Czy jest tu jakiś wirus?

Krzysztof_pawl · 31 Maj 2007 09:14

Od pewnego czasu nawala mi komputer. Początkowo sporadycznie się resetował. Teraz nie mogę go już normalnie uruchomić.Zaraz po uruchomieniu się resetuje. Działa tylko w trybie awaryjnym. Co robić?

Proszę o pomoc

log z hijackthis:

Logfile of HijackThis v1.99.1 Scan saved at 10:45:08, on 2007-05-31 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\WinRAR\WinRAR.exe C:\DOCUME~1\Lucyna\USTAWI~1\Temp\Rar$EX00.593\HijackThis.exe R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza R3 - URLSearchHook: (no name) - {1712F332-4AFE-1101-F1A3-6743C060A1CE} - C:\WINDOWS\system32\tsevkro.dll (file missing) R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) O1 - Hosts: supporthelp.com O1 - Hosts: .1 free.xxxcounter.com O1 - Hosts: response.symantec.com O1 - Hosts: xtracker.com O1 - Hosts: supporthelp.com O1 - Hosts: .1 free.xxxcounter.com O2 - BHO: (no name) - {04F8B48F-5241-05B0-40F2-222726F8ECC9} - C:\WINDOWS\system32\prkornor.dll (file missing) O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O4 - HKLM…\Run: [LWBMOUSE] C:\Program Files\Tech\Wheel Mouse\5.2\MOUSE32A.EXE O4 - HKLM…\Run: [iTunesHelper] “C:\Program Files\iTunes\iTunesHelper.exe” O4 - HKLM…\Run: [Adobe Photo Downloader] “C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe” O4 - HKLM…\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime O4 - HKLM…\Run: [startdrv] C:\WINDOWS\Temp\startdrv.exe O4 - HKLM…\Run: [iEXPLORER] C:\WINDOWS\IEXPLORER.EXE 123 O4 - HKLM…\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM…\Run: [system] C:\WINDOWS\system32\kernels32.exe O4 - HKLM…\Run: [spoolsvv] C:\WINDOWS\system32\spoolsvv.exe O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU…\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray O4 - HKCU…\Run: [H/PC Connection Agent] “C:\Program Files\Microsoft ActiveSync\wcescomm.exe” O4 - HKCU…\Run: [ueto] “C:\DOCUME~1\Lucyna\MOJEDO~1\STEM~1\winlogon.exe” -vt ndrv O4 - HKCU…\Run: [Pvcucfv] C:\WINDOWS\A?pPatch??ool32.exe O4 - HKCU…\Run: [skype] “C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized O4 - HKCU…\Run: [Windows update loader] C:\Windows\xpupdate.exe O4 - HKCU…\Run: [service Pack 1] C:\WINDOWS\system32\vexg6ame4.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll O9 - Extra ‘Tools’ menuitem: Utwórz łącze Ulubione dla urządzenia przenośnego… - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab O16 - DPF: {18506D80-9B80-11D4-82C2-0080C8D7ED4A} (GameDesire Roulette) - http://67.15.101.3/g_bin/pl/roulette_2_0_0_17.cab O16 - DPF: {2A781DED-C22D-4153-9812-CEA98A32981C} (GameDesire Makao) - http://67.15.101.3/g_bin/pl/cardsmakao_2_0_0_18.cab O16 - DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} (MainControl Class) - http://slimak.onet.pl/_m/wirusy/ArcaOnline.cab O16 - DPF: {41ACD49D-1974-791A-0981-AA9872721044} (Ganymede Board Games) - http://67.15.101.3/g_bin/pl/boards_2_0_0_30.cab O16 - DPF: {4B4513E2-4E57-43DF-9496-FCD37E9DFA64} (GameDesire Sea Battle) - http://67.15.101.3/g_bin/pl/navy_2_0_0_17.cab O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005 … scan53.cab O16 - DPF: {83AFB5CA-ED35-11D4-A452-0080C8D85045} (GameDesire Poker Games) - http://67.15.101.3/g_bin/pl/poker_2_0_0_39.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan … asinst.cab O16 - DPF: {AC120B1D-9411-4111-AF52-118052D85D45} (GameDesire Darts Games) - http://67.15.101.3/g_bin/pl/darts_2_0_0_31.cab O16 - DPF: {BFA1F11D-3121-AFE1-4112-894323212DAC} (GameDesire Word Games) - http://67.15.101.3/g_bin/pl/words_2_0_0_38.cab O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab O16 - DPF: {E95CF138-A587-4C54-8175-3AD80997CB14} (GameDesire Soccer) - http://67.15.101.3/g_bin/pl/soccer_2_0_0_8.cab O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://67.15.101.3/g_bin/pl/billard8_2_0_0_22.cab O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C5} (GameDesire Snooker) - http://67.15.101.3/g_bin/pl/snooker_2_0_0_24.cab O18 - Filter: text/html - (no CLSID) - (no file) O20 - AppInit_DLLs: O20 - Winlogon Notify: A3dxq - C:\WINDOWS\system32\a3dx8.dll O20 - Winlogon Notify: botreg - C:\Documents and Settings\All Users\Dokumenty\Settings\bot.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE O23 - Service: CADopia License Manager - Macrovision Corporation - C:\PROGRA~1\CADopia\INTELL~1\LicenseManager\lmgrd.exe O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\svchost.exe:exe.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Gutek · 31 Maj 2007 14:27

Syfu dużo, spróbujmy automatami na początek.

Użyj VundoFix + Trojan.Vundo Removal Tool + VirtumundoBeGone.

Skan AVG Anti-Spyware 7.5 po update

Daj log z Combofix

Krzysztof_pawl · 31 Maj 2007 16:04

Użyłem tych wszystkich programów: VundoFix + Trojan.Vundo Removal Tool + VirtumundoBeGone! Czekam na dalsze wskazówki

log z combofixa:

“Krzysiek” - 2007-05-31 17:39:33 Dodatek Service Pack 2 [sAFE MODE] ComboFix 07-05.27.BV - Running from: “” (((((((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) “C:\WINDOWS\system32\0_exception.nls” “C:\WINDOWS\system32\dlh9jkd1q2.exe” “C:\WINDOWS\system32\dlh9jkd1q6.exe” “C:\WINDOWS\system32\dlh9jkd1q7.exe” “C:\WINDOWS\system32\dlh9jkd1q8.exe” “C:\WINDOWS\system32\kernels32.exe” “C:\WINDOWS\system32\vexg4am1et2.exe” “C:\WINDOWS\system32\vexg6ame4.exe” “C:\WINDOWS\system32\vexga1me4t1.exe” “C:\WINDOWS\system32\vexga4m1et4.exe” “C:\WINDOWS\system32\vexga4me1.exe” “C:\WINDOWS\system32\vexga5me3.exe” “C:\WINDOWS\system32\vexga8me6.exe” “C:\1.exe” “C:\WINDOWS\system32\alt.exe.exe” “C:\WINDOWS\system32\pee.exe.exe” “C:\WINDOWS\retadpu27.exe” “C:\DOCUME~1\Lucyna\DANEAP~1\Install.dat” “C:\WINDOWS\system32\max1d164v.exe” “C:\WINDOWS\system32\drivers\ip6fw.sys” “C:\WINDOWS\system32\lxcin.dll” “C:\WINDOWS\system32\ykiio.dll” “C:\Program Files\bravesentry\BraveSentry.exe” “C:\Program Files\bravesentry\BraveSentry.lic” “C:\Program Files\bravesentry\BraveSentry0.bs” “C:\Program Files\bravesentry\BraveSentry1.bs” “C:\Program Files\bravesentry\Uninstall.exe” “C:\WINDOWS\system32\command.pif” “C:\WINDOWS\system32\info.txt” “C:\WINDOWS\system32\ksys.sys” “C:\WINDOWS\system32\spoolsvv.exe” “C:\WINDOWS\system32\svcp.csv” “C:\WINDOWS\system32\vx.tll” “C:\WINDOWS\system32\wincom32.ini” “C:\WINDOWS\system32\wincom32.sys” “C:\WINDOWS\system32\winsub.xml” “C:\WINDOWS\system32\wtssvit.exe” “C:\windows\xpupdate.exe” “C:\WINDOWS\hosts” “C:\WINDOWS\iexplorer.exe” “C:\WINDOWS\system32\spoolsvv.sys” “C:\WINDOWS\system32\a3dx8.dll” “C:\Program Files\bravesentry” “C:\WINDOWS\system32\drivers\runtime2.sys” – Purity Folders: C:\WINDOWS\APPATC~1 C:\WINDOWS\MCROSO~1 C:\WINDOWS\ICROSO~1 C:\WINDOWS\PPATCH~1 C:\Program Files\Common Files\FNTS~1 C:\Program Files\Common Files\CURITY~1 C:\Program Files\Common Files\DOBE~1 C:\Program Files\WNSXS~1 C:\Program Files\ICROSO~1 ((((((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) -------\LEGACY_DRIVER -------\LEGACY_ICF -------\LEGACY_NDNET1 -------\LEGACY_RUNTIME -------\LEGACY_RUNTIME2 -------\LEGACY_WINCOM32 -------\Driver -------\ICF -------\NDnet1 -------\runtime ((((((((((((((((((((((((((((((( Files Created from 2007-04-28 to 2007-05-31 )))))))))))))))))))))))))))))))))) 2007-05-31 17:27 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys 2007-05-31 13:22 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys 2007-05-31 13:22 298,104 --a------ C:\WINDOWS\system32\imon.dll 2007-05-31 13:22 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys 2007-05-31 10:52 2007-05-31 01:48 61,040 --a------ C:\WINDOWS\system32\xpdx.sys 2007-05-30 23:51 6,144 --a------ C:\sysfcza.exe 2007-05-28 03:19 2007-05-25 22:01 73,216 --a------ C:\WINDOWS\ST6UNST.EXE 2007-05-25 22:01 249,856 --------- C:\WINDOWS\Setup1.exe 2007-05-22 23:26 2007-05-12 16:20 2007-04-29 19:09 268,048 --a------ C:\WINDOWS\system32\dxtmeta2.dll 2007-04-25 19:18 2007-04-05 22:28 36,528 --------- C:\WINDOWS\system32\drivers\PxHelp20.sys 2007-04-05 22:28 2,560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys 2007-04-05 22:28 2,432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys 2007-04-05 22:28 129,784 --------- C:\WINDOWS\system32\pxafs.dll 2007-04-05 22:28 115,880 --------- C:\WINDOWS\system32\pxinsi64.exe 2007-04-05 22:27 (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-05-30 23:49:12 14,336 ----a-w C:\WINDOWS\system32\svchost.exe 2007-05-30 21:47:05 -------- d-----w C:\Program Files\ViaCAD 2007-05-30 13:46:07 -------- d-----w C:\DOCUME~1\Krzysiek\DANEAP~1\Skype 2007-05-28 21:20:45 -------- d-----w C:\Program Files\SkanerOnline 2007-05-28 21:17:55 -------- d-----w C:\Program Files\Movie Maker 2007-05-28 21:16:54 -------- d-----w C:\Program Files\Microsoft ActiveSync 2007-05-28 21:15:01 -------- d-----w C:\Program Files\iTunes 2007-05-28 21:14:52 -------- d-----w C:\Program Files\IrfanView 2007-05-28 21:10:45 -------- d-----w C:\Program Files\Gadu-Gadu 2007-05-28 21:09:15 -------- d-----w C:\Program Files\eMule 2007-05-28 21:07:42 -------- d-----w C:\Program Files\Common Files\ScanSoft Shared 2007-05-28 21:04:24 -------- d-----w C:\Program Files\Commandos II 2007-05-18 23:05:24 -------- d-----w C:\Program Files\OpenOffice.org1.1.4 2007-05-15 22:53:22 -------- d-----w C:\Program Files\Opera 2007-04-27 17:39:30 -------- d-----w C:\Program Files\PITy 2007-04-24 19:23:16 -------- d-----w C:\DOCUME~1\Krzysiek\DANEAP~1\U3 2007-04-10 02:20:44 -------- d-----w C:\DOCUME~1\Krzysiek\DANEAP~1\Tlen.pl 2007-03-25 16:14:50 67,078 ----a-w C:\WINDOWS\system32\perfc015.dat 2007-03-25 16:14:50 435,978 ----a-w C:\WINDOWS\system32\perfh015.dat 2007-03-15 10:00:36 466,432 ----a-w C:\WINDOWS\system32\SkanerOnline.dll 2007-03-07 22:49:27 88,736 ----a-w C:\DOCUME~1\Krzysiek\DANEAP~1\GDIPFONTCACHEV1.DAT (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects] {04F8B48F-5241-05B0-40F2-222726F8ECC9}=C:\WINDOWS\system32\prkornor.dll [] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll [2005-11-10 14:22] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “LWBMOUSE”=“C:\Program Files\Tech\Wheel Mouse\5.2\MOUSE32A.EXE” [2002-05-24 14:54] “iTunesHelper”=“C:\Program Files\iTunes\iTunesHelper.exe” [2007-03-14 20:05] “Adobe Photo Downloader”=“C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe” [2005-06-07 00:46] “QuickTime Task”=“C:\Program Files\QuickTime\qttask.exe” [2007-04-27 09:41] “nod32kui”=“C:\Program Files\Eset\nod32kui.exe” [2007-05-31 13:21] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “_Windows”=“C:\WINDOWS\WinSecurity\services.exe” [] “ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-04 01:44] “H/PC Connection Agent”=“C:\PROGRA~1\MI3AA1~1\wcescomm.exe” [2005-11-15 21:02] “Gadu-Gadu”=“C:\Program Files\Gadu-Gadu\gg.exe” [2006-10-10 17:51] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce] “combofix”=C:\WINDOWS\system32\cmd.exe /c C:\ComboFix\Combobatch.bat [HKEY_USERS.default\software\microsoft\windows\currentversion\run] “ALUAlert”=C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe “Ueto”=“C:\PROGRA~1\COMMON~1\CURITY~1\logonui.exe” -vt ndrv “”=C:\WINDOWS\APPATC~1\OOL32~1.EXE “Qzp”=C:\Documents and Settings\Lucyna\Dane aplikacji?icrosoft.NET\w?aclt.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\botreg] C:\Documents and Settings\All Users\Dokumenty\Settings\bot.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] “appinit_dlls”= [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Gamma Loader.lnk] path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Gamma Loader.lnk backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk] path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Corel MEDIA FOLDERS INDEXER 8.LNK] path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Corel MEDIA FOLDERS INDEXER 8.LNK backup=C:\WINDOWS\pss\Corel MEDIA FOLDERS INDEXER 8.LNKCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^hp psc 1000 series.lnk] path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\hp psc 1000 series.lnk backup=C:\WINDOWS\pss\hp psc 1000 series.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^hpoddt01.exe.lnk] path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\hpoddt01.exe.lnk backup=C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Microsoft Office.lnk] path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Microsoft Office.lnk backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Krzysiek^Menu Start^Programy^Autostart^Registration Heroes of Might & Magic 5.LNK] path=C:\Documents and Settings\Krzysiek\Menu Start\Programy\Autostart\Registration Heroes of Might & Magic 5.LNK backup=C:\WINDOWS\pss\Registration Heroes of Might & Magic 5.LNKStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader] “C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp] “C:\Program Files\Common Files\Symantec Shared\ccApp.exe” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gah95on6] C:\WINDOWS\system32\gah95on6.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Iocios] C:\Program Files\Jcxzf\Ylnreu.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] “C:\Program Files\iTunes\iTunesHelper.exe” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck] C:\WINDOWS\system32\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Preview AdService] C:\Program Files\Preview AdService\PrevAdServ.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype] “C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VVSN] C:\Program Files\VVSN\VVSN.exe HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs* [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F] AutoRun\command- F:\LaunchU3.exe -a [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{63e4ae24-ce5d-11da-bdc6-000b6a86e35d}] AutoRun\command- EXPLORER.EXE explore\Command- EXPLORER.EXE open\Command- EXPLORER.EXE [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{aff17b2a-3b47-11da-bc12-000b6a86e35d}] AutoRun\command- F:\EXPLORER.EXE explore\Command- F:\EXPLORER.EXE open\Command- F:\EXPLORER.EXE Contents of the ‘Scheduled Tasks’ folder 2007-05-26 13:06:01 C:\WINDOWS\tasks\AppleSoftwareUpdate.job 2005-12-22 21:49:14 C:\WINDOWS\tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1100294681.job 2007-05-31 00:07:00 C:\WINDOWS\tasks\Symantec NetDetect.job ******************************************************************** catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net Rootkit scan 2007-05-31 17:56:10 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ******************************************************************** Completion time: 2007-05-31 17:57:42 - machine was rebooted C:\ComboFix-quarantined-files.txt … 2007-05-31 17:57 — E O F —

Gutek · 31 Maj 2007 16:54

Czyszczenie rejestru:

RegCleaner - http://www.dobreprogramy.pl/index.php?dz=2&t=29&id=177

możesz rejestr przelecieć albo

jv16 PowerTools - http://www.dobreprogramy.pl/index.php?dz=2&t=29&id=509

Po tym daj log z Silenta

usuń jeszcze te pliki

Krzysztof_pawl · 31 Maj 2007 19:43

wyczyściłem rejestry RegCleanerem. C:\WINDOWS\system32\xpdx.sys - tego pliku nie da się usunąć.

Log z Silent Runners

“Silent Runners.vbs”, revision R50, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “CTFMON.EXE” = “C:\WINDOWS\system32\ctfmon.exe” [MS] “MSMSGS” = ““C:\Program Files\Messenger\msmsgs.exe” /background” [MS] “Gadu-Gadu” = ““C:\Program Files\Gadu-Gadu\gg.exe” /tray” [“Gadu-Gadu S.A.”] “H/PC Connection Agent” = ““C:\Program Files\Microsoft ActiveSync\wcescomm.exe”” [MS] “Ueto” = ““C:\DOCUME~1\Lucyna\MOJEDO~1\STEM~1\winlogon.exe” -vt ndrv” [file not found] “Pvcucfv” = “C:\WINDOWS\A*pPatch**ool32.exe” (unwritable string) [file not found] “Skype” = ““C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized” [“Skype Technologies S.A.”] “Windows update loader” = “C:\Windows\xpupdate.exe” [file not found] “Service Pack 1” = “C:\WINDOWS\system32\vexg6ame4.exe” [file not found] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “LWBMOUSE” = “C:\Program Files\Tech\Wheel Mouse\5.2\MOUSE32A.EXE” [empty string] “iTunesHelper” = ““C:\Program Files\iTunes\iTunesHelper.exe”” [“Apple Inc.”] “Adobe Photo Downloader” = ““C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe”” [“Adobe Systems Incorporated”] “QuickTime Task” = ““C:\Program Files\QuickTime\qttask.exe” -atboottime” [“Apple Inc.”] “nod32kui” = ““C:\Program Files\Eset\nod32kui.exe” /WAITSERVICE” ["Eset "] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “Adobe PDF Reader Link Helper” \InProcServer32(Default) = “C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided) -> {HKLM…CLSID} = “SSVHelper Class” \InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll” [“Sun Microsystems, Inc.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”] “{0006F045-0000-0000-C000-000000000046}” = “Microsoft Outlook Custom Icon Handler” -> {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook” \InProcServer32(Default) = “C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL” [MS] “{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Microsoft Office\Office10\msohev.dll” [MS] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] “{cc86590a-b60a-48e6-996b-41d25ed39a1e}” = “Portable Media Devices Menu” -> {HKLM…CLSID} = “Portable Media Devices Menu” \InProcServer32(Default) = “C:\WINDOWS\system32\Audiodev.dll” [MS] “{63542C48-9552-494A-84F7-73AA6A7C99C1}” = “OpenOffice Property Sheet Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\OpenOffice.org1.1.4\program\shlxthdl.dll” [“Sun Microsystems, Inc.”] “{0A082D00-EC93-11D0-B1E6-80580BC10627}” = “Corel Media Folder Root Menu Handler” -> {HKLM…CLSID} = “Corel Media Folder Root Menu Handler” \InProcServer32(Default) = “C:\Corel\Graphics8\programs\CMFFld80.dll” [empty string] “{0FBF99C1-4127-11D1-B1E6-C17E96D9180A}” = “Folder To Corel Media Folder Menu Handler” -> {HKLM…CLSID} = “Folder To Corel Media Folder Menu Handler” \InProcServer32(Default) = “C:\Corel\Graphics8\programs\CMFFld80.dll” [empty string] “{854AF161-1AE1-11D1-AB9B-00C0F00683EB}” = “Corel Media Folder” -> {HKLM…CLSID} = “Corel Media Folder” \InProcServer32(Default) = “C:\Corel\Graphics8\programs\CMFFld80.dll” [empty string] “{E856F161-1AE5-11d1-AB9B-00C0F00683EB}” = “Corel Media Folder” -> {HKLM…CLSID} = “Corel Media Folder” \InProcServer32(Default) = “C:\Corel\Graphics8\programs\CMFFld80.dll” [empty string] “{CDB89701-262F-11D1-AB9C-00C0F00683EB}” = “Corel Media Find Folder” -> {HKLM…CLSID} = “Corel Media Find Folder” \InProcServer32(Default) = “C:\Corel\Graphics8\programs\CMFFld80.dll” [empty string] “{F8152501-455F-11D1-B1E6-444553540000}” = “Corel Media Folder Copy Hook Handler” -> {HKLM…CLSID} = “Corel Media Folder Copy Hook Handler” \InProcServer32(Default) = “C:\Corel\Graphics8\programs\CMFFld80.dll” [empty string] “{8E524B0D-04F0-11D1-B74A-00A0C90646A4}” = “IconFactTemp.NSIconHandlerFactory” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Corel\Graphics8\programs\CNSFlt80.dll” [“Corel Corporation”] “{A2AC368A-F883-11D0-B745-00A0C90646A4}” = “NSFiltManDll.FiltManCom” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Corel\Graphics8\programs\CNSFlt80.dll” [“Corel Corporation”] “{B63FCD5A-2396-11D1-B762-00A0C90646A4}” = “*n” (unwritable string) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Corel\Graphics8\programs\CMFFnd80.dll” [“Corel Corporation”] “{472083B0-C522-11CF-8763-00608CC02F24}” = “avast” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] “{49BF5420-FA7F-11cf-8011-00A0C90A8F78}” = “Mobile Device” -> {HKLM…CLSID} = “Urządzenie przenośne” \InProcServer32(Default) = “C:\PROGRA~1\MI3AA1~1\Wcesview.dll” [MS] “{6889CDD0-3116-11D0-97E2-080036CAF901}” = “GMLayout Symbols Custom Icon Handler” -> {HKLM…CLSID} = “GMLayout Symbols Custom Icon Handler” \InProcServer32(Default) = “c:\program files\geomedia professional\Program\symbext.dll” [“Intergraph Process, Power & Offshore”] “{e57ce731-33e8-4c51-8354-bb4de9d215d1}” = “Uniwersalne urządzenia Plug and Play” -> {HKLM…CLSID} = “Uniwersalne urządzenia Plug and Play” \InProcServer32(Default) = “C:\WINDOWS\system32\upnpui.dll” [MS] “{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}” = “iTunes” -> {HKLM…CLSID} = “iTunes” \InProcServer32(Default) = “C:\Program Files\iTunes\iTunesMiniPlayer.dll” [“Apple Inc.”] “{B089FE88-FB52-11D3-BDF1-0050DA34150D}” = “NOD32 Context Menu Shell Extension” -> {HKLM…CLSID} = “NOD32 Context Menu Shell Extension” \InProcServer32(Default) = “C:\Program Files\Eset\nodshex.dll” [null data] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <> AtiExtEvent\DLLName = “Ati2evxx.dll” [“ATI Technologies Inc.”] <> botreg\DLLName = “C:\Documents and Settings\All Users\Dokumenty\Settings\bot.dll” [null data] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info” -> {HKLM…CLSID} = “PDF Shell Extension” \InProcServer32(Default) = “C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] NOD32 Context Menu Shell Extension(Default) = “{B089FE88-FB52-11D3-BDF1-0050DA34150D}” -> {HKLM…CLSID} = “NOD32 Context Menu Shell Extension” \InProcServer32(Default) = “C:\Program Files\Eset\nodshex.dll” [null data] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ FolderToCorelMediaFolder(Default) = “{0FBF99C1-4127-11D1-B1E6-C17E96D9180A}” -> {HKLM…CLSID} = “Folder To Corel Media Folder Menu Handler” \InProcServer32(Default) = “C:\Corel\Graphics8\programs\CMFFld80.dll” [empty string] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] NOD32 Context Menu Shell Extension(Default) = “{B089FE88-FB52-11D3-BDF1-0050DA34150D}” -> {HKLM…CLSID} = “NOD32 Context Menu Shell Extension” \InProcServer32(Default) = “C:\Program Files\Eset\nodshex.dll” [null data] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] Default executables: -------------------- HKLM\Software\Classes.scr\ = (key not found) Group Policies {policy setting}: -------------------------------- Note: detected settings may not have any effect. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ “NoActiveDesktop” = (REG_DWORD) hex:0x00000000 {Disable Active Desktop} “ClassicShell” = (REG_DWORD) hex:0x00000000 {Enable Classic Shell / Turn on Classic Shell} “ForceActiveDesktopOn” = (REG_DWORD) hex:0x00000001 {Enable Active Desktop} HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “DisableRegistryTools” = (REG_DWORD) hex:0x00000000 {Prevent access to registry editing tools} HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\WINDOWS\web\wallpaper\Idylla.bmp” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\WINDOWS\web\wallpaper\Idylla.bmp” Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ “SCRNSAVE.EXE” = “C:\WINDOWS\System32\logon.scr” [MS]

qrczak13 · 31 Maj 2007 20:21

Log z silenta ucięty. Poczekaj na komunikat All Done i wklej całego

Krzysztof_pawl · 31 Maj 2007 20:57

Jeszcze raz log z silent runners. Tym razem mam nadziej że cały

“Silent Runners.vbs”, revision R50, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by “{++}”

Startup items buried in registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

“CTFMON.EXE” = “C:\WINDOWS\system32\ctfmon.exe” [MS]

“MSMSGS” = ““C:\Program Files\Messenger\msmsgs.exe” /background” [MS]

“Gadu-Gadu” = ““C:\Program Files\Gadu-Gadu\gg.exe” /tray” [“Gadu-Gadu S.A.”]

“H/PC Connection Agent” = ““C:\Program Files\Microsoft ActiveSync\wcescomm.exe”” [MS]

“Ueto” = ““C:\DOCUME~1\Lucyna\MOJEDO~1\STEM~1\winlogon.exe” -vt ndrv” [file not found]

“Pvcucfv” = “C:\WINDOWS\A*pPatch**ool32.exe” (unwritable string) [file not found]

“Skype” = ““C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized” [“Skype Technologies S.A.”]

“Windows update loader” = “C:\Windows\xpupdate.exe” [file not found]

“Service Pack 1” = “C:\WINDOWS\system32\vexg6ame4.exe” [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

“LWBMOUSE” = “C:\Program Files\Tech\Wheel Mouse\5.2\MOUSE32A.EXE” [empty string]

“iTunesHelper” = ““C:\Program Files\iTunes\iTunesHelper.exe”” [“Apple Inc.”]

“Adobe Photo Downloader” = ““C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe”” [“Adobe Systems Incorporated”]

“QuickTime Task” = ““C:\Program Files\QuickTime\qttask.exe” -atboottime” [“Apple Inc.”]

“nod32kui” = ““C:\Program Files\Eset\nod32kui.exe” /WAITSERVICE” ["Eset "]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided)

-> {HKLM…CLSID} = “Adobe PDF Reader Link Helper”

\InProcServer32(Default) = “C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided)

-> {HKLM…CLSID} = “SSVHelper Class”

\InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll” [“Sun Microsystems, Inc.”]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

“{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania”

-> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania”

\InProcServer32(Default) = “deskpan.dll” [file not found]

“{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu”

-> {HKLM…CLSID} = “HyperTerminal Icon Ext”

\InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”]

“{0006F045-0000-0000-C000-000000000046}” = “Microsoft Outlook Custom Icon Handler”

-> {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook”

\InProcServer32(Default) = “C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL” [MS]

“{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler”

-> {HKLM…CLSID} = (no title provided)

\InProcServer32(Default) = “C:\Program Files\Microsoft Office\Office10\msohev.dll” [MS]

“{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension”

-> {HKLM…CLSID} = “WinRAR”

\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]

“{cc86590a-b60a-48e6-996b-41d25ed39a1e}” = “Portable Media Devices Menu”

-> {HKLM…CLSID} = “Portable Media Devices Menu”

\InProcServer32(Default) = “C:\WINDOWS\system32\Audiodev.dll” [MS]

“{63542C48-9552-494A-84F7-73AA6A7C99C1}” = “OpenOffice Property Sheet Handler”

-> {HKLM…CLSID} = (no title provided)

\InProcServer32(Default) = “C:\Program Files\OpenOffice.org1.1.4\program\shlxthdl.dll” [“Sun Microsystems, Inc.”]

“{0A082D00-EC93-11D0-B1E6-80580BC10627}” = “Corel Media Folder Root Menu Handler”

-> {HKLM…CLSID} = “Corel Media Folder Root Menu Handler”

\InProcServer32(Default) = “C:\Corel\Graphics8\programs\CMFFld80.dll” [empty string]

“{0FBF99C1-4127-11D1-B1E6-C17E96D9180A}” = “Folder To Corel Media Folder Menu Handler”

-> {HKLM…CLSID} = “Folder To Corel Media Folder Menu Handler”

\InProcServer32(Default) = “C:\Corel\Graphics8\programs\CMFFld80.dll” [empty string]

“{854AF161-1AE1-11D1-AB9B-00C0F00683EB}” = “Corel Media Folder”

-> {HKLM…CLSID} = “Corel Media Folder”

\InProcServer32(Default) = “C:\Corel\Graphics8\programs\CMFFld80.dll” [empty string]

“{E856F161-1AE5-11d1-AB9B-00C0F00683EB}” = “Corel Media Folder”

-> {HKLM…CLSID} = “Corel Media Folder”

\InProcServer32(Default) = “C:\Corel\Graphics8\programs\CMFFld80.dll” [empty string]

“{CDB89701-262F-11D1-AB9C-00C0F00683EB}” = “Corel Media Find Folder”

-> {HKLM…CLSID} = “Corel Media Find Folder”

\InProcServer32(Default) = “C:\Corel\Graphics8\programs\CMFFld80.dll” [empty string]

“{F8152501-455F-11D1-B1E6-444553540000}” = “Corel Media Folder Copy Hook Handler”

-> {HKLM…CLSID} = “Corel Media Folder Copy Hook Handler”

\InProcServer32(Default) = “C:\Corel\Graphics8\programs\CMFFld80.dll” [empty string]

“{8E524B0D-04F0-11D1-B74A-00A0C90646A4}” = “IconFactTemp.NSIconHandlerFactory”

-> {HKLM…CLSID} = (no title provided)

\InProcServer32(Default) = “C:\Corel\Graphics8\programs\CNSFlt80.dll” [“Corel Corporation”]

“{A2AC368A-F883-11D0-B745-00A0C90646A4}” = “NSFiltManDll.FiltManCom”

-> {HKLM…CLSID} = (no title provided)

\InProcServer32(Default) = “C:\Corel\Graphics8\programs\CNSFlt80.dll” [“Corel Corporation”]

“{B63FCD5A-2396-11D1-B762-00A0C90646A4}” = “*g” (unwritable string)

-> {HKLM…CLSID} = (no title provided)

\InProcServer32(Default) = “C:\Corel\Graphics8\programs\CMFFnd80.dll” [“Corel Corporation”]

“{472083B0-C522-11CF-8763-00608CC02F24}” = “avast”

-> {HKLM…CLSID} = “avast”

\InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”]

“{49BF5420-FA7F-11cf-8011-00A0C90A8F78}” = “Mobile Device”

-> {HKLM…CLSID} = “Urządzenie przenośne”

\InProcServer32(Default) = “C:\PROGRA~1\MI3AA1~1\Wcesview.dll” [MS]

“{6889CDD0-3116-11D0-97E2-080036CAF901}” = “GMLayout Symbols Custom Icon Handler”

-> {HKLM…CLSID} = “GMLayout Symbols Custom Icon Handler”

\InProcServer32(Default) = “c:\program files\geomedia professional\Program\symbext.dll” [“Intergraph Process, Power & Offshore”]

“{e57ce731-33e8-4c51-8354-bb4de9d215d1}” = “Uniwersalne urządzenia Plug and Play”

-> {HKLM…CLSID} = “Uniwersalne urządzenia Plug and Play”

\InProcServer32(Default) = “C:\WINDOWS\system32\upnpui.dll” [MS]

“{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}” = “iTunes”

-> {HKLM…CLSID} = “iTunes”

\InProcServer32(Default) = “C:\Program Files\iTunes\iTunesMiniPlayer.dll” [“Apple Inc.”]

“{B089FE88-FB52-11D3-BDF1-0050DA34150D}” = “NOD32 Context Menu Shell Extension”

-> {HKLM…CLSID} = “NOD32 Context Menu Shell Extension”

\InProcServer32(Default) = “C:\Program Files\Eset\nodshex.dll” [null data]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

<> AtiExtEvent\DLLName = “Ati2evxx.dll” [“ATI Technologies Inc.”]

<> botreg\DLLName = “C:\Documents and Settings\All Users\Dokumenty\Settings\bot.dll” [null data]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info”

-> {HKLM…CLSID} = “PDF Shell Extension”

\InProcServer32(Default) = “C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”]

HKLM\Software\Classes*\shellex\ContextMenuHandlers\

avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}”

-> {HKLM…CLSID} = “avast”

\InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”]

NOD32 Context Menu Shell Extension(Default) = “{B089FE88-FB52-11D3-BDF1-0050DA34150D}”

-> {HKLM…CLSID} = “NOD32 Context Menu Shell Extension”

\InProcServer32(Default) = “C:\Program Files\Eset\nodshex.dll” [null data]

WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”

-> {HKLM…CLSID} = “WinRAR”

\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

FolderToCorelMediaFolder(Default) = “{0FBF99C1-4127-11D1-B1E6-C17E96D9180A}”

-> {HKLM…CLSID} = “Folder To Corel Media Folder Menu Handler”

\InProcServer32(Default) = “C:\Corel\Graphics8\programs\CMFFld80.dll” [empty string]

WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”

-> {HKLM…CLSID} = “WinRAR”

\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}”

-> {HKLM…CLSID} = “avast”

\InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”]

NOD32 Context Menu Shell Extension(Default) = “{B089FE88-FB52-11D3-BDF1-0050DA34150D}”

-> {HKLM…CLSID} = “NOD32 Context Menu Shell Extension”

\InProcServer32(Default) = “C:\Program Files\Eset\nodshex.dll” [null data]

WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”

-> {HKLM…CLSID} = “WinRAR”

\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]

Default executables:

HKLM\Software\Classes.scr\ = (key not found)

Group Policies {policy setting}:

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

“NoActiveDesktop” = (REG_DWORD) hex:0x00000000

{Disable Active Desktop}

“ClassicShell” = (REG_DWORD) hex:0x00000000

{Enable Classic Shell / Turn on Classic Shell}

“ForceActiveDesktopOn” = (REG_DWORD) hex:0x00000001

{Enable Active Desktop}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

“DisableRegistryTools” = (REG_DWORD) hex:0x00000000

{Prevent access to registry editing tools}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

“shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001

{Shutdown: Allow system to be shut down without having to log on}

“undockwithoutlogon” = (REG_DWORD) hex:0x00000001

{Devices: Allow undock without having to log on}

Active Desktop and Wallpaper:

Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

“Wallpaper” = “C:\WINDOWS\web\wallpaper\Idylla.bmp”

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

“Wallpaper” = “C:\WINDOWS\web\wallpaper\Idylla.bmp”

Enabled Screen Saver:

HKCU\Control Panel\Desktop\

“SCRNSAVE.EXE” = “C:\WINDOWS\System32\logon.scr” [MS]

Startup items in “Lucyna” & “All Users” startup folders:

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

“Adobe Reader Speed Launch” -> shortcut to: “C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe” [“Adobe Systems Incorporated”]

“Adobe Reader Synchronizer” -> shortcut to: “C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe” [null data]

Enabled Scheduled Tasks:

“AppleSoftwareUpdate” -> launches: “C:\Program Files\Apple Software Update\SoftwareUpdate.exe -Task” [“Apple Computer, Inc.”]

“FRU Task #Hewlett-Packard#hp psc 1200 series#1100294681” -> launches: "C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe -I “#Hewlett-Packard#hp psc 1200 series#1100294681"” [empty string]

“Symantec NetDetect” -> launches: “C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE” [“Symantec Corporation”]

Winsock2 Service Provider DLLs:

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]

000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS]

000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

C:\WINDOWS\system32\imon.dll ["Eset "], 01 - 05, 19

%SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 11 - 18

%SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10

Toolbars, Explorer Bars, Extensions:

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

“{EF99BD32-C1FB-11D2-892F-0090271D4F88}”

-> {HKLM…CLSID} = “Yahoo! Toolbar”

\InProcServer32(Default) = “C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll” [“Yahoo! Inc.”]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\

“{EF99BD32-C1FB-11D2-892F-0090271D4F88}” = (no title provided)

-> {HKLM…CLSID} = “Yahoo! Toolbar”

\InProcServer32(Default) = “C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll” [“Yahoo! Inc.”]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}(Default) = (no title provided)

-> {HKLM…CLSID} = “Real.com”

\InProcServer32(Default) = “C:\WINDOWS\system32\Shdocvw.dll” [MS]

HKLM\Software\Classes\CLSID{0494D0DE-F8E0-41AD-92A3-14154ECE70AC}(Default) = “SearchBar Quick View”

Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32(Default) = “C:\WINDOWS\system32\shdocvw.dll” [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

“MenuText” = “Sun Java Console”

“CLSIDExtension” = “{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}”

-> {HKCU…CLSID} = “Java Plug-in”

\InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll” [“Sun Microsystems, Inc.”]

-> {HKLM…CLSID} = “Java Plug-in 1.5.0_06”

\InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll” [“Sun Microsystems, Inc.”]

{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}\

“ButtonText” = “Create Mobile Favorite”

“CLSIDExtension” = “{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}”

-> {HKLM…CLSID} = “Create Mobile Favorite”

\InProcServer32(Default) = “C:\PROGRA~1\MI3AA1~1\INetRepl.dll” [MS]

{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}\

“MenuText” = “Utwórz łącze Ulubione dla urządzenia przenośnego…”

“CLSIDExtension” = “{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}”

-> {HKLM…CLSID} = “Create Mobile Favorite”

\InProcServer32(Default) = “C:\PROGRA~1\MI3AA1~1\INetRepl.dll” [MS]

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\

“ButtonText” = “Real.com”

{EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A}\

“ButtonText” = “eBay - Homepage”

“CLSIDExtension” = “{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}”

-> {HKLM…CLSID} = “Toolbar Extension for Executable”

\InProcServer32(Default) = “C:\WINDOWS\System32\shdocvw.dll” [MS]

“Exec” = “C:\Program Files\IrfanView\Ebay\Ebay.htm” [null data]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\

“ButtonText” = “Messenger”

“MenuText” = “Windows Messenger”

“Exec” = “C:\Program Files\Messenger\msmsgs.exe” [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):

Ati HotKey Poller, Ati HotKey Poller, “C:\WINDOWS\system32\Ati2evxx.exe” [“ATI Technologies Inc.”]

avast! Antivirus, avast! Antivirus, ““C:\Program Files\Alwil Software\Avast4\ashServ.exe”” [null data]

avast! iAVS4 Control Service, aswUpdSv, ““C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe”” [null data]

avast! Mail Scanner, avast! Mail Scanner, ““C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe” /service” [“ALWIL Software”]

avast! Web Scanner, avast! Web Scanner, ““C:\Program Files\Alwil Software\Avast4\ashWebSv.exe” /service” [“ALWIL Software”]

AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, “C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe” [“Anti-Malware Development a.s.”]

C-DillaCdaC11BA, C-DillaCdaC11BA, “C:\WINDOWS\system32\drivers\CDAC11BA.EXE” [“Macrovision”]

iPod Service, iPod Service, ““C:\Program Files\iPod\bin\iPodService.exe”” [“Apple Inc.”]

Machine Debug Manager, MDM, ““C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe”” [MS]

NOD32 Kernel Service, NOD32krn, ““C:\Program Files\Eset\nod32krn.exe”” ["Eset "]

Sentinel Protection Server, SentinelProtectionServer, ““C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe”” [“SafeNet, Inc”]

STI Simulator, STI Simulator, “C:\WINDOWS\System32\PAStiSvc.exe” [null data]

Windows User Mode Driver Framework, UMWdf, “C:\WINDOWS\system32\wdfmgr.exe” [MS]

Print Monitors:

HKLM\System\CurrentControlSet\Control\Print\Monitors\

hpzsnt07\Driver = “hpzsnt07.dll” [“HP”]

Monitor języka PJL\Driver = “PJLMON.DLL” [MS]

<>: Suspicious data at a malware launch point.

This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,

launch it from a command prompt or a shortcut with the -all parameter.

The search for DESKTOP.INI DLL launch points on all local fixed drives

took 350 seconds.

---------- (total run time: 496 seconds)

Joan · 31 Maj 2007 21:08

Obejmij proszę logi w tagi QUOTE lub CODE i popraw temat na konkretny > użyj przycisku

Ściągasz narzędzie KillBox, zaznaczasz Delete on Reboot, potem klikasz All Files i wklejasz do pola Full Path of File to Delete ścieżkę:

C:\Documents and Settings\All Users\Dokumenty\Settings\bot.dll

Klikasz X i reset sysa.

Otwórz notatnik i wklej w nim to:

Plik - zapisz jako - zmień rozszerzenie na wszystkie pliki - zapisz pod nazwą FIX.REG

Odpal plik FIX.REG i potwierdź dodanie do rejestru i reset kompa

Krzysztof_pawl · 1 Czerwiec 2007 08:59

Wykonałem wszystko zgodnie z zaleceniami. Czy jeszcze coś trzeba zrobić?

adam9870 · 1 Czerwiec 2007 09:00

Tak, dla pewności wklej nowy log z ComboFix.

Krzysztof_pawl · 1 Czerwiec 2007 09:28

log z combofixa

“Krzysiek” - 2007-06-01 11:12:56 Dodatek Service Pack 2 ComboFix 07-05.27.BV - Running from: “C:\Documents and Settings\Krzysiek\Pulpit” ((((((((((((((((((((((((((((((( Files Created from 2007-05-01 to 2007-06-01 )))))))))))))))))))))))))))))))))) 2007-06-01 10:32 2007-05-31 19:45 2007-05-31 17:57 49,152 --a------ C:\WINDOWS\nircmd.exe 2007-05-31 17:27 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys 2007-05-31 13:22 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys 2007-05-31 13:22 298,104 --a------ C:\WINDOWS\system32\imon.dll 2007-05-31 13:22 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys 2007-05-31 10:52 2007-05-31 01:48 61,040 --a------ C:\WINDOWS\system32\xpdx.sys 2007-05-28 03:19 2007-05-25 22:01 73,216 --a------ C:\WINDOWS\ST6UNST.EXE 2007-05-25 22:01 249,856 --------- C:\WINDOWS\Setup1.exe 2007-05-22 23:26 2007-05-12 16:20 (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-05-30 23:49:12 14,336 ----a-w C:\WINDOWS\system32\svchost.exe 2007-05-30 21:47:05 -------- d-----w C:\Program Files\ViaCAD 2007-05-30 13:46:07 -------- d-----w C:\DOCUME~1\Krzysiek\DANEAP~1\Skype 2007-05-28 21:20:45 -------- d-----w C:\Program Files\SkanerOnline 2007-05-28 21:17:55 -------- d-----w C:\Program Files\Movie Maker 2007-05-28 21:16:54 -------- d-----w C:\Program Files\Microsoft ActiveSync 2007-05-28 21:15:01 -------- d-----w C:\Program Files\iTunes 2007-05-28 21:14:52 -------- d-----w C:\Program Files\IrfanView 2007-05-28 21:10:45 -------- d-----w C:\Program Files\Gadu-Gadu 2007-05-28 21:09:15 -------- d-----w C:\Program Files\eMule 2007-05-28 21:07:42 -------- d-----w C:\Program Files\Common Files\ScanSoft Shared 2007-05-28 21:04:24 -------- d-----w C:\Program Files\Commandos II 2007-05-25 19:34:04 -------- d-----w C:\Program Files\Winamp 2007-05-18 23:05:24 -------- d-----w C:\Program Files\OpenOffice.org1.1.4 2007-05-15 22:53:22 -------- d-----w C:\Program Files\Opera 2007-04-27 17:39:30 -------- d-----w C:\Program Files\PITy 2007-04-24 19:23:16 -------- d-----w C:\DOCUME~1\Krzysiek\DANEAP~1\U3 2007-04-10 02:20:44 -------- d-----w C:\DOCUME~1\Krzysiek\DANEAP~1\Tlen.pl 2007-03-25 16:14:50 67,078 ----a-w C:\WINDOWS\system32\perfc015.dat 2007-03-25 16:14:50 435,978 ----a-w C:\WINDOWS\system32\perfh015.dat 2007-03-15 10:00:36 466,432 ----a-w C:\WINDOWS\system32\SkanerOnline.dll 2007-03-07 22:49:27 88,736 ----a-w C:\DOCUME~1\Krzysiek\DANEAP~1\GDIPFONTCACHEV1.DAT (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll [2005-11-10 14:22] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “LWBMOUSE”=“C:\Program Files\Tech\Wheel Mouse\5.2\MOUSE32A.EXE” [2002-05-24 14:54] “iTunesHelper”=“C:\Program Files\iTunes\iTunesHelper.exe” [2007-03-14 20:05] “Adobe Photo Downloader”=“C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe” [2005-06-07 00:46] “QuickTime Task”=“C:\Program Files\QuickTime\qttask.exe” [2007-04-27 09:41] “nod32kui”=“C:\Program Files\Eset\nod32kui.exe” [2007-05-31 13:21] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “_Windows”=“C:\WINDOWS\WinSecurity\services.exe” [] “ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-04 01:44] “H/PC Connection Agent”=“C:\PROGRA~1\MI3AA1~1\wcescomm.exe” [2005-11-15 21:02] “Gadu-Gadu”=“C:\Program Files\Gadu-Gadu\gg.exe” [2006-10-10 17:51] [HKEY_USERS.default\software\microsoft\windows\currentversion\run] “ALUAlert”=C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe “Ueto”=“C:\PROGRA~1\COMMON~1\CURITY~1\logonui.exe” -vt ndrv “Qzp”=C:\Documents and Settings\Lucyna\Dane aplikacji?icrosoft.NET\w?aclt.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] “appinit_dlls”= [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Gamma Loader.lnk] path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Gamma Loader.lnk backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk] path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Corel MEDIA FOLDERS INDEXER 8.LNK] path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Corel MEDIA FOLDERS INDEXER 8.LNK backup=C:\WINDOWS\pss\Corel MEDIA FOLDERS INDEXER 8.LNKCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^hp psc 1000 series.lnk] path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\hp psc 1000 series.lnk backup=C:\WINDOWS\pss\hp psc 1000 series.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^hpoddt01.exe.lnk] path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\hpoddt01.exe.lnk backup=C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Microsoft Office.lnk] path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Microsoft Office.lnk backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Krzysiek^Menu Start^Programy^Autostart^Registration Heroes of Might & Magic 5.LNK] path=C:\Documents and Settings\Krzysiek\Menu Start\Programy\Autostart\Registration Heroes of Might & Magic 5.LNK backup=C:\WINDOWS\pss\Registration Heroes of Might & Magic 5.LNKStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader] “C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp] “C:\Program Files\Common Files\Symantec Shared\ccApp.exe” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gah95on6] C:\WINDOWS\system32\gah95on6.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Iocios] C:\Program Files\Jcxzf\Ylnreu.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] “C:\Program Files\iTunes\iTunesHelper.exe” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck] C:\WINDOWS\system32\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Preview AdService] C:\Program Files\Preview AdService\PrevAdServ.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype] “C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VVSN] C:\Program Files\VVSN\VVSN.exe HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs* [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F] AutoRun\command- F:\LaunchU3.exe -a [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{63e4ae24-ce5d-11da-bdc6-000b6a86e35d}] AutoRun\command- EXPLORER.EXE explore\Command- EXPLORER.EXE open\Command- EXPLORER.EXE [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{aff17b2a-3b47-11da-bc12-000b6a86e35d}] AutoRun\command- F:\EXPLORER.EXE explore\Command- F:\EXPLORER.EXE open\Command- F:\EXPLORER.EXE Contents of the ‘Scheduled Tasks’ folder 2007-05-26 13:06:01 C:\WINDOWS\tasks\AppleSoftwareUpdate.job 2005-12-22 21:49:14 C:\WINDOWS\tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1100294681.job 2007-06-01 00:07:03 C:\WINDOWS\tasks\Symantec NetDetect.job ******************************************************************** catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net Rootkit scan 2007-06-01 11:21:30 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ******************************************************************** Completion time: 2007-06-01 11:23:54 C:\ComboFix-quarantined-files.txt … 2007-06-01 11:23 C:\ComboFix2.txt … 2007-05-31 17:57 — E O F —

Złączono Posta : 01.06.2007 (Pią) 13:25

Mam też problem z drugim komputerem. Od pewnego czasu wiesza sie zaraz po uruchomieniu i nie reaguje na nic. Wcześniej dało się na nim w miarę pracował, chociaż co pare godzin się wieszał. Teraz wiesza się co 2-3 minuty. Uruchomiłem na nim: VundoFix + Trojan.Vundo Removal Tool + VirtumundoBeGone. Potem zrobiłem loga. Prosze o ich sprawdzenie.

Złączono Posta : 01.06.2007 (Pią) 13:31

log hijacthis

Logfile of HijackThis v1.99.1 Scan saved at 12:46:16, on 2007-06-01 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: D:\WINDOWS\System32\smss.exe D:\WINDOWS\system32\winlogon.exe D:\WINDOWS\system32\services.exe D:\WINDOWS\system32\lsass.exe D:\WINDOWS\system32\svchost.exe D:\WINDOWS\System32\svchost.exe D:\WINDOWS\system32\spoolsv.exe D:\Program Files\Eset\nod32krn.exe D:\WINDOWS\system32\wscntfy.exe D:\WINDOWS\Mixer.exe D:\Program Files\Eset\nod32kui.exe D:\WINDOWS\system32\ctfmon.exe D:\Program Files\Gadu-Gadu\gg.exe D:\Program Files\Wireless LAN Utility\SiWake.exe D:\Program Files\Wireless LAN Utility\SiSCFG.exe D:\Program Files\Internet Explorer\iexplore.exe D:\WINDOWS\system32\wuauclt.exe D:\Program Files\internet explorer\iexplore.exe D:\WINDOWS\explorer.exe D:\WINDOWS\system32\rundll32.exe D:\WINDOWS\system32\notepad.exe D:\DOCUME~1\Krzysiek\USTAWI~1\Temp\Katalog tymczasowy 1 dla hijackthis[1].zip\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll O4 - HKLM…\Run: [C-Media Mixer] Mixer.exe /startup O4 - HKLM…\Run: [nod32kui] “D:\Program Files\Eset\nod32kui.exe” /WAITSERVICE O4 - HKCU…\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe O4 - HKCU…\Run: [Gadu-Gadu] “D:\Program Files\Gadu-Gadu\gg.exe” /tray O4 - HKCU…\Run: [skype] “D:\Documents and Settings\Krzysiek\Pulpit\Skype.exe” /nosplash /minimized O4 - Global Startup: SiWake.lnk = D:\Program Files\Wireless LAN Utility\SiWake.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - D:\Program Files\Eset\nod32krn.exe

Złączono Posta : 01.06.2007 (Pią) 13:33

log combofix

“Krzysiek” - 2007-06-01 12:41:45 Dodatek Service Pack 2 ComboFix 07-05.27.BV - Running from: “D:\Documents and Settings\Krzysiek\Pulpit” (((((((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) “D:\DOCUME~1\Krzysiek\Pulpit\internet.lnk” ((((((((((((((((((((((((((((((( Files Created from 2007-05-01 to 2007-06-01 )))))))))))))))))))))))))))))))))) 2007-06-01 12:32 512,096 --a------ D:\WINDOWS\system32\drivers\amon.sys 2007-06-01 12:32 298,104 --a------ D:\WINDOWS\system32\imon.dll 2007-06-01 12:32 15,424 --a------ D:\WINDOWS\system32\drivers\nod32drv.sys 2007-06-01 11:25 2007-06-01 11:19 (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-04-29 14:34:59 -------- d-----w D:\Program Files\Gadu-Gadu 2007-04-26 16:03:12 0 ----a-w D:\WINDOWS\nsreg.dat 2007-04-26 15:59:58 -------- d-----w D:\Program Files\RegCleaner 2007-04-16 19:41:28 -------- d-----w D:\Program Files\Wireless LAN Utility 2007-04-16 19:41:13 -------- d-----w D:\Program Files\SiS163WinNT 2007-04-16 19:40:45 -------- d-----w D:\Program Files\Common Files\InstallShield 2007-04-16 19:40:32 1,386,496 ----a-w D:\WINDOWS\system32\msvbvm60.dll 2007-04-11 17:31:33 -------- d-----w D:\Program Files\InstallShield Installation Information 2007-04-11 17:31:23 -------- d-----w D:\Program Files\PowerQuest 2007-04-10 19:32:43 50,048 ----a-w D:\WINDOWS\system32\perfc015.dat 2007-04-10 19:32:43 356,508 ----a-w D:\WINDOWS\system32\perfh015.dat 2007-04-09 20:43:57 -------- d-----w D:\Program Files\Messenger 2007-04-09 19:28:27 -------- d-----w D:\DOCUME~1\Krzysiek\DANEAP~1\U3 2007-04-07 13:04:41 -------- d-----w D:\Program Files\Common Files\ODBC 2007-04-07 13:04:38 -------- d-----w D:\Program Files\Common Files\SpeechEngines 2007-04-07 11:54:22 -------- d-----w D:\DOCUME~1\Krzysiek\DANEAP~1\Skype 2007-04-07 11:52:27 -------- d-----w D:\DOCUME~1\Krzysiek\DANEAP~1\uTorrent 2007-04-07 11:17:49 -------- d-----w D:\Program Files\microsoft frontpage 2007-04-07 11:14:52 -------- d–h--w D:\Program Files\WindowsUpdate 2007-04-07 11:14:46 -------- d-----w D:\Program Files\Usługi online 2007-04-07 11:13:50 -------- d-----w D:\Program Files\Common Files\MSSoap 2007-04-07 11:13:40 -------- d-----w D:\Program Files\Movie Maker 2007-04-07 11:12:22 21,856 ----a-w D:\WINDOWS\system32\emptyregdb.dat 2007-04-07 11:11:36 -------- d-----w D:\Program Files\MSN Gaming Zone 2007-04-07 11:11:26 -------- d-----w D:\Program Files\Windows NT 2007-03-17 13:45:36 293,376 ----a-w D:\WINDOWS\system32\winsrv.dll 2007-03-08 15:38:47 579,072 ----a-w D:\WINDOWS\system32\user32.dll 2007-03-08 15:38:47 40,960 ----a-w D:\WINDOWS\system32\mf3216.dll 2007-03-08 15:38:47 281,600 ----a-w D:\WINDOWS\system32\gdi32.dll 2007-03-08 15:37:33 1,843,840 ----a-w D:\WINDOWS\system32\win32k.sys (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects] {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=D:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll [2003-11-04 00:17] {53707962-6F74-2D53-2644-206D7942484F}=D:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “C-Media Mixer”=“Mixer.exe” [] “nod32kui”=“D:\Program Files\Eset\nod32kui.exe” [2007-06-01 12:31] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “CTFMON.EXE”=“D:\WINDOWS\system32\ctfmon.exe” [2004-08-04 00:44] “Gadu-Gadu”=“D:\Program Files\Gadu-Gadu\gg.exe” [2007-01-30 16:58] “Skype”=“D:\Documents and Settings\Krzysiek\Pulpit\Skype.exe” [] HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs* [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I] AutoRun\command- I:\LaunchU3.exe -a ******************************************************************** catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net Rootkit scan 2007-06-01 12:43:39 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ******************************************************************** Completion time: 2007-06-01 12:45:14 D:\ComboFix-quarantined-files.txt … 2007-06-01 12:45 — E O F —

Gutek · 1 Czerwiec 2007 11:41

Pierwszy komp użyj ATF-Cleaner - http://www.atribune.org/ccount/click.php?id=1

Czyszczenie rejestru:

RegCleaner - http://www.dobreprogramy.pl/index.php?dz=2&t=29&id=177

możesz rejestr przelecieć albo

jv16 PowerTools - http://www.dobreprogramy.pl/index.php?dz=2&t=29&id=509

Drugi też albo RegCleaner albo jv16 PowerTools przeleć komp.

Krzysztof_pawl · 1 Czerwiec 2007 11:42

log z conbofix

“Krzysiek” - 2007-06-01 12:41:45 Dodatek Service Pack 2 ComboFix 07-05.27.BV - Running from: “D:\Documents and Settings\Krzysiek\Pulpit” (((((((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) “D:\DOCUME~1\Krzysiek\Pulpit\internet.lnk” ((((((((((((((((((((((((((((((( Files Created from 2007-05-01 to 2007-06-01 )))))))))))))))))))))))))))))))))) 2007-06-01 12:32 512,096 --a------ D:\WINDOWS\system32\drivers\amon.sys 2007-06-01 12:32 298,104 --a------ D:\WINDOWS\system32\imon.dll 2007-06-01 12:32 15,424 --a------ D:\WINDOWS\system32\drivers\nod32drv.sys 2007-06-01 11:25 2007-06-01 11:19 (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-04-29 14:34:59 -------- d-----w D:\Program Files\Gadu-Gadu 2007-04-26 16:03:12 0 ----a-w D:\WINDOWS\nsreg.dat 2007-04-26 15:59:58 -------- d-----w D:\Program Files\RegCleaner 2007-04-16 19:41:28 -------- d-----w D:\Program Files\Wireless LAN Utility 2007-04-16 19:41:13 -------- d-----w D:\Program Files\SiS163WinNT 2007-04-16 19:40:45 -------- d-----w D:\Program Files\Common Files\InstallShield 2007-04-16 19:40:32 1,386,496 ----a-w D:\WINDOWS\system32\msvbvm60.dll 2007-04-11 17:31:33 -------- d-----w D:\Program Files\InstallShield Installation Information 2007-04-11 17:31:23 -------- d-----w D:\Program Files\PowerQuest 2007-04-10 19:32:43 50,048 ----a-w D:\WINDOWS\system32\perfc015.dat 2007-04-10 19:32:43 356,508 ----a-w D:\WINDOWS\system32\perfh015.dat 2007-04-09 20:43:57 -------- d-----w D:\Program Files\Messenger 2007-04-09 19:28:27 -------- d-----w D:\DOCUME~1\Krzysiek\DANEAP~1\U3 2007-04-07 13:04:41 -------- d-----w D:\Program Files\Common Files\ODBC 2007-04-07 13:04:38 -------- d-----w D:\Program Files\Common Files\SpeechEngines 2007-04-07 11:54:22 -------- d-----w D:\DOCUME~1\Krzysiek\DANEAP~1\Skype 2007-04-07 11:52:27 -------- d-----w D:\DOCUME~1\Krzysiek\DANEAP~1\uTorrent 2007-04-07 11:17:49 -------- d-----w D:\Program Files\microsoft frontpage 2007-04-07 11:14:52 -------- d–h--w D:\Program Files\WindowsUpdate 2007-04-07 11:14:46 -------- d-----w D:\Program Files\Usługi online 2007-04-07 11:13:50 -------- d-----w D:\Program Files\Common Files\MSSoap 2007-04-07 11:13:40 -------- d-----w D:\Program Files\Movie Maker 2007-04-07 11:12:22 21,856 ----a-w D:\WINDOWS\system32\emptyregdb.dat 2007-04-07 11:11:36 -------- d-----w D:\Program Files\MSN Gaming Zone 2007-04-07 11:11:26 -------- d-----w D:\Program Files\Windows NT 2007-03-17 13:45:36 293,376 ----a-w D:\WINDOWS\system32\winsrv.dll 2007-03-08 15:38:47 579,072 ----a-w D:\WINDOWS\system32\user32.dll 2007-03-08 15:38:47 40,960 ----a-w D:\WINDOWS\system32\mf3216.dll 2007-03-08 15:38:47 281,600 ----a-w D:\WINDOWS\system32\gdi32.dll 2007-03-08 15:37:33 1,843,840 ----a-w D:\WINDOWS\system32\win32k.sys (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects] {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=D:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll [2003-11-04 00:17] {53707962-6F74-2D53-2644-206D7942484F}=D:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “C-Media Mixer”=“Mixer.exe” [] “nod32kui”=“D:\Program Files\Eset\nod32kui.exe” [2007-06-01 12:31] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “CTFMON.EXE”=“D:\WINDOWS\system32\ctfmon.exe” [2004-08-04 00:44] “Gadu-Gadu”=“D:\Program Files\Gadu-Gadu\gg.exe” [2007-01-30 16:58] “Skype”=“D:\Documents and Settings\Krzysiek\Pulpit\Skype.exe” [] HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs* [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I] AutoRun\command- I:\LaunchU3.exe -a ******************************************************************** catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net Rootkit scan 2007-06-01 12:43:39 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ******************************************************************** Completion time: 2007-06-01 12:45:14 D:\ComboFix-quarantined-files.txt … 2007-06-01 12:45 — E O F —

Gutek · 1 Czerwiec 2007 11:49

Log Ok

Krzysztof_pawl · 1 Czerwiec 2007 12:06

Dziękuję za pomoc! Komputer nr 1 działa jak trzeba:) A z drugim jeszcze powalcze. Może to jakiś konflikt sprzętowy.