Antivirus XP 2008 - log HijackThis

Laokoon · 24 Sierpień 2008 14:43

Witam,

Bardzo prosze o pomoc w usunieciu tego virusa. Na tym forum jest juz kilka takich tematow, ale ten Antivirus XP 2008 to nowa wersja czy cos w tym stylu, bo logi z HijackThis sie nie zgadzaja z tymi w wielu tematach, ktore sprawdzilem. Nie moge tego w zaden sposob usunac.

Logi z HijackThis:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 15:55:29, on 2008-08-24

Platform: Windows XP Dodatek SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Boot mode: Normal


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\system32\lphcggnj0ej9a.exe

C:\Program Files\rhclgnj0ej9a\rhclgnj0ej9a.exe

C:\WINDOWS\system32\ctfmon.exe

C:\freescan\freescan.exe

F:\Pulpit\Gadu-Gadu\gg.exe

C:\Program Files\Microsoft ActiveSync\wcescomm.exe

C:\WINDOWS\system32\drivers\svchost.exe

C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe

C:\Program Files\Xfire\xfire.exe

C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe

C:\PROGRA~1\MI3AA1~1\rapimgr.exe

C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE

C:\WINDOWS\system32\CTsvcCDA.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\system32\pphcggnj0ej9a.exe

E:\dane z dysku 20GB\LUDZ\gagaga\Nowy folder\Alcohol 52\StarWind\StarWindServiceAE.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\alg.exe

C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.allegro.pl/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll

O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

O4 - HKLM\..\Run: [lphcggnj0ej9a] C:\WINDOWS\system32\lphcggnj0ej9a.exe

O4 - HKLM\..\Run: [SMrhclgnj0ej9a] C:\Program Files\rhclgnj0ej9a\rhclgnj0ej9a.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Spyware Begone] C:\freescan\freescan.exe -FastScan

O4 - HKCU\..\Run: [Gadu-Gadu] "F:\Pulpit\Gadu-Gadu\gg.exe" /tray

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"

O4 - HKCU\..\Run: [kamsoft] C:\WINDOWS\system32\ckvo.exe

O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun

O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe

O4 - Global Startup: BlueSoleil.lnk = C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe

O4 - Global Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = E:\dane z dysku 20GB\Documents and Settings\programs\MFIndexer.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/haphazard/raptisoftgameloader.cab

O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.miniclip.com/ricochet/ReflexiveWebGameLoader.cab

O16 - DPF: {92ECE6FA-AC2E-4042-BFAE-0C8608E52A43} (SignActivX Control) - https://www.bph.pl/pi/components/SignActivX.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe

O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - E:\dane z dysku 20GB\LUDZ\gagaga\Nowy folder\Alcohol 52\StarWind\StarWindServiceAE.exe


--

End of file - 8115 bytes

Jeszcze raz bardzo prosze o pomoc!

Laokoon

huber2t · 24 Sierpień 2008 14:46

fix w hijackthis

Pobierz ComboFix, ale nie uruchamiaj

Otwórz notatnik i wklej do niego:

File::

C:\WINDOWS\system32\lphcggnj0ej9a.exe

C:\WINDOWS\system32\ckvo.exe

C:\WINDOWS\system32\drivers\svchost.exe

C:\WINDOWS\system32\pphcggnj0ej9a.exe


Folder::

C:\Program Files\rhclgnj0ej9a

Plik -> zapisz jako -> CFScript.txt.

Przeciągnij i upuść ikonkę CFScript.txt na ikonkę ComboFix.exe tak jak tu->

Rozpocznie się usuwanie i powstanie log, który dasz na forum.

Logi dajesz na http://wklej.eu lub na http://wklej.org a w poście dajesz tylko link

Leon1 · 24 Sierpień 2008 14:50

wpisy

usuń HijackThisem >> Fix checked

Wylecz pendriva lub kartę pamięci http://www.softpedia.com/get/Security/S … Tool.shtml

Flash Disinfector http://www.searchengines.pl/index.php?s … ntry369724

lub format

Pobierz Combofix http://www.searchengines.pl/index.php?s … ntry395642 ale nie włączaj.

Otwórz notatnik i wklej

zapisz jako CFScript.txt (zapisz by ikonka CFScript.txt była obok ikonki ComboFix.exe) >> Przeciągnij i upuść ikonkę CFScript.txt na ikonkę ComboFix.exe

http://img.wklej.org/images/88953CFScri … iemoes.gif

Powinno rozpocząć się usuwanie

Potem log z usuwania Combofix

Laokoon · 24 Sierpień 2008 19:05

Bardzoi dziekuje za pomoc, niestety nie zadzialalo.

usunalem to, co kazaliscie hijackiem, potem sciagnalem combofixa (przy okazji okazalo sie, ze nei moge nci sciagac ani wysylac przez przegladarke ani firefox ani IE i kolega musial mi wyslac rpzez gg), przeciagnalem na ikonke combofixa ten plik txt, pokazal sie paseczek ,ze usuwa a potem komunikat o nastepujacej tresci: “combofix has detected the presence of rootkit activity and needs to reboot the machine” kliknalem ok i srestartowal kompa, drugi raz to samo ;/

Bardzo prosze o pomoc lub wskazowki, co zle zrobilem

Laokoon

PS. zapomnailem rpzedtem napisac, skasowalo mi tapete, ekran byl bialy a teraz na ekranie jest jakby wklejony w tapete komunikat o wirusach rzekomo komunikat jest windowsa, ale juz sam nie wiem

pps loga nie pokazalo

huber2t · 24 Sierpień 2008 19:07

Start --> wyszukaj --> ComboFix.txt

Laokoon · 24 Sierpień 2008 19:15

nie znalazlo ;/

jaszyn18 · 24 Sierpień 2008 19:29

Mi zapisało jako bug.txt n dysku C

Laokoon · 24 Sierpień 2008 19:33

oo, dziekuje, jest jako bug.txt wklejam tak, bo chyba ten wirus mi zablokowal upload i download plikow w przegladarkach

PUSHD "C:\327882R2FWJFW\" 


IF NOT EXIST C:\WINDOWS\system32\cmd.exe GOTO Not_NT 


VER 1>temp00 


FIND.exe "Microsoft Windows [Version 5.2.3790]" temp00 1>null 


IF NOT ERRORLEVEL 1 GOTO Not_NT 


FIND.exe "Windows XP" temp00 1>null 


Del temp00 


PV -o"%i\t%l" | SED "/\t.*\\nircmd\.inf$/!d; s///; s/./@pv -kfi &/" 1>temp00.bat 


CALL temp00.bat 


DEL temp00.bat 2>null 


=============================================


ALLUSERSPROFILE=C:\Documents and Settings\All Users

APPDATA=C:\Documents and Settings\Ludľ\Dane aplikacji

BitRock=1

CFLDR=327882R2FWJFW

CommonProgramFiles=C:\Program Files\Common Files

COMPUTERNAME=OL-D20D504D32C3

ComSpec=C:\WINDOWS\system32\cmd.exe

FP_NO_HOST_CHECK=NO

HOMEDRIVE=C:

HOMEPATH=\Documents and Settings\Ludľ

KMD=CF18862.exe

LOGONSERVER=\\OL-D20D504D32C3

NUMBER_OF_PROCESSORS=1

OS=Windows_NT

Path=C:\327882R2FWJFW;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\Common Files\Autodesk Shared\;;C:\PROGRA~1\COMMON~1\AUTODE~1

PATHEXT=.cfexe;.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH

PROCESSOR_ARCHITECTURE=x86

PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 1, AuthenticAMD

PROCESSOR_LEVEL=6

PROCESSOR_REVISION=0801

ProgramFiles=C:\Program Files

PROMPT=$

SESSIONNAME=Console

sfxname=C:\Documents and Settings\Ludľ\Pulpit\ComboFix.exe

SYSTEM=C:\WINDOWS\system32

SystemDrive=C:

SystemRoot=C:\WINDOWS

TEMP=C:\DOCUME~1\LUD~1\USTAWI~1\Temp

TMP=C:\DOCUME~1\LUD~1\USTAWI~1\Temp

USERDOMAIN=OL-D20D504D32C3

USERNAME=Ludľ

USERPROFILE=C:\Documents and Settings\Ludľ

windir=C:\WINDOWS


=============================================



IF NOT DEFINED sfxname GOTO END 


Restoring 'cfdummy' to 'HKLM\System\CurrentControlSet\Services\deleteme17450' was not successful

Laokoon · 24 Sierpień 2008 20:41

Witam

potorzylem jeszcze raz probe tej operacji z uzyciem ComboFixa i znowu wyskoczyl komunikat o rootkicie ;/

to log z ComboFixa:

PUSHD "C:\327882R2FWJFW\" 


IF NOT EXIST C:\WINDOWS\system32\cmd.exe GOTO Not_NT 


VER 1>temp00 


FIND.exe "Microsoft Windows [Version 5.2.3790]" temp00 1>null 


IF NOT ERRORLEVEL 1 GOTO Not_NT 


FIND.exe "Windows XP" temp00 1>null 


Del temp00 


PV -o"%i\t%l" | SED "/\t.*\\nircmd\.inf$/!d; s///; s/./@pv -kfi &/" 1>temp00.bat 


CALL temp00.bat 


DEL temp00.bat 2>null 


=============================================


ALLUSERSPROFILE=C:\Documents and Settings\All Users

APPDATA=C:\Documents and Settings\Ludľ\Dane aplikacji

BitRock=1

CFLDR=327882R2FWJFW

CommonProgramFiles=C:\Program Files\Common Files

COMPUTERNAME=OL-D20D504D32C3

ComSpec=C:\WINDOWS\system32\cmd.exe

FP_NO_HOST_CHECK=NO

HOMEDRIVE=C:

HOMEPATH=\Documents and Settings\Ludľ

KMD=CF12134.exe

LOGONSERVER=\\OL-D20D504D32C3

NUMBER_OF_PROCESSORS=1

OS=Windows_NT

Path=C:\327882R2FWJFW;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\Common Files\Autodesk Shared\;;C:\PROGRA~1\COMMON~1\AUTODE~1

PATHEXT=.cfexe;.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH

PROCESSOR_ARCHITECTURE=x86

PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 1, AuthenticAMD

PROCESSOR_LEVEL=6

PROCESSOR_REVISION=0801

ProgramFiles=C:\Program Files

PROMPT=$

SESSIONNAME=Console

sfxname=C:\Documents and Settings\Ludľ\Pulpit\ComboFix.exe

SYSTEM=C:\WINDOWS\system32

SystemDrive=C:

SystemRoot=C:\WINDOWS

TEMP=C:\DOCUME~1\LUD~1\USTAWI~1\Temp

TMP=C:\DOCUME~1\LUD~1\USTAWI~1\Temp

USERDOMAIN=OL-D20D504D32C3

USERNAME=Ludľ

USERPROFILE=C:\Documents and Settings\Ludľ

windir=C:\WINDOWS


=============================================



IF NOT DEFINED sfxname GOTO END 


Restoring 'cfdummy' to 'HKLM\System\CurrentControlSet\Services\deleteme4155' was not successful

udalo mi sie recznie usunac wszystkie pliki tego wirusa razem z folderem, ktorym byly, co wczesniej bylo niemozliwe, wirus jzu nei wlacza sie rpzy uruchamianiu komputera, ale nadal jest tapeta, na ktorej jest (chyba falszywe, bo w stylu okienek z Visty a ja mam xp) ostrzezenie o wirusach i nei moge zmeinic tapety, poniewaz jak klikne w pulpit>> wlasciwosci to sa tam tylko 3 zakladki : kompozycje, wyglad i ustawienia, nic wiecej.

Czy jako ktos, kto nei wie kompletnie nic o informatyce mam szanse zrobic cos z rootkitem?

Jeszcze raz prosze o pomoc

Laokoon

Leon1 · 24 Sierpień 2008 20:51

Pobierz program SDFix

Laokoon · 24 Sierpień 2008 21:16

zrobilem tym dfixem to, co powiedziales, oto, co “wyplul”:

Rebooting



[b]Checking Files [/b]: 


Trojan Files Found:


C:\WINDOWS\system32\lphcggnj0ej9a.exe - Deleted

C:\WINDOWS\system32\pphcggnj0ej9a.exe - Deleted



Could Not Remove C:\WINDOWS\system32\drivers\tdssserv.sys 

Could Not Remove C:\WINDOWS\system32\tdssadw.dll 

Could Not Remove C:\WINDOWS\system32\tdssinit.dll 

Could Not Remove C:\WINDOWS\system32\tdssl.dll 

Could Not Remove C:\WINDOWS\system32\tdsslog.dll 

Could Not Remove C:\WINDOWS\system32\tdssmain.dll 

Could Not Remove C:\WINDOWS\system32\tdssservers.dat 




Removing Temp Files


[b]ADS Check [/b]:




                                 [b]Final Check [/b]:


catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-08-24 23:12:54

Windows 5.1.2600 Dodatek Service Pack 3 NTFS


scanning hidden processes ...


scanning hidden services & system hive ...


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]

"s1"=dword:2df9c43f

"s2"=dword:110480d0

"h0"=dword:00000002


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]

"p0"="E:\dane z dysku 20GB\LUDZ\gagaga\Nowy folder\Alcohol 52\"

"h0"=dword:00000000

"ujdew"=hex:c1,fb,37,e2,d4,53,f0,a0,8c,6a,73,e6,83,3a,47,c8,4c,f9,ef,a8,b8,..


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]

"p0"="C:\Program Files\DAEMON Tools Lite\"

"h0"=dword:00000001

"khjeh"=hex:79,17,57,1f,da,19,f9,5c,1b,66,4f,82,4b,3a,29,51,e9,f9,5d,dd,a8,..


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]

"a0"=hex:20,01,00,00,93,4f,83,62,f9,ab,0e,78,07,a2,bd,f8,a5,fa,96,57,15,..

"khjeh"=hex:d9,03,89,1b,c2,9a,02,df,88,7d,a8,92,48,25,fe,3e,f9,67,60,36,da,..


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]

"khjeh"=hex:a5,79,19,ca,44,db,48,68,b0,37,6e,95,34,5a,e8,d1,12,66,66,22,92,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdssserv]

"start"=dword:00000001

"type"=dword:00000001

"imagepath"=str(2):"\systemroot\system32\drivers\tdssserv.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]

"p0"="E:\dane z dysku 20GB\LUDZ\gagaga\Nowy folder\Alcohol 52\"

"h0"=dword:00000000

"ujdew"=hex:c1,fb,37,e2,d4,53,f0,a0,8c,6a,73,e6,83,3a,47,c8,4c,f9,ef,a8,b8,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Minimal\tdssserv.sys]

@="driver"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Network\tdssserv.sys]

@="driver"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]

"p0"="E:\dane z dysku 20GB\LUDZ\gagaga\Nowy folder\Alcohol 52\"

"h0"=dword:00000000

"ujdew"=hex:c1,fb,37,e2,d4,53,f0,a0,8c,6a,73,e6,83,3a,47,c8,4c,f9,ef,a8,b8,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]

"p0"="C:\Program Files\DAEMON Tools Lite\"

"h0"=dword:00000001

"khjeh"=hex:79,17,57,1f,da,19,f9,5c,1b,66,4f,82,4b,3a,29,51,e9,f9,5d,dd,a8,..


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]

"a0"=hex:20,01,00,00,93,4f,83,62,f9,ab,0e,78,07,a2,bd,f8,a5,fa,96,57,15,..

"khjeh"=hex:d9,03,89,1b,c2,9a,02,df,88,7d,a8,92,48,25,fe,3e,f9,67,60,36,da,..


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]

"khjeh"=hex:a5,79,19,ca,44,db,48,68,b0,37,6e,95,34,5a,e8,d1,12,66,66,22,92,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\tdssserv]

"start"=dword:00000001

"type"=dword:00000001

"imagepath"=str(2):"\systemroot\system32\drivers\tdssserv.sys"


scanning hidden registry entries ...


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]

"TracesProcessed"=dword:000000a1

"TracesSuccessful"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710


scanning hidden files ...


C:\WINDOWS\system32\tdssadw.dll 32768 bytes executable

C:\WINDOWS\system32\tdssinit.dll 57727 bytes

C:\WINDOWS\system32\tdssl.dll 16384 bytes executable

C:\WINDOWS\system32\tdsslog.dll 10752 bytes executable

C:\WINDOWS\system32\tdssmain.dll 10752 bytes executable

C:\WINDOWS\system32\tdssserf.dll 12288 bytes executable

C:\WINDOWS\system32\tdssservers.dat 217 bytes

C:\WINDOWS\system32\drivers\tdssserv.sys 35328 bytes executable

C:\WINDOWS\Temp\tdssbfe5.tmp 0 bytes

C:\WINDOWS\Temp\tdssc1aa.tmp 0 bytes

C:\WINDOWS\Temp\tdssc37f.tmp 0 bytes


scan completed successfully

hidden processes: 0

hidden services: 1

hidden files: 11



[b]Remaining Services [/b]:





Authorized Application Key Export:


[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\\Documents and Settings\\Ol©dzki\\Moje dokumenty\\Gadu-Gadu\\gg.exe"="C:\\Documents and Settings\\Ol©dzki\\Moje dokumenty\\Gadu-Gadu\\gg.exe:*:Enabled:Gadu-Gadu - program glowny"

"E:\\Gadu-Gadu\\gg.exe"="E:\\Gadu-Gadu\\gg.exe:*:Enabled:Gadu-Gadu - program glowny"

"E:\\dane z dysku 20GB\\LUDZ\\Gadu-Gadu\\gg.exe"="E:\\dane z dysku 20GB\\LUDZ\\Gadu-Gadu\\gg.exe:*:Enabled:Gadu-Gadu - program glowny"

"C:\\Documents and Settings\\Ludľ\\Pulpit\\eMule.exe"="C:\\Documents and Settings\\Ludľ\\Pulpit\\eMule.exe:*:Enabled:eMule"

"C:\\Program Files\\eMule\\eMule.exe"="C:\\Program Files\\eMule\\eMule.exe:*:Enabled:eMule"

"C:\\Program Files\\EA GAMES\\Need for Speed Most Wanted PC Demo\\speedDemo.exe"="C:\\Program Files\\EA GAMES\\Need for Speed Most Wanted PC Demo\\speedDemo.exe:*:Enabled:speedDemo"

"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"

"C:\\Documents and Settings\\Ludľ\\Ustawienia lokalne\\Temp\\Rar$EX05.734\\ManiaDrive-1.01-win32-i386-data\\game\\mania_server.exe"="C:\\Documents and Settings\\Ludľ\\Ustawienia lokalne\\Temp\\Rar$EX05.734\\ManiaDrive-1.01-win32-i386-data\\game\\mania_server.exe:*:Enabled:mania_server"

"C:\\Documents and Settings\\Ludľ\\Ustawienia lokalne\\Temp\\Rar$EX07.344\\ManiaDrive-1.01-win32-i386-data\\game\\mania_server.exe"="C:\\Documents and Settings\\Ludľ\\Ustawienia lokalne\\Temp\\Rar$EX07.344\\ManiaDrive-1.01-win32-i386-data\\game\\mania_server.exe:*:Enabled:mania_server"

"C:\\Program Files\\EA GAMES\\Need for Speed Underground 2 Demo\\speed2demo.exe"="C:\\Program Files\\EA GAMES\\Need for Speed Underground 2 Demo\\speed2demo.exe:*:Enabled:speed2demo"

"C:\\WINDOWS\\system32\\dplaysvr.exe"="C:\\WINDOWS\\system32\\dplaysvr.exe:*:Enabled:Microsoft DirectPlay Helper"

"C:\\Program Files\\Drago Games\\Vulture\\Vulture.exe"="C:\\Program Files\\Drago Games\\Vulture\\Vulture.exe:*:Enabled:VULTURE"

"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"

"C:\\Program Files\\Real\\RealOne Player\\realplay.exe"="C:\\Program Files\\Real\\RealOne Player\\realplay.exe:*:Enabled:RealOne Player"

"C:\\Program Files\\Xfire\\xfire.exe"="C:\\Program Files\\Xfire\\xfire.exe:*:Enabled:Xfire"

"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"

"C:\\Program Files\\Kazaa Lite Rewolucja\\kazaalite.kpp"="C:\\Program Files\\Kazaa Lite Rewolucja\\kazaalite.kpp:*:Enabled:kazaalite"

"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"

"F:\\Azureus\\Azureus.exe"="F:\\Azureus\\Azureus.exe:*:Enabled:Azureus"

"F:\\mp3\\angielskie\\hl.exe"="F:\\mp3\\angielskie\\hl.exe:*:Enabled:Half-Life Launcher"

"F:\\mp3\\angielskie\\cstrike\\hltv.exe"="F:\\mp3\\angielskie\\cstrike\\hltv.exe:*:Enabled:HLTV Launcher"

"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"

"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Enabled:Uruchamia plik DLL jako aplikacj©"

"C:\\Documents and Settings\\Ol©dzki\\Pulpit\\Gadu-Gadu\\gg.exe"="C:\\Documents and Settings\\Ol©dzki\\Pulpit\\Gadu-Gadu\\gg.exe:*:Enabled:Gadu-Gadu - program g˘wny"

"C:\\Documents and Settings\\Ludľ\\Pulpit\\Gadu-Gadu\\gg.exe"="C:\\Documents and Settings\\Ludľ\\Pulpit\\Gadu-Gadu\\gg.exe:*:Enabled:Gadu-Gadu - program g˘wny"

"F:\\Pulpit\\Gadu-Gadu\\gg.exe"="F:\\Pulpit\\Gadu-Gadu\\gg.exe:*:Enabled:Gadu-Gadu - program g˘wny"

"F:\\mp3\\angielskie\\Nowy folder\\hl.exe"="F:\\mp3\\angielskie\\Nowy folder\\hl.exe:*:Enabled:Half-Life Launcher"

"F:\\mp3\\angielskie\\Nowy folder\\hlds.exe"="F:\\mp3\\angielskie\\Nowy folder\\hlds.exe:*:Enabled:HLDS Launcher"

"F:\\mp3\\angielskie\\Nowy folder\\Nowy folder\\hl.exe"="F:\\mp3\\angielskie\\Nowy folder\\Nowy folder\\hl.exe:*:Enabled:Half-Life Launcher"

"F:\\Azureus\\Azureus\\Azureus.exe"="F:\\Azureus\\Azureus\\Azureus.exe:*:Enabled:Azureus"

"F:\\mp3\\paintball\\Paintball2\\paintball2.exe"="F:\\mp3\\paintball\\Paintball2\\paintball2.exe:*:Enabled:paintball2"

"F:\\mp3\\little fighter\\LF2_v1.9c\\lf2.exe"="F:\\mp3\\little fighter\\LF2_v1.9c\\lf2.exe:*:Enabled:lf2"

"C:\\Documents and Settings\\Ludľ\\Ustawienia lokalne\\Temp\\Rar$EX01.062\\lf2_Kate\\lf2.exe"="C:\\Documents and Settings\\Ludľ\\Ustawienia lokalne\\Temp\\Rar$EX01.062\\lf2_Kate\\lf2.exe:*:Enabled:lf2"

"C:\\Documents and Settings\\Ludľ\\Pulpit\\lf2 kate\\lf2_Kate\\lf2.exe"="C:\\Documents and Settings\\Ludľ\\Pulpit\\lf2 kate\\lf2_Kate\\lf2.exe:*:Enabled:lf2"

"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"

"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"

"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"

"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"="C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe:*:Enabled:BlueSoleil"

"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"

"C:\\WINDOWS\\system32\\drivers\\svchost.exe"="C:\\WINDOWS\\system32\\drivers\\svchost.exe:*:Disabled:svchost"


[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"

"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"

"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"


[b]Remaining Files [/b]:


C:\WINDOWS\system32\drivers\tdssserv.sys Found

C:\WINDOWS\system32\tdssadw.dll Found

C:\WINDOWS\system32\tdssinit.dll Found

C:\WINDOWS\system32\tdssl.dll Found

C:\WINDOWS\system32\tdsslog.dll Found

C:\WINDOWS\system32\tdssmain.dll Found

C:\WINDOWS\system32\tdssservers.dat Found


File Backups: - C:\SDFix\backups\backups.zip


[b]Files with Hidden Attributes [/b]:


Sat 16 Aug 2008 90,343 ..SHR --- "C:\0.com"

Wed 9 Jul 2008 118,734 ..SHR --- "C:\00hoeav.com"

Fri 11 Jul 2008 117,053 ..SHR --- "C:\0gjn3yw.exe"

Fri 25 Apr 2008 104,161 ..SHR --- "C:\1dg.exe"

Tue 29 Jul 2008 87,816 ..SHR --- "C:\1rfw8hjr.com"

Wed 12 Mar 2008 101,492 ..SHR --- "C:\22wcb21o.exe"

Thu 13 Mar 2008 101,291 ..SHR --- "C:\32e2.com"

Tue 1 Apr 2008 103,084 ..SHR --- "C:\6l6w8.com"

Thu 21 Aug 2008 90,994 ..SHR --- "C:\83fgj.com"

Fri 18 Apr 2008 103,202 ..SHR --- "C:\8ti.exe"

Wed 13 Aug 2008 89,917 ..SHR --- "C:\b3b9u.com"

Mon 11 Aug 2008 89,407 ..SHR --- "C:\bpu.exe"

Fri 1 Aug 2008 87,215 ..SHR --- "C:\e.com"

Tue 22 Jul 2008 116,906 ..SHR --- "C:\e9ehn1m8.com"

Sat 12 Jul 2008 116,972 ..SHR --- "C:\ffojc.com"

Fri 29 Feb 2008 107,155 ..SHR --- "C:\fppg1.exe"

Fri 25 Jul 2008 87,297 ..SHR --- "C:\g2pfnid.com"

Tue 15 Jul 2008 116,862 ..SHR --- "C:\k.com"

Sun 29 Jun 2008 112,227 ..SHR --- "C:\klp8j6i.com"

Tue 10 Jun 2008 117,064 ..SHR --- "C:\m88coaim.exe"

Sat 5 Apr 2008 103,463 ..SHR --- "C:\m9j.com"

Sun 24 Aug 2008 91,127 ..SHR --- "C:\n.com"

Mon 24 Mar 2008 101,835 ..SHR --- "C:\nlblkhq.com"

Sun 23 Mar 2008 99,626 ..SHR --- "C:\okqa2g.com"

Wed 16 Jul 2008 115,233 ..SHR --- "C:\p83gjy.exe"

Wed 2 Apr 2008 103,810 ..SHR --- "C:\qwc.exe"

Sun 6 Jul 2008 116,932 ..SHR --- "C:\qxbx9blb.com"

Thu 20 Mar 2008 102,455 ..SHR --- "C:\ser.com"

Sat 16 Aug 2008 91,179 ..SHR --- "C:\t1ypkh.exe"

Tue 24 Jun 2008 110,892 ..SHR --- "C:\t9peum02.exe"

Mon 11 Aug 2008 89,221 ..SHR --- "C:\tyktjfww.exe"

Sat 8 Mar 2008 102,536 ..SHR --- "C:\v.com"

Wed 23 Apr 2008 103,618 ..SHR --- "C:\vqv.exe"

Sun 16 Mar 2008 101,295 ..SHR --- "C:\xp19.com"

Sun 3 Aug 2008 89,885 ..SHR --- "C:\xqf.com"

Tue 5 Aug 2008 90,474 ..SHR --- "C:\xvlyb.exe"

Mon 21 Jul 2008 118,782 ..SHR --- "C:\ybj8df.exe"

Wed 9 Jul 2008 77,312 ..SHR --- "C:\WINDOWS\system32\amvo1.dll"

Sat 15 Mar 2008 72,192 ..SHR --- "C:\WINDOWS\system32\amvo2.dll"

Sun 24 Aug 2008 91,127 ..SHR --- "C:\WINDOWS\system32\ckvo.exe"

Sun 24 Aug 2008 84,992 ..SHR --- "C:\WINDOWS\system32\ckvo0.dll"

Sun 24 Aug 2008 84,992 ..SHR --- "C:\WINDOWS\system32\ckvo1.dll"

Thu 15 Jun 2006 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"

Tue 17 Oct 2006 23,040 ...H. --- "C:\Documents and Settings\Ludľ\Pulpit\~WRL0001.tmp"

Sun 14 Oct 2007 23,552 ...H. --- "C:\Documents and Settings\Ludľ\Pulpit\~WRL2947.tmp"

Mon 30 Apr 2007 1,007,616 ...H. --- "C:\Documents and Settings\Ol©dzki\Pulpit\~WRL0002.tmp"

Fri 11 May 2007 5,237,248 ...H. --- "C:\Documents and Settings\Ol©dzki\Pulpit\~WRL0467.tmp"

Fri 11 May 2007 5,673,472 ...H. --- "C:\Documents and Settings\Ol©dzki\Pulpit\~WRL0775.tmp"

Thu 10 May 2007 2,552,320 ...H. --- "C:\Documents and Settings\Ol©dzki\Pulpit\~WRL1145.tmp"

Sun 15 Apr 2007 921,088 ...H. --- "C:\Documents and Settings\Ol©dzki\Pulpit\~WRL1383.tmp"

Sun 29 Apr 2007 25,600 ...H. --- "C:\Documents and Settings\Ol©dzki\Pulpit\~WRL1781.tmp"

Sun 29 Apr 2007 24,064 ...H. --- "C:\Documents and Settings\Ol©dzki\Pulpit\~WRL2025.tmp"

Wed 9 May 2007 2,723,328 ...H. --- "C:\Documents and Settings\Ol©dzki\Pulpit\~WRL2067.tmp"

Fri 11 May 2007 5,586,432 ...H. --- "C:\Documents and Settings\Ol©dzki\Pulpit\~WRL2072.tmp"

Sun 29 Apr 2007 22,528 ...H. --- "C:\Documents and Settings\Ol©dzki\Pulpit\~WRL3007.tmp"

Fri 11 May 2007 4,454,400 ...H. --- "C:\Documents and Settings\Ol©dzki\Pulpit\~WRL3579.tmp"

Sun 29 Apr 2007 17,920 ...H. --- "C:\Documents and Settings\Ol©dzki\Pulpit\~WRL3641.tmp"

Fri 16 Nov 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"

Thu 13 Mar 2008 25,736 A..H. --- "C:\Documents and Settings\Ol©dzki\Ustawienia lokalne\Temp\22umqpcg.dll"

Thu 19 Jun 2008 30,208 A..H. --- "C:\Documents and Settings\Ol©dzki\Ustawienia lokalne\Temp\4.dll"

Sat 26 Apr 2008 26,848 A..H. --- "C:\Documents and Settings\Ol©dzki\Ustawienia lokalne\Temp\54mo4e.dll"

Tue 1 Jul 2008 28,672 A..H. --- "C:\Documents and Settings\Ol©dzki\Ustawienia lokalne\Temp\5ox2s.dll"

Fri 9 May 2008 27,521 A..H. --- "C:\Documents and Settings\Ol©dzki\Ustawienia lokalne\Temp\7bpapp.dll"

Wed 11 Jun 2008 30,208 A..H. --- "C:\Documents and Settings\Ol©dzki\Ustawienia lokalne\Temp\8.dll"

Thu 10 Jul 2008 31,744 A..H. --- "C:\Documents and Settings\Ol©dzki\Ustawienia lokalne\Temp\8k4m7s.dll"

Wed 2 Jul 2008 28,160 A..H. --- "C:\Documents and Settings\Ol©dzki\Ustawienia lokalne\Temp\8m5olv.dll"

Wed 16 Apr 2008 26,983 A..H. --- "C:\Documents and Settings\Ol©dzki\Ustawienia lokalne\Temp\9s.dll"

Fri 4 Apr 2008 26,884 A..H. --- "C:\Documents and Settings\Ol©dzki\Ustawienia lokalne\Temp\9sky8pia.dll"

Fri 21 Mar 2008 25,787 A..H. --- "C:\Documents and Settings\Ol©dzki\Ustawienia lokalne\Temp\9sob2.dll"

Thu 28 Feb 2008 30,721 A..H. --- "C:\Documents and Settings\Ol©dzki\Ustawienia lokalne\Temp\9v.dll"

Fri 14 Mar 2008 25,786 A..H. --- "C:\Documents and Settings\Ol©dzki\Ustawienia lokalne\Temp\aqb2.dll"

Mon 2 Jun 2008 29,812 A..H. --- "C:\Documents and Settings\Ol©dzki\Ustawienia lokalne\Temp\aze.dll"

Sun 16 Mar 2008 26,145 A..H. --- "C:\Documents and Settings\Ol©dzki\Ustawienia lokalne\Temp\boalrz.dll"

Wed 27 Feb 2008 29,571 A..H. --- "C:\Documents and Settings\Ol©dzki\Ustawienia lokalne\Temp\bpvcrq29.dll"

Sat 5 Jul 2008 29,696 A..H. --- "C:\Documents and Settings\Ol©dzki\Ustawienia lokalne\Temp\cahcp.dll"

Sat 15 Mar 2008 25,885 A..H. --- "C:\Documents and Settings\Ol©dzki\Ustawienia lokalne\Temp\cfmwfbi.dll"

Tue 15 Jul 2008 31,744 A..H. --- "C:\Documents and Settings\Ol©dzki\Ustawienia lokalne\Temp\dtkcsly.dll"

Tue 15 Jul 2008 32,256 A..H. --- "C:\Documents and Settings\Ol©dzki\Ustawienia lokalne\Temp\dtwg.dll"

Sun 27 Apr 2008 25,867 A..H. --- "C:\Documents and Settings\Ol©dzki\Ustawienia lokalne\Temp\dtzr9je.dll"

Tue 11 Mar 2008 26,952 A..H. --- "C:\Documents and Settings\Ol©dzki\Ustawienia lokalne\Temp\dxw.dll"

Sun 24 Feb 2008 30,127 A..H. --- "C:\Documents and Settings\Ol©dzki\Ustawienia lokalne\Temp\ep.dll"

Sat 26 Apr 2008 26,707 A..H. --- "C:\Documents and Settings\Ol©dzki\Ustawienia lokalne\Temp\es8m88z.dll"

Thu 6 Mar 2008 30,068 A..H. --- "C:\Documents and Settings\Ol©dzki\Ustawienia lokalne\Temp\fggnvylp.dll"

Mon 31 Mar 2008 26,494 A..H. --- "C:\Documents and Settings\Ol©dzki\Ustawienia lokalne\Temp\fhww8.dll"

Thu 27 Mar 2008 26,501 A..H. --- "C:\Documents and Settings\Ol©dzki\Ustawienia lokalne\Temp\fliuqm.dll"

Mon 3 Mar 2008 29,978 A..H. --- "C:\Documents and Settings\Ol©dzki\Ustawienia lokalne\Temp\fqig.dll"

Thu 27 Mar 2008 27,098 A..H. --- "C:\Documents and Settings\Ol©dzki\Ustawienia lokalne\Temp\fusdft5a.dll"

Wed 19 Mar 2008 25,631 A..H. --- "C:\Documents and Settings\Ol©dzki\Ustawienia lokalne\Temp\gj4hn.dll"

Sat 22 Mar 2008 26,189 A..H. --- "C:\Documents and Settings\Ol©dzki\Ustawienia lokalne\Temp\h.dll"

Mon 25 Feb 2008 29,941 A..H. --- "C:\Documents and Settings\Ol©dzki\Ustawienia lokalne\Temp\h4khdlm.dll"

Mon 26 May 2008 26,174 A..H. --- "C:\Documents and Settings\Ol©dzki\Ustawienia lokalne\Temp\h8my7hut.dll"

Mon 21 Jul 2008 31,744 A..H. --- "C:\Documents and Settings\Ol©dzki\Ustawienia lokalne\Temp\hs7nysg.dll"

Thu 14 Feb 2008 29,807 A..H. --- "C:\Documents and Settings\Ol©dzki\Ustawienia lokalne\Temp\i2ir.dll"

Sat 14 Jun 2008 30,720 A..H. --- "C:\Documents and Settings\Ol©dzki\Ustawienia lokalne\Temp\iem.dll"

Sat 1 Mar 2008 30,225 A..H. --- "C:\Documents and Settings\Ol©dzki\Ustawienia lokalne\Temp\ilpggjj.dll"

Wed 11 Jun 2008 31,063 A..H. --- "C:\Documents and Settings\Ol©dzki\Ustawienia lokalne\Temp\izxx7r.dll"

Sat 8 Mar 2008 29,464 A..H. --- "C:\Documents and Settings\Ol©dzki\Ustawienia lokalne\Temp\jm2fbs.dll"

Thu 24 Jul 2008 31,232 A..H. --- "C:\Documents and Settings\Ol©dzki\Ustawienia lokalne\Temp\jzuqe.dll"

Sat 8 Mar 2008 30,542 A..H. --- "C:\Documents and Settings\Ol©dzki\Ustawienia lokalne\Temp\k4jm.dll"

Tue 1 Apr 2008 26,532 A..H. --- "C:\Documents and Settings\Ol©dzki\Ustawienia lokalne\Temp\m.dll"

Mon 31 Mar 2008 26,338 A..H. --- "C:\Documents and Settings\Ol©dzki\Ustawienia lokalne\Temp\megq.dll"

Thu 3 Jul 2008 28,672 A..H. --- "C:\Documents and Settings\Ol©dzki\Ustawienia lokalne\Temp\mrzkj.dll"

Sun 6 Jul 2008 29,184 A..H. --- "C:\Documents and Settings\Ol©dzki\Ustawienia lokalne\Temp\nx.dll"

Fri 18 Jul 2008 31,232 A..H. --- "C:\Documents and Settings\Ol©dzki\Ustawienia lokalne\Temp\olj5w.dll"

Thu 3 Jul 2008 30,208 A..H. --- "C:\Documents and Settings\Ol©dzki\Ustawienia lokalne\Temp\ovk2o.dll"

Tue 8 Jul 2008 30,208 A..H. --- "C:\Documents and Settings\Ol©dzki\Ustawienia lokalne\Temp\ovlx.dll"

Mon 2 Jun 2008 29,799 A..H. --- "C:\Documents and Settings\Ol©dzki\Ustawienia lokalne\Temp\pd7crtpf.dll"

Sun 6 Jul 2008 29,696 A..H. --- "C:\Documents and Settings\Ol©dzki\Ustawienia lokalne\Temp\port.dll"

Mon 21 Apr 2008 27,020 A..H. --- "C:\Documents and Settings\Ol©dzki\Ustawienia lokalne\Temp\psdtohkm.dll"

Fri 15 Feb 2008 29,707 A..H. --- "C:\Documents and Settings\Ol©dzki\Ustawienia lokalne\Temp\q4olgq.dll"

Sun 29 Jun 2008 29,184 A..H. --- "C:\Documents and Settings\Ol©dzki\Ustawienia lokalne\Temp\q8gqt.dll"

Fri 22 Feb 2008 29,274 A..H. --- "C:\Documents and Settings\Ol©dzki\Ustawienia lokalne\Temp\qc7r.dll"

Mon 24 Mar 2008 26,167 A..H. --- "C:\Documents and Settings\Ol©dzki\Ustawienia lokalne\Temp\qt75a.dll"

Sat 5 Apr 2008 27,064 A..H. --- "C:\Documents and Settings\Ol©dzki\Ustawienia lokalne\Temp\r.dll"

Sat 19 Apr 2008 26,564 A..H. --- "C:\Documents and Settings\Ol©dzki\Ustawienia lokalne\Temp\rm.dll"

Sat 5 Jul 2008 29,184 A..H. --- "C:\Documents and Settings\Ol©dzki\Ustawienia lokalne\Temp\t.dll"

Sun 29 Jun 2008 28,672 A..H. --- "C:\Documents and Settings\Ol©dzki\Ustawienia lokalne\Temp\vyjx4s.dll"

Sat 29 Mar 2008 26,711 A..H. --- "C:\Documents and Settings\Ol©dzki\Ustawienia lokalne\Temp\wi.dll"

Sat 5 Apr 2008 25,958 A..H. --- "C:\Documents and Settings\Ol©dzki\Ustawienia lokalne\Temp\wosrcuy.dll"

Thu 24 Jul 2008 31,744 A..H. --- "C:\Documents and Settings\Ol©dzki\Ustawienia lokalne\Temp\wzw9.dll"

Thu 10 Jul 2008 31,232 A..H. --- "C:\Documents and Settings\Ol©dzki\Ustawienia lokalne\Temp\xl4wtg77.dll"

Tue 22 Jul 2008 31,232 A..H. --- "C:\Documents and Settings\Ol©dzki\Ustawienia lokalne\Temp\y7vnqv.dll"

Mon 21 Jul 2008 30,720 A..H. --- "C:\Documents and Settings\Ol©dzki\Ustawienia lokalne\Temp\yedp8.dll"

Tue 22 Jul 2008 31,744 A..H. --- "C:\Documents and Settings\Ol©dzki\Ustawienia lokalne\Temp\yhgo47to.dll"

Fri 4 Jul 2008 29,696 A..H. --- "C:\Documents and Settings\Ol©dzki\Ustawienia lokalne\Temp\yv.dll"

Tue 22 Apr 2008 27,205 A..H. --- "C:\Documents and Settings\Ol©dzki\Ustawienia lokalne\Temp\z.dll"

Mon 18 Feb 2008 29,691 A..H. --- "C:\Documents and Settings\Ol©dzki\Ustawienia lokalne\Temp\z5.dll"

Fri 21 Mar 2008 26,894 A..H. --- "C:\Documents and Settings\Ol©dzki\Ustawienia lokalne\Temp\z8.dll"

Tue 11 Mar 2008 26,761 A..H. --- "C:\Documents and Settings\Ol©dzki\Ustawienia lokalne\Temp\zsh4zci.dll"

Tue 25 Mar 2008 26,439 A..H. --- "C:\Documents and Settings\Ol©dzki\Ustawienia lokalne\Temp\zt.dll"

Sun 14 Oct 2007 19,968 ...H. --- "C:\Documents and Settings\Ludľ\Dane aplikacji\Microsoft\Word\~WRL0005.tmp"

Sun 14 Oct 2007 20,992 ...H. --- "C:\Documents and Settings\Ludľ\Dane aplikacji\Microsoft\Word\~WRL0716.tmp"

Sun 14 Oct 2007 23,040 ...H. --- "C:\Documents and Settings\Ludľ\Dane aplikacji\Microsoft\Word\~WRL1575.tmp"

Thu 15 Jun 2006 4,348 ...H. --- "C:\Documents and Settings\Ludľ\Moje dokumenty\Moja muzyka\Kopia zapasowa licencji\drmv1key.bak"

Thu 15 Jun 2006 20 A..H. --- "C:\Documents and Settings\Ludľ\Moje dokumenty\Moja muzyka\Kopia zapasowa licencji\drmv1lic.bak"

Thu 15 Jun 2006 312 A.SH. --- "C:\Documents and Settings\Ludľ\Moje dokumenty\Moja muzyka\Kopia zapasowa licencji\drmv2key.bak"

Tue 9 May 2006 79,872 ...H. --- "C:\Documents and Settings\Ol©dzki\Dane aplikacji\Microsoft\Word\~WRL0086.tmp"

Mon 30 Apr 2007 1,093,120 ...H. --- "C:\Documents and Settings\Ol©dzki\Dane aplikacji\Microsoft\Word\~WRL0264.tmp"

Wed 11 Apr 2007 19,456 ...H. --- "C:\Documents and Settings\Ol©dzki\Dane aplikacji\Microsoft\Word\~WRL2266.tmp"

Mon 30 Apr 2007 1,093,120 ...H. --- "C:\Documents and Settings\Ol©dzki\Dane aplikacji\Microsoft\Word\~WRL2925.tmp"


[b]Finished![/b]

teraz biore sie za system repair enginnera

Laokoon · 24 Sierpień 2008 21:26

przeskanowalem (kliknalem “smart scan”) srengiem, wszystko na opcjach default, bez zmienianai, bo nei znam programu, to log: http://wklej.org/id/784/

Laokoon · 24 Sierpień 2008 21:36

ooo, teraz juz moge zmienic tlo pulpitu itd., tak jakby sie naprawilo, co mam zrobic, zeby sprawdzic, czy jzu wszystko ok?

Leon1 · 25 Sierpień 2008 13:52

Wylecz pendriva lub kartę pamięci http://www.softpedia.com/get/Security/S … Tool.shtml

Flash Disinfector http://www.searchengines.pl/index.php?s … ntry369724

lub format

Pobierz i uruchom narzędzie The Avenger Zaznaczasz tekst podany do usunięcia na forum

kopiuj >> klikasz na Paste Script from Clipboard >> Execute >> Potwierdzasz i zgadzasz się na restart klikając OK.

Kasujesz ręcznie z dysku plik: C:\Avenger\backup.zip i wklejasz na forum raport: C:\avenger.txt

Otwórz notatnik i wklej

zapisz jako plik.reg >> wszystkie pliki >> scal z rejestrem >> restart

powstanie plik o takiej ikonie

w który dwa razy klikniesz potwierdzisz chęć dodania do rejestru potem restart

uruchom System Repair Engineer zakładka System Repair Browser Add-ons odszukaj i usuń

System Repair Engineer zakładka Boot items services drivers odszukaj i usuń

potem nowy log System Repair Engineer przed zrobieniem skanu odznacz HOSTS File

potem log HijackThis

Laokoon · 25 Sierpień 2008 17:54

wykonalem krok 1, to report z avengera:

Logfile of The Avenger Version 2.0, (c) by Swandog46

http://swandog46.geekstogo.com


Platform: Windows XP


*******************


Script file opened successfully.

Script file read successfully.


Backups directory opened successfully at C:\Avenger


*******************


Beginning to process script file:


Rootkit scan active.

No rootkits found!


File "C:\WINDOWS\system32\blphcggnj0ej9a.scr" deleted successfully.

File "C:\WINDOWS\system32\ckvo.exe" deleted successfully.

File "C:\WINDOWS\system32\ckvo1.dll" deleted successfully.

File "C:\Autorun.Inf" deleted successfully.

File "D:\Autorun.Inf" deleted successfully.

File "E:\Autorun.Inf" deleted successfully.

File "F:\Autorun.Inf" deleted successfully.


Completed script processing.


*******************


Finished! Terminate.

pliku backup.zip nie bylo w tym folderze

Leon1 · 25 Sierpień 2008 18:31

usunięte a co z resztą?

Laokoon · 25 Sierpień 2008 18:55

to logi z srenga i hijacka po wykonaniu wszystkich operacji: http://wklej.org/id/949/ i http://wklej.org/id/948/

niestety nie moge nic wyslac na zaden serwer hostingowy (te logi kolega wysylal na wklej.org, ktoremu przez gg to wyslalem), po kliknieciu zeby zaladowac plik/tekst poprostu pojawia sie biala strona i nci sie nei dzieje, na rapidshare pokazalo mi predkosc uploadu 0 kb/s, ale speedtest wykazal normalna predklasc lacza. komunikatory dzialaja normalnie, kilka razy pokazalo sie cos w stylu BSOD’a, ktory znikal po wcisnieciu escape i komputer natychmiast powracal do normalnej pracy, odtwarzany w miedzyczasie dzwiek nei zniknal. co to jest i co z tym zrobic?

Laokoon

Laokoon · 25 Sierpień 2008 18:59

z jakiegos powodu mam demo spyware begone, ktore tylko wykrywa spyware, ale nei mozna usunac , trzeba zamowic pelna, platna wersje… w kazdym razie wyrkywa on 4 programy spyware

Leon1 · 25 Sierpień 2008 19:39

Pobierz i uruchom narzędzie The Avenger Zaznaczasz tekst podany do usunięcia na forum

kopiuj >> klikasz na Paste Script from Clipboard >> Execute >> Potwierdzasz i zgadzasz się na restart klikając OK.

Kasujesz ręcznie z dysku plik: C:\Avenger\backup.zip i wklejasz na forum raport: C:\avenger.txt

Otwórz notatnik i wklej

zapisz jako plik.reg >> wszystkie pliki >> scal z rejestrem >> restart

powstanie plik o takiej ikonie

w który dwa razy klikniesz potwierdzisz chęć dodania do rejestru potem restart

Pobierz CCleaner http://www.filehippo.com/download_ccleaner/

przeskanuj nim i wyczyść rejestr.

zrób optymalizacje uruchamiania

http://cybertrash.netarteria.pl/cyber/i … 378.0.html

usuń ręcznie folder C: \Qoobox usuń instalkę Combofix z dysku.

Wyłącz I włącz przywracanie systemu na wszystkich dyskach.http://support.microsoft.com/kb/310405/pl

przeskanuj obszar Mój komputer http://www.kaspersky.pl/virusscanner.html pokaż raport stronę uruchomić przez IE

lub

Dr.WEB CureIt! http://dobreprogramy.pl/index.php?dz=2 … It!+4.44.5

Laokoon · 25 Sierpień 2008 19:57

avenger.txt wyglada tak:

Logfile of The Avenger Version 2.0, (c) by Swandog46

http://swandog46.geekstogo.com


Platform: Windows XP


*******************


Script file opened successfully.

Script file read successfully.


Backups directory opened successfully at C:\Avenger


*******************


Beginning to process script file:


Rootkit scan active.


Hidden driver "tdssserv" found!

ImagePath: \systemroot\system32\drivers\tdssserv.sys 

Start Type: 1 (System)


Rootkit scan completed.


File "C:\WINDOWS\system32\tsd32.dll" deleted successfully.

Folder "C:\freescan" deleted successfully.


Completed script processing.


*******************


Finished! Terminate.

probowalem dodac plik.reg do rejestru, ale pokazalo sie to:

nie mozna zaimportowac C:…\plik.reg : Okreslony plik nie jest skryptem rejestru. Mozna importowac tylko binarne pliki rejestru z wewnatrz Edytora rejestru.

postepowac wg. kolejnych krokow, czy zrobci cos innego?