Logi. Problemy po formacie, część rozwiązana.

[ferenchy]

Hej, formatowałem dysk, ale mam problem z robaczkami itp. Usunąłem problem zacinania się kompa po ok. 2 minutach od włączenia. Ale coś nadal siedzi, winmgrd.exe (wyczaiłem, skasować?) i msdll.exe chcą się łączyć z netem.

HiJack This

Kod: Zaznacz cały

Logfile of HijackThis v1.99.1
Scan saved at 02:28, on 2007-06-07
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system\msdll.exe
D:\Programy\Sygate\SPF\smc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = L1cza
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx (file missing)
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SmcService] D:\Programy\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SYSTEM] winmgrd.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [Microsft Security Monitor Process] mssmpp.exe
O4 - HKLM\..\RunServices: [SYSTEM] winmgrd.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SYSTEM] winmgrd.exe
O4 - HKCU\..\RunServices: [SYSTEM] winmgrd.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{6698C29F-41AC-447C-A599-52F7CBA1334F}: NameServer = 194.204.159.1 217.98.63.164
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: msdll - Unknown owner - C:\WINDOWS\system\msdll.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - D:\Programy\Sygate\SPF\smc.exe

Silent Runners

Kod: Zaznacz cały

"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\System32\ctfmon.exe" [MS]
"SYSTEM" = "winmgrd.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ATIModeChange" = "Ati2mdxx.exe" ["ATI Technologies, Inc."]
"SmcService" = "D:\Programy\Sygate\SPF\smc.exe -startgui" ["Sygate Technologies, Inc."]
"SYSTEM" = "winmgrd.exe" [null data]
"KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k"

HKLM\Software\Microsoft\Active Setup\Installed Components\
{306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default) = (no title provided)
                                       \StubPath   = ""C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{8A61098D-612B-4EF2-943D-64E920684061}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\WINDOWS\System32\cbxvvww.dll" [null data]
{9E21B048-C8F6-4685-ACEC-29E878CC1A72}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\WINDOWS\System32\pmkhg.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
                   \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
                   \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{8A61098D-612B-4EF2-943D-64E920684061}" = "*\" (unwritable string)
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\WINDOWS\System32\cbxvvww.dll" [null data]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> cbxvvww\DLLName = "cbxvvww.dll" [null data]
<<!>> pmkhg\DLLName = "C:\WINDOWS\System32\pmkhg.dll" [null data]


Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\web\wallpaper\Idylla.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\web\wallpaper\Idylla.bmp"


Startup items in "Kuba" & "All Users" startup folders:
------------------------------------------------------

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"DSLMON" -> shortcut to: "C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe" [empty string]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
: ˙ţ[ V e r s i o n ]
 
:  S i g n a t u r e = " $ C H I C A G O $ "
 
:  A d v a n c e d I N F = 2 . 5 , " Y o u   n e e d   a   n e w   v e r s i o n   o f   a d v p a c k . d l l "
 
: 
 
:  [ R e s t o r e H o m e P a g e ]
 
:  A d d R e g = R e s t o r e H o m e P a g e . r e g
 
: 
 
:  [ R e s t o r e B r o w s e r S e t t i n g s ]
 
:  A d d R e g = R e s t o r e B r o w s e r S e t t i n g s . r e g
 
:  D e l R e g = D e l e t e T e m p l a t e s . r e g ,   D e l e t e A u t o s e a r c h . r e g
 
: 
 
:  [ R e s t o r e H o m e P a g e . r e g ]
 
:  H K C U , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t   E x p l o r e r \ M a i n " , " S t a r t   P a g e " , 0 , % S T A R T _ P A G E _ U R L %
 
: 
 
:  [ R e s t o r e B r o w s e r S e t t i n g s . r e g ]
 
:  H K L M , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t   E x p l o r e r \ M a i n " , " D e f a u l t _ P a g e _ U R L " , 0 , % S T A R T _ P A G E _ U R L %
 
:  H K L M , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t   E x p l o r e r \ M a i n " , " D e f a u l t _ S e a r c h _ U R L " , 0 , % S E A R C H _ P A G E _ U R L %
 
:  H K L M , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t   E x p l o r e r \ M a i n " , " S e a r c h   P a g e " , 0 , % S E A R C H _ P A G E _ U R L %
 
:  H K L M , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t   E x p l o r e r \ M a i n \ U r l T e m p l a t e " , " 1 " , 0 , " w w w . % s . c o m "
 
:  H K L M , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t   E x p l o r e r \ M a i n \ U r l T e m p l a t e " , " 2 " , 0 , " w w w . % s . o r g "
 
:  H K L M , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t   E x p l o r e r \ M a i n \ U r l T e m p l a t e " , " 3 " , 0 , " w w w . % s . n e t "
 
:  H K L M , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t   E x p l o r e r \ M a i n \ U r l T e m p l a t e " , " 4 " , 0 , " w w w . % s . e d u "
 
:  H K C U , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t   E x p l o r e r \ M a i n " , " S e a r c h   P a g e " , 0 , % S E A R C H _ P A G E _ U R L %
 
: 
 
:  ;   N O T E   ( a n d r e w g u )   i e 5 . 5   b # 1 0 8 2 5 9   -   a u t o s e a r c h   s e t t i n g s   a r e   n o t   p r o p e r l y   r e s e t
 
:  H K C U , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t   E x p l o r e r \ S e a r c h U r l " , " P r o v i d e r " , 0 , " "
 
: 
 
:                                                                                                                                                                                                                                                                      t m "
 
:                                                                                                                                                                                                                                                                      t m "
 
:  H K L M , " S o f t w a r e \ M i c r o s o f t \ W i n d o w s \ C u r r e n t V e r s i o n \ I n t e r n e t   S e t t i n g s \ S a f e S i t e s " , % S A F E S I T E _ V A L U E % , 0 , " h t t p : / / i e . s e a r c h . m s n . c o m / * "
 
: 
 
:  [ D e l e t e T e m p l a t e s . r e g ]
 
:  H K L M , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t   E x p l o r e r \ M a i n \ U r l T e m p l a t e " , " 5 "
 
:  H K L M , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t   E x p l o r e r \ M a i n \ U r l T e m p l a t e " , " 6 "
 
:  H K L M , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t   E x p l o r e r \ M a i n \ U r l T e m p l a t e " , " 7 "
 
:  H K L M , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t   E x p l o r e r \ M a i n \ U r l T e m p l a t e " , " 8 "
 
:  H K L M , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t   E x p l o r e r \ M a i n \ U r l T e m p l a t e " , " 9 "
 
: 
 
:  [ D e l e t e A u t o s e a r c h . r e g ]
 
:  ;   N O T E   ( a n d r e w g u )   i e 5 . 5   b # 1 0 8 2 5 9   -   a u t o s e a r c h   s e t t i n g s   a r e   n o t   p r o p e r l y   r e s e t
 
:  H K C U , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t   E x p l o r e r \ M a i n " , " A u t o S e a r c h "
 
: 
 
:  [ S t r i n g s ]
 
:  S T A R T _ P A G E _ U R L = " h t t p : / / w w w . m i c r o s o f t . c o m / i s a p i / r e d i r . d l l ? p r d = i e & p v e r = 6 & a r = m s n h o m e "
 
:  S E A R C H _ P A G E _ U R L = " h t t p : / / w w w . m i c r o s o f t . c o m / i s a p i / r e d i r . d l l ? p r d = i e & a r = i e s e a r c h "
 
:  S A F E S I T E _ V A L U E = " i e . s e a r c h . m s n . c o m "
 
: 
 
:  ;   I M P O R T A N T   N O T E :
 
:  ;   I E   b r a n d i n g   d l l   ( i e d k c s 3 2 . d l l )   u s e s   t h e   f o l l o w i n g   e n t r i e s   t o   r e s t o r e   t h e   d e f a u l t   M S   v a l u e s .
 
:  ;   I n   t h e   v a n i l l a   v e r s i o n   o f   I E ,   t h e   v a l u e s   m u s t   b e   t h e   s a m e   a s   t h e i r   c o r r e s p o n d i n g   n o n   M S _ *   v a l u e s .
 
:  ;   F o r   e x a m p l e ,   S T A R T _ P A G E _ U R L   a n d   M S _ S T A R T _ P A G E _ U R L   m u s t   h a v e   t h e   s a m e   U R L   i n   t h e   I E   v e r s i o n   r e l e a s e d   b y   M S .
 
:  M S _ S T A R T _ P A G E _ U R L = " h t t p : / / w w w . m i c r o s o f t . c o m / i s a p i / r e d i r . d l l ? p r d = i e & p v e r = 6 & a r = m s n h o m e "
 
: 

Missing lines (compared with English-language version):
[Version]: 2 lines
[RestoreHomePage]: 1 line
[RestoreHomePage.reg]: 1 line
[RestoreBrowserSettings.reg]: 12 lines
[DeleteTemplates.reg]: 5 lines
[DeleteAutosearch.reg]: 1 line
[Strings]: 1 line
[RestoreBrowserSettings]: 2 lines
[Strings]: 3 lines


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."]
msdll, msdll, ""C:\WINDOWS\system\msdll.exe"" [null data]
Sygate Personal Firewall Pro, SmcService, "D:\Programy\Sygate\SPF\smc.exe" ["Sygate Technologies, Inc."]


----------
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
  took 67 seconds.
---------- (total run time: 212 seconds)


Dzięki

[adam9870]

Użyj Windows Worms Doors Cleanera zmień znaczki z disable na enable (wszystkie znaczki maja być na zielono, jeżeli któryś z nich będzie na żółto to go zostaw). Po użyciu narzędzia wymagany jest restart.

Pobierz Gmer'a.

Teraz czynności będziesz wykonywał w Gmerze więc uruchom go, poczekaj chwilkę, kliknij na zakładkę >>> w celu otworzenia pozostałych.

- w zakładce Procesy wybierz Gmer awaryjny. Komputer się zrestartuje i zostanie samo okienko Gmer'a
- w zakładce Usługi skasuj z prawokliku usługę msdll
- w zakładce Procesy kliknij Pliki i usuń ręcznie następujące pliki:

C:\WINDOWS\system\msdll.exe
C:\WINDOWS\System32\winmgrd.exe
C:\WINDOWS\System32\mssmpp.exe
C:\WINDOWS\System32\cbxvvww.dll
C:\WINDOWS\System32\pmkhg.dll

- zrestartuj komputer przyciskiem na obudowie
- uruchom Gmer'a i w zakładce CMD z zaznaczoną opcją REGEDIT.EXE wklej:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SYSTEM"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SYSTEM"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8A61098D-612B-4EF2-943D-64E920684061}]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9E21B048-C8F6-4685-ACEC-29E878CC1A72}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{8A61098D-612B-4EF2-943D-64E920684061}"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cbxvvww]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pmkhg]

- kliknij Uruchom i reset.

O4 - HKLM\..\Run: [SYSTEM] winmgrd.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [Microsft Security Monitor Process] mssmpp.exe
O4 - HKLM\..\RunServices: [SYSTEM] winmgrd.exe
O4 - HKCU\..\Run: [SYSTEM] winmgrd.exe
O4 - HKCU\..\RunServices: [SYSTEM] winmgrd.exe
O23 - Service: msdll - Unknown owner - C:\WINDOWS\system\msdll.exe

Usuń wpisy HJT.

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx (file missing)

Czy masz jeszcze zainstalowanego Windows Media Playera bądź coś kombinowałeś przy nim?

Użyj VundoFix + FixVundo + VirtumundoBeGone. Wszystkie narzędzia należy uruchomić w trybie awaryjnym.

Wrzuć log z ComboFix. Aby zrobić w nim log należy go uruchomić => nacisnąć klawisz Y => czekać cierpliwie i log powinien być w formie pliku .txt o nazwie combofix na partycji C.

[ferenchy]

WMP jest zainstalowany, usunąłem ten plik, ale go przywróciłem.


Combofix

Kod: Zaznacz cały

"Kuba" - 2007-06-07 12:09:02    Dodatek Service Pack. 1  NTFS 
ComboFix 07-06-3B - Running from: "C:\Documents and Settings\Kuba\Pulpit\"


(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\crypts.dll


(((((((((((((((((((((((((   Files Created from 2007-05-07 to 2007-06-07  )))))))))))))))))))))))))))))))


2007-06-07 11:44   <DIR>   d--------   C:\VundoFix Backups
2007-06-07 01:56   <DIR>   dr-hsc---   C:\WINDOWS\system32\dllcache
2007-06-07 01:56   <DIR>   dr--s----   C:\WINDOWS\Fonts
2007-06-07 01:56   <DIR>   dr-------   C:\WINDOWS\Web
2007-06-07 01:56   <DIR>   d--h-----   C:\WINDOWS\inf
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\WinSxS
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\twain_32
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\system32\wins
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\system32\wbem
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\system32\usmt
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\system32\spool
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\system32\ShellExt
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\system32\Setup
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\system32\ras
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\system32\oobe
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\system32\npp
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\system32\mui
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\system32\inetsrv
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\system32\IME
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\system32\icsxml
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\system32\ias
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\system32\export
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\system32\drivers\etc
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\system32\drivers\disdn
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\system32\drivers
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\system32\dhcp
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\system32\config
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\system32\3com_dmi
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\system32\3076
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\system32\2052
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\system32\1054
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\system32\1045
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\system32\1042
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\system32\1041
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\system32\1037
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\system32\1033
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\system32\1031
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\system32\1028
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\system32\1025
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\system32
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\system
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\security
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\Resources
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\repair
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\mui
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\msapps
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\msagent
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\Media
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\ime
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\Help
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\Driver Cache
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\Debug
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\Cursors
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\Connection Wizard
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\Config
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\AppPatch
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\addins
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS
2007-06-07 01:55   83,592   --a------   C:\WINDOWS\system32\SSSensor.dll
2007-06-07 01:55   61,008   --a------   C:\WINDOWS\system32\drivers\Teefer.sys
2007-06-07 01:55   21,075   --a------   C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2007-06-07 01:55   14,944   --a------   C:\WINDOWS\system32\drivers\wg6n.sys
2007-06-07 01:55   14,944   --a------   C:\WINDOWS\system32\drivers\wg5n.sys
2007-06-07 01:55   14,944   --a------   C:\WINDOWS\system32\drivers\wg4n.sys
2007-06-07 01:55   14,944   --a------   C:\WINDOWS\system32\drivers\wg3n.sys
2007-06-07 01:52   <DIR>   d--------   C:\Program Files\Common Files\Wise Installation Wizard
2007-06-07 01:50   <DIR>   d--hs----   C:\RECYCLER
2007-06-07 01:46   524,288   --ah-----   C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-06-07 01:46   <DIR>   dr-h-----   C:\DOCUME~1\ADMINI~1\Dane aplikacji
2007-06-07 01:46   <DIR>   dr-------   C:\DOCUME~1\ADMINI~1\Menu Start
2007-06-07 01:46   <DIR>   d--h-----   C:\DOCUME~1\ADMINI~1\Ustawienia lokalne
2007-06-07 01:46   <DIR>   d--h-----   C:\DOCUME~1\ADMINI~1\Szablony
2007-06-07 01:46   <DIR>   d--------   C:\DOCUME~1\ADMINI~1\Ulubione
2007-06-07 01:46   <DIR>   d--------   C:\DOCUME~1\ADMINI~1\Pulpit
2007-06-07 01:46   <DIR>   d--------   C:\DOCUME~1\ADMINI~1\Moje dokumenty
2007-06-07 01:37   <DIR>   d--------   C:\WINDOWS\pss
2007-06-07 01:29   <DIR>   d--------   C:\!KillBox
2007-06-07 01:06   <DIR>   d--------   C:\DOCUME~1\Kuba\DANEAP~1\Lavasoft
2007-06-07 01:05   57,856   --a------   C:\WINDOWS\system32\drivers\redbook.sys
2007-06-07 01:05   3,072   --a------   C:\WINDOWS\system32\drivers\audstub.sys
2007-06-07 01:04   9,344   --a------   C:\WINDOWS\system32\drivers\compbatt.sys
2007-06-07 01:04   70,144   --a------   C:\WINDOWS\system32\usbui.dll
2007-06-07 01:04   6,400   --a------   C:\WINDOWS\system32\drivers\enum1394.sys
2007-06-07 01:04   31,232   --a------   C:\WINDOWS\system32\drivers\sisnic.sys
2007-06-07 01:04   26,112   --a------   C:\WINDOWS\system32\drivers\SISAGP.SYS
2007-06-07 01:04   14,080   --a------   C:\WINDOWS\system32\drivers\battc.sys
2007-06-07 01:04   13,184   --a------   C:\WINDOWS\system32\drivers\CmBatt.sys
2007-06-07 01:03   9,936   --a------   C:\WINDOWS\system\LZEXPAND.DLL
2007-06-07 01:03   9,168   --a------   C:\WINDOWS\system\VER.DLL
2007-06-07 01:03   85,532   --a------   C:\WINDOWS\system32\dgsetup.dll
2007-06-07 01:03   83,456   --a------   C:\WINDOWS\system\OLECLI.DLL
2007-06-07 01:03   8,192   -ra------   C:\WINDOWS\system32\kbdhept.dll
2007-06-07 01:03   72,192   --a------   C:\WINDOWS\system32\storprop.dll
2007-06-07 01:03   70,096   --a------   C:\WINDOWS\system\AVICAP.DLL
2007-06-07 01:03   7,168   --a------   C:\WINDOWS\system32\kbdcz.dll
2007-06-07 01:03   69,712   --a------   C:\WINDOWS\system\MMSYSTEM.DLL
2007-06-07 01:03   67,072   --a------   C:\WINDOWS\NOTEPAD.EXE
2007-06-07 01:03   6,656   -ra------   C:\WINDOWS\system32\kbdhela3.dll
2007-06-07 01:03   6,656   --a------   C:\WINDOWS\system32\kbdycl.dll
2007-06-07 01:03   6,656   --a------   C:\WINDOWS\system32\kbdsl1.dll


((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-06 22:33:07   49,690   ----a-w   C:\WINDOWS\system32\perfc015.dat
2007-06-06 22:33:07   355,724   ----a-w   C:\WINDOWS\system32\perfh015.dat
2007-06-06 22:10:39   --------   d-----w   C:\Program Files\Usługi online


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
 
 
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{2E5F7E88-F76A-4715-9981-DC7E202A96AD}=C:\WINDOWS\System32\pmkhg.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2002-07-25 03:02 C:\WINDOWS\system32\Ati2mdxx.exe]
"SmcService"="D:\Programy\Sygate\SPF\smc.exe" [2005-09-27 12:16]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2002-09-23 14:00]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runservices]
"SYSTEM"=winmgrd.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"SYSTEM"=winmgrd.exe
"Office Monitor Word Exel R"=C:\WINDOWS\System32\u.exe
"Network Security"=C:\WINDOWS\System32\NSecurity.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LTSMMSG]
LTSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsft Security Monitor Process]
mssmpp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msvccc66]
svcchosst.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spooler SubSystem App]
C:\WINDOWS\System32\spooIsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SYSTEM]
winmgrd.exe

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


**************************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-07 12:09:28
Windows 5.1.2600 Dodatek Service Pack. 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-07 12:09:50
C:\ComboFix-quarantined-files.txt ... 2007-06-07 12:09

   --- E O F ---


HJT

Kod: Zaznacz cały

Logfile of HijackThis v1.99.1
Scan saved at 12:16:23, on 2007-06-07
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
D:\Programy\Sygate\SPF\smc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: (no name) - {2E5F7E88-F76A-4715-9981-DC7E202A96AD} - C:\WINDOWS\System32\pmkhg.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SmcService] D:\Programy\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{6698C29F-41AC-447C-A599-52F7CBA1334F}: NameServer = 194.204.159.1 217.98.63.164
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - D:\Programy\Sygate\SPF\smc.exe

Kod: Zaznacz cały

O2 - BHO: (no name) - {2E5F7E88-F76A-4715-9981-DC7E202A96AD} - C:\WINDOWS\System32\pmkhg.dll (file missing)

Tak ma być?
Dzięki

[adam9870]

Teraz czynności będziesz wykonywał w Gmerze więc uruchom go, poczekaj chwilkę, kliknij na zakładkę >>> w celu otworzenia pozostałych.

- w zakładce Procesy wybierz Gmer awaryjny. Komputer się zrestartuje i zostanie samo okienko Gmer'a
- w zakładce Procesy kliknij Pliki i usuń ręcznie następujące pliki: (jeśli będą)

C:\WINDOWS\System32\pmkhg.dll
C:\WINDOWS\System32\u.exe
C:\WINDOWS\System32\NSecurity.exe
C:\WINDOWS\System32\mssmpp.exe
C:\WINDOWS\System32\svcchosst.exe
C:\WINDOWS\System32\winmgrd.exe
C:\WINDOWS\System32\spooIsv.exe

- zrestartuj komputer przyciskiem na obudowie
- uruchom Gmer'a i w zakładce CMD z zaznaczoną opcją REGEDIT.EXE wklej:

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2E5F7E88-F76A-4715-9981-DC7E202A96AD}]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runservices]
"SYSTEM"=-

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"SYSTEM"=-
"Office Monitor Word Exel R"=-
"Network Security"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsft Security Monitor Process]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msvccc66]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spooler SubSystem App]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SYSTEM]

- kliknij Uruchom i reset.

O2 - BHO: (no name) - {2E5F7E88-F76A-4715-9981-DC7E202A96AD} - C:\WINDOWS\System32\pmkhg.dll (file missing)

Usuń wpis HJT.

Po wykonaniu wklej komplet nowych logów.

[ferenchy]

To mam problem bo usunąłem nie spooIsv tylko spoolsv ;p

HJT

Kod: Zaznacz cały

Logfile of HijackThis v1.99.1
Scan saved at 13:39:22, on 2007-06-07
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Ati2evxx.exe
D:\Programy\Sygate\SPF\smc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SmcService] D:\Programy\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{6698C29F-41AC-447C-A599-52F7CBA1334F}: NameServer = 194.204.159.1 217.98.63.164
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - D:\Programy\Sygate\SPF\smc.exe
O23 - Service: Bufor wydruku (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing)



Combofix

Kod: Zaznacz cały

"Kuba" - 2007-06-07 13:39:40    Dodatek Service Pack. 1  NTFS 
ComboFix 07-06-3B - Running from: "C:\Documents and Settings\Kuba\Pulpit\"


(((((((((((((((((((((((((   Files Created from 2007-05-07 to 2007-06-07  )))))))))))))))))))))))))))))))


2007-06-07 12:09   49,152   --a------   C:\WINDOWS\nircmd.exe
2007-06-07 11:44   <DIR>   d--------   C:\VundoFix Backups
2007-06-07 01:56   <DIR>   dr-hsc---   C:\WINDOWS\system32\dllcache
2007-06-07 01:56   <DIR>   dr--s----   C:\WINDOWS\Fonts
2007-06-07 01:56   <DIR>   dr-------   C:\WINDOWS\Web
2007-06-07 01:56   <DIR>   d--h-----   C:\WINDOWS\inf
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\WinSxS
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\twain_32
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\system32\wins
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\system32\wbem
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\system32\usmt
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\system32\spool
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\system32\ShellExt
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\system32\Setup
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\system32\ras
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\system32\oobe
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\system32\npp
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\system32\mui
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\system32\inetsrv
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\system32\IME
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\system32\icsxml
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\system32\ias
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\system32\export
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\system32\drivers\etc
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\system32\drivers\disdn
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\system32\drivers
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\system32\dhcp
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\system32\config
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\system32\3com_dmi
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\system32\3076
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\system32\2052
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\system32\1054
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\system32\1045
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\system32\1042
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\system32\1041
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\system32\1037
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\system32\1033
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\system32\1031
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\system32\1028
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\system32\1025
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\system32
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\system
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\security
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\Resources
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\repair
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\mui
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\msapps
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\msagent
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\Media
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\ime
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\Help
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\Driver Cache
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\Debug
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\Cursors
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\Connection Wizard
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\Config
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\AppPatch
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS\addins
2007-06-07 01:56   <DIR>   d--------   C:\WINDOWS
2007-06-07 01:55   83,592   --a------   C:\WINDOWS\system32\SSSensor.dll
2007-06-07 01:55   61,008   --a------   C:\WINDOWS\system32\drivers\Teefer.sys
2007-06-07 01:55   21,075   --a------   C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2007-06-07 01:55   14,944   --a------   C:\WINDOWS\system32\drivers\wg6n.sys
2007-06-07 01:55   14,944   --a------   C:\WINDOWS\system32\drivers\wg5n.sys
2007-06-07 01:55   14,944   --a------   C:\WINDOWS\system32\drivers\wg4n.sys
2007-06-07 01:55   14,944   --a------   C:\WINDOWS\system32\drivers\wg3n.sys
2007-06-07 01:52   <DIR>   d--------   C:\Program Files\Common Files\Wise Installation Wizard
2007-06-07 01:50   <DIR>   d--hs----   C:\RECYCLER
2007-06-07 01:46   524,288   --ah-----   C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-06-07 01:46   <DIR>   dr-h-----   C:\DOCUME~1\ADMINI~1\Dane aplikacji
2007-06-07 01:46   <DIR>   dr-------   C:\DOCUME~1\ADMINI~1\Menu Start
2007-06-07 01:46   <DIR>   d--h-----   C:\DOCUME~1\ADMINI~1\Ustawienia lokalne
2007-06-07 01:46   <DIR>   d--h-----   C:\DOCUME~1\ADMINI~1\Szablony
2007-06-07 01:46   <DIR>   d--------   C:\DOCUME~1\ADMINI~1\Ulubione
2007-06-07 01:46   <DIR>   d--------   C:\DOCUME~1\ADMINI~1\Pulpit
2007-06-07 01:46   <DIR>   d--------   C:\DOCUME~1\ADMINI~1\Moje dokumenty
2007-06-07 01:37   <DIR>   d--------   C:\WINDOWS\pss
2007-06-07 01:29   <DIR>   d--------   C:\!KillBox
2007-06-07 01:06   <DIR>   d--------   C:\DOCUME~1\Kuba\DANEAP~1\Lavasoft
2007-06-07 01:05   57,856   --a------   C:\WINDOWS\system32\drivers\redbook.sys
2007-06-07 01:05   3,072   --a------   C:\WINDOWS\system32\drivers\audstub.sys
2007-06-07 01:04   9,344   --a------   C:\WINDOWS\system32\drivers\compbatt.sys
2007-06-07 01:04   70,144   --a------   C:\WINDOWS\system32\usbui.dll
2007-06-07 01:04   6,400   --a------   C:\WINDOWS\system32\drivers\enum1394.sys
2007-06-07 01:04   31,232   --a------   C:\WINDOWS\system32\drivers\sisnic.sys
2007-06-07 01:04   26,112   --a------   C:\WINDOWS\system32\drivers\SISAGP.SYS
2007-06-07 01:04   14,080   --a------   C:\WINDOWS\system32\drivers\battc.sys
2007-06-07 01:04   13,184   --a------   C:\WINDOWS\system32\drivers\CmBatt.sys
2007-06-07 01:03   9,936   --a------   C:\WINDOWS\system\LZEXPAND.DLL
2007-06-07 01:03   9,168   --a------   C:\WINDOWS\system\VER.DLL
2007-06-07 01:03   85,532   --a------   C:\WINDOWS\system32\dgsetup.dll
2007-06-07 01:03   83,456   --a------   C:\WINDOWS\system\OLECLI.DLL
2007-06-07 01:03   8,192   -ra------   C:\WINDOWS\system32\kbdhept.dll
2007-06-07 01:03   72,192   --a------   C:\WINDOWS\system32\storprop.dll
2007-06-07 01:03   70,096   --a------   C:\WINDOWS\system\AVICAP.DLL
2007-06-07 01:03   7,168   --a------   C:\WINDOWS\system32\kbdcz.dll
2007-06-07 01:03   69,712   --a------   C:\WINDOWS\system\MMSYSTEM.DLL
2007-06-07 01:03   67,072   --a------   C:\WINDOWS\NOTEPAD.EXE
2007-06-07 01:03   6,656   -ra------   C:\WINDOWS\system32\kbdhela3.dll
2007-06-07 01:03   6,656   --a------   C:\WINDOWS\system32\kbdycl.dll


((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-06 22:33:07   49,690   ----a-w   C:\WINDOWS\system32\perfc015.dat
2007-06-06 22:33:07   355,724   ----a-w   C:\WINDOWS\system32\perfh015.dat
2007-06-06 22:10:39   --------   d-----w   C:\Program Files\Usługi online


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
 
 
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2002-07-25 03:02 C:\WINDOWS\system32\Ati2mdxx.exe]
"SmcService"="D:\Programy\Sygate\SPF\smc.exe" [2005-09-27 12:16]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2002-09-23 14:00]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LTSMMSG]
LTSMMSG.exe

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


**************************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-07 13:40:05
Windows 5.1.2600 Dodatek Service Pack. 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-07 13:40:28
C:\ComboFix-quarantined-files.txt ... 2007-06-07 13:40
C:\ComboFix2.txt ... 2007-06-07 12:09

   --- E O F ---


EDIT: Skopiowałem spoolsv.exe z ...\system32\dllcache do ...\system32.

Kod: Zaznacz cały

Logfile of HijackThis v1.99.1
Scan saved at 13:50:04, on 2007-06-07
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Ati2evxx.exe
D:\Programy\Sygate\SPF\smc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SmcService] D:\Programy\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{6698C29F-41AC-447C-A599-52F7CBA1334F}: NameServer = 194.204.159.1 217.98.63.164
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - D:\Programy\Sygate\SPF\smc.exe



[Gutek]

Już jest Ok

[ferenchy]

Dziękuję