DSS log, computer attacked by amvo


(Qereidid) #1

Today amvo activated itself on my machine, as far as I could tell. ComboFix refuses to start, so I ran DSS; here is what it spat out:

Deckard's System Scanner v20071014.68

Run by Konrad on 2008-05-02 11:37:42

Computer is in Normal Mode.

--------------------------------------------------------------------------------


-- System Restore --------------------------------------------------------------


Unable to create WMI object; The operation completed successfully.



Backed up registry hives.

Performed disk cleanup.


[color=red]System Drive C: has 1.11 GiB (less than 15%) free.[/color]



-- HijackThis (run as Konrad.exe) ----------------------------------------------


Unable to run HijackThis; The system cannot find the file specified.

Path: C:\PROGRA~1\TRENDM~1\HIJACK~1\Konrad.exe



-- HijackThis Clone ------------------------------------------------------------



Emulating logfile of Trend Micro HijackThis v2.0.2

Scan saved at 2008-05-02 11:39:06

Platform: Windows XP Service Pack 2 (5.01.2600)

MSIE: Internet Explorer (6.00.2900.2180)

Boot mode: Normal


Running processes:

C:\WINDOWS\system32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\WINDOWS\system32\DLA\DLACTRLW.EXE

C:\Program Files\COMODO\Firewall\cmdagent.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe

C:\WINDOWS\SMINST\Scheduler.exe

C:\Program Files\Alwil Software\Avast4\ashDisp.exe

C:\WINDOWS\system32\lkcitdl.exe

C:\WINDOWS\system32\lkads.exe

C:\WINDOWS\system32\lktsrv.exe

C:\Program Files\RSSoft\RedSwoosh.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Last.fm\LastFMHelper.exe

D:\Program Files\MySQL\MySQL Server 5.1\bin\mysqld.exe

D:\Program Files\National Instruments\Shared\Security\nidmsrv.exe

C:\WINDOWS\system32\nisvcloc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

C:\Program Files\HPQ\Shared\HpqToaster.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\Konrad\Pulpit\dss.exe


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hp.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\DLA\DLASHX_W.DLL

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: PDFCreator Toolbar Helper - {C451C08A-EC37-45DF-AAAD-18B51AB5E837} - C:\Program Files\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\Msdxm6.ocx

O3 - Toolbar: PDFCreator Toolbar - {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - C:\Program Files\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll

O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

O4 - HKLM\..\Run: [PTHOSTTR] C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start

O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE

O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\Sminst\Recguard.exe

O4 - HKLM\..\Run: [Reminder] C:\WINDOWS\Creator\Remind_XP.exe

O4 - HKLM\..\Run: [Scheduler] C:\WINDOWS\SMINST\Scheduler.exe

O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h

O4 - HKCU\..\Run: [Konnekt] "C:\Program Files\Konnekt\konnekt.exe" /autostart

O4 - HKCU\..\Run: [Red Swoosh] C:\Program Files\RSSoft\RedSwoosh.exe /S

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe

O4 - Startup: Tworzenie wycinków ekranu i uruchamianie programu OneNote 2007.lnk = D:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: Wyślij do interfejsu &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Wyślij do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\Program Files\Microsoft Office\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: Wyślij &do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\Program Files\Microsoft Office\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)

O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll

O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: http://www.mks.com.pl (HKCU)

O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} () - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

O18 - Protocol: ms-help - {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll

O18 - Filter: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL

O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe

O23 - Service: CSIScanner - Unknown owner - C:\Program Files\PrevxCSI\\PrevxCSI.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe

O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - C:\WINDOWS\system32\lkads.exe

O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - C:\WINDOWS\system32\lktsrv.exe

O23 - Service: MATLAB Server (matlabserver) - Unknown owner - D:\Program Files\MATLAB71\webserver\bin\win32\matlabserver.exe

O23 - Service: MySQL - Unknown owner - D:\Program Files\MySQL\MySQL Server 5.1\bin\mysqld

O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - D:\Program Files\National Instruments\Shared\Security\nidmsrv.exe

O23 - Service: NILM License Manager - Macrovision Corporation - D:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe

O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe

O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe



-- 

End of file - 11002 bytes


-- File Associations -----------------------------------------------------------


[COLOR=red].cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*[/COLOR]

[COLOR=red].cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*[/COLOR]

[COLOR=red].txt - txtfile - shell\open\command - "C:\Program Files\JGsoft\EditPadLite\EditPadLite.exe" "%1"[/COLOR]



-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------


2 atksgt - c:\windows\system32\drivers\atksgt.sys

3 btwhid - c:\windows\system32\drivers\btwhid.sys 

3 btwmodem (Modem Bluetooth) - c:\windows\system32\drivers\btwmodem.sys 

3 Duntlw (UNTLW device) - c:\windows\system32\drivers\duntlwnt.sys 

2 lirsgt - c:\windows\system32\drivers\lirsgt.sys

3 VirtualFD - c:\documents and settings\konrad\pulpit\vfd21-050404\vfd.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------


2 Bonjour Service (##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##) - c:\program files\bonjour\mdnsresponder.exe

2 CCALib8 (Canon Camera Access Library 8) - c:\program files\canon\cal\calmain.exe 

2 CSIScanner - c:\program files\prevxcsi\\prevxcsi.exe (file missing)

3 FLEXnet Licensing Service - c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe

2 LkCitadelServer (Lookout Citadel Server) - c:\windows\system32\lkcitdl.exe 

2 lkClassAds (National Instruments PSP Server Locator) - c:\windows\system32\lkads.exe 

2 lkTimeSync (National Instruments Time Synchronization) - c:\windows\system32\lktsrv.exe 

2 matlabserver (MATLAB Server) - d:\program files\matlab71\webserver\bin\win32\matlabserver.exe

2 MySQL - d:\program files\mysql\mysql server 5.1\bin\mysqld (file missing)

2 NIDomainService (National Instruments Domain Service) - d:\program files\national instruments\shared\security\nidmsrv.exe

3 NILM License Manager - d:\program files\national instruments\shared\license manager\bin\lmgrd.exe

2 niSvcLoc (NI Service Locator) - c:\windows\system32\nisvcloc.exe

2 PCA (PC Angel) - c:\windows\sminst\pcangel.exe 

3 WmcCds (Windows Media Connect (WMC)) - c:\program files\windows media connect\mswmccds.exe 

3 WmcCdsLs (Pomocnik programu Windows Media Connect (WMC)) - c:\program files\windows media connect\mswmcls.exe 



-- Device Manager: Disabled ----------------------------------------------------


Unable to create WMI object.


-- Files created between 2008-04-02 and 2008-05-02 -----------------------------


2008-05-02 11:35:19 70656 -r-hs---- C:\WINDOWS\system32\amvo1.dll

2008-05-02 11:13:50 0 d-------- C:\327882R2FWJFW

2008-05-02 11:04:31 0 d-------- C:\Program Files\PrevxCSI

2008-04-30 23:53:52 0 d-------- C:\Program Files\Fma

2008-04-29 10:17:50 0 d-------- C:\Program Files\Common Files\SWF Studio

2008-04-28 20:27:29 104161 -r-hs---- C:\1dg.exe

2008-04-28 20:27:02 70656 -----n--- C:\WINDOWS\system32\amvo0.dll

2008-04-28 20:26:44 104161 -r-hs---- C:\WINDOWS\system32\amvo.exe

2008-04-22 11:26:54 0 d-------- C:\Program Files\Foxit Software

2008-04-22 10:27:53 0 d-------- C:\Program Files\JGsoft

2008-04-19 20:00:13 0 dr-h----- C:\Documents and Settings\Konrad\Recent

2008-04-14 21:29:54 0 d-------- C:\Program Files\Common Files\Bcgsoft

2008-04-14 21:28:05 0 d-------- C:\Program Files\HI-TECH Software

2008-04-14 21:24:22 0 d-------- C:\WINDOWS\system32\cvirte

2008-04-14 21:24:21 0 d-------- C:\Program Files\Common Files\Merge Modules

2008-04-13 00:05:31 0 d-------- C:\Program Files\Space Plasma 3D Screensaver

2008-04-12 20:56:20 0 d-------- C:\WINDOWS\system32\Adobe

2008-04-12 18:55:05 0 d-------- C:\Program Files\thriXXX

2008-04-12 11:12:58 0 d-------- C:\Program Files\Trend Micro

2008-04-07 20:54:25 253116 --a------ C:\WINDOWS\PDFCreator_Toolbar_Uninstaller_2500.exe 

2008-04-07 20:54:25 14290 --a------ C:\Program Files\settings.dat

2008-04-07 20:54:24 0 d-------- C:\Program Files\PDFCreator Toolbar

2008-04-07 20:54:09 196608 --a------ C:\WINDOWS\system32\pdfcmnnt.dll 

2008-04-07 20:54:08 23552 --a------ C:\WINDOWS\system32\MSMPIDE.DLL 

2008-04-07 20:54:07 0 d-------- C:\Program Files\PDFCreator

2008-04-04 16:44:33 0 d-------- C:\Program Files\Microsoft Works

2008-04-04 16:44:20 0 d-------- C:\Program Files\MSBuild

2008-04-04 16:43:41 0 d-------- C:\Program Files\Microsoft.NET

2008-04-04 16:41:36 0 d-------- C:\Program Files\Microsoft Visual Studio 8



-- Find3M Report ---------------------------------------------------------------


2008-05-02 11:35:47 0 d-------- C:\Program Files\RSSoft

2008-05-02 11:31:15 0 d-------- C:\Documents and Settings\Konrad\Dane aplikacji\SiteAdvisor

2008-05-02 10:46:52 2057 --a------ C:\WINDOWS\mozver.dat

2008-05-01 13:43:00 0 d-------- C:\Documents and Settings\Konrad\Dane aplikacji\foobar2000

2008-04-30 23:53:52 0 d-------- C:\Documents and Settings\Konrad\Dane aplikacji\FMA

2008-04-29 23:31:26 0 d-------- C:\Program Files\mIRC

2008-04-29 22:18:44 0 d-------- C:\Documents and Settings\Konrad\Dane aplikacji\Adobe

2008-04-29 17:17:14 0 d-------- C:\Program Files\DC++

2008-04-29 10:34:55 0 d--hs---- C:\Documents and Settings\Konrad\Dane aplikacji\.#

2008-04-29 10:17:50 0 d-------- C:\Program Files\Common Files

2008-04-23 19:43:29 0 d-------- C:\Program Files\EWB512

2008-04-22 23:29:31 0 d-------- C:\Documents and Settings\Konrad\Dane aplikacji\MySQL

2008-04-22 10:28:15 0 d-------- C:\Documents and Settings\Konrad\Dane aplikacji\JGsoft

2008-04-19 17:58:19 0 d-------- C:\Documents and Settings\Konrad\Dane aplikacji\Skype

2008-04-14 21:29:57 0 d-------- C:\Documents and Settings\Konrad\Dane aplikacji\National Instruments

2008-04-13 13:29:54 0 d-------- C:\Documents and Settings\Konrad\Dane aplikacji\ZoomBrowser EX

2008-04-12 21:00:02 0 d-------- C:\Documents and Settings\Konrad\Dane aplikacji\Macromedia

2008-04-12 18:52:45 0 d-------- C:\Documents and Settings\Konrad\Dane aplikacji\Oxin's Style!

2008-04-12 10:31:14 465796 --a------ C:\WINDOWS\system32\perfh015.dat

2008-04-12 10:31:14 81986 --a------ C:\WINDOWS\system32\perfc015.dat

2008-04-11 12:24:26 0 d-------- C:\Documents and Settings\Konrad\Dane aplikacji\Comodo

2008-04-03 10:38:09 0 d-------- C:\Program Files\Java

2008-03-31 18:49:23 0 d-------- C:\Program Files\Stickys

2008-03-31 14:00:19 0 d-------- C:\Program Files\MSECache

2008-03-29 00:51:47 0 d-------- C:\Documents and Settings\Konrad\Dane aplikacji\GSplit

2008-03-29 00:29:45 0 d-------- C:\Program Files\GSplit

2008-03-26 22:10:54 216064 --a------ C:\WINDOWS\iun3405.exe 

2008-03-16 19:28:30 25440 --a------ C:\Documents and Settings\Konrad\Dane aplikacji\GDIPFONTCACHEV1.DAT

2008-02-23 18:38:59 21840 --a-----t C:\WINDOWS\system32\SIntfNT.dll

2008-02-23 18:38:59 17212 --a-----t C:\WINDOWS\system32\SIntf32.dll

2008-02-23 18:38:59 12067 --a-----t C:\WINDOWS\system32\SIntf16.dll



-- Registry Dump ---------------------------------------------------------------


*Note* empty entries & legit default entries are not shown



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 10:11]

"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2005-05-06 14:06]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25]

"PTHOSTTR"="C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.exe" [2006-02-14 11:56]

"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-08-31 05:20]

"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-10 20:04]

"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-03-23 14:17]

"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-03-23 14:13]

"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-03-23 14:17]

"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-14 10:49]

"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2006-02-22 08:03]

"Recguard"="C:\WINDOWS\Sminst\Recguard.exe" [2005-12-20 15:51]

"Reminder"="C:\WINDOWS\Creator\Remind_XP.exe" [2006-01-23 16:11]

"Scheduler"="C:\WINDOWS\SMINST\Scheduler.exe" [2006-02-15 15:43]

"WatchDog"="C:\Program Files\InterVideo\DVD Check\DVDCheck.exe" [2005-11-08 12:59]

"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-29 19:37]

"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2005-12-10 16:57]

"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [2008-04-11 12:24]


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Konnekt"="C:\Program Files\Konnekt\konnekt.exe" [2005-05-24 23:41]

"Red Swoosh"="C:\Program Files\RSSoft\RedSwoosh.exe" [2007-02-27 03:30]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 10:00]

"amva"="C:\WINDOWS\system32\amvo.exe" [2008-04-25 11:44]


C:\Documents and Settings\Konrad\Menu Start\Programy\Autostart\

Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2007-12-01 19:22:40]

Tworzenie wycinków ekranu i uruchamianie programu OneNote 2007.lnk - D:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 20:24:54]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"appinit_dlls"= C:\WINDOWS\system32\guard32.dll



[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{089acd1c-b080-11dc-a405-001b770d51ff}]

AutoRun\command- G:\1dg.exe

explore\Command- G:\1dg.exe

open\Command- G:\1dg.exe


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2b46b755-1517-11dd-a53e-001a6b427af7}]

AutoRun\command- G:\1dg.exe

explore\Command- G:\1dg.exe

open\Command- G:\1dg.exe


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{300818a6-a809-11dc-ab9b-001a6b427af7}]

AutoRun\command- G:\1dg.exe

explore\Command- G:\1dg.exe

open\Command- G:\1dg.exe


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3952d91a-a7eb-11dc-ab99-001b770d51ff}]

AutoRun\command- EXPLORER.EXE

explore\Command- EXPLORER.EXE

open\Command- EXPLORER.EXE


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3952d91b-a7eb-11dc-ab99-001b770d51ff}]

AutoRun\command- EXPLORER.EXE

explore\Command- EXPLORER.EXE

open\Command- EXPLORER.EXE


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3aa762ae-105f-11dd-a533-001a6b427af7}]

AutoRun\command- dwvo.cmd

explore\Command- dwvo.cmd

open\Command- dwvo.cmd


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{509e4e80-fb24-11dc-a4ea-001b770d51ff}]

AutoRun\command- x6.bat

explore\Command- x6.bat

open\Command- x6.bat


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6853f98e-0a41-11dd-a51f-001a6b427af7}]

AutoRun\command- G:\8de.bat

explore\Command- G:\8de.bat

open\Command- G:\8de.bat


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6853f98f-0a41-11dd-a51f-001a6b427af7}]

AutoRun\command- H:\USBNB.exe


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{75cd5ec5-feff-11dc-a4f9-001a6b427af7}]

AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{78062126-fb33-11dc-a4eb-001b770d51ff}]

AutoRun\command- G:\uqhqx1.cmd

explore\Command- G:\uqhqx1.cmd

open\Command- G:\uqhqx1.cmd


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b56a9309-fcb1-11dc-a4f2-001b770d51ff}]

AutoRun\command- EXPLORER.EXE

explore\Command- EXPLORER.EXE

open\Command- EXPLORER.EXE


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e46b8814-0a34-11dd-a51e-001a6b427af7}]

AutoRun\command- G:\8de.bat

explore\Command- G:\8de.bat

open\Command- G:\8de.bat


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ecb47fcc-cb27-11dc-a45a-001b770d51ff}]

AutoRun\command- G:\awda2.exe

explore\Command- G:\awda2.exe

open\Command- G:\awda2.exe





-- End of Deckard's System Scanner: finished at 2008-05-02 11:44:41 ------------

(huber2t) #2

Fix in HijackThis.

Download Avenger

and paste this text into it:

Files to delete:

C:\WINDOWS\system32\amvo.exe

C:\WINDOWS\system32\amvo0.dll

C:\1dg.exe

C:\WINDOWS\system32\amvo1.dll

Copy it, click Paste Script from Clipboard, choose Execute, confirm, and agree to the restart by clicking OK.

Manually delete the file C:\Avenger\backup.zip from the disk and paste the report C:\avenger.txt on the forum.

Open Notepad and paste

From the Notepad menu -> File -> Save As -> change the file type from .txt to All Files -> save it under the name Fix.reg

Run that file, then restart the computer.
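The checks the two posts above do by eye, written out as an added example (this is not code from the thread, and huber2t's actual Fix.reg contents did not survive on the page, so the .reg this script emits is not that file either). It parses a DSS/HijackThis log like the one in post #1, flags the two signs the thread acted on (a Run value whose target is a freshly created hidden+system binary, and MountPoints2 autorun verbs that launch something off a drive instead of EXPLORER.EXE), then writes out an Avenger "Files to delete:" block and a .reg that deletes the flagged value and keys. SAMPLE_LOG is a constructed excerpt modelled on post #1's log; the function names and every rule are my own heuristics, not a vendor signature.

```python
"""Triage a Deckard's System Scanner / HijackThis log for the autorun-worm pattern in
this thread and emit the two cleanup fragments the fix asks for (an Avenger file list
and a .reg file).  Added example; SAMPLE_LOG is a constructed excerpt modelled on post #1."""
import re

SAMPLE_LOG = r"""O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe
2008-05-02 11:35:19 70656 -r-hs---- C:\WINDOWS\system32\amvo1.dll
2008-04-28 20:27:29 104161 -r-hs---- C:\1dg.exe
2008-04-28 20:27:02 70656 -----n--- C:\WINDOWS\system32\amvo0.dll
2008-04-28 20:26:44 104161 -r-hs---- C:\WINDOWS\system32\amvo.exe
2008-04-07 20:54:25 253116 --a------ C:\WINDOWS\PDFCreator_Toolbar_Uninstaller_2500.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ecb47fcc-cb27-11dc-a45a-001b770d51ff}]
AutoRun\command- G:\awda2.exe
open\Command- G:\awda2.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3952d91a-a7eb-11dc-ab99-001b770d51ff}]
AutoRun\command- EXPLORER.EXE
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{75cd5ec5-feff-11dc-a4f9-001a6b427af7}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe
"""

RUN_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
FILE_RE = re.compile(r'^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\s+\d+\s+(?P<attrs>[-a-z]{9})\s+(?P<path>.+)$')
MP_KEY_RE = re.compile(r'^\[(?P<key>HKEY_CURRENT_USER\\.*\\mountpoints2\\\{[^}]+\})\]$', re.I)
MP_CMD_RE = re.compile(r'^(?:autorun|open|explore)\\command- (?P<cmd>.+)$', re.I)
RUN_KEYS = {'HKCU': r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM': r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'}

def exe_of(cmd):  # binary actually launched: strip quotes and trailing arguments such as '/tray'
    m = re.match(r'"?(.+?\.(?:exe|dll|bat|cmd))', cmd, re.I)
    return m[1] if m else cmd

def parse(log_text):
    """Collect Run values, the 'Files created' table and MountPoints2 verbs from a DSS log."""
    runs, files, mps, key = [], [], {}, None
    for line in map(str.strip, log_text.splitlines()):
        if line.startswith('['):                   # any key header ends a MountPoints2 block
            m = MP_KEY_RE.match(line)
            key = m['key'] if m else None
            if key:
                mps[key] = []
        elif key and (m := MP_CMD_RE.match(line)):
            mps[key].append(m['cmd'])
        elif m := RUN_RE.match(line):
            runs.append((m['hive'], m['name'], exe_of(m['cmd'])))
        elif m := FILE_RE.match(line):
            files.append((m['attrs'], m['path']))
    return runs, files, mps

def hidden_system_binaries(files):
    """Attribute column: 'd' directory, 'h' hidden, 's' system.  A fresh hidden+system
    executable under system32 or in a drive root is how amvo.exe and 1dg.exe showed up."""
    return {p.lower(): p for a, p in files if a[0] != 'd' and 'h' in a and 's' in a
            and p.lower().endswith(('.exe', '.dll', '.bat', '.cmd'))}

def suspicious_run_entries(runs, hidden):
    """A Run value is the worm's when its target is one of those hidden+system binaries;
    the value name (amva) need not match the file (amvo.exe), so match on the path."""
    return [(hive, name, path) for hive, name, path in runs if path.lower() in hidden]

def suspicious_mountpoints(mps):
    """MountPoints2 caches each drive's autorun.inf verbs.  A plain removable drive carries
    EXPLORER.EXE; a verb launching a script/binary off the drive, or going through rundll32
    ShellExec_RunDLL, is what autorun.inf worms plant.  A CD's setup.exe trips this too: review."""
    bad = {}
    for key, cmds in mps.items():
        for cmd in cmds:
            c = cmd.lower()
            if c != 'explorer.exe' and ('shellexec_rundll' in c or c.endswith(('.exe', '.bat', '.cmd'))):
                bad.setdefault(key, set()).add(cmd)
    return bad

def companions(files, paths):  # files sharing a flagged binary's name stem: amvo -> amvo0.dll, amvo1.dll
    stems = tuple(p.rsplit('\\', 1)[-1].lower().rsplit('.', 1)[0] for p in paths)
    return {p for _, p in files if p.rsplit('\\', 1)[-1].lower().startswith(stems)}

def fix_reg(bad_runs, bad_mps):
    """Regedit syntax: '"name"=-' deletes a value, '[-key]' deletes a whole key."""
    lines = ['Windows Registry Editor Version 5.00', '']
    for hive, name, _ in bad_runs:
        lines += [f'[{RUN_KEYS[hive]}]', f'"{name}"=-', '']
    lines += [f'[-{k}]' for k in sorted(bad_mps)] + ['']
    return '\r\n'.join(lines)                      # .reg files are conventionally CRLF

def triage(log_text):
    runs, files, mps = parse(log_text)
    hidden = hidden_system_binaries(files)
    bad_runs = suspicious_run_entries(runs, hidden)
    bad_mps = suspicious_mountpoints(mps)
    targets = {p for _, _, p in bad_runs} | set(hidden.values())
    targets |= companions(files, targets)
    return {'run': bad_runs, 'mountpoints': bad_mps, 'reg': fix_reg(bad_runs, bad_mps),
            'avenger': 'Files to delete:\n' + '\n'.join(sorted(targets)) + '\n'}

if __name__ == '__main__':
    for section, value in triage(SAMPLE_LOG).items():
        print(section, value, sep='\n')
```

On the sample this flags the `amva` value (because its target `amvo.exe` is in the hidden+system list, not because of the name), pulls in `amvo0.dll` and `amvo1.dll` through the name-stem rule even though `amvo0.dll` was not hidden, and leaves the `EXPLORER.EXE` MountPoints2 key alone. Eyeball every MountPoints2 key it lists before importing the .reg: a legitimate CD's setup.exe autorun is cached the same way. The `C:\Autorun.inf` and `D:\Autorun.inf` that ComboFix later removed (post #10) are the on-disk half of the same mechanism; this script only sees the registry cache of them.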


(Kacper1344) #3

After following huber2t's advice, post a ComboFix log.


(huber2t) #4

He already wrote that he can't run it; read more carefully.

Try this: when downloading, save it not under the name ComboFix.exe but with a hyphen in the middle:

Combo-Fix.exe


(Qereidid) #5

After pasting the script into Avenger and clicking Execute, an error appears saying those files cannot be deleted :confused:


(huber2t) #6

Fine, post a ComboFix log, following my instructions from the previous post.


(Qereidid) #7

ComboFix keeps throwing the error "Some files could not be created"


(huber2t) #8

Oh well, delete those files manually, then empty the Recycle Bin and post a new DSS log.


(Kacper1344) #9

Sorry, I read too quickly.


(Qereidid) #10

After those interventions I managed to launch ComboFix, so I'm posting two logs now, ComboFix first and then DSS:

ComboFix 08-05-01.1 - Konrad 2008-05-02 13:28:11.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1045.18.543 [GMT 2:00]

Running from: C:\Documents and Settings\Konrad\Pulpit\Combo-Fix.exe

 * Created a new restore point


[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED [/b][/color]

.


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.


C:\Autorun.inf

C:\Documents and Settings\Konrad\Dane aplikacji\.#

C:\WINDOWS\system32\Cfx32.lic

C:\WINDOWS\system32\cfx32.ocx

D:\Autorun.inf


.

((((((((((((((((((((((((( Files Created from 2008-04-02 to 2008-05-02 )))))))))))))))))))))))))))))))

.


2008-05-02 13:16 . 2008-05-02 13:29	




DSS:

[code]Deckard's System Scanner v20071014.68
Run by Konrad on 2008-05-02 13:33:20
Computer is in Normal Mode.
--------------------------------------------------------------------------------

[color=red]System Drive C: has 1 GiB (less than 15%) free.[/color]

-- HijackThis (run as Konrad.exe) ----------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 13:33:27, on 2008-05-02
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\SMINST\Scheduler.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\WINDOWS\system32\lkads.exe
C:\Program Files\RSSoft\RedSwoosh.exe
C:\WINDOWS\system32\lktsrv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Last.fm\LastFMHelper.exe
D:\Program Files\MySQL\MySQL Server 5.1\bin\mysqld.exe
D:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\WINDOWS\system32\nisvcloc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Konrad\Pulpit\dss.exe
C:\DOCUME~1\Konrad\Pulpit\HIJACK~1\Konrad.exe
C:\Program Files\JGsoft\EditPadLite\EditPadLite.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hp.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: PDFCreator Toolbar Helper - {C451C08A-EC37-45DF-AAAD-18B51AB5E837} - C:\Program Files\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\Msdxm6.ocx
O3 - Toolbar: PDFCreator Toolbar - {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - C:\Program Files\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [PTHOSTTR] C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\Sminst\Recguard.exe
O4 - HKLM\..\Run: [Reminder] C:\WINDOWS\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Scheduler] C:\WINDOWS\SMINST\Scheduler.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKCU\..\Run: [Konnekt] "C:\Program Files\Konnekt\konnekt.exe" /autostart
O4 - HKCU\..\Run: [Red Swoosh] C:\Program Files\RSSoft\RedSwoosh.exe /S
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Startup: Tworzenie wycinków ekranu i uruchamianie programu OneNote 2007.lnk = D:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Wyślij do interfejsu &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Wyślij do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Wyślij &do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O15 - Trusted Zone: http://www.mks.com.pl
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: CSIScanner - Unknown owner - C:\Program Files\PrevxCSI\PrevxCSI.exe" /service (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - C:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc.
- C:\WINDOWS\system32\lktsrv.exe O23 - Service: MATLAB Server (matlabserver) - Unknown owner - d:\Program Files\MATLAB71\webserver\bin\win32\matlabserver.exe O23 - Service: MySQL - Unknown owner - D:\Program.exe (file missing) O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - D:\Program Files\National Instruments\Shared\Security\nidmsrv.exe O23 - Service: NILM License Manager - Macrovision Corporation - D:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe -- Files created between 2008-04-02 and 2008-05-02 ----------------------------- 2008-05-02 13:27:25 68096 --a------ C:\WINDOWS\zip.exe 2008-05-02 13:27:25 49152 --a------ C:\WINDOWS\VFind.exe 2008-05-02 13:27:25 212480 --a------ C:\WINDOWS\swxcacls.exe 2008-05-02 13:27:25 136704 --a------ C:\WINDOWS\swsc.exe 2008-05-02 13:27:25 161792 --a------ C:\WINDOWS\swreg.exe 2008-05-02 13:27:25 98816 --a------ C:\WINDOWS\sed.exe 2008-05-02 13:27:25 80412 --a------ C:\WINDOWS\grep.exe 2008-05-02 13:27:25 73728 --a------ C:\WINDOWS\fdsv.exe 2008-05-02 12:45:51 0 d-------- C:!KillBox 2008-05-02 11:04:31 0 d-------- C:\Program Files\PrevxCSI 2008-04-30 23:53:52 0 d-------- C:\Program Files\Fma 2008-04-29 10:17:50 0 d-------- C:\Program Files\Common Files\SWF Studio 2008-04-22 11:26:54 0 d-------- C:\Program Files\Foxit Software 2008-04-22 10:27:53 0 d-------- C:\Program Files\JGsoft 2008-04-19 20:00:13 0 dr-h----- C:\Documents and Settings\Konrad\Recent 2008-04-14 21:29:54 0 d-------- C:\Program Files\Common Files\Bcgsoft 2008-04-14 21:28:05 0 d-------- C:\Program Files\HI-TECH Software 2008-04-14 21:24:22 0 d-------- C:\WINDOWS\system32\cvirte 2008-04-14 21:24:21 0 d-------- C:\Program Files\Common Files\Merge Modules 2008-04-13 00:05:31 0 d-------- C:\Program Files\Space 
Plasma 3D Screensaver 2008-04-12 20:56:20 0 d-------- C:\WINDOWS\system32\Adobe 2008-04-12 18:55:05 0 d-------- C:\Program Files\thriXXX 2008-04-12 11:12:58 0 d-------- C:\Program Files\Trend Micro 2008-04-07 20:54:25 253116 --a------ C:\WINDOWS\PDFCreator_Toolbar_Uninstaller_2500.exe 2008-04-07 20:54:25 14290 --a------ C:\Program Files\settings.dat 2008-04-07 20:54:24 0 d-------- C:\Program Files\PDFCreator Toolbar 2008-04-07 20:54:09 196608 --a------ C:\WINDOWS\system32\pdfcmnnt.dll 2008-04-07 20:54:08 23552 --a------ C:\WINDOWS\system32\MSMPIDE.DLL 2008-04-07 20:54:07 0 d-------- C:\Program Files\PDFCreator 2008-04-04 16:44:33 0 d-------- C:\Program Files\Microsoft Works 2008-04-04 16:44:20 0 d-------- C:\Program Files\MSBuild 2008-04-04 16:43:41 0 d-------- C:\Program Files\Microsoft.NET 2008-04-04 16:41:36 0 d-------- C:\Program Files\Microsoft Visual Studio 8 -- Find3M Report --------------------------------------------------------------- 2008-05-02 13:32:19 0 d-------- C:\Program Files\RSSoft 2008-05-02 13:22:19 0 d-------- C:\Documents and Settings\Konrad\Dane aplikacji\SiteAdvisor 2008-05-02 12:03:07 0 d-------- C:\Documents and Settings\Konrad\Dane aplikacji\HouseCall 6.6 2008-05-02 10:46:52 2057 --a------ C:\WINDOWS\mozver.dat 2008-05-01 13:43:00 0 d-------- C:\Documents and Settings\Konrad\Dane aplikacji\foobar2000 2008-04-30 23:53:52 0 d-------- C:\Documents and Settings\Konrad\Dane aplikacji\FMA 2008-04-29 23:31:26 0 d-------- C:\Program Files\mIRC 2008-04-29 22:18:44 0 d-------- C:\Documents and Settings\Konrad\Dane aplikacji\Adobe 2008-04-29 17:17:14 0 d-------- C:\Program Files\DC++ 2008-04-29 10:17:50 0 d-------- C:\Program Files\Common Files 2008-04-23 19:43:29 0 d-------- C:\Program Files\EWB512 2008-04-22 23:29:31 0 d-------- C:\Documents and Settings\Konrad\Dane aplikacji\MySQL 2008-04-22 10:28:15 0 d-------- C:\Documents and Settings\Konrad\Dane aplikacji\JGsoft 2008-04-19 17:58:19 0 d-------- C:\Documents and Settings\Konrad\Dane 
aplikacji\Skype 2008-04-14 21:29:57 0 d-------- C:\Documents and Settings\Konrad\Dane aplikacji\National Instruments 2008-04-13 13:29:54 0 d-------- C:\Documents and Settings\Konrad\Dane aplikacji\ZoomBrowser EX 2008-04-12 21:00:02 0 d-------- C:\Documents and Settings\Konrad\Dane aplikacji\Macromedia 2008-04-12 18:52:45 0 d-------- C:\Documents and Settings\Konrad\Dane aplikacji\Oxin's Style! 2008-04-12 10:31:14 465796 --a------ C:\WINDOWS\system32\perfh015.dat 2008-04-12 10:31:14 81986 --a------ C:\WINDOWS\system32\perfc015.dat 2008-04-11 12:24:26 0 d-------- C:\Documents and Settings\Konrad\Dane aplikacji\Comodo 2008-04-03 10:38:09 0 d-------- C:\Program Files\Java 2008-03-31 18:49:23 0 d-------- C:\Program Files\Stickys 2008-03-31 14:00:19 0 d-------- C:\Program Files\MSECache 2008-03-29 00:51:47 0 d-------- C:\Documents and Settings\Konrad\Dane aplikacji\GSplit 2008-03-29 00:29:45 0 d-------- C:\Program Files\GSplit 2008-03-26 22:10:54 216064 --a------ C:\WINDOWS\iun3405.exe 2008-03-16 19:28:30 25440 --a------ C:\Documents and Settings\Konrad\Dane aplikacji\GDIPFONTCACHEV1.DAT 2008-02-23 18:38:59 21840 --a-----t C:\WINDOWS\system32\SIntfNT.dll 2008-02-23 18:38:59 17212 --a-----t C:\WINDOWS\system32\SIntf32.dll 2008-02-23 18:38:59 12067 --a-----t C:\WINDOWS\system32\SIntf16.dll -- Registry Dump --------------------------------------------------------------- *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 10:11] "SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2005-05-06 14:06] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25] "PTHOSTTR"="C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.exe" [2006-02-14 11:56] "DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-08-31 05:20] "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" 
[2005-11-10 20:04] "igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-03-23 14:17] "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-03-23 14:13] "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-03-23 14:17] "hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-14 10:49] "Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2006-02-22 08:03] "Recguard"="C:\WINDOWS\Sminst\Recguard.exe" [2005-12-20 15:51] "Reminder"="C:\WINDOWS\Creator\Remind_XP.exe" [2006-01-23 16:11] "Scheduler"="C:\WINDOWS\SMINST\Scheduler.exe" [2006-02-15 15:43] "WatchDog"="C:\Program Files\InterVideo\DVD Check\DVDCheck.exe" [2005-11-08 12:59] "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-29 19:37] "DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2005-12-10 16:57] "COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [2008-04-11 12:24] [HKEY\_CURRENT\_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Konnekt"="C:\Program Files\Konnekt\konnekt.exe" [2005-05-24 23:41] "Red Swoosh"="C:\Program Files\RSSoft\RedSwoosh.exe" [2007-02-27 03:30] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 10:00] C:\Documents and Settings\Konrad\Menu Start\Programy\Autostart\ Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2007-12-01 19:22:40] Tworzenie wycink˘w ekranu i uruchamianie programu OneNote 2007.lnk - D:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 20:24:54] [HKEY\_LOCAL\_MACHINE\software\microsoft\windows\currentversion\policies\system] "DisableRegistryTools"=0 (0x0) "HideLegacyLogonScripts"=0 (0x0) "HideLogoffScripts"=0 (0x0) "RunLogonScriptSync"=1 (0x1) "RunStartupScriptSync"=1 (0x1) "HideStartupScripts"=0 (0x0) [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] "HideLegacyLogonScripts"=0 (0x0) "HideLogoffScripts"=0 (0x0) "RunLogonScriptSync"=1 (0x1) "RunStartupScriptSync"=1 (0x1) "HideStartupScripts"=0 (0x0) 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "appinit_dlls"= C:\WINDOWS\system32\guard32.dll *Newly Created Service* - CATCHME -- End of Deckard's System Scanner: finished at 2008-05-02 13:36:22 ------------


(huber2t) #11

I don't see anything in the logs.

Scan the computer with this (run it through IE): http://www.kaspersky.pl/virusscanner.html Post its report on the forum.

Startup optimization

XP optimization

Manually delete the folder C:\Qoobox

Delete the Combofix installer from the disk.