TrojanDownloader HELP

Problem with TrojanDownloader.xl and the Windows registry… regularly, every 15-20 minutes or so, one of three threat warnings appeared on the monitor screen, about either some file wml.exe, or TrojanDownloader.xs, or some critical error in the Windows registry, and it all comes down to me being able to get rid of it by installing one of the programs that can be bought at http://antispyware-reviews.biz/?wmid=46 … R3n1c2Bg8A I use the avast! antivirus. But I bought the program mentioned above and the problem doesn't go away, i.e. the messages no longer appear, but the computer is terribly sluggish and freezes every moment. Similar threads have already appeared, but I am a layperson and I admit that I have trouble understanding their content, i.e. I already know how to make a log with the HijackThis program and I am posting it below, but I don't know what to do next? What should I remove, how, and with what? I ask for help and for it to be explained as simply as possible :glupek2: Thank you very much in advance for any help.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 19:20, on 2008-04-14

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\ATKOSD2\ATKOSD2.exe

C:\Program Files\ATK Hotkey\Hcontrol.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\ASUS\ATK Media\DMEDIA.EXE

C:\Program Files\ASUS\ASUS Live Update\ALU.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\ASUS\Splendid\ACMON.exe

C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe

C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe

C:\Program Files\Wireless Console 2\wcourier.exe

C:\WINDOWS\system32\ASUSTPE.exe

C:\WINDOWS\system32\ACEngSvr.exe

C:\WINDOWS\ASScrPro.exe

C:\Program Files\Atheros\ACU.exe

C:\Program Files\Common Files\Symantec Shared\PIF{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\PC-Antispyware\PCA-Purchased.exe

C:\WINDOWS\system32\acs.exe

C:\Program Files\Gadu-Gadu\gg.exe

c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\ATK Hotkey\ATKOSD.exe

C:\Program Files\ATK Hotkey\KBFiltr.exe

C:\Program Files\ATK Hotkey\WDC.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Symantec Shared\PIF{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\Program Files\CyberLink\Shared Files\RichVideo.exe

C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Skype\Plugin Manager\skypePM.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.asus.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - URLSearchHook: Yahoo! ¤u¨ă¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: PC-Antispyware Site Blocker Button - {10F0C2A9-8E38-43e3-204D-45524C494E20} - C:\Program Files\PC-Antispyware\IeExtension.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: Yahoo! ¤u¨ă¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll

O4 - HKLM…\Run: [ATKOSD2] “C:\Program Files\ATKOSD2\ATKOSD2.exe”

O4 - HKLM…\Run: [ATKHOTKEY] “C:\Program Files\ATK Hotkey\Hcontrol.exe”

O4 - HKLM…\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM…\Run: [skyTel] SkyTel.EXE

O4 - HKLM…\Run: [ATKMEDIA] C:\Program Files\ASUS\ATK Media\DMEDIA.EXE

O4 - HKLM…\Run: [ASUS Live Update] C:\Program Files\ASUS\ASUS Live Update\ALU.exe

O4 - HKLM…\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM…\Run: [ACMON] “C:\Program Files\ASUS\Splendid\ACMON.exe”

O4 - HKLM…\Run: [ABLKSR] C:\WINDOWS\ABLKSR\ABLKSR.exe

O4 - HKLM…\Run: [RemoteControl] “C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe”

O4 - HKLM…\Run: [securDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe

O4 - HKLM…\Run: [sMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe

O4 - HKLM…\Run: [PowerForPhone] “C:\Program Files\P4P\P4P.exe”

O4 - HKLM…\Run: [Wireless Console 2] “C:\Program Files\Wireless Console 2\wcourier.exe”

O4 - HKLM…\Run: [ASUSTPE] C:\WINDOWS\system32\ASUSTPE.exe

O4 - HKLM…\Run: [ASUS Camera ScreenSaver] C:\WINDOWS\ASScrProlog.exe

O4 - HKLM…\Run: [ASUS Screen Saver Protector] C:\WINDOWS\ASScrPro.exe

O4 - HKLM…\Run: [ACU] “C:\Program Files\Atheros\ACU.exe” -nogui

O4 - HKLM…\Run: [symantec PIF AlertEng] “C:\Program Files\Common Files\Symantec Shared\PIF{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe” /a /m “C:\Program Files\Common Files\Symantec Shared\PIF{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll”

O4 - HKLM…\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot

O4 - HKLM…\Run: [sunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe”

O4 - HKLM…\Run: [QuickTime Task] “C:\Program Files\QuickTime\QTTask.exe” -atboottime

O4 - HKLM…\Run: [iTunesHelper] “C:\Program Files\iTunes\iTunesHelper.exe”

O4 - HKLM…\Run: [PC-Antispyware] “C:\Program Files\PC-Antispyware\PCA-Purchased.exe” hide

O4 - HKCU…\Run: [startCCC] c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray

O4 - HKCU…\Run: [skype] “C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized

O4 - HKCU…\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU…\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU…\Run: [Yahoo! Pager] “C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe” -quiet

O4 - HKCU…\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background

O4 - HKLM…\Policies\Explorer\Run: [bI2IhdoNX3] C:\Documents and Settings\All Users\Dane aplikacji\ejyfmxwr\kjirklmx.exe

O4 - HKUS\S-1-5-19…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘USŁUGA LOKALNA’)

O4 - HKUS\S-1-5-20…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘USŁUGA SIECIOWA’)

O4 - HKUS\S-1-5-18…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘SYSTEM’)

O4 - HKUS.DEFAULT…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘Default user’)

O4 - .DEFAULT User Startup: CCC.lnk = ? (User ‘Default user’)

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: vtULcaYq - vtULcaYq.dll (file missing)

O23 - Service: Usługa konfiguracji Atheros (ACS) - Atheros - C:\WINDOWS\system32\acs.exe

O23 - Service: Urządzenie mobilne Apple (Apple Mobile Device) - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe

O23 - Service: Usługa iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)

O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

O23 - Service: spmgr - Unknown owner - C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe

End of file - 12166 bytes

Run the HijackThis scan once more and look for these entries:

O4 - HKLM…\Policies\Explorer\Run: [bI2IhdoNX3] C:\Documents and Settings\All Users\Dane aplikacji\ejyfmxwr\kjirklmx.exe

O20 - Winlogon Notify: vtULcaYq - vtULcaYq.dll (file missing)

Tick them on the left side, in that little white checkbox, and then choose “fix error” :wink:

Disable System Restore on all drives. http://support.microsoft.com/kb/310405/pl

Download the SDFix program
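As an added illustration (not from this thread, HijackThis or any other tool mentioned here), a small Python triage script that applies the heuristics the reply above relies on to pick out the two bad lines: an autostart under Policies\Explorer\Run that points into a profile data folder with random-looking names, and a Winlogon Notify hook whose DLL is already missing. The sample lines are copied from the log above in the forum's rendering; the scoring, thresholds and the `…`/`\..\` handling are my own assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a few O4/O20 lines in the shape of the HijackThis log above
# (the forum rendering shows HijackThis' "\..\" as an ellipsis; both forms are accepted).
SAMPLE_LOG = r"""
O4 - HKLM…\Run: [ATKOSD2] “C:\Program Files\ATKOSD2\ATKOSD2.exe”
O4 - HKCU…\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM…\Policies\Explorer\Run: [bI2IhdoNX3] C:\Documents and Settings\All Users\Dane aplikacji\ejyfmxwr\kjirklmx.exe
O4 - HKUS\S-1-5-18…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘SYSTEM’)
O20 - Winlogon Notify: vtULcaYq - vtULcaYq.dll (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[^:]*?)(?:\\\.\.|…)\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>.+?)(?P<missing> \(file missing\))?$"
)
# Executable path at the start of an O4 command, with or without (curly) quotes.
EXE_RE = re.compile(r'^["“]?(?P<path>.+?\.(?:exe|dll|scr|com|bat|cmd))', re.IGNORECASE)
# Profile data locations; "Dane aplikacji" is Application Data on a Polish XP.
DATA_DIR_RE = re.compile(
    r"\\(?:Documents and Settings|Users)\\.*?\\(?:Dane aplikacji|Application Data|AppData|"
    r"Ustawienia lokalne|Local Settings|Temp)\\",
    re.IGNORECASE,
)
VOWELS = set("aeiou")


@dataclass
class Finding:
    line: str
    score: int
    reasons: list = field(default_factory=list)


def low_vowel_name(token: str) -> bool:
    """Weak heuristic for machine-generated names: 8+ letters with almost no vowels."""
    letters = [c for c in token.lower() if c.isalpha()]
    return len(letters) >= 8 and sum(c in VOWELS for c in letters) / len(letters) <= 0.15


def exe_path(cmd: str) -> str:
    """Executable part of an O4 command, without quotes, switches or the (User ...) suffix."""
    m = EXE_RE.match(cmd.strip())
    return m.group("path") if m else cmd.strip()


def path_tokens(path: str) -> list:
    """Directory and file-name tokens of a path, file extension dropped."""
    return [re.sub(r"\.[A-Za-z0-9]{1,4}$", "", p) for p in path.split("\\")]


def triage_line(line: str):
    """Score one O4/O20 line; return a Finding when the score reaches 2, else None."""
    line = line.strip()
    reasons, score = [], 0
    m = O4_RE.match(line)
    if m:
        key, name, path = m.group("key"), m.group("name"), exe_path(m.group("cmd"))
        if "policies\\explorer\\run" in key.lower():
            reasons.append("autostart via Policies\\Explorer\\Run, rarely used by legitimate software")
            score += 1
        if DATA_DIR_RE.search(path):
            reasons.append("executable sits under a profile data directory, not Program Files or Windows")
            score += 1
        if any(low_vowel_name(t) for t in [name] + path_tokens(path)):
            reasons.append("random-looking name in the entry or its path")
            score += 1
    else:
        m = O20_RE.match(line)
        if m and m.group("missing"):
            reasons.append("Winlogon Notify DLL registered but missing: leftover hook of removed malware")
            score += 2
        elif m and low_vowel_name(m.group("name")):
            reasons.append("random-looking Winlogon Notify name")
            score += 1
    return Finding(line, score, reasons) if score >= 2 else None


def triage_log(text: str) -> list:
    """Findings for every suspicious line of a HijackThis log, in log order."""
    return [f for f in map(triage_line, text.splitlines()) if f]


if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print(finding.line)
        for reason in finding.reasons:
            print("   -", reason)
```

Single weak signals (a vendor name with few vowels, say) score 1 and are not reported; only the combination, or a missing Winlogon Notify DLL on its own, is flagged.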

Thank you very much for the help, but unfortunately I am such a layperson that I can't manage even at the very beginning, when entering safe mode. No file named SDFix appears for me, even though I extracted it earlier.

Check where you extracted that file, but most likely it should be here:

The file is extracted as it should be; my problem is rather at the moment of starting safe mode. When I want to start Windows in that mode, a black screen appears with a blinking ‘dash’, and it stays like that for a very long time. Is that how it should be?

(I just wanted to remind you that in these matters I am a complete layperson and I have never carried out such operations on my computer before)

Since you have problems with safe mode, download ComboFix, scan the system in normal mode, then post the log

:slight_smile:

Here is the log:

ComboFix 08-04-13.1 - Agosh 2008-04-15 19:41:20.4 - FAT32 x86

Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1045.18.1472 [GMT 1:00]

Running from: C:\Documents and Settings\Agosh\Pulpit\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED!!

.

((((((((((((((((((((((((( Files Created from 2008-03-15 to 2008-04-15 )))))))))))))))))))))))))))))))

.

2008-04-14 20:41 . 2008-04-14 05:41

2008-04-14 20:32 . 2008-04-14 20:32

2008-04-14 18:43 . 2008-04-14 18:43

2008-04-14 18:38 . 2008-04-14 18:38

2008-04-13 23:59 . 2008-04-13 23:59

2008-04-13 22:58 . 2008-04-13 22:58

2008-04-13 22:58 . 2008-04-13 22:58 25,472 --a------ C:\WINDOWS\system32\drivers\pca-firewall.sys

2008-04-13 22:35 . 2008-04-13 22:36

2008-04-13 21:54 . 2008-03-29 18:23 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr

2008-04-13 21:54 . 2008-03-29 18:27 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys

2008-04-13 21:54 . 2008-03-29 18:26 26,944 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys

2008-04-13 21:54 . 2008-03-29 18:29 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys

2008-04-13 21:54 . 2008-03-29 18:35 20,560 --a------ C:\WINDOWS\system32\drivers\aswFsBlk.sys

2008-04-13 21:53 . 2008-04-13 21:53

2008-04-13 21:53 . 2008-03-29 18:45 1,146,232 --a------ C:\WINDOWS\system32\aswBoot.exe

2008-04-13 21:53 . 2004-01-09 09:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx

2008-04-13 21:53 . 2008-03-29 18:35 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys

2008-04-13 21:53 . 2008-01-17 16:34 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys

2008-04-13 21:53 . 2008-03-29 18:31 75,856 --a------ C:\WINDOWS\system32\drivers\aswSP.sys

2008-04-13 21:43 . 2008-04-13 21:43

2008-04-13 19:44 . 2008-04-13 19:45

2008-04-13 19:00 . 2008-04-13 19:00

2008-04-13 19:00 . 2008-04-13 14:08 217,088 --a------ C:\WINDOWS\dsktbwfe.dll

2008-04-13 19:00 . 2008-04-13 14:08 204,800 --a------ C:\WINDOWS\sgoblxtm.dll

2008-04-13 19:00 . 2008-04-13 14:08 200,704 --a------ C:\WINDOWS\ogxtsepr.dll

2008-04-13 19:00 . 2008-04-13 14:08 98,304 --a------ C:\WINDOWS\spnkfwad.exe

2008-04-13 18:55 . 2008-04-13 18:55

2008-04-13 17:24 . 2007-11-22 17:00 483,328 --a------ C:\WINDOWS\system32\actskn45.ocx

2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx

2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts

2008-03-23 14:56 . 2008-03-23 14:56

2008-03-22 19:35 . 2008-03-22 19:35

2008-03-22 19:35 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl

2008-03-22 19:33 . 2008-03-22 19:33

2008-03-20 20:18 . 2008-03-20 20:18

2008-03-20 09:09 . 2008-03-20 09:09 1,845,504 --------- C:\WINDOWS\system32\dllcache\win32k.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-03-20 08:09 1,845,504 ----a-w C:\WINDOWS\system32\win32k.sys

2008-03-12 18:26 --------- d-----w C:\Program Files\QuickTime

2008-03-12 06:54 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Yahoo! Companion

2008-03-12 06:54 --------- d-----w C:\Documents and Settings\Agosh\Dane aplikacji\Yahoo!

2008-03-09 14:52 --------- d-----w C:\Program Files\SopCast

2008-03-09 14:50 --------- d-----w C:\Program Files\7-Zip

2008-03-08 07:19 --------- d-----w C:\Documents and Settings\Agosh\Dane aplikacji\DivX

2008-03-08 07:13 --------- d-----w C:\Program Files\Yahoo!

2008-03-08 07:13 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Yahoo!

2008-03-04 20:54 --------- d-----w C:\Program Files\DivX

2008-03-04 19:50 892,928 ----a-w C:\WINDOWS\system32\iconv.dll

2008-03-04 19:50 405,504 ----a-w C:\WINDOWS\system32\libmplayer.dll

2008-03-04 19:50 3,108,864 ----a-w C:\WINDOWS\system32\libavcodec.dll

2008-03-04 19:50 126,976 ----a-w C:\WINDOWS\system32\libmpeg2_ff.dll

2008-03-04 19:48 79,360 ----a-w C:\WINDOWS\system32\mkzlib.dll

2008-03-04 19:48 23,552 ----a-w C:\WINDOWS\system32\mkunicode.dll

2008-03-04 19:48 163,840 ----a-w C:\WINDOWS\system32\ts.dll

2008-03-04 19:48 159,744 ----a-w C:\WINDOWS\system32\mmfinfo.dll

2008-03-04 19:48 148,480 ----a-w C:\WINDOWS\system32\mkx.dll

2008-03-04 19:48 141,312 ----a-w C:\WINDOWS\system32\mp4.dll

2008-03-04 19:48 120,832 ----a-w C:\WINDOWS\system32\ogm.dll

2008-03-04 19:48 --------- d-----w C:\Program Files\Real Alternative

2008-03-02 20:14 --------- d-----w C:\Program Files\Common Files\xing shared

2008-03-02 20:13 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll

2008-03-02 20:13 --------- d-----w C:\Program Files\Real

2008-03-02 20:13 --------- d-----w C:\Program Files\Common Files\Real

2008-03-02 20:09 --------- d-----w C:\Documents and Settings\Agosh\Dane aplikacji\BESTplayer

2008-03-01 17:32 3,591,680 ------w C:\WINDOWS\system32\dllcache\mshtml.dll

2008-02-29 18:44 --------- d-----w C:\Program Files\Microsoft Silverlight

2008-02-29 08:59 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe

2008-02-29 08:59 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe

2008-02-26 20:23 --------- d-----w C:\Program Files\Kyodai Mahjongg 2006

2008-02-26 20:03 --------- d-----w C:\Program Files\Kyodai

2008-02-25 21:06 --------- d-----w C:\Program Files\MarBit

2008-02-25 21:04 --------- d-----w C:\Program Files\iTunes

2008-02-25 21:04 --------- d-----w C:\Program Files\Bonjour

2008-02-25 21:04 --------- d-----w C:\Documents and Settings\Agosh\Dane aplikacji\Apple Computer

2008-02-25 21:03 --------- d-----w C:\Program Files\Apple Software Update

2008-02-25 21:03 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Apple Computer

2008-02-25 21:02 --------- d-----w C:\Program Files\Common Files\Apple

2008-02-25 21:02 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Apple

2008-02-25 20:59 --------- d-----w C:\Program Files\Google

2008-02-25 07:37 --------- d-----w C:\Program Files\MSXML 4.0

2008-02-23 17:12 32 ----a-w C:\Documents and Settings\All Users\Dane aplikacji\ezsid.dat

2008-02-23 17:12 --------- d-----w C:\Documents and Settings\Agosh\Dane aplikacji\skypePM

2008-02-23 17:10 --------- d-----w C:\Program Files\Skype

2008-02-23 17:10 --------- d-----w C:\Program Files\Common Files\Skype

2008-02-23 17:10 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Skype

2008-02-23 17:10 --------- d-----w C:\Documents and Settings\Agosh\Dane aplikacji\Skype

2008-02-23 17:06 --------- d-----w C:\Program Files\Gadu-Gadu

2008-02-22 22:45 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\LightScribe

2008-02-22 22:45 --------- d-----w C:\Documents and Settings\Agosh\Dane aplikacji\Ahead

2008-02-22 22:43 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\CyberLink

2008-02-22 22:37 --------- d-----w C:\Documents and Settings\Agosh\Dane aplikacji\ATI

2008-02-22 10:00 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe

2008-02-21 01:03 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe

2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll

2008-02-20 06:51 282,624 ------w C:\WINDOWS\system32\dllcache\gdi32.dll

2008-02-20 05:38 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll

2008-02-20 05:38 45,568 ------w C:\WINDOWS\system32\dllcache\dnsrslvr.dll

2008-02-20 05:38 148,992 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll

2008-02-15 05:44 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll

2008-01-30 21:35 606,848 ----a-w C:\WINDOWS\flashax.exe

2008-01-30 21:35 503,808 ----a-w C:\WINDOWS\Asus_Camera_ScreenSaver.scr

2008-01-30 21:35 4,499,453 ----a-w C:\WINDOWS\ASUS Camera ScreenSaver.exe

2008-01-30 21:35 37,232 ----a-w C:\WINDOWS\ASScrProlog.exe

2008-01-30 21:35 33,136 ----a-w C:\WINDOWS\ASScrPro.exe

2008-01-30 21:35 274,800 ----a-w C:\WINDOWS\ASUS Camera ScreenSaver Uninstaller.exe

2008-01-30 21:35 12,288 ----a-w C:\WINDOWS\impborl.dll

2008-01-29 11:02 107,368 ----a-w C:\WINDOWS\system32\GEARAspi.dll

.

((((((((((((((((((((((((((((( snapshot@2008-04-13_23.43.19.81 )))))))))))))))))))))))))))))))))))))))))

.

  • 2008-04-13 22:41:00 2,048 --s-a-w C:\WINDOWS\bootstat.dat
  • 2008-04-15 17:22:56 2,048 --s-a-w C:\WINDOWS\bootstat.dat

  • 2008-04-15 17:23:00 16,384 ----a-w C:\WINDOWS\Temp\Perflib_Perfdata_128.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{10F0C2A9-8E38-43e3-204D-45524C494E20}]

2008-04-13 23:03 176128 --a------ C:\Program Files\PC-Antispyware\IeExtension.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“StartCCC”=“c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe” [2006-11-10 12:35 90112]

“Gadu-Gadu”=“C:\Program Files\Gadu-Gadu\gg.exe” [2007-11-14 11:54 2131392]

“Skype”=“C:\Program Files\Skype\Phone\Skype.exe” [2008-02-01 17:26 22014760]

“swg”=“C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe” [2008-03-03 18:37 68856]

“ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe” [2006-03-02 14:00 15360]

“Yahoo! Pager”=“C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe” [2007-08-30 17:43 4670704]

“MSMSGS”=“C:\Program Files\Messenger\msmsgs.exe” [2004-10-13 17:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“ATKOSD2”=“C:\Program Files\ATKOSD2\ATKOSD2.exe” [2007-07-03 10:48 7708672]

“ATKHOTKEY”=“C:\Program Files\ATK Hotkey\Hcontrol.exe” [2007-07-12 10:25 225280]

“RTHDCPL”=“RTHDCPL.EXE” [2006-10-30 04:49 16269312 C:\WINDOWS\RTHDCPL.exe]

“SkyTel”=“SkyTel.EXE” [2006-05-16 03:04 2879488 C:\WINDOWS\SkyTel.exe]

“ATKMEDIA”=“C:\Program Files\ASUS\ATK Media\DMEDIA.EXE” [2006-11-02 08:27 61440]

“ASUS Live Update”=“C:\Program Files\ASUS\ASUS Live Update\ALU.exe” [2007-07-19 15:41 49520]

“SynTPEnh”=“C:\Program Files\Synaptics\SynTP\SynTPEnh.exe” [2006-05-25 05:02 786521]

“ACMON”=“C:\Program Files\ASUS\Splendid\ACMON.exe” [2007-07-10 10:59 851968]

“ABLKSR”=“C:\WINDOWS\ABLKSR\ABLKSR.exe” [2006-01-02 19:14 61440]

“RemoteControl”=“C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe” [2007-01-08 22:26 68640]

“SecurDisc”=“C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe” [2007-06-01 10:06 1629744]

“SMSERIAL”=“C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe” [2006-11-22 02:31 630784]

“PowerForPhone”=“C:\Program Files\P4P\P4P.exe” []

“Wireless Console 2”=“C:\Program Files\Wireless Console 2\wcourier.exe” [2007-07-05 16:53 1040384]

“ASUSTPE”=“C:\WINDOWS\system32\ASUSTPE.exe” [2007-01-16 16:13 106496]

“ASUS Camera ScreenSaver”=“C:\WINDOWS\ASScrProlog.exe” [2008-01-30 22:35 37232]

“ASUS Screen Saver Protector”=“C:\WINDOWS\ASScrPro.exe” [2008-01-30 22:35 33136]

“ACU”=“C:\Program Files\Atheros\ACU.exe” [2007-05-03 17:42 376921]

“Symantec PIF AlertEng”=“C:\Program Files\Common Files\Symantec Shared\PIF{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe” [2008-01-29 17:38 583048]

“TkBellExe”=“C:\Program Files\Common Files\Real\Update_OB\realsched.exe” [2008-03-02 21:13 185896]

“SunJavaUpdateSched”=“C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe” [2008-02-22 04:25 144784]

“QuickTime Task”=“C:\Program Files\QuickTime\QTTask.exe” [2008-03-28 23:37 413696]

“iTunesHelper”=“C:\Program Files\iTunes\iTunesHelper.exe” [2008-03-30 10:36 267048]

“PC-Antispyware”=“C:\Program Files\PC-Antispyware\PCA-Purchased.exe” [2008-04-13 23:03 10772480]

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

“CTFMON.EXE”=“C:\WINDOWS\system32\CTFMON.EXE” [2006-03-02 14:00 15360]

[HKLM~\startupfolder\C:^Documents and Settings^Agosh^Menu Start^Programy^Autostart^CCC.lnk]

path=C:\Documents and Settings\Agosh\Menu Start\Programy\Autostart\CCC.lnk

backup=C:\WINDOWS\pss\CCC.lnkStartup

[HKLM~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]

path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk

backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Synchronizer.lnk]

path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Synchronizer.lnk

backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]

–a------ 2007-06-01 10:05 1057328 C:\Program Files\Nero\Nero 7\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]

–a------ 2007-01-08 22:17 52256 C:\Program Files\ASUSTek\ASUSDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]

–a------ 2007-06-20 12:49 451872 C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

–a------ 2007-03-01 15:57 153136 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power_Gear]

–a------ 2006-07-26 18:01 90112 C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

“AntiVirusDisableNotify”=dword:00000001

“UpdatesDisableNotify”=dword:00000001

“AntiVirusOverride”=dword:00000001

“FirewallOverride”=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

“DisableMonitoring”=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

“DisableMonitoring”=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

“DisableMonitoring”=dword:00000001

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

“EnableFirewall”= 0 (0x0)

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

“%windir%\system32\sessmgr.exe”=

“C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE”=

“C:\Program Files\Bonjour\mDNSResponder.exe”=

“%windir%\Network Diagnostic\xpnetdiag.exe”=

“C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe”=

“C:\Program Files\Yahoo!\Messenger\YServer.exe”=

“C:\Program Files\iTunes\iTunes.exe”=

“C:\Program Files\Skype\Phone\Skype.exe”=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 18:31]

R1 pca-firewall;pca-firewall;C:\WINDOWS\system32\drivers\pca-firewall.sys [2008-04-13 22:58]

R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 18:35]

R3 AtcL002;NDIS Miniport Driver for Atheros L2 Fast Ethernet Controller;C:\WINDOWS\system32\DRIVERS\l251x86.sys [2007-08-21 01:50]

R3 RTSTOR;USB Mass Stroage Device;C:\WINDOWS\system32\drivers\RTSTOR.SYS [2006-06-10 00:07]

R3 WSIMD;wsimd Service;C:\WINDOWS\system32\DRIVERS\wsimd.sys [2007-03-28 19:52]

S3 usbstor;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2006-03-02 14:00]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]

msiexec /fums {857D4360-762B-978B-76AD-491AA719E47A} /qb

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components{10880D85-AAD9-4558-ABDC-2AB1552D831F}]

“C:\Program Files\Common Files\LightScribe\LSRunOnce.exe”

.

Contents of the ‘Scheduled Tasks’ folder

“2008-03-21 16:10:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job”

  • C:\Program Files\Apple Software Update\SoftwareUpdate.exe

.

**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-04-15 19:43:04

Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe

  • C:\Program Files\PC-Antispyware\PopupBlocker.dll

.

Completion time: 2008-04-15 19:43:26

ComboFix-quarantined-files.txt 2008-04-15 18:43:20

ComboFix3.txt 2008-04-13 22:43:40

ComboFix2.txt 2008-04-14 20:40:34

Pre-Run: 103,642,136,576 bajtów wolnych

Post-Run: 103,628,832,768 bajtów wolnych

.

2008-04-11 01:54:39 — E O F —

Download ComboFix, but don't run it

Paste into Notepad:

File::

C:\WINDOWS\dsktbwfe.dll

C:\WINDOWS\sgoblxtm.dll

C:\WINDOWS\ogxtsepr.dll

C:\WINDOWS\spnkfwad.exe

C:\WINDOWS\system32\drivers\pca-firewall.sys


Folder::

C:\FOUND.003

C:\FOUND.002

C:\FOUND.001

C:\Documents and Settings\All Users\Dane aplikacji\ejyfmxwr


Driver::

pca-firewall

File -> Save as -> CFScript.txt (it will be most convenient if you save it in a location such that the CFScript.txt icon ends up next to the ComboFix.exe icon)

Drag and drop the CFScript.txt icon onto the ComboFix.exe icon, like here ->


Removal should begin and a log will be created; post that log on the forum.

If everything goes well, then after the restart manually delete the folder C:\Qoobox

Here is the log:

ComboFix 08-04-13.1 - Agosh 2008-04-16 8:06:52.6 - FAT32 x86

Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1045.18.1318 [GMT 1:00]

Running from: C:\Documents and Settings\Agosh\Pulpit\ComboFix.exe

Command switches used :: C:\Documents and Settings\Agosh\Pulpit\CFScript.txt

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED!!

FILE ::

C:\WINDOWS\dsktbwfe.dll

C:\WINDOWS\ogxtsepr.dll

C:\WINDOWS\sgoblxtm.dll

C:\WINDOWS\spnkfwad.exe

C:\WINDOWS\system32\drivers\pca-firewall.sys

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\WINDOWS\system32\drivers\pca-firewall.sys

.

---- Previous Run -------

.

C:\Documents and Settings\All Users\Dane aplikacji\ejyfmxwr

C:\FOUND.001

C:\FOUND.001\FILE0000.CHK

C:\FOUND.002

C:\FOUND.002\FILE0000.CHK

C:\FOUND.002\FILE0001.CHK

C:\FOUND.003

C:\FOUND.003\FILE0000.CHK

C:\FOUND.003\FILE0001.CHK

C:\FOUND.003\FILE0002.CHK

C:\FOUND.003\FILE0003.CHK

C:\FOUND.003\FILE0004.CHK

C:\FOUND.003\FILE0005.CHK

C:\WINDOWS\dsktbwfe.dll

C:\WINDOWS\ogxtsepr.dll

C:\WINDOWS\sgoblxtm.dll

C:\WINDOWS\spnkfwad.exe

C:\WINDOWS\system32\drivers\pca-firewall.sys

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_PCA-FIREWALL

-------\Service_pca-firewall

-------\Legacy_PCA-FIREWALL

-------\Service_pca-firewall

((((((((((((((((((((((((( Files Created from 2008-03-16 to 2008-04-16 )))))))))))))))))))))))))))))))

.

2008-04-16 08:09 . 2003-07-29 03:18 3,839 --a------ C:\WINDOWS\system32\drivers\GETPADD.sys

2008-04-14 20:41 . 2008-04-14 05:41

2008-04-14 18:38 . 2008-04-14 18:38

2008-04-13 22:58 . 2008-04-13 22:58

2008-04-13 22:35 . 2008-04-13 22:36

2008-04-13 21:54 . 2008-03-29 18:23 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr

2008-04-13 21:54 . 2008-03-29 18:27 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys

2008-04-13 21:54 . 2008-03-29 18:26 26,944 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys

2008-04-13 21:54 . 2008-03-29 18:29 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys

2008-04-13 21:54 . 2008-03-29 18:35 20,560 --a------ C:\WINDOWS\system32\drivers\aswFsBlk.sys

2008-04-13 21:53 . 2008-04-13 21:53

2008-04-13 21:53 . 2008-03-29 18:45 1,146,232 --a------ C:\WINDOWS\system32\aswBoot.exe

2008-04-13 21:53 . 2004-01-09 09:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx

2008-04-13 21:53 . 2008-03-29 18:35 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys

2008-04-13 21:53 . 2008-01-17 16:34 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys

2008-04-13 21:53 . 2008-03-29 18:31 75,856 --a------ C:\WINDOWS\system32\drivers\aswSP.sys

2008-04-13 21:43 . 2008-04-13 21:43

2008-04-13 19:44 . 2008-04-13 19:45

2008-04-13 18:55 . 2008-04-13 18:55

2008-04-13 17:24 . 2007-11-22 17:00 483,328 --a------ C:\WINDOWS\system32\actskn45.ocx

2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx

2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts

2008-03-23 14:56 . 2008-03-23 14:56

2008-03-22 19:35 . 2008-03-22 19:35

2008-03-22 19:35 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl

2008-03-22 19:33 . 2008-03-22 19:33

2008-03-20 20:18 . 2008-03-20 20:18

2008-03-20 09:09 . 2008-03-20 09:09 1,845,504 --------- C:\WINDOWS\system32\dllcache\win32k.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-03-20 08:09 1,845,504 ----a-w C:\WINDOWS\system32\win32k.sys

2008-03-12 18:26 --------- d-----w C:\Program Files\QuickTime

2008-03-12 06:54 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Yahoo! Companion

2008-03-12 06:54 --------- d-----w C:\Documents and Settings\Agosh\Dane aplikacji\Yahoo!

2008-03-09 14:52 --------- d-----w C:\Program Files\SopCast

2008-03-09 14:50 --------- d-----w C:\Program Files\7-Zip

2008-03-08 07:19 --------- d-----w C:\Documents and Settings\Agosh\Dane aplikacji\DivX

2008-03-08 07:13 --------- d-----w C:\Program Files\Yahoo!

2008-03-08 07:13 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Yahoo!

2008-03-04 20:54 --------- d-----w C:\Program Files\DivX

2008-03-04 19:50 892,928 ----a-w C:\WINDOWS\system32\iconv.dll

2008-03-04 19:50 405,504 ----a-w C:\WINDOWS\system32\libmplayer.dll

2008-03-04 19:50 3,108,864 ----a-w C:\WINDOWS\system32\libavcodec.dll

2008-03-04 19:50 126,976 ----a-w C:\WINDOWS\system32\libmpeg2_ff.dll

2008-03-04 19:48 79,360 ----a-w C:\WINDOWS\system32\mkzlib.dll

2008-03-04 19:48 23,552 ----a-w C:\WINDOWS\system32\mkunicode.dll

2008-03-04 19:48 163,840 ----a-w C:\WINDOWS\system32\ts.dll

2008-03-04 19:48 159,744 ----a-w C:\WINDOWS\system32\mmfinfo.dll

2008-03-04 19:48 148,480 ----a-w C:\WINDOWS\system32\mkx.dll

2008-03-04 19:48 141,312 ----a-w C:\WINDOWS\system32\mp4.dll

2008-03-04 19:48 120,832 ----a-w C:\WINDOWS\system32\ogm.dll

2008-03-04 19:48 --------- d-----w C:\Program Files\Real Alternative

2008-03-02 20:14 --------- d-----w C:\Program Files\Common Files\xing shared

2008-03-02 20:13 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll

2008-03-02 20:13 --------- d-----w C:\Program Files\Real

2008-03-02 20:13 --------- d-----w C:\Program Files\Common Files\Real

2008-03-02 20:09 --------- d-----w C:\Documents and Settings\Agosh\Dane aplikacji\BESTplayer

2008-03-01 17:32 3,591,680 ------w C:\WINDOWS\system32\dllcache\mshtml.dll

2008-02-29 18:44 --------- d-----w C:\Program Files\Microsoft Silverlight

2008-02-29 08:59 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe

2008-02-29 08:59 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe

2008-02-26 20:23 --------- d-----w C:\Program Files\Kyodai Mahjongg 2006

2008-02-26 20:03 --------- d-----w C:\Program Files\Kyodai

2008-02-25 21:06 --------- d-----w C:\Program Files\MarBit

2008-02-25 21:04 --------- d-----w C:\Program Files\iTunes

2008-02-25 21:04 --------- d-----w C:\Program Files\Bonjour

2008-02-25 21:04 --------- d-----w C:\Documents and Settings\Agosh\Dane aplikacji\Apple Computer

2008-02-25 21:03 --------- d-----w C:\Program Files\Apple Software Update

2008-02-25 21:03 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Apple Computer

2008-02-25 21:02 --------- d-----w C:\Program Files\Common Files\Apple

2008-02-25 21:02 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Apple

2008-02-25 20:59 --------- d-----w C:\Program Files\Google

2008-02-25 07:37 --------- d-----w C:\Program Files\MSXML 4.0

2008-02-23 17:12 32 ----a-w C:\Documents and Settings\All Users\Dane aplikacji\ezsid.dat

2008-02-23 17:12 --------- d-----w C:\Documents and Settings\Agosh\Dane aplikacji\skypePM

2008-02-23 17:10 --------- d-----w C:\Program Files\Skype

2008-02-23 17:10 --------- d-----w C:\Program Files\Common Files\Skype

2008-02-23 17:10 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Skype

2008-02-23 17:10 --------- d-----w C:\Documents and Settings\Agosh\Dane aplikacji\Skype

2008-02-23 17:06 --------- d-----w C:\Program Files\Gadu-Gadu

2008-02-22 22:45 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\LightScribe

2008-02-22 22:45 --------- d-----w C:\Documents and Settings\Agosh\Dane aplikacji\Ahead

2008-02-22 22:43 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\CyberLink

2008-02-22 22:37 --------- d-----w C:\Documents and Settings\Agosh\Dane aplikacji\ATI

2008-02-22 10:00 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe

2008-02-21 01:03 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe

2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll

2008-02-20 06:51 282,624 ------w C:\WINDOWS\system32\dllcache\gdi32.dll

2008-02-20 05:38 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll

2008-02-20 05:38 45,568 ------w C:\WINDOWS\system32\dllcache\dnsrslvr.dll

2008-02-20 05:38 148,992 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll

2008-02-15 05:44 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll

2008-01-30 21:35 606,848 ----a-w C:\WINDOWS\flashax.exe

2008-01-30 21:35 503,808 ----a-w C:\WINDOWS\Asus_Camera_ScreenSaver.scr

2008-01-30 21:35 4,499,453 ----a-w C:\WINDOWS\ASUS Camera ScreenSaver.exe

2008-01-30 21:35 37,232 ----a-w C:\WINDOWS\ASScrProlog.exe

2008-01-30 21:35 33,136 ----a-w C:\WINDOWS\ASScrPro.exe

2008-01-30 21:35 274,800 ----a-w C:\WINDOWS\ASUS Camera ScreenSaver Uninstaller.exe

2008-01-30 21:35 12,288 ----a-w C:\WINDOWS\impborl.dll

2008-01-29 11:02 107,368 ----a-w C:\WINDOWS\system32\GEARAspi.dll

.

((((((((((((((((((((((((((((( snapshot@2008-04-13_23.43.19.81 )))))))))))))))))))))))))))))))))))))))))

.

  • 2008-04-13 22:41:00 2,048 --s-a-w C:\WINDOWS\bootstat.dat
  • 2008-04-16 07:09:46 2,048 --s-a-w C:\WINDOWS\bootstat.dat

  • 2008-04-16 07:09:50 16,384 ----a-w C:\WINDOWS\Temp\Perflib_Perfdata_140.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{10F0C2A9-8E38-43e3-204D-45524C494E20}]

2008-04-13 23:03 176128 --a------ C:\Program Files\PC-Antispyware\IeExtension.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“StartCCC”=“c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe” [2006-11-10 12:35 90112]

“Gadu-Gadu”=“C:\Program Files\Gadu-Gadu\gg.exe” [2007-11-14 11:54 2131392]

“Skype”=“C:\Program Files\Skype\Phone\Skype.exe” [2008-02-01 17:26 22014760]

“swg”=“C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe” [2008-03-03 18:37 68856]

“ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe” [2006-03-02 14:00 15360]

“Yahoo! Pager”=“C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe” [2007-08-30 17:43 4670704]

“MSMSGS”=“C:\Program Files\Messenger\msmsgs.exe” [2004-10-13 17:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“ATKOSD2”=“C:\Program Files\ATKOSD2\ATKOSD2.exe” [2007-07-03 10:48 7708672]

“ATKHOTKEY”=“C:\Program Files\ATK Hotkey\Hcontrol.exe” [2007-07-12 10:25 225280]

“RTHDCPL”=“RTHDCPL.EXE” [2006-10-30 04:49 16269312 C:\WINDOWS\RTHDCPL.exe]

“SkyTel”=“SkyTel.EXE” [2006-05-16 03:04 2879488 C:\WINDOWS\SkyTel.exe]

“ATKMEDIA”=“C:\Program Files\ASUS\ATK Media\DMEDIA.EXE” [2006-11-02 08:27 61440]

“ASUS Live Update”=“C:\Program Files\ASUS\ASUS Live Update\ALU.exe” [2007-07-19 15:41 49520]

“SynTPEnh”=“C:\Program Files\Synaptics\SynTP\SynTPEnh.exe” [2006-05-25 05:02 786521]

“ACMON”=“C:\Program Files\ASUS\Splendid\ACMON.exe” [2007-07-10 10:59 851968]

“ABLKSR”=“C:\WINDOWS\ABLKSR\ABLKSR.exe” [2006-01-02 19:14 61440]

“RemoteControl”=“C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe” [2007-01-08 22:26 68640]

“SecurDisc”=“C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe” [2007-06-01 10:06 1629744]

“SMSERIAL”=“C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe” [2006-11-22 02:31 630784]

“PowerForPhone”=“C:\Program Files\P4P\P4P.exe” []

“Wireless Console 2”=“C:\Program Files\Wireless Console 2\wcourier.exe” [2007-07-05 16:53 1040384]

“ASUSTPE”=“C:\WINDOWS\system32\ASUSTPE.exe” [2007-01-16 16:13 106496]

“ASUS Camera ScreenSaver”=“C:\WINDOWS\ASScrProlog.exe” [2008-01-30 22:35 37232]

“ASUS Screen Saver Protector”=“C:\WINDOWS\ASScrPro.exe” [2008-01-30 22:35 33136]

“ACU”=“C:\Program Files\Atheros\ACU.exe” [2007-05-03 17:42 376921]

“Symantec PIF AlertEng”=“C:\Program Files\Common Files\Symantec Shared\PIF{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe” [2008-01-29 17:38 583048]

“TkBellExe”=“C:\Program Files\Common Files\Real\Update_OB\realsched.exe” [2008-03-02 21:13 185896]

“SunJavaUpdateSched”=“C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe” [2008-02-22 04:25 144784]

“QuickTime Task”=“C:\Program Files\QuickTime\QTTask.exe” [2008-03-28 23:37 413696]

“iTunesHelper”=“C:\Program Files\iTunes\iTunesHelper.exe” [2008-03-30 10:36 267048]

“PC-Antispyware”=“C:\Program Files\PC-Antispyware\PCA-Purchased.exe” [2008-04-13 23:03 10772480]

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

“CTFMON.EXE”=“C:\WINDOWS\system32\CTFMON.EXE” [2006-03-02 14:00 15360]

[HKLM~\startupfolder\C:^Documents and Settings^Agosh^Menu Start^Programy^Autostart^CCC.lnk]

path=C:\Documents and Settings\Agosh\Menu Start\Programy\Autostart\CCC.lnk

backup=C:\WINDOWS\pss\CCC.lnkStartup

[HKLM~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]

path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk

backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Synchronizer.lnk]

path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Synchronizer.lnk

backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]

--a------ 2007-06-01 10:05 1057328 C:\Program Files\Nero\Nero 7\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]

--a------ 2007-01-08 22:17 52256 C:\Program Files\ASUSTek\ASUSDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]

--a------ 2007-06-20 12:49 451872 C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a------ 2007-03-01 15:57 153136 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power_Gear]

--a------ 2006-07-26 18:01 90112 C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

“AntiVirusDisableNotify”=dword:00000001

“FirewallDisableNotify”=dword:00000001

“UpdatesDisableNotify”=dword:00000001

“AntiVirusOverride”=dword:00000001

“FirewallOverride”=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

“DisableMonitoring”=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

“DisableMonitoring”=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

“DisableMonitoring”=dword:00000001

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

“EnableFirewall”= 0 (0x0)

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

“%windir%\system32\sessmgr.exe”=

“C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE”=

“C:\Program Files\Bonjour\mDNSResponder.exe”=

“%windir%\Network Diagnostic\xpnetdiag.exe”=

“C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe”=

“C:\Program Files\Yahoo!\Messenger\YServer.exe”=

“C:\Program Files\iTunes\iTunes.exe”=

“C:\Program Files\Skype\Phone\Skype.exe”=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 18:31]

R1 pca-firewall;pca-firewall;C:\WINDOWS\system32\drivers\pca-firewall.sys [2008-04-16 08:10]

R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 18:35]

R3 AtcL002;NDIS Miniport Driver for Atheros L2 Fast Ethernet Controller;C:\WINDOWS\system32\DRIVERS\l251x86.sys [2007-08-21 01:50]

R3 RTSTOR;USB Mass Stroage Device;C:\WINDOWS\system32\drivers\RTSTOR.SYS [2006-06-10 00:07]

R3 WSIMD;wsimd Service;C:\WINDOWS\system32\DRIVERS\wsimd.sys [2007-03-28 19:52]

S3 usbstor;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2006-03-02 14:00]

*Newly Created Service* - PCA-FIREWALL

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]

msiexec /fums {857D4360-762B-978B-76AD-491AA719E47A} /qb

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components{10880D85-AAD9-4558-ABDC-2AB1552D831F}]

“C:\Program Files\Common Files\LightScribe\LSRunOnce.exe”

.

Contents of the ‘Scheduled Tasks’ folder

“2008-03-21 16:10:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job”

  • C:\Program Files\Apple Software Update\SoftwareUpdate.exe

.

**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-04-16 08:10:10

Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe

  • C:\Program Files\PC-Antispyware\PopupBlocker.dll

.

------------------------ Other Running Processes ------------------------

.

C:\WINDOWS\SYSTEM32\ATI2EVXX.EXE

C:\WINDOWS\SYSTEM32\ATI2EVXX.EXE

C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASWUPDSV.EXE

C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE

C:\WINDOWS\SYSTEM32\ACS.EXE

C:\PROGRAM FILES\COMMON FILES\APPLE\MOBILE DEVICE SUPPORT\BIN\APPLEMOBILEDEVICESERVICE.EXE

C:\PROGRAM FILES\BONJOUR\MDNSRESPONDER.EXE

C:\PROGRAM FILES\NERO\NERO 7\INCD\INCDSRV.EXE

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\WINDOWS\SYSTEM32\ACENGSVR.EXE

C:\Program Files\CyberLink\Shared Files\RichVideo.exe

C:\PROGRAM FILES\ATK HOTKEY\ATKOSD.EXE

C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI.ACE\CORE-STATIC\MOM.EXE

C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe

C:\Program Files\ATK Hotkey\KBFiltr.exe

C:\Program Files\ATK Hotkey\WDC.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Skype\Plugin Manager\skypePM.exe

.

**************************************************************************

.

Completion time: 2008-04-16 8:12:01 - machine was rebooted [Agosh]

ComboFix-quarantined-files.txt 2008-04-16 07:11:56

ComboFix4.txt 2008-04-13 22:43:40

ComboFix3.txt 2008-04-14 20:40:34

ComboFix2.txt 2008-04-15 18:43:28

Pre-Run: 103,531,446,272 bajtów wolnych

Post-Run: 103,518,011,392 bajtów wolnych

.

2008-04-11 01:54:39 — E O F —

The log looks clean

Scan the computer with this http://www.kaspersky.pl/virusscanner.html and post its report on the forum

Change to the rules for posting logs on the forum - viewtopic.php?f=16&t=213350

here is the Kaspersky report:

http://wklej.org/id/ae82112896

Thank you all very much for your help.

The log is clean

scan the My Computer scope with Kaspersky

:slight_smile: