Downloader.Agent.uj

trelemorele18 · 10 Czerwiec 2007 11:20

usunołem wirusy w AVG anti-spyware i tego co w temacie nie moze usunąc bo za kazdym razem go wykrywa to dałem kwarantanne. Ale na necie nie wszystko mi działa poprawnie… jakies głupie strony , okienka same wyskakuja itp …

Logfile of HijackThis v1.99.1 Scan saved at 13:14:16, on 2007-06-10 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\WINDOWS\system32\wdfmgr.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\System32\alg.exe C:\Program Files\Gadu-Gadu\gg.exe C:\Program Files\Winamp\winamp.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\mateo\Pulpit\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza F3 - REG:win.ini: load=??? F3 - REG:win.ini: run=??? O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O4 - HKLM…\Run: [!AVG Anti-Spyware] “C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe” /minimized O4 - HKLM…\Run: [mstsdsc.exe] c:\windows\system32\mstsdsc.exe O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\windows\system32\tmwsock.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\tmwsock.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\tmwsock.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\tmwsock.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\tmwsock.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\tmwsock.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\tmwsock.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\tmwsock.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\tmwsock.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\tmwsock.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\tmwsock.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\tmwsock.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\tmwsock.dll O17 - HKLM\System\CCS\Services\Tcpip…{093A389F-C86C-45B4-84AE-4FB3D8327AE4}: NameServer = 85.255.115.68,85.255.112.118 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.68 85.255.112.118 O17 - HKLM\System\CS1\Services\Tcpip…{093A389F-C86C-45B4-84AE-4FB3D8327AE4}: NameServer = 85.255.115.68,85.255.112.118 O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.68 85.255.112.118 O17 - HKLM\System\CS2\Services\Tcpip…{093A389F-C86C-45B4-84AE-4FB3D8327AE4}: NameServer = 85.255.115.68,85.255.112.118 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.68 85.255.112.118 O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: Windows Management Service - Unknown owner - C:\WINDOWS\system32.exe (file missing)

“Silent Runners.vbs”, revision R50, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “Gadu-Gadu” = ““C:\Program Files\Gadu-Gadu\gg.exe” /tray” [“Gadu-Gadu S.A.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “!AVG Anti-Spyware” = ““C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe” /minimized” [“GRISOFT s.r.o.”] “mstsdsc.exe” = “c:\windows\system32\mstsdsc.exe” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “AcroIEHlprObj Class” \InProcServer32(Default) = “D:\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\system32\hticons.dll” [“Hilgraeve, Inc.”] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] “{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Microsoft Office\Office12\msohevi.dll” [MS] “{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}” = “Microsoft Office Metadata Handler” -> {HKLM…CLSID} = “Microsoft Office Metadata Handler” \InProcServer32(Default) = “C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll” [MS] “{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}” = “Microsoft Office Thumbnail Handler” -> {HKLM…CLSID} = “Microsoft Office Thumbnail Handler” \InProcServer32(Default) = “C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll” [MS] “{A5110426-177D-4e08-AB3F-785F10B4439C}” = “Sony Ericsson File Manager” -> {HKLM…CLSID} = “Sony Ericsson File Manager” \InProcServer32(Default) = “C:\Program Files\Sony Ericsson\Mobile2\File Manager\fmgrgui.dll” [“Sony Ericsson Mobile Communications AB”] “{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}” = “Shell Extensions for RealOne Player” -> {HKLM…CLSID} = “RealOne Player Context Menu Class” \InProcServer32(Default) = “C:\Program Files\Real Alternative\rpshell.dll” [“RealNetworks, Inc.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\ <> “{57B86673-276A-48B2-BAE7-C6DBB3020EB8}” = “AVG Anti-Spyware 7.5” -> {HKLM…CLSID} = “CShellExecuteHookImpl Object” \InProcServer32(Default) = “C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll” [“GRISOFT s.r.o.”] HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\ “load” = (value not set) “run” = (value not set) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ <> “System” = “csypw.exe” [null data] HKLM\Software\Classes\PROTOCOLS\Filter\ <> text/xml\CLSID = “{807563E5-5146-11D5-A672-00B0D022E945}” -> {HKLM…CLSID} = “Microsoft Office InfoPath XML Mime Filter” \InProcServer32(Default) = “C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL” [MS] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info” -> {HKLM…CLSID} = “PDF Shell Extension” \InProcServer32(Default) = “D:\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ AVG Anti-Spyware(Default) = “{8934FCEF-F5B8-468f-951F-78A921CD3920}” -> {HKLM…CLSID} = “CContextScan Object” \InProcServer32(Default) = “C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll” [“GRISOFT s.r.o.”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ AVG Anti-Spyware(Default) = “{8934FCEF-F5B8-468f-951F-78A921CD3920}” -> {HKLM…CLSID} = “CContextScan Object” \InProcServer32(Default) = “C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll” [“GRISOFT s.r.o.”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “DisableTaskMgr” = (REG_DWORD) hex:0x00000000 {User Configuration|Administrative Templates|System|Ctrl+Alt+Del Options| Remove Task Manager} “DisableRegistryTools” = (REG_DWORD) hex:0x00000000 {User Configuration|Administrative Templates|System| Prevent access to registry editing tools} HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\Documents and Settings\mateo\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ “SCRNSAVE.EXE” = “C:\WINDOWS\system32\logon.scr” [MS] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: c:\windows\system32\tmwsock.dll [null data], 01 - 11, 23 - 24 %SystemRoot%\system32\mswsock.dll [MS], 12 - 14, 17 - 22 %SystemRoot%\system32\rsvpsp.dll [MS], 15 - 16 Toolbars, Explorer Bars, Extensions: ------------------------------------ Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ “MenuText” = “Sun Java Console” “CLSIDExtension” = “{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC}” -> {HKCU…CLSID} = “Java Plug-in 1.6.0_01” \InProcServer32(Default) = “C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll” [“Sun Microsystems, Inc.”] -> {HKLM…CLSID} = “Java Plug-in 1.6.0_01” \InProcServer32(Default) = “C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll” [“Sun Microsystems, Inc.”] {FB5F1910-F110-11D2-BB9E-00C04F795683}\ “ButtonText” = “Messenger” “MenuText” = “Windows Messenger” “Exec” = “C:\Program Files\Messenger\msmsgs.exe” [MS] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, “C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe” [“GRISOFT s.r.o.”] Windows User Mode Driver Framework, UMWdf, “C:\WINDOWS\system32\wdfmgr.exe” [MS] ---------- <>: Suspicious data at a malware launch point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points, use the -supp parameter or answer “No” at the first message box and “Yes” at the second message box. ---------- (total run time: 41 seconds, including 2 seconds for message boxes)

Gutek · 10 Czerwiec 2007 11:27

F3 - REG:win.ini: load=? F3 - REG:win.ini: run=? O4 - HKLM…\Run: [mstsdsc.exe] c:\windows\system32\mstsdsc.exe O17 - HKLM\System\CCS\Services\Tcpip…{093A389F-C86C-45B4-84AE-4FB3D8327AE4}: NameServer = 85.255.115.68,85.255.112.118 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.68 85.255.112.118 O17 - HKLM\System\CS1\Services\Tcpip…{093A389F-C86C-45B4-84AE-4FB3D8327AE4}: NameServer = 85.255.115.68,85.255.112.118 O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.68 85.255.112.118 O17 - HKLM\System\CS2\Services\Tcpip…{093A389F-C86C-45B4-84AE-4FB3D8327AE4}: NameServer = 85.255.115.68,85.255.112.118 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.68 85.255.112.118 O23 - Service: Windows Management Service - Unknown owner - C:\WINDOWS\system32.exe (file missing)

wpisy usuń HJT

Użyj Pocket Killbox. Zaznaczasz opcję Delete on Reboot oraz All Files i w polu Full Path of File to Delete wklejasz ścieżki

C:\WINDOWS\System32\mstsdsc.exe

C:\WINDOWS\System32.exe

i naciskasz X czerwony. Program poprosi o reset kompa … czyli resetujesz.

Odpal LSP-Fix

zaznacz “I know what I’m doing” następnie w okienku Keep zaznacz plik tmwsock.dll i za pomocą strzałki (>>) przenieś go do okienka Remover i kliknij Finish

O10 - Unknown file in Winsock LSP: c:\windows\system32\tmwsock.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\tmwsock.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\tmwsock.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\tmwsock.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\tmwsock.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\tmwsock.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\tmwsock.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\tmwsock.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\tmwsock.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\tmwsock.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\tmwsock.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\tmwsock.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\tmwsock.dll

Użyj FixWareOut - http://downloads.subratam.org/Fixwareout.exe

Daj log z Combofix

trelemorele18 · 12 Czerwiec 2007 15:11

wykonałm pierwsza czesc czyli usunołem wpisy z hjt. po restarcie nie działał mi internet tylko gg sie załączało. Czekałem do wieczora na drugi dzien tez nic wiec sformatoqałem dysk. Wczoraj woeczorem (na swiezym windowsie) miałem znow podobne problemy. Nie otwieraja sie stronki i IE ani w mozilli. Ad aware wykrył 99 robakow w tym jakis whenU (?) jak usnołem to nadal nie moglem sie polaczyc z netem. Podkreslam ze nic nie sciagałem oprucz gg i na zadne porno nie wlaziłem tak dla jasnosci. Dzis zformtowałem go znowu i wszystko działa. Boje sie ylko ze problem znow powruci juz sie zabezpieczyłem i zaktualizowałem baze wirosow w ad aware i AVG Anti-Spyware. Normalnie jak mam ten problem to nie moge nic zaktualizować. Formatuje zawsze tylko dysk C jest mozliwoc ze wirusy (choc ich tam nie wykrywa) mogły pozostać na innych partycjach ? (mam dwie NTFS w tym C i dwie FAT32)

co tu robić ? to nie wina łącza bo innym net działa tylko mi nie…

prosze o pomoc jak potrzebujecie wiecej info pytać … byle szybko bo kto wie moze wieczorem juz sie nie połącze z internetem

adam9870 · 12 Czerwiec 2007 15:19

Poczytaj o prawidłowej instalacji systemu operacyjnego i czynnościach, które tuż po instalacji należy wykonać w celu zabezpieczenia systemu - Prawidłowe instalowanie Windows 2000/XP/2003.

Wklej komplet nowych logów tj. HijackThis i ComboFix.

trelemorele18 · 12 Czerwiec 2007 15:38

no racja nigdy nie odlaczałem kabelka od neta podczas formatu.

Logfile of HijackThis v1.99.1 Scan saved at 17:32:38, on 2007-06-12 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\RunDll32.exe C:\WINDOWS\system32\atiptaxx.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Gadu-Gadu\gg.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Internet Explorer\iexplore.exe C:\DOCUME~1\mateo\USTAWI~1\Temp\Katalog tymczasowy 1 dla hijackthis.zip\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O4 - HKLM…\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd O4 - HKLM…\Run: [AtiPTA] atiptaxx.exe O4 - HKLM…\Run: [!AVG Anti-Spyware] “C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe” /minimized O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O17 - HKLM\System\CCS\Services\Tcpip…{D22403B2-D219-4FEF-98C8-E9CE43316C7B}: NameServer = 10.0.0.2 O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

ComboFix 07-06-11.3 - C:\Documents and Settings\mateo\Pulpit\ComboFix.exe “mateo” - 2007-06-12 17:36:00 - Dodatek Service Pack 2 NTFS ((((((((((((((((((((((((( Files Created from 2007-05-12 to 2007-06-12 ))))))))))))))))))))))))))))))) 2007-06-12 18:32 58,624 --a------ C:\WINDOWS\system32\drivers\redbook.sys 2007-06-12 18:32 3,072 --a------ C:\WINDOWS\system32\drivers\audstub.sys 2007-06-12 18:32 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys 2007-06-12 18:31 77,312 --a------ C:\WINDOWS\system32\usbui.dll 2007-06-12 18:31 524,567 --a------ C:\WINDOWS\system32\ati3d1ag.dll 2007-06-12 18:31 516,768 --a------ C:\WINDOWS\system32\ativvaxx.dll 2007-06-12 18:31 385,152 --a------ C:\WINDOWS\system32\drivers\ati2mtag.sys 2007-06-12 18:31 229,376 --a------ C:\WINDOWS\system32\ati2cqag.dll 2007-06-12 18:31 215,040 --a------ C:\WINDOWS\system32\ati2dvag.dll 2007-06-12 18:31 10,624 --a------ C:\WINDOWS\system32\drivers\gameenum.sys 2007-06-12 18:31 1,888,992 --a------ C:\WINDOWS\system32\ati3duag.dll 2007-06-12 18:29 9,936 --a------ C:\WINDOWS\system\LZEXPAND.DLL 2007-06-12 18:29 9,168 --a------ C:\WINDOWS\system\VER.DLL 2007-06-12 18:29 85,532 --a------ C:\WINDOWS\system32\dgsetup.dll 2007-06-12 18:29 83,456 --a------ C:\WINDOWS\system\OLECLI.DLL 2007-06-12 18:29 8,704 --a------ C:\WINDOWS\system32\batt.dll 2007-06-12 18:29 8,192 -ra------ C:\WINDOWS\system32\kbdhept.dll 2007-06-12 18:29 75,776 --a------ C:\WINDOWS\system32\storprop.dll 2007-06-12 18:29 70,144 --a------ C:\WINDOWS\NOTEPAD.EXE 2007-06-12 18:29 70,096 --a------ C:\WINDOWS\system\AVICAP.DLL 2007-06-12 18:29 7,168 --a------ C:\WINDOWS\system32\kbdcz.dll 2007-06-12 18:29 69,552 --a------ C:\WINDOWS\system\MMSYSTEM.DLL 2007-06-12 18:29 6,656 -ra------ C:\WINDOWS\system32\kbdhela3.dll 2007-06-12 18:29 6,656 --a------ C:\WINDOWS\system32\kbdycl.dll 2007-06-12 18:29 6,656 --a------ C:\WINDOWS\system32\kbdsl1.dll 2007-06-12 18:29 6,656 --a------ C:\WINDOWS\system32\kbdsl.dll 2007-06-12 18:29 6,656 --a------ C:\WINDOWS\system32\kbdhu.dll 2007-06-12 18:29 6,656 --a------ C:\WINDOWS\system32\kbdcz2.dll 2007-06-12 18:29 6,656 --a------ C:\WINDOWS\system32\kbdcz1.dll 2007-06-12 18:29 6,656 --a------ C:\WINDOWS\system32\kbdcr.dll 2007-06-12 18:29 6,656 --a------ C:\WINDOWS\system32\KBDAL.DLL 2007-06-12 18:29 6,144 -ra------ C:\WINDOWS\system32\kbdtuq.dll 2007-06-12 18:29 6,144 -ra------ C:\WINDOWS\system32\kbdtuf.dll 2007-06-12 18:29 6,144 -ra------ C:\WINDOWS\system32\kbdlv1.dll 2007-06-12 18:29 6,144 -ra------ C:\WINDOWS\system32\kbdlv.dll 2007-06-12 18:29 6,144 -ra------ C:\WINDOWS\system32\kbdhela2.dll 2007-06-12 18:29 6,144 -ra------ C:\WINDOWS\system32\kbdgkl.dll 2007-06-12 18:29 6,144 -ra------ C:\WINDOWS\system32\kbdest.dll 2007-06-12 18:29 5,632 -ra------ C:\WINDOWS\system32\kbdmon.dll 2007-06-12 18:29 5,632 -ra------ C:\WINDOWS\system32\kbdlt1.dll 2007-06-12 18:29 5,632 -ra------ C:\WINDOWS\system32\kbdlt.dll 2007-06-12 18:29 5,632 -ra------ C:\WINDOWS\system32\kbdkyr.dll 2007-06-12 18:29 5,632 -ra------ C:\WINDOWS\system32\kbdhe319.dll 2007-06-12 18:29 5,632 -ra------ C:\WINDOWS\system32\kbdhe220.dll 2007-06-12 18:29 5,632 -ra------ C:\WINDOWS\system32\kbdhe.dll 2007-06-12 18:29 5,632 -ra------ C:\WINDOWS\system32\kbdazel.dll 2007-06-12 18:29 5,632 --a------ C:\WINDOWS\system32\kbdro.dll 2007-06-12 18:29 5,632 --a------ C:\WINDOWS\system32\kbdhu1.dll 2007-06-12 18:29 5,120 --a------ C:\WINDOWS\system\SHELL.DLL 2007-06-12 18:29 33,376 --a------ C:\WINDOWS\system\COMMDLG.DLL 2007-06-12 18:29 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll 2007-06-12 18:29 24,064 --a------ C:\WINDOWS\system\OLESVR.DLL 2007-06-12 18:29 19,200 --a------ C:\WINDOWS\system\TAPI.DLL 2007-06-12 18:29 176,157 --a------ C:\WINDOWS\system32\dgrpsetu.dll 2007-06-12 18:29 15,360 --a------ C:\WINDOWS\TASKMAN.EXE 2007-06-12 18:29 13,312 --a------ C:\WINDOWS\system32\irclass.dll 2007-06-12 18:29 127,008 --a------ C:\WINDOWS\system\MSVIDEO.DLL 2007-06-12 18:29 11,264 --a------ C:\WINDOWS\system32\drivers\irenum.sys 2007-06-12 18:29 109,488 --a------ C:\WINDOWS\system\AVIFILE.DLL 2007-06-12 18:29 103,424 --a------ C:\WINDOWS\system32\EqnClass.Dll 2007-06-12 18:29 2007-06-12 18:29 2007-06-12 18:29 2007-06-12 18:29 2007-06-12 18:29 2007-06-12 18:29 2007-06-12 18:29 2007-06-12 18:29 2007-06-12 18:29 2007-06-12 18:29 2007-06-12 18:29 2007-06-12 18:29 2007-06-12 18:29 2007-06-12 18:29 2007-06-12 18:29 2007-06-12 18:29 2007-06-12 18:29 2007-06-12 18:29 2007-06-12 18:29 2007-06-12 18:28 2007-06-12 18:28 2007-06-12 18:23 2007-06-12 18:23 2007-06-12 18:23 2007-06-12 18:23 2007-06-12 18:23 2007-06-12 18:23 2007-06-12 18:23 2007-06-12 18:23 2007-06-12 18:23 2007-06-12 18:23 2007-06-12 18:23 2007-06-12 18:23 2007-06-12 18:23 2007-06-12 18:23 2007-06-12 18:23 2007-06-12 18:23 2007-06-12 18:23 2007-06-12 18:23 2007-06-12 18:23 (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-06-12 14:47:19 49,492 ----a-w C:\WINDOWS\system32\perfc015.dat 2007-06-12 14:47:19 355,486 ----a-w C:\WINDOWS\system32\perfh015.dat 2007-06-12 14:40:30 -------- d-----w C:\Program Files\Usługi online ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “Cmaudio”=“cmicnfg.cpl” [] “AtiPTA”=“atiptaxx.exe” [2002-02-15 11:42 C:\WINDOWS\system32\atiptaxx.exe] “HydarVisionDesktopManager”="" [] “!AVG Anti-Spyware”=“C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe” [2007-05-30 14:30] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “CTFMON.EXE”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-04 00:44] “Gadu-Gadu”=“C:\Program Files\Gadu-Gadu\gg.exe” [2007-05-10 16:36] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks] “{57B86673-276A-48B2-BAE7-C6DBB3020EB8}”=“C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll” [2007-05-30 14:29] *Newly Created Service* - AVGASCLN ************************************************************************** catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net Rootkit scan 2007-06-12 17:36:44 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ************************************************************************** Completion time: 2007-06-12 17:37:20 — E O F —

wwd zawsze uzywałem no ale tez potym jak podlaczyłem neta

mam jeszcze pytanie co z zaporą windows ? warto miec ja właczoną?

Gutek · 12 Czerwiec 2007 18:16

Jest Ok

trelemorele18 · 12 Czerwiec 2007 19:38

znalazłem przyczyne ! to Bear Share po instalacji sciaga jakis when u save a wraz z tym jakies gowna i neta blokuje … i znow bym sie złapał naszczescie w pore odlaczyłem kabel od neta i wszystko recznie pousuwałem. Nie wiem czy to przy wszystkich instalkach bo ja mam troche starawą na płycie ale zawsze z niej korzystałem i nic takiego ni emiało miejsca

pozdro