Jak usunąć win32 trojan-gen{other} i inny syf

kolanna · 15 Sierpień 2008 14:02

Nie chcę robić formata …chciałabym to usunąc jakims sposobem,czy może ktos wtajemniczony w ow problem moze mi pomoc??? ![-o<

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 15:54:26, on 2008-08-15

Platform: Windows Vista SP1 (WinNT 6.00.1905)

MSIE: Internet Explorer v7.00 (7.00.6001.18000)

Boot mode: Normal

Running processes:

C:\Windows\system32\Dwm.exe

c:\Program Files\Bioscrypt\VeriSoft\Bin\AsGHost.exe

C:\Windows\system32\taskeng.exe

C:\Windows\Explorer.EXE

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\HP\QuickPlay\QPService.exe

C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe

C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe

C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

C:\Program Files\Alwil Software\Avast4\ashDisp.exe

C:\Program Files\TrojanHunter 5.0\THGuard.exe

C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

C:\Program Files\Corel\Graphics9\Register\Remind32.exe

C:\WINDOWS\System32\rundll32.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe

C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe

C:\Windows\system32\conime.exe

C:\Program Files\Internet Explorer\iexplore.exe

c:\program files\winamp toolbar\WinampTbServer.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\Windows\system32\SearchFilterHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O1 - Hosts: ::1 localhost

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O2 - BHO: VeriSoft Access Manager - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - c:\Program Files\Bioscrypt\VeriSoft\Bin\ItIEAddIn.dll

O3 - Toolbar: Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll

O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll

O4 - HKLM…\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

O4 - HKLM…\Run: [sMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe

O4 - HKLM…\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM…\Run: [QPService] “C:\Program Files\HP\QuickPlay\QPService.exe”

O4 - HKLM…\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start

O4 - HKLM…\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe

O4 - HKLM…\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

O4 - HKLM…\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe

O4 - HKLM…\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

O4 - HKLM…\Run: [sunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe”

O4 - HKLM…\Run: [Adobe Photo Downloader] “C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe”

O4 - HKLM…\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM…\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart

O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup

O4 - HKLM…\Run: [Adobe Reader Speed Launcher] “C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe”

O4 - HKLM…\Run: [THGuard] “C:\Program Files\TrojanHunter 5.0\THGuard.exe”

O4 - HKUS\S-1-5-19…\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User ‘USŁUGA LOKALNA’)

O4 - HKUS\S-1-5-19…\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User ‘USŁUGA LOKALNA’)

O4 - HKUS\S-1-5-20…\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User ‘USŁUGA SIECIOWA’)

O4 - Startup: Rejestrowanie produktów Corela.lnk = C:\Program Files\Corel\Graphics9\Register\Remind32.exe

O4 - Global Startup: BTTray.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: Przypomnij o aukcji - file://C:\Users\Andzia\AppData\Roaming\Aukcjoner.net\reminder.htm

O8 - Extra context menu item: Upoluj aukcję snajperem - file://C:\Users\Andzia\AppData\Roaming\Aukcjoner.net\sniper.htm

O8 - Extra context menu item: Winamp Toolbar Search - C:\ProgramData\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html

O8 - Extra context menu item: Sprawdź/oceń sprzedającego - file://C:\Users\Andzia\AppData\Roaming\Aukcjoner.net\feedback.htm

O8 - Extra context menu item: Wyślij obraz do urządzenia Bluetooth… - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

O8 - Extra context menu item: Wyślij stronę do urządzenia Bluetooth… - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra ‘Tools’ menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O13 - Gopher Prefix:

O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://downloadcenter.samsung.com/conte … ite_EN.cab

O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDow … eqlab3.cab

O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s … wflash.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe

O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe

O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe

O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

–

End of file - 9766 bytes

Leon1 · 15 Sierpień 2008 14:09

wpisy

usuń HijackThisem >> Fix checked

Pobierz HijackThis http://forum.dobreprogramy.pl/viewtopic.php?f=16&t=36654 ale nie włączaj

Otwórz notatnik i wklej

zapisz jako CFScript.txt (zapisz by ikonka CFScript.txt była obok ikonki ComboFix.exe) >> Przeciągnij i upuść ikonkę CFScript.txt na ikonkę ComboFix.exe

http://img.wklej.org/images/88953CFScri … iemoes.gif

Powinno rozpocząć się usuwanie

Potem log z usuwania Combofix

kolanna · 15 Sierpień 2008 15:27

Nie wiem czy dobrze zrobiłam …ale wyszło coś takiego #-o

ComboFix 08-08-14.03 - Andzia 2008-08-15 17:18:35.3 - NTFSx86

Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1250.1.1045.18.1260 [GMT 2:00]

Running from: C:\Users\Andzia\Desktop\ComboFix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

---- Previous Run -------

.

C:\Users\Andzia\AppData\Roaming\Microsoft\Windows\Cookies\andzia@nuggad[2].txt

C:\Users\Andzia\AppData\Roaming\Microsoft\Windows\Cookies\andzia@tradedoubler[2].txt

C:\Windows\g32.txt

C:\Windows\system32\actskn43.ocx

.

((((((((((((((((((((((((( Files Created from 2008-07-15 to 2008-08-15 )))))))))))))))))))))))))))))))

.

2008-08-15 15:54 . 2008-08-15 15:54

2008-08-15 14:09 . 2008-08-15 14:09

2008-08-15 13:34 . 2008-08-15 13:34

2008-08-15 13:18 . 2008-08-15 13:18

2008-08-15 13:15 . 2008-08-15 13:15

2008-08-15 11:51 . 2008-08-14 01:54

2008-08-15 10:07 . 2008-08-15 10:07

2008-08-13 23:41 . 2008-08-13 23:41 0 --a------ C:\Users\Andzia\AppData\Roaming\wklnhst.dat

2008-08-04 20:37 . 2008-08-04 20:37

2008-08-04 20:37 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\System32\drivers\mbamswissarmy.sys

2008-08-04 20:37 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\System32\drivers\mbam.sys

2008-08-04 19:59 . 2008-08-04 19:59

2008-08-04 19:42 . 2008-08-04 20:49

2008-08-04 19:42 . 2008-08-04 20:55

2008-08-04 19:17 . 2008-08-15 13:14

2008-07-31 18:27 . 2008-07-31 18:27

2008-07-31 18:13 . 2008-07-31 18:38 10 --a------ C:\s2windir.tmp

2008-07-30 22:44 . 2008-08-04 20:46

2008-07-29 23:29 . 2008-07-30 15:15

2008-07-29 23:29 . 2000-03-15 14:33 151,824 --a------ C:\WINDOWS\System32\temp.000

2008-07-28 09:21 . 2008-07-28 09:21

2008-07-28 09:20 . 2008-07-28 09:20

2008-07-28 09:07 . 2008-07-28 22:25

2008-07-26 21:40 . 2008-07-26 21:40

2008-07-20 12:28 . 2008-07-20 12:28

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-08-15 14:49 79,478 ----a-w C:\Users\Andzia\AppData\Roaming\nvModes.dat

2008-08-15 11:51 --------- d-----w C:\Users\Andzia\AppData\Roaming\Skype

2008-08-15 11:39 --------- d-----w C:\Program Files\PrivacyIns

2008-08-15 07:49 --------- d-----w C:\Users\Andzia\AppData\Roaming\skypePM

2008-07-28 07:20 --------- d-----w C:\Program Files\Common Files\Adobe

2008-07-19 14:36 51,280 ----a-w C:\Windows\system32\drivers\aswMonFlt.sys

2008-07-10 01:06 --------- d-----w C:\Program Files\Windows Mail

2008-07-05 12:42 --------- d-----w C:\Users\Andzia\AppData\Roaming\Roxio

2008-06-26 03:29 801,280 ----a-w C:\Windows\System32\NaturalLanguage6.dll

2008-06-26 01:45 2,644,480 ----a-w C:\Windows\System32\NlsLexicons0009.dll

2008-06-26 01:45 12,240,896 ----a-w C:\Windows\System32\NlsLexicons0007.dll

2008-06-25 19:03 --------- d-----w C:\Users\Andzia\AppData\Roaming\Corel

2008-06-21 17:43 --------- d-----w C:\Program Files\Odkurzacz

2008-06-21 14:09 --------- d-----w C:\Users\Andzia\AppData\Roaming\Media Player Classic

2008-06-21 14:09 --------- d-----w C:\Program Files\Real Alternative

2008-06-19 12:58 --------- d–h--w C:\Program Files\InstallShield Installation Information

2008-06-18 22:36 --------- d-----w C:\Users\Andzia\AppData\Roaming\TomTom

2008-06-18 22:36 --------- d-----w C:\Program Files\TomTom HOME 2

2008-06-18 22:33 --------- d-----w C:\Program Files\TomTom HOME

2008-06-18 22:00 --------- d-----w C:\ProgramData\TomTom

2008-06-18 21:50 0 —ha-w C:\Windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf

2008-06-17 22:00 --------- d-----w C:\Program Files\MSN Messenger

2008-06-17 21:56 174 --sha-w C:\Program Files\desktop.ini

2008-06-17 21:48 --------- d-----w C:\Program Files\Windows Sidebar

2008-06-17 21:48 --------- d-----w C:\Program Files\Windows Photo Gallery

2008-06-17 21:48 --------- d-----w C:\Program Files\Windows Journal

2008-06-17 21:48 --------- d-----w C:\Program Files\Windows Defender

2008-06-17 21:48 --------- d-----w C:\Program Files\Windows Collaboration

2008-06-17 21:48 --------- d-----w C:\Program Files\Windows Calendar

2008-06-17 21:29 82,432 ----a-w C:\Windows\System32\axaltocm.dll

2008-06-17 21:29 101,888 ----a-w C:\Windows\System32\ifxcardm.dll

2008-06-07 10:29 446,464 ----a-w C:\Windows\System32\nvuninst.exe

2008-05-27 05:21 1,582,592 ----a-w C:\Windows\System32\tquery.dll

2008-05-27 05:21 1,418,240 ----a-w C:\Windows\System32\mssrch.dll

2008-05-27 05:17 87,552 ----a-w C:\Windows\System32\SearchFilterHost.exe

2008-05-27 05:17 87,552 ----a-w C:\Windows\System32\mssitlb.dll

2008-05-27 05:17 754,176 ----a-w C:\Windows\System32\propsys.dll

2008-05-27 05:17 60,416 ----a-w C:\Windows\System32\msscntrs.dll

2008-05-27 05:17 6,103,040 ----a-w C:\Windows\System32\chtbrkr.dll

2008-05-27 05:17 34,816 ----a-w C:\Windows\System32\msscb.dll

2008-05-27 05:17 32,768 ----a-w C:\Windows\System32\mssprxy.dll

2008-05-27 05:17 313,344 ----a-w C:\Windows\System32\thawbrkr.dll

2008-05-27 05:17 301,568 ----a-w C:\Windows\System32\srchadmin.dll

2008-05-27 05:17 194,560 ----a-w C:\Windows\System32\offfilt.dll

2008-05-27 05:17 143,872 ----a-w C:\Windows\System32\korwbrkr.dll

2008-05-27 05:17 11,776 ----a-w C:\Windows\System32\msshooks.dll

2008-05-27 05:17 1,671,680 ----a-w C:\Windows\System32\chsbrkr.dll

2008-05-27 04:59 18,904 ----a-w C:\Windows\System32\StructuredQuerySchemaTrivial.bin

2008-05-27 04:59 106,605 ----a-w C:\Windows\System32\StructuredQuerySchema.bin

2007-12-31 14:15 32 ----a-w C:\Users\All Users\ezsid.dat

2007-12-31 14:15 32 ----a-w C:\ProgramData\ezsid.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

“{3041D03E-FD4B-44E0-B742-2D9B88305F98}”= “C:\Program Files\AskBarDis\bar\bin\askBar.dll” [2008-07-07 15:13 279944]

[HKEY_CLASSES_ROOT\clsid{3041d03e-fd4b-44e0-b742-2d9b88305f98}]

[HKEY_CLASSES_ROOT\TypeLib{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“SMSERIAL”=“C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe” [2007-01-16 23:34 634880]

“SynTPEnh”=“C:\Program Files\Synaptics\SynTP\SynTPEnh.exe” [2007-01-13 05:36 827392]

“QPService”=“C:\Program Files\HP\QuickPlay\QPService.exe” [2007-04-23 18:11 176128]

“HP Health Check Scheduler”=“C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe” [2007-03-12 11:54 50696]

“HP Software Update”=“C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe” [2005-02-16 23:11 49152]

“SunJavaUpdateSched”=“C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe” [2008-02-22 05:25 144784]

“Adobe Photo Downloader”=“C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe” [2007-03-09 12:09 63712]

“avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [2008-07-19 16:38 78008]

“NvSvc”=“C:\Windows\system32\nvsvc.dll” [2007-05-01 12:27 86016]

“NvCplDaemon”=“C:\Windows\system32\NvCpl.dll” [2007-05-01 12:27 8429568]

“Adobe Reader Speed Launcher”=“C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe” [2008-06-12 02:38 34672]

“THGuard”=“C:\Program Files\TrojanHunter 5.0\THGuard.exe” [2008-08-12 12:28 1056928]

C:\Users\Andzia\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Rejestrowanie produkt˘w Corela.lnk - C:\Program Files\Corel\Graphics9\Register\Remind32.exe [2007-12-31 19:14:05 67584]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\

BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-12-20 13:27:40 719664]

Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-03-22 03:00:00 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

“EnableLUA”= 0 (0x0)

“EnableUIADesktopToggle”= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

“AppInit_DLLs”=APSHook.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

“MSACM.l3codec”= l3codecp.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

“UacDisableNotify”=dword:00000001

“InternetSettingsDisableNotify”=dword:00000001

“AutoUpdateDisableNotify”=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

“DisableMonitoring”=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

“DisableMonitoring”=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

“DisableMonitoring”=dword:00000001

[HKLM~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]

“{DC6B58C1-F27F-46B6-BC49-7F3725435A97}”= C:\Program Files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)

“{A7EE9358-BE7C-43D9-B98E-AFFD8596C1B8}”= C:\Program Files\HP\QuickPlay\QP.exe:Quick Play

“{0C2F0C4D-11B0-449B-B2CE-F9DE879042EA}”= C:\Program Files\HP\QuickPlay\QPService.exe:Quick Play Resident Program

“TCP Query User{A4E3460D-EDBA-4461-8954-8596F29DA569}C:\program files\gadu-gadu\gg.exe”= UDP:C:\program files\gadu-gadu\gg.exe:Gadu-Gadu - program główny

“UDP Query User{5FE68F57-EBBE-426B-B29F-9E85E91375DB}C:\program files\gadu-gadu\gg.exe”= TCP:C:\program files\gadu-gadu\gg.exe:Gadu-Gadu - program główny

“{DA91E17A-367A-42EA-A21B-AE8F5B482CA1}”= UDP:C:\Program Files\Winamp Remote\bin\Orb.exe:Orb

“{B9796EBD-E131-4BF1-B736-5FF2FFAE00AA}”= TCP:C:\Program Files\Winamp Remote\bin\Orb.exe:Orb

“{B16CFCB3-89ED-4191-BB3F-8E37899809FB}”= UDP:C:\Program Files\Winamp Remote\bin\OrbTray.exe:OrbTray

“{A414476C-4ACE-4668-A62C-4F7381E52F93}”= TCP:C:\Program Files\Winamp Remote\bin\OrbTray.exe:OrbTray

“{32C18C9E-2317-4647-942F-CF4113252FBF}”= UDP:C:\Program Files\Winamp Remote\bin\OrbIR.exe:OrbIR

“{94DB8010-B0FA-48B0-B620-A87BF8D1E1CD}”= TCP:C:\Program Files\Winamp Remote\bin\OrbIR.exe:OrbIR

“{EDE676BA-46DA-43B9-A546-7D6E5E73D382}”= UDP:C:\Program Files\Winamp Remote\bin\OrbStreamerClient.exe:Orb Stream Client

“{C55ADEFD-B930-4CCA-8779-F28142700AB1}”= TCP:C:\Program Files\Winamp Remote\bin\OrbStreamerClient.exe:Orb Stream Client

“{74370C0B-8911-4990-89B9-B884CE98A6F8}”= Disabled:UDP:C:\Program Files\Skype\Phone\Skype.exe:Skype

“{CC86A6BD-7D3E-4806-B45A-C77E1217241F}”= TCP:C:\Program Files\Skype\Phone\Skype.exe:Skype

“{EED99883-19AE-4483-BE12-5DB72A74D5F8}”= C:\Program Files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)

R1 aswSP;avast! Self Protection;C:\Windows\system32\drivers\aswSP.sys [2008-07-19 16:35]

R2 ASBroker;Logon Session Broker;C:\Windows\System32\svchost.exe [2008-01-19 09:33]

R2 ASChannel;Local Communication Channel;C:\Windows\System32\svchost.exe [2008-01-19 09:33]

R2 aswFsBlk;aswFsBlk;C:\Windows\system32\DRIVERS\aswFsBlk.sys [2008-07-19 16:37]

R2 aswMonFlt;aswMonFlt;C:\Windows\system32\DRIVERS\aswMonFlt.sys [2008-07-19 16:36]

R3 btwaudio;Urządzenie dźwiękowe Bluetooth;C:\Windows\system32\drivers\btwaudio.sys [2007-01-02 12:45]

R3 btwavdt;Bluetooth AVDT;C:\Windows\system32\drivers\btwavdt.sys [2007-01-02 12:45]

R3 btwrchid;btwrchid;C:\Windows\system32\DRIVERS\btwrchid.sys [2007-01-02 12:45]

S2 USBHSB;GeneLink File Transfer Driver;C:\Windows\system32\Drivers\usbhsb.sys [2001-12-17 18:42]

S3 athrusb;Atheros Wireless LAN USB device driver;C:\Windows\system32\DRIVERS\athrusb.sys [2006-12-22 21:05]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

bthsvcs REG_MULTI_SZ BthServ

Cognizance REG_MULTI_SZ ASBroker ASChannel

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{37480347-00bc-11dd-ab03-001e375c6e0d}]

\shell\AutoRun\command - F:\InstallTomTomHOME.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{986b3071-36fd-11dd-bbca-001e375c6e0d}]

\shell\AutoRun\command - G:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{b78e9093-e1e0-11dc-9120-001e375c6e0d}]

\shell\AutoRun\command - G:\USBNB.exe

.

Contents of the ‘Scheduled Tasks’ folder

2008-08-01 C:\Windows\Tasks\HPCeeScheduleForAndzia.job

C:\Program Files\Hewlett-Packard\SDP\Ceement\HPCEE.exe [2007-03-23 14:23]

2008-08-15 C:\Windows\Tasks\User_Feed_Synchronization-{B7695DE8-E645-418A-ABC7-14FB60798B80}.job

C:\Windows\system32\msfeedssync.exe [2008-01-19 09:33]

.

------- Supplementary Scan -------

.

FireFox -: Profile - C:\Users\Andzia\AppData\Roaming\Mozilla\Firefox\Profiles\6hhp6n0e.default\

FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-08-15 17:21:30

Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2008-08-15 17:23:16

ComboFix-quarantined-files.txt 2008-08-15 15:23:03

Pre-Run: 101,730,136,064 bajtów wolnych

Post-Run: 101,693,767,680 bajtów wolnych

212 — E O F — 2008-08-06 07:36:10

kolanna · 15 Sierpień 2008 20:33

Myślałam ,ze już go nie ma a Avast znowu go pokazał win32 trojan-gen{other} pomocy

Leon1 · 15 Sierpień 2008 20:45

Otwórz notatnik i wklej

zapisz jako CFScript.txt (zapisz by ikonka CFScript.txt była obok ikonki ComboFix.exe) >> Przeciągnij i upuść ikonkę CFScript.txt na ikonkę ComboFix.exe

http://img.wklej.org/images/88953CFScri … iemoes.gif

Powinno rozpocząć się usuwanie

Potem log z usuwania Combofix

Pobierz System Repair Engineer

http://www.cybertrash.pl/images/tata/System%20Repair/System%20Repair%20Engineer.html

przeskanuj daj log

kolanna · 15 Sierpień 2008 21:40

o Jezuuuuu…mam nadzieję ,ze to to

http://up.wklej.org/download.php?id=696 … 71476ec255

Leon1 · 15 Sierpień 2008 21:45

do kompletu daj

kolanna · 15 Sierpień 2008 21:46

o tak chyba bedzie lepiej

http://wklej.org/id/218f176871

kolanna · 15 Sierpień 2008 21:51

ComboFix 08-08-14.03 - Andzia 2008-08-15 23:01:32.4 - NTFSx86

Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1250.1.1045.18.1169 [GMT 2:00]

Running from: C:\Users\Andzia\Desktop\ComboFix.exe

Command switches used :: C:\Users\Andzia\Desktop\CFScript.txt

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Users\Andzia\AppData\Roaming\Microsoft\Windows\Cookies\andzia@tradedoubler[1].txt

.

((((((((((((((((((((((((( Files Created from 2008-07-15 to 2008-08-15 )))))))))))))))))))))))))))))))

.

No new files created in this timespan

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-08-15 19:11 79,478 ----a-w C:\Users\Andzia\AppData\Roaming\nvModes.dat

2008-08-15 18:23 --------- d-----w C:\Program Files\Windows Mail

2008-08-15 18:22 --------- d-----w C:\Program Files\Microsoft Works

2008-08-15 18:14 --------- d-----w C:\Program Files\TrojanHunter 5.0

2008-08-15 17:14 --------- d-----w C:\Program Files\PrivacyIns

2008-08-15 13:54 --------- d-----w C:\Program Files\Trend Micro

2008-08-15 11:51 --------- d-----w C:\Users\Andzia\AppData\Roaming\Skype

2008-08-15 11:18 --------- d-----w C:\Users\Andzia\AppData\Roaming\GlarySoft

2008-08-15 11:14 --------- d—a-w C:\ProgramData\TEMP

2008-08-15 07:49 --------- d-----w C:\Users\Andzia\AppData\Roaming\skypePM

2008-08-13 21:41 0 ----a-w C:\Users\Andzia\AppData\Roaming\wklnhst.dat

2008-08-04 18:55 --------- d-----w C:\Program Files\Unlocker

2008-08-04 18:49 --------- d-----w C:\Users\Andzia\AppData\Roaming\Desktopicon

2008-08-04 18:46 --------- d-----w C:\Program Files\Applications

2008-08-04 18:37 --------- d-----w C:\Users\Andzia\AppData\Roaming\Malwarebytes

2008-08-04 18:37 --------- d-----w C:\ProgramData\Malwarebytes

2008-08-04 17:59 --------- d-----w C:\Users\Andzia\AppData\Roaming\Lavasoft

2008-08-04 17:59 --------- d-----w C:\Program Files\Lavasoft

2008-07-28 20:25 --------- d-----w C:\ProgramData\NOS

2008-07-28 20:25 --------- d-----w C:\Program Files\NOS

2008-07-28 07:21 --------- d-----w C:\Program Files\SystemRequirementsLab

2008-07-28 07:20 --------- d-----w C:\Program Files\Common Files\Adobe AIR

2008-07-28 07:20 --------- d-----w C:\Program Files\Common Files\Adobe

2008-07-20 10:28 --------- d-----w C:\ProgramData\WindowsSearch

2008-07-19 14:36 51,280 ----a-w C:\Windows\system32\drivers\aswMonFlt.sys

2008-07-16 01:32 2,048 ----a-w C:\Windows\System32\tzres.dll

2008-07-05 12:42 --------- d-----w C:\Users\Andzia\AppData\Roaming\Roxio

2008-06-27 04:15 827,392 ----a-w C:\Windows\System32\wininet.dll

2008-06-26 03:29 801,280 ----a-w C:\Windows\System32\NaturalLanguage6.dll

2008-06-26 01:45 2,644,480 ----a-w C:\Windows\System32\NlsLexicons0009.dll

2008-06-26 01:45 12,240,896 ----a-w C:\Windows\System32\NlsLexicons0007.dll

2008-06-25 19:03 --------- d-----w C:\Users\Andzia\AppData\Roaming\Corel

2008-06-21 17:43 --------- d-----w C:\Program Files\Odkurzacz

2008-06-21 14:09 --------- d-----w C:\Users\Andzia\AppData\Roaming\Media Player Classic

2008-06-19 12:58 --------- d–h--w C:\Program Files\InstallShield Installation Information

2008-06-19 03:31 361,984 ----a-w C:\Windows\System32\IPSECSVC.DLL