Malware Doctor


(D2508156) #1

I have a problem with the Malware Doctor program. Below I am posting the ComboFix logs:

ComboFix 09-05-28.07 - Kuba 2009-05-29 11:09.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1250.48.1045.18.2047.1508 [GMT 2:00]

Uruchomiony z: d:\moje dokumenty\Maszyny\ComboFix.exe

AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

.


((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))

.


f:\documents and settings\Kuba.KUBA-NW\Dane aplikacji\wiaserva.log

f:\documents and settings\LocalService\Dane aplikacji\691447002.exe

f:\windows\system\mmtaskclean.log

f:\windows\system32\avast!Antivirus.exe

f:\windows\system32\drivers\zexdvsw.sys

f:\windows\system32\sft.res


.

((((((((((((((((((((((((((((((((((((((( Sterowniki/Usługi )))))))))))))))))))))))))))))))))))))))))))))))))

.


-------\Legacy_avast!antivirus

-------\Service_avast!antivirus



((((((((((((((((((((((((( Pliki utworzone od 2009-04-28 do 2009-05-29 )))))))))))))))))))))))))))))))

.


2009-05-29 08:28 . 2009-05-29 08:28	--------	d-----w	f:\documents and settings\Kuba.KUBA-NW\Dane aplikacji\Malwarebytes

2009-05-29 08:28 . 2009-05-26 11:20	40160	----a-w	f:\windows\system32\drivers\mbamswissarmy.sys

2009-05-29 08:28 . 2009-05-29 08:28	--------	d-----w	f:\documents and settings\All Users\Dane aplikacji\Malwarebytes

2009-05-29 08:28 . 2009-05-26 11:19	19096	----a-w	f:\windows\system32\drivers\mbam.sys

2009-05-29 08:17 . 2009-05-29 08:17	32768	----a-w	f:\windows\system32\avast!Antivirus(3).exe

2009-05-03 22:50 . 2009-05-03 22:50	--------	d-----w	f:\documents and settings\KUBA~1~KUB\USTAWI~1

2009-05-03 22:50 . 2009-05-03 22:50	--------	d-----w	f:\documents and settings\KUBA~1~KUB

2009-05-03 21:58 . 2009-05-03 21:58	--------	d-----w	f:\program files\Common Files\Wise Installation Wizard

2009-05-03 21:21 . 2009-05-03 21:48	--------	d-----w	f:\program files\AGEIA Technologies

2009-05-03 21:21 . 2009-05-03 21:21	--------	d-----w	f:\windows\system32\AGEIA

2009-05-02 08:51 . 2009-05-02 08:51	--------	d-----w	f:\documents and settings\Kuba.KUBA-NW\Dane aplikacji\New Technology Studio

2009-04-29 22:18 . 2009-04-29 22:18	--------	d-----w	F:\t

2009-04-29 22:05 . 2009-04-29 22:05	--------	d-----w	F:\d

2009-04-29 21:53 . 2007-07-24 13:58	95616	----a-w	F:\junction.exe


.

(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-05-29 09:13 . 2009-04-05 08:53	83294	----a-w	f:\windows\system32\drivers\45ec582f.sys

2009-05-29 09:13 . 2008-11-27 15:25	--------	d-----w	f:\documents and settings\Kuba.KUBA-NW\Dane aplikacji\Orbit

2009-05-29 09:10 . 2008-12-03 17:56	814312	----a-w	f:\documents and settings\LocalService\Ustawienia lokalne\Dane aplikacji\FontCache3.0.0.0.dat

2009-05-29 08:52 . 2008-03-31 07:42	--------	d-----w	f:\program files\Kalendarz XP

2009-05-29 08:13 . 2009-05-03 21:44	4904	----a-w	f:\windows\system32\PerfStringBackup.TMP

2009-05-29 08:13 . 2004-08-04 12:00	90632	----a-w	f:\windows\system32\perfc015.dat

2009-05-29 08:13 . 2004-08-04 12:00	503918	----a-w	f:\windows\system32\perfh015.dat

2009-05-28 20:28 . 2008-03-29 10:21	--------	d-----w	f:\program files\Mozilla Thunderbird

2009-05-20 22:10 . 2008-04-20 16:02	--------	d-----w	f:\documents and settings\Kuba.KUBA-NW\Dane aplikacji\Skype

2009-05-20 06:00 . 2008-04-20 16:13	--------	d-----w	f:\documents and settings\Kuba.KUBA-NW\Dane aplikacji\skypePM

2009-05-03 22:50 . 2008-02-28 21:38	--------	d-----w	f:\program files\Realtek

2009-05-03 21:08 . 2008-09-15 16:20	--------	d-----w	f:\documents and settings\Kuba.KUBA-NW\Dane aplikacji\GetRightToGo

2009-04-29 22:33 . 2008-03-29 10:14	--------	d-----w	f:\program files\Microsoft Office backup

2009-04-28 22:58 . 2009-04-28 22:58	221252	----a-w	f:\windows\system32\maskDll.dll

2009-04-28 22:58 . 2009-04-28 22:58	200776	----a-w	f:\windows\system32\unMaskDLL.dll

2009-04-27 16:33 . 2008-02-28 21:25	78800	----a-w	f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Dane aplikacji\GDIPFONTCACHEV1.DAT

2009-04-26 23:46 . 2008-02-28 21:35	--------	d--h--w	f:\program files\InstallShield Installation Information

2009-04-19 19:21 . 2009-04-19 19:20	--------	d-----w	f:\program files\DOSBox-0.72

2009-04-15 11:24 . 2009-04-15 11:24	29184	----a-w	f:\windows\system32\smstf.dll

2009-04-11 17:16 . 2008-11-27 15:25	--------	d-----w	f:\program files\Orbitdownloader

2009-04-07 18:19 . 2008-03-29 10:49	--------	d-----w	f:\program files\Gadu-Gadu

2009-03-30 20:57 . 2008-05-12 10:18	--------	d-----w	f:\program files\NAPI-PROJEKT

2009-03-27 06:14 . 2008-03-10 17:50	453152	----a-w	f:\windows\system32\NVUNINST.EXE

.


((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane  

REGEDIT4


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f30b5e7e-cfbb-44fb-a947-226e5a7a4290}]

2009-05-29 09:13	29184	----a-w	f:\windows\system32\jhxm32.dll


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="f:\windows\system32\ctfmon.exe" [2004-08-04 15360]

"SkinClock"="f:\program files\Desktop Tray Clock\DTClock.exe" [2006-08-18 1712128]

"DAEMON Tools"="f:\program files\DAEMON Tools\daemon.exe" [2007-09-18 171464]

"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="f:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-02-28 1828136]

"AdobeUpdater"="f:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 2321600]

"RGSC"="e:\gta4\Rockstar Games Social Club\RGSCLauncher.exe" [2008-12-13 306088]

"Malware Doctor"="f:\documents and settings\LocalService\Dane aplikacji\691447002.exe" [2009-05-29 96768]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="f:\windows\system32\NvCpl.dll" [2009-03-27 13684736]

"Adobe Reader Speed Launcher"="f:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]

"WinampAgent"="f:\program files\winamp\winampa.exe" [2008-01-15 37376]

"avgnt"="f:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 262401]

"NeroFilterCheck"="f:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-04-28 570664]

"NBKeyScan"="e:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 2221352]

"SunJavaUpdateSched"="f:\program files\Java\jre6\bin\jusched.exe" [2008-12-01 136600]

"NvMediaCenter"="f:\windows\system32\NvMcTray.dll" [2009-03-27 86016]

"Malware Doctor"="f:\documents and settings\LocalService\Dane aplikacji\691447002.exe" [2009-05-29 96768]

"RTHDCPL"="RTHDCPL.EXE" - f:\windows\RTHDCPL.exe [2007-03-21 16126464]

"nwiz"="nwiz.exe" - f:\windows\system32\nwiz.exe [2009-03-27 1657376]


[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="f:\windows\system32\CTFMON.EXE" [2004-08-04 15360]


f:\documents and settings\Kuba.KUBA-NW\Menu Start\Programy\Autostart\

kalendarz.lnk - f:\program files\Kalendarz XP\Start.exe [2008-3-31 30208]


f:\documents and settings\All Users\Menu Start\Programy\Autostart\

Orbit.lnk - f:\program files\Orbitdownloader\orbitdm.exe [2008-11-27 1690824]

Przyspieszenie uruchomienia programu AutoCAD.lnk - f:\program files\Common Files\Autodesk Shared\acstart17.exe [2006-3-5 11000]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"DisableTaskMgr"= 1 (0x1)

"DisableRegistryTools"= 1 (0x1)


[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"d:\\Test drive\\TestDriveUnlimited.exe"=

"f:\\Program Files\\Gadu-Gadu\\gg.exe"=

"f:\\Program Files\\mIRC\\mirc.exe"=

"d:\\Alien Shooter 2\\AlienShooter.exe"=

"d:\\Program Files\\WapSter\\AQQ\\AQQ.exe"=

"d:\\PROGRA~1\\WapSter\\AQQ\\AQQ.exe"=

"d:\\Program Files\\Gadu-Gadu\\gg.exe"=

"d:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XII.SP2c\\RpcAgentSrv.exe"=

"d:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XII.SP2c\\WNt500x86\\RpcSandraSrv.exe"=

"d:\\Program Files\\eMule\\emule.exe"=

"e:\\Sid Meier's Civilization 4 Complete\\Civilization4.exe"=

"e:\\Sid Meier's Civilization 4 Complete\\Warlords\\Civ4Warlords.exe"=

"e:\\Sid Meier's Civilization 4 Complete\\Beyond the Sword\\Civ4BeyondSword.exe"=

"e:\\Sid Meier's Civilization 4 Complete\\Warlords\\Civ4Warlords_PitBoss.exe"=

"e:\\Sid Meier's Civilization 4 Complete\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=

"g:\\HEROES3\\Death\\Heroes3.exe"=

"d:\\Herosi\\Heroes3.exe"=

"f:\\Program Files\\Orbitdownloader\\orbitdm.exe"=

"f:\\Program Files\\Orbitdownloader\\orbitnet.exe"=

"e:\\GTA 4\\Grand Theft Auto IV\\LaunchGTAIV.exe"=

"e:\\GTA 4\\Grand Theft Auto IV\\GTAIV.exe"=

"e:\\GTA4\\Rockstar Games Social Club\\RGSCLauncher.exe"=

"f:\\Program Files\\Skype\\Phone\\Skype.exe"=

"d:\\Supreme Commander\\Supreme Commander - Forged Alliance\\bin\\ForgedAlliance.exe"=

"d:\\Supreme Commander\\Supreme Commander\\bin\\SupremeCommander.exe"=

"d:\\Supreme Commander\\GPGNet\\GPG.Multiplayer.Client.exe"=


[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"444:UDP"= 444:UDP:444

"444:TCP"= 444:TCP:444


[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

"AllowInboundEchoRequest"= 1 (0x1)


R2 ABBYY.Licensing.FineReader.Professional.9.0;ABBYY FineReader 9.0 PE Licensing Service;f:\program files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe [2007-12-06 660768]

R2 avast!Antivirus;avast!Antivirus;f:\windows\System32\avast!Antivirus.exe -k netsvcs --> f:\windows\System32\avast!Antivirus.exe -k netsvcs [?]

R2 SandraAgentSrv;SiSoftware Deployment Agent Service;d:\program files\SiSoftware\SiSoftware Sandra Lite XII.SP2c\RpcAgentSrv.exe [2008-07-13 98488]

R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;f:\windows\system32\drivers\atl01_xp.sys [2008-02-28 38656]

R3 DDCCI;DDC/CI monitor;f:\windows\system32\drivers\Moni2c.sys [2008-03-27 6494]

S0 bvli;bvli;f:\windows\system32\drivers\zexdvsw.sys --> f:\windows\system32\drivers\zexdvsw.sys [?]

S3 NDSPCIIO;NDSPCIIO;\??\f:\windows\system32\DRIVERS\NDSPCIIO.SYS --> f:\windows\system32\DRIVERS\NDSPCIIO.SYS [?]


--- Inne Usługi/Sterowniki w Pamięci ---


*NewlyCreated* - avast!antivirus

.

- - - - USUNIĘTO PUSTE WPISY - - - -


HKCU-Run-wsctf.exe - wsctf.exe

Notify-WgaLogon - (no file)

SafeBoot-procexp90.sys



.

------- Skan uzupełniający -------

.

uStart Page = hxxp://search.orbitdownloader.com/

IE: &Download by Orbit - f:\program files\Orbitdownloader\orbitmxt.dll/201

IE: &Grab video by Orbit - f:\program files\Orbitdownloader\orbitmxt.dll/204

IE: Add to Google Photos Screensa&ver - f:\windows\system32\GPhotos.scr/200

IE: Do&wnload selected by Orbit - f:\program files\Orbitdownloader\orbitmxt.dll/203

IE: Down&load all by Orbit - f:\program files\Orbitdownloader\orbitmxt.dll/202

IE: E&ksport do programu Microsoft Excel - f:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

FF - ProfilePath - f:\documents and settings\Kuba.KUBA-NW\Dane aplikacji\Mozilla\Firefox\Profiles\d0gqwv3v.default\

FF - prefs.js: browser.startup.homepage - www.onet.pl

FF - plugin: d:\opera\program\plugins\npdsplay.dll

FF - plugin: d:\opera\program\plugins\npwmsdrm.dll

FF - plugin: f:\program files\Google\Picasa3\npPicasa3.dll

FF - plugin: f:\program files\Mozilla Firefox\plugins\np-mswmp.dll

FF - plugin: f:\program files\Mozilla Firefox\plugins\npOggX.dll


---- FIREFOX - SPOSÓB POSTĘPOWANIA ----

FF - user.js: security.checkloaduri - false

FF - user.js: capability.policy.default.checkloaduri.enabled - allAccess.


**************************************************************************


catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-05-29 11:13

Windows 5.1.2600 Dodatek Service Pack 3 NTFS


skanowanie ukrytych procesów ...  


skanowanie ukrytych wpisów autostartu ... 


skanowanie ukrytych plików ...  



f:\windows\system32\jhxm32.dll


skanowanie pomyślnie ukończone

ukryte pliki: 1


**************************************************************************


[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\45ec582f]

"ImagePath"="\SystemRoot\System32\drivers\45ec582f.sys"

.

--------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------


[HKEY_USERS\s-1-5-21-436374069-1060284298-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"??"=hex:c2,f8,76,21,3f,ba,cb,dc,db,5a,01,5d,88,f1,d9,d2,bc,9e,27,dc,a5,da,35,

   19,14,4d,ab,35,3a,d6,19,05,19,64,b2,27,f9,5c,f4,8d,64,2e,3c,e0,31,aa,21,29,\

"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50


[HKEY_USERS\s-1-5-21-436374069-1060284298-725345543-1003\Software\SecuROM\License information*]

"datasecu"=hex:d8,60,ff,89,e6,f2,7c,f6,a6,e0,c6,52,85,09,f2,67,a4,70,ea,f0,ba,

   e7,03,7f,b2,9c,08,8e,ab,e8,ee,83,0f,66,eb,ed,29,bc,7c,5b,1e,d5,eb,19,13,f3,\

"rkeysecu"=hex:2f,0f,d5,3e,02,2b,06,63,b1,0b,dd,b6,71,e2,54,98

.

--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------


- - - - - - - > 'explorer.exe'(1732)

f:\program files\Desktop Tray Clock\Clock.dll

f:\windows\system32\WPDShServiceObj.dll

f:\windows\system32\PortableDeviceTypes.dll

f:\windows\system32\PortableDeviceApi.dll

f:\windows\system32\browselc.dll

f:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

f:\windows\system32\jhxm32.dll

f:\program files\Microsoft Office\OFFICE11\msohev.dll

f:\program files\Common Files\Nero\Lib\NeroDigitalExt.dll

f:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll

.

------------------------ Pozostałe uruchomione procesy ------------------------

.

f:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe

d:\program files junction\Adobe\Reader 8.0\Reader\reader_sl.exe

f:\windows\system32\rundll32.exe

f:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe

f:\program files\Java\jre6\bin\jqs.exe

f:\program files\Orbitdownloader\orbitnet.exe

e:\program files\Nero\Nero8\Nero BackItUp\NBService.exe

f:\program files\Kalendarz XP\Kalendarz.exe

f:\windows\system32\nvsvc32.exe

f:\windows\system32\IoctlSvc.exe

f:\windows\system32\wscntfy.exe

f:\program files\Common Files\Nero\Lib\NMIndexingService.exe

f:\windows\system32\wbem\wmiapsrv.exe

f:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe

f:\windows\system32\avast!Antivirus.exe

f:\windows\system32\notepad.exe

.

**************************************************************************

.

Czas ukończenia: 2009-05-29 11:14 - komputer został uruchomiony ponownie

ComboFix-quarantined-files.txt 2009-05-29 09:14


Przed: 1 818 087 424 bajtów wolnych

Po: 2 388 976 128 bajtów wolnych


WindowsXP-KB310994-SP2-Pro-BootDisk-PLK.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect


234	--- E O F ---	2009-03-12 02:01

What should I do about this?


(Spandau) #2

Scan this file, f:\junction.exe, here: http://www.virustotal.com/pl/ and post the report on the forum.

Paste into Notepad:

Save the file as CFScript.txt, preferably so that this file's icon sits next to the ComboFix.exe icon.

Drag and drop the CFScript.txt file onto the ComboFix.exe icon; the removal should start. Afterwards, post the log on the forum.

Paste the log at www.wklejto.pl or http://www.wklej.org/ and put the link in your post.


(D2508156) #3

Log from ComboFix:

ComboFix 09-05-28.07 - Kuba 2009-05-29 11:56.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1250.48.1045.18.2047.1506 [GMT 2:00]

Uruchomiony z: d:\moje dokumenty\Maszyny\ComboFix.exe

Użyto następujących komend :: d:\moje dokumenty\Maszyny\CFScript.txt

AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}


FILE ::

"f:\documents and settings\LocalService\Dane aplikacji\691447002.exe"

"f:\windows\system32\avast!Antivirus(3).exe"

"f:\windows\system32\drivers\45ec582f.sys"

"f:\windows\system32\jhxm32.dll"

"f:\windows\system32\smstf.dll"

.


((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))

.


f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\burnlib.lng

f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\dsp_sps.lng

f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\enc_aacplus.lng

f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\enc_flac.lng

f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\enc_lame.lng

f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\enc_vorbis.lng

f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\enc_wav.lng

f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\enc_wma.lng

f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\gen_crasher.lng

f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\gen_ff.lng

f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\gen_hotkeys.lng

f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\gen_ml.lng

f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\gen_tray.lng

f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\in_cdda.lng

f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\in_dshow.lng

f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\in_flac.lng

f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\in_linein.lng

f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\in_midi.lng

f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\in_mod.lng

f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\in_mp3.lng

f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\in_mp4.lng

f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\in_nsv.lng

f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\in_vorbis.lng

f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\in_wave.lng

f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\in_wm.lng

f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\ml_autotag.lng

f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\ml_bookmarks.lng

f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\ml_dash.lng

f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\ml_disc.lng

f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\ml_history.lng

f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\ml_local.lng

f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\ml_nowplaying.lng

f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\ml_online.lng

f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\ml_orb.lng

f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\ml_playlists.lng

f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\ml_plg.lng

f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\ml_pmp.lng

f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\ml_rg.lng

f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\ml_transcode.lng

f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\ml_wire.lng

f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\out_disk.lng

f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\out_ds.lng

f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\out_wave.lng

f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\pmp_activesync.lng

f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\pmp_ipod.lng

f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\pmp_njb.lng

f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\pmp_p4s.lng

f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\pmp_usb.lng

f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\tagz.lng

f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\vis_avs.lng

f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\vis_avs_282.lng

f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\vis_milk.lng

f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\vis_milk2.lng

f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\vis_nsfs.lng

f:\docume~1\KUBA~1.KUB\USTAWI~1\Temp\WLZA180.tmp\winamp.lng

f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\burnlib.lng

f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\dsp_sps.lng

f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\enc_aacplus.lng

f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\enc_flac.lng

f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\enc_lame.lng

f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\enc_vorbis.lng

f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\enc_wav.lng

f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\enc_wma.lng

f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\gen_crasher.lng

f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\gen_ff.lng

f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\gen_hotkeys.lng

f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\gen_ml.lng

f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\gen_tray.lng

f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\in_cdda.lng

f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\in_dshow.lng

f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\in_flac.lng

f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\in_linein.lng

f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\in_midi.lng

f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\in_mod.lng

f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\in_mp3.lng

f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\in_mp4.lng

f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\in_nsv.lng

f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\in_vorbis.lng

f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\in_wave.lng

f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\in_wm.lng

f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\ml_autotag.lng

f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\ml_bookmarks.lng

f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\ml_dash.lng

f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\ml_disc.lng

f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\ml_history.lng

f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\ml_local.lng

f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\ml_nowplaying.lng

f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\ml_online.lng

f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\ml_orb.lng

f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\ml_playlists.lng

f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\ml_plg.lng

f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\ml_pmp.lng

f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\ml_rg.lng

f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\ml_transcode.lng

f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\ml_wire.lng

f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\out_disk.lng

f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\out_ds.lng

f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\out_wave.lng

f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\pmp_activesync.lng

f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\pmp_ipod.lng

f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\pmp_njb.lng

f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\pmp_p4s.lng

f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\pmp_usb.lng

f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\tagz.lng

f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\vis_avs.lng

f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\vis_avs_282.lng

f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\vis_milk.lng

f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\vis_milk2.lng

f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\vis_nsfs.lng

f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Temp\WLZA180.tmp\winamp.lng

f:\documents and settings\LocalService\Dane aplikacji\691447002.exe

f:\program files\Internet Explorer\setupapi.dll

f:\windows\system32\avast!Antivirus(3).exe

f:\windows\system32\avast!Antivirus.exe

f:\windows\system32\drivers\45ec582f.sys

f:\windows\system32\jhxm32.dll

f:\windows\system32\sft.res

f:\windows\system32\smstf.dll


.

((((((((((((((((((((((((((((((((((((((( Sterowniki/Usługi )))))))))))))))))))))))))))))))))))))))))))))))))

.


-------\Legacy_avast!antivirus

-------\Service_bvli

-------\Service_45ec582f



((((((((((((((((((((((((( Pliki utworzone od 2009-04-28 do 2009-05-29 )))))))))))))))))))))))))))))))

.


2009-05-29 08:28 . 2009-05-29 08:28	--------	d-----w	f:\documents and settings\Kuba.KUBA-NW\Dane aplikacji\Malwarebytes

2009-05-29 08:28 . 2009-05-26 11:20	40160	----a-w	f:\windows\system32\drivers\mbamswissarmy.sys

2009-05-29 08:28 . 2009-05-29 08:28	--------	d-----w	f:\documents and settings\All Users\Dane aplikacji\Malwarebytes

2009-05-29 08:28 . 2009-05-26 11:19	19096	----a-w	f:\windows\system32\drivers\mbam.sys

2009-05-03 22:50 . 2009-05-03 22:50	--------	d-----w	f:\documents and settings\KUBA~1~KUB\USTAWI~1

2009-05-03 22:50 . 2009-05-03 22:50	--------	d-----w	f:\documents and settings\KUBA~1~KUB

2009-05-03 21:58 . 2009-05-03 21:58	--------	d-----w	f:\program files\Common Files\Wise Installation Wizard

2009-05-03 21:21 . 2009-05-03 21:48	--------	d-----w	f:\program files\AGEIA Technologies

2009-05-03 21:21 . 2009-05-03 21:21	--------	d-----w	f:\windows\system32\AGEIA

2009-05-02 08:51 . 2009-05-02 08:51	--------	d-----w	f:\documents and settings\Kuba.KUBA-NW\Dane aplikacji\New Technology Studio

2009-04-29 22:18 . 2009-04-29 22:18	--------	d-----w	F:\t

2009-04-29 22:05 . 2009-04-29 22:05	--------	d-----w	F:\d

2009-04-29 21:53 . 2007-07-24 13:58	95616	----a-w	F:\junction.exe


.

(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-05-29 10:00 . 2008-11-27 15:25	--------	d-----w	f:\documents and settings\Kuba.KUBA-NW\Dane aplikacji\Orbit

2009-05-29 09:57 . 2008-12-03 17:56	814312	----a-w	f:\documents and settings\LocalService\Ustawienia lokalne\Dane aplikacji\FontCache3.0.0.0.dat

2009-05-29 09:57 . 2008-03-31 07:42	--------	d-----w	f:\program files\Kalendarz XP

2009-05-29 08:13 . 2009-05-03 21:44	4904	----a-w	f:\windows\system32\PerfStringBackup.TMP

2009-05-29 08:13 . 2004-08-04 12:00	90632	----a-w	f:\windows\system32\perfc015.dat

2009-05-29 08:13 . 2004-08-04 12:00	503918	----a-w	f:\windows\system32\perfh015.dat

2009-05-28 20:28 . 2008-03-29 10:21	--------	d-----w	f:\program files\Mozilla Thunderbird

2009-05-20 22:10 . 2008-04-20 16:02	--------	d-----w	f:\documents and settings\Kuba.KUBA-NW\Dane aplikacji\Skype

2009-05-20 06:00 . 2008-04-20 16:13	--------	d-----w	f:\documents and settings\Kuba.KUBA-NW\Dane aplikacji\skypePM

2009-05-03 22:50 . 2008-02-28 21:38	--------	d-----w	f:\program files\Realtek

2009-05-03 21:08 . 2008-09-15 16:20	--------	d-----w	f:\documents and settings\Kuba.KUBA-NW\Dane aplikacji\GetRightToGo

2009-04-29 22:33 . 2008-03-29 10:14	--------	d-----w	f:\program files\Microsoft Office backup

2009-04-28 22:58 . 2009-04-28 22:58	221252	----a-w	f:\windows\system32\maskDll.dll

2009-04-28 22:58 . 2009-04-28 22:58	200776	----a-w	f:\windows\system32\unMaskDLL.dll

2009-04-27 16:33 . 2008-02-28 21:25	78800	----a-w	f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Dane aplikacji\GDIPFONTCACHEV1.DAT

2009-04-26 23:46 . 2008-02-28 21:35	--------	d--h--w	f:\program files\InstallShield Installation Information

2009-04-19 19:21 . 2009-04-19 19:20	--------	d-----w	f:\program files\DOSBox-0.72

2009-04-11 17:16 . 2008-11-27 15:25	--------	d-----w	f:\program files\Orbitdownloader

2009-04-07 18:19 . 2008-03-29 10:49	--------	d-----w	f:\program files\Gadu-Gadu

2009-03-30 20:57 . 2008-05-12 10:18	--------	d-----w	f:\program files\NAPI-PROJEKT

2009-03-27 06:14 . 2008-03-10 17:50	453152	----a-w	f:\windows\system32\NVUNINST.EXE

.


((((((((((((((((((((((((((((( SnapShot@2009-05-29_09.13.04 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-05-29 09:59 . 2009-05-29 09:59	16384 f:\windows\Temp\Perflib_Perfdata_31c.dat

.

((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane  

REGEDIT4


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="f:\windows\system32\ctfmon.exe" [2004-08-04 15360]

"SkinClock"="f:\program files\Desktop Tray Clock\DTClock.exe" [2006-08-18 1712128]

"DAEMON Tools"="f:\program files\DAEMON Tools\daemon.exe" [2007-09-18 171464]

"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="f:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-02-28 1828136]

"AdobeUpdater"="f:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 2321600]

"RGSC"="e:\gta4\Rockstar Games Social Club\RGSCLauncher.exe" [2008-12-13 306088]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="f:\windows\system32\NvCpl.dll" [2009-03-27 13684736]

"Adobe Reader Speed Launcher"="f:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]

"WinampAgent"="f:\program files\winamp\winampa.exe" [2008-01-15 37376]

"avgnt"="f:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 262401]

"NeroFilterCheck"="f:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-04-28 570664]

"NBKeyScan"="e:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 2221352]

"SunJavaUpdateSched"="f:\program files\Java\jre6\bin\jusched.exe" [2008-12-01 136600]

"NvMediaCenter"="f:\windows\system32\NvMcTray.dll" [2009-03-27 86016]

"RTHDCPL"="RTHDCPL.EXE" - f:\windows\RTHDCPL.exe [2007-03-21 16126464]

"nwiz"="nwiz.exe" - f:\windows\system32\nwiz.exe [2009-03-27 1657376]


[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="f:\windows\system32\CTFMON.EXE" [2004-08-04 15360]


f:\documents and settings\Kuba.KUBA-NW\Menu Start\Programy\Autostart\

kalendarz.lnk - f:\program files\Kalendarz XP\Start.exe [2008-3-31 30208]


f:\documents and settings\All Users\Menu Start\Programy\Autostart\

Orbit.lnk - f:\program files\Orbitdownloader\orbitdm.exe [2008-11-27 1690824]

Przyspieszenie uruchomienia programu AutoCAD.lnk - f:\program files\Common Files\Autodesk Shared\acstart17.exe [2006-3-5 11000]


[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"d:\\Test drive\\TestDriveUnlimited.exe"=

"f:\\Program Files\\Gadu-Gadu\\gg.exe"=

"f:\\Program Files\\mIRC\\mirc.exe"=

"d:\\Alien Shooter 2\\AlienShooter.exe"=

"d:\\Program Files\\WapSter\\AQQ\\AQQ.exe"=

"d:\\PROGRA~1\\WapSter\\AQQ\\AQQ.exe"=

"d:\\Program Files\\Gadu-Gadu\\gg.exe"=

"d:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XII.SP2c\\RpcAgentSrv.exe"=

"d:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XII.SP2c\\WNt500x86\\RpcSandraSrv.exe"=

"d:\\Program Files\\eMule\\emule.exe"=

"e:\\Sid Meier's Civilization 4 Complete\\Civilization4.exe"=

"e:\\Sid Meier's Civilization 4 Complete\\Warlords\\Civ4Warlords.exe"=

"e:\\Sid Meier's Civilization 4 Complete\\Beyond the Sword\\Civ4BeyondSword.exe"=

"e:\\Sid Meier's Civilization 4 Complete\\Warlords\\Civ4Warlords_PitBoss.exe"=

"e:\\Sid Meier's Civilization 4 Complete\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=

"g:\\HEROES3\\Death\\Heroes3.exe"=

"d:\\Herosi\\Heroes3.exe"=

"f:\\Program Files\\Orbitdownloader\\orbitdm.exe"=

"f:\\Program Files\\Orbitdownloader\\orbitnet.exe"=

"e:\\GTA 4\\Grand Theft Auto IV\\LaunchGTAIV.exe"=

"e:\\GTA 4\\Grand Theft Auto IV\\GTAIV.exe"=

"e:\\GTA4\\Rockstar Games Social Club\\RGSCLauncher.exe"=

"f:\\Program Files\\Skype\\Phone\\Skype.exe"=

"d:\\Supreme Commander\\Supreme Commander - Forged Alliance\\bin\\ForgedAlliance.exe"=

"d:\\Supreme Commander\\Supreme Commander\\bin\\SupremeCommander.exe"=

"d:\\Supreme Commander\\GPGNet\\GPG.Multiplayer.Client.exe"=


[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"444:UDP"= 444:UDP:444

"444:TCP"= 444:TCP:444


[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

"AllowInboundEchoRequest"= 1 (0x1)


R2 ABBYY.Licensing.FineReader.Professional.9.0;ABBYY FineReader 9.0 PE Licensing Service;f:\program files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe [2007-12-06 660768]

R2 SandraAgentSrv;SiSoftware Deployment Agent Service;d:\program files\SiSoftware\SiSoftware Sandra Lite XII.SP2c\RpcAgentSrv.exe [2008-07-13 98488]

R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;f:\windows\system32\drivers\atl01_xp.sys [2008-02-28 38656]

R3 DDCCI;DDC/CI monitor;f:\windows\system32\drivers\Moni2c.sys [2008-03-27 6494]

S3 NDSPCIIO;NDSPCIIO;\??\f:\windows\system32\DRIVERS\NDSPCIIO.SYS --> f:\windows\system32\DRIVERS\NDSPCIIO.SYS [?]

.

.

------- Skan uzupełniający -------

.

uStart Page = hxxp://search.orbitdownloader.com/

IE: &Download by Orbit - f:\program files\Orbitdownloader\orbitmxt.dll/201

IE: &Grab video by Orbit - f:\program files\Orbitdownloader\orbitmxt.dll/204

IE: Add to Google Photos Screensa&ver - f:\windows\system32\GPhotos.scr/200

IE: Do&wnload selected by Orbit - f:\program files\Orbitdownloader\orbitmxt.dll/203

IE: Down&load all by Orbit - f:\program files\Orbitdownloader\orbitmxt.dll/202

IE: E&ksport do programu Microsoft Excel - f:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

FF - ProfilePath - f:\documents and settings\Kuba.KUBA-NW\Dane aplikacji\Mozilla\Firefox\Profiles\d0gqwv3v.default\

FF - prefs.js: browser.startup.homepage - www.onet.pl


---- FIREFOX - SPOSÓB POSTĘPOWANIA ----

FF - user.js: security.checkloaduri - false

FF - user.js: capability.policy.default.checkloaduri.enabled - allAccess.


**************************************************************************


catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-05-29 11:59

Windows 5.1.2600 Dodatek Service Pack 3 NTFS


skanowanie ukrytych procesów ...  


skanowanie ukrytych wpisów autostartu ... 


skanowanie ukrytych plików ...  


skanowanie pomyślnie ukończone

ukryte pliki: 0


**************************************************************************

.

--------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------


[HKEY_USERS\S-1-5-21-436374069-1060284298-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"??"=hex:c2,f8,76,21,3f,ba,cb,dc,db,5a,01,5d,88,f1,d9,d2,bc,9e,27,dc,a5,da,35,

   19,14,4d,ab,35,3a,d6,19,05,19,64,b2,27,f9,5c,f4,8d,64,2e,3c,e0,31,aa,21,29,\

"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50


[HKEY_USERS\S-1-5-21-436374069-1060284298-725345543-1003\Software\SecuROM\License information*]

"datasecu"=hex:d8,60,ff,89,e6,f2,7c,f6,a6,e0,c6,52,85,09,f2,67,a4,70,ea,f0,ba,

   e7,03,7f,b2,9c,08,8e,ab,e8,ee,83,0f,66,eb,ed,29,bc,7c,5b,1e,d5,eb,19,13,f3,\

"rkeysecu"=hex:2f,0f,d5,3e,02,2b,06,63,b1,0b,dd,b6,71,e2,54,98

.

--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------


- - - - - - - > 'explorer.exe'(3700)

f:\program files\Desktop Tray Clock\Clock.dll

f:\windows\system32\WPDShServiceObj.dll

f:\windows\system32\PortableDeviceTypes.dll

f:\windows\system32\PortableDeviceApi.dll

.

------------------------ Pozostałe uruchomione procesy ------------------------

.

f:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe

d:\program files junction\Adobe\Reader 8.0\Reader\reader_sl.exe

f:\windows\system32\rundll32.exe

f:\program files\Kalendarz XP\Kalendarz.exe

f:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe

f:\program files\Orbitdownloader\orbitnet.exe

f:\program files\Java\jre6\bin\jqs.exe

e:\program files\Nero\Nero8\Nero BackItUp\NBService.exe

e:\gta4\Rockstar Games Social Club\1_1_3_0\RGSC.exe

f:\windows\system32\nvsvc32.exe

f:\windows\system32\IoctlSvc.exe

f:\program files\Common Files\Nero\Lib\NMIndexingService.exe

f:\windows\system32\wbem\wmiapsrv.exe

f:\windows\system32\wscntfy.exe

f:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe

.

**************************************************************************

.

Czas ukończenia: 2009-05-29 12:01 - komputer został uruchomiony ponownie

ComboFix-quarantined-files.txt 2009-05-29 10:01

ComboFix2.txt 2009-05-29 09:14


Przed: 2 264 782 336 bajtów wolnych

Po: 2 252 440 064 bajtów wolnych


319	--- E O F ---	2009-03-12 02:01

The problem looks solved, Malware Doctor is gone :slight_smile: As for f:\junction.exe:

File junction.exe received 2009.05.13 15:54:27 (UTC)

Current status: finished

Result: 0/39 (0.00%)

Antivirus	Version	Last update	Result

a-squared	4.0.0.101	2009.05.13	-

AhnLab-V3	5.0.0.2	2009.05.13	-

AntiVir	7.9.0.166	2009.05.13	-

Antiy-AVL	2.0.3.1	2009.05.13	-

Authentium	5.1.2.4	2009.05.13	-

Avast	4.8.1335.0	2009.05.12	-

AVG	8.5.0.327	2009.05.13	-

BitDefender	7.2	2009.05.13	-

CAT-QuickHeal	10.00	2009.05.13	-

ClamAV	0.94.1	2009.05.13	-

Comodo	1157	2009.05.08	-

DrWeb	5.0.0.12182	2009.05.13	-

eSafe	7.0.17.0	2009.05.12	-

eTrust-Vet	31.6.6503	2009.05.13	-

F-Prot	4.4.4.56	2009.05.13	-

F-Secure	8.0.14470.0	2009.05.13	-

Fortinet	3.117.0.0	2009.05.13	-

GData	19	2009.05.13	-

Ikarus	T3.1.1.49.0	2009.05.13	-

K7AntiVirus	7.10.734	2009.05.13	-

Kaspersky	7.0.0.125	2009.05.13	-

McAfee	5613	2009.05.12	-

McAfee+Artemis	5613	2009.05.12	-

McAfee-GW-Edition	6.7.6	2009.05.13	-

Microsoft	1.4602	2009.05.13	-

NOD32	4071	2009.05.13	-

Norman	6.01.05	2009.05.13	-

nProtect	2009.1.8.0	2009.05.13	-

Panda	10.0.0.14	2009.05.13	-

PCTools	4.4.2.0	2009.05.07	-

Prevx	3.0	2009.05.13	-

Rising	21.29.24.00	2009.05.13	-

Sophos	4.41.0	2009.05.13	-

Sunbelt	3.2.1858.2	2009.05.13	-

Symantec	1.4.4.12	2009.05.13	-

TheHacker	6.3.4.1.325	2009.05.12	-

TrendMicro	8.950.0.1092	2009.05.13	-

VBA32	3.12.10.5	2009.05.13	-

ViRobot	2009.5.13.1733	2009.05.13	-

Additional information

File size: 95616 bytes

MD5 : a12686c5e71180980b51bc44dbbed50c

SHA1 : b081534131e27eade755677c54d28f3a146b7787

SHA256: 51d8cfee549e7338e62bf453388e7160bffc5892eaf338bde3e82192137a2bc7

PEInfo: PE Structure information


( base data )

entrypointaddress.: 0x406C

timedatestamp.....: 0x46A67AD0 (Wed Jul 25 00:18:56 2007)

machinetype.......: 0x14C (Intel I386)


( 4 sections )

name viradd virsiz rawdsiz ntrpy md5

.text 0x1000 0xADC4 0xB000 6.59 88b04182b7dcdc384e0ef2acab693c00

.rdata 0xC000 0x52BA 0x6000 4.89 67bccad983c71261ca80bd9e68253ed8

.data 0x12000 0x2D24 0x2000 1.38 8ef0691a51a3581e53432ed3c1351d08

.rsrc 0x15000 0x480 0x1000 3.79 5e137fc11c99662cb030b38cf6606c97


( 5 imports )


> advapi32.dll: RegQueryValueExW, RegSetValueExW, RegCloseKey, RegCreateKeyW

> comdlg32.dll: PrintDlgW

> gdi32.dll: SetMapMode, StartDocW, StartPage, EndPage, EndDoc, GetDeviceCaps

> kernel32.dll: CreateDirectoryW, GetVolumeInformationW, GetFullPathNameW, GetCurrentDirectoryW, RemoveDirectoryW, SetStdHandle, WriteConsoleW, GetConsoleOutputCP, WriteConsoleA, FindFirstFileW, FindNextFileW, FindClose, CreateFileW, GetLastError, DeviceIoControl, GetFileAttributesW, FormatMessageW, CloseHandle, LocalAlloc, LoadLibraryW, LocalFree, CreateFileA, GetModuleHandleW, HeapAlloc, HeapFree, EnterCriticalSection, LeaveCriticalSection, HeapReAlloc, GetProcAddress, GetModuleHandleA, ExitProcess, GetVersionExA, GetProcessHeap, DeleteCriticalSection, VirtualFree, VirtualAlloc, HeapDestroy, HeapCreate, WriteFile, GetStdHandle, GetModuleFileNameA, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetCPInfo, InterlockedIncrement, InterlockedDecrement, GetACP, GetOEMCP, IsValidCodePage, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, GetCurrentThreadId, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, FlushFileBuffers, SetHandleCount, GetFileType, GetStartupInfoA, Sleep, HeapSize, LoadLibraryA, InitializeCriticalSection, GetModuleFileNameW, FreeEnvironmentStringsA, MultiByteToWideChar, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetCommandLineW, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, RtlUnwind, SetFilePointer, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA

> user32.dll: DialogBoxIndirectParamW, GetDlgItem, GetSysColorBrush, EndDialog, SetWindowTextW, LoadCursorW, SetCursor, InflateRect, SendMessageW


( 0 exports )

TrID : File type identification

60.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)

16.6% (.EXE) Win32 Executable Generic (8527/13/3)

14.7% (.DLL) Win32 Dynamic Link Library (generic) (7583/30/2)

3.9% (.EXE) Generic Win/DOS Executable (2002/3)

3.8% (.EXE) DOS Executable Generic (2000/1)

ThreatExpert: http://www.threatexpert.com/report.aspx?md5=a12686c5e71180980b51bc44dbbed50c

ssdeep: 1536:85pItDPiPtaEtZuOxEb7rKP3wY+I0WFE2gsg5XYcAy/FaeE:BPifUbvKgsg5XYcAy/Ev

PEiD : -

RDS : NSRL Reference Data Set

This file is most likely fine - it's a small DOS program used for creating "links" to a directory on disk, which programs see as separate directories. A useful option if someone has several partitions and a small system disk :slight_smile:


(Spandau) #4

I wanted to make sure :slight_smile:

The log looks clean.

Manually delete the C:\Qoobox folder and the ComboFix installer from the disk.

Clean the system and the registry with CCleaner.

Turn System Restore off and back on for all drives. Instructions

Scan the system with Malwarebytes, which you have on disk (full scan)

or additionally with Dr.WEB CureIt!


(D2508156) #5

OK, many thanks for the help, you guys are great :slight_smile: