Nagrywanie plyt.. sporo virusów

Ramsik · 30 Czerwiec 2007 16:52

Witam.

Prosiłbym o sprawdzenie logów… mam kilka problemów komputer ledwo chodzi… internet muli ciągle wykrywa mi nowe virusy… jednym z największych problemów jest (nie wiem czy to od virosów) to problem z nagrywaniem plyt … tzn gdy wkładam czysta płytę uruchamiam nero naciskam wypal… komputer sie zawiesza i trzeba resetowac zmieniałem program na inny lecz ciągle to samo… lecz sam nie wiem czy to wina nagrywarki czy komputera.

Z góry dziekuje.

Logfile of HijackThis v1.99.1

Scan saved at 18:38:22, on 2007-06-30

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

E:\Program Files\Comodo\Firewall\cmdagent.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\CTsvcCDA.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe

C:\WINDOWS\system32\RUNDLL32.EXE

E:\Program Files\Comodo\Firewall\CPF.exe

C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Eset\nod32krn.exe

D:\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O1 - Hosts: 217.153.219.170 L2authd.lineage2.com

O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKLM\..\Run: [COMODO Firewall Pro] "E:\Program Files\Comodo\Firewall\CPF.exe" /background

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {7AA32FC7-133B-4AE7-998E-CED0D9829B12} (luna Class) - http://axcab.wrs.mcboo.com/website.cab

O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://67.15.101.3/g_bin/pl/billard8_2_0_0_34.cab

O23 - Service: AFSEGTGF Windows Service - Unknown owner - C:\WINDOWS\system32\dsauw.exe (file missing)

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - E:\Program Files\Comodo\Firewall\cmdagent.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe

O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\mfisdguf.exe (file missing)

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

"Silent Runners.vbs", revision R50, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

"DAEMON Tools" = ""C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033" ["DT Soft Ltd."]


HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"CTSysVol" = "C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r" ["Creative Technology Ltd"]

"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]

"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]

"!AVG Anti-Spyware" = ""E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized" ["GRISOFT s.r.o."]

"nod32kui" = ""C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE" ["Eset "]

"COMODO Firewall Pro" = ""E:\Program Files\Comodo\Firewall\CPF.exe" /background" ["COMODO"]

"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"" ["Sun Microsystems, Inc."]

"MSConfig" = "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto" [MS]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{02059350-D04D-4396-A71B-49A2591FE498}\(Default) = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\khhec.dll" [null data]

{1F6581D5-AA53-4b73-A6F9-41420C6B61F1}\(Default) = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\rlbmpirp.dll" [null data]

{674DDFA6-BB3D-427B-961F-E9EEEF293004}\(Default) = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\qomnkhi.dll" [null data]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "SSVHelper Class"

                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll" ["Sun Microsystems, Inc."]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

                   \InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"

  -> {HKLM...CLSID} = "Portable Media Devices Menu"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]

"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"

  -> {HKLM...CLSID} = "DesktopContext Class"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]

"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"

  -> {HKLM...CLSID} = "NVIDIA CPL Extension"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]

"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"

  -> {HKLM...CLSID} = "Desktop Explorer"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"

  -> {HKLM...CLSID} = "nView Desktop Context Menu"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{B089FE88-FB52-11D3-BDF1-0050DA34150D}" = "NOD32 Context Menu Shell Extension"

  -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"

                   \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

<> "{674DDFA6-BB3D-427B-961F-E9EEEF293004}" = "*g" (unwritable string)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\qomnkhi.dll" [null data]

<> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"

  -> {HKLM...CLSID} = "CShellExecuteHookImpl Object"

                   \InProcServer32\(Default) = "E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["GRISOFT s.r.o."]


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

<> khhec\DLLName = "C:\WINDOWS\system32\khhec.dll" [null data]

<> qomnkhi\DLLName = "qomnkhi.dll" [null data]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"

  -> {HKLM...CLSID} = "CContextScan Object"

                   \InProcServer32\(Default) = "E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["GRISOFT s.r.o."]

NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"

  -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"

                   \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"

  -> {HKLM...CLSID} = "CContextScan Object"

                   \InProcServer32\(Default) = "E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["GRISOFT s.r.o."]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"

  -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"

                   \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]



Group Policies {GPedit.msc branch and setting}:

-----------------------------------------------


Note: detected settings may not have any effect.


HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\


"DisableRegistryTools" = (REG_DWORD) hex:0x00000000

{User Configuration|Administrative Templates|System|

Prevent access to registry editing tools}


HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\


"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}


"undockwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Devices: Allow undock without having to log on}



Active Desktop and Wallpaper:

-----------------------------


Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper2.bmp"


Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Documents and Settings\Michaś\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper2.bmp"



Enabled Screen Saver:

---------------------


HKCU\Control Panel\Desktop\

"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

C:\WINDOWS\system32\imon.dll ["Eset "], 01 - 05, 17

%SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 11 - 16

%SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10



Toolbars, Explorer Bars, Extensions:

------------------------------------


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\Software\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

"MenuText" = "Sun Java Console"

"CLSIDExtension" = "{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC}"

  -> {HKCU...CLSID} = "Java Plug-in 1.6.0_01"

                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll" ["Sun Microsystems, Inc."]

  -> {HKLM...CLSID} = "Java Plug-in 1.6.0_01"

                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll" ["Sun Microsystems, Inc."]


{FB5F1910-F110-11D2-BB9E-00C04F795683}\

"ButtonText" = "Messenger"

"MenuText" = "Windows Messenger"

"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]



HOSTS file

----------


C:\WINDOWS\System32\drivers\etc\HOSTS


maps: 2 domain names to IP addresses,

      1 of the IP addresses is *not* localhost!



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe" ["GRISOFT s.r.o."]

Comodo Application Agent, CmdAgent, "E:\Program Files\Comodo\Firewall\cmdagent.exe" ["COMODO"]

Creative Service for CDROM Access, Creative Service for CDROM Access, "C:\WINDOWS\system32\CTsvcCDA.exe" ["Creative Technology Ltd"]

NOD32 Kernel Service, NOD32krn, ""C:\Program Files\Eset\nod32krn.exe"" ["Eset "]

NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]

StarWind AE Service, StarWindServiceAE, "C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe" ["Rocket Division Software"]



----------

<>: Suspicious data at a malware launch point.


+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

  took 213 seconds.

---------- (total run time: 332 seconds)

adam9870 · 30 Czerwiec 2007 18:17

W logach:

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {02059350-D04D-4396-A71B-49A2591FE498}(Default) = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\system32\khhec.dll” [null data] {1F6581D5-AA53-4b73-A6F9-41420C6B61F1}(Default) = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\system32\rlbmpirp.dll” [null data] {674DDFA6-BB3D-427B-961F-E9EEEF293004}(Default) = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\system32\qomnkhi.dll” [null data] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <> khhec\DLLName = “C:\WINDOWS\system32\khhec.dll” [null data] <> qomnkhi\DLLName = “qomnkhi.dll” [null data]

Użyj VundoFix + FixVundo + VirtumundoBeGone. Wszystkie narzędzia należy uruchomić będąc w trybie awaryjnym.

Po wykonaniu wklej nowy log z HijackThis plus log z ComboFix. Aby zrobić w nim log należy go uruchomić => nacisnąć klawisz Y => czekać cierpliwie i log powinien być w formie pliku .txt o nazwie combofix na partycji C. Dodatkowo przedstaw wynik skanowania tych plików:

na stronie http://virusscan.jotti.org/ bądź http://www.virustotal.com/en/indexx.html

Ramsik · 30 Czerwiec 2007 22:10

Przed użyciem “VundoFix + FixVundo + VirtumundoBeGone”

Przeskanowałem system AVG Anti-spyware nic nie znalazło…

Nod znalazł kolo 10 virusów…

Po skanowaniu nodem tych 2 plików już nie nie było…

"C:\WINDOWS\system32\dsauw.exe

C:\WINDOWS\system32\mfisdguf.exe"

VundoFix - znalazł również kilka virusów FixVundo - nic nie znalazł VirtumundoBeGone - nic nie znalazł Komputer chodzi już znacznie szybciej… Combofix:

ComboFix 07-06-18.2 - C:\Documents and Settings\Micha˜\Pulpit\ComboFix.exe

"Micha˜" - 2007-06-30 23:55:24 - Dodatek Service Pack 2 NTFS  



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



C:\DOCUME~1\MICHA~1\DANEAP~1.\macromedia\Flash Player\#SharedObjects\34NLNU7S\www.broadcaster.com

C:\DOCUME~1\MICHA~1\DANEAP~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com

C:\DOCUME~1\MICHA~1\DANEAP~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol

C:\WINDOWS\system32\drivers\uzcx.exe

C:\WINDOWS\wr.txt



((((((((((((((((((((((((( Files Created from 2007-05-28 to 2007-06-30 )))))))))))))))))))))))))))))))



2007-06-30 23:54	49,152	--a------	C:\WINDOWS\nircmd.exe

2007-06-30 21:08	




HijackThis:

[code]Logfile of HijackThis v1.99.1 Scan saved at 00:05:13, on 2007-07-01 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe C:\Program Files\Eset\nod32kui.exe E:\Program Files\Comodo\Firewall\CPF.exe C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe C:\WINDOWS\system32\ctfmon.exe E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe E:\Program Files\Comodo\Firewall\cmdagent.exe C:\WINDOWS\system32\CTsvcCDA.exe C:\Program Files\Eset\nod32krn.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe E:\Program Files\FlashGet\flashget.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\explorer.exe C:\WINDOWS\system32\notepad.exe D:\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O1 - Hosts: 217.153.219.170 L2authd.lineage2.com O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - E:\Program Files\FlashGet\jccatch.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - E:\Program Files\FlashGet\getflash.dll O4 - HKLM…\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r O4 - HKLM…\Run: [!AVG Anti-Spyware] “E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe” /minimized O4 - HKLM…\Run: [nod32kui] “C:\Program Files\Eset\nod32kui.exe” /WAITSERVICE O4 - HKLM…\Run: [COMODO Firewall Pro] “E:\Program Files\Comodo\Firewall\CPF.exe” /background O4 - HKLM…\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe” O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU…\Run: [DAEMON Tools] “C:\Program Files\DAEMON Tools\daemon.exe” -lang 1033 O8 - Extra context menu item: &Ściągnij przy pomocy FlashGet’a - E:\Program Files\FlashGet\jc_link.htm O8 - Extra context menu item: &Ściągnij wszystko przy pomocy FlashGet’a - E:\Program Files\FlashGet\jc_all.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\Program Files\FlashGet\FlashGet.exe O9 - Extra ‘Tools’ menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\Program Files\FlashGet\FlashGet.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {7AA32FC7-133B-4AE7-998E-CED0D9829B12} (luna Class) - http://axcab.wrs.mcboo.com/website.cab O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://67.15.101.3/g_bin/pl/billard8_2_0_0_34.cab O23 - Service: AFSEGTGF Windows Service - Unknown owner - C:\WINDOWS\system32\dsauw.exe (file missing) O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - E:\Program Files\Comodo\Firewall\cmdagent.exe O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\mfisdguf.exe (file missing) O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
Dodam logi jeszcze tyc programów: VundoFix:

Beginning removal...


VundoFix V6.5.4


Checking Java version...


Scan started at 21:08:38 2007-06-30


Listing files found while scanning....


C:\WINDOWS\system32\bnopaesj.dll

C:\WINDOWS\system32\cehhk.bak1

C:\WINDOWS\system32\cehhk.bak2

C:\WINDOWS\system32\cehhk.ini

C:\WINDOWS\system32\khhec.dll

C:\WINDOWS\system32\qomnkhi.dll

C:\WINDOWS\system32\rlbmpirp.dll

C:\windows\system32\selhebjw.dll

C:\windows\system32\wjbehles.ini


Beginning removal...


 Attempting to delete C:\WINDOWS\system32\cehhk.bak1

C:\WINDOWS\system32\cehhk.bak1 Has been deleted!


 Attempting to delete C:\WINDOWS\system32\cehhk.bak2

C:\WINDOWS\system32\cehhk.bak2 Has been deleted!


 Attempting to delete C:\WINDOWS\system32\cehhk.ini

C:\WINDOWS\system32\cehhk.ini Has been deleted!


 Attempting to delete C:\WINDOWS\system32\khhec.dll

C:\WINDOWS\system32\khhec.dll Could not be deleted.


 Attempting to delete C:\WINDOWS\system32\qomnkhi.dll

C:\WINDOWS\system32\qomnkhi.dll Could not be deleted.


 Attempting to delete C:\WINDOWS\system32\rlbmpirp.dll

C:\WINDOWS\system32\rlbmpirp.dll Has been deleted!


 Attempting to delete C:\windows\system32\selhebjw.dll

C:\windows\system32\selhebjw.dll Has been deleted!


 Attempting to delete C:\windows\system32\wjbehles.ini

C:\windows\system32\wjbehles.ini Has been deleted!


Performing Repairs to the registry.

Done!


Beginning removal...


 Attempting to delete C:\WINDOWS\system32\cehhk.ini

C:\WINDOWS\system32\cehhk.ini Has been deleted!


Performing Repairs to the registry.

Done!

HAXFIX logfile - by Marckie


version 4.47 

2007-06-30 18:44:23,81 


--- Checking for Haxdoor ---


checking for a3d files

a3d files not found


checking for matching notify keys

no matching notify keys found 


checking for matching services

no matching services found 


checking for matching safeboot services

no matching safeboot services found 


checking for other Haxdoor-files

no other Haxdoor-files found



--- Checking for Goldun ---


checking for SSODL keys

no ssodl keys found


checking for notify keys

no notify keys found


checking for services

no services found


checking for other Goldun-files

no other Goldun-files found


checking iexplore.exe

iexplore.exe is not infected 



--- Catchme logfile - thank you Gmer ---


catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-06-30 18:44:25

Windows 5.1.2600 Dodatek Service Pack 2 NTFS


scanning hidden processes ...


scanning hidden services ...


scanning hidden autostart entries ...


scanning hidden files ...


scan completed successfully

hidden processes: 0

hidden services: 0

hidden files: 0



--- Analysing Catchme logfile ---


no matching regkeys found



Finished!

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-06-30 18:44:25

Windows 5.1.2600 Dodatek Service Pack 2 NTFS


scanning hidden processes ...


scanning hidden services ...


scanning hidden autostart entries ...


scanning hidden files ...


scan completed successfully

hidden processes: 0

hidden services: 0

hidden files: 0

To nie wiem co to jest… przed sekunda jak skanowalem Combofixem nod wykrył coś… w folderze C:/QooBox A na dysku C w pliku tekstowym “ComboFix-quarantined-files.txt” znalazłem takie coś

2007-06-20 23:10 183 --a------ C:\Qoobox\Quarantine\C\WINDOWS\wr.txt.vir

2007-06-22 22:31 89 --a------ C:\Qoobox\Quarantine\C\DOCUME~1\MICHA~1\DANEAP~1\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol.vir



Zmienna PATH folderu

Numer seryjny woluminu: B0E6-436A

C:\QOOBOX

\---Quarantine

    +---C

    | +---DOCUME~1

    | | \---MICHA~1

    | | \---DANEAP~1

    | | \---Macromedia

    | | \---Flash Player

    | | \---macromedia.com

    | | \---support

    | | \---flashplayer

    | | \---sys

    | | \---#www.broadcaster.com

    | | settings.sol.vir

    | |                                           

    | \---WINDOWS

    | | wr.txt.vir

    | |   

    | \---system32

    | \---drivers

    \---Registry_backups

Joan · 1 Lipiec 2007 21:47

Przeskanuj te pliki na stronie http://virusscan.jotti.org/ i podaj wynik.

Ściągasz narzędzie KillBox, zaznaczasz Delete on Reboot, potem klikasz All Files i wklejasz do pola Full Path of File to Delete ścieżki:

C:\WINDOWS\retadpu41.exe

C:\WINDOWS\system32\esaajspl.dll

C:\WINDOWS\system32\selhebjw.dll

c:\windows\system32\drivers\uzcx.exe

Klikasz X i reset sysa.

Otwórz notatnik i wklej w nim to:

Plik -> zapisz jako -> zmień rozszerzenie na wszystkie pliki -> zapisz pod nazwą FIX.REG

Odpal plik FIX.REG i potwierdź dodanie do rejestru i reset kompa

daj nowy log z combo, folder C:\qoobox usun

Ramsik · 2 Lipiec 2007 07:40

wymxrskq.exe

File: wymxrskq.exe

Status: 	

INFECTED/MALWARE

MD5: f61a17f9e28fab68ef6b9bb82f6cc246

Packers detected: 	

-

Bit9 reports: File not found

Scanner results

Scan taken on 02 Jul 2007 07:32:46 (GMT)

A-Squared 	

Found nothing

AntiVir 	

Found TR/Click.Agent.NP

ArcaVir 	

Found nothing

Avast 	

Found nothing

AVG Antivirus 	

Found nothing

BitDefender 	

Found Trojan.Clicker.Agent.NP

ClamAV 	

Found nothing

Dr.Web 	

Found Trojan.Click.2799

F-Prot Antivirus 	

Found nothing

F-Secure Anti-Virus 	

Found Trojan-Downloader.Win32.Tiny.id

Fortinet 	

Found nothing

Kaspersky Anti-Virus 	

Found Trojan-Downloader.Win32.Tiny.id

NOD32 	

Found nothing

Norman Virus Control 	

Found nothing

Panda Antivirus 	

Found Trj/Downloader.PCQ

Rising Antivirus 	

Found nothing

VirusBuster 	

Found nothing

VBA32 	

Found Trojan.Click.2799

umknspkq.exe

File: umknspkq.exe

Status: 	

INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)

MD5: f61a17f9e28fab68ef6b9bb82f6cc246

Packers detected: 	

-

Bit9 reports: File not found

Scanner results

Scan taken on 02 Jul 2007 07:35:57 (GMT)

A-Squared 	

Found nothing

AntiVir 	

Found TR/Click.Agent.NP

ArcaVir 	

Found nothing

Avast 	

Found nothing

AVG Antivirus 	

Found nothing

BitDefender 	

Found Trojan.Clicker.Agent.NP

ClamAV 	

Found nothing

Dr.Web 	

Found Trojan.Click.2799

F-Prot Antivirus 	

Found nothing

F-Secure Anti-Virus 	

Found Trojan-Downloader.Win32.Tiny.id

Fortinet 	

Found nothing

Kaspersky Anti-Virus 	

Found Trojan-Downloader.Win32.Tiny.id

NOD32 	

Found nothing

Norman Virus Control 	

Found nothing

Panda Antivirus 	

Found Trj/Downloader.PCQ

Rising Antivirus 	

Found nothing

VirusBuster 	

Found nothing

VBA32 	

Found Trojan.Click.2799

A mam takie pytanko poza temat… posiadam Antyvirusa NOD 32… widzę ze w tych 2 skanowaniach na stronie NOD nic nie wykrył… czy jest zły?

Combofix

ComboFix 07-06-18.2 - C:\Documents and Settings\Micha\Pulpit\ComboFix.exe

adam9870 · 2 Lipiec 2007 08:41

Ściągnij program KillBox, zaznacz Delete on reboot , w polu full path of file wklej kolejno ścieżki:

C:\WINDOWS\system32\aefacdbdcfac_r.dll

C:\WINDOWS\system32\wymxrskq.exe

C:\WINDOWS\system32\umknspkq.exe

Po wklejeniu każdej ścieżki z osobna kliknij na czerwonego iksa, ale dopiero po wklejeniu ostatniej zgódź się na restart.

Po wykonaniu wklej nowy log z ComboFix.

Ogólnie rzecz biorąc żaden program zabezpieczający nie jest doskonały. Używany przez Ciebie NOD32 nie widnieje w czołówce testów programów zabezpieczających, więc na pewno są lepsze programy tego typu od niego. Chociażby Kaspersky. Nie oznacza to jednak, że NOD jest zły. NOD jest trochę gorszy od liderów rynku antyvirusowego i na pewno lepiej jest mieć system zabezpieczony nawet darmowym czy słabszym programem niż nie mieć w ogóle, a uzupełnieniem zainstalowanego oprogramowania zabezpieczającego mogą być skanery on-line. Osobiście polecam http://www.ewido.net/de/onlinescan/ oraz http://www.kaspersky.pl/virusscanner.html.

Ramsik · 2 Lipiec 2007 16:51

Combofix

ComboFix 07-06-18.2 - C:\Documents and Settings\Micha\Pulpit\ComboFix.exe “Micha” - 2007-07-02 18:44:20 - Dodatek Service Pack 2 NTFS ((((((((((((((((((((((((( Files Created from 2007-06-02 to 2007-07-02 ))))))))))))))))))))))))))))))) 2007-07-02 10:24 2007-07-02 10:24 2007-07-02 09:45 373 --a------ C:\rootkit.reg 2007-07-02 09:39 73,728 --a------ C:\KillBox.exe 2007-07-02 09:39 2007-07-01 11:26 2007-06-30 23:54 49,152 --a------ C:\WINDOWS\nircmd.exe 2007-06-30 21:08 2007-06-30 18:44 90,112 --a------ C:\WINDOWS\system32\RegDACL.exe 2007-06-30 18:44 9,006 --a------ C:\clean.bat 2007-06-30 18:44 86,528 --a------ C:\WINDOWS\system32\catchme.exe 2007-06-30 18:44 53,248 --a------ C:\WINDOWS\system32\process.exe 2007-06-30 18:44 4,096 --a------ C:\WINDOWS\system32\reboot.exe 2007-06-29 16:33 188,416 --a------ C:\WINDOWS\amuninst.exe 2007-06-29 00:29 2007-06-26 22:33 2007-06-25 20:04 2007-06-25 17:16 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys 2007-06-25 17:04 2007-06-25 17:04 2007-06-25 13:24 4 --a------ C:\WINDOWS\system32\proc-220146841.bin 2007-06-25 13:24 2007-06-25 13:19 2007-06-25 00:01 774,144 --a------ C:\WINDOWS\system32\vsfilter.dll 2007-06-25 00:01 77,824 --a------ C:\WINDOWS\system32\vorbisfile.dll 2007-06-25 00:01 75,264 --a------ C:\WINDOWS\system32\MACDec.dll 2007-06-25 00:01 679,936 --a------ C:\WINDOWS\system32\xvidcore.dll 2007-06-25 00:01 61,440 --a------ C:\WINDOWS\system32\ogg.dll 2007-06-25 00:01 446,464 --a------ C:\WINDOWS\system32\vp31vfw.dll 2007-06-25 00:01 421,888 --a------ C:\WINDOWS\system32\OpenQuicktimeLib.dll 2007-06-25 00:01 413,760 --a------ C:\WINDOWS\system32\mpg4c32.dll 2007-06-25 00:01 39,936 --a------ C:\WINDOWS\system32\huffyuv.dll 2007-06-25 00:01 368,640 --a------ C:\WINDOWS\system32\vobsub.dll 2007-06-25 00:01 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll 2007-06-25 00:01 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll 2007-06-25 00:01 286,720 --a------ C:\WINDOWS\system32\3ivxVfWCodec.dll 2007-06-25 00:01 245,408 --a------ C:\WINDOWS\system32\unicows.dll 2007-06-25 00:01 237,568 --a------ C:\WINDOWS\system32\OggDS.dll 2007-06-25 00:01 2,024,448 --a------ C:\WINDOWS\system32\divx.dll 2007-06-25 00:01 19,968 --a------ C:\WINDOWS\system32\cpuinf32.dll 2007-06-25 00:01 157,696 --a------ C:\WINDOWS\system32\unrar.dll 2007-06-25 00:01 155,648 --a------ C:\WINDOWS\system32\xvidvfw.dll 2007-06-25 00:01 1,415,680 --a------ C:\WINDOWS\system32\WMV9VCM.dll 2007-06-25 00:01 1,163,264 --a------ C:\WINDOWS\system32\vorbis.dll 2007-06-25 00:01 1,040,384 --a------ C:\WINDOWS\system32\vorbisenc.dll 2007-06-25 00:01 1,024,000 --a------ C:\WINDOWS\system32\3ivx.dll 2007-06-25 00:01 2007-06-24 23:43 2007-06-24 23:43 2007-06-23 13:48 2007-06-22 22:43 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys 2007-06-22 22:43 298,104 --a------ C:\WINDOWS\system32\imon.dll 2007-06-22 22:43 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys 2007-06-22 22:39 1,277 --a------ C:\WINDOWS\mozver.dat 2007-06-22 22:37 0 --a------ C:\WINDOWS\nsreg.dat 2007-06-22 09:52 2007-06-21 20:53 2007-06-21 20:00 2007-06-21 19:56 1,048,576 --ah----- C:\DOCUME~1\MACIU~1\NTUSER.DAT 2007-06-21 19:56 2007-06-21 19:56 2007-06-21 19:56 2007-06-21 19:56 2007-06-21 19:56 2007-06-21 19:56 2007-06-21 19:56 2007-06-20 23:39 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys 2007-06-20 23:14 2007-06-20 23:10 2007-06-20 23:07 208,896 --a------ C:\WINDOWS\system32\NVUNINST.EXE 2007-06-20 23:07 208,896 --a------ C:\WINDOWS\system32\nvudisp.exe 2007-06-20 23:07 2007-06-20 23:07 2007-06-20 23:03 41,984 --------- C:\WINDOWS\Ctregrun.exe 2007-06-20 23:00 44,032 --------- C:\WINDOWS\system32\CTSVCCDA.EXE 2007-06-20 23:00 25,088 --------- C:\WINDOWS\system32\CTSVCCTL.EXE 2007-06-20 22:59 2007-06-20 22:59 2007-06-20 22:53 90,112 --------- C:\WINDOWS\Updreg.EXE 2007-06-20 22:53 82,944 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys 2007-06-20 22:53 6,400 --a------ C:\WINDOWS\system32\drivers\splitter.sys 2007-06-20 22:53 54,272 --a------ C:\WINDOWS\system32\drivers\swmidi.sys 2007-06-20 22:53 52,864 --a------ C:\WINDOWS\system32\drivers\DMusic.sys 2007-06-20 22:53 2,944 --a------ C:\WINDOWS\system32\drivers\drmkaud.sys 2007-06-20 22:53 171,776 --a------ C:\WINDOWS\system32\drivers\kmixer.sys 2007-06-20 22:53 142,464 --a------ C:\WINDOWS\system32\drivers\aec.sys 2007-06-20 22:52 7,552 --a------ C:\WINDOWS\system32\drivers\MSKSSRV.sys 2007-06-20 22:52 60,800 --a------ C:\WINDOWS\system32\drivers\sysaudio.sys 2007-06-20 22:52 60,288 --a------ C:\WINDOWS\system32\drivers\drmk.sys 2007-06-20 22:52 5,376 --a------ C:\WINDOWS\system32\drivers\MSPCLOCK.sys 2007-06-20 22:52 4,992 --a------ C:\WINDOWS\system32\drivers\MSPQM.sys 2007-06-20 22:52 4,096 --a------ C:\WINDOWS\system32\ksuser.dll 2007-06-20 22:52 145,792 --a------ C:\WINDOWS\system32\drivers\portcls.sys 2007-06-20 22:52 133,632 -ra------ C:\WINDOWS\system32\CtDvInst.dll 2007-06-20 22:51 11,264 --a------ C:\WINDOWS\INRES.DLL 2007-06-20 22:51 2007-06-20 22:46 2007-06-20 22:45 2007-06-20 22:43 2007-06-20 22:42 (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-06-20 18:41:59 49,712 ----a-w C:\WINDOWS\system32\perfc015.dat 2007-06-20 18:41:59 355,830 ----a-w C:\WINDOWS\system32\perfh015.dat 2007-06-20 18:29:18 -------- d-----w C:\Program Files\Usługi online ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects] {2F364306-AA45-47B5-9F9D-39A8B94E7EF7}=E:\Program Files\FlashGet\jccatch.dll [2007-06-11 11:55] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43] {F156768E-81EF-470C-9057-481BA8380DBA}=E:\Program Files\FlashGet\getflash.dll [2007-05-16 07:05] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “CTSysVol”=“C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe” [2005-10-31 10:51] “!AVG Anti-Spyware”=“E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe” [2007-06-11 11:25] “nod32kui”=“C:\Program Files\Eset\nod32kui.exe” [2007-06-22 22:43] “COMODO Firewall Pro”=“E:\Program Files\Comodo\Firewall\CPF.exe” [2007-06-25 14:25] “SunJavaUpdateSched”=“C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe” [2007-03-14 03:43] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “CTFMON.EXE”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-04 00:44] “DAEMON Tools”=“C:\Program Files\DAEMON Tools\daemon.exe” [2007-04-04 00:29] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks] “{57B86673-276A-48B2-BAE7-C6DBB3020EB8}”=“E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll” [2007-05-30 14:29] [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver] [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz] nwiz.exe /install [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17Helper] Rundll32 P17.dll,P17Helper [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg] C:\WINDOWS\UpdReg.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPop] C:\Program Files\WinPop\winpop.exe ************************************************************************** catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net Rootkit scan 2007-07-02 18:46:40 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ************************************************************************** Completion time: 2007-07-02 18:48:23 C:\ComboFix-quarantined-files.txt … 2007-06-30 23:58 C:\ComboFix2.txt … 2007-07-02 09:52 C:\ComboFix3.txt … 2007-06-30 23:59 — E O F —

Z góry dziękuje za wszystko… a jeśli można wiedzieć jakiego Ty antyvirusa i firewalla używasz?

adam9870 · 2 Lipiec 2007 17:55

Uruchom system w trybie awaryjnym, a następnie skasuj ręcznie folder C:\Program Files** BearShare Applications**

Ramsik · 2 Lipiec 2007 18:05

Ale dlaczego…? Tym programem ściągam muzykę… naprzykład…

Nadal nie odpowiedziałeś na moje pytanie

adam9870 · 2 Lipiec 2007 18:35

Muzykę ściągasz programem BearShare natomiast BearShare Applications jest szkodnikiem instalującym się w postaci toolbara w przeglądarce Internet Explorer. Dodatek ten nie jest potrzebny do prawidłowej pracy programu i instalator aplikacji daje możliwość nieinstalowania go, co zresztą jest napisane w licencji programu.

Nie jest to żadną tajemnicą - korzystam z pakietu G DATA Internet Security.

Ramsik · 2 Lipiec 2007 19:14

Ale w tym folderze znajduję się cały BearShare…

Dowód jakby co http://www.republika.pl/jk3_gsm/1.JPG