy.sys [2009-08-25 243712]

S2 ljaygr;ljaygr; \??\C:\WINDOWS\system32\Drivers\ljaygr.sys []

S3 a07piitd;a07piitd; C:\WINDOWS\system32\drivers\a07piitd.sys []

S3 catchme;catchme; \??\C:\DOCUME~1\Zygmunt\USTAWI~1\Temp\catchme.sys []

S3 HidUsb;Sterownik Microsoft klasy HID; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]

S3 mbamswissarmy;MBAMSwissArmy; \??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys []

S3 usbscan;Sterownik skanera USB; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]

S3 USBSTOR;Sterownik magazynu masowego USB; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]

S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

 

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

 

R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2008-02-26 520192]

R2 avast!UpdateAgent.exe;avast!UpdateAgent.exe; C:\WINDOWS\System32\avast!UpdateAgent.exe [2009-08-25 36864]

R2 AVP;Kaspersky Internet Security; C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe [2009-07-24 208616]

R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-07-10 152984]

S2 ATI Smart;ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [2008-02-25 593920]

S2 gupdate1ca0ab8ed296efa;Usługa Google Update (gupdate1ca0ab8ed296efa); C:\Program Files\Google\Update\GoogleUpdate.exe /svc []

S2 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe []

S2 StarWindServiceAE;StarWind AE Service; C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe [2007-05-28 275968]

S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]

S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]

S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]

S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe [2006-10-27 65824]

S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2006-10-26 441136]

S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]

 

-----------------EOF-----------------

 

EDIT:// Pomoże mi ktoś czy nie?!

 

Skanowałem komputer Kasperskym Internet Security 8, Malvarebytes i MKS-virem i za każdym razem skanowanie zatrzymuje się na C:/WINDOWS/system32/drivers/isapnp.sys lub C:/WINDOWS/system32/drivers/ipsec.sys ....

Edytowane 27 Sierpnia 2009 przez Kameelll

[Kolobos]

8O FiFU

Niby dlaczego?

 

8O Kameelll

Sprobuj uruchomic combofix z cfscript.txt w trybie awaryjnym.

 

Wczesniej wpisz w uruchom:

sc delete 6602d2ea

sc stop isyriy

sc delete isyriy

sc delete ljaygr

sc delete a07piitd

sc delete catchme

 

jezeli mozesz usun tez recznie:

C:\WINDOWS\system32\drivers\isyriy.sys

C:\Documents and Settings\Zygmunt\Menu Start\Programy\Autostart\ikowin32.exe

 

Po wykonaniu daj log z combofix.

[Kameelll]

jezeli mozesz usun tez recznie:

C:\WINDOWS\system32\drivers\isyriy.sys

C:\Documents and Settings\Zygmunt\Menu Start\Programy\Autostart\ikowin32.exe

 

Po wykonaniu daj log z combofix.

z C:\WINDOWS\system32\drivers\isyriy.sys nie da się usunać, wyskakuje że jest to plik systemowy(bla,bla,bla) naciskam żeby usunęło i nic sie nie dzieje. A w C:\Documents and Settings\Zygmunt\Menu Start\Programy\Autostart\ikowin32.exe nie pokazuje mi ikowin32.exe

 

Zaraz dam loga z combofixa.

 

EDIT:// Nie mogę wejść do trybu awaryjnego, podcza uruchamiania naciskam F8 wybieram tryb awaryjny, ładują sie jakieś pliki, a poźniej na dle wyskakuje "Press ESC to cancel loading SPTD.sys" naciskam ESC i w lewym górnym rogu pojawia się znak "_" miga i nic się nie dzieje :/

Edytowane 28 Sierpnia 2009 przez Kameelll

[Kolobos]

Sciagnij OTL, wklej do niego taki skrypt:

 

:OTL

PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)

 

:Files

C:\WINDOWS\system32\drivers\isyriy.sys

 

:Commands

[emptytemp]

[start explorer]

[Reboot]

 

Nacisnij Run Fix, po wykonaniu daj log utworzy z opcji Run Scan. Po wszystkim sprobuj tez uruchomic combofix.

Edytowane 28 Sierpnia 2009 przez Kolobos

[Kameelll]

Sciagnij OTL, wklej do niego taki skrypt:

 

:OTL

PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)

 

:Files

C:\WINDOWS\system32\drivers\isyriy.sys

 

:Commands

[emptytemp]

[start explorer]

[Reboot]

 

Nacisnij Run Fix, po wykonaniu daj log utworzy z opcji Run Scan. Po wszystkim sprobuj tez uruchomic combofix.

Nic z tego. Podczas "Moving file C:\WINDOWS\system32\drivers\isyriy.sys" OTL zawiesza się (pojawia się napis brak odpowiedzi) i pozostaje tylko reset komputera:(

[Kolobos]

W takim razie usun ten plik przy pomocy konsoli odzyskiwania.

[Kameelll]

W takim razie usun ten plik przy pomocy konsoli odzyskiwania.

Usunąłem go z konsoli odzyskiwania.

 

Użyć teraz CFScript'a z ComboFixem czy OTL?

Edytowane 29 Sierpnia 2009 przez Kameelll

[ULLISSES]

OTL służy do logów.

 

Pliki, które są oporne usuwa Unlocker.

 

Nie męcz się już więcej. Podepnij dysk do kompa z zainstalowaną Avirą i przeskanuj wszystkie partycje. Wywal wszystko co znajdzie.

Potem uruchom swój komp w awaryjnym i z jego poziomu przejedź kompa przy pomocy Spybot S&D.

[Kameelll]

OTL służy do logów.

 

Pliki, które są oporne usuwa Unlocker.

 

Nie męcz się już więcej. Podepnij dysk do kompa z zainstalowaną Avirą i przeskanuj wszystkie partycje. Wywal wszystko co znajdzie.

Potem uruchom swój komp w awaryjnym i z jego poziomu przejedź kompa przy pomocy Spybot S&D.

Nie mam możliwości podpięcia dysku do innego kompa, który ma Avirę.

 

U siebie odinstalowałem Kaspersky Internet Security, zainstalowałem Avirę, Outpoust Firewall Pro oraz Anti Trojan Elite. Z konsoli odzyskiwania usunąłem ten isyriy.sys, oraz avast!UpdateAgent(Avira wywalał ze jest to trojan, ale nie mógł go usunąć ani nic z nim zrobić). Teraz robie skany Anti Trojan Elite a później włączę skan Avirą.

Edytowane 29 Sierpnia 2009 przez Kameelll

[ULLISSES]

Wszystkie narzędzia do naprawy/leczenie uruchamiaj w trybie awaryjnym - wtedy jest większa szansa na ich usunięcie.

 

Najlepiej było by wybrać tryb awaryjny z wierszem poleceń, z niego odpalić np Total Commander lub cokolwiek innego niż Explorer (pulpit) i z jego poziomu uruchamiać narzędzia naprawy. Jeśli załaduje się pasek i menu start, to explorer działa i już część robactwa zostaje załadowane i zablokowane przed usunięciem.

[Kameelll]

Wszystkie narzędzia do naprawy/leczenie uruchamiaj w trybie awaryjnym - wtedy jest większa szansa na ich usunięcie.

 

Najlepiej było by wybrać tryb awaryjny z wierszem poleceń, z niego odpalić np Total Commander lub cokolwiek innego niż Explorer (pulpit) i z jego poziomu uruchamiać narzędzia naprawy. Jeśli załaduje się pasek i menu start, to explorer działa i już część robactwa zostaje załadowane i zablokowane przed usunięciem.

To jak skończy mi się skanować system avirą to włączę tryb awaryjny z wierszem poleceń i będę uruchamiał z TC.

[Kolobos]

Tak, uzyj CFScript.txt z combofix, ktory podalem wczesniej i daj log, ktory sie utworzy.