Caly czas trojany mam na kompie

tomek.zielony · 4 Kwiecień 2007 00:06

siemka

mam problem cały czas mi avast wykrywa trojany i rożne inne wirusy

daje log do sprawdzenia

Logfile of HijackThis v1.99.1 Scan saved at 02:03:09, on 2007-04-04 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\WINDOWS\system32\cmd.exe C:\PROGRA~1\MOZILL~1\FIREFOX.EXE C:\Documents and Settings\Tomek\Pulpit\Wylacznik.exe D:\Driver\patch\closeWHQL\TestW.exe C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe C:\PROGRA~1\ALWILS~1\Avast4\ashQuick.exe C:\Documents and Settings\Tomek\Pulpit\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM…\Run: [msvccc66] svcchosst.exe O4 - HKLM…\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM…\Run: [RemoteControl] “C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe” O4 - HKLM…\Run: [DXDllRegExe] C:\WINDOWS\System32\dxdllreg.exe O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O17 - HKLM\System\CCS\Services\Tcpip…{8E87CE1E-84BC-4DEC-82A5-6CEE659FF0F0}: NameServer = 194.204.159.1 217.98.63.164 O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

a z Silent Runners nie mogę dać loga bo jakiś błąd mi wyskakuje

Joan · 4 Kwiecień 2007 06:14

plik na czerwono ręcznie z dysku w awaryjnym, wpisy usuń w hjt

daj nowe logi hijack+silentrunners (o problemach z Silentem poczytaj tutaj -> KLIK)

tomek.zielony · 4 Kwiecień 2007 06:18

“Silent Runners.vbs”, revision R50, http://www.silentrunners.org/ Operating System: Windows XP Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “(Default)” = “(empty string)” [file not found] “msvccc66” = “svcchosst.exe” [null data] “avast!” = “C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [null data] “RemoteControl” = ““C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe”” [“Cyberlink Corp.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”] “{5E2121EE-0300-11D4-8D3B-444553540000}” = “Catalyst Context Menu extension” -> {HKLM…CLSID} = “SimpleShlExt Class” \InProcServer32(Default) = “C:\Program Files\ATI Technologies\ATI.ACE\atiacmxx.dll” [empty string] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] “{472083B0-C522-11CF-8763-00608CC02F24}” = “avast” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] “{00020D75-0000-0000-C000-000000000046}” = “Microsoft Office Outlook Desktop Icon Handler” -> {HKLM…CLSID} = “Microsoft Office Outlook” \InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL” [MS] “{0006F045-0000-0000-C000-000000000046}” = “Microsoft Office Outlook Custom Icon Handler” -> {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook” \InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL” [MS] “{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Microsoft Office\OFFICE11\msohev.dll” [MS] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <> AtiExtEvent\DLLName = “Ati2evxx.dll” [“ATI Technologies Inc.”] HKLM\Software\Classes\PROTOCOLS\Filter\ <> text/xml\CLSID = “{807553E5-5146-11D5-A672-00B0D022E945}” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL” [MS] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\WINDOWS\web\wallpaper\Idylla.bmp” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\WINDOWS\web\wallpaper\Idylla.bmp” Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ “SCRNSAVE.EXE” = “C:\WINDOWS\System32\AVASTSS.scr” [“ALWIL Software”] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Explorer Bars HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\ HKLM\Software\Classes\CLSID{01002DB2-8170-4D9B-A8B1-DDC9DD114E03}(Default) = “Volet Wanadoo” Implemented Categories{00021494-0000-0000-C000-000000000046}\ [horizontal bar] InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\audience\audience.dll” [empty string] HKLM\Software\Classes\CLSID{3BAF4A27-C764-4E1A-A6F4-62F7A7E5E51C}(Default) = “ToolBand Class” Implemented Categories{00021494-0000-0000-C000-000000000046}\ [horizontal bar] InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\audience\audience.dll” [empty string] HKLM\Software\Classes\CLSID{5BF498C0-931E-4A4F-B33F-456D07137EAA}(Default) = “Volet Wanadoo” Implemented Categories{00021494-0000-0000-C000-000000000046}\ [horizontal bar] InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\audience\audience.dll” [empty string] HKLM\Software\Classes\CLSID{FF059E31-CC5A-4E2E-BF3B-96E929D65503}(Default) = “&Badanie” Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL” [MS] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {92780B25-18CC-41C8-B9BE-3C9C571A8263}\ “ButtonText” = “Badanie” Miscellaneous IE Hijack Points ------------------------------ HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\ <> “{08C06D61-F1F3-4799-86F8-BE1A89362C85}” = (no title provided) -> {HKLM…CLSID} = “Search Class” \InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL” [empty string] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Ati HotKey Poller, Ati HotKey Poller, “C:\WINDOWS\System32\Ati2evxx.exe” [“ATI Technologies Inc.”] avast! Antivirus, avast! Antivirus, ““C:\Program Files\Alwil Software\Avast4\ashServ.exe”” [null data] avast! iAVS4 Control Service, aswUpdSv, ““C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe”” [null data] avast! Mail Scanner, avast! Mail Scanner, ““C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe” /service” [“ALWIL Software”] avast! Web Scanner, avast! Web Scanner, ““C:\Program Files\Alwil Software\Avast4\ashWebSv.exe” /service” [“ALWIL Software”] Machine Debug Manager, MDM, ““C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE”” [MS] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ Microsoft Document Imaging Writer Monitor\Driver = “mdimon.dll” [MS] ---------- <>: Suspicious data at a malware launch point. <>: Suspicious data at a browser hijack point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points, use the -supp parameter or answer “No” at the first message box and “Yes” at the second message box. ---------- (total run time: 134 seconds, including 4 seconds for message boxes)

zaras to usune

a jak przejść w tryb awaryjny><>??

Złączono Posta : 04.04.2007 (Sro) 8:31

usunąłem już to ci mi zaznaczyłeś w trybie awaryjnym

Złączono Posta : 04.04.2007 (Sro) 8:46

po usunięciu

Logfile of Trend Micro HijackThis v2.0.0 (BETA) Scan saved at 08:45:59, on 2007-04-04 Platform: Windows XP (WinNT 5.01.2600) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Documents and Settings\Tomek\Pulpit\HiJackThis_v2.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM…\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM…\Run: [RemoteControl] “C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe” O4 - HKUS\S-1-5-19…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘USŁUGA LOKALNA’) O4 - HKUS\S-1-5-20…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘USŁUGA SIECIOWA’) O4 - HKUS\S-1-5-18…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘SYSTEM’) O4 - HKUS.DEFAULT…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘Default user’) O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O17 - HKLM\System\CCS\Services\Tcpip…{8E87CE1E-84BC-4DEC-82A5-6CEE659FF0F0}: NameServer = 194.204.159.1 217.98.63.164 O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O22 - SharedTaskScheduler: Moduł wstępnego ładowania interfejsu Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll O22 - SharedTaskScheduler: Demon buforu kategorii składników - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe – End of file - 3339 bytes

Złączono Posta : 04.04.2007 (Sro) 9:24

a ja znalazłem kolejnego wirusa

Win32:Poebot-AY [Trj]

C:\System Volume Information_restore{B28C0222-D091-40F0-9C76-354A51899E89}\RP11\A0003060.exe

nie moge go usunac

adam9870 · 4 Kwiecień 2007 08:59

Jest Ok.

Rozumiem, że log z Silenta który wkleiłeś został wykonany jeszcze przed wykonaniem czynności, które radziła Joan.

tomek.zielony · 4 Kwiecień 2007 09:09

dam jeszcze raz nowe logi

a po co mam wyłączyć przywracanie systemu ??

cały czas avast mi znajduje wirusy

daje scieszke do niego

C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Temporary Internet Files\Content.IE5\7XGTAVEU\84785_sedfg[1].exe

C:\upnt.exe

Logfile of Trend Micro HijackThis v2.0.0 (BETA) Scan saved at 11:04:24, on 2007-04-04 Platform: Windows XP (WinNT 5.01.2600) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Skype\Phone\Skype.exe C:\Program Files\Skype\Plugin Manager\skypePM.exe C:\Documents and Settings\Tomek\Pulpit\HiJackThis_v2.exe C:\WINDOWS\System32\WScript.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM…\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM…\Run: [RemoteControl] “C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe” O4 - HKUS\S-1-5-19…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘USŁUGA LOKALNA’) O4 - HKUS\S-1-5-20…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘USŁUGA SIECIOWA’) O4 - HKUS\S-1-5-18…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘SYSTEM’) O4 - HKUS.DEFAULT…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘Default user’) O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O17 - HKLM\System\CCS\Services\Tcpip…{8E87CE1E-84BC-4DEC-82A5-6CEE659FF0F0}: NameServer = 194.204.159.1 217.98.63.164 O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O22 - SharedTaskScheduler: Moduł wstępnego ładowania interfejsu Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll O22 - SharedTaskScheduler: Demon buforu kategorii składników - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe – End of file - 3463 bytes

Złączono Posta : 04.04.2007 (Sro) 11:14

mnie jeszcze zastanawia ten wpis

O17 - HKLM\System\CCS\Services\Tcpip…{8E87CE1E-84BC-4DEC-82A5-6CEE659FF0F0}: NameServer = 194.204.159.1 217.98.63.164

wydaje mi sie ze jak by ktos jest połaczony z moim kompem

Złączono Posta : 04.04.2007 (Sro) 11:14

“Silent Runners.vbs”, revision R50, http://www.silentrunners.org/ Operating System: Windows XP Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “(Default)” = “(empty string)” [file not found] “avast!” = “C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [null data] “RemoteControl” = ““C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe”” [“Cyberlink Corp.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”] “{5E2121EE-0300-11D4-8D3B-444553540000}” = “Catalyst Context Menu extension” -> {HKLM…CLSID} = “SimpleShlExt Class” \InProcServer32(Default) = “C:\Program Files\ATI Technologies\ATI.ACE\atiacmxx.dll” [empty string] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] “{472083B0-C522-11CF-8763-00608CC02F24}” = “avast” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] “{00020D75-0000-0000-C000-000000000046}” = “Microsoft Office Outlook Desktop Icon Handler” -> {HKLM…CLSID} = “Microsoft Office Outlook” \InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL” [MS] “{0006F045-0000-0000-C000-000000000046}” = “Microsoft Office Outlook Custom Icon Handler” -> {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook” \InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL” [MS] “{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Microsoft Office\OFFICE11\msohev.dll” [MS] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <> AtiExtEvent\DLLName = “Ati2evxx.dll” [“ATI Technologies Inc.”] HKLM\Software\Classes\PROTOCOLS\Filter\ <> text/xml\CLSID = “{807553E5-5146-11D5-A672-00B0D022E945}” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL” [MS] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\WINDOWS\web\wallpaper\Idylla.bmp” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\WINDOWS\web\wallpaper\Idylla.bmp” Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ “SCRNSAVE.EXE” = “C:\WINDOWS\System32\AVASTSS.scr” [“ALWIL Software”] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Explorer Bars HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\ HKLM\Software\Classes\CLSID{01002DB2-8170-4D9B-A8B1-DDC9DD114E03}(Default) = “Volet Wanadoo” Implemented Categories{00021494-0000-0000-C000-000000000046}\ [horizontal bar] InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\audience\audience.dll” [empty string] HKLM\Software\Classes\CLSID{3BAF4A27-C764-4E1A-A6F4-62F7A7E5E51C}(Default) = “ToolBand Class” Implemented Categories{00021494-0000-0000-C000-000000000046}\ [horizontal bar] InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\audience\audience.dll” [empty string] HKLM\Software\Classes\CLSID{5BF498C0-931E-4A4F-B33F-456D07137EAA}(Default) = “Volet Wanadoo” Implemented Categories{00021494-0000-0000-C000-000000000046}\ [horizontal bar] InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\audience\audience.dll” [empty string] HKLM\Software\Classes\CLSID{FF059E31-CC5A-4E2E-BF3B-96E929D65503}(Default) = “&Badanie” Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL” [MS] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {92780B25-18CC-41C8-B9BE-3C9C571A8263}\ “ButtonText” = “Badanie” Miscellaneous IE Hijack Points ------------------------------ HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\ <> “{08C06D61-F1F3-4799-86F8-BE1A89362C85}” = (no title provided) -> {HKLM…CLSID} = “Search Class” \InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL” [empty string] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Ati HotKey Poller, Ati HotKey Poller, “C:\WINDOWS\System32\Ati2evxx.exe” [“ATI Technologies Inc.”] avast! Antivirus, avast! Antivirus, ““C:\Program Files\Alwil Software\Avast4\ashServ.exe”” [null data] avast! iAVS4 Control Service, aswUpdSv, ““C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe”” [null data] avast! Mail Scanner, avast! Mail Scanner, ““C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe” /service” [“ALWIL Software”] avast! Web Scanner, avast! Web Scanner, ““C:\Program Files\Alwil Software\Avast4\ashWebSv.exe” /service” [“ALWIL Software”] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ Microsoft Document Imaging Writer Monitor\Driver = “mdimon.dll” [MS] ---------- <>: Suspicious data at a malware launch point. <>: Suspicious data at a browser hijack point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 41 seconds. ---------- (total run time: 261 seconds)

adam9870 · 4 Kwiecień 2007 09:25

Logi są Ok.

Po to aby folder System Volume Information, w którym został znaleziony szkodnik opróżnił się. W folderze System Volume Information są przechowywane punkty przywracania systemu, a wyłączenie przywracania powoduje jego wyczyszczenie, a co za tym idzie - usunięcie zarażonego pliku.

Użyj programu ATF Cleaner i przeczyść TEMP’y.

Spróbuj usunąć ten plik ręcznie, a następnie wklej log z ComboFix.

tomek.zielony · 4 Kwiecień 2007 09:35

to taki log miał byc ??

ComboFix 07-04-04.5 - Running from: “C:\Program Files\Mozilla Firefox” ((((((((((((((((((((((((((((((( Files Created from 2007-03-04 to 2007-04-04 )))))))))))))))))))))))))))))))))) 2007-04-04 02:12 2007-04-03 23:03 2007-04-03 23:02 2007-04-03 23:01 83,968 --a------ C:\WINDOWS\system32\drivers\nabtsfec.sys 2007-04-03 23:01 52,096 --a------ C:\WINDOWS\system32\drivers\msdv.sys 2007-04-03 23:01 47,104 --a------ C:\WINDOWS\system32\wstdecod.dll 2007-04-03 23:01 354,816 --a------ C:\WINDOWS\system32\psisdecd.dll 2007-04-03 23:01 18,688 --a------ C:\WINDOWS\system32\drivers\wstcodec.sys 2007-04-03 23:01 16,896 --a------ C:\WINDOWS\system32\msyuv.dll 2007-04-03 23:01 16,384 --a------ C:\WINDOWS\system32\drivers\ccdecode.sys 2007-04-03 23:01 15,104 --a------ C:\WINDOWS\system32\drivers\mpe.sys 2007-04-03 23:01 14,976 --a------ C:\WINDOWS\system32\drivers\streamip.sys 2007-04-03 23:01 11,392 --a------ C:\WINDOWS\system32\drivers\bdasup.sys 2007-04-03 23:01 10,880 --a------ C:\WINDOWS\system32\drivers\slip.sys 2007-04-03 23:01 10,112 --a------ C:\WINDOWS\system32\drivers\ndisip.sys 2007-04-03 23:01 1,230,336 --a------ C:\WINDOWS\system32\msvidctl.dll 2007-04-03 23:00 2007-04-03 23:00 2007-04-03 22:58 2007-04-03 22:55 2007-04-03 21:52 2007-04-03 21:49 2007-04-03 21:38 2007-04-03 21:38 2007-04-03 21:29 2007-04-03 21:29 2007-04-03 18:05 17,920 --a------ C:\WINDOWS\system32\mdimon.dll 2007-04-03 18:00 2007-04-03 18:00 2007-04-03 17:59 2007-04-03 17:57 90,112 --a------ C:\WINDOWS\system32\AVASTSS.scr 2007-04-03 17:56 2007-04-03 17:53 94,424 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys 2007-04-03 17:53 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys 2007-04-03 17:53 689,280 --a------ C:\WINDOWS\system32\aswBoot.exe 2007-04-03 17:53 43,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys 2007-04-03 17:53 31,560 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys 2007-04-03 17:53 23,352 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys 2007-04-03 17:46 63,529 --a------ C:\WINDOWS\system32\dload.exe 2007-04-03 17:28 499,712 --a------ C:\WINDOWS\system32\MSVCP71.dll 2007-04-03 17:28 2007-04-03 17:26 79,616 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys 2007-04-03 17:26 57,472 --a------ C:\WINDOWS\system32\drivers\sysaudio.sys 2007-04-03 17:26 54,272 --a------ C:\WINDOWS\system32\drivers\swmidi.sys 2007-04-03 17:26 50,048 --a------ C:\WINDOWS\system32\drivers\DMusic.sys 2007-04-03 17:26 5,632 --a------ C:\WINDOWS\system32\drivers\splitter.sys 2007-04-03 17:26 2,816 --a------ C:\WINDOWS\system32\drivers\drmkaud.sys 2007-04-03 17:26 159,232 --a------ C:\WINDOWS\system32\drivers\kmixer.sys 2007-04-03 17:26 122,472 --a------ C:\WINDOWS\system32\drivers\aec.sys 2007-04-03 17:25 57,344 --a------ C:\WINDOWS\system32\drivers\drmk.sys 2007-04-03 17:25 135,040 --a------ C:\WINDOWS\system32\drivers\portcls.sys 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:19 765,952 --a------ C:\WINDOWS\system\crlds3d.dll 2007-04-03 17:19 65,536 --a------ C:\WINDOWS\system32\Audio3D.dll 2007-04-03 17:19 65,536 --a------ C:\WINDOWS\system32\a3d.dll 2007-04-03 17:19 65,024 --a------ C:\WINDOWS\SOUNDMAN.EXE 2007-04-03 17:19 611,441 --a------ C:\WINDOWS\system32\drivers\ALCXWDM.SYS 2007-04-03 17:19 5,867,008 --a------ C:\WINDOWS\system32\RTLCPL.EXE 2007-04-03 17:19 391,424 --a------ C:\WINDOWS\system32\drivers\ALCXSENS.SYS 2007-04-03 17:19 208,896 --------- C:\WINDOWS\alcupd.exe 2007-04-03 17:19 155,648 --a------ C:\WINDOWS\system32\RTLCPAPI.dll 2007-04-03 17:19 139,264 --------- C:\WINDOWS\alcrmv.exe 2007-04-03 17:19 1,032 --------- C:\WINDOWS\system32\drivers\alcxinit.dat 2007-04-03 17:19 2007-04-03 17:19 2007-04-03 17:19 2007-04-03 17:17 3,000 -ra------ C:\WINDOWS\system32\SetupNT.sys 2007-04-03 17:17 2007-04-03 17:17 2007-04-03 17:17 2007-04-03 17:17 2007-04-03 17:13 2007-04-03 16:43 2007-04-03 16:43 2007-04-03 16:40 2007-04-03 16:36 4,313 --a------ C:\WINDOWS\mozver.dat 2007-04-03 16:31 57,088 --a------ C:\WINDOWS\system32\drivers\redbook.sys 2007-04-03 16:31 3,072 --a------ C:\WINDOWS\system32\drivers\audstub.sys 2007-04-03 16:30 70,144 --a------ C:\WINDOWS\system32\usbui.dll 2007-04-03 16:30 23,070 --a------ C:\WINDOWS\system32\drivers\RTL8139.sys 2007-04-03 16:29 9,936 --a------ C:\WINDOWS\system\LZEXPAND.DLL 2007-04-03 16:29 9,168 --a------ C:\WINDOWS\system\VER.DLL 2007-04-03 16:29 85,532 --a------ C:\WINDOWS\system32\dgsetup.dll 2007-04-03 16:29 83,456 --a------ C:\WINDOWS\system\OLECLI.DLL 2007-04-03 16:29 8,192 -ra------ C:\WINDOWS\system32\kbdhept.dll 2007-04-03 16:29 71,680 --a------ C:\WINDOWS\system32\storprop.dll 2007-04-03 16:29 70,096 --a------ C:\WINDOWS\system\AVICAP.DLL 2007-04-03 16:29 7,168 --a------ C:\WINDOWS\system32\kbdcz.dll 2007-04-03 16:29 69,712 --a------ C:\WINDOWS\system\MMSYSTEM.DLL 2007-04-03 16:29 67,072 --a------ C:\WINDOWS\NOTEPAD.EXE 2007-04-03 16:29 6,656 -ra------ C:\WINDOWS\system32\kbdhela3.dll 2007-04-03 16:29 6,656 --a------ C:\WINDOWS\system32\kbdycl.dll 2007-04-03 16:29 6,656 --a------ C:\WINDOWS\system32\kbdsl1.dll 2007-04-03 16:29 6,656 --a------ C:\WINDOWS\system32\kbdsl.dll 2007-04-03 16:29 6,656 --a------ C:\WINDOWS\system32\kbdhu.dll 2007-04-03 16:29 6,656 --a------ C:\WINDOWS\system32\kbdcz2.dll 2007-04-03 16:29 6,656 --a------ C:\WINDOWS\system32\kbdcz1.dll 2007-04-03 16:29 6,656 --a------ C:\WINDOWS\system32\kbdcr.dll 2007-04-03 16:29 6,656 --a------ C:\WINDOWS\system32\KBDAL.DLL 2007-04-03 16:29 6,656 --a------ C:\WINDOWS\system32\batt.dll 2007-04-03 16:29 6,144 -ra------ C:\WINDOWS\system32\kbdtuq.dll 2007-04-03 16:29 6,144 -ra------ C:\WINDOWS\system32\kbdtuf.dll 2007-04-03 16:29 6,144 -ra------ C:\WINDOWS\system32\kbdlv1.dll 2007-04-03 16:29 6,144 -ra------ C:\WINDOWS\system32\kbdlv.dll 2007-04-03 16:29 6,144 -ra------ C:\WINDOWS\system32\kbdhela2.dll 2007-04-03 16:29 6,144 -ra------ C:\WINDOWS\system32\kbdgkl.dll 2007-04-03 16:29 6,144 -ra------ C:\WINDOWS\system32\kbdest.dll 2007-04-03 16:29 5,632 -ra------ C:\WINDOWS\system32\kbdmon.dll 2007-04-03 16:29 5,632 -ra------ C:\WINDOWS\system32\kbdlt1.dll 2007-04-03 16:29 5,632 -ra------ C:\WINDOWS\system32\kbdlt.dll 2007-04-03 16:29 5,632 -ra------ C:\WINDOWS\system32\kbdkyr.dll 2007-04-03 16:29 5,632 -ra------ C:\WINDOWS\system32\kbdhe319.dll 2007-04-03 16:29 5,632 -ra------ C:\WINDOWS\system32\kbdhe220.dll 2007-04-03 16:29 5,632 -ra------ C:\WINDOWS\system32\kbdhe.dll 2007-04-03 16:29 5,632 -ra------ C:\WINDOWS\system32\kbdazel.dll 2007-04-03 16:29 5,632 --a------ C:\WINDOWS\system32\kbdro.dll 2007-04-03 16:29 5,632 --a------ C:\WINDOWS\system32\kbdhu1.dll 2007-04-03 16:29 5,120 --a------ C:\WINDOWS\system\SHELL.DLL 2007-04-03 16:29 33,376 --a------ C:\WINDOWS\system\COMMDLG.DLL 2007-04-03 16:29 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll 2007-04-03 16:29 24,064 --a------ C:\WINDOWS\system\OLESVR.DLL 2007-04-03 16:29 19,200 --a------ C:\WINDOWS\system\TAPI.DLL 2007-04-03 16:29 176,157 --a------ C:\WINDOWS\system32\dgrpsetu.dll 2007-04-03 16:29 15,360 --a------ C:\WINDOWS\TASKMAN.EXE 2007-04-03 16:29 13,312 --a------ C:\WINDOWS\system32\irclass.dll 2007-04-03 16:29 127,008 --a------ C:\WINDOWS\system\MSVIDEO.DLL 2007-04-03 16:29 109,488 --a------ C:\WINDOWS\system\AVIFILE.DLL 2007-04-03 16:29 103,424 --a------ C:\WINDOWS\system32\EqnClass.Dll 2007-04-03 16:29 10,496 --a------ C:\WINDOWS\system32\drivers\irenum.sys 2007-04-03 16:29 2007-04-03 16:29 2007-04-03 16:29 2007-04-03 16:29 2007-04-03 16:29 2007-04-03 16:29 2007-04-03 16:29 2007-04-03 16:29 2007-04-03 16:29 2007-04-03 16:29 2007-04-03 16:29 2007-04-03 16:29 2007-04-03 16:29 2007-04-03 16:29 2007-04-03 16:29 2007-04-03 16:29 2007-04-03 16:28 2007-04-03 16:28 2007-04-03 16:27 2007-04-03 16:17 2007-04-03 16:17 2007-04-03 16:10 41,068 --------- C:\WINDOWS\system32\ActPanel.dll 2007-04-03 16:10 32,768 --a------ C:\WINDOWS\system32\WooDial2000.dll 2007-04-03 16:10 2007-04-03 16:10 2007-04-03 16:09 2007-04-03 16:09 2007-04-03 16:06 65,001 --a------ C:\WINDOWS\system32\clockz.exe 2007-04-03 16:06 2007-04-03 16:05 2007-04-03 15:59 0 --a------ C:\WINDOWS\nsreg.dat 2007-04-03 15:56 64,000 --a------ C:\WINDOWS\system32\drivers\e4ldr.sys 2007-04-03 15:56 50,007 --a------ C:\WINDOWS\system32\drivers\adildr.sys 2007-04-03 15:56 46,892 --a------ C:\WINDOWS\system32\ADADIX16.DLL 2007-04-03 15:56 4,981 --a------ C:\WINDOWS\system32\ADADIX2K.DLL 2007-04-03 15:56 24,576 --a------ C:\WINDOWS\enddisk32.exe 2007-04-03 15:56 22,395 --a------ C:\WINDOWS\system32\drivers\fpga.bin 2007-04-03 15:56 176,128 --a------ C:\WINDOWS\autoclk.exe 2007-04-03 15:56 155,648 --a------ C:\WINDOWS\system32\adadix32.dll 2007-04-03 15:56 152,220 -r------- C:\WINDOWS\system32\drivers\L1E4I2.BIN 2007-04-03 15:56 152,220 -r------- C:\WINDOWS\system32\drivers\L1E4I1.BIN 2007-04-03 15:56 152,220 -r------- C:\WINDOWS\system32\drivers\L1E4I0.BIN 2007-04-03 15:56 152,132 -r------- C:\WINDOWS\system32\drivers\L1E4P2.BIN 2007-04-03 15:56 152,132 -r------- C:\WINDOWS\system32\drivers\L1E4P1.BIN 2007-04-03 15:56 152,132 -r------- C:\WINDOWS\system32\drivers\L1E4P0.BIN 2007-04-03 15:56 152,126 --a------ C:\WINDOWS\system32\drivers\L1E9P2.BIN 2007-04-03 15:56 152,126 --a------ C:\WINDOWS\system32\drivers\L1E9P1.BIN 2007-04-03 15:56 152,126 --a------ C:\WINDOWS\system32\drivers\L1E9P0.BIN 2007-04-03 15:56 152,126 --a------ C:\WINDOWS\system32\drivers\L1E9I2.BIN 2007-04-03 15:56 152,126 --a------ C:\WINDOWS\system32\drivers\L1E9I1.BIN 2007-04-03 15:56 152,126 --a------ C:\WINDOWS\system32\drivers\L1E9I0.BIN 2007-04-03 15:56 152,036 --a------ C:\WINDOWS\system32\drivers\L1E4D2.BIN 2007-04-03 15:56 152,034 --a------ C:\WINDOWS\system32\drivers\L1E4D1.BIN 2007-04-03 15:56 152,034 --a------ C:\WINDOWS\system32\drivers\L1E4D0.BIN 2007-04-03 15:56 143,360 --a------ C:\WINDOWS\adiras.exe 2007-04-03 15:56 135,168 --a------ C:\WINDOWS\system32\unaddrv.exe 2007-04-03 15:56 127,456 --a------ C:\WINDOWS\system32\IPDETECT.EXE 2007-04-03 15:56 126,976 --a------ C:\WINDOWS\system32\coclassfast.dll 2007-04-03 15:56 126,489 --a------ C:\WINDOWS\system32\drivers\adiusbaw.sys 2007-04-03 15:56 116,992 --a------ C:\WINDOWS\system32\drivers\e4usbaw.sys 2007-04-03 15:56 2007-04-03 15:53 787,456 --a------ C:\WINDOWS\system32\drivers\ati2mtag.sys 2007-04-03 15:53 294,912 -ra------ C:\WINDOWS\system32\atiiiexx.dll 2007-04-03 15:53 151,552 -ra------ C:\WINDOWS\system32\ATIDEMGR.dll 2007-04-03 15:50 2007-04-03 15:49 516,096 --------- C:\WINDOWS\system32\ati2sgag.exe 2007-04-03 15:48 2007-04-03 15:48 2007-04-03 15:48 2007-04-03 15:48 2007-04-03 15:48 2007-04-03 15:47 23,040 -ra------ C:\WINDOWS\system32\drivers\GVCplDrv.sys 2007-04-03 15:45 2007-04-03 15:43 1,048,576 --ah----- C:\DOCUME~1\Tomek\NTUSER.DAT 2007-04-03 15:43 2007-04-03 15:43 2007-04-03 15:43 2007-04-03 15:43 2007-04-03 15:43 2007-04-03 15:43 2007-04-03 15:43 2007-04-03 15:43 2007-04-03 15:41 237,568 --ah----- C:\DOCUME~1\NETWOR~1\NTUSER.DAT 2007-04-03 15:41 237,568 --ah----- C:\DOCUME~1\LOCALS~1\NTUSER.DAT 2007-04-03 15:41 2007-04-03 15:41 2007-04-03 15:41 2007-04-03 15:41 2007-04-03 15:41 2007-04-03 15:41 2007-04-03 15:39 2007-04-03 15:39 2007-04-03 15:38 237,568 —h----- C:\DOCUME~1\DEFAUL~1\NTUSER.DAT 2007-04-03 15:38 112,128 --a------ C:\WINDOWS\system32\mapi32.dll 2007-04-03 15:38 0 -rahs---- C:\MSDOS.SYS 2007-04-03 15:38 0 -rahs---- C:\IO.SYS 2007-04-03 15:38 0 --a------ C:\CONFIG.SYS 2007-04-03 15:38 0 --a------ C:\AUTOEXEC.BAT 2007-04-03 15:38 2007-04-03 15:38 2007-04-03 15:38 2007-04-03 15:37 40,960 --a------ C:\WINDOWS\system32\safrslv.dll 2007-04-03 15:37 39,424 --a------ C:\WINDOWS\system32\safrcdlg.dll 2007-04-03 15:37 33,792 --a------ C:\WINDOWS\system32\racpldlg.dll 2007-04-03 15:37 26,624 --a------ C:\WINDOWS\system32\safrdm.dll 2007-04-03 15:37 179,200 --a------ C:\WINDOWS\system32\qmgr.dll 2007-04-03 15:37 17,408 --a------ C:\WINDOWS\system32\qmgrprxy.dll 2007-04-03 15:37 11,264 --a------ C:\WINDOWS\system32\atrace.dll 2007-04-03 15:37 2007-04-03 15:37 2007-04-03 15:37 2007-04-03 15:37 2007-04-03 15:36 90,624 --a------ C:\WINDOWS\system32\msoert2.dll 2007-04-03 15:36 9,728 --a------ C:\WINDOWS\system32\mstinit.exe 2007-04-03 15:36 81,920 --a------ C:\WINDOWS\system32\isign32.dll 2007-04-03 15:36 73,728 --a------ C:\WINDOWS\system32\ils.dll 2007-04-03 15:36 70,400 --a------ C:\WINDOWS\system32\drivers\sr.sys 2007-04-03 15:36 69,632 --a------ C:\WINDOWS\system32\icwdial.dll 2007-04-03 15:36 67,584 --a------ C:\WINDOWS\system32\acctres.dll 2007-04-03 15:36 65,536 --a------ C:\WINDOWS\system32\msconf.dll 2007-04-03 15:36 61,952 --a------ C:\WINDOWS\system32\srclient.dll 2007-04-03 15:36 61,440 --a------ C:\WINDOWS\system32\icwphbk.dll 2007-04-03 15:36 593,920 --a------ C:\WINDOWS\system32\inetcomm.dll 2007-04-03 15:36 49,152 --a------ C:\WINDOWS\system32\inetres.dll 2007-04-03 15:36 32,768 --a------ C:\WINDOWS\system32\mnmsrvc.exe 2007-04-03 15:36 32,384 --a------ C:\WINDOWS\system32\mnmdd.dll 2007-04-03 15:36 28,672 --a------ C:\WINDOWS\system32\isrdbg32.dll 2007-04-03 15:36 270,336 --a------ C:\WINDOWS\system32\inetcfg.dll 2007-04-03 15:36 253,440 --a------ C:\WINDOWS\system32\mstask.dll 2007-04-03 15:36 24,576 --a------ C:\WINDOWS\system32\nmmkcert.dll 2007-04-03 15:36 228,864 --a------ C:\WINDOWS\system32\msoeacct.dll 2007-04-03 15:36 219,136 --a------ C:\WINDOWS\system32\srrstr.dll 2007-04-03 15:36 21,856 --a------ C:\WINDOWS\system32\emptyregdb.dat 2007-04-03 15:36 16,384 --a------ C:\WINDOWS\system32\icfgnt5.dll 2007-04-03 15:36 159,744 --a------ C:\WINDOWS\system32\schedsvc.dll 2007-04-03 15:36 155,648 --a------ C:\WINDOWS\system32\srsvc.dll 2007-04-03 15:36 12,288 --a------ C:\WINDOWS\system32\nmevtmsg.dll 2007-04-03 15:36 2007-04-03 15:36 2007-04-03 15:36 2007-04-03 15:36 2007-04-03 15:36 2007-04-03 15:35 99,328 --a------ C:\WINDOWS\system32\clipbrd.exe 2007-04-03 15:35 95,744 --a------ C:\WINDOWS\system32\wuaueng.dll 2007-04-03 15:35 9,728 --a------ C:\WINDOWS\system32\xolehlp.dll 2007-04-03 15:35 9,728 --a------ C:\WINDOWS\system32\reset.exe 2007-04-03 15:35 89,600 --a------ C:\WINDOWS\system32\tscfgwmi.dll 2007-04-03 15:35 869,376 --a------ C:\WINDOWS\system32\msdtctm.dll 2007-04-03 15:35 85,504 --a------ C:\WINDOWS\system32\catsrvps.dll 2007-04-03 15:35 83,968 --a------ C:\WINDOWS\system32\mtxoci.dll 2007-04-03 15:35 82,432 --a------ C:\WINDOWS\system32\comrepl.dll 2007-04-03 15:35 80,896 --a------ C:\WINDOWS\system32\charmap.exe 2007-04-03 15:35 8,704 --a------ C:\WINDOWS\system32\icaapi.dll 2007-04-03 15:35 73,864 --a------ C:\WINDOWS\system32\rdpwsx.dll 2007-04-03 15:35 73,216 --a------ C:\WINDOWS\system32\avwav.dll 2007-04-03 15:35 61,952 --a------ C:\WINDOWS\system32\rdshost.exe 2007-04-03 15:35 605,696 --a------ C:\WINDOWS\system32\getuname.dll 2007-04-03 15:35 6,144 --a------ C:\WINDOWS\system32\msdtc.exe 2007-04-03 15:35 583,168 --a------ C:\WINDOWS\system32\catsrvut.dll 2007-04-03 15:35 57,344 --a------ C:\WINDOWS\system32\sol.exe 2007-04-03 15:35 57,344 --a------ C:\WINDOWS\system32\licwmi.dll 2007-04-03 15:35 56,832 --a------ C:\WINDOWS\system32\remotepg.dll 2007-04-03 15:35 56,832 --a------ C:\WINDOWS\system32\colbact.dll 2007-04-03 15:35 55,808 --a------ C:\WINDOWS\system32\freecell.exe 2007-04-03 15:35 54,784 --a------ C:\WINDOWS\system32\msdtclog.dll 2007-04-03 15:35 54,272 --a------ C:\WINDOWS\system32\stclient.dll 2007-04-03 15:35 534,016 --a------ C:\WINDOWS\system32\spider.exe 2007-04-03 15:35 53,248 --a------ C:\WINDOWS\system32\servdeps.dll 2007-04-03 15:35 503,296 --a------ C:\WINDOWS\system32\mstscax.dll 2007-04-03 15:35 5,632 --a------ C:\WINDOWS\system32\write.exe 2007-04-03 15:35 5,120 --a------ C:\WINDOWS\system32\dcomcnfg.exe 2007-04-03 15:35 495,616 --a------ C:\WINDOWS\system32\comuid.dll 2007-04-03 15:35 494,592 --a------ C:\WINDOWS\system32\hypertrm.dll 2007-04-03 15:35 468,480 --a------ C:\WINDOWS\system32\clbcatq.dll 2007-04-03 15:35 44,544 --a------ C:\WINDOWS\system32\hticons.dll 2007-04-03 15:35 41,984 --a------ C:\WINDOWS\system32\rdpclip.exe 2007-04-03 15:35 40,448 --a------ C:\WINDOWS\system32\tscupgrd.exe 2007-04-03 15:35 4,608 --a------ C:\WINDOWS\system32\rdpcfgex.dll 2007-04-03 15:35 4,096 --a------ C:\WINDOWS\system32\wuauserv.dll 2007-04-03 15:35 4,096 --a------ C:\WINDOWS\system32\mtxex.dll 2007-04-03 15:35 387,072 --a------ C:\WINDOWS\system32\mstsc.exe 2007-04-03 15:35 37,896 --a------ C:\WINDOWS\system32\drivers\termdd.sys 2007-04-03 15:35 360,960 --a------ C:\WINDOWS\system32\msdtcprx.dll 2007-04-03 15:35 35,328 --a------ C:\WINDOWS\system32\winchat.exe 2007-04-03 15:35 342,016 --a------ C:\WINDOWS\system32\mspaint.exe 2007-04-03 15:35 33,792 --a------ C:\WINDOWS\system32\regini.exe 2007-04-03 15:35 32,768 --a------ C:\WINDOWS\system32\cfgbkend.dll 2007-04-03 15:35 25,600 --a------ C:\WINDOWS\system32\comaddin.dll 2007-04-03 15:35 25,088 --a------ C:\WINDOWS\system32\mtxlegih.dll 2007-04-03 15:35 231,424 --a------ C:\WINDOWS\system32\avtapi.dll 2007-04-03 15:35 22,528 --a------ C:\WINDOWS\system32\qwinsta.exe 2007-04-03 15:35 22,528 --a------ C:\WINDOWS\system32\msg.exe 2007-04-03 15:35 215,040 --a------ C:\WINDOWS\system32\catsrv.dll 2007-04-03 15:35 20,480 --a------ C:\WINDOWS\system32\mtxdm.dll 2007-04-03 15:35 20,232 --a------ C:\WINDOWS\system32\drivers\tdtcp.sys 2007-04-03 15:35 198,656 --a------ C:\WINDOWS\system32\termsrv.dll 2007-04-03 15:35 19,456 --a------ C:\WINDOWS\system32\qprocess.exe 2007-04-03 15:35 183,296 --a------ C:\WINDOWS\system32\accwiz.exe 2007-04-03 15:35 181,632 --a------ C:\WINDOWS\system32\drivers\rdpdr.sys 2007-04-03 15:35 177,152 --a------ C:\WINDOWS\system32\cmprops.dll 2007-04-03 15:35 17,920 --a------ C:\WINDOWS\system32\tsshutdn.exe 2007-04-03 15:35 17,408 --a------ C:\WINDOWS\system32\qappsrv.exe 2007-04-03 15:35 16,896 --a------ C:\WINDOWS\system32\mmfutil.dll 2007-04-03 15:35 16,384 --a------ C:\WINDOWS\system32\tskill.exe 2007-04-03 15:35 16,384 --a------ C:\WINDOWS\system32\rwinsta.exe 2007-04-03 15:35 16,384 --a------ C:\WINDOWS\system32\avmeter.dll 2007-04-03 15:35 151,040 --a------ C:\WINDOWS\system32\msdtcuiu.dll 2007-04-03 15:35 15,872 --a------ C:\WINDOWS\system32\logoff.exe 2007-04-03 15:35 15,872 --a------ C:\WINDOWS\system32\cdmodem.dll 2007-04-03 15:35 15,360 --a------ C:\WINDOWS\system32\tsdiscon.exe 2007-04-03 15:35 15,360 --a------ C:\WINDOWS\system32\tscon.exe 2007-04-03 15:35 15,360 --a------ C:\WINDOWS\system32\shadow.exe 2007-04-03 15:35 147,456 --a------ C:\WINDOWS\system32\comsnap.dll 2007-04-03 15:35 14,848 --a------ C:\WINDOWS\system32\rdpsnd.dll 2007-04-03 15:35 139,264 --a------ C:\WINDOWS\system32\sndvol32.exe 2007-04-03 15:35 134,656 --a------ C:\WINDOWS\system32\rdchost.dll 2007-04-03 15:35 131,072 --a------ C:\WINDOWS\system32\sessmgr.exe 2007-04-03 15:35 128,000 --a------ C:\WINDOWS\system32\mshearts.exe 2007-04-03 15:35 125,440 --a------ C:\WINDOWS\system32\sndrec32.exe 2007-04-03 15:35 12,288 --a------ C:\WINDOWS\system32\rdsaddin.exe 2007-04-03 15:35 119,808 --a------ C:\WINDOWS\system32\winmine.exe 2007-04-03 15:35 118,272 --a------ C:\WINDOWS\system32\mplay32.exe 2007-04-03 15:35 115,200 --a------ C:\WINDOWS\system32\calc.exe 2007-04-03 15:35 113,664 --a------ C:\WINDOWS\system32\wuauclt.exe 2007-04-03 15:35 11,144 --a------ C:\WINDOWS\system32\drivers\tdpipe.sys 2007-04-03 15:35 107,912 --a------ C:\WINDOWS\system32\drivers\rdpwd.sys 2007-04-03 15:35 100,864 --a------ C:\WINDOWS\system32\clbcatex.dll 2007-04-03 15:35 1,225 --a------ C:\WINDOWS\system32\usrlogon.cmd 2007-04-03 15:35 1,139,200 --a------ C:\WINDOWS\system32\comsvcs.dll 2007-04-03 15:35 2007-04-03 15:35 2007-04-03 15:35 2007-04-03 15:35 2007-04-03 15:35 2007-04-03 15:35 (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-04-03 16:29 62 --ahs---- C:\DOCUME~1\Tomek\DANEAP~1\desktop.ini 2007-04-03 16:14 67078 --a------ C:\WINDOWS\system32\perfc015.dat 2007-04-03 16:14 435978 --a------ C:\WINDOWS\system32\perfh015.dat 2007-04-03 15:37 -------- d-------- C:\Program Files\usugi online (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run] @="" “avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” “RemoteControl”="“C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe”" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL] “Installed”=“1” [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI] “Installed”=“1” “NoChange”=“1” [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS] “Installed”=“1” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^ATI CATALYST System Tray.lnk] “path”=“C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\ATI CATALYST System Tray.lnk” “backup”=“C:\WINDOWS\pss\ATI CATALYST System Tray.lnkCommon Startup” “location”=“Common Startup” “command”=“C:\PROGRA~1\ATITEC~1\ATI.ACE\CLI.exe SystemTray” “item”=“ATI CATALYST System Tray” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^DSLMON.lnk] “path”=“C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\DSLMON.lnk” “backup”=“C:\WINDOWS\pss\DSLMON.lnkCommon Startup” “location”=“Common Startup” “command”=“C:\PROGRA~1\SAGEM\SAGEMF~1\dslmon.exe " “item”=“DSLMON” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced DHTML Enable] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“fofanclm” “hkey”=“HKLM” “command”=“C:\WINDOWS\System32\fofanclm.exe” “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“cli” “hkey”=“HKLM” “command”=”“C:\Program Files\ATI Technologies\ATI.ACE\cli.exe” runtime" “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“atiptaxx” “hkey”=“HKLM” “command”=“C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe” “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Client Server Runtime Process] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“csrs” “hkey”=“HKLM” “command”=“C:\WINDOWS\System32\csrs.exe” “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Internet Explorer] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“iexplore” “hkey”=“HKLM” “command”=“C:\WINDOWS\System32\iexplore.exe” “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msvccc66] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“svcchosst” “hkey”=“HKLM” “command”=“svcchosst.exe” “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“SOUNDMAN” “hkey”=“HKLM” “command”=“SOUNDMAN.EXE” “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WooCnxMon] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“CnxMon” “hkey”=“HKLM” “command”=“C:\PROGRA~1\NEOSTR~1\CnxMon.exe” “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WOOTASKBARICON] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“TaskbarIcon” “hkey”=“HKLM” “command”=“C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe” “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WOOWATCH] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“Watch” “hkey”=“HKLM” “command”=“C:\PROGRA~1\NEOSTR~1\Watch.exe” “inimapping”=“0” [HKEY_USERS.default\software\microsoft\windows\currentversion\run] @="" “ATICCC”="“C:\Program Files\ATI Technologies\ATI.ACE\cli.exe” runtime" [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders] “SecurityProviders”=“msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll” HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa Authentication Packages REG_MULTI_SZ msv1_0\0\0 Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0 Notification Packages REG_MULTI_SZ scecli\0\0 [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost] LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0 NetworkService REG_MULTI_SZ DnsCache\0\0 rpcss REG_MULTI_SZ RpcSs\0\0 imgsvc REG_MULTI_SZ StiSvc\0\0 termsvcs REG_MULTI_SZ TermService\0\0 ******************************************************************** catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006 http://www.gmer.net scanning hidden processes … scanning hidden services … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 ******************************************************************** Completion time: 07-04-04 11:35:39 C:\ComboFix-quarantined-files.txt … 07-04-04 11:35

adam9870 · 4 Kwiecień 2007 10:37

Ściągasz program KillBox, zaznaczasz Delete on reboot , w polu full path of file wklej ścieżki:

C:\WINDOWS\system32\dload.exe

C:\WINDOWS\System32\fofanclm.exe

C:\WINDOWS\System32\csrs.exe

Po wklejeniu każdej ścieżki z osobna klikasz na czerwonego iksa, ale dopiero po wklejeniu ostatniej zgadzasz się na restart. Jeśli po wklejeniu którejś ze ścieżek pokaże się jakiś błąd, nie przejmuj się nim tylko przejdź do wykonywania dalszych czynności.

Otwórz Notatnik i wklej w nim to:

Plik >>> Zapisz jako >>> Zmień rozszerzenie z TXT na Wszystkie pliki >>> Zapisz pod nazwą FIX.REG >>> kliknij dwa razy na utworzony plik FIX.REG i potwierdź dodanie do rejestru >>> restart.

Proponuję usunąć SopCast ponieważ być może jest on nośnikiem infekcji. Poczytaj:

http://www.searchengines.pl/phpbb203/in … opic=86584

Po wykonaniu pokaż nowy log z Combo.

tomek.zielony · 4 Kwiecień 2007 11:07

dobra

zrobiłem wszystko tak jak mi napisałeś

a avast nadal mi wywala wirusy

daj link do tego Combo. bo nie mogę znalesc

Logfile of Trend Micro HijackThis v2.0.0 (BETA) Scan saved at 13:12:09, on 2007-04-04 Platform: Windows XP (WinNT 5.01.2600) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\system\smsc.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\WINDOWS\System32\svcchosst.exe C:\PROGRA~1\ALWILS~1\Avast4\ashQuick.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\WINDOWS\system32\cmd.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Documents and Settings\Tomek\Pulpit\HiJackThis_v2.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM…\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM…\Run: [msvccc66] svcchosst.exe O4 - HKLM…\RunServices: [msvccc66] svcchosst.exe O4 - HKUS\S-1-5-19…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘?’) O4 - HKUS\S-1-5-20…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘?’) O4 - HKUS\S-1-5-18…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘?’) O4 - HKUS.DEFAULT…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘Default user’) O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O17 - HKLM\System\CCS\Services\Tcpip…{8E87CE1E-84BC-4DEC-82A5-6CEE659FF0F0}: NameServer = 194.204.159.1 217.98.63.164 O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O22 - SharedTaskScheduler: Moduł wstępnego ładowania interfejsu Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll O22 - SharedTaskScheduler: Demon buforu kategorii składników - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe O23 - Service: System Manger Service 32 (SMSC) - Unknown owner - C:\WINDOWS\system\smsc.exe – End of file - 3669 bytes

zastanawiaja mnie ten wpisy

C:\WINDOWS\system\smsc.exe

O23 - Service: System Manger Service 32 (SMSC) - Unknown owner - C:\WINDOWS\system\smsc.exe

O4 - HKLM…\RunServices: [msvccc66] svcchosst.exe

Unknown

O4 - HKLM…\Run: [msvccc66] svcchosst.exe

O17 - HKLM\System\CCS\Services\Tcpip…{8E87CE1E-84BC-4DEC-82A5-6CEE659FF0F0}: NameServer = 194.204.159.1 217.98.63.164

nie moge dac loga z Silent Runners bo jakis bład mi wyskakuje i juz 3 razy sciagałem go’

adam9870 · 4 Kwiecień 2007 11:20

Gdzie je wykrywa? Podaj dokładne lokalizacje do znajdowanych zainfekowanych plików.

KLIK

tomek.zielony · 4 Kwiecień 2007 11:27

nie moge dac loga z combo

tez jakiś błąd wyskakuje

ComboFix 07-04-04.5 - Running from: “C:\Documents and Settings\Tomek\Pulpit\programy sciagniete” ((((((((((((((((((((((((((((((( Files Created from 2007-03-04 to 2007-04-04 )))))))))))))))))))))))))))))))))) 2007-04-04 12:49 2007-04-04 12:28 2007-04-04 12:19 41,473 -r-hs---- C:\WINDOWS\system\smsc.exe 2007-04-04 12:19 14,080 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys 2007-04-04 12:19 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys 2007-04-04 12:16 332 --a------ C:\WINDOWS\desctemp.dat 2007-04-04 11:51 2007-04-04 11:50 2007-04-04 11:50 2007-04-04 11:50 2007-04-04 11:50 2007-04-04 11:50 2007-04-04 11:48 2007-04-04 11:48 2007-04-04 11:44 2007-04-04 11:42 8,192 --a------ C:\WINDOWS\system32\tsbyuv.dll 2007-04-04 11:42 77,824 -ra------ C:\WINDOWS\system32\drivers\SioUi2k.dll 2007-04-04 11:42 63,488 -ra------ C:\WINDOWS\system32\drivers\wssbtr1f.sys 2007-04-04 11:42 57,344 --a------ C:\WINDOWS\system32\drivers\drmk.sys 2007-04-04 11:42 51,169 -ra------ C:\WINDOWS\system32\drivers\OXSER.SYS 2007-04-04 11:42 50,688 --a------ C:\WINDOWS\system32\drivers\vfwwdm32.dll 2007-04-04 11:42 48,556 -ra------ C:\WINDOWS\system32\drivers\SktBt2k.sys 2007-04-04 11:42 48,076 -ra------ C:\WINDOWS\system32\drivers\Sio9502k.sys 2007-04-04 11:42 45,568 --a------ C:\WINDOWS\system32\iyuv_32.dll 2007-04-04 11:42 40,960 -ra------ C:\WINDOWS\system32\drivers\SCTray.exe 2007-04-04 11:42 135,040 --a------ C:\WINDOWS\system32\drivers\portcls.sys 2007-04-04 11:41 82,148 --a------ C:\WINDOWS\system32\drivers\VcommMgr.sys 2007-04-04 11:41 7,680 --a------ C:\WINDOWS\system32\btinstall.dll 2007-04-04 11:41 61,312 --a------ C:\WINDOWS\system32\drivers\VComm.sys 2007-04-04 11:41 49,152 --a------ C:\WINDOWS\system32\btfunc.dll 2007-04-04 11:41 28,271 --a------ C:\WINDOWS\system32\drivers\BTHidMgr.sys 2007-04-04 11:41 23,000 --a------ C:\WINDOWS\system32\drivers\btcusb.sys 2007-04-04 11:41 20,480 --a------ C:\WINDOWS\system32\drivers\blueletaudio.sys 2007-04-04 11:41 182,880 --a------ C:\WINDOWS\system32\iuengine.dll 2007-04-04 11:41 148,830 --a------ C:\WINDOWS\system32\drivers\bcbthub.sys 2007-04-04 11:41 13,304 --a------ C:\WINDOWS\system32\drivers\BTNetFilter.sys 2007-04-04 11:41 116,021 --a------ C:\WINDOWS\system32\drivers\fw203x.sys 2007-04-04 11:41 11,860 --a------ C:\WINDOWS\system32\drivers\vbtenum.sys 2007-04-04 11:41 11,736 --a------ C:\WINDOWS\system32\drivers\VHIDMini.sys 2007-04-04 11:41 10,804 --a------ C:\WINDOWS\system32\drivers\BtNetDrv.sys 2007-04-04 11:41 2007-04-04 02:12 2007-04-03 23:03 2007-04-03 23:02 2007-04-03 23:01 83,968 --a------ C:\WINDOWS\system32\drivers\nabtsfec.sys 2007-04-03 23:01 52,096 --a------ C:\WINDOWS\system32\drivers\msdv.sys 2007-04-03 23:01 47,104 --a------ C:\WINDOWS\system32\wstdecod.dll 2007-04-03 23:01 354,816 --a------ C:\WINDOWS\system32\psisdecd.dll 2007-04-03 23:01 18,688 --a------ C:\WINDOWS\system32\drivers\wstcodec.sys 2007-04-03 23:01 16,896 --a------ C:\WINDOWS\system32\msyuv.dll 2007-04-03 23:01 16,384 --a------ C:\WINDOWS\system32\drivers\ccdecode.sys 2007-04-03 23:01 15,104 --a------ C:\WINDOWS\system32\drivers\mpe.sys 2007-04-03 23:01 14,976 --a------ C:\WINDOWS\system32\drivers\streamip.sys 2007-04-03 23:01 11,392 --a------ C:\WINDOWS\system32\drivers\bdasup.sys 2007-04-03 23:01 10,880 --a------ C:\WINDOWS\system32\drivers\slip.sys 2007-04-03 23:01 10,112 --a------ C:\WINDOWS\system32\drivers\ndisip.sys 2007-04-03 23:01 1,230,336 --a------ C:\WINDOWS\system32\msvidctl.dll 2007-04-03 23:00 2007-04-03 23:00 2007-04-03 22:58 2007-04-03 22:55 2007-04-03 21:52 2007-04-03 21:49 2007-04-03 21:29 2007-04-03 21:29 2007-04-03 18:05 17,920 --a------ C:\WINDOWS\system32\mdimon.dll 2007-04-03 18:00 2007-04-03 18:00 2007-04-03 17:59 2007-04-03 17:57 90,112 --a------ C:\WINDOWS\system32\AVASTSS.scr 2007-04-03 17:56 2007-04-03 17:53 94,424 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys 2007-04-03 17:53 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys 2007-04-03 17:53 689,280 --a------ C:\WINDOWS\system32\aswBoot.exe 2007-04-03 17:53 43,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys 2007-04-03 17:53 31,560 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys 2007-04-03 17:53 23,352 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys 2007-04-03 17:28 499,712 --a------ C:\WINDOWS\system32\MSVCP71.dll 2007-04-03 17:28 2007-04-03 17:26 79,616 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys 2007-04-03 17:26 57,472 --a------ C:\WINDOWS\system32\drivers\sysaudio.sys 2007-04-03 17:26 54,272 --a------ C:\WINDOWS\system32\drivers\swmidi.sys 2007-04-03 17:26 50,048 --a------ C:\WINDOWS\system32\drivers\DMusic.sys 2007-04-03 17:26 5,632 --a------ C:\WINDOWS\system32\drivers\splitter.sys 2007-04-03 17:26 2,816 --a------ C:\WINDOWS\system32\drivers\drmkaud.sys 2007-04-03 17:26 159,232 --a------ C:\WINDOWS\system32\drivers\kmixer.sys 2007-04-03 17:26 122,472 --a------ C:\WINDOWS\system32\drivers\aec.sys 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:23 2007-04-03 17:19 765,952 --a------ C:\WINDOWS\system\crlds3d.dll 2007-04-03 17:19 65,536 --a------ C:\WINDOWS\system32\Audio3D.dll 2007-04-03 17:19 65,536 --a------ C:\WINDOWS\system32\a3d.dll 2007-04-03 17:19 65,024 --a------ C:\WINDOWS\SOUNDMAN.EXE 2007-04-03 17:19 611,441 --a------ C:\WINDOWS\system32\drivers\ALCXWDM.SYS 2007-04-03 17:19 5,867,008 --a------ C:\WINDOWS\system32\RTLCPL.EXE 2007-04-03 17:19 391,424 --a------ C:\WINDOWS\system32\drivers\ALCXSENS.SYS 2007-04-03 17:19 208,896 --------- C:\WINDOWS\alcupd.exe 2007-04-03 17:19 155,648 --a------ C:\WINDOWS\system32\RTLCPAPI.dll 2007-04-03 17:19 139,264 --------- C:\WINDOWS\alcrmv.exe 2007-04-03 17:19 1,032 --------- C:\WINDOWS\system32\drivers\alcxinit.dat 2007-04-03 17:19 2007-04-03 17:19 2007-04-03 17:19 2007-04-03 17:17 3,000 -ra------ C:\WINDOWS\system32\SetupNT.sys 2007-04-03 17:17 2007-04-03 17:17 2007-04-03 17:17 2007-04-03 17:17 2007-04-03 17:13 2007-04-03 16:43 2007-04-03 16:43 2007-04-03 16:40 2007-04-03 16:36 4,313 --a------ C:\WINDOWS\mozver.dat 2007-04-03 16:31 57,088 --a------ C:\WINDOWS\system32\drivers\redbook.sys 2007-04-03 16:31 3,072 --a------ C:\WINDOWS\system32\drivers\audstub.sys 2007-04-03 16:30 70,144 --a------ C:\WINDOWS\system32\usbui.dll 2007-04-03 16:30 23,070 --a------ C:\WINDOWS\system32\drivers\RTL8139.sys 2007-04-03 16:29 9,936 --a------ C:\WINDOWS\system\LZEXPAND.DLL 2007-04-03 16:29 9,168 --a------ C:\WINDOWS\system\VER.DLL 2007-04-03 16:29 85,532 --a------ C:\WINDOWS\system32\dgsetup.dll 2007-04-03 16:29 83,456 --a------ C:\WINDOWS\system\OLECLI.DLL 2007-04-03 16:29 8,192 -ra------ C:\WINDOWS\system32\kbdhept.dll 2007-04-03 16:29 71,680 --a------ C:\WINDOWS\system32\storprop.dll 2007-04-03 16:29 70,096 --a------ C:\WINDOWS\system\AVICAP.DLL 2007-04-03 16:29 7,168 --a------ C:\WINDOWS\system32\kbdcz.dll 2007-04-03 16:29 69,712 --a------ C:\WINDOWS\system\MMSYSTEM.DLL 2007-04-03 16:29 67,072 --a------ C:\WINDOWS\NOTEPAD.EXE 2007-04-03 16:29 6,656 -ra------ C:\WINDOWS\system32\kbdhela3.dll 2007-04-03 16:29 6,656 --a------ C:\WINDOWS\system32\kbdycl.dll 2007-04-03 16:29 6,656 --a------ C:\WINDOWS\system32\kbdsl1.dll 2007-04-03 16:29 6,656 --a------ C:\WINDOWS\system32\kbdsl.dll 2007-04-03 16:29 6,656 --a------ C:\WINDOWS\system32\kbdhu.dll 2007-04-03 16:29 6,656 --a------ C:\WINDOWS\system32\kbdcz2.dll 2007-04-03 16:29 6,656 --a------ C:\WINDOWS\system32\kbdcz1.dll 2007-04-03 16:29 6,656 --a------ C:\WINDOWS\system32\kbdcr.dll 2007-04-03 16:29 6,656 --a------ C:\WINDOWS\system32\KBDAL.DLL 2007-04-03 16:29 6,656 --a------ C:\WINDOWS\system32\batt.dll 2007-04-03 16:29 6,144 -ra------ C:\WINDOWS\system32\kbdtuq.dll 2007-04-03 16:29 6,144 -ra------ C:\WINDOWS\system32\kbdtuf.dll 2007-04-03 16:29 6,144 -ra------ C:\WINDOWS\system32\kbdlv1.dll 2007-04-03 16:29 6,144 -ra------ C:\WINDOWS\system32\kbdlv.dll 2007-04-03 16:29 6,144 -ra------ C:\WINDOWS\system32\kbdhela2.dll 2007-04-03 16:29 6,144 -ra------ C:\WINDOWS\system32\kbdgkl.dll 2007-04-03 16:29 6,144 -ra------ C:\WINDOWS\system32\kbdest.dll 2007-04-03 16:29 5,632 -ra------ C:\WINDOWS\system32\kbdmon.dll 2007-04-03 16:29 5,632 -ra------ C:\WINDOWS\system32\kbdlt1.dll 2007-04-03 16:29 5,632 -ra------ C:\WINDOWS\system32\kbdlt.dll 2007-04-03 16:29 5,632 -ra------ C:\WINDOWS\system32\kbdkyr.dll 2007-04-03 16:29 5,632 -ra------ C:\WINDOWS\system32\kbdhe319.dll 2007-04-03 16:29 5,632 -ra------ C:\WINDOWS\system32\kbdhe220.dll 2007-04-03 16:29 5,632 -ra------ C:\WINDOWS\system32\kbdhe.dll 2007-04-03 16:29 5,632 -ra------ C:\WINDOWS\system32\kbdazel.dll 2007-04-03 16:29 5,632 --a------ C:\WINDOWS\system32\kbdro.dll 2007-04-03 16:29 5,632 --a------ C:\WINDOWS\system32\kbdhu1.dll 2007-04-03 16:29 5,120 --a------ C:\WINDOWS\system\SHELL.DLL 2007-04-03 16:29 33,376 --a------ C:\WINDOWS\system\COMMDLG.DLL 2007-04-03 16:29 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll 2007-04-03 16:29 24,064 --a------ C:\WINDOWS\system\OLESVR.DLL 2007-04-03 16:29 19,200 --a------ C:\WINDOWS\system\TAPI.DLL 2007-04-03 16:29 176,157 --a------ C:\WINDOWS\system32\dgrpsetu.dll 2007-04-03 16:29 15,360 --a------ C:\WINDOWS\TASKMAN.EXE 2007-04-03 16:29 13,312 --a------ C:\WINDOWS\system32\irclass.dll 2007-04-03 16:29 127,008 --a------ C:\WINDOWS\system\MSVIDEO.DLL 2007-04-03 16:29 109,488 --a------ C:\WINDOWS\system\AVIFILE.DLL 2007-04-03 16:29 103,424 --a------ C:\WINDOWS\system32\EqnClass.Dll 2007-04-03 16:29 10,496 --a------ C:\WINDOWS\system32\drivers\irenum.sys 2007-04-03 16:29 2007-04-03 16:29 2007-04-03 16:29 2007-04-03 16:29 2007-04-03 16:29 2007-04-03 16:29 2007-04-03 16:29 2007-04-03 16:29 2007-04-03 16:29 2007-04-03 16:29 2007-04-03 16:29 2007-04-03 16:29 2007-04-03 16:29 2007-04-03 16:29 2007-04-03 16:29 2007-04-03 16:29 2007-04-03 16:28 2007-04-03 16:28 2007-04-03 16:27 2007-04-03 16:17 2007-04-03 16:17 2007-04-03 16:10 41,068 --------- C:\WINDOWS\system32\ActPanel.dll 2007-04-03 16:10 32,768 --a------ C:\WINDOWS\system32\WooDial2000.dll 2007-04-03 16:10 2007-04-03 16:10 2007-04-03 16:09 2007-04-03 16:09 2007-04-03 16:06 65,001 --a------ C:\WINDOWS\system32\clockz.exe 2007-04-03 16:06 2007-04-03 16:05 2007-04-03 15:59 0 --a------ C:\WINDOWS\nsreg.dat 2007-04-03 15:56 64,000 --a------ C:\WINDOWS\system32\drivers\e4ldr.sys 2007-04-03 15:56 50,007 --a------ C:\WINDOWS\system32\drivers\adildr.sys 2007-04-03 15:56 46,892 --a------ C:\WINDOWS\system32\ADADIX16.DLL 2007-04-03 15:56 4,981 --a------ C:\WINDOWS\system32\ADADIX2K.DLL 2007-04-03 15:56 24,576 --a------ C:\WINDOWS\enddisk32.exe 2007-04-03 15:56 22,395 --a------ C:\WINDOWS\system32\drivers\fpga.bin 2007-04-03 15:56 176,128 --a------ C:\WINDOWS\autoclk.exe 2007-04-03 15:56 155,648 --a------ C:\WINDOWS\system32\adadix32.dll 2007-04-03 15:56 152,220 -r------- C:\WINDOWS\system32\drivers\L1E4I2.BIN 2007-04-03 15:56 152,220 -r------- C:\WINDOWS\system32\drivers\L1E4I1.BIN 2007-04-03 15:56 152,220 -r------- C:\WINDOWS\system32\drivers\L1E4I0.BIN 2007-04-03 15:56 152,132 -r------- C:\WINDOWS\system32\drivers\L1E4P2.BIN 2007-04-03 15:56 152,132 -r------- C:\WINDOWS\system32\drivers\L1E4P1.BIN 2007-04-03 15:56 152,132 -r------- C:\WINDOWS\system32\drivers\L1E4P0.BIN 2007-04-03 15:56 152,126 --a------ C:\WINDOWS\system32\drivers\L1E9P2.BIN 2007-04-03 15:56 152,126 --a------ C:\WINDOWS\system32\drivers\L1E9P1.BIN 2007-04-03 15:56 152,126 --a------ C:\WINDOWS\system32\drivers\L1E9P0.BIN 2007-04-03 15:56 152,126 --a------ C:\WINDOWS\system32\drivers\L1E9I2.BIN 2007-04-03 15:56 152,126 --a------ C:\WINDOWS\system32\drivers\L1E9I1.BIN 2007-04-03 15:56 152,126 --a------ C:\WINDOWS\system32\drivers\L1E9I0.BIN 2007-04-03 15:56 152,036 --a------ C:\WINDOWS\system32\drivers\L1E4D2.BIN 2007-04-03 15:56 152,034 --a------ C:\WINDOWS\system32\drivers\L1E4D1.BIN 2007-04-03 15:56 152,034 --a------ C:\WINDOWS\system32\drivers\L1E4D0.BIN 2007-04-03 15:56 143,360 --a------ C:\WINDOWS\adiras.exe 2007-04-03 15:56 135,168 --a------ C:\WINDOWS\system32\unaddrv.exe 2007-04-03 15:56 127,456 --a------ C:\WINDOWS\system32\IPDETECT.EXE 2007-04-03 15:56 126,976 --a------ C:\WINDOWS\system32\coclassfast.dll 2007-04-03 15:56 126,489 --a------ C:\WINDOWS\system32\drivers\adiusbaw.sys 2007-04-03 15:56 116,992 --a------ C:\WINDOWS\system32\drivers\e4usbaw.sys 2007-04-03 15:56 2007-04-03 15:53 787,456 --a------ C:\WINDOWS\system32\drivers\ati2mtag.sys 2007-04-03 15:53 294,912 -ra------ C:\WINDOWS\system32\atiiiexx.dll 2007-04-03 15:53 151,552 -ra------ C:\WINDOWS\system32\ATIDEMGR.dll 2007-04-03 15:50 2007-04-03 15:49 516,096 --------- C:\WINDOWS\system32\ati2sgag.exe 2007-04-03 15:48 2007-04-03 15:48 2007-04-03 15:48 2007-04-03 15:48 2007-04-03 15:48 2007-04-03 15:47 23,040 -ra------ C:\WINDOWS\system32\drivers\GVCplDrv.sys 2007-04-03 15:45 2007-04-03 15:43 1,048,576 --ah----- C:\DOCUME~1\Tomek\NTUSER.DAT 2007-04-03 15:43 2007-04-03 15:43 2007-04-03 15:43 2007-04-03 15:43 2007-04-03 15:43 2007-04-03 15:43 2007-04-03 15:43 2007-04-03 15:43 2007-04-03 15:41 237,568 --ah----- C:\DOCUME~1\NETWOR~1\NTUSER.DAT 2007-04-03 15:41 237,568 --ah----- C:\DOCUME~1\LOCALS~1\NTUSER.DAT 2007-04-03 15:41 2007-04-03 15:41 2007-04-03 15:41 2007-04-03 15:41 2007-04-03 15:41 2007-04-03 15:41 2007-04-03 15:39 2007-04-03 15:39 2007-04-03 15:38 237,568 —h----- C:\DOCUME~1\DEFAUL~1\NTUSER.DAT 2007-04-03 15:38 112,128 --a------ C:\WINDOWS\system32\mapi32.dll 2007-04-03 15:38 0 -rahs---- C:\MSDOS.SYS 2007-04-03 15:38 0 -rahs---- C:\IO.SYS 2007-04-03 15:38 0 --a------ C:\CONFIG.SYS 2007-04-03 15:38 0 --a------ C:\AUTOEXEC.BAT 2007-04-03 15:38 2007-04-03 15:38 2007-04-03 15:38 2007-04-03 15:37 40,960 --a------ C:\WINDOWS\system32\safrslv.dll 2007-04-03 15:37 39,424 --a------ C:\WINDOWS\system32\safrcdlg.dll 2007-04-03 15:37 33,792 --a------ C:\WINDOWS\system32\racpldlg.dll 2007-04-03 15:37 26,624 --a------ C:\WINDOWS\system32\safrdm.dll 2007-04-03 15:37 179,200 --a------ C:\WINDOWS\system32\qmgr.dll 2007-04-03 15:37 17,408 --a------ C:\WINDOWS\system32\qmgrprxy.dll 2007-04-03 15:37 11,264 --a------ C:\WINDOWS\system32\atrace.dll 2007-04-03 15:37 2007-04-03 15:37 2007-04-03 15:37 2007-04-03 15:37 2007-04-03 15:36 90,624 --a------ C:\WINDOWS\system32\msoert2.dll 2007-04-03 15:36 9,728 --a------ C:\WINDOWS\system32\mstinit.exe 2007-04-03 15:36 81,920 --a------ C:\WINDOWS\system32\isign32.dll 2007-04-03 15:36 73,728 --a------ C:\WINDOWS\system32\ils.dll 2007-04-03 15:36 70,400 --a------ C:\WINDOWS\system32\drivers\sr.sys 2007-04-03 15:36 69,632 --a------ C:\WINDOWS\system32\icwdial.dll 2007-04-03 15:36 67,584 --a------ C:\WINDOWS\system32\acctres.dll 2007-04-03 15:36 65,536 --a------ C:\WINDOWS\system32\msconf.dll 2007-04-03 15:36 61,952 --a------ C:\WINDOWS\system32\srclient.dll 2007-04-03 15:36 61,440 --a------ C:\WINDOWS\system32\icwphbk.dll 2007-04-03 15:36 593,920 --a------ C:\WINDOWS\system32\inetcomm.dll 2007-04-03 15:36 49,152 --a------ C:\WINDOWS\system32\inetres.dll 2007-04-03 15:36 32,768 --a------ C:\WINDOWS\system32\mnmsrvc.exe 2007-04-03 15:36 32,384 --a------ C:\WINDOWS\system32\mnmdd.dll 2007-04-03 15:36 28,672 --a------ C:\WINDOWS\system32\isrdbg32.dll 2007-04-03 15:36 270,336 --a------ C:\WINDOWS\system32\inetcfg.dll 2007-04-03 15:36 253,440 --a------ C:\WINDOWS\system32\mstask.dll 2007-04-03 15:36 24,576 --a------ C:\WINDOWS\system32\nmmkcert.dll 2007-04-03 15:36 228,864 --a------ C:\WINDOWS\system32\msoeacct.dll 2007-04-03 15:36 219,136 --a------ C:\WINDOWS\system32\srrstr.dll 2007-04-03 15:36 21,856 --a------ C:\WINDOWS\system32\emptyregdb.dat 2007-04-03 15:36 16,384 --a------ C:\WINDOWS\system32\icfgnt5.dll 2007-04-03 15:36 159,744 --a------ C:\WINDOWS\system32\schedsvc.dll 2007-04-03 15:36 155,648 --a------ C:\WINDOWS\system32\srsvc.dll 2007-04-03 15:36 12,288 --a------ C:\WINDOWS\system32\nmevtmsg.dll 2007-04-03 15:36 2007-04-03 15:36 2007-04-03 15:36 2007-04-03 15:36 2007-04-03 15:36 2007-04-03 15:35 99,328 --a------ C:\WINDOWS\system32\clipbrd.exe 2007-04-03 15:35 95,744 --a------ C:\WINDOWS\system32\wuaueng.dll 2007-04-03 15:35 9,728 --a------ C:\WINDOWS\system32\xolehlp.dll 2007-04-03 15:35 9,728 --a------ C:\WINDOWS\system32\reset.exe 2007-04-03 15:35 89,600 --a------ C:\WINDOWS\system32\tscfgwmi.dll 2007-04-03 15:35 869,376 --a------ C:\WINDOWS\system32\msdtctm.dll 2007-04-03 15:35 85,504 --a------ C:\WINDOWS\system32\catsrvps.dll 2007-04-03 15:35 83,968 --a------ C:\WINDOWS\system32\mtxoci.dll 2007-04-03 15:35 82,432 --a------ C:\WINDOWS\system32\comrepl.dll 2007-04-03 15:35 80,896 --a------ C:\WINDOWS\system32\charmap.exe 2007-04-03 15:35 8,704 --a------ C:\WINDOWS\system32\icaapi.dll 2007-04-03 15:35 73,864 --a------ C:\WINDOWS\system32\rdpwsx.dll 2007-04-03 15:35 73,216 --a------ C:\WINDOWS\system32\avwav.dll 2007-04-03 15:35 61,952 --a------ C:\WINDOWS\system32\rdshost.exe 2007-04-03 15:35 605,696 --a------ C:\WINDOWS\system32\getuname.dll 2007-04-03 15:35 6,144 --a------ C:\WINDOWS\system32\msdtc.exe 2007-04-03 15:35 583,168 --a------ C:\WINDOWS\system32\catsrvut.dll 2007-04-03 15:35 57,344 --a------ C:\WINDOWS\system32\sol.exe 2007-04-03 15:35 57,344 --a------ C:\WINDOWS\system32\licwmi.dll 2007-04-03 15:35 56,832 --a------ C:\WINDOWS\system32\remotepg.dll 2007-04-03 15:35 56,832 --a------ C:\WINDOWS\system32\colbact.dll 2007-04-03 15:35 55,808 --a------ C:\WINDOWS\system32\freecell.exe 2007-04-03 15:35 54,784 --a------ C:\WINDOWS\system32\msdtclog.dll 2007-04-03 15:35 54,272 --a------ C:\WINDOWS\system32\stclient.dll 2007-04-03 15:35 534,016 --a------ C:\WINDOWS\system32\spider.exe 2007-04-03 15:35 53,248 --a------ C:\WINDOWS\system32\servdeps.dll 2007-04-03 15:35 503,296 --a------ C:\WINDOWS\system32\mstscax.dll 2007-04-03 15:35 5,632 --a------ C:\WINDOWS\system32\write.exe 2007-04-03 15:35 5,120 --a------ C:\WINDOWS\system32\dcomcnfg.exe 2007-04-03 15:35 495,616 --a------ C:\WINDOWS\system32\comuid.dll 2007-04-03 15:35 494,592 --a------ C:\WINDOWS\system32\hypertrm.dll 2007-04-03 15:35 468,480 --a------ C:\WINDOWS\system32\clbcatq.dll 2007-04-03 15:35 44,544 --a------ C:\WINDOWS\system32\hticons.dll 2007-04-03 15:35 41,984 --a------ C:\WINDOWS\system32\rdpclip.exe 2007-04-03 15:35 40,448 --a------ C:\WINDOWS\system32\tscupgrd.exe 2007-04-03 15:35 4,608 --a------ C:\WINDOWS\system32\rdpcfgex.dll 2007-04-03 15:35 4,096 --a------ C:\WINDOWS\system32\wuauserv.dll 2007-04-03 15:35 4,096 --a------ C:\WINDOWS\system32\mtxex.dll 2007-04-03 15:35 387,072 --a------ C:\WINDOWS\system32\mstsc.exe 2007-04-03 15:35 37,896 --a------ C:\WINDOWS\system32\drivers\termdd.sys 2007-04-03 15:35 360,960 --a------ C:\WINDOWS\system32\msdtcprx.dll 2007-04-03 15:35 35,328 --a------ C:\WINDOWS\system32\winchat.exe 2007-04-03 15:35 342,016 --a------ C:\WINDOWS\system32\mspaint.exe 2007-04-03 15:35 33,792 --a------ C:\WINDOWS\system32\regini.exe 2007-04-03 15:35 32,768 --a------ C:\WINDOWS\system32\cfgbkend.dll 2007-04-03 15:35 25,600 --a------ C:\WINDOWS\system32\comaddin.dll 2007-04-03 15:35 25,088 --a------ C:\WINDOWS\system32\mtxlegih.dll 2007-04-03 15:35 231,424 --a------ C:\WINDOWS\system32\avtapi.dll 2007-04-03 15:35 22,528 --a------ C:\WINDOWS\system32\qwinsta.exe 2007-04-03 15:35 22,528 --a------ C:\WINDOWS\system32\msg.exe 2007-04-03 15:35 215,040 --a------ C:\WINDOWS\system32\catsrv.dll 2007-04-03 15:35 20,480 --a------ C:\WINDOWS\system32\mtxdm.dll 2007-04-03 15:35 20,232 --a------ C:\WINDOWS\system32\drivers\tdtcp.sys 2007-04-03 15:35 198,656 --a------ C:\WINDOWS\system32\termsrv.dll 2007-04-03 15:35 19,456 --a------ C:\WINDOWS\system32\qprocess.exe 2007-04-03 15:35 183,296 --a------ C:\WINDOWS\system32\accwiz.exe 2007-04-03 15:35 181,632 --a------ C:\WINDOWS\system32\drivers\rdpdr.sys 2007-04-03 15:35 177,152 --a------ C:\WINDOWS\system32\cmprops.dll 2007-04-03 15:35 17,920 --a------ C:\WINDOWS\system32\tsshutdn.exe 2007-04-03 15:35 17,408 --a------ C:\WINDOWS\system32\qappsrv.exe 2007-04-03 15:35 16,896 --a------ C:\WINDOWS\system32\mmfutil.dll 2007-04-03 15:35 16,384 --a------ C:\WINDOWS\system32\tskill.exe 2007-04-03 15:35 16,384 --a------ C:\WINDOWS\system32\rwinsta.exe 2007-04-03 15:35 16,384 --a------ C:\WINDOWS\system32\avmeter.dll 2007-04-03 15:35 151,040 --a------ C:\WINDOWS\system32\msdtcuiu.dll 2007-04-03 15:35 15,872 --a------ C:\WINDOWS\system32\logoff.exe 2007-04-03 15:35 15,872 --a------ C:\WINDOWS\system32\cdmodem.dll 2007-04-03 15:35 15,360 --a------ C:\WINDOWS\system32\tsdiscon.exe 2007-04-03 15:35 15,360 --a------ C:\WINDOWS\system32\tscon.exe 2007-04-03 15:35 15,360 --a------ C:\WINDOWS\system32\shadow.exe 2007-04-03 15:35 147,456 --a------ C:\WINDOWS\system32\comsnap.dll 2007-04-03 15:35 14,848 --a------ C:\WINDOWS\system32\rdpsnd.dll 2007-04-03 15:35 139,264 --a------ C:\WINDOWS\system32\sndvol32.exe 2007-04-03 15:35 134,656 --a------ C:\WINDOWS\system32\rdchost.dll 2007-04-03 15:35 131,072 --a------ C:\WINDOWS\system32\sessmgr.exe 2007-04-03 15:35 128,000 --a------ C:\WINDOWS\system32\mshearts.exe 2007-04-03 15:35 125,440 --a------ C:\WINDOWS\system32\sndrec32.exe 2007-04-03 15:35 12,288 --a------ C:\WINDOWS\system32\rdsaddin.exe 2007-04-03 15:35 119,808 --a------ C:\WINDOWS\system32\winmine.exe 2007-04-03 15:35 118,272 --a------ C:\WINDOWS\system32\mplay32.exe 2007-04-03 15:35 115,200 --a------ C:\WINDOWS\system32\calc.exe 2007-04-03 15:35 113,664 --a------ C:\WINDOWS\system32\wuauclt.exe 2007-04-03 15:35 11,144 --a------ C:\WINDOWS\system32\drivers\tdpipe.sys 2007-04-03 15:35 107,912 --a------ C:\WINDOWS\system32\drivers\rdpwd.sys 2007-04-03 15:35 100,864 --a------ C:\WINDOWS\system32\clbcatex.dll 2007-04-03 15:35 1,225 --a------ C:\WINDOWS\system32\usrlogon.cmd 2007-04-03 15:35 1,139,200 --a------ C:\WINDOWS\system32\comsvcs.dll 2007-04-03 15:35 2007-04-03 15:35 2007-04-03 15:35 2007-04-03 15:35 2007-04-03 15:35 2007-04-03 15:35 (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-04-04 12:18 68334 --a------ C:\WINDOWS\system32\perfc015.dat 2007-04-04 12:18 439194 --a------ C:\WINDOWS\system32\perfh015.dat 2007-04-03 16:29 62 --ahs---- C:\DOCUME~1\Tomek\DANEAP~1\desktop.ini 2007-04-03 15:37 -------- d-------- C:\Program Files\usˆugi online (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries legit default entries are not shown [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run] @="" “avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL] “Installed”=“1” [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI] “Installed”=“1” “NoChange”=“1” [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS] “Installed”=“1” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^ATI CATALYST System Tray.lnk] “path”=“C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\ATI CATALYST System Tray.lnk” “backup”=“C:\WINDOWS\pss\ATI CATALYST System Tray.lnkCommon Startup” “location”=“Common Startup” “command”=“C:\PROGRA~1\ATITEC~1\ATI.ACE\CLI.exe SystemTray” “item”=“ATI CATALYST System Tray” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^BlueSoleil.lnk] “path”=“C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\BlueSoleil.lnk” “backup”=“C:\WINDOWS\pss\BlueSoleil.lnkCommon Startup” “location”=“Common Startup” “command”=“C:\PROGRA~1\IVTCOR~1\BLUESO~1\BLUESO~1.EXE " “item”=“BlueSoleil” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^DSLMON.lnk] “path”=“C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\DSLMON.lnk” “backup”=“C:\WINDOWS\pss\DSLMON.lnkCommon Startup” “location”=“Common Startup” “command”=“C:\PROGRA~1\SAGEM\SAGEMF~1\dslmon.exe " “item”=“DSLMON” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“cli” “hkey”=“HKLM” “command”=”“C:\Program Files\ATI Technologies\ATI.ACE\cli.exe” runtime” “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“atiptaxx” “hkey”=“HKLM” “command”=“C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe” “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Internet Explorer] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“iexplore” “hkey”=“HKLM” “command”=“C:\WINDOWS\System32\iexplore.exe” “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“PDVDServ” “hkey”=“HKLM” “command”="“C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe”" “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“Application Launcher” “hkey”=“HKLM” “command”="“C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe” /startoptions" “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“SOUNDMAN” “hkey”=“HKLM” “command”=“SOUNDMAN.EXE” “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WooCnxMon] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“CnxMon” “hkey”=“HKLM” “command”=“C:\PROGRA~1\NEOSTR~1\CnxMon.exe” “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WOOTASKBARICON] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“TaskbarIcon” “hkey”=“HKLM” “command”=“C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe” “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WOOWATCH] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“Watch” “hkey”=“HKLM” “command”=“C:\PROGRA~1\NEOSTR~1\Watch.exe” “inimapping”=“0” [HKEY_USERS.default\software\microsoft\windows\currentversion\run] @="" “ATICCC”="“C:\Program Files\ATI Technologies\ATI.ACE\cli.exe” runtime" [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders] “SecurityProviders”=“msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll” HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa Authentication Packages REG_MULTI_SZ msv1_0\0\0 Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0 Notification Packages REG_MULTI_SZ scecli\0\0 [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost] LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0 NetworkService REG_MULTI_SZ DnsCache\0\0 rpcss REG_MULTI_SZ RpcSs\0\0 imgsvc REG_MULTI_SZ StiSvc\0\0 termsvcs REG_MULTI_SZ TermService\0\0 ******************************************************************** catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006 http://www.gmer.net scanning hidden processes … scanning hidden services … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 ******************************************************************** Completion time: 07-04-04 13:36:52 C:\ComboFix-quarantined-files.txt … 07-04-04 13:36

adam9870 · 4 Kwiecień 2007 11:51

Z tym co masz powinien być jeszcze sterownik rdriv.sys jednak go nie widzę.

Pobierz The avenger. Wypakuj => uruchom => zaznacz opcję Input script manually => kliknij w lupkę => w okienku, które się otworzy wklej:

=> Kliknij klawisz Done => teraz kliknij na zielone światełko => powinna pojawić się pewna informacja i kliknij OK (teraz restart).

Po resecie może pojawić się okienko na dosłownie kilka sekund oraz log w notatniku. Wejdź tam gdzie masz avengera i skasuj plik backup.zip czyli np. c:\avenger\backup.zip.

Usuń wpisy HJT.

Po wykonaniu wklej nowy log z hijacka, combo plus dwa logi z Gmer’a wykonane przy takich ustawieniach:

Zakładka Rootkit >>> zaznaczone wszystko oprócz Pokazuj wszystko >>> kliknij Szukaj >>> czekaj cierpliwie aż skończy >>> Kopiuj >>> wklej do posta
Zakładka Rootkit >>> zaznaczone tylko Usługi i Pokazuj wszystko >>> kliknij Szukaj >>> czekaj cierpliwie aż skończy >>> Kopiuj >>> wklej do posta

Jeśli wszystkie logi nie zmieszczą się bezpośrednio do posta, to umieść je w jakimś serwisie hostingowym jako pliki *.txt, a tu tylko zlinkuj.

tomek.zielony · 4 Kwiecień 2007 12:51

Logfile of Trend Micro HijackThis v2.0.0 (BETA) Scan saved at 14:41:01, on 2007-04-04 Platform: Windows XP (WinNT 5.01.2600) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\LEXPPS.EXE C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\System32\svchost.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\WINDOWS\system\smsc.exe C:\Documents and Settings\Tomek\Pulpit\HiJackThis_v2.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL O4 - HKLM…\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKUS\S-1-5-19…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘?’) O4 - HKUS\S-1-5-20…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘?’) O4 - HKUS\S-1-5-18…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘?’) O4 - HKUS.DEFAULT…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘Default user’) O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O22 - SharedTaskScheduler: Moduł wstępnego ładowania interfejsu Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll O22 - SharedTaskScheduler: Demon buforu kategorii składników - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: System Manger Service 32 (SMSC) - Unknown owner - C:\WINDOWS\system\smsc.exe – End of file - 3452 bytes

log z gmera

GMER 1.0.12.12086 - http://www.gmer.net Rootkit scan 2007-04-04 14:51:44 Windows 5.1.2600 ---- Services - GMER 1.0.12 ---- Service .NET CLR Data Service .NET CLR Networking Service .NETFramework Service [sYSTEM] Aavmker4 Service [DISABLED] Abiosdsk Service [DISABLED] abp480n5 Service C:\WINDOWS\System32\DRIVERS\ACPI.sys [bOOT] ACPI Service [DISABLED] ACPIEC Service C:\WINDOWS\System32\Drivers\adildr.sys [AUTO] ADILOADER Service C:\WINDOWS\System32\DRIVERS\adiusbaw.sys [MANUAL] adiusbaw Service [DISABLED] adpu160m Service C:\WINDOWS\system32\drivers\aec.sys [MANUAL] aec Service C:\WINDOWS\System32\drivers\afd.sys [AUTO] AFD Service [DISABLED] Aha154x Service [DISABLED] aic78u2 Service [DISABLED] aic78xx Service C:\WINDOWS\system32\drivers\ALCXSENS.SYS [MANUAL] ALCXSENS Service C:\WINDOWS\system32\drivers\ALCXWDM.SYS [MANUAL] ALCXWDM Service C:\WINDOWS\System32\svchost.exe [MANUAL] Alerter Service C:\WINDOWS\System32\alg.exe [MANUAL] ALG Service [DISABLED] AliIde Service [DISABLED] amsint Service C:\WINDOWS\system32\svchost.exe [MANUAL] AppMgmt Service [DISABLED] asc Service [DISABLED] asc3350p Service [DISABLED] asc3550 Service ASP.NET Service ASP.NET_1.1.4322 Service C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [MANUAL] aspnet_state Service [AUTO] aswMon2 Service [MANUAL] aswRdr Service [sYSTEM] aswTdi Service C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe [AUTO] aswUpdSv Service C:\WINDOWS\System32\DRIVERS\asyncmac.sys [MANUAL] AsyncMac Service C:\WINDOWS\System32\DRIVERS\atapi.sys [bOOT] atapi Service [DISABLED] Atdisk Service C:\WINDOWS\System32\Ati2evxx.exe [AUTO] Ati HotKey Poller Service C:\WINDOWS\system32\ati2sgag.exe [AUTO] ATI Smart Service C:\WINDOWS\System32\DRIVERS\ati2mtag.sys [MANUAL] ati2mtag Service C:\WINDOWS\System32\DRIVERS\atmarpc.sys [MANUAL] Atmarpc Service C:\WINDOWS\System32\svchost.exe [AUTO] AudioSrv Service C:\WINDOWS\System32\DRIVERS\audstub.sys [MANUAL] audstub Service C:\Program Files\Alwil Software\Avast4\ashServ.exe [AUTO] avast! Antivirus Service C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe [MANUAL] avast! Mail Scanner Service C:\Program Files\Alwil Software\Avast4\ashWebSv.exe [MANUAL] avast! Web Scanner Service BattC Service [sYSTEM] Beep Service C:\WINDOWS\System32\svchost.exe [MANUAL] BITS Service C:\WINDOWS\System32\DRIVERS\blueletaudio.sys [MANUAL] BlueletAudio Service C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe [AUTO] BlueSoleil Hid Service Service C:\WINDOWS\System32\svchost.exe [AUTO] Browser Service C:\WINDOWS\System32\DRIVERS\btnetdrv.sys [MANUAL] BT Service C:\WINDOWS\System32\Drivers\btcusb.sys [MANUAL] Btcsrusb Service C:\WINDOWS\System32\DRIVERS\vbtenum.sys [MANUAL] BTHidEnum Service C:\WINDOWS\System32\Drivers\BTHidMgr.sys [bOOT] BTHidMgr Service C:\WINDOWS\system32\drivers\BTNetFilter.sys [MANUAL] BTNetFilter Service [DISABLED] cbidf2k Service C:\WINDOWS\System32\DRIVERS\CCDECODE.sys [MANUAL] CCDECODE Service [DISABLED] cd20xrnt Service [sYSTEM] Cdaudio Service [DISABLED] Cdfs Service C:\WINDOWS\System32\DRIVERS\cdrom.sys [sYSTEM] Cdrom Service [sYSTEM] Changer Service C:\WINDOWS\system32\cisvc.exe [MANUAL] cisvc Service C:\WINDOWS\system32\clipsrv.exe [MANUAL] ClipSrv Service [DISABLED] CmdIde Service C:\WINDOWS\System32\dllhost.exe [MANUAL] COMSysApp Service ContentFilter Service ContentIndex Service [DISABLED] Cpqarray Service C:\WINDOWS\system32\svchost.exe [AUTO] CryptSvc Service [DISABLED] dac2w2k Service [DISABLED] dac960nt Service C:\WINDOWS\System32\svchost.exe [AUTO] Dhcp Service C:\WINDOWS\System32\DRIVERS\disk.sys [bOOT] Disk Service C:\WINDOWS\System32\dmadmin.exe [MANUAL] dmadmin Service C:\WINDOWS\System32\drivers\dmboot.sys [DISABLED] dmboot Service C:\WINDOWS\System32\drivers\dmio.sys [bOOT] dmio Service C:\WINDOWS\System32\drivers\dmload.sys [bOOT] dmload Service C:\WINDOWS\System32\svchost.exe [AUTO] dmserver Service C:\WINDOWS\system32\drivers\DMusic.sys [MANUAL] DMusic Service C:\WINDOWS\System32\svchost.exe [AUTO] Dnscache Service [DISABLED] dpti2o Service C:\WINDOWS\system32\drivers\drmkaud.sys [MANUAL] drmkaud Service C:\WINDOWS\System32\svchost.exe [AUTO] ERSvc Service C:\WINDOWS\system32\services.exe [AUTO] Eventlog Service C:\WINDOWS\System32\svchost.exe [MANUAL] EventSystem Service [DISABLED] Fastfat Service C:\WINDOWS\System32\svchost.exe [MANUAL] FastUserSwitchingCompatibility Service C:\WINDOWS\System32\DRIVERS\fdc.sys [MANUAL] Fdc Service [sYSTEM] Fips Service C:\WINDOWS\System32\DRIVERS\flpydisk.sys [MANUAL] Flpydisk Service [sYSTEM] Fs_Rec Service C:\WINDOWS\System32\DRIVERS\ftdisk.sys [bOOT] Ftdisk Service C:\WINDOWS\System32\DRIVERS\gmer.sys [MANUAL] gmer Service C:\WINDOWS\System32\DRIVERS\msgpc.sys [MANUAL] Gpc Service [MANUAL] GVCplDrv Service C:\WINDOWS\System32\svchost.exe [AUTO] helpsvc Service C:\WINDOWS\System32\svchost.exe [DISABLED] HidServ Service C:\WINDOWS\System32\DRIVERS\hidusb.sys [MANUAL] HidUsb Service [DISABLED] hpn Service [DISABLED] hpt3xx Service [sYSTEM] i2omgmt Service [DISABLED] i2omp Service C:\WINDOWS\System32\DRIVERS\i8042prt.sys [sYSTEM] i8042prt Service [sYSTEM] Imapi Service C:\WINDOWS\System32\imapi.exe [MANUAL] ImapiService Service inetaccs Service [DISABLED] ini910u Service Inport Service [DISABLED] IntelIde Service C:\WINDOWS\System32\DRIVERS\ipfltdrv.sys [MANUAL] IpFilterDriver Service C:\WINDOWS\System32\DRIVERS\ipinip.sys [MANUAL] IpInIp Service C:\WINDOWS\System32\DRIVERS\ipnat.sys [MANUAL] IpNat Service C:\WINDOWS\System32\DRIVERS\ipsec.sys [sYSTEM] IPSec Service C:\WINDOWS\System32\DRIVERS\irenum.sys [MANUAL] IRENUM Service ISAPISearch Service C:\WINDOWS\System32\DRIVERS\isapnp.sys [bOOT] isapnp Service C:\WINDOWS\System32\DRIVERS\kbdclass.sys [sYSTEM] Kbdclass Service C:\WINDOWS\System32\DRIVERS\kbdhid.sys [sYSTEM] kbdhid Service C:\WINDOWS\system32\drivers\kmixer.sys [MANUAL] kmixer Service [bOOT] KSecDD Service C:\WINDOWS\System32\svchost.exe [AUTO] lanmanserver Service C:\WINDOWS\System32\svchost.exe [AUTO] lanmanworkstation Service [sYSTEM] lbrtfdc Service ldap Service C:\WINDOWS\system32\LEXBCES.EXE [AUTO] LexBceS Service LicenseService Service C:\WINDOWS\System32\svchost.exe [AUTO] LmHosts Service C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [AUTO] MDM Service C:\WINDOWS\System32\svchost.exe [DISABLED] Messenger Service [sYSTEM] mnmdd Service C:\WINDOWS\System32\mnmsrvc.exe [MANUAL] mnmsrvc Service [MANUAL] Modem Service C:\WINDOWS\System32\DRIVERS\mouclass.sys [sYSTEM] Mouclass Service C:\WINDOWS\System32\DRIVERS\mouhid.sys [MANUAL] mouhid Service [bOOT] MountMgr Service [DISABLED] mraid35x Service C:\WINDOWS\System32\DRIVERS\mrxdav.sys [MANUAL] MRxDAV Service C:\WINDOWS\System32\DRIVERS\mrxsmb.sys [sYSTEM] MRxSmb Service C:\WINDOWS\System32\msdtc.exe [MANUAL] MSDTC Service [sYSTEM] Msfs Service C:\WINDOWS\System32\msiexec.exe [MANUAL] MSIServer Service C:\WINDOWS\system32\drivers\MSKSSRV.sys [MANUAL] MSKSSRV Service C:\WINDOWS\system32\drivers\MSPCLOCK.sys [MANUAL] MSPCLOCK Service C:\WINDOWS\system32\drivers\MSPQM.sys [MANUAL] MSPQM Service C:\WINDOWS\system32\drivers\MSTEE.sys [MANUAL] MSTEE Service [bOOT] Mup Service C:\WINDOWS\System32\DRIVERS\NABTSFEC.sys [MANUAL] NABTSFEC Service [bOOT] NDIS Service C:\WINDOWS\System32\DRIVERS\NdisIP.sys [MANUAL] NdisIP Service C:\WINDOWS\System32\DRIVERS\ndistapi.sys [MANUAL] NdisTapi Service C:\WINDOWS\System32\DRIVERS\ndisuio.sys [MANUAL] Ndisuio Service C:\WINDOWS\System32\DRIVERS\ndiswan.sys [MANUAL] NdisWan Service [MANUAL] NDProxy Service C:\WINDOWS\System32\DRIVERS\netbios.sys [sYSTEM] NetBIOS Service C:\WINDOWS\System32\DRIVERS\netbt.sys [MANUAL] NetBT Service C:\WINDOWS\system32\netdde.exe [MANUAL] NetDDE Service C:\WINDOWS\system32\netdde.exe [MANUAL] NetDDEdsdm Service C:\WINDOWS\System32\lsass.exe [MANUAL] Netlogon Service C:\WINDOWS\System32\svchost.exe [MANUAL] Netman Service C:\WINDOWS\System32\svchost.exe [MANUAL] Nla Service [sYSTEM] Npfs Service [DISABLED] Ntfs Service C:\WINDOWS\System32\lsass.exe [MANUAL] NtLmSsp Service C:\WINDOWS\system32\svchost.exe [MANUAL] NtmsSvc Service [sYSTEM] Null Service C:\WINDOWS\System32\DRIVERS\nwlnkflt.sys [MANUAL] NwlnkFlt Service C:\WINDOWS\System32\DRIVERS\nwlnkfwd.sys [MANUAL] NwlnkFwd Service C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [MANUAL] ose Service Outlook Service C:\WINDOWS\System32\DRIVERS\parport.sys [MANUAL] Parport Service [bOOT] PartMgr Service [AUTO] ParVdm Service C:\WINDOWS\System32\DRIVERS\pci.sys [bOOT] PCI Service [sYSTEM] PCIDump Service C:\WINDOWS\System32\DRIVERS\pciide.sys [bOOT] PCIIde Service [DISABLED] Pcmcia Service [MANUAL] PDCOMP Service [MANUAL] PDFRAME Service [MANUAL] PDRELI Service [MANUAL] PDRFRAME Service [DISABLED] perc2 Service [DISABLED] perc2hib Service PerfDisk Service PerfNet Service PerfOS Service PerfProc Service C:\WINDOWS\system32\services.exe [AUTO] PlugPlay Service C:\WINDOWS\System32\lsass.exe [AUTO] PolicyAgent Service C:\WINDOWS\System32\DRIVERS\raspptp.sys [MANUAL] PptpMiniport Service C:\WINDOWS\System32\DRIVERS\processr.sys [sYSTEM] Processor Service C:\WINDOWS\system32\lsass.exe [AUTO] ProtectedStorage Service C:\WINDOWS\System32\DRIVERS\psched.sys [MANUAL] PSched Service C:\WINDOWS\System32\DRIVERS\ptilink.sys [MANUAL] Ptilink Service [DISABLED] ql1080 Service [DISABLED] Ql10wnt Service [DISABLED] ql12160 Service [DISABLED] ql1240 Service [DISABLED] ql1280 Service C:\WINDOWS\System32\DRIVERS\rasacd.sys [sYSTEM] RasAcd Service C:\WINDOWS\System32\svchost.exe [MANUAL] RasAuto Service C:\WINDOWS\System32\DRIVERS\rasl2tp.sys [MANUAL] Rasl2tp Service C:\WINDOWS\System32\svchost.exe [MANUAL] RasMan Service C:\WINDOWS\System32\DRIVERS\raspppoe.sys [MANUAL] RasPppoe Service C:\WINDOWS\System32\DRIVERS\raspti.sys [MANUAL] Raspti Service C:\WINDOWS\System32\DRIVERS\rdbss.sys [sYSTEM] Rdbss Service C:\WINDOWS\System32\DRIVERS\RDPCDD.sys [sYSTEM] RDPCDD Service RDPDD Service C:\WINDOWS\System32\DRIVERS\rdpdr.sys [MANUAL] rdpdr Service RDPNP Service [MANUAL] RDPWD Service C:\WINDOWS\system32\sessmgr.exe [MANUAL] RDSessMgr Service C:\WINDOWS\System32\DRIVERS\redbook.sys [sYSTEM] redbook Service C:\WINDOWS\System32\svchost.exe [DISABLED] RemoteAccess Service C:\WINDOWS\system32\svchost.exe [DISABLED] RemoteRegistry Service C:\WINDOWS\System32\Drivers\RootMdm.sys [MANUAL] ROOTMODEM Service C:\WINDOWS\System32\locator.exe [MANUAL] RpcLocator Service C:\WINDOWS\system32\svchost.exe [AUTO] RpcSs Service C:\WINDOWS\System32\rsvp.exe [MANUAL] RSVP Service C:\WINDOWS\System32\DRIVERS\RTL8139.SYS [MANUAL] rtl8139 Service C:\WINDOWS\system32\lsass.exe [AUTO] SamSs Service C:\WINDOWS\System32\SCardSvr.exe [MANUAL] SCardDrv Service C:\WINDOWS\System32\SCardSvr.exe [MANUAL] SCardSvr Service C:\WINDOWS\System32\svchost.exe [AUTO] Schedule Service C:\WINDOWS\System32\DRIVERS\secdrv.sys [MANUAL] Secdrv Service C:\WINDOWS\System32\svchost.exe [AUTO] seclogon Service C:\WINDOWS\system32\svchost.exe [AUTO] SENS Service C:\WINDOWS\System32\DRIVERS\serenum.sys [MANUAL] serenum Service C:\WINDOWS\System32\DRIVERS\serial.sys [sYSTEM] Serial Service C:\WINDOWS\system32\SetupNT.sys [AUTO] SetupNT Service [sYSTEM] Sfloppy Service C:\WINDOWS\system32\svchost.exe [AUTO] SharedAccess Service C:\WINDOWS\System32\svchost.exe [AUTO] ShellHWDetection Service [DISABLED] Simbad Service C:\WINDOWS\System32\DRIVERS\SLIP.sys [MANUAL] SLIP Service C:\WINDOWS\system\smsc.exe [AUTO] SMSC Service [DISABLED] Sparrow Service C:\WINDOWS\system32\drivers\splitter.sys [MANUAL] splitter Service C:\WINDOWS\system32\spoolsv.exe [AUTO] Spooler Service C:\WINDOWS\System32\DRIVERS\sr.sys [DISABLED] sr Service C:\WINDOWS\System32\svchost.exe [AUTO] srservice Service C:\WINDOWS\System32\DRIVERS\srv.sys [MANUAL] Srv Service C:\WINDOWS\System32\svchost.exe [DISABLED] SSDPSRV Service C:\WINDOWS\System32\svchost.exe [AUTO] stisvc Service C:\WINDOWS\System32\DRIVERS\StreamIP.sys [MANUAL] streamip Service C:\WINDOWS\System32\DRIVERS\swenum.sys [MANUAL] swenum Service C:\WINDOWS\system32\drivers\swmidi.sys [MANUAL] swmidi Service C:\WINDOWS\System32\dllhost.exe [MANUAL] SwPrv Service [DISABLED] symc810 Service [DISABLED] symc8xx Service [DISABLED] sym_hi Service [DISABLED] sym_u3 Service C:\WINDOWS\system32\drivers\sysaudio.sys [MANUAL] sysaudio Service C:\WINDOWS\system32\smlogsvc.exe [MANUAL] SysmonLog Service C:\WINDOWS\System32\svchost.exe [MANUAL] TapiSrv Service C:\WINDOWS\System32\DRIVERS\tcpip.sys [sYSTEM] Tcpip Service [MANUAL] TDPIPE Service [MANUAL] TDTCP Service C:\WINDOWS\System32\DRIVERS\termdd.sys [sYSTEM] TermDD Service C:\WINDOWS\System32\svchost.exe [MANUAL] TermService Service C:\WINDOWS\System32\svchost.exe [AUTO] Themes Service C:\WINDOWS\System32\tlntsvr.exe [DISABLED] TlntSvr Service [DISABLED] TosIde Service C:\WINDOWS\system32\svchost.exe [AUTO] TrkWks Service TSDDD Service [DISABLED] Udfs Service [DISABLED] ultra Service C:\WINDOWS\System32\DRIVERS\update.sys [MANUAL] Update Service C:\WINDOWS\System32\svchost.exe [AUTO] uploadmgr Service C:\WINDOWS\System32\svchost.exe [DISABLED] upnphost Service C:\WINDOWS\System32\ups.exe [MANUAL] UPS Service C:\WINDOWS\System32\DRIVERS\usbccgp.sys [MANUAL] usbccgp Service C:\WINDOWS\System32\DRIVERS\usbhub.sys [MANUAL] usbhub Service C:\WINDOWS\System32\DRIVERS\usbprint.sys [MANUAL] usbprint Service C:\WINDOWS\System32\DRIVERS\usbscan.sys [MANUAL] usbscan Service C:\WINDOWS\System32\DRIVERS\usbuhci.sys [MANUAL] usbuhci Service C:\WINDOWS\System32\DRIVERS\VComm.sys [MANUAL] VComm Service C:\WINDOWS\System32\Drivers\VcommMgr.sys [MANUAL] VcommMgr Service C:\WINDOWS\System32\drivers\vga.sys [sYSTEM] VgaSave Service C:\WINDOWS\system32\drivers\VHIDMini.sys [MANUAL] VHidMinidrv Service C:\WINDOWS\System32\DRIVERS\viaide.sys [bOOT] ViaIde Service [bOOT] VolSnap Service C:\WINDOWS\System32\vssvc.exe [MANUAL] VSS Service VxD Service C:\WINDOWS\System32\svchost.exe [AUTO] W32Time Service W3SVC Service C:\WINDOWS\System32\DRIVERS\wanarp.sys [MANUAL] Wanarp Service [MANUAL] WDICA Service C:\WINDOWS\system32\drivers\wdmaud.sys [MANUAL] wdmaud Service C:\WINDOWS\System32\svchost.exe [AUTO] WebClient Service C:\WINDOWS\system32\svchost.exe [AUTO] winmgmt Service [MANUAL] Winsock Service WinSock2 Service WinTrust Service C:\WINDOWS\System32\svchost.exe [AUTO] WmdmPmSp Service C:\WINDOWS\System32\svchost.exe [MANUAL] Wmi Service WmiApRpl Service C:\WINDOWS\System32\wbem\wmiapsrv.exe [MANUAL] WmiApSrv Service [DISABLED] wscsvc Service C:\WINDOWS\System32\DRIVERS\WSTCODEC.SYS [MANUAL] WSTCODEC Service C:\WINDOWS\system32\svchost.exe [AUTO] wuauserv Service C:\WINDOWS\System32\svchost.exe [AUTO] WZCSVC Service {4121CF81-50DA-4510-9F3C-40C5CCFBFEF7} Service {633A7B08-1887-4FE2-ACF3-0BBD12E6540C} Service {748A253C-1011-4FB2-AE48-A0958A4F7608} ---- EOF - GMER 1.0.12 ----

adam9870 · 4 Kwiecień 2007 13:01

Teraz czynności będziesz wykonywał w Gmerze więc uruchom go, poczekaj chwilkę, kliknij na zakładkę >>> w celu otworzenia pozostałych.

w zakładce Procesy wybierz Gmer awaryjny. Komputer się zrestartuje i zostanie samo okienko Gmer’a
w zakładce Usługi skasuj z prawokliku usługę SMSC
w zakładce Procesy kliknij Pliki i usuń ręcznie plik:

w zakładce Procesy przez … (trzy kropki) wskaż hijacka i usuń w nim wpis: (jeśli będzie)

zrestartuj komputer ręcznie przyciskiem na obudowie.

Po wykonaniu wklej nowy log z Gmer’a wykonany przy ustawieniu usługi + pokazuj wszystko.

tomek.zielony · 5 Kwiecień 2007 08:18

robie wszystko tak jak kazałeś ale jak zaznaczę ten proces do zamknięcia to odrazy komp chodzi jak czołg

nic nie da sie zrobić’

i robie w awaryjnym

adam9870 · 5 Kwiecień 2007 13:25

Wklej komplet nowych logów, być może sytuacja się zmieniła - nie będziemy strzelać w ciemno.

tomek.zielony · 5 Kwiecień 2007 14:29

dobra adam dzięki za pomoc

ale sie wnerwiłem i zrobiłem format

Złączono Posta : 05.04.2007 (Czw) 17:56

daje loga po formacie czy wszystko jest ok

a i jeszcze od czego jest ten proces MDM i notepad

Logfile of Trend Micro HijackThis v2.0.0 (BETA)

Scan saved at 17:56:03, on 2007-04-05

Platform: Windows XP (WinNT 5.01.2600)

Boot mode: Normal


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\LEXPPS.EXE

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Documents and Settings\Zielony\Pulpit\HiJackThis_v2.exe

C:\PROGRA~1\MOZILL~2\FIREFOX.EXE


R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKLM\..\Run: [Lexmark 2200 Series] "C:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA SIECIOWA')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O17 - HKLM\System\CCS\Services\Tcpip\..\{3CB45462-8681-4218-9879-01A334A9A359}: NameServer = 194.204.159.1 217.98.63.164

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O22 - SharedTaskScheduler: Moduł wstępnego ładowania interfejsu Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll

O22 - SharedTaskScheduler: Demon buforu kategorii składników - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE


--

End of file - 3759 bytes