System Defender Security Center

Hi, I have a problem with System Defender Security Center: a page like this pops up every 30 minutes or so and I don't know how to get rid of it ;/

I don't really understand this HijackThis stuff.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)

Scan saved at 13:03:20, on 2005-07-13

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\DAEMON Tools Lite\daemon.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

E:\JETAUDIO\JetAudio.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\User\Pulpit\HiJack\HiJackThis_v2.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: (no name) - {73984FE0-9702-4C55-9C7B-9BA3C5861F25} - C:\WINDOWS\system32\khfGwWMf.dll

O2 - BHO: (no name) - {C0FAEB84-FB1F-43F8-9540-5ED5B47E77A5} - C:\WINDOWS\system32\nnnoMCUl.dll

O3 - Toolbar: sqvgnrpx - {9437C997-89E6-4B84-A745-BEFD3A910FF5} - C:\WINDOWS\sqvgnrpx.dll

O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM…\Run: [fc777f5a] rundll32.exe "C:\WINDOWS\system32\fgivwivr.dll",b

O4 - HKCU…\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun

O4 - HKCU…\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-19…\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,4,N (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-20…\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,4,N (User 'USŁUGA SIECIOWA')

O4 - HKUS\S-1-5-18…\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,4,N (User 'SYSTEM')

O4 - HKUS.DEFAULT…\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,4,N (User 'Default user')

O18 - Protocol: bw00 - {9AD51BC0-535D-4C8E-88E0-0E67104B86E9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O20 - Winlogon Notify: khfGwWMf - C:\WINDOWS\SYSTEM32\khfGwWMf.dll

O21 - SSODL: fdxbameg - {533375B0-76A1-4BE3-86EC-7F1A605C8A3F} - (no file)

O21 - SSODL: fsrpknov - {6E119825-4DDC-413A-A21A-864B20998430} - C:\WINDOWS\fsrpknov.dll

O22 - SharedTaskScheduler: Moduł wstępnego ładowania interfejsu Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Demon buforu kategorii składników - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

End of file - 3050 bytes

Please help :) Regards

Fix the entries listed above in HijackThis:

>>Hijack>>Scan (Do a system scan only)>>check them>>Fix checked

Post a log from -----> ComboFix.

Fix in HijackThis

Download ComboFix, but do not run it.

Open Notepad and paste this into it:

File::

C:\WINDOWS\system32\khfGwWMf.dll

C:\WINDOWS\system32\nnnoMCUl.dll

C:\WINDOWS\sqvgnrpx.dll

C:\WINDOWS\system32\fgivwivr.dll

C:\WINDOWS\fsrpknov.dll

File -> Save As -> CFScript.txt.

Drag and drop the CFScript.txt icon onto the ComboFix.exe icon, like here ->

[image: 02f8f1e3c410a4cc.gif]

The removal will start and a log will be created, which you then post on the forum.

Post logs at http://wklejto.pl or http://wklej.org and put only the link in your post.
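
An added example, not code from this thread and not part of HijackThis or ComboFix: a small Python triage script that scores HijackThis lines by load point and file-name shape, and on the log above arrives at the same five DLLs as the CFScript. The sample log is a constructed subset of the lines posted above (O4 keys written in HijackThis's own `HKLM\..\Run` form); the scoring weights and the `looks_random` heuristic are my own assumptions, not anything the tools implement.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the lines from the HijackThis logs posted
# above, with the MSConfig, ctfmon, NvCpl, browseui and NVSvc entries kept
# as benign controls.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {73984FE0-9702-4C55-9C7B-9BA3C5861F25} - C:\WINDOWS\system32\khfGwWMf.dll
O2 - BHO: (no name) - {C0FAEB84-FB1F-43F8-9540-5ED5B47E77A5} - C:\WINDOWS\system32\nnnoMCUl.dll
O3 - Toolbar: sqvgnrpx - {9437C997-89E6-4B84-A745-BEFD3A910FF5} - C:\WINDOWS\sqvgnrpx.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [fc777f5a] rundll32.exe "C:\WINDOWS\system32\fgivwivr.dll",b
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\system32\msconfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: khfGwWMf - C:\WINDOWS\SYSTEM32\khfGwWMf.dll
O21 - SSODL: fsrpknov - {6E119825-4DDC-413A-A21A-864B20998430} - C:\WINDOWS\fsrpknov.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Last "X:\...\name.dll|exe" token on a line; stops at quotes and commas so
# rundll32 arguments such as ",NvStartup" are not swallowed.
PATH_RE = re.compile(r'[A-Za-z]:\\[^",]+?\.(?:dll|exe)', re.IGNORECASE)
# Run value named with a bare hex string, e.g. [fc777f5a].
HEX_RUN_NAME_RE = re.compile(r'\[[0-9a-f]{6,}\]')
# rundll32 loading a DLL through a one-letter export, e.g. "...\x.dll",b
RUNDLL_ONE_LETTER_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?[^"]+\.dll"?,\s*[A-Za-z](?![A-Za-z0-9_])', re.IGNORECASE)
VOWELS = set("aeiouy")


@dataclass
class Finding:
    section: str
    path: str
    score: int
    reasons: list = field(default_factory=list)


def looks_random(filename: str) -> bool:
    """Dropper-style names (assumed heuristic): exactly 8 letters with almost
    no vowels, or lowercase with capitals scattered inside (khfGwWMf)."""
    stem = filename.rsplit(".", 1)[0]
    if len(stem) != 8 or not stem.isalpha():
        return False
    vowels = sum(ch.lower() in VOWELS for ch in stem)
    interior_caps = sum(ch.isupper() for ch in stem[1:])
    return vowels <= 2 or interior_caps >= 2


def score_line(line: str):
    """Return a Finding for one HijackThis line, or None if it names no file."""
    paths = PATH_RE.findall(line)
    if not paths:
        return None
    section = line.split(" - ", 1)[0].strip()
    finding = Finding(section, paths[-1], 0)
    # Load points ordinary software almost never registers; the entries in
    # this thread live exactly there (O20 Winlogon Notify, O21 SSODL).
    if section in ("O20", "O21"):
        finding.score += 2
        finding.reasons.append("high-risk load point " + section)
    elif section == "O2" and "(no name)" in line:
        finding.score += 1
        finding.reasons.append("BHO registered without a name")
    elif section == "O3":
        finding.score += 1
        finding.reasons.append("third-party toolbar")
    if looks_random(finding.path.rsplit("\\", 1)[-1]):
        finding.score += 2
        finding.reasons.append("random-looking file name")
    if HEX_RUN_NAME_RE.search(line):
        finding.score += 1
        finding.reasons.append("Run value named with a hex string")
    if RUNDLL_ONE_LETTER_RE.search(line):
        finding.score += 1
        finding.reasons.append("rundll32 calls a one-letter DLL export")
    return finding


def triage(log_text: str, threshold: int = 3) -> list:
    """Findings whose combined score reaches the threshold, in log order."""
    findings = (score_line(ln) for ln in log_text.splitlines() if ln.strip())
    return [f for f in findings if f is not None and f.score >= threshold]


def suspicious_files(log_text: str) -> list:
    """Unique file paths from triage(), compared case-insensitively."""
    seen, paths = set(), []
    for f in triage(log_text):
        if f.path.lower() not in seen:
            seen.add(f.path.lower())
            paths.append(f.path)
    return paths


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} score={f.score} {f.path}  [{'; '.join(f.reasons)}]")
    print("Files to remove:", *suspicious_files(SAMPLE_LOG), sep="\n  ")
```

The file-name heuristic on its own is not enough: `msconfig.exe` is eight letters with two vowels and would be flagged by name alone, which is why the load point and the launch pattern carry weight too and the MSConfig Run entry stays below the threshold.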

THANK YOU VERY MUCH :))

Logfile of Trend Micro HijackThis v2.0.0 (BETA)

Scan saved at 13:38:21, on 2005-08-03

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\Program Files\DAEMON Tools Lite\daemon.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Skype\Plugin Manager\skypePM.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\User\Pulpit\HiJack\HiJackThis_v2.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: (no name) - {73984FE0-9702-4C55-9C7B-9BA3C5861F25} - C:\WINDOWS\system32\khfGwWMf.dll

O2 - BHO: (no name) - {F4F45BC3-A4D5-4329-B7B4-8D401AE64C34} - C:\WINDOWS\system32\nnnoMCUl.dll

O4 - HKLM…\Run: [fc777f5a] rundll32.exe "C:\WINDOWS\system32\wnjuiowx.dll",b

O4 - HKCU…\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun

O4 - HKCU…\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU…\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O18 - Protocol: bw00 - {9AD51BC0-535D-4C8E-88E0-0E67104B86E9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: khfGwWMf - C:\WINDOWS\SYSTEM32\khfGwWMf.dll

O21 - SSODL: fsrpknov - {CEA6145F-FC75-4FC9-A01A-49E17368B26A} - C:\WINDOWS\fsrpknov.dll

O22 - SharedTaskScheduler: Moduł wstępnego ładowania interfejsu Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Demon buforu kategorii składników - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

End of file - 2573 bytes

Follow the ComboFix instructions and then:

Fix in HijackThis

:)

OK, I'll do it in a moment, because it just popped up again.

I did as you told me and it popped up again ;/

And when I drag CFScript.txt onto ComboFix, the removal runs and at the end a DATE error pops up …

Disable your antivirus.

When downloading, try saving it not as ComboFix.exe but with a hyphen in the middle:

Combo-Fix.exe

and try again.

The thing is, I don't have an antivirus right now, because I thought that was the cause; I read that somewhere. And now you told me to do this Combo-Fix thing and it's the same, plus some exception messages popped up ;/

Logfile of Trend Micro HijackThis v2.0.0 (BETA)

Scan saved at 15:00:25, on 2005-08-03

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\Program Files\DAEMON Tools Lite\daemon.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\explorer.exe

E:\JETAUDIO\JetAudio.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\User\Pulpit\HiJack\HiJackThis_v2.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: (no name) - {31E7B3BE-10E7-46A8-8F6D-EFE84C967181} - C:\WINDOWS\system32\nnnoMCUl.dll

O2 - BHO: (no name) - {73984FE0-9702-4C55-9C7B-9BA3C5861F25} - C:\WINDOWS\system32\khfGwWMf.dll

O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM…\Run: [MSConfig] C:\WINDOWS\system32\msconfig.exe /auto

O4 - HKCU…\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun

O4 - HKCU…\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O17 - HKLM\System\CCS\Services\Tcpip…{5C149324-DE72-4062-857C-9CC20A47FBCA}: NameServer = 208.67.222.222,208.67.220.220

O17 - HKLM\System\CCS\Services\Tcpip…{BBA527F0-0FFD-4FBC-9104-E6674CCE3A63}: NameServer = 208.67.222.222,208.67.220.220

O18 - Protocol: bw00 - {9AD51BC0-535D-4C8E-88E0-0E67104B86E9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: khfGwWMf - C:\WINDOWS\SYSTEM32\khfGwWMf.dll

O21 - SSODL: fsrpknov - {81A99A30-C2B0-4AC9-841E-29C125650B59} - C:\WINDOWS\fsrpknov.dll

O22 - SharedTaskScheduler: Moduł wstępnego ładowania interfejsu Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Demon buforu kategorii składników - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

End of file - 2742 bytes

And this page pops up in IE; maybe something needs to be removed from IE?

Maybe this:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

Post the log from the main.txt file from Deckard's System Scanner.

Post a DSS log; see the pinned topic in the Security and HijackThis logs section.

Here is the DSS log.

Deckard’s System Scanner v20071014.68

Run by User on 2005-08-03 15:08:08

Computer is in Normal Mode.


– System Restore --------------------------------------------------------------

Successfully created a Deckard’s System Scanner Restore Point.

– Last 5 Restore Point(s) –

16: 2005-08-03 13:08:10 UTC - RP39 - Deckard’s System Scanner Restore Point

15: 2005-08-03 12:11:39 UTC - RP38 - Punkt kontrolny systemu

14: 2005-08-02 10:35:30 UTC - RP37 - Punkt kontrolny systemu

13: 2005-07-30 19:22:44 UTC - RP36 - Punkt kontrolny systemu

12: 2005-07-28 20:26:48 UTC - RP35 - Punkt kontrolny systemu

– First Restore Point –

1: 2005-07-12 11:38:10 UTC - RP24 - Usunięto ESET NOD32 Antivirus

Backed up registry hives.

Performed disk cleanup.

– HijackThis (run as User.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 15:09:01, on 2005-08-03

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\Program Files\DAEMON Tools Lite\daemon.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\explorer.exe

C:\Documents and Settings\User\Pulpit\dss.exe

C:\PROGRA~1\TRENDM~1\HIJACK~1\User.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: (no name) - {31E7B3BE-10E7-46A8-8F6D-EFE84C967181} - C:\WINDOWS\system32\nnnoMCUl.dll

O2 - BHO: (no name) - {73984FE0-9702-4C55-9C7B-9BA3C5861F25} - C:\WINDOWS\system32\khfGwWMf.dll

O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM…\Run: [MSConfig] C:\WINDOWS\system32\msconfig.exe /auto

O4 - HKCU…\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun

O4 - HKCU…\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O17 - HKLM\System\CCS\Services\Tcpip…{5C149324-DE72-4062-857C-9CC20A47FBCA}: NameServer = 208.67.222.222,208.67.220.220

O17 - HKLM\System\CCS\Services\Tcpip…{BBA527F0-0FFD-4FBC-9104-E6674CCE3A63}: NameServer = 208.67.222.222,208.67.220.220

O18 - Protocol: bw00 - {9AD51BC0-535D-4C8E-88E0-0E67104B86E9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: khfGwWMf - C:\WINDOWS\SYSTEM32\khfGwWMf.dll

O21 - SSODL: fsrpknov - {81A99A30-C2B0-4AC9-841E-29C125650B59} - C:\WINDOWS\fsrpknov.dll

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

End of file - 2447 bytes

– File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*

.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*

– Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 sisidex - c:\windows\system32\drivers\sisidex.sys

R0 sisperf (Add Performance Filter Driver) - c:\windows\system32\drivers\sisperf.sys

R2 TBPanel - c:\windows\system32\drivers\tbpanel.sys

S3 Cardex - c:\windows\system32\drivers\tbpanel.sys

S3 gwiopm - d:\unknown device identifier\gwiopm.sys (file missing)

– Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.

– Device Manager: Disabled ----------------------------------------------------

No disabled devices found.

– Files created between 2005-07-03 and 2005-08-03 -----------------------------

2007-10-11 09:55:10 88576 --a------ C:\WINDOWS\system32\infocardapi.dll

2007-10-09 12:58:20 16896 --a------ C:\WINDOWS\system32\tswpfwrp.exe

2007-05-12 11:06:08 218624 --a------ C:\WINDOWS\system32\uxtheme.dll

2007-05-12 11:06:08 140800 --a------ C:\WINDOWS\system32\sfc_os.dll

2007-05-11 12:28:03 2707456 --a------ C:\WINDOWS\system32\winntbbu.dll

2007-05-11 11:56:04 476672 --a------ C:\WINDOWS\system32\zipfldr.dll

2007-05-11 11:52:36 764928 --a------ C:\WINDOWS\system32\wiashext.dll

2007-05-11 11:52:00 113664 --a------ C:\WINDOWS\system32\stobject.dll

2007-05-11 11:51:34 494080 --a------ C:\WINDOWS\system32\shimgvw.dll

2007-05-11 11:51:23 1271296 --a------ C:\WINDOWS\system32\setupapi.dll

2007-05-11 11:51:08 858112 --a------ C:\WINDOWS\system32\rasdlg.dll

2007-05-11 11:50:47 175104 --a------ C:\WINDOWS\system32\photowiz.dll

2007-05-11 11:49:49 1561088 --a------ C:\WINDOWS\system32\msgina.dll

2007-05-11 11:49:21 404992 --a------ C:\WINDOWS\system32\fontext.dll

2007-05-11 11:48:47 504832 --a------ C:\WINDOWS\system32\cmdial32.dll

2007-05-11 11:48:36 37888 --a------ C:\WINDOWS\system32\batmeter.dll

2007-05-11 08:57:43 83456 --a------ C:\WINDOWS\system32\dfrgres.dll

2007-05-10 21:55:50 354816 --a------ C:\WINDOWS\system32\mydocs.dll

2007-05-10 21:55:33 1423872 --a------ C:\WINDOWS\explorer.exe

2007-05-10 18:22:31 494080 --a------ C:\WINDOWS\system32\wiaacmgr.exe

2007-05-10 18:22:14 225280 --a------ C:\WINDOWS\system32\taskmgr.exe

2007-05-10 18:21:33 71680 --a------ C:\WINDOWS\system32\notepad.exe

2007-05-10 18:20:12 1153536 --a------ C:\WINDOWS\system32\logonui.exe

2007-05-10 17:57:24 15360 --a------ C:\WINDOWS\system32\msisip.dll

2007-05-10 17:57:12 884736 --a------ C:\WINDOWS\system32\msimsg.dll

2007-05-10 17:57:02 271360 --a------ C:\WINDOWS\system32\msihnd.dll

2007-05-10 17:56:50 78848 --a------ C:\WINDOWS\system32\msiexec.exe

2007-05-10 17:56:44 2890240 --a------ C:\WINDOWS\system32\msi.dll

2007-05-10 16:51:30 1548288 --a------ C:\WINDOWS\system32\sfcfiles.dll

2007-05-10 16:14:49 45056 --a------ C:\WINDOWS\system32\rcimlby.exe

2007-05-10 16:14:39 293888 --a------ C:\WINDOWS\system32\osk.exe

2007-05-10 16:14:32 58880 --a------ C:\WINDOWS\system32\narrator.exe

2007-05-10 16:13:56 168960 --a------ C:\WINDOWS\system32\mobsync.exe

2007-05-10 16:13:34 76288 --a------ C:\WINDOWS\system32\magnify.exe

2007-03-22 20:25:02 124928 -----n--- C:\WINDOWS\system32\prntvpt.dll

2005-08-03 15:08:55 0 d-------- C:\Program Files\Trend Micro

2005-08-03 15:03:19 0 d-------- C:\Combo-Fix

2005-08-02 21:42:28 98688 --a------ C:\WINDOWS\system32\wnjuiowx.dll

2005-07-30 22:22:56 99712 --a------ C:\WINDOWS\system32\wueujwhy.dll

2005-07-30 21:22:53 99712 --a------ C:\WINDOWS\system32\mhyemyyj.dll

2005-07-29 20:32:40 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat

2005-07-29 20:30:53 0 d-------- C:\Program Files\Skype

2005-07-29 20:30:53 0 d-------- C:\Program Files\Common Files\Skype

2005-07-25 18:13:03 94848 --a------ C:\WINDOWS\system32\rkwrcbxr.dll

2005-07-17 13:05:19 92672 --a------ C:\WINDOWS\system32\psyxgkga.dll

2005-07-13 01:19:21 0 d-------- C:\Program Files\Alwil Software

2005-07-09 02:43:16 32060 --ahs---- C:\WINDOWS\system32\lUCMonnn.ini2

2005-07-09 02:43:10 318208 -----n--- C:\WINDOWS\system32\nnnoMCUl.dll

2005-07-09 02:38:07 29568 --a------ C:\WINDOWS\system32\yayvUMGy.dll

2005-07-09 02:38:07 29568 --a------ C:\WINDOWS\system32\khfGwWMf.dll

2005-07-09 02:37:42 200704 --a------ C:\WINDOWS\sqvgnrpx.dll

2005-07-09 02:37:42 270336 -----n--- C:\WINDOWS\fsrpknov.dll

– Find3M Report ---------------------------------------------------------------

2007-05-11 11:50:25 335360 --a------ C:\WINDOWS\system32\mstask.dll

2007-05-10 18:21:56 159744 --a------ C:\WINDOWS\system32\sndvol32.exe

2007-05-10 18:21:24 718336 --a------ C:\WINDOWS\system32\mstsc.exe

2007-05-10 18:19:30 118272 --a------ C:\WINDOWS\system32\calc.exe

2007-05-10 16:13:09 190976 --a------ C:\WINDOWS\system32\accwiz.exe

2005-08-03 14:57:26 0 d-------- C:\Program Files\Tlen.pl

2005-08-03 14:15:37 0 d-------- C:\Documents and Settings\User\Dane aplikacji\Skype

2005-08-03 13:01:36 0 d-------- C:\Program Files\MoorHunt

2005-08-03 12:01:38 0 d-------- C:\Program Files\HLSW

2005-08-03 11:12:11 0 d-------- C:\Documents and Settings\User\Dane aplikacji\Tlen.pl

2005-08-03 10:27:00 0 d-------- C:\Documents and Settings\User\Dane aplikacji\skypePM

2005-07-31 07:59:08 0 d-------- C:\Documents and Settings\User\Dane aplikacji\teamspeak2

2005-07-29 20:30:53 0 d-------- C:\Program Files\Common Files

2005-07-27 13:19:53 0 d-------- C:\Program Files\DMW Client 3

2005-07-14 15:31:34 0 d-------- C:\Program Files\Common Files\InstallShield

2005-07-13 11:40:22 0 d-------- C:\Documents and Settings\User\Dane aplikacji\Identities

2005-07-13 00:11:29 488436 --a------ C:\WINDOWS\system32\perfh015.dat

2005-07-13 00:11:29 82614 --a------ C:\WINDOWS\system32\perfc015.dat

2005-07-10 16:11:10 0 d-------- C:\Documents and Settings\User\Dane aplikacji\COWON

– Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{31E7B3BE-10E7-46A8-8F6D-EFE84C967181}]

2005-07-09 02:43 318208 --------- C:\WINDOWS\system32\nnnoMCUl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{73984FE0-9702-4C55-9C7B-9BA3C5861F25}]

2005-07-09 02:38 29568 --a------ C:\WINDOWS\system32\khfGwWMf.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-01-29 12:57]

"MSConfig"="C:\WINDOWS\system32\msconfig.exe" [2007-05-10 16:33]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-04-01 11:39]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:44]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"DisableCAD"=1 (0x1)

"DisableStatusMessages"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoSMHelp"=1 (0x1)

"NoSMMyPictures"=1 (0x1)

"NoSMConfigurePrograms"=1 (0x1)

"ClearRecentDocsOnExit"=1 (0x1)

"NoRecentDocsMenu"=1 (0x1)

"NoRecentDocsHistory"=1 (0x1)

"NoStartBanner"=1 (0x1)

"NoInstrumentation"=1 (0x1)

"NoStartMenuMFUprogramsList"=1 (0x1)

"NoLowDiskSpaceChecks"=1 (0x1)

"NoResolveTrack"=1 (0x1)

"LinkResolveIgnoreLinkInfo"=1 (0x1)

"NoResolveSearch"=1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSMHelp"=1 (0x1)

"NoSMMyPictures"=1 (0x1)

"NoSMConfigurePrograms"=1 (0x1)

"ClearRecentDocsOnExit"=1 (0x1)

"NoRecentDocsMenu"=1 (0x1)

"NoRecentDocsHistory"=1 (0x1)

"NoStartBanner"=1 (0x1)

"NoInstrumentation"=1 (0x1)

"NoStartMenuMFUprogramsList"=1 (0x1)

"NoLowDiskSpaceChecks"=1 (0x1)

"NoResolveTrack"=1 (0x1)

"LinkResolveIgnoreLinkInfo"=1 (0x1)

"NoResolveSearch"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{73984FE0-9702-4C55-9C7B-9BA3C5861F25}"= C:\WINDOWS\system32\khfGwWMf.dll [2005-07-09 02:38 29568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"fsrpknov"= {81A99A30-C2B0-4AC9-841E-29C125650B59} - C:\WINDOWS\fsrpknov.dll [2008-07-08 11:01 270336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfGwWMf]

khfGwWMf.dll 2005-07-09 02:38 29568 C:\WINDOWS\system32\khfGwWMf.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

"Authentication Packages"= msv1_0 C:\WINDOWS\system32\nnnoMCUl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdVantage]

"C:\Program Files\AdVantage\AdVantage.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]

C:\Program Files\DAEMON Tools Lite\daemon.exe -autorun

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DmwClient]

"C:\Program Files\DMW Client 3\dmwclient.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

"C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vcs6diamond]

D:\AV Vcs 6.0 DIAMOND\Vcs6Core.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

LocalService WebClient LmHosts RemoteRegistry upnphost SSDPSRV

– Hosts -----------------------------------------------------------------------

127.0.0.1 http://www.system-defender.com/freeware … id=37&p=01

– End of Deckard’s System Scanner: finished at 2005-08-03 15:10:00 ------------

(I'll be back in an hour or so and we'll keep trying) Regards :)

– Security Center -------------------------------------------------------------

– Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users

APPDATA=C:\Documents and Settings\User\Dane aplikacji

CLIENTNAME=Console

CommonProgramFiles=C:\Program Files\Common Files

COMPUTERNAME=CIPKIS

ComSpec=C:\WINDOWS\system32\cmd.exe

FP_NO_HOST_CHECK=NO

HOMEDRIVE=C:

HOMEPATH=\Documents and Settings\User

LOGONSERVER=\CIPKIS

NUMBER_OF_PROCESSORS=1

OS=Windows_NT

Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem

PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH

PROCESSOR_ARCHITECTURE=x86

PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel

PROCESSOR_LEVEL=15

PROCESSOR_REVISION=0209

ProgramFiles=C:\Program Files

PROMPT=$P$G

SESSIONNAME=Console

SystemDrive=C:

SystemRoot=C:\WINDOWS

TEMP=C:\DOCUME~1\User\USTAWI~1\Temp

TMP=C:\DOCUME~1\User\USTAWI~1\Temp

USERDOMAIN=CIPKIS

USERNAME=User

USERPROFILE=C:\Documents and Settings\User

windir=C:\WINDOWS

– User Profiles ---------------------------------------------------------------

User (admin)

– Add/Remove Programs ---------------------------------------------------------

Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe

AdVantage (Powering DAEMON Tools) --> "C:\Program Files\AdVantage\AdVUninst.exe" /r DAEM /d "AdVantage (Powering DAEMON Tools)" /m "AdVantage is safe advertising software that supports Freeze.com.\nAdVantage is certified by TRUSTe as a Trusted Download.\n\nAre you sure you want to uninstall AdVantage support for DAEMON Tools?"

Aktualizacja dla systemu Windows XP (KB922120) -->

Aktualizacja dla systemu Windows XP (KB931836) -->

Archiwizator WinRAR --> C:\Program Files\WinRAR\uninstall.exe

DMW Client SE --> C:\Program Files\DMW Client 3\uninst.exe

EXPERTool --> RunDll32 Setupapi.dll,InstallHinfSection TB.Remove 4 TBNT4.inf

HijackThis 2.0.2 --> "C:\PROGRA~1\TRENDM~1\HIJACK~1\HijackThis.exe" /uninstall

HLSW v1.1.6 --> "C:\Program Files\HLSW\unins000.exe"

Logitech Desktop Messenger --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information{900B1197-53F5-4F46-A882-2CFFFE2EEDCB}\SETUP.exe" -l0x9 UNINSTALL -removeonly

Logitech SetPoint --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information{2E8EAC71-BFE4-417A-88F0-5A1BDFBCF5D3}\setup.exe" -l0x15 -removeonly

LS-USBMX 1/2/3 Steering Wheel W/Vibration --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0700\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information{476330CF-F63D-4BA6-B8A0-757A26DABAE4}\setup.exe" -l0x9

MoorHunt 0.5.5.5 --> "C:\Program Files\MoorHunt\unins000.exe"

Mozilla 1.7.13 (PL) --> C:\WINDOWS\MozillaUninstall.exe /ua "1.7.13 (PL)"

Mozilla Firefox (2.0.0.3) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe

MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}

Need for Speed™ Carbon --> F:\Electronic Arts\Need for Speed Carbon\EAUninstall.exe

NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI

Peer2Mail (remove only) --> "C:\Program Files\Peer2Mail\uninst.exe"

Poprawka dla systemu Windows XP (KB918093) -->

Pro Evolution Soccer 6 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{EBB794ED-D282-4334-92FB-254481EFF514} /l1045

SiS 900 PCI Fast Ethernet Adapter Driver --> C:\Progra~1\SiSLan\Uninst.exe

Skype™ 3.8 --> MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}

SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information{F0A37341-D692-11D4-A984-009027EC0A9C}\Setup.exe"

TeamSpeak 2 RC2 --> "C:\Program Files\Teamspeak2_RC2\unins000.exe"

Theorica Divx :wink: Codecs (remove only) --> C:\Program Files\Theorica Divx :wink: Codecs\Uninstall.exe

Tlen.pl --> "C:\Program Files\Tlen.pl\uninstall.exe"

Windows Imaging Component --> "C:\WINDOWS$NtUninstallWIC$\spuninst\spuninst.exe"

XML Paper Specification Shared Components Language Pack 1.0 --> "C:\WINDOWS$NtUninstallXPSEPSCLP$\spuninst\spuninst.exe"

XML Paper Specification Shared Components Pack 1.0 -->

– Application Event Log -------------------------------------------------------

No Errors/Warnings found.

– Security Event Log ----------------------------------------------------------

No Errors/Warnings found.

– System Event Log ------------------------------------------------------------

Event Record #/Type3090 / Warning

Event Submitted/Written: 08/03/2005 03:06:09 PM

Event ID/Source: 4226 / Tcpip

Event Description:

Protokół TCP/IP osiągnął limit zabezpieczeń ustalony dla liczby równoczesnych prób połączeń TCP.

Event Record #/Type3054 / Warning

Event Submitted/Written: 08/03/2005 11:54:55 AM

Event ID/Source: 4226 / Tcpip

Event Description:

Protokół TCP/IP osiągnął limit zabezpieczeń ustalony dla liczby równoczesnych prób połączeń TCP.

Event Record #/Type2489 / Error

Event Submitted/Written: 07/22/2005 01:18:20 AM

Event ID/Source: 34 / W32Time

Event Description:

Usługa czas wykryła, że trzeba zmienić czas systemowy

o +94694212 s. Usługa czasu nie zmieni czasu systemowego

o więcej niż +54000 s. Sprawdź, czy czas i strefa czasowa

są poprawne i czy źródło czasu time.windows.com (ntp.m|0x1|192.168.100.102:123->207.46.232.182:123) działa poprawnie.

Event Record #/Type2332 / Warning

Event Submitted/Written: 07/19/2005 11:20:24 AM

Event ID/Source: 1007 / Dhcp

Event Description:

Komputer ma automatycznie skonfigurowany adres IP dla karty

sieciowej o adresie 000C6EA45684. Używanym adresem IP jest 169.254.216.34.

Event Record #/Type2330 / Warning

Event Submitted/Written: 07/19/2005 11:18:24 AM

Event ID/Source: 3019 / MRxSmb

Event Description:

Readresator nie mógł określić typu połączenia.

– End of Deckard’s System Scanner: finished at 2005-08-03 15:10:00 ------------

This also popped up.

Download ----> The Avenger

Paste this text into it:

Files to delete:

C:\WINDOWS\system32\wnjuiowx.dll

C:\WINDOWS\system32\wueujwhy.dll

C:\WINDOWS\system32\mhyemyyj.dll

C:\WINDOWS\system32\psyxgkga.dll

C:\WINDOWS\system32\rkwrcbxr.dll

C:\WINDOWS\system32\lUCMonnn.ini2

C:\WINDOWS\system32\nnnoMCUl.dll

C:\WINDOWS\system32\yayvUMGy.dll

C:\WINDOWS\system32\khfGwWMf.dll

C:\WINDOWS\sqvgnrpx.dll

C:\WINDOWS\fsrpknov.dll


Registry keys to delete:

HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{31E7B3BE-10E7-46A8-8F6D-EFE84C967181}]

HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{73984FE0-9702-4C55-9C7B-9BA3C5861F25}]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{73984FE0-9702-4C55-9C7B-9BA3C5861F25}"=-

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"fsrpknov"=-

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfGwWMf]

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdVantage]

Copy it, click Paste Script from Clipboard, then Execute, confirm, and agree to the restart by clicking OK.

Afterwards, delete the file C:\Avenger\backup.zip from the disk and paste the report C:\avenger.txt on the forum.

Then a new DSS log and…

Use ---> SDFix (further down on the linked page).

Run it in Safe Mode.

Post the Report.txt found in the SDFix folder.

//////////////////////////////////////////

Avenger Pre-Processor log

//////////////////////////////////////////

Platform: Windows XP (build 2600, Dodatek Service Pack 2)

Wed Aug 03 17:05:03 2005

17:04:50: Error: Invalid registry syntax in command:

""{73984FE0-9702-4C55-9C7B-9BA3C5861F25}"=-"

Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.

Skipping line. (Registry key deletion mode)

17:04:52: Error: Invalid registry syntax in command:

""fsrpknov"=-"

Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.

Skipping line. (Registry key deletion mode)

//////////////////////////////////////////

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

No rootkits found!

File "C:\WINDOWS\system32\wnjuiowx.dll" deleted successfully.

File "C:\WINDOWS\system32\wueujwhy.dll" deleted successfully.

File "C:\WINDOWS\system32\mhyemyyj.dll" deleted successfully.

File "C:\WINDOWS\system32\psyxgkga.dll" deleted successfully.

File "C:\WINDOWS\system32\rkwrcbxr.dll" deleted successfully.

File "C:\WINDOWS\system32\lUCMonnn.ini2" deleted successfully.

File "C:\WINDOWS\system32\nnnoMCUl.dll" deleted successfully.

File "C:\WINDOWS\system32\yayvUMGy.dll" deleted successfully.

File "C:\WINDOWS\system32\khfGwWMf.dll" deleted successfully.

File "C:\WINDOWS\sqvgnrpx.dll" deleted successfully.

File "C:\WINDOWS\fsrpknov.dll" deleted successfully.

Error: registry key "HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{31E7B3BE-10E7-46A8-8F6D-EFE84C967181}]" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{31E7B3BE-10E7-46A8-8F6D-EFE84C967181}]" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{73984FE0-9702-4C55-9C7B-9BA3C5861F25}]" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{73984FE0-9702-4C55-9C7B-9BA3C5861F25}]" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfGwWMf]" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfGwWMf]" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdVantage]" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdVantage]" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Completed script processing.

*******************

Finished! Terminate.

DSS log

Deckard's System Scanner v20071014.68

Run by User on 2005-08-03 17:08:25

Computer is in Normal Mode.


-- HijackThis (run as User.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 17:08:28, on 2005-08-03

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\DAEMON Tools Lite\daemon.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\System32\svchost.exe

C:\Documents and Settings\User\Pulpit\dss.exe

C:\PROGRA~1\TRENDM~1\HIJACK~1\User.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: (no name) - {31E7B3BE-10E7-46A8-8F6D-EFE84C967181} - C:\WINDOWS\system32\nnnoMCUl.dll (file missing)

O2 - BHO: (no name) - {73984FE0-9702-4C55-9C7B-9BA3C5861F25} - C:\WINDOWS\system32\khfGwWMf.dll (file missing)

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{5C149324-DE72-4062-857C-9CC20A47FBCA}: NameServer = 208.67.222.222,208.67.220.220

O17 - HKLM\System\CCS\Services\Tcpip\..\{BBA527F0-0FFD-4FBC-9104-E6674CCE3A63}: NameServer = 208.67.222.222,208.67.220.220

O18 - Protocol: bw00 - {9AD51BC0-535D-4C8E-88E0-0E67104B86E9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: khfGwWMf - khfGwWMf.dll (file missing)

O21 - SSODL: fsrpknov - {81A99A30-C2B0-4AC9-841E-29C125650B59} - C:\WINDOWS\fsrpknov.dll (file missing)

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

End of file - 2497 bytes

-- Files created between 2005-07-03 and 2005-08-03 -----------------------------

2007-10-11 09:55:10 88576 --a------ C:\WINDOWS\system32\infocardapi.dll

2007-10-09 12:58:20 16896 --a------ C:\WINDOWS\system32\tswpfwrp.exe

2007-05-12 11:06:08 218624 --a------ C:\WINDOWS\system32\uxtheme.dll

2007-05-12 11:06:08 140800 --a------ C:\WINDOWS\system32\sfc_os.dll

2007-05-11 12:28:03 2707456 --a------ C:\WINDOWS\system32\winntbbu.dll

2007-05-11 11:56:04 476672 --a------ C:\WINDOWS\system32\zipfldr.dll

2007-05-11 11:52:36 764928 --a------ C:\WINDOWS\system32\wiashext.dll

2007-05-11 11:52:00 113664 --a------ C:\WINDOWS\system32\stobject.dll

2007-05-11 11:51:34 494080 --a------ C:\WINDOWS\system32\shimgvw.dll

2007-05-11 11:51:23 1271296 --a------ C:\WINDOWS\system32\setupapi.dll

2007-05-11 11:51:08 858112 --a------ C:\WINDOWS\system32\rasdlg.dll

2007-05-11 11:50:47 175104 --a------ C:\WINDOWS\system32\photowiz.dll

2007-05-11 11:49:49 1561088 --a------ C:\WINDOWS\system32\msgina.dll

2007-05-11 11:49:21 404992 --a------ C:\WINDOWS\system32\fontext.dll

2007-05-11 11:48:47 504832 --a------ C:\WINDOWS\system32\cmdial32.dll

2007-05-11 11:48:36 37888 --a------ C:\WINDOWS\system32\batmeter.dll

2007-05-11 08:57:43 83456 --a------ C:\WINDOWS\system32\dfrgres.dll

2007-05-10 21:55:50 354816 --a------ C:\WINDOWS\system32\mydocs.dll

2007-05-10 21:55:33 1423872 --a------ C:\WINDOWS\explorer.exe

2007-05-10 18:22:31 494080 --a------ C:\WINDOWS\system32\wiaacmgr.exe

2007-05-10 18:22:14 225280 --a------ C:\WINDOWS\system32\taskmgr.exe

2007-05-10 18:21:33 71680 --a------ C:\WINDOWS\system32\notepad.exe

2007-05-10 18:20:12 1153536 --a------ C:\WINDOWS\system32\logonui.exe

2007-05-10 17:57:24 15360 --a------ C:\WINDOWS\system32\msisip.dll

2007-05-10 17:57:12 884736 --a------ C:\WINDOWS\system32\msimsg.dll

2007-05-10 17:57:02 271360 --a------ C:\WINDOWS\system32\msihnd.dll

2007-05-10 17:56:50 78848 --a------ C:\WINDOWS\system32\msiexec.exe

2007-05-10 17:56:44 2890240 --a------ C:\WINDOWS\system32\msi.dll

2007-05-10 16:51:30 1548288 --a------ C:\WINDOWS\system32\sfcfiles.dll

2007-05-10 16:14:49 45056 --a------ C:\WINDOWS\system32\rcimlby.exe

2007-05-10 16:14:39 293888 --a------ C:\WINDOWS\system32\osk.exe

2007-05-10 16:14:32 58880 --a------ C:\WINDOWS\system32\narrator.exe

2007-05-10 16:13:56 168960 --a------ C:\WINDOWS\system32\mobsync.exe

2007-05-10 16:13:34 76288 --a------ C:\WINDOWS\system32\magnify.exe

2007-03-22 20:25:02 124928 -----n--- C:\WINDOWS\system32\prntvpt.dll

2005-08-03 15:08:55 0 d-------- C:\Program Files\Trend Micro

2005-08-03 15:03:19 0 d-------- C:\Combo-Fix

2005-07-29 20:32:40 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat

2005-07-29 20:30:53 0 d-------- C:\Program Files\Skype

2005-07-29 20:30:53 0 d-------- C:\Program Files\Common Files\Skype

2005-07-13 01:19:21 0 d-------- C:\Program Files\Alwil Software

-- Find3M Report ---------------------------------------------------------------

2007-05-11 11:50:25 335360 --a------ C:\WINDOWS\system32\mstask.dll

2007-05-10 18:21:56 159744 --a------ C:\WINDOWS\system32\sndvol32.exe

2007-05-10 18:21:24 718336 --a------ C:\WINDOWS\system32\mstsc.exe

2007-05-10 18:19:30 118272 --a------ C:\WINDOWS\system32\calc.exe

2007-05-10 16:13:09 190976 --a------ C:\WINDOWS\system32\accwiz.exe

2005-08-03 16:54:51 0 d-------- C:\Documents and Settings\User\Dane aplikacji\Skype

2005-08-03 16:33:03 0 d-------- C:\Documents and Settings\User\Dane aplikacji\skypePM

2005-08-03 14:57:26 0 d-------- C:\Program Files\Tlen.pl

2005-08-03 13:01:36 0 d-------- C:\Program Files\MoorHunt

2005-08-03 12:01:38 0 d-------- C:\Program Files\HLSW

2005-08-03 11:12:11 0 d-------- C:\Documents and Settings\User\Dane aplikacji\Tlen.pl

2005-07-31 07:59:08 0 d-------- C:\Documents and Settings\User\Dane aplikacji\teamspeak2

2005-07-29 20:30:53 0 d-------- C:\Program Files\Common Files

2005-07-27 13:19:53 0 d-------- C:\Program Files\DMW Client 3

2005-07-14 15:31:34 0 d-------- C:\Program Files\Common Files\InstallShield

2005-07-13 11:40:22 0 d-------- C:\Documents and Settings\User\Dane aplikacji\Identities

2005-07-13 00:11:29 488436 --a------ C:\WINDOWS\system32\perfh015.dat

2005-07-13 00:11:29 82614 --a------ C:\WINDOWS\system32\perfc015.dat

2005-07-10 16:11:10 0 d-------- C:\Documents and Settings\User\Dane aplikacji\COWON

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{31E7B3BE-10E7-46A8-8F6D-EFE84C967181}]

C:\WINDOWS\system32\nnnoMCUl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{73984FE0-9702-4C55-9C7B-9BA3C5861F25}]

C:\WINDOWS\system32\khfGwWMf.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-01-29 12:57]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-04-01 11:39]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:44]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"DisableCAD"=1 (0x1)

"DisableStatusMessages"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoSMHelp"=1 (0x1)

"NoSMMyPictures"=1 (0x1)

"NoSMConfigurePrograms"=1 (0x1)

"ClearRecentDocsOnExit"=1 (0x1)

"NoRecentDocsMenu"=1 (0x1)

"NoRecentDocsHistory"=1 (0x1)

"NoStartBanner"=1 (0x1)

"NoInstrumentation"=1 (0x1)

"NoStartMenuMFUprogramsList"=1 (0x1)

"NoLowDiskSpaceChecks"=1 (0x1)

"NoResolveTrack"=1 (0x1)

"LinkResolveIgnoreLinkInfo"=1 (0x1)

"NoResolveSearch"=1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSMHelp"=1 (0x1)

"NoSMMyPictures"=1 (0x1)

"NoSMConfigurePrograms"=1 (0x1)

"ClearRecentDocsOnExit"=1 (0x1)

"NoRecentDocsMenu"=1 (0x1)

"NoRecentDocsHistory"=1 (0x1)

"NoStartBanner"=1 (0x1)

"NoInstrumentation"=1 (0x1)

"NoStartMenuMFUprogramsList"=1 (0x1)

"NoLowDiskSpaceChecks"=1 (0x1)

"NoResolveTrack"=1 (0x1)

"LinkResolveIgnoreLinkInfo"=1 (0x1)

"NoResolveSearch"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{73984FE0-9702-4C55-9C7B-9BA3C5861F25}"= C:\WINDOWS\system32\khfGwWMf.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"fsrpknov"= {81A99A30-C2B0-4AC9-841E-29C125650B59} - C:\WINDOWS\fsrpknov.dll []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfGwWMf]

khfGwWMf.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

"Authentication Packages"= msv1_0 C:\WINDOWS\system32\nnnoMCUl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdVantage]

"C:\Program Files\AdVantage\AdVantage.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]

C:\Program Files\DAEMON Tools Lite\daemon.exe -autorun

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DmwClient]

"C:\Program Files\DMW Client 3\dmwclient.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

"C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vcs6diamond]

D:\AV Vcs 6.0 DIAMOND\Vcs6Core.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

LocalService WebClient LmHosts RemoteRegistry upnphost SSDPSRV

-- End of Deckard's System Scanner: finished at 2005-08-03 17:09:10 ------------

SmitFraudFix v2.333

Scan done at 17:18:16,59, 2005-08-03

Run from C:\Documents and Settings\User\Pulpit\SmitfraudFix

OS: Microsoft Windows XP [Wersja 5.1.2600] - Windows_NT

The filesystem type is NTFS

Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix

!!

The files were deleted, but the keys were not.

Paste the following text into Notepad:

Windows Registry Editor Version 5.00

; "~" in the DSS dump is a display abbreviation for SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer;
; regedit needs the full key path, so it is written out here.
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31E7B3BE-10E7-46A8-8F6D-EFE84C967181}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{73984FE0-9702-4C55-9C7B-9BA3C5861F25}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{73984FE0-9702-4C55-9C7B-9BA3C5861F25}"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"fsrpknov"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfGwWMf]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdVantage]

From the Notepad menu >>> File >>> Save As >>> set the file type to "All Files" >>> save it as FIX.REG >>> run the file (double-click and OK, agree to add it to the Registry).

Restart the computer.

Optimize the startup items.

Clean the computer with CCleaner.

Turn System Restore off and back on for all drives. Instructions

Scan the My Computer area with http://www.kaspersky.pl/virusscanner.html (run it through IE) and post its report on the forum

or

Dr.WEB CureIt!.
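Both failures in this thread are registry-syntax mistakes: the Avenger script carried .reg-style `"name"=-` lines, which Avenger's pre-processor rejected, and the .reg fix was pasted from the DSS dump, which prints the BHO key abbreviated as `HKEY_LOCAL_MACHINE\~\Browser Helper Objects`, a path that does not exist. The Python script below is an added example, not code from this thread or from HijackThis, DSS or Avenger: it reads the `(file missing)` O2/O20/O21 lines from the HijackThis section above (copied in as constructed sample input), writes a regedit 5.00 script with the full key paths, and lints a .reg text for the `~` abbreviation and for value lines that sit outside a `[key]` section. The section-to-key mapping is the standard HijackThis meaning of those sections; the ShellExecuteHooks value and the HKEY_CLASSES_ROOT\CLSID key removals go beyond the thread's fix and are my additions, as the comments say.

```python
"""Build a regedit .reg cleanup file from HijackThis "(file missing)" entries.

Added example for this thread, not code from HijackThis, DSS, Avenger or the
forum helper. Section-to-key mapping is the standard HijackThis one:
O2 = Browser Helper Objects, O20 = Winlogon Notify, O21 = ShellServiceObjectDelayLoad.
"""
import re

# Constructed sample input: lines copied from the HijackThis section of the
# DSS log in this thread, with one benign O4 and O18 line left in as distractors.
SAMPLE_HJT_LOG = """\
O2 - BHO: (no name) - {31E7B3BE-10E7-46A8-8F6D-EFE84C967181} - C:\\WINDOWS\\system32\\nnnoMCUl.dll (file missing)
O2 - BHO: (no name) - {73984FE0-9702-4C55-9C7B-9BA3C5861F25} - C:\\WINDOWS\\system32\\khfGwWMf.dll (file missing)
O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\\PROGRA~1\\COMMON~1\\Skype\\SKYPE4~1.DLL
O20 - Winlogon Notify: khfGwWMf - khfGwWMf.dll (file missing)
O21 - SSODL: fsrpknov - {81A99A30-C2B0-4AC9-841E-29C125650B59} - C:\\WINDOWS\\fsrpknov.dll (file missing)
"""

HKLM = "HKEY_LOCAL_MACHINE"
HKCR = "HKEY_CLASSES_ROOT"
# Full key paths. DSS/ComboFix print the first one abbreviated as
# HKEY_LOCAL_MACHINE\~\Browser Helper Objects; that form must never go into a .reg file.
BHO_KEY = HKLM + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
SEH_KEY = HKLM + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks"
NOTIFY_KEY = HKLM + r"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
SSODL_KEY = HKLM + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"

GUID = r"(\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})"
MISSING = r" - (.+?) \(file missing\)$"
PATTERNS = {
    "O2": re.compile(r"^O2 - BHO: .*? - " + GUID + MISSING),
    "O20": re.compile(r"^O20 - Winlogon Notify: (\S+)" + MISSING),
    "O21": re.compile(r"^O21 - SSODL: (\S+) - " + GUID + MISSING),
}


def find_orphans(hjt_log):
    """Return one dict per O2/O20/O21 line whose DLL HijackThis reports as missing."""
    orphans = []
    for raw in hjt_log.splitlines():
        line = raw.strip()
        for section, pat in PATTERNS.items():
            m = pat.match(line)
            if not m:
                continue
            g = m.groups()
            if section == "O2":      # (clsid, path)
                orphans.append({"section": "O2", "name": g[0], "clsid": g[0], "path": g[1]})
            elif section == "O20":   # (subkey name, path)
                orphans.append({"section": "O20", "name": g[0], "clsid": None, "path": g[1]})
            else:                    # (value name, clsid, path)
                orphans.append({"section": "O21", "name": g[0], "clsid": g[1], "path": g[2]})
    return orphans


def build_reg(orphans):
    """Emit a regedit 5.00 script: [-key] deletes a key, "name"=- deletes one value."""
    out = ["Windows Registry Editor Version 5.00", ""]
    for o in orphans:
        if o["section"] == "O2":
            out += ["[-" + BHO_KEY + "\\" + o["clsid"] + "]", ""]
            # This thread's DSS dump also listed the BHO CLSID under ShellExecuteHooks.
            # regedit creates the [key] if absent and ignores "name"=- for a missing value.
            out += ["[" + SEH_KEY + "]", '"' + o["clsid"] + '"=-', ""]
        elif o["section"] == "O20":
            out += ["[-" + NOTIFY_KEY + "\\" + o["name"] + "]", ""]
        else:
            out += ["[" + SSODL_KEY + "]", '"' + o["name"] + '"=-', ""]
        if o["clsid"]:
            # Also drop the COM class registration (my addition; the thread's fix leaves it).
            out += ["[-" + HKCR + "\\CLSID\\" + o["clsid"] + "]", ""]
    return "\r\n".join(out)


REG_HEADER = "Windows Registry Editor Version 5.00"
KEY_LINE = re.compile(r"^\[-?(HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER|HKEY_CLASSES_ROOT|HKEY_USERS|HKEY_CURRENT_CONFIG)\\[^\]]+\]$")
VALUE_LINE = re.compile(r'^(?:"[^"]+"|@)=.*$')


def lint_reg(text):
    """Report what regedit would silently skip: missing header, the DSS '~'
    abbreviation, malformed key lines, and value lines not under a [key] line."""
    problems = []
    lines = text.splitlines()
    if not lines or lines[0].strip() != REG_HEADER:
        problems.append("line 1: missing header " + repr(REG_HEADER))
    in_key = False
    for n, raw in enumerate(lines[1:], start=2):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            if not KEY_LINE.match(line):
                problems.append("line %d: malformed key line %r" % (n, line))
                in_key = False
                continue
            if "\\~\\" in line:
                problems.append("line %d: '~' is a DSS display abbreviation, not a real key: %r" % (n, line))
            in_key = not line.startswith("[-")   # values after a [-key] line are ignored
        elif VALUE_LINE.match(line):
            if not in_key:
                problems.append("line %d: value line outside a [key] section: %r" % (n, line))
        else:
            problems.append("line %d: unrecognised line %r" % (n, line))
    return problems


if __name__ == "__main__":
    reg = build_reg(find_orphans(SAMPLE_HJT_LOG))
    print(reg)
    print("lint:", lint_reg(reg) or "clean")
```

Run it on a saved HijackThis log and paste the output into Notepad as FIX.REG exactly as the post above describes; run lint_reg on any hand-written .reg first, since regedit reports nothing when it skips a line it cannot parse, which is why the earlier Avenger run and a `~` path both fail silently from the user's point of view.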