
Malware Doctor


4 replies in this topic

#1 Pacman

Pacman
  • Users
  • 3 posts

Posted 29.05.2009 - 10:31

I have a problem with the Malware Doctor program. Below I am posting the logs from ComboFix:

ComboFix 09-05-28.07 - Kuba 2009-05-29 11:09.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1250.48.1045.18.2047.1508 [GMT 2:00]
Uruchomiony z: d:\moje dokumenty\Maszyny\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

(((((((((((((((((((((((((((((((((((((((   Usunięto   )))))))))))))))))))))))))))))))))))))))))))))))))
.

f:\documents and settings\Kuba.KUBA-NW\Dane aplikacji\wiaserva.log
f:\documents and settings\LocalService\Dane aplikacji\691447002.exe
f:\windows\system\mmtaskclean.log
f:\windows\system32\avast!Antivirus.exe
f:\windows\system32\drivers\zexdvsw.sys
f:\windows\system32\sft.res

.
(((((((((((((((((((((((((((((((((((((((   Sterowniki/Usługi   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_avast!antivirus
-------\Service_avast!antivirus


(((((((((((((((((((((((((   Pliki utworzone od 2009-04-28 do 2009-05-29  )))))))))))))))))))))))))))))))
.

2009-05-29 08:28 . 2009-05-29 08:28	--------	d-----w	f:\documents and settings\Kuba.KUBA-NW\Dane aplikacji\Malwarebytes
2009-05-29 08:28 . 2009-05-26 11:20	40160	----a-w	f:\windows\system32\drivers\mbamswissarmy.sys
2009-05-29 08:28 . 2009-05-29 08:28	--------	d-----w	f:\documents and settings\All Users\Dane aplikacji\Malwarebytes
2009-05-29 08:28 . 2009-05-26 11:19	19096	----a-w	f:\windows\system32\drivers\mbam.sys
2009-05-29 08:17 . 2009-05-29 08:17	32768	----a-w	f:\windows\system32\avast!Antivirus(3).exe
2009-05-03 22:50 . 2009-05-03 22:50	--------	d-----w	f:\documents and settings\KUBA~1~KUB\USTAWI~1
2009-05-03 22:50 . 2009-05-03 22:50	--------	d-----w	f:\documents and settings\KUBA~1~KUB
2009-05-03 21:58 . 2009-05-03 21:58	--------	d-----w	f:\program files\Common Files\Wise Installation Wizard
2009-05-03 21:21 . 2009-05-03 21:48	--------	d-----w	f:\program files\AGEIA Technologies
2009-05-03 21:21 . 2009-05-03 21:21	--------	d-----w	f:\windows\system32\AGEIA
2009-05-02 08:51 . 2009-05-02 08:51	--------	d-----w	f:\documents and settings\Kuba.KUBA-NW\Dane aplikacji\New Technology Studio
2009-04-29 22:18 . 2009-04-29 22:18	--------	d-----w	F:\t
2009-04-29 22:05 . 2009-04-29 22:05	--------	d-----w	F:\d
2009-04-29 21:53 . 2007-07-24 13:58	95616	----a-w	F:\junction.exe

.
((((((((((((((((((((((((((((((((((((((((   Sekcja Find3M   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-29 09:13 . 2009-04-05 08:53	83294	----a-w	f:\windows\system32\drivers\45ec582f.sys
2009-05-29 09:13 . 2008-11-27 15:25	--------	d-----w	f:\documents and settings\Kuba.KUBA-NW\Dane aplikacji\Orbit
2009-05-29 09:10 . 2008-12-03 17:56	814312	----a-w	f:\documents and settings\LocalService\Ustawienia lokalne\Dane aplikacji\FontCache3.0.0.0.dat
2009-05-29 08:52 . 2008-03-31 07:42	--------	d-----w	f:\program files\Kalendarz XP
2009-05-29 08:13 . 2009-05-03 21:44	4904	----a-w	f:\windows\system32\PerfStringBackup.TMP
2009-05-29 08:13 . 2004-08-04 12:00	90632	----a-w	f:\windows\system32\perfc015.dat
2009-05-29 08:13 . 2004-08-04 12:00	503918	----a-w	f:\windows\system32\perfh015.dat
2009-05-28 20:28 . 2008-03-29 10:21	--------	d-----w	f:\program files\Mozilla Thunderbird
2009-05-20 22:10 . 2008-04-20 16:02	--------	d-----w	f:\documents and settings\Kuba.KUBA-NW\Dane aplikacji\Skype
2009-05-20 06:00 . 2008-04-20 16:13	--------	d-----w	f:\documents and settings\Kuba.KUBA-NW\Dane aplikacji\skypePM
2009-05-03 22:50 . 2008-02-28 21:38	--------	d-----w	f:\program files\Realtek
2009-05-03 21:08 . 2008-09-15 16:20	--------	d-----w	f:\documents and settings\Kuba.KUBA-NW\Dane aplikacji\GetRightToGo
2009-04-29 22:33 . 2008-03-29 10:14	--------	d-----w	f:\program files\Microsoft Office backup
2009-04-28 22:58 . 2009-04-28 22:58	221252	----a-w	f:\windows\system32\maskDll.dll
2009-04-28 22:58 . 2009-04-28 22:58	200776	----a-w	f:\windows\system32\unMaskDLL.dll
2009-04-27 16:33 . 2008-02-28 21:25	78800	----a-w	f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Dane aplikacji\GDIPFONTCACHEV1.DAT
2009-04-26 23:46 . 2008-02-28 21:35	--------	d--h--w	f:\program files\InstallShield Installation Information
2009-04-19 19:21 . 2009-04-19 19:20	--------	d-----w	f:\program files\DOSBox-0.72
2009-04-15 11:24 . 2009-04-15 11:24	29184	----a-w	f:\windows\system32\smstf.dll
2009-04-11 17:16 . 2008-11-27 15:25	--------	d-----w	f:\program files\Orbitdownloader
2009-04-07 18:19 . 2008-03-29 10:49	--------	d-----w	f:\program files\Gadu-Gadu
2009-03-30 20:57 . 2008-05-12 10:18	--------	d-----w	f:\program files\NAPI-PROJEKT
2009-03-27 06:14 . 2008-03-10 17:50	453152	----a-w	f:\windows\system32\NVUNINST.EXE
.

(((((((((((((((((((((((((((((((((((((   Wpisy startowe rejestru   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane  
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f30b5e7e-cfbb-44fb-a947-226e5a7a4290}]
2009-05-29 09:13	29184	----a-w	f:\windows\system32\jhxm32.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="f:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"SkinClock"="f:\program files\Desktop Tray Clock\DTClock.exe" [2006-08-18 1712128]
"DAEMON Tools"="f:\program files\DAEMON Tools\daemon.exe" [2007-09-18 171464]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="f:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-02-28 1828136]
"AdobeUpdater"="f:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 2321600]
"RGSC"="e:\gta4\Rockstar Games Social Club\RGSCLauncher.exe" [2008-12-13 306088]
"Malware Doctor"="f:\documents and settings\LocalService\Dane aplikacji\691447002.exe" [2009-05-29 96768]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="f:\windows\system32\NvCpl.dll" [2009-03-27 13684736]
"Adobe Reader Speed Launcher"="f:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"WinampAgent"="f:\program files\winamp\winampa.exe" [2008-01-15 37376]
"avgnt"="f:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 262401]
"NeroFilterCheck"="f:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-04-28 570664]
"NBKeyScan"="e:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 2221352]
"SunJavaUpdateSched"="f:\program files\Java\jre6\bin\jusched.exe" [2008-12-01 136600]
"NvMediaCenter"="f:\windows\system32\NvMcTray.dll" [2009-03-27 86016]
"Malware Doctor"="f:\documents and settings\LocalService\Dane aplikacji\691447002.exe" [2009-05-29 96768]
"RTHDCPL"="RTHDCPL.EXE" - f:\windows\RTHDCPL.exe [2007-03-21 16126464]
"nwiz"="nwiz.exe" - f:\windows\system32\nwiz.exe [2009-03-27 1657376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="f:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

f:\documents and settings\Kuba.KUBA-NW\Menu Start\Programy\Autostart\
kalendarz.lnk - f:\program files\Kalendarz XP\Start.exe [2008-3-31 30208]

f:\documents and settings\All Users\Menu Start\Programy\Autostart\
Orbit.lnk - f:\program files\Orbitdownloader\orbitdm.exe [2008-11-27 1690824]
Przyspieszenie uruchomienia programu AutoCAD.lnk - f:\program files\Common Files\Autodesk Shared\acstart17.exe [2006-3-5 11000]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Test drive\\TestDriveUnlimited.exe"=
"f:\\Program Files\\Gadu-Gadu\\gg.exe"=
"f:\\Program Files\\mIRC\\mirc.exe"=
"d:\\Alien Shooter 2\\AlienShooter.exe"=
"d:\\Program Files\\WapSter\\AQQ\\AQQ.exe"=
"d:\\PROGRA~1\\WapSter\\AQQ\\AQQ.exe"=
"d:\\Program Files\\Gadu-Gadu\\gg.exe"=
"d:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XII.SP2c\\RpcAgentSrv.exe"=
"d:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XII.SP2c\\WNt500x86\\RpcSandraSrv.exe"=
"d:\\Program Files\\eMule\\emule.exe"=
"e:\\Sid Meier's Civilization 4 Complete\\Civilization4.exe"=
"e:\\Sid Meier's Civilization 4 Complete\\Warlords\\Civ4Warlords.exe"=
"e:\\Sid Meier's Civilization 4 Complete\\Beyond the Sword\\Civ4BeyondSword.exe"=
"e:\\Sid Meier's Civilization 4 Complete\\Warlords\\Civ4Warlords_PitBoss.exe"=
"e:\\Sid Meier's Civilization 4 Complete\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"g:\\HEROES3\\Death\\Heroes3.exe"=
"d:\\Herosi\\Heroes3.exe"=
"f:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"f:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"e:\\GTA 4\\Grand Theft Auto IV\\LaunchGTAIV.exe"=
"e:\\GTA 4\\Grand Theft Auto IV\\GTAIV.exe"=
"e:\\GTA4\\Rockstar Games Social Club\\RGSCLauncher.exe"=
"f:\\Program Files\\Skype\\Phone\\Skype.exe"=
"d:\\Supreme Commander\\Supreme Commander - Forged Alliance\\bin\\ForgedAlliance.exe"=
"d:\\Supreme Commander\\Supreme Commander\\bin\\SupremeCommander.exe"=
"d:\\Supreme Commander\\GPGNet\\GPG.Multiplayer.Client.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"444:UDP"= 444:UDP:444
"444:TCP"= 444:TCP:444

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R2 ABBYY.Licensing.FineReader.Professional.9.0;ABBYY FineReader 9.0 PE Licensing Service;f:\program files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe [2007-12-06 660768]
R2 avast!Antivirus;avast!Antivirus;f:\windows\System32\avast!Antivirus.exe -k netsvcs --> f:\windows\System32\avast!Antivirus.exe -k netsvcs [?]
R2 SandraAgentSrv;SiSoftware Deployment Agent Service;d:\program files\SiSoftware\SiSoftware Sandra Lite XII.SP2c\RpcAgentSrv.exe [2008-07-13 98488]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;f:\windows\system32\drivers\atl01_xp.sys [2008-02-28 38656]
R3 DDCCI;DDC/CI monitor;f:\windows\system32\drivers\Moni2c.sys [2008-03-27 6494]
S0 bvli;bvli;f:\windows\system32\drivers\zexdvsw.sys --> f:\windows\system32\drivers\zexdvsw.sys [?]
S3 NDSPCIIO;NDSPCIIO;\??\f:\windows\system32\DRIVERS\NDSPCIIO.SYS --> f:\windows\system32\DRIVERS\NDSPCIIO.SYS [?]

--- Inne Usługi/Sterowniki w Pamięci ---

*NewlyCreated* - avast!antivirus
.
- - - - USUNIĘTO PUSTE WPISY - - - -

HKCU-Run-wsctf.exe - wsctf.exe
Notify-WgaLogon - (no file)
SafeBoot-procexp90.sys


.
------- Skan uzupełniający -------
.
uStart Page = hxxp://search.orbitdownloader.com/
IE: &Download by Orbit - f:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - f:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Add to Google Photos Screensa&ver - f:\windows\system32\GPhotos.scr/200
IE: Do&wnload selected by Orbit - f:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - f:\program files\Orbitdownloader\orbitmxt.dll/202
IE: E&ksport do programu Microsoft Excel - f:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - f:\documents and settings\Kuba.KUBA-NW\Dane aplikacji\Mozilla\Firefox\Profiles\d0gqwv3v.default\
FF - prefs.js: browser.startup.homepage - www.onet.pl
FF - plugin: d:\opera\program\plugins\npdsplay.dll
FF - plugin: d:\opera\program\plugins\npwmsdrm.dll
FF - plugin: f:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: f:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: f:\program files\Mozilla Firefox\plugins\npOggX.dll

---- FIREFOX - SPOSÓB POSTĘPOWANIA ----
FF - user.js: security.checkloaduri - false
FF - user.js: capability.policy.default.checkloaduri.enabled - allAccess.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-29 11:13
Windows 5.1.2600 Dodatek Service Pack 3 NTFS

skanowanie ukrytych procesów ...  

skanowanie ukrytych wpisów autostartu ... 

skanowanie ukrytych plików ...  


f:\windows\system32\jhxm32.dll

skanowanie pomyślnie ukończone
ukryte pliki: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\45ec582f]
"ImagePath"="\SystemRoot\System32\drivers\45ec582f.sys"
.
--------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------

[HKEY_USERS\s-1-5-21-436374069-1060284298-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:c2,f8,76,21,3f,ba,cb,dc,db,5a,01,5d,88,f1,d9,d2,bc,9e,27,dc,a5,da,35,
   19,14,4d,ab,35,3a,d6,19,05,19,64,b2,27,f9,5c,f4,8d,64,2e,3c,e0,31,aa,21,29,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50

[HKEY_USERS\s-1-5-21-436374069-1060284298-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:d8,60,ff,89,e6,f2,7c,f6,a6,e0,c6,52,85,09,f2,67,a4,70,ea,f0,ba,
   e7,03,7f,b2,9c,08,8e,ab,e8,ee,83,0f,66,eb,ed,29,bc,7c,5b,1e,d5,eb,19,13,f3,\
"rkeysecu"=hex:2f,0f,d5,3e,02,2b,06,63,b1,0b,dd,b6,71,e2,54,98
.
--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------

- - - - - - - > 'explorer.exe'(1732)
f:\program files\Desktop Tray Clock\Clock.dll
f:\windows\system32\WPDShServiceObj.dll
f:\windows\system32\PortableDeviceTypes.dll
f:\windows\system32\PortableDeviceApi.dll
f:\windows\system32\browselc.dll
f:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
f:\windows\system32\jhxm32.dll
f:\program files\Microsoft Office\OFFICE11\msohev.dll
f:\program files\Common Files\Nero\Lib\NeroDigitalExt.dll
f:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
.
------------------------ Pozostałe uruchomione procesy ------------------------
.
f:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
d:\program files junction\Adobe\Reader 8.0\Reader\reader_sl.exe
f:\windows\system32\rundll32.exe
f:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
f:\program files\Java\jre6\bin\jqs.exe
f:\program files\Orbitdownloader\orbitnet.exe
e:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
f:\program files\Kalendarz XP\Kalendarz.exe
f:\windows\system32\nvsvc32.exe
f:\windows\system32\IoctlSvc.exe
f:\windows\system32\wscntfy.exe
f:\program files\Common Files\Nero\Lib\NMIndexingService.exe
f:\windows\system32\wbem\wmiapsrv.exe
f:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
f:\windows\system32\avast!Antivirus.exe
f:\windows\system32\notepad.exe
.
**************************************************************************
.
Czas ukończenia: 2009-05-29 11:14 - komputer został uruchomiony ponownie
ComboFix-quarantined-files.txt  2009-05-29 09:14

Przed: 1 818 087 424 bajtów wolnych
Po: 2 388 976 128 bajtów wolnych

WindowsXP-KB310994-SP2-Pro-BootDisk-PLK.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

234	--- E O F ---	2009-03-12 02:01

What should I do about this?

#2 spandaupol

spandaupol

    MODERATOR

  • Moderators
  • 12855 posts

Posted 29.05.2009 - 10:46

Scan this file f:\junction.exe here http://www.virustotal.com/pl/ and post the report on the forum.

Paste into Notepad:

File::
f:\windows\system32\avast!Antivirus(3).exe
f:\windows\system32\drivers\45ec582f.sys
f:\windows\system32\smstf.dll
f:\windows\system32\jhxm32.dll
f:\documents and settings\LocalService\Dane aplikacji\691447002.exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f30b5e7e-cfbb-44fb-a947-226e5a7a4290}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malware Doctor"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malware Doctor"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=-
"DisableRegistryTools"=-
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\45ec582f]

Driver::
avast!Antivirus
bvli

Save the file as CFScript.txt; ideally the icon of this file should sit next to the ComboFix.exe icon.
Drag and drop the CFScript.txt file onto the ComboFix.exe icon; the removal should start, and after that post the log on the forum.
Paste the log on www.wklejto.pl or http://www.wklej.org/ and put the link in your post.
I do not check HijackThis logs unless for some reason I ask for such a log myself.
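As an added example (not part of this thread, and not a ComboFix feature), the script below applies the kind of reasoning the moderator used when writing the CFScript above: it reads a ComboFix-style log, picks out Run entries whose target lives in a service-account profile or has a numbers-only file name, the DisableTaskMgr/DisableRegistryTools policy locks, and the files catchme reported as hidden, and renders a draft CFScript in the same File::/Registry:: format. The sample log is a constructed excerpt modelled on the first log in this thread, and the suspicion heuristics are my own assumptions, not rules from ComboFix or from the moderator.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample: a trimmed excerpt modelled on the ComboFix log posted above.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="f:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Malware Doctor"="f:\documents and settings\LocalService\Dane aplikacji\691447002.exe" [2009-05-29 96768]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="f:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 262401]
"Malware Doctor"="f:\documents and settings\LocalService\Dane aplikacji\691447002.exe" [2009-05-29 96768]
"nwiz"="nwiz.exe" - f:\windows\system32\nwiz.exe [2009-03-27 1657376]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

skanowanie ukrytych plików ...

f:\windows\system32\jhxm32.dll

skanowanie pomyślnie ukończone
ukryte pliki: 1
"""

KEY_RE = re.compile(r"^\[(HK[^\]]+)\]$")
# "name"="target" [date size]   or   "name"="file.exe" - resolved\path [date size]
RUN_VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"(?:\s+-\s+(.+?))?\s+\[')
POLICY_RE = re.compile(r'^"([^"]+)"=\s*(\d+)')
POLICY_NAMES = {"DisableTaskMgr", "DisableRegistryTools"}
SERVICE_PROFILES = ("\\localservice\\", "\\networkservice\\")


@dataclass
class Triage:
    run_entries: List[Tuple[str, str, str]] = field(default_factory=list)  # (key, name, path)
    policy_locks: List[Tuple[str, str]] = field(default_factory=list)      # (key, name)
    hidden_files: List[str] = field(default_factory=list)


def parse_log(text: str) -> Triage:
    """Collect Run entries, policy locks and catchme hidden files from a ComboFix-style log."""
    t = Triage()
    key = None
    in_hidden = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        if line.startswith("skanowanie ukrytych plików"):  # catchme hidden-files header
            in_hidden, key = True, None
            continue
        if in_hidden:
            if line.startswith("skanowanie") or line.startswith("ukryte pliki"):
                in_hidden = False
            else:
                t.hidden_files.append(line)
            continue
        if key is None:
            continue
        if key.lower().endswith("policies\\system"):
            m = POLICY_RE.match(line)
            if m and m.group(1) in POLICY_NAMES and m.group(2) != "0":
                t.policy_locks.append((key, m.group(1)))
        elif key.lower().endswith("\\run"):
            m = RUN_VALUE_RE.match(line)
            if m:
                t.run_entries.append((key, m.group(1), m.group(3) or m.group(2)))
    return t


def is_suspicious_autostart(path: str) -> bool:
    """Assumed heuristics: service-account profiles, numbers-only names, Temp directories."""
    low = path.lower()
    stem = low.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    return any(p in low for p in SERVICE_PROFILES) or stem.isdigit() or "\\temp\\" in low


def build_cfscript(t: Triage) -> str:
    """Render a draft CFScript: flagged files under File::, value deletions under Registry::."""
    files: List[str] = []
    reg = {}
    for key, name, path in t.run_entries:
        if is_suspicious_autostart(path):
            if path not in files:
                files.append(path)
            reg.setdefault(key, [])
            if name not in reg[key]:
                reg[key].append(name)
    for h in t.hidden_files:
        if h not in files:
            files.append(h)
    for key, name in t.policy_locks:
        reg.setdefault(key, []).append(name)
    out = ["File::", *files, "", "Registry::"]
    for key, names in reg.items():
        out.append(f"[{key}]")
        out.extend(f'"{n}"=-' for n in names)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(build_cfscript(parse_log(SAMPLE_LOG)))
```

Run against the sample, the draft lists 691447002.exe once under File:: (it appears in both Run keys), adds the hidden jhxm32.dll, and emits "Malware Doctor"=- under both Run keys plus the two policy values, which is the same shape as the moderator's script; the untouched ctfmon.exe and avgnt.exe entries are left alone. A draft like this is still only a starting point for a human reviewer, which is why the output is a text to read rather than something the script applies itself.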

#3 Pacman

Pacman
  • Users
  • 3 posts

Posted 29.05.2009 - 11:06

Log from ComboFix:

ComboFix 09-05-28.07 - Kuba 2009-05-29 11:56.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1250.48.1045.18.2047.1506 [GMT 2:00]
Uruchomiony z: d:\moje dokumenty\Maszyny\ComboFix.exe
Użyto następujących komend :: d:\moje dokumenty\Maszyny\CFScript.txt
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

FILE ::
"f:\documents and settings\LocalService\Dane aplikacji\691447002.exe"
"f:\windows\system32\avast!Antivirus(3).exe"
"f:\windows\system32\drivers\45ec582f.sys"
"f:\windows\system32\jhxm32.dll"
"f:\windows\system32\smstf.dll"
.

(((((((((((((((((((((((((((((((((((((((   Usunięto   )))))))))))))))))))))))))))))))))))))))))))))))))
.

f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\burnlib.lng
f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\dsp_sps.lng
f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\enc_aacplus.lng
f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\enc_flac.lng
f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\enc_lame.lng
f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\enc_vorbis.lng
f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\enc_wav.lng
f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\enc_wma.lng
f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\gen_crasher.lng
f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\gen_ff.lng
f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\gen_hotkeys.lng
f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\gen_ml.lng
f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\gen_tray.lng
f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\in_cdda.lng
f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\in_dshow.lng
f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\in_flac.lng
f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\in_linein.lng
f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\in_midi.lng
f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\in_mod.lng
f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\in_mp3.lng
f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\in_mp4.lng
f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\in_nsv.lng
f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\in_vorbis.lng
f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\in_wave.lng
f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\in_wm.lng
f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\ml_autotag.lng
f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\ml_bookmarks.lng
f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\ml_dash.lng
f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\ml_disc.lng
f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\ml_history.lng
f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\ml_local.lng
f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\ml_nowplaying.lng
f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\ml_online.lng
f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\ml_orb.lng
f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\ml_playlists.lng
f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\ml_plg.lng
f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\ml_pmp.lng
f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\ml_rg.lng
f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\ml_transcode.lng
f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\ml_wire.lng
f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\out_disk.lng
f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\out_ds.lng
f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\out_wave.lng
f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\pmp_activesync.lng
f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\pmp_ipod.lng
f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\pmp_njb.lng
f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\pmp_p4s.lng
f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\pmp_usb.lng
f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\tagz.lng
f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\vis_avs.lng
f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\vis_avs_282.lng
f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\vis_milk.lng
f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\vis_milk2.lng
f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\vis_nsfs.lng
f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\winamp.lng
f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\burnlib.lng
f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\dsp_sps.lng
f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\enc_aacplus.lng
f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\enc_flac.lng
f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\enc_lame.lng
f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\enc_vorbis.lng
f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\enc_wav.lng
f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\enc_wma.lng
f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\gen_crasher.lng
f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\gen_ff.lng
f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\gen_hotkeys.lng
f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\gen_ml.lng
f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\gen_tray.lng
f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\in_cdda.lng
f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\in_dshow.lng
f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\in_flac.lng
f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\in_linein.lng
f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\in_midi.lng
f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\in_mod.lng
f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\in_mp3.lng
f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\in_mp4.lng
f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\in_nsv.lng
f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\in_vorbis.lng
f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\in_wave.lng
f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\in_wm.lng
f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\ml_autotag.lng
f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\ml_bookmarks.lng
f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\ml_dash.lng
f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\ml_disc.lng
f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\ml_history.lng
f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\ml_local.lng
f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\ml_nowplaying.lng
f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\ml_online.lng
f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\ml_orb.lng
f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\ml_playlists.lng
f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\ml_plg.lng
f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\ml_pmp.lng
f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\ml_rg.lng
f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\ml_transcode.lng
f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\ml_wire.lng
f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\out_disk.lng
f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\out_ds.lng
f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\out_wave.lng
f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\pmp_activesync.lng
f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\pmp_ipod.lng
f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\pmp_njb.lng
f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\pmp_p4s.lng
f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\pmp_usb.lng
f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\tagz.lng
f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\vis_avs.lng
f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\vis_avs_282.lng
f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\vis_milk.lng
f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\vis_milk2.lng
f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\vis_nsfs.lng
f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\winamp.lng
f:\documents and settings\LocalService\Dane aplikacji\691447002.exe
f:\program files\Internet Explorer\setupapi.dll
f:\windows\system32\avast!Antivirus(3).exe
f:\windows\system32\avast!Antivirus.exe
f:\windows\system32\drivers\45ec582f.sys
f:\windows\system32\jhxm32.dll
f:\windows\system32\sft.res
f:\windows\system32\smstf.dll

.
(((((((((((((((((((((((((((((((((((((((   Sterowniki/Usługi   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_avast!antivirus
-------\Service_bvli
-------\Service_45ec582f


(((((((((((((((((((((((((   Pliki utworzone od 2009-04-28 do 2009-05-29  )))))))))))))))))))))))))))))))
.

2009-05-29 08:28 . 2009-05-29 08:28	--------	d-----w	f:\documents and settings\Kuba.KUBA-NW\Dane aplikacji\Malwarebytes
2009-05-29 08:28 . 2009-05-26 11:20	40160	----a-w	f:\windows\system32\drivers\mbamswissarmy.sys
2009-05-29 08:28 . 2009-05-29 08:28	--------	d-----w	f:\documents and settings\All Users\Dane aplikacji\Malwarebytes
2009-05-29 08:28 . 2009-05-26 11:19	19096	----a-w	f:\windows\system32\drivers\mbam.sys
2009-05-03 22:50 . 2009-05-03 22:50	--------	d-----w	f:\documents and settings\KUBA~1~KUB\USTAWI~1
2009-05-03 22:50 . 2009-05-03 22:50	--------	d-----w	f:\documents and settings\KUBA~1~KUB
2009-05-03 21:58 . 2009-05-03 21:58	--------	d-----w	f:\program files\Common Files\Wise Installation Wizard
2009-05-03 21:21 . 2009-05-03 21:48	--------	d-----w	f:\program files\AGEIA Technologies
2009-05-03 21:21 . 2009-05-03 21:21	--------	d-----w	f:\windows\system32\AGEIA
2009-05-02 08:51 . 2009-05-02 08:51	--------	d-----w	f:\documents and settings\Kuba.KUBA-NW\Dane aplikacji\New Technology Studio
2009-04-29 22:18 . 2009-04-29 22:18	--------	d-----w	F:\t
2009-04-29 22:05 . 2009-04-29 22:05	--------	d-----w	F:\d
2009-04-29 21:53 . 2007-07-24 13:58	95616	----a-w	F:\junction.exe

.
((((((((((((((((((((((((((((((((((((((((   Sekcja Find3M   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-29 10:00 . 2008-11-27 15:25	--------	d-----w	f:\documents and settings\Kuba.KUBA-NW\Dane aplikacji\Orbit
2009-05-29 09:57 . 2008-12-03 17:56	814312	----a-w	f:\documents and settings\LocalService\Ustawienia lokalne\Dane aplikacji\FontCache3.0.0.0.dat
2009-05-29 09:57 . 2008-03-31 07:42	--------	d-----w	f:\program files\Kalendarz XP
2009-05-29 08:13 . 2009-05-03 21:44	4904	----a-w	f:\windows\system32\PerfStringBackup.TMP
2009-05-29 08:13 . 2004-08-04 12:00	90632	----a-w	f:\windows\system32\perfc015.dat
2009-05-29 08:13 . 2004-08-04 12:00	503918	----a-w	f:\windows\system32\perfh015.dat
2009-05-28 20:28 . 2008-03-29 10:21	--------	d-----w	f:\program files\Mozilla Thunderbird
2009-05-20 22:10 . 2008-04-20 16:02	--------	d-----w	f:\documents and settings\Kuba.KUBA-NW\Dane aplikacji\Skype
2009-05-20 06:00 . 2008-04-20 16:13	--------	d-----w	f:\documents and settings\Kuba.KUBA-NW\Dane aplikacji\skypePM
2009-05-03 22:50 . 2008-02-28 21:38	--------	d-----w	f:\program files\Realtek
2009-05-03 21:08 . 2008-09-15 16:20	--------	d-----w	f:\documents and settings\Kuba.KUBA-NW\Dane aplikacji\GetRightToGo
2009-04-29 22:33 . 2008-03-29 10:14	--------	d-----w	f:\program files\Microsoft Office backup
2009-04-28 22:58 . 2009-04-28 22:58	221252	----a-w	f:\windows\system32\maskDll.dll
2009-04-28 22:58 . 2009-04-28 22:58	200776	----a-w	f:\windows\system32\unMaskDLL.dll
2009-04-27 16:33 . 2008-02-28 21:25	78800	----a-w	f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Dane aplikacji\GDIPFONTCACHEV1.DAT
2009-04-26 23:46 . 2008-02-28 21:35	--------	d--h--w	f:\program files\InstallShield Installation Information
2009-04-19 19:21 . 2009-04-19 19:20	--------	d-----w	f:\program files\DOSBox-0.72
2009-04-11 17:16 . 2008-11-27 15:25	--------	d-----w	f:\program files\Orbitdownloader
2009-04-07 18:19 . 2008-03-29 10:49	--------	d-----w	f:\program files\Gadu-Gadu
2009-03-30 20:57 . 2008-05-12 10:18	--------	d-----w	f:\program files\NAPI-PROJEKT
2009-03-27 06:14 . 2008-03-10 17:50	453152	----a-w	f:\windows\system32\NVUNINST.EXE
.

(((((((((((((((((((((((((((((   SnapShot@2009-05-29_09.13.04   )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-29 09:59 . 2009-05-29 09:59	16384              f:\windows\Temp\Perflib_Perfdata_31c.dat
.
(((((((((((((((((((((((((((((((((((((   Wpisy startowe rejestru   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane  
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="f:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"SkinClock"="f:\program files\Desktop Tray Clock\DTClock.exe" [2006-08-18 1712128]
"DAEMON Tools"="f:\program files\DAEMON Tools\daemon.exe" [2007-09-18 171464]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="f:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-02-28 1828136]
"AdobeUpdater"="f:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 2321600]
"RGSC"="e:\gta4\Rockstar Games Social Club\RGSCLauncher.exe" [2008-12-13 306088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="f:\windows\system32\NvCpl.dll" [2009-03-27 13684736]
"Adobe Reader Speed Launcher"="f:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"WinampAgent"="f:\program files\winamp\winampa.exe" [2008-01-15 37376]
"avgnt"="f:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 262401]
"NeroFilterCheck"="f:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-04-28 570664]
"NBKeyScan"="e:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 2221352]
"SunJavaUpdateSched"="f:\program files\Java\jre6\bin\jusched.exe" [2008-12-01 136600]
"NvMediaCenter"="f:\windows\system32\NvMcTray.dll" [2009-03-27 86016]
"RTHDCPL"="RTHDCPL.EXE" - f:\windows\RTHDCPL.exe [2007-03-21 16126464]
"nwiz"="nwiz.exe" - f:\windows\system32\nwiz.exe [2009-03-27 1657376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="f:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

f:\documents and settings\Kuba.KUBA-NW\Menu Start\Programy\Autostart\
kalendarz.lnk - f:\program files\Kalendarz XP\Start.exe [2008-3-31 30208]

f:\documents and settings\All Users\Menu Start\Programy\Autostart\
Orbit.lnk - f:\program files\Orbitdownloader\orbitdm.exe [2008-11-27 1690824]
Przyspieszenie uruchomienia programu AutoCAD.lnk - f:\program files\Common Files\Autodesk Shared\acstart17.exe [2006-3-5 11000]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Test drive\\TestDriveUnlimited.exe"=
"f:\\Program Files\\Gadu-Gadu\\gg.exe"=
"f:\\Program Files\\mIRC\\mirc.exe"=
"d:\\Alien Shooter 2\\AlienShooter.exe"=
"d:\\Program Files\\WapSter\\AQQ\\AQQ.exe"=
"d:\\PROGRA~1\\WapSter\\AQQ\\AQQ.exe"=
"d:\\Program Files\\Gadu-Gadu\\gg.exe"=
"d:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XII.SP2c\\RpcAgentSrv.exe"=
"d:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XII.SP2c\\WNt500x86\\RpcSandraSrv.exe"=
"d:\\Program Files\\eMule\\emule.exe"=
"e:\\Sid Meier's Civilization 4 Complete\\Civilization4.exe"=
"e:\\Sid Meier's Civilization 4 Complete\\Warlords\\Civ4Warlords.exe"=
"e:\\Sid Meier's Civilization 4 Complete\\Beyond the Sword\\Civ4BeyondSword.exe"=
"e:\\Sid Meier's Civilization 4 Complete\\Warlords\\Civ4Warlords_PitBoss.exe"=
"e:\\Sid Meier's Civilization 4 Complete\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"g:\\HEROES3\\Death\\Heroes3.exe"=
"d:\\Herosi\\Heroes3.exe"=
"f:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"f:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"e:\\GTA 4\\Grand Theft Auto IV\\LaunchGTAIV.exe"=
"e:\\GTA 4\\Grand Theft Auto IV\\GTAIV.exe"=
"e:\\GTA4\\Rockstar Games Social Club\\RGSCLauncher.exe"=
"f:\\Program Files\\Skype\\Phone\\Skype.exe"=
"d:\\Supreme Commander\\Supreme Commander - Forged Alliance\\bin\\ForgedAlliance.exe"=
"d:\\Supreme Commander\\Supreme Commander\\bin\\SupremeCommander.exe"=
"d:\\Supreme Commander\\GPGNet\\GPG.Multiplayer.Client.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"444:UDP"= 444:UDP:444
"444:TCP"= 444:TCP:444

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R2 ABBYY.Licensing.FineReader.Professional.9.0;ABBYY FineReader 9.0 PE Licensing Service;f:\program files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe [2007-12-06 660768]
R2 SandraAgentSrv;SiSoftware Deployment Agent Service;d:\program files\SiSoftware\SiSoftware Sandra Lite XII.SP2c\RpcAgentSrv.exe [2008-07-13 98488]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;f:\windows\system32\drivers\atl01_xp.sys [2008-02-28 38656]
R3 DDCCI;DDC/CI monitor;f:\windows\system32\drivers\Moni2c.sys [2008-03-27 6494]
S3 NDSPCIIO;NDSPCIIO;\??\f:\windows\system32\DRIVERS\NDSPCIIO.SYS --> f:\windows\system32\DRIVERS\NDSPCIIO.SYS [?]
.
.
------- Skan uzupełniający -------
.
uStart Page = hxxp://search.orbitdownloader.com/
IE: &Download by Orbit - f:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - f:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Add to Google Photos Screensa&ver - f:\windows\system32\GPhotos.scr/200
IE: Do&wnload selected by Orbit - f:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - f:\program files\Orbitdownloader\orbitmxt.dll/202
IE: E&ksport do programu Microsoft Excel - f:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - f:\documents and settings\Kuba.KUBA-NW\Dane aplikacji\Mozilla\Firefox\Profiles\d0gqwv3v.default\
FF - prefs.js: browser.startup.homepage - www.onet.pl

---- FIREFOX - SPOSÓB POSTĘPOWANIA ----
FF - user.js: security.checkloaduri - false
FF - user.js: capability.policy.default.checkloaduri.enabled - allAccess.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-29 11:59
Windows 5.1.2600 Dodatek Service Pack 3 NTFS

skanowanie ukrytych procesów ...  

skanowanie ukrytych wpisów autostartu ... 

skanowanie ukrytych plików ...  

skanowanie pomyślnie ukończone
ukryte pliki: 0

**************************************************************************
.
--------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------

[HKEY_USERS\S-1-5-21-436374069-1060284298-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:c2,f8,76,21,3f,ba,cb,dc,db,5a,01,5d,88,f1,d9,d2,bc,9e,27,dc,a5,da,35,
   19,14,4d,ab,35,3a,d6,19,05,19,64,b2,27,f9,5c,f4,8d,64,2e,3c,e0,31,aa,21,29,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50

[HKEY_USERS\S-1-5-21-436374069-1060284298-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:d8,60,ff,89,e6,f2,7c,f6,a6,e0,c6,52,85,09,f2,67,a4,70,ea,f0,ba,
   e7,03,7f,b2,9c,08,8e,ab,e8,ee,83,0f,66,eb,ed,29,bc,7c,5b,1e,d5,eb,19,13,f3,\
"rkeysecu"=hex:2f,0f,d5,3e,02,2b,06,63,b1,0b,dd,b6,71,e2,54,98
.
--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------

- - - - - - - > 'explorer.exe'(3700)
f:\program files\Desktop Tray Clock\Clock.dll
f:\windows\system32\WPDShServiceObj.dll
f:\windows\system32\PortableDeviceTypes.dll
f:\windows\system32\PortableDeviceApi.dll
.
------------------------ Pozostałe uruchomione procesy ------------------------
.
f:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
d:\program files junction\Adobe\Reader 8.0\Reader\reader_sl.exe
f:\windows\system32\rundll32.exe
f:\program files\Kalendarz XP\Kalendarz.exe
f:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
f:\program files\Orbitdownloader\orbitnet.exe
f:\program files\Java\jre6\bin\jqs.exe
e:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
e:\gta4\Rockstar Games Social Club\1_1_3_0\RGSC.exe
f:\windows\system32\nvsvc32.exe
f:\windows\system32\IoctlSvc.exe
f:\program files\Common Files\Nero\Lib\NMIndexingService.exe
f:\windows\system32\wbem\wmiapsrv.exe
f:\windows\system32\wscntfy.exe
f:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
.
**************************************************************************
.
Czas ukończenia: 2009-05-29 12:01 - komputer został uruchomiony ponownie
ComboFix-quarantined-files.txt  2009-05-29 10:01
ComboFix2.txt  2009-05-29 09:14

Przed: 2 264 782 336 bajtów wolnych
Po: 2 252 440 064 bajtów wolnych

319	--- E O F ---	2009-03-12 02:01

The problem looks resolved, Malware Doctor is gone :)

As for f:\junction.exe:

File junction.exe received 2009.05.13 15:54:27 (UTC)
Current status: finished
Result: 0/39 (0.00%)
Antivirus	Version	Last update	Result
a-squared	4.0.0.101	2009.05.13	-
AhnLab-V3	5.0.0.2	2009.05.13	-
AntiVir	7.9.0.166	2009.05.13	-
Antiy-AVL	2.0.3.1	2009.05.13	-
Authentium	5.1.2.4	2009.05.13	-
Avast	4.8.1335.0	2009.05.12	-
AVG	8.5.0.327	2009.05.13	-
BitDefender	7.2	2009.05.13	-
CAT-QuickHeal	10.00	2009.05.13	-
ClamAV	0.94.1	2009.05.13	-
Comodo	1157	2009.05.08	-
DrWeb	5.0.0.12182	2009.05.13	-
eSafe	7.0.17.0	2009.05.12	-
eTrust-Vet	31.6.6503	2009.05.13	-
F-Prot	4.4.4.56	2009.05.13	-
F-Secure	8.0.14470.0	2009.05.13	-
Fortinet	3.117.0.0	2009.05.13	-
GData	19	2009.05.13	-
Ikarus	T3.1.1.49.0	2009.05.13	-
K7AntiVirus	7.10.734	2009.05.13	-
Kaspersky	7.0.0.125	2009.05.13	-
McAfee	5613	2009.05.12	-
McAfee+Artemis	5613	2009.05.12	-
McAfee-GW-Edition	6.7.6	2009.05.13	-
Microsoft	1.4602	2009.05.13	-
NOD32	4071	2009.05.13	-
Norman	6.01.05	2009.05.13	-
nProtect	2009.1.8.0	2009.05.13	-
Panda	10.0.0.14	2009.05.13	-
PCTools	4.4.2.0	2009.05.07	-
Prevx	3.0	2009.05.13	-
Rising	21.29.24.00	2009.05.13	-
Sophos	4.41.0	2009.05.13	-
Sunbelt	3.2.1858.2	2009.05.13	-
Symantec	1.4.4.12	2009.05.13	-
TheHacker	6.3.4.1.325	2009.05.12	-
TrendMicro	8.950.0.1092	2009.05.13	-
VBA32	3.12.10.5	2009.05.13	-
ViRobot	2009.5.13.1733	2009.05.13	-
Additional information
File size: 95616 bytes
MD5   : a12686c5e71180980b51bc44dbbed50c
SHA1  : b081534131e27eade755677c54d28f3a146b7787
SHA256: 51d8cfee549e7338e62bf453388e7160bffc5892eaf338bde3e82192137a2bc7
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x406C
timedatestamp.....: 0x46A67AD0 (Wed Jul 25 00:18:56 2007)
machinetype.......: 0x14C (Intel I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xADC4 0xB000 6.59 88b04182b7dcdc384e0ef2acab693c00
.rdata 0xC000 0x52BA 0x6000 4.89 67bccad983c71261ca80bd9e68253ed8
.data 0x12000 0x2D24 0x2000 1.38 8ef0691a51a3581e53432ed3c1351d08
.rsrc 0x15000 0x480 0x1000 3.79 5e137fc11c99662cb030b38cf6606c97

( 5 imports )

> advapi32.dll: RegQueryValueExW, RegSetValueExW, RegCloseKey, RegCreateKeyW
> comdlg32.dll: PrintDlgW
> gdi32.dll: SetMapMode, StartDocW, StartPage, EndPage, EndDoc, GetDeviceCaps
> kernel32.dll: CreateDirectoryW, GetVolumeInformationW, GetFullPathNameW, GetCurrentDirectoryW, RemoveDirectoryW, SetStdHandle, WriteConsoleW, GetConsoleOutputCP, WriteConsoleA, FindFirstFileW, FindNextFileW, FindClose, CreateFileW, GetLastError, DeviceIoControl, GetFileAttributesW, FormatMessageW, CloseHandle, LocalAlloc, LoadLibraryW, LocalFree, CreateFileA, GetModuleHandleW, HeapAlloc, HeapFree, EnterCriticalSection, LeaveCriticalSection, HeapReAlloc, GetProcAddress, GetModuleHandleA, ExitProcess, GetVersionExA, GetProcessHeap, DeleteCriticalSection, VirtualFree, VirtualAlloc, HeapDestroy, HeapCreate, WriteFile, GetStdHandle, GetModuleFileNameA, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetCPInfo, InterlockedIncrement, InterlockedDecrement, GetACP, GetOEMCP, IsValidCodePage, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, GetCurrentThreadId, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, FlushFileBuffers, SetHandleCount, GetFileType, GetStartupInfoA, Sleep, HeapSize, LoadLibraryA, InitializeCriticalSection, GetModuleFileNameW, FreeEnvironmentStringsA, MultiByteToWideChar, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetCommandLineW, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, RtlUnwind, SetFilePointer, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA
> user32.dll: DialogBoxIndirectParamW, GetDlgItem, GetSysColorBrush, EndDialog, SetWindowTextW, LoadCursorW, SetCursor, InflateRect, SendMessageW

( 0 exports )
TrID  : File type identification
60.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.6% (.EXE) Win32 Executable Generic (8527/13/3)
14.7% (.DLL) Win32 Dynamic Link Library (generic) (7583/30/2)
3.9% (.EXE) Generic Win/DOS Executable (2002/3)
3.8% (.EXE) DOS Executable Generic (2000/1)
ThreatExpert: http://www.threatexpert.com/report.aspx?md5=a12686c5e71180980b51bc44dbbed50c
ssdeep: 1536:85pItDPiPtaEtZuOxEb7rKP3wY+I0WFE2gsg5XYcAy/FaeE:BPifUbvKgsg5XYcAy/Ev
PEiD  : -
RDS   : NSRL Reference Data Set

This file is probably fine - it's a small DOS program for creating "links" to a directory on the disk, which programs see as separate directories. A useful option if someone has several partitions and a small system disk :)

#4 spandaupol

spandaupol

    MODERATOR

  • Moderators
  • 12855 posts

Posted 29.05.2009 - 12:04

This file is probably fine - it's a small DOS program for creating "links" to a directory on the disk, which programs see as separate directories. A useful option if someone has several partitions and a small system disk :)

I wanted to make sure :)

The log looks clean.

Manually delete the C:\Qoobox folder and the ComboFix installer from the disk.

Clean the system and the registry with CCleaner.

Disable and re-enable System Restore on all drives. Instructions

Scan the system with Malwarebytes, which you have on disk (full scan),

or additionally with Dr.WEB CureIt!
I don't check HijackThis logs unless for some reason I ask for such a log myself.

#5 Pacman

Pacman
  • Users
  • 3 posts

Posted 29.05.2009 - 13:18

OK, thanks a lot for the help, you guys are great :)