Antivirus XP 2008 - HijackThis log


(Sebastian) #1

Hello,

I would really appreciate help removing this virus. There are already several threads like this on this forum, but this Antivirus XP 2008 is a new version or something along those lines, because the HijackThis logs don't match the ones in the many threads I checked. I can't remove it in any way.

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 15:55:29, on 2008-08-24

Platform: Windows XP Dodatek SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Boot mode: Normal


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\system32\lphcggnj0ej9a.exe

C:\Program Files\rhclgnj0ej9a\rhclgnj0ej9a.exe

C:\WINDOWS\system32\ctfmon.exe

C:\freescan\freescan.exe

F:\Pulpit\Gadu-Gadu\gg.exe

C:\Program Files\Microsoft ActiveSync\wcescomm.exe

C:\WINDOWS\system32\drivers\svchost.exe

C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe

C:\Program Files\Xfire\xfire.exe

C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe

C:\PROGRA~1\MI3AA1~1\rapimgr.exe

C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE

C:\WINDOWS\system32\CTsvcCDA.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\system32\pphcggnj0ej9a.exe

E:\dane z dysku 20GB\LUDZ\gagaga\Nowy folder\Alcohol 52\StarWind\StarWindServiceAE.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\alg.exe

C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.allegro.pl/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll

O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

O4 - HKLM\..\Run: [lphcggnj0ej9a] C:\WINDOWS\system32\lphcggnj0ej9a.exe

O4 - HKLM\..\Run: [SMrhclgnj0ej9a] C:\Program Files\rhclgnj0ej9a\rhclgnj0ej9a.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Spyware Begone] C:\freescan\freescan.exe -FastScan

O4 - HKCU\..\Run: [Gadu-Gadu] "F:\Pulpit\Gadu-Gadu\gg.exe" /tray

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"

O4 - HKCU\..\Run: [kamsoft] C:\WINDOWS\system32\ckvo.exe

O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun

O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe

O4 - Global Startup: BlueSoleil.lnk = C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe

O4 - Global Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = E:\dane z dysku 20GB\Documents and Settings\programs\MFIndexer.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/haphazard/raptisoftgameloader.cab

O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.miniclip.com/ricochet/ReflexiveWebGameLoader.cab

O16 - DPF: {92ECE6FA-AC2E-4042-BFAE-0C8608E52A43} (SignActivX Control) - https://www.bph.pl/pi/components/SignActivX.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe

O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - E:\dane z dysku 20GB\LUDZ\gagaga\Nowy folder\Alcohol 52\StarWind\StarWindServiceAE.exe


--

End of file - 8115 bytes

Once again, I'd really appreciate help!

Laokoon


(huber2t) #2

Fix in HijackThis

Download ComboFix, but don't run it

Open Notepad and paste into it:

File::

C:\WINDOWS\system32\lphcggnj0ej9a.exe

C:\WINDOWS\system32\ckvo.exe

C:\WINDOWS\system32\drivers\svchost.exe

C:\WINDOWS\system32\pphcggnj0ej9a.exe


Folder::

C:\Program Files\rhclgnj0ej9a

File -> Save As -> CFScript.txt.

Drag and drop the CFScript.txt icon onto the ComboFix.exe icon, like this ->

cfscript10uc2.gif

Removal will start and a log will be created, which you then post on the forum.

Post the logs on http://wklej.eu or http://wklej.org and put only the link in your post


(Leon$) #3

entries

remove with HijackThis >> Fix checked

Disinfect the USB stick or memory card http://www.softpedia.com/get/Security/S ... Tool.shtml

Flash Disinfector http://www.searchengines.pl/index.php?s ... ntry369724

or format it

Download Combofix http://www.searchengines.pl/index.php?s ... ntry395642 but don't run it.

Open Notepad and paste

save as CFScript.txt (save it so that the CFScript.txt icon is next to the ComboFix.exe icon) >> Drag and drop the CFScript.txt icon onto the ComboFix.exe icon

http://img.wklej.org/images/88953CFScri ... iemoes.gif

Removal should start

Then post the Combofix removal log

:slight_smile:
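An added example, not code from this thread or from HijackThis/ComboFix: a Python triage script that reads a HijackThis log like the one in post #1, flags the kinds of entries the two replies above point at (machine-generated names such as lphcggnj0ej9a, a svchost.exe outside system32) and drafts the File::/Folder:: CFScript layout from post #2. The name heuristics and the shortened sample log are assumptions for illustration; the output is a starting point for a human to check, not a verdict.

```python
"""Triage a HijackThis log and draft a ComboFix CFScript from the findings.
Added illustration, not a tool from this thread or from HijackThis/ComboFix;
the heuristics (machine-generated names such as lphcggnj0ej9a, a system binary
run from the wrong directory) and the sample log are constructed assumptions."""
import ntpath
import re

# Where these names legitimately live on a default Windows XP install.
SYSTEM_BINARIES = {n: r"c:\windows\system32" for n in (
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "ctfmon.exe")}

_DRIVE_RE = re.compile(r"[A-Za-z]:\\")   # bare path line under "Running processes:"
# A quoted path, or everything up to the first executable extension.
_CMD_RE = re.compile(r'"([^"]+)"|(\S.*?\.(?:exe|com|dll|sys))', re.IGNORECASE)

# Constructed sample: entries taken from the log in post #1, shortened.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\lphcggnj0ej9a.exe
C:\Program Files\rhclgnj0ej9a\rhclgnj0ej9a.exe
C:\WINDOWS\system32\drivers\svchost.exe
C:\WINDOWS\system32\pphcggnj0ej9a.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [lphcggnj0ej9a] C:\WINDOWS\system32\lphcggnj0ej9a.exe
O4 - HKLM\..\Run: [SMrhclgnj0ej9a] C:\Program Files\rhclgnj0ej9a\rhclgnj0ej9a.exe
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
"""


def looks_random(stem: str) -> bool:
    """Long, mixes letters and digits, almost no vowels: 'lphcggnj0ej9a' yes,
    'Ati2evxx' and 'hpgs2wnd' no.  Heuristic only; pair it with an allow-list."""
    s = stem.lower()
    letters = [c for c in s if c.isalpha()]
    if len(s) < 10 or not letters or not any(c.isdigit() for c in s):
        return False
    return sum(c in "aeiouy" for c in letters) / len(letters) <= 0.25


def command_path(command: str):
    """Image path from an O4 command line, dropping arguments and trailing notes."""
    m = _CMD_RE.search(command)
    return (m.group(1) or m.group(2)) if m else None


def autostart_paths(log: str) -> list:
    """Image paths from process lines and O4 entries, in order, unique (case-insensitive)."""
    paths = []
    for line in (l.strip() for l in log.splitlines()):
        if _DRIVE_RE.match(line):
            paths.append(line)
        elif line.startswith("O4 - "):
            for sep in ("] ", " = "):   # "[Name] command" or "x.lnk = path"
                if sep in line:
                    p = command_path(line.split(sep, 1)[1])
                    if p:
                        paths.append(p)
                    break
    seen = set()
    return [p for p in paths if not (p.lower() in seen or seen.add(p.lower()))]


def triage(log: str) -> list:
    """(path, reason) pairs that a human should look at first."""
    findings = []
    for path in autostart_paths(log):
        base, folder = ntpath.basename(path), ntpath.dirname(path)
        expected = SYSTEM_BINARIES.get(base.lower())
        if expected and folder.lower() != expected:
            findings.append((path, "system binary name outside " + expected))
        elif looks_random(ntpath.splitext(base)[0]):
            findings.append((path, "machine-generated file name"))
    return findings


def build_cfscript(findings) -> str:
    """CFScript.txt draft in the layout from post #2: File:: for single files,
    Folder:: for the whole directory when the directory name itself looks generated."""
    files, folders = [], []
    for path, _ in findings:
        folder = ntpath.dirname(path)
        if looks_random(ntpath.basename(folder)):
            if folder not in folders:
                folders.append(folder)
        elif path not in files:
            files.append(path)
    lines = ["File::", *files]
    if folders:
        lines += ["", "Folder::", *folders]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_cfscript(triage(SAMPLE_LOG)), end="")
```

Run against SAMPLE_LOG it flags the two lphc/pphc files, the rhclgnj0ej9a folder and the svchost.exe in system32\drivers, the same items the helpers listed in post #2.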


(Sebastian) #4

Thank you very much for the help, unfortunately it didn't work. :frowning:

I removed what you told me to with HijackThis, then I downloaded ComboFix (in the process it turned out that I can't download or upload anything through a browser, neither Firefox nor IE, and a friend had to send it to me via GG), I dragged that txt file onto the ComboFix icon, a progress bar appeared saying it was removing, and then a message with the following text: "combofix has detected the presence of rootkit activity and needs to reboot the machine". I clicked OK and it restarted the computer; the second time, the same thing ;/

I'd really appreciate help or hints on what I did wrong

Laokoon

PS. I forgot to write earlier, it deleted my wallpaper, the screen was white, and now there's a virus warning on the screen that looks pasted into the wallpaper, supposedly a Windows message, but I don't know anymore

PPS. it didn't show a log


(huber2t) #5

Start --> Search --> ComboFix.txt


(Sebastian) #6

it didn't find it ;/


(Jaszyn18) #7

For me it saved as bug.txt on drive C


(Sebastian) #8

Oh, thank you, it's there as bug.txt. I'm pasting it like this because I think this virus has blocked file upload and download in my browsers

PUSHD "C:\327882R2FWJFW\" 


IF NOT EXIST C:\WINDOWS\system32\cmd.exe GOTO Not_NT 


VER 1>temp00 


FIND.exe "Microsoft Windows [Version 5.2.3790]" temp00 1>null 


IF NOT ERRORLEVEL 1 GOTO Not_NT 


FIND.exe "Windows XP" temp00 1>null 


Del temp00 


PV -o"%i\t%l" | SED "/\t.*\\nircmd\.inf$/!d; s///; s/./@pv -kfi &/" 1>temp00.bat 


CALL temp00.bat 


DEL temp00.bat 2>null 


=============================================


ALLUSERSPROFILE=C:\Documents and Settings\All Users

APPDATA=C:\Documents and Settings\Ludľ\Dane aplikacji

BitRock=1

CFLDR=327882R2FWJFW

CommonProgramFiles=C:\Program Files\Common Files

COMPUTERNAME=OL-D20D504D32C3

ComSpec=C:\WINDOWS\system32\cmd.exe

FP_NO_HOST_CHECK=NO

HOMEDRIVE=C:

HOMEPATH=\Documents and Settings\Ludľ

KMD=CF18862.exe

LOGONSERVER=\\OL-D20D504D32C3

NUMBER_OF_PROCESSORS=1

OS=Windows_NT

Path=C:\327882R2FWJFW;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\Common Files\Autodesk Shared\;;C:\PROGRA~1\COMMON~1\AUTODE~1

PATHEXT=.cfexe;.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH

PROCESSOR_ARCHITECTURE=x86

PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 1, AuthenticAMD

PROCESSOR_LEVEL=6

PROCESSOR_REVISION=0801

ProgramFiles=C:\Program Files

PROMPT=$

SESSIONNAME=Console

sfxname=C:\Documents and Settings\Ludľ\Pulpit\ComboFix.exe

SYSTEM=C:\WINDOWS\system32

SystemDrive=C:

SystemRoot=C:\WINDOWS

TEMP=C:\DOCUME~1\LUD~1\USTAWI~1\Temp

TMP=C:\DOCUME~1\LUD~1\USTAWI~1\Temp

USERDOMAIN=OL-D20D504D32C3

USERNAME=Ludľ

USERPROFILE=C:\Documents and Settings\Ludľ

windir=C:\WINDOWS


=============================================

IF NOT DEFINED sfxname GOTO END 


Restoring 'cfdummy' to 'HKLM\System\CurrentControlSet\Services\deleteme17450' was not successful

(Sebastian) #9

Hello

I tried this operation with ComboFix once again and the rootkit message popped up again ;/

this is the ComboFix log:

PUSHD "C:\327882R2FWJFW\" 


IF NOT EXIST C:\WINDOWS\system32\cmd.exe GOTO Not_NT 


VER 1>temp00 


FIND.exe "Microsoft Windows [Version 5.2.3790]" temp00 1>null 


IF NOT ERRORLEVEL 1 GOTO Not_NT 


FIND.exe "Windows XP" temp00 1>null 


Del temp00 


PV -o"%i\t%l" | SED "/\t.*\\nircmd\.inf$/!d; s///; s/./@pv -kfi &/" 1>temp00.bat 


CALL temp00.bat 


DEL temp00.bat 2>null 


=============================================


ALLUSERSPROFILE=C:\Documents and Settings\All Users

APPDATA=C:\Documents and Settings\Ludľ\Dane aplikacji

BitRock=1

CFLDR=327882R2FWJFW

CommonProgramFiles=C:\Program Files\Common Files

COMPUTERNAME=OL-D20D504D32C3

ComSpec=C:\WINDOWS\system32\cmd.exe

FP_NO_HOST_CHECK=NO

HOMEDRIVE=C:

HOMEPATH=\Documents and Settings\Ludľ

KMD=CF12134.exe

LOGONSERVER=\\OL-D20D504D32C3

NUMBER_OF_PROCESSORS=1

OS=Windows_NT

Path=C:\327882R2FWJFW;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\Common Files\Autodesk Shared\;;C:\PROGRA~1\COMMON~1\AUTODE~1

PATHEXT=.cfexe;.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH

PROCESSOR_ARCHITECTURE=x86

PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 1, AuthenticAMD

PROCESSOR_LEVEL=6

PROCESSOR_REVISION=0801

ProgramFiles=C:\Program Files

PROMPT=$

SESSIONNAME=Console

sfxname=C:\Documents and Settings\Ludľ\Pulpit\ComboFix.exe

SYSTEM=C:\WINDOWS\system32

SystemDrive=C:

SystemRoot=C:\WINDOWS

TEMP=C:\DOCUME~1\LUD~1\USTAWI~1\Temp

TMP=C:\DOCUME~1\LUD~1\USTAWI~1\Temp

USERDOMAIN=OL-D20D504D32C3

USERNAME=Ludľ

USERPROFILE=C:\Documents and Settings\Ludľ

windir=C:\WINDOWS


=============================================

IF NOT DEFINED sfxname GOTO END 


Restoring 'cfdummy' to 'HKLM\System\CurrentControlSet\Services\deleteme4155' was not successful

I managed to manually delete all of this virus's files together with the folder they were in, which was impossible before; the virus no longer starts when the computer boots, but the wallpaper with the virus warning (probably fake, because it's in the style of Vista windows and I have XP) is still there and I can't change the wallpaper, because when I click Desktop >> Properties there are only 3 tabs there: Themes, Appearance and Settings, nothing more.

As someone who knows absolutely nothing about computers, do I have a chance of doing anything about a rootkit?

Once again I ask for help

Laokoon


(Leon$) #10

Download the SDFix program

-


(Sebastian) #11

I did what you said with that SDFix, here's what it "spat out":

Rebooting

[b]Checking Files [/b]: 


Trojan Files Found:


C:\WINDOWS\system32\lphcggnj0ej9a.exe - Deleted

C:\WINDOWS\system32\pphcggnj0ej9a.exe - Deleted

Could Not Remove C:\WINDOWS\system32\drivers\tdssserv.sys 

Could Not Remove C:\WINDOWS\system32\tdssadw.dll 

Could Not Remove C:\WINDOWS\system32\tdssinit.dll 

Could Not Remove C:\WINDOWS\system32\tdssl.dll 

Could Not Remove C:\WINDOWS\system32\tdsslog.dll 

Could Not Remove C:\WINDOWS\system32\tdssmain.dll 

Could Not Remove C:\WINDOWS\system32\tdssservers.dat 
Removing Temp Files


[b]ADS Check [/b]:

[b]Final Check [/b]:


catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-08-24 23:12:54

Windows 5.1.2600 Dodatek Service Pack 3 NTFS


scanning hidden processes ...


scanning hidden services & system hive ...


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]

"s1"=dword:2df9c43f

"s2"=dword:110480d0

"h0"=dword:00000002


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]

"p0"="E:\dane z dysku 20GB\LUDZ\gagaga\Nowy folder\Alcohol 52\"

"h0"=dword:00000000

"ujdew"=hex:c1,fb,37,e2,d4,53,f0,a0,8c,6a,73,e6,83,3a,47,c8,4c,f9,ef,a8,b8,..


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]

"p0"="C:\Program Files\DAEMON Tools Lite\"

"h0"=dword:00000001

"khjeh"=hex:79,17,57,1f,da,19,f9,5c,1b,66,4f,82,4b,3a,29,51,e9,f9,5d,dd,a8,..


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]

"a0"=hex:20,01,00,00,93,4f,83,62,f9,ab,0e,78,07,a2,bd,f8,a5,fa,96,57,15,..

"khjeh"=hex:d9,03,89,1b,c2,9a,02,df,88,7d,a8,92,48,25,fe,3e,f9,67,60,36,da,..


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]

"khjeh"=hex:a5,79,19,ca,44,db,48,68,b0,37,6e,95,34,5a,e8,d1,12,66,66,22,92,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdssserv]

"start"=dword:00000001

"type"=dword:00000001

"imagepath"=str(2):"\systemroot\system32\drivers\tdssserv.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]

"p0"="E:\dane z dysku 20GB\LUDZ\gagaga\Nowy folder\Alcohol 52\"

"h0"=dword:00000000

"ujdew"=hex:c1,fb,37,e2,d4,53,f0,a0,8c,6a,73,e6,83,3a,47,c8,4c,f9,ef,a8,b8,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Minimal\tdssserv.sys]

@="driver"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Network\tdssserv.sys]

@="driver"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]

"p0"="E:\dane z dysku 20GB\LUDZ\gagaga\Nowy folder\Alcohol 52\"

"h0"=dword:00000000

"ujdew"=hex:c1,fb,37,e2,d4,53,f0,a0,8c,6a,73,e6,83,3a,47,c8,4c,f9,ef,a8,b8,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]

"p0"="C:\Program Files\DAEMON Tools Lite\"

"h0"=dword:00000001

"khjeh"=hex:79,17,57,1f,da,19,f9,5c,1b,66,4f,82,4b,3a,29,51,e9,f9,5d,dd,a8,..


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]

"a0"=hex:20,01,00,00,93,4f,83,62,f9,ab,0e,78,07,a2,bd,f8,a5,fa,96,57,15,..

"khjeh"=hex:d9,03,89,1b,c2,9a,02,df,88,7d,a8,92,48,25,fe,3e,f9,67,60,36,da,..


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]

"khjeh"=hex:a5,79,19,ca,44,db,48,68,b0,37,6e,95,34,5a,e8,d1,12,66,66,22,92,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\tdssserv]

"start"=dword:00000001

"type"=dword:00000001

"imagepath"=str(2):"\systemroot\system32\drivers\tdssserv.sys"


scanning hidden registry entries ...


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]

"TracesProcessed"=dword:000000a1

"TracesSuccessful"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710


scanning hidden files ...


C:\WINDOWS\system32\tdssadw.dll 32768 bytes executable

C:\WINDOWS\system32\tdssinit.dll 57727 bytes

C:\WINDOWS\system32\tdssl.dll 16384 bytes executable

C:\WINDOWS\system32\tdsslog.dll 10752 bytes executable

C:\WINDOWS\system32\tdssmain.dll 10752 bytes executable

C:\WINDOWS\system32\tdssserf.dll 12288 bytes executable

C:\WINDOWS\system32\tdssservers.dat 217 bytes

C:\WINDOWS\system32\drivers\tdssserv.sys 35328 bytes executable

C:\WINDOWS\Temp\tdssbfe5.tmp 0 bytes

C:\WINDOWS\Temp\tdssc1aa.tmp 0 bytes

C:\WINDOWS\Temp\tdssc37f.tmp 0 bytes


scan completed successfully

hidden processes: 0

hidden services: 1

hidden files: 11

[b]Remaining Services [/b]:

Authorized Application Key Export:


[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\\Documents and Settings\\Ol©dzki\\Moje dokumenty\\Gadu-Gadu\\gg.exe"="C:\\Documents and Settings\\Ol©dzki\\Moje dokumenty\\Gadu-Gadu\\gg.exe:*:Enabled:Gadu-Gadu - program glowny"

"E:\\Gadu-Gadu\\gg.exe"="E:\\Gadu-Gadu\\gg.exe:*:Enabled:Gadu-Gadu - program glowny"

"E:\\dane z dysku 20GB\\LUDZ\\Gadu-Gadu\\gg.exe"="E:\\dane z dysku 20GB\\LUDZ\\Gadu-Gadu\\gg.exe:*:Enabled:Gadu-Gadu - program glowny"

"C:\\Documents and Settings\\Ludľ\\Pulpit\\eMule.exe"="C:\\Documents and Settings\\Ludľ\\Pulpit\\eMule.exe:*:Enabled:eMule"

"C:\\Program Files\\eMule\\eMule.exe"="C:\\Program Files\\eMule\\eMule.exe:*:Enabled:eMule"

"C:\\Program Files\\EA GAMES\\Need for Speed Most Wanted PC Demo\\speedDemo.exe"="C:\\Program Files\\EA GAMES\\Need for Speed Most Wanted PC Demo\\speedDemo.exe:*:Enabled:speedDemo"

"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"

"C:\\Documents and Settings\\Ludľ\\Ustawienia lokalne\\Temp\\Rar$EX05.734\\ManiaDrive-1.01-win32-i386-data\\game\\mania_server.exe"="C:\\Documents and Settings\\Ludľ\\Ustawienia lokalne\\Temp\\Rar$EX05.734\\ManiaDrive-1.01-win32-i386-data\\game\\mania_server.exe:*:Enabled:mania_server"

"C:\\Documents and Settings\\Ludľ\\Ustawienia lokalne\\Temp\\Rar$EX07.344\\ManiaDrive-1.01-win32-i386-data\\game\\mania_server.exe"="C:\\Documents and Settings\\Ludľ\\Ustawienia lokalne\\Temp\\Rar$EX07.344\\ManiaDrive-1.01-win32-i386-data\\game\\mania_server.exe:*:Enabled:mania_server"

"C:\\Program Files\\EA GAMES\\Need for Speed Underground 2 Demo\\speed2demo.exe"="C:\\Program Files\\EA GAMES\\Need for Speed Underground 2 Demo\\speed2demo.exe:*:Enabled:speed2demo"

"C:\\WINDOWS\\system32\\dplaysvr.exe"="C:\\WINDOWS\\system32\\dplaysvr.exe:*:Enabled:Microsoft DirectPlay Helper"

"C:\\Program Files\\Drago Games\\Vulture\\Vulture.exe"="C:\\Program Files\\Drago Games\\Vulture\\Vulture.exe:*:Enabled:VULTURE"

"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"

"C:\\Program Files\\Real\\RealOne Player\\realplay.exe"="C:\\Program Files\\Real\\RealOne Player\\realplay.exe:*:Enabled:RealOne Player"

"C:\\Program Files\\Xfire\\xfire.exe"="C:\\Program Files\\Xfire\\xfire.exe:*:Enabled:Xfire"

"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"

"C:\\Program Files\\Kazaa Lite Rewolucja\\kazaalite.kpp"="C:\\Program Files\\Kazaa Lite Rewolucja\\kazaalite.kpp:*:Enabled:kazaalite"

"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"

"F:\\Azureus\\Azureus.exe"="F:\\Azureus\\Azureus.exe:*:Enabled:Azureus"

"F:\\mp3\\angielskie\\hl.exe"="F:\\mp3\\angielskie\\hl.exe:*:Enabled:Half-Life Launcher"

"F:\\mp3\\angielskie\\cstrike\\hltv.exe"="F:\\mp3\\angielskie\\cstrike\\hltv.exe:*:Enabled:HLTV Launcher"

"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"

"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Enabled:Uruchamia plik DLL jako aplikacj©"

"C:\\Documents and Settings\\Ol©dzki\\Pulpit\\Gadu-Gadu\\gg.exe"="C:\\Documents and Settings\\Ol©dzki\\Pulpit\\Gadu-Gadu\\gg.exe:*:Enabled:Gadu-Gadu - program g˘wny"

"C:\\Documents and Settings\\Ludľ\\Pulpit\\Gadu-Gadu\\gg.exe"="C:\\Documents and Settings\\Ludľ\\Pulpit\\Gadu-Gadu\\gg.exe:*:Enabled:Gadu-Gadu - program g˘wny"

"F:\\Pulpit\\Gadu-Gadu\\gg.exe"="F:\\Pulpit\\Gadu-Gadu\\gg.exe:*:Enabled:Gadu-Gadu - program g˘wny"

"F:\\mp3\\angielskie\\Nowy folder\\hl.exe"="F:\\mp3\\angielskie\\Nowy folder\\hl.exe:*:Enabled:Half-Life Launcher"

"F:\\mp3\\angielskie\\Nowy folder\\hlds.exe"="F:\\mp3\\angielskie\\Nowy folder\\hlds.exe:*:Enabled:HLDS Launcher"

"F:\\mp3\\angielskie\\Nowy folder\\Nowy folder\\hl.exe"="F:\\mp3\\angielskie\\Nowy folder\\Nowy folder\\hl.exe:*:Enabled:Half-Life Launcher"

"F:\\Azureus\\Azureus\\Azureus.exe"="F:\\Azureus\\Azureus\\Azureus.exe:*:Enabled:Azureus"

"F:\\mp3\\paintball\\Paintball2\\paintball2.exe"="F:\\mp3\\paintball\\Paintball2\\paintball2.exe:*:Enabled:paintball2"

"F:\\mp3\\little fighter\\LF2_v1.9c\\lf2.exe"="F:\\mp3\\little fighter\\LF2_v1.9c\\lf2.exe:*:Enabled:lf2"

"C:\\Documents and Settings\\Ludľ\\Ustawienia lokalne\\Temp\\Rar$EX01.062\\lf2_Kate\\lf2.exe"="C:\\Documents and Settings\\Ludľ\\Ustawienia lokalne\\Temp\\Rar$EX01.062\\lf2_Kate\\lf2.exe:*:Enabled:lf2"

"C:\\Documents and Settings\\Ludľ\\Pulpit\\lf2 kate\\lf2_Kate\\lf2.exe"="C:\\Documents and Settings\\Ludľ\\Pulpit\\lf2 kate\\lf2_Kate\\lf2.exe:*:Enabled:lf2"

"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"

"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"

"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"

"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"="C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe:*:Enabled:BlueSoleil"

"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"

"C:\\WINDOWS\\system32\\drivers\\svchost.exe"="C:\\WINDOWS\\system32\\drivers\\svchost.exe:*:Disabled:svchost"


[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"

"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"

"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"


[b]Remaining Files [/b]:


C:\WINDOWS\system32\drivers\tdssserv.sys Found

C:\WINDOWS\system32\tdssadw.dll Found

C:\WINDOWS\system32\tdssinit.dll Found

C:\WINDOWS\system32\tdssl.dll Found

C:\WINDOWS\system32\tdsslog.dll Found

C:\WINDOWS\system32\tdssmain.dll Found

C:\WINDOWS\system32\tdssservers.dat Found


File Backups: - C:\SDFix\backups\backups.zip


[b]Files with Hidden Attributes [/b]:


Sat 16 Aug 2008 90,343 ..SHR --- "C:\0.com"

Wed 9 Jul 2008 118,734 ..SHR --- "C:\00hoeav.com"

Fri 11 Jul 2008 117,053 ..SHR --- "C:\0gjn3yw.exe"

Fri 25 Apr 2008 104,161 ..SHR --- "C:\1dg.exe"

Tue 29 Jul 2008 87,816 ..SHR --- "C:\1rfw8hjr.com"

Wed 12 Mar 2008 101,492 ..SHR --- "C:\22wcb21o.exe"

Thu 13 Mar 2008 101,291 ..SHR --- "C:\32e2.com"

Tue 1 Apr 2008 103,084 ..SHR --- "C:\6l6w8.com"

Thu 21 Aug 2008 90,994 ..SHR --- "C:\83fgj.com"

Fri 18 Apr 2008 103,202 ..SHR --- "C:\8ti.exe"

Wed 13 Aug 2008 89,917 ..SHR --- "C:\b3b9u.com"

Mon 11 Aug 2008 89,407 ..SHR --- "C:\bpu.exe"

Fri 1 Aug 2008 87,215 ..SHR --- "C:\e.com"

Tue 22 Jul 2008 116,906 ..SHR --- "C:\e9ehn1m8.com"

Sat 12 Jul 2008 116,972 ..SHR --- "C:\ffojc.com"

Fri 29 Feb 2008 107,155 ..SHR --- "C:\fppg1.exe"

Fri 25 Jul 2008 87,297 ..SHR --- "C:\g2pfnid.com"

Tue 15 Jul 2008 116,862 ..SHR --- "C:\k.com"

Sun 29 Jun 2008 112,227 ..SHR --- "C:\klp8j6i.com"

Tue 10 Jun 2008 117,064 ..SHR --- "C:\m88coaim.exe"

Sat 5 Apr 2008 103,463 ..SHR --- "C:\m9j.com"

Sun 24 Aug 2008 91,127 ..SHR --- "C:\n.com"

Mon 24 Mar 2008 101,835 ..SHR --- "C:\nlblkhq.com"

Sun 23 Mar 2008 99,626 ..SHR --- "C:\okqa2g.com"

Wed 16 Jul 2008 115,233 ..SHR --- "C:\p83gjy.exe"

Wed 2 Apr 2008 103,810 ..SHR --- "C:\qwc.exe"

Sun 6 Jul 2008 116,932 ..SHR --- "C:\qxbx9blb.com"

Thu 20 Mar 2008 102,455 ..SHR --- "C:\ser.com"

Sat 16 Aug 2008 91,179 ..SHR --- "C:\t1ypkh.exe"

Tue 24 Jun 2008 110,892 ..SHR --- "C:\t9peum02.exe"

Mon 11 Aug 2008 89,221 ..SHR --- "C:\tyktjfww.exe"

Sat 8 Mar 2008 102,536 ..SHR --- "C:\v.com"

Wed 23 Apr 2008 103,618 ..SHR --- "C:\vqv.exe"

Sun 16 Mar 2008 101,295 ..SHR --- "C:\xp19.com"

Sun 3 Aug 2008 89,885 ..SHR --- "C:\xqf.com"

Tue 5 Aug 2008 90,474 ..SHR --- "C:\xvlyb.exe"

Mon 21 Jul 2008 118,782 ..SHR --- "C:\ybj8df.exe"

Wed 9 Jul 2008 77,312 ..SHR --- "C:\WINDOWS\system32\amvo1.dll"

Sat 15 Mar 2008 72,192 ..SHR --- "C:\WINDOWS\system32\amvo2.dll"

Sun 24 Aug 2008 91,127 ..SHR --- "C:\WINDOWS\system32\ckvo.exe"

Sun 24 Aug 2008 84,992 ..SHR --- "C:\WINDOWS\system32\ckvo0.dll"

Sun 24 Aug 2008 84,992 ..SHR --- "C:\WINDOWS\system32\ckvo1.dll"

Thu 15 Jun 2006 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"

Tue 17 Oct 2006 23,040 ...H. --- "C:\Documents and Settings\Ludľ\Pulpit\~WRL0001.tmp"

Sun 14 Oct 2007 23,552 ...H. --- "C:\Documents and Settings\Ludľ\Pulpit\~WRL2947.tmp"

Mon 30 Apr 2007 1,007,616 ...H. --- "C:\Documents and Settings\Ol©dzki\Pulpit\~WRL0002.tmp"

Fri 11 May 2007 5,237,248 ...H. --- "C:\Documents and Settings\Ol©dzki\Pulpit\~WRL0467.tmp"


Finished!

now I'm getting to work on System Repair Engineer


(Sebastian) #12

I scanned with SREng (clicked "smart scan"), everything on default options, without changing anything, because I don't know the program; here is the log: http://wklej.org/id/784/


(Sebastian) #13

oh, now I can change the desktop background etc., it seems to have repaired itself; what should I do to check whether everything is OK now?


(Leon$) #14

Disinfect your pendrive or memory card http://www.softpedia.com/get/Security/S ... Tool.shtml

Flash Disinfector http://www.searchengines.pl/index.php?s ... ntry369724

or format it

Download and run The Avenger tool. Select the text given for removal on the forum,

copy >> click Paste Script from Clipboard >> Execute >> confirm and agree to the restart by clicking OK.

Manually delete the file C:\Avenger\backup.zip from the disk and paste the report C:\avenger.txt on the forum.

Open Notepad and paste

save as plik.reg >> all files >> merge with the registry >> restart

[screenshot]

a file with this icon will appear

[screenshot]

double-click it, confirm that you want to add it to the registry, then restart

run System Repair Engineer, tab System Repair, Browser Add-ons, find and remove

System Repair Engineer, tab Boot items, services, drivers, find and remove

then a new System Repair Engineer log; before running the scan untick HOSTS File

then a HijackThis log

:)


(Sebastian) #15

I did step 1; here is the report from Avenger:

Logfile of The Avenger Version 2.0, (c) by Swandog46

http://swandog46.geekstogo.com


Platform: Windows XP


*******************


Script file opened successfully.

Script file read successfully.


Backups directory opened successfully at C:\Avenger


*******************


Beginning to process script file:


Rootkit scan active.

No rootkits found!


File "C:\WINDOWS\system32\blphcggnj0ej9a.scr" deleted successfully.

File "C:\WINDOWS\system32\ckvo.exe" deleted successfully.

File "C:\WINDOWS\system32\ckvo1.dll" deleted successfully.

File "C:\Autorun.Inf" deleted successfully.

File "D:\Autorun.Inf" deleted successfully.

File "E:\Autorun.Inf" deleted successfully.

File "F:\Autorun.Inf" deleted successfully.


Completed script processing.


*******************


Finished! Terminate.

the backup.zip file was not in that folder


(Leon$) #16

removed, and what about the rest?

:)


(Sebastian) #17

here are the SREng and HijackThis logs after performing all the operations: http://wklej.org/id/949/ and http://wklej.org/id/948/

unfortunately I can't upload anything to any hosting server (a friend uploaded these logs to wklej.org; I sent them to him via GG). After clicking to upload a file/text, just a blank page appears and nothing happens; on RapidShare it showed me an upload speed of 0 kB/s, but a speed test showed a normal connection speed. Instant messengers work normally. A few times something like a BSOD appeared, which disappeared after pressing Escape, and the computer immediately returned to normal operation; the sound playing in the meantime did not stop. What is this and what should I do about it?

Laokoon


(Sebastian) #18

for some reason I have the demo of Spyware BeGone, which only detects spyware but can't remove it; you have to order the full, paid version... anyway, it detects 4 spyware programs


(Leon$) #19

Download and run The Avenger tool. Select the text given for removal on the forum,

copy >> click Paste Script from Clipboard >> Execute >> confirm and agree to the restart by clicking OK.

Manually delete the file C:\Avenger\backup.zip from the disk and paste the report C:\avenger.txt on the forum.

Open Notepad and paste

save as plik.reg >> all files >> merge with the registry >> restart

[screenshot]

a file with this icon will appear

[screenshot]

double-click it, confirm that you want to add it to the registry, then restart

Download CCleaner http://www.filehippo.com/download_ccleaner/

scan with it and clean the registry.

optimise startup

http://cybertrash.netarteria.pl/cyber/i ... 378.0.html

manually delete the folder C:\Qoobox and delete the ComboFix installer from the disk.

Turn System Restore off and on again on all drives. http://support.microsoft.com/kb/310405/pl

scan the My Computer area http://www.kaspersky.pl/virusscanner.html and show the report; the page has to be run through IE

or

Dr.WEB CureIt! http://dobreprogramy.pl/index.php?dz=2 ... It!+4.44.5

:)


(Sebastian) #20

avenger.txt looks like this:

Logfile of The Avenger Version 2.0, (c) by Swandog46

http://swandog46.geekstogo.com


Platform: Windows XP


*******************


Script file opened successfully.

Script file read successfully.


Backups directory opened successfully at C:\Avenger


*******************


Beginning to process script file:


Rootkit scan active.


Hidden driver "tdssserv" found!

ImagePath: \systemroot\system32\drivers\tdssserv.sys 

Start Type: 1 (System)


Rootkit scan completed.


File "C:\WINDOWS\system32\tsd32.dll" deleted successfully.

Folder "C:\freescan" deleted successfully.


Completed script processing.


*******************


Finished! Terminate.

I tried to add plik.reg to the registry, but this appeared:

nie mozna zaimportowac C:......\plik.reg : Okreslony plik nie jest skryptem rejestru. Mozna importowac tylko binarne pliki rejestru z wewnatrz Edytora rejestru.

should I proceed with the next steps, or do something else?
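As an added example (not code from this thread or from The Avenger's author), a small Python parser for Avenger reports like the two quoted above: it pulls out hidden drivers with their ImagePath and start type, the deleted files and folders, and the drives whose root Autorun.Inf was removed, then flags any hidden driver whose file was not among the deleted items, which is the situation in the second report (tdssserv found, but only tsd32.dll and C:\freescan deleted). The sample log is constructed from lines of both reports.

```python
import re

# Sample Avenger output, constructed from lines of the two reports quoted in this thread.
SAMPLE_LOG = r"""Hidden driver "tdssserv" found!
ImagePath: \systemroot\system32\drivers\tdssserv.sys
Start Type: 1 (System)
Rootkit scan completed.
File "C:\WINDOWS\system32\tsd32.dll" deleted successfully.
File "C:\Autorun.Inf" deleted successfully.
File "F:\Autorun.Inf" deleted successfully.
Folder "C:\freescan" deleted successfully.
Completed script processing.
"""

HIDDEN_DRIVER = re.compile(r'^Hidden driver "([^"]+)" found!')
IMAGE_PATH = re.compile(r'^ImagePath:\s*(\S+)')
START_TYPE = re.compile(r'^Start Type:\s*(\d+)')
DELETED = re.compile(r'^(File|Folder) "([^"]+)" deleted successfully\.')
AUTORUN_ROOT = re.compile(r'^[A-Za-z]:\\autorun\.inf$', re.IGNORECASE)


def parse_avenger_log(text):
    """Collect hidden drivers, deleted items and the drives whose root Autorun.Inf was removed."""
    result = {"hidden_drivers": [], "deleted": [], "autorun_drives": []}
    current = None  # hidden-driver record that the following ImagePath / Start Type lines belong to
    for raw in text.splitlines():
        line = raw.strip()
        if m := HIDDEN_DRIVER.match(line):
            current = {"name": m.group(1), "image_path": None, "start_type": None}
            result["hidden_drivers"].append(current)
        elif (m := IMAGE_PATH.match(line)) and current:
            current["image_path"] = m.group(1)
        elif (m := START_TYPE.match(line)) and current:
            current["start_type"] = int(m.group(1))  # 1 = System: loaded at every boot
        elif m := DELETED.match(line):
            kind, path = m.groups()
            result["deleted"].append((kind.lower(), path))
            if AUTORUN_ROOT.match(path):  # Autorun.Inf in a drive root: removable-media spreading
                result["autorun_drives"].append(path[0].upper())
    return result


def unremoved_hidden_drivers(parsed):
    """Names of hidden drivers whose driver file is not among the deleted items (still needs removal)."""
    deleted_names = {path.rsplit("\\", 1)[-1].lower() for _, path in parsed["deleted"]}
    return [d["name"] for d in parsed["hidden_drivers"]
            if d["image_path"] and d["image_path"].rsplit("\\", 1)[-1].lower() not in deleted_names]
```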