cherrybloom

Brontok - I Don't Know How to Tackle It, Logs


Hello,

I searched Google and found a few pages, but I know nothing about this, and even so I find it hard to do anything.

On my machine the virus shows itself like this: when I open certain folders, only the desktop wallpaper appears, then the icons and everything else slowly come back, an error is displayed, and sometimes the whole computer freezes.

I would really appreciate some help 8O

 

 

 

HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 17:55:56, on 2009-09-13

Platform: Windows XP Dodatek SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe

C:\Program Files\Winamp\winampa.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe

C:\Program Files\Gadu-Gadu\gg.exe

C:\Program Files\Winamp\winamp.exe

C:\Program Files\Last.fm\LastFM.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: VMN Toolbar - {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - C:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL

O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: VMN Toolbar - {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - C:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [samsung Common SM] "C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" /autorun

O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA SIECIOWA')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O8 - Extra context menu item: Dodaj do listy blokowanych banerów - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm

O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Statystyki ochrony WWW - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll

O9 - Extra button: Wyślij do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: Wyślij &do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL

O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~1\adialhk.dll,C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll

O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

 

--

End of file - 6329 bytes

Silent Runners log:
"Silent Runners.vbs", revision 59, http://www.silentrunners.org/

Operating System: Windows XP

Output limited to non-default values, except where indicated by "{++}"

 

 

Startup items buried in registry:

---------------------------------

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}" = ""C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"" ["Nero AG"]

"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["sms-express.com"]

"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]

"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]

"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]

"RTHDCPL" = "RTHDCPL.EXE" ["Realtek Semiconductor Corp."]

"SkyTel" = "SkyTel.EXE" ["Realtek Semiconductor Corp."]

"Alcmtr" = "ALCMTR.EXE" ["Realtek Semiconductor Corp."]

"NeroFilterCheck" = "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" ["Nero AG"]

"Samsung Common SM" = ""C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" /autorun" ["Samsung Electronics."]

"AVP" = ""C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"" ["Kaspersky Lab"]

"WinampAgent" = ""C:\Program Files\Winamp\winampa.exe"" [null data]

"GrooveMonitor" = ""C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"" [MS]

"Adobe Reader Speed Launcher" = ""C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"" ["Adobe Systems Incorporated"]

"SunJavaUpdateSched" = ""C:\Program Files\Java\jre6\bin\jusched.exe"" ["Sun Microsystems, Inc."]

 

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\

>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"

\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\(Default) = "AcroIEHelperStub"

-> {HKLM...CLSID} = "Adobe PDF Link Helper"

\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll" ["Adobe Systems Incorporated"]

{4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33}\(Default) = (no title provided)

-> {HKLM...CLSID} = "VMN Toolbar"

\InProcServer32\(Default) = "C:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL" ["Visicom Media Inc. "]

{59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C}\(Default) = "IEVkbdBHO"

-> {HKLM...CLSID} = "IEVkbdBHO Class"

\InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll" ["Kaspersky Lab"]

{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\(Default) = (no title provided)

-> {HKLM...CLSID} = "Groove GFS Browser Helper"

\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]

{DBC80044-A445-435b-BC74-9C25C1C588A9}\(Default) = (no title provided)

-> {HKLM...CLSID} = "Java Plug-In 2 SSV Helper"

\InProcServer32\(Default) = "C:\Program Files\Java\jre6\bin\jp2ssv.dll" ["Sun Microsystems, Inc."]

{E7E6F031-17CE-4C07-BC86-EABFE594F69C}\(Default) = "JQSIEStartDetectorImpl"

-> {HKLM...CLSID} = "JQSIEStartDetectorImpl Class"

\InProcServer32\(Default) = "C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll" ["Sun Microsystems, Inc."]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

-> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

\InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

-> {HKLM...CLSID} = "HyperTerminal Icon Ext"

\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"

-> {HKLM...CLSID} = "DesktopContext Class"

\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]

"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"

-> {HKLM...CLSID} = "NVIDIA CPL Extension"

\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]

"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"

-> {HKLM...CLSID} = "Desktop Explorer"

\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"

-> {HKLM...CLSID} = "nView Desktop Context Menu"

\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{97F68CE3-7146-45FF-BE24-D9A7DD7CB8A2}" = "NeroCoverEd Live Icons"

-> {HKLM...CLSID} = "NeroCoverEdLiveIcons Class"

\InProcServer32\(Default) = "C:\Program Files\Nero\Nero 7\Nero CoverDesigner\CoverEdExtension.dll" ["Nero AG"]

"{85E0B171-04FA-11D1-B7DA-00A0C90348D6}" = "Statystyki ochrony WWW"

-> {HKLM...CLSID} = "Statystyki ochrony WWW"

\InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll" ["Kaspersky Lab"]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

"{72853161-30C5-4D22-B7F9-0BBC1D38A37E}" = "Groove GFS Browser Helper"

-> {HKLM...CLSID} = "Groove GFS Browser Helper"

\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]

"{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}" = "Groove GFS Explorer Bar"

-> {HKLM...CLSID} = "Groove Folder Synchronization"

\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]

"{A449600E-1DC6-4232-B948-9BD794D62056}" = "Groove GFS Stub Icon Handler"

-> {HKLM...CLSID} = "Groove GFS Stub Icon Handler"

\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]

"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}" = "Groove GFS Stub Execution Hook"

-> {HKLM...CLSID} = "Groove GFS Stub Execution Hook"

\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]

"{6C467336-8281-4E60-8204-430CED96822D}" = "Groove GFS Context Menu Handler"

-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"

\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]

"{387E725D-DC16-4D76-B310-2C93ED4752A0}" = "Groove XML Icon Handler"

-> {HKLM...CLSID} = "Groove XML Icon Handler"

\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]

"{16F3DD56-1AF5-4347-846D-7C10C4192619}" = "Groove Explorer Icon Overlay 3 (GFS Folder)"

-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 3 (GFS Folder)"

\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]

"{AB5C5600-7E6E-4B06-9197-9ECEF74D31CC}" = "Groove Explorer Icon Overlay 2 (GFS Stub)"

-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 2 (GFS Stub)"

\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]

"{2916C86E-86A6-43FE-8112-43ABE6BF8DCC}" = "Groove Explorer Icon Overlay 4 (GFS Unread Mark)"

-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 4 (GFS Unread Mark)"

\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]

"{99FD978C-D287-4F50-827F-B2C658EDA8E7}" = "Groove Explorer Icon Overlay 1 (GFS Unread Stub)"

-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 1 (GFS Unread Stub)"

\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]

"{920E6DB1-9907-4370-B3A0-BAFC03D81399}" = "Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)"

-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)"

\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"

-> {HKLM...CLSID} = "Outlook File Icon Extension"

\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\OLKFSTUB.DLL" [MS]

"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"

-> {HKLM...CLSID} = "Microsoft Office Outlook"

\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\MLSHEXT.DLL" [MS]

"{5858A72C-C2B4-4dd7-B2BF-B76DB1BD9F6C}" = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search"

-> {HKLM...CLSID} = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search"

\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\ONFILTER.DLL" [MS]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\msohevi.dll" [MS]

"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"

-> {HKLM...CLSID} = "Microsoft Office Metadata Handler"

\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]

"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"

-> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"

\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]

"{1EBC3533-B289-409F-9924-B84B3F0717D2}" = "AceFTP Context Menu Shell Extension"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\PROGRA~1\VISICO~1\ACEFTP~1\ftpcntxt.dll" ["Visicom Media Inc."]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

<<!>> "{B5A7F190-DDA6-4420-B3BA-52453494E6CD}" = "Groove GFS Stub Execution Hook"

-> {HKLM...CLSID} = "Groove GFS Stub Execution Hook"

\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]

 

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

<<!>> klogon\DLLName = "C:\WINDOWS\system32\klogon.dll" ["Kaspersky Lab"]

 

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\

<<!>> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}"

-> {HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter"

\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL" [MS]

 

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"

-> {HKLM...CLSID} = "PDF Shell Extension"

\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

 

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\

AceFTP\(Default) = "{1EBC3533-B289-409F-9924-B84B3F0717D2}"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\PROGRA~1\VISICO~1\ACEFTP~1\ftpcntxt.dll" ["Visicom Media Inc."]

Cover Designer\(Default) = "{73FCA462-9BD5-4065-A73F-A8E5F6904EF7}"

-> {HKLM...CLSID} = "NeroCoverEdContextMenu Class"

\InProcServer32\(Default) = "C:\Program Files\Nero\Nero 7\Nero CoverDesigner\CoverEdExtension.dll" ["Nero AG"]

Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ShellEx.dll" ["Kaspersky Lab"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"

-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"

\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]

 

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\

AceFTP\(Default) = "{1EBC3533-B289-409F-9924-B84B3F0717D2}"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\PROGRA~1\VISICO~1\ACEFTP~1\ftpcntxt.dll" ["Visicom Media Inc."]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"

-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"

\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]

 

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\

Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ShellEx.dll" ["Kaspersky Lab"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"

-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"

\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]

 

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\

XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"

-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"

\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]

 

 

Group Policies {GPedit.msc branch and setting}:

-----------------------------------------------

 

Note: detected settings may not have any effect.

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

 

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}

 

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Devices: Allow undock without having to log on}

 

 

Active Desktop and Wallpaper:

-----------------------------

 

Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

 

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

 

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Documents and Settings\Madzia\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

 

 

Enabled Screen Saver:

---------------------

 

HKCU\Control Panel\Desktop\

"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]

 

 

Windows Portable Device AutoPlay Handlers

-----------------------------------------

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

 

NeroAutoPlay7CDAudio\

"Provider" = "Nero Express Essentials"

"InvokeProgID" = "Nero.AutoPlay7"

"InvokeVerb" = "CDAudio_HandleCDBurningOnArrival"

HKLM\SOFTWARE\Classes\Nero.AutoPlay7\shell\CDAudio_HandleCDBurningOnArrival\command\(Default) = "C:\Program Files\Nero\Nero 7\Core\nero.exe -w /New:AudioCD" ["Nero AG"]

 

NeroAutoPlay7CopyCD\

"Provider" = "Nero Express Essentials"

"InvokeProgID" = "Nero.AutoPlay7"

"InvokeVerb" = "CopyCD_PlayMusicFilesOnArrival"

HKLM\SOFTWARE\Classes\Nero.AutoPlay7\shell\CopyCD_PlayMusicFilesOnArrival\command\(Default) = "C:\Program Files\Nero\Nero 7\Core\nero.exe -w /Dialog:DiscCopy" ["Nero AG"]

 

NeroAutoPlay7DataDisc\

"Provider" = "Nero Express Essentials"

"InvokeProgID" = "Nero.AutoPlay7"

"InvokeVerb" = "DataDisc_HandleCDBurningOnArrival"

HKLM\SOFTWARE\Classes\Nero.AutoPlay7\shell\DataDisc_HandleCDBurningOnArrival\command\(Default) = "C:\Program Files\Nero\Nero 7\Core\nero.exe -w /New:ISODisc" ["Nero AG"]

 

NeroAutoPlay7LaunchNeroStartSmart\

"Provider" = "Nero StartSmart Essentials"

"InvokeProgID" = "Nero.AutoPlay7"

"InvokeVerb" = "LaunchNeroStartSmart_HandleCDBurningOnArrival"

HKLM\SOFTWARE\Classes\Nero.AutoPlay7\shell\LaunchNeroStartSmart_HandleCDBurningOnArrival\command\(Default) = "C:\Program Files\Nero\Nero 7\Nero StartSmart\NeroStartSmart.exe /AutoPlay" ["Nero AG"]

 

NeroAutoPlay7PlayAudioCD\

"Provider" = "Nero ShowTime Essentials"

"InvokeProgID" = "Nero.AutoPlay7"

"InvokeVerb" = "PlayAudioCD_PlayMusicFilesOnArrival"

HKLM\SOFTWARE\Classes\Nero.AutoPlay7\shell\PlayAudioCD_PlayMusicFilesOnArrival\command\(Default) = "C:\Program Files\Nero\Nero 7\Nero ShowTime\ShowTime.exe /Play %L" ["Nero AG"]

 

NeroAutoPlay7PlayDVD\

"Provider" = "Nero ShowTime Essentials"

"InvokeProgID" = "Nero.AutoPlay7"

"InvokeVerb" = "PlayDVD_PlayVideoFilesOnArrival"

HKLM\SOFTWARE\Classes\Nero.AutoPlay7\shell\PlayDVD_PlayVideoFilesOnArrival\command\(Default) = "C:\Program Files\Nero\Nero 7\Nero ShowTime\ShowTime.exe /Play %L" ["Nero AG"]

 

NeroAutoPlay7TranscodeVideo\

"Provider" = "Nero Recode Essentials"

"InvokeProgID" = "Nero.AutoPlay7"

"InvokeVerb" = "TranscodeVideo_PlayDVDMovieOnArrival"

HKLM\SOFTWARE\Classes\Nero.AutoPlay7\shell\TranscodeVideo_PlayDVDMovieOnArrival\command\(Default) = "C:\Program Files\Nero\Nero 7\Nero Recode\Recode.exe /New:CopyDVDVideo" ["Nero AG"]

 

NeroAutoPlay7VideoCapture\

"Provider" = "Nero Vision Essentials"

"ProgID" = "Shell.HWEventHandlerShellExecute"

"InitCmdLine" = ""C:\Program Files\Nero\Nero 7\Nero Vision\NeroVision.exe" /New:VideoCapture"

HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"

-> {HKLM...CLSID} = "ShellExecute HW Event Handler"

\LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

 

NeroAutoPlay7ViewPhotos\

"Provider" = "Nero PhotoSnap Viewer Essentials"

"InvokeProgID" = "Nero.AutoPlay7"

"InvokeVerb" = "ViewPhotos_ShowPicturesOnArrival"

HKLM\SOFTWARE\Classes\Nero.AutoPlay7\shell\ViewPhotos_ShowPicturesOnArrival\command\(Default) = "C:\Program Files\Nero\Nero 7\Nero PhotoSnap\PhotoSnapViewer.exe /" ["Nero AG"]

 

Picasa2ImportPicturesOnArrival\

"Provider" = "Picasa3"

"InvokeProgID" = "picasa2.autoplay"

"InvokeVerb" = "import"

HKLM\SOFTWARE\Classes\picasa2.autoplay\shell\import\command\(Default) = "C:\Program Files\Google\Picasa3\Picasa3.exe "%1"" ["Google Inc."]

 

WinampPlayMediaOnArrival\

"Provider" = "Winamp"

"InvokeProgID" = "Winamp.File"

"InvokeVerb" = "Play"

HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\command\(Default) = ""C:\Program Files\Winamp\winamp.exe" "%1"" ["Nullsoft"]

HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\DropTarget\CLSID = "{46986115-84D6-459c-8F95-52DD653E532E}"

-> {HKLM...CLSID} = (no title provided)

\LocalServer32\(Default) = ""C:\Program Files\Winamp\winamp.exe"" ["Nullsoft"]

 

 

Winsock2 Service Provider DLLs:

-------------------------------

 

Namespace Service Providers

 

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

 

Transport Service Providers

 

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

 

 

Toolbars, Explorer Bars, Extensions:

------------------------------------

 

Toolbars

 

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\

"{4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33}" = (no title provided)

-> {HKLM...CLSID} = "VMN Toolbar"

\InProcServer32\(Default) = "C:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL" ["Visicom Media Inc. "]

 

Explorer Bars

 

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

 

HKLM\SOFTWARE\Classes\CLSID\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}\(Default) = "Groove Folder Synchronization"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]

 

HKLM\SOFTWARE\Classes\CLSID\{85E0B171-04FA-11D1-B7DA-00A0C90348D6}\(Default) = "Statystyki ochrony WWW"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll" ["Kaspersky Lab"]

 

HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Poszukaj"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL" [MS]

 

Extensions (Tools menu items, main toolbar menu buttons)

 

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\

{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E}\

"ButtonText" = "Statystyki ochrony WWW"

 

{2670000A-7350-4F3C-8081-5663EE0C6C49}\

"ButtonText" = "Wyślij do programu OneNote"

"MenuText" = "Wyślij &do programu OneNote"

"CLSIDExtension" = "{48E73304-E1D6-4330-914C-F5F514E3486C}"

-> {HKLM...CLSID} = "Send to OneNote from Internet Explorer button"

\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll" [MS]

 

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\

"ButtonText" = "Research"

 

{E2E2DD38-D088-4134-82B7-F2BA38496583}\

"MenuText" = "@xpsp3res.dll,-20001"

"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

 

{FB5F1910-F110-11D2-BB9E-00C04F795683}\

"ButtonText" = "Messenger"

"MenuText" = "Windows Messenger"

"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]

 

 

Miscellaneous IE Hijack Points

------------------------------

 

HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\

<<H>> "Tabs" = "C:\Documents and Settings\Rodzina\Dane aplikacji\VMNTOOLBAR\tabwelcome_en.html" [file not found]

 

 

Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------

 

Java Quick Starter, JavaQuickStarterService, ""C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf"" ["Sun Microsystems, Inc."]

Kaspersky Internet Security, AVP, ""C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" -r" ["Kaspersky Lab"]

NMIndexingService, NMIndexingService, ""C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe"" ["Nero AG"]

NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]

Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]

 

 

Print Monitors:

---------------

 

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\

Send To Microsoft OneNote Monitor\Driver = "msonpmon.dll" [MS]

SUGS2 Langmon\Driver = "SUGS2LMK.DLL" ["Samsung Electronics."]

 

 

---------- (launch time: 2009-09-13 18:06:11)

<<!>>: Suspicious data at a malware launch point.

<<H>>: Suspicious data at a browser hijack point.

 

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

took 75 seconds.

---------- (total run time: 166 seconds)

 

Edited by cherrybloom


I'm guessing the problem appears after entering a folder with AVI videos? Type in Run: Start->Run->REGSVR32 /U SHMEDIA.DLL

 

Uninstall: VMN Toolbar + remove its entries in HJT and delete the folder C:\PROGRA~1\VMNTOO~1\
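The two instructions above, uninstall the toolbar and remove its HijackThis entries, amount to collecting every log line that belongs to one component. As an added example (not part of this thread and not code from HijackThis), the Python below parses HijackThis entry lines, indexes them by CLSID and by file path, and returns the lines to tick. The sample input is five lines copied from the log posted above; the CLSID {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} is the one that log shows for VMN Toolbar, registered both as a BHO (O2) and as a toolbar (O3). O2/O3/O4 lines are fixed by ticking them in the scan list and pressing Fix checked; the Delete an NT service tool applies only to O23 service entries.

```python
"""Triage a HijackThis log for every line tied to one component.

Added example for this thread; it is not part of HijackThis or of the
original posts. The sample below is a subset of the log posted above.
"""
import re
from collections import defaultdict

# Constructed sample: five lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: VMN Toolbar - {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - C:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL
O3 - Toolbar: VMN Toolbar - {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - C:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
"""

SECTION_RE = re.compile(r"^(R\d|F\d|O\d+) - ")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# HijackThis prints the file path last; a path runs from a drive letter
# to the end of the line or to a closing double quote.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]+')


def parse_hjt(text):
    """Return one dict per entry line: section, raw line, CLSIDs, paths."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if not m:
            continue  # header, running-process list, blank lines
        entries.append({
            "section": m.group(1),
            "line": line,
            "clsids": {c.upper() for c in CLSID_RE.findall(line)},
            "paths": PATH_RE.findall(line),
        })
    return entries


def related_lines(entries, clsid=None, path_fragment=None):
    """Every entry line naming the CLSID or a path containing the fragment.

    This is the set of lines to tick for one component: a BHO (O2) and a
    toolbar (O3) registered under the same CLSID are the same DLL, and
    both hooks have to go or the surviving one reloads it.
    """
    want_clsid = clsid.upper() if clsid else None
    want_path = path_fragment.lower() if path_fragment else None
    hits = []
    for e in entries:
        by_clsid = want_clsid is not None and want_clsid in e["clsids"]
        by_path = want_path is not None and any(
            want_path in p.lower() for p in e["paths"])
        if by_clsid or by_path:
            hits.append(e["line"])
    return hits


def component_footprint(entries):
    """Map each CLSID to the sorted list of HJT sections it appears in."""
    seen = defaultdict(set)
    for e in entries:
        for c in e["clsids"]:
            seen[c].add(e["section"])
    return {c: sorted(s) for c, s in seen.items()}


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    for line in related_lines(parsed, clsid="{4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33}"):
        print("tick:", line)
    for clsid, sections in component_footprint(parsed).items():
        print(clsid, "->", ", ".join(sections))
```

Feed it the whole log rather than the sample and `component_footprint` also shows which CLSIDs are registered at more than one hook point; a component that survives in one of them after a "fix" is the usual reason an entry reappears on the next scan.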

Thank you, I'll do it right away. Unfortunately, in my case the problem occurs mainly when opening a folder with photos. I'll also mention that the virus caught my pendrive at a print shop, and the first symptom was a new folder in every folder on that pendrive. When opened, 'My Documents' would open.

 

Edit: I don't know how to get to the folder C:\PROGRA~1\VMNTOO~1\ . Search can't find it, and I don't see it among hidden files either.

By removing the entries in HijackThis, should I understand pasting into Delete an NT service.... the individual lines from the log that contain "vmn" (e.g. O2 - BHO: VMN Toolbar - {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - C:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL)?

 

I feel terribly silly asking about things that are probably trivial. I'd rather not tinker with something like this on my own 8O)

Edited by cherrybloom

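Two points in the post above have a check behind them. C:\PROGRA~1\VMNTOO~1\ is not a folder name that search will find: PROGRA~1 and VMNTOO~1 are DOS 8.3 aliases, built from the first six characters of the long name with spaces dropped and upper-cased plus ~N, so PROGRA~1 is "Program Files" and VMNTOO~1 is whichever folder under it normalises to VMNTOO (most likely "VMN Toolbar", but the listing decides; on the machine itself `dir /x "C:\Program Files"` prints each folder's alias next to its long name). The "new folder in every folder" on the pendrive is, as described, something that looks like a folder but opens an Explorer window when double-clicked, which is the behaviour of an executable carrying a folder's name. The Python below, an added example that is not code from this thread or from any tool named in it, implements both checks over a constructed sample tree; the alias matcher is an approximation that does not model the hashed form Windows uses from the fifth collision (~5) onward, and the mimic scan is a name-based heuristic that reads no file attributes or icons.

```python
"""Locate on disk what the post above names: an 8.3 folder alias and
folder-lookalike executables on a pendrive.

Added example for this thread, not code from the original posts or from
any tool named in it. It builds a constructed sample tree in a temporary
directory so it runs anywhere; point the functions at a real drive to
use them.
"""
import os
import re
import tempfile

# Extensions Windows executes when a "folder" or "document" is double-clicked.
EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}


def short_stem(long_name):
    """Approximate the six-character stem of a Windows 8.3 alias.

    Windows drops spaces and dots, upper-cases, and keeps the first six
    characters before appending ~N: "Program Files" -> PROGRA. The hashed
    form used for the fifth and later collision is not modelled.
    """
    return re.sub(r"[ .]", "", long_name).upper()[:6]


def short_name_candidates(short_name, sibling_names):
    """Long names in the listing that could own the alias short_name.

    VMNTOO~1 cannot be searched for by name; only the directory listing
    says which long folder it stands for. More than one candidate means
    the ~N is the only thing telling them apart (see dir /x).
    """
    prefix = short_name.split("~", 1)[0].upper()
    return sorted(n for n in sibling_names if short_stem(n) == prefix)


def find_folder_mimics(root):
    """Executables posing as folders or as documents under root.

    Flags an executable whose stem equals a sibling directory's name
    (Photos + Photos.exe, the "new folder in every folder" pattern) and
    any executable with a second extension hidden in its stem
    (IMG_002.jpg.scr). Returns (path, reason) tuples.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dir_set = {d.lower() for d in dirnames}
        for name in filenames:
            stem, ext = os.path.splitext(name)
            if ext.lower() not in EXEC_EXT:
                continue
            path = os.path.join(dirpath, name)
            if stem.lower() in dir_set:
                findings.append((path, "executable named like sibling folder"))
            elif "." in stem:
                findings.append((path, "double extension"))
    return findings


def scan_report(root):
    """Sorted (relative path, reason) pairs for find_folder_mimics(root)."""
    return sorted(
        (os.path.relpath(p, root).replace(os.sep, "/"), why)
        for p, why in find_folder_mimics(root)
    )


def build_sample_tree():
    """Constructed pendrive layout for the demo; not data from the thread."""
    root = tempfile.mkdtemp(prefix="pendrive_")
    os.makedirs(os.path.join(root, "Photos", "Holiday"))
    os.makedirs(os.path.join(root, "Program Files", "VMN Toolbar"))
    os.makedirs(os.path.join(root, "Program Files", "Microsoft Office"))
    for rel in ("Photos.exe",                              # mimics the Photos folder
                os.path.join("Photos", "Holiday.exe"),     # mimics Photos\Holiday
                os.path.join("Photos", "IMG_001.jpg"),     # benign
                os.path.join("Photos", "IMG_002.jpg.scr"), # double extension
                "readme.txt"):                             # benign
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("placeholder\n")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    print(short_name_candidates("PROGRA~1", os.listdir(root)))
    print(short_name_candidates("VMNTOO~1", os.listdir(os.path.join(root, "Program Files"))))
    for rel, reason in scan_report(root):
        print(reason, "->", rel)
```

Run against the real pendrive, treat every hit as a file to inspect before it is opened, not as proof of infection: a burned CD made while the problem was present (as asked about in the next post) will carry the same lookalike files, and a scan of it from a cleaned machine is the right order of operations, not opening it first.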

Dr.Web found and removed something (attachment); nothing in Malwarebytes. I ran a full scan in both programs. One more question: once the computer is cleaned, will I be able to safely open the CD that also has this nasty thing on it (I burned it when the problems were already occurring)?

 

And the log:

ComboFix log:
ComboFix 09-09-14.01 - Madzia 2009-09-14 20:44.1.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1250.48.1045.18.2942.2071 [GMT 2:00]

Uruchomiony z: c:\documents and settings\Madzia\Moje dokumenty\Pobieranie\ComboFix.exe

AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}

FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

 

UWAGA - TEN KOMPUTER NIE MA ZAINSTALOWANEJ KONSOLI ODZYSKIWANIA !!

.

 

((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\windows\system32\ieuinit.inf

 

.

((((((((((((((((((((((((( Pliki utworzone od 2009-08-14 do 2009-09-14 )))))))))))))))))))))))))))))))

.

 

2009-09-14 18:09 . 2009-09-14 18:09 -------- d-----w- c:\documents and settings\Madzia\Dane aplikacji\Malwarebytes

2009-09-14 18:09 . 2009-09-10 12:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-14 18:09 . 2009-09-14 18:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-14 18:09 . 2009-09-14 18:09 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\Malwarebytes

2009-09-14 18:09 . 2009-09-10 12:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-14 13:16 . 2009-09-14 13:16 -------- d-----w- c:\documents and settings\Madzia\DoctorWeb

2009-09-13 15:55 . 2009-09-13 15:55 -------- d-----w- c:\program files\Trend Micro

2009-09-06 16:23 . 2008-09-05 00:22 447752 ----a-r- c:\windows\system32\vp6vfw.dll

2009-09-06 16:23 . 2009-09-06 16:23 10134 ----a-r- c:\documents and settings\Madzia\Dane aplikacji\Microsoft\Installer\{E3E71D07-CD27-46CB-8448-16D4FB29AA13}\ARPPRODUCTICON.exe

2009-09-06 16:23 . 2009-09-06 16:23 -------- d-----w- c:\program files\Microsoft WSE

2009-09-06 16:23 . 2006-09-28 14:05 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll

2009-09-06 16:22 . 2009-09-06 16:22 -------- d-----w- c:\windows\Logs

2009-09-06 16:07 . 2009-09-06 16:07 -------- d-----w- c:\program files\Electronic Arts

2009-09-04 15:29 . 2009-09-04 15:29 -------- d-----w- c:\documents and settings\Madzia\Dane aplikacji\Thinstall

2009-09-03 12:58 . 2009-09-03 12:58 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\nView_Profiles

2009-09-03 12:57 . 2009-09-03 12:57 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\NVIDIA

2009-09-01 08:54 . 2009-09-01 08:54 -------- d-----w- c:\documents and settings\Rodzina\Ustawienia lokalne\Dane aplikacji\Google

2009-09-01 08:44 . 2009-09-01 08:45 -------- d-----w- c:\documents and settings\Rodzina\Ustawienia lokalne\Dane aplikacji\Microsoft

2009-09-01 08:44 . 2009-09-01 08:45 -------- d-----r- c:\documents and settings\Rodzina\Ulubione

2009-09-01 08:44 . 2009-08-25 15:27 -------- d-----w- c:\documents and settings\Rodzina\Pulpit

2009-09-01 08:44 . 2009-08-25 15:27 -------- d-----r- c:\documents and settings\Rodzina\Menu Start

2009-09-01 08:44 . 2009-08-25 14:31 -------- d--h--w- c:\documents and settings\Rodzina\Szablony

2009-08-30 22:13 . 2009-08-30 22:13 -------- d-----w- c:\windows\Sun

2009-08-30 22:10 . 2009-08-30 22:10 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-08-30 22:10 . 2009-08-30 22:10 -------- d-----w- c:\program files\Java

2009-08-30 22:09 . 2009-08-30 22:09 152576 ----a-w- c:\documents and settings\Madzia\Dane aplikacji\Sun\Java\jre1.6.0_15\lzma.dll

2009-08-29 22:35 . 2009-08-29 22:35 -------- d-----w- c:\program files\Common Files\Adobe

2009-08-29 22:33 . 2009-02-12 09:35 38208 ----a-w- c:\documents and settings\Madzia\Dane aplikacji\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe

2009-08-29 22:33 . 2009-08-29 22:33 -------- d-----w- c:\program files\Common Files\Adobe AIR

2009-08-29 22:32 . 2009-09-09 12:55 -------- d-----w- c:\documents and settings\Madzia\Ustawienia lokalne\Dane aplikacji\Adobe

2009-08-29 22:31 . 2009-08-30 20:18 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\NOS

2009-08-26 22:04 . 2009-08-26 22:04 -------- d-----w- c:\documents and settings\Madzia\Dane aplikacji\Dynamic

2009-08-26 22:04 . 2009-08-26 22:17 -------- d-----w- c:\documents and settings\Madzia\Dane aplikacji\Sites

2009-08-26 22:04 . 2009-08-26 22:05 -------- d-----w- c:\documents and settings\Madzia\Dane aplikacji\SiteClasses

2009-08-26 22:03 . 2009-08-26 22:04 -------- d-----w- c:\program files\Visicom Media

2009-08-26 17:16 . 2008-11-20 19:19 9200 ------w- c:\windows\system32\drivers\cdralw2k.sys

2009-08-26 17:16 . 2008-11-20 19:19 9072 ------w- c:\windows\system32\drivers\cdr4_xp.sys

2009-08-26 17:15 . 2009-08-26 17:16 -------- d-----w- c:\documents and settings\Madzia\Ustawienia lokalne\Dane aplikacji\Google

2009-08-26 17:15 . 2009-08-26 17:15 -------- d-----w- c:\windows\system32\IOSUBSYS

2009-08-26 17:15 . 2009-08-26 17:15 -------- d-----w- c:\program files\Google

2009-08-26 16:59 . 2009-08-26 16:59 -------- d-----w- c:\documents and settings\Madzia\Ustawienia lokalne\Dane aplikacji\CANON_INC

2009-08-26 16:59 . 2001-10-26 15:29 5632 ----a-w- c:\windows\system32\ptpusb.dll

2009-08-26 16:59 . 2008-04-14 20:50 159232 ----a-w- c:\windows\system32\ptpusd.dll

2009-08-26 16:59 . 2008-04-13 22:15 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys

2009-08-26 16:59 . 2008-04-13 22:15 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys

2009-08-26 12:24 . 2009-08-26 12:24 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\Last.fm

2009-08-26 12:24 . 2009-09-14 14:15 -------- d-----w- c:\documents and settings\Madzia\Ustawienia lokalne\Dane aplikacji\Last.fm

2009-08-26 12:24 . 2009-08-26 12:24 -------- d-----w- c:\program files\Last.fm

2009-08-25 20:13 . 2009-09-14 18:31 -------- d-----w- c:\documents and settings\Madzia\Dane aplikacji\gtk-2.0

2009-08-25 19:51 . 2009-08-25 19:51 -------- d-----w- c:\documents and settings\Madzia\.thumbnails

2009-08-25 19:43 . 2009-08-25 19:43 -------- d-----w- c:\documents and settings\Madzia\Dane aplikacji\Canon

2009-08-25 18:27 . 2009-08-25 18:27 -------- d-----w- c:\documents and settings\Madzia\dwhelper

2009-08-25 18:11 . 2006-10-26 17:56 32592 ----a-w- c:\windows\system32\msonpmon.dll

2009-08-25 18:09 . 2009-08-25 18:09 -------- d-----w- c:\program files\Microsoft Works

2009-08-25 18:09 . 2009-08-25 18:09 -------- d-----w- c:\program files\MSBuild

2009-08-25 18:08 . 2009-08-25 18:08 -------- d-----w- c:\program files\Microsoft.NET

2009-08-25 18:06 . 2009-08-25 18:06 -------- d-----w- c:\program files\Microsoft Visual Studio 8

2009-08-25 18:06 . 2009-08-25 18:08 -------- d-----w- c:\windows\SHELLNEW

2009-08-25 18:05 . 2009-08-25 18:05 -------- d-----w- c:\documents and settings\Madzia\Ustawienia lokalne\Dane aplikacji\Microsoft Help

2009-08-25 18:05 . 2009-08-25 18:11 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\Microsoft Help

2009-08-25 18:05 . 2009-08-25 18:05 -------- d-----r- C:\MSOCache

2009-08-25 17:20 . 2009-09-14 13:24 -------- d-----w- c:\documents and settings\Madzia\Dane aplikacji\Winamp

2009-08-25 17:20 . 2009-08-25 17:21 -------- d-----w- c:\program files\Winamp

2009-08-25 17:17 . 2009-09-14 18:31 -------- d-----w- c:\documents and settings\Madzia\.gimp-2.6

2009-08-25 17:17 . 2009-08-25 17:17 -------- d-----w- c:\program files\GIMP-2.0

 

.

(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-14 18:50 . 2009-08-25 16:38 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\Kaspersky Lab

2009-09-14 18:49 . 2009-08-25 16:38 393248 --sha-w- c:\windows\system32\drivers\fidbox2.dat

2009-09-14 18:49 . 2009-08-25 16:38 4520 --sha-w- c:\windows\system32\drivers\fidbox2.idx

2009-09-14 18:48 . 2009-08-25 16:38 3472928 --sha-w- c:\windows\system32\drivers\fidbox.dat

2009-09-14 18:48 . 2009-08-25 16:38 30308 --sha-w- c:\windows\system32\drivers\fidbox.idx

2009-09-14 18:04 . 2009-08-25 16:53 -------- d-----w- c:\program files\Mozilla Thunderbird

2009-09-10 21:38 . 2009-08-25 16:39 95259 ----a-w- c:\windows\system32\drivers\klick.dat

2009-09-10 21:38 . 2009-08-25 16:39 107547 ----a-w- c:\windows\system32\drivers\klin.dat

2009-09-06 16:07 . 2009-08-25 15:38 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-09-01 08:54 . 2009-09-01 08:48 -------- d-----w- c:\documents and settings\Rodzina\Dane aplikacji\VMNTOOLBAR

2009-09-01 08:52 . 2009-09-01 08:52 -------- d-----w- c:\documents and settings\Rodzina\Dane aplikacji\gtk-2.0

2009-09-01 08:45 . 2009-09-01 08:45 69232 ----a-w- c:\documents and settings\Rodzina\Ustawienia lokalne\Dane aplikacji\GDIPFONTCACHEV1.DAT

2009-08-27 16:37 . 2009-08-25 15:52 -------- d-----w- c:\documents and settings\Madzia\Dane aplikacji\Ahead

2009-08-26 08:15 . 2009-08-25 15:25 69232 ----a-w- c:\documents and settings\Madzia\Ustawienia lokalne\Dane aplikacji\GDIPFONTCACHEV1.DAT

2009-08-25 16:55 . 2009-08-25 16:55 -------- d-----w- c:\program files\MozBackup

2009-08-25 16:53 . 2009-08-25 16:53 -------- d-----w- c:\documents and settings\Madzia\Dane aplikacji\Thunderbird

2009-08-25 16:48 . 2008-01-29 15:29 33808 ----a-w- c:\windows\system32\drivers\klbg.sys

2009-08-25 16:47 . 2009-08-25 16:47 -------- d-----w- c:\program files\Gadu-Gadu

2009-08-25 16:38 . 2009-08-25 16:38 -------- d-----w- c:\program files\Kaspersky Lab

2009-08-25 16:38 . 2009-08-25 16:38 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\Kaspersky Lab Setup Files

2009-08-25 16:27 . 2001-10-26 16:15 74230 ----a-w- c:\windows\system32\perfc015.dat

2009-08-25 16:27 . 2001-10-26 16:15 448004 ----a-w- c:\windows\system32\perfh015.dat

2009-08-25 16:26 . 2009-08-25 16:26 0 ----a-w- c:\windows\nsreg.dat

2009-08-25 16:07 . 2009-08-25 16:07 -------- d-----w- c:\program files\Samsung ML-2010 Series

2009-08-25 16:07 . 2009-08-25 15:32 -------- d-----w- c:\program files\Common Files\InstallShield

2009-08-25 16:02 . 2009-08-25 16:01 -------- d-----w- c:\program files\Canon

2009-08-25 15:58 . 2009-08-25 15:58 -------- d-----w- c:\program files\Common Files\Canon

2009-08-25 15:52 . 2009-08-25 15:52 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\Ahead

2009-08-25 15:52 . 2009-08-25 15:50 -------- d-----w- c:\program files\Common Files\Ahead

2009-08-25 15:50 . 2009-08-25 15:50 -------- d-----w- c:\program files\Nero

2009-08-25 15:50 . 2009-08-25 15:50 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\Nero

2009-08-25 15:38 . 2009-08-25 15:38 -------- d-----w- c:\program files\Realtek

2009-08-25 15:38 . 2009-08-25 15:38 315392 ----a-w- c:\windows\HideWin.exe

2009-08-25 14:59 . 2009-08-25 14:32 23016 ----a-w- c:\windows\system32\emptyregdb.dat

2009-08-25 14:34 . 2009-08-25 14:34 -------- d-----w- c:\program files\microsoft frontpage

2009-08-25 14:31 . 2009-08-25 14:31 -------- d-----w- c:\program files\Usługi online

.

 

((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-01 153136]

"Gadu-Gadu"="c:\program files\Gadu-Gadu\gg.exe" [2005-03-31 790528]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-16 7630848]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-16 86016]

"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]

"Samsung Common SM"="c:\windows\Samsung\ComSMMgr\ssmmgr.exe" [2005-07-03 372736]

"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2009-08-25 208616]

"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-07-01 37888]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-30 149280]

"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-08-16 1617920]

"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-12-19 16062464]

"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-16 2879488]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]

"DisableMonitoring"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"6773:TCP"= 6773:TCP:egjxb

 

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-01-29 33808]

R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [2008-03-13 26640]

R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-04-30 24592]

S2 dbhjs;Security Monitor;c:\windows\system32\svchost.exe -k netsvcs [2002-09-29 14336]

 

--- Inne Usługi/Sterowniki w Pamięci ---

 

*NewlyCreated* - DBHJS

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

dbhjs

.

.

------- Skan uzupełniający -------

.

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&ksportuj do programu Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\Madzia\Dane aplikacji\Mozilla\Firefox\Profiles\pl1qc6ir.default\

FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll

.

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-14 20:50

Windows 5.1.2600 Dodatek Service Pack 3 NTFS

 

skanowanie ukrytych procesów ...

 

skanowanie ukrytych wpisów autostartu ...

 

skanowanie ukrytych plików ...

 

skanowanie pomyślnie ukończone

ukryte pliki: 0

 

**************************************************************************

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dbhjs]

"ServiceDll"="c:\windows\system32\jadnz.dll"

.

--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------

 

- - - - - - - > 'explorer.exe'(3412)

c:\windows\system32\nview.dll

c:\windows\system32\NVWRSPL.DLL

c:\windows\system32\nvwddi.dll

.

------------------------ Pozostałe uruchomione procesy ------------------------

.

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\nvsvc32.exe

c:\windows\system32\wdfmgr.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\rundll32.exe

c:\windows\system32\rundll32.exe

c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe

c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe

.

**************************************************************************

.

Czas ukończenia: 2009-09-14 20:51 - komputer został uruchomiony ponownie

ComboFix-quarantined-files.txt 2009-09-14 18:51

 

Przed: 18 193 580 032 bajtów wolnych

Po: 18 163 564 544 bajtów wolnych

 

post-173788-1252954516_thumb.jpg
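As an added example (not part of the thread, not a ComboFix feature), a small Python triage helper that reads the service and firewall sections of the ComboFix log above and flags what a helper on this forum would look at first: a newly created service hosted inside svchost.exe together with the ServiceDll it resolves to, every globally opened firewall port, and the Windows Firewall being switched off. The sample input is copied from the log posted above; the regexes are this example's own reading of the ComboFix line shapes.

```python
import re

# Constructed excerpt: these lines are copied from the ComboFix log posted in the thread.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6773:TCP"= 6773:TCP:egjxb
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-01-29 33808]
S2 dbhjs;Security Monitor;c:\windows\system32\svchost.exe -k netsvcs [2002-09-29 14336]
*NewlyCreated* - DBHJS
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dbhjs]
"ServiceDll"="c:\windows\system32\jadnz.dll"
"""

# ComboFix line shapes (these patterns are this example's own, derived from the log above).
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[", re.M)  # R0 name;display;image [date size]
NEWLY_RE = re.compile(r"^\*NewlyCreated\*\s+-\s+(\S+)", re.M)
SVCDLL_RE = re.compile(
    r'^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\([^\]]+)\]\s*\n"ServiceDll"="([^"]+)"', re.M)
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(\S+)', re.M)
FIREWALL_OFF_RE = re.compile(r'^"EnableFirewall"=\s*0\b', re.M)


def triage(log: str) -> list[str]:
    """Return human-readable findings for the persistence and firewall indicators in a ComboFix log."""
    findings = []
    newly_created = {name.lower() for name in NEWLY_RE.findall(log)}
    service_dlls = {name.lower(): dll for name, dll in SVCDLL_RE.findall(log)}

    for _state, name, display, image in SERVICE_RE.findall(log):
        key = name.strip().lower()
        # A brand-new service that runs inside svchost.exe exists only as its ServiceDll,
        # so that DLL path is what a helper needs to look at next.
        if "svchost.exe" in image.lower() and key in newly_created:
            findings.append(
                f"newly created svchost-hosted service {name} ({display!r}); "
                f"ServiceDll={service_dlls.get(key, '<not in log>')}")

    # Every globally opened port is an inbound exception worth confirming; a meaningless label is a red flag.
    for port, proto, label in PORT_RE.findall(log):
        findings.append(f"firewall exception opens {port}/{proto} globally under label {label!r}")

    if FIREWALL_OFF_RE.search(log):
        findings.append("Windows Firewall is off (EnableFirewall=0) in the standard profile")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print("!!", finding)
```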
