Drow
(Drow 89)
25 Październik 2006 19:47
#1
Mam taki problem uzywam Kasperskiego 6.0 po kazdym restarcie komputera i połonczenie sie z internetem (neo) Wyskakuje mi :
Koń trojański:
Backdoor.Win32.Rbot.aeu
Plik:
C:\WINDOWS\system32\salvage.exe
Usuwam go i podkład pusty plik Txt(zmieniam na slavage.exe) ale to dalej nie pomaga.
Nawet po formacie c: po formacie dalej mam ten sam problem, czyli jest prawtopodobienstwo ze wirus z innej partycji jakos to przekierowuje, ale kasperski nic nie znalazł ;/ Nie mam zamiaru formatowac wszytkich dysków wiec zwaracam sie o pomoc:
Logi
Logfile of HijackThis v1.99.1 Scan saved at 21:48:14, on 2006-10-25 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe C:\Program Files\cFosSpeed\spd.exe C:\WINDOWS\System32\nvsvc32.exe C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe C:\Program Files\cFosSpeed\cFosSpeed.exe C:\WINDOWS\htpatch.exe C:\WINDOWS\System32\RunDll32.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\WINDOWS\System32\RUNDLL32.EXE C:\Program Files\TuneUp Utilities 2006\MemOptimizer.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe C:\Program Files\Opera\Opera.exe C:\Documents and Settings\Drow\Pulpit\hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM…\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC O4 - HKLM…\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName O4 - HKLM…\Run: [kis] “C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe” O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM…\Run: [nwiz] nwiz.exe /install O4 - HKLM…\Run: [cFosSpeed] C:\Program Files\cFosSpeed\cFosSpeed.exe O4 - HKLM…\Run: [HTpatch] C:\WINDOWS\htpatch.exe O4 - HKLM…\Run: [siSUSBRG] C:\WINDOWS\SiSUSBrg.exe O4 - HKLM…\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd O4 - HKLM…\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot O4 - HKLM…\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKCU…\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit O4 - HKCU…\Run: [TuneUp MemOptimizer] “C:\Program Files\TuneUp Utilities 2006\MemOptimizer.exe” autostart O4 - HKCU…\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe O4 - Startup: Reboot.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe O8 - Extra context menu item: Dodaj do Kaspersky Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\ie_banner_deny.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll O9 - Extra button: Ochrona WWW - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll O17 - HKLM\System\CCS\Services\Tcpip…{2D731156-CDF0-4C74-9148-4E4A4AD74575}: NameServer = 194.204.152.34 217.98.63.164 O17 - HKLM\System\CS1\Services\Tcpip…{2D731156-CDF0-4C74-9148-4E4A4AD74575}: NameServer = 194.204.152.34 217.98.63.164 O17 - HKLM\System\CS2\Services\Tcpip…{2D731156-CDF0-4C74-9148-4E4A4AD74575}: NameServer = 194.204.152.34 217.98.63.164 O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll O20 - Winlogon Notify: klogon - C:\WINDOWS\System32\klogon.dll O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe O23 - Service: cFosSpeed System Service (cFosSpeedS) - Unknown owner - C:\Program Files\cFosSpeed\spd.exe" -service (file missing) O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
Bieniol
(Bbieniol)
25 Październik 2006 20:05
#2
Użyj Windows Worms Doors Cleanera zmień znaczki z disable na enable (jeżeli jakieś znaczki są żółte, to niech takie zostaną). Po użyciu tego narzędzia wymagany jest reset sysa.
Log jest czysty, ale co do tego wpisu:
To są dwie możliwości:
Ale prawdopodobnie do usunięcia
Zrób skan EWIDO po update
Przeskanuj komputer programami Ad-aware SE Personal 1.06 oraz Spybot Search & Destroy 1.4
Wrzuć jeszcze log z Silent Runners
Drow
(Drow 89)
25 Październik 2006 20:57
#3
Użyłem Windows Worms Doors Cleanera i pozamykałem wszytkie porty i Wszytko jest ok, Wielkie dzieki za pomoc.
Czyli poprostu wbijał mi sie przez otwarte porty neo.
Ale na wszelki wypadek jeszcze skanuje Ewido(Ad-aware SE Personal 1.06 skanowałem wczesniej[oczywiscie zawsze cos sie znalazło]) i wywaliłem Reboot.exe z autostartu.
A to Log:
“Silent Runners.vbs”, revision 49, http://www.silentrunners.org/ Operating System: Windows XP Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “NvMediaCenter” = “RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit” [MS] “TuneUp MemOptimizer” = ““C:\Program Files\TuneUp Utilities 2006\MemOptimizer.exe” autostart” [“TuneUp Software GmbH”] “ctfmon.exe” = “C:\WINDOWS\System32\ctfmon.exe” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “PHIME2002ASync” = “C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC” [MS] “PHIME2002A” = “C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName” [MS] “kis” = ““C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe”” [“Kaspersky Lab”] “(Default)” = “(empty string)” [file not found] “NvCplDaemon” = “RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup” [MS] “nwiz” = “nwiz.exe /install” [“NVIDIA Corporation”] “cFosSpeed” = “C:\Program Files\cFosSpeed\cFosSpeed.exe” [“cFos Software GmbH”] “HTpatch” = “C:\WINDOWS\htpatch.exe” [null data] “SiSUSBRG” = “C:\WINDOWS\SiSUSBrg.exe” [“Silicon Integrated Systems Corp.”] “Cmaudio” = “RunDll32 cmicnfg.cpl,CMICtrlWnd” [MS] “TkBellExe” = ““C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot” [“RealNetworks, Inc.”] “SunJavaUpdateSched” = “C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe” [“Sun Microsystems, Inc.”] “MSConfig” = “C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “AcroIEHlprObj Class” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided) -> {HKLM…CLSID} = “SSVHelper Class” \InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll” [“Sun Microsystems, Inc.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”] “{85E0B171-04FA-11D1-B7DA-00A0C90348D6}” = “Ochrona WWW” -> {HKLM…CLSID} = “Ochrona WWW” \InProcServer32(Default) = “C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll” [“Kaspersky Lab”] “{1CDB2949-8F65-4355-8456-263E7C208A5D}” = “Eksplorator pulpitów” -> {HKLM…CLSID} = “Eksplorator pulpitów” \InProcServer32(Default) = “C:\WINDOWS\System32\nvshell.dll” [“NVIDIA Corporation”] “{1E9B04FB-F9E5-4718-997B-B8DA88302A47}” = “Desktop Explorer Menu” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\System32\nvshell.dll” [“NVIDIA Corporation”] “{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}” = “TuneUp Shredder Shell Context Menu Extension” -> {HKLM…CLSID} = “TuneUp Shredder Shell Context Menu Extension” \InProcServer32(Default) = ““C:\Program Files\TuneUp Utilities 2006\sdshelex.dll”” [“TuneUp Software GmbH”] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] “{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}” = “OpenOffice.org Column Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = ““C:\Program Files\OpenOffice.org 2.0.2\program\shlxthdl.dll”” [“Sun Microsystems, Inc.”] “{087B3AE3-E237-4467-B8DB-5A38AB959AC9}” = “OpenOffice.org Infotip Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = ““C:\Program Files\OpenOffice.org 2.0.2\program\shlxthdl.dll”” [“Sun Microsystems, Inc.”] “{63542C48-9552-494A-84F7-73AA6A7C99C1}” = “OpenOffice.org Property Sheet Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = ““C:\Program Files\OpenOffice.org 2.0.2\program\shlxthdl.dll”” [“Sun Microsystems, Inc.”] “{3B092F0C-7696-40E3-A80F-68D74DA84210}” = “OpenOffice.org Thumbnail Viewer” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = ““C:\Program Files\OpenOffice.org 2.0.2\program\shlxthdl.dll”” [“Sun Microsystems, Inc.”] “{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}” = “Shell Extensions for RealOne Player” -> {HKLM…CLSID} = “RealOne Player Context Menu Class” \InProcServer32(Default) = “C:\Program Files\Real\RealPlayer\rpshell.dll” [“RealNetworks, Inc.”] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\ <> “AppInit_DLLs” = “C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll” [“Kaspersky Lab”] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <> klogon\DLLName = “C:\WINDOWS\System32\klogon.dll” [“Kaspersky Lab”] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}(Default) = “OpenOffice.org Column Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = ““C:\Program Files\OpenOffice.org 2.0.2\program\shlxthdl.dll”” [“Sun Microsystems, Inc.”] {F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info” -> {HKLM…CLSID} = “PDF Shell Extension” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ Kaspersky Anti-Virus(Default) = “{dd230880-495a-11d1-b064-008048ec2fc5}” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\shellex.dll” [“Kaspersky Lab”] TuneUp Shredder(Default) = “{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}” -> {HKLM…CLSID} = “TuneUp Shredder Shell Context Menu Extension” \InProcServer32(Default) = ““C:\Program Files\TuneUp Utilities 2006\sdshelex.dll”” [“TuneUp Software GmbH”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ TuneUp Shredder(Default) = “{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}” -> {HKLM…CLSID} = “TuneUp Shredder Shell Context Menu Extension” \InProcServer32(Default) = ““C:\Program Files\TuneUp Utilities 2006\sdshelex.dll”” [“TuneUp Software GmbH”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ Kaspersky Anti-Virus(Default) = “{dd230880-495a-11d1-b064-008048ec2fc5}” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\shellex.dll” [“Kaspersky Lab”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\WINDOWS\web\wallpaper\Idylla.bmp” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\Documents and Settings\Drow\Dane aplikacji\Opera\Opera\profile\skin\Titanium Biohazard Login.bmp” Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ “SCRNSAVE.EXE” = “C:\WINDOWS\System32\logon.scr” [MS] Startup items in “Drow” & “All Users” startup folders: ------------------------------------------------------ C:\Documents and Settings\All Users\Menu Start\Programy\Autostart “Adobe Reader Speed Launch” -> shortcut to: “C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe” [“Adobe Systems Incorporated”] “DSLMON” -> shortcut to: “C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe” [empty string] Enabled Scheduled Tasks: ------------------------ “1-Click Maintenance” -> launches: “C:\Program Files\TuneUp Utilities 2006\SystemOptimizer.exe /schedulestart” [“TuneUp Software GmbH”] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Explorer Bars HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\ HKLM\Software\Classes\CLSID{85E0B171-04FA-11D1-B7DA-00A0C90348D6}(Default) = “Ochrona WWW” Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32(Default) = “C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll” [“Kaspersky Lab”] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ “MenuText” = “Sun Java Console” “CLSIDExtension” = “{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}” -> {HKLM…CLSID} = “Java Plug-in 1.5.0_06” \InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll” [“Sun Microsystems, Inc.”] {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E}\ “ButtonText” = “Ochrona WWW” Miscellaneous IE Hijack Points ------------------------------ HKLM\Software\Microsoft\Internet Explorer\AboutURLs\ <> “TuneUp” = “file://C|/Documents and Settings/All Users/Dane aplikacji/TuneUp Software/Common/base.css” [file not found] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ cFosSpeed System Service, cFosSpeedS, ““C:\Program Files\cFosSpeed\spd.exe” -service” [“cFos Software GmbH”] Kaspersky Internet Security 6.0, AVP, “C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe -r” [“Kaspersky Lab”] NVIDIA Driver Helper Service, NVSvc, “C:\WINDOWS\System32\nvsvc32.exe” [“NVIDIA Corporation”] TuneUp WinStyler Theme Service, TUWinStylerThemeSvc, “C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe” [“TuneUp Software GmbH”] ---------- <>: Suspicious data at a malware launch point. <>: Suspicious data at a browser hijack point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 29 seconds. ---------- (total run time: 109 seconds)
Drow
(Drow 89)
25 Październik 2006 21:06
#5
Ok.
Dzisiaj tylko wieksze skanowanie. Xp repair pro, kasperski, AVG, Ad-aware.
Jeszcze raz wielkie dzieki 8)
Edit:
Ocho widze jak to robił
wykryto: riskware RootShell Uruchomiony proces: C:\WINDOWS\System32\svchost.exe
Oczywiscie Przerwałem proces, moze jakies porady zeby uniknac tego w przyszłosci ? :>