Hello! Please help me remove the Vundo virus and the rest of the worms. I can't open pages in Mozilla and errors pop up, icons disappear, the desktop refreshes, and the computer is generally sluggish. I'm posting the logs…
Logfile of HijackThis v1.99.1
Scan saved at 20:37:53, on 2009-05-12
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\tlntsvr.exe
C:\WINDOWS\System32\vssvc.exe
C:\Program Files\DialNet\WrOS.EXE
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\Progsy\programy\Antywiry\Do ręcznej walki z wirusami\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.bearshare.com/pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O4 - HKLM\..\Run: [] "C:\PROGRA~1\DialNet\FPLICE~1.EXE zhimakaimen//WINPOET_QUITTING_EVENT"
O4 - HKLM\..\Run: [z-WrDialer] C:\Program Files\DialNet\WrDialer.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [bM07ca9cef] Rundll32.exe "C:\WINDOWS\system32\felmydcw.dll",s
O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Wyślij do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Wyślij &do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.pl/resources/virus … nicode.cab
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F5F10BEE-F203-467A-B500-77B7050F1616}: NameServer = 217.30.129.149 217.30.137.200
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: WinPPPoverEthernet - Fine Point Technologies, Inc. - C:\Program Files\DialNet\WrOS.EXE
Administrator - 09-05-12 20:24:34,43 Dodatek Service Pack 2
ComboFix 06.09.28 - Running from: "D:\Progsy\programy\Antywiry\Do ręcznej walki z wirusami"
Command switches used :: C:\ComboFix.txt
((((((((((((((((((((((((((((((( Files Created from 2009-04-12 to 2009-05-12 ))))))))))))))))))))))))))))))))))
2009-05-12 19:26 2,112 --a------ C:\WINDOWS\system32\nhpimshc.exe
2009-05-12 19:23 90,688 --a------ C:\WINDOWS\system32\pnkmvhyc.dll
2009-05-12 19:20 3,648 --a------ C:\WINDOWS\system32\bonvbsqe.dll
2009-05-12 19:17 100,416 --a------ C:\WINDOWS\system32\felmydcw.dll
2009-04-17 18:58 356,352 --a------ C:\WINDOWS\system32\nvudisp.exe
2009-04-17 18:57 356,352 --a------ C:\WINDOWS\system32\NVUNINST.EXE
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2009-05-12 20:22 301066 --ahs---- C:\WINDOWS\system32\orutv.ini2
2009-05-12 20:16 -------- d-------- C:\Documents and Settings\Administrator\Dane aplikacji\skypePM
2009-05-12 19:14 -------- d-------- C:\Program Files\Norton Security Scan
2009-03-25 18:33 -------- d-------- C:\Program Files\SubEdit-Player
2009-03-24 17:50 -------- d-------- C:\Documents and Settings\Administrator\Dane aplikacji\uTorrent
2009-03-07 22:16 91200 --a------ C:\WINDOWS\system32\iwmuemqg.dll
2009-03-07 22:13 96320 --a------ C:\WINDOWS\system32\rqrjywpa.dll
2009-03-07 22:12 92736 --a------ C:\WINDOWS\system32\yvpneifu.dll
2009-03-07 14:58 96320 --a------ C:\WINDOWS\system32\blgshrcr.dll
2009-03-07 14:57 92736 --a------ C:\WINDOWS\system32\qyiifbyf.dll
2009-03-06 22:04 96832 --a------ C:\WINDOWS\system32\jcugwcaj.dll
2009-03-06 22:01 91712 --a------ C:\WINDOWS\system32\whcgocvy.dll
2009-03-06 21:54 96832 --a------ C:\WINDOWS\system32\beqysgpw.dll
2009-03-06 21:54 91712 --a------ C:\WINDOWS\system32\fpxmwixt.dll
2009-03-05 21:55 96832 --a------ C:\WINDOWS\system32\pbqqtbng.dll
2009-03-05 21:52 91712 --a------ C:\WINDOWS\system32\gnlscmbw.dll
2009-03-01 12:47 88640 --a------ C:\WINDOWS\system32\wjlcahsj.dll
2009-03-01 12:42 91712 --a------ C:\WINDOWS\system32\kxjierry.dll
2009-02-28 21:39 89664 --a------ C:\WINDOWS\system32\pjjeikar.dll
2009-02-28 21:38 91712 --a------ C:\WINDOWS\system32\iodkavwy.dll
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
@=""C:\PROGRA~1\DialNet\FPLICE~1.EXE zhimakaimen//WINPOET_QUITTING_EVENT""
"z-WrDialer"="C:\Program Files\DialNet\WrDialer.exe"
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto"
"BM07ca9cef"="Rundll32.exe "C:\WINDOWS\system32\felmydcw.dll",s"
"04f9af73"="rundll32.exe "C:\WINDOWS\system32\pnkmvhyc.dll",b"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Moja bieżąca strona główna"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,0d,02,00,00,00,00,00,00,73,02,00,00,42,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f2,01,00,00,23,00,00,00,7c,00,00,00,72,00,\
00,00,01,00,00,00
[HKEY_USERS.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE"
[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"="Groove GFS Stub Execution Hook"
"{E0EA1F31-B58F-47E8-A185-20C52DF9F168}"=""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
"NTSpool"="NTSpool.exe"
"Windows Printing Driver"="WinPrint.exe"
"NT Security Service"="NTSecurity.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveAutoRun"=dword:03ffffff
"NoDriveTypeAutoRun"=dword:000000ff
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
[HKEY_USERS.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_USERS.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]
[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]
"MSMSGS"=""C:\Program Files\Messenger\msmsgs.exe" /background"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^Administrator^Menu Start^Programy^Autostart^Tworzenie wycinków ekranu i uruchamianie programu OneNote 2007.lnk]
"path"="C:\Documents and Settings\Administrator\Menu Start\Programy\Autostart\Tworzenie wycinków ekranu i uruchamianie programu OneNote 2007.lnk"
"backup"="C:\WINDOWS\pss\Tworzenie wycinków ekranu i uruchamianie programu OneNote 2007.lnkStartup"
"location"="Startup"
"command"="C:\PROGRA~1\MICROS~2\Office12\ONENOTEM.EXE /tsr"
"item"="Tworzenie wycinków ekranu i uruchamianie programu OneNote 2007"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]
"path"="C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk"
"backup"="C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~1.EXE "
"item"="Adobe Reader Speed Launch"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\04f9af73]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="rhqetvnn"
"hkey"="HKLM"
"command"="rundll32.exe "C:\WINDOWS\system32\rhqetvnn.dll",b"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\a-winpoet-service]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="winpppoverethernet"
"hkey"="HKLM"
"command"=""C:\Program Files\DialNet\winpppoverethernet.exe""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Alcmtr]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="ALCMTR"
"hkey"="HKLM"
"command"="ALCMTR.EXE"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="NMBgMonitor"
"hkey"="HKCU"
"command"=""C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\BM07ca9cef]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="nbrithec"
"hkey"="HKLM"
"command"="Rundll32.exe "C:\WINDOWS\system32\nbrithec.dll",s"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\combofix]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="Combobatch"
"hkey"="HKLM"
"command"="C:\WINDOWS\system32\kmd.exe /c C:\ComboFix(2)\Combobatch.bat"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\CTFMON.EXE]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\WINDOWS\system32\ctfmon.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\DAEMON Tools]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="daemon"
"hkey"="HKCU"
"command"=""C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Drmupgds]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="Drmupgds"
"hkey"="HKCU"
"command"="C:\Program Files\Drmupgds\Drmupgds.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\GrooveMonitor]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="GrooveMonitor"
"hkey"="HKLM"
"command"=""C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Host Process]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="svchost"
"hkey"="HKLM"
"command"="C:\WINDOWS\Fonts\svchost.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\KernelFaultCheck]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="dumprep 0 -k"
"hkey"="HKLM"
"command"="%systemroot%\system32\dumprep 0 -k"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MSMSGS]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"=""C:\Program Files\Messenger\msmsgs.exe" /background"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NeroFilterCheck]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\WINDOWS\system32\NeroCheck.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NvCplDaemon]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="NvCpl"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NvMediaCenter]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="NvMcTray"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\nwiz]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /install"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\RTHDCPL]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="RTHDCPL"
"hkey"="HKLM"
"command"="RTHDCPL.EXE"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\runner1]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="mrofinu1188"
"hkey"="HKLM"
"command"="C:\WINDOWS\mrofinu1188.exe 61A847B5BBF72813339330466188719AB689201522886B092CBD44BD8689220221DD3257"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\S3Trayp]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="S3trayp"
"hkey"="HKLM"
"command"="S3trayp.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Skype]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="Skype"
"hkey"="HKCU"
"command"=""C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SkyTel]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="SkyTel"
"hkey"="HKLM"
"command"="SkyTel.EXE"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="jusched"
"hkey"="HKLM"
"command"=""C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\VTTimer]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="VTTimer"
"hkey"="HKLM"
"command"="VTTimer.exe"
"inimapping"="0"
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebyyay
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gzwkcomc
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyyyvu
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\1-Click Maintenance.job
C:\WINDOWS\tasks\Norton Security Scan.job
Completion time: 2009-05-12 20:26:26.04
Fix in HijackThis.
Download ComboFix, but do not run it.
Paste into Notepad:
File::
C:\Program Files\DialNet\WrDialer.exe
C:\WINDOWS\system32\felmydcw.dll
C:\WINDOWS\system32\nhpimshc.exe
C:\WINDOWS\system32\pnkmvhyc.dll
C:\WINDOWS\system32\bonvbsqe.dll
C:\WINDOWS\system32\felmydcw.dll
C:\WINDOWS\system32\iwmuemqg.dll
C:\WINDOWS\system32\rqrjywpa.dll
C:\WINDOWS\system32\yvpneifu.dll
C:\WINDOWS\system32\blgshrcr.dll
C:\WINDOWS\system32\qyiifbyf.dll
C:\WINDOWS\system32\jcugwcaj.dll
C:\WINDOWS\system32\whcgocvy.dll
C:\WINDOWS\system32\beqysgpw.dll
C:\WINDOWS\system32\fpxmwixt.dll
C:\WINDOWS\system32\pbqqtbng.dll
C:\WINDOWS\system32\gnlscmbw.dll
C:\WINDOWS\system32\wjlcahsj.dll
C:\WINDOWS\system32\kxjierry.dll
C:\WINDOWS\system32\pjjeikar.dll
C:\WINDOWS\system32\iodkavwy.dll
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"z-WrDialer"=-
"MSConfig"=-
"BM07ca9cef"=-
"04f9af73"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\BM07ca9cef]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\04f9af73]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\KernelFaultCheck]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\runner1]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebyyay]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gzwkcomc]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyyyvu]
File -> Save as -> CFScript.txt (it is most convenient to save it in a location where the CFScript.txt icon ends up next to the ComboFix.exe icon)
Drag and drop the CFScript.txt icon onto the ComboFix.exe icon, like this ->
The removal will start and a log will be produced; post that log on the forum.
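Added example (not code from this thread, from ComboFix or from HijackThis): a Python triage script that encodes the signals the reply above relied on, namely 8-lowercase-letter names in system32, Run values that load a DLL through rundll32 with a one-letter export, and Winlogon\Notify subkeys outside the stock set, and renders the hits in the CFScript.txt layout shown above. The sample log is constructed from lines of this thread, the stock Notify set is assumed to be the XP SP2 default, and the name heuristic is a triage hint, not a verdict.

```python
import re

# Constructed sample in the shape of the ComboFix "Files Created"/"Find3M" and
# "Reg Loading Points" sections posted in this thread (names are the thread's own;
# nvudisp.exe and wlballoon are benign entries mixed in as controls).
SAMPLE_LOG = r"""
2009-05-12 19:23 90,688 --a------ C:\WINDOWS\system32\pnkmvhyc.dll
2009-05-12 19:17 100,416 --a------ C:\WINDOWS\system32\felmydcw.dll
2009-04-17 18:58 356,352 --a------ C:\WINDOWS\system32\nvudisp.exe
2009-03-07 14:58 96320 --a------ C:\WINDOWS\system32\blgshrcr.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"z-WrDialer"="C:\Program Files\DialNet\WrDialer.exe"
"BM07ca9cef"="Rundll32.exe "C:\WINDOWS\system32\felmydcw.dll",s"
"04f9af73"="rundll32.exe "C:\WINDOWS\system32\pnkmvhyc.dll",b"
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebyyay
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyyyvu
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wlballoon
"""

# A dated ComboFix file line whose target is an 8-lowercase-letter name in system32.
SYS32_FILE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+[\d,]+\s+\S+\s+"
    r"(C:\\WINDOWS\\system32\\([a-z]{8})\.(?:dll|exe))$")
# A Run value that loads a DLL through rundll32 with a one-letter export name,
# the loader shape of both Vundo entries in the thread (",s" and ",b").
RUNDLL_RUN = re.compile(r'^"([^"]+)"="rundll32\.exe "([^"]+\.dll)",([a-z])"$', re.I)
# Winlogon\Notify subkeys; anything outside the stock XP SP2 set (assumed here)
# deserves a look, since a few legitimate drivers also register there.
NOTIFY = re.compile(
    r"^HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion"
    r"\\winlogon\\notify\\(\S+)$", re.I)
DEFAULT_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                  "sclgntfy", "senslogn", "termsrv", "wlballoon"}


def looks_random(name: str) -> bool:
    """Cheap triage for Vundo-style names: few vowels or a long consonant run.
    It is a hint, not proof (ntoskrnl would trip it), so a name-only hit is
    only a candidate until a loading point confirms it."""
    vowels = sum(c in "aeiou" for c in name)
    longest_run = max(len(part) for part in re.split(r"[aeiou]+", name))
    return vowels <= 2 or longest_run >= 4


def triage(log: str) -> dict:
    """Collect suspicious files, Run values and Notify keys from log text."""
    files, run_values, notify = set(), [], []
    for line in log.splitlines():
        m = SYS32_FILE.match(line)
        if m and looks_random(m.group(2)):
            files.add(m.group(1))
            continue
        m = RUNDLL_RUN.match(line)
        if m:  # the loader is the strong signal: take both the DLL and the value
            run_values.append(m.group(1))
            files.add(m.group(2))
            continue
        m = NOTIFY.match(line)
        if m and m.group(1).lower() not in DEFAULT_NOTIFY:
            notify.append(line)
    return {"files": sorted(files), "run_values": run_values, "notify": notify}


RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"


def build_cfscript(findings: dict) -> str:
    """Render findings in the CFScript.txt layout used in the reply above:
    File:: paths to delete, then Registry:: with "name"=- to drop a value
    and [-key] to drop a whole key."""
    lines = ["File::", *findings["files"], "", "Registry::", f"[{RUN_KEY}]"]
    lines += [f'"{v}"=-' for v in findings["run_values"]]
    lines += [f"[-{k}]" for k in findings["notify"]]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_cfscript(triage(SAMPLE_LOG)))
```

Review the generated script by hand before using it: the name heuristic misses some of the DLLs the reply lists (iwmuemqg.dll has three vowels and no run of four consonants) and would flag a legitimate file with an unusual name.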
pushd "C:\327882R2FWJFW"
=============================================
ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Administrator\Dane aplikacji
cfldr=327882R2FWJFW
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=ADAM
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Administrator
kmd=CF3167.exe
LOGONSERVER=\\ADAM
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\327882R2FWJFW;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Samsung\Samsung PC Studio 3\
PATHEXT=.cfexe;.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 7, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0207
ProgramFiles=C:\Program Files
PROMPT=$
SESSIONNAME=Console
sfxname=C:\Documents and Settings\Administrator\Pulpit\ComboFix.exe
system=C:\WINDOWS\system32
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp
TMP=C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp
USERDOMAIN=ADAM
USERNAME=Administrator
USERPROFILE=C:\Documents and Settings\Administrator
windir=C:\WINDOWS
=============================================
if not defined sfxname goto END
Nircmd win close ititle "ComboFix"
If ["C:\Documents and Settings\Administrator\Pulpit\CFScript.txt"] == [] Set "SfxCmd="
if /I "C:\327882R2FWJFW" NEQ "C:\327882R2FWJFW" goto Abort
if exist "C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp\327882R2FWJFW327882R2FWJFW.log" del "C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp\327882R2FWJFW327882R2FWJFW.log"
SteelWerX Extended Configuration Access Control Lists
Written by Bobbi Flekman 2006 ©
Ownerchange for "C:\WINDOWS\system32\cmd.exe" to Administrators group was successful
copy /y "C:\WINDOWS\system32\cmd.exe" "C:\WINDOWS\system32\CF3167.exe"
Liczba skopiowanych plików: 1.
if not exist "C:\WINDOWS\system32\CF3167.exe" catchme -l nul -c "C:\WINDOWS\system32\cmd.exe" "C:\WINDOWS\system32\CF3167.exe"
For /F "tokens=*" %g in ("C:\Documents and Settings\Administrator\Pulpit\ComboFix.exe") do @(
set "FileName=%~ng"
set "FilePath=%~dpg"
)
Set FileName 2>nul | GREP -Gisqx "FileName=[-[:alnum:]@.]*" || (
nircmd infobox "You cannot rename ComboFix as ComboFix~n~nPlease use another name, preferbaly made up of alphanumeric characters" ""
goto END
)
DIR /AD/B C:\* | FindStr.exe -IVX ComboFix 1>dirname00
FindStr.exe -LIXC:"ComboFix" dirname00 1>nul && call :NameChk
If exist dirname0? del /Q dirname0?
If exist "\ComboFix" DIR /AD "\ComboFix" 1>nul && (
rd /s/q "\ComboFix"
If exist "\ComboFix" (
PV -kf findstr.exe *.cfexe
rd /s/q "\ComboFix"
)
If exist "\ComboFix" (
handle "C:\ComboFix" | SED -r "/pid:/!d; s/.*: (.*): .*/\1/" 1>temp00
for /F "tokens=1,2" %g in (temp00) do @echo.y | Handle -p %g -c %h
del /q temp00
rd /s/q "\ComboFix"
)
)
If exist "\ComboFix" rd /s/q "\ComboFix"
If exist "\ComboFix" goto :eof
VER | Findstr.exe -ic:"[Version 6.0" && (Call :Vista ) ||
CD ..
Set "comspec=C:\WINDOWS\system32\CF3167.exe"
(
echo.md "\ComboFix"
echo.Move /y "\327882R2FWJFW*" "\ComboFix"
echo.RD /S/Q "\327882R2FWJFW"
echo.Start "." /d"C:\ComboFix" "C:\WINDOWS\system32\CF3167.exe" /k c.bat
echo.pv -kf cmd.exe
) 1>Start_.cmd
NirCmd exec hide "C:\WINDOWS\system32\CF3167.exe" /f:off /d /c call Start_.cmd
NirCmd execmd del "\327882R2FWJFW\prep.cmd"
EXIT
Post the removal log from ComboFix.
Administrator - 09-05-12 21:02:31,33 Dodatek Service Pack 2
ComboFix 06.09.28 - Running from: "D:\Progsy\programy\Antywiry\Do ręcznej walki z wirusami"
((((((((((((((((((((((((((((((( Files Created from 2009-04-12 to 2009-05-12 ))))))))))))))))))))))))))))))))))
2009-05-12 19:26 2,112 --a------ C:\WINDOWS\system32\nhpimshc.exe
2009-05-12 19:23 90,688 --a------ C:\WINDOWS\system32\pnkmvhyc.dll
2009-05-12 19:20 3,648 --a------ C:\WINDOWS\system32\bonvbsqe.dll
2009-05-12 19:17 100,416 --a------ C:\WINDOWS\system32\felmydcw.dll
2009-04-17 18:58 356,352 --a------ C:\WINDOWS\system32\nvudisp.exe
2009-04-17 18:57 356,352 --a------ C:\WINDOWS\system32\NVUNINST.EXE
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2009-05-12 21:01 303722 --ahs---- C:\WINDOWS\system32\orutv.ini2
2009-05-12 20:16 -------- d-------- C:\Documents and Settings\Administrator\Dane aplikacji\skypePM
2009-05-12 19:14 -------- d-------- C:\Program Files\Norton Security Scan
2009-03-25 18:33 -------- d-------- C:\Program Files\SubEdit-Player
2009-03-24 17:50 -------- d-------- C:\Documents and Settings\Administrator\Dane aplikacji\uTorrent
2009-03-07 22:16 91200 --a------ C:\WINDOWS\system32\iwmuemqg.dll
2009-03-07 22:13 96320 --a------ C:\WINDOWS\system32\rqrjywpa.dll
2009-03-07 22:12 92736 --a------ C:\WINDOWS\system32\yvpneifu.dll
2009-03-07 14:58 96320 --a------ C:\WINDOWS\system32\blgshrcr.dll
2009-03-07 14:57 92736 --a------ C:\WINDOWS\system32\qyiifbyf.dll
2009-03-06 22:04 96832 --a------ C:\WINDOWS\system32\jcugwcaj.dll
2009-03-06 22:01 91712 --a------ C:\WINDOWS\system32\whcgocvy.dll
2009-03-06 21:54 96832 --a------ C:\WINDOWS\system32\beqysgpw.dll
2009-03-06 21:54 91712 --a------ C:\WINDOWS\system32\fpxmwixt.dll
2009-03-05 21:55 96832 --a------ C:\WINDOWS\system32\pbqqtbng.dll
2009-03-05 21:52 91712 --a------ C:\WINDOWS\system32\gnlscmbw.dll
2009-03-01 12:47 88640 --a------ C:\WINDOWS\system32\wjlcahsj.dll
2009-03-01 12:42 91712 --a------ C:\WINDOWS\system32\kxjierry.dll
2009-02-28 21:39 89664 --a------ C:\WINDOWS\system32\pjjeikar.dll
2009-02-28 21:38 91712 --a------ C:\WINDOWS\system32\iodkavwy.dll
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
@=""C:\PROGRA~1\DialNet\FPLICE~1.EXE zhimakaimen//WINPOET_QUITTING_EVENT""
"z-WrDialer"="C:\Program Files\DialNet\WrDialer.exe"
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto"
"BM07ca9cef"="Rundll32.exe "C:\WINDOWS\system32\felmydcw.dll",s"
"04f9af73"="rundll32.exe "C:\WINDOWS\system32\pnkmvhyc.dll",b"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Moja bieżąca strona główna"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,e6,00,00,00,00,00,00,00,9a,03,00,00,27,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f2,01,00,00,23,00,00,00,7c,00,00,00,72,00,\
00,00,01,00,00,00
[HKEY_USERS.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE"
[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"="Groove GFS Stub Execution Hook"
"{E0EA1F31-B58F-47E8-A185-20C52DF9F168}"=""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
"NTSpool"="NTSpool.exe"
"Windows Printing Driver"="WinPrint.exe"
"NT Security Service"="NTSecurity.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveAutoRun"=dword:03ffffff
"NoDriveTypeAutoRun"=dword:000000ff
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
[HKEY_USERS.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_USERS.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]
[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]
"MSMSGS"=""C:\Program Files\Messenger\msmsgs.exe" /background"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^Administrator^Menu Start^Programy^Autostart^Tworzenie wycinków ekranu i uruchamianie programu OneNote 2007.lnk]
"path"="C:\Documents and Settings\Administrator\Menu Start\Programy\Autostart\Tworzenie wycinków ekranu i uruchamianie programu OneNote 2007.lnk"
"backup"="C:\WINDOWS\pss\Tworzenie wycinków ekranu i uruchamianie programu OneNote 2007.lnkStartup"
"location"="Startup"
"command"="C:\PROGRA~1\MICROS~2\Office12\ONENOTEM.EXE /tsr"
"item"="Tworzenie wycinków ekranu i uruchamianie programu OneNote 2007"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]
"path"="C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk"
"backup"="C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~1.EXE "
"item"="Adobe Reader Speed Launch"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\04f9af73]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="pnkmvhyc"
"hkey"="HKLM"
"command"="rundll32.exe "C:\WINDOWS\system32\pnkmvhyc.dll",b"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\a-winpoet-service]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="winpppoverethernet"
"hkey"="HKLM"
"command"=""C:\Program Files\DialNet\winpppoverethernet.exe""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Alcmtr]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="ALCMTR"
"hkey"="HKLM"
"command"="ALCMTR.EXE"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="NMBgMonitor"
"hkey"="HKCU"
"command"=""C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\BM07ca9cef]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="felmydcw"
"hkey"="HKLM"
"command"="Rundll32.exe "C:\WINDOWS\system32\felmydcw.dll",s"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\combofix]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="Combobatch"
"hkey"="HKLM"
"command"="C:\WINDOWS\system32\kmd.exe /c C:\ComboFix(2)\Combobatch.bat"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\CTFMON.EXE]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\WINDOWS\system32\ctfmon.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\DAEMON Tools]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="daemon"
"hkey"="HKCU"
"command"=""C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Drmupgds]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="Drmupgds"
"hkey"="HKCU"
"command"="C:\Program Files\Drmupgds\Drmupgds.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\GrooveMonitor]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="GrooveMonitor"
"hkey"="HKLM"
"command"=""C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Host Process]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="svchost"
"hkey"="HKLM"
"command"="C:\WINDOWS\Fonts\svchost.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\KernelFaultCheck]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="dumprep 0 -k"
"hkey"="HKLM"
"command"="%systemroot%\system32\dumprep 0 -k"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MSMSGS]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"=""C:\Program Files\Messenger\msmsgs.exe" /background"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NeroFilterCheck]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\WINDOWS\system32\NeroCheck.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NvCplDaemon]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="NvCpl"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NvMediaCenter]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="NvMcTray"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\nwiz]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /install"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\RTHDCPL]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="RTHDCPL"
"hkey"="HKLM"
"command"="RTHDCPL.EXE"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\runner1]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="mrofinu1188"
"hkey"="HKLM"
"command"="C:\WINDOWS\mrofinu1188.exe 61A847B5BBF72813339330466188719AB689201522886B092CBD44BD8689220221DD3257"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\S3Trayp]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="S3trayp"
"hkey"="HKLM"
"command"="S3trayp.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Skype]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="Skype"
"hkey"="HKCU"
"command"=""C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized"
“inimapping”=“0”
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SkyTel]
“key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run”
“item”=“SkyTel”
“hkey”=“HKLM”
“command”=“SkyTel.EXE”
“inimapping”=“0”
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SunJavaUpdateSched]
“key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run”
“item”=“jusched”
“hkey”=“HKLM”
“command”="“C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe”"
“inimapping”=“0”
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\VTTimer]
“key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run”
“item”=“VTTimer”
“hkey”=“HKLM”
“command”=“VTTimer.exe”
“inimapping”=“0”
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebyyay
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gzwkcomc
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyyyvu
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll
Contents of the ‘Scheduled Tasks’ folder
C:\WINDOWS\tasks\1-Click Maintenance.job
C:\WINDOWS\tasks\Norton Security Scan.job
Completion time: 2009-05-12 21:04:29.33
ComboFix.txt
Follow my previous instruction.
There is no such log; if I do what you say, the whole ComboFix disappears… and only that BUg.txt remains.
Fix what I told you to and do this:
Download Avenger
paste this text into it:
Files to delete:
C:\Program Files\DialNet\WrDialer.exe
C:\WINDOWS\system32\felmydcw.dll
C:\WINDOWS\system32\nhpimshc.exe
C:\WINDOWS\system32\pnkmvhyc.dll
C:\WINDOWS\system32\bonvbsqe.dll
C:\WINDOWS\system32\felmydcw.dll
C:\WINDOWS\system32\iwmuemqg.dll
C:\WINDOWS\system32\rqrjywpa.dll
C:\WINDOWS\system32\yvpneifu.dll
C:\WINDOWS\system32\blgshrcr.dll
C:\WINDOWS\system32\qyiifbyf.dll
C:\WINDOWS\system32\jcugwcaj.dll
C:\WINDOWS\system32\whcgocvy.dll
C:\WINDOWS\system32\beqysgpw.dll
C:\WINDOWS\system32\fpxmwixt.dll
C:\WINDOWS\system32\pbqqtbng.dll
C:\WINDOWS\system32\gnlscmbw.dll
C:\WINDOWS\system32\wjlcahsj.dll
C:\WINDOWS\system32\kxjierry.dll
C:\WINDOWS\system32\pjjeikar.dll
C:\WINDOWS\system32\iodkavwy.dll
Registry keys to delete:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"z-WrDialer"=-
"MSConfig"=-
"BM07ca9cef"=-
"04f9af73"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\BM07ca9cef]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\04f9af73]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\KernelFaultCheck]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\runner1]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebyyay]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gzwkcomc]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyyyvu]
Copy this, click Paste Script from Clipboard, choose Execute, confirm, and agree to the restart by clicking OK.
Manually delete the file C:\Avenger\backup.zip from the disk and paste the report C:\avenger.txt on the forum.
An error popped up: Invalid script. A valid script must begin with a command directive.
Aborting execution!
On 12.05.2008 at 21:54 a post was appended by apollo13
//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////
Platform: Windows XP (build 2600, Dodatek Service Pack 2)
Tue May 12 21:26:42 2009
21:26:42: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!
//////////////////////////////////////////
[The identical pre-processor error ("Invalid script. A valid script must begin with a command directive. Aborting execution!") repeated at 21:26:59, 21:27:03, 21:27:35, 21:28:11, 21:28:14, 21:28:23, 21:28:44, 21:29:08, 21:29:23, 21:30:00, 21:30:20 and 21:30:42.]
Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com
Platform: Windows XP
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
No rootkits found!
Completed script processing.
*******************
Finished! Terminate.
//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////
Platform: Windows XP (build 2600, Dodatek Service Pack 2)
Tue May 12 21:34:39 2009
21:34:39: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!
//////////////////////////////////////////
//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////
Platform: Windows XP (build 2600, Dodatek Service Pack 2)
Tue May 12 21:34:47 2009
21:34:46: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!
//////////////////////////////////////////
Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com
Platform: Windows XP
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
No rootkits found!
Completed script processing.
*******************
Finished! Terminate.
//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////
Platform: Windows XP (build 2600, Dodatek Service Pack 2)
Tue May 12 21:41:05 2009
21:41:05: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!
//////////////////////////////////////////
//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////
Platform: Windows XP (build 2600, Dodatek Service Pack 2)
Tue May 12 21:41:14 2009
21:41:14: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!
//////////////////////////////////////////
//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////
Platform: Windows XP (build 2600, Dodatek Service Pack 2)
Tue May 12 21:41:52 2009
21:41:33: Warning: Trying to solve a NULL hostname: giving up
21:41:35: Error: Could not open input stream to URL:
http:// (error 6: invalid handle.)
21:41:52: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!
//////////////////////////////////////////
Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com
Platform: Windows XP
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
File “C:\Program Files\DialNet\WrDialer.exe” deleted successfully.
File “C:\WINDOWS\system32\felmydcw.dll” deleted successfully.
File “C:\WINDOWS\system32\nhpimshc.exe” deleted successfully.
File “C:\WINDOWS\system32\pnkmvhyc.dll” deleted successfully.
File “C:\WINDOWS\system32\bonvbsqe.dll” deleted successfully.
Error: file “C:\WINDOWS\system32\felmydcw.dll” not found!
Deletion of file “C:\WINDOWS\system32\felmydcw.dll” failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
–> the object does not exist
Error: file “C:\WINDOWS\system32\iwmuemqg.dll” not found!
Deletion of file “C:\WINDOWS\system32\iwmuemqg.dll” failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
–> the object does not exist
File “C:\WINDOWS\system32\rqrjywpa.dll” deleted successfully.
File “C:\WINDOWS\system32\yvpneifu.dll” deleted successfully.
File “C:\WINDOWS\system32\blgshrcr.dll” deleted successfully.
File “C:\WINDOWS\system32\qyiifbyf.dll” deleted successfully.
File “C:\WINDOWS\system32\jcugwcaj.dll” deleted successfully.
File “C:\WINDOWS\system32\whcgocvy.dll” deleted successfully.
File “C:\WINDOWS\system32\beqysgpw.dll” deleted successfully.
File “C:\WINDOWS\system32\fpxmwixt.dll” deleted successfully.
File “C:\WINDOWS\system32\pbqqtbng.dll” deleted successfully.
File “C:\WINDOWS\system32\gnlscmbw.dll” deleted successfully.
File “C:\WINDOWS\system32\wjlcahsj.dll” deleted successfully.
File “C:\WINDOWS\system32\kxjierry.dll” deleted successfully.
File “C:\WINDOWS\system32\pjjeikar.dll” deleted successfully.
File “C:\WINDOWS\system32\iodkavwy.dll” deleted successfully.
Completed script processing.
*******************
Finished! Terminate.
and what should I do now :)??
Post a new ComboFix log.
Open Notepad and paste
save as plik.reg >> all files >> merge with the registry >> restart
a file with this icon will be created
double-click it, confirm that you want to add it to the registry, then restart
then a new ComboFix log
Administrator - 09-05-12 22:10:53,57 Dodatek Service Pack 2
ComboFix 06.09.28 - Running from: “D:\Progsy\programy\Antywiry\Do ręcznej walki z wirusami”
((((((((((((((((((((((((((((((( Files Created from 2009-04-12 to 2009-05-12 ))))))))))))))))))))))))))))))))))
2009-05-12 22:07 806 --a------ C:\plik.reg
2009-05-12 21:54 90,688 --a------ C:\WINDOWS\system32\tvqtxxkv.dll
2009-05-12 21:54 2,112 --a------ C:\WINDOWS\system32\wumwpnmk.exe
2009-05-12 21:51 3,648 --a------ C:\WINDOWS\system32\pdqjnnfh.dll
2009-05-12 21:51 100,416 --a------ C:\WINDOWS\system32\eixfwkvy.dll
2009-05-12 21:24 731,136 --a------ C:\avenger.exe
2009-05-12 21:15 28,160 -ra------ C:\WINDOWS\nircmd.exe
2009-04-17 18:58 356,352 --a------ C:\WINDOWS\system32\nvudisp.exe
2009-04-17 18:57 356,352 --a------ C:\WINDOWS\system32\NVUNINST.EXE
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2009-05-12 22:12 291375 --ahs---- C:\WINDOWS\system32\orutv.ini2
2009-05-12 22:11 -------- d-------- C:\Program Files\DialNet
2009-05-12 22:08 -------- d-------- C:\Documents and Settings\Administrator\Dane aplikacji\uTorrent
2009-05-12 21:50 -------- d-------- C:\Program Files\Mozilla Firefox
2009-05-12 20:16 -------- d-------- C:\Documents and Settings\Administrator\Dane aplikacji\skypePM
2009-05-12 19:14 -------- d-------- C:\Program Files\Norton Security Scan
2009-03-25 18:33 -------- d-------- C:\Program Files\SubEdit-Player
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe”
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“a-winpoet-service”="“C:\Program Files\DialNet\winpppoverethernet.exe”"
“BM07ca9cef”=“Rundll32.exe “C:\WINDOWS\system32\eixfwkvy.dll”,s”
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
“DeskHtmlVersion”=dword:00000110
“DeskHtmlMinorVersion”=dword:00000005
“Settings”=dword:00000001
“GeneralFlags”=dword:00000001
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
“Source”=“About:Home”
“SubscribedURL”=“About:Home”
“FriendlyName”=“Moja bieżąca strona główna”
“Flags”=dword:00000002
“Position”=hex:2c,00,00,00,e6,00,00,00,00,00,00,00,9a,03,00,00,42,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
“CurrentState”=hex:04,00,00,40
“OriginalStateInfo”=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
“RestoredStateInfo”=hex:18,00,00,00,f2,01,00,00,23,00,00,00,7c,00,00,00,72,00,\
00,00,01,00,00,00
[HKEY_USERS.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“CTFMON.EXE”=“C:\WINDOWS\System32\CTFMON.EXE”
[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“CTFMON.EXE”=“C:\WINDOWS\System32\CTFMON.EXE”
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
“{AEB6717E-7E19-11d0-97EE-00C04FD91972}”=""
“{B5A7F190-DDA6-4420-B3BA-52453494E6CD}”=“Groove GFS Stub Execution Hook”
“{E0EA1F31-B58F-47E8-A185-20C52DF9F168}”=""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
“NoDriveTypeAutoRun”=dword:00000091
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
“NTSpool”=“NTSpool.exe”
“Windows Printing Driver”=“WinPrint.exe”
“NT Security Service”=“NTSecurity.exe”
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
“dontdisplaylastusername”=dword:00000000
“legalnoticecaption”=""
“legalnoticetext”=""
“shutdownwithoutlogon”=dword:00000001
“undockwithoutlogon”=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
“NoDriveAutoRun”=dword:03ffffff
“NoDriveTypeAutoRun”=dword:000000ff
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
[HKEY_USERS.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
“NoDriveTypeAutoRun”=dword:00000091
[HKEY_USERS.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]
[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
“NoDriveTypeAutoRun”=dword:00000091
[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
“PostBootReminder”="{7849596a-48ea-486e-8937-a2a3009f31a9}"
“CDBurn”="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
“WebCheck”="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
“SysTray”="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]
“MSMSGS”="“C:\Program Files\Messenger\msmsgs.exe” /background"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]
“MSConfig”=“C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto”
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^Administrator^Menu Start^Programy^Autostart^Tworzenie wycinków ekranu i uruchamianie programu OneNote 2007.lnk]
“path”=“C:\Documents and Settings\Administrator\Menu Start\Programy\Autostart\Tworzenie wycinków ekranu i uruchamianie programu OneNote 2007.lnk”
“backup”=“C:\WINDOWS\pss\Tworzenie wycinków ekranu i uruchamianie programu OneNote 2007.lnkStartup”
“location”=“Startup”
“command”=“C:\PROGRA~1\MICROS~2\Office12\ONENOTEM.EXE /tsr”
“item”=“Tworzenie wycinków ekranu i uruchamianie programu OneNote 2007”
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]
“path”=“C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk”
“backup”=“C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup”
“location”=“Common Startup”
“command”="C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~1.EXE "
“item”=“Adobe Reader Speed Launch”
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]
“key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run”
“item”=“FPLICE~1”
“hkey”=“HKLM”
“command”="“C:\PROGRA~1\DialNet\FPLICE~1.EXE zhimakaimen//WINPOET_QUITTING_EVENT”"
“inimapping”=“0”
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Alcmtr]
“key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run”
“item”=“ALCMTR”
“hkey”=“HKLM”
“command”=“ALCMTR.EXE”
“inimapping”=“0”
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
“key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run”
“item”=“NMBgMonitor”
“hkey”=“HKCU”
“command”="“C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe”"
“inimapping”=“0”
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\combofix]
“key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run”
“item”=“Combobatch”
“hkey”=“HKLM”
“command”=“C:\WINDOWS\system32\kmd.exe /c C:\ComboFix(2)\Combobatch.bat”
“inimapping”=“0”
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\CTFMON.EXE]
“key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run”
“item”=“ctfmon”
“hkey”=“HKCU”
“command”=“C:\WINDOWS\system32\ctfmon.exe”
“inimapping”=“0”
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\DAEMON Tools]
“key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run”
“item”=“daemon”
“hkey”=“HKCU”
“command”="“C:\Program Files\DAEMON Tools\daemon.exe” -lang 1033"
“inimapping”=“0”
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Drmupgds]
“key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run”
“item”=“Drmupgds”
“hkey”=“HKCU”
“command”=“C:\Program Files\Drmupgds\Drmupgds.exe”
“inimapping”=“0”
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\GrooveMonitor]
“key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run”
“item”=“GrooveMonitor”
“hkey”=“HKLM”
“command”="“C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe”"
“inimapping”=“0”
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Host Process]
“key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run”
“item”=“svchost”
“hkey”=“HKLM”
“command”=“C:\WINDOWS\Fonts\svchost.exe”
“inimapping”=“0”
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MSMSGS]
“key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run”
“item”=“msmsgs”
“hkey”=“HKCU”
“command”="“C:\Program Files\Messenger\msmsgs.exe” /background"
“inimapping”=“0”
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NeroFilterCheck]
“key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run”
“item”=“NeroCheck”
“hkey”=“HKLM”
“command”=“C:\WINDOWS\system32\NeroCheck.exe”
“inimapping”=“0”
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NvCplDaemon]
“key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run”
“item”=“NvCpl”
“hkey”=“HKLM”
“command”=“RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup”
“inimapping”=“0”
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NvMediaCenter]
“key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run”
“item”=“NvMcTray”
“hkey”=“HKLM”
“command”=“RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit”
“inimapping”=“0”
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\nwiz]
“key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run”
“item”=“nwiz”
“hkey”=“HKLM”
“command”=“nwiz.exe /install”
“inimapping”=“0”
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\RTHDCPL]
“key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run”
“item”=“RTHDCPL”
“hkey”=“HKLM”
“command”=“RTHDCPL.EXE”
“inimapping”=“0”
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\S3Trayp]
“key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run”
“item”=“S3trayp”
“hkey”=“HKLM”
“command”=“S3trayp.exe”
“inimapping”=“0”
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Skype]
“key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run”
“item”=“Skype”
“hkey”=“HKCU”
“command”="“C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized"
“inimapping”=“0”
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SkyTel]
“key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run”
“item”=“SkyTel”
“hkey”=“HKLM”
“command”=“SkyTel.EXE”
“inimapping”=“0”
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SunJavaUpdateSched]
“key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run”
“item”=“jusched”
“hkey”=“HKLM”
“command”="“C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe”"
“inimapping”=“0”
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\VTTimer]
“key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run”
“item”=“VTTimer”
“hkey”=“HKLM”
“command”=“VTTimer.exe”
“inimapping”=“0”
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebyyay
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll
Contents of the ‘Scheduled Tasks’ folder
C:\WINDOWS\tasks\1-Click Maintenance.job
C:\WINDOWS\tasks\Norton Security Scan.job
Completion time: 2009-05-12 22:13:20.27
ComboFix.txt
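As an added example (not a tool from this thread, and not ComboFix or Avenger code), the following Python script reads a ComboFix-style excerpt and flags the indicators that keep recurring in the logs above: rundll32 loading a freshly created DLL from system32 by a single-letter export, Run values with auto-generated hex names, Winlogon\Notify subkeys that are not stock XP entries, a core binary such as svchost.exe running from outside system32, and the same byte size being re-dropped under a new random file name. The sample log text, the XP Notify allowlist and the list of system-only binaries are assumptions constructed for the example.

```python
"""Triage of HijackThis/ComboFix-style log excerpts for the persistence
patterns this thread's Vundo infection shows. Added example, not a tool from
the thread; the sample lines below are constructed from the logs above."""
import re
from collections import defaultdict

# Constructed excerpt modelled on the "Files Created" and "Reg Loading Points"
# sections of the ComboFix logs in the thread (not a verbatim copy).
SAMPLE_LOG = r"""
2009-05-13 14:59 90,688 --a------ C:\WINDOWS\system32\uieudptr.dll
2009-05-13 14:52 100,928 --a------ C:\WINDOWS\system32\ndioqnog.dll
2009-05-12 21:54 90,688 --a------ C:\WINDOWS\system32\tvqtxxkv.dll
2009-05-12 21:54 2,112 --a------ C:\WINDOWS\system32\wumwpnmk.exe
2009-05-12 21:51 100,416 --a------ C:\WINDOWS\system32\eixfwkvy.dll
2009-04-17 18:58 356,352 --a------ C:\WINDOWS\system32\nvudisp.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"a-winpoet-service"=""C:\Program Files\DialNet\winpppoverethernet.exe""
"BM07ca9cef"="Rundll32.exe "C:\WINDOWS\system32\ndioqnog.dll",s"
"04f9af73"="rundll32.exe "C:\WINDOWS\system32\uieudptr.dll",b"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NvCplDaemon]
"command"="RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Host Process]
"command"="C:\WINDOWS\Fonts\svchost.exe"
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebyyay
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crypt32chain
"""

# Forum pastes of ComboFix output often carry typographic quotes; normalise them.
CURLY = str.maketrans({"\u201c": '"', "\u201d": '"', "\u2018": "'", "\u2019": "'"})

FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) ([\d,]+) (\S+) (.+)$")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?\s*,\s*(\w+)', re.I)
NOTIFY_RE = re.compile(r"\\winlogon\\notify\\([^\\\s\]]+)$", re.I)
VALUE_RE = re.compile(r'^"([^"]+)"=')
HEXNAME_RE = re.compile(r"^(?:BM)?[0-9a-f]{8}$", re.I)
PATH_RE = re.compile(r'[A-Za-z]:\\[^"<>|]+?\.exe\b', re.I)
RANDOM8_RE = re.compile(r"\\system32\\[a-z]{8}\.(?:dll|exe)$", re.I)

# Assumption: Winlogon\Notify subkeys present on a stock XP SP2 install.
# Extend it with drivers/tools you know are legitimate on the box.
XP_NOTIFY_DEFAULTS = {"crypt32chain", "cryptnet", "cscdll", "sccertprop",
                      "schedule", "sclgntfy", "senslogn", "termsrv", "wlballoon"}
# Core binaries that have no business running from anywhere but system32.
SYSTEM_ONLY = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
               "lsass.exe", "svchost.exe"}


def triage(log_text):
    """Return (indicator, subject, evidence) tuples for suspicious log lines."""
    findings, created = [], []
    for raw in log_text.splitlines():
        line = raw.strip().translate(CURLY)
        if not line:
            continue
        m = FILE_RE.match(line)
        if m:  # "Files Created" entry: remember it for cross-referencing
            created.append((m.group(1), m.group(2),
                            int(m.group(3).replace(",", "")), m.group(5)))
            continue
        m = NOTIFY_RE.search(line)
        if m and m.group(1).lower() not in XP_NOTIFY_DEFAULTS:
            findings.append(("winlogon_notify", m.group(1), line))
            continue
        m = RUNDLL_RE.search(line)
        if m and len(m.group(2)) == 1:
            # Vundo's loader shape: rundll32 <random>.dll,<single-letter export>
            findings.append(("rundll32_single_export", m.group(1), line))
        m = VALUE_RE.match(line)
        if m and HEXNAME_RE.match(m.group(1)):
            findings.append(("hex_value_name", m.group(1), line))
        for path in PATH_RE.findall(line):
            folder, _, base = path.rpartition("\\")
            if base.lower() in SYSTEM_ONLY and not folder.lower().endswith("\\system32"):
                findings.append(("system_binary_outside_system32", path, line))

    loaded = {subj.lower() for kind, subj, _ in findings
              if kind == "rundll32_single_export"}
    by_size = defaultdict(list)
    for date, time, size, path in created:
        if path.lower() in loaded:  # dropped recently AND wired into Run
            findings.append(("dropped_then_loaded", path, f"{date} {time} {size}"))
        if RANDOM8_RE.search(path):
            by_size[size].append(path)
    # The same payload re-dropped under a new random name keeps its byte size.
    for size, paths in by_size.items():
        if len(paths) > 1:
            findings.append(("same_size_redrops", str(size), ", ".join(paths)))
    return findings


if __name__ == "__main__":
    for kind, subject, evidence in triage(SAMPLE_LOG):
        print(f"{kind:32} {subject}\n    {evidence}")
```

Run it against a pasted log and the output tells you which loader entry to chase rather than which file to delete: in this thread every cleanup is followed within hours by a new 8-letter DLL of the same size (100,416 / 90,688 / 3,648 / 2,112 bytes) and a rewritten BM07ca9cef or 04f9af73 Run value, which is exactly the re-drop pattern the size grouping surfaces. The name-based heuristics are deliberately narrow (single-letter export, hex value name) because an 8-lowercase-letter file name alone also matches legitimate DLLs.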
Open Notepad and paste
save as CFScript.txt (save it so that the CFScript.txt icon is next to the ComboFix.exe icon) >> Drag and drop the CFScript.txt icon onto the ComboFix.exe icon
http://img.wklej.org/images/88953CFScri … iemoes.gif
Removal should begin
Then the ComboFix removal log
I have a feeling my computer is going to need something stronger, because this virus is terribly stubborn… I'm pasting the current ComboFix log after the previous cleanups:
Administrator - 09-05-13 18:40:08,72 Dodatek Service Pack 2
ComboFix 06.09.28 - Running from: “C:\Documents and Settings\Administrator”
Command switches used :: “D:\Progsy\programy\Antywiry\Do ręcznej walki z wirusami\CFScript.txt”
((((((((((((((((((((((((((((((( Files Created from 2009-04-13 to 2009-05-13 ))))))))))))))))))))))))))))))))))
2009-05-13 14:59 90,688 --a------ C:\WINDOWS\system32\uieudptr.dll
2009-05-13 14:55 2,112 --a------ C:\WINDOWS\system32\rpnokefs.exe
2009-05-13 14:52 3,648 --a------ C:\WINDOWS\system32\qrxltemp.dll
2009-05-13 14:52 100,928 --a------ C:\WINDOWS\system32\ndioqnog.dll
2009-05-13 09:41 2,112 --a------ C:\WINDOWS\system32\lypvtnyb.exe
2009-05-13 09:38 90,688 --------- C:\WINDOWS\system32\qnjbbknl.dll
2009-05-13 09:38 3,648 --a------ C:\WINDOWS\system32\begsxkqw.dll
2009-05-13 09:35 100,416 --a------ C:\WINDOWS\system32\udqwrmfe.dll
2009-05-12 23:16 2,112 --a------ C:\WINDOWS\system32\lnyrxeuf.exe
2009-05-12 23:14 3,648 --a------ C:\WINDOWS\system32\ehkqhmyg.dll
2009-05-12 23:14 100,416 --a------ C:\WINDOWS\system32\fclxajes.dll
2009-05-12 22:07 806 --a------ C:\plik.reg
2009-05-12 21:54 90,688 --a------ C:\WINDOWS\system32\tvqtxxkv.dll
2009-05-12 21:54 2,112 --a------ C:\WINDOWS\system32\wumwpnmk.exe
2009-05-12 21:51 3,648 --a------ C:\WINDOWS\system32\pdqjnnfh.dll
2009-05-12 21:51 100,416 --a------ C:\WINDOWS\system32\eixfwkvy.dll
2009-05-12 21:24 731,136 --a------ C:\avenger.exe
2009-04-17 18:58 356,352 --a------ C:\WINDOWS\system32\nvudisp.exe
2009-04-17 18:57 356,352 --a------ C:\WINDOWS\system32\NVUNINST.EXE
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2009-05-13 18:38 297601 --ahs---- C:\WINDOWS\system32\orutv.ini2
2009-05-13 18:38 -------- d-------- C:\Program Files\Mozilla Firefox
2009-05-13 14:58 -------- d-------- C:\Documents and Settings\Administrator\Dane aplikacji\skypePM
2009-05-13 11:45 -------- d-------- C:\Program Files\DialNet
2009-05-12 22:08 -------- d-------- C:\Documents and Settings\Administrator\Dane aplikacji\uTorrent
2009-05-12 19:14 -------- d-------- C:\Program Files\Norton Security Scan
2009-03-25 18:33 -------- d-------- C:\Program Files\SubEdit-Player
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe”
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“a-winpoet-service”="“C:\Program Files\DialNet\winpppoverethernet.exe”"
“BM07ca9cef”=“Rundll32.exe “C:\WINDOWS\system32\ndioqnog.dll”,s”
“04f9af73”=“rundll32.exe “C:\WINDOWS\system32\uieudptr.dll”,b”
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
“DeskHtmlVersion”=dword:00000110
“DeskHtmlMinorVersion”=dword:00000005
“Settings”=dword:00000001
“GeneralFlags”=dword:00000001
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
“Source”=“About:Home”
“SubscribedURL”=“About:Home”
“FriendlyName”=“Moja bieżąca strona główna”
“Flags”=dword:00000002
“Position”=hex:2c,00,00,00,e6,00,00,00,00,00,00,00,9a,03,00,00,42,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
“CurrentState”=hex:04,00,00,40
“OriginalStateInfo”=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
“RestoredStateInfo”=hex:18,00,00,00,f2,01,00,00,23,00,00,00,7c,00,00,00,72,00,\
00,00,01,00,00,00
[HKEY_USERS.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“CTFMON.EXE”=“C:\WINDOWS\System32\CTFMON.EXE”
[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“CTFMON.EXE”=“C:\WINDOWS\System32\CTFMON.EXE”
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
“{AEB6717E-7E19-11d0-97EE-00C04FD91972}”=""
“{B5A7F190-DDA6-4420-B3BA-52453494E6CD}”=“Groove GFS Stub Execution Hook”
“{E0EA1F31-B58F-47E8-A185-20C52DF9F168}”=""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
“NoDriveTypeAutoRun”=dword:00000091
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
“NTSpool”=“NTSpool.exe”
“Windows Printing Driver”=“WinPrint.exe”
“NT Security Service”=“NTSecurity.exe”
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
“dontdisplaylastusername”=dword:00000000
“legalnoticecaption”=""
“legalnoticetext”=""
“shutdownwithoutlogon”=dword:00000001
“undockwithoutlogon”=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
“NoDriveAutoRun”=dword:03ffffff
“NoDriveTypeAutoRun”=dword:000000ff
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
[HKEY_USERS.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
“NoDriveTypeAutoRun”=dword:00000091
[HKEY_USERS.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]
[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
“NoDriveTypeAutoRun”=dword:00000091
[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
“PostBootReminder”="{7849596a-48ea-486e-8937-a2a3009f31a9}"
“CDBurn”="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
“WebCheck”="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
“SysTray”="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]
“MSMSGS”="“C:\Program Files\Messenger\msmsgs.exe” /background"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]
“MSConfig”=“C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto”
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^Administrator^Menu Start^Programy^Autostart^Tworzenie wycinków ekranu i uruchamianie programu OneNote 2007.lnk]
“path”=“C:\Documents and Settings\Administrator\Menu Start\Programy\Autostart\Tworzenie wycinków ekranu i uruchamianie programu OneNote 2007.lnk”
“backup”=“C:\WINDOWS\pss\Tworzenie wycinków ekranu i uruchamianie programu OneNote 2007.lnkStartup”
“location”=“Startup”
“command”=“C:\PROGRA~1\MICROS~2\Office12\ONENOTEM.EXE /tsr”
“item”=“Tworzenie wycinków ekranu i uruchamianie programu OneNote 2007”
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]
“path”=“C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk”
“backup”=“C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup”
“location”=“Common Startup”
“command”="C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~1.EXE "
“item”=“Adobe Reader Speed Launch”
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]
“key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run”
“item”=“FPLICE~1”
“hkey”=“HKLM”
“command”="“C:\PROGRA~1\DialNet\FPLICE~1.EXE zhimakaimen//WINPOET_QUITTING_EVENT”"
“inimapping”=“0”
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Alcmtr]
“key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run”
“item”=“ALCMTR”
“hkey”=“HKLM”
“command”=“ALCMTR.EXE”
“inimapping”=“0”
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
“key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run”
“item”=“NMBgMonitor”
“hkey”=“HKCU”
“command”="“C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe”"
“inimapping”=“0”
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\combofix]
“key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run”
“item”=“Combobatch”
“hkey”=“HKLM”
“command”=“C:\WINDOWS\system32\kmd.exe /c C:\ComboFix(2)\Combobatch.bat”
“inimapping”=“0”
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\CTFMON.EXE]
“key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run”
“item”=“ctfmon”
“hkey”=“HKCU”
“command”=“C:\WINDOWS\system32\ctfmon.exe”
“inimapping”=“0”
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\DAEMON Tools]
“key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run”
“item”=“daemon”
“hkey”=“HKCU”
“command”="“C:\Program Files\DAEMON Tools\daemon.exe” -lang 1033"
“inimapping”=“0”
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Drmupgds]
“key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run”
“item”=“Drmupgds”
“hkey”=“HKCU”
“command”=“C:\Program Files\Drmupgds\Drmupgds.exe”
“inimapping”=“0”
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\GrooveMonitor]
“key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run”
“item”=“GrooveMonitor”
“hkey”=“HKLM”
“command”="“C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe”"
“inimapping”=“0”
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Host Process]
“key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run”
“item”=“svchost”
“hkey”=“HKLM”
“command”=“C:\WINDOWS\Fonts\svchost.exe”
“inimapping”=“0”
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MSMSGS]
“key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run”
“item”=“msmsgs”
“hkey”=“HKCU”
“command”="“C:\Program Files\Messenger\msmsgs.exe” /background"
“inimapping”=“0”
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NeroFilterCheck]
“key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run”
“item”=“NeroCheck”
“hkey”=“HKLM”
“command”=“C:\WINDOWS\system32\NeroCheck.exe”
“inimapping”=“0”
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NvCplDaemon]
“key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run”
“item”=“NvCpl”
“hkey”=“HKLM”
“command”=“RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup”
“inimapping”=“0”
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NvMediaCenter]
“key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run”
“item”=“NvMcTray”
“hkey”=“HKLM”
“command”=“RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit”
“inimapping”=“0”
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\nwiz]
“key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run”
“item”=“nwiz”
“hkey”=“HKLM”
“command”=“nwiz.exe /install”
“inimapping”=“0”
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\RTHDCPL]
“key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run”
“item”=“RTHDCPL”
“hkey”=“HKLM”
“command”=“RTHDCPL.EXE”
“inimapping”=“0”
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\S3Trayp]
“key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run”
“item”=“S3trayp”
“hkey”=“HKLM”
“command”=“S3trayp.exe”
“inimapping”=“0”
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Skype]
“key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run”
“item”=“Skype”
“hkey”=“HKCU”
“command”="“C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized"
“inimapping”=“0”
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SkyTel]
“key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run”
“item”=“SkyTel”
“hkey”=“HKLM”
“command”=“SkyTel.EXE”
“inimapping”=“0”
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SunJavaUpdateSched]
“key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run”
“item”=“jusched”
“hkey”=“HKLM”
“command”="“C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe”"
“inimapping”=“0”
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\VTTimer]
“key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run”
“item”=“VTTimer”
“hkey”=“HKLM”
“command”=“VTTimer.exe”
“inimapping”=“0”
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebyyay
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\1-Click Maintenance.job
C:\WINDOWS\tasks\Norton Security Scan.job
Completion time: 2009-05-13 18:42:12.02
ComboFix.txt
Download ComboFix, but do not run it yet.
Paste the following into Notepad:
File::
C:\WINDOWS\system32\uieudptr.dll
C:\WINDOWS\system32\rpnokefs.exe
C:\WINDOWS\system32\qrxltemp.dll
C:\WINDOWS\system32\ndioqnog.dll
C:\WINDOWS\system32\lypvtnyb.exe
C:\WINDOWS\system32\qnjbbknl.dll
C:\WINDOWS\system32\begsxkqw.dll
C:\WINDOWS\system32\udqwrmfe.dll
C:\WINDOWS\system32\lnyrxeuf.exe
C:\WINDOWS\system32\ehkqhmyg.dll
C:\WINDOWS\system32\fclxajes.dll
C:\WINDOWS\system32\tvqtxxkv.dll
C:\WINDOWS\system32\wumwpnmk.exe
C:\WINDOWS\system32\pdqjnnfh.dll
C:\WINDOWS\system32\eixfwkvy.dll
C:\\WINDOWS\\system32\\ndioqnog.dll
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"a-winpoet-service"=-
"BM07ca9cef"=-
"04f9af73"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebyyay]
File -> Save As -> CFScript.txt (it is most convenient to save it in a location where the CFScript.txt icon ends up next to the ComboFix.exe icon)
Drag and drop the CFScript.txt icon onto the ComboFix.exe icon, as shown here ->
Removal will begin and a log will be produced; post that log on the forum.
Post the logs at http://www.wklej.org
This is the current LOG
ComboFix 08-05-12.1 - Administrator 2008-05-13 18:55:35.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.31 [GMT 2:00]
Running from: C:\Documents and Settings\Administrator\Pulpit\Combo-Fix.exe
Command switches used :: D:\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED
FILE ::
C:\WINDOWS\system32\eixfwkvy.dll
C:\WINDOWS\system32\orutv.ini2
C:\WINDOWS\system32\pdqjnnfh.dll
C:\WINDOWS\system32\tvqtxxkv.dll
C:\WINDOWS\system32\wumwpnmk.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Menu Start\Programy\BulletProofSoft.com
C:\Documents and Settings\All Users\Menu Start\Programy\BulletProofSoft.com\Youtube Google Video Grabber\Help.lnk
C:\Documents and Settings\All Users\Menu Start\Programy\BulletProofSoft.com\Youtube Google Video Grabber\Uninstall.lnk
C:\Documents and Settings\All Users\Menu Start\Programy\BulletProofSoft.com\Youtube Google Video Grabber\Video Grabber.lnk
C:\Program Files\BulletProofSoft.com
C:\Program Files\BulletProofSoft.com\Youtube Google Video Grabber\Clip.exe
C:\Program Files\BulletProofSoft.com\Youtube Google Video Grabber\Help.chm
C:\Program Files\BulletProofSoft.com\Youtube Google Video Grabber\Main.swf
C:\Program Files\BulletProofSoft.com\Youtube Google Video Grabber\Parse.wvi
C:\Program Files\BulletProofSoft.com\Youtube Google Video Grabber\unins000.dat
C:\Program Files\BulletProofSoft.com\Youtube Google Video Grabber\unins000.exe
C:\Program Files\BulletProofSoft.com\Youtube Google Video Grabber\YG VideoGrabber.exe
C:\Program Files\Drmupgds
C:\Program Files\Drmupgds\Drmupgds.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\aavwlwql.dll
C:\WINDOWS\system32\akheacje.dll
C:\WINDOWS\system32\aniptfhd.dll
C:\WINDOWS\system32\apijjsan.ini
C:\WINDOWS\system32\apuhnsdd.dll
C:\WINDOWS\system32\bcmfrpjr.dll
C:\WINDOWS\system32\begsxkqw.dll
C:\WINDOWS\system32\beifvggw.ini
C:\WINDOWS\system32\bihcskeu.dll
C:\WINDOWS\system32\bqgugnqh.ini
C:\WINDOWS\system32\bufwonjb.ini
C:\WINDOWS\system32\bvelxfcj.dll
C:\WINDOWS\system32\bvuuswdw.dll
C:\WINDOWS\system32\bxkpqqlc.dll
C:\WINDOWS\system32\bymdtjaq.dll
C:\WINDOWS\system32\caidpdhp.dll
C:\WINDOWS\system32\chysftqg.ini
C:\WINDOWS\system32\clqqpkxb.ini
C:\WINDOWS\system32\cmresqfu.ini
C:\WINDOWS\system32\cuwecadn.ini
C:\WINDOWS\system32\cvqsgbps.ini
C:\WINDOWS\system32\cyhvmknp.ini
C:\WINDOWS\system32\cyjhbnml.dll
C:\WINDOWS\system32\dernrfwu.dll
C:\WINDOWS\system32\dggowgjt.ini
C:\WINDOWS\system32\dretodsw.ini
C:\WINDOWS\system32\dtmauikv.ini
C:\WINDOWS\system32\dviuxvwp.ini
C:\WINDOWS\system32\ecjbgvsh.dll
C:\WINDOWS\system32\efccddc.dll
C:\WINDOWS\system32\egwadgli.ini
C:\WINDOWS\system32\ehkqhmyg.dll
C:\WINDOWS\system32\eixfwkvy.dll
C:\WINDOWS\system32\ejviqqoo.ini
C:\WINDOWS\system32\elcknrlq.dll
C:\WINDOWS\system32\entodjgx.ini
C:\WINDOWS\system32\eqehehuh.dll
C:\WINDOWS\system32\eracrgec.ini
C:\WINDOWS\system32\esixwscq.ini
C:\WINDOWS\system32\euwqgnxh.dll
C:\WINDOWS\system32\eycgjtjy.ini
C:\WINDOWS\system32\facrpfdn.dll
C:\WINDOWS\system32\fclxajes.dll
C:\WINDOWS\system32\fnvurqte.dll
C:\WINDOWS\system32\gebyyay.dll
C:\WINDOWS\system32\geedc.dll
C:\WINDOWS\system32\gjcbgglb.ini
C:\WINDOWS\system32\gqieeirq.dll
C:\WINDOWS\system32\gqjecwfs.dll
C:\WINDOWS\system32\gqmeumwi.ini
C:\WINDOWS\system32\gtavfgui.ini
C:\WINDOWS\system32\gwkjpcrc.ini
C:\WINDOWS\system32\hdloddeo.dll
C:\WINDOWS\system32\hvaqnowt.dll
C:\WINDOWS\system32\hwssmffp.dll
C:\WINDOWS\system32\iifccab.dll
C:\WINDOWS\system32\ixaqmnog.ini
C:\WINDOWS\system32\jafcwrtu.ini
C:\WINDOWS\system32\jjfbpwho.ini
C:\WINDOWS\system32\jjsroccy.dll
C:\WINDOWS\system32\jkkjiij.dll
C:\WINDOWS\system32\jkklmno.dll
C:\WINDOWS\system32\jxwximap.ini
C:\WINDOWS\system32\kcpsfmmo.dll
C:\WINDOWS\system32\knvtpxml.ini
C:\WINDOWS\system32\kptfhhoi.ini
C:\WINDOWS\system32\krijxiyu.ini
C:\WINDOWS\system32\krwefgjs.dll
C:\WINDOWS\system32\ktwykknx.ini
C:\WINDOWS\system32\kujmvxmu.ini
C:\WINDOWS\system32\kvaifgku.ini
C:\WINDOWS\system32\kyaotroj.dll
C:\WINDOWS\system32\lhpmyukr.ini
C:\WINDOWS\system32\ljjhhhf.dll
C:\WINDOWS\system32\llywnwya.dll
C:\WINDOWS\system32\lmxptvnk.dll
C:\WINDOWS\system32\lnkbbjnq.ini
C:\WINDOWS\system32\ltiegwva.dll
C:\WINDOWS\system32\mcbyylbl.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mgumyini.dll
C:\WINDOWS\system32\mpdhfdkj.dll
C:\WINDOWS\system32\nbrithec.dll
C:\WINDOWS\system32\ndioqnog.dll
C:\WINDOWS\system32\ndytdude.dll
C:\WINDOWS\system32\nncytsan.ini
C:\WINDOWS\system32\nnnklll.dll
C:\WINDOWS\system32\nnvteqhr.ini
C:\WINDOWS\system32\nqpmiusm.dll
C:\WINDOWS\system32\nrojhnqf.dll
C:\WINDOWS\system32\NTSpool.exe
C:\WINDOWS\system32\nxagaxxv.dll
C:\WINDOWS\system32\nykrapif.dll
C:\WINDOWS\system32\obdibojg.dll
C:\WINDOWS\system32\oewkeajf.ini
C:\WINDOWS\system32\ommfspck.ini
C:\WINDOWS\system32\opnolkl.dll
C:\WINDOWS\system32\orutv.ini
C:\WINDOWS\system32\orutv.ini2
C:\WINDOWS\system32\paykjyei.dll
C:\WINDOWS\system32\pdqjnnfh.dll
C:\WINDOWS\system32\pevmwmnd.dll
C:\WINDOWS\system32\phdpdiac.ini
C:\WINDOWS\system32\pktirosb.ini
C:\WINDOWS\system32\qevlrhxv.dll
C:\WINDOWS\system32\qnjbbknl.dll
C:\WINDOWS\system32\qnpbmtku.dll
C:\WINDOWS\system32\qomljgh.dll
C:\WINDOWS\system32\qphpbpvk.dll
C:\WINDOWS\system32\qrxltemp.dll
C:\WINDOWS\system32\qwmsymso.dll
C:\WINDOWS\system32\qwpqpuyk.dll
C:\WINDOWS\system32\qxhqtxwf.dll
C:\WINDOWS\system32\rabemuae.ini
C:\WINDOWS\system32\rcrrtoig.ini
C:\WINDOWS\system32\rfmtobkj.dll
C:\WINDOWS\system32\rhqetvnn.dll
C:\WINDOWS\system32\rhuolbny.ini
C:\WINDOWS\system32\rkuymphl.dll
C:\WINDOWS\system32\rnjwgckx.ini
C:\WINDOWS\system32\rqrrqqq.dll
C:\WINDOWS\system32\rtpdueiu.ini
C:\WINDOWS\system32\sbqoyjsg.dll
C:\WINDOWS\system32\sducsjdf.ini
C:\WINDOWS\system32\shirwxic.dll
C:\WINDOWS\system32\skednsjs.dll
C:\WINDOWS\system32\sknodasc.dll
C:\WINDOWS\system32\smcvdkmn.dll
C:\WINDOWS\system32\smrubfxn.ini
C:\WINDOWS\system32\snvfvdmr.ini
C:\WINDOWS\system32\sqwexhnv.dll
C:\WINDOWS\system32\tkcqpgyd.dll
C:\WINDOWS\system32\tpcpivcw.dll
C:\WINDOWS\system32\tphntoui.dll
C:\WINDOWS\system32\tvqtxxkv.dll
C:\WINDOWS\system32\twwlantb.ini
C:\WINDOWS\system32\txjmtmkm.dll
C:\WINDOWS\system32\uakeyyom.dll
C:\WINDOWS\system32\ucbxneoy.ini
C:\WINDOWS\system32\udqwrmfe.dll
C:\WINDOWS\system32\uekschib.ini
C:\WINDOWS\system32\ufmaafdm.dll
C:\WINDOWS\system32\uieudptr.dll
C:\WINDOWS\system32\undyguut.ini
C:\WINDOWS\system32\unrufkrb.ini
C:\WINDOWS\system32\uprrffub.ini
C:\WINDOWS\system32\upuqrlxj.dll
C:\WINDOWS\system32\uqxnctte.dll
C:\WINDOWS\system32\vcvhxbcs.ini
C:\WINDOWS\system32\vhsanqfh.dll
C:\WINDOWS\system32\vkxxtqvt.ini
C:\WINDOWS\system32\vokhqmkv.ini
C:\WINDOWS\system32\vturo.dll
C:\WINDOWS\system32\vxhrlveq.ini
C:\WINDOWS\system32\vxsyymjc.ini
C:\WINDOWS\system32\wdynevbf.dll
C:\WINDOWS\system32\wflmarjk.dll
C:\WINDOWS\system32\wldoelkm.dll
C:\WINDOWS\system32\wmosnvsr.dll
C:\WINDOWS\system32\wrmpxoio.dll
C:\WINDOWS\system32\wsdoterd.dll
C:\WINDOWS\system32\wumwpnmk.exe
C:\WINDOWS\system32\wxofhuur.ini
C:\WINDOWS\system32\wynwduge.dll
C:\WINDOWS\system32\xddndnkc.dll
C:\WINDOWS\system32\xkspgudu.dll
C:\WINDOWS\system32\xopgynwc.ini
C:\WINDOWS\system32\xxywwxw.dll
C:\WINDOWS\system32\xxyyyvu.dll
C:\WINDOWS\system32\ycgmksvv.dll
C:\WINDOWS\system32\yoenxbcu.dll
C:\WINDOWS\system32\yqgctrfs.ini
.
((((((((((((((((((((((((( Files Created from 2008-04-13 to 2008-05-13 )))))))))))))))))))))))))))))))
.
2010-05-12 13:46 . 2010-05-12 13:46 2,112 --a------ C:\WINDOWS\system32\iycjpiar.exe
2010-05-12 13:19 . 2010-05-12 13:19 2,112 --a------ C:\WINDOWS\system32\irpghjdl.exe
2010-05-12 09:07 . 2009-05-13 11:45
2010-05-12 09:07 . 2007-07-04 16:27 1,056,768 --a------ C:\WINDOWS\system32\ROBOEX32.DLL
2009-05-13 18:36 . 2009-05-13 18:37
2009-05-13 14:55 . 2009-05-13 14:55 2,112 --a------ C:\WINDOWS\system32\rpnokefs.exe
2009-05-13 09:41 . 2009-05-13 09:41 2,112 --a------ C:\WINDOWS\system32\lypvtnyb.exe
2009-05-12 23:16 . 2009-05-12 23:16 2,112 --a------ C:\WINDOWS\system32\lnyrxeuf.exe
2009-05-12 22:07 . 2009-05-12 22:07 806 --a------ C:\plik.reg
2009-05-12 21:24 . 2009-05-12 21:24 731,136 --a------ C:\avenger.exe
2009-05-12 19:59 . 2009-05-12 19:59
2009-04-17 18:59 . 2009-04-17 20:38 138,893 --a------ C:\WINDOWS\system32\nvapps.xml
2009-04-17 18:58 . 2009-04-17 18:58
2009-04-17 18:58 . 2007-09-16 19:07 356,352 --a------ C:\WINDOWS\system32\nvudisp.exe
2009-04-17 18:58 . 2007-09-16 19:07 17,525 --a------ C:\WINDOWS\system32\nvdisp.nvu
2009-04-17 18:57 . 2007-09-17 02:10 356,352 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2009-03-19 22:32 . 2009-03-19 22:32
2008-05-13 18:50 . 2008-05-13 18:50 2,112 --a------ C:\WINDOWS\system32\gvgefljd.exe
2008-04-30 20:03 . 2008-04-30 20:46
2008-04-30 19:44 . 2008-04-30 19:44
2008-04-14 13:26 . 2008-04-14 13:29
2008-04-14 13:23 . 2008-04-14 13:23
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-12 17:05 --------- d-----w C:\Documents and Settings\Administrator\Dane aplikacji\MSN6
2010-05-12 17:04 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\MSN6
2010-05-12 12:58 --------- d-----w C:\Program Files\SkanerOnline
2010-05-12 07:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2010-05-12 07:06 --------- d-----w C:\Documents and Settings\Administrator\Dane aplikacji\InstallShield
2009-05-13 12:59 --------- d-----w C:\Documents and Settings\Administrator\Dane aplikacji\Skype
2009-05-13 12:58 --------- d-----w C:\Documents and Settings\Administrator\Dane aplikacji\skypePM
2009-05-12 20:08 --------- d-----w C:\Documents and Settings\Administrator\Dane aplikacji\uTorrent
2009-05-12 17:59 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab
2009-05-12 17:14 --------- d-----w C:\Program Files\Norton Security Scan
2009-04-17 18:38 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\nView_Profiles
2009-03-25 16:33 --------- d-----w C:\Program Files\SubEdit-Player
2008-05-13 17:02 --------- d---a-w C:\Documents and Settings\All Users\Dane aplikacji\TEMP
2007-12-09 16:01 32 ----a-w C:\Documents and Settings\All Users\Dane aplikacji\ezsid.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0672fff3-cb8a-4c72-99a7-02de1cffc342}]
C:\WINDOWS\system32\rqrjywpa.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-04 01:44 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“a-winpoet-service”=“C:\Program Files\DialNet\winpppoverethernet.exe” [2007-07-06 08:40 405504]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
“CTFMON.EXE”=“C:\WINDOWS\System32\CTFMON.EXE” [2004-08-04 01:44 15360]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
“Windows Printing Driver”= WinPrint.exe
“NT Security Service”= NTSecurity.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
“VIDC.YV12”= yv12vfw.dll
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Menu Start^Programy^Autostart^Tworzenie wycinków ekranu i uruchamianie programu OneNote 2007.lnk]
path=C:\Documents and Settings\Administrator\Menu Start\Programy\Autostart\Tworzenie wycinków ekranu i uruchamianie programu OneNote 2007.lnk
backup=C:\WINDOWS\pss\Tworzenie wycinków ekranu i uruchamianie programu OneNote 2007.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
--a------ 2007-07-04 16:27 110592 C:\PROGRA~1\DialNet\FPLICE~1.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2005-05-03 19:43 69632 C:\WINDOWS\Alcmtr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\combofix]
C:\WINDOWS\system32\kmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2004-08-04 01:44 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2007-04-04 00:29 165784 C:\Program Files\DAEMON Tools\daemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Drmupgds]
C:\Program Files\Drmupgds\Drmupgds.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-27 01:47 31016 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Host Process]
C:\WINDOWS\Fonts\svchost.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-08-04 01:44 1667584 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-09-16 19:07 8491008 C:\WINDOWS\system32\NvCpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-09-16 19:07 81920 C:\WINDOWS\system32\NvMcTray.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-09-16 19:07 1626112 C:\WINDOWS\system32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2007-06-13 15:49 16377344 C:\WINDOWS\RTHDCPL.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\S3Trayp]
-ra------ 2007-02-06 01:30 176128 C:\WINDOWS\system32\S3Trayp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2007-11-12 16:51 21877544 C:\Program Files\Skype\Phone\Skype.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
--a------ 2007-06-15 17:45 1826816 C:\WINDOWS\SkyTel.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 02:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
-ra------ 2006-09-21 10:36 53248 C:\WINDOWS\system32\VTTimer.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
“MSMSGS”=“C:\Program Files\Messenger\msmsgs.exe” /background
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
“MSConfig”=C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
“AntiVirusDisableNotify”=dword:00000001
“UpdatesDisableNotify”=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
“EnableFirewall”= 0 (0x0)
R0 ViBus;ViBus;C:\WINDOWS\system32\DRIVERS\ViBus.sys [2007-03-26 09:26]
R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2007-03-29 05:36]
R0 ViPrt;VIA SATA IDE Device Driver;C:\WINDOWS\system32\DRIVERS\ViPrt.sys [2007-03-26 09:26]
R2 TopWinPoETDriver;WinPoET PPPoE Optimized Driver;C:\WINDOWS\system32\DRIVERS\WrKPoET2000.sys [2007-07-04 16:27]
R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2007-02-27 10:14]
R3 FPD;Fine Point Packet Service;C:\WINDOWS\system32\drivers\fpd.sys [2007-07-04 16:27]
R3 S3GIGP;S3GIGP;C:\WINDOWS\system32\DRIVERS\S3gIGPm.sys [2007-03-05 03:54]
R3 WrKPoET2000;WrKPoET2000;C:\Program Files\DialNet\WrKPoET2000.sys [2007-07-04 16:27]
R3 WRSWanDD;WinPoET PPPoE Adapter;C:\WINDOWS\system32\DRIVERS\WrKPoETNic2000.sys [2007-07-04 16:27]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder
"2008-05-07 17:44:01 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
"2009-05-12 17:16:32 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-13 19:02:07
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
scanning hidden processes …
scanning hidden autostart entries …
scanning hidden files …
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\scardsvr.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\system32\sessmgr.exe
C:\WINDOWS\system32\tlntsvr.exe
C:\WINDOWS\system32\vssvc.exe
C:\Program Files\DialNet\WrOS.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-05-13 19:05:19 - machine was rebooted [Administrator]
ComboFix-quarantined-files.txt 2008-05-13 17:05:13
ComboFix2.txt 2009-05-13 16:42:12
Pre-Run: 7,738,007,552 bajtów wolnych
Post-Run: 7,659,008,000 bajtów wolnych
368
Download ComboFix, but do not run it yet.
Paste the following into Notepad:
File::
C:\WINDOWS\system32\iycjpiar.exe
C:\WINDOWS\system32\irpghjdl.exe
C:\WINDOWS\system32\rpnokefs.exe
C:\WINDOWS\system32\lypvtnyb.exe
C:\WINDOWS\system32\lnyrxeuf.exe
C:\WINDOWS\system32\gvgefljd.exe
C:\WINDOWS\system32\rqrjywpa.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0672fff3-cb8a-4c72-99a7-02de1cffc342}]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
File -> Save As -> CFScript.txt (it is most convenient to save it in a location where the CFScript.txt icon ends up next to the ComboFix.exe icon)
Drag and drop the CFScript.txt icon onto the ComboFix.exe icon, as shown here ->
Removal will begin and a log will be produced; post that log on the forum.
Post the logs at http://www.wklej.org
I THINK IT'S OK NOW, RIGHT??
ComboFix 08-05-12.1 - Administrator 2008-05-13 19:43:07.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.53 [GMT 2:00]
Running from: C:\Documents and Settings\Administrator\Pulpit\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Pulpit\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED
.
((((((((((((((((((((((((( Files Created from 2008-04-13 to 2008-05-13 )))))))))))))))))))))))))))))))
.
2010-05-12 13:46 . 2010-05-12 13:46 2,112 --a------ C:\WINDOWS\system32\iycjpiar.exe
2010-05-12 13:19 . 2010-05-12 13:19 2,112 --a------ C:\WINDOWS\system32\irpghjdl.exe
2010-05-12 09:07 . 2008-05-13 19:34
2010-05-12 09:07 . 2007-07-04 16:27 1,056,768 --a------ C:\WINDOWS\system32\ROBOEX32.DLL
2009-05-13 14:55 . 2009-05-13 14:55 2,112 --a------ C:\WINDOWS\system32\rpnokefs.exe
2009-05-13 09:41 . 2009-05-13 09:41 2,112 --a------ C:\WINDOWS\system32\lypvtnyb.exe
2009-05-12 23:16 . 2009-05-12 23:16 2,112 --a------ C:\WINDOWS\system32\lnyrxeuf.exe
2009-05-12 22:07 . 2009-05-12 22:07 806 --a------ C:\plik.reg
2009-05-12 21:24 . 2009-05-12 21:24 731,136 --a------ C:\avenger.exe
2009-05-12 19:59 . 2009-05-12 19:59
2009-04-17 18:59 . 2009-04-17 20:38 138,893 --a------ C:\WINDOWS\system32\nvapps.xml
2009-04-17 18:58 . 2009-04-17 18:58
2009-04-17 18:58 . 2007-09-16 19:07 356,352 --a------ C:\WINDOWS\system32\nvudisp.exe
2009-04-17 18:58 . 2007-09-16 19:07 17,525 --a------ C:\WINDOWS\system32\nvdisp.nvu
2009-04-17 18:57 . 2007-09-17 02:10 356,352 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2009-03-19 22:32 . 2009-03-19 22:32
2008-05-13 18:50 . 2008-05-13 18:50 2,112 --a------ C:\WINDOWS\system32\gvgefljd.exe
2008-04-30 20:03 . 2008-04-30 20:46
2008-04-30 19:44 . 2008-04-30 19:44
2008-04-14 13:26 . 2008-04-14 13:29
2008-04-14 13:23 . 2008-04-14 13:23
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-12 17:05 --------- d-----w C:\Documents and Settings\Administrator\Dane aplikacji\MSN6
2010-05-12 17:04 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\MSN6
2010-05-12 12:58 --------- d-----w C:\Program Files\SkanerOnline
2010-05-12 07:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2010-05-12 07:06 --------- d-----w C:\Documents and Settings\Administrator\Dane aplikacji\InstallShield
2009-05-13 12:59 --------- d-----w C:\Documents and Settings\Administrator\Dane aplikacji\Skype
2009-05-13 12:58 --------- d-----w C:\Documents and Settings\Administrator\Dane aplikacji\skypePM
2009-05-12 20:08 --------- d-----w C:\Documents and Settings\Administrator\Dane aplikacji\uTorrent
2009-05-12 17:59 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab
2009-05-12 17:14 --------- d-----w C:\Program Files\Norton Security Scan
2009-04-17 18:38 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\nView_Profiles
2009-03-25 16:33 --------- d-----w C:\Program Files\SubEdit-Player
2008-05-13 17:33 --------- d---a-w C:\Documents and Settings\All Users\Dane aplikacji\TEMP
2008-03-05 19:50 32,256 ----a-w C:\WINDOWS\system32\NTSecurity.exe
2007-12-09 16:01 32 ----a-w C:\Documents and Settings\All Users\Dane aplikacji\ezsid.dat
.
((((((((((((((((((((((((((((( snapshot@2008-05-13_19.04.51.07 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-13 17:01:39 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-05-13 17:33:20 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2010-05-12 12:54:08 40,972 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-05-13 17:07:48 40,972 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2010-05-12 12:54:08 50,968 ----a-w C:\WINDOWS\system32\perfc015.dat
- 2008-05-13 17:07:48 50,968 ----a-w C:\WINDOWS\system32\perfc015.dat
- 2010-05-12 12:54:08 314,644 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2008-05-13 17:07:48 314,644 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2010-05-12 12:54:08 359,178 ----a-w C:\WINDOWS\system32\perfh015.dat
- 2008-05-13 17:07:48 359,178 ----a-w C:\WINDOWS\system32\perfh015.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“a-winpoet-service”=“C:\Program Files\DialNet\winpppoverethernet.exe” [2007-07-06 08:40 405504]
“MSConfig”=“C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.exe” [2004-08-04 01:44 159744]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
“CTFMON.EXE”=“C:\WINDOWS\System32\CTFMON.EXE” [2004-08-04 01:44 15360]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
“Windows Printing Driver”= WinPrint.exe
“NT Security Service”= NTSecurity.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
“VIDC.YV12”= yv12vfw.dll
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Menu Start^Programy^Autostart^Tworzenie wycinków ekranu i uruchamianie programu OneNote 2007.lnk]
path=C:\Documents and Settings\Administrator\Menu Start\Programy\Autostart\Tworzenie wycinków ekranu i uruchamianie programu OneNote 2007.lnk
backup=C:\WINDOWS\pss\Tworzenie wycinków ekranu i uruchamianie programu OneNote 2007.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
--a------ 2007-07-04 16:27 110592 C:\PROGRA~1\DialNet\FPLICE~1.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2005-05-03 19:43 69632 C:\WINDOWS\Alcmtr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\combofix]
C:\WINDOWS\system32\kmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2004-08-04 01:44 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2007-04-04 00:29 165784 C:\Program Files\DAEMON Tools\daemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Drmupgds]
C:\Program Files\Drmupgds\Drmupgds.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-27 01:47 31016 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Host Process]
C:\WINDOWS\Fonts\svchost.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-08-04 01:44 1667584 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-09-16 19:07 8491008 C:\WINDOWS\system32\NvCpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-09-16 19:07 81920 C:\WINDOWS\system32\NvMcTray.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-09-16 19:07 1626112 C:\WINDOWS\system32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2007-06-13 15:49 16377344 C:\WINDOWS\RTHDCPL.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\S3Trayp]
-ra------ 2007-02-06 01:30 176128 C:\WINDOWS\system32\S3Trayp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2007-11-12 16:51 21877544 C:\Program Files\Skype\Phone\Skype.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
--a------ 2007-06-15 17:45 1826816 C:\WINDOWS\SkyTel.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 02:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
-ra------ 2006-09-21 10:36 53248 C:\WINDOWS\system32\VTTimer.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"MSConfig"=C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
R0 ViBus;ViBus;C:\WINDOWS\system32\DRIVERS\ViBus.sys [2007-03-26 09:26]
R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2007-03-29 05:36]
R0 ViPrt;VIA SATA IDE Device Driver;C:\WINDOWS\system32\DRIVERS\ViPrt.sys [2007-03-26 09:26]
R2 TopWinPoETDriver;WinPoET PPPoE Optimized Driver;C:\WINDOWS\system32\DRIVERS\WrKPoET2000.sys [2007-07-04 16:27]
R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2007-02-27 10:14]
R3 FPD;Fine Point Packet Service;C:\WINDOWS\system32\drivers\fpd.sys [2007-07-04 16:27]
R3 S3GIGP;S3GIGP;C:\WINDOWS\system32\DRIVERS\S3gIGPm.sys [2007-03-05 03:54]
R3 WrKPoET2000;WrKPoET2000;C:\Program Files\DialNet\WrKPoET2000.sys [2007-07-04 16:27]
R3 WRSWanDD;WinPoET PPPoE Adapter;C:\WINDOWS\system32\DRIVERS\WrKPoETNic2000.sys [2007-07-04 16:27]
S4 UxTuneUp;TuneUp Design Expansion;C:\WINDOWS\System32\svchost.exe [2004-08-04 01:44]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-05-07 17:44:01 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
"2009-05-12 17:16:32 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-13 19:44:50
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-05-13 19:46:39
ComboFix-quarantined-files.txt 2008-05-13 17:46:36
ComboFix2.txt 2009-05-13 16:42:12
Pre-Run: 7,637,659,648 bajtów wolnych
Post-Run: 7,631,417,344 bajtów wolnych
165