As the title says. Posting the logs:
Logfile of HijackThis v1.99.1
Scan saved at 11:10:15, on 2007-04-08
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\cFosSpeed\spd.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\AutoConnect\AutoConnect.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe
C:\Documents and Settings\Michał\Pulpit\Counter-Strike v1.6\Counter-Strike v1.6\hl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Michał\Pulpit\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 217.98.20.195:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: (no name) - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: (no name) - {182B90A3-F372-438A-800C-6814B4DE417B} - C:\WINDOWS\system32\efcbbaa.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {A2A37C39-09A2-4428-9C56-4674972FAB06} - C:\WINDOWS\system32\mllmn.dll
O2 - BHO: WebManager Class - {D5792AA9-D373-4039-8670-2CDAB6A71F15} - C:\Program Files\TorrentQ\TorrentManager.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=0
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [multiliteamokbleh] C:\Documents and Settings\All Users\Dane aplikacji\Dent Idol Multi Lite\bleh base.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [Steam] "d:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [poke16] C:\DOCUME~1\MICHA~1\DANEAP~1\BLEHTO~1\burnplatform.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredi … xmk789YYPL
O8 - Extra context menu item: &Ściągnij przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &Ściągnij wszystko przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll ,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocach … 0.15-3.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D424F101-C007-46E3-81E2-E71D090111E6}: NameServer = 194.204.159.1 217.98.63.164
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: efcbbaa - C:\WINDOWS\SYSTEM32\efcbbaa.dll
O20 - Winlogon Notify: mllmn - C:\WINDOWS\system32\mllmn.dll
O20 - Winlogon Notify: ssqrpop - C:\WINDOWS\SYSTEM32\ssqrpop.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: cFosSpeed System Service (cFosSpeedS) - Unknown owner - C:\Program Files\cFosSpeed\spd.exe" -service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"MSMSGS" = ""C:\Program Files\Messenger\MSMSGS.EXE" /background" [MS]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu S.A."]
"BitTorrent" = ""C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized" [null data]
"Steam" = ""d:\program files\steam\steam.exe" -silent" ["Valve Corporation"]
"MyWebSearch Email Plugin" = "C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe" ["MyWebSearch.com"]
"poke16" = "C:\DOCUME~1\MICHA~1\DANEAP~1\BLEHTO~1\burnplatform.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]
"NVIDIA nTune" = ""C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear" ["NVIDIA"]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"My Web Search Bar Search Scope Monitor" = ""C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=0" ["MyWebSearch.com"]
"MyWebSearch Email Plugin" = "C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe" ["MyWebSearch.com"]
"multiliteamokbleh" = "C:\Documents and Settings\All Users\Dane aplikacji\Dent Idol Multi Lite\bleh base.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{00A6FAF1-072E-44cf-8957-5838F569A31D}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "MyWebSearch Search Assistant BHO"
     \InProcServer32\(Default) = "C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL" ["MyWebSearch.com"]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Yahoo! Toolbar Helper"
     \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
     \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{07B18EA1-A523-4961-B6BB-170DE4475CCA}\(Default) = "mwsBar BHO"
  -> {HKLM...CLSID} = "mwsBar BHO"
     \InProcServer32\(Default) = "C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL" ["MyWebSearch.com"]
{182B90A3-F372-438A-800C-6814B4DE417B}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\WINDOWS\system32\efcbbaa.dll" [null data]
{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}\(Default) = "flashget urlcatch"
  -> {HKLM...CLSID} = "Flashget Catch Url Class"
     \InProcServer32\(Default) = "C:\Program Files\FlashGet\jccatch.dll" ["www.flashget.com"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "SSVHelper Class"
     \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll" ["Sun Microsystems, Inc."]
{A2A37C39-09A2-4428-9C56-4674972FAB06}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\WINDOWS\system32\mllmn.dll" [null data]
{D5792AA9-D373-4039-8670-2CDAB6A71F15}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "WebManager Class"
     \InProcServer32\(Default) = "C:\Program Files\TorrentQ\TorrentManager.dll" ["WakeNet"]
{F156768E-81EF-470C-9057-481BA8380DBA}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "FlashGet GetFlash Class"
     \InProcServer32\(Default) = "C:\Program Files\FlashGet\getflash.dll" ["www.flashget.com"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
     \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
  -> {HKLM...CLSID} = "avast"
     \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
  -> {HKLM...CLSID} = "Microsoft Office Outlook"
     \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"
     \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"
  -> {HKLM...CLSID} = "NeroDigitalIconHandler Class"
     \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"
  -> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"
     \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"
  -> {HKLM...CLSID} = "AlcoholShellEx"
     \InProcServer32\(Default) = "C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AxShlex.dll" ["Alcohol Soft Development Team"]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
  -> {HKLM...CLSID} = "DesktopContext Class"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
  -> {HKLM...CLSID} = "NVIDIA CPL Extension"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
  -> {HKLM...CLSID} = "Desktop Explorer"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
  -> {HKLM...CLSID} = "nView Desktop Context Menu"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{A5110426-177D-4e08-AB3F-785F10B4439C}" = "Sony Ericsson File Manager"
  -> {HKLM...CLSID} = "Sony Ericsson File Manager"
     \InProcServer32\(Default) = "C:\Program Files\Sony Ericsson\Mobile\File Manager\fmgrgui.dll" ["Sony Ericsson Mobile Communications AB"]
"{97F68CE3-7146-45FF-BE24-D9A7DD7CB8A2}" = "NeroCoverEd Live Icons"
  -> {HKLM...CLSID} = "NeroCoverEdLiveIcons Class"
     \InProcServer32\(Default) = "C:\Program Files\Nero\Nero 7\Nero CoverDesigner\CoverEdExtension.dll" ["Nero AG"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{182B90A3-F372-438A-800C-6814B4DE417B}" = "*g" (unwritable string)
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\WINDOWS\system32\efcbbaa.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
  -> {HKLM...CLSID} = "WPDShServiceObj Class"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> efcbbaa\DLLName = "efcbbaa.dll" [null data]
<<!>> mllmn\DLLName = "C:\WINDOWS\system32\mllmn.dll" [null data]
<<!>> ssqrpop\DLLName = "ssqrpop.dll" [null data]

HKLM\Software\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"
  -> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"
     \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
  -> {HKLM...CLSID} = "PDF Shell Extension"
     \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
  -> {HKLM...CLSID} = "avast"
     \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
Cover Designer\(Default) = "{73FCA462-9BD5-4065-A73F-A8E5F6904EF7}"
  -> {HKLM...CLSID} = "NeroCoverEdContextMenu Class"
     \InProcServer32\(Default) = "C:\Program Files\Nero\Nero 7\Nero CoverDesigner\CoverEdExtension.dll" ["Nero AG"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
  -> {HKLM...CLSID} = "avast"
     \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Devices: Allow undock without having to log on}

Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\Downloads\AL-16-big.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Downloads\AL-16-big.bmp"

Enabled Scheduled Tasks:
------------------------

"AA0A795C9341EE14" -> launches: "c:\docume~1\micha~1\daneap~1\blehto~1\IntraLinkBait.exe" [null data]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 21
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{07B18EA9-A523-4961-B6BB-170DE4475CCA}"
  -> {HKLM...CLSID} = "My Web Search"
     \InProcServer32\(Default) = "C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL" ["MyWebSearch.com"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
  -> {HKLM...CLSID} = "Yahoo! Toolbar"
     \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
"{07B18EA9-A523-4961-B6BB-170DE4475CCA}" = (no title provided)
  -> {HKLM...CLSID} = "My Web Search"
     \InProcServer32\(Default) = "C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL" ["MyWebSearch.com"]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

HKLM\Software\Classes\CLSID\{1E0DE227-5CE4-4EA3-AB0C-8B03E1AA76BC}\(Default) = "My Web Search Quick View"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Badanie"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC}"
  -> {HKCU...CLSID} = "Java Plug-in 1.5.0_11"
     \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll" ["Sun Microsystems, Inc."]
  -> {HKLM...CLSID} = "Java Plug-in 1.5.0_11"
     \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll" ["Sun Microsystems, Inc."]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Badanie"

{D6E814A0-E0C5-11D4-8D29-0050BA6940E3}\
"ButtonText" = "FlashGet"
"MenuText" = "FlashGet"
"Exec" = "C:\PROGRA~1\FlashGet\flashget.exe" ["FlashGet.com"]

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll ,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\MSMSGS.EXE" [MS]

Miscellaneous IE Hijack Points
------------------------------

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
<<H>> "{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
  -> {HKLM...CLSID} = "Yahoo! Toolbar"
     \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
<<H>> "{00A6FAF6-072E-44cf-8957-5838F569A31D}" = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL" ["MyWebSearch.com"]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" [null data]
avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" [null data]
avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]
avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]
cFosSpeed System Service, cFosSpeedS, ""C:\Program Files\cFosSpeed\spd.exe" -service" ["cFos Software GmbH"]
Creative Service for CDROM Access, Creative Service for CDROM Access, "C:\WINDOWS\system32\CTsvcCDA.exe" ["Creative Technology Ltd"]
LexBce Server, LexBceS, "C:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc."]
NMIndexingService, NMIndexingService, ""C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe"" ["Nero AG"]
nTune Service, nTuneService, "C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe /StartService" ["NVIDIA"]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
StarWind iSCSI Service, StarWindService, "C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe" ["Rocket Division Software"]

Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Lexmark Network Port\Driver = "LEXLMPM.DLL" ["Lexmark International, Inc."]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]

----------
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
  took 513 seconds.
---------- (total run time: 598 seconds)
adam9870
8 April 2007 11:11
#2
Use Windows Worms Doors Cleaner and switch the markers from disable to enable (all markers should be green; if any of them is yellow, leave it). A restart is required after using the tool.
In Add/Remove Programs, uninstall MyWebSearch.
Download Gmer.
You will now be doing the steps in Gmer, so run it, wait a moment, and click the >>> tab to open the remaining ones.
Remove the HJT entries if they are there.
Use VundoFix + FixVundo + VirtumundoBeGone. All of these tools must be run in Safe Mode.
When done, paste a fresh log from HJT, Silent Runners, plus ComboFix. To make a log with it, run it => press the Y key => wait patiently, and the log should appear as a .txt file named combofix on the C partition.
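A small triage script for the kind of HijackThis entries discussed in this thread, added here as an example (it is not part of the thread, nor code from HijackThis or the tools named above). It assumes the one-entry-per-line HJT format, a constructed sample built from lines of the first log, and a hypothetical allowlist for Winlogon Notify packages; it flags the launch points the reply targets and checks a follow-up log to confirm they are gone.

```python
"""Triage helper for HijackThis 1.99-style logs.

Added example, not part of this thread or of HijackThis. It parses the
one-entry-per-line log format used above and flags the launch points the
reply targets: MyWebSearch adware, unnamed BHOs / URLSearchHooks,
Winlogon Notify DLLs that are not on an allowlist, autoruns from the
user profile, and a proxy hard-coded into Internet Explorer.
"""
import re

# Constructed sample: entries copied from the first log in the thread
# plus a few benign ones, so that the heuristics have something to skip.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 217.98.20.195:8080
R3 - URLSearchHook: (no name) - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: (no name) - {182B90A3-F372-438A-800C-6814B4DE417B} - C:\WINDOWS\system32\efcbbaa.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [multiliteamokbleh] C:\Documents and Settings\All Users\Dane aplikacji\Dent Idol Multi Lite\bleh base.exe
O4 - HKCU\..\Run: [poke16] C:\DOCUME~1\MICHA~1\DANEAP~1\BLEHTO~1\burnplatform.exe
O20 - Winlogon Notify: efcbbaa - C:\WINDOWS\SYSTEM32\efcbbaa.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# Constructed "after cleanup" sample: only the benign entries remain.
SAMPLE_LOG_AFTER = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# Every HJT entry starts with its section code (R0, R1, O2, O4, ...).
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<name>[^ ]+) - ", re.IGNORECASE)

# Assumption (hypothetical allowlist): Winlogon Notify packages treated as
# expected. WgaLogon is the Windows Genuine Advantage notifier in the log.
WINLOGON_NOTIFY_ALLOW = {"wgalogon"}

# Autorun locations that a legitimate machine-wide program rarely uses.
PROFILE_MARKERS = ("documents and settings", "docume~1")


def parse(log_text):
    """Return (section, body) tuples for every R*/O* entry in the log."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def triage(entries):
    """Return (section, reason, body) for each entry worth a second look."""
    findings = []
    for sec, body in entries:
        low = body.lower()
        reason = None
        if sec == "R1" and "proxyserver" in low:
            reason = "IE proxy set; confirm the user configured it"
        elif "mywebsearch" in low or "mywebs~1" in low:
            reason = "MyWebSearch adware component"
        elif sec in ("R3", "O2", "O3") and "(no name)" in low:
            reason = "unnamed browser hook or BHO"
        elif sec == "O4" and any(tag in low for tag in PROFILE_MARKERS):
            reason = "autorun from a user-writable profile directory"
        elif sec == "O20":
            m = NOTIFY_RE.match(body)
            if m and m.group("name").lower() not in WINLOGON_NOTIFY_ALLOW:
                reason = "Winlogon Notify DLL not on the allowlist"
        if reason:
            findings.append((sec, reason, body))
    return findings


def still_present(findings, after_entries):
    """Findings whose exact entry still appears in a follow-up log."""
    after = {body for _, body in after_entries}
    return [f for f in findings if f[2] in after]


if __name__ == "__main__":
    before = triage(parse(SAMPLE_LOG))
    for sec, reason, body in before:
        print(f"{sec}: {reason}\n    {body}")
    leftovers = still_present(before, parse(SAMPLE_LOG_AFTER))
    print(f"{len(before)} flagged, {len(leftovers)} still present after cleanup")
```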
Thanks Adam9870. Here are the logs:
HijackThis:
Logfile of HijackThis v1.99.1
Scan saved at 14:15:47, on 2007-04-08
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\cFosSpeed\spd.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\WScript.exe
C:\Program Files\AutoConnect\AutoConnect.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Michał\Pulpit\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: WebManager Class - {D5792AA9-D373-4039-8670-2CDAB6A71F15} - C:\Program Files\TorrentQ\TorrentManager.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [Steam] "d:\program files\steam\steam.exe" -silent
O8 - Extra context menu item: &Ściągnij przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &Ściągnij wszystko przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll ,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D424F101-C007-46E3-81E2-E71D090111E6}: NameServer = 194.204.159.1 217.98.63.164
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: cFosSpeed System Service (cFosSpeedS) - Unknown owner - C:\Program Files\cFosSpeed\spd.exe" -service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
Silent Runners
"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"MSMSGS" = ""C:\Program Files\Messenger\MSMSGS.EXE" /background" [MS]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu S.A."]
"BitTorrent" = ""C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized" [null data]
"Steam" = ""d:\program files\steam\steam.exe" -silent" ["Valve Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]
"NVIDIA nTune" = ""C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear" ["NVIDIA"]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{02478D38-C3F9-4EFB-9B51-7695ECA05670}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Yahoo! Toolbar Helper"
                   \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}\(Default) = "flashget urlcatch"
  -> {HKLM...CLSID} = "Flashget Catch Url Class"
                   \InProcServer32\(Default) = "C:\Program Files\FlashGet\jccatch.dll" ["www.flashget.com "]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "SSVHelper Class"
                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll" ["Sun Microsystems, Inc."]
{D5792AA9-D373-4039-8670-2CDAB6A71F15}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "WebManager Class"
                   \InProcServer32\(Default) = "C:\Program Files\TorrentQ\TorrentManager.dll" ["WakeNet"]
{F156768E-81EF-470C-9057-481BA8380DBA}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "FlashGet GetFlash Class"
                   \InProcServer32\(Default) = "C:\Program Files\FlashGet\getflash.dll" ["www.flashget.com "]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
                   \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
  -> {HKLM...CLSID} = "avast"
                   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
  -> {HKLM...CLSID} = "Microsoft Office Outlook"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"
  -> {HKLM...CLSID} = "NeroDigitalIconHandler Class"
                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"
  -> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"
                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"
  -> {HKLM...CLSID} = "AlcoholShellEx"
                   \InProcServer32\(Default) = "C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AxShlex.dll" ["Alcohol Soft Development Team"]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
  -> {HKLM...CLSID} = "DesktopContext Class"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
  -> {HKLM...CLSID} = "NVIDIA CPL Extension"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
  -> {HKLM...CLSID} = "Desktop Explorer"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
  -> {HKLM...CLSID} = "nView Desktop Context Menu"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{A5110426-177D-4e08-AB3F-785F10B4439C}" = "Sony Ericsson File Manager"
  -> {HKLM...CLSID} = "Sony Ericsson File Manager"
                   \InProcServer32\(Default) = "C:\Program Files\Sony Ericsson\Mobile\File Manager\fmgrgui.dll" ["Sony Ericsson Mobile Communications AB"]
"{97F68CE3-7146-45FF-BE24-D9A7DD7CB8A2}" = "NeroCoverEd Live Icons"
  -> {HKLM...CLSID} = "NeroCoverEdLiveIcons Class"
                   \InProcServer32\(Default) = "C:\Program Files\Nero\Nero 7\Nero CoverDesigner\CoverEdExtension.dll" ["Nero AG"]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
  -> {HKLM...CLSID} = "WPDShServiceObj Class"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\Software\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"
  -> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"
                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
  -> {HKLM...CLSID} = "PDF Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
  -> {HKLM...CLSID} = "avast"
                   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
Cover Designer\(Default) = "{73FCA462-9BD5-4065-A73F-A8E5F6904EF7}"
  -> {HKLM...CLSID} = "NeroCoverEdContextMenu Class"
                   \InProcServer32\(Default) = "C:\Program Files\Nero\Nero 7\Nero CoverDesigner\CoverEdExtension.dll" ["Nero AG"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
  -> {HKLM...CLSID} = "avast"
                   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\Downloads\AL-16-big.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Downloads\AL-16-big.bmp"


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 21
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
  -> {HKLM...CLSID} = "Yahoo! Toolbar"
                   \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Badanie"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC}"
  -> {HKCU...CLSID} = "Java Plug-in 1.5.0_11"
                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll" ["Sun Microsystems, Inc."]
  -> {HKLM...CLSID} = "Java Plug-in 1.5.0_11"
                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll" ["Sun Microsystems, Inc."]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Badanie"

{D6E814A0-E0C5-11D4-8D29-0050BA6940E3}\
"ButtonText" = "FlashGet"
"MenuText" = "FlashGet"
"Exec" = "C:\PROGRA~1\FlashGet\flashget.exe" ["FlashGet.com "]

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll ,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\MSMSGS.EXE" [MS]


Miscellaneous IE Hijack Points
------------------------------

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
<<H>> "{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
  -> {HKLM...CLSID} = "Yahoo! Toolbar"
                   \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" [null data]
avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" [null data]
avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]
avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]
cFosSpeed System Service, cFosSpeedS, ""C:\Program Files\cFosSpeed\spd.exe" -service" ["cFos Software GmbH"]
Creative Service for CDROM Access, Creative Service for CDROM Access, "C:\WINDOWS\system32\CTsvcCDA.exe" ["Creative Technology Ltd"]
LexBce Server, LexBceS, "C:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc."]
nTune Service, nTuneService, "C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe /StartService" ["NVIDIA"]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
StarWind iSCSI Service, StarWindService, "C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe" ["Rocket Division Software"]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Lexmark Network Port\Driver = "LEXLMPM.DLL" ["Lexmark International, Inc."]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]


----------
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
  took 346 seconds.
---------- (total run time: 378 seconds)
ComboFix
a) ComboFix-quarantined-files
Zmienna PATH folderu
Numer seryjny woluminu: 34E9-E6EC
C:\QOOBOX
\---Quarantine
\---Registry_backups
b)
"Micha" - 07-04-08 13:59:19 Dodatek Service Pack 2
ComboFix 07-04-05 - Running from: "C:\Documents and Settings\Micha\Pulpit"


((((((((((((((((((((((((((((((( Files Created from 2007-03-08 to 2007-04-08 ))))))))))))))))))))))))))))))))))

2007-04-07 21:32
2007-04-07 21:31
2007-04-07 21:31
2007-04-07 21:31
2007-04-07 21:31
2007-04-07 21:31
2007-04-07 09:06  81,920  --a------  C:\DOCUME~1\MICHA~1\DANEAP~1\ezpinst.exe
2007-04-07 09:06  47,360  --a------  C:\WINDOWS\system32\drivers\pcouffin.sys
2007-04-07 09:06  47,360  --a------  C:\DOCUME~1\MICHA~1\DANEAP~1\pcouffin.sys
2007-04-07 09:06  14  --a------  C:\WINDOWS\system32\systeminfo3.dll
2007-04-07 09:06
2007-04-07 09:06
2007-04-07 09:06
2007-04-06 22:52
2007-04-06 22:48
2007-04-06 22:31  28,672  --a------  C:\WINDOWS\system32\f3PSSavr.scr
2007-04-06 22:30
2007-04-06 22:29
2007-04-06 16:39
2007-04-06 14:57
2007-04-06 14:57
2007-04-06 14:38  786,432  --ah-----  C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-04-06 14:38
2007-04-06 14:38
2007-04-06 14:38
2007-04-06 14:38
2007-04-06 14:38
2007-04-06 14:38
2007-04-06 14:38
2007-04-06 13:05
2007-04-05 19:38
2007-04-05 12:44  5,120  --a------  C:\WINDOWS\system32\drivers\AsInsHelp64.sys
2007-04-05 12:44  4,962  -ra------  C:\WINDOWS\system32\drivers\AsIO.sys
2007-04-05 12:44  3,328  --a------  C:\WINDOWS\system32\drivers\AsInsHelp32.sys
2007-04-05 12:44  24,576  -ra------  C:\WINDOWS\system32\AsIO.dll
2007-04-05 12:44
2007-04-04 19:56
2007-04-04 19:50
2007-04-04 15:12
2007-04-04 15:12
2007-04-03 20:35
2007-04-03 20:29
2007-04-03 20:29
2007-04-03 17:49
2007-04-03 17:05
2007-04-03 16:56
2007-04-01 18:15
2007-04-01 17:21  420,240  --a------  C:\WINDOWS\system32\mpg4c32.dll
2007-04-01 17:21  309,616  --a------  C:\WINDOWS\system32\wmv8dmod.dll
2007-04-01 10:28
2007-04-01 10:22
2007-04-01 10:15
2007-03-29 20:02
2007-03-29 19:58
2007-03-29 19:57
2007-03-29 19:56  14,048  ---------  C:\WINDOWS\system32\spmsg2.dll
2007-03-29 19:52
2007-03-29 19:50
2007-03-29 19:47
2007-03-28 14:08
2007-03-28 08:51  26,730  --a------  C:\WINDOWS\system32\pmnmlii.dll
2007-03-27 20:59  26,730  --a------  C:\WINDOWS\system32\tuvvvtu.dll
2007-03-27 18:13
2007-03-27 18:13
2007-03-27 18:13
2007-03-27 18:13
2007-03-27 18:09  79,248  -ra------  C:\WINDOWS\system32\drivers\k600mgmt.sys
2007-03-27 18:08  87,456  -ra------  C:\WINDOWS\system32\drivers\k600mdm.sys
2007-03-27 18:08  77,072  -ra------  C:\WINDOWS\system32\drivers\k600obex.sys
2007-03-27 18:08  6,112  -ra------  C:\WINDOWS\system32\drivers\k600cmnt.sys
2007-03-27 18:08  6,112  -ra------  C:\WINDOWS\system32\drivers\k600cm.sys
2007-03-27 18:08  6,096  -ra------  C:\WINDOWS\system32\drivers\k600mdfl.sys
2007-03-27 18:08  52,384  -ra------  C:\WINDOWS\system32\drivers\k600bus.sys
2007-03-27 18:08  5,744  -ra------  C:\WINDOWS\system32\drivers\k600whnt.sys
2007-03-27 18:08  5,744  -ra------  C:\WINDOWS\system32\drivers\k600wh.sys
2007-03-26 15:16
2007-03-26 15:16
2007-03-25 17:55
2007-03-25 17:05
2007-03-25 17:04
2007-03-25 17:04
2007-03-25 17:04
2007-03-19 16:56
2007-03-18 20:13
2007-03-15 21:09
2007-03-14 19:27  972,336  --a------  C:\WINDOWS\UNRecode.exe
2007-03-14 19:20  133,168  --a------  C:\WINDOWS\system32\drivers\imagesrv.sys
2007-03-14 19:20  11,568  --a------  C:\WINDOWS\system32\drivers\imagedrv.sys
2007-03-14 19:19  972,336  --a------  C:\WINDOWS\UNNeroBackItUp.exe
2007-03-14 19:19  95,864  --a------  C:\WINDOWS\system32\NeroCo.dll
2007-03-12 19:04
2007-03-12 19:03
2007-03-12 15:41  24,576  --a------  C:\WINDOWS\system32\ealtest.exe
2007-03-12 15:41  132,096  --a------  C:\WINDOWS\system32\eaexec.exe
2007-03-12 15:40
2007-03-12 15:38
2007-03-12 13:51  972,336  --a------  C:\WINDOWS\UNNeroMediaHome.exe
2007-03-12 13:06
2007-03-12 12:54
2007-03-12 12:50
2007-03-08 18:59  442,368  -ra------  C:\WINDOWS\system32\vp6vfw.dll
2007-03-08 13:07


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-04-08 13:43  --------  d--------  C:\Program Files\cfosspeed
2007-04-08 13:43  --------  d--------  C:\Program Files\cfosspeed
2007-04-08 11:08  26056  --a------  C:\WINDOWS\system32\drivers\hamachi.sys
2007-04-07 19:19  --------  d--------  C:\Program Files\rocks'n'diamonds
2007-04-07 19:19  --------  d--------  C:\Program Files\rocks'n'diamonds
2007-04-07 16:26  --------  d--------  C:\Program Files\speedfan
2007-04-07 16:26  --------  d--------  C:\Program Files\speedfan
2007-04-07 11:57  --------  d--------  C:\Program Files\flashget
2007-04-07 11:57  --------  d--------  C:\Program Files\flashget
2007-04-06 14:35  --------  d--------  C:\Program Files\gadu-gadu
2007-04-06 14:35  --------  d--------  C:\Program Files\gadu-gadu
2007-04-05 19:39  8  --a------  C:\WINDOWS\system32\nvmodes.dat
2007-04-05 15:22  --------  d--------  C:\Program Files\lavalys
2007-04-05 15:22  --------  d--------  C:\Program Files\lavalys
2007-04-05 12:44  --------  d--h-----  C:\Program Files\installshield installation information
2007-04-05 12:44  --------  d--h-----  C:\Program Files\installshield installation information
2007-04-03 17:50  --------  d--------  C:\Program Files\Common Files\ahead
2007-03-29 20:02  87166  --a------  C:\WINDOWS\system32\perfc015.dat
2007-03-29 20:02  493860  --a------  C:\WINDOWS\system32\perfh015.dat
2007-03-29 19:46  --------  d--------  C:\Program Files\messenger
2007-03-29 19:46  --------  d--------  C:\Program Files\messenger
2007-03-26 15:06  108144  --a------  C:\WINDOWS\system32\cmdlineext.dll
2007-03-20 17:46  --------  d--------  C:\Program Files\bittorrent
2007-03-20 17:46  --------  d--------  C:\Program Files\bittorrent
2007-03-16 20:54  --------  d--------  C:\Program Files\winamp
2007-03-16 20:54  --------  d--------  C:\Program Files\winamp
2007-03-12 18:16  639224  --a------  C:\WINDOWS\system32\drivers\sptd.sys
2007-03-12 18:04  --------  d--------  C:\Program Files\Common Files\installshield
2007-03-08 17:38  579072  --a------  C:\WINDOWS\system32\user32.dll
2007-03-08 17:38  40960  --a------  C:\WINDOWS\system32\mf3216.dll
2007-03-08 17:38  281600  --a------  C:\WINDOWS\system32\gdi32.dll
2007-03-08 17:37  1843840  --a------  C:\WINDOWS\system32\win32k.sys
2007-03-05 17:32  --------  d--------  C:\Program Files\nlite
2007-03-05 17:32  --------  d--------  C:\Program Files\nlite
2007-03-05 16:42  --------  d--------  C:\Program Files\autopatcher
2007-03-05 16:42  --------  d--------  C:\Program Files\autopatcher
2007-03-04 15:43  20480  --a------  C:\WINDOWS\system32\h@tkeysh@@k.dll
2007-03-03 18:12  --------  d--------  C:\Program Files\java
2007-03-03 18:12  --------  d--------  C:\Program Files\java
2007-03-02 18:10  --------  d---s----  C:\Program Files\xfire
2007-03-02 18:10  --------  d---s----  C:\Program Files\xfire
2007-03-02 18:09  271360  --a------  C:\WINDOWS\system32\drivers\atksgt.sys
2007-03-02 18:09  18048  --a------  C:\WINDOWS\system32\drivers\lirsgt.sys
2007-02-28 22:14  --------  d--------  C:\Program Files\supermariopac
2007-02-28 22:14  --------  d--------  C:\Program Files\supermariopac
2007-02-28 21:18  --------  d--------  C:\Program Files\thrixxx
2007-02-28 21:18  --------  d--------  C:\Program Files\thrixxx
2007-02-28 20:53  972336  --a------  C:\WINDOWS\unnerovision.exe
2007-02-28 15:41  972336  --a------  C:\WINDOWS\unneroshowtime.exe
2007-02-27 19:41  282164  ---hs----  C:\WINDOWS\system32\ssqpp.dll
2007-02-27 19:33  26637  ---hs----  C:\WINDOWS\system32\tuvttqp.dll
2007-02-27 19:32  26637  ---hs----  C:\WINDOWS\system32\mljklmk.dll
2007-02-27 19:32  --------  d--------  C:\Program Files\limewire
2007-02-27 19:32  --------  d--------  C:\Program Files\limewire
2007-02-27 19:14  --------  d--------  C:\Program Files\Common Files\java
2007-02-24 09:54  --------  d--------  C:\Program Files\netia
2007-02-24 09:54  --------  d--------  C:\Program Files\netia
2007-02-23 17:02  163644  --a------  C:\WINDOWS\system32\drivers\secdrv.sys
2007-02-23 15:26  --------  d--------  C:\Program Files\creative
2007-02-23 15:26  --------  d--------  C:\Program Files\creative
2007-02-23 15:19  --------  d--h-----  C:\Program Files\creative installation information
2007-02-23 15:19  --------  d--h-----  C:\Program Files\creative installation information
2007-02-23 15:19  --------  d--------  C:\Program Files\Common Files\creative
2007-02-21 13:59  --------  d--------  C:\Program Files\hamachi
2007-02-21 13:59  --------  d--------  C:\Program Files\hamachi
2007-02-21 13:35  --------  d--------  C:\Program Files\hd tune
2007-02-21 13:35  --------  d--------  C:\Program Files\hd tune
2007-02-16 14:19  --------  d--------  C:\Program Files\airstrike ii demo
2007-02-16 14:19  --------  d--------  C:\Program Files\airstrike ii demo
2007-02-16 13:39  --------  d--------  C:\Program Files\mindscape
2007-02-16 13:39  --------  d--------  C:\Program Files\mindscape
2007-02-16 13:38  --------  d--------  C:\Program Files\alcohol soft
2007-02-16 13:38  --------  d--------  C:\Program Files\alcohol soft
2007-02-15 17:39  --------  d--------  C:\Program Files\rox
2007-02-15 17:39  --------  d--------  C:\Program Files\rox
2007-02-15 13:41  --------  d--------  C:\Program Files\wapster
2007-02-15 13:41  --------  d--------  C:\Program Files\wapster
2007-02-15 13:27  --------  d--------  C:\Program Files\pogoda
2007-02-15 13:27  --------  d--------  C:\Program Files\pogoda
2007-02-15 13:25  1252  --a------  C:\WINDOWS\unins000.dat
2007-02-15 13:19  --------  d--------  C:\Program Files\elastomania
2007-02-15 13:19  --------  d--------  C:\Program Files\elastomania
2007-02-12 20:26  --------  d--------  C:\Program Files\realtek ac97
2007-02-12 20:26  --------  d--------  C:\Program Files\realtek ac97
2007-02-11 21:42  --------  d--------  C:\Program Files\rivatuner v2.0 final release
2007-02-11 21:42  --------  d--------  C:\Program Files\rivatuner v2.0 final release
2007-02-11 21:18  --------  d--------  C:\Program Files\project1
2007-02-11 21:18  --------  d--------  C:\Program Files\project1
2007-02-11 20:07  73216  --a------  C:\WINDOWS\st6unst.exe
2007-02-11 20:07  286720  ---------  C:\WINDOWS\setup1.exe
2007-02-11 20:05  --------  d--------  C:\Program Files\ppf
2007-02-11 20:05  --------  d--------  C:\Program Files\ppf
2007-02-09 19:25  60416  --a------  C:\WINDOWS\alcfdrtm.exe
2007-02-09 18:34  --------  d--------  C:\Program Files\tvtool
2007-02-09 18:34  --------  d--------  C:\Program Files\tvtool
2007-02-08 19:18  --------  d--------  C:\Program Files\k-lite codec pack
2007-02-08 19:18  --------  d--------  C:\Program Files\k-lite codec pack
2007-02-08 19:15  --------  d--------  C:\Program Files\nero
2007-02-08 19:15  --------  d--------  C:\Program Files\nero
2007-02-04 16:46  0  -rahs----  C:\MSDOS.SYS
2007-02-04 16:46  0  -rahs----  C:\IO.SYS
2007-02-04 16:46  0  --a------  C:\CONFIG.SYS
2007-02-04 16:46  0  --a------  C:\AUTOEXEC.BAT
2007-02-04 16:43  21856  --a------  C:\WINDOWS\system32\emptyregdb.dat
2007-01-26 21:20  1177593  --a------  C:\WINDOWS\gta4 c.scr
2007-01-26 19:42  1182224  --a------  C:\WINDOWS\gta4 a.scr
2007-01-26 19:41  1188893  --a------  C:\WINDOWS\gta4 b.scr
2007-01-24 16:27  255848  --a------  C:\WINDOWS\system32\xactengine2_6.dll
2007-01-22 17:23  6912  --a------  C:\WINDOWS\nvoclock.sys
2007-01-22 17:23  385024  --a------  C:\WINDOWS\ntuneoem.dll
2007-01-22 17:22  28672  --a------  C:\WINDOWS\autotunescript.dll
2007-01-22 17:22  1622016  --a------  C:\WINDOWS\nvbenchmarks.dll
2007-01-15 19:32  689280  --a------  C:\WINDOWS\system32\aswboot.exe
2007-01-15 19:23  90112  --a------  C:\WINDOWS\system32\avastss.scr
2007-01-10 08:00  545  --a------  C:\WINDOWS\uc.pif
2007-01-10 08:00  545  --a------  C:\WINDOWS\rar.pif
2007-01-10 08:00  545  --a------  C:\WINDOWS\pkzip.pif
2007-01-10 08:00  545  --a------  C:\WINDOWS\pkunzip.pif
2007-01-10 08:00  545  --a------  C:\WINDOWS\noclose.pif
2007-01-10 08:00  545  --a------  C:\WINDOWS\lha.pif
2007-01-10 08:00  545  --a------  C:\WINDOWS\arj.pif
2007-01-10 00:59  217088  --a------  C:\WINDOWS\nvgfxogl.dll
2007-01-08 16:30  15128  --a------  C:\WINDOWS\system32\x3daudio1_1.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"=""C:\Program Files\Messenger\MSMSGS.EXE" /background"
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe"
"Gadu-Gadu"=""C:\Program Files\Gadu-Gadu\gg.exe" /tray"
"BitTorrent"=""C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized"
"Steam"=""d:\program files\steam\steam.exe" -silent"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe"
"NVIDIA nTune"=""C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear"
"NvCplDaemon"="RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]
"path"="C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk"
"backup"="C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\PROGRA~1\Adobe\READER~1.0\Reader\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Synchronizer.lnk]
"path"="C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Synchronizer.lnk"
"backup"="C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\PROGRA~1\Adobe\READER~1.0\Reader\ADOBEC~1.EXE "
"item"="Adobe Reader Synchronizer"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Michał^Menu Start^Programy^Autostart^Adobe Gamma.lnk]
"path"="C:\Documents and Settings\Michał\Menu Start\Programy\Autostart\Adobe Gamma.lnk"
"backup"="C:\WINDOWS\pss\Adobe Gamma.lnkStartup"
"location"="Startup"
"command"="C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE "
"item"="Adobe Gamma"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Michał^Menu Start^Programy^Autostart^HDDlife.lnk]
"path"="C:\Documents and Settings\Michał\Menu Start\Programy\Autostart\HDDlife.lnk"
"backup"="C:\WINDOWS\pss\HDDlife.lnkStartup"
"location"="Startup"
"command"="C:\PROGRA~1\BINARY~1\HDDlife\HDDLIF~1.EXE "
"item"="HDDlife"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Michał^Menu Start^Programy^Autostart^Xfire.lnk]
"path"="C:\Documents and Settings\Michał\Menu Start\Programy\Autostart\Xfire.lnk"
"backup"="C:\WINDOWS\pss\Xfire.lnkStartup"
"location"="Startup"
"command"="C:\PROGRA~1\Xfire\Xfire.exe "
"item"="Xfire"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AQQ]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="AQQ"
"hkey"="HKCU"
"command"="C:\PROGRA~1\Wapster\AQQ\AQQ.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoConnect]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="AutoConnect"
"hkey"="HKCU"
"command"="C:\Program Files\AutoConnect\AutoConnect.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="NMBgMonitor"
"hkey"="HKCU"
"command"=""C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="bittorrent"
"hkey"="HKCU"
"command"=""C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cFosSpeed]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="cFosSpeed"
"hkey"="HKLM"
"command"="C:\Program Files\cFosSpeed\cFosSpeed.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="CTSysVol"
"hkey"="HKLM"
"command"="C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Flashget]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="Flashget"
"hkey"="HKLM"
"command"="C:\PROGRA~1\FlashGet\Flashget.exe /min"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gadu-Gadu]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="gg"
"hkey"="HKCU"
"command"=""C:\Program Files\Gadu-Gadu\gg.exe" /tray"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch Ai Booster]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="OverClk"
"hkey"="HKLM"
"command"=""C:\Program Files\ASUS\Ai Booster\OverClk.exe""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LXSUPMON]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="LXSUPMON"
"hkey"="HKLM"
"command"="C:\WINDOWS\system32\LXSUPMON.EXE RUN"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NETIANET]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="netianet"
"hkey"="HKCU"
"command"="C:\Program Files\Netia\Net\netianet.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17Helper]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="Rundll32 P17"
"hkey"="HKLM"
"command"="Rundll32 P17.dll,P17Helper"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="Skype"
"hkey"="HKCU"
"command"=""C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="SOUNDMAN"
"hkey"="HKLM"
"command"="SOUNDMAN.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedTouch USB Diagnostics]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="Dragdiag"
"hkey"="HKLM"
"command"=""C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="jusched"
"hkey"="HKLM"
"command"=""C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TweakRAM]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="TweakRAM"
"hkey"="HKCU"
"command"="C:\Program Files\TweakRAM\TweakRAM.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="UpdReg"
"hkey"="HKLM"
"command"="C:\WINDOWS\UpdReg.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WheelMouse]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="Amoumain"
"hkey"="HKLM"
"command"="C:\Program Files\A4Tech\Mouse\Amoumain.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsSystem32]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="msnmssgr"
"hkey"="HKLM"
"command"="C:\Program Files\Common Files\System\msnmssgr.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source  REG_SZ  http://img.interia.pl/sport/nimg/Adam_M … 493318.jpg

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages  REG_MULTI_SZ  msv1_0\0\0
Security Packages  REG_MULTI_SZ  kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages  REG_MULTI_SZ  scecli\0\0

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter  REG_MULTI_SZ  HTTPFilter\0\0
LocalService  REG_MULTI_SZ  Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService  REG_MULTI_SZ  DnsCache\0\0
DcomLaunch  REG_MULTI_SZ  DcomLaunch\0TermService\0\0
rpcss  REG_MULTI_SZ  RpcSs\0\0
imgsvc  REG_MULTI_SZ  StiSvc\0\0
termsvcs  REG_MULTI_SZ  TermService\0\0
WudfServiceGroup  REG_MULTI_SZ  WUDFSvc\0\0

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F]
Shell\AutoRun\command  F:\Autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2c94de89-bdb2-11db-b73a-000e50e2a95b}]
Shell\AutoRun\command  F:\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f9c21768-da05-11db-b76d-000e50e2a95b}]
Shell\AutoRun\command  F:\Autorun.exe
********************************************************************
catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
********************************************************************

Completion time: 07-04-08 14:02:26
C:\ComboFix-quarantined-files.txt ... 07-04-08 14:02
VundoFix
adam9870
8 April 2007 12:49
#4
Is that yours? If not, delete that folder too in Gmer, in the Processes tab, using the Files option.
Now you will be carrying out the steps in Gmer, so launch it, wait a moment, and click the >>> tab to open the remaining tabs.
Scan the system with AVG Anti-Spyware after updating it.
When done, paste new logs.
Okay. I'll do it right away. Hey, tell me, what is this crap that has latched onto me?
adam9870
8 April 2007 13:06
#6
OK, everything's done. Here are the logs
HijackThis
Logfile of HijackThis v1.99.1
Scan saved at 19:20:54, on 2007-04-08
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\cFosSpeed\spd.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\AutoConnect\AutoConnect.exe
C:\Documents and Settings\Michał\Pulpit\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [Steam] "d:\program files\steam\steam.exe" -silent
O8 - Extra context menu item: &Ściągnij przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &Ściągnij wszystko przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D424F101-C007-46E3-81E2-E71D090111E6}: NameServer = 194.204.159.1 217.98.63.164
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: cFosSpeed System Service (cFosSpeedS) - Unknown owner - C:\Program Files\cFosSpeed\spd.exe" -service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
Silent Runners
"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu S.A."]
"BitTorrent" = ""C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized" [null data]
"Steam" = ""d:\program files\steam\steam.exe" -silent" ["Valve Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]
"NVIDIA nTune" = ""C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear" ["NVIDIA"]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"!AVG Anti-Spyware" = ""C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized" ["Anti-Malware Development a.s."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{02478D38-C3F9-4EFB-9B51-7695ECA05670}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Yahoo! Toolbar Helper"
                   \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}\(Default) = "flashget urlcatch"
  -> {HKLM...CLSID} = "Flashget Catch Url Class"
                   \InProcServer32\(Default) = "C:\Program Files\FlashGet\jccatch.dll" ["www.flashget.com "]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "SSVHelper Class"
                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll" ["Sun Microsystems, Inc."]
{F156768E-81EF-470C-9057-481BA8380DBA}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "FlashGet GetFlash Class"
                   \InProcServer32\(Default) = "C:\Program Files\FlashGet\getflash.dll" ["www.flashget.com "]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
                   \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
  -> {HKLM...CLSID} = "avast"
                   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
  -> {HKLM...CLSID} = "Microsoft Office Outlook"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"
  -> {HKLM...CLSID} = "NeroDigitalIconHandler Class"
                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"
  -> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"
                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"
  -> {HKLM...CLSID} = "AlcoholShellEx"
                   \InProcServer32\(Default) = "C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AxShlex.dll" ["Alcohol Soft Development Team"]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
  -> {HKLM...CLSID} = "DesktopContext Class"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
  -> {HKLM...CLSID} = "NVIDIA CPL Extension"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
  -> {HKLM...CLSID} = "Desktop Explorer"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
  -> {HKLM...CLSID} = "nView Desktop Context Menu"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{A5110426-177D-4e08-AB3F-785F10B4439C}" = "Sony Ericsson File Manager"
  -> {HKLM...CLSID} = "Sony Ericsson File Manager"
                   \InProcServer32\(Default) = "C:\Program Files\Sony Ericsson\Mobile\File Manager\fmgrgui.dll" ["Sony Ericsson Mobile Communications AB"]
"{97F68CE3-7146-45FF-BE24-D9A7DD7CB8A2}" = "NeroCoverEd Live Icons"
  -> {HKLM...CLSID} = "NeroCoverEdLiveIcons Class"
                   \InProcServer32\(Default) = "C:\Program Files\Nero\Nero 7\Nero CoverDesigner\CoverEdExtension.dll" ["Nero AG"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"
  -> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
                   \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["Anti-Malware Development a.s."]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
  -> {HKLM...CLSID} = "WPDShServiceObj Class"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\Software\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"
  -> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"
                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
  -> {HKLM...CLSID} = "PDF Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
  -> {HKLM...CLSID} = "avast"
                   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
  -> {HKLM...CLSID} = "CContextScan Object"
                   \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]
Cover Designer\(Default) = "{73FCA462-9BD5-4065-A73F-A8E5F6904EF7}"
  -> {HKLM...CLSID} = "NeroCoverEdContextMenu Class"
                   \InProcServer32\(Default) = "C:\Program Files\Nero\Nero 7\Nero CoverDesigner\CoverEdExtension.dll" ["Nero AG"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
  -> {HKLM...CLSID} = "CContextScan Object"
                   \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
  -> {HKLM...CLSID} = "avast"
                   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"DisableRegistryTools" = (REG_DWORD) hex:0x00000000
{Prevent access to registry editing tools}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\Downloads\AL-16-big.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Downloads\AL-16-big.bmp"


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 21
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
  -> {HKLM...CLSID} = "Yahoo! Toolbar"
                   \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Badanie"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC}"
  -> {HKCU...CLSID} = "Java Plug-in 1.5.0_11"
                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll" ["Sun Microsystems, Inc."]
  -> {HKLM...CLSID} = "Java Plug-in 1.5.0_11"
                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll" ["Sun Microsystems, Inc."]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Badanie"

{D6E814A0-E0C5-11D4-8D29-0050BA6940E3}\
"ButtonText" = "FlashGet"
"MenuText" = "FlashGet"
"Exec" = "C:\PROGRA~1\FlashGet\flashget.exe" ["FlashGet.com "]

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\MSMSGS.EXE" [MS]


Miscellaneous IE Hijack Points
------------------------------

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\

<<H>> "{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
  -> {HKLM...CLSID} = "Yahoo! Toolbar"
                   \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" [null data]
avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" [null data]
avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]
avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]
AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe" ["Anti-Malware Development a.s."]
cFosSpeed System Service, cFosSpeedS, ""C:\Program Files\cFosSpeed\spd.exe" -service" ["cFos Software GmbH"]
Creative Service for CDROM Access, Creative Service for CDROM Access, "C:\WINDOWS\system32\CTsvcCDA.exe" ["Creative Technology Ltd"]
LexBce Server, LexBceS, "C:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc."]
nTune Service, nTuneService, "C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe /StartService" ["NVIDIA"]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
StarWind iSCSI Service, StarWindService, "C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe" ["Rocket Division Software"]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Lexmark Network Port\Driver = "LEXLMPM.DLL" ["Lexmark International, Inc."]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]


----------
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
  took 348 seconds.
---------- (total run time: 384 seconds)
ComboFix
"Micha" - 07-04-08 19:33:00    Dodatek Service Pack 2
ComboFix 07-04-05 - Running from: "C:\Documents and Settings\Micha\Pulpit"


((((((((((((((((((((((((((((((( Files Created from 2007-03-08 to 2007-04-08 ))))))))))))))))))))))))))))))))))

2007-04-08 15:32	106	--a------	C:\delete.bat
2007-04-08 14:59	3,968	--a------	C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-04-07 21:31
2007-04-07 09:06	81,920	--a------	C:\DOCUME~1\MICHA~1\DANEAP~1\ezpinst.exe
2007-04-07 09:06	47,360	--a------	C:\WINDOWS\system32\drivers\pcouffin.sys
2007-04-07 09:06	47,360	--a------	C:\DOCUME~1\MICHA~1\DANEAP~1\pcouffin.sys
2007-04-07 09:06	14	--a------	C:\WINDOWS\system32\systeminfo3.dll
2007-04-07 09:06
2007-04-07 09:06
2007-04-07 09:06
2007-04-06 22:52
2007-04-06 22:48
2007-04-06 22:31	28,672	--a------	C:\WINDOWS\system32\f3PSSavr.scr
2007-04-06 22:29
2007-04-06 16:39
2007-04-06 14:57
2007-04-06 14:57
2007-04-06 14:38	786,432	--ah-----	C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-04-06 14:38
2007-04-06 14:38
2007-04-06 14:38
2007-04-06 14:38
2007-04-06 14:38
2007-04-06 14:38
2007-04-06 14:38
2007-04-06 13:05
2007-04-05 19:38
2007-04-05 12:44	5,120	--a------	C:\WINDOWS\system32\drivers\AsInsHelp64.sys
2007-04-05 12:44	4,962	-ra------	C:\WINDOWS\system32\drivers\AsIO.sys
2007-04-05 12:44	3,328	--a------	C:\WINDOWS\system32\drivers\AsInsHelp32.sys
2007-04-05 12:44	24,576	-ra------	C:\WINDOWS\system32\AsIO.dll
2007-04-05 12:44
2007-04-04 19:56
2007-04-04 19:50
2007-04-04 15:12
2007-04-04 15:12
2007-04-03 20:35
2007-04-03 20:29
2007-04-03 20:29
2007-04-03 17:49
2007-04-03 17:05
2007-04-03 16:56
2007-04-01 18:15
2007-04-01 17:21	420,240	--a------	C:\WINDOWS\system32\mpg4c32.dll
2007-04-01 17:21	309,616	--a------	C:\WINDOWS\system32\wmv8dmod.dll
2007-04-01 10:28
2007-04-01 10:22
2007-04-01 10:15
2007-03-29 20:02
2007-03-29 19:58
2007-03-29 19:57
2007-03-29 19:56	14,048	---------	C:\WINDOWS\system32\spmsg2.dll
2007-03-29 19:52
2007-03-29 19:50
2007-03-29 19:47
2007-03-28 14:08
2007-03-27 18:13
2007-03-27 18:13
2007-03-27 18:13
2007-03-27 18:13
2007-03-27 18:09	79,248	-ra------	C:\WINDOWS\system32\drivers\k600mgmt.sys
2007-03-27 18:08	87,456	-ra------	C:\WINDOWS\system32\drivers\k600mdm.sys
2007-03-27 18:08	77,072	-ra------	C:\WINDOWS\system32\drivers\k600obex.sys
2007-03-27 18:08	6,112	-ra------	C:\WINDOWS\system32\drivers\k600cmnt.sys
2007-03-27 18:08	6,112	-ra------	C:\WINDOWS\system32\drivers\k600cm.sys
2007-03-27 18:08	6,096	-ra------	C:\WINDOWS\system32\drivers\k600mdfl.sys
2007-03-27 18:08	52,384	-ra------	C:\WINDOWS\system32\drivers\k600bus.sys
2007-03-27 18:08	5,744	-ra------	C:\WINDOWS\system32\drivers\k600whnt.sys
2007-03-27 18:08	5,744	-ra------	C:\WINDOWS\system32\drivers\k600wh.sys
2007-03-26 15:16
2007-03-26 15:16
2007-03-25 17:55
2007-03-25 17:05
2007-03-25 17:04
2007-03-25 17:04
2007-03-25 17:04
2007-03-19 16:56
2007-03-18 20:13
2007-03-15 21:09
2007-03-14 19:27	972,336	--a------	C:\WINDOWS\UNRecode.exe
2007-03-14 19:20	133,168	--a------	C:\WINDOWS\system32\drivers\imagesrv.sys
2007-03-14 19:20	11,568	--a------	C:\WINDOWS\system32\drivers\imagedrv.sys
2007-03-14 19:19	972,336	--a------	C:\WINDOWS\UNNeroBackItUp.exe
2007-03-14 19:19	95,864	--a------	C:\WINDOWS\system32\NeroCo.dll
2007-03-12 19:04
2007-03-12 19:03
2007-03-12 15:41	24,576	--a------	C:\WINDOWS\system32\ealtest.exe
2007-03-12 15:41	132,096	--a------	C:\WINDOWS\system32\eaexec.exe
2007-03-12 15:40
2007-03-12 15:38
2007-03-12 13:51	972,336	--a------	C:\WINDOWS\UNNeroMediaHome.exe
2007-03-12 13:06
2007-03-12 12:54
2007-03-12 12:50
2007-03-08 18:59	442,368	-ra------	C:\WINDOWS\system32\vp6vfw.dll
2007-03-08 13:07


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-04-08 19:29	--------	d--------	C:\Program Files\cfosspeed
2007-04-08 19:29	--------	d--------	C:\Program Files\cfosspeed
2007-04-08 11:08	26056	--a------	C:\WINDOWS\system32\drivers\hamachi.sys
2007-04-07 19:19	--------	d--------	C:\Program Files\rocks'n'diamonds
2007-04-07 19:19	--------	d--------	C:\Program Files\rocks'n'diamonds
2007-04-07 16:26	--------	d--------	C:\Program Files\speedfan
2007-04-07 16:26	--------	d--------	C:\Program Files\speedfan
2007-04-07 11:57	--------	d--------	C:\Program Files\flashget
2007-04-07 11:57	--------	d--------	C:\Program Files\flashget
2007-04-06 14:35	--------	d--------	C:\Program Files\gadu-gadu
2007-04-06 14:35	--------	d--------	C:\Program Files\gadu-gadu
2007-04-05 19:39	8	--a------	C:\WINDOWS\system32\nvmodes.dat
2007-04-05 15:22	--------	d--------	C:\Program Files\lavalys
2007-04-05 15:22	--------	d--------	C:\Program Files\lavalys
2007-04-05 12:44	--------	d--h-----	C:\Program Files\installshield installation information
2007-04-05 12:44	--------	d--h-----	C:\Program Files\installshield installation information
2007-04-03 17:50	--------	d--------	C:\Program Files\Common Files\ahead
2007-03-29 20:02	87166	--a------	C:\WINDOWS\system32\perfc015.dat
2007-03-29 20:02	493860	--a------	C:\WINDOWS\system32\perfh015.dat
2007-03-29 19:46	--------	d--------	C:\Program Files\messenger
2007-03-29 19:46	--------	d--------	C:\Program Files\messenger
2007-03-26 15:06	108144	--a------	C:\WINDOWS\system32\cmdlineext.dll
2007-03-20 17:46	--------	d--------	C:\Program Files\bittorrent
2007-03-20 17:46	--------	d--------	C:\Program Files\bittorrent
2007-03-16 20:54	--------	d--------	C:\Program Files\winamp
2007-03-16 20:54	--------	d--------	C:\Program Files\winamp
2007-03-12 18:16	639224	--a------	C:\WINDOWS\system32\drivers\sptd.sys
2007-03-12 18:04	--------	d--------	C:\Program Files\Common Files\installshield
2007-03-08 17:38	579072	--a------	C:\WINDOWS\system32\user32.dll
2007-03-08 17:38	40960	--a------	C:\WINDOWS\system32\mf3216.dll
2007-03-08 17:38	281600	--a------	C:\WINDOWS\system32\gdi32.dll
2007-03-08 17:37	1843840	--a------	C:\WINDOWS\system32\win32k.sys
2007-03-05 17:32	--------	d--------	C:\Program Files\nlite
2007-03-05 17:32	--------	d--------	C:\Program Files\nlite
2007-03-05 16:42	--------	d--------	C:\Program Files\autopatcher
2007-03-05 16:42	--------	d--------	C:\Program Files\autopatcher
2007-03-04 15:43	20480	--a------	C:\WINDOWS\system32\h@tkeysh@@k.dll
2007-03-03 18:12	--------	d--------	C:\Program Files\java
2007-03-03 18:12	--------	d--------	C:\Program Files\java
2007-03-02 18:10	--------	d---s----	C:\Program Files\xfire
2007-03-02 18:10	--------	d---s----	C:\Program Files\xfire
2007-03-02 18:09	271360	--a------	C:\WINDOWS\system32\drivers\atksgt.sys
2007-03-02 18:09	18048	--a------	C:\WINDOWS\system32\drivers\lirsgt.sys
2007-02-28 22:14	--------	d--------	C:\Program Files\supermariopac
2007-02-28 22:14	--------	d--------	C:\Program Files\supermariopac
2007-02-28 21:18	--------	d--------	C:\Program Files\thrixxx
2007-02-28 21:18	--------	d--------	C:\Program Files\thrixxx
2007-02-28 20:53	972336	--a------	C:\WINDOWS\unnerovision.exe
2007-02-28 15:41	972336	--a------	C:\WINDOWS\unneroshowtime.exe
2007-02-27 19:32	--------	d--------	C:\Program Files\limewire
2007-02-27 19:32	--------	d--------	C:\Program Files\limewire
2007-02-27 19:14	--------	d--------	C:\Program Files\Common Files\java
2007-02-24 09:54	--------	d--------	C:\Program Files\netia
2007-02-24 09:54	--------	d--------	C:\Program Files\netia
2007-02-23 17:02	163644	--a------	C:\WINDOWS\system32\drivers\secdrv.sys
2007-02-23 15:26	--------	d--------	C:\Program Files\creative
2007-02-23 15:26	--------	d--------	C:\Program Files\creative
2007-02-23 15:19	--------	d--h-----	C:\Program Files\creative installation information
2007-02-23 15:19	--------	d--h-----	C:\Program Files\creative installation information
2007-02-23 15:19	--------	d--------	C:\Program Files\Common Files\creative
2007-02-21 13:59	--------	d--------	C:\Program Files\hamachi
2007-02-21 13:59	--------	d--------	C:\Program Files\hamachi
2007-02-21 13:35	--------	d--------	C:\Program Files\hd tune
2007-02-21 13:35	--------	d--------	C:\Program Files\hd tune
2007-02-16 14:19	--------	d--------	C:\Program Files\airstrike ii demo
2007-02-16 14:19	--------	d--------	C:\Program Files\airstrike ii demo
2007-02-16 13:39	--------	d--------	C:\Program Files\mindscape
2007-02-16 13:39	--------	d--------	C:\Program Files\mindscape
2007-02-16 13:38	--------	d--------	C:\Program Files\alcohol soft
2007-02-16 13:38	--------	d--------	C:\Program Files\alcohol soft
2007-02-15 17:39	--------	d--------	C:\Program Files\rox
2007-02-15 17:39	--------	d--------	C:\Program Files\rox
2007-02-15 13:41	--------	d--------	C:\Program Files\wapster
2007-02-15 13:41	--------	d--------	C:\Program Files\wapster
2007-02-15 13:27	--------	d--------	C:\Program Files\pogoda
2007-02-15 13:27	--------	d--------	C:\Program Files\pogoda
2007-02-15 13:25	1252	--a------	C:\WINDOWS\unins000.dat
2007-02-15 13:19	--------	d--------	C:\Program Files\elastomania
2007-02-15 13:19	--------	d--------	C:\Program Files\elastomania
2007-02-12 20:26	--------	d--------	C:\Program Files\realtek ac97
2007-02-12 20:26	--------	d--------	C:\Program Files\realtek ac97
2007-02-11 21:42	--------	d--------	C:\Program Files\rivatuner v2.0 final release
2007-02-11 21:42	--------	d--------	C:\Program Files\rivatuner v2.0 final release
2007-02-11 21:18	--------	d--------	C:\Program Files\project1
2007-02-11 21:18	--------	d--------	C:\Program Files\project1
2007-02-11 20:05	--------	d--------	C:\Program Files\ppf
2007-02-11 20:05	--------	d--------	C:\Program Files\ppf
2007-02-09 19:25	60416	--a------	C:\WINDOWS\alcfdrtm.exe
2007-02-09 18:34	--------	d--------	C:\Program Files\tvtool
2007-02-09 18:34	--------	d--------	C:\Program Files\tvtool
2007-02-08 19:18	--------	d--------	C:\Program Files\k-lite codec pack
2007-02-08 19:18	--------	d--------	C:\Program Files\k-lite codec pack
2007-02-08 19:15	--------	d--------	C:\Program Files\nero
2007-02-08 19:15	--------	d--------	C:\Program Files\nero
2007-02-04 16:46	0	-rahs----	C:\MSDOS.SYS
2007-02-04 16:46	0	-rahs----	C:\IO.SYS
2007-02-04 16:46	0	--a------	C:\CONFIG.SYS
2007-02-04
16:46 0 --a------ C:\AUTOEXEC.BAT 2007-02-04 16:43 21856 --a------ C:\WINDOWS\system32\emptyregdb.dat 2007-01-26 21:20 1177593 --a------ C:\WINDOWS\gta4 c.scr 2007-01-26 19:42 1182224 --a------ C:\WINDOWS\gta4 a.scr 2007-01-26 19:41 1188893 --a------ C:\WINDOWS\gta4 b.scr 2007-01-24 16:27 255848 --a------ C:\WINDOWS\system32\xactengine2_6.dll 2007-01-22 17:23 6912 --a------ C:\WINDOWS\nvoclock.sys 2007-01-22 17:23 385024 --a------ C:\WINDOWS\ntuneoem.dll 2007-01-22 17:22 28672 --a------ C:\WINDOWS\autotunescript.dll 2007-01-22 17:22 1622016 --a------ C:\WINDOWS\nvbenchmarks.dll 2007-01-15 19:32 689280 --a------ C:\WINDOWS\system32\aswboot.exe 2007-01-15 19:23 90112 --a------ C:\WINDOWS\system32\avastss.scr 2007-01-10 08:00 545 --a------ C:\WINDOWS\uc.pif 2007-01-10 08:00 545 --a------ C:\WINDOWS\rar.pif 2007-01-10 08:00 545 --a------ C:\WINDOWS\pkzip.pif 2007-01-10 08:00 545 --a------ C:\WINDOWS\pkunzip.pif 2007-01-10 08:00 545 --a------ C:\WINDOWS\noclose.pif 2007-01-10 08:00 545 --a------ C:\WINDOWS\lha.pif 2007-01-10 08:00 545 --a------ C:\WINDOWS\arj.pif 2007-01-10 00:59 217088 --a------ C:\WINDOWS\nvgfxogl.dll 2007-01-08 16:30 15128 --a------ C:\WINDOWS\system32\x3daudio1_1.dll (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run] “ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe” “Gadu-Gadu”="“C:\Program Files\Gadu-Gadu\gg.exe” /tray" “BitTorrent”="“C:\Program Files\BitTorrent\bittorrent.exe” --force_start_minimized" “Steam”="“d:\program files\steam\steam.exe” -silent" “MSMSGS”="“C:\Program Files\Messenger\msmsgs.exe” /background" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run] “avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” “NVIDIA nTune”="“C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe” clear" “NvCplDaemon”=“RUNDLL32.EXE 
C:\WINDOWS\system32\NvCpl.dll,NvStartup” “nwiz”=“nwiz.exe /install” “NvMediaCenter”=“RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit” “!AVG Anti-Spyware”="“C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe” /minimized" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL] “Installed”=“1” [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI] “Installed”=“1” “NoChange”=“1” [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS] “Installed”=“1” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk] “path”=“C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk” “backup”=“C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup” “location”=“Common Startup” “command”=“C:\PROGRA~1\Adobe\READER~1.0\Reader\READER~1.EXE " “item”=“Adobe Reader Speed Launch” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Synchronizer.lnk] “path”=“C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Synchronizer.lnk” “backup”=“C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup” “location”=“Common Startup” “command”=“C:\PROGRA~1\Adobe\READER~1.0\Reader\ADOBEC~1.EXE " “item”=“Adobe Reader Synchronizer” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Michał^Menu Start^Programy^Autostart^Adobe Gamma.lnk] “path”=“C:\Documents and Settings\Michał\Menu Start\Programy\Autostart\Adobe Gamma.lnk” “backup”=“C:\WINDOWS\pss\Adobe Gamma.lnkStartup” “location”=“Startup” 
“command”=“C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE " “item”=“Adobe Gamma” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Michał^Menu Start^Programy^Autostart^HDDlife.lnk] “path”=“C:\Documents and Settings\Michał\Menu Start\Programy\Autostart\HDDlife.lnk” “backup”=“C:\WINDOWS\pss\HDDlife.lnkStartup” “location”=“Startup” “command”=“C:\PROGRA~1\BINARY~1\HDDlife\HDDLIF~1.EXE " “item”=“HDDlife” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Michał^Menu Start^Programy^Autostart^Xfire.lnk] “path”=“C:\Documents and Settings\Michał\Menu Start\Programy\Autostart\Xfire.lnk” “backup”=“C:\WINDOWS\pss\Xfire.lnkStartup” “location”=“Startup” “command”=“C:\PROGRA~1\Xfire\Xfire.exe " “item”=“Xfire” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=”” “hkey”=“HKLM” “command”=”” “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AQQ] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“AQQ” “hkey”=“HKCU” “command”=“C:\PROGRA~1\Wapster\AQQ\AQQ.exe” “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoConnect] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“AutoConnect” “hkey”=“HKCU” “command”=“C:\Program Files\AutoConnect\AutoConnect.exe” “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“NMBgMonitor” “hkey”=“HKCU” “command”=”“C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe”" “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“bittorrent” “hkey”=“HKCU” “command”="“C:\Program Files\BitTorrent\bittorrent.exe” 
--force_start_minimized" “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cFosSpeed] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“cFosSpeed” “hkey”=“HKLM” “command”=“C:\Program Files\cFosSpeed\cFosSpeed.exe” “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“CTSysVol” “hkey”=“HKLM” “command”=“C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r” “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Flashget] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“Flashget” “hkey”=“HKLM” “command”=“C:\PROGRA~1\FlashGet\Flashget.exe /min” “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gadu-Gadu] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“gg” “hkey”=“HKCU” “command”="“C:\Program Files\Gadu-Gadu\gg.exe” /tray" “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch Ai Booster] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“OverClk” “hkey”=“HKLM” “command”="“C:\Program Files\ASUS\Ai Booster\OverClk.exe”" “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LXSUPMON] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“LXSUPMON” “hkey”=“HKLM” “command”=“C:\WINDOWS\system32\LXSUPMON.EXE RUN” “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“NeroCheck” “hkey”=“HKLM” “command”=“C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe” “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NETIANET] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“netianet” “hkey”=“HKCU” “command”=“C:\Program Files\Netia\Net\netianet.exe” “inimapping”=“0” 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17Helper] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“Rundll32 P17” “hkey”=“HKLM” “command”=“Rundll32 P17.dll,P17Helper” “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“Skype” “hkey”=“HKCU” “command”="“C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized" “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“SOUNDMAN” “hkey”=“HKLM” “command”=“SOUNDMAN.EXE” “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedTouch USB Diagnostics] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“Dragdiag” “hkey”=“HKLM” “command”="“C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” /icon" “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“jusched” “hkey”=“HKLM” “command”="“C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe”" “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TweakRAM] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“TweakRAM” “hkey”=“HKCU” “command”=“C:\Program Files\TweakRAM\TweakRAM.exe” “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“UpdReg” “hkey”=“HKLM” “command”=“C:\WINDOWS\UpdReg.EXE” “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WheelMouse] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“Amoumain” “hkey”=“HKLM” “command”=“C:\Program Files\A4Tech\Mouse\Amoumain.exe” “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared 
tools\msconfig\startupreg\WindowsSystem32] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“msnmssgr” “hkey”=“HKLM” “command”=“C:\Program Files\Common Files\System\msnmssgr.exe” “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks] “{57B86673-276A-48B2-BAE7-C6DBB3020EB8}”=“AVG Anti-Spyware 7.5” [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload] “WPDShServiceObj”="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}" [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0] Source REG_SZ http://img.interia.pl/sport/nimg/Adam_M … 493318.jpg [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders] “SecurityProviders”=“msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll” HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa Authentication Packages REG_MULTI_SZ msv1_0\0\0 Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0 Notification Packages REG_MULTI_SZ scecli\0\0 [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost] HTTPFilter REG_MULTI_SZ HTTPFilter\0\0 LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0 NetworkService REG_MULTI_SZ DnsCache\0\0 DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0 rpcss REG_MULTI_SZ RpcSs\0\0 imgsvc REG_MULTI_SZ StiSvc\0\0 termsvcs REG_MULTI_SZ TermService\0\0 WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0 [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F] Shell\AutoRun\command F:\Autorun.exe [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{2c94de89-bdb2-11db-b73a-000e50e2a95b}] Shell\AutoRun\command F:\autorun.exe ******************************************************************** catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006 http://www.gmer.net scanning hidden processes … scanning hidden services … scanning hidden autostart entries … scanning hidden files 
… scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 ******************************************************************** Completion time: 07-04-08 19:34:41 C:\ComboFix-quarantined-files.txt … 07-04-08 19:34 C:\ComboFix2.txt … 07-04-08 14:02
adam9870
8 April 2007 19:04
#8
Check whether you have this file on your disk:
and if you do, delete it manually in Safe Mode.
Start => Run => type regedit and click OK => go to the key:
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg
and right-click and delete the WindowsSystem32 key found there.
Once that is done, you can paste a new ComboFix log.
I think everything is OK now. Thanks adam9870 for the time you put in, etc.
"Micha" - 07-04-08 21:09:14 Dodatek Service Pack 2
ComboFix 07-04-05 - Running from: "C:\Documents and Settings\Micha\Pulpit"

((((((((((((((((((((((((((((((( Files Created from 2007-03-08 to 2007-04-08 ))))))))))))))))))))))))))))))))))

2007-04-08 15:32 106 --a------ C:\delete.bat
2007-04-08 14:59 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-04-07 21:31
2007-04-07 09:06 81,920 --a------ C:\DOCUME~1\MICHA~1\DANEAP~1\ezpinst.exe
2007-04-07 09:06 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2007-04-07 09:06 47,360 --a------ C:\DOCUME~1\MICHA~1\DANEAP~1\pcouffin.sys
2007-04-07 09:06 14 --a------ C:\WINDOWS\system32\systeminfo3.dll
2007-04-07 09:06
2007-04-07 09:06
2007-04-07 09:06
2007-04-06 22:52
2007-04-06 22:48
2007-04-06 22:31 28,672 --a------ C:\WINDOWS\system32\f3PSSavr.scr
2007-04-06 22:29
2007-04-06 16:39
2007-04-06 14:57
2007-04-06 14:57
2007-04-06 14:38 786,432 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-04-06 14:38
2007-04-06 14:38
2007-04-06 14:38
2007-04-06 14:38
2007-04-06 14:38
2007-04-06 14:38
2007-04-06 14:38
2007-04-06 13:05
2007-04-05 19:38
2007-04-05 12:44 5,120 --a------ C:\WINDOWS\system32\drivers\AsInsHelp64.sys
2007-04-05 12:44 4,962 -ra------ C:\WINDOWS\system32\drivers\AsIO.sys
2007-04-05 12:44 3,328 --a------ C:\WINDOWS\system32\drivers\AsInsHelp32.sys
2007-04-05 12:44 24,576 -ra------ C:\WINDOWS\system32\AsIO.dll
2007-04-05 12:44
2007-04-04 19:56
2007-04-04 19:50
2007-04-04 15:12
2007-04-04 15:12
2007-04-03 20:35
2007-04-03 20:29
2007-04-03 20:29
2007-04-03 17:49
2007-04-03 17:05
2007-04-03 16:56
2007-04-01 18:15
2007-04-01 17:21 420,240 --a------ C:\WINDOWS\system32\mpg4c32.dll
2007-04-01 17:21 309,616 --a------ C:\WINDOWS\system32\wmv8dmod.dll
2007-04-01 10:28
2007-04-01 10:22
2007-04-01 10:15
2007-03-29 20:02
2007-03-29 19:58
2007-03-29 19:57
2007-03-29 19:56 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2007-03-29 19:52
2007-03-29 19:50
2007-03-29 19:47
2007-03-28 14:08
2007-03-27 18:13
2007-03-27 18:13
2007-03-27 18:13
2007-03-27 18:13
2007-03-27 18:09 79,248 -ra------ C:\WINDOWS\system32\drivers\k600mgmt.sys
2007-03-27 18:08 87,456 -ra------ C:\WINDOWS\system32\drivers\k600mdm.sys
2007-03-27 18:08 77,072 -ra------ C:\WINDOWS\system32\drivers\k600obex.sys
2007-03-27 18:08 6,112 -ra------ C:\WINDOWS\system32\drivers\k600cmnt.sys
2007-03-27 18:08 6,112 -ra------ C:\WINDOWS\system32\drivers\k600cm.sys
2007-03-27 18:08 6,096 -ra------ C:\WINDOWS\system32\drivers\k600mdfl.sys
2007-03-27 18:08 52,384 -ra------ C:\WINDOWS\system32\drivers\k600bus.sys
2007-03-27 18:08 5,744 -ra------ C:\WINDOWS\system32\drivers\k600whnt.sys
2007-03-27 18:08 5,744 -ra------ C:\WINDOWS\system32\drivers\k600wh.sys
2007-03-26 15:16
2007-03-26 15:16
2007-03-25 17:55
2007-03-25 17:05
2007-03-25 17:04
2007-03-25 17:04
2007-03-25 17:04
2007-03-19 16:56
2007-03-18 20:13
2007-03-15 21:09
2007-03-14 19:27 972,336 --a------ C:\WINDOWS\UNRecode.exe
2007-03-14 19:20 133,168 --a------ C:\WINDOWS\system32\drivers\imagesrv.sys
2007-03-14 19:20 11,568 --a------ C:\WINDOWS\system32\drivers\imagedrv.sys
2007-03-14 19:19 972,336 --a------ C:\WINDOWS\UNNeroBackItUp.exe
2007-03-14 19:19 95,864 --a------ C:\WINDOWS\system32\NeroCo.dll
2007-03-12 19:04
2007-03-12 19:03
2007-03-12 15:41 24,576 --a------ C:\WINDOWS\system32\ealtest.exe
2007-03-12 15:41 132,096 --a------ C:\WINDOWS\system32\eaexec.exe
2007-03-12 15:40
2007-03-12 15:38
2007-03-12 13:51 972,336 --a------ C:\WINDOWS\UNNeroMediaHome.exe
2007-03-12 13:06
2007-03-12 12:54
2007-03-12 12:50
2007-03-08 18:59 442,368 -ra------ C:\WINDOWS\system32\vp6vfw.dll
2007-03-08 13:07

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-04-08 21:09 -------- d-------- C:\Program Files\cfosspeed
2007-04-08 21:09 -------- d-------- C:\Program Files\cfosspeed
2007-04-08 11:08 26056 --a------ C:\WINDOWS\system32\drivers\hamachi.sys
2007-04-07 19:19 -------- d-------- C:\Program Files\rocks'n'diamonds
2007-04-07 19:19 -------- d-------- C:\Program Files\rocks'n'diamonds
2007-04-07 16:26 -------- d-------- C:\Program Files\speedfan
2007-04-07 16:26 -------- d-------- C:\Program Files\speedfan
2007-04-07 11:57 -------- d-------- C:\Program Files\flashget
2007-04-07 11:57 -------- d-------- C:\Program Files\flashget
2007-04-06 14:35 -------- d-------- C:\Program Files\gadu-gadu
2007-04-06 14:35 -------- d-------- C:\Program Files\gadu-gadu
2007-04-05 19:39 8 --a------ C:\WINDOWS\system32\nvmodes.dat
2007-04-05 15:22 -------- d-------- C:\Program Files\lavalys
2007-04-05 15:22 -------- d-------- C:\Program Files\lavalys
2007-04-05 12:44 -------- d--h----- C:\Program Files\installshield installation information
2007-04-05 12:44 -------- d--h----- C:\Program Files\installshield installation information
2007-04-03 17:50 -------- d-------- C:\Program Files\Common Files\ahead
2007-03-29 20:02 87166 --a------ C:\WINDOWS\system32\perfc015.dat
2007-03-29 20:02 493860 --a------ C:\WINDOWS\system32\perfh015.dat
2007-03-29 19:46 -------- d-------- C:\Program Files\messenger
2007-03-29 19:46 -------- d-------- C:\Program Files\messenger
2007-03-26 15:06 108144 --a------ C:\WINDOWS\system32\cmdlineext.dll
2007-03-20 17:46 -------- d-------- C:\Program Files\bittorrent
2007-03-20 17:46 -------- d-------- C:\Program Files\bittorrent
2007-03-16 20:54 -------- d-------- C:\Program Files\winamp
2007-03-16 20:54 -------- d-------- C:\Program Files\winamp
2007-03-12 18:16 639224 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-03-12 18:04 -------- d-------- C:\Program Files\Common Files\installshield
2007-03-08 17:38 579072 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 17:38 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 17:38 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 17:37 1843840 --a------ C:\WINDOWS\system32\win32k.sys
2007-03-05 17:32 -------- d-------- C:\Program Files\nlite
2007-03-05 17:32 -------- d-------- C:\Program Files\nlite
2007-03-05 16:42 -------- d-------- C:\Program Files\autopatcher
2007-03-05 16:42 -------- d-------- C:\Program Files\autopatcher
2007-03-04 15:43 20480 --a------ C:\WINDOWS\system32\h@tkeysh@@k.dll
2007-03-03 18:12 -------- d-------- C:\Program Files\java
2007-03-03 18:12 -------- d-------- C:\Program Files\java
2007-03-02 18:10 -------- d---s---- C:\Program Files\xfire
2007-03-02 18:10 -------- d---s---- C:\Program Files\xfire
2007-03-02 18:09 271360 --a------ C:\WINDOWS\system32\drivers\atksgt.sys
2007-03-02 18:09 18048 --a------ C:\WINDOWS\system32\drivers\lirsgt.sys
2007-02-28 22:14 -------- d-------- C:\Program Files\supermariopac
2007-02-28 22:14 -------- d-------- C:\Program Files\supermariopac
2007-02-28 21:18 -------- d-------- C:\Program Files\thrixxx
2007-02-28 21:18 -------- d-------- C:\Program Files\thrixxx
2007-02-28 20:53 972336 --a------ C:\WINDOWS\unnerovision.exe
2007-02-28 15:41 972336 --a------ C:\WINDOWS\unneroshowtime.exe
2007-02-27 19:32 -------- d-------- C:\Program Files\limewire
2007-02-27 19:32 -------- d-------- C:\Program Files\limewire
2007-02-27 19:14 -------- d-------- C:\Program Files\Common Files\java
2007-02-24 09:54 -------- d-------- C:\Program Files\netia
2007-02-24 09:54 -------- d-------- C:\Program Files\netia
2007-02-23 17:02 163644 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
2007-02-23 15:26 -------- d-------- C:\Program Files\creative
2007-02-23 15:26 -------- d-------- C:\Program Files\creative
2007-02-23 15:19 -------- d--h----- C:\Program Files\creative installation information
2007-02-23 15:19 -------- d--h----- C:\Program Files\creative installation information
2007-02-23 15:19 -------- d-------- C:\Program Files\Common Files\creative
2007-02-21 13:59 -------- d-------- C:\Program Files\hamachi
2007-02-21 13:59 -------- d-------- C:\Program Files\hamachi
2007-02-21 13:35 -------- d-------- C:\Program Files\hd tune
2007-02-21 13:35 -------- d-------- C:\Program Files\hd tune
2007-02-16 14:19 -------- d-------- C:\Program Files\airstrike ii demo
2007-02-16 14:19 -------- d-------- C:\Program Files\airstrike ii demo
2007-02-16 13:39 -------- d-------- C:\Program Files\mindscape
2007-02-16 13:39 -------- d-------- C:\Program Files\mindscape
2007-02-16 13:38 -------- d-------- C:\Program Files\alcohol soft
2007-02-16 13:38 -------- d-------- C:\Program Files\alcohol soft
2007-02-15 17:39 -------- d-------- C:\Program Files\rox
2007-02-15 17:39 -------- d-------- C:\Program Files\rox
2007-02-15 13:41 -------- d-------- C:\Program Files\wapster
2007-02-15 13:41 -------- d-------- C:\Program Files\wapster
2007-02-15 13:27 -------- d-------- C:\Program Files\pogoda
2007-02-15 13:27 -------- d-------- C:\Program Files\pogoda
2007-02-15 13:25 1252 --a------ C:\WINDOWS\unins000.dat
2007-02-15 13:19 -------- d-------- C:\Program Files\elastomania
2007-02-15 13:19 -------- d-------- C:\Program Files\elastomania
2007-02-12 20:26 -------- d-------- C:\Program Files\realtek ac97
2007-02-12 20:26 -------- d-------- C:\Program Files\realtek ac97
2007-02-11 21:42 -------- d-------- C:\Program Files\rivatuner v2.0 final release
2007-02-11 21:42 -------- d-------- C:\Program Files\rivatuner v2.0 final release
2007-02-11 21:18 -------- d-------- C:\Program Files\project1
2007-02-11 21:18 -------- d-------- C:\Program Files\project1
2007-02-11 20:05 -------- d-------- C:\Program Files\ppf
2007-02-11 20:05 -------- d-------- C:\Program Files\ppf
2007-02-09 19:25 60416 --a------ C:\WINDOWS\alcfdrtm.exe
2007-02-09 18:34 -------- d-------- C:\Program Files\tvtool
2007-02-09 18:34 -------- d-------- C:\Program Files\tvtool
2007-02-08 19:18 -------- d-------- C:\Program Files\k-lite codec pack
2007-02-08 19:18 -------- d-------- C:\Program Files\k-lite codec pack
2007-02-08 19:15 -------- d-------- C:\Program Files\nero
2007-02-08 19:15 -------- d-------- C:\Program Files\nero
2007-02-04 16:46 0 -rahs---- C:\MSDOS.SYS
2007-02-04 16:46 0 -rahs---- C:\IO.SYS
2007-02-04 16:46 0 --a------ C:\CONFIG.SYS
2007-02-04 16:46 0 --a------ C:\AUTOEXEC.BAT
2007-02-04 16:43 21856 --a------ C:\WINDOWS\system32\emptyregdb.dat
2007-01-26 21:20 1177593 --a------ C:\WINDOWS\gta4 c.scr
2007-01-26 19:42 1182224 --a------ C:\WINDOWS\gta4 a.scr
2007-01-26 19:41 1188893 --a------ C:\WINDOWS\gta4 b.scr
2007-01-24 16:27 255848 --a------ C:\WINDOWS\system32\xactengine2_6.dll
2007-01-22 17:23 6912 --a------ C:\WINDOWS\nvoclock.sys
2007-01-22 17:23 385024 --a------ C:\WINDOWS\ntuneoem.dll
2007-01-22 17:22 28672 --a------ C:\WINDOWS\autotunescript.dll
2007-01-22 17:22 1622016 --a------ C:\WINDOWS\nvbenchmarks.dll
2007-01-15 19:32 689280 --a------ C:\WINDOWS\system32\aswboot.exe
2007-01-15 19:23 90112 --a------ C:\WINDOWS\system32\avastss.scr
2007-01-10 08:00 545 --a------ C:\WINDOWS\uc.pif
2007-01-10 08:00 545 --a------ C:\WINDOWS\rar.pif
2007-01-10 08:00 545 --a------ C:\WINDOWS\pkzip.pif
2007-01-10 08:00 545 --a------ C:\WINDOWS\pkunzip.pif
2007-01-10 08:00 545 --a------ C:\WINDOWS\noclose.pif
2007-01-10 08:00 545 --a------ C:\WINDOWS\lha.pif
2007-01-10 08:00 545 --a------ C:\WINDOWS\arj.pif
2007-01-10 00:59 217088 --a------ C:\WINDOWS\nvgfxogl.dll
2007-01-08 16:30 15128 --a------ C:\WINDOWS\system32\x3daudio1_1.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe"
"Gadu-Gadu"=""C:\Program Files\Gadu-Gadu\gg.exe" /tray"
"BitTorrent"=""C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized"
"Steam"=""d:\program files\steam\steam.exe" -silent"
"MSMSGS"=""C:\Program Files\Messenger\msmsgs.exe" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe"
"NVIDIA nTune"=""C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear"
"NvCplDaemon"="RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit"
"!AVG Anti-Spyware"=""C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]
"path"="C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk"
"backup"="C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\PROGRA~1\Adobe\READER~1.0\Reader\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Synchronizer.lnk]
"path"="C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Synchronizer.lnk"
"backup"="C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\PROGRA~1\Adobe\READER~1.0\Reader\ADOBEC~1.EXE "
"item"="Adobe Reader Synchronizer"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Michał^Menu Start^Programy^Autostart^Adobe Gamma.lnk]
"path"="C:\Documents and Settings\Michał\Menu Start\Programy\Autostart\Adobe Gamma.lnk"
"backup"="C:\WINDOWS\pss\Adobe Gamma.lnkStartup"
"location"="Startup"
"command"="C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE "
"item"="Adobe Gamma"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Michał^Menu Start^Programy^Autostart^HDDlife.lnk]
"path"="C:\Documents and Settings\Michał\Menu Start\Programy\Autostart\HDDlife.lnk"
"backup"="C:\WINDOWS\pss\HDDlife.lnkStartup"
"location"="Startup"
"command"="C:\PROGRA~1\BINARY~1\HDDlife\HDDLIF~1.EXE "
"item"="HDDlife"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Michał^Menu Start^Programy^Autostart^Xfire.lnk]
"path"="C:\Documents and Settings\Michał\Menu Start\Programy\Autostart\Xfire.lnk"
"backup"="C:\WINDOWS\pss\Xfire.lnkStartup"
"location"="Startup"
"command"="C:\PROGRA~1\Xfire\Xfire.exe "
"item"="Xfire"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AQQ]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="AQQ"
"hkey"="HKCU"
"command"="C:\PROGRA~1\Wapster\AQQ\AQQ.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoConnect]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="AutoConnect"
"hkey"="HKCU"
"command"="C:\Program Files\AutoConnect\AutoConnect.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="NMBgMonitor"
"hkey"="HKCU"
"command"=""C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="bittorrent"
"hkey"="HKCU"
"command"=""C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cFosSpeed]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="cFosSpeed"
"hkey"="HKLM"
"command"="C:\Program Files\cFosSpeed\cFosSpeed.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="CTSysVol"
"hkey"="HKLM"
"command"="C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Flashget]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="Flashget"
"hkey"="HKLM"
"command"="C:\PROGRA~1\FlashGet\Flashget.exe /min"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gadu-Gadu]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="gg"
"hkey"="HKCU"
"command"=""C:\Program Files\Gadu-Gadu\gg.exe" /tray"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch Ai Booster]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="OverClk"
"hkey"="HKLM"
"command"=""C:\Program Files\ASUS\Ai Booster\OverClk.exe""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LXSUPMON]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="LXSUPMON"
"hkey"="HKLM"
"command"="C:\WINDOWS\system32\LXSUPMON.EXE RUN"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NETIANET]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="netianet"
"hkey"="HKCU"
"command"="C:\Program Files\Netia\Net\netianet.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17Helper]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="Rundll32 P17"
"hkey"="HKLM"
"command"="Rundll32 P17.dll,P17Helper"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="Skype"
"hkey"="HKCU"
"command"=""C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="SOUNDMAN"
"hkey"="HKLM"
"command"="SOUNDMAN.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedTouch USB Diagnostics]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="Dragdiag"
"hkey"="HKLM"
"command"=""C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="jusched"
"hkey"="HKLM"
"command"=""C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TweakRAM]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="TweakRAM"
"hkey"="HKCU"
"command"="C:\Program Files\TweakRAM\TweakRAM.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="UpdReg"
"hkey"="HKLM"
"command"="C:\WINDOWS\UpdReg.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WheelMouse]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="Amoumain"
"hkey"="HKLM"
"command"="C:\Program Files\A4Tech\Mouse\Amoumain.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks] “{57B86673-276A-48B2-BAE7-C6DBB3020EB8}”=“AVG Anti-Spyware 7.5” [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload] “WPDShServiceObj”="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}" [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0] Source REG_SZ http://img.interia.pl/sport/nimg/Adam_M … 493318.jpg [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders] “SecurityProviders”=“msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll” HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa Authentication Packages REG_MULTI_SZ msv1_0\0\0 Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0 Notification Packages REG_MULTI_SZ scecli\0\0 [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost] HTTPFilter REG_MULTI_SZ HTTPFilter\0\0 LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0 NetworkService REG_MULTI_SZ DnsCache\0\0 DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0 rpcss REG_MULTI_SZ RpcSs\0\0 imgsvc REG_MULTI_SZ StiSvc\0\0 termsvcs REG_MULTI_SZ TermService\0\0 WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0 [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F] Shell\AutoRun\command F:\Autorun.exe [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{2c94de89-bdb2-11db-b73a-000e50e2a95b}] Shell\AutoRun\command F:\autorun.exe [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{f9c21768-da05-11db-b76d-000e50e2a95b}] Shell\AutoRun\command F:\Autorun.exe ******************************************************************** catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006 http://www.gmer.net scanning hidden processes … scanning hidden services … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden processes: 0 hidden 
services: 0 hidden files: 0 ******************************************************************** Completion time: 07-04-08 21:11:45 C:\ComboFix-quarantined-files.txt … 07-04-08 21:11 C:\ComboFix2.txt … 07-04-08 19:34 C:\ComboFix3.txt … 07-04-08 14:02
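Added example (my own script, not part of the original post and not a ComboFix or HijackThis component): a small parser for the registry-dump layout used in the log above. It separates what is actually set to run at logon (values directly under a CurrentVersion\Run key) from what msconfig has parked under shared tools\msconfig\startupreg and startupfolder (disabled by the user, but the full command is preserved and one checkbox re-enables it), and pulls out the per-volume AutoRun handlers Explorer remembered under MountPoints2. The sample text is constructed in the same format from a handful of entries in the log; the function names and the "bare filename" heuristic (a command with no drive-letter path is resolved through the search path, so the file it actually lands on should be checked on disk) are my own assumptions, not anything the log states.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the same layout as the ComboFix registry dump above
# (a few entries copied from it, trimmed to keep the example short).
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit"
"!AVG Anti-Spyware"=""C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="bittorrent"
"hkey"="HKCU"
"command"=""C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="SOUNDMAN"
"hkey"="HKLM"
"command"="SOUNDMAN.EXE"
"inimapping"="0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F]
Shell\AutoRun\command F:\Autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2c94de89-bdb2-11db-b73a-000e50e2a95b}]
Shell\AutoRun\command F:\autorun.exe
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")            # [HKLM\...]
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')  # "name"="data"
AUTORUN_RE = re.compile(r"^Shell\\AutoRun\\command\s+(?P<cmd>.+)$", re.IGNORECASE)
# First drive-letter path ending in an executable-ish extension; for a
# rundll32 command this deliberately returns the DLL that actually gets loaded.
ABS_PATH_RE = re.compile(r'[a-z]:\\[^"<>|]*?\.(?:exe|dll|cpl|scr|lnk)', re.IGNORECASE)


@dataclass
class RegKey:
    path: str
    data: dict = field(default_factory=dict)   # "name"="data" values
    raw: list = field(default_factory=list)    # other lines, e.g. Shell\AutoRun\command ...


def parse_dump(text):
    """Turn the flat dump into a list of RegKey objects, in file order."""
    keys, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = RegKey(m.group("key"))
            keys.append(current)
            continue
        if current is None:
            continue  # text before the first key header
        m = VALUE_RE.match(line)
        if m:
            current.data[m.group("name")] = m.group("data")
        else:
            current.raw.append(line)
    return keys


def exe_from_command(cmd):
    """Return (executable, is_absolute). Bare names depend on the search path."""
    m = ABS_PATH_RE.search(cmd)
    if m:
        return m.group(0), True
    token = cmd.strip('"').split()[0] if cmd.strip() else ""
    return token, False


def review(keys):
    """Classify what the dump says will run, and where that claim comes from."""
    report = {"startup": [], "autorun": []}
    for k in keys:
        low = k.path.lower()
        if low.endswith("\\currentversion\\run"):
            source, items = "Run (active)", list(k.data.items())   # runs at every logon
        elif "\\msconfig\\startupreg\\" in low or "\\msconfig\\startupfolder\\" in low:
            source = "msconfig (disabled)"                          # parked, command kept
            cmd = k.data.get("command", "")
            items = [(k.data.get("item", ""), cmd)] if cmd else []
        elif "\\mountpoints2\\" in low:
            for line in k.raw:                                      # per-volume AutoRun handler
                m = AUTORUN_RE.match(line)
                if m:
                    report["autorun"].append(
                        {"volume": k.path.rsplit("\\", 1)[-1], "command": m.group("cmd").strip()})
            continue
        else:
            continue
        for name, cmd in items:
            exe, absolute = exe_from_command(cmd)
            report["startup"].append(
                {"name": name, "source": source, "command": cmd, "exe": exe, "absolute_path": absolute})
    return report


if __name__ == "__main__":
    rep = review(parse_dump(SAMPLE_DUMP))
    for e in rep["startup"]:
        flag = "" if e["absolute_path"] else "  <- bare name, resolved via search path: verify on disk"
        print(f'{e["source"]:20} {e["name"]:20} {e["exe"]}{flag}')
    for a in rep["autorun"]:
        print(f'AutoRun handler for volume {a["volume"]}: {a["command"]}')
```

The MountPoints2 entries only record that Explorer once saw an autorun.inf on that volume and cached the command; by themselves they say nothing about whether F:\Autorun.exe is benign, so the check is to look at what is currently on that drive rather than to delete the keys blindly.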