lolex44
(Lolex44)
18 June 2007 20:55
#1
As in the title… For a short while now I've had this problem: after some time the internet disconnects (I have a modem, Netia). Of course I reconnect it, but after a while it does it again :-x This is very troublesome when downloading a file. Please check the log. (I'm only concerned with this problem; you can leave the other viruses alone, because this is what matters most to me.) I'd really appreciate some help.
HJ
Logfile of HijackThis v1.99.1
Scan saved at 22:48:49, on 2007-06-18
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Documents and Settings\ja\Pulpit\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {CE5E1D69-DEDD-8959-DD7D-F9ADD29273E3} - D:\WINDOWS\system32\dbsjd.dll
O4 - HKLM…\Run: [AudioDeck] D:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM…\Run: [speedTouch USB Diagnostics] "D:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM…\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM…\Run: [uVS10 Preload] C:\URBAN\uvPL.exe
O4 - HKLM…\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM…\Run: [ipmon] ipmon.exe
O4 - HKLM…\Run: [AutoSys] D:\WINDOWS\system32\autosys.exe
O4 - HKLM…\Run: [DAEMON Tools-1033] "D:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKCU…\Run: [Rusa] "D:\WINDOWS\DOBE~1\dvdplay.exe" -vt yazb
O4 - HKCU…\Run: [Aqb] D:\WINDOWS\system32??sks\m?config.exe
O4 - HKCU…\Run: [eMuleAutoStart] D:\Program Files\eMule\emule.exe -AutoStart
O4 - Startup: Adobe Gamma.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: UniSpiker-2.6.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O17 - HKLM\System\CCS\Services\Tcpip…{68F02E44-5E54-4B10-927D-F9370F8F2EF4}: NameServer = 83.238.255.76 213.241.79.37
O17 - HKLM\System\CS1\Services\Tcpip…{68F02E44-5E54-4B10-927D-F9370F8F2EF4}: NameServer = 83.238.255.76 213.241.79.37
O20 - Winlogon Notify: winzdn32 - D:\WINDOWS\SYSTEM32\winzdn32.dll
O20 - Winlogon Notify: wudb - D:\WINDOWS\system32\wudb.dll
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - D:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
Silent Runners
“Silent Runners.vbs”, revision R50, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “Rusa” = ““D:\WINDOWS\DOBE~1\dvdplay.exe” -vt yazb” [null data] “Aqb” = “D:\WINDOWS\system32**sks\m*config.exe” (unwritable string) [null data] “eMuleAutoStart” = “D:\Program Files\eMule\emule.exe -AutoStart” [“http://www.emule-project.net ”] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “AudioDeck” = “D:\Program Files\VIAudioi\SBADeck\ADeck.exe 1” [“VIA Technologies, Inc.”] “SpeedTouch USB Diagnostics” = ““D:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” /icon” [“THOMSON Telecom Belgium”] “KernelFaultCheck” = “D:\WINDOWS\system32\dumprep 0 -k” “UVS10 Preload” = “C:\URBAN\uvPL.exe” [file not found] “QuickTime Task” = ““D:\Program Files\QuickTime\qttask.exe” -atboottime” [“Apple Computer, Inc.”] “ipmon” = “ipmon.exe” [MS] “AutoSys” = “D:\WINDOWS\system32\autosys.exe” [null data] “DAEMON Tools-1033” = ““D:\Program Files\D-Tools\daemon.exe” -lang 1033” [“DAEMON’S HOME”] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “AcroIEHlprObj Class” \InProcServer32(Default) = “D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”] {CE5E1D69-DEDD-8959-DD7D-F9ADD29273E3}(Default) = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “D:\WINDOWS\system32\dbsjd.dll” [null data] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “D:\WINDOWS\system32\hticons.dll” [“Hilgraeve, Inc.”] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = 
“WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “D:\Program Files\WinRAR\rarext.dll” [null data] “{DBD8E168-244D-448C-9922-25508950D1DC}” = “Ulead UDF Driver” -> {HKLM…CLSID} = “USIShellExt Class” \InProcServer32(Default) = “D:\Program Files\Common Files\Ulead Systems\DVD\USIShex.dll” [“Ulead Systems, Inc.”] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <> AtiExtEvent\DLLName = “Ati2evxx.dll” [“ATI Technologies Inc.”] <> winzdn32\DLLName = “winzdn32.dll” [null data] <> wudb\DLLName = “D:\WINDOWS\system32\wudb.dll” [null data] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info” -> {HKLM…CLSID} = “PDF Shell Extension” \InProcServer32(Default) = “D:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “D:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “D:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “D:\Program Files\WinRAR\rarext.dll” [null data] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. 
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “D:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “D:\Documents and Settings\ja\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Startup items in “ja” & “All Users” startup folders: ---------------------------------------------------- D:\Documents and Settings\ja\Menu Start\Programy\Autostart “Adobe Gamma” -> shortcut to: “D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe” [“Adobe Systems, Inc.”] “UniSpiker-2.6” -> shortcut to: “D:\Program Files\ivo\UniSpiker-2.6\uni_spiker-2.6.exe” [file not found] D:\Documents and Settings\All Users\Menu Start\Programy\Autostart “Adobe Reader Speed Launch” -> shortcut to: “D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe” [“Adobe Systems Incorporated”] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = 
“%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Ati HotKey Poller, Ati HotKey Poller, “D:\WINDOWS\system32\Ati2evxx.exe” [“ATI Technologies Inc.”] Windows User Mode Driver Framework, UMWdf, “D:\WINDOWS\system32\wdfmgr.exe” [MS] ---------- <>: Suspicious data at a malware launch point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 135 seconds. ---------- (total run time: 178 seconds)
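The helpers in this thread pick out the same kinds of entries from the HijackThis log by eye: a BHO with "(no name)", a Run value whose path the tool cannot render (Silent Runners calls the same "Aqb" value an "unwritable string"), a Run value that is just a bare file name, and Winlogon Notify DLLs. The script below is an added example, not part of the original post or of HijackThis itself; it parses the O2, O4 and O20 line formats and applies those triage rules to a constructed sample modelled on the log above. The rules, the `Finding` type and the sample lines are all assumptions of this example.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v1.99 format, modelled on the log posted in
# this thread (trimmed, not a verbatim copy). "HKLM\..\Run" is the tool's own
# abbreviation for HK*\Software\Microsoft\Windows\CurrentVersion\Run.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {CE5E1D69-DEDD-8959-DD7D-F9ADD29273E3} - D:\WINDOWS\system32\dbsjd.dll
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ipmon] ipmon.exe
O4 - HKCU\..\Run: [Aqb] D:\WINDOWS\system32\??sks\m?config.exe
O20 - Winlogon Notify: wudb - D:\WINDOWS\system32\wudb.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O4"
    name: str      # entry name as shown in the log
    target: str    # image or DLL the entry loads
    reasons: list  # why the entry was flagged for review


def image_path(cmd: str) -> str:
    """Return the executable part of a Run-key command line (quoted or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def path_reasons(path: str) -> list:
    """Heuristics on the loaded path alone; an empty list means nothing odd."""
    reasons = []
    # '?' cannot appear in an NTFS file name, so a '?' in the log means the
    # tool could not print the real character: a name chosen to defeat review.
    if "?" in path or any(ord(c) < 0x20 for c in path):
        reasons.append("unprintable character in path")
    # No directory at all: the loader walks the PATH search order at logon
    # instead of a fixed location, so the file is easy to miss and to replace.
    if "\\" not in path:
        reasons.append("bare file name: resolved through the PATH search order, not a fixed location")
    return reasons


def triage(log_text: str) -> list:
    """Parse O2/O4/O20 lines and return the entries a reviewer should look at first."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if (m := O2_RE.match(line)):
            reasons = path_reasons(m["path"])
            if m["name"] == "(no name)":
                reasons.append("BHO with no registered name")
            if reasons:
                findings.append(Finding("O2", m["name"], m["path"], reasons))
        elif (m := O4_RE.match(line)):
            target = image_path(m["cmd"])
            reasons = path_reasons(target)
            if reasons:
                findings.append(Finding("O4", m["name"], target, reasons))
        elif (m := O20_RE.match(line)):
            reasons = path_reasons(m["path"])
            reasons.append("Winlogon Notify DLL: loaded into winlogon.exe at every logon; verify the vendor")
            findings.append(Finding("O20", m["name"], m["path"], reasons))
        # Other sections (R0, O17, O23, ...) are not examined by this example.
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section} [{f.name}] {f.target}")
        for r in f.reasons:
            print("    -", r)
```

On the sample this flags the nameless BHO, the bare `ipmon.exe`, the unprintable `Aqb` path and the `wudb` Winlogon Notify DLL, and leaves the QuickTime, KernelFaultCheck and service entries alone. The rules are deliberately narrow; an O20 hit only says "look at this", which is exactly what the thread's helpers did before asking for a ComboFix log.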
Check in your internet connection options whether you have "disconnect after X minutes" set. That's what helped in my case.
lolex44
(Lolex44)
18 June 2007 21:19
#3
Where do I check that? (Be specific, because I'm a newbie.)
P.S. Is this how it should look? http://images21.fotosik.pl/375/5ff40a118cd15049med.jpg
Gutek
(Gutek)
18 June 2007 22:25
#4
Post a ComboFix log.
Files to delete in Safe Mode:
lolex44
(Lolex44)
18 June 2007 22:57
#5
I haven't deleted those files yet (the ones you listed), but here's the scan:
ComboFix 07-06-13.7 - D:\Documents and Settings\ja\Pulpit\ComboFix.exe “ja” - 2007-06-19 0:58:23 - Dodatek Service Pack 2 NTFS Rootkit driver xpdt is present. … attempting disinfection xpdt … driver unloaded successfully. (((((((((((((((((((((((((((((((((((((((((((( V Log ))))))))))))))))))))))))))))))))))))))))))))))))))))))) D:\WINDOWS\system32\winzdn32.dll * * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) D:\Program Files\Common Files\Yazzle1162OinAdmin.exe D:\Program Files\Common Files\Yazzle1162OinUninstaller.exe D:\Program Files\mbols~1 D:\Program Files\outerinfo D:\Program Files\outerinfo\Terms.rtf D:\WINDOWS\dobe~1 D:\WINDOWS\dobe~1\dvdplay.exe D:\WINDOWS\dobe~1\dvdplay.exe~ D:\WINDOWS\system32\sks~1 D:\WINDOWS\system32\sks~1\m?config.exe D:\WINDOWS\system32\xpdt.sys ((((((((((((((((((((((((( Files Created from 2007-05-18 to 2007-06-18 ))))))))))))))))))))))))))))))) 2007-06-19 00:53 49,152 --a------ D:\WINDOWS\nircmd.exe 2007-06-19 00:43 2007-06-18 14:40 1,156 --a------ D:\WINDOWS\mozver.dat 2007-06-14 17:56 2007-06-12 16:45 2007-06-12 16:41 81,768 --a------ D:\WINDOWS\system32\xinput1_3.dll 2007-06-12 16:41 62,744 --a------ D:\WINDOWS\system32\xinput1_2.dll 2007-06-12 16:41 443,752 --a------ D:\WINDOWS\system32\d3dx10_33.dll 2007-06-12 16:41 3,495,784 --a------ D:\WINDOWS\system32\d3dx9_33.dll 2007-06-12 16:41 3,426,072 --a------ D:\WINDOWS\system32\d3dx9_32.dll 2007-06-12 16:41 261,480 --a------ D:\WINDOWS\system32\xactengine2_7.dll 2007-06-12 16:41 255,848 --a------ D:\WINDOWS\system32\xactengine2_6.dll 2007-06-12 16:41 251,672 --a------ D:\WINDOWS\system32\xactengine2_5.dll 2007-06-12 16:41 237,848 --a------ D:\WINDOWS\system32\xactengine2_4.dll 2007-06-12 16:41 236,824 --a------ D:\WINDOWS\system32\xactengine2_3.dll 2007-06-12 16:41 2,414,360 --a------ D:\WINDOWS\system32\d3dx9_31.dll 2007-06-12 16:41 
2,297,552 --a------ D:\WINDOWS\system32\d3dx9_26.dll 2007-06-12 16:41 15,128 --a------ D:\WINDOWS\system32\x3daudio1_1.dll 2007-06-12 16:41 1,123,696 --a------ D:\WINDOWS\system32\D3DCompiler_33.dll 2007-06-10 16:00 60,928 --a------ D:\WINDOWS\system32\dbsjd.dll 2007-06-09 15:26 2007-06-09 15:08 2007-06-09 14:50 2007-06-09 14:50 2007-06-09 14:49 685,816 --a------ D:\WINDOWS\system32\drivers\sptd.sys 2007-06-09 03:30 1,742 --a------ D:\WINDOWS\system32\sdbackup.reg 2007-06-09 03:19 438,272 -ra------ D:\WINDOWS\system32\vp6vfw.dll 2007-06-09 02:50 5,248 --a------ D:\WINDOWS\system32\drivers\d347prt.sys 2007-06-09 02:50 155,136 --a------ D:\WINDOWS\system32\drivers\d347bus.sys 2007-06-09 02:50 2007-06-09 02:50 2007-06-06 20:34 1,040,384 --a------ D:\WINDOWS\system32\libeay32.dll 2007-06-06 20:30 196,608 --a------ D:\WINDOWS\system32\ssleay32.dll 2007-06-06 18:32 2007-06-06 18:26 2007-06-04 08:31 71,680 --a------ D:\WINDOWS\g243234.exe 2007-06-04 08:31 33,792 --a------ D:\WINDOWS\system32\wudb.dll 2007-05-29 17:26 2 --a------ D:\WINDOWS\system32\wapiisv.exe 2007-05-28 18:13 206 --a------ D:\WINDOWS\g14111828.exe 2007-05-28 14:42 2007-05-27 19:49 2007-05-26 23:06 2007-05-26 23:06 2007-05-26 13:10 2007-05-26 11:50 6,144 --a------ D:\WINDOWS\system32\autosys.exe 2007-05-26 11:50 30,720 --a------ D:\WINDOWS\system32\ipmon.exe 2007-05-26 11:17 2007-05-26 11:17 2007-05-26 11:16 2007-05-26 11:16 2007-05-26 11:16 2007-05-26 11:15 2007-05-26 11:14 2007-05-26 11:14 2007-05-26 02:33 2007-05-23 20:43 (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-06-18 17:08:59 49,492 ----a-w D:\WINDOWS\system32\perfc015.dat 2007-06-18 17:08:59 355,486 ----a-w D:\WINDOWS\system32\perfh015.dat 2007-06-18 17:05:25 -------- d-----w D:\Program Files\eMule 2007-06-16 11:05:17 -------- d-----w D:\Program Files\Mózgo_Trzep 2007-06-15 23:31:53 -------- d-----w D:\Program Files\Gadu-Gadu 2007-06-15 00:44:06 -------- d-----w 
D:\DOCUME~1\ja\DANEAP~1\Azureus 2007-06-12 15:10:44 -------- d–h--w D:\Program Files\InstallShield Installation Information 2007-06-09 13:42:52 163,644 ----a-w D:\WINDOWS\system32\drivers\secdrv.sys 2007-06-06 21:57:57 365 ----a-w D:\WINDOWS\system32\FlashSaver.dat 2007-06-06 16:32:11 55 ----a-w D:\WINDOWS\system32\FsmSaver.dat 2007-05-26 09:14:37 -------- d-----w D:\Program Files\Common Files\InstallShield 2007-05-26 00:27:50 -------- d-----w D:\Program Files\IrfanView 2007-05-18 17:00:25 -------- d-----w D:\DOCUME~1\ja\DANEAP~1\AdobeUM 2007-05-17 16:04:22 -------- d-----w D:\Program Files\NAPI-PROJEKT 2007-05-16 23:00:53 -------- d-----w D:\Program Files\Common Files\Adobe Systems Shared 2007-05-08 16:29:31 -------- d-----w D:\Program Files\San Andreas Mod Installer 2007-05-08 00:52:25 -------- d-----w D:\DOCUME~1\ja\DANEAP~1\Real 2007-05-07 21:47:28 -------- d-----w D:\Program Files\Azureus 2007-05-06 22:37:43 -------- d-----w D:\Program Files\Game Cam 2007-05-02 18:08:41 98,304 ----a-w D:\WINDOWS\system32\CmdLineExt.dll 2007-04-23 21:05:54 -------- d-----w D:\DOCUME~1\ja\DANEAP~1\Help 2007-04-23 20:34:36 -------- d-----w D:\Program Files\Real Alternative 2007-04-23 20:34:35 -------- d-----w D:\Program Files\Media Player Classic 2007-04-23 14:13:43 -------- d-----w D:\DOCUME~1\ja\DANEAP~1\Media Player Classic 2007-04-23 14:13:18 -------- d-----w D:\Program Files\K-Lite Codec Pack 2007-04-23 14:02:57 -------- d-----w D:\Program Files\Winamp 2007-04-23 13:18:51 -------- d-----w D:\Program Files\MarBit 2007-04-22 23:05:49 -------- d-----w D:\Program Files\VIAudioi 2007-04-22 22:03:45 -------- d-----w D:\Program Files\Symantec 2007-04-22 22:03:45 -------- d-----w D:\Program Files\Common Files\Symantec Shared 2007-04-22 22:03:44 -------- d-----w D:\DOCUME~1\ja\DANEAP~1\Symantec 2007-04-22 19:00:54 -------- d-----w D:\DOCUME~1\ja\DANEAP~1\Opera 2007-04-22 17:52:46 -------- d-----w D:\Program Files\Wapster 2007-04-22 17:03:12 0 ----a-w D:\WINDOWS\nsreg.dat 2007-04-22 
16:33:57 -------- d-----w D:\Program Files\Thomson 2007-04-22 16:31:54 -------- d-----w D:\Program Files\neostrada tp 2007-04-22 14:54:59 -------- d-----w D:\Program Files\Messenger 2007-04-22 13:36:33 -------- d-----w D:\Program Files\AMD 2007-04-22 13:32:56 -------- d-----w D:\Program Files\VIA 2007-04-22 08:15:52 -------- d-----w D:\DOCUME~1\ja\DANEAP~1\Lavasoft 2007-04-22 08:15:21 -------- d-----w D:\Program Files\Common Files\Wise Installation Wizard 2007-04-22 02:55:45 -------- d-----w D:\Program Files\Common Files\ODBC 2007-04-22 02:55:41 -------- d-----w D:\Program Files\Common Files\SpeechEngines 2007-04-22 02:00:22 -------- d-----w D:\DOCUME~1\ja\DANEAP~1\Gadu-Gadu 2007-04-22 01:04:25 -------- d-----w D:\Program Files\microsoft frontpage 2007-04-22 01:02:24 -------- d–h--w D:\Program Files\WindowsUpdate 2007-04-22 01:02:21 -------- d-----w D:\Program Files\Usługi online 2007-04-22 01:01:27 -------- d-----w D:\Program Files\Common Files\MSSoap 2007-04-22 01:01:19 -------- d-----w D:\Program Files\Movie Maker 2007-04-22 01:00:22 21,856 ----a-w D:\WINDOWS\system32\emptyregdb.dat 2007-04-22 00:59:50 -------- d-----w D:\Program Files\MSN Gaming Zone 2007-04-22 00:59:41 -------- d-----w D:\Program Files\Windows NT 2007-04-14 08:12:58 10,752 ----a-w D:\WINDOWS\system32\ff_vfw.dll 2007-03-22 19:05:00 520,192 ------w D:\WINDOWS\system32\ati2sgag.exe ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects] {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2005-09-24 06:12] {CE5E1D69-DEDD-8959-DD7D-F9ADD29273E3}=D:\WINDOWS\system32\dbsjd.dll [2007-05-21 15:59] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “QuickTime Task”=“D:\Program Files\QuickTime\qttask.exe” [2007-05-26 11:16] 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “Aqb”=“D:\WINDOWS\system32??sks\m?config.exe” [] “Odkurzacz-MCD”=“D:\Program Files\Odkurzacz\odk_mcd.exe” [2007-05-03 10:02] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wudb] D:\WINDOWS\system32\wudb.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk] path=D:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk backup=D:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^ja^Menu Start^Programy^Autostart^Adobe Gamma.lnk] path=D:\Documents and Settings\ja\Menu Start\Programy\Autostart\Adobe Gamma.lnk backup=D:\WINDOWS\pss\Adobe Gamma.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^ja^Menu Start^Programy^Autostart^UniSpiker-2.6.lnk] path=D:\Documents and Settings\ja\Menu Start\Programy\Autostart\UniSpiker-2.6.lnk backup=D:\WINDOWS\pss\UniSpiker-2.6.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AudioDeck] D:\Program Files\VIAudioi\SBADeck\ADeck.exe 1 [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoSys] D:\WINDOWS\system32\autosys.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033] “D:\Program Files\D-Tools\daemon.exe” -lang 1033 [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eMuleAutoStart] D:\Program Files\eMule\emule.exe -AutoStart [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ipmon] ipmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared 
tools\msconfig\startupreg\KernelFaultCheck] %systemroot%\system32\dumprep 0 -k [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] “D:\Program Files\Messenger\msmsgs.exe” /background [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Rusa] “D:\WINDOWS\DOBE~1\dvdplay.exe” -vt yazb [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedTouch USB Diagnostics] “D:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” /icon [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UVS10 Preload] C:\URBAN\uvPL.exe ************************************************************************** catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net Rootkit scan 2007-06-19 01:03:13 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ************************************************************************** Completion time: 2007-06-19 1:04:33 - machine was rebooted D:\ComboFix-quarantined-files.txt … 2007-06-19 01:04 — E O F —
Posts merged: 19.06.2007 (Tue) 1:46
I deleted all of them except "winzdn32.dll", because it wasn't there, and "wudb.dll", because it couldn't be deleted.
Posts merged: 19.06.2007 (Tue) 11:51
Now it's even worse. The net disconnects every 15 minutes and I can only reconnect it after a restart.
Please help.
qrczak13
(qrczak13)
19 June 2007 20:29
#6
Download The Avenger,
unpack > run > Input script manually > click the magnifying glass > in the newly opened window paste:
After pasting > Done > click the green light > OK and there will be a restart. After the restart go to where you have The Avenger and paste the report C:\avenger.txt.
New ComboFix log
lolex44
(Lolex44)
19 June 2007 21:23
#7
Avenger: (there were probably some errors, so I don't know whether everything is OK.)
//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////
Syntax error in line — does not appear to be a valid registry path. Line will be ignored.
Error code: 1813
Line: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" | "Aqb
//////////////////////////////////////////
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\fvrlmuol
*******************
Script file located at: ??\D:\WINDOWS\cxpcmcse.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at D:\Avenger
*******************
Beginning to process script file:
File D:\WINDOWS\system32\dbsjd.dll not found!
Deletion of file D:\WINDOWS\system32\dbsjd.dll failed!
Could not process line:
D:\WINDOWS\system32\dbsjd.dll
Status: 0xc0000034
File D:\WINDOWS\g243234.exe not found!
Deletion of file D:\WINDOWS\g243234.exe failed!
Could not process line:
D:\WINDOWS\g243234.exe
Status: 0xc0000034
File D:\WINDOWS\system32\wudb.dll deleted successfully.
File D:\WINDOWS\system32\wapiisv.exe deleted successfully.
File D:\WINDOWS\g14111828.exe deleted successfully.
File D:\WINDOWS\system32\autosys.exe not found!
Deletion of file D:\WINDOWS\system32\autosys.exe failed!
Could not process line:
D:\WINDOWS\system32\autosys.exe
Status: 0xc0000034
File D:\WINDOWS\system32\ipmon.exe not found!
Deletion of file D:\WINDOWS\system32\ipmon.exe failed!
Could not process line:
D:\WINDOWS\system32\ipmon.exe
Status: 0xc0000034
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects{CE5E1D69-DEDD-8959-DD7D-F9ADD29273E3} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wudb deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoSys not found!
Deletion of registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoSys failed!
Status: 0xc0000034
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ipmon not found!
Deletion of registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ipmon failed!
Status: 0xc0000034
Completed script processing.
*******************
Finished! Terminate.
qrczak13
(qrczak13)
19 June 2007 21:27
#8
Clean the registry > jv16 PowerTools 2006 1.5.2.350, and paste a new ComboFix log.
lolex44
(Lolex44)
19 June 2007 21:56
#9
Registry cleaned. ComboFix:
ComboFix 07-06-13.7 - D:\Documents and Settings\ja\Pulpit\ComboFix.exe “ja” - 2007-06-20 0:05:02 - Dodatek Service Pack 2 NTFS ((((((((((((((((((((((((( Files Created from 2007-05-19 to 2007-06-19 ))))))))))))))))))))))))))))))) 2007-06-19 23:51 2007-06-19 22:23 95,872 --a------ D:\WINDOWS\system32\AvastSS.scr 2007-06-19 22:23 94,552 --a------ D:\WINDOWS\system32\drivers\aswmon2.sys 2007-06-19 22:23 85,952 --a------ D:\WINDOWS\system32\drivers\aswmon.sys 2007-06-19 22:23 745,600 --a------ D:\WINDOWS\system32\aswBoot.exe 2007-06-19 22:23 43,176 --a------ D:\WINDOWS\system32\drivers\aswTdi.sys 2007-06-19 22:23 26,888 --a------ D:\WINDOWS\system32\drivers\aavmker4.sys 2007-06-19 22:23 23,416 --a------ D:\WINDOWS\system32\drivers\aswRdr.sys 2007-06-19 22:23 2007-06-19 00:53 49,152 --a------ D:\WINDOWS\nircmd.exe 2007-06-19 00:43 2007-06-18 14:40 1,156 --a------ D:\WINDOWS\mozver.dat 2007-06-14 17:56 2007-06-12 16:45 2007-06-12 16:41 81,768 --a------ D:\WINDOWS\system32\xinput1_3.dll 2007-06-12 16:41 62,744 --a------ D:\WINDOWS\system32\xinput1_2.dll 2007-06-12 16:41 443,752 --a------ D:\WINDOWS\system32\d3dx10_33.dll 2007-06-12 16:41 3,495,784 --a------ D:\WINDOWS\system32\d3dx9_33.dll 2007-06-12 16:41 3,426,072 --a------ D:\WINDOWS\system32\d3dx9_32.dll 2007-06-12 16:41 261,480 --a------ D:\WINDOWS\system32\xactengine2_7.dll 2007-06-12 16:41 255,848 --a------ D:\WINDOWS\system32\xactengine2_6.dll 2007-06-12 16:41 251,672 --a------ D:\WINDOWS\system32\xactengine2_5.dll 2007-06-12 16:41 237,848 --a------ D:\WINDOWS\system32\xactengine2_4.dll 2007-06-12 16:41 236,824 --a------ D:\WINDOWS\system32\xactengine2_3.dll 2007-06-12 16:41 2,414,360 --a------ D:\WINDOWS\system32\d3dx9_31.dll 2007-06-12 16:41 2,297,552 --a------ D:\WINDOWS\system32\d3dx9_26.dll 2007-06-12 16:41 15,128 --a------ D:\WINDOWS\system32\x3daudio1_1.dll 2007-06-12 16:41 1,123,696 --a------ D:\WINDOWS\system32\D3DCompiler_33.dll 2007-06-09 15:26 2007-06-09 15:08 2007-06-09 14:50 2007-06-09 14:50 
2007-06-09 14:49 685,816 --a------ D:\WINDOWS\system32\drivers\sptd.sys 2007-06-09 03:30 1,742 --a------ D:\WINDOWS\system32\sdbackup.reg 2007-06-09 03:19 438,272 -ra------ D:\WINDOWS\system32\vp6vfw.dll 2007-06-09 02:50 5,248 --a------ D:\WINDOWS\system32\drivers\d347prt.sys 2007-06-09 02:50 155,136 --a------ D:\WINDOWS\system32\drivers\d347bus.sys 2007-06-09 02:50 2007-06-09 02:50 2007-06-06 20:34 1,040,384 --a------ D:\WINDOWS\system32\libeay32.dll 2007-06-06 20:30 196,608 --a------ D:\WINDOWS\system32\ssleay32.dll 2007-06-06 18:32 2007-06-06 18:26 2007-05-28 14:42 2007-05-27 19:49 2007-05-26 23:06 2007-05-26 23:06 2007-05-26 13:10 2007-05-26 11:17 2007-05-26 11:17 2007-05-26 11:16 2007-05-26 11:16 2007-05-26 11:16 2007-05-26 11:15 2007-05-26 11:14 2007-05-26 11:14 2007-05-26 02:33 2007-05-23 20:43 (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-06-19 21:46:56 49,492 ----a-w D:\WINDOWS\system32\perfc015.dat 2007-06-19 21:46:56 355,486 ----a-w D:\WINDOWS\system32\perfh015.dat 2007-06-19 21:42:57 -------- d-----w D:\Program Files\eMule 2007-06-16 11:05:17 -------- d-----w D:\Program Files\Mózgo_Trzep 2007-06-15 23:31:53 -------- d-----w D:\Program Files\Gadu-Gadu 2007-06-15 00:44:06 -------- d-----w D:\DOCUME~1\ja\DANEAP~1\Azureus 2007-06-12 15:10:44 -------- d–h--w D:\Program Files\InstallShield Installation Information 2007-06-09 13:42:52 163,644 ----a-w D:\WINDOWS\system32\drivers\secdrv.sys 2007-06-06 21:57:57 365 ----a-w D:\WINDOWS\system32\FlashSaver.dat 2007-06-06 16:32:11 55 ----a-w D:\WINDOWS\system32\FsmSaver.dat 2007-05-26 09:14:37 -------- d-----w D:\Program Files\Common Files\InstallShield 2007-05-26 00:27:50 -------- d-----w D:\Program Files\IrfanView 2007-05-18 17:00:25 -------- d-----w D:\DOCUME~1\ja\DANEAP~1\AdobeUM 2007-05-17 16:04:22 -------- d-----w D:\Program Files\NAPI-PROJEKT 2007-05-16 23:00:53 -------- d-----w D:\Program Files\Common Files\Adobe Systems Shared 2007-05-08 
16:29:31 -------- d-----w D:\Program Files\San Andreas Mod Installer
2007-05-08 00:52:25 -------- d-----w D:\DOCUME~1\ja\DANEAP~1\Real
2007-05-07 21:47:28 -------- d-----w D:\Program Files\Azureus
2007-05-06 22:37:43 -------- d-----w D:\Program Files\Game Cam
2007-05-02 18:08:41 98,304 ----a-w D:\WINDOWS\system32\CmdLineExt.dll
2007-04-23 21:05:54 -------- d-----w D:\DOCUME~1\ja\DANEAP~1\Help
2007-04-23 20:34:36 -------- d-----w D:\Program Files\Real Alternative
2007-04-23 20:34:35 -------- d-----w D:\Program Files\Media Player Classic
2007-04-23 14:13:43 -------- d-----w D:\DOCUME~1\ja\DANEAP~1\Media Player Classic
2007-04-23 14:13:18 -------- d-----w D:\Program Files\K-Lite Codec Pack
2007-04-23 14:02:57 -------- d-----w D:\Program Files\Winamp
2007-04-23 13:18:51 -------- d-----w D:\Program Files\MarBit
2007-04-22 23:05:49 -------- d-----w D:\Program Files\VIAudioi
2007-04-22 22:03:45 -------- d-----w D:\Program Files\Symantec
2007-04-22 22:03:45 -------- d-----w D:\Program Files\Common Files\Symantec Shared
2007-04-22 22:03:44 -------- d-----w D:\DOCUME~1\ja\DANEAP~1\Symantec
2007-04-22 19:00:54 -------- d-----w D:\DOCUME~1\ja\DANEAP~1\Opera
2007-04-22 17:52:46 -------- d-----w D:\Program Files\Wapster
2007-04-22 17:03:12 0 ----a-w D:\WINDOWS\nsreg.dat
2007-04-22 16:33:57 -------- d-----w D:\Program Files\Thomson
2007-04-22 16:31:54 -------- d-----w D:\Program Files\neostrada tp
2007-04-22 14:54:59 -------- d-----w D:\Program Files\Messenger
2007-04-22 13:36:33 -------- d-----w D:\Program Files\AMD
2007-04-22 13:32:56 -------- d-----w D:\Program Files\VIA
2007-04-22 08:15:52 -------- d-----w D:\DOCUME~1\ja\DANEAP~1\Lavasoft
2007-04-22 08:15:21 -------- d-----w D:\Program Files\Common Files\Wise Installation Wizard
2007-04-22 02:55:45 -------- d-----w D:\Program Files\Common Files\ODBC
2007-04-22 02:55:41 -------- d-----w D:\Program Files\Common Files\SpeechEngines
2007-04-22 02:00:22 -------- d-----w D:\DOCUME~1\ja\DANEAP~1\Gadu-Gadu
2007-04-22 01:04:25 -------- d-----w D:\Program Files\microsoft frontpage
2007-04-22 01:02:24 -------- d--h--w D:\Program Files\WindowsUpdate
2007-04-22 01:02:21 -------- d-----w D:\Program Files\Usługi online
2007-04-22 01:01:27 -------- d-----w D:\Program Files\Common Files\MSSoap
2007-04-22 01:01:19 -------- d-----w D:\Program Files\Movie Maker
2007-04-22 01:00:22 21,856 ----a-w D:\WINDOWS\system32\emptyregdb.dat
2007-04-22 00:59:50 -------- d-----w D:\Program Files\MSN Gaming Zone
2007-04-22 00:59:41 -------- d-----w D:\Program Files\Windows NT
2007-04-14 08:12:58 10,752 ----a-w D:\WINDOWS\system32\ff_vfw.dll
2007-03-22 19:05:00 520,192 ------w D:\WINDOWS\system32\ati2sgag.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2005-09-24 06:12]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="D:\Program Files\QuickTime\qttask.exe" [2007-05-26 11:16]
"SpeedTouch USB Diagnostics"="D:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-08-06 09:45]
"ipmon"="ipmon.exe" []
"DAEMON Tools-1033"="D:\Program Files\D-Tools\daemon.exe" [2004-08-22 17:05]
"AudioDeck"="D:\Program Files\VIAudioi\SBADeck\ADeck.exe" [2006-03-20 16:26]
"avast!"="D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 17:42]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aqb"="D:\WINDOWS\system32??sks\m?config.exe" []
"Odkurzacz-MCD"="D:\Program Files\Odkurzacz\odk_mcd.exe" [2007-05-03 10:02]
"MSMSGS"="D:\Program Files\Messenger\msmsgs.exe" []
"eMuleAutoStart"="D:\Program Files\eMule\emule.exe" [2006-09-14 16:15]

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-20 00:06:42
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-20 0:07:26
D:\ComboFix-quarantined-files.txt ... 2007-06-20 00:07
D:\ComboFix2.txt ... 2007-06-19 23:38
D:\ComboFix3.txt ... 2007-06-19 01:04
--- E O F ---
qrczak13
(qrczak13)
19 June 2007 22:11
#10
Paste into Notepad:
File > Save As > change the file type from .txt to All Files > save it under the name Fix.reg, e.g. on the
desktop > double-click Fix.reg > confirm > reboot.
And it will be fine.
lolex44
(Lolex44)
20 June 2007 00:10
#11
It worked for about 2 hours and then the same thing again. Any other ideas?
Here is another HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 02:33:05, on 2007-06-20
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Documents and Settings\ja\Pulpit\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "D:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [ipmon] ipmon.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AudioDeck] D:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKCU\..\Run: [Aqb] D:\WINDOWS\system32??sks\m?config.exe
O4 - HKCU\..\Run: [Odkurzacz-MCD] D:\Program Files\Odkurzacz\odk_mcd.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [eMuleAutoStart] D:\Program Files\eMule\emule.exe -AutoStart
O4 - Startup: Adobe Gamma.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: UniSpiker-2.6.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{68F02E44-5E54-4B10-927D-F9370F8F2EF4}: NameServer = 83.238.255.76 213.241.79.37
O17 - HKLM\System\CS1\Services\Tcpip\..\{68F02E44-5E54-4B10-927D-F9370F8F2EF4}: NameServer = 83.238.255.76 213.241.79.37
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - D:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
Merged post: 20.06.2007 (Wed) 10:58
I don't know whether this matters (though it may be characteristic of some trojan), but at the moment of the "disconnect" the visual style switches for a second to the Windows 98/95 look.
qrczak13
(qrczak13)
20 June 2007 19:59
#12
Download Windows Worms Doors Cleaner, set the markers to green; NetBIOS may stay yellow.
A reboot is required after using the tool.
Delete the file marked in red in Safe Mode, and the entry in HJT.
Read up on removing Purity and apply it.
After doing the above, post a ComboFix log.
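As an added example (my own code, not anything posted in this thread and not part of HijackThis, ComboFix or the Purity removal guides), here is a small Python triage of the O4 and O17 lines that posts #10 and #12 are dealing with. It flags Run entries whose path contains characters HijackThis 1.99 had to print as `?` (the Purity pattern in `D:\WINDOWS\system32??sks\m?config.exe`) or that are a bare file name such as `ipmon.exe`, compares the O17 NameServer addresses against a set you supply, and builds the text of the Fix.reg that post #10 tells you to create in Notepad. The sample log lines are copied from the logs above and embedded as a constructed string; `EXPECTED_DNS` is an assumption standing in for the resolver addresses your ISP actually publishes, and `triage`, `fix_reg`, `check_dns` and `image_path` are names I chose.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the O4/O17 lines in the HijackThis logs in this
# thread (paths and value names copied from them; this is not a real log file).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ipmon] ipmon.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Aqb] D:\WINDOWS\system32??sks\m?config.exe
O4 - HKCU\..\Run: [eMuleAutoStart] D:\Program Files\eMule\emule.exe -AutoStart
O17 - HKLM\System\CCS\Services\Tcpip\..\{68F02E44-5E54-4B10-927D-F9370F8F2EF4}: NameServer = 83.238.255.76 213.241.79.37
"""

HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d. ]+)$")


@dataclass
class Finding:
    hive: str      # HKLM / HKCU
    name: str      # value name under ...\Run
    image: str     # executable the entry launches
    reasons: list = field(default_factory=list)


def image_path(cmd: str) -> str:
    """First token of the command line: a quoted path, or everything up to the first space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage(log_text: str) -> list:
    """Return the O4 Run entries that deserve a second look, with the reason for each."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        image = image_path(m.group("cmd"))
        reasons = []
        # HijackThis 1.99 prints '?' for characters it cannot show in the ANSI code page,
        # and '?' is not legal in a Windows path, so a '?' here means a non-ASCII name
        # (the trick behind the system32\??sks\m?config.exe entry seen in this thread).
        if "?" in image or any(ord(c) > 127 for c in image):
            reasons.append("non-displayable characters in path")
        # A bare file name is resolved through the search path at logon, so the entry
        # says nothing about where the binary lives and is easy to plant.
        if "\\" not in image:
            reasons.append("bare file name, no directory")
        if reasons:
            findings.append(Finding(m.group("hive"), m.group("name"), image, reasons))
    return findings


def fix_reg(findings: list) -> str:
    """Text of a Fix.reg that deletes the flagged Run values ("name"=- removes a value)."""
    by_hive = {}
    for f in findings:
        by_hive.setdefault(f.hive, []).append(f.name)
    parts = ["Windows Registry Editor Version 5.00", ""]
    for hive, names in by_hive.items():
        parts.append(f"[{HIVES[hive]}\\{RUN_KEY}]")
        parts.extend(f'"{n}"=-' for n in names)
        parts.append("")
    return "\n".join(parts)


def check_dns(log_text: str, expected: set) -> list:
    """O17 NameServer addresses that are not in the set your ISP actually publishes."""
    unexpected = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            for server in m.group("servers").split():
                if server not in expected and server not in unexpected:
                    unexpected.append(server)
    return unexpected


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.hive} Run\\{f.name}: {f.image}  <- {', '.join(f.reasons)}")
    # Assumption: replace with the resolver addresses your ISP publishes.
    EXPECTED_DNS = {"83.238.255.76", "213.241.79.37"}
    print("unexpected DNS:", check_dns(SAMPLE_LOG, EXPECTED_DNS))
    # newline="\r\n" gives the CRLF line endings regedit on XP expects.
    with open("Fix.reg", "w", newline="\r\n") as fh:
        fh.write(fix_reg(found))
```

The `"name"=-` syntax is what regedit reads as "delete this value", so double-clicking the generated file does the same job as the Fix.reg from post #10. It only removes the autostart entry; the file it pointed at still has to be deleted, in Safe Mode, as post #12 says. Unticking an item in msconfig instead of deleting it moves the entry to HKLM\Software\Microsoft\Shared Tools\MSConfig\startupreg, which is why such entries keep appearing in the "Reg Loading Points" section of ComboFix logs.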
lolex44
(Lolex44)
28 June 2007 09:38
#13
It worked for a while, sometimes longer, sometimes shorter. Here are the scans:
HJ
Logfile of HijackThis v1.99.1
Scan saved at 11:40:03, on 2007-06-28
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Documents and Settings\ja\Pulpit\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.kotor2.pl
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKCU\..\Run: [Steam] "c:\urban\half-life 2®\steam.exe" -silent
O4 - HKCU\..\Run: [WhenUSave] "D:\Program Files\Save\Save.exe"
O4 - HKCU\..\Run: [eMuleAutoStart] D:\Program Files\eMule\emule.exe -AutoStart
O17 - HKLM\System\CCS\Services\Tcpip\..\{68F02E44-5E54-4B10-927D-F9370F8F2EF4}: NameServer = 83.238.255.76 213.241.79.37
O17 - HKLM\System\CS1\Services\Tcpip\..\{68F02E44-5E54-4B10-927D-F9370F8F2EF4}: NameServer = 83.238.255.76 213.241.79.37
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - D:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
SL
"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Steam" = ""c:\urban\half-life 2®\steam.exe" -silent" ["Valve Corporation"]
"WhenUSave" = ""D:\Program Files\Save\Save.exe"" ["WhenU.com , Inc."]
"eMuleAutoStart" = "D:\Program Files\eMule\emule.exe -AutoStart" ["http://www.emule-project.net "]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "AcroIEHlprObj Class"
                   \InProcServer32\(Default) = "D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
                   \InProcServer32\(Default) = "D:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]
"{DBD8E168-244D-448C-9922-25508950D1DC}" = "Ulead UDF Driver"
  -> {HKLM...CLSID} = "USIShellExt Class"
                   \InProcServer32\(Default) = "D:\Program Files\Common Files\Ulead Systems\DVD\USIShex.dll" ["Ulead Systems, Inc."]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
  -> {HKLM...CLSID} = "PDF Shell Extension"
                   \InProcServer32\(Default) = "D:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "D:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "D:\Documents and Settings\ja\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "D:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
Windows User Mode Driver Framework, UMWdf, "D:\WINDOWS\system32\wdfmgr.exe" [MS]


----------
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
  took 143 seconds.
---------- (total run time: 192 seconds)
ComboFix
ComboFix 07-06-13.7 - D:\Documents and Settings\ja\Pulpit\Czyszczenie\ComboFix.exe "ja" - 2007-06-28 11:27:54 - Dodatek Service Pack 2 NTFS


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

D:\Program Files\newdotnet
D:\Program Files\newdotnet\newdotnet7_48.dll
D:\Program Files\newdotnet\readme.html
D:\Program Files\newdotnet\uninstall6_38.exe
D:\Program Files\newdotnet\uninstall7_48.exe
D:\WINDOWS\NDNuninstall6_38.exe
D:\WINDOWS\NDNuninstall7_48.exe
D:\WINDOWS\system32\rlvknlg.exe


((((((((((((((((((((((((( Files Created from 2007-05-28 to 2007-06-28 )))))))))))))))))))))))))))))))

2007-06-25 22:35
2007-06-25 22:33 8,464 --a------ D:\WINDOWS\system32\sporder.dll
2007-06-25 22:33
2007-06-24 15:59
2007-06-19 23:51
2007-06-19 22:23
2007-06-19 00:53 49,152 --a------ D:\WINDOWS\nircmd.exe
2007-06-19 00:43
2007-06-18 14:40 1,290 --a------ D:\WINDOWS\mozver.dat
2007-06-14 17:56
2007-06-12 16:45
2007-06-12 16:41 81,768 --a------ D:\WINDOWS\system32\xinput1_3.dll
2007-06-12 16:41 62,744 --a------ D:\WINDOWS\system32\xinput1_2.dll
2007-06-12 16:41 443,752 --a------ D:\WINDOWS\system32\d3dx10_33.dll
2007-06-12 16:41 3,495,784 --a------ D:\WINDOWS\system32\d3dx9_33.dll
2007-06-12 16:41 3,426,072 --a------ D:\WINDOWS\system32\d3dx9_32.dll
2007-06-12 16:41 261,480 --a------ D:\WINDOWS\system32\xactengine2_7.dll
2007-06-12 16:41 255,848 --a------ D:\WINDOWS\system32\xactengine2_6.dll
2007-06-12 16:41 251,672 --a------ D:\WINDOWS\system32\xactengine2_5.dll
2007-06-12 16:41 237,848 --a------ D:\WINDOWS\system32\xactengine2_4.dll
2007-06-12 16:41 236,824 --a------ D:\WINDOWS\system32\xactengine2_3.dll
2007-06-12 16:41 2,414,360 --a------ D:\WINDOWS\system32\d3dx9_31.dll
2007-06-12 16:41 2,297,552 --a------ D:\WINDOWS\system32\d3dx9_26.dll
2007-06-12 16:41 15,128 --a------ D:\WINDOWS\system32\x3daudio1_1.dll
2007-06-12 16:41 1,123,696 --a------ D:\WINDOWS\system32\D3DCompiler_33.dll
2007-06-09 15:26
2007-06-09 15:08
2007-06-09 14:50
2007-06-09 14:50
2007-06-09 14:49 685,816 --a------ D:\WINDOWS\system32\drivers\sptd.sys
2007-06-09 03:30 1,742 --a------ D:\WINDOWS\system32\sdbackup.reg
2007-06-09 03:19 438,272 -ra------ D:\WINDOWS\system32\vp6vfw.dll
2007-06-09 02:50 5,248 --a------ D:\WINDOWS\system32\drivers\d347prt.sys
2007-06-09 02:50 155,136 --a------ D:\WINDOWS\system32\drivers\d347bus.sys
2007-06-09 02:50
2007-06-09 02:50
2007-06-06 20:34 1,040,384 --a------ D:\WINDOWS\system32\libeay32.dll
2007-06-06 20:30 196,608 --a------ D:\WINDOWS\system32\ssleay32.dll
2007-06-06 18:32
2007-06-06 18:26
2007-05-28 14:42


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-28 09:08:43 49,492 ----a-w D:\WINDOWS\system32\perfc015.dat
2007-06-28 09:08:43 355,486 ----a-w D:\WINDOWS\system32\perfh015.dat
2007-06-28 09:05:25 -------- d-----w D:\Program Files\eMule
2007-06-25 11:20:42 219,648 ----a-w D:\WINDOWS\system32\uxtheme.dll
2007-06-23 20:26:44 -------- d-----w D:\Program Files\IrfanView
2007-06-20 12:02:20 -------- d--h--w D:\Program Files\InstallShield Installation Information
2007-06-16 11:05:17 -------- d-----w D:\Program Files\Mózgo_Trzep
2007-06-15 23:31:53 -------- d-----w D:\Program Files\Gadu-Gadu
2007-06-15 00:44:06 -------- d-----w D:\DOCUME~1\ja\DANEAP~1\Azureus
2007-06-09 13:42:52 163,644 ----a-w D:\WINDOWS\system32\drivers\secdrv.sys
2007-06-06 21:57:57 365 ----a-w D:\WINDOWS\system32\FlashSaver.dat
2007-06-06 16:32:11 55 ----a-w D:\WINDOWS\system32\FsmSaver.dat
2007-05-27 17:49:37 -------- d-----w D:\DOCUME~1\ja\DANEAP~1\Petroglyph
2007-05-26 21:06:35 -------- d-----w D:\Program Files\ivo
2007-05-26 11:13:07 -------- d-----w D:\DOCUME~1\ja\DANEAP~1\Ulead Systems
2007-05-26 09:17:28 -------- d-----w D:\Program Files\SmartSound Software
2007-05-26 09:17:04 -------- d-----w D:\Program Files\QuickTime
2007-05-26 09:16:08 -------- d-----w D:\Program Files\Windows Media Components
2007-05-26 09:14:44 -------- d-----w D:\Program Files\Common Files\Ulead Systems
2007-05-26 09:14:37 -------- d-----w D:\Program Files\Common Files\InstallShield
2007-05-26 00:33:34 -------- d-----w D:\Program Files\GIF Movie Gear
2007-05-23 18:44:54 -------- d-----w D:\Program Files\DkZ Studio
2007-05-18 17:00:25 -------- d-----w D:\DOCUME~1\ja\DANEAP~1\AdobeUM
2007-05-17 16:04:22 -------- d-----w D:\Program Files\NAPI-PROJEKT
2007-05-16 23:00:53 -------- d-----w D:\Program Files\Common Files\Adobe Systems Shared
2007-05-08 16:29:31 -------- d-----w D:\Program Files\San Andreas Mod Installer
2007-05-08 00:52:25 -------- d-----w D:\DOCUME~1\ja\DANEAP~1\Real
2007-05-07 21:47:28 -------- d-----w D:\Program Files\Azureus
2007-05-06 22:37:43 -------- d-----w D:\Program Files\Game Cam
2007-05-02 18:08:41 98,304 ----a-w D:\WINDOWS\system32\CmdLineExt.dll
2007-04-23 00:15:18 200,704 ----a-w D:\WINDOWS\system32\ssldivx.dll
2007-04-23 00:15:18 1,044,480 ----a-w D:\WINDOWS\system32\libdivx.dll
2007-04-22 17:03:12 0 ----a-w D:\WINDOWS\nsreg.dat
2007-04-22 01:00:22 21,856 ----a-w D:\WINDOWS\system32\emptyregdb.dat
2007-04-14 08:12:58 10,752 ----a-w D:\WINDOWS\system32\ff_vfw.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2005-09-24 06:12]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\urban\half-life 2®\steam.exe" []
"WhenUSave"="D:\Program Files\Save\Save.exe" [2006-08-25 14:45]
"eMuleAutoStart"="D:\Program Files\eMule\emule.exe" [2006-09-14 16:15]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]
path=D:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk
backup=D:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^ja^Menu Start^Programy^Autostart^Adobe Gamma.lnk]
path=D:\Documents and Settings\ja\Menu Start\Programy\Autostart\Adobe Gamma.lnk
backup=D:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^ja^Menu Start^Programy^Autostart^UniSpiker-2.6.lnk]
path=D:\Documents and Settings\ja\Menu Start\Programy\Autostart\UniSpiker-2.6.lnk
backup=D:\WINDOWS\pss\UniSpiker-2.6.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aqb]
D:\WINDOWS\system32??sks\m?config.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AudioDeck]
D:\Program Files\VIAudioi\SBADeck\ADeck.exe 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
"D:\Program Files\D-Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eMuleAutoStart]
D:\Program Files\eMule\emule.exe -AutoStart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ipmon]
ipmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"D:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Odkurzacz-MCD]
D:\Program Files\Odkurzacz\odk_mcd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"D:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedTouch USB Diagnostics]
"D:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-28 11:29:38
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-28 11:30:14
D:\ComboFix-quarantined-files.txt ... 2007-06-28 11:29
D:\ComboFix2.txt ... 2007-06-20 00:07
D:\ComboFix3.txt ... 2007-06-19 23:38
--- E O F ---
qrczak13
(qrczak13)
28 June 2007 18:38
#14
Delete the folder in Safe Mode.
Paste into Notepad:
File > Save As > change the file type from .txt to All Files > save it as Fix.reg, e.g. on the
desktop > double-click Fix.reg > confirm > restart.
Registry cleaning - jv16 PowerTools 2006 1.5.2.350
New ComboFix log.
lolex44
(Lolex44)
28 June 2007 21:23
#15
Done, and here is the new ComboFix log:
ComboFix 07-06-13.7 - D:\Documents and Settings\ja\Pulpit\Czyszczenie\ComboFix.exe “ja” - 2007-06-28 23:31:26 - Dodatek Service Pack 2 NTFS ((((((((((((((((((((((((( Files Created from 2007-05-28 to 2007-06-28 ))))))))))))))))))))))))))))))) 2007-06-25 22:33 8,464 --a------ D:\WINDOWS\system32\sporder.dll 2007-06-25 22:33 2007-06-24 15:59 2007-06-19 23:51 2007-06-19 22:23 2007-06-19 00:53 49,152 --a------ D:\WINDOWS\nircmd.exe 2007-06-19 00:43 2007-06-18 14:40 1,290 --a------ D:\WINDOWS\mozver.dat 2007-06-14 17:56 2007-06-12 16:45 2007-06-12 16:41 81,768 --a------ D:\WINDOWS\system32\xinput1_3.dll 2007-06-12 16:41 62,744 --a------ D:\WINDOWS\system32\xinput1_2.dll 2007-06-12 16:41 443,752 --a------ D:\WINDOWS\system32\d3dx10_33.dll 2007-06-12 16:41 3,495,784 --a------ D:\WINDOWS\system32\d3dx9_33.dll 2007-06-12 16:41 3,426,072 --a------ D:\WINDOWS\system32\d3dx9_32.dll 2007-06-12 16:41 261,480 --a------ D:\WINDOWS\system32\xactengine2_7.dll 2007-06-12 16:41 255,848 --a------ D:\WINDOWS\system32\xactengine2_6.dll 2007-06-12 16:41 251,672 --a------ D:\WINDOWS\system32\xactengine2_5.dll 2007-06-12 16:41 237,848 --a------ D:\WINDOWS\system32\xactengine2_4.dll 2007-06-12 16:41 236,824 --a------ D:\WINDOWS\system32\xactengine2_3.dll 2007-06-12 16:41 2,414,360 --a------ D:\WINDOWS\system32\d3dx9_31.dll 2007-06-12 16:41 2,297,552 --a------ D:\WINDOWS\system32\d3dx9_26.dll 2007-06-12 16:41 15,128 --a------ D:\WINDOWS\system32\x3daudio1_1.dll 2007-06-12 16:41 1,123,696 --a------ D:\WINDOWS\system32\D3DCompiler_33.dll 2007-06-09 15:26 2007-06-09 15:08 2007-06-09 14:50 2007-06-09 14:50 2007-06-09 14:49 685,816 --a------ D:\WINDOWS\system32\drivers\sptd.sys 2007-06-09 03:30 1,742 --a------ D:\WINDOWS\system32\sdbackup.reg 2007-06-09 03:19 438,272 -ra------ D:\WINDOWS\system32\vp6vfw.dll 2007-06-09 02:50 5,248 --a------ D:\WINDOWS\system32\drivers\d347prt.sys 2007-06-09 02:50 155,136 --a------ D:\WINDOWS\system32\drivers\d347bus.sys 2007-06-09 02:50 2007-06-09 02:50 2007-06-06 
20:34 1,040,384 --a------ D:\WINDOWS\system32\libeay32.dll 2007-06-06 20:30 196,608 --a------ D:\WINDOWS\system32\ssleay32.dll 2007-06-06 18:32 2007-06-06 18:26 2007-05-28 14:42 (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-06-28 21:30:31 -------- d-----w D:\Program Files\eMule 2007-06-28 21:19:21 49,492 ----a-w D:\WINDOWS\system32\perfc015.dat 2007-06-28 21:19:21 355,486 ----a-w D:\WINDOWS\system32\perfh015.dat 2007-06-25 11:20:42 219,648 ----a-w D:\WINDOWS\system32\uxtheme.dll 2007-06-23 20:26:44 -------- d-----w D:\Program Files\IrfanView 2007-06-20 12:02:20 -------- d–h--w D:\Program Files\InstallShield Installation Information 2007-06-16 11:05:17 -------- d-----w D:\Program Files\Mózgo_Trzep 2007-06-15 23:31:53 -------- d-----w D:\Program Files\Gadu-Gadu 2007-06-15 00:44:06 -------- d-----w D:\DOCUME~1\ja\DANEAP~1\Azureus 2007-06-09 13:42:52 163,644 ----a-w D:\WINDOWS\system32\drivers\secdrv.sys 2007-06-06 21:57:57 365 ----a-w D:\WINDOWS\system32\FlashSaver.dat 2007-06-06 16:32:11 55 ----a-w D:\WINDOWS\system32\FsmSaver.dat 2007-05-27 17:49:37 -------- d-----w D:\DOCUME~1\ja\DANEAP~1\Petroglyph 2007-05-26 21:06:35 -------- d-----w D:\Program Files\ivo 2007-05-26 11:13:07 -------- d-----w D:\DOCUME~1\ja\DANEAP~1\Ulead Systems 2007-05-26 09:17:28 -------- d-----w D:\Program Files\SmartSound Software 2007-05-26 09:17:04 -------- d-----w D:\Program Files\QuickTime 2007-05-26 09:16:08 -------- d-----w D:\Program Files\Windows Media Components 2007-05-26 09:14:44 -------- d-----w D:\Program Files\Common Files\Ulead Systems 2007-05-26 09:14:37 -------- d-----w D:\Program Files\Common Files\InstallShield 2007-05-26 00:33:34 -------- d-----w D:\Program Files\GIF Movie Gear 2007-05-23 18:44:54 -------- d-----w D:\Program Files\DkZ Studio 2007-05-18 17:00:25 -------- d-----w D:\DOCUME~1\ja\DANEAP~1\AdobeUM 2007-05-17 16:04:22 -------- d-----w D:\Program Files\NAPI-PROJEKT 2007-05-16 23:00:53 -------- 
d-----w D:\Program Files\Common Files\Adobe Systems Shared 2007-05-08 16:29:31 -------- d-----w D:\Program Files\San Andreas Mod Installer 2007-05-08 00:52:25 -------- d-----w D:\DOCUME~1\ja\DANEAP~1\Real 2007-05-07 21:47:28 -------- d-----w D:\Program Files\Azureus 2007-05-06 22:37:43 -------- d-----w D:\Program Files\Game Cam 2007-05-02 18:08:41 98,304 ----a-w D:\WINDOWS\system32\CmdLineExt.dll 2007-04-23 00:15:18 200,704 ----a-w D:\WINDOWS\system32\ssldivx.dll 2007-04-23 00:15:18 1,044,480 ----a-w D:\WINDOWS\system32\libdivx.dll 2007-04-22 17:03:12 0 ----a-w D:\WINDOWS\nsreg.dat 2007-04-22 01:00:22 21,856 ----a-w D:\WINDOWS\system32\emptyregdb.dat 2007-04-14 08:12:58 10,752 ----a-w D:\WINDOWS\system32\ff_vfw.dll ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects] {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2005-09-24 06:12] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “Steam”=“c:\urban\half-life 2®\steam.exe” [] “eMuleAutoStart”=“D:\Program Files\eMule\emule.exe” [2006-09-14 16:15] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk] path=D:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk backup=D:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^ja^Menu Start^Programy^Autostart^Adobe Gamma.lnk] backup=D:\WINDOWS\pss\Adobe Gamma.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^ja^Menu Start^Programy^Autostart^UniSpiker-2.6.lnk] 
backup=D:\WINDOWS\pss\UniSpiker-2.6.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aqb] D:\WINDOWS\system32??sks\m?config.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AudioDeck] D:\Program Files\VIAudioi\SBADeck\ADeck.exe 1 [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033] “D:\Program Files\D-Tools\daemon.exe” -lang 1033 [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eMuleAutoStart] D:\Program Files\eMule\emule.exe -AutoStart [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ipmon] ipmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] “D:\Program Files\Messenger\msmsgs.exe” /background [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Odkurzacz-MCD] D:\Program Files\Odkurzacz\odk_mcd.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] “D:\Program Files\QuickTime\qttask.exe” -atboottime [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedTouch USB Diagnostics] “D:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” /icon ************************************************************************** catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net Rootkit scan 2007-06-28 23:33:10 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ************************************************************************** Completion time: 2007-06-28 23:33:50 D:\ComboFix-quarantined-files.txt … 2007-06-28 23:33 D:\ComboFix2.txt … 2007-06-28 11:30 D:\ComboFix3.txt … 2007-06-20 00:07 — E O F —
qrczak13
(qrczak13)
28 June 2007 22:12
#16
Clean.
Registry cleaning - jv16 PowerTools 2006 1.5.2.350
lolex44
(Lolex44)
28 June 2007 23:17
#17
I cleaned it…
Post merged: 29.06.2007 (Fri) 23:40
Is there nothing more that can be done?
qrczak13
(qrczak13)
29 June 2007 21:49
#18
http://images21.fotosik.pl/375/5ff40a118cd15049med.jpg
Why so many connections? Post a bigger screenshot.
And what does Netia say about it?
You can also try reinstalling the modem/internet software.
Scan with a few online scanners + AVG AntiSpyware 7.5 after updating it.
lolex44
(Lolex44)
29 June 2007 22:05
#19
I have already removed those connections, but it didn't help. I'm sure some trojan is blocking the connections, because I once received one by e-mail and that was the first time the style changed to the older one (and the internet disconnected).
Apparently it is hard to detect; I'll scan some more.
qrczak13
(qrczak13)
29 June 2007 22:39
#20
Also post two logs from GMER:
1. Rootkit => Scan => without checking Show all => Ctrl + V, paste into the post
2. Rootkit => with only Show all + Services checked => Scan => Copy => Ctrl + V, paste into the post
If they happen not to fit in the post, put them here > http://wklej.org/ and give the link.