Explorer.exe 90% procka

Nowicjusz50lat · 28 Czerwiec 2007 18:37

Drugi dzień explorer. exe ciągnie do 90% procka plus internet explorer sam się uruchamia (jakieś reklamy). Przeskanowałem system Avastem było trochę syfu.

Logfile of HijackThis v1.99.1 Scan saved at 20:32:50, on 2007-06-28 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: D:\WINDOWS\System32\smss.exe D:\WINDOWS\system32\winlogon.exe D:\WINDOWS\system32\services.exe D:\WINDOWS\system32\lsass.exe D:\WINDOWS\system32\svchost.exe D:\WINDOWS\System32\svchost.exe D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe D:\Program Files\Alwil Software\Avast4\ashServ.exe D:\WINDOWS\system32\spoolsv.exe D:\Program Files\Comodo\Firewall\cmdagent.exe D:\WINDOWS\system32\nvsvc32.exe D:\WINDOWS\system32\PSIService.exe D:\PROGRA~1\SPYWAR~2\sp_rsser.exe D:\WINDOWS\System32\svchost.exe D:\WINDOWS\system32\MsPMSPSv.exe D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe D:\Program Files\Alwil Software\Avast4\ashWebSv.exe D:\WINDOWS\Explorer.EXE D:\WINDOWS\system32\wscntfy.exe D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe D:\Program Files\Comodo\Firewall\CPF.exe D:\Program Files\NETGEAR\WPN111\wpn111.exe D:\Documents and Settings\janusz\Dane aplikacji\tmp10F.tmp.exe D:\Program Files\Internet Explorer\iexplore.exe D:\Program Files\Mozilla Firefox\firefox.exe D:\Documents and Settings\janusz\Pulpit\TATA\Hijack\hijackthis.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.eu.microsoft.com/poland/ R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - D:\Program Files\Internet Download Manager\IDMIECC.dll O2 - BHO: (no name) - {1F6581D5-AA53-4b73-A6F9-41420C6B61F1} - D:\WINDOWS\system32\tmp167.tmp.dll O2 - BHO: (no name) - {8b1d3337-32b4-4ac0-9e40-bf1ba601b7b4} - D:\WINDOWS\system32\icmast.dll O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file) O4 - HKLM…\Run: [NvCplDaemon] “RUNDLL32.EXE” D:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM…\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM…\Run: [COMODO Firewall Pro] “D:\Program Files\Comodo\Firewall\CPF.exe” /background O4 - HKLM…\Run: [winehq.org] rundll32.exe “D:\WINDOWS\efdcyw.dll”,realset O4 - HKCU…\Run: [spyware Doctor] “D:\Program Files\Spyware Doctor\swdoctor.exe” /Q O4 - Global Startup: NETGEAR WPN111 Smart Wizard.lnk = ? O8 - Extra context menu item: Download All Links with IDM - D:\Program Files\Internet Download Manager\IEGetAll.htm O8 - Extra context menu item: Download with IDM - D:\Program Files\Internet Download Manager\IEExt.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_08\bin\ssv.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_08\bin\ssv.dll O9 - Extra button: Pop-Up Blocker - {84536FE2-ABCD-3586-DCAB-40E286323737} - D:\Program Files\WINnerTweak3\PopUp Blocker.exe O9 - Extra ‘Tools’ menuitem: Pop-Up Blocker - {84536FE2-ABCD-3586-DCAB-40E286323737} - D:\Program Files\WINnerTweak3\PopUp Blocker.exe O16 - DPF: {5D2CF9D0-113A-476B-986F-288B54571614} (DevalVR Control) - http://www.devalvr.com/instalacion/plugin/devalocx.cab O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O20 - AppInit_DLLs: d:\windows\system32\pmkhhif.dll O20 - Winlogon Notify: icmast - D:\WINDOWS\SYSTEM32\icmast.dll O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - D:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - D:\Program Files\Ares\chatServer.exe O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - D:\Program Files\Comodo\Firewall\cmdagent.exe O23 - Service: DomainService - - D:\Documents and Settings\janusz\Dane aplikacji\tmp10F.tmp.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe O23 - Service: ProtexisLicensing - Unknown owner - D:\WINDOWS\system32\PSIService.exe O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - D:\Program Files\Spyware Doctor\sdhelp.exe O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - D:\PROGRA~1\SPYWAR~2\sp_rsser.exe O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - D:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - D:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

“Silent Runners.vbs”, revision 49, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “Spyware Doctor” = ““D:\Program Files\Spyware Doctor\swdoctor.exe” /Q” [“PC Tools Research Pty Ltd”] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “NvCplDaemon” = ““RUNDLL32.EXE” D:\WINDOWS\system32\NvCpl.dll,NvStartup” [MS] “avast!” = “D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [“ALWIL Software”] “COMODO Firewall Pro” = ““D:\Program Files\Comodo\Firewall\CPF.exe” /background” [“COMODO”] “winehq.org” = “rundll32.exe “D:\WINDOWS\efdcyw.dll”,realset” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {0055C089-8582-441B-A0BF-17B458C2A3A8}(Default) = “IDM Helper” -> {HKLM…CLSID} = “IDMIEHlprObj Class” \InProcServer32(Default) = “D:\Program Files\Internet Download Manager\IDMIECC.dll” [“Tonec Inc.”] {1F6581D5-AA53-4b73-A6F9-41420C6B61F1}(Default) = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “D:\WINDOWS\system32\tmp167.tmp.dll” [null data] {8b1d3337-32b4-4ac0-9e40-bf1ba601b7b4}(Default) = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “D:\WINDOWS\system32\icmast.dll” [null data] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}” = “OpenOffice.org Column Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = ““D:\Program Files\OpenOffice.ux.pl 2.0.3\program\shlxthdl.dll”” [“Sun Microsystems, Inc.”] “{087B3AE3-E237-4467-B8DB-5A38AB959AC9}” = “OpenOffice.org Infotip Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = ““D:\Program Files\OpenOffice.ux.pl 2.0.3\program\shlxthdl.dll”” [“Sun Microsystems, Inc.”] “{63542C48-9552-494A-84F7-73AA6A7C99C1}” = “OpenOffice.org Property Sheet Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = ““D:\Program Files\OpenOffice.ux.pl 2.0.3\program\shlxthdl.dll”” [“Sun Microsystems, Inc.”] “{3B092F0C-7696-40E3-A80F-68D74DA84210}” = “OpenOffice.org Thumbnail Viewer” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = ““D:\Program Files\OpenOffice.ux.pl 2.0.3\program\shlxthdl.dll”” [“Sun Microsystems, Inc.”] “{23170F69-40C1-278A-1000-000100020000}” = “7-Zip Shell Extension” -> {HKLM…CLSID} = “7-Zip Shell Extension” \InProcServer32(Default) = “D:\Program Files\7-Zip\7-zip.dll” [“Igor Pavlov”] “{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}” = “Shell Extensions for RealOne Player” -> {HKLM…CLSID} = “RealOne Player Context Menu Class” \InProcServer32(Default) = “D:\Program Files\Real\RealPlayer\rpshell.dll” [“RealNetworks, Inc.”] “{A70C977A-BF00-412C-90B7-034C51DA2439}” = “NvCpl DesktopContext Class” -> {HKLM…CLSID} = “DesktopContext Class” \InProcServer32(Default) = “D:\WINDOWS\system32\nvcpl.dll” [“NVIDIA Corporation”] “{FFB699E0-306A-11d3-8BD1-00104B6F7516}” = “Play on my TV helper” -> {HKLM…CLSID} = “NVIDIA CPL Extension” \InProcServer32(Default) = “D:\WINDOWS\system32\nvcpl.dll” [“NVIDIA Corporation”] “{1CDB2949-8F65-4355-8456-263E7C208A5D}” = “Desktop Explorer” -> {HKLM…CLSID} = “Desktop Explorer” \InProcServer32(Default) = “D:\WINDOWS\system32\nvshell.dll” [“NVIDIA Corporation”] “{1E9B04FB-F9E5-4718-997B-B8DA88302A47}” = “Desktop Explorer Menu” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “D:\WINDOWS\system32\nvshell.dll” [“NVIDIA Corporation”] “{1E9B04FB-F9E5-4718-997B-B8DA88302A48}” = “nView Desktop Context Menu” -> {HKLM…CLSID} = “nView Desktop Context Menu” \InProcServer32(Default) = “D:\WINDOWS\system32\nvshell.dll” [“NVIDIA Corporation”] “{B327765E-D724-4347-8B16-78AE18552FC3}” = “NeroDigitalIconHandler” -> {HKLM…CLSID} = “NeroDigitalIconHandler Class” \InProcServer32(Default) = “D:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll” [“Nero AG”] “{7F1CF152-04F8-453A-B34C-E609530A9DC8}” = “NeroDigitalPropSheetHandler” -> {HKLM…CLSID} = “NeroDigitalPropSheetHandler Class” \InProcServer32(Default) = “D:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll” [“Nero AG”] “{FED7043D-346A-414D-ACD7-550D052499A7}” = “dBpowerAMP Music Converter 1” -> {HKLM…CLSID} = “dBpShell Class” \InProcServer32(Default) = “D:\Program Files\Illustrate\dBpowerAMP\dBShell.dll” [empty string] “{2C49B5D0-ACE7-4D17-9DF0-A254A6C5A0C5}” = “dBpowerAMP Music Converter” -> {HKLM…CLSID} = “dMCIShell Class” \InProcServer32(Default) = “D:\Program Files\Illustrate\dBpowerAMP\dMCShell.dll” [empty string] “{472083B0-C522-11CF-8763-00608CC02F24}” = “avast” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “D:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] “{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}” = “TuneUp Shredder Shell Extension” -> {HKLM…CLSID} = “TuneUp Shredder Shell Extension” \InProcServer32(Default) = “D:\Program Files\TuneUp Utilities 2007\SDShelEx-win32.dll” [“TuneUp Software GmbH”] “{44440D00-FF19-4AFC-B765-9A0970567D97}” = “TuneUp Theme Extension” -> {HKLM…CLSID} = “TuneUp Theme Extension” \InProcServer32(Default) = “D:\WINDOWS\system32\uxtuneup.dll” [“TuneUp Software GmbH”] “{cc86590a-b60a-48e6-996b-41d25ed39a1e}” = “Portable Media Devices Menu” -> {HKLM…CLSID} = “Portable Media Devices Menu” \InProcServer32(Default) = “D:\WINDOWS\system32\Audiodev.dll” [MS] “{71A466B0-65CC-4B41-9043-6090F2C830D3}” = “QCD IconHandler” -> {HKLM…CLSID} = “QIconHandler Class” \InProcServer32(Default) = “D:\Program Files\Quintessential Media Player\QMPShell.dll” [“Quinnware”] “{71A068F3-2DC9-438D-8944-6B4FF540D2F5}” = “QCD ContextMenu”

Bardzo proszę o pomoc i w razie ewentualnych błędów proszę o wyrozumiałość.

qrczak13 · 28 Czerwiec 2007 21:36

W trybie awaryjnym użyj VundoFix + FixVundo + VirtmundoBeGone

Po wykonaniu w/w daj log z ComboFix.

Nowicjusz50lat · 29 Czerwiec 2007 11:02

do grczak13. Wykonałem wszystkie czynności i wygląda, że jest wszystko dobrze, wielkie dzięki.

“janusz” - 2007-06-29 12:48:24 - ComboFix 07-06-27.7 - Dodatek Service Pack 2 NTFS

D:\WINDOWS\system32\gebyyvu.dll

D:\WINDOWS\system32\pmkhhif.dll

D:\WINDOWS\system32\hjkkj.bak1

* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

D:\DOCUME~1\janusz\DANEAP~1\tmp10F.tmp.exe

D:\DOCUME~1\janusz\DANEAP~1\tmp144.tmp.exe

D:\DOCUME~1\janusz\DANEAP~1\tmp167.tmp.exe

D:\WINDOWS\hosts

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\LEGACY_DOMAINSERVICE

-------\DomainService

((((((((((((((((((((((((( Files Created from 2007-05-28 to 2007-06-29 )))))))))))))))))))))))))))))))

2007-06-29 12:53

2007-06-29 12:47 49,152 --a------ D:\WINDOWS\nircmd.exe

2007-06-29 12:34

2007-06-28 20:08 134,903 --a------ D:\WINDOWS\efdcyw.dll

2007-06-26 19:22

2007-06-26 19:21 77,824 --a------ D:\WINDOWS\system32\PICEntry.dll

2007-06-26 19:21 73,728 --a------ D:\WINDOWS\system32\PICSDK.dll

2007-06-26 19:21 65,536 --a------ D:\WINDOWS\system32\EPPicMgr.dll

2007-06-26 19:21 495,616 --a------ D:\WINDOWS\system32\PICSDK2.dll

2007-06-26 19:21 45,056 --a------ D:\WINDOWS\system32\PhDi2.sys

2007-06-26 19:21 4,943 --a------ D:\WINDOWS\system32\EPPICPattern6.dat

2007-06-26 19:21 31,053 --a------ D:\WINDOWS\system32\EPPICPattern131.dat

2007-06-26 19:21 27,417 --a------ D:\WINDOWS\system32\EPPICPattern121.dat

2007-06-26 19:21 26,154 --a------ D:\WINDOWS\system32\EPPICPattern1.dat

2007-06-26 19:21 24,903 --a------ D:\WINDOWS\system32\EPPICPattern3.dat

2007-06-26 19:21 21,390 --a------ D:\WINDOWS\system32\EPPICPattern5.dat

2007-06-26 19:21 20,148 --a------ D:\WINDOWS\system32\EPPICPattern2.dat

2007-06-26 19:21 114,688 --a------ D:\WINDOWS\system32\EpPicPrt.dll

2007-06-26 19:21 111,932 --a------ D:\WINDOWS\system32\EPPICPrinterDB.dat

2007-06-26 19:21 11,811 --a------ D:\WINDOWS\system32\EPPICPattern4.dat

2007-06-26 19:21 1,146 --a------ D:\WINDOWS\system32\EPPICPresetData_DU.dat

2007-06-26 19:21 1,139 --a------ D:\WINDOWS\system32\EPPICPresetData_PT.dat

2007-06-26 19:21 1,139 --a------ D:\WINDOWS\system32\EPPICPresetData_BP.dat

2007-06-26 19:21 1,136 --a------ D:\WINDOWS\system32\EPPICPresetData_ES.dat

2007-06-26 19:21 1,129 --a------ D:\WINDOWS\system32\EPPICPresetData_FR.dat

2007-06-26 19:21 1,129 --a------ D:\WINDOWS\system32\EPPICPresetData_CF.dat

2007-06-26 19:21 1,120 --a------ D:\WINDOWS\system32\EPPICPresetData_IT.dat

2007-06-26 19:21 1,107 --a------ D:\WINDOWS\system32\EPPICPresetData_GE.dat

2007-06-26 19:21 1,104 --a------ D:\WINDOWS\system32\EPPICPresetData_EN.dat

2007-06-26 19:11 11,776 --a------ D:\WINDOWS\system32\drivers\afc.sys

2007-06-26 19:11

2007-06-26 19:10

2007-06-26 15:42 18 --a------ D:\WINDOWS\system32\dn0cac246b.dat

2007-06-26 15:39 92,554 --a------ D:\WINDOWS\system32\icmast.dll.vir

2007-06-25 15:11

2007-06-23 23:23

2007-06-16 23:16

2007-06-13 21:10 138,368 --a------ D:\WINDOWS\system32\drivers\sp_rsdrv2.sys

2007-06-13 21:09

2007-06-13 20:54

2007-06-13 17:22 83,842 --a------ D:\WINDOWS\system32\prfc0415.dat

2007-06-13 17:22 489,078 --a------ D:\WINDOWS\system32\prfh0415.dat

2007-06-09 20:35 6,676,480 --a------ D:\DOCUME~1\janusz\ntuser.dat

2007-06-09 20:35 233,472 --a------ D:\DOCUME~1\LOCALS~1\ntuser.dat

2007-06-08 12:43

2007-06-07 19:51

2007-06-06 14:18

2007-06-06 14:17

2007-06-05 19:23 9,600 --a------ D:\WINDOWS\system32\drivers\hidusb.sys

2007-06-05 19:23 12,160 --a------ D:\WINDOWS\system32\drivers\mouhid.sys

2007-06-04 21:09

2007-06-04 19:56

2007-06-04 15:18 9,344 --a------ D:\WINDOWS\system32\drivers\NSDriver.sys

2007-06-04 15:17 8,320 --a------ D:\WINDOWS\system32\drivers\AWRTRD.sys

2007-06-04 15:14 6,272 --a------ D:\WINDOWS\system32\drivers\AWRTPD.sys

2007-06-03 18:26

2007-06-03 12:22

2007-06-01 19:34

2007-06-01 17:11 65,702 --a------ D:\WINDOWS\system32\drivers\StMp3Rec.sys

2007-05-30 21:50

2007-05-30 21:42

2007-05-30 21:36

2007-05-30 18:15

2007-05-30 18:10

2007-05-30 17:56 327,168 --a------ D:\WINDOWS\IsUn0415.exe

2007-05-29 15:13

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-29 10:47:36 -------- d-----w D:\DOCUME~1\janusz\DANEAP~1\DMCache

2007-06-29 09:35:27 -------- d-----w D:\Program Files\Spyware Doctor

2007-06-28 19:40:08 -------- d-----w D:\Program Files\Ashampoo

2007-06-27 15:35:25 -------- d-----w D:\DOCUME~1\janusz\DANEAP~1\Corel

2007-06-27 15:35:18 5,852 --sha-w D:\WINDOWS\system32\KGyGaAvL.sys

2007-06-27 15:35:17 88 --sh–r D:\WINDOWS\system32\3C8E9610FA.sys

2007-06-27 15:00:32 -------- d-----w D:\Program Files\Tweak-XP Pro 4

2007-06-26 20:21:08 -------- d-----w D:\Program Files\XnView

2007-06-26 19:57:37 -------- d-----w D:\Program Files\SUPERAntiSpyware

2007-06-26 17:08:27 -------- d-----w D:\DOCUME~1\janusz\DANEAP~1\uTorrent

2007-06-25 19:19:39 -------- d-----w D:\DOCUME~1\janusz\DANEAP~1\XnView

2007-06-25 18:41:55 2,860 ----a-w D:\WINDOWS\unins001.dat

2007-06-25 16:02:31 -------- d-----w D:\DOCUME~1\janusz\DANEAP~1\OpenOffice.ux.pl2

2007-06-25 13:32:40 -------- d-----w D:\Program Files\Torrent Master

2007-06-16 21:10:04 -------- d-----w D:\DOCUME~1\janusz\DANEAP~1\foobar2000

2007-06-13 15:18:16 -------- d-----w D:\Program Files\Mozilla Thunderbird

2007-06-13 15:18:16 -------- d-----w D:\Program Files\K-Meleon

2007-06-13 15:18:16 -------- d-----w D:\Program Files\Internet Download Manager

2007-06-08 16:24:36 -------- d-----w D:\Program Files\TrackMania Nations ESWC

2007-06-08 10:43:23 -------- d-----w D:\Program Files\Common Files\Wise Installation Wizard

2007-06-08 10:42:43 -------- d-----w D:\DOCUME~1\janusz\DANEAP~1\Lavasoft

2007-06-02 15:16:27 -------- d-----w D:\Program Files\GIMP-2.0

2007-06-01 17:37:45 -------- d-----w D:\Program Files\QuickTime

2007-06-01 15:52:53 -------- d-----w D:\DOCUME~1\janusz\DANEAP~1\concept design

2007-05-26 18:31:51 -------- d-----w D:\DOCUME~1\janusz\DANEAP~1\Apple Computer

2007-05-23 12:35:44 -------- d-----w D:\DOCUME~1\janusz\DANEAP~1\K-Meleon

2007-05-22 15:10:48 -------- d-----w D:\DOCUME~1\janusz\DANEAP~1\TweakNow PowerPack

2007-05-22 15:08:46 -------- d-----w D:\Program Files\TweakNow PowerPack 2006

2007-05-19 22:33:15 -------- d-----w D:\Program Files\Common Files\Onet.pl

2007-05-19 22:33:15 -------- d-----w D:\DOCUME~1\janusz\DANEAP~1\Czat

2007-05-19 22:33:11 -------- d-----w D:\Program Files\Onet

2007-05-19 12:04:02 -------- d-----w D:\Program Files\DevalVR

2007-05-19 12:00:12 16,623 ----a-w D:\WINDOWS\mozver.dat

2007-05-18 17:57:36 -------- d-----w D:\Program Files\BearShare

2007-05-17 18:38:39 -------- d-----w D:\Program Files\Paint.NET

2007-05-17 11:56:29 -------- d-----w D:\DOCUME~1\janusz\DANEAP~1\Opera

2007-05-17 11:56:21 -------- d-----w D:\Program Files\Opera

2007-05-17 11:50:15 -------- d-----w D:\Program Files\CCleaner

2007-05-17 11:48:44 -------- d-----w D:\DOCUME~1\janusz\DANEAP~1\IDM

2007-05-16 14:58:22 -------- d-----w D:\Program Files\Foto Studio

2007-05-15 13:56:02 -------- d-----w D:\DOCUME~1\janusz\DANEAP~1\GlarySoft

2007-05-13 08:33:00 -------- d-----w D:\DOCUME~1\janusz\DANEAP~1\Mp3tag

2007-05-13 08:32:55 -------- d-----w D:\Program Files\Mp3tag

2007-05-10 17:51:05 -------- d-----w D:\Program Files\Google

2007-05-09 17:29:07 -------- d-----w D:\Program Files\Common Files\DirectX

2007-05-09 14:21:55 -------- d-----w D:\Program Files\Common Files\ACD Systems

2007-05-09 10:54:54 -------- d-----w D:\DOCUME~1\janusz\DANEAP~1\Thinstall

2007-05-07 18:04:08 724,992 ----a-w D:\WINDOWS\iun6002.exe

2007-05-06 17:17:44 -------- d-----w D:\DOCUME~1\janusz\DANEAP~1\MusicIP

2007-05-05 18:49:45 -------- d-----w D:\Program Files\Picasa2

2007-05-03 09:15:27 -------- d-----w D:\Program Files\NAPI-PROJEKT

2007-05-02 19:05:05 -------- d-----w D:\Program Files\ToSearch

2007-05-02 17:40:17 -------- d-----w D:\Program Files\uTorrent

2007-05-01 19:39:25 -------- d-----w D:\Program Files\K-Lite Codec Pack

2007-05-01 10:31:56 -------- d-----w D:\Program Files\IrfanView

2007-04-30 17:16:24 -------- d-----w D:\Program Files\SubEdit-Player

2007-04-30 15:46:10 745,600 ----a-w D:\WINDOWS\system32\aswBoot.exe

2007-04-30 15:41:55 85,952 ----a-w D:\WINDOWS\system32\drivers\aswmon.sys

2007-04-30 15:41:42 94,552 ----a-w D:\WINDOWS\system32\drivers\aswmon2.sys

2007-04-30 15:39:41 23,416 ----a-w D:\WINDOWS\system32\drivers\aswRdr.sys

2007-04-30 15:38:51 43,176 ----a-w D:\WINDOWS\system32\drivers\aswTdi.sys

2007-04-30 15:37:23 26,888 ----a-w D:\WINDOWS\system32\drivers\aavmker4.sys

2007-04-30 15:35:28 95,872 ----a-w D:\WINDOWS\system32\AVASTSS.scr

2007-04-30 13:50:48 -------- d-----w D:\DOCUME~1\janusz\DANEAP~1\COWON

2007-04-29 10:37:31 -------- d-----w D:\DOCUME~1\janusz\DANEAP~1\DivX

2007-04-18 14:03:56 335 ----a-w D:\WINDOWS\mozregistry.dat

2007-04-13 13:19:52 7,680 ----a-w D:\WINDOWS\system32\lsdelete.exe

2007-04-03 13:44:20 88 --sh–r D:\WINDOWS\system32\5553265C75.sys

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

{0055C089-8582-441B-A0BF-17B458C2A3A8}=D:\Program Files\Internet Download Manager\IDMIECC.dll [2007-02-19 16:53]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“avast!”=“D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [2007-04-30 17:42]

“COMODO Firewall Pro”=“D:\Program Files\Comodo\Firewall\CPF.exe” [2007-04-04 13:36]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

“NoSecCpl”=0 (0x0)

“DisableChangePassword”=0 (0x0)

“DisableLockWorkstation”=0 (0x0)

“NoDispCpl”=0 (0x0)

“NoDispBackgroundPage”=0 (0x0)

“NoDispScrSavPage”=0 (0x0)

“NoDispAppearancePage”=0 (0x0)

“NoDispSettingsPage”=0 (0x0)

“NoVisualStyleChoice”=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

“NoResolveTrack”=1 (0x1)

“LinkResolveIgnoreLinkInfo”=0 (0x0)

“NoResolveSearch”=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

“ClearRecentDocsOnExit”=1 (0x1)

“NoResolveTrack”=1 (0x1)

“LinkResolveIgnoreLinkInfo”=0 (0x0)

“HideClock”=0 (0x0)

“NoManageMyComputerVerb”=0 (0x0)

“NoLowDiskSpaceChecks”=0 (0x0)

“NoStartMenuPinnedList”=0 (0x0)

“NoStartMenuMFUprogramsList”=0 (0x0)

“NoUserNameInStartMenu”=0 (0x0)

“StartmenuLogoff”=0 (0x0)

“NoStartMenuSubFolders”=0 (0x0)

“NoCommonGroups”=0 (0x0)

“NoRecentDocsMenu”=0 (0x0)

“NoPrinterTabs”=0 (0x0)

“NoDeletePrinter”=0 (0x0)

“NoAddPrinter”=0 (0x0)

“NoPrinters”=0 (0x0)

“NoNetworkConnections”=0 (0x0)

“NoFavoritesMenu”=0 (0x0)

“NoClose”=0 (0x0)

“NoSetFolders”=0 (0x0)

“NoSMHelp”=0 (0x0)

“NoChangeStartMenu”=0 (0x0)

“NoViewContextMenu”=0 (0x0)

“NoFileMenu”=0 (0x0)

“NoShellSearchButton”=0 (0x0)

“NoToolbarCustomize”=0 (0x0)

“NoRecentDocsNetHood”=0 (0x0)

“NoChangeAnimation”=0 (0x0)

“NoChangeKeyboardNavigationIndicators”=0 (0x0)

“NoThemesTab”=0 (0x0)

“NoSaveSettings”=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

“{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}”=“D:\Program Files\SUPERAntiSpyware\SASSEH.DLL” [2006-12-20 13:55]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

“appinit_dlls”=d:\windows\system32\pmkhhif.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - netsvcs

UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{1b7c0eb0-1052-11dc-8145-00146c5d59ff}]

AutoRun\command- D:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe

Open(&0)\command- H:\Recycled\ctfmon.exe

Contents of the ‘Scheduled Tasks’ folder

2007-06-01 15:17:39 D:\WINDOWS\tasks\1-Click Maintenance.job

2007-06-25 19:35:02 D:\WINDOWS\tasks\AppleSoftwareUpdate.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-06-29 12:53:28

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully

hidden files: 0

**************************************************************************

Completion time: 2007-06-29 12:55:30 - machine was rebooted

D:\ComboFix-quarantined-files.txt … 2007-06-29 12:54

— E O F —

(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))

D:\WINDOWS\system32\gebyyvu.dll

D:\WINDOWS\system32\pmkhhif.dll

D:\WINDOWS\system32\hjkkj.bak1

* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

D:\DOCUME~1\janusz\DANEAP~1\tmp10F.tmp.exe

D:\DOCUME~1\janusz\DANEAP~1\tmp144.tmp.exe

D:\DOCUME~1\janusz\DANEAP~1\tmp167.tmp.exe

D:\WINDOWS\hosts

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\LEGACY_DOMAINSERVICE

-------\DomainService

((((((((((((((((((((((((( Files Created from 2007-05-28 to 2007-06-29 )))))))))))))))))))))))))))))))

qrczak13 · 29 Czerwiec 2007 19:48

Ściągasz Pocket Killbox,

zaznaczasz Delete on reboot , w polu Full Path of File to Delete wklej ścieżkę:

D:\WINDOWS\efdcyw.dll

D:\WINDOWS\system32\icmast.dll.vir

i naciskasz X czerwony. Program poprosi o restart kompa, co robisz, ale dopiero po wklejeniu 2 ścieżki.

Do notatnika wklej:

Plik > zapisz jako > zmień rozszerzenie z .txt na wszystkie pliki > zapisz pod nazwą Fix.reg np na

pulpicie > dwuklik na Fix.reg > potwierdzasz > restart.

Przeskanuj na http://www.virustotal.com/vt/ lub http://virusscan.jotti.org i wklej raport po skanowaniu oraz nowy log z combofix.

Nowicjusz50lat · 1 Lipiec 2007 18:14

Dziękuję wszystkim za porady, które okazały się skuteczne.

adam9870 · 1 Lipiec 2007 18:29

Jeśli wykonałeś już czynności przedstawione przez qrczaka to wklej nowy log z ComboFix plus wyniki skanów plików, które wskazał do przeskanowania.