Once I had to turn off Kaspersky, and during that time some virus apparently crept in. Its trick is that I could no longer turn the antivirus back on, and when I install any other one it deletes its exe files or won't let it install (i.e. some errors pop up). In addition, it starts a process from time to time that eats up a great deal of memory; fortunately that one can be killed without trouble.
And the question: does anyone know how I could install some antivirus so that its exe files don't get deleted?
Log:
Logfile of HijackThis v1.99.1
Scan saved at 20:27:33, on 2007-02-25
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AutoConnect\AutoConnect.exe
C:\Program Files\LClock\lclock.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Jurkiewicz\Pulpit\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
O1 - Hosts: 71.202.66.125 l2authd.lineage2.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: (no name) - {AE6A0D4B-5EF7-4B2F-8AF6-6E075CBCD1B2} - C:\WINDOWS\system32\nlhtml32.dll
O2 - BHO: Window Shades - {B5B57F4F-EFA5-11D4-A971-444553540000} - C:\PROGRA~1\GMMCOM~1\WINDOW~1\WINDOW~1.DLL (file missing)
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM…\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM…\Run: [HideBUS] C:\Download\hidebus\HideBUS.exe
O4 - HKLM…\Run: [Vistadrv] C:\Download\Vista\Vista_Drive_Status\Vista Drive Status\vsdrv.exe
O4 - HKCU…\Run: [AutoConnect] C:\Program Files\AutoConnect\AutoConnect.exe
O4 - HKCU…\Run: [LClock] C:\Program Files\LClock\lclock.exe
O4 - HKCU…\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O11 - Options group: [iNTERNATIONAL] International*
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O17 - HKLM\System\CCS\Services\Tcpip…{DA6D1F96-AA43-4ED1-8C2E-56B42635AFE3}: NameServer = 194.204.159.1 217.98.63.164
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
szymoo2
(Szymoo)
25 February 2007 17:02
#2
Post a set of logs from HijackThis and Silent Runners and the specialists will surely help you
http://forum.dobreprogramy.pl/viewtopic.php?t=36654
c3x
(Carlsbergxxx)
25 February 2007 17:06
#3
Scan the computer with some online scanner, maybe that will help. You can use this scanner, for example: http://www.mks.com.pl/skaner/
Rysiu
(Rysiu320)
25 February 2007 17:57
#4
Try scanning it in Safe Mode. You simply start Kaspersky in that mode and scan.
Only, if I don't have the antivirus exe files I'm unlikely to get it running. And the online scanner showed me forty-odd infected files.
adam9870
(adam9870)
26 February 2007 13:45
#6
Use Windows Worms Doors Cleaner and change the marks from disable to enable (all the marks should be green; if any of them is yellow, leave it). A restart is required after using the tool.
Download KillBox, tick Delete on reboot, and in the full path of file field paste the path:
C:\WINDOWS\system32\nlhtml32.dll
Click the red X and restart the computer.
Remove the HJT entry.
Do you still have Window Shades? If not, also cut out the entry:
Which process? Give its name.
But where did it detect them? After performing the steps I gave, scan with http://kaspersky.pl/virusscanner.html and post the report and new logs from:
Rootkit tab >>> everything ticked except Show all >>> click Search >>> wait patiently until it finishes >>> Copy >>> paste into the post
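The checks adam9870 is applying by eye in this post (a hosts entry that points somewhere other than localhost, a BHO with no name or with its DLL missing, autostart entries launched from odd places) can be scripted. What follows is an added example written for this thread; it is not code from any poster, from HijackThis or from any of the tools named here. The sample lines are copied from the HijackThis log posted above, except for the `~23.exe` O4 line, which is constructed to mirror the process names the original poster gives for the memory-hogging process; the `TRUSTED_PREFIXES` list and the severity labels are this example's own assumptions.

```python
"""Triage of HijackThis-style log lines (O1 hosts, O2 BHO, O4 Run).

Added example for this thread, not part of any post or of HijackThis.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed sample: entries copied from the HijackThis log posted in the
# thread, plus one constructed O4 line (~23.exe) modelled on the process
# names the original poster describes. That last line is NOT from the log.
SAMPLE_LOG = r"""
O1 - Hosts: 71.202.66.125 l2authd.lineage2.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AE6A0D4B-5EF7-4B2F-8AF6-6E075CBCD1B2} - C:\WINDOWS\system32\nlhtml32.dll
O2 - BHO: Window Shades - {B5B57F4F-EFA5-11D4-A971-444553540000} - C:\PROGRA~1\GMMCOM~1\WINDOW~1\WINDOW~1.DLL (file missing)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [HideBUS] C:\Download\hidebus\HideBUS.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [~23] C:\WINDOWS\system32\~23.exe
"""

# Assumption: on an XP box, autostart entries normally live under these trees.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")

HOSTS_RE = re.compile(r"^O1 - Hosts: (\S+) (\S+)$")
BHO_RE = re.compile(r"^O2 - BHO: (.*?) - \{[0-9A-Fa-f-]+\} - (.*)$")
RUN_RE = re.compile(r"^O4 - (HK\w+).*\\Run: \[(.*?)\] (.*)$")
TEMP_NAME_RE = re.compile(r"^~[0-9a-z]+\.exe$", re.IGNORECASE)  # ~23.exe, ~4n.exe


@dataclass
class Finding:
    section: str   # O1, O2 or O4
    severity: str  # "high" or "low" (this example's own scale)
    reason: str
    line: str


def _command_path(command: str) -> str:
    """Executable part of an O4 command, lower-cased, %systemroot% expanded."""
    cmd = command.strip()
    if cmd.startswith('"'):
        exe = cmd[1:].split('"', 1)[0]
    else:
        m = re.match(r"(?i)(.*?\.exe)(\s.*)?$", cmd)   # cut at the first .exe
        exe = m.group(1) if m else cmd.split(" ", 1)[0]
    return exe.lower().replace("%systemroot%", "c:\\windows")


def check_hosts(line: str):
    """O1: a hostname mapped to anything but loopback/unspecified is a redirect."""
    m = HOSTS_RE.match(line)
    if not m:
        return None
    ip, host = m.groups()
    try:
        addr = ip_address(ip)
    except ValueError:
        return Finding("O1", "high", f"unparseable address {ip!r} for {host}", line)
    if addr.is_loopback or addr.is_unspecified:
        return None  # 127.0.0.1 / 0.0.0.0 blocking entries are normal
    return Finding("O1", "high", f"hosts file redirects {host} to {ip} (not localhost)", line)


def check_bho(line: str):
    """O2: unnamed BHOs are the classic hiding spot; missing DLLs are leftovers."""
    m = BHO_RE.match(line)
    if not m:
        return None
    name, path = m.groups()
    if name == "(no name)":
        return Finding("O2", "high", f"unnamed BHO loading {path}", line)
    if path.endswith("(file missing)"):
        return Finding("O2", "low", f"orphaned BHO entry {name!r}, DLL missing", line)
    return None


def check_run(line: str):
    """O4: flag temp-style ~xx.exe names and binaries outside the usual trees."""
    m = RUN_RE.match(line)
    if not m:
        return None
    hive, value_name, command = m.groups()
    exe = _command_path(command)
    basename = exe.rsplit("\\", 1)[-1]
    if TEMP_NAME_RE.match(basename):
        return Finding("O4", "high", f"{hive} Run [{value_name}] launches temp-style name {basename}", line)
    if not exe.startswith(TRUSTED_PREFIXES):
        return Finding("O4", "low", f"{hive} Run [{value_name}] runs from unusual location {exe}", line)
    return None


def triage(log_text: str) -> list:
    """Run each check over every line; one finding at most per line, in log order."""
    findings = []
    for raw in log_text.strip().splitlines():
        line = raw.strip()
        for check in (check_hosts, check_bho, check_run):
            finding = check(line)
            if finding:
                findings.append(finding)
                break
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:4}] {f.section}: {f.reason}")
```

Run against the sample it flags the lineage2 hosts redirect, the unnamed nlhtml32.dll BHO and the ~23.exe autostart as high, and the orphaned Window Shades entry and the HideBUS binary under C:\Download as low; the Adobe BHO, ctfmon.exe and the dumprep entry pass. The point is the same one the helpers make in the thread: the log format is regular enough that the suspicious classes of entry can be picked out mechanically before deciding what to remove.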
This process appears under different names, but always ~(some digit or letter).exe, e.g. ~23.exe, ~4n.exe and so on. Sometimes it takes as little as 1000k (under "Mem Usage" in the process list), and sometimes even hundreds of thousands, and then it grinds the computer terribly.
After the online scan it detected mainly *.exe files. Two files were removed successfully, and the rest remained untouched.
SILENTRUNNERS:
“Silent Runners.vbs”, revision R50, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “AutoConnect” = “C:\Program Files\AutoConnect\AutoConnect.exe” [“http://autoconnect.prv.pl ”] “LClock” = “C:\Program Files\LClock\lclock.exe” [null data] “ctfmon.exe” = “C:\WINDOWS\system32\ctfmon.exe” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “KernelFaultCheck” = “C:\WINDOWS\system32\dumprep 0 -k” “HideBUS” = “C:\Download\hidebus\HideBUS.exe” [null data] “Vistadrv” = “C:\Download\Vista\Vista_Drive_Status\Vista Drive Status\vsdrv.exe” [file not found] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “AcroIEHlprObj Class” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided) -> {HKLM…CLSID} = “SSVHelper Class” \InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll” [“Sun Microsystems, Inc.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\system32\hticons.dll” [“Hilgraeve, Inc.”] “{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}” = “UnlockerShellExtension” -> {HKLM…CLSID} = “UnlockerShellExtension” \InProcServer32(Default) = “C:\Program Files\Unlocker\UnlockerCOM.dll” [null data] 
“{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}” = “iTunes” -> {HKLM…CLSID} = “iTunes” \InProcServer32(Default) = “C:\Program Files\iTunes\iTunesMiniPlayer.dll” [“Apple Computer, Inc.”] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] “{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Microsoft Office\OFFICE11\msohev.dll” [MS] “{cc86590a-b60a-48e6-996b-41d25ed39a1e}” = “Portable Media Devices Menu” -> {HKLM…CLSID} = “Portable Media Devices Menu” \InProcServer32(Default) = “C:\WINDOWS\system32\Audiodev.dll” [MS] “{472083B0-C522-11CF-8763-00608CC02F24}” = “avast” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Program Files\Alwil\Avast4\ashShell.dll” [file not found] “{2F5AC606-70CF-461C-BFE1-734234536262}” = “WindowBlinds CPL Extension” -> {HKLM…CLSID} = “DisplayCplExt Class” \InProcServer32(Default) = “C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbui.dll” [“Stardock.Net , Inc”] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\ <> “AppInit_DLLs” = “wbsys.dll” [“Stardock.Net , Inc”] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <> AtiExtEvent\DLLName = “Ati2evxx.dll” [“ATI Technologies Inc.”] <> WBSrv\DLLName = “C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll” [“Stardock”] HKLM\Software\Classes\PROTOCOLS\Filter\ <> text/xml\CLSID = “{807553E5-5146-11D5-A672-00B0D022E945}” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL” [MS] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info” -> {HKLM…CLSID} = “PDF Shell Extension” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”] 
HKLM\Software\Classes*\shellex\ContextMenuHandlers\ avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Program Files\Alwil\Avast4\ashShell.dll” [file not found] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Program Files\Alwil\Avast4\ashShell.dll” [file not found] UnlockerShellExtension(Default) = “{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}” -> {HKLM…CLSID} = “UnlockerShellExtension” \InProcServer32(Default) = “C:\Program Files\Unlocker\UnlockerCOM.dll” [null data] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\ UnlockerShellExtension(Default) = “{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}” -> {HKLM…CLSID} = “UnlockerShellExtension” \InProcServer32(Default) = “C:\Program Files\Unlocker\UnlockerCOM.dll” [null data] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. 
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ “ForceClassicControlPanel” = (REG_DWORD) hex:0x00000001 {unrecognized setting} “NoSaveSettings” = (REG_DWORD) hex:0x00000000 {User Configuration|Administrative Templates|Desktop| Don’t save settings at exit} “NoSMConfigurePrograms” = (REG_DWORD) hex:0x00000001 {unrecognized setting} “NoRecentDocsMenu” = (REG_DWORD) hex:0x00000001 {unrecognized setting} “NoLowDiskSpaceChecks” = (REG_DWORD) hex:0x00000001 {unrecognized setting} “NoSharedDocuments” = (REG_DWORD) hex:0x00000001 {User Configuration|Administrative Templates|Windows Components|Windows Explorer| Remove Shared Documents from My Computer} HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ “NoRemoteRecursiveEvents” = (REG_DWORD) hex:0x00000001 {unrecognized setting} HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} “NoInternetOpenWith” = (REG_DWORD) hex:0x00000001 {unrecognized setting} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\Download\Vista\Grass.bmp” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\Download\Vista\Grass.bmp” Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ “SCRNSAVE.EXE” = “C:\Download\Vista\WYGASZ~1\ORIG_B~1.SCR” (orig_bubbles.scr) 
[MS] Enabled Scheduled Tasks: ------------------------ “1-Click Maintenance” -> launches: “C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe /schedulestart” [file not found] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKLM\Software\Microsoft\Internet Explorer\Toolbar\ “{D2F8F919-690B-4EA2-9FA7-A203D1E04F75}” = (no title provided) -> {HKLM…CLSID} = “StylerToolBar” \InProcServer32(Default) = “C:\Program Files\Styler\TB\StylerTB.dll” [“StyleFantasist”] Explorer Bars HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\ {3BAF4A27-C764-4E1A-A6F4-62F7A7E5E51C}(Default) = (no title provided) -> {HKLM…CLSID} = “ToolBand Class” \InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\audience\audience.dll” [empty string] HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\ HKLM\Software\Classes\CLSID{01002DB2-8170-4D9B-A8B1-DDC9DD114E03}(Default) = “Volet Wanadoo” Implemented Categories{00021494-0000-0000-C000-000000000046}\ [horizontal bar] InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\audience\audience.dll” [empty string] HKLM\Software\Classes\CLSID{5BF498C0-931E-4A4F-B33F-456D07137EAA}(Default) = “Volet Wanadoo” Implemented Categories{00021494-0000-0000-C000-000000000046}\ [horizontal bar] InProcServer32(Default) = 
“C:\PROGRA~1\NEOSTR~1\audience\audience.dll” [empty string] HKLM\Software\Classes\CLSID{FF059E31-CC5A-4E2E-BF3B-96E929D65503}(Default) = “&Badanie” Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL” [MS] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {92780B25-18CC-41C8-B9BE-3C9C571A8263}\ “ButtonText” = “Badanie” Miscellaneous IE Hijack Points ------------------------------ HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\ <> “{08C06D61-F1F3-4799-86F8-BE1A89362C85}” = (no title provided) -> {HKLM…CLSID} = “Search Class” \InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL” [empty string] HKLM\Software\Microsoft\Internet Explorer\AboutURLs\ <> “TuneUp” = “file://C|/Documents and Settings/All Users/Dane aplikacji/TuneUp Software/Common/base.css” [file not found] HOSTS file ---------- C:\WINDOWS\System32\drivers\etc\HOSTS maps: 1 domain name to an IP address, 1 of the IP addresses is *not* localhost! Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ hpzsnt05\Driver = “hpzsnt05.dll” [“HP”] Microsoft Document Imaging Writer Monitor\Driver = “mdimon.dll” [MS] ---------- <>: Suspicious data at a malware launch point. <>: Suspicious data at a browser hijack point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points, use the -supp parameter or answer “No” at the first message box and “Yes” at the second message box. ---------- (total run time: 122 seconds, including 28 seconds for message boxes)
The post is probably already too long for the gmer log. Someone has to answer me.
adam9870
(adam9870)
27 February 2007 15:33
#8
Silent is clean.
Paste the Kaspersky report, the Gmer log as I asked, plus a log from ComboScan.
Gutek
(Gutek)
27 February 2007 15:49
#9
Follow this Topic and change the thread title to a specific one, otherwise it goes to the TRASH
Regards, Gutek2222
The gmer log doesn't fit into the post. Kaspersky is still scanning.
ComboScan v20070226.18 run by Jurkiewicz on 2007-02-27 at 16:55:56 Computer is in Normal Mode. -------------------------------------------------------------------------------- – HijackThis (run as Jurkiewicz.exe) ------------------------------------------- Logfile of HijackThis v1.99.1 Scan saved at 16:55:57, on 2007-02-27 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.5730.0011) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\AutoConnect\AutoConnect.exe C:\Program Files\LClock\lclock.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Opera\Opera.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\Jurkiewicz\Pulpit\gmer\gmer.exe C:\WINDOWS\NOTEPAD.EXE C:\Documents and Settings\Jurkiewicz\Pulpit\comboscan.exe C:\DOCUME~1\JURKIE~1\Pulpit\HIJACK~1\JURKIE~1.EXE R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL O1 - Hosts: 71.202.66.125 l2authd.lineage2.com O2 - 
BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll O4 - HKLM…\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM…\Run: [HideBUS] C:\Download\hidebus\HideBUS.exe O4 - HKLM…\Run: [Vistadrv] C:\Download\Vista\Vista_Drive_Status\Vista Drive Status\vsdrv.exe O4 - HKCU…\Run: [AutoConnect] C:\Program Files\AutoConnect\AutoConnect.exe O4 - HKCU…\Run: [LClock] C:\Program Files\LClock\lclock.exe O4 - HKCU…\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O11 - Options group: [iNTERNATIONAL] International* O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.pl/resources/virus … nicode.cab O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab O17 - HKLM\System\CCS\Services\Tcpip…{DA6D1F96-AA43-4ED1-8C2E-56B42635AFE3}: NameServer = 194.204.159.1 217.98.63.164 O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: iPod Service - Apple Computer, Inc. 
- C:\Program Files\iPod\bin\iPodService.exe – Files created between 2007-01-27 and 2007-02-27 ------------------------------ 2007-02-27 15:55:16 0 d-------- C:\WINDOWS\system32\Kaspersky Lab 2007-02-27 15:55:06 0 d-------- C:\WINDOWS\LastGood 2007-02-27 15:49:41 80 --a------ C:\WINDOWS\gmer_uninstall.cmd 2007-02-27 15:40:30 0 d-------- C:!KillBox 2007-02-26 20:18:47 0 d-------- C:\Program Files\Microsoft Games 2007-02-26 15:41:00 1033728 --a------ C:\WINDOWS\explorer.exe 2007-02-25 20:21:36 0 d-------- C:\Program Files\SkanerOnline 2007-02-25 20:12:33 0 d-------- C:\Program Files\Alwil Software 2007-02-25 17:40:09 0 d-------- C:\Nowy folder 2007-02-25 13:05:08 0 d-------- C:\Program Files\microsoft frontpage 2007-02-25 13:01:40 0 d-------- C:\Program Files\HighMAT CD Writing Wizard 2007-02-24 17:47:56 2321280 --a------ C:\WINDOWS\system32\TUKernel.exe 2007-02-24 17:21:15 1033216 --a------ C:\explorer.exe 2007-02-24 17:03:21 303616 --a------ C:\WINDOWS\IsUninst.exe 2007-02-24 13:53:32 187392 --a------ C:\WINDOWS\system32\JPGUtils.dll 2007-02-24 13:53:31 0 d-------- C:\Program Files\WinCustomize 2007-02-24 13:53:31 0 d-------- C:\Program Files\Common Files\Stardock 2007-02-24 13:32:35 504509 --a------ C:\WINDOWS\XP Ultimate Uninstaller.exe 2007-02-24 13:32:35 0 d-------- C:\Program Files\XP Ultimate 2007-02-24 13:00:52 36864 --a------ C:\WINDOWS\system32\wbsys.dll 2007-02-24 13:00:52 20480 --a------ C:\WINDOWS\system32\wbload.dll 2007-02-24 13:00:51 0 d-------- C:\Program Files\Stardock 2007-02-24 12:47:35 0 d-------- C:\Program Files\Styler 2007-02-24 12:47:34 0 d-------- C:\Program Files\VisualTooltip 2007-02-24 12:47:34 0 d-------- C:\Program Files\Blaero Start Orb 2007-02-24 12:47:33 7287808 --a------ C:\WINDOWS\system32\vistaui.exe 2007-02-24 12:47:33 0 d-------- C:\Program Files\Vista Sidebar 2007-02-24 12:47:12 414223 --a------ C:\WINDOWS\system32\vimc.exe 2007-02-24 12:43:11 0 d-------- C:\WINDOWS\system32\VITrans 2007-02-24 12:42:04 111104 --a------ 
C:\WINDOWS\system32\Uharc.exe 2007-02-24 12:42:03 19968 --a------ C:\WINDOWS\system32\reico.exe 2007-02-24 12:42:03 69632 --a------ C:\WINDOWS\system32\moveex.exe 2007-02-24 12:42:03 8636 --a------ C:\WINDOWS\system32\modifype.exe 2007-02-24 12:42:03 81920 --a------ C:\WINDOWS\system32\CloseApp.exe 2007-02-23 16:46:33 0 d-------- C:\Program Files\LClock 2007-02-23 16:44:25 2919424 --a------ C:\WINDOWS\system32\sysdm.exe 2007-02-23 14:22:31 49152 --a------ C:\WINDOWS\rebuild.exe 2007-02-17 18:27:26 0 d-------- C:\Program Files\Common Files\Skype 2007-02-17 18:27:15 0 d-------- C:\Program Files\Skype 2007-02-16 16:12:19 0 d-------- C:\WINDOWS\system_backup 2007-02-16 15:59:07 0 dr-hs---- C:\cmdcons 2007-02-16 15:59:05 0 d-------- C:\WINDOWS\setup.pss 2007-02-16 15:49:57 0 d-------- C:\WINDOWS\icon_TMP 2007-02-15 20:42:12 0 d–h----- C:\WINDOWS\system32\GroupPolicy 2007-02-11 15:54:28 0 d-------- C:\Program Files\Eidos 2007-02-04 18:15:55 23352 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys 2007-02-04 18:15:54 43176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys 2007-02-04 18:15:54 31560 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys 2007-02-04 18:15:51 94424 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys 2007-02-04 18:15:51 85952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys 2007-02-04 18:15:44 1060864 --a------ C:\WINDOWS\system32\MFC71.dll 2007-02-04 18:15:44 90112 --a------ C:\WINDOWS\system32\AVASTSS.scr 2007-02-04 18:15:44 689280 --a------ C:\WINDOWS\system32\aswBoot.exe 2007-02-04 16:56:28 6176 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat 2007-02-04 16:56:28 292128 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat 2007-02-04 16:20:34 8192 --a------ C:\WINDOWS\system32\kbdkor.dll 2007-02-04 16:20:34 8704 --a------ C:\WINDOWS\system32\kbdjpn.dll 2007-02-04 16:20:34 6144 --a------ C:\WINDOWS\system32\kbd106.dll 2007-02-04 16:20:34 5632 --a------ C:\WINDOWS\system32\kbd103.dll 2007-02-04 16:20:34 6144 --a------ C:\WINDOWS\system32\kbd101c.dll 
2007-02-04 16:20:34 6144 --a------ C:\WINDOWS\system32\kbd101b.dll 2007-02-04 16:16:28 0 d-------- C:\WINDOWS\exefld 2007-02-01 17:49:12 0 d-------- C:\WINDOWS\WBEM 2007-02-01 17:49:11 0 d-------- C:\WINDOWS\system32\pl-pl 2007-02-01 17:47:27 0 d–h—c- C:\WINDOWS\ie7 2007-02-01 17:47:16 206336 -----n— C:\WINDOWS\system32\WinFXDocObj.exe 2007-02-01 17:47:15 12288 -----n— C:\WINDOWS\system32\msfeedssync.exe 2007-02-01 17:47:15 50688 -----n— C:\WINDOWS\system32\msfeedsbs.dll 2007-02-01 17:47:15 458752 -----n— C:\WINDOWS\system32\msfeeds.dll 2007-02-01 17:47:14 180736 -----n— C:\WINDOWS\system32\ieui.dll 2007-02-01 17:47:14 266752 -----n— C:\WINDOWS\system32\iertutil.dll 2007-02-01 17:47:13 6049280 -----n— C:\WINDOWS\system32\ieframe.dll 2007-02-01 17:47:13 380928 -----n— C:\WINDOWS\system32\ieapfltr.dll 2007-02-01 17:47:12 2451824 -----n— C:\WINDOWS\system32\ieapfltr.dat 2007-02-01 17:47:12 61952 -----n— C:\WINDOWS\system32\icardie.dll 2007-02-01 17:42:42 20480 --a------ C:\WINDOWS\system32\normaliz.dll 2007-02-01 17:42:10 13312 --a------ C:\WINDOWS\system32\ieudinit.exe 2007-01-30 18:56:56 0 d-------- C:\Program Files\jv16 PowerTools 2006 2007-01-28 20:42:36 0 d-------- C:\Program Files\VideoLAN 2007-01-27 18:23:28 0 d-------- C:\Program Files\Common Files\Blizzard Entertainment – Find3M Report ---------------------------------------------------------------- 2007-02-27 16:33:13 0 d-------- C:\Program Files\xp-AntiSpy 2007-02-27 16:18:20 0 d-------- C:\Documents and Settings\Jurkiewicz\Dane aplikacji\Azureus 2007-02-27 15:55:55 458022 --a------ C:\WINDOWS\system32\perfh015.dat 2007-02-27 15:55:55 79408 --a------ C:\WINDOWS\system32\perfc015.dat 2007-02-27 15:42:16 0 d-------- C:\Program Files\AutoConnect 2007-02-26 19:45:34 0 d-------- C:\Documents and Settings\Jurkiewicz\Dane aplikacji\Skype 2007-02-25 14:02:57 4369408 --a------ C:\WINDOWS\system32\logonuiX.exe 2007-02-24 17:46:37 0 d-------- C:\Documents and Settings\Jurkiewicz\Dane aplikacji\TuneUp Software 
2007-02-24 12:51:05 0 d-------- C:\Documents and Settings\Jurkiewicz\Dane aplikacji\Styler 2007-02-24 12:47:33 0 d-------- C:\Documents and Settings\Jurkiewicz\Dane aplikacji\Stardock 2007-02-23 16:19:20 0 d-------- C:\Program Files\DAEMON Tools 2007-02-23 16:16:27 0 d-------- C:\Program Files\eMule 2007-02-23 16:15:27 0 d-------- C:\Program Files\Opera 2007-02-23 16:10:20 0 d-------- C:\Program Files\Azureus 2007-02-23 14:56:28 0 d-------- C:\Program Files\Windows NT 2007-02-20 16:20:31 0 d-------- C:\Program Files\Neostrada TP 2007-02-19 12:55:10 0 d-------- C:\Program Files\Konnekt 2007-02-18 19:58:50 0 d-------- C:\Documents and Settings\Jurkiewicz\Dane aplikacji\vlc 2007-02-17 13:38:29 0 d-------- C:\Documents and Settings\Jurkiewicz\Dane aplikacji\Winamp 2007-02-17 13:38:19 0 d-------- C:\Program Files\Winamp 2007-02-17 13:38:04 0 d-------- C:\Documents and Settings\Jurkiewicz\Dane aplikacji\Winampp 2007-02-11 15:29:10 0 d-------- C:\Documents and Settings\Jurkiewicz\Dane aplikacji\GetRightToGo 2007-02-01 19:02:44 0 d-------- C:\Program Files\Common Files\InstallShield 2007-01-28 14:12:36 0 d—s---- C:\Documents and Settings\Jurkiewicz\Dane aplikacji\Microsoft 2007-01-22 12:00:36 719088 --a------ C:\WINDOWS\system32\SkanerOnline.dll 2007-01-19 09:40:42 89088 --a------ C:\WINDOWS\system32\SkanerOnlineUninstall.exe 2007-01-16 17:14:19 0 d-------- C:\Program Files\Deluxe Ski Jump 3 2007-01-10 14:18:52 0 d–h----- C:\Program Files\InstallShield Installation Information 2007-01-05 11:42:37 0 d-------- C:\Program Files\RndLabs 2006-12-29 11:56:30 0 d-------- C:\Documents and Settings\Jurkiewicz\Dane aplikacji\Opera 2006-12-11 01:15:56 498176 --a------ C:\WINDOWS\system32\logon.scr – Registry Dump ---------------------------------------------------------------- [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run] “AutoConnect”=“C:\Program Files\AutoConnect\AutoConnect.exe” “LClock”=“C:\Program Files\LClock\lclock.exe” 
“ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe” [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run] “KernelFaultCheck”=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\ 65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00 “HideBUS”=“C:\Download\hidebus\HideBUS.exe” “Vistadrv”=“C:\Download\Vista\Vista_Drive_Status\Vista Drive Status\vsdrv.exe” [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL] “Installed”=“1” [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI] “Installed”=“1” “NoChange”=“1” [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS] “Installed”=“1” [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] “appinit_dlls”=“wbsys.dll” [HKEY_USERS.default\software\microsoft\windows\currentversion\run] “CTFMON.EXE”=“C:\WINDOWS\system32\CTFMON.EXE” [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run] “CTFMON.EXE”=“C:\WINDOWS\system32\CTFMON.EXE” [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer] “NoRemoteRecursiveEvents”=dword:00000001 [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] “ForceClassicControlPanel”=dword:00000001 “NoSaveSettings”=dword:00000000 “NoSMConfigurePrograms”=dword:00000001 “NoRecentDocsMenu”=dword:00000001 “NoLowDiskSpaceChecks”=dword:00000001 “NoSharedDocuments”=dword:00000001 HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders] “SecurityProviders”=“msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll” SafeBoot registry key needs to be repaired. This machine cannot enter Safe Mode. 
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost] HTTPFilter REG_MULTI_SZ HTTPFilter\0\0 LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0 NetworkService REG_MULTI_SZ DnsCache\0\0 DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0 rpcss REG_MULTI_SZ RpcSs\0\0 imgsvc REG_MULTI_SZ StiSvc\0\0 termsvcs REG_MULTI_SZ TermService\0\0 *newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_CISVC *newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_MESSENGER *newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_UPNPHOST – End of ComboScan: finished at 2007-02-27 at 16:56:32 -------------------------
I tried twice and it was interrupted both times.