Spowolniona neostrada i komputer

Khali · 17 Listopad 2007 09:54

Witam, od pewnego czasu mam strasznie wysokie pingi w grach (w lineage nawet 1700ms ), strony otwierają mi się dużo wolniej. Co jakiś czas avast wyświetla komunikat o trojanach w

C:\windows\system32\drivers\runtime.sys

oraz

C:\windows\system32\drivers\secdriver.sys

Log z HJT:

Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 10:42:25, on 2007-11-17 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe E:\Program Files\Alwil Software\Avast4\ashServ.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\Explorer.EXE E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\WINDOWS\System32\Rundll32.exe C:\WINDOWS\TBPanel.exe C:\WINDOWS\System32\RUNDLL32.EXE C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe C:\WINDOWS\System32\svchoct5.exe C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe C:\WINDOWS\System32\nvsvc86.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\dllcache\mravsc32.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\WINDOWS\system\msnrav.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\System32\Tablet.exe C:\WINDOWS\System32\WTablet\TabUserW.exe C:\WINDOWS\System32\Tablet.exe C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe E:\Program Files\Konnekt\konnekt.exe E:\Program Files\foobar2000\foobar2000.exe E:\Program Files\Last.fm\LastFM.exe E:\Program Files\Last.fm\LastFMHelper.exe E:\Program Files\Opera\Opera.exe E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe E:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotinfolink.com R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM…\Run: [avast!] E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM…\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe O4 - HKLM…\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r O4 - HKLM…\Run: [P17Helper] Rundll32 P17.dll,P17Helper O4 - HKLM…\Run: [updReg] C:\WINDOWS\UpdReg.EXE O4 - HKLM…\Run: [Gainward] C:\WINDOWS\TBPanel.exe /A O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM…\Run: [nwiz] nwiz.exe /install O4 - HKLM…\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit O4 - HKLM…\Run: [speedTouch USB Diagnostics] “C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” /icon O4 - HKLM…\Run: [Network Security XP] C:\WINDOWS\System32\nvsvc86.exe O4 - HKLM…\Run: [startdrv] C:\WINDOWS\Temp\startdrv.exe O4 - HKLM…\Run: [Winupdates] svchoct5.exe O4 - HKLM…\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM…\Run: [Winds Sersc Agts] gybtnjnkx.exe O4 - HKLM…\RunServices: [Winds Sersc Agts] gybtnjnkx.exe O4 - HKCU…\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background O4 - HKCU…\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] “C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe” O4 - HKCU…\Run: [Network Security XP] C:\WINDOWS\System32\nvsvc86.exe O4 - HKCU…\RunOnce: [DefaultP17MIDI] MIDIDEF.EXE O4 - HKCU…\RunOnce: [DefaultP17] P17Def.Exe O4 - HKCU…\RunOnce: [inetReg] “C:\Program Files\Creative\Product Registration\English\InetReg.exe” /PreProcess=RegFlash.exe /Delay=6 O4 - HKCU…\RunOnce: [CTAutoUpdate] “C:\Program Files\Creative\Shared Files\Software Update\AutoUpdate.exe” /RunFromInstaller O4 - HKUS\S-1-5-19…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘?’) O4 - HKUS\S-1-5-20…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘?’) O4 - HKUS\S-1-5-21-1275210071-1957994488-725345543-1003…\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background (User ‘?’) O4 - HKUS\S-1-5-21-1275210071-1957994488-725345543-1003…\RunOnce: [DefaultP17MIDI] MIDIDEF.EXE (User ‘?’) O4 - HKUS\S-1-5-18…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘?’) O4 - HKUS.DEFAULT…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘Default user’) O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O17 - HKLM\System\CCS\Services\Tcpip…{1BA0CB0B-5B67-454E-B748-235880D5B322}: NameServer = 194.204.159.1 217.98.63.164 O17 - HKLM\System\CS1\Services\Tcpip…{1BA0CB0B-5B67-454E-B748-235880D5B322}: NameServer = 194.204.159.1 217.98.63.164 O20 - Winlogon Notify: ivn4reg - C:\Documents and Settings\All Users\Dokumenty\Settings\ivn4.dll O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe O23 - Service: avast! Web Scanner - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashWebSv.exe O23 - Service: Distributed Allocated Memory Unit - Unknown owner - C:\WINDOWS\system32\dllcache\mravsc32.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: MSN RAV - Unknown owner - C:\WINDOWS\system\msnrav.exe O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe – End of file - 6235 bytes

EDIT: Ehhhh przepraszam 2 tematy Prosze o usunięcie jednego - neostrada…

arekmalek · 17 Listopad 2007 11:08

Najpierw automat:

Użyj SDFix w trybie awaryjnym i daj raport.

Złączono Posta : 17.11.2007 (Sob) 12:10

Potem fix

PS: Jeśli w logu miałbyś nadal wpis

to pokaż nowy log z hijacka

Khali · 17 Listopad 2007 12:40

SDFix:

SDFix: Version 1.114 Run by Kuba on 2007-11-17 at 13:29 Microsoft Windows XP [Wersja 5.1.2600] Running From: C:\SDFix Safe Mode: Checking Services: Restoring Windows Registry Values Restoring Windows Default Hosts File Rebooting… Service asc3550o - Deleted after Reboot Normal Mode: Checking Files: No Trojan Files Found Removing Temp Files… ADS Check: C:\WINDOWS No streams found. C:\WINDOWS\system32 No streams found. C:\WINDOWS\system32\svchost.exe No streams found. C:\WINDOWS\system32\ntoskrnl.exe No streams found. Final Check: catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-11-17 13:31:48 Windows 5.1.2600 FAT NTAPI scanning hidden processes … scanning hidden services … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 Remaining Services: ------------------ Authorized Application Key Export: [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list] “c:\windows\system32\svchoct5.exe”=“c:\windows\system32\svchoct5.exe:*:Enabled:svchoct5” Remaining Files: --------------- Files with Hidden Attributes: Thu 15 Nov 2007 34,816 A…H. — “C:\WINDOWS\system32\krah.exe” Fri 26 Oct 2001 559,104 …SHR — “C:\WINDOWS\system32\gybtnjnkx.exe” Thu 15 Nov 2007 13,069 …SH. — “C:\Documents and Settings\All Users\Dokumenty\Settings\ivn4.dll” Finished!

HJT:

Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 13:38:55, on 2007-11-17 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe E:\Program Files\Alwil Software\Avast4\ashServ.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\System32\Tablet.exe C:\WINDOWS\System32\Tablet.exe C:\WINDOWS\system32\notepad.exe E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe C:\WINDOWS\System32\Rundll32.exe C:\WINDOWS\TBPanel.exe C:\WINDOWS\System32\RUNDLL32.EXE C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe E:\Program Files\Opera\Opera.exe C:\WINDOWS\system32\cmd.exe C:\WINDOWS\system32\tftp.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\Program Files\Trend Micro\HijackThis\HijackThis.exe C:\WINDOWS\System32\upds.exe C:\WINDOWS\system32\tftp.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotinfolink.com R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM…\Run: [avast!] E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM…\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe O4 - HKLM…\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r O4 - HKLM…\Run: [P17Helper] Rundll32 P17.dll,P17Helper O4 - HKLM…\Run: [updReg] C:\WINDOWS\UpdReg.EXE O4 - HKLM…\Run: [Gainward] C:\WINDOWS\TBPanel.exe /A O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM…\Run: [nwiz] nwiz.exe /install O4 - HKLM…\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit O4 - HKLM…\Run: [speedTouch USB Diagnostics] “C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” /icon O4 - HKLM…\Run: [Windows System Update Tools] upds.exe O4 - HKLM…\RunServices: [Windows System Update Tools] upds.exe O4 - HKCU…\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background O4 - HKCU…\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] “C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe” O4 - HKCU…\Run: [setDefaultMIDI] MIDIDef.exe O4 - HKUS\S-1-5-19…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘?’) O4 - HKUS\S-1-5-20…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘?’) O4 - HKUS\S-1-5-21-1275210071-1957994488-725345543-1003…\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background (User ‘?’) O4 - HKUS\S-1-5-18…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘?’) O4 - HKUS.DEFAULT…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘Default user’) O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O17 - HKLM\System\CCS\Services\Tcpip…{1BA0CB0B-5B67-454E-B748-235880D5B322}: NameServer = 194.204.159.1 217.98.63.164 O17 - HKLM\System\CS1\Services\Tcpip…{1BA0CB0B-5B67-454E-B748-235880D5B322}: NameServer = 194.204.159.1 217.98.63.164 O20 - Winlogon Notify: ivn4reg - C:\Documents and Settings\All Users\Dokumenty\Settings\ivn4.dll O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe O23 - Service: avast! Web Scanner - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashWebSv.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe – End of file - 4900 bytes

Gutek · 17 Listopad 2007 17:00

wpisy usuń HJT

Pobierz The Avenger. Wypakuj => uruchom => zaznacz opcję Input script manually => kliknij w taką lupkę => w okienku, które się otworzy wklej:

kliknij klawisz Done => teraz kliknij na zielone światełko => powinna pojawić się pewna informacja i kliknij OK (teraz restart).

Po tym daj log z ComboFix

Khali · 18 Listopad 2007 11:58

ComboFix po uruchomieniu wyświetla mi komunikat, że jest już 18 listopada, prosze o ściągnięciu nowej wersji, a później sam się usuwał dlatego nie wiem czy dobrze zrobiłem, ale zmieniłem date w windowsie na 1 listopada

Log ComboFix:

ComboFix 07-11-08.1 - Kuba 2007-11-01 12:51:06.1 - FAT32x86 Microsoft Windows XP Professional 5.1.2600.0.1250.1.1045.18.762 [GMT 1:00] Running from: D:\ComboFix.exe * Created a new restore point . Unable to gain System Privileges ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\d.exe C:\WINDOWS\bck1.dat C:\WINDOWS\system32\1_exception.nls C:\WINDOWS\system32\drivers\Hkgw63.sys C:\WINDOWS\system32\drivers\Mpww79.sys C:\WINDOWS\system32\drivers\runtime2.sys C:\WINDOWS\system32\drivers\symavc32.sys C:\WINDOWS\system32\ntos.exe C:\WINDOWS\system32\wsnpoem\audio.dll C:\WINDOWS\system32\wsnpoem\video.dll C:\WINDOWS\system32\xpdx.sys C:\WINDOWS\system32\wsnpoem . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\LEGACY_ASC3550O -------\LEGACY_MPWW79 -------\LEGACY_RUNTIME -------\LEGACY_RUNTIME2 -------\xpdx -------\xpdx ((((((((((((((((((((((((( Files Created from 2007-10-08 to 2007-11-08 ))))))))))))))))))))))))))))))) . 2007-11-18 12:46 51,200 --a------ C:\WINDOWS\NirCmd.exe 2007-11-17 19:02 58,368 --a------ C:\ljraohse.exe 2007-11-17 14:00 403,456 --a------ C:\WINDOWS\system32\m2n1.exe 2007-11-17 13:52 403,456 -r-hs---- C:\WINDOWS\system32\dllcache\mravsc32.exe 2007-11-17 13:03 2007-11-17 10:41 2007-11-17 01:35 2007-11-17 01:22 2007-11-17 01:14 2007-11-16 21:37 7,296 --a------ C:\WINDOWS\system32\drivers\changer.sys 2007-11-16 21:37 7,296 --a------ C:\WINDOWS\system32\dllcache\changer.sys 2007-11-16 16:36 2007-11-16 15:55 53,248 --a------ C:\WINDOWS\system32\svchoct5.exe 2007-11-15 20:18 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys 2007-11-15 17:16 2007-11-15 17:15 2007-11-15 17:13 2007-11-15 17:03 2007-11-15 17:03 70,688 --a------ C:\WINDOWS\system32\drivers\alcaudsl.sys 2007-11-15 17:03 53,600 --a------ C:\WINDOWS\system32\drivers\alcan5wn.sys 2007-11-15 17:03 5,606 --a------ C:\WINDOWS\system32\stci.dll 2007-11-15 17:03 5,280 --a------ C:\WINDOWS\system32\drivers\alcawh.sys 2007-11-15 17:03 3,968 --a------ C:\WINDOWS\system32\drivers\alcacr.sys 2007-11-15 17:01 2007-11-15 17:00 2007-11-08 12:51 . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-11-15 15:59 --------- d-----w C:\Program Files\Common Files\Adobe 2007-11-15 15:50 --------- d–h--w C:\Program Files\InstallShield Installation Information 2007-11-15 15:50 --------- d-----w C:\Program Files\Creative 2007-11-15 15:50 --------- d-----w C:\Program Files\Common Files\InstallShield 2007-11-15 15:49 --------- d-----w C:\Program Files\Common Files\LightScribe 2007-11-15 15:48 --------- d-----w C:\Documents and Settings\Kuba\Dane aplikacji\Ahead 2007-11-15 15:46 --------- d-----w C:\Program Files\Nero 2007-11-15 15:46 --------- d-----w C:\Program Files\Common Files\Ahead 2007-11-15 15:46 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Nero 2007-11-15 15:42 --------- d-----w C:\Documents and Settings\Kuba\Dane aplikacji\WTablet 2007-11-15 15:34 --------- d-----w C:\Program Files\microsoft frontpage 2007-11-15 15:32 --------- d-----w C:\Program Files\Usługi online 2007-10-25 17:05 94,416 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys 2007-10-25 17:05 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys 2007-10-25 17:03 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys 2007-10-25 17:01 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys 2007-10-25 16:58 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys 2007-10-25 16:24 815,480 ----a-w C:\WINDOWS\system32\aswBoot.exe 2007-10-25 16:14 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE~\Browser Helper Objects{0edc4195-77f9-4fec-8893-4499c7f985b5}] C:\WINDOWS\system32\kbdtui.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “avast!”=“E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [2007-10-25 17:20] “NeroFilterCheck”=“C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe” [2006-01-12 15:40] “CTSysVol”=“C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe” [2005-10-31 10:51] “P17Helper”=“P17.dll” [2005-05-03 12:38 C:\WINDOWS\system32\P17.dll] “UpdReg”=“C:\WINDOWS\UpdReg.EXE” [2000-05-11 01:00] “Gainward”=“C:\WINDOWS\TBPanel.exe” [] “NvCplDaemon”=“C:\WINDOWS\System32\NvCpl.dll” [2007-05-10 23:03] “nwiz”=“nwiz.exe” [2007-05-10 23:03 C:\WINDOWS\system32\nwiz.exe] “NvMediaCenter”=“C:\WINDOWS\System32\NvMcTray.dll” [2007-05-10 23:03] “SpeedTouch USB Diagnostics”=“C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” [2004-01-26 11:38] “Client Server Runtime Process”=“C:\WINDOWS\System32\csrs.exe” [] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “MSMSGS”=“C:\Program Files\Messenger\msmsgs.exe” [2001-08-02 07:14] “BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}”=“C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe” [2006-12-23 18:05] [HKEY_USERS.default\software\microsoft\windows\currentversion\run] “Network Security XP”=C:\WINDOWS\System32\nvsvc86.exe “Winds Sersc Agts”=gybtnjnkx.exe R2 Distributed Allocated Memory Unit;Distributed Allocated Memory Unit;“C:\WINDOWS\system32\dllcache\mravsc32.exe” S3 AmdLLD;AMD Low Level Device Driver;C:\WINDOWS\System32\DRIVERS\AmdLLD.sys . ************************************************************************** catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-11-08 12:54:13 Windows 5.1.2600 FAT NTAPI scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2007-11-08 12:54:24 - machine was rebooted . — E O F —

Gutek · 18 Listopad 2007 20:48

Wklej do Notatnika:

>>Plik>>Zapisz jako… >>> CFScript (najwygodniej będzie, jeśli zapiszesz w takiej lokalizacji, by ikonka CFScript.txt znalazła się obok ikonki ComboFix.exe )

Przeciągnij i upuść plik CFScript.txt na plik ComboFix.exe (czyli ikonkę CFScript.txt na ikonkę ComboFix.exe )

– podobnie jak na tym obrazku –>

(jeśli pojawi się pytanie " 1 or 2" - to wpisz 1 i naciśnij ENTER) Ma się rozpocząć usuwanie. (i powstanie log)

Po restarcie usuń ręcznie folder C: ** Qoobox**.

Po tym nowy log z Combo

Khali · 18 Listopad 2007 22:20

ComboFix 07-11-08.1 - Kuba 2007-11-08 23:12:23.4 - FAT32x86 Microsoft Windows XP Professional 5.1.2600.0.1250.1.1045.18.746 [GMT 1:00] Running from: D:\ComboFix.exe . Unable to gain System Privileges ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\WINDOWS\bck1.dat C:\WINDOWS\system32\drivers\Pfi30.sys C:\WINDOWS\system32\drivers\symavc32.sys C:\WINDOWS\system32\xpdx.sys . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\LEGACY_ASC3550O -------\LEGACY_PFI30 -------\xpdx ((((((((((((((((((((((((( Files Created from 2007-10-08 to 2007-11-08 ))))))))))))))))))))))))))))))) . 2007-11-18 14:28 2007-11-18 13:08 402,432 -r-hs---- C:\WINDOWS\system\msnrav.exe 2007-11-18 13:03 168,448 -ra------ C:\WINDOWS\system32\scrcons32.exe 2007-11-18 12:46 51,200 --a------ C:\WINDOWS\NirCmd.exe 2007-11-17 13:03 2007-11-17 10:41 2007-11-17 01:35 2007-11-17 01:22 2007-11-17 01:14 2007-11-16 21:37 7,296 --a------ C:\WINDOWS\system32\drivers\changer.sys 2007-11-16 21:37 7,296 --a------ C:\WINDOWS\system32\dllcache\changer.sys 2007-11-16 16:36 2007-11-15 20:18 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys 2007-11-15 17:16 2007-11-15 17:15 2007-11-15 17:13 2007-11-15 17:03 2007-11-15 17:03 70,688 --a------ C:\WINDOWS\system32\drivers\alcaudsl.sys 2007-11-15 17:03 53,600 --a------ C:\WINDOWS\system32\drivers\alcan5wn.sys 2007-11-15 17:03 5,606 --a------ C:\WINDOWS\system32\stci.dll 2007-11-15 17:03 5,280 --a------ C:\WINDOWS\system32\drivers\alcawh.sys 2007-11-15 17:03 3,968 --a------ C:\WINDOWS\system32\drivers\alcacr.sys 2007-11-15 17:01 2007-11-15 17:00 2007-11-08 23:12 58,368 --a------ C:\ljraohse.exe 2007-11-08 23:12 705 --a------ C:\d.exe 2007-11-08 12:51 . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-11-15 15:59 --------- d-----w C:\Program Files\Common Files\Adobe 2007-11-15 15:50 --------- d–h--w C:\Program Files\InstallShield Installation Information 2007-11-15 15:50 --------- d-----w C:\Program Files\Creative 2007-11-15 15:50 --------- d-----w C:\Program Files\Common Files\InstallShield 2007-11-15 15:49 --------- d-----w C:\Program Files\Common Files\LightScribe 2007-11-15 15:48 --------- d-----w C:\Documents and Settings\Kuba\Dane aplikacji\Ahead 2007-11-15 15:46 --------- d-----w C:\Program Files\Nero 2007-11-15 15:46 --------- d-----w C:\Program Files\Common Files\Ahead 2007-11-15 15:46 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Nero 2007-11-15 15:42 --------- d-----w C:\Documents and Settings\Kuba\Dane aplikacji\WTablet 2007-11-15 15:34 --------- d-----w C:\Program Files\microsoft frontpage 2007-11-15 15:32 --------- d-----w C:\Program Files\Usługi online 2007-10-25 17:05 94,416 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys 2007-10-25 17:05 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys 2007-10-25 17:03 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys 2007-10-25 17:01 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys 2007-10-25 16:58 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys 2007-10-25 16:24 815,480 ----a-w C:\WINDOWS\system32\aswBoot.exe 2007-10-25 16:14 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr . ((((((((((((((((((((((((((((( snapshot@2007-11-08_23.11.43,46 ))))))))))))))))))))))))))))))))))))))))) . + 2007-11-08 22:15:04 16,384 ----a-w C:\WINDOWS\Temp\Perflib_Perfdata_38c.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “avast!”=“E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [2007-10-25 17:20] “NeroFilterCheck”=“C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe” [2006-01-12 15:40] “CTSysVol”=“C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe” [2005-10-31 10:51] “P17Helper”=“P17.dll” [2005-05-03 12:38 C:\WINDOWS\system32\P17.dll] “UpdReg”=“C:\WINDOWS\UpdReg.EXE” [2000-05-11 01:00] “Gainward”=“C:\WINDOWS\TBPanel.exe” [] “NvCplDaemon”=“C:\WINDOWS\System32\NvCpl.dll” [2007-05-10 23:03] “nwiz”=“nwiz.exe” [2007-05-10 23:03 C:\WINDOWS\system32\nwiz.exe] “NvMediaCenter”=“C:\WINDOWS\System32\NvMcTray.dll” [2007-05-10 23:03] “SpeedTouch USB Diagnostics”=“C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” [2004-01-26 11:38] “WMI Standard Event Consumer - Scripting”=“C:\WINDOWS\System32\Wbem\scrcons32.exe” [] “Microsoft Anivirus Monitor Process”=“antiv.exe” [] “Windows System Update Tools”=“upds.exe” [] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “MSMSGS”=“C:\Program Files\Messenger\msmsgs.exe” [2001-08-02 07:14] “BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}”=“C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe” [2006-12-23 18:05] “WMI Standard Event Consumer - Scripting”=“C:\WINDOWS\System32\Wbem\scrcons32.exe” [] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runservices] “WMI Standard Event Consumer - Scripting”=C:\WINDOWS\System32\Wbem\scrcons32.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices] “WMI Standard Event Consumer - Scripting”=C:\WINDOWS\System32\Wbem\scrcons32.exe “Microsoft Anivirus Monitor Process”=antiv.exe “Windows System Update Tools”=upds.exe [HKEY_USERS.default\software\microsoft\windows\currentversion\runservices] “WMI Standard Event Consumer - Scripting”=C:\WINDOWS\System32\Wbem\scrcons32.exe [HKEY_USERS.default\software\microsoft\windows\currentversion\run] “WMI Standard Event Consumer - Scripting”=C:\WINDOWS\System32\Wbem\scrcons32.exe [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] “WMI Standard Event Consumer - Scripting”= C:\WINDOWS\System32\Wbem\scrcons32.exe R2 MSN RAV;MSN RAV;“C:\WINDOWS\system\msnrav.exe” S2 NET Service;NET Service;“C:\WINDOWS\trkwksvc.exe” S3 AmdLLD;AMD Low Level Device Driver;C:\WINDOWS\System32\DRIVERS\AmdLLD.sys . ************************************************************************** catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-11-08 23:15:09 Windows 5.1.2600 FAT NTAPI scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2007-11-08 23:15:21 - machine was rebooted C:\ComboFix3.txt … 2007-11-08 23:09 C:\ComboFix2.txt … 2007-11-08 23:11 . — E O F —

Tak jakby neo działało odrobinke szybciej… Teraz tylko avast pokazuje komunikat o wirusach w każdym pliku z system32/drivers pokolei Na dysku c: cały czas od nowa tworza sie pliki:

d.exe

ljraohse.exe

no i po każdym uruhomieniu komputera przestają działac sterowniki od kart dźwiękowej Kto pomoże wywalić ten cały syf odemnie dostanie nagrode-niespodzianke

Gutek · 18 Listopad 2007 23:51

Wklej do Notatnika:

File:: C:\WINDOWS\system\msnrav.exe C:\WINDOWS\system32\scrcons32.exe C:\WINDOWS\system32\kbdtui.dll C:\WINDOWS\System32\antiv.exe C:\WINDOWS\System32\upds.exe C:\WINDOWS\trkwksvc.exe Driver:: MSN RAV NET Service Registry:: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “WMI Standard Event Consumer - Scripting”=- “Microsoft Anivirus Monitor Process”=- “Windows System Update Tools”=- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “WMI Standard Event Consumer - Scripting”=- [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runservices] “WMI Standard Event Consumer - Scripting”=- [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices] “WMI Standard Event Consumer - Scripting”=- “Microsoft Anivirus Monitor Process”=- “Windows System Update Tools”=- [HKEY_USERS.default\software\microsoft\windows\currentversion\runservices] “WMI Standard Event Consumer - Scripting”=- [HKEY_USERS.default\software\microsoft\windows\currentversion\run] “WMI Standard Event Consumer - Scripting”=- [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] “WMI Standard Event Consumer - Scripting”=-

>>Plik>>Zapisz jako… >>> CFScript (najwygodniej będzie, jeśli zapiszesz w takiej lokalizacji, by ikonka CFScript.txt znalazła się obok ikonki ComboFix.exe )

Przeciągnij i upuść plik CFScript.txt na plik ComboFix.exe (czyli ikonkę CFScript.txt na ikonkę ComboFix.exe )

– podobnie jak na tym obrazku –>

(jeśli pojawi się pytanie " 1 or 2" - to wpisz 1 i naciśnij ENTER) Ma się rozpocząć usuwanie. (i powstanie log)

Po restarcie usuń ręcznie folder C: ** Qoobox**.

Po tym nowy log z Combo

Khali · 20 Listopad 2007 16:57

Wczoraj pojawił mi sie niebieski ekran i komp juz sie nie włączył, jedyne co mi zostało to format Dzisiaj po formacie zainstalowałem Kasperskyego zamiast avasta, ale przed instalacją na dysku C: (odrazu po formacie, nie zdazyłem jeszcze nic zainstalowac)pojawiły się pliki

d.exe 

ljraohse.exe

Włączyłem skanowanie Kasperskym, ponownie uruchomiłem komputer i pliki zikneły, neostrada tez działa normalnie. Jednak zastanawia mnie to, że pliki sie utworzyły ponownie tak szybko po formacie, log z HJT:

Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 17:56, on 2007-11-20 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe E:\Program Files\Kaspersky Lab\Kaspersky Internet Security 8.0\avp.exe C:\WINDOWS\system32\dllcache\mravsc32.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe E:\Program Files\Kaspersky Lab\Kaspersky Internet Security 8.0\avp.exe C:\WINDOWS\TBPanel.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe C:\WINDOWS\system32\Rundll32.exe E:\Program Files\Konnekt\konnekt.exe C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe E:\Program Files\Last.fm\LastFMHelper.exe E:\Program Files\Last.fm\LastFM.exe E:\Program Files\foobar2000\foobar2000.exe E:\Program Files\Opera\Opera.exe E:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O4 - HKLM…\Run: [speedTouch USB Diagnostics] “C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” /icon O4 - HKLM…\Run: [Microsft Security Monitor Process] mssmpp.exe O4 - HKLM…\Run: [Windows System Update Tools] upds.exe O4 - HKLM…\Run: [AVP] “E:\Program Files\Kaspersky Lab\Kaspersky Internet Security 8.0\avp.exe” O4 - HKLM…\Run: [Gainward] C:\WINDOWS\TBPanel.exe /A O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM…\Run: [nwiz] nwiz.exe /install O4 - HKLM…\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit O4 - HKLM…\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r O4 - HKLM…\Run: [P17Helper] Rundll32 P17.dll,P17Helper O4 - HKLM…\Run: [updReg] C:\WINDOWS\UpdReg.EXE O4 - HKLM…\RunServices: [Microsft Security Monitor Process] mssmpp.exe O4 - HKLM…\RunServices: [Windows System Update Tools] upds.exe O4 - HKCU…\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background O4 - HKUS\S-1-5-19…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘USŁUGA LOKALNA’) O4 - HKUS\S-1-5-20…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘USŁUGA SIECIOWA’) O4 - HKUS\S-1-5-18…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘SYSTEM’) O4 - HKUS.DEFAULT…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘Default user’) O9 - Extra button: (no name) - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - E:\Program Files\Kaspersky Lab\Kaspersky Internet Security 8.0\SCIEPlgn.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O17 - HKLM\System\CCS\Services\Tcpip…{1A0F64A4-9EBB-429D-8C15-BBE764C60923}: NameServer = 194.204.159.1 217.98.63.164 O17 - HKLM\System\CS1\Services\Tcpip…{1A0F64A4-9EBB-429D-8C15-BBE764C60923}: NameServer = 194.204.159.1 217.98.63.164 O17 - HKLM\System\CS2\Services\Tcpip…{1A0F64A4-9EBB-429D-8C15-BBE764C60923}: NameServer = 194.204.159.1 217.98.63.164 O20 - AppInit_DLLs: E:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll O20 - Winlogon Notify: crehcjid - C:\WINDOWS\SYSTEM32\crehcjid.dll O20 - Winlogon Notify: XŘŘ - XŘŘ (file missing) O20 - Winlogon Notify: đx - đx (file missing) O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - E:\Program Files\Kaspersky Lab\Kaspersky Internet Security 8.0\avp.exe O23 - Service: Distributed Allocated Memory Unit - Unknown owner - C:\WINDOWS\system32\dllcache\mravsc32.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\System32\nvsvc32.exe (file missing) – End of file - 4083 bytes

adam9870 · 20 Listopad 2007 17:18

Jako, że już wielokrotnie tworzyłeś plik CFScript.txt, pozwolę sobie od razu podać jego zawartość, by zbędnie nie powtarzać po raz kolejny tego samego.

No więc pobierz ComboFix, a następnie utwórz plik CFScript.txt o następującej zawartości:

…dalsze instrukcje już chyba znasz.

Usuń powyżej przedstawione wpisy korzystając z HijackThis.

Puść w ruch SDFix.

Poczytaj o prawidłowej instalacji systemów Windows 2000/XP/2003 - TU.

Po wykonaniu powyżej przedstawionych czynności wykonaj i wklej log z ComboFix.

Khali · 20 Listopad 2007 19:16

ComboFix 07-11-08.1 - Kuba 2007-11-08 20:00:56.2 - FAT32x86 Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.739 [GMT 1:00] Running from: D:\ComboFix.exe . ((((((((((((((((((((((((( Files Created from 2007-10-08 to 2007-11-08 ))))))))))))))))))))))))))))))) . 2007-11-20 19:19 2007-11-20 19:19 75,248 --a------ C:\WINDOWS\zllsputility.exe 2007-11-20 19:19 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll 2007-11-20 19:19 4,212 —h----- C:\WINDOWS\system32\zllictbl.dat 2007-11-20 17:14 2007-11-20 14:09 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys 2007-11-20 14:03 2007-11-19 21:06 2007-11-19 20:51 2007-11-19 20:50 2007-11-19 20:49 1,446,176 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat 2007-11-19 20:37 2007-11-19 20:37 29,056 --a------ C:\WINDOWS\system32\drivers\ip6fw.sys 2007-11-19 20:37 29,056 --a------ C:\WINDOWS\system32\dllcache\ip6fw.sys 2007-11-19 20:35 15,872 --a------ C:\WINDOWS\system32\spupdsvc.exe 2007-11-19 20:34 2007-11-08 19:44 1,422 --a------ C:\Documents and Settings\Kuba\clean.reg 2007-11-08 19:42 2007-11-08 16:59 2007-11-08 16:59 2007-11-08 16:48 2007-11-08 16:44 16,768 --a------ C:\WINDOWS\system32\tcpip_patcher.sys 2007-11-08 16:35 2007-11-08 16:35 2007-11-08 16:35 2007-11-08 16:35 70,688 --a------ C:\WINDOWS\system32\drivers\alcaudsl.sys 2007-11-08 16:35 53,600 --a------ C:\WINDOWS\system32\drivers\alcan5wn.sys 2007-11-08 16:35 5,606 --a------ C:\WINDOWS\system32\stci.dll 2007-11-08 16:35 5,280 --a------ C:\WINDOWS\system32\drivers\alcawh.sys 2007-11-08 16:35 3,968 --a------ C:\WINDOWS\system32\drivers\alcacr.sys 2007-11-08 16:18 2007-11-08 16:18 2007-11-08 16:18 2007-11-08 16:18 2007-11-08 16:18 2007-11-08 16:18 2007-11-08 16:18 2007-11-08 16:18 2007-11-08 16:05 2007-11-08 16:05 2007-11-08 16:05 2007-11-08 16:05 2007-11-08 16:02 2007-11-08 16:02 2007-11-08 16:02 2007-11-08 16:02 2007-11-08 16:02 2007-11-08 16:02 2007-11-08 16:02 2007-11-08 16:01 2007-11-08 16:01 2007-11-08 15:59 2007-11-08 15:47 77,312 --a------ C:\WINDOWS\system32\usbui.dll 2007-11-08 15:47 58,624 --a------ C:\WINDOWS\system32\drivers\redbook.sys 2007-11-08 15:47 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys 2007-11-08 15:47 3,072 --a------ C:\WINDOWS\system32\drivers\audstub.sys 2007-11-08 15:46 2007-11-08 15:46 2007-11-08 15:46 2007-11-08 15:46 2007-11-08 15:46 2007-11-08 15:46 2007-11-08 15:46 2007-11-08 15:46 2007-11-08 15:46 2007-11-08 15:46 2007-11-08 15:46 2007-11-08 15:46 2007-11-08 15:46 2007-11-08 15:46 2007-11-08 15:45 2007-11-01 22:28 51,200 --a------ C:\WINDOWS\NirCmd.exe 2007-10-31 15:51 13,860 --a------ C:\WINDOWS\system32\drivers\klop.dat 2007-10-31 15:47 200,704 --a------ C:\WINDOWS\system32\klogon.dll 2007-10-31 15:40 10,011 --a------ C:\WINDOWS\system32\drivers\klnetinf.sys 2007-10-24 14:16 32,272 --a------ C:\WINDOWS\system32\drivers\klbg.sys . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-11-08 18:55 22,460 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx 2007-11-08 16:36 --------- d-----w C:\Program Files\Creative 2007-11-08 16:28 --------- d-----w C:\Documents and Settings\Kuba\Dane aplikacji\foobar2000 2007-09-06 15:14 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “SpeedTouch USB Diagnostics”=“C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” [2004-01-26 11:38] “AVP”=“E:\Program Files\Kaspersky Lab\Kaspersky Internet Security 8.0\avp.exe” [2007-10-31 15:48] “Gainward”=“C:\WINDOWS\TBPanel.exe” [2007-06-26 07:56] “NvCplDaemon”=“C:\WINDOWS\System32\NvCpl.dll” [2007-05-10 23:03] “nwiz”=“nwiz.exe” [2007-05-10 23:03 C:\WINDOWS\system32\nwiz.exe] “NvMediaCenter”=“C:\WINDOWS\System32\NvMcTray.dll” [2007-05-10 23:03] “CTSysVol”=“C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe” [2005-10-31 10:51] “P17Helper”=“P17.dll” [2005-05-03 12:38 C:\WINDOWS\system32\P17.dll] “UpdReg”=“C:\WINDOWS\UpdReg.EXE” [2000-05-11 01:00] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “MSMSGS”=“C:\Program Files\Messenger\msmsgs.exe” [2004-08-04 00:44] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] “AppInit_DLLs”=E:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll R0 KLBG;Kaspersky Lab Boot Guard Driver;C:\WINDOWS\system32\DRIVERS\klbg.sys R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys R3 P17;Sound Blaster Audigy;C:\WINDOWS\system32\drivers\P17.sys . ************************************************************************** catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-11-08 20:01:45 Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2007-11-08 20:02:05 C:\ComboFix2.txt … 2007-11-08 19:36 . — E O F —

Gutek · 20 Listopad 2007 21:38

Już powinno być Ok