Logi po wirusie

Blazej_1203466206 · 12 Sierpień 2007 14:11

Na świeży system po formacie złapałem od razu wirusa sassera/blastera tego co wyświetla okno, że system zamknie się za 30sec

Już się takie okno nie pojawia, ale chce się upewnić czy “all clear”

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 16:04:12, on 2007-08-12

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) 

Boot mode: Normal


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\Explorer.EXE

D:\AutoConnect\AutoConnect.exe

D:\Mozilla Firefox\firefox.exe

D:\Gadu-Gadu\gg.exe

D:\HijackThis\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 

R3 - Default URLSearchHook is missing

O4 - HKCU\..\Run: [AutoConnect] D:\AutoConnect\AutoConnect.exe

O4 - HKCU\..\Run: [Gadu-Gadu] "D:\Gadu-Gadu\gg.exe" /tray

O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_01] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\twain_32" (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_02] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\eHome" (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_03] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\config" (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_04] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\Cursors" (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_05] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\Connection Wizard" (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_06] cmd.exe /c md "%SystemRoot%\Web\Wallpaper" (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_07] cmd.exe /c md "C:\Documents and Settings\Default User\Dane aplikacji\Microsoft\Internet Explorer\Quick Launch" (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_08] cmd.exe /c md "%AppData%\Microsoft\Internet Explorer\Quick Launch" (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_09] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\system32\Inetsrv" (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_10] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\system32\Npp" (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_11] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\help" (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_12] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\pchealth" (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_13] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\system32\ime" (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_14] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\msagent" (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_15] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\system32\Oobe" (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_16] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\Srchasst" (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_17] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\Tasks" (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_18] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\Help\Tours" (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_19] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\system32\NtmsData" (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_20] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\system32\Icsxml" (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_21] cmd.exe /c md "%USERPROFILE%\Ustawienia lokalne\Temp" (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_22] rundll32 advpack.dll,DelNodeRunDLL32 "%SystemRoot%\System32\dllcache" (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_23] cmd.exe /c md "%SystemRoot%\System32\dllcache" (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_24] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_25] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_26] rundll32 advpack.dll,LaunchINFSection nlite.inf,S (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_01] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\twain_32" (User 'USŁUGA SIECIOWA')

O13 - DefaultPrefix: 

O13 - WWW Prefix: 

O13 - Home Prefix: 

O13 - Mosaic Prefix: 

O13 - FTP Prefix: 

O13 - Gopher Prefix: 

O17 - HKLM\System\CCS\Services\Tcpip\..\{8574B6C7-9C9D-40AE-AD49-7C1954D05EED}: NameServer = 213.241.79.37 83.238.255.76

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


--

End of file - 4858 bytes

Silent

"Silent Runners.vbs", revision 52, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"AutoConnect" = "D:\AutoConnect\AutoConnect.exe" ["http://autoconnect.prv.pl"]

"Gadu-Gadu" = ""D:\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu S.A."]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

                   \InProcServer32\(Default) = "deskpan.dll" [file not found]

"{3028902F-6374-48b2-8DC6-9725E775B926}" = "IE Microsoft AutoComplete"

  -> {HKLM...CLSID} = "IE Microsoft AutoComplete"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]

"{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band"

  -> {HKLM...CLSID} = "History Band"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "D:\WinRAR\rarext.dll" [null data]

"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Eksplorator pulpitów"

  -> {HKLM...CLSID} = "Eksplorator pulpitów"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "D:\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "D:\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "D:\WinRAR\rarext.dll" [null data]



Default executables:

--------------------


HKLM\Software\Classes\.hta\(Default) = (value not set)

HKLM\Software\Classes\htafile\shell\open\command\ = (key not found)

HKLM\Software\Classes\htafile\



Group Policies {GPedit.msc branch and setting}:

-----------------------------------------------


Note: detected settings may not have any effect.


HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\


"NoInternetIcon" = (REG_DWORD) hex:0x00000001

{User Configuration|Administrative Templates|Desktop|

Hide Internet Explorer icon on desktop}


"NoSMHelp" = (REG_DWORD) hex:0x00000001

{User Configuration|Administrative Templates|Start Menu and Taskbar|

Remove Help menu from Start Menu}


"NoInstrumentation" = (REG_DWORD) hex:0x00000001

{unrecognized setting}


"NoStartMenuMFUprogramsList" = (REG_DWORD) hex:0x00000001

{unrecognized setting}


"NoResolveTrack" = (REG_DWORD) hex:0x00000001

{unrecognized setting}


"LinkResolveIgnoreLinkInfo" = (REG_DWORD) hex:0x00000001

{unrecognized setting}


"NoResolveSearch" = (REG_DWORD) hex:0x00000001

{unrecognized setting}


"NoLowDiskSpaceChecks" = (REG_DWORD) hex:0x00000001

{unrecognized setting}


"ClearRecentDocsOnExit" = (REG_DWORD) hex:0x00000001

{unrecognized setting}


"NoRecentDocsMenu" = (REG_DWORD) hex:0x00000001

{unrecognized setting}


"NoRecentDocsHistory" = (REG_DWORD) hex:0x00000001

{unrecognized setting}


"NoStartBanner" = (REG_DWORD) hex:0x00000001

{Remove "Click here to begin" from Start button}


"NoSMMyDocs" = (REG_DWORD) hex:0x00000001

{User Configuration|Administrative Templates|Start Menu and Taskbar|

Remove Documents menu from Start Menu}


"NoSMMyPictures" = (REG_DWORD) hex:0x00000001

{User Configuration|Administrative Templates|Start Menu and Taskbar|

Remove My Pictures icon from Start Menu}


"NoStartMenuPinnedList" = (REG_DWORD) hex:0x00000001

{unrecognized setting}


"NoSMConfigurePrograms" = (REG_DWORD) hex:0x00000001

{unrecognized setting}


HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\


"NoDesktopCleanupWizard" = (REG_DWORD) hex:0x00000001

{unrecognized setting}


"ForceClassicControlPanel" = (REG_DWORD) hex:0x00000001

{unrecognized setting}


HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\


"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}


"undockwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Devices: Allow undock without having to log on}


"DisableStatusMessages" = (REG_DWORD) hex:0x00000000

{unrecognized setting}


"VerboseStatus" = (REG_DWORD) hex:0x00000000

{unrecognized setting}



Active Desktop and Wallpaper:

-----------------------------


Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState



Enabled Scheduled Tasks:

------------------------


WARNING! The "C:\WINDOWS\Tasks" directory cannot be found.



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05



Miscellaneous IE Hijack Points

------------------------------


C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

<> C:\WINDOWS\INF\IERESET.INF was not found!



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


NVIDIA Driver Helper Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]



Print Monitors:

---------------


HKLM\System\CurrentControlSet\Control\Print\Monitors\

BJ Language Monitor\Driver = "cnbjmon.dll" [file not found]

PJL Language Monitor\Driver = "pjlmon.dll" [file not found]



---------- (launch time: 2007-08-12 16:08:16)

<>: Suspicious data at a browser hijack point.


+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

  took 13 seconds.

---------- (total run time: 137 seconds)

qrczak13 · 12 Sierpień 2007 20:24

Możesz ciachnąć w HJT.

A to tak:

Do notatnika wklej:

Plik > zapisz jako > zmień rozszerzenie z .txt na wszystkie pliki > zapisz pod nazwą Fix.reg np na

pulpicie > dwuklik na Fix.reg > potwierdzasz > restart.

Możesz jeszcze zapodać log ComboFix + opis zrobienia loga na samym dole.

Blazej_1203466206 · 13 Sierpień 2007 00:27

HiJack po fixie

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 02:27:38, on 2007-08-13

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal 


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\WINDOWS\system32\nvsvc32.exe

D:\AutoConnect\AutoConnect.exe

C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

D:\Mozilla Firefox\firefox.exe

D:\HijackThis\HijackThis.exe


R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKCU\..\Run: [AutoConnect] D:\AutoConnect\AutoConnect.exe

O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_01] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\twain_32" (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_02] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\eHome" (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_03] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\config" (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_04] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\Cursors" (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_05] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\Connection Wizard" (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_06] cmd.exe /c md "%SystemRoot%\Web\Wallpaper" (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_07] cmd.exe /c md "C:\Documents and Settings\Default User\Dane aplikacji\Microsoft\Internet Explorer\Quick Launch" (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_08] cmd.exe /c md "%AppData%\Microsoft\Internet Explorer\Quick Launch" (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_09] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\system32\Inetsrv" (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_10] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\system32\Npp" (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_11] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\help" (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_12] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\pchealth" (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_13] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\system32\ime" (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_14] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\msagent" (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_15] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\system32\Oobe" (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_16] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\Srchasst" (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_17] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\Tasks" (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_18] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\Help\Tours" (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_19] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\system32\NtmsData" (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_20] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\system32\Icsxml" (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_21] cmd.exe /c md "%USERPROFILE%\Ustawienia lokalne\Temp" (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_22] rundll32 advpack.dll,DelNodeRunDLL32 "%SystemRoot%\System32\dllcache" (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_23] cmd.exe /c md "%SystemRoot%\System32\dllcache" (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_24] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_25] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_26] rundll32 advpack.dll,LaunchINFSection nlite.inf,S (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_01] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\twain_32" (User 'USŁUGA SIECIOWA')

O17 - HKLM\System\CCS\Services\Tcpip\..\{8574B6C7-9C9D-40AE-AD49-7C1954D05EED}: NameServer = 213.241.79.37 83.238.255.76

O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: NBService - Nero AG - D:\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\WINDOWS\System32\ups.exe (file missing)


--

End of file - 5773 bytes

ComboFix

http://wklej.org/id/3209a2d132