Temp2.exe, common (prosze o sprawdzenie logow)

namrab · 11 Listopad 2007 10:54

Po każdym odpaleniu windowsa wyskakuje mi błšd temp2.exe czy co� w ten deseń plus otwiera mi się wolder z jakimi� dziwnymi plikami… poniżej screeny a tuż pod nimi log z hijacka, ogółem jest to notebook toshiby, z celeronem 1.6 i 448 ramu, ale i tak chodzi co� za wolno…

błšd:

folder który przy każdym włšczeniu kompa się pojawia:

Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 08:04:58, on 2007-11-11 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\WINDOWS\AGRSMMSG.exe C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe C:\Program Files\TOSHIBA\Tvs\TvsTray.exe C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe C:\Program Files\TOSHIBA\Program narzędziowy TOSHIBA Zooming Utility\SmoothView.exe C:\WINDOWS\System32\DLA\DLACTRLW.EXE C:\WINDOWS\system32\temp1.exe C:\WINDOWS\system32\TPSBattM.exe C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe C:\WINDOWS\RTHDCPL.EXE C:\PROGRA~1\NEOSTR~1\CnxMon.exe C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe C:\Program Files\DAEMON Tools\daemon.exe C:\WINDOWS\RaUI.exe C:\Program Files\Neostrada TP\NeostradaTP.exe C:\Program Files\Neostrada TP\ComComp.exe C:\Program Files\Neostrada TP\Watch.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Java\jre1.5.0_11\bin\jucheck.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łšcza R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL F3 - REG:win.ini: load=C:\WINDOWS\svchost.exe O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O4 - HKLM…\Run: [ATIPTA] “C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe” O4 - HKLM…\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM…\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe O4 - HKLM…\Run: [Tvs] C:\Program Files\TOSHIBA\Tvs\TvsTray.exe O4 - HKLM…\Run: [TPSMain] TPSMain.exe O4 - HKLM…\Run: [NDSTray.exe] NDSTray.exe O4 - HKLM…\Run: [smoothView] C:\Program Files\TOSHIBA\Program narzędziowy TOSHIBA Zooming Utility\SmoothView.exe O4 - HKLM…\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe O4 - HKLM…\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE O4 - HKLM…\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe O4 - HKLM…\Run: [CFSServ.exe] CFSServ.exe -NoClient O4 - HKLM…\Run: [sunJavaUpdateSched] “C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe” O4 - HKLM…\Run: [GrooveMonitor] “C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe” O4 - HKLM…\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM…\Run: [Alcmtr] ALCMTR.EXE O4 - HKLM…\Run: [RavTimeXP] C:\WINDOWS\Mstray.exe O4 - HKLM…\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe O4 - HKLM…\Run: [speedTouch USB Diagnostics] “C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” /icon O4 - HKLM…\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe O4 - HKLM…\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe O4 - HKLM…\Run: [ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU…\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe O4 - HKCU…\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] “C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe” O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray O4 - HKCU…\Run: [DAEMON Tools] “C:\Program Files\DAEMON Tools\daemon.exe” -lang 1033 O4 - HKUS\S-1-5-19…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘USŁUGA LOKALNA’) O4 - HKUS\S-1-5-20…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘USŁUGA SIECIOWA’) O4 - HKUS\S-1-5-18…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘SYSTEM’) O4 - HKUS.DEFAULT…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘Default user’) O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Ralink Wireless Utility.lnk = C:\WINDOWS\RaUI.exe O8 - Extra context menu item: Eksportuj do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra ‘Tools’ menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O9 - Extra button: Wy�lij do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra ‘Tools’ menuitem: Wy�lij do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL O10 - Unknown file in Winsock LSP: rsvp322.dll O10 - Unknown file in Winsock LSP: rsvp322.dll O10 - Unknown file in Winsock LSP: rsvp322.dll O10 - Unknown file in Winsock LSP: rsvp322.dll O10 - Unknown file in Winsock LSP: rsvp322.dll O10 - Unknown file in Winsock LSP: rsvp322.dll O10 - Unknown file in Winsock LSP: rsvp322.dll O10 - Unknown file in Winsock LSP: rsvp322.dll O10 - Unknown file in Winsock LSP: rsvp322.dll O10 - Unknown file in Winsock LSP: rsvp322.dll O10 - Unknown file in Winsock LSP: rsvp322.dll O10 - Unknown file in Winsock LSP: rsvp322.dll O10 - Unknown file in Winsock LSP: rsvp322.dll O10 - Unknown file in Winsock LSP: rsvp322.dll O10 - Unknown file in Winsock LSP: rsvp322.dll O10 - Unknown file in Winsock LSP: rsvp322.dll O10 - Unknown file in Winsock LSP: rsvp322.dll O10 - Unknown file in Winsock LSP: rsvp322.dll O10 - Unknown file in Winsock LSP: rsvp322.dll O10 - Unknown file in Winsock LSP: rsvp322.dll O10 - Unknown file in Winsock LSP: rsvp322.dll O10 - Unknown file in Winsock LSP: rsvp322.dll O10 - Unknown file in Winsock LSP: rsvp322.dll O17 - HKLM\System\CCS\Services\Tcpip…{C39B8DDB-08A4-441A-BF7E-6F9197030FEB}: NameServer = 194.204.159.1 217.98.63.164 O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe – End of file - 8297 bytes

Gutek · 11 Listopad 2007 14:00

daruj sobie

usuń wpisy HJT

Daj log z ComboFix oraz

Pobierz program SDFix

namrab · 11 Listopad 2007 14:24

ComboFix 07-11-08.1 - RTV mix AGD 2007-11-11 15:11:20.2 - NTFSx86 Running from: C:\Documents and Settings\RTV mix AGD\Pulpit\ComboFix.exe * Created a new restore point . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\WINDOWS\autorun.inf C:\WINDOWS\system32\pfxzmtaim.dll C:\WINDOWS\system32\pfxzmtforum.dll C:\WINDOWS\system32\pfxzmtgtal.dll C:\WINDOWS\system32\pfxzmticq.dll C:\WINDOWS\system32\pfxzmtsmt.dll C:\WINDOWS\system32\pfxzmtsmtspm.dll C:\WINDOWS\system32\pfxzmtwbmail.dll C:\WINDOWS\system32\pfxzmtymsg.dll C:\WINDOWS\system32\rsvp322.dll C:\WINDOWS\system32\rsvp322.dllgerg . ((((((((((((((((((((((((( Files Created from 2007-10-11 to 2007-11-11 ))))))))))))))))))))))))))))))) . 2007-11-11 08:04 2007-11-08 23:34 2007-11-08 22:52 2007-11-08 01:04 2007-11-08 01:04 545 --a------ C:\WINDOWS\UC.PIF 2007-11-08 01:04 545 --a------ C:\WINDOWS\RAR.PIF 2007-11-08 01:04 545 --a------ C:\WINDOWS\PKZIP.PIF 2007-11-08 01:04 545 --a------ C:\WINDOWS\PKUNZIP.PIF 2007-11-08 01:04 545 --a------ C:\WINDOWS\NOCLOSE.PIF 2007-11-08 01:04 545 --a------ C:\WINDOWS\LHA.PIF 2007-11-08 01:04 545 --a------ C:\WINDOWS\ARJ.PIF 2007-11-07 21:05 2007-11-07 08:25 306,688 --a------ C:\WINDOWS\IsUninst.exe 2007-11-05 21:27 2007-11-05 21:20 2007-11-05 21:20 2007-11-05 21:20 2007-11-05 21:20 1,056,768 --------- C:\WINDOWS\system32\ROBOEX32.DLL 2007-11-05 21:20 49,152 --------- C:\WINDOWS\system32\INETWH32.dll 2007-11-05 20:26 2007-11-05 18:19 314,880 --a------ C:\WINDOWS\system32\qtplugin.exe 2007-11-05 18:19 314,880 --a------ C:\WINDOWS\mljul0.exe 2007-11-05 18:18 8,704 --a------ C:\WINDOWS\system32\sporder.dll 2007-11-04 21:12 2007-11-04 18:28 32,768 --a------ C:\WINDOWS\system32\WooDial2000.dll 2007-11-04 18:15 70,688 --a------ C:\WINDOWS\system32\drivers\alcaudsl.sys 2007-11-04 18:15 53,600 --a------ C:\WINDOWS\system32\drivers\alcan5wn.sys 2007-11-04 18:15 5,606 --a------ C:\WINDOWS\system32\stci.dll 2007-11-04 18:15 5,280 --a------ C:\WINDOWS\system32\drivers\alcawh.sys 2007-11-04 18:15 3,968 --a------ C:\WINDOWS\system32\drivers\alcacr.sys 2007-11-04 18:14 2007-11-04 18:13 2007-11-04 18:13 2007-10-20 17:36 584,192 -----c— C:\WINDOWS\system32\dllcache\rpcrt4.dll . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-11-11 08:23 --------- d-----w C:\Program Files\Java 2007-11-07 21:07 --------- d-----w C:\Program Files\Common Files\Adobe 2007-11-05 21:21 --------- d–h--w C:\Program Files\InstallShield Installation Information 2007-11-05 21:20 --------- d-----w C:\Program Files\Common Files\InstallShield 2007-10-10 20:28 --------- d-----w C:\Documents and Settings\RTV mix AGD\Dane aplikacji\U3 2007-09-26 08:35 --------- d-----w C:\Program Files\Common 2007-09-18 20:01 --------- d-----w C:\Program Files\Realtek 2007-09-11 19:59 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Microsoft Help 2007-06-17 13:47 0 —ha-w C:\Program Files\Common Files\MSN . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “ATIPTA”=“C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe” [2005-08-05 20:05] “AGRSMMSG”=“AGRSMMSG.exe” [2005-10-15 13:29 C:\WINDOWS\agrsmmsg.exe] “THotkey”=“C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe” [2005-12-08 11:53] “Tvs”=“C:\Program Files\TOSHIBA\Tvs\TvsTray.exe” [2005-11-30 11:25] “TPSMain”=“TPSMain.exe” [2005-08-04 13:16 C:\WINDOWS\system32\TPSMain.exe] “NDSTray.exe”=“NDSTray.exe” [] “SmoothView”=“C:\Program Files\TOSHIBA\Program narzędziowy TOSHIBA Zooming Utility\SmoothView.exe” [] “PadTouch”=“C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe” [2005-08-30 12:21] “DLA”=“C:\WINDOWS\System32\DLA\DLACTRLW.EXE” [2005-08-01 04:10] “NeroFilterCheck”=“C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe” [2006-01-12 16:40] “CFSServ.exe”=“CFSServ.exe” [] “SunJavaUpdateSched”=“C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe” [2007-03-14 03:43] “GrooveMonitor”=“C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe” [2006-10-26 23:47] “RTHDCPL”=“RTHDCPL.EXE” [2006-05-05 05:59 C:\WINDOWS\RTHDCPL.exe] “RavTimeXP”=“C:\WINDOWS\Mstray.exe” [] “WooCnxMon”=“C:\PROGRA~1\NEOSTR~1\CnxMon.exe” [2003-10-16 18:07] “SpeedTouch USB Diagnostics”=“C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” [2004-01-26 12:38] “WOOWATCH”=“C:\PROGRA~1\NEOSTR~1\Watch.exe” [2003-10-16 18:07] “WOOTASKBARICON”=“C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe” [2003-10-16 18:07] “RegistryMonitor1”="" [] “Ulead AutoDetector v2”=“C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe” [2004-11-26 11:43] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “CTFMON.EXE”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-04 11:00] “TOSCDSPD”=“C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe” [2005-04-12 11:04] “BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}”=“C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe” [2006-06-01 13:32] “Gadu-Gadu”=“C:\Program Files\Gadu-Gadu\gg.exe” [2006-11-14 09:12] C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\ Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-11-07 21:07:28] Ralink Wireless Utility.lnk - C:\WINDOWS\RaUI.exe [2007-01-02 15:08:11] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk] path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^RTV mix AGD^Menu Start^Programy^Autostart^Mobile Phone Manager.lnk] path=C:\Documents and Settings\RTV mix AGD\Menu Start\Programy\Autostart\Mobile Phone Manager.lnk backup=C:\WINDOWS\pss\Mobile Phone Manager.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^RTV mix AGD^Menu Start^Programy^Autostart^Szybkie uruchamianie programu Microsoft Office OneNote 2003.lnk] path=C:\Documents and Settings\RTV mix AGD\Menu Start\Programy\Autostart\Szybkie uruchamianie programu Microsoft Office OneNote 2003.lnk backup=C:\WINDOWS\pss\Szybkie uruchamianie programu Microsoft Office OneNote 2003.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp] “C:\Program Files\Common Files\Symantec Shared\ccApp.exe” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWEReboot] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype] “C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent] C:\Program Files\Winamp\winampa.exe S3 cmudau;C-Media USB Sound Interface;C:\WINDOWS\system32\drivers\cmudau.sys . ************************************************************************** catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-11-11 15:15:56 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2007-11-11 15:17:46 - machine was rebooted . — E O F —

Gutek · 11 Listopad 2007 14:42

a prosiłem:

namrab · 11 Listopad 2007 14:49

SDFix: Version 1.114 Run by RTV mix AGD on 2007-11-11 at 15:37 Microsoft Windows XP [Wersja 5.1.2600] Running From: C:\SDFix Safe Mode: Checking Services: Restoring Windows Registry Values Restoring Windows Default Hosts File Rebooting… Normal Mode: Checking Files: Trojan Files Found: C:\WINDOWS\mljul0.exe - Deleted C:\WINDOWS\system32\qtplugin.exe - Deleted Removing Temp Files… ADS Check: C:\WINDOWS No streams found. C:\WINDOWS\system32 No streams found. C:\WINDOWS\system32\svchost.exe No streams found. C:\WINDOWS\system32\ntoskrnl.exe No streams found. Final Check: catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-11-11 15:44:18 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes … scanning hidden services & system hive … [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg] “s1”=dword:2df9c43f “s2”=dword:110480d0 “h0”=dword:00000001 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4] “h0”=dword:00000000 “khjeh”=hex:7f,de,1d,1d,1d,3b,3f,10,56,0e,97,44,2a,3d,7d,2a,4f,03,6a,a2,36,… [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4] “h0”=dword:00000000 “khjeh”=hex:7f,de,1d,1d,1d,3b,3f,10,56,0e,97,44,2a,3d,7d,2a,4f,03,6a,a2,36,… scanning hidden registry entries … [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\24\xe1\21] “DisplayName”="\x1fe8\x3d1\x1fe8\x3d1\1" “DeviceDesc”="\x1fe8\x3d1\x1fe8\x3d1\1" “ProviderName”="\xfed4\21\xee18\x7c90\xff44\21\b" “MFG”="\x648" “ReinstallString”=“C:\WINDOWS\System32\ReinstallBackups\xe114\21\x80\xc010\DriverFiles.INF” “DeviceInstanceIds”=str(7):“c:\toolscd\display driver\sbdrv\smbus\smbusati.inf” [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\A\1\5\1c] “Order”=hex:08,00,00,00,02,00,00,00,b8,01,00,00,01,00,00,00,04,00,00,00,8c,… scanning hidden files … scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 Remaining Services: ------------------ Authorized Application Key Export: [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list] “C:\Program Files\TOSHIBA\ConfigFree\CFXFER.exe”=“C:\Program Files\TOSHIBA\ConfigFree\CFXFER.exe:*:Enabled:ConfigFree SUMMIT Engine” [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list] Remaining Files: --------------- File Backups: - C:\SDFix\backups\backups.zip Files with Hidden Attributes: Wed 29 Aug 2007 56 …SHR — “C:\WINDOWS\system32\C0BA5A1F94.sys” Fri 9 Nov 2007 10,856 A.SH. — “C:\WINDOWS\system32\KGyGaAvL.sys” Mon 7 May 2007 4,348 A.SH. — “C:\Documents and Settings\All Users\DRM\DRMv1.bak” Wed 7 Nov 2007 10,856 A.SH. — “C:\System Volume Information_restore{05629D35-582F-4426-A966-71C42E82A9CD}\RP147\A0027330.sys” Thu 7 Dec 2006 3,096,576 A…H. — “C:\Documents and Settings\RTV mix AGD\Dane aplikacji\U3\temp\Launchpad Removal.exe” Finished!

Gutek · 11 Listopad 2007 17:39

Na koniec tylko Prawoklik na Mój Komputer>>Przywracanie systemu>> wyłącz przywracanie systemu na wszystkich dyskach.