pawelek23
(Pawelek M)
29 December 2007 15:22
#1
Hello.
Please check my log. My computer is sluggish and a system error message keeps appearing.
Thanks in advance.
HijackThis:
Logfile of HijackThis v1.99.1
Scan saved at 16:06:50, on 2007-12-29
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
E:\z neostrady\programy\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wm … Ojg5&lid=2
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: BDEX System - {3DAF1739-AB9E-493E-8DD7-F65CDF363BCB} - C:\WINDOWS\domnftwqpd.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-84AE-7DD20B8684BB} - C:\Program Files\Helper\superfindout.dll
O3 - Toolbar: The emlkdvo - {A972081B-E5FE-45E4-BE29-856D23403C4F} - C:\WINDOWS\emlkdvo.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Inter bib audio army] C:\Documents and Settings\All Users\Dane aplikacji\setup film inter bib\Send obj.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [TheDate] C:\DOCUME~1\pawelek1\DANEAP~1\STOPLO~1\FIND GLOBAL.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [Firewall auto setup] C:\DOCUME~1\pawelek1\USTAWI~1\Temp\winlogon.exe
O4 - Global Startup: Przyspieszenie uruchomienia programu AutoCAD.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://E:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C5} (GameDesire Snooker) - http://67.15.101.3/g_bin/pl/snooker_2_0_0_35.cab
O21 - SSODL: alxvdvm - {DBD93813-2AA8-4399-89A1-80D664FFEE34} - C:\WINDOWS\alxvdvm.dll
O21 - SSODL: bvtqfvx - {B5338100-D46C-46E3-8B3D-7EC77BE9E78A} - C:\WINDOWS\bvtqfvx.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: FCI - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
Silent Runners:
"Silent Runners.vbs", revision 47, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu Sp. z oo"]
"TheDate" = "C:\DOCUME~1\pawelek1\DANEAP~1\STOPLO~1\FIND GLOBAL.exe" [null data]
"Steam" = ""C:\Program Files\Steam\Steam.exe" -silent" ["Valve Corporation"]
"Firewall auto setup" = "C:\DOCUME~1\pawelek1\USTAWI~1\Temp\winlogon.exe" [** WMI GetObject error **]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SiSUSBRG" = "C:\WINDOWS\SiSUSBrg.exe" ["Silicon Integrated Systems Corp."]
"Cmaudio" = "RunDll32 cmicnfg.cpl,CMICtrlWnd" [MS]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"Inter bib audio army" = "C:\Documents and Settings\All Users\Dane aplikacji\setup film inter bib\Send obj.exe" [null data]
"KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k" [MS]
"DAEMON Tools" = ""C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033" ["DT Soft Ltd."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "AcroIEHlprObj Class"
     \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{3DAF1739-AB9E-493E-8DD7-F65CDF363BCB}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "BDEX System"
     \InProcServer32\(Default) = "C:\WINDOWS\domnftwqpd.dll" [empty string]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]
{F10587E9-0E47-4CBE-84AE-7DD20B8684BB}\(Default) = "e404 helper"
  -> {HKLM...CLSID} = "e404mgr Class"
     \InProcServer32\(Default) = "C:\Program Files\Helper\superfindout.dll" [empty string]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
     \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
  -> {HKLM...CLSID} = "Microsoft Office Outlook"
     \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"
     \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
  -> {HKLM...CLSID} = "Shell Search Band"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{AC1DB655-4F9A-4c39-8AD2-A65324A4C446}" = "Autodesk Drawing Preview"
  -> {HKLM...CLSID} = "ACTHUMBNAIL"
     \InProcServer32\(Default) = "C:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcThumbnail16.dll" ["Autodesk"]
"{36A21736-36C2-4C11-8ACB-D4136F2B57BD}" = "Uchwyt nakładania ikony podpisu cyfrowego"
  -> {HKLM...CLSID} = "AcSignIcon"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\AcSignIcon.dll" ["Autodesk"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
  -> {HKLM...CLSID} = "RealOne Player Context Menu Class"
     \InProcServer32\(Default) = "C:\Program Files\Real Alternative\rpshell.dll" ["RealNetworks, Inc."]
"{e82a2d71-5b2f-43a0-97b8-81be15854de8}" = "ShellLink for Application References"
  -> {HKLM...CLSID} = "ShellLink for Application References"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\dfshim.dll" [MS]
"{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}" = "Shell Icon Handler for Application References"
  -> {HKLM...CLSID} = "Shell Icon Handler for Application References"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\dfshim.dll" [MS]
"{E0D79300-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {HKLM...CLSID} = "WinZip"
     \InProcServer32\(Default) = "C:\PROGRA~1\WinZip\wzshlext.dll" [null data]
"{E0D79301-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {HKLM...CLSID} = "WinZip"
     \InProcServer32\(Default) = "C:\PROGRA~1\WinZip\wzshlext.dll" [null data]
"{E0D79302-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {HKLM...CLSID} = "WinZip"
     \InProcServer32\(Default) = "C:\PROGRA~1\WinZip\wzshlext.dll" [null data]
"{8FF88D21-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.69 Context Menu Shell Extension"
  -> {HKLM...CLSID} = "WinAceContext Menu Extension"
     \InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
"{8FF88D25-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.69 DragDrop Shell Extension"
  -> {HKLM...CLSID} = "WinAceDrag-Drop Extension"
     \InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
"{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.69 Context Menu Shell Extension"
  -> {HKLM...CLSID} = "WinAceContext Menu (Add) Extension"
     \InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
"{8FF88D23-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.69 Property Sheet Shell Extension"
  -> {HKLM...CLSID} = "WinAceProperty Sheet Extension"
     \InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"alxvdvm" = "{DBD93813-2AA8-4399-89A1-80D664FFEE34}"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\WINDOWS\alxvdvm.dll" [null data]
"bvtqfvx" = "{B5338100-D46C-46E3-8B3D-7EC77BE9E78A}"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\WINDOWS\bvtqfvx.dll" [null data]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Autodesk.DWF.ContextMenu\(Default) = "{6C18531F-CA85-45F7-8278-FF33CF0A5964}"
  -> {HKLM...CLSID} = "DWFShellExt Class"
     \InProcServer32\(Default) = "C:\Program Files\Common Files\Autodesk shared\dwf common\DWFShellExtension.dll" ["Autodesk, Inc."]
MyPhoneExplorer\(Default) = "{2D30AAA2-9084-4686-B8B9-B9B62EEFFD4E}"
  -> {HKLM...CLSID} = "MyPhoneExplorer_ShellEx.ShellExt"
     \InProcServer32\(Default) = "C:\Program Files\MyPhoneExplorer\DLL\ShellMgr.dll" ["F.J. Wechselberger"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79300-84BE-11CE-9641-444553540000}"
  -> {HKLM...CLSID} = "WinZip"
     \InProcServer32\(Default) = "C:\PROGRA~1\WinZip\wzshlext.dll" [null data]
ZFAdd\(Default) = "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"
  -> {HKLM...CLSID} = "WinAceContext Menu (Add) Extension"
     \InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79300-84BE-11CE-9641-444553540000}"
  -> {HKLM...CLSID} = "WinZip"
     \InProcServer32\(Default) = "C:\PROGRA~1\WinZip\wzshlext.dll" [null data]
ZFAdd\(Default) = "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"
  -> {HKLM...CLSID} = "WinAceContext Menu (Add) Extension"
     \InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79300-84BE-11CE-9641-444553540000}"
  -> {HKLM...CLSID} = "WinZip"
     \InProcServer32\(Default) = "C:\PROGRA~1\WinZip\wzshlext.dll" [null data]

Default executables:
--------------------

HKCU\Software\Classes\.scr\(Default) = "AutoCADScriptFile"
INFECTION WARNING! HKCU\Software\Classes\AutoCADScriptFile\shell\open\command\(Default) = ""C:\WINDOWS\system32\NOTEPAD.EXE" "%1"" [MS]

Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\pawelek1\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Startup items in "pawelek1" & "All Users" startup folders:
----------------------------------------------------------

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"Przyspieszenie uruchomienia programu AutoCAD" -> shortcut to: "C:\Program Files\Common Files\Autodesk Shared\acstart17.exe" [null data]

Enabled Scheduled Tasks:
------------------------

"A27DA97090422050" -> launches: "c:\docume~1\pawelek1\daneap~1\stoplo~1\support body name.exe" [null data]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{A972081B-E5FE-45E4-BE29-856D23403C4F}" = (no title provided)
  -> {HKLM...CLSID} = "The emlkdvo"
     \InProcServer32\(Default) = "C:\WINDOWS\emlkdvo.dll" [null data]

Explorer Bars

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{21569614-B795-46B1-85F4-E737A8DC09AD}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Shell Search Band"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Badanie"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Badanie"

{D18A0B52-D63C-4ED0-AFC6-C1E3DC1AF43A}\
"ButtonText" = "BitComet"
"Script" = "res://E:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206" ["BitComet"]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]

Miscellaneous IE Hijack Points
------------------------------

HKLM\Software\Microsoft\Internet Explorer\AboutURLs\

Missing lines (compared with English-language version):
HIJACK WARNING! "Tabs" = "res://ieframe.dll/tabswelcome.htm" [file not found]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
HTTP SSL, HTTPFilter, "C:\WINDOWS\System32\svchost.exe -k HTTPFilter" {"C:\WINDOWS\System32\w3ssl.dll" [MS]}
Kerio Personal Firewall 4, KPF4, ""C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe"" ["Kerio Technologies"]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]

Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]

----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives took 57 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars took 26 seconds.
---------- (total run time: 140 seconds)
Gutek
(Gutek)
29 December 2007 16:36
#2
First the automated tools: use SmitFraudFix and choose option 2, in Safe Mode of course, and use the NoLop tool.
After that, post a ComboFix log.
pawelek23
(Pawelek M)
29 December 2007 17:19
#3
ComboFix:
ComboFix 07-12-21.4 - pawelek1 2007-12-29 18:09:31.2 - NTFSx86 MINIMAL
Gutek
(Gutek)
29 December 2007 18:23
#4
Paste into Notepad:
File::
C:\WINDOWS\alxvdvm.dll
C:\WINDOWS\domnftwqpd.dll
C:\WINDOWS\bvtqfvx.dll
C:\WINDOWS\emlkdvo.dll
C:\WINDOWS\fvkwdrt.exe
C:\Program Files\Gadu-Gadu\ggwhook.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3DAF1739-AB9E-493E-8DD7-F65CDF363BCB}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{A972081B-E5FE-45E4-BE29-856D23403C4F}"=-
[-HKEY_CLASSES_ROOT\clsid\{a972081b-e5fe-45e4-be29-856d23403c4f}]
[-HKEY_CLASSES_ROOT\emlkdvo.ToolBar.1]
[-HKEY_CLASSES_ROOT\TypeLib\{5D2CE196-B43D-4C95-B39D-6324AAECCD68}]
[-HKEY_CLASSES_ROOT\emlkdvo.ToolBar]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"alxvdvm"=-
"bvtqfvx"=-
>>File>>Save as... >>> CFScript (it is most convenient to save it in a location where the CFScript.txt icon ends up next to the ComboFix.exe icon)
Drag and drop the CFScript.txt file onto the ComboFix.exe file (that is, the CFScript.txt icon onto the ComboFix.exe icon)
- as in this picture ->
(if the question "1 or 2" appears, type 1 and press ENTER) The removal should start (and a log will be created).
After the restart, manually delete the folder C:\Qoobox.
After that, post a new Combo log.
pawelek23
(Pawelek M)
29 December 2007 20:47
#5
I did everything as above.
Here is the new Combo log:
ComboFix 07-12-21.4 - pawelek1 2007-12-29 21:39:02.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.1121 [GMT 1:00]
Running from: E:\z neostrady\programy\do syfu i logów\ComboFix1.exe
Command switches used :: E:\z neostrady\programy\do syfu i logów\CFScript.txt
 * Created a new restore point

FILE
C:\Program Files\Gadu-Gadu\ggwhook.dll
C:\WINDOWS\alxvdvm.dll
C:\WINDOWS\bvtqfvx.dll
C:\WINDOWS\domnftwqpd.dll
C:\WINDOWS\emlkdvo.dll
C:\WINDOWS\fvkwdrt.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Gadu-Gadu\ggwhook.dll
C:\WINDOWS\alxvdvm.dll
C:\WINDOWS\bvtqfvx.dll
C:\WINDOWS\dat.txt
C:\WINDOWS\domnftwqpd.dll
C:\WINDOWS\emlkdvo.dll
C:\WINDOWS\fvkwdrt.exe
C:\WINDOWS\rs.txt
C:\WINDOWS\search_res.txt
.

((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-29 )))))))))))))))))))))))))))))))
.

2007-12-29 17:58 . 2007-12-29 17:59
2007-12-29 17:57 . 2007-12-29 18:00  106  --a------  C:\delete.bat
2007-12-29 17:56 . 2007-12-29 17:56  1,764  --a------  C:\WINDOWS\system32\tmp.reg
2007-12-29 14:59 . 2007-12-29 14:59
2007-12-29 10:24 . 2007-12-29 10:25  2  --a------  C:\-990777490
2007-12-29 09:56 . 2007-12-29 09:56  43,520  --a------  C:\WINDOWS\system32\CmdLineExt03.dll
2007-12-23 10:34 . 2007-12-29 18:14
2007-12-22 15:30 . 2007-12-22 15:30
2007-12-22 14:14 . 2007-12-22 14:14  82,774  --a------  C:\WINDOWS\Uninstall Jade Empire.exe
2007-12-22 13:11 . 2007-12-22 13:13
2007-12-22 12:25 . 2007-12-22 12:25
2007-12-22 12:24 . 2007-12-22 12:24  639,224  --a------  C:\WINDOWS\system32\drivers\sptd.sys
2007-12-22 12:10 . 2007-12-22 12:10
2007-12-22 12:10 . 2007-12-29 15:15  98,304  --a------  C:\WINDOWS\system32CmdLineExt.dll
2007-12-17 18:34 . 2007-12-17 18:34
2007-12-17 18:34 . 2007-12-17 18:34
2007-12-17 18:07 . 2007-12-29 15:29
2007-12-17 18:07 . 2007-12-17 18:07
2007-12-17 17:37 . 2007-12-17 17:37
2007-12-15 13:53 . 2007-12-17 17:43
2007-12-15 13:41 . 2007-12-15 13:41
2007-12-15 13:41 . 2005-05-26 15:34  2,297,552  --a------  C:\WINDOWS\system32\d3dx9_26.dll
2007-12-13 13:05 . 2007-12-13 13:05  531,248  --a------  C:\WINDOWS\system32\es.scr
2007-12-12 20:09 . 2007-12-14 19:16  117,640  --a------  C:\test.htm
2007-12-11 20:44 . 2007-12-11 20:44
2007-12-11 20:44 . 2002-07-23 12:17  225,280  --a------  C:\WINDOWS\T610phmgunin.exe
2007-12-09 22:20 . 2007-12-09 22:27
2007-12-08 18:11 . 2007-12-08 18:11
2007-12-05 04:05 . 2007-12-05 04:05  368,640  --a------  C:\WINDOWS\system32\ATIDEMGX.dll
2007-12-05 03:48 . 2007-12-05 03:48  9,535,488  --a------  C:\WINDOWS\system32\atioglx2.dll
2007-12-05 03:33 . 2007-12-05 03:33  3,107,788  --a------  C:\WINDOWS\system32\ativvaxx.dat
2007-12-05 03:33 . 2007-12-05 03:33  3,107,788  --a------  C:\WINDOWS\system32\ativva5x.dat
2007-12-05 03:33 . 2007-12-05 03:33  887,724  --a------  C:\WINDOWS\system32\ativva6x.dat
2007-12-05 03:19 . 2007-12-05 03:19  385,024  --a------  C:\WINDOWS\system32\atikvmag.dll
2007-12-05 03:16 . 2007-12-05 03:16  49,152  --a------  C:\WINDOWS\system32\drivers\ati2erec.dll
2007-12-05 03:14 . 2007-12-05 03:14  180,224  --a------  C:\WINDOWS\system32\atiok3x2.dll
.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.

2007-12-29 20:40  ---------  d-----w  C:\Program Files\Gadu-Gadu
2007-12-29 09:24  14,336  ----a-w  C:\WINDOWS\system32\svchost.exe
2007-12-22 14:32  ---------  d--h--w  C:\Program Files\InstallShield Installation Information
2007-12-16 16:24  ---------  d-----w  C:\Program Files\SubEdit-Player
2007-12-15 12:31  ---------  d-----w  C:\Program Files\NAPI-PROJEKT
2007-12-11 19:59  ---------  d-----w  C:\Program Files\SendFile
2007-12-11 19:59  ---------  d-----w  C:\Program Files\Fma
2007-12-08 17:13  ---------  d-----w  C:\Documents and Settings\pawelek1\Dane aplikacji\StopLocks
2007-12-08 17:12  ---------  d-----w  C:\Documents and Settings\All Users\Dane aplikacji\setup film inter bib
2007-12-08 17:12  ---------  d-----w  C:\Documents and Settings\All Users\Dane aplikacji\Default Second Htm Wait
2007-12-05 13:17  593,920  ------w  C:\WINDOWS\system32\ati2sgag.exe
2007-12-05 05:26  2,782,208  ----a-w  C:\WINDOWS\system32\drivers\ati2mtag.sys
2007-12-05 03:04  269,312  ----a-w  C:\WINDOWS\system32\ati2dvag.dll
2007-12-05 02:56  147,456  ----a-w  C:\WINDOWS\system32\atipdlxx.dll
2007-12-05 02:55  43,520  ----a-w  C:\WINDOWS\system32\ati2edxx.dll
2007-12-05 02:55  26,112  ----a-w  C:\WINDOWS\system32\Ati2mdxx.exe
2007-12-05 02:55  122,880  ----a-w  C:\WINDOWS\system32\Oemdspif.dll
2007-12-05 02:55  122,880  ----a-w  C:\WINDOWS\system32\ati2evxx.dll
2007-12-05 02:54  307,200  ----a-w  C:\WINDOWS\system32\atiiiexx.dll
2007-12-05 02:53  53,248  ----a-w  C:\WINDOWS\system32\ATIDDC.DLL
2007-12-05 02:53  495,616  ----a-w  C:\WINDOWS\system32\ati2evxx.exe
2007-12-05 02:44  3,175,584  ----a-w  C:\WINDOWS\system32\ati3duag.dll
2007-12-05 02:33  1,640,192  ----a-w  C:\WINDOWS\system32\ativvaxx.dll
2007-12-05 02:19  5,435,392  ----a-w  C:\WINDOWS\system32\atioglxx.dll
2007-12-05 02:17  17,408  ----a-w  C:\WINDOWS\system32\atitvo32.dll
2007-12-05 02:11  499,712  ----a-w  C:\WINDOWS\system32\ati2cqag.dll
2007-11-21 18:21  ---------  d-----w  C:\Program Files\Graitec
2007-11-21 17:58  ---------  d-----w  C:\Program Files\RegCleaner
2007-11-17 13:46  ---------  d-----w  C:\Documents and Settings\All Users\Dane aplikacji\Sony Ericsson
2007-11-17 13:45  ---------  d-----w  C:\Program Files\Sony Ericsson
2007-11-17 13:14  ---------  d-----w  C:\Program Files\Usb to Serial Driver 1.12.28
2007-11-17 13:14  ---------  d-----w  C:\Program Files\Common Files\InstallShield
2007-11-17 12:45  73,216  ----a-w  C:\WINDOWS\ST6UNST.EXE
2007-11-17 12:45  249,856  ------w  C:\WINDOWS\Setup1.exe
2007-11-17 12:32  ---------  d-----w  C:\Documents and Settings\pawelek1\Dane aplikacji\FMA
2007-11-13 10:25  20,480  ----a-w  C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-29 22:44  1,291,264  ----a-w  C:\WINDOWS\system32\quartz.dll
2007-10-25 09:00  230,912  ----a-w  C:\WINDOWS\system32\wmasf.dll
2001-11-23 04:08  712,704  ----a-r  C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AutoCAD Digital Signatures Icon Overlay Handler]
@={36A21736-36C2-4C11-8ACB-D4136F2B57BD}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Uchwyt nakładania ikony podpisu cyfrowego]
@={36A21736-36C2-4C11-8ACB-D4136F2B57BD}
[HKEY_CLASSES_ROOT\CLSID\{36A21736-36C2-4C11-8ACB-D4136F2B57BD}]
2006-03-05 13:55  185448  --a------  C:\WINDOWS\system32\AcSignIcon.dll
[HKEY_CLASSES_ROOT\CLSID\{36A21736-36C2-4C11-8ACB-D4136F2B57BD}]
2006-03-05 13:55  185448  --a------  C:\WINDOWS\system32\AcSignIcon.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:44]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2005-08-30 19:51]
"TheDate"="C:\DOCUME~1\pawelek1\DANEAP~1\STOPLO~1\FIND GLOBAL.exe" [2007-12-08 18:11]
"Steam"="C:\Program Files\Steam\Steam.exe" [2007-12-23 10:37]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [2002-04-26 10:17]
"Cmaudio"="RunDll32 cmicnfg.cpl" []
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"Inter bib audio army"="C:\Documents and Settings\All Users\Dane aplikacji\setup film inter bib\Send obj.exe" [2007-12-29 18:14]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-11-12 11:48]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-03 23:44]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
Przyspieszenie uruchomienia programu AutoCAD.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart17.exe [2006-03-05 14:43:54]

R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys [2004-09-22 16:14]
S3 GVCplDrv;GVCplDrv;C:\WINDOWS\system32\drivers\GVCplDrv.sys [2004-05-02 09:47]
S3 SER120;OTI Serial port driver;C:\WINDOWS\system32\DRIVERS\SER120.sys [2005-03-22 10:03]
S3 usbscan;Sterownik skanera USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 21:58]
S3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 22:08]
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-29 21:40:23
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-29 21:40:59
C:\ComboFix-quarantined-files.txt ... 2007-09-05 18:15
C:\ComboFix2.txt ... 2007-12-29 18:15
C:\ComboFix3.txt ... 2007-09-05 18:16
.
2007-12-21 20:38:37 --- E O F ---