Maksymalnie spowolniony komputer i internet

Dla specjalistów Bezpieczeństwo
#1

Bardzo prosze o sprawdzenie, i rade co powinnam zrobi. oto logi

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 19:50:14, on 2008-10-18

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\UPCSmartGuard\Common\FSM32.EXE

C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\UPCSmartGuard\Anti-Virus\fsgk32st.exe

C:\Program Files\UPCSmartGuard\Common\FSMA32.EXE

C:\Program Files\UPCSmartGuard\Anti-Virus\FSGK32.EXE

C:\Program Files\UPCSmartGuard\Common\FSMB32.EXE

C:\Program Files\UPCSmartGuard\Common\FCH32.EXE

C:\Program Files\UPCSmartGuard\Anti-Virus\fssm32.exe

C:\Program Files\UPCSmartGuard\Common\FAMEH32.EXE

C:\Program Files\UPCSmartGuard\Anti-Virus\fsqh.exe

C:\Program Files\UPCSmartGuard\FSAUA\program\fsaua.exe

C:\Program Files\UPCSmartGuard\FSPC\fspc.exe

C:\Program Files\UPCSmartGuard\FWES\Program\fsdfwd.exe

C:\Program Files\UPCSmartGuard\FSGUI\fsguidll.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\UPCSmartGuard\FSAUA\program\fsus.exe

C:\Program Files\UPCSmartGuard\Anti-Virus\fsav32.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gry.enastolatki.net/tytul/dziewczece/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM…\Run: [F-Secure Manager] “C:\Program Files\UPCSmartGuard\Common\FSM32.EXE” /splash

O4 - HKLM…\Run: [F-Secure TNB] “C:\Program Files\UPCSmartGuard\FSGUI\TNBUtil.exe” /CHECKALL /WAITFORSW

O4 - HKCU…\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray

O4 - HKCU…\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-19…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘USŁUGA LOKALNA’)

O4 - HKUS\S-1-5-20…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘USŁUGA SIECIOWA’)

O4 - HKUS\S-1-5-18…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘SYSTEM’)

O4 - HKUS.DEFAULT…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘Default user’)

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O9 - Extra button: Kontrola rodzicielska… - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\UPCSmartGuard\FSPC\fspcmsie.dll

O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\UPCSmartGuard\FSPC\fspcmsie.dll

O9 - Extra ‘Tools’ menuitem: Kontrola rodzicielska… - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\UPCSmartGuard\FSPC\fspcmsie.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\UPCSmartGuard\Anti-Virus\fsgk32st.exe

O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\UPCSmartGuard\FSAUA\program\fsaua.exe

O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\UPCSmartGuard\FWES\Program\fsdfwd.exe

O23 - Service: Agent zarządzania F-Secure (FSMA) - F-Secure Corporation - C:\Program Files\UPCSmartGuard\Common\FSMA32.EXE

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O24 - Desktop Component 0: (no name) - http://republika.pl/blog_ln_141813/1790 … smiech.gif

End of file - 5831 bytes

Z góry dziekuje za pomoc

giaa24

#2

Log czysty.

Pokaż log z Silent Runners oraz ComboFix.

Instrukcje znajdują się tutaj: viewtopic.php?f=16&t=36654

#3

SILENT RUNNERS

Silent Runners.vbs", revision 58, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by “{++}”

Startup items buried in registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

“swg” = “C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe” [“Google Inc.”]

“Gadu-Gadu” = ““C:\Program Files\Gadu-Gadu\gg.exe” /tray” [“Gadu-Gadu S.A.”]

“ctfmon.exe” = “C:\WINDOWS\system32\ctfmon.exe” [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

“F-Secure Manager” = ““C:\Program Files\UPCSmartGuard\Common\FSM32.EXE” /splash” [“F-Secure Corporation”]

“F-Secure TNB” = ““C:\Program Files\UPCSmartGuard\FSGUI\TNBUtil.exe” /CHECKALL /WAITFORSW” [“F-Secure Corporation”]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided)

-> {HKLM…CLSID} = “AcroIEHlprObj Class”

\InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx” [empty string]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided)

-> {HKLM…CLSID} = “SSVHelper Class”

\InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll” [“Sun Microsystems, Inc.”]

{AA58ED58-01DD-4d91-8333-CF10577473F7}(Default) = (no title provided)

-> {HKLM…CLSID} = “Google Toolbar Helper”

\InProcServer32(Default) = “c:\program files\google\googletoolbar1.dll” [“Google Inc.”]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

“{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania”

-> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania”

\InProcServer32(Default) = “deskpan.dll” [file not found]

“{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu”

-> {HKLM…CLSID} = “HyperTerminal Icon Ext”

\InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”]

“{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension”

-> {HKLM…CLSID} = “WinRAR”

\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]

“{0006F045-0000-0000-C000-000000000046}” = “Microsoft Outlook Custom Icon Handler”

-> {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook”

\InProcServer32(Default) = “C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL” [MS]

“{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler”

-> {HKLM…CLSID} = (no title provided)

\InProcServer32(Default) = “C:\Program Files\Microsoft Office\Office10\msohev.dll” [MS]

HKLM\SOFTWARE\Classes*\shellex\ContextMenuHandlers\

WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”

-> {HKLM…CLSID} = “WinRAR”

\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”

-> {HKLM…CLSID} = “WinRAR”

\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\

WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”

-> {HKLM…CLSID} = “WinRAR”

\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]

Group Policies {policy setting}:

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

“DisableRegistryTools” = (REG_DWORD) dword:0x00000000

{Prevent access to registry editing tools}

HKCU\Software\Policies\Microsoft\Windows\System\

“DisableCMD” = (REG_DWORD) dword:0x00000000

{Disable the command prompt}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

“shutdownwithoutlogon” = (REG_DWORD) dword:0x00000001

{Shutdown: Allow system to be shut down without having to log on}

“undockwithoutlogon” = (REG_DWORD) dword:0x00000001

{Devices: Allow undock without having to log on}

Active Desktop and Wallpaper:

Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Enabled Screen Saver:

HKCU\Control Panel\Desktop\

“SCRNSAVE.EXE” = “C:\WINDOWS\System32\ssmyst.scr” [MS]

COMBO:

ComboFix 08-10-17.01 - user 2008-10-18 20:21:00.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1045.18.175 [GMT 2:00]

Uruchomiony z: C:\Documents and Settings\user\Pulpit\ComboFix.exe

* Resident AV is active

UWAGA - TEN KOMPUTER NIE MA ZAINSTALOWANEJ KONSOLI ODZYSKIWANIA!!

.

((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Program Files\INSTALL.LOG

.

((((((((((((((((((((((((( Pliki utworzone od 2008-09-18 do 2008-10-18 )))))))))))))))))))))))))))))))

.

2008-10-18 19:48 . 2008-10-18 19:48

2008-10-18 19:39 . 2008-10-18 19:39

2008-10-17 22:07 . 2008-10-17 22:09

2008-10-16 11:37 . 2008-10-16 11:37

2008-10-10 23:03 . 2008-10-10 23:03

2008-09-25 16:53 . 2008-09-25 16:54

.

(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-10-18 17:35 --------- d-----w C:\Program Files\BraveDwarves 2 Gold Trial

2008-10-18 17:34 --------- d–h--w C:\Program Files\InstallShield Installation Information

2008-10-18 14:53 --------- d-----w C:\Program Files\MPlayer for Windows

2008-09-15 15:40 1,846,272 ----a-w C:\WINDOWS\system32\win32k.sys

2008-08-28 10:04 333,056 ----a-w C:\WINDOWS\system32\drivers\srv.sys

2008-08-26 08:27 826,368 ----a-w C:\WINDOWS\system32\wininet.dll

2008-08-14 13:46 2,181,632 ----a-w C:\WINDOWS\system32\ntoskrnl.exe

2008-08-14 13:46 2,059,008 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe

2008-07-18 20:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll

2008-07-18 20:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe

2008-07-18 20:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll

2008-07-18 20:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll

2008-07-18 20:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll

2008-07-18 20:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll

2008-07-18 20:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll

2008-07-18 20:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll

2007-03-19 18:13 6,422,611 -c–a-w C:\Program Files\frostwire-4.13.1.6.windows.exe

1998-04-30 12:56 129,024 ----a-w C:\Program Files\UNWISE.EXE

.

((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“swg”=“C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe” [2008-07-19 171448]

“Gadu-Gadu”=“C:\Program Files\Gadu-Gadu\gg.exe” [2008-03-20 2127296]

“ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“F-Secure Manager”=“C:\Program Files\UPCSmartGuard\Common\FSM32.EXE” [2007-04-26 183208]

“F-Secure TNB”=“C:\Program Files\UPCSmartGuard\FSGUI\TNBUtil.exe” [2007-04-26 740208]

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

“CTFMON.EXE”=“C:\WINDOWS\System32\CTFMON.EXE” [2004-08-04 15360]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\

Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKLM~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^D-Link AirPlus.lnk]

path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\D-Link AirPlus.lnk

backup=C:\WINDOWS\pss\D-Link AirPlus.lnkCommon Startup

[HKLM~\startupfolder\C:^Documents and Settings^user^Menu Start^Programy^Autostart^OpenOffice.org 1.1.2.lnk]

path=C:\Documents and Settings\user\Menu Start\Programy\Autostart\OpenOffice.org 1.1.2.lnk

backup=C:\WINDOWS\pss\OpenOffice.org 1.1.2.lnkStartup

[HKLM~\startupfolder\C:^Documents and Settings^user^Menu Start^Programy^Autostart^OpenOffice.ux.pl 2.0.lnk]

path=C:\Documents and Settings\user\Menu Start\Programy\Autostart\OpenOffice.ux.pl 2.0.lnk

backup=C:\WINDOWS\pss\OpenOffice.ux.pl 2.0.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]

–a--c— 2006-01-13 08:46 196608 C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

–a--c— 2006-12-15 03:23 75520 C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

“Pml Driver”=3 (0x3)

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

“C:\Program Files\Gadu-Gadu\gg.exe”=

“%windir%\Network Diagnostic\xpnetdiag.exe”=

“C:\WINDOWS\system32\sessmgr.exe”=

R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys [2008-07-19 51072]

R1 F-Secure HIPS;F-Secure HIPS;C:\Program Files\UPCSmartGuard\HIPS\fshs.sys [2008-07-19 41184]

R3 F-Secure Gatekeeper;F-Secure Gatekeeper;C:\Program Files\UPCSmartGuard\Anti-Virus\minifilter\fsgk.sys [2007-04-26 59760]

S3 tj2knd5;Terayon Cable Modem (NDIS);C:\WINDOWS\system32\DRIVERS\tj2knd5.sys [2002-10-14 17616]

S3 tj2kunic;Terayon Cable Modem (WDM);C:\WINDOWS\system32\DRIVERS\tj2kunic.sys [2002-10-14 69680]

S4 F-Secure Filter;F-Secure File System Filter;C:\Program Files\UPCSmartGuard\Anti-Virus\Win2K\FSfilter.sys [2007-04-26 40048]

S4 F-Secure Recognizer;F-Secure File System Recognizer;C:\Program Files\UPCSmartGuard\Anti-Virus\Win2K\FSrec.sys [2007-04-26 25456]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{38a72120-95e3-11dc-a2d3-de24bb1ef97a}]

\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe

\Shell\Open(0)\command - Recycled\ctfmon.exe

*Newly Created Service* - PROCEXP90

.

        • USUNIĘTO PUSTE WPISY - - - -

MSConfigStartUp-HPHmon03 - C:\WINDOWS\system32\hphmon03.exe

MSConfigStartUp-Spyware Doctor - C:\Program Files\Spyware Doctor\swdoctor.exe

MSConfigStartUp-Cmaudio - cmicnfg.cpl

.

------- Skan uzupełniający -------

.

R0 -: HKCU-Main,Start Page = hxxp://www.gry.enastolatki.net/tytul/dziewczece/

R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}sourceid=ie7rls=com.microsoft:en-USie=utf8oe=utf8

R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore

R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s

O8 -: Eksport do programu Microsoft Excel - C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-10-18 20:27:18

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

skanowanie ukrytych procesów …

skanowanie ukrytych wpisów autostartu …

skanowanie ukrytych plików …

skanowanie pomyślnie ukończone

ukryte pliki: 0

**************************************************************************

.

Czas ukończenia: 2008-10-18 20:32:35

ComboFix-quarantined-files.txt 2008-10-18 18:32:26

Przed: 7,323,426,816 bajtów wolnych

Po: 7,374,516,224 bajtów wolnych

115 — E O F — 2008-10-15 11:00:41

#4

Czy te logi są w porzadku???

#5

Do notatnika wklej:

Windows Registry Editor Version 5.00


[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{38a72120-95e3-11dc-a2d3-de24bb1ef97a}]

Plik ==> Zapisz jako ==> Zmień rozszerzenie na Wszystkie pliki ==> Zapisz pod nazwą FIX.REG

Uruchom utworzony plik FIX.REG i potwierdź dodanie do Rejestru i zresetuj komputer.

Po za tym jest ok.

Usuń ręcznie folder C:\Qoobox ,

Usuń instalkę ComboFix z dysku.

Wykonaj optymalizację autostartu

Przeczyść komputer Ccleanerem

Wyłącz i włącz przywracanie systemu na wszystkich dyskach.Instrukcja

Przeskanuj tym: Dr.WEB CureIt! .

#6

Ok, dziekuje bardzo. A czy moge prosic o sprawdzenie logów mojego drugiego komputera? Oto one:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 20:40:43, on 2008-10-18

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Ahead\InCD\InCDsrv.exe

C:\WINDOWS\system32\devldr32.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\Program Files\Ahead\InCD\InCD.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\FixCamera.exe

C:\WINDOWS\tsnp325.exe

C:\WINDOWS\vsnp325.exe

C:\Program Files\PowerISO\PWRISOVM.EXE

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Gadu-Gadu\gg.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\Microsoft ActiveSync\Wcescomm.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\PROGRA~1\MICROS~3\rapimgr.exe

C:\Program Files\NETGEAR\WPN111\wpn111.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\CyberLink\Shared files\RichVideo.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Skype\Plugin Manager\skypePM.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nasza-klasa.pl/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM…\Run: [inCD] C:\Program Files\Ahead\InCD\InCD.exe

O4 - HKLM…\Run: [Ad-aware] “C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe” +c

O4 - HKLM…\Run: [RemoteControl] “C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe”

O4 - HKLM…\Run: [LanguageShortcut] “C:\Program Files\CyberLink\PowerDVD\Language\Language.exe”

O4 - HKLM…\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE

O4 - HKLM…\Run: [avgnt] “C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe” /min

O4 - HKLM…\Run: [Adobe Reader Speed Launcher] “C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe”

O4 - HKLM…\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot

O4 - HKLM…\Run: [WinampAgent] “C:\Program Files\Winamp\winampa.exe”

O4 - HKLM…\Run: [FixCamera] C:\WINDOWS\FixCamera.exe

O4 - HKLM…\Run: [tsnp325] C:\WINDOWS\tsnp325.exe

O4 - HKLM…\Run: [snp325] C:\WINDOWS\vsnp325.exe

O4 - HKLM…\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE

O4 - HKLM…\Run: [sunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe”

O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU…\Run: [bitTorrent] “C:\Program Files\BitTorrent\bittorrent.exe” --force_start_minimized

O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray

O4 - HKCU…\Run: [AutoEA] C:\Program Files\Creative\SBLive\AudioHQ\ahqrun.exe “C:\Program Files\Creative\SBLive\AudioHQ\AHQ\CTAutoEA.ahq” 0

O4 - HKCU…\Run: [skype] “C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized

O4 - HKCU…\Run: [MsnMsgr] “C:\Program Files\MSN Messenger\MsnMsgr.Exe” /background

O4 - HKCU…\Run: [H/PC Connection Agent] “C:\Program Files\Microsoft ActiveSync\Wcescomm.exe”

O4 - HKCU…\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKUS\S-1-5-19…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘USŁUGA LOKALNA’)

O4 - HKUS\S-1-5-19…\RunOnce: [nlpo_01] cmd.exe /c md “%USERPROFILE%\Ustawienia lokalne\Temp” (User ‘USŁUGA LOKALNA’)

O4 - HKUS\S-1-5-19…\RunOnce: [nlpo_03] cmd.exe /c md “%SystemRoot%\System32\dllcache” (User ‘USŁUGA LOKALNA’)

O4 - HKUS\S-1-5-19…\RunOnce: [nlpo_04] cmd.exe /C move /Y “%SystemRoot%\System32\syssetub.dll” “%SystemRoot%\System32\syssetup.dll” (User ‘USŁUGA LOKALNA’)

O4 - HKUS\S-1-5-19…\RunOnce: [nlpo_05] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User ‘USŁUGA LOKALNA’)

O4 - HKUS\S-1-5-19…\RunOnce: [nlpo_06] rundll32 advpack.dll,LaunchINFSection nlite.inf,S (User ‘USŁUGA LOKALNA’)

O4 - HKUS\S-1-5-20…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘USŁUGA SIECIOWA’)

O4 - HKUS\S-1-5-20…\RunOnce: [nlpo_01] cmd.exe /c md “%USERPROFILE%\Ustawienia lokalne\Temp” (User ‘USŁUGA SIECIOWA’)

O4 - HKUS\S-1-5-18…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘SYSTEM’)

O4 - HKUS.DEFAULT…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘Default user’)

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: NETGEAR WPN111 Smart Wizard.lnk = ?

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll

O9 - Extra ‘Tools’ menuitem: Utwórz Ulubione dla urządzenia przenośnego… - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {1E53EA77-34F2-474E-9046-B2B0C86F1821} (OggX Control) - http://www.eska.pl/streamplayers/OggX.ocx

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/ … leId=23100

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe

End of file - 8683 bytes

ComboFix 08-10-17.01 - agu 2008-10-18 20:48:55.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.219 [GMT 2:00]

Uruchomiony z: C:\Documents and Settings\agu\Pulpit\ComboFix.exe

* Utworzono nowy punkt przywracania

UWAGA - TEN KOMPUTER NIE MA ZAINSTALOWANEJ KONSOLI ODZYSKIWANIA!!

.

((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\WINDOWS\Downloaded Program Files\setup.inf

.

((((((((((((((((((((((((( Pliki utworzone od 2008-09-18 do 2008-10-18 )))))))))))))))))))))))))))))))

.

2008-10-18 20:40 . 2008-10-18 20:40

2008-10-18 00:50 . 2008-10-18 00:50 268 --ah----- C:\sqmdata04.sqm

2008-10-18 00:50 . 2008-10-18 00:50 244 --ah----- C:\sqmnoopt04.sqm

2008-10-17 00:56 . 2008-10-17 00:56 268 --ah----- C:\sqmdata03.sqm

2008-10-17 00:56 . 2008-10-17 00:56 244 --ah----- C:\sqmnoopt03.sqm

2008-10-16 00:47 . 2008-10-16 00:47 268 --ah----- C:\sqmdata02.sqm

2008-10-16 00:47 . 2008-10-16 00:47 244 --ah----- C:\sqmnoopt02.sqm

2008-10-16 00:17 . 2008-10-16 00:25

2008-10-16 00:16 . 2004-08-04 02:44 221,184 --a------ C:\WINDOWS\system32\wmpns.dll

2008-10-15 02:11 . 2008-10-15 02:11 268 --ah----- C:\sqmdata01.sqm

2008-10-15 02:11 . 2008-10-15 02:11 244 --ah----- C:\sqmnoopt01.sqm

2008-10-14 23:17 . 2008-10-14 23:17 268 --ah----- C:\sqmdata00.sqm

2008-10-14 23:17 . 2008-10-14 23:17 244 --ah----- C:\sqmnoopt00.sqm

2008-10-14 23:16 . 2008-08-14 15:40 2,187,264 --------- C:\WINDOWS\system32\DllCache\ntoskrnl.exe

2008-10-14 23:16 . 2008-08-14 15:40 2,144,256 --------- C:\WINDOWS\system32\DllCache\ntkrnlmp.exe

2008-10-14 23:16 . 2008-08-14 15:40 2,064,256 --------- C:\WINDOWS\system32\DllCache\ntkrnlpa.exe

2008-10-14 23:16 . 2008-08-14 15:40 2,022,400 --------- C:\WINDOWS\system32\DllCache\ntkrpamp.exe

2008-10-14 23:16 . 2008-09-15 17:17 1,847,168 --------- C:\WINDOWS\system32\DllCache\win32k.sys

2008-10-14 23:16 . 2008-08-28 12:35 333,056 --------- C:\WINDOWS\system32\DllCache\srv.sys

2008-10-14 00:16 . 2008-06-14 20:01 273,024 --------- C:\WINDOWS\system32\drivers\bthport.sys

2008-10-14 00:16 . 2008-06-14 20:01 273,024 --------- C:\WINDOWS\system32\DllCache\bthport.sys

2008-10-14 00:15 . 2006-12-07 07:29 2,374,472 --------- C:\WINDOWS\system32\DllCache\wmvcore.dll

2008-10-14 00:15 . 2008-04-11 20:41 683,520 --------- C:\WINDOWS\system32\DllCache\inetcomm.dll

2008-10-14 00:15 . 2008-05-01 16:33 331,776 --------- C:\WINDOWS\system32\DllCache\msadce.dll

2008-10-14 00:15 . 2008-05-08 14:14 203,008 --------- C:\WINDOWS\system32\DllCache\rmcast.sys

2008-10-14 00:14 . 2008-10-16 00:25

2008-10-05 17:02 . 2008-10-05 17:30

2008-10-05 17:02 . 2008-10-05 17:02

2008-10-05 16:56 . 2008-10-05 16:56

2008-10-05 16:56 . 2008-10-05 16:57 717,296 --a------ C:\WINDOWS\system32\drivers\sptd.sys

2008-09-28 22:17 . 2005-10-21 03:47 30,592 --------- C:\WINDOWS\system32\drivers\rndismpx.sys

2008-09-28 22:17 . 2005-10-21 03:47 12,800 --------- C:\WINDOWS\system32\drivers\usb8023x.sys

2008-09-28 22:16 . 2008-09-28 22:17

2008-09-25 16:45 . 2008-09-25 16:47

.

(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-10-18 19:02 --------- d-----w C:\Documents and Settings\agu\Dane aplikacji\Skype

2008-10-18 16:47 --------- d–h--w C:\Program Files\InstallShield Installation Information

2008-10-18 14:09 --------- d-----w C:\Documents and Settings\agu\Dane aplikacji\skypePM

2008-10-16 12:18 --------- d-----w C:\Program Files\MPlayer for Windows

2008-10-04 23:26 --------- d-----w C:\Documents and Settings\agu\Dane aplikacji\iMesh

2008-09-15 15:17 1,847,168 ----a-w C:\WINDOWS\system32\win32k.sys

2008-08-31 17:21 --------- d-----w C:\Program Files\Sun

2008-08-31 17:20 --------- d-----w C:\Program Files\Java

2008-08-31 17:18 --------- d-----w C:\Program Files\Common Files\Java

2008-08-30 18:45 --------- d-----w C:\Program Files\NAPI-PROJEKT

2008-08-28 10:35 333,056 ----a-w C:\WINDOWS\system32\drivers\srv.sys

2008-08-20 05:33 151,552 ------w C:\WINDOWS\system32\DllCache\cdfview.dll

2008-08-19 09:38 18,432 ------w C:\WINDOWS\system32\DllCache\iedw.exe

2008-08-14 13:40 2,187,264 ----a-w C:\WINDOWS\system32\ntoskrnl.exe

2008-08-14 13:40 2,064,256 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe

2008-08-14 09:48 138,368 ------w C:\WINDOWS\system32\DllCache\afd.sys

2008-01-24 19:49 19,944 ----a-w C:\Documents and Settings\agu\Dane aplikacji\GDIPFONTCACHEV1.DAT

2007-12-23 20:11 32 ----a-w C:\Documents and Settings\All Users\Dane aplikacji\ezsid.dat

2007-09-24 15:12 84,418 ----a-w C:\Documents and Settings\All Users\Dane aplikacji\firstlsp.reg.dat

2007-07-19 23:19 855,886 ----a-w C:\Program Files\AUG2007_d3dx10_35_x64.cab

2007-07-19 23:19 800,467 ----a-w C:\Program Files\AUG2007_d3dx10_35_x86.cab

2007-07-19 23:19 1,803,760 ----a-w C:\Program Files\AUG2007_d3dx9_35_x64.cab

2007-07-19 23:18 44,684 ----a-w C:\Program Files\dxdllreg_x86.cab

2007-07-19 23:18 201,696 ----a-w C:\Program Files\AUG2007_XACT_x64.cab

2007-07-19 23:18 156,612 ----a-w C:\Program Files\AUG2007_XACT_x86.cab

2007-07-19 23:18 1,711,752 ----a-w C:\Program Files\AUG2007_d3dx9_35_x86.cab

2008-06-25 16:29 88 --sh–r C:\WINDOWS\system32\456B4DF211.sys

2008-06-25 16:29 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys

.

((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“CTFMON.EXE”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-04 15360]

“Gadu-Gadu”=“C:\Program Files\Gadu-Gadu\gg.exe” [2007-07-09 2119104]

“Skype”=“C:\Program Files\Skype\Phone\Skype.exe” [2008-06-03 21718312]

“MsnMsgr”=“C:\Program Files\MSN Messenger\MsnMsgr.Exe” [2007-01-19 5674352]

“H/PC Connection Agent”=“C:\Program Files\Microsoft ActiveSync\Wcescomm.exe” [2006-11-13 1289000]

“swg”=“C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe” [2007-10-03 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“NeroFilterCheck”=“C:\WINDOWS\system32\NeroCheck.exe” [2001-07-09 155648]

“InCD”=“C:\Program Files\Ahead\InCD\InCD.exe” [2004-06-04 1400944]

“RemoteControl”=“C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe” [2005-12-07 30208]

“LanguageShortcut”=“C:\Program Files\CyberLink\PowerDVD\Language\Language.exe” [2006-05-18 49152]

“avgnt”=“C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe” [2008-07-19 266497]

“Adobe Reader Speed Launcher”=“C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe” [2008-01-11 39792]

“TkBellExe”=“C:\Program Files\Common Files\Real\Update_OB\realsched.exe” [2008-06-25 185896]

“FixCamera”=“C:\WINDOWS\FixCamera.exe” [2007-02-12 20480]

“tsnp325”=“C:\WINDOWS\tsnp325.exe” [2007-04-21 270336]

“snp325”=“C:\WINDOWS\vsnp325.exe” [2007-04-25 835584]

“PWRISOVM.EXE”=“C:\Program Files\PowerISO\PWRISOVM.EXE” [2006-09-09 196608]

“SunJavaUpdateSched”=“C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe” [2008-06-10 144784]

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

“CTFMON.EXE”=“C:\WINDOWS\system32\CTFMON.EXE” [2004-08-04 15360]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\

Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

NETGEAR WPN111 Smart Wizard.lnk - C:\Program Files\NETGEAR\WPN111\wpn111.exe [2008-07-18 884838]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

“aux”= ctwdm32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]

–a------ 2008-07-24 17:02 490952 C:\Program Files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

–a------ 2007-10-03 19:41 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

“%windir%\system32\sessmgr.exe”=

“C:\WINDOWS\system32\usmt\migwiz.exe”=

“C:\Program Files\Gadu-Gadu\gg.exe”=

“C:\Program Files\iMesh Applications\iMesh\iMesh.exe”=

“C:\Program Files\MSN Messenger\msnmsgr.exe”=

“C:\Program Files\MSN Messenger\livecall.exe”=

“C:\Program Files\Real\RealPlayer\realplay.exe”=

“C:\Program Files\Microsoft ActiveSync\rapimgr.exe”= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

“C:\Program Files\Microsoft ActiveSync\wcescomm.exe”= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager

“C:\Program Files\Microsoft ActiveSync\WCESMgr.exe”= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

“C:\Program Files\Skype\Phone\Skype.exe”=

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

“8056:TCP”= 8056:TCP:BitComet 8056 TCP

“8056:UDP”= 8056:UDP:BitComet 8056 UDP

“8461:TCP”= 8461:TCP:GoD High Port

“8462:TCP”= 8462:TCP:GoD Low Port

“26675:TCP”= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\DNINDIS5.SYS [2003-07-24 17149]

R3 SNP325;USB PC Camera (SNPSTD325);C:\WINDOWS\system32\DRIVERS\snp325.sys [2007-04-26 10343168]

R3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;C:\WINDOWS\system32\DRIVERS\WPN111.sys [2005-09-26 362944]

S3 tj2knd5;Terayon Cable Modem (NDIS);C:\WINDOWS\system32\DRIVERS\tj2knd5.sys [2002-10-14 17616]

S3 tj2kunic;Terayon Cable Modem (WDM);C:\WINDOWS\system32\DRIVERS\tj2kunic.sys [2002-10-14 69680]

S3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2006-09-13 26496]

*Newly Created Service* - PROCEXP90

.

        • USUNIĘTO PUSTE WPISY - - - -

HKCU-Run-BitTorrent - C:\Program Files\BitTorrent\bittorrent.exe

HKCU-Run-AutoEA - C:\Program Files\Creative\SBLive\AudioHQ\ahqrun.exe

HKLM-Run-Ad-aware - C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe

HKLM-Run-AudioHQ - C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE

HKLM-Run-WinampAgent - C:\Program Files\Winamp\winampa.exe

MSConfigStartUp-BitComet - C:\Program Files\BitComet\BitComet.exe

.

------- Skan uzupełniający -------

.

FireFox -: Profile - C:\Documents and Settings\agu\Dane aplikacji\Mozilla\Firefox\Profiles\dy0h08k2.default\

FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=ie=UTF-8oe=UTF-8q=

FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://google.atcomet.com/b/

.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-10-18 21:02:24

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

skanowanie ukrytych procesów …

skanowanie ukrytych wpisów autostartu …

skanowanie ukrytych plików …

C:\DOCUME~1\agu\USTAWI~1\Temp\RGIE.tmp

skanowanie pomyślnie ukończone

ukryte pliki: 1

**************************************************************************

.

Czas ukończenia: 2008-10-18 21:07:07

ComboFix-quarantined-files.txt 2008-10-18 19:06:13

Przed: 14 064 336 896 bajtów wolnych

Po: 14,063,099,904 bajtów wolnych

WindowsXP-KB310994-SP2-Pro-BootDisk-PLK.exe

171 — E O F — 2008-10-15 22:25:37

“Silent Runners.vbs”, revision 58, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by “{++}”

Startup items buried in registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

“CTFMON.EXE” = “C:\WINDOWS\system32\ctfmon.exe” [MS]

“BitTorrent” = ““C:\Program Files\BitTorrent\bittorrent.exe” --force_start_minimized” [file not found]

“Gadu-Gadu” = ““C:\Program Files\Gadu-Gadu\gg.exe” /tray” [“Gadu-Gadu S.A.”]

“AutoEA” = “C:\Program Files\Creative\SBLive\AudioHQ\ahqrun.exe “C:\Program Files\Creative\SBLive\AudioHQ\AHQ\CTAutoEA.ahq” 0” [file not found]

“Skype” = ““C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized” [“Skype Technologies S.A.”]

“MsnMsgr” = ““C:\Program Files\MSN Messenger\MsnMsgr.Exe” /background” [MS]

“H/PC Connection Agent” = ““C:\Program Files\Microsoft ActiveSync\Wcescomm.exe”” [MS]

“swg” = “C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe” [“Google Inc.”]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

“NeroFilterCheck” = “C:\WINDOWS\system32\NeroCheck.exe” [“Ahead Software Gmbh”]

“InCD” = “C:\Program Files\Ahead\InCD\InCD.exe” [“Ahead Software AG”]

“Ad-aware” = ““C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe” +c” [file not found]

“RemoteControl” = ““C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe”” [“Cyberlink Corp.”]

“LanguageShortcut” = ““C:\Program Files\CyberLink\PowerDVD\Language\Language.exe”” [null data]

“AudioHQ” = “C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE” [file not found]

“avgnt” = ““C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe” /min” [“Avira GmbH”]

“Adobe Reader Speed Launcher” = ““C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe”” [“Adobe Systems Incorporated”]

“TkBellExe” = ““C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot” [“RealNetworks, Inc.”]

“WinampAgent” = ““C:\Program Files\Winamp\winampa.exe”” [file not found]

“FixCamera” = “C:\WINDOWS\FixCamera.exe” [empty string]

“tsnp325” = “C:\WINDOWS\tsnp325.exe” [empty string]

“snp325” = “C:\WINDOWS\vsnp325.exe” [empty string]

“PWRISOVM.EXE” = “C:\Program Files\PowerISO\PWRISOVM.EXE” [“PowerISO Computing, Inc.”]

“SunJavaUpdateSched” = ““C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe”” [“Sun Microsystems, Inc.”]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided)

  • {HKLM…CLSID} = “Adobe PDF Reader Link Helper”

\InProcServer32(Default) = “C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”]

{22BF413B-C6D2-4d91-82A9-A0F997BA588C}(Default) = “Skype add-on (mastermind)”

  • {HKLM…CLSID} = “Skype add-on (mastermind)”

\InProcServer32(Default) = “C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll” [“Skype Technologies S.A.”]

{3049C3E9-B461-4BC5-8870-4C09146192CA}(Default) = (no title provided)

  • {HKLM…CLSID} = “RealPlayer Download and Record Plugin for Internet Explorer”

\InProcServer32(Default) = “C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll” [“RealPlayer”]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided)

  • {HKLM…CLSID} = “SSVHelper Class”

\InProcServer32(Default) = “C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll” [“Sun Microsystems, Inc.”]

{9030D464-4C02-4ABF-8ECC-5164760863C6}(Default) = (no title provided)

  • {HKLM…CLSID} = “Windows Live Sign-in Helper”

\InProcServer32(Default) = “C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll” [MS]

{AA58ED58-01DD-4d91-8333-CF10577473F7}(Default) = (no title provided)

  • {HKLM…CLSID} = “Google Toolbar Helper”

\InProcServer32(Default) = “c:\program files\google\googletoolbar1.dll” [“Google Inc.”]

{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}(Default) = (no title provided)

  • {HKLM…CLSID} = “Google Toolbar Notifier BHO”

\InProcServer32(Default) = “C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll” [“Google Inc.”]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

“{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania”

  • {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania”

\InProcServer32(Default) = “deskpan.dll” [file not found]

“{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu”

  • {HKLM…CLSID} = “HyperTerminal Icon Ext”

\InProcServer32(Default) = “C:\WINDOWS\system32\hticons.dll” [“Hilgraeve, Inc.”]

“{3028902F-6374-48b2-8DC6-9725E775B926}” = “IE Microsoft AutoComplete”

  • {HKLM…CLSID} = “IE Microsoft AutoComplete”

\InProcServer32(Default) = “C:\WINDOWS\system32\browseui.dll” [MS]

“{EFA24E62-B078-11d0-89E4-00C04FC9E26E}” = “History Band”

  • {HKLM…CLSID} = “History Band”

\InProcServer32(Default) = “C:\WINDOWS\system32\shdocvw.dll” [MS]

“{45AC2688-0253-4ED8-97DE-B5370FA7D48A}” = “Shell Extension for Malware scanning”

  • {HKLM…CLSID} = “Shell Extension for Malware scanning”

\InProcServer32(Default) = “C:\Program Files\Avira\AntiVir PersonalEdition Classic\shlext.dll” [“Avira GmbH”]

“{0006F045-0000-0000-C000-000000000046}” = “Microsoft Outlook Custom Icon Handler”

  • {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook”

\InProcServer32(Default) = “C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL” [MS]

“{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler”

  • {HKLM…CLSID} = (no title provided)

\InProcServer32(Default) = “C:\Program Files\Microsoft Office\Office10\msohev.dll” [MS]

“{950FF917-7A57-46BC-8017-59D9BF474000}” = “Shell Extension for CDRW”

  • {HKLM…CLSID} = “Shell Extension for CDRW”

\InProcServer32(Default) = “C:\Program Files\Ahead\InCD\incdshx.dll” [“Ahead Software AG”]

“{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension”

  • {HKLM…CLSID} = “WinRAR”

\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]

“{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}” = “Messenger Sharing Folders”

  • {HKLM…CLSID} = “Moje foldery udostępniania”

\InProcServer32(Default) = “C:\Program Files\MSN Messenger\fsshext.8.1.0178.00.dll” [MS]

“{cc86590a-b60a-48e6-996b-41d25ed39a1e}” = “Portable Media Devices Menu”

  • {HKLM…CLSID} = “Portable Media Devices Menu”

\InProcServer32(Default) = “C:\WINDOWS\system32\Audiodev.dll” [MS]

“{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}” = “Shell Extensions for RealOne Player”

  • {HKLM…CLSID} = “RealOne Player Context Menu Class”

\InProcServer32(Default) = “C:\Program Files\Real\RealPlayer\rpshell.dll” [“RealNetworks, Inc.”]

“{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}” = “PowerISO”

  • {HKLM…CLSID} = “PowerISO”

\InProcServer32(Default) = “C:\Program Files\PowerISO\PWRISOSH.DLL” [“PowerISO Computing, Inc.”]

“{49BF5420-FA7F-11cf-8011-00A0C90A8F78}” = “Mobile Device”

  • {HKLM…CLSID} = “Urządzenie przenośne”

\InProcServer32(Default) = “C:\PROGRA~1\MICROS~3\Wcesview.dll” [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\

{F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info”

  • {HKLM…CLSID} = “PDF Shell Extension”

\InProcServer32(Default) = “C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”]

HKLM\SOFTWARE\Classes*\shellex\ContextMenuHandlers\

PowerISO(Default) = “{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}”

  • {HKLM…CLSID} = “PowerISO”

\InProcServer32(Default) = “C:\Program Files\PowerISO\PWRISOSH.DLL” [“PowerISO Computing, Inc.”]

Shell Extension for Malware scanning(Default) = “{45AC2688-0253-4ED8-97DE-B5370FA7D48A}”

  • {HKLM…CLSID} = “Shell Extension for Malware scanning”

\InProcServer32(Default) = “C:\Program Files\Avira\AntiVir PersonalEdition Classic\shlext.dll” [“Avira GmbH”]

WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”

  • {HKLM…CLSID} = “WinRAR”

\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\

PowerISO(Default) = “{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}”

  • {HKLM…CLSID} = “PowerISO”

\InProcServer32(Default) = “C:\Program Files\PowerISO\PWRISOSH.DLL” [“PowerISO Computing, Inc.”]

WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”

  • {HKLM…CLSID} = “WinRAR”

\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\

PowerISO(Default) = “{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}”

  • {HKLM…CLSID} = “PowerISO”

\InProcServer32(Default) = “C:\Program Files\PowerISO\PWRISOSH.DLL” [“PowerISO Computing, Inc.”]

Shell Extension for Malware scanning(Default) = “{45AC2688-0253-4ED8-97DE-B5370FA7D48A}”

  • {HKLM…CLSID} = “Shell Extension for Malware scanning”

\InProcServer32(Default) = “C:\Program Files\Avira\AntiVir PersonalEdition Classic\shlext.dll” [“Avira GmbH”]

WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”

  • {HKLM…CLSID} = “WinRAR”

\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]

Group Policies {GPedit.msc branch and setting}:

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

“DisableRegistryTools” = (REG_DWORD) dword:0x00000000

{User Configuration|Administrative Templates|System|

Prevent access to registry editing tools}

HKCU\Software\Policies\Microsoft\Windows\System\

“DisableCMD” = (REG_DWORD) dword:0x00000000

{User Configuration|Administrative Templates|System|

Disable the command prompt}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

“shutdownwithoutlogon” = (REG_DWORD) dword:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}

“undockwithoutlogon” = (REG_DWORD) dword:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Devices: Allow undock without having to log on}

Active Desktop and Wallpaper:

Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

“Wallpaper” = “C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp”

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

“Wallpaper” = “C:\Documents and Settings\agu\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp”

Windows Portable Device AutoPlay Handlers

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

IMMediaPlayerOnArrival\

“Provider” = “iMesh”

“ProgID” = “iMesh.LauncherEventHandler”

HKLM\SOFTWARE\Classes\iMesh.LauncherEventHandler\CLSID(Default) = “{2C353E32-B8AC-4B82-B988-4C2D3394388A}”

  • {HKLM…CLSID} = “CLauncherEventHandler Object”

\LocalServer32(Default) = ““C:\PROGRA~1\IMESHA~1\iMesh\Launcher.exe”” [“iMesh Inc.”]

IMPlayCDAudioOnArrival\

“Provider” = “iMesh”

“InvokeProgID” = “iMesh.AudioCD”

“InvokeVerb” = “play”

HKLM\SOFTWARE\Classes\iMesh.AudioCD\shell\play\Command(Default) = “C:\PROGRA~1\IMESHA~1\iMesh\iMesh.exe --playdrive %L” [“iMesh, Inc”]

IMRipCDAudioOnArrival\

“Provider” = “iMesh”

“InvokeProgID” = “iMesh.AudioCD”

“InvokeVerb” = “rip”

HKLM\SOFTWARE\Classes\iMesh.AudioCD\shell\rip\Command(Default) = “C:\PROGRA~1\IMESHA~1\iMesh\iMesh.exe --ripdrive %L” [“iMesh, Inc”]

IMShowCDAudioOnArrival\

“Provider” = “iMesh”

“InvokeProgID” = “iMesh.AudioCD”

“InvokeVerb” = “show”

HKLM\SOFTWARE\Classes\iMesh.AudioCD\shell\show\Command(Default) = “C:\PROGRA~1\IMESHA~1\iMesh\iMesh.exe --showdrive %L” [“iMesh, Inc”]

NeroAutoPlayEmptyCD\

“Provider” = “Nero StartSmart”

“InvokeProgID” = “Nero.AutoPlay”

“InvokeVerb” = “EmptyCD”

HKLM\SOFTWARE\Classes\Nero.AutoPlay\shell\EmptyCD\command(Default) = ““C:\Program Files\Ahead\nero startsmart\nerostartsmart.exe” /Drive:%L” [“Ahead Software AG”]

NeroAutoPlayInCDAutorunEmptyCD\

“Provider” = “InCD”

“InvokeProgID” = “Nero.AutoPlay”

“InvokeVerb” = “InCDAutorunEmptyCD”

HKLM\SOFTWARE\Classes\Nero.AutoPlay\shell\InCDAutorunEmptyCD\command(Default) = “C:\Program Files\Ahead\InCD\InCDL.exe” [“Ahead Software AG”]

PDVDPlayCDAudioOnArrival\

“Provider” = “PowerDVD”

“InvokeProgID” = “AudioCD”

“InvokeVerb” = “PlayWithPowerDVD”

HKLM\SOFTWARE\Classes\AudioCD\shell\PlayWithPowerDVD\Command(Default) = ““C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe” “%L”” [“CyberLink Corp.”]

PDVDPlayVCDMovieOnArrival\

“Provider” = “PowerDVD”

“InvokeProgID” = “VCD”

“InvokeVerb” = “PlayWithPowerDVD”

HKLM\SOFTWARE\Classes\VCD\shell\PlayWithPowerDVD\Command(Default) = ““C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe” “%l”” [“CyberLink Corp.”]

RPCDBurningOnArrival\

“Provider” = “RealPlayer”

“InvokeProgID” = “RealPlayer.CDBurn.6”

“InvokeVerb” = “open”

HKCU\Software\Classes\RealPlayer.CDBurn.6\shell\open\command(Default) = "“C:\Program Files\Real\RealPlayer\realplay.exe” /burn “%1"” [“RealNetworks, Inc.”]

RPDeviceOnArrival\

“Provider” = “RealPlayer”

“ProgID” = “RealPlayer.HWEventHandler”

HKLM\SOFTWARE\Classes\RealPlayer.HWEventHandler\CLSID(Default) = “{67E76F1D-BDE2-4052-913C-2752366192D2}”

  • {HKLM…CLSID} = “RealNetworks Scheduler”

\LocalServer32(Default) = ““C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -autoplay” [“RealNetworks, Inc.”]

RPPlayCDAudioOnArrival\

“Provider” = “RealPlayer”

“InvokeProgID” = “RealPlayer.AudioCD.6”

“InvokeVerb” = “play”

HKCU\Software\Classes\RealPlayer.AudioCD.6\shell\play\command(Default) = "“C:\Program Files\Real\RealPlayer\realplay.exe” /play %1 " [“RealNetworks, Inc.”]

RPPlayDVDMovieOnArrival\

“Provider” = “RealPlayer”

“InvokeProgID” = “RealPlayer.DVD.6”

“InvokeVerb” = “play”

HKCU\Software\Classes\RealPlayer.DVD.6\shell\play\command(Default) = "“C:\Program Files\Real\RealPlayer\realplay.exe” /dvd %1 " [“RealNetworks, Inc.”]

RPPlayMediaOnArrival\

“Provider” = “RealPlayer”

“InvokeProgID” = “RealPlayer.AutoPlay.6”

“InvokeVerb” = “open”

HKCU\Software\Classes\RealPlayer.AutoPlay.6\shell\open\command(Default) = "“C:\Program Files\Real\RealPlayer\realplay.exe” /autoplay “%1"” [“RealNetworks, Inc.”]

Startup items in “agu” “All Users” startup folders:

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

“Microsoft Office” - shortcut to: “C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l” [MS]

“NETGEAR WPN111 Smart Wizard” - shortcut to: “C:\Program Files\NETGEAR\WPN111\wpn111.exe” [“NETGEAR”]

Winsock2 Service Provider DLLs:

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]

000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS]

000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 19

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\

“{2318C2B1-4965-11D4-9B18-009027A5CD4F}”

  • {HKLM…CLSID} = “Google”

\InProcServer32(Default) = “c:\program files\google\googletoolbar1.dll” [“Google Inc.”]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

“{2318C2B1-4965-11D4-9B18-009027A5CD4F}”

  • {HKLM…CLSID} = “Google”

\InProcServer32(Default) = “c:\program files\google\googletoolbar1.dll” [“Google Inc.”]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\

“{2318C2B1-4965-11D4-9B18-009027A5CD4F}” = (no title provided)

  • {HKLM…CLSID} = “Google”

\InProcServer32(Default) = “c:\program files\google\googletoolbar1.dll” [“Google Inc.”]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

“MenuText” = “Sun Java Console”

“CLSIDExtension” = “{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC}”

  • {HKCU…CLSID} = “Java Plug-in 1.6.0_07”

\InProcServer32(Default) = “C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll” [“Sun Microsystems, Inc.”]

  • {HKLM…CLSID} = “Java Plug-in 1.6.0_07”

\InProcServer32(Default) = “C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll” [“Sun Microsystems, Inc.”]

{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}\

“ButtonText” = “Create Mobile Favorite”

“CLSIDExtension” = “{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}”

  • {HKLM…CLSID} = “Create Mobile Favorite”

\InProcServer32(Default) = “C:\PROGRA~1\MICROS~3\INetRepl.dll” [MS]

{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}\

“MenuText” = “Utwórz Ulubione dla urządzenia przenośnego…”

“CLSIDExtension” = “{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}”

  • {HKLM…CLSID} = “Create Mobile Favorite”

\InProcServer32(Default) = “C:\PROGRA~1\MICROS~3\INetRepl.dll” [MS]

{77BF5300-1474-4EC7-9980-D32B190E9B07}\

“ButtonText” = “Skype”

“CLSIDExtension” = “{77BF5300-1474-4EC7-9980-D32B190E9B07}”

  • {HKLM…CLSID} = “Skype add-on (button)”

\InProcServer32(Default) = “C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll” [“Skype Technologies S.A.”]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\

“ButtonText” = “Messenger”

“MenuText” = “Windows Messenger”

“Exec” = “C:\Program Files\Messenger\msmsgs.exe” [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):

AntiVir PersonalEdition Classic Guard, AntiVirService, ““C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe”” [“Avira GmbH”]

AntiVir PersonalEdition Classic Scheduler, AntiVirScheduler, ““C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe”” [“Avira GmbH”]

Cyberlink RichVideo Service(CRVS), RichVideo, ““C:\Program Files\CyberLink\Shared files\RichVideo.exe”” [empty string]

InCD Helper, InCDsrv, “C:\Program Files\Ahead\InCD\InCDsrv.exe” [“Ahead Software AG”]

Machine Debug Manager, MDM, ““C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe”” [MS]

Windows User Mode Driver Framework, UMWdf, “C:\WINDOWS\system32\wdfmgr.exe” [MS]

---------- (launch time: 2008-10-18 20:41:11)

  • This report excludes default entries except where indicated.

  • To see *everywhere* the script checks and *everything* it finds,

launch it from a command prompt or a shortcut with the -all parameter.

  • The search for DESKTOP.INI DLL launch points on all local fixed drives

took 63 seconds.

---------- (total run time: 193 seconds)

#7

???

#8

Drugi komputer

Usuń kosmetycznie te wpisy w HJT

Uruchom HijackThis - Do a system scan only - w oknie programu pokaże się log - zaznacz kratki przy podanych wpisach - klikasz Fix checked

wklej do notatnika:

Zapisz plik jako CFScript.txt najlepiej aby ikonka tego pliku znajdowała się obok ikonki ComboFix.exe

Przeciągnij i upuść plik CFScript.txt na ikonkę ComboFix.exe powinno rozpocząć się usuwanie po tym daj log na forum.

Loga wklej na www.wklejto.pl lub http://www.wklej.org/ a w poście daj tylko linka

#9

oto logi

http://www.wklejto.pl/12614

#10

Nic się nie usunęło, tak jak by Script był pusty - powtórka!

====================

K.

#11

powtórka:

http://www.wklejto.pl/12616

#12

Coś u Ciebie te pliki się nie chce usuwać.

Pobierz —> The Avenger

Wklej do niego ten tekst:

Files to delete:

C:\sqmdata04.sqm

C:\sqmnoopt04.sqm

C:\sqmdata03.sqm

C:\sqmnoopt03.sqm

C:\sqmdata02.sqm

C:\sqmnoopt02.sqm

C:\sqmdata01.sqm

C:\sqmnoopt01.sqm

C:\sqmdata00.sqm

C:\sqmnoopt00.sqm

Kopiujesz - Klikasz na Paste Script from Clipboard - Execute - Potwierdzasz i zgadzasz się na restart klikając OK.

Po wykonaniu skasuj z dysku plik: C:\Avenger\backup.zip i wklej raport na forum C:\avenger.txt

Potem nowy normalny log z ComboFixa.

===================

K.

#13

log z combo

http://www.wklejto.pl/12624

raport avengera:

//////////////////////////////////////////

Avenger Pre-Processor log

//////////////////////////////////////////

Platform: Windows XP (build 2600, Dodatek Service Pack 2)

Sun Oct 19 13:36:06 2008

13:36:06: Error: Invalid script. A valid script must begin with a command directive.

Aborting execution!

//////////////////////////////////////////

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

No rootkits found!

File “C:\sqmdata04.sqm” deleted successfully.

File “C:\sqmnoopt04.sqm” deleted successfully.

File “C:\sqmdata03.sqm” deleted successfully.

File “C:\sqmnoopt03.sqm” deleted successfully.

File “C:\sqmdata02.sqm” deleted successfully.

File “C:\sqmnoopt02.sqm” deleted successfully.

File “C:\sqmdata01.sqm” deleted successfully.

File “C:\sqmnoopt01.sqm” deleted successfully.

File “C:\sqmdata00.sqm” deleted successfully.

File “C:\sqmnoopt00.sqm” deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

#14

Pliki usunięte :slight_smile:

usuń ręcznie folder C: \Qoobox oraz instalkę Combofix z dysku.

Przeczyść system oraz rejestr CCleaner

Wykonaj optymalizacje Autostartu

Wyłącz i włącz przywracanie systemu na wszystkich dyskach. Instrukcja

Przeskanuj obszar Mój komputer Kaspersky Online Scanner Uruchom pod IE daj raport na forum

lub Dr.WEB CureIt!