Atakują wirusy!

kaska2 · 12 Czerwiec 2007 15:26

Atak wirusów, które chcą połączyć się z kompem.Wysyłam logi:

Logfile of HijackThis v1.99.1 Scan saved at 17:00:15, on 2007-06-12 Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\WINDOWS\System32\keyhook.exe C:\WINDOWS\system32\qttask.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\Microsoft Security Adviser\mssadv.exe C:\Program Files\Microsoft Security Adviser\msctrl.exe C:\Program Files\Microsoft Security Adviser\msavsc.exe C:\Program Files\Microsoft Security Adviser\msscan.exe C:\Program Files\Microsoft Security Adviser\msiemon.exe C:\Program Files\Microsoft Security Adviser\msfw.exe C:\WINDOWS\avp.exe C:\WINDOWS\smgr.exe C:\WINDOWS\System32\ipmon.exe C:\WINDOWS\System32\ipmon.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe C:\WINDOWS\System32\wuauclt.exe C:\Documents and Settings\sss\Pulpit\apteczka dla kompa\HijackThis.exe C:\DOCUME~1\sss\USTAWI~1\Temp\130796.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.bearshare.com/sidebar.html?src=ssb R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.bearshare.com/sidebar.html?src=ssb R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/ R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: My Global Search Bar BHO - {37B85A21-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\3.bin\MGSBAR.DLL O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: My Global Search Bar - {37B85A29-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\3.bin\MGSBAR.DLL O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll O4 - HKLM…\Run: [siSUSBRG] C:\WINDOWS\SiSUSBrg.exe O4 - HKLM…\Run: [siS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe O4 - HKLM…\Run: [QuickTime Task] “C:\WINDOWS\system32\qttask.exe” -atboottime O4 - HKLM…\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM…\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd O4 - HKLM…\Run: [Microsoft security adviser] C:\Program Files\Microsoft Security Adviser\mssadv.exe O4 - HKLM…\Run: [msctrl.exe] C:\Program Files\Microsoft Security Adviser\msctrl.exe O4 - HKLM…\Run: [msavsc.exe] C:\Program Files\Microsoft Security Adviser\msavsc.exe O4 - HKLM…\Run: [msscan.exe] C:\Program Files\Microsoft Security Adviser\msscan.exe O4 - HKLM…\Run: [msiemon.exe] C:\Program Files\Microsoft Security Adviser\msiemon.exe O4 - HKLM…\Run: [msfw.exe] C:\Program Files\Microsoft Security Adviser\msfw.exe O4 - HKLM…\Run: [avp] C:\WINDOWS\avp.exe O4 - HKLM…\Run: [smgr] smgr.exe O4 - HKLM…\Run: [WindowsHive] C:\WINDOWS\System32\rpcc.exe O4 - HKLM…\Run: [ipmon] ipmon.exe O4 - HKCU…\Run: [Microsoft security adviser] C:\Program Files\Microsoft Security Adviser\mssadv.exe O4 - HKCU…\Run: [msctrl.exe] C:\Program Files\Microsoft Security Adviser\msctrl.exe O4 - HKCU…\Run: [msavsc.exe] C:\Program Files\Microsoft Security Adviser\msavsc.exe O4 - HKCU…\Run: [msscan.exe] C:\Program Files\Microsoft Security Adviser\msscan.exe O4 - HKCU…\Run: [msiemon.exe] C:\Program Files\Microsoft Security Adviser\msiemon.exe O4 - HKCU…\Run: [msfw.exe] C:\Program Files\Microsoft Security Adviser\msfw.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O12 - Plugin for .mp4: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll O16 - DPF: {4F5E4276-C120-11D6-A1FD-00508B9D48EA} (dldisplay Class) - http://www.gamehouse.com/ghdlctl.cab O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Skype\Plugin Manager\Skype4COM.dll (file missing) O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe (file missing) O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

“Silent Runners.vbs”, revision 49, http://www.silentrunners.org/ Operating System: Windows XP Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “Microsoft security adviser” = “C:\Program Files\Microsoft Security Adviser\mssadv.exe” [“home”] “msctrl.exe” = “C:\Program Files\Microsoft Security Adviser\msctrl.exe” [null data] “msavsc.exe” = “C:\Program Files\Microsoft Security Adviser\msavsc.exe” [null data] “msscan.exe” = “C:\Program Files\Microsoft Security Adviser\msscan.exe” [null data] “msiemon.exe” = “C:\Program Files\Microsoft Security Adviser\msiemon.exe” [null data] “msfw.exe” = “C:\Program Files\Microsoft Security Adviser\msfw.exe” [null data] “mssadv.exe” = “*d” (unwritable string) [file not found] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “SiSUSBRG” = “C:\WINDOWS\SiSUSBrg.exe” [“Silicon Integrated Systems Corp.”] “SiS Windows KeyHook” = “C:\WINDOWS\System32\keyhook.exe” [“Silicon Integrated Systems Corporation”] “QuickTime Task” = ““C:\WINDOWS\system32\qttask.exe” -atboottime” [“Apple Computer, Inc.”] “avast!” = “C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [“ALWIL Software”] “Cmaudio” = “RunDll32 cmicnfg.cpl,CMICtrlWnd” [MS] “Microsoft security adviser” = “C:\Program Files\Microsoft Security Adviser\mssadv.exe” [“home”] “msctrl.exe” = “C:\Program Files\Microsoft Security Adviser\msctrl.exe” [null data] “msavsc.exe” = “C:\Program Files\Microsoft Security Adviser\msavsc.exe” [null data] “msscan.exe” = “C:\Program Files\Microsoft Security Adviser\msscan.exe” [null data] “msiemon.exe” = “C:\Program Files\Microsoft Security Adviser\msiemon.exe” [null data] “msfw.exe” = “C:\Program Files\Microsoft Security Adviser\msfw.exe” [null data] “mssadv.exe” = “*” (unwritable string) [file not found] “avp” = “C:\WINDOWS\avp.exe” [“MskSoftStudy Corp.”] “smgr” = “smgr.exe” [null data] “WindowsHive” = “C:\WINDOWS\System32\rpcc.exe” [null data] “ipmon” = “ipmon.exe” [MS] HKLM\Software\Microsoft\Active Setup\Installed Components\ {306D6C21-C1B6-4629-986C-E59E1875B8AF}(Default) = (no title provided) \StubPath = ““C:\WINDOWS\System32\rundll32.exe” “C:\Program Files\Messenger\msgsc.dll”,ShowIconsUser” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “AcroIEHlprObj Class” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”] {37B85A21-692B-4205-9CAD-2626E4993404}(Default) = “My Global Search Bar BHO” -> {HKLM…CLSID} = “My Global Search Bar BHO” \InProcServer32(Default) = “C:\Program Files\MyGlobalSearch\bar\3.bin\MGSBAR.DLL” [“My Global Search”] {AA58ED58-01DD-4d91-8333-CF10577473F7}(Default) = (no title provided) -> {HKLM…CLSID} = “Google Toolbar Helper” \InProcServer32(Default) = “c:\program files\google\googletoolbar3.dll” [“Google Inc.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”] “{0006F045-0000-0000-C000-000000000046}” = “Microsoft Outlook Custom Icon Handler” -> {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook” \InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL” [MS] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] “{32020A01-506E-484D-A2A8-BE3CF17601C3}” = “AlcoholShellEx” -> {HKLM…CLSID} = “AlcoholShellEx” \InProcServer32(Default) = “C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AxShlex.dll” [“Alcohol Soft Development Team”] “{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}” = “Shell Extensions for RealOne Player” -> {HKLM…CLSID} = “RealOne Player Context Menu Class” \InProcServer32(Default) = “C:\Program Files\ACE Mega CoDecS Pack\SystemS\RealMedia\rpshell.dll” [“RealNetworks, Inc.”] “{472083B0-C522-11CF-8763-00608CC02F24}” = “avast” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\ “load” = (value not set) “run” = (value not set) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\ <> “AppInit_DLLs” = " c:\windows\system32\ldcore.dll" [file not found] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info” -> {HKLM…CLSID} = “PDF Shell Extension” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “DisableTaskMgr” = (REG_DWORD) hex:0x00000001 {User Configuration|Administrative Templates|System|Ctrl+Alt+Del Options| Remove Task Manager} HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\Documents and Settings\sss\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\Documents and Settings\sss\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Startup items in “sss” & “All Users” startup folders: ----------------------------------------------------- C:\Documents and Settings\All Users\Menu Start\Programy\Autostart “Adobe Reader Speed Launch” -> shortcut to: “C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe” [“Adobe Systems Incorporated”] “Microsoft Office” -> shortcut to: “C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l” [MS] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ “{2318C2B1-4965-11D4-9B18-009027A5CD4F}” -> {HKLM…CLSID} = “&Google” \InProcServer32(Default) = “c:\program files\google\googletoolbar3.dll” [“Google Inc.”] “{37B85A29-692B-4205-9CAD-2626E4993404}” -> {HKLM…CLSID} = “My Global Search Bar” \InProcServer32(Default) = “C:\Program Files\MyGlobalSearch\bar\3.bin\MGSBAR.DLL” [“My Global Search”] HKLM\Software\Microsoft\Internet Explorer\Toolbar\ “{37B85A29-692B-4205-9CAD-2626E4993404}” = (no title provided) -> {HKLM…CLSID} = “My Global Search Bar” \InProcServer32(Default) = “C:\Program Files\MyGlobalSearch\bar\3.bin\MGSBAR.DLL” [“My Global Search”] “{2318C2B1-4965-11D4-9B18-009027A5CD4F}” = (no title provided) -> {HKLM…CLSID} = “&Google” \InProcServer32(Default) = “c:\program files\google\googletoolbar3.dll” [“Google Inc.”] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ avast! Antivirus, avast! Antivirus, ““C:\Program Files\Alwil Software\Avast4\ashServ.exe”” [“ALWIL Software”] avast! iAVS4 Control Service, aswUpdSv, ““C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe”” [“ALWIL Software”] avast! Web Scanner, avast! Web Scanner, ““C:\Program Files\Alwil Software\Avast4\ashWebSv.exe” /service” [“ALWIL Software”] StarWind iSCSI Service, StarWindService, “C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe” [“Rocket Division Software”] Windows User Mode Driver Framework, UMWdf, “C:\WINDOWS\System32\wdfmgr.exe” [MS] ---------- <>: Suspicious data at a malware launch point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 91 seconds. ---------- (total run time: 338 seconds)

Oprócz tego cos się dostało do kompa, wygoda jak tarcza biało czerwona z iksem. Jak nacisnę na to wyskakuje komunikat:

Would you like to update your security software and download System Live Protect.

Z góry dziękuje. :o

Złączono Posta : 12.06.2007 (Wto) 18:20

Chodzi o to, że te wirusy zakatowały plik Temporary Internet Files i nie można ich usunąć. I do tego powoduje lekkie sypanie systemu.

Agaton · 12 Czerwiec 2007 16:52

kaśka

Na Forum używamy polskich znaków.

Proszę poprawić błędy pisowni w opisie problemu.

W celu edycji swojego posta proszę skorzystać z przycisku

Zignorowanie prośby będzie skutkowało usunięciem tematu do Kosza.

Gutek · 12 Czerwiec 2007 18:29

Daj log z Combofix

Czyszczenie rejestru:

RegCleaner - http://www.dobreprogramy.pl/index.php?dz=2&t=29&id=177

możesz rejestr przelecieć albo

jv16 PowerTools - http://www.dobreprogramy.pl/index.php?dz=2&t=29&id=509

kaska2 · 12 Czerwiec 2007 19:38

Po dużych problemach udało się zrobić log.

Ale mam dwa więc oba przesyłam:

ComboFix 07-06-13 - C:\Documents and Settings\sss\Pulpit\apteczka dla kompa\ComboFix.exe “sss” - 2007-06-12 20:52:40 - Dodatek Service Pack. 1 NTFS ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) C:\DOCUME~1\LOCALS~1\DANEAP~1\Install.dat C:\DOCUME~1\NETWOR~1\DANEAP~1\Install.dat C:\DOCUME~1\sss\DANEAP~1…rdr.ini C:\Program Files\MyGlobalSearch C:\Program Files\MyGlobalSearch\bar\3.bin\M9FFXTBR.JAR C:\Program Files\MyGlobalSearch\bar\3.bin\M9FFXTBR.MANIFEST C:\Program Files\MyGlobalSearch\bar\3.bin\M9NTSTBR.JAR C:\Program Files\MyGlobalSearch\bar\3.bin\M9NTSTBR.MANIFEST C:\Program Files\MyGlobalSearch\bar\3.bin\M9PLUGIN.DLL C:\Program Files\MyGlobalSearch\bar\3.bin\MGSBAR.DLL C:\Program Files\MyGlobalSearch\bar\3.bin\NPMYGLSH.DLL C:\Program Files\MyGlobalSearch\bar\Cache\007483C2 C:\Program Files\MyGlobalSearch\bar\Cache\00748A1B.bin C:\Program Files\MyGlobalSearch\bar\Cache\007499EA.bin C:\Program Files\MyGlobalSearch\bar\Cache\00749C8A.bin C:\Program Files\MyGlobalSearch\bar\Cache\files.ini C:\Program Files\MyGlobalSearch\bar\History\search C:\Program Files\MyGlobalSearch\bar\Settings\prevcfg.htm C:\svchost.exe C:\WINDOWS\764.exe C:\WINDOWS\avp.exe C:\WINDOWS\smgr.exe C:\WINDOWS\system32\0_exception.nls C:\WINDOWS\system32\alt.exe.exe C:\WINDOWS\system32\driver.exe C:\WINDOWS\system32\drivers\secdrv.sys C:\WINDOWS\system32\KB18561603.exe C:\WINDOWS\system32\KB66507128.exe C:\WINDOWS\system32\ldinfo.ldr C:\WINDOWS\system32\max1d1641.exe C:\WINDOWS\system32\RunOnce2.t__ C:\WINDOWS\system32\svcp.csv C:\WINDOWS\system32\winsub.xml C:\WINDOWS\system32\wmvds32.dll C:\WINDOWS\system32\xjwsgqo.dll C:\WINDOWS\system32RunOnce2.t__ C:\WINDOWS\system32RunOnce2.tm_ ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) -------\LEGACY_NDNET1 -------\LEGACY_RUNTIME -------\NDnet1 -------\ntio256 -------\Runtime ((((((((((((((((((((((((( Files Created from 2007-05-12 to 2007-06-12 ))))))))))))))))))))))))))))))) 2007-06-12 20:42 49,152 --a------ C:\WINDOWS\nircmd.exe 2007-06-11 21:02 7,200 --a------ C:\yuvncha.exe 2007-06-11 21:02 48,128 --a------ C:\jwvbsck.exe 2007-06-11 21:02 1,536 --a------ C:\ptfhcti.exe 2007-06-11 20:51 7,200 --a------ C:\eeca.exe 2007-06-11 20:51 48,128 --a------ C:\kxxqqwg(3).exe 2007-06-11 20:51 48,128 --a------ C:\kxxqqwg(2).exe 2007-06-11 20:51 48,128 --------- C:\kxxqqwg.exe 2007-06-11 20:51 30,720 --a------ C:\WINDOWS\system32\ipmon.exe 2007-06-11 20:51 13,824 --a------ C:\WINDOWS\system32\max1d1641(3).exe 2007-06-11 20:51 13,824 --a------ C:\WINDOWS\system32\max1d1641(2).exe 2007-06-11 20:51 1,536 --a------ C:\mnfltoc(3).exe 2007-06-11 20:51 1,536 --a------ C:\mnfltoc(2).exe 2007-06-11 20:51 1,536 --------- C:\mnfltoc.exe 2007-06-11 16:38 1,536 --a------ C:\nhibp.exe 2007-06-11 14:49 2,560 --------- C:\imyhftn.exe 2007-06-05 22:49 2007-06-05 17:32 4 --a------ C:\WINDOWS\system32\stfv.bin 2007-06-05 17:29 12 --a------ C:\WINDOWS\system32\sl.bin 2007-06-05 17:28 9,216 --a------ C:\WINDOWS\bjam.dll 2007-06-05 17:28 32,256 --a------ C:\WINDOWS\bokja.exe 2007-06-05 17:28 31,744 --a------ C:\WINDOWS\system32\wml.exe 2007-06-05 17:28 31,744 --a------ C:\WINDOWS\system32\vxddsk.exe 2007-06-05 17:28 31,488 --a------ C:\WINDOWS\cdsm32.dll 2007-06-05 17:28 30,976 --a------ C:\WINDOWS\system32\updatetc.exe 2007-06-05 17:28 28,160 --a------ C:\WINDOWS\system32\Biprep.exe 2007-06-05 17:28 27,648 --a------ C:\WINDOWS\system32\MSIXU.DLL 2007-06-05 17:28 27,648 --a------ C:\WINDOWS\flt.dll 2007-06-05 17:28 26,880 --a------ C:\WINDOWS\system32\180ax.exe 2007-06-05 17:28 26,112 --a------ C:\WINDOWS\bi.dll 2007-06-05 17:28 25,088 --a------ C:\WINDOWS\system32\msdn_lib.dll 2007-06-05 17:28 25,088 --a------ C:\WINDOWS\saiemod.dll 2007-06-05 17:28 24,832 --a------ C:\WINDOWS\pbar.dll 2007-06-05 17:28 24,832 --a------ C:\WINDOWS\2020search.dll 2007-06-05 17:28 24,320 --a------ C:\WINDOWS\7search.dll 2007-06-05 17:28 23,040 --a------ C:\WINDOWS\system32\salm.exe 2007-06-05 17:28 22,784 --a------ C:\WINDOWS\system32\WER8274.DLL 2007-06-05 17:28 21,760 --a------ C:\WINDOWS\voiceip.dll 2007-06-05 17:28 20,992 --a------ C:\WINDOWS\system32\SUSP.exe 2007-06-05 17:28 20,480 --a------ C:\WINDOWS\2020search2.dll 2007-06-05 17:28 18,176 --a------ C:\WINDOWS\system32\satmat.exe 2007-06-05 17:28 17,152 --a------ C:\WINDOWS\system32\Bi.dll 2007-06-05 17:28 16,640 --a------ C:\WINDOWS\mspphe.dll 2007-06-05 17:28 14,848 --a------ C:\WINDOWS\swin32.dll 2007-06-05 17:28 14,848 --a------ C:\WINDOWS\stcloader.exe 2007-06-05 17:28 14,336 --a------ C:\WINDOWS\mssvr.exe 2007-06-05 17:28 12 --a------ C:\WINDOWS\system32\gtv_sd.bin 2007-06-05 17:17 35,840 --------- C:\WINDOWS\system32\msvcrtd.exe 2007-06-05 17:16 4,096 --a------ C:\WINDOWS\system32\schtasks.dll 2007-06-05 17:16 15,872 --a------ C:\WINDOWS\vmmreg32.exe 2007-06-05 15:39 7,168 --a------ C:\svchost2.exe 2007-06-05 15:39 35,328 --a------ C:\WINDOWS\mssadv.dll 2007-06-05 15:39 10,752 --a------ C:\WINDOWS\msscan.dll 2007-06-05 15:39 10,752 --a------ C:\WINDOWS\msiemon.dll 2007-06-05 15:39 10,752 --a------ C:\WINDOWS\msfw.dll 2007-06-05 15:39 10,752 --a------ C:\WINDOWS\msctrl.dll 2007-06-05 15:39 10,752 --a------ C:\WINDOWS\msavsc.dll 2007-06-05 15:39 2007-05-30 20:12 4,980,736 --a------ C:\DOCUME~1\sss\ntuser.dat 2007-05-30 20:12 233,472 --a------ C:\DOCUME~1\NETWOR~1\ntuser.dat 2007-05-30 20:12 229,376 --a------ C:\DOCUME~1\LOCALS~1\ntuser.dat 2007-05-27 22:45 2007-05-27 22:45 2007-05-13 13:32 16,224 --a------ C:\WINDOWS\system32\drivers\hamachi.sys (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-06-08 22:45:34 -------- d-----w C:\Program Files\Tibia 2007-05-13 11:46:16 -------- d-----w C:\Program Files\Hamachi 2007-05-13 11:37:48 -------- d-----w C:\DOCUME~1\sss\DANEAP~1\Hamachi 2007-05-12 07:20:43 -------- d-----w C:\Program Files\Gadu-Gadu 2007-05-11 21:25:55 -------- d-----w C:\DOCUME~1\sss\DANEAP~1\Gadu-Gadu 2007-05-09 14:08:12 -------- d-----w C:\Program Files\JoWood 2007-05-09 13:36:24 -------- d–h--w C:\Program Files\InstallShield Installation Information 2007-05-09 09:37:48 -------- d-----w C:\Program Files\Damian Pasternak 2007-05-07 17:35:07 4,096 ----a-w C:\WINDOWS\d3dx.dat 2007-05-04 10:34:26 -------- d-----w C:\Program Files\Google 2007-04-30 15:46:10 745,600 ----a-w C:\WINDOWS\system32\aswBoot.exe 2007-04-30 15:41:55 85,952 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys 2007-04-30 15:41:42 94,552 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys 2007-04-30 15:39:41 23,416 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys 2007-04-30 15:38:51 43,176 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys 2007-04-30 15:37:23 26,888 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys 2007-04-30 15:35:28 95,872 ----a-w C:\WINDOWS\system32\AVASTSS.scr 2007-04-17 11:12:43 -------- d-----w C:\Program Files\Zajaczek 4.1 2007-03-25 08:37:34 49,492 ----a-w C:\WINDOWS\system32\perfc015.dat 2007-03-25 08:37:34 355,486 ----a-w C:\WINDOWS\system32\perfh015.dat ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects] {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2005-09-24 06:12] {AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar3.dll [2007-01-19 23:55] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [2007-04-30 17:42] “Cmaudio”=“cmicnfg.cpl” [] “Microsoft security adviser”=“C:\Program Files\Microsoft Security Adviser\mssadv.exe” [2007-06-11 14:20] “msctrl.exe”=“C:\Program Files\Microsoft Security Adviser\msctrl.exe” [2007-06-11 14:20] “msavsc.exe”=“C:\Program Files\Microsoft Security Adviser\msavsc.exe” [2007-06-11 14:20] “msscan.exe”=“C:\Program Files\Microsoft Security Adviser\msscan.exe” [2007-06-11 14:20] “msiemon.exe”=“C:\Program Files\Microsoft Security Adviser\msiemon.exe” [2007-06-11 14:20] “msfw.exe”=“C:\Program Files\Microsoft Security Adviser\msfw.exe” [2007-06-11 14:20] “mssadv.exe”="" [] “ipmon”=“ipmon.exe” [2007-06-11 21:02 C:\WINDOWS\system32\ipmon.exe] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “Microsoft security adviser”=“C:\Program Files\Microsoft Security Adviser\mssadv.exe” [2007-06-11 14:20] “msctrl.exe”=“C:\Program Files\Microsoft Security Adviser\msctrl.exe” [2007-06-11 14:20] “msavsc.exe”=“C:\Program Files\Microsoft Security Adviser\msavsc.exe” [2007-06-11 14:20] “msscan.exe”=“C:\Program Files\Microsoft Security Adviser\msscan.exe” [2007-06-11 14:20] “msiemon.exe”=“C:\Program Files\Microsoft Security Adviser\msiemon.exe” [2007-06-11 14:20] “msfw.exe”=“C:\Program Files\Microsoft Security Adviser\msfw.exe” [2007-06-11 14:20] “mssadv.exe”="" [] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] “DisableTaskMgr”=1 (0x1) [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^BlueSoleil.lnk] path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\BlueSoleil.lnk backup=C:\WINDOWS\pss\BlueSoleil.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^sss^Menu Start^Programy^Autostart^UniSpiker-2.6.lnk] path=C:\Documents and Settings\sss\Menu Start\Programy\Autostart\UniSpiker-2.6.lnk backup=C:\WINDOWS\pss\UniSpiker-2.6.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare] “C:\Program Files\BearShare\BearShare.exe” /pause [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033] “C:\Program Files\D-Tools\daemon.exe” -lang 1033 [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype] “C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized ************************************************************************** catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net Rootkit scan 2007-06-12 21:03:04 Windows 5.1.2600 Dodatek Service Pack. 1 NTFS scanning hidden processes … scanning hidden autostart entries … scanning hidden files … ************************************************************************** Completion time: 2007-06-12 21:04:57 - machine was rebooted C:\ComboFix-quarantined-files.txt … 2007-06-12 21:04 — E O F —

I drugi który znajdował się w pliku stworzonym przez combofixa o nazwie ComboFix-quarantined-files.txt :

2003-06-05 17:27 12800 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\wmvds32.dll.vir 2007-02-02 14:17 11973 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\secdrv.sys.vir 2007-05-02 11:32 140 --a------ C:\Qoobox\Quarantine\C\Program Files\MyGlobalSearch\bar\3.bin\M9FFXTBR.MANIFEST.vir 2007-05-02 11:32 140 --a------ C:\Qoobox\Quarantine\C\Program Files\MyGlobalSearch\bar\3.bin\M9NTSTBR.MANIFEST.vir 2007-05-02 11:32 225280 --a------ C:\Qoobox\Quarantine\C\Program Files\MyGlobalSearch\bar\3.bin\MGSBAR.DLL.vir 2007-05-02 11:32 24576 --a------ C:\Qoobox\Quarantine\C\Program Files\MyGlobalSearch\bar\3.bin\NPMYGLSH.DLL.vir 2007-05-02 11:32 45056 --a------ C:\Qoobox\Quarantine\C\Program Files\MyGlobalSearch\bar\3.bin\M9PLUGIN.DLL.vir 2007-05-02 11:32 4829 --a------ C:\Qoobox\Quarantine\C\Program Files\MyGlobalSearch\bar\3.bin\M9FFXTBR.JAR.vir 2007-05-02 11:32 6493 --a------ C:\Qoobox\Quarantine\C\Program Files\MyGlobalSearch\bar\3.bin\M9NTSTBR.JAR.vir 2007-05-02 11:34 1024 --a------ C:\Qoobox\Quarantine\C\Program Files\MyGlobalSearch\bar\History\search.vir 2007-05-02 11:34 1092 --a------ C:\Qoobox\Quarantine\C\Program Files\MyGlobalSearch\bar\Cache\00749C8A.bin.vir 2007-05-02 11:34 1320 --a------ C:\Qoobox\Quarantine\C\Program Files\MyGlobalSearch\bar\Cache\007499EA.bin.vir 2007-05-02 11:34 4504 --a------ C:\Qoobox\Quarantine\C\Program Files\MyGlobalSearch\bar\Cache\00748A1B.bin.vir 2007-05-02 11:34 7618 --a------ C:\Qoobox\Quarantine\C\Program Files\MyGlobalSearch\bar\Settings\prevcfg.htm.vir 2007-05-21 17:03 0 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\0_exception.nls.vir 2007-06-05 17:17 334 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ldinfo.ldr.vir 2007-06-05 17:18 1174416 --a------ C:\Qoobox\Quarantine\C\DOCUME~1\LOCALS~1\DANEAP~1\Install.dat.vir 2007-06-05 17:18 1174416 --a------ C:\Qoobox\Quarantine\C\DOCUME~1\NETWOR~1\DANEAP~1\Install.dat.vir 2007-06-05 17:19 16 --a------ C:\Qoobox\Quarantine\C\DOCUME~1\sss\DANEAP~1.rdr.ini.vir 2007-06-05 17:27 11271 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\KB18561603.exe.vir 2007-06-05 17:27 169984 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\xjwsgqo.dll.vir 2007-06-05 17:27 18944 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\KB66507128.exe.vir 2007-06-05 17:27 2 --a------ C:\Qoobox\Quarantine\C\WINDOWS\System32RunOnce2.t__.vir 2007-06-05 17:27 2 --a------ C:\Qoobox\Quarantine\C\WINDOWS\System32RunOnce2.tm_.vir 2007-06-05 17:27 32 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\RunOnce2.t__.vir 2007-06-05 17:28 25344 --a------ C:\Qoobox\Quarantine\C\WINDOWS\764.exe.vir 2007-06-11 14:20 7168 --a------ C:\Qoobox\Quarantine\C\svchost.exe.vir 2007-06-11 14:22 18944 --a------ C:\Qoobox\Quarantine\C\WINDOWS\avp.exe.vir 2007-06-11 16:38 32633 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\rpcc.exe.vir 2007-06-11 16:38 62350 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\xpdx.sys.vir 2007-06-11 16:43 28160 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\driver.exe.vir 2007-06-11 20:51 13824 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\max1d1641.exe.vir 2007-06-12 17:13 79 --a------ C:\Qoobox\Quarantine\C\Program Files\MyGlobalSearch\bar\Cache\007483C2.vir 2007-06-12 17:20 11776 --a------ C:\Qoobox\Quarantine\C\WINDOWS\smgr.exe.vir 2007-06-12 17:27 4 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\winsub.xml.vir 2007-06-12 17:27 63 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\svcp.csv.vir 2007-06-12 17:27 85906 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\alt.exe.exe.vir 2007-06-12 20:49 309 --a------ C:\Qoobox\Quarantine\C\Program Files\MyGlobalSearch\bar\Cache\files.ini.vir 2007-06-12 20:59 1196 --a------ C:\Qoobox\Quarantine\Registry_backups\LEGACY_NDNET1.reg.cf 2007-06-12 20:59 1208 --a------ C:\Qoobox\Quarantine\Registry_backups\LEGACY_RUNTIME.reg.cf 2007-06-12 20:59 2524 --a------ C:\Qoobox\Quarantine\Registry_backups\services_ntio256.reg.cf 2007-06-12 20:59 700 --a------ C:\Qoobox\Quarantine\Registry_backups\hklm_windowsNT_windows.reg.cf 2007-06-12 20:59 750 --a------ C:\Qoobox\Quarantine\Registry_backups\services_Runtime.reg.cf 2007-06-12 20:59 782 --a------ C:\Qoobox\Quarantine\Registry_backups\services_NDnet1.reg.cf 2007-06-12 21:00 443 --a------ C:\Qoobox\Quarantine\catchme.log 2007-06-12 21:00 91641 --a------ C:\Qoobox\Quarantine\catchme2007-06-12_210302.42.zip Zmienna PATH folderu dla woluminu Pawe Numer seryjny woluminu: 71F5E346 5494:58F5 C:\QOOBOX —Quarantine | catchme.log | catchme2007-06-12_210302.42.zip | ±–C | | svchost.exe.vir | | | ±–DOCUME~1 | | ±–LOCALS~1 | | | —DANEAP~1 | | | Install.dat.vir | | | | | ±–NETWOR~1 | | | —DANEAP~1 | | | Install.dat.vir | | | | | —sss | | —DANEAP~1 | | .rdr.ini.vir | | | ±–Program Files | | —MyGlobalSearch | | —bar | | ±–3.bin | | | M9FFXTBR.JAR.vir | | | M9FFXTBR.MANIFEST.vir | | | M9NTSTBR.JAR.vir | | | M9NTSTBR.MANIFEST.vir | | | M9PLUGIN.DLL.vir | | | MGSBAR.DLL.vir | | | NPMYGLSH.DLL.vir | | | | | ±–Cache | | | 007483C2.vir | | | 00748A1B.bin.vir | | | 007499EA.bin.vir | | | 00749C8A.bin.vir | | | files.ini.vir | | | | | ±–History | | | search.vir | | | | | —Settings | | prevcfg.htm.vir | | | —WINDOWS | | 764.exe.vir | | avp.exe.vir | | smgr.exe.vir | | System32RunOnce2.tm_.vir | | System32RunOnce2.t__.vir | | | —system32 | | 0_exception.nls.vir | | alt.exe.exe.vir | | driver.exe.vir | | KB18561603.exe.vir | | KB66507128.exe.vir | | ldinfo.ldr.vir | | max1d1641.exe.vir | | rpcc.exe.vir | | RunOnce2.t__.vir | | svcp.csv.vir | | winsub.xml.vir | | wmvds32.dll.vir | | xjwsgqo.dll.vir | | xpdx.sys.vir | | | —drivers | secdrv.sys.vir | —Registry_backups hklm_windowsNT_windows.reg.cf LEGACY_NDNET1.reg.cf LEGACY_RUNTIME.reg.cf services_NDnet1.reg.cf services_ntio256.reg.cf services_Runtime.reg.cf

Teraz pisze z innego kompa, bo na moim avast wykrywa cały czas jakieś wiry, jak nie trojany to robaki, które ja przerzucam do kwarantanny albo usuwam.

A propos RegCleanera to boję się z niego korzystać. Nie znam się aż tyle

Czekam na dalsze instrukcje…

P.S. Przy robieniu loga komp sam się zrestartował.

qrczak13 · 12 Czerwiec 2007 22:31

Ściągnij The Avenger,

wypakuj > uruchom > Input script manually > klikasz w lupkę > w nowo otwartym oknie wklejasz:

Files to delete: C:\yuvncha.exe C:\jwvbsck.exe C:\ptfhcti.exe C:\eeca.exe C:\kxxqqwg(3).exe C:\kxxqqwg(2).exe C:\kxxqqwg.exe C:\WINDOWS\system32\max1d1641(3).exe C:\WINDOWS\system32\max1d1641(2).exe C:\mnfltoc(3).exe C:\mnfltoc(2).exe C:\mnfltoc.exe C:\nhibp.exe C:\imyhftn.exe C:\WINDOWS\bjam.dll C:\WINDOWS\bokja.exe C:\WINDOWS\system32\ipmon.exe C:\WINDOWS\system32\wml.exe C:\WINDOWS\system32\vxddsk.exe C:\WINDOWS\cdsm32.dll C:\WINDOWS\system32\updatetc.exe C:\WINDOWS\system32\Biprep.exe C:\WINDOWS\system32\MSIXU.DLL C:\WINDOWS\flt.dll C:\WINDOWS\system32\180ax.exe C:\WINDOWS\bi.dll C:\WINDOWS\system32\msdn_lib.dll C:\WINDOWS\saiemod.dll C:\WINDOWS\pbar.dll C:\WINDOWS\2020search.dll C:\WINDOWS\7search.dll C:\WINDOWS\system32\salm.exe C:\WINDOWS\system32\WER8274.DLL C:\WINDOWS\voiceip.dll C:\WINDOWS\system32\SUSP.exe C:\WINDOWS\2020search2.dll C:\WINDOWS\system32\satmat.exe C:\WINDOWS\system32\Bi.dll C:\WINDOWS\mspphe.dll C:\WINDOWS\swin32.dll C:\WINDOWS\stcloader.exe C:\WINDOWS\mssvr.exe C:\WINDOWS\system32\gtv_sd.bin C:\WINDOWS\system32\msvcrtd.exe C:\WINDOWS\vmmreg32.exe C:\svchost2.exe C:\WINDOWS\mssadv.dll C:\WINDOWS\system32\schtasks.dll C:\WINDOWS\msscan.dll C:\WINDOWS\msiemon.dll C:\WINDOWS\msfw.dll C:\WINDOWS\msctrl.dll C:\WINDOWS\msavsc.dll Folders to delete: C:\Program Files\Microsoft Security Adviser Registry Values to delete: “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” | “Microsoft security adviser” “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” | “msctrl.exe” “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” | “msavsc.exe” “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” | “msscan.exe” “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” | “msiemon.exe” “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” | “msfw.exe” “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” | “mssadv.exe” “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” | “ipmon” “HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” | "Microsoft security adviser “HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” | “msctrl.exe” “HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” | “msavsc.exe” “HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” | “msscan.exe” “HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” | “msiemon.exe” “HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” | “msfw.exe” “HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” | “mssadv.exe”

Po wklejeniu > Done > klik na zielone światło > ok i będzie restart. Po restarcie wchodzisz gdzie masz The Avenger i wklejasz raport C:\avenger.txt

Oraz nowy log z Combo.

kaska2 · 13 Czerwiec 2007 06:33

Ponownie witam.

Małe pytanko: Czy użyć tego programu w trybie awaryjnym, czy przy normalnie włączonym systemie?

Złączono Posta : 13.06.2007 (Sro) 11:16

Zrobiłam to co napisałeś/aś w The Avenger i pojawił mi sie jakiś błąd. Wyskoczyło okienko z taką informacją;

Po naciśnięciu ok wyskoczyło następne okno z błędem itd aż do momentu kiedy program się wyłączył. Co mam teraz robić?

Złączono Posta : 13.06.2007 (Sro) 11:25

P.S. Co trochę avast wykrywa mi jakiegoś wirusa.

adam9870 · 13 Czerwiec 2007 13:46

The Avengera można użyć przy normalnie włączonym systemie. W zasadzie nie robi to różnicy, ponieważ i tak polecenia w stworzonych skryptach są wykonywane przy następnym uruchomieniu systemu jeszcze na poziomie ładowania jądra.

Proszę wkleić nowy log z ComboFix, jeśli nic nie zostało jednak usunięte, spróbujemy usunąć szkodniki w inny sposób.

kaska2 · 13 Czerwiec 2007 17:12

Nic sie nie dało zrobić, więc zainstalować od nowa windowsa.Bardzo dziękuje za pomoc w ratowaniu mojego kompa.