Explorer exe - brak paska zadan i wywalanie neta

rentgen · 8 Wrzesień 2007 12:53

WItam

Przy starcie systemu wyskakuje okno z komunikatem : Windows Explorer has encountered a problem and needs to close. We sorry for the inconvenience, po czym znika pasek zadan. System byl sprawdzany 3 antywirami on-line i troche trojanow pousuwalem. Co moze byc tego przyczna ???

podaje loga do spradzenia

Logfile of HijackThis v1.97.2

Scan saved at 12:08:31, on 08/09/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe

C:\WINDOWS\SYSTEM32\WISPTIS.EXE

C:\WINDOWS\System32\tabbtnu.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\dwwin.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\User\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pcworld.pl

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dl … r=iesearch

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.pcworld.pl

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dl … r=iesearch

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;

R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\9.bin\MWSSRCAS.DLL

O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\9.bin\MWSSRCAS.DLL

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: Zango /fleok=1D8A83A5C7E5197A91AC6B2A1FBB39BFE4976E26CAEDA120180A196D6093 - {07AA283A-43D7-4CBE-A064-32A21112D94D} - (no file)

O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\a.bin\MWSBAR.DLL

O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINDOWS\system32\tmp5.tmp.dll

O2 - BHO: (no name) - {ec206721-bbbe-480f-b836-64c33db659f1} - C:\WINDOWS\system32\appass.dll

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O4 - HKLM…\Run: [TabletWizard] C:\WINDOWS\help\SplshWrp.exe

O4 - HKLM…\Run: [TabletTip] “C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe” /resume

O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM…\Run: [nwiz] nwiz.exe /installquiet

O4 - HKLM…\Run: [soundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

O4 - HKLM…\Run: [soundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray

O4 - HKLM…\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe

O4 - HKLM…\Run: [CrossMenu] C:\Program Files\Toshiba\CrossMenu\CrossMenu.exe

O4 - HKLM…\Run: [TapButt] C:\Program Files\Toshiba\TapButton\TapButt.exe

O4 - HKLM…\Run: [000StTHK] 000StTHK.exe

O4 - HKLM…\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe

O4 - HKLM…\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM…\Run: [smoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

O4 - HKLM…\Run: [TosRotation] “C:\Program Files\TOSHIBA\TOSHIBA Rotation Utility\TRot.exe”

O4 - HKLM…\Run: [TPSMain] TPSMain.exe

O4 - HKLM…\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon

O4 - HKLM…\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service

O4 - HKLM…\Run: [TAcelMgr] C:\Program Files\TOSHIBA\Acceleration Utilities\TAcelMgr\TAcelMgr.exe

O4 - HKLM…\Run: [TSkrMain] C:\Program Files\TOSHIBA\Acceleration Utilities\Shaker\TSkrMain.exe

O4 - HKLM…\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe

O4 - HKLM…\Run: [NDSTray.exe] NDSTray.exe

O4 - HKLM…\Run: [sensiva] “C:\Symbol Commander\Sensiva.exe”

O4 - HKLM…\Run: [TFNF5] TFNF5.exe

O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM…\Run: [smcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui

O4 - HKLM…\Run: [mav_startupmon] “C:\Program Files\Common Files\WinAntiVirus Pro 2007\mav_startupmon.exe”

O4 - HKLM…\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe

O4 - HKLM…\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,BluetoothAuthenticationAgent

O4 - HKLM…\Run: [CFSServ.exe] CFSServ.exe -NoClient

O4 - HKLM…\Run: [systemOptimizer] rundll32.exe “C:\WINDOWS\awtrsp.dll”,forkonce

O4 - HKLM…\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\a.bin\MWSBAR.DLL,S

O4 - HKLM…\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\a.bin\mwsoemon.exe

O4 - HKLM…\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKCU…\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU…\Run: [skype] “C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized

O4 - HKCU…\Run: [MsnMsgr] “C:\Program Files\MSN Messenger\MsnMsgr.Exe” /background

O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray

O4 - HKCU…\Run: [sysRestore] “C:\DOCUME~1\User\LOCALS~1\Temp\tmp34.tmp.exe”

O4 - HKCU…\Run: [iDesk] C:\Program Files\INTERIAPL\iDesk\iDesk.exe

O4 - HKCU…\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\a.bin\mwsoemon.exe

O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE

O4 - Startup: Stardock ObjectDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat\ObjectDock\ObjectDock.exe

O4 - Global Startup: Bluetooth Manager.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredi … p=ZCfox000

O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm

O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?c8f75d22b8f34a779f0970fe62cb8a5c

O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?c8f75d22b8f34a779f0970fe62cb8a5c

O9 - Extra ‘Tools’ menuitem: Sun Java Console (HKLM)

O9 - Extra button: Research (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra ‘Tools’ menuitem: Windows Messenger (HKLM)

O14 - IERESET.INF: START_PAGE_URL=http://www.pcworld.pl

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.pl/resources/virus … nicode.cab

O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan … asinst.cab

O17 - HKLM\System\CCS\Services\Tcpip…{165BEF44-E842-4ACC-A770-5D25FF947E39}: NameServer = 194.64.31.3

O17 - HKLM\System\CCS\Services\Tcpip…{20E387B5-A5D8-4AA8-85B1-98458C9D60CE}: NameServer = 194.64.31.3

O17 - HKLM\System\CCS\Services\Tcpip…{8B3FF419-473F-4E6D-B390-4151B98CA121}: NameServer = 194.64.31.3

O17 - HKLM\System\CCS\Services\Tcpip…{B5BE15B3-64DD-46D8-BCB7-AC0563D32C5C}: NameServer = 194.64.31.3

O17 - HKLM\System\CCS\Services\Tcpip…{EFD3E199-B6DF-4DE2-8D5D-426A33668A12}: NameServer = 194.64.31.3

O17 - HKLM\System\CCS\Services\Tcpip…{FFCCDF6E-D9C5-4F45-B6E7-BC7A6087F082}: NameServer = 194.64.31.3

O17 - HKLM\System\CS1\Services\Tcpip…{165BEF44-E842-4ACC-A770-5D25FF947E39}: NameServer = 194.64.31.3

O17 - HKLM\System\CS2\Services\Tcpip…{165BEF44-E842-4ACC-A770-5D25FF947E39}: NameServer = 194.64.31.3

Monczkin · 8 Wrzesień 2007 14:05

rentgen popraw tytuł na konkretny i obejmij loga znacznikami quote.

rentgen · 8 Wrzesień 2007 14:12

Sorry jesli czyms zawinilem ale jak mam teraz uzyskac pomoc ??

adam9870 · 8 Wrzesień 2007 14:14

Dałeś loga z bardzo starej wersji programu, jednak ze względu na ilość syfu, który widać dam wstępną instrukcję usuwania.

R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\9.bin\MWSSRCAS.DLL O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\9.bin\MWSSRCAS.DLL O2 - BHO: Zango /fleok=1D8A83A5C7E5197A91AC6B2A1FBB39BFE4976E26CAEDA120180A196D6093 - {07AA283A-43D7-4CBE-A064-32A21112D94D} - (no file) O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\a.bin\MWSBAR.DLL O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINDOWS\system32\tmp5.tmp.dll O2 - BHO: (no name) - {ec206721-bbbe-480f-b836-64c33db659f1} - C:\WINDOWS\system32\appass.dll O4 - HKLM…\Run: [mav_startupmon] “C:\Program Files\Common Files\WinAntiVirus Pro 2007\mav_startupmon.exe” O4 - HKLM…\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe O4 - HKLM…\Run: [systemOptimizer] rundll32.exe “C:\WINDOWS\awtrsp.dll”,forkonce O4 - HKLM…\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\a.bin\MWSBAR.DLL,S O4 - HKLM…\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\a.bin\mwsoemon.exe O4 - HKLM…\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKCU…\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\a.bin\mwsoemon.exe O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredi … p=ZCfox000

Użyj Windows Worms Doors Cleanera zmień znaczki z disable na enable (wszystkie znaczki maja być na zielono, jeżeli któryś z nich będzie na żółto to go zostaw). Po użyciu narzędzia wymagany jest restart.
Odinstaluj poprzez aplet Dodaj/usuń programy MyWebSearch oraz WinAntiVirus Pro 2007
Użyj VundoFix + FixVundo + VirtumundoBeGone + SmitFraudFix z opcji numer 2. Wszystkie narzędzia należy uruchomić w trybie awaryjnym.
Wykonaj i wklej log z ComboFix plus nowy log z najnowszej wersji Hijacka, którą możesz pobrać stąd:

http://dobreprogramy.pl/index.php?dz=2&t=55&id=730

rentgen · 8 Wrzesień 2007 15:10

te fixy vundo nic nie wykryly. chodzi cos lepeij ale dalej nie mam paska zadan na dole. daje loga z HJT

Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 15:58:59, on 08/09/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\SYSTEM32\WISPTIS.EXE C:\WINDOWS\System32\tabbtnu.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe C:\WINDOWS\AGRSMMSG.exe C:\WINDOWS\system32\TPSMain.exe C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe C:\WINDOWS\system32\TFNF5.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe C:\Program Files\Skype\Phone\Skype.exe C:\WINDOWS\system32\TPSBattM.exe C:\Program Files\Gadu-Gadu\gg.exe C:\Program Files\INTERIAPL\iDesk\iDesk.exe C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE C:\WINDOWS\BricoPacks\Vista Inspirat\ObjectDock\ObjectDock.exe C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Skype\Plugin Manager\skypePM.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ; O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: Zango /fleok=1D8A83A5C7E5197A91AC6B2A1FBB39BFE4976E26CAEDA120180A196D6093 - {07AA283A-43D7-4CBE-A064-32A21112D94D} - (no file) O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O4 - HKLM…\Run: [TabletWizard] C:\WINDOWS\help\SplshWrp.exe O4 - HKLM…\Run: [TabletTip] “C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe” /resume O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM…\Run: [nwiz] nwiz.exe /installquiet O4 - HKLM…\Run: [soundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe O4 - HKLM…\Run: [soundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray O4 - HKLM…\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe O4 - HKLM…\Run: [CrossMenu] C:\Program Files\Toshiba\CrossMenu\CrossMenu.exe O4 - HKLM…\Run: [TapButt] C:\Program Files\Toshiba\TapButton\TapButt.exe O4 - HKLM…\Run: [000StTHK] 000StTHK.exe O4 - HKLM…\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe O4 - HKLM…\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM…\Run: [smoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe O4 - HKLM…\Run: [TosRotation] “C:\Program Files\TOSHIBA\TOSHIBA Rotation Utility\TRot.exe” O4 - HKLM…\Run: [TPSMain] TPSMain.exe O4 - HKLM…\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon O4 - HKLM…\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service O4 - HKLM…\Run: [TAcelMgr] C:\Program Files\TOSHIBA\Acceleration Utilities\TAcelMgr\TAcelMgr.exe O4 - HKLM…\Run: [TSkrMain] C:\Program Files\TOSHIBA\Acceleration Utilities\Shaker\TSkrMain.exe O4 - HKLM…\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe O4 - HKLM…\Run: [NDSTray.exe] NDSTray.exe O4 - HKLM…\Run: [sensiva] “C:\Symbol Commander\Sensiva.exe” O4 - HKLM…\Run: [TFNF5] TFNF5.exe O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM…\Run: [smcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui O4 - HKLM…\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,BluetoothAuthenticationAgent O4 - HKLM…\Run: [CFSServ.exe] CFSServ.exe -NoClient O4 - HKCU…\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU…\Run: [skype] “C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized O4 - HKCU…\Run: [MsnMsgr] “C:\Program Files\MSN Messenger\MsnMsgr.Exe” /background O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray O4 - HKCU…\Run: [iDesk] C:\Program Files\INTERIAPL\iDesk\iDesk.exe O4 - HKUS\S-1-5-19…\Run: [TabletWizard] %windir%\help\wizard.hta (User ‘LOCAL SERVICE’) O4 - HKUS\S-1-5-20…\Run: [TabletWizard] %windir%\help\wizard.hta (User ‘NETWORK SERVICE’) O4 - HKUS\S-1-5-18…\Run: [TabletWizard] %windir%\help\wizard.hta (User ‘SYSTEM’) O4 - HKUS.DEFAULT…\Run: [TabletWizard] %windir%\help\wizard.hta (User ‘Default user’) O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE O4 - Startup: Stardock ObjectDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat\ObjectDock\ObjectDock.exe O4 - Global Startup: Bluetooth Manager.lnk = ? O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredi … p=ZCfox000 O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?c8f75d22b8f34a779f0970fe62cb8a5c O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?c8f75d22b8f34a779f0970fe62cb8a5c O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll O14 - IERESET.INF: START_PAGE_URL=http://www.pcworld.pl O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.pl/resources/virus … nicode.cab O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab O17 - HKLM\System\CCS\Services\Tcpip…{165BEF44-E842-4ACC-A770-5D25FF947E39}: NameServer = 194.64.31.3 O17 - HKLM\System\CCS\Services\Tcpip…{20E387B5-A5D8-4AA8-85B1-98458C9D60CE}: NameServer = 194.64.31.3 O17 - HKLM\System\CCS\Services\Tcpip…{8B3FF419-473F-4E6D-B390-4151B98CA121}: NameServer = 194.64.31.3 O17 - HKLM\System\CCS\Services\Tcpip…{B5BE15B3-64DD-46D8-BCB7-AC0563D32C5C}: NameServer = 194.64.31.3 O17 - HKLM\System\CCS\Services\Tcpip…{EFD3E199-B6DF-4DE2-8D5D-426A33668A12}: NameServer = 194.64.31.3 O17 - HKLM\System\CCS\Services\Tcpip…{FFCCDF6E-D9C5-4F45-B6E7-BC7A6087F082}: NameServer = 194.64.31.3 O17 - HKLM\System\CS1\Services\Tcpip…{165BEF44-E842-4ACC-A770-5D25FF947E39}: NameServer = 194.64.31.3 O17 - HKLM\System\CS2\Services\Tcpip…{165BEF44-E842-4ACC-A770-5D25FF947E39}: NameServer = 194.64.31.3 O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O20 - AppInit_DLLs: c:\windows\system32\hggfddc.dll O20 - Winlogon Notify: diani32 - C:\WINDOWS\ O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Sygate Personal Firewall Pro (SmcService) - Unknown owner - C:\Program Files\Sygate\SPF\smc.exe (file missing) O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe O23 - Service: Tmesrv3 (Tmesrv) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe (file missing) – End of file - 8438 bytes

i z combo

ComboFix 07-09-08.7 - “User” 2007-09-08 16:04:01.4 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.112 [GMT 1:00] . ((((((((((((((((((((((((( Files Created from 2007-08-08 to 2007-09-08 ))))))))))))))))))))))))))))))) . 2007-09-08 15:58 2007-09-08 15:47 53,248 --a------ C:\WINDOWS\system32\Process.exe 2007-09-08 15:47 51,200 --a------ C:\WINDOWS\system32\dumphive.exe 2007-09-08 15:47 4,320 --a------ C:\WINDOWS\system32\tmp.reg 2007-09-08 15:47 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe 2007-09-08 15:47 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe 2007-09-08 15:36 2007-09-08 14:06 51,200 --a------ C:\WINDOWS\NirCmd.exe 2007-09-08 11:41 2007-09-07 13:15 2007-09-07 12:07 2007-08-18 16:55 2007-08-18 16:55 2007-08-18 16:55 2007-08-13 20:47 55,235 --a------ C:\WINDOWS\system32\qwerty12.exe(1).VIR . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-09-08 15:52 --------- d-------- C:\DOCUME~1\User\APPLIC~1\Skype 2007-09-08 14:22 394112 --a------ C:\WINDOWS\system32\drivers\tcpip.sys 2007-09-08 14:02 --------- d-------- C:\Program Files\Windows Live Toolbar 2007-09-08 14:02 --------- d-------- C:\Program Files\Gadu-Gadu 2007-09-08 09:50 --------- d-------- C:\Program Files\microsoft frontpage 2007-09-07 13:05 --------- d-------- C:\Program Files\MSN Messenger 2007-08-23 23:39 --------- d-------- C:\Program Files\Winamp 2007-08-15 13:14 --------- d-------- C:\Program Files\VstPlugins 2007-08-15 12:56 --------- d-------- C:\Program Files\Common Files\Symantec Shared 2007-08-15 12:54 --------- d-------- C:\Program Files\Image-Line 2007-08-05 14:55 --------- d-------- C:\Program Files\eMule 2007-08-05 12:15 --------- d-------- C:\Program Files\Kaspersky Lab 2007-07-10 13:23 --------- d-------- C:\DOCUME~1\User\APPLIC~1\GanymedeNet 2007-07-01 20:45 6566912 --a------ C:\winamp532_full.exe 2007-06-24 22:54 22080 --a------ C:\WINDOWS\system32\V07UdmkK.exe . C:\WINDOWS\system32\drivers\tcpip.sys … is infected (additional data below) 394,112 2007-09-08 13:22:02 C:\WINDOWS\system32\drivers\tcpip.sys ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . *Note* empty entries legit default entries are not shown [HKEY_LOCAL_MACHINE~\Browser Helper Objects{07AA283A-43D7-4CBE-A064-32A21112D94D}] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “TabletWizard”=“C:\WINDOWS\help\SplshWrp.exe” [2004-08-04 13:00] “TabletTip”=“C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe” [2004-08-04 13:00] “NvCplDaemon”=“C:\WINDOWS\system32\NvCpl.dll” [2004-04-15 15:05] “nwiz”=“nwiz.exe” [2004-04-15 15:05 C:\WINDOWS\system32\nwiz.exe] “SoundMAXPnP”=“C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe” [] “SoundMAX”=“C:\Program Files\Analog Devices\SoundMAX\Smax4.exe” [] “00THotkey”=“C:\WINDOWS\system32\00THotkey.exe” [] “CrossMenu”=“C:\Program Files\Toshiba\CrossMenu\CrossMenu.exe” [] “TapButt”=“C:\Program Files\Toshiba\TapButton\TapButt.exe” [] “000StTHK”=“000StTHK.exe” [2001-06-23 20:28 C:\WINDOWS\system32\000StTHK.exe] “Apoint”=“C:\Program Files\Apoint2K\Apoint.exe” [] “AGRSMMSG”=“AGRSMMSG.exe” [2004-02-20 15:00 C:\WINDOWS\agrsmmsg.exe] “SmoothView”=“C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe” [] “TosRotation”=“C:\Program Files\TOSHIBA\TOSHIBA Rotation Utility\TRot.exe” [] “TPSMain”=“TPSMain.exe” [2004-06-28 09:29 C:\WINDOWS\system32\TPSMain.exe] “TMESRV.EXE”=“C:\Program Files\TOSHIBA\TME3\TMESRV31.exe” [] “TMERzCtl.EXE”=“C:\Program Files\TOSHIBA\TME3\TMERzCtl.exe” [] “TAcelMgr”=“C:\Program Files\TOSHIBA\Acceleration Utilities\TAcelMgr\TAcelMgr.exe” [] “TSkrMain”=“C:\Program Files\TOSHIBA\Acceleration Utilities\Shaker\TSkrMain.exe” [] “TouchED”=“C:\Program Files\TOSHIBA\TouchED\TouchED.Exe” [] “NDSTray.exe”=“NDSTray.exe” [] “Sensiva”=“C:\Symbol Commander\Sensiva.exe” [] “TFNF5”=“TFNF5.exe” [2003-12-02 14:15 C:\WINDOWS\system32\TFNF5.exe] “NeroFilterCheck”=“C:\WINDOWS\system32\NeroCheck.exe” [] “SmcService”=“C:\PROGRA~1\Sygate\SPF\smc.exe” [] “BluetoothAuthenticationAgent”=“bthprops.cpl” [2004-08-04 13:00 C:\WINDOWS\system32\bthprops.cpl] “CFSServ.exe”=“CFSServ.exe” [] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-04 13:00] “Skype”=“C:\Program Files\Skype\Phone\Skype.exe” [2007-05-28 14:52] “MsnMsgr”=“C:\Program Files\MSN Messenger\MsnMsgr.exe” [] “Gadu-Gadu”=“C:\Program Files\Gadu-Gadu\gg.exe” [2007-01-30 15:58] “iDesk”=“C:\Program Files\INTERIAPL\iDesk\iDesk.exe” [2007-08-21 10:35] [HKEY_USERS.default\software\microsoft\windows\currentversion\run] “TabletWizard”=%windir%\help\wizard.hta “msnmsgr”=“C:\Program Files\MSN Messenger\msnmsgr.exe” /background C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\ Bluetooth Manager.lnk - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2004-06-17 23:33:06] Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04] C:\DOCUME~1\User\STARTM~1\Programs\Startup\ Microsoft Office OneNote 2003 Quick Launch.lnk - C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2004-06-11 21:57:52] Stardock ObjectDock.lnk - C:\WINDOWS\BricoPacks\Vista Inspirat\ObjectDock\ObjectDock.exe [2005-02-21 14:56:00] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\diani32] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\loginkey] C:\Program Files\Common Files\Microsoft Shared\Ink\loginkey.dll 2004-08-04 13:00 47104 C:\Program Files\Common Files\Microsoft Shared\Ink\LoginKey.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TabBtnWL] TabBtnWL.dll 2002-08-29 03:41 11776 C:\WINDOWS\system32\tabbtnwl.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpgwlnotify] tpgwlnot.dll 2004-08-04 13:00 30208 C:\WINDOWS\system32\tpgwlnot.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] “appinit_dlls”=c:\windows\system32\hggfddc.dll [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] “Authentication Packages”= msv1_0 nwprovau R1 TMEI3E;TMEI3E;C:\WINDOWS\system32\Drivers\TMEI3E.SYS R3 TBtnKey;TOSHIBA Tablet PC Buttons Type N HID Driver;C:\WINDOWS\system32\DRIVERS\TBtnKey.sys R3 tosrfec;Bluetooth ACPI from TOSHIBA;C:\WINDOWS\system32\DRIVERS\tosrfec.sys R3 w70n51;Intel® PRO/Wireless 2100 Adapter Driver;C:\WINDOWS\system32\DRIVERS\w70n51.sys R3 WacomPen;Wacom Serial Pen HID Driver;C:\WINDOWS\system32\DRIVERS\wacompen.sys S3 DIBLOAD2;Digital TV firmware loader(Type 2);C:\WINDOWS\system32\DRIVERS\dgtvload2.sys S3 MODUSB;Digital TV DVB-T USB adapter driver;C:\WINDOWS\system32\Drivers\dgtvcap.sys [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{fa6ee9b0-d581-11db-8f0f-00080d7044d7}] AutoRun\command- D:\SETUP\Setup.exe . Contents of the ‘Scheduled Tasks’ folder “2007-09-08 15:03:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job” - C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE “2007-02-06 15:03:12 C:\WINDOWS\Tasks\Registration reminder 1.job” - C:\WINDOWS\system32\OOBE\oobebaln.exe “2007-02-06 15:03:14 C:\WINDOWS\Tasks\Registration reminder 2.job” “2007-02-06 15:03:16 C:\WINDOWS\Tasks\Registration reminder 3.job” - C:\WINDOWS\system32\OOBE\oobebaln.exe . ************************************************************************** catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-09-08 16:04:25 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2007-09-08 16:05:04 C:\ComboFix-quarantined-files.txt … 2007-09-08 16:04 C:\ComboFix2.txt … 2007-09-08 16:02 C:\ComboFix3.txt … 2007-09-08 14:46 . — E O F — i co teraz ??? ktos moze mi jeszcze pomoc ?? z gory dziekuje

Gutek · 8 Wrzesień 2007 16:48

Pobierz program SDFix

rentgen · 9 Wrzesień 2007 10:24

SD fix zrobiony, oto raport:

SDFix: Version 1.102 Run by User on 09/09/2007 at 11:09 Microsoft Windows XP [Version 5.1.2600] Running From: C:\DOCUME~1\User\Desktop\fixy\SDFix Safe Mode: Checking Services: Infected tcpip.sys Found! tcpip.sys File Locations: “C:\WINDOWS\system32\drivers\tcpip.sys” 394112 08/09/2007 14:22 Detected Patched Files Are Listed Below: C:\WINDOWS\system32\drivers\tcpip.sys Note: SDFix Does Not Repair This File! If No Clean Copies Are Found Download The Below Update To Restore Original Files: http://www.microsoft.com/technet/securi … 6-032.mspx Restoring Windows Registry Values Restoring Windows Default Hosts File Rebooting… Normal Mode: Checking Files: Trojan Files Found: C:\WINDOWS\spooldr.ini - Deleted Removing Temp Files… ADS Check: C:\WINDOWS No streams found. C:\WINDOWS\system32 No streams found. C:\WINDOWS\system32\svchost.exe No streams found. C:\WINDOWS\system32\ntoskrnl.exe No streams found. Final Check: Remaining Services: ------------------ Authorized Application Key Export: [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list] “C:\Program Files\Skype\Phone\Skype.exe”="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype. Take a deep breath " [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list] Remaining Files: --------------- File Backups: - C:\DOCUME~1\User\Desktop\fixy\SDFix\backups\backups.zip Files with Hidden Attributes: C:\Documents and Settings\User\Application Data\Microsoft\Word~WRL0743.tmp C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Journal\Cache\NB18.tmp C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Journal\Cache\NB9.tmp C:\WINDOWS\system32\config\SAM.tmp.LOG C:\WINDOWS\system32\config\SECURITY.tmp.LOG Finished

i cobmo

ComboFix 07-09-08.7 - “User” 2007-09-09 11:20:56.5 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.120 [GMT 1:00] . ((((((((((((((((((((((((( Files Created from 2007-08-09 to 2007-09-09 ))))))))))))))))))))))))))))))) . 2007-09-09 11:08 2007-09-08 15:58 2007-09-08 15:47 53,248 --a------ C:\WINDOWS\system32\Process.exe 2007-09-08 15:47 51,200 --a------ C:\WINDOWS\system32\dumphive.exe 2007-09-08 15:47 4,320 --a------ C:\WINDOWS\system32\tmp.reg 2007-09-08 15:47 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe 2007-09-08 15:47 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe 2007-09-08 15:36 2007-09-08 14:06 51,200 --a------ C:\WINDOWS\NirCmd.exe 2007-09-08 11:41 2007-09-07 13:15 2007-09-07 12:07 2007-08-18 16:55 2007-08-18 16:55 2007-08-18 16:55 2007-08-13 20:47 55,235 --a------ C:\WINDOWS\system32\qwerty12.exe(1).VIR . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-09-09 11:18 --------- d-------- C:\DOCUME~1\User\APPLIC~1\Skype 2007-09-08 14:22 394112 --a------ C:\WINDOWS\system32\drivers\tcpip.sys 2007-09-08 14:02 --------- d-------- C:\Program Files\Windows Live Toolbar 2007-09-08 14:02 --------- d-------- C:\Program Files\Gadu-Gadu 2007-09-08 09:50 --------- d-------- C:\Program Files\microsoft frontpage 2007-09-07 13:05 --------- d-------- C:\Program Files\MSN Messenger 2007-08-23 23:39 --------- d-------- C:\Program Files\Winamp 2007-08-15 13:14 --------- d-------- C:\Program Files\VstPlugins 2007-08-15 12:56 --------- d-------- C:\Program Files\Common Files\Symantec Shared 2007-08-15 12:54 --------- d-------- C:\Program Files\Image-Line 2007-08-05 14:55 --------- d-------- C:\Program Files\eMule 2007-08-05 12:15 --------- d-------- C:\Program Files\Kaspersky Lab 2007-07-10 13:23 --------- d-------- C:\DOCUME~1\User\APPLIC~1\GanymedeNet 2007-07-01 20:45 6566912 --a------ C:\winamp532_full.exe 2007-06-24 22:54 22080 --a------ C:\WINDOWS\system32\V07UdmkK.exe . C:\WINDOWS\system32\drivers\tcpip.sys … is infected (additional data below) 394,112 2007-09-08 13:22:02 C:\WINDOWS\system32\drivers\tcpip.sys ((((((((((((((((((((((((((((( snapshot_2007-09-08_144619.72 ))))))))))))))))))))))))))))))))))))))))) . ----a-w 163,328 2007-09-05 10:43:25 C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE ----a-w 3,383,296 2007-09-09 10:08:55 C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT ----a-w 32,768 2007-09-09 10:08:55 C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat ----a-w 163,328 2007-09-05 10:43:25 C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE ----a-w 3,383,296 2007-09-09 10:08:53 C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT ----a-w 32,768 2007-09-09 10:08:53 C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . *Note* empty entries legit default entries are not shown [HKEY_LOCAL_MACHINE~\Browser Helper Objects{07AA283A-43D7-4CBE-A064-32A21112D94D}] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “TabletWizard”=“C:\WINDOWS\help\SplshWrp.exe” [2004-08-04 13:00] “TabletTip”=“C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe” [2004-08-04 13:00] “NvCplDaemon”=“C:\WINDOWS\system32\NvCpl.dll” [2004-04-15 15:05] “nwiz”=“nwiz.exe” [2004-04-15 15:05 C:\WINDOWS\system32\nwiz.exe] “SoundMAXPnP”=“C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe” [] “SoundMAX”=“C:\Program Files\Analog Devices\SoundMAX\Smax4.exe” [] “00THotkey”=“C:\WINDOWS\system32\00THotkey.exe” [] “CrossMenu”=“C:\Program Files\Toshiba\CrossMenu\CrossMenu.exe” [] “TapButt”=“C:\Program Files\Toshiba\TapButton\TapButt.exe” [] “000StTHK”=“000StTHK.exe” [2001-06-23 20:28 C:\WINDOWS\system32\000StTHK.exe] “Apoint”=“C:\Program Files\Apoint2K\Apoint.exe” [] “AGRSMMSG”=“AGRSMMSG.exe” [2004-02-20 15:00 C:\WINDOWS\agrsmmsg.exe] “SmoothView”=“C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe” [] “TosRotation”=“C:\Program Files\TOSHIBA\TOSHIBA Rotation Utility\TRot.exe” [] “TPSMain”=“TPSMain.exe” [2004-06-28 09:29 C:\WINDOWS\system32\TPSMain.exe] “TMESRV.EXE”=“C:\Program Files\TOSHIBA\TME3\TMESRV31.exe” [] “TMERzCtl.EXE”=“C:\Program Files\TOSHIBA\TME3\TMERzCtl.exe” [] “TAcelMgr”=“C:\Program Files\TOSHIBA\Acceleration Utilities\TAcelMgr\TAcelMgr.exe” [] “TSkrMain”=“C:\Program Files\TOSHIBA\Acceleration Utilities\Shaker\TSkrMain.exe” [] “TouchED”=“C:\Program Files\TOSHIBA\TouchED\TouchED.Exe” [] “NDSTray.exe”=“NDSTray.exe” [] “Sensiva”=“C:\Symbol Commander\Sensiva.exe” [] “TFNF5”=“TFNF5.exe” [2003-12-02 14:15 C:\WINDOWS\system32\TFNF5.exe] “NeroFilterCheck”=“C:\WINDOWS\system32\NeroCheck.exe” [] “SmcService”=“C:\PROGRA~1\Sygate\SPF\smc.exe” [] “BluetoothAuthenticationAgent”=“bthprops.cpl” [2004-08-04 13:00 C:\WINDOWS\system32\bthprops.cpl] “CFSServ.exe”=“CFSServ.exe” [] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-04 13:00] “Skype”=“C:\Program Files\Skype\Phone\Skype.exe” [2007-05-28 14:52] “MsnMsgr”=“C:\Program Files\MSN Messenger\MsnMsgr.exe” [] “Gadu-Gadu”=“C:\Program Files\Gadu-Gadu\gg.exe” [2007-01-30 15:58] “iDesk”=“C:\Program Files\INTERIAPL\iDesk\iDesk.exe” [2007-08-21 10:35] [HKEY_USERS.default\software\microsoft\windows\currentversion\run] “TabletWizard”=%windir%\help\wizard.hta “msnmsgr”=“C:\Program Files\MSN Messenger\msnmsgr.exe” /background C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\ Bluetooth Manager.lnk - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2004-06-17 23:33:06] Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04] C:\DOCUME~1\User\STARTM~1\Programs\Startup\ Microsoft Office OneNote 2003 Quick Launch.lnk - C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2004-06-11 21:57:52] Stardock ObjectDock.lnk - C:\WINDOWS\BricoPacks\Vista Inspirat\ObjectDock\ObjectDock.exe [2005-02-21 14:56:00] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\diani32] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\loginkey] C:\Program Files\Common Files\Microsoft Shared\Ink\loginkey.dll 2004-08-04 13:00 47104 C:\Program Files\Common Files\Microsoft Shared\Ink\LoginKey.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TabBtnWL] TabBtnWL.dll 2002-08-29 03:41 11776 C:\WINDOWS\system32\tabbtnwl.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpgwlnotify] tpgwlnot.dll 2004-08-04 13:00 30208 C:\WINDOWS\system32\tpgwlnot.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] “appinit_dlls”=c:\windows\system32\hggfddc.dll [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] “Authentication Packages”= msv1_0 nwprovau R1 TMEI3E;TMEI3E;C:\WINDOWS\system32\Drivers\TMEI3E.SYS R3 TBtnKey;TOSHIBA Tablet PC Buttons Type N HID Driver;C:\WINDOWS\system32\DRIVERS\TBtnKey.sys R3 tosrfec;Bluetooth ACPI from TOSHIBA;C:\WINDOWS\system32\DRIVERS\tosrfec.sys R3 w70n51;Intel® PRO/Wireless 2100 Adapter Driver;C:\WINDOWS\system32\DRIVERS\w70n51.sys R3 WacomPen;Wacom Serial Pen HID Driver;C:\WINDOWS\system32\DRIVERS\wacompen.sys S3 DIBLOAD2;Digital TV firmware loader(Type 2);C:\WINDOWS\system32\DRIVERS\dgtvload2.sys S3 MODUSB;Digital TV DVB-T USB adapter driver;C:\WINDOWS\system32\Drivers\dgtvcap.sys [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{fa6ee9b0-d581-11db-8f0f-00080d7044d7}] AutoRun\command- D:\SETUP\Setup.exe . Contents of the ‘Scheduled Tasks’ folder “2007-09-09 10:03:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job” - C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE “2007-02-06 15:03:12 C:\WINDOWS\Tasks\Registration reminder 1.job” - C:\WINDOWS\system32\OOBE\oobebaln.exe “2007-02-06 15:03:14 C:\WINDOWS\Tasks\Registration reminder 2.job” “2007-02-06 15:03:16 C:\WINDOWS\Tasks\Registration reminder 3.job” - C:\WINDOWS\system32\OOBE\oobebaln.exe . ************************************************************************** catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-09-09 11:22:08 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2007-09-09 11:23:03 C:\ComboFix-quarantined-files.txt … 2007-09-09 11:22 C:\ComboFix2.txt … 2007-09-08 16:05 C:\ComboFix3.txt … 2007-09-08 16:02 . — E O F —

Gutek · 9 Wrzesień 2007 17:43

nie naprawiony sterownik musisz podmienić

Użyj VundoFix + Trojan.Vundo Removal Tool + VirtumundoBeGone.

usuń plik C:\WINDOWS\system32*qwerty12.exe(1).VIR*

rentgen · 10 Wrzesień 2007 11:06

Do gutek2222

te narzedzia o ktorych piszesz juz byly uzyte wczesniej i nic nie wykryly, mam to zrobic jeszcze raz ??. Plik z windowsa usunalem. Co do podmiany pliku tcpip.sys to nie mam takiej mozliwosci poniewaz w lapopie nie ma cd-romu i nie mam dysku z systemem. Da si\e to jakos zassac z neta ??

Gutek · 10 Wrzesień 2007 21:04

Spróbuj - http://www.microsoft.com/downloads/deta … 8430a1f7c8

rentgen · 10 Wrzesień 2007 22:57

dzieki gutek2222 juz nie ma tego syfu podaje loga z combo

ComboFix 07-09-08.7 - “User” 2007-09-10 23:47:02.6 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.169 [GMT 1:00] . ((((((((((((((((((((((((( Files Created from 2007-08-10 to 2007-09-10 ))))))))))))))))))))))))))))))) . 2007-09-09 11:08 2007-09-08 15:58 2007-09-08 15:47 53,248 --a------ C:\WINDOWS\system32\Process.exe 2007-09-08 15:47 51,200 --a------ C:\WINDOWS\system32\dumphive.exe 2007-09-08 15:47 4,320 --a------ C:\WINDOWS\system32\tmp.reg 2007-09-08 15:47 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe 2007-09-08 15:47 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe 2007-09-08 15:36 2007-09-08 14:06 51,200 --a------ C:\WINDOWS\NirCmd.exe 2007-09-08 11:41 2007-09-07 13:15 2007-09-07 12:07 2007-08-18 16:55 2007-08-18 16:55 2007-08-18 16:55 . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-09-10 23:45 --------- d-------- C:\DOCUME~1\User\APPLIC~1\Skype 2007-09-08 14:02 --------- d-------- C:\Program Files\Windows Live Toolbar 2007-09-08 14:02 --------- d-------- C:\Program Files\Gadu-Gadu 2007-09-08 09:50 --------- d-------- C:\Program Files\microsoft frontpage 2007-09-07 13:05 --------- d-------- C:\Program Files\MSN Messenger 2007-08-23 23:39 --------- d-------- C:\Program Files\Winamp 2007-08-15 13:14 --------- d-------- C:\Program Files\VstPlugins 2007-08-15 12:56 --------- d-------- C:\Program Files\Common Files\Symantec Shared 2007-08-15 12:54 --------- d-------- C:\Program Files\Image-Line 2007-08-05 14:55 --------- d-------- C:\Program Files\eMule 2007-08-05 12:15 --------- d-------- C:\Program Files\Kaspersky Lab 2007-07-10 13:23 --------- d-------- C:\DOCUME~1\User\APPLIC~1\GanymedeNet 2007-07-01 20:45 6566912 --a------ C:\winamp532_full.exe 2007-06-24 22:54 22080 --a------ C:\WINDOWS\system32\V07UdmkK.exe . ((((((((((((((((((((((((((((( snapshot_2007-09-08_144619.72 ))))))))))))))))))))))))))))))))))))))))) . -c----w 394,112 2007-09-08 13:22:02 C:\WINDOWS$NtUninstallKB884020$\tcpip.sys -c----w 169,984 2004-08-07 04:30:23 C:\WINDOWS$NtUninstallKB884020$\spuninst\spuninst.exe ----a-w 163,328 2007-09-05 10:43:25 C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE ----a-w 3,383,296 2007-09-09 10:08:55 C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT ----a-w 32,768 2007-09-09 10:08:55 C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat ----a-w 163,328 2007-09-05 10:43:25 C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE ----a-w 3,383,296 2007-09-09 10:08:53 C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT ----a-w 32,768 2007-09-09 10:08:53 C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat ------w 7,168 2004-07-28 23:15:00 C:\WINDOWS\system32\spmsg.dll ----a-w 359,040 2004-08-13 22:50:43 C:\WINDOWS\system32\drivers\tcpip.sys . ----a-w 394,112 2007-09-08 13:22:02 C:\WINDOWS\system32\drivers\tcpip.sys . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE~\Browser Helper Objects{07AA283A-43D7-4CBE-A064-32A21112D94D}] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “TabletWizard”=“C:\WINDOWS\help\SplshWrp.exe” [2004-08-04 13:00] “TabletTip”=“C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe” [2004-08-04 13:00] “NvCplDaemon”=“C:\WINDOWS\system32\NvCpl.dll” [2004-04-15 15:05] “nwiz”=“nwiz.exe” [2004-04-15 15:05 C:\WINDOWS\system32\nwiz.exe] “SoundMAXPnP”=“C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe” [] “SoundMAX”=“C:\Program Files\Analog Devices\SoundMAX\Smax4.exe” [] “00THotkey”=“C:\WINDOWS\system32\00THotkey.exe” [] “CrossMenu”=“C:\Program Files\Toshiba\CrossMenu\CrossMenu.exe” [] “TapButt”=“C:\Program Files\Toshiba\TapButton\TapButt.exe” [] “000StTHK”=“000StTHK.exe” [2001-06-23 20:28 C:\WINDOWS\system32\000StTHK.exe] “Apoint”=“C:\Program Files\Apoint2K\Apoint.exe” [] “AGRSMMSG”=“AGRSMMSG.exe” [2004-02-20 15:00 C:\WINDOWS\agrsmmsg.exe] “SmoothView”=“C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe” [] “TosRotation”=“C:\Program Files\TOSHIBA\TOSHIBA Rotation Utility\TRot.exe” [] “TPSMain”=“TPSMain.exe” [2004-06-28 09:29 C:\WINDOWS\system32\TPSMain.exe] “TMESRV.EXE”=“C:\Program Files\TOSHIBA\TME3\TMESRV31.exe” [] “TMERzCtl.EXE”=“C:\Program Files\TOSHIBA\TME3\TMERzCtl.exe” [] “TAcelMgr”=“C:\Program Files\TOSHIBA\Acceleration Utilities\TAcelMgr\TAcelMgr.exe” [] “TSkrMain”=“C:\Program Files\TOSHIBA\Acceleration Utilities\Shaker\TSkrMain.exe” [] “TouchED”=“C:\Program Files\TOSHIBA\TouchED\TouchED.Exe” [] “NDSTray.exe”=“NDSTray.exe” [] “Sensiva”=“C:\Symbol Commander\Sensiva.exe” [] “TFNF5”=“TFNF5.exe” [2003-12-02 14:15 C:\WINDOWS\system32\TFNF5.exe] “NeroFilterCheck”=“C:\WINDOWS\system32\NeroCheck.exe” [] “SmcService”=“C:\PROGRA~1\Sygate\SPF\smc.exe” [] “BluetoothAuthenticationAgent”=“bthprops.cpl” [2004-08-04 13:00 C:\WINDOWS\system32\bthprops.cpl] “CFSServ.exe”=“CFSServ.exe” [] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-04 13:00] “Skype”=“C:\Program Files\Skype\Phone\Skype.exe” [2007-05-28 14:52] “MsnMsgr”=“C:\Program Files\MSN Messenger\MsnMsgr.exe” [] “Gadu-Gadu”=“C:\Program Files\Gadu-Gadu\gg.exe” [2007-01-30 15:58] “iDesk”=“C:\Program Files\INTERIAPL\iDesk\iDesk.exe” [2007-08-21 10:35] [HKEY_USERS.default\software\microsoft\windows\currentversion\run] “TabletWizard”=%windir%\help\wizard.hta “msnmsgr”=“C:\Program Files\MSN Messenger\msnmsgr.exe” /background C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\ Bluetooth Manager.lnk - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2004-06-17 23:33:06] Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04] C:\DOCUME~1\User\STARTM~1\Programs\Startup\ Microsoft Office OneNote 2003 Quick Launch.lnk - C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2004-06-11 21:57:52] Stardock ObjectDock.lnk - C:\WINDOWS\BricoPacks\Vista Inspirat\ObjectDock\ObjectDock.exe [2005-02-21 14:56:00] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\diani32] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\loginkey] C:\Program Files\Common Files\Microsoft Shared\Ink\loginkey.dll 2004-08-04 13:00 47104 C:\Program Files\Common Files\Microsoft Shared\Ink\LoginKey.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TabBtnWL] TabBtnWL.dll 2002-08-29 03:41 11776 C:\WINDOWS\system32\tabbtnwl.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpgwlnotify] tpgwlnot.dll 2004-08-04 13:00 30208 C:\WINDOWS\system32\tpgwlnot.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] “appinit_dlls”=c:\windows\system32\hggfddc.dll [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] “Authentication Packages”= msv1_0 nwprovau R1 TMEI3E;TMEI3E;C:\WINDOWS\system32\Drivers\TMEI3E.SYS R3 TBtnKey;TOSHIBA Tablet PC Buttons Type N HID Driver;C:\WINDOWS\system32\DRIVERS\TBtnKey.sys R3 tosrfec;Bluetooth ACPI from TOSHIBA;C:\WINDOWS\system32\DRIVERS\tosrfec.sys R3 w70n51;Intel® PRO/Wireless 2100 Adapter Driver;C:\WINDOWS\system32\DRIVERS\w70n51.sys R3 WacomPen;Wacom Serial Pen HID Driver;C:\WINDOWS\system32\DRIVERS\wacompen.sys S3 DIBLOAD2;Digital TV firmware loader(Type 2);C:\WINDOWS\system32\DRIVERS\dgtvload2.sys S3 MODUSB;Digital TV DVB-T USB adapter driver;C:\WINDOWS\system32\Drivers\dgtvcap.sys [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{fa6ee9b0-d581-11db-8f0f-00080d7044d7}] AutoRun\command- D:\SETUP\Setup.exe . Contents of the ‘Scheduled Tasks’ folder “2007-09-10 17:03:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job” “2007-02-06 15:03:12 C:\WINDOWS\Tasks\Registration reminder 1.job” - C:\WINDOWS\system32\OOBE\oobebaln.exe “2007-02-06 15:03:14 C:\WINDOWS\Tasks\Registration reminder 2.job” “2007-02-06 15:03:16 C:\WINDOWS\Tasks\Registration reminder 3.job” - C:\WINDOWS\system32\OOBE\oobebaln.exe . ************************************************************************** catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-09-10 23:48:35 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2007-09-10 23:49:26 C:\ComboFix-quarantined-files.txt … 2007-09-10 23:49 . — E O F —

tylko nadal nie mam paska zadan

ale dzieki wam za serdeczna pomoc

Gutek · 11 Wrzesień 2007 00:18

Czyszczenie rejestru:

RegCleaner - http://www.dobreprogramy.pl/index.php?dz=2&t=29&id=177

możesz rejestr przelecieć albo

jv16 PowerTools - http://www.dobreprogramy.pl/index.php?dz=2&t=29&id=509

Opis RegCleaner - http://www.agavk.p9.pl/strony/progra_regcleaner.php

Zobacz - Obsługa jv16 PowerTools

zobacz - http://support.microsoft.com/kb/318027/pl

albo użyj - http://www.searchengines.pl/index.php?showtopic=39226

rentgen · 12 Wrzesień 2007 11:00

Po czyszczeniu rejestru pasek sie pokazal ale dalej jest zainfekowany tspip.sys. podaje logi

Logfile of Trend Micro HijackThis v2.0.0 (BETA) Scan saved at 20:26:22, on 11/09/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\SYSTEM32\WISPTIS.EXE C:\WINDOWS\System32\tabbtnu.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe C:\WINDOWS\AGRSMMSG.exe C:\WINDOWS\system32\TPSMain.exe C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe C:\WINDOWS\system32\TFNF5.exe C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe C:\Program Files\Skype\Phone\Skype.exe C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe C:\Program Files\Gadu-Gadu\gg.exe C:\Program Files\INTERIAPL\iDesk\iDesk.exe C:\WINDOWS\system32\TPSBattM.exe C:\Program Files\Skype\Plugin Manager\skypePM.exe C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\wuauclt.exe C:\Documents and Settings\User\Desktop\HiJackThis_v2.exe C:\Program Files\Gadu-Gadu\gg.exe C:\Program Files\Windows Media Player\wmplayer.exe R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ; O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: Zango /fleok=1D8A83A5C7E5197A91AC6B2A1FBB39BFE4976E26CAEDA120180A196D6093 - {07AA283A-43D7-4CBE-A064-32A21112D94D} - (no file) O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O4 - HKLM…\Run: [TabletWizard] C:\WINDOWS\help\SplshWrp.exe O4 - HKLM…\Run: [TabletTip] “C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe” /resume O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM…\Run: [nwiz] nwiz.exe /installquiet O4 - HKLM…\Run: [000StTHK] 000StTHK.exe O4 - HKLM…\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM…\Run: [TPSMain] TPSMain.exe O4 - HKLM…\Run: [TAcelMgr] C:\Program Files\TOSHIBA\Acceleration Utilities\TAcelMgr\TAcelMgr.exe O4 - HKLM…\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe O4 - HKLM…\Run: [NDSTray.exe] NDSTray.exe O4 - HKLM…\Run: [TFNF5] TFNF5.exe O4 - HKLM…\Run: [CFSServ.exe] CFSServ.exe -NoClient O4 - HKCU…\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU…\Run: [skype] “C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray O4 - HKCU…\Run: [iDesk] C:\Program Files\INTERIAPL\iDesk\iDesk.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredi … p=ZCfox000 O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?c8f75d22b8f34a779f0970fe62cb8a5c O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?c8f75d22b8f34a779f0970fe62cb8a5c O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll O14 - IERESET.INF: START_PAGE_URL=http://www.pcworld.pl O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.pl/resources/virus … nicode.cab O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab O17 - HKLM\System\CCS\Services\Tcpip…{165BEF44-E842-4ACC-A770-5D25FF947E39}: NameServer = 194.64.31.3 O17 - HKLM\System\CCS\Services\Tcpip…{20E387B5-A5D8-4AA8-85B1-98458C9D60CE}: NameServer = 194.64.31.3 O17 - HKLM\System\CCS\Services\Tcpip…{8B3FF419-473F-4E6D-B390-4151B98CA121}: NameServer = 194.64.31.3 O17 - HKLM\System\CCS\Services\Tcpip…{B5BE15B3-64DD-46D8-BCB7-AC0563D32C5C}: NameServer = 194.64.31.3 O17 - HKLM\System\CCS\Services\Tcpip…{EFD3E199-B6DF-4DE2-8D5D-426A33668A12}: NameServer = 194.64.31.3 O17 - HKLM\System\CCS\Services\Tcpip…{FFCCDF6E-D9C5-4F45-B6E7-BC7A6087F082}: NameServer = 194.64.31.3 O17 - HKLM\System\CS1\Services\Tcpip…{165BEF44-E842-4ACC-A770-5D25FF947E39}: NameServer = 194.64.31.3 O17 - HKLM\System\CS2\Services\Tcpip…{165BEF44-E842-4ACC-A770-5D25FF947E39}: NameServer = 194.64.31.3 O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O20 - Winlogon Notify: diani32 - C:\WINDOWS\ O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Sygate Personal Firewall Pro (SmcService) - Unknown owner - C:\Program Files\Sygate\SPF\smc.exe (file missing) O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe O23 - Service: Tmesrv3 (Tmesrv) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe (file missing) – End of file - 6390 bytes

ComboFix 07-09-08.7 - “User” 2007-09-11 20:29:52.8 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.160 [GMT 1:00] . ((((((((((((((((((((((((( Files Created from 2007-08-11 to 2007-09-11 ))))))))))))))))))))))))))))))) . 2007-09-11 20:19 360,576 -----c— C:\WINDOWS\system32\dllcache\tcpip.sys 2007-09-11 20:19 2007-09-11 11:49 23 --ahs---- C:\WINDOWS\system32\ceabeca_r.dll 2007-09-11 11:49 2007-09-11 10:56 2007-09-09 11:08 2007-09-08 15:58 2007-09-08 15:47 53,248 --a------ C:\WINDOWS\system32\Process.exe 2007-09-08 15:47 51,200 --a------ C:\WINDOWS\system32\dumphive.exe 2007-09-08 15:47 4,320 --a------ C:\WINDOWS\system32\tmp.reg 2007-09-08 15:47 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe 2007-09-08 15:47 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe 2007-09-08 15:36 2007-09-08 14:06 51,200 --a------ C:\WINDOWS\NirCmd.exe 2007-09-08 11:41 2007-09-07 13:15 2007-09-07 12:07 2007-08-18 16:55 2007-08-18 16:55 2007-08-18 16:55 . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-09-11 20:23 --------- d-------- C:\DOCUME~1\User\APPLIC~1\Skype 2007-09-08 14:02 --------- d-------- C:\Program Files\Windows Live Toolbar 2007-09-08 14:02 --------- d-------- C:\Program Files\Gadu-Gadu 2007-09-08 09:50 --------- d-------- C:\Program Files\microsoft frontpage 2007-09-07 13:05 --------- d-------- C:\Program Files\MSN Messenger 2007-08-23 23:39 --------- d-------- C:\Program Files\Winamp 2007-08-15 13:14 --------- d-------- C:\Program Files\VstPlugins 2007-08-15 12:56 --------- d-------- C:\Program Files\Common Files\Symantec Shared 2007-08-15 12:54 --------- d-------- C:\Program Files\Image-Line 2007-08-05 14:55 --------- d-------- C:\Program Files\eMule 2007-08-05 12:15 --------- d-------- C:\Program Files\Kaspersky Lab 2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll 2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll 2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe 2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll 2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll 2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll 2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll 2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll 2007-07-01 20:45 6566912 --a------ C:\winamp532_full.exe 2007-06-24 22:54 22080 --a------ C:\WINDOWS\system32\V07UdmkK.exe . ((((((((((((((((((((((((((((( snapshot_2007-09-08_144619.72 ))))))))))))))))))))))))))))))))))))))))) . -c----w 394,112 2007-09-08 13:22:02 C:\WINDOWS$NtUninstallKB884020$\tcpip.sys -c----w 169,984 2004-08-07 04:30:23 C:\WINDOWS$NtUninstallKB884020$\spuninst\spuninst.exe -c----w 359,040 2004-08-13 22:50:43 C:\WINDOWS$NtUninstallKB917953$\tcpip.sys -c----w 213,216 2005-10-12 23:12:26 C:\WINDOWS$NtUninstallKB917953$\spuninst\spuninst.exe -c----w 371,424 2005-10-12 23:12:33 C:\WINDOWS$NtUninstallKB917953$\spuninst\updspapi.dll ----a-w 163,328 2007-09-05 10:43:25 C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE ----a-w 3,383,296 2007-09-11 19:10:24 C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT ----a-w 32,768 2007-09-11 19:10:24 C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat ----a-w 163,328 2007-09-05 10:43:25 C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE ----a-w 3,383,296 2007-09-09 10:08:53 C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT ----a-w 32,768 2007-09-09 10:08:53 C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat ----a-w 14,048 2005-02-25 03:35:05 C:\WINDOWS\SoftwareDistribution\Download\126638ad80a740243aeee66683d803a7\spmsg.dll ----a-w 209,632 2005-02-25 03:35:05 C:\WINDOWS\SoftwareDistribution\Download\126638ad80a740243aeee66683d803a7\spuninst.exe ----a-w 22,752 2005-02-25 03:35:05 C:\WINDOWS\SoftwareDistribution\Download\126638ad80a740243aeee66683d803a7\spupdsvc.exe ----a-w 22,240 2005-02-25 03:35:05 C:\WINDOWS\SoftwareDistribution\Download\126638ad80a740243aeee66683d803a7\update\spcustom.dll ----a-w 718,048 2005-02-25 03:35:05 C:\WINDOWS\SoftwareDistribution\Download\126638ad80a740243aeee66683d803a7\update\update.exe ----a-w 371,936 2005-02-25 03:35:06 C:\WINDOWS\SoftwareDistribution\Download\126638ad80a740243aeee66683d803a7\update\updspapi.dll ----a-w 2,890,240 2005-05-04 13:45:32 C:\WINDOWS\SoftwareDistribution\Download\ad9c4c2a779933f83b51a49a2c88838d\msi.dll ----a-w 78,848 2005-05-04 13:45:36 C:\WINDOWS\SoftwareDistribution\Download\ad9c4c2a779933f83b51a49a2c88838d\msiexec.exe ----a-w 271,360 2005-05-04 13:45:36 C:\WINDOWS\SoftwareDistribution\Download\ad9c4c2a779933f83b51a49a2c88838d\msihnd.dll ----a-w 884,736 2005-05-04 13:45:36 C:\WINDOWS\SoftwareDistribution\Download\ad9c4c2a779933f83b51a49a2c88838d\msimsg.dll ----a-w 15,360 2005-05-04 13:45:36 C:\WINDOWS\SoftwareDistribution\Download\ad9c4c2a779933f83b51a49a2c88838d\msisip.dll ----a-w 13,536 2005-05-04 13:45:26 C:\WINDOWS\SoftwareDistribution\Download\ad9c4c2a779933f83b51a49a2c88838d\spmsg.dll ----a-w 209,632 2005-05-04 13:45:26 C:\WINDOWS\SoftwareDistribution\Download\ad9c4c2a779933f83b51a49a2c88838d\spuninst.exe ----a-w 22,240 2005-05-04 13:45:26 C:\WINDOWS\SoftwareDistribution\Download\ad9c4c2a779933f83b51a49a2c88838d\update\spcustom.dll ----a-w 718,048 2005-05-04 13:45:26 C:\WINDOWS\SoftwareDistribution\Download\ad9c4c2a779933f83b51a49a2c88838d\update\update.exe ----a-w 371,936 2005-05-04 13:45:28 C:\WINDOWS\SoftwareDistribution\Download\ad9c4c2a779933f83b51a49a2c88838d\update\updspapi.dll ------w 14,048 2005-10-12 23:12:25 C:\WINDOWS\system32\spmsg.dll -c–a-w 92,504 2007-07-30 18:19:20 C:\WINDOWS\system32\dllcache\cdm.dll -c–a-w 549,720 2007-07-30 18:19:36 C:\WINDOWS\system32\dllcache\wuapi.dll -c–a-w 53,080 2007-07-30 18:19:16 C:\WINDOWS\system32\dllcache\wuauclt.exe -c–a-w 1,712,984 2007-07-30 18:19:42 C:\WINDOWS\system32\dllcache\wuaueng.dll -c–a-w 325,976 2007-07-30 18:19:32 C:\WINDOWS\system32\dllcache\wucltui.dll -c–a-w 33,624 2007-07-30 18:18:40 C:\WINDOWS\system32\dllcache\wups.dll -c–a-w 203,096 2007-07-30 18:19:28 C:\WINDOWS\system32\dllcache\wuweb.dll ----a-w 360,576 2006-04-20 12:18:35 C:\WINDOWS\system32\drivers\tcpip.sys ----a-w 33,624 2007-07-30 18:18:40 C:\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.0.6000.381\wups.dll . ----a-w 394,112 2007-09-08 13:22:02 C:\WINDOWS\system32\drivers\tcpip.sys . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE~\Browser Helper Objects{07AA283A-43D7-4CBE-A064-32A21112D94D}] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “TabletWizard”=“C:\WINDOWS\help\SplshWrp.exe” [2004-08-04 13:00] “TabletTip”=“C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe” [2004-08-04 13:00] “NvCplDaemon”=“C:\WINDOWS\system32\NvCpl.dll” [2004-04-15 15:05] “nwiz”=“nwiz.exe” [2004-04-15 15:05 C:\WINDOWS\system32\nwiz.exe] “000StTHK”=“000StTHK.exe” [2001-06-23 20:28 C:\WINDOWS\system32\000StTHK.exe] “AGRSMMSG”=“AGRSMMSG.exe” [2004-02-20 15:00 C:\WINDOWS\agrsmmsg.exe] “TPSMain”=“TPSMain.exe” [2004-06-28 09:29 C:\WINDOWS\system32\TPSMain.exe] “TAcelMgr”=“C:\Program Files\TOSHIBA\Acceleration Utilities\TAcelMgr\TAcelMgr.exe” [] “TouchED”=“C:\Program Files\TOSHIBA\TouchED\TouchED.Exe” [] “NDSTray.exe”=“NDSTray.exe” [] “TFNF5”=“TFNF5.exe” [2003-12-02 14:15 C:\WINDOWS\system32\TFNF5.exe] “CFSServ.exe”=“CFSServ.exe” [] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-04 13:00] “Skype”=“C:\Program Files\Skype\Phone\Skype.exe” [2007-05-28 14:52] “Gadu-Gadu”=“C:\Program Files\Gadu-Gadu\gg.exe” [2007-01-30 15:58] “iDesk”=“C:\Program Files\INTERIAPL\iDesk\iDesk.exe” [2007-08-21 10:35] C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\ Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] “NoBandCustomize”=0 (0x0) “NoMovingBands”=0 (0x0) “NoCloseDragDropBands”=0 (0x0) “NoSetTaskbar”=0 (0x0) “NoToolbarsOnTaskbar”=0 (0x0) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\diani32] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\loginkey] C:\Program Files\Common Files\Microsoft Shared\Ink\loginkey.dll 2004-08-04 13:00 47104 C:\Program Files\Common Files\Microsoft Shared\Ink\LoginKey.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TabBtnWL] TabBtnWL.dll 2002-08-29 03:41 11776 C:\WINDOWS\system32\tabbtnwl.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpgwlnotify] tpgwlnot.dll 2004-08-04 13:00 30208 C:\WINDOWS\system32\tpgwlnot.dll [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] “Authentication Packages”= msv1_0 nwprovau R1 TMEI3E;TMEI3E;C:\WINDOWS\system32\Drivers\TMEI3E.SYS R3 TBtnKey;TOSHIBA Tablet PC Buttons Type N HID Driver;C:\WINDOWS\system32\DRIVERS\TBtnKey.sys R3 tosrfec;Bluetooth ACPI from TOSHIBA;C:\WINDOWS\system32\DRIVERS\tosrfec.sys R3 w70n51;Intel® PRO/Wireless 2100 Adapter Driver;C:\WINDOWS\system32\DRIVERS\w70n51.sys R3 WacomPen;Wacom Serial Pen HID Driver;C:\WINDOWS\system32\DRIVERS\wacompen.sys S3 DIBLOAD2;Digital TV firmware loader(Type 2);C:\WINDOWS\system32\DRIVERS\dgtvload2.sys S3 MODUSB;Digital TV DVB-T USB adapter driver;C:\WINDOWS\system32\Drivers\dgtvcap.sys [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{fa6ee9b0-d581-11db-8f0f-00080d7044d7}] AutoRun\command- D:\SETUP\Setup.exe . Contents of the ‘Scheduled Tasks’ folder “2007-09-11 11:03:03 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job” - C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE “2007-02-06 15:03:12 C:\WINDOWS\Tasks\Registration reminder 1.job” - C:\WINDOWS\system32\OOBE\oobebaln.exe “2007-02-06 15:03:14 C:\WINDOWS\Tasks\Registration reminder 2.job” “2007-02-06 15:03:16 C:\WINDOWS\Tasks\Registration reminder 3.job” - C:\WINDOWS\system32\OOBE\oobebaln.exe . ************************************************************************** catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-09-11 20:30:30 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2007-09-11 20:31:13 C:\ComboFix-quarantined-files.txt … 2007-09-11 20:31 C:\ComboFix2.txt … 2007-09-11 12:16 C:\ComboFix3.txt … 2007-09-10 23:49 . — E O F —

SDFix: Version 1.102 Run by User on 12/09/2007 at 11:32 Microsoft Windows XP [Version 5.1.2600] Running From: C:\DOCUME~1\User\Desktop\fixy\SDFix Safe Mode: Checking Services: Infected tcpip.sys Found! tcpip.sys File Locations: “C:\WINDOWS$NtUninstallKB884020$\tcpip.sys” 394112 08/09/2007 14:22 “C:\WINDOWS$NtUninstallKB917953$\tcpip.sys” 359040 13/08/2004 23:50 “C:\WINDOWS\system32\dllcache\tcpip.sys” 360576 20/04/2006 13:18 “C:\WINDOWS\system32\drivers\tcpip.sys” 360576 20/04/2006 13:18 Detected Patched Files Are Listed Below: C:\WINDOWS$NtUninstallKB884020$\tcpip.sys Note: SDFix Does Not Repair This File! If No Clean Copies Are Found Download The Below Update To Restore Original Files: http://www.microsoft.com/technet/securi … 6-032.mspx Restoring Windows Registry Values Restoring Windows Default Hosts File Rebooting… Normal Mode: Checking Files: No Trojan Files Found Removing Temp Files… ADS Check: C:\WINDOWS No streams found. C:\WINDOWS\system32 No streams found. C:\WINDOWS\system32\svchost.exe No streams found. C:\WINDOWS\system32\ntoskrnl.exe No streams found. Final Check: Remaining Services: ------------------ Authorized Application Key Export: [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list] “C:\Program Files\Skype\Phone\Skype.exe”="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype. Take a deep breath " [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list] Remaining Files: --------------- Files with Hidden Attributes: C:\WINDOWS\system32\ceabeca_r.dll C:\Documents and Settings\User\Application Data\Microsoft\Word~WRL0743.tmp C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Journal\Cache\NB18.tmp C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Journal\Cache\NB9.tmp C:\WINDOWS\system32\config\SAM.tmp.LOG C:\WINDOWS\system32\config\SECURITY.tmp.LOG Finished

Gutek · 12 Wrzesień 2007 20:54

Uruchom ze 2 skanery i zamieść wyniki - Skanery do wyboru