alienx7
(alienx7)
17 October 2007 07:54
#1
Some crap got into my computer; it opened cmd.exe and ftp.exe and was downloading files from Tematu…
Is there some patch for this or something? I only just did a format and installed SP1 and ZoneAlarm, like I always do after a format. It was always fine before, but this time it's bad.
Logfile of HijackThis v1.99.1
Scan saved at 09:51:22, on 2007-10-17
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\WINDOWS\System32\PnkBstrA.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\FRAPS\FRAPS.EXE
C:\Program Files\Netia\Net\netianet.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\dllcache\mravsc32.exe
C:\WINDOWS\system\msnrav.exe
C:\WINDOWS\System32\Isass.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\ftp.exe
D:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [speedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Local Security Authority Service] C:\WINDOWS\System32\Isass.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [Fraps] C:\FRAPS\FRAPS.EXE
O4 - HKCU\..\Run: [NETIANET] C:\Program Files\Netia\Net\netianet.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{19B12AAB-63BE-4F15-B93D-2515243C9DF3}: NameServer = 213.241.79.37 83.238.255.76
O17 - HKLM\System\CS1\Services\Tcpip\..\{19B12AAB-63BE-4F15-B93D-2515243C9DF3}: NameServer = 213.241.79.37 83.238.255.76
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Distributed Allocated Memory Unit - Unknown owner - C:\WINDOWS\system32\dllcache\mravsc32.exe
O23 - Service: MSN RAV - Unknown owner - C:\WINDOWS\system\msnrav.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\System32\PnkBstrA.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZONELABS\vsmon.exe
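The log in this post shows the things a helper spots by eye: a process and an HKLM Run entry named Isass.exe (capital I, not the real lsass.exe that is also running), two "Unknown owner" services whose binaries sit in %SystemRoot%\system and system32\dllcache, and cmd.exe plus ftp.exe alive at scan time. The script below is an added example, not part of the thread and not HijackThis code: it mechanises those four checks over HijackThis-style lines. The sample lines are excerpted from the log above; the list of imitated system binaries, the "odd" directories and the severity labels are this script's own assumptions.

```python
"""Triage a HijackThis-style log for the indicators visible in this thread.

Added example, not part of the thread. The sample lines are excerpted from
the HijackThis log posted above; the list of imitated system binaries and of
"odd" directories is an assumption of this script, not HijackThis output.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "severity kind path reason")

# Names a dropper tends to imitate; compared after folding look-alike glyphs.
SYSTEM_BINARIES = {"lsass.exe", "svchost.exe", "csrss.exe", "smss.exe",
                   "winlogon.exe", "services.exe", "spoolsv.exe", "explorer.exe"}
# %SystemRoot%\system is a Win9x leftover and dllcache is the WFP cache;
# neither is a normal install location for a service (assumption of this script).
ODD_DIRS = ("\\system32\\dllcache\\", "\\windows\\system\\")
# Built-in file-transfer clients a dropper chains from cmd.exe.
DOWNLOAD_TOOLS = {"ftp.exe", "tftp.exe"}

# Glyphs swapped to make a look-alike name: capital I or 1 for l, 0 for o.
GLYPH_FOLD = str.maketrans({"I": "l", "1": "l", "0": "o"})
# A drive-letter path ending in .exe; spaces allowed, a quote ends the match.
PATH_RE = re.compile(r'[A-Za-z]:\\(?:[^\\/:*?"<>|\r\n]+\\)*[^\\/:*?"<>|\r\n]+?\.exe', re.I)
SECTION_RE = re.compile(r"^([A-Z]\d+) - ")  # R0, O4, O23 ... HJT section tags


def fold(name):
    """Lower-case a file name after collapsing the swapped glyphs."""
    return name.translate(GLYPH_FOLD).lower()


def line_kind(line):
    """Return the HJT section ('O4', 'O23', ...), 'process' for a bare path, else None."""
    m = SECTION_RE.match(line)
    if m:
        return m.group(1)
    if re.match(r"^[A-Za-z]:\\", line):
        return "process"
    return None


def triage(log_text):
    """Scan every line carrying an .exe path and return findings in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        kind = line_kind(line)
        if kind is None:
            continue
        for path in PATH_RE.findall(line):
            name = path.rsplit("\\", 1)[-1]
            low, folded = name.lower(), fold(name)
            # Isass.exe folds to lsass.exe but is not literally lsass.exe.
            if folded in SYSTEM_BINARIES and low not in SYSTEM_BINARIES:
                findings.append(Finding("high", kind, path, "look-alike of " + folded))
            if any(d in path.lower() for d in ODD_DIRS):
                findings.append(Finding("high", kind, path, "executable in unusual directory"))
            if kind == "process" and low in DOWNLOAD_TOOLS:
                findings.append(Finding("review", kind, path, "built-in download tool running"))
            if kind == "O23" and "Unknown owner" in line:
                findings.append(Finding("review", kind, path, "service with unknown owner"))
    return findings


# Constructed sample: lines excerpted from the first HijackThis log in the post.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dllcache\mravsc32.exe
C:\WINDOWS\system\msnrav.exe
C:\WINDOWS\System32\Isass.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\ftp.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Local Security Authority Service] C:\WINDOWS\System32\Isass.exe
O23 - Service: Distributed Allocated Memory Unit - Unknown owner - C:\WINDOWS\system32\dllcache\mravsc32.exe
O23 - Service: MSN RAV - Unknown owner - C:\WINDOWS\system\msnrav.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\System32\PnkBstrA.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZONELABS\vsmon.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.kind:8} {f.path}  <- {f.reason}")
```

On the sample, the three "high" paths are exactly the ones SDFix later deletes (Isass.exe aside, which disappears after the reboot), while PnkBstrA.exe is only a "review" item: an unknown owner alone is weak evidence, and PunkBuster's service is a known benign case of it. The glyph fold is deliberately narrow; widening it (e.g. rn for m) raises the false-positive rate on legitimate names.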
alienx7
(alienx7)
18 October 2007 14:44
#3
Remove the entries in HJT, I take it?
I'll be back from work around 19:00 and post all the logs. thx
Merged post: 18.10.2007 (Thu) 17:56
ComboFix 07-10-17.8@ - alienx7___ 2007-10-18 17:53:01.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.713 [GMT 2:00]
Running from: C:\Documents and Settings\alienx7___\Pulpit\ComboFix.exe
 * Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-09-18 to 2007-10-18 )))))))))))))))))))))))))))))))
.

2007-10-18 17:51 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-17 20:00
2007-10-17 19:39
2007-10-17 19:28 15,872 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-10-17 09:47 421,656 --a------ C:\WINDOWS\system32\wuapi.dll
2007-10-17 09:47 187,160 --a------ C:\WINDOWS\system32\wuaueng1.dll
2007-10-17 09:47 170,264 --a------ C:\WINDOWS\system32\wuauclt1.exe
2007-10-17 09:47 120,288 --a------ C:\WINDOWS\system32\wuweb.dll
2007-10-17 09:47 119,576 --a------ C:\WINDOWS\system32\wucltui.dll
2007-10-17 09:47 39,704 --a------ C:\WINDOWS\system32\wups.dll
2007-10-17 09:45 418,816 -r-hs---- C:\WINDOWS\system\msnrav.exe
2007-10-17 09:44 415,232 -r-hs---- C:\WINDOWS\system32\dllcache\mravsc32.exe
2007-10-17 09:40 0 --a------ C:\WINDOWS\system32\m2n1.exe
2007-10-16 22:18 22,328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-10-16 22:14 103,736 --a------ C:\WINDOWS\system32\PnkBstrB.exe
2007-10-16 22:04
2007-10-16 22:04 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe
2007-10-16 22:00
2007-10-16 21:58
2007-10-16 21:58 1,156 --a------ C:\WINDOWS\mozver.dat
2007-10-16 21:53
2007-10-16 21:53
2007-10-16 21:49 32,768 --a------ C:\WINDOWS\system32\WooDial2000.dll
2007-10-16 21:39
2007-10-16 21:35
2007-10-16 21:35 70,688 --a------ C:\WINDOWS\system32\drivers\alcaudsl.sys
2007-10-16 21:35 53,600 --a------ C:\WINDOWS\system32\drivers\alcan5wn.sys
2007-10-16 21:35 5,606 --a------ C:\WINDOWS\system32\stci.dll
2007-10-16 21:35 5,280 --a------ C:\WINDOWS\system32\drivers\alcawh.sys
2007-10-16 21:35 3,968 --a------ C:\WINDOWS\system32\drivers\alcacr.sys
2007-10-16 21:34
2007-10-16 21:29 0 --a------ C:\WINDOWS\nsreg.dat
2007-10-16 21:28
2007-10-16 21:28
2007-10-16 21:28 675,328 --a------ C:\WINDOWS\is-SUC6Q.exe
2007-10-16 21:28 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-10-16 21:28 60,273 --a------ C:\WINDOWS\system32\pthreadGC2.dll
2007-10-16 21:27
2007-10-16 21:27
2007-10-16 21:27
2007-10-16 21:27
2007-10-16 21:27 20,016 --------- C:\WINDOWS\system32\drivers\pxhelp20.sys
2007-10-16 21:26
2007-10-16 21:26 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-10-16 21:26 1,559,040 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-10-16 21:26 740,442 --a------ C:\WINDOWS\system32\divx.dll
2007-10-16 21:26 282,624 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-10-16 21:26 217,088 --a------ C:\WINDOWS\system32\yv12vfw.dll
2007-10-16 21:26 163,840 --a------ C:\WINDOWS\system32\unrar.dll
2007-10-16 21:26 73,728 --a------ C:\WINDOWS\system32\dpl100.dll
2007-10-16 21:26 7,680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-10-16 21:24
2007-10-16 21:24
2007-10-16 21:23 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-10-16 21:20
2007-10-16 21:20
2007-10-16 21:17
2007-10-16 21:16
2007-10-16 21:15 2,953,216 --------- C:\WINDOWS\system32\xpsp2res.dll
2007-10-16 21:15 614,912 --a------ C:\WINDOWS\system32\h323msp.dll
2007-10-16 21:15 601,600 --------- C:\WINDOWS\system32\dllcache\xpsp2res.dll
2007-10-16 21:15 331,264 --a------ C:\WINDOWS\system32\ipnathlp.dll
2007-10-16 21:15 39,936 --a------ C:\WINDOWS\system32\mf3216.dll
2007-10-16 21:15 26,112 --a------ C:\WINDOWS\system32\xpsp1hfm.exe
2007-10-16 21:11 97,280 --a------ C:\WINDOWS\system32\dpcdll.dll
2007-10-16 21:04
2007-10-16 21:04 100,352 --------- C:\WINDOWS\system32\CNMLM53.DLL
2007-10-16 21:04 73,728 -ra------ C:\WINDOWS\system32\CNMCP53.exe
2007-10-16 21:04 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-10-16 21:04 5,632 --a------ C:\WINDOWS\system32\CNMVS53.DLL
2007-10-16 21:02
2007-10-16 21:00
.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.

2007-10-16 18:57 --------- d-----w C:\Program Files\Common Files\ATI Technologies
2007-10-16 18:52 --------- d-----w C:\Program Files\ATI Technologies
2007-10-16 18:51 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-16 18:48 --------- d-----w C:\Program Files\C-Media Audio
2007-10-16 18:45 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-10-16 18:41 --------- d-----w C:\Program Files\microsoft frontpage
2007-10-16 18:37 --------- d-----w C:\Program Files\Usługi online
2002-06-24 13:46 3,360 ----a-r C:\WINDOWS\inf\OTHER\cmiainfo.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 09:12]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2004-11-28 05:22]
"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 11:38]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2005-03-31 11:18]
"Fraps"="C:\FRAPS\FRAPS.EXE" [2006-06-18 15:46]
"NETIANET"="C:\Program Files\Netia\Net\netianet.exe" [2007-10-14 10:00]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"NETIANET"=C:\Program Files\Netia\Net\netianet.exe

S4 Distributed Allocated Memory Unit;Distributed Allocated Memory Unit;"C:\WINDOWS\system32\dllcache\mravsc32.exe"
S4 MSN RAV;MSN RAV;"C:\WINDOWS\system\msnrav.exe"

*Newly Created Service* - CATCHME
.

**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-18 17:54:02
Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-18 17:54:29
.
--- E O F ---
edit:
HJT
Logfile of HijackThis v1.99.1
Scan saved at 18:06:46, on 2007-10-18
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PnkBstrA.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\FRAPS\FRAPS.EXE
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Netia\Net\netianet.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
D:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [speedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [Fraps] C:\FRAPS\FRAPS.EXE
O4 - HKCU\..\Run: [NETIANET] C:\Program Files\Netia\Net\netianet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\System32\PnkBstrA.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZONELABS\vsmon.exe
SR
"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["sms-express.com "]
"Fraps" = "C:\FRAPS\FRAPS.EXE" ["Beepa P/L"]
"NETIANET" = "C:\Program Files\Netia\Net\netianet.exe" ["OF.PL sp.z .o.o."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ATICCC" = ""C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"" [null data]
"Zone Labs Client" = ""C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"" ["Zone Labs Inc."]
"SpeedTouch USB Diagnostics" = ""C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon" ["THOMSON Telecom Belgium"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
     \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
     \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension"
  -> {HKLM...CLSID} = "SimpleShlExt Class"
     \InProcServer32\(Default) = "C:\Program Files\ATI Technologies\ATI.ACE\atiacmxx.dll" [empty string]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\web\wallpaper\Idylla.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\web\wallpaper\Idylla.bmp"

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

HKLM\Software\Classes\CLSID\{01002DB2-8170-4D9B-A8B1-DDC9DD114E03}\(Default) = "Volet Wanadoo"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "C:\PROGRA~1\NEOSTR~1\audience\audience.dll" [empty string]

HKLM\Software\Classes\CLSID\{3BAF4A27-C764-4E1A-A6F4-62F7A7E5E51C}\(Default) = "ToolBand Class"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "C:\PROGRA~1\NEOSTR~1\audience\audience.dll" [empty string]

HKLM\Software\Classes\CLSID\{5BF498C0-931E-4A4F-B33F-456D07137EAA}\(Default) = "Volet Wanadoo"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "C:\PROGRA~1\NEOSTR~1\audience\audience.dll" [empty string]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]

Miscellaneous IE Hijack Points
------------------------------

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
<<H>> "{08C06D61-F1F3-4799-86F8-BE1A89362C85}" = (no title provided)
  -> {HKLM...CLSID} = "Search Class"
     \InProcServer32\(Default) = "C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL" [empty string]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."]
PnkBstrA, PnkBstrA, "C:\WINDOWS\System32\PnkBstrA.exe" [null data]
TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZONELABS\vsmon.exe -service" ["Zone Labs Inc."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]

Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Canon BJ Language Monitor i350\Driver = "CNMLM53.DLL" ["CANON INC."]

----------
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
  took 5 seconds.
---------- (total run time: 39 seconds)
SDFix
SDFix: Version 1.109
Run by alienx7___ on 2007-10-18 at 18:02

Microsoft Windows XP [Wersja 5.1.2600]
Running From: C:\SDFix\SDFix

Safe Mode:
Checking Services:

Name:
Distributed Allocated Memory Unit
MSN RAV

ImagePath:
"C:\WINDOWS\system32\dllcache\mravsc32.exe"
"C:\WINDOWS\system\msnrav.exe"

Distributed Allocated Memory Unit - Deleted
MSN RAV - Deleted

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\SYSTEM32\M2N1.EXE - Deleted
C:\WINDOWS\system\msnrav.exe - Deleted
C:\WINDOWS\system32\dllcache\mravsc32.exe - Deleted
C:\WINDOWS\system32\i - Deleted
C:\WINDOWS\system32\TFTP3196 - Deleted

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.

Final Check:

Remaining Services:
------------------

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------

File Backups: - C:\SDFix\SDFix\backups\backups.zip

Files with Hidden Attributes:

Wed 7 Mar 2001 311,296 ...HR --- "C:\WINDOWS\system32\Tools\AC2K.exe"
Wed 21 Feb 2001 310,784 ...HR --- "C:\WINDOWS\system32\Tools\AC98.exe"
Wed 21 Feb 2001 311,296 ...HR --- "C:\WINDOWS\system32\Tools\ACL98.exe"
Wed 21 Feb 2001 311,808 ...HR --- "C:\WINDOWS\system32\Tools\ACLME.exe"
Fri 27 Apr 2001 327,168 ...HR --- "C:\WINDOWS\system32\Tools\All.exe"
Fri 24 Nov 2000 316,416 ...HR --- "C:\WINDOWS\system32\Tools\AutoClick.exe"
Tue 16 Oct 2001 363,008 ...HR --- "C:\WINDOWS\system32\Tools\Change.exe"
Thu 11 Apr 2002 547,840 ...HR --- "C:\WINDOWS\system32\Tools\CheckPath.exe"
Fri 31 Aug 2001 381,440 ...HR --- "C:\WINDOWS\system32\Tools\Counter.exe"
Mon 21 Jan 2002 360,960 ...HR --- "C:\WINDOWS\system32\Tools\DelDv.exe"
Mon 21 Jan 2002 360,960 ...HR --- "C:\WINDOWS\system32\Tools\DelT2.exe"
Mon 21 Jan 2002 360,960 ...HR --- "C:\WINDOWS\system32\Tools\DelT2Dv.exe"
Wed 6 Mar 2002 360,960 ...HR --- "C:\WINDOWS\system32\Tools\DelTools.exe"
Tue 20 Mar 2001 532,480 ...HR --- "C:\WINDOWS\system32\Tools\DeleteFiles.exe"
Mon 11 Mar 2002 361,472 ...HR --- "C:\WINDOWS\system32\Tools\LostRun.exe"
Tue 3 Apr 2001 296,960 ...HR --- "C:\WINDOWS\system32\Tools\RegClean.exe"
Fri 8 Mar 2002 369,152 ...HR --- "C:\WINDOWS\system32\Tools\Regexe.exe"
Fri 8 Mar 2002 382,464 ...HR --- "C:\WINDOWS\system32\Tools\Restart.exe"
Fri 8 Mar 2002 374,784 ...HR --- "C:\WINDOWS\system32\Tools\RunAP.exe"
Fri 8 Mar 2002 360,960 ...HR --- "C:\WINDOWS\system32\Tools\RunRegexe.exe"
Fri 2 Nov 2001 379,392 ...HR --- "C:\WINDOWS\system32\Tools\SDW98ME.exe"
Fri 9 Mar 2001 312,832 ...HR --- "C:\WINDOWS\system32\Tools\SoundDrv.exe"
Fri 20 Sep 2002 33,792 A..H. --- "C:\System Volume Information\_restore{8D6783EE-2D84-40F7-89D0-3750D8BB5A6A}\RP18\A0011682.exe"

Finished!
If it's clean now, let us know.