Witam

Od paru dni zaczęły mi wyskakiwać niechciane reklamy CiD.

Proszę o przejrzenie loga z hijackthis.

Jeśli coś zrobiłem źle przepraszam, ale jestem w tym zielony.

Logfile of HijackThis v1.99.1

Scan saved at 15:59:52, on 2008-04-28

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\acs.exe

C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\WINDOWS\system32\crypserv.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PSIService.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\BenQ\QMusic2\QMAgent.exe

C:\Program Files\BenQ\Q-MediaBar\QBar.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\DAEMON Tools\daemon.exe

C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe

C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Gadu-Gadu\gg.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\svchost.exe

C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\WinZip\WZQKPICK.EXE

C:\WINDOWS\system32\WISPTIS.EXE

C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\AcroRd32.exe

C:\Program Files\Atheros\ACU.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\notepad.exe

C:\Documents and Settings\Kamil\Pulpit\DOWNLOAD\s\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.allegro.pl/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.benq.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O3 - Toolbar: (no name) - {37B85A29-692B-4205-9CAD-2626E4993404} - (no file)

O4 - HKLM…\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM…\Run: [nwiz] nwiz.exe /install

O4 - HKLM…\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe

O4 - HKLM…\Run: [QMusic2] “C:\Program Files\BenQ\QMusic2\QMAgent.exe”

O4 - HKLM…\Run: [Q-MediaBar] “C:\Program Files\BenQ\Q-MediaBar\QBar.exe” /stop

O4 - HKLM…\Run: [RemoteControl] “C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe”

O4 - HKLM…\Run: [ulead AutoDetector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe

O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM…\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM…\Run: [DAEMON Tools] “C:\Program Files\DAEMON Tools\daemon.exe” -lang 1033

O4 - HKLM…\Run: [WinampAgent] “C:\Program Files\Winamp\winampa.exe”

O4 - HKLM…\Run: [sunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe”

O4 - HKLM…\Run: [Corel File Shell Monitor] C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe

O4 - HKLM…\Run: [ROAD ITCH AMOK PING] C:\Documents and Settings\All Users\Dane aplikacji\Long slow road itch\Bolt one.exe

O4 - HKLM…\Run: [Corel Photo Downloader] “C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe” -startup

O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU…\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background

O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray

O4 - HKCU…\Run: [iNFO AXIS] C:\DOCUME~1\Kamil\DANEAP~1\1Hide\test plan.exe

O4 - Global Startup: BTTray.lnk = ?

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm

O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm

O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Wyślij do urządzenia &Bluetooth… - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O14 - IERESET.INF: START_PAGE_URL=http://WWW.BenQ.COM/

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD40/JSCDL/jre … 586-jc.cab

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Usługa konfiguracji Atheros (ACS) - Atheros - C:\WINDOWS\system32\acs.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

fix w hijackthis

Pobierz ComboFix, ale nie uruchamiaj

Wklej do notatnika:

Folder::

C:\Documents and Settings\All Users\Dane aplikacji\Long slow road itch

C:\Documents and Settings\All Users\Dane aplikacji\1Hide

Plik -> zapisz jako -> CFScript.txt (najwygodniej będzie, jeśli zapiszesz w takiej lokalizacji, by ikonka CFScript.txt znalazła się obok ikonki ComboFix.exe)

Przeciągnij i upuść ikonkę CFScript.txt na ikonkę ComboFix.exe tak jak tu ->

Powinno się rozpocząć usuwanie i powstanie log, daj ten log na forum.

Dzięki oto log

ComboFix 08-04-27.3 - Kamil 2008-04-28 22:33:23.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1045.18.1065 [GMT 2:00]

Running from: C:\Documents and Settings\Kamil\Pulpit\DOWNLOAD\ComboFix.exe

Command switches used :: C:\Documents and Settings\Kamil\Pulpit\DOWNLOAD\CFScript.txt

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Documents and Settings\All Users\Dane aplikacji\Long slow road itch

C:\Documents and Settings\All Users\Dane aplikacji\Long slow road itch\Bolt one.exe

.

((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-28 )))))))))))))))))))))))))))))))

.

2008-04-28 12:28 . 2008-04-28 12:32

2008-04-25 13:22 . 2008-04-25 13:22

2008-04-25 13:22 . 2008-04-25 13:22

2008-04-25 08:43 . 2008-04-25 08:43

2008-04-25 08:43 . 2008-04-25 08:43

2008-04-21 18:20 . 2008-04-21 18:20

2008-04-21 18:20 . 2008-04-21 18:20

2008-04-21 13:52 . 2008-04-21 13:52

2008-04-21 13:51 . 2008-04-21 13:51

2008-04-21 13:50 . 2008-04-21 13:52 32 --a------ C:\WINDOWS\0

2008-04-21 13:50 . 2008-04-21 13:50 0 --a------ C:\WINDOWS\system32\0

2008-04-21 13:43 . 2008-04-21 13:43

2008-04-21 01:37 . 2008-04-21 01:37

2008-04-21 01:37 . 2008-04-21 01:37

2008-04-21 01:37 . 2008-04-28 17:18 2,984 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys

2008-04-21 01:37 . 2008-04-21 18:22 88 -r-hs---- C:\WINDOWS\system32\5056F8205F.sys

2008-04-20 21:03 . 2008-04-20 21:03

2008-04-20 19:08 . 2008-04-20 19:09

2008-04-20 19:07 . 2008-04-20 19:07

2008-04-20 18:49 . 2008-04-20 18:49

2008-04-20 18:00 . 2004-08-03 23:00 22,016 --a------ C:\WINDOWS\system32\drivers\MSIRCOMM.sys

2008-04-20 18:00 . 2004-08-03 23:00 22,016 --a–c— C:\WINDOWS\system32\dllcache\msircomm.sys

2008-04-20 17:35 . 2001-10-26 17:05 17,920 --a------ C:\WINDOWS\system32\drivers\sermouse.sys

2008-04-20 17:35 . 2001-10-26 17:05 17,920 --a–c— C:\WINDOWS\system32\dllcache\sermouse.sys

2008-04-20 17:31 . 2007-11-20 18:35 49,792 --------- C:\WINDOWS\system32\drivers\ser2pl.sys

2008-04-17 19:02 . 2008-04-23 07:25 69 --a------ C:\WINDOWS\NeroDigital.ini

2008-04-17 18:53 . 2008-04-27 22:55

2008-04-17 18:47 . 2008-04-17 18:51 57 --a------ C:\WINDOWS\wininit.ini

2008-04-17 09:54 . 2008-04-17 09:54

2008-04-17 09:54 . 2008-04-17 09:54

2008-04-17 09:54 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl

2008-04-17 09:52 . 2008-04-17 09:52

2008-04-17 08:41 . 2008-04-17 08:41 528 -r-hs---- C:\WINDOWS\PCGWIN32.LI4

2008-04-17 08:32 . 2008-04-17 08:32

2008-04-17 08:27 . 2008-04-17 08:27

2008-04-16 21:46 . 2008-04-16 21:46

2008-04-16 21:27 . 2008-04-16 21:27

2008-04-16 21:09 . 2008-04-16 21:09

2008-04-16 21:07 . 2008-04-16 21:07

2008-04-16 21:07 . 2008-04-16 21:10

2008-04-16 20:56 . 2008-04-16 20:59

2008-04-16 20:56 . 2008-04-16 21:01

2008-04-16 20:47 . 2008-04-16 20:47

2008-04-15 23:41 . 2008-04-18 10:53

2008-04-15 23:35 . 2008-04-15 23:35 0 --ah----- C:\WINDOWS\msds.dat

2008-04-15 23:25 . 2008-04-15 23:25

2008-04-15 23:25 . 2008-04-25 13:21

2008-04-15 23:12 . 2008-04-15 23:18

2008-04-15 23:12 . 2008-04-23 07:19

2008-04-15 23:12 . 2008-04-15 23:12 2,560 --a------ C:\WINDOWS\system32\bitcometres.dll

2008-04-15 22:49 . 2008-04-15 22:53

2008-04-15 22:49 . 2008-04-15 22:49

2008-04-15 21:23 . 2008-04-15 21:27 2,240 --a------ C:\WINDOWS\system32\esnecil.nlp

2008-04-15 21:23 . 2008-04-15 23:56 2,240 --a------ C:\WINDOWS\system32\esnecil.ind

2008-04-15 21:23 . 2008-04-15 23:56 4 --a------ C:\WINDOWS\vx86036.dat

2008-04-15 21:14 . 2008-04-15 21:21

2008-04-15 21:14 . 2008-04-15 23:56

2008-04-15 21:10 . 2007-04-09 15:23 28,040 --a------ C:\WINDOWS\system32\mdimon.dll

2008-04-15 21:10 . 2008-04-15 21:19 728 --a------ C:\WINDOWS\ODBC.INI

2008-04-15 21:09 . 2008-04-15 21:09

2008-04-15 21:02 . 2008-04-15 21:02

2008-04-15 21:01 . 2008-04-15 21:01

2008-04-15 20:55 . 2008-04-17 21:05

2008-04-15 20:54 . 2008-04-15 20:54

2008-04-15 20:52 . 2008-04-15 20:52 639,224 --a------ C:\WINDOWS\system32\drivers\sptd.sys

2008-04-15 20:51 . 2008-04-15 20:51

2008-04-15 20:42 . 2008-04-15 20:43

2008-04-15 12:54 . 2008-04-15 12:54

2008-04-15 12:50 . 2008-03-01 15:02 6,066,176 -----c— C:\WINDOWS\system32\dllcache\ieframe.dll

2008-04-15 12:50 . 2007-07-01 05:31 2,455,488 -----c— C:\WINDOWS\system32\dllcache\ieapfltr.dat

2008-04-15 12:50 . 2007-07-01 05:36 1,036,288 -----c— C:\WINDOWS\system32\dllcache\ieframe.dll.mui

2008-04-15 12:50 . 2008-03-01 15:02 459,264 -----c— C:\WINDOWS\system32\dllcache\msfeeds.dll

2008-04-15 12:50 . 2008-03-01 15:02 383,488 -----c— C:\WINDOWS\system32\dllcache\ieapfltr.dll

2008-04-15 12:50 . 2008-03-01 15:02 267,776 -----c— C:\WINDOWS\system32\dllcache\iertutil.dll

2008-04-15 12:50 . 2008-03-01 15:02 63,488 -----c— C:\WINDOWS\system32\dllcache\icardie.dll

2008-04-15 12:50 . 2008-03-01 15:02 52,224 -----c— C:\WINDOWS\system32\dllcache\msfeedsbs.dll

2008-04-15 12:50 . 2008-02-22 12:00 13,824 -----c— C:\WINDOWS\system32\dllcache\ieudinit.exe

2008-04-15 12:49 . 2008-04-15 12:50

2008-04-15 12:47 . 2007-08-13 18:54 33,792 --a–c— C:\WINDOWS\system32\dllcache\custsat.dll

2008-04-15 12:32 . 2006-08-21 11:14 128,896 -----c— C:\WINDOWS\system32\dllcache\fltmgr.sys

2008-04-15 12:32 . 2006-08-21 11:14 23,040 -----c— C:\WINDOWS\system32\dllcache\fltmc.exe

2008-04-15 12:32 . 2006-08-21 14:28 16,896 -----c— C:\WINDOWS\system32\dllcache\fltlib.dll

2008-04-15 12:30 . 2008-04-15 12:30

2008-04-15 11:25 . 2007-07-09 15:11 584,192 -----c— C:\WINDOWS\system32\dllcache\rpcrt4.dll

2008-04-14 15:03 . 2008-04-14 15:03

2008-04-14 15:02 . 2008-04-28 22:34

2008-04-14 15:02 . 2008-04-27 11:13

2008-04-14 15:02 . 2006-03-07 01:48

2008-04-14 15:02 . 2008-04-28 22:33

2008-04-14 15:02 . 2008-04-25 08:44

2008-04-14 15:02 . 2008-04-16 21:07

2008-04-14 15:02 . 2006-03-07 20:30

2008-04-14 15:02 . 2008-04-25 08:46

2008-04-14 15:02 . 2006-03-07 02:11

2008-04-14 15:02 . 2008-04-28 17:46

2008-04-14 15:02 . 2008-04-28 22:34 1,024 --ah----- C:\Documents and Settings\Kamil\ntuser.dat.LOG

2008-04-14 15:01 . 2006-03-07 20:30

2008-04-14 15:01 . 2006-03-07 02:11

2008-04-14 15:01 . 2008-04-14 15:01

2008-04-14 15:01 . 2006-03-07 02:11

2008-04-14 15:01 . 2008-04-14 15:01 1,024 --ah----- C:\Documents and Settings\All Users\NTUSER.DAT.LOG

2008-04-03 05:03 . 2008-04-03 05:03 1,333,152 --a------ C:\WINDOWS\system32\drivers\athw.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-04-20 15:31 --------- d–h--w C:\Program Files\InstallShield Installation Information

2008-04-16 12:38 --------- d-----w C:\Program Files\Common Files\Adobe

2008-04-14 13:03 21,275 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys

2008-03-31 21:25 682,496 ----a-w C:\WINDOWS\system32\divx.dll

2008-03-28 17:41 7,680 ----a-w C:\WINDOWS\system32\ff_vfw.dll

2008-03-21 20:30 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll

2008-03-21 20:28 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll

2008-03-20 08:09 1,845,504 ----a-w C:\WINDOWS\system32\win32k.sys

2008-03-13 11:52 51,528 ----a-w C:\WINDOWS\system32\ftserui2.dll

2008-03-13 11:51 57,536 ----a-w C:\WINDOWS\system32\drivers\ftdibus.sys

2008-03-13 11:50 72,000 ----a-w C:\WINDOWS\system32\drivers\ftser2k.sys

2008-03-13 11:50 202,048 ----a-w C:\WINDOWS\system32\ftd2xx.dll

2008-03-13 11:49 185,664 ----a-w C:\WINDOWS\system32\FTLang.dll

2008-03-13 11:49 120,128 ----a-w C:\WINDOWS\system32\ftbusui.dll

2008-03-01 13:02 826,368 ----a-w C:\WINDOWS\system32\wininet.dll

2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll

2008-02-20 05:38 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“CTFMON.EXE”=“C:\WINDOWS\system32\ctfmon.exe” [2006-03-02 06:00 15360]

“MSMSGS”=“C:\Program Files\Messenger\msmsgs.exe” [2004-10-13 18:24 1694208]

“Gadu-Gadu”=“C:\Program Files\Gadu-Gadu\gg.exe” [2007-11-14 12:54 2131392]

“INFO AXIS”=“C:\DOCUME~1\Kamil\DANEAP~1\1Hide\test plan.exe” [2008-04-25 08:43 416256]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“SynTPEnh”=“C:\Program Files\Synaptics\SynTP\SynTPEnh.exe” [2006-04-28 17:13 766041]

“NvCplDaemon”=“C:\WINDOWS\system32\NvCpl.dll” [2006-04-27 04:48 7561216]

“nwiz”=“nwiz.exe” [2006-04-27 04:48 1519616 C:\WINDOWS\system32\nwiz.exe]

“High Definition Audio Property Page Shortcut”=“CHDAudPropShortcut.exe” [2006-02-03 04:43 61952 C:\WINDOWS\system32\CHDAudPropShortcut.exe]

“QMusic2”=“C:\Program Files\BenQ\QMusic2\QMAgent.exe” [2005-03-07 16:40 151552]

“Q-MediaBar”=“C:\Program Files\BenQ\Q-MediaBar\QBar.exe” [2006-03-07 10:53 282722]

“RemoteControl”=“C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe” [2004-11-02 21:24 32768]

“Ulead AutoDetector”=“C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe” [2003-11-18 18:20 45056]

“NeroFilterCheck”=“C:\WINDOWS\system32\NeroCheck.exe” [2001-07-09 11:50 155648]

“avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [2008-03-29 19:37 79224]

“DAEMON Tools”=“C:\Program Files\DAEMON Tools\daemon.exe” [2006-11-12 12:48 157592]

“WinampAgent”=“C:\Program Files\Winamp\winampa.exe” []

“SunJavaUpdateSched”=“C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe” [2008-02-22 04:25 144784]

“Corel File Shell Monitor”=“C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe” [2008-01-15 15:18 16200]

“ROAD ITCH AMOK PING”=“C:\Documents and Settings\All Users\Dane aplikacji\Long slow road itch\Bolt one.exe” []

“Corel Photo Downloader”=“C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe” [2007-12-14 13:35 531784]

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

“CTFMON.EXE”=“C:\WINDOWS\system32\CTFMON.EXE” [2006-03-02 06:00 15360]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\

BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-01-17 11:45:32 618557]

WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2008-04-15 20:30:24 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

“VIDC.YV12”= yv12vfw.dll

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

“%windir%\system32\sessmgr.exe”=

“%windir%\Network Diagnostic\xpnetdiag.exe”=

“C:\Program Files\BearShare\BearShare.exe”=

“C:\Program Files\BitComet\BitComet.exe”=

“C:\Program Files\Gadu-Gadu\gg.exe”=

“C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe”=

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

“18417:TCP”= 18417:TCP:BitComet 18417 TCP

“18417:UDP”= 18417:UDP:BitComet 18417 UDP

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 19:31]

R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 19:35]

R3 nvsmu;nvsmu;C:\WINDOWS\system32\DRIVERS\nvsmu.sys [2005-11-15 01:51]

*Newly Created Service* - CATCHME

.

Contents of the ‘Scheduled Tasks’ folder

“2008-04-28 20:00:01 C:\WINDOWS\Tasks\AE77D1F193284515.job”

• c:\docume~1\kamil\daneap~1\1hide\default two shim.exe

“2008-04-28 14:24:50 C:\WINDOWS\Tasks\Low Battery Alarm Program.job”

.

**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-04-28 22:34:50

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2008-04-28 22:35:29

ComboFix-quarantined-files.txt 2008-04-28 20:35:26

Pre-Run: 23,441,743,872 bajtów wolnych

Post-Run: 23,557,398,528 bajtów wolnych

206 — E O F — 2008-04-21 11:43:57

W logu nic nie widzę

Przeskanuj komputer tym (uruchom przez IE) http://www.kaspersky.pl/virusscanner.html Daj raport z niego na forum

A ja w tym logu dalej widzę elementy tej infekcji “LOP”.

Wklej do Notatnika :

File::

C:\WINDOWS\Tasks\AE77D1F193284515.job

C:\Documents and Settings\Kamil\Dane aplikacji\1Hide\default two shim.exe

C:\Documents and Settings\Kamil\Dane aplikacji\1Hide\test plan.exe


Folder:

C:\Program Files\1Hide

C:\Documents and Settings\Kamil\Dane aplikacji\1Hide


Registry::

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"INFO AXIS"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ROAD ITCH AMOK PING"=-

>>Plik>>Zapisz jako… >>> CFScript

Przeciągnij i upuść plik CFScript.txt na plik ComboFix.exe

–>

Ma się rozpocząć usuwanie. (i powstanie log). Daj ten log, który powstanie w trakcie usuwania.

Jeśli pójdzie dobrze, to: Po restarcie usuń ręcznie folder C:** Qoobox**.

jessi