Terrible PC slowdown + frequent freezes

Presumably something may be eating RAM. Recently Safe Mode wouldn't start at all. The computer has slowed down seriously, maybe it's some trojan. I'm attaching a HijackThis log, maybe you'll spot something with an expert eye. Thanks in advance for the help.

Logfile of HijackThis v1.99.1

Scan saved at 13:37:56, on 2007-06-22

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Documents and Settings\xxxxxx\Pulpit\RefreshLock.exe

C:\WINDOWS\System32\lddkgoqt.exe

C:\Program Files\Eset\nod32krn.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\HPZipm12.exe

C:\WINDOWS\System32\svchost.exe

D:\Programy\Konnekt\konnekt.exe

D:\Programy\mIRC\mirc.exe

C:\Program Files\Opera\Opera.exe

C:\Documents and Settings\xxxxxx\Pulpit\Programy\hijackthis\hijackthis.com


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} - C:\WINDOWS\System32\tafiebdg.dll

O2 - BHO: (no name) - {61024332-190E-42EE-82C6-5C0757A85567} - C:\WINDOWS\System32\mlljg.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O4 - HKLM\..\Run: [RefreshLock] C:\Documents and Settings\xxxxxx\Pulpit\RefreshLock.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [j9241834] rundll32 C:\WINDOWS\System32\j9241834.dll sook

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://67.15.101.3/g_bin/pl/billard8_2_0_0_30.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{7535FBD8-C1EC-4A9B-ABEA-00E6D094490F}: NameServer = 194.204.159.1,194.204.152.34

O17 - HKLM\System\CS1\Services\Tcpip\..\{7535FBD8-C1EC-4A9B-ABEA-00E6D094490F}: NameServer = 194.204.159.1,194.204.152.34

O17 - HKLM\System\CS2\Services\Tcpip\..\{7535FBD8-C1EC-4A9B-ABEA-00E6D094490F}: NameServer = 194.204.159.1,194.204.152.34

O20 - Winlogon Notify: mlljg - C:\WINDOWS\System32\mlljg.dll

O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - D:\Programy\Ares\chatServer.exe

O23 - Service: DomainService - - C:\WINDOWS\System32\lddkgoqt.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

Vundo infection: in Safe Mode use VundoFix + FixVundo + VirtumundoBeGone.

When done, post the logs from HijackThis, VirtumundoBeGone, Silent Runners, ComboFix and the contents of the file C:\Vundofix.txt.
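The indicators behind the diagnosis above are all visible in the posted log: two BHOs registered with no name that point to random-named DLLs in System32, a Winlogon Notify entry (mlljg.dll) that winlogon.exe loads, a service (DomainService) with an empty vendor field, and an O4 autorun that uses rundll32 to load another random-named DLL. As an added example, not part of this thread and not one of the tools named in it, the Python script below pulls exactly those entry types out of a HijackThis log and notes whether the file also appears in the running-process list. The sample lines are copied from the logs in this thread; the random-name pattern (5-8 lowercase letters, or one letter plus digits) is a deliberately crude assumption and only annotates entries that a structural indicator already flagged, except on the O4 rundll32 branch where it is the gate.

```python
import re
from pathlib import PureWindowsPath

# Sample input: lines copied from the HijackThis logs posted in the thread
# (a few benign entries included, plus the later "(file missing)" BHO line).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\System32\lddkgoqt.exe
C:\Program Files\Eset\nod32krn.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} - C:\WINDOWS\System32\tafiebdg.dll
O2 - BHO: (no name) - {61024332-190E-42EE-82C6-5C0757A85567} - C:\WINDOWS\System32\mlljg.dll
O2 - BHO: (no name) - {E06B8CFF-FC3A-4A5F-9677-4C2E919F7E84} - C:\WINDOWS\System32\mlljg.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [j9241834] rundll32 C:\WINDOWS\System32\j9241834.dll sook
O20 - Winlogon Notify: mlljg - C:\WINDOWS\System32\mlljg.dll
O23 - Service: DomainService - - C:\WINDOWS\System32\lddkgoqt.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

# Assumed heuristic for the generated names Vundo droppers use: 5-8 lowercase
# letters, or one letter followed by 6-8 digits.  Legitimate binaries such as
# winlogon.exe match it too, so it is never a sole indicator here.
RANDOM_STEM = re.compile(r"^(?:[a-z]{5,8}|[a-z]\d{6,8})$")

# O23 layout: "<display name> - <company> - <drive>:\path"; an empty company
# field renders as " - - " in the log.
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) -\s?(?P<company>.*?)\s?- (?P<path>[A-Za-z]:\\.*)$"
)
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+(\S+)", re.IGNORECASE)
MISSING = " (file missing)"


def stem_of(path: str) -> str:
    return PureWindowsPath(path.strip().strip('"')).stem


def looks_random(path: str) -> bool:
    return RANDOM_STEM.match(stem_of(path)) is not None


def triage_hijackthis(log_text: str) -> list:
    """Flag the entry types used in the thread's diagnosis: nameless BHOs (O2),
    Winlogon Notify DLLs (O20), services with an empty vendor field (O23) and
    rundll32 autoruns of random-named DLLs (O4).  Each finding records whether
    the same path is in the 'Running processes' list."""
    running = set()
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if re.match(r"^[A-Za-z]:\\", line):        # bare path => running process
            running.add(line.lower())
            continue
        section = path = reason = None
        if line.startswith("O2 - BHO:") and "(no name)" in line:
            section, path, reason = "O2", line.rsplit(" - ", 1)[-1], "BHO registered without a name"
        elif line.startswith("O20 - Winlogon Notify:"):
            section, path, reason = "O20", line.rsplit(" - ", 1)[-1], "Winlogon Notify DLL loaded into winlogon.exe"
        elif line.startswith("O23 - Service:"):
            m = O23_RE.match(line)
            if m and not m.group("company").strip():
                section, path, reason = "O23", m.group("path"), "service with empty vendor field"
        elif line.startswith("O4 - "):
            m = RUNDLL_RE.search(line)
            if m and looks_random(m.group(1)):
                section, path, reason = "O4", m.group(1), "rundll32 autorun of a random-named DLL"
        if path is None:
            continue
        missing = path.endswith(MISSING)
        if missing:                                 # registration outlived the file
            path = path[: -len(MISSING)]
            reason += " (dangling registration, file already gone)"
        findings.append({
            "section": section,
            "path": path,
            "reason": reason,
            "random_name": looks_random(path),
            "running": path.lower() in running,
        })
    return findings


if __name__ == "__main__":
    for f in triage_hijackthis(SAMPLE_LOG):
        flags = [k for k in ("random_name", "running") if f[k]]
        print(f"{f['section']:4} {f['path']}  <- {f['reason']} {flags}")
```

Run as-is it prints six entries: tafiebdg.dll, mlljg.dll (twice, once dangling), j9241834.dll, the mlljg Winlogon Notify hook and lddkgoqt.exe, the last one marked as currently running. The AcroIEHelper and NOD32 entries are left alone because they carry a name and a vendor.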

Could you explain a bit more? I'm evidently not up to speed on this. Those names mean nothing to me. I'd call this condition: LAYMAN.

I gave you three programs you have to use to remove the junk you have in your HijackThis log.

Then, after using those programs, make and post a new HijackThis log, the log from VirtumundoBeGone (one of those programs), Silent Runners, ComboFix, and show us the contents of the file C:\Vundofix.txt.

For now I'm adding the Silent Runners log, from before doing what you told me.

"Silent Runners.vbs", revision R50, http://www.silentrunners.org/

Operating System: Windows XP

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"RefreshLock" = "C:\Documents and Settings\xxxxxx\Pulpit\RefreshLock.exe" ["Gregory Maynard-Hoare"]

"NvCplDaemon" = "RUNDLL32.EXE NvQTwk,NvCplDaemon initialize" [MS]

"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]

"j9241834" = "rundll32 C:\WINDOWS\System32\j9241834.dll sook" [MS]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "AcroIEHlprObj Class"

                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

{5ADF3862-9E2E-4ad3-86F7-4510E6550CD0}\(Default) = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\tafiebdg.dll" [null data]

{61024332-190E-42EE-82C6-5C0757A85567}\(Default) = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\mlljg.dll" [null data]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "SSVHelper Class"

                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll" ["Sun Microsystems, Inc."]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

                   \InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{B089FE88-FB52-11D3-BDF1-0050DA34150D}" = "NOD32 Context Menu Shell Extension"

  -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"

                   \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "D:\Programy\WinRAR3.41\rarext.dll" [null data]

"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Eksplorator pulpitów"

  -> {HKLM...CLSID} = "Eksplorator pulpitów"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

<> mlljg\DLLName = "C:\WINDOWS\System32\mlljg.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"

  -> {HKLM...CLSID} = "PDF Shell Extension"

                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"

  -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"

                   \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "D:\Programy\WinRAR3.41\rarext.dll" [null data]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "D:\Programy\WinRAR3.41\rarext.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"

  -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"

                   \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "D:\Programy\WinRAR3.41\rarext.dll" [null data]



Group Policies {GPedit.msc branch and setting}:

-----------------------------------------------


Note: detected settings may not have any effect.


HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\


"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}


"undockwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Devices: Allow undock without having to log on}



Active Desktop and Wallpaper:

-----------------------------


Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState



Enabled Screen Saver:

---------------------


HKCU\Control Panel\Desktop\

"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

C:\WINDOWS\System32\imon.dll ["Eset "], 01 - 05, 17

%SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 11 - 16

%SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10



Toolbars, Explorer Bars, Extensions:

------------------------------------


Toolbars


HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

"{74DD705D-6834-439C-A735-A6DBE2677452}"

  -> {HKLM...CLSID} = "&VSAdd-in"

                   \InProcServer32\(Default) = "C:\Program Files\VSAdd-in\VSAdd-in.dll" [file not found]

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"

  -> {HKLM...CLSID} = "&Google"

                   \InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\Software\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

"MenuText" = "Sun Java Console"

"CLSIDExtension" = "{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC}"

  -> {HKCU...CLSID} = "Java Plug-in 1.5.0_11"

                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll" ["Sun Microsystems, Inc."]

  -> {HKLM...CLSID} = "Java Plug-in 1.5.0_11"

                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll" ["Sun Microsystems, Inc."]



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


DomainService, DomainService, "C:\WINDOWS\System32\lddkgoqt.exe /service" [" "]

NOD32 Kernel Service, NOD32krn, ""C:\Program Files\Eset\nod32krn.exe"" ["Eset "]

NtmlSvc, NtmlSvc, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll" [null data]}

NVIDIA Driver Helper Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]

Pml Driver HPZ12, Pml Driver HPZ12, "C:\WINDOWS\System32\HPZipm12.exe" ["HP"]



Print Monitors:

---------------


HKLM\System\CurrentControlSet\Control\Print\Monitors\

HP Standard TCP/IP Port\Driver = "HpTcpMon.dll" ["Hewlett Packard"]

hpzsnt12\Driver = "hpzsnt12.dll" ["HP"]



----------

<>: Suspicious data at a malware launch point.


+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ To search all directories of local fixed drives for DESKTOP.INI

  DLL launch points, use the -supp parameter or answer "No" at the

  first message box and "Yes" at the second message box.

---------- (total run time: 2974 seconds, including 27 seconds for message boxes)

Right now Silent Runners won't help. You have to do what I wrote in my last post.

Here's where the rub is. What I feared turned out to be true. Safe Mode won't start for me. So I at least ran them anyway, and I'll paste the logs.

hijack

Logfile of HijackThis v1.99.1

Scan saved at 16:07:10, on 2007-06-22

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\lddkgoqt.exe

C:\Program Files\Eset\nod32krn.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\HPZipm12.exe

C:\WINDOWS\System32\svchost.exe

C:\Documents and Settings\xxxxxx\Pulpit\RefreshLock.exe

C:\Program Files\Opera\Opera.exe

C:\WINDOWS\system32\notepad.exe

C:\Documents and Settings\xxxxxx\Pulpit\Programy\hijackthis\hijackthis.com


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O2 - BHO: (no name) - {E06B8CFF-FC3A-4A5F-9677-4C2E919F7E84} - C:\WINDOWS\System32\mlljg.dll (file missing)

O4 - HKLM\..\Run: [RefreshLock] C:\Documents and Settings\xxxxxx\Pulpit\RefreshLock.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://67.15.101.3/g_bin/pl/billard8_2_0_0_30.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{7535FBD8-C1EC-4A9B-ABEA-00E6D094490F}: NameServer = 194.204.159.1,194.204.152.34

O17 - HKLM\System\CS1\Services\Tcpip\..\{7535FBD8-C1EC-4A9B-ABEA-00E6D094490F}: NameServer = 194.204.159.1,194.204.152.34

O17 - HKLM\System\CS2\Services\Tcpip\..\{7535FBD8-C1EC-4A9B-ABEA-00E6D094490F}: NameServer = 194.204.159.1,194.204.152.34

O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - D:\Programy\Ares\chatServer.exe

O23 - Service: DomainService - - C:\WINDOWS\System32\lddkgoqt.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

ComboFix

Logfile of HijackThis v1.99.1

Scan saved at 16:07:10, on 2007-06-22

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\lddkgoqt.exe

C:\Program Files\Eset\nod32krn.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\HPZipm12.exe

C:\WINDOWS\System32\svchost.exe

C:\Documents and Settings\xxxxxx\Pulpit\RefreshLock.exe

C:\Program Files\Opera\Opera.exe

C:\WINDOWS\system32\notepad.exe

C:\Documents and Settings\xxxxxx\Pulpit\Programy\hijackthis\hijackthis.com


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O2 - BHO: (no name) - {E06B8CFF-FC3A-4A5F-9677-4C2E919F7E84} - C:\WINDOWS\System32\mlljg.dll (file missing)

O4 - HKLM\..\Run: [RefreshLock] C:\Documents and Settings\xxxxxx\Pulpit\RefreshLock.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://67.15.101.3/g_bin/pl/billard8_2_0_0_30.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{7535FBD8-C1EC-4A9B-ABEA-00E6D094490F}: NameServer = 194.204.159.1,194.204.152.34

O17 - HKLM\System\CS1\Services\Tcpip\..\{7535FBD8-C1EC-4A9B-ABEA-00E6D094490F}: NameServer = 194.204.159.1,194.204.152.34

O17 - HKLM\System\CS2\Services\Tcpip\..\{7535FBD8-C1EC-4A9B-ABEA-00E6D094490F}: NameServer = 194.204.159.1,194.204.152.34

O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - D:\Programy\Ares\chatServer.exe

O23 - Service: DomainService - - C:\WINDOWS\System32\lddkgoqt.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

VBG

[06/22/2007, 15:54:43] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\xxxxxx\Pulpit\VirtumundoBeGone.exe" )

[06/22/2007, 15:54:51] - Detected System Information:

[06/22/2007, 15:54:51] - Windows Version: 5.1.2600, 

[06/22/2007, 15:54:51] - Current Username: xxxxxx (Admin)

[06/22/2007, 15:54:51] - Windows is in NORMAL mode.

[06/22/2007, 15:54:51] - Searching for Browser Helper Objects:

[06/22/2007, 15:54:51] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)

[06/22/2007, 15:54:51] - BHO 2: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)

[06/22/2007, 15:54:51] - BHO 3: {E06B8CFF-FC3A-4A5F-9677-4C2E919F7E84} ()

[06/22/2007, 15:54:51] - WARNING: BHO has no default name. Checking for Winlogon reference.

[06/22/2007, 15:54:51] - Checking for HKLM\...\Winlogon\Notify\mlljg

[06/22/2007, 15:54:51] - Key not found: HKLM\...\Winlogon\Notify\mlljg, continuing.

[06/22/2007, 15:54:51] - Finished Searching Browser Helper Objects

[06/22/2007, 15:54:51] - Finishing up...

[06/22/2007, 15:54:51] - Nothing found! Exiting...

FixVundo

Symantec Trojan.Vundo Removal Tool 1.5.0


C:\System Volume Information: (not scanned)

D:\System Volume Information: (not scanned)

Trojan.Vundo has not been found on your computer.

VundoFix

Symantec Trojan.Vundo Removal Tool 1.5.0


C:\System Volume Information: (not scanned)

D:\System Volume Information: (not scanned)

Trojan.Vundo has not been found on your computer.

Instead of posting the HijackThis log twice, post the ComboFix log once :)

Sorry man :D ... btw everything runs nicely now ... don't know for how long, but big thanks ... of course I'm adding the ComboFix log.

Download The Avenger,

unpack > run > Input script manually > click the magnifying glass > in the newly opened window paste:

After pasting > Done > click the green light > OK and there will be a restart. After the restart, go to where you have The Avenger and paste the report C:\avenger.txt

New ComboFix log after that.

Use ATF-Cleaner in Safe Mode. Tick the first three boxes and press Empty Selected.

AVENGER

Logfile of The Avenger version 1, by Swandog46

Running from registry key:

\Registry\Machine\System\CurrentControlSet\Services\afsisasb


*******************


Script file located at: \??\C:\WINDOWS\System32\qfnmibnu.txt

Script file opened successfully.


Script file read successfully


Backups directory opened successfully at C:\Avenger


*******************


Beginning to process script file:


File C:\WINDOWS\system32\hbkjltxj.exe deleted successfully.

File C:\WINDOWS\system32\ngrdkdam.exe deleted successfully.

File C:\WINDOWS\system32\nppigxxi.exe deleted successfully.

File C:\WINDOWS\system32\nltggohl.exe deleted successfully.

File C:\WINDOWS\system32\ilgraojh.exe deleted successfully.

File C:\WINDOWS\system32\imefsiaa.exe deleted successfully.

File C:\WINDOWS\system32\rmpnyamb.exe deleted successfully.

File C:\WINDOWS\system32\lbgkrbet.exe deleted successfully.

File C:\WINDOWS\system32\cmjqjfxc.exe deleted successfully.

File C:\WINDOWS\system32\ikjftcof.exe deleted successfully.

File C:\WINDOWS\system32\tmbxaimf.exe deleted successfully.

File C:\WINDOWS\system32\iftelrjt.exe deleted successfully.

File C:\WINDOWS\system32\deigvdch.exe deleted successfully.

File C:\WINDOWS\system32\gqfrqekw.exe deleted successfully.

File C:\WINDOWS\system32\bddyvjga.exe deleted successfully.

File C:\WINDOWS\system32\clmthpct.exe deleted successfully.

File C:\WINDOWS\system32\unbnufnb.exe deleted successfully.

File C:\WINDOWS\system32\rqtsxuxj.exe deleted successfully.

File C:\WINDOWS\system32\lddkgoqt.exe deleted successfully.

File C:\WINDOWS\system32\vfgpirks.dll deleted successfully.

File C:\WINDOWS\system32\nbvofdls.dll deleted successfully.

File C:\WINDOWS\system32\kncbbmux.dll deleted successfully.

File C:\WINDOWS\system32\ybwlhoqh.dll deleted successfully.

File C:\WINDOWS\system32\wcjacbqq.dll deleted successfully.

File C:\WINDOWS\system32\plxkwrfi.dll deleted successfully.

File C:\WINDOWS\system32\usjxwaol.dll deleted successfully.

File C:\WINDOWS\system32\amniykgm.dll deleted successfully.

File C:\WINDOWS\system32\nbabsqhv.dll deleted successfully.

File C:\WINDOWS\system32\cncugula.dll deleted successfully.

File C:\WINDOWS\system32\jiorlfde.dll deleted successfully.

File C:\WINDOWS\system32\vdilnbey.dll deleted successfully.

File C:\WINDOWS\system32\bwchmunp.dll deleted successfully.

File C:\WINDOWS\system32\rypwhowp.dll deleted successfully.

File C:\WINDOWS\system32\haufxmda.dll deleted successfully.

File C:\WINDOWS\system32\srddsxjc.dll deleted successfully.

File C:\WINDOWS\system32\jqtrqkcq.dll deleted successfully.

File C:\WINDOWS\system32\tfmxdwjg.dll deleted successfully.

File C:\WINDOWS\system32\ykoixvvr.dll deleted successfully.

File C:\WINDOWS\system32\rytfyloe.dll deleted successfully.

File C:\WINDOWS\system32\vbbiooyo.dll deleted successfully.

File C:\WINDOWS\system32\ewnffeic.dll deleted successfully.

File C:\WINDOWS\system32\kfgqxkkr.dll deleted successfully.

File C:\WINDOWS\system32\qymcimqw.dll deleted successfully.

File C:\WINDOWS\system32\srubicpw.dll deleted successfully.

File C:\WINDOWS\system32\jxpsxrjp.dll deleted successfully.

File C:\WINDOWS\system32\jrcrefep.dll deleted successfully.

File C:\WINDOWS\system32\mrymvycg.dll deleted successfully.

File C:\WINDOWS\system32\nxdtagxf.dll deleted successfully.

File C:\WINDOWS\system32\hdjedxdp.dll deleted successfully.

File C:\WINDOWS\system32\ahedfgtn.dll deleted successfully.

File C:\WINDOWS\system32\lrpqfusf.dll deleted successfully.

File C:\WINDOWS\system32\dftvgpqj.dll deleted successfully.

File C:\WINDOWS\system32\lxuiqfgq.dll deleted successfully.

File C:\WINDOWS\system32\rvopjvwr.dll deleted successfully.

File C:\WINDOWS\system32\jrbepbon.dll deleted successfully.

File C:\WINDOWS\system32\dxudyydn.dll deleted successfully.

File C:\WINDOWS\system32\hehmfqak.dll deleted successfully.

File C:\WINDOWS\system32\xfsqduib.dll deleted successfully.

File C:\WINDOWS\system32\erybkdbv.dll deleted successfully.

File C:\WINDOWS\system32\ddcddda.dll deleted successfully.



File C:\WINDOWS\Temp\removalfile.bat not found!

Deletion of file C:\WINDOWS\Temp\removalfile.bat failed!


Could not process line:

C:\WINDOWS\Temp\removalfile.bat

Status: 0xc0000034


Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E06B8CFF-FC3A-4A5F-9677-4C2E919F7E84} deleted successfully.


Completed script processing.


*******************


Finished! Terminate.

COMBOFIX

ComboFix 07-06-21.3 - C:\Documents and Settings\xxxxxx\Pulpit\Programy\czysciochy\ComboFix.exe
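Reading a 60-line Avenger report by eye is error-prone, and the one failed line in it (removalfile.bat, Status 0xc0000034) is easy to misread as a cleanup failure. As an added example, not part of this thread and not Avenger's own code, the Python script below parses an Avenger log into deleted files, deleted registry keys and failed lines with the NTSTATUS decoded (0xC0000034 is STATUS_OBJECT_NAME_NOT_FOUND, i.e. the file was already gone), and then checks which of the paths flagged in the earlier HijackThis logs were actually removed. The embedded log is a shortened excerpt of the report above; the list of previously flagged paths is taken from the first HijackThis log, and mlljg.dll is expected to come back as not removed because it was already "(file missing)" by the second log, so only its BHO registration key needed deleting.

```python
import re

# Shortened excerpt of the Avenger report posted in the thread (constructed
# sample: a few of the deleted files, the failed entry, the key deletion).
AVENGER_LOG = r"""
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\afsisasb

File C:\WINDOWS\system32\hbkjltxj.exe deleted successfully.
File C:\WINDOWS\system32\lddkgoqt.exe deleted successfully.
File C:\WINDOWS\system32\vfgpirks.dll deleted successfully.
File C:\WINDOWS\system32\ddcddda.dll deleted successfully.

File C:\WINDOWS\Temp\removalfile.bat not found!
Deletion of file C:\WINDOWS\Temp\removalfile.bat failed!

Could not process line:

C:\WINDOWS\Temp\removalfile.bat

Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E06B8CFF-FC3A-4A5F-9677-4C2E919F7E84} deleted successfully.

Completed script processing.
"""

# Paths flagged by the first HijackThis log in the thread.
FLAGGED_EARLIER = [
    r"C:\WINDOWS\System32\lddkgoqt.exe",
    r"C:\WINDOWS\System32\mlljg.dll",
]

# NTSTATUS values Avenger reports on failed lines.  Only the code seen in the
# thread is decoded; anything else is shown as raw hex.
NTSTATUS = {0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND"}

DELETED_FILE = re.compile(r"^File (?P<path>.+?) deleted successfully\.$")
DELETED_KEY = re.compile(r"^Registry key (?P<key>.+?) deleted successfully\.$")
STATUS = re.compile(r"^Status: 0x(?P<code>[0-9a-fA-F]{8})$")


def parse_avenger(log_text: str) -> dict:
    """Summarise an Avenger run: service key it ran from, files and registry
    keys removed, and failed script lines paired with their decoded status."""
    result = {"service_key": None, "deleted_files": [], "deleted_keys": [], "failed": []}
    # Forum extraction doubles blank lines, so drop them before pairing lines.
    lines = [l.strip() for l in log_text.splitlines() if l.strip()]
    pending = None                      # script line waiting for its Status: value
    for i, line in enumerate(lines):
        if line == "Running from registry key:" and i + 1 < len(lines):
            result["service_key"] = lines[i + 1]
        elif (m := DELETED_FILE.match(line)):
            result["deleted_files"].append(m.group("path"))
        elif (m := DELETED_KEY.match(line)):
            result["deleted_keys"].append(m.group("key"))
        elif line == "Could not process line:" and i + 1 < len(lines):
            pending = lines[i + 1]
        elif (m := STATUS.match(line)) and pending is not None:
            code = int(m.group("code"), 16)
            result["failed"].append((pending, NTSTATUS.get(code, f"0x{code:08X}")))
            pending = None
    return result


def check_cleanup(summary: dict, expected_paths) -> dict:
    """Map each previously flagged path to whether Avenger reported deleting it."""
    deleted = {p.lower() for p in summary["deleted_files"]}
    return {p: (p.lower() in deleted) for p in expected_paths}


if __name__ == "__main__":
    summary = parse_avenger(AVENGER_LOG)
    print(f"ran from service key: {summary['service_key']}")
    print(f"{len(summary['deleted_files'])} files and {len(summary['deleted_keys'])} registry keys deleted")
    for path, status in summary["failed"]:
        print(f"FAILED {path}: {status}")
    for path, ok in check_cleanup(summary, FLAGGED_EARLIER).items():
        print(f"{'removed' if ok else 'NOT in script'}: {path}")
```

The "failed" entry decodes to the file not existing, which is harmless; what the check actually surfaces is which flagged files the script never touched, so they can be looked for by hand in the next ComboFix log.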

and registry cleaning - jv16 PowerTools 2006 1.5.2.350

And it'll be OK.

The computer has picked up speed considerably ;) ... now I can admit I'm running on a mythical c466, Riva TNT2 and 192 SDRAM ;) ... after your help the PC got a second wind, for which I thank you warmly :P ... a beer for you ;*