CyraX_X
(Jinx83)
4 March 2007 09:10
#1
I scanned my sister's computer and these gems turned up:
Win32/TrojanProxy.Dlena trojan
located in a great many files in the system32 directory, e.g.
C:\WINDOWS\system32\58143122ld.exe
NOD32 could not clean the files, only delete them - I left them alone because I don't know what these files are for :roll:
Everything else has been removed/repaired, only this trojan remains; the computer was scanned with:
Ad-Aware SE Personal
Spybot Search & Destroy
jv16 PowerTools
Nod32
WWDC - all ports closed
Firewalls: ZoneAlarm + the built-in SP2 firewall
Trojan.Vundo Removal Tool 1.5.0 found nothing
VundoFix V4.2.22 found nothing
Kaspersky Online Scanner also detected it, but I don't think it has a remove/clean option.
Logfile of HijackThis v1.99.1
Scan saved at 09:59:10, on 2007-03-04
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Trust\Trust keyboard utility\1.1\nhksrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Trust\Trust keyboard utility\1.1\OFFICEKB.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trust\Trust keyboard utility\1.1\MMKEYB.EXE
C:\Program Files\Trust\Trust keyboard utility\1.1\TrayMon.exe
C:\Program Files\Trust\Trust keyboard utility\1.1\osd.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe
D:\Michał_pliki\System_rec\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wp.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM…\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM…\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM…\Run: [FLMOFFICEKEYBOARD] C:\Program Files\Trust\Trust keyboard utility\1.1\OFFICEKB.exe
O4 - HKLM…\Run: [soundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM…\Run: [soundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM…\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM…\Run: [jv16PT - Privacy Protector] C:\Program Files\jv16 PowerTools 2006\jv16PT.exe -ExecTask "C:\Program Files\jv16 PowerTools 2006\Tasks_PrivacyProtector\Task.jvb"
O4 - HKLM…\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM…\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU…\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU…\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O8 - Extra context menu item: Eksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.pl/resources/virus … nicode.cab
O16 - DPF: {1A781DED-C22D-4153-3213-A3211E29DF13} (GameDesire Card Games) - http://67.15.101.3/g_bin/pl/cards_2_0_0_72.cab
O17 - HKLM\System\CCS\Services\Tcpip…{56830C5B-F382-43C2-AFBF-70BF881FC0DA}: NameServer = 81.219.24.1,81.219.24.221
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Trust\Trust keyboard utility\1.1\nhksrv.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"Silent Runners.vbs", revision 49, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"Norton SystemWorks" = ""C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz" ["Symantec Corporation"]
"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu S.A."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"nod32kui" = ""C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE" ["Eset "]
"FLMOFFICEKEYBOARD" = "C:\Program Files\Trust\Trust keyboard utility\1.1\OFFICEKB.exe" [empty string]
"SoundMAXPnP" = "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" ["Analog Devices, Inc."]
"SoundMAX" = ""C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray" ["Analog Devices, Inc."]
"Zone Labs Client" = ""C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"" ["Zone Labs, LLC"]
"jv16PT - Privacy Protector" = "C:\Program Files\jv16 PowerTools 2006\jv16PT.exe -ExecTask "C:\Program Files\jv16 PowerTools 2006\Tasks_PrivacyProtector\Task.jvb"" ["Macecraft Software"]
"AtiPTA" = "atiptaxx.exe" ["ATI Technologies, Inc."]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  - {HKLM…CLSID} = "Adobe PDF Reader Link Helper"
                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
  - {HKLM…CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
  - {HKLM…CLSID} = "SSVHelper Class"
                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  - {HKLM…CLSID} = "HyperTerminal Icon Ext"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  - {HKLM…CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{B089FE88-FB52-11D3-BDF1-0050DA34150D}" = "NOD32 Context Menu Shell Extension"
  - {HKLM…CLSID} = "NOD32 Context Menu Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
  - {HKLM…CLSID} = "Portable Media Devices Menu"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
  - {HKLM…CLSID} = "Microsoft Office Outlook"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
  - {HKLM…CLSID} = "Rozszerzenie ikon plików programu Outlook"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  - {HKLM…CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\Software\Classes\PROTOCOLS\Filter\
text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
  - {HKLM…CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
  - {HKLM…CLSID} = "PDF Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"
  - {HKLM…CLSID} = "NOD32 Context Menu Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  - {HKLM…CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  - {HKLM…CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"
  - {HKLM…CLSID} = "NOD32 Context Menu Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  - {HKLM…CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "%APPDATA%\IrfanView\IrfanView_Wallpaper.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\M_M_M\Dane aplikacji\IrfanView\IrfanView_Wallpaper.bmp"

Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\logon.scr" [MS]

Enabled Scheduled Tasks:
------------------------

"AppleSoftwareUpdate" - launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -Task" ["Apple Computer, Inc."]
"Norton SystemWorks One Button Checkup" - launches: "C:\Program Files\Norton SystemWorks\OBC.exe /CUSTOM /SCHEDULE /AUTO" ["Symantec Corporation"]
"Symantec Drmc" - launches: "C:\Program Files\Common Files\Symantec Shared\SymDrmc.exe /CUSTOM /SCHEDULE" ["Symantec Corporation"]
"Symantec NetDetect" - launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\WINDOWS\system32\imon.dll ["Eset "], 01 - 05, 11
%SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 12 - 17
%SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10

Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "Badanie"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC}"
  - {HKCU…CLSID} = "Java Plug-in 1.5.0_11"
                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll" ["Sun Microsystems, Inc."]
  - {HKLM…CLSID} = "Java Plug-in 1.5.0_11"
                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll" ["Sun Microsystems, Inc."]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Badanie"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]
Netropa NHK Server, nhksrv, "C:\Program Files\Trust\Trust keyboard utility\1.1\nhksrv.exe" [null data]
NOD32 Kernel Service, NOD32krn, ""C:\Program Files\Eset\nod32krn.exe"" ["Eset "]
SoundMAX Agent Service, SoundMAX Agent Service (default), "C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe" ["Analog Devices, Inc."]
Speed Disk service, Speed Disk service, "C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE" ["Symantec Corporation"]
Symantec Core LC, Symantec Core LC, "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs, LLC"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]

Keyboard Driver Filters:
------------------------

HKLM\System\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\
"UpperFilters" = "msikbd2k" ["Netropa Corporation"]

Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
hpzlnt04\Driver = "hpzlnt04.dll" ["HP"]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]

----------
: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with
  the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
  took 21 seconds.
---------- (total run time: 90 seconds)
ComboScan
ComboScan v20070226.18 run by M_M_M on 2007-03-02 at 18:38:04
Supplementary logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information -----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: Polish

CPU 0: Intel® Celeron® CPU 2.00GHz
Percentage of Memory in Use: 71%
Physical Memory (total/avail): 510.73 MiB / 144.23 MiB
Pagefile Memory (total/avail): 1249.38 MiB / 940.25 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1997.74 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 9.77 GiB total, 2.03 GiB free.
D: is Fixed (FAT32) - 29.28 GiB total, 6.66 GiB free.
E: is Fixed (NTFS) - 35.46 GiB total, 30.32 GiB free.
F: is CDROM (No Media)

-- Security Center --------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is disabled.

-- Environment Variables --------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\M_M_M\Dane aplikacji
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_10\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=ST220
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\M_M_M
LOGONSERVER=\\ST220
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_10\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\M_M_M\USTAWI~1\Temp
TMP=C:\DOCUME~1\M_M_M\USTAWI~1\Temp
tvdumpflags=8
USERDOMAIN=ST220
USERNAME=M_M_M
USERPROFILE=C:\Documents and Settings\M_M_M
windir=C:\WINDOWS

-- User Profiles ----------------------------------------------------------------

M_M_M (admin)

-- Add/Remove Programs ----------------------------------------------------------

 -- rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
3DMark03 -- RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FF35F637-72B9-43BE-A281-06EB2854393A}\Setup.exe" -l0x9
Ad-Aware SE Personal -- C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Flash Player 9 ActiveX -- C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Reader 7.0.8 -- MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}
ALLPlayer V2.3.1 -- "C:\Program Files\MarBit\ALLPlayer\unins000.exe"
Apple Software Update -- MsiExec.exe /I{A50C25D7-62E9-4511-AD70-8E2DA5E79B7D}
Archiwizator WinRAR -- C:\Program Files\WinRAR\uninstall.exe
ATI Display Driver (Omega 3.8.252) -- rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
ATITool Overclocking Utility -- "C:\Program Files\ATITool\Uninstall.exe"
ccCommon -- MsiExec.exe /I{DC367608-64A7-4BF7-92F4-8BAA25BA02DB}
eMule -- "C:\Program Files\eMule\Uninstall.exe"
EVEREST Home Edition v2.20 -- "C:\Program Files\Identyfikacja\EVEREST Home Edition\unins000.exe"
Gadu-Gadu 7.6 -- C:\Program Files\Gadu-Gadu\Setup.exe
GEAR 32bit Driver Installer -- MsiExec.exe /X{E89B484C-B913-49A0-959B-89E836001658}
GryOnline.wp.pl -- C:\PROGRA~1\ONLINE~1\UNWISE.EXE C:\PROGRA~1\ONLINE~1\INSTALL.LOG
HijackThis 1.99.1 -- D:\Michał_pliki\System_rec\hijackthis\HijackThis.exe /uninstall
hp deskjet 930c series (Tylko usuń) -- C:\Program Files\hp deskjet 930c series\hpfiui.exe -c -vdivid=HPF -vpnum=95 -vinstport= -vproduct=930c -huninstall
IrfanView (remove only) -- C:\Program Files\IrfanView\iv_uninstall.exe
J2SE Runtime Environment 5.0 Update 11 -- MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
jv16 PowerTools 2006 -- "C:\Program Files\jv16 PowerTools 2006\unins000.exe"
K-Lite Codec Pack 2.80 Full -- "C:\Program Files\K-Lite Codec Pack\unins000.exe"
LiveReg (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\LiveReg\VcSetup.exe /REMOVE
LiveUpdate 2.5 (Symantec Corporation) -- C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Marvell Miniport Driver -- MsiExec.exe /X{C950420B-4182-49EA-850A-A6A2ABF06C6B}
Microsoft Office Professional Edition 2003 -- MsiExec.exe /I{90110415-6000-11D3-8CFE-0150048383C9}
Mozilla Firefox (2.0.0.2) -- C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSRedist -- MsiExec.exe /I{D1725BDB-BA2B-4503-A8CB-F5C835D743FA}
MultiRes (remove only) -- C:\Program Files\MultiRes\uninstal.exe
Nero - Burning Rom -- MsiExec.exe /X{A4D7B764-4140-11D4-88EB-0050DA3579C0}
NOD32 antivirus system -- C:\Program Files\Eset\Setup\setup.exe /UNINSTALL
NOD32 FiX v2.1 -- "C:\Program Files\Eset\unins000.exe"
Norton CleanSweep -- MsiExec.exe /I{634B01DF-A45B-4623-80E1-E15FF82A4979}
Norton SystemWorks -- MsiExec.exe /I{9E23C48E-5483-4971-BA50-089F2FABCD66}
Norton SystemWorks 2005 (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SymSetup\{71E7B3F5-CFAF-4C1E-B494-528E28707937}.exe /X
Norton Utilities -- MsiExec.exe /I{6A7867BA-B7CA-4CC9-ACAB-85BA46865EE5}
NSW_DRM_COLLECTION -- MsiExec.exe /I{900B1884-2D6F-4a70-A3C7-C3F4DA873FDB}
QuickTime -- MsiExec.exe /I{F07B861C-72B9-40A4-8B1A-AAED4C06A7E8}
Radeon Omega Drivers v3.8.252 Setup Files and Tools -- "C:\WINDOWS\Radeon Omega Drivers v3.8.252 Uninstall.exe" "/U:C:\Program Files\Radeon Omega Drivers\v3.8.252\Omega Uninstall.xml"
Real Alternative 1.51 -- "C:\Program Files\Real Alternative\unins000.exe"
Skaner Online -- C:\WINDOWS\system32\ArcaOnlineUninstall.exe
Skype 3.0 -- "C:\Program Files\Skype\Phone\unins000.exe"
Skype Plugin Manager -- MsiExec.exe /I{3D5E5C0A-5B36-4F98-99A7-287F7DBDCE03}
SoundMAX -- RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\Setup.exe"
SpeedFan (remove only) -- "C:\Program Files\SpeedFan\uninstall.exe"
Spybot - Search Destroy 1.4 -- "C:\Program Files\Spybot - Search Destroy\unins000.exe"
Trust keyboard utility 1.1 -- C:\Program Files\Trust\Trust keyboard utility\1.1\uninst00.exe
Virtual Machine Network Services Driver -- MsiExec.exe /I{A1795AC0-9B6A-40D9-8E07-A82662268D9F}
Winamp (remove only) -- "C:\Program Files\Winamp\UninstWA.exe"
ZoneAlarm -- C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe

-- End of ComboScan: finished at 2007-03-02 at 18:39:04 -------------------------
ComboScan v20070226.18 run by M_M_M on 2007-03-02 at 18:38:04
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Successfully created restore point.
Performed disk cleanup.

-- HijackThis (run as M_M_M.exe) ------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 18:38:20, on 2007-03-02
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Trust\Trust keyboard utility\1.1\nhksrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Trust\Trust keyboard utility\1.1\OFFICEKB.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trust\Trust keyboard utility\1.1\MMKEYB.EXE
C:\Program Files\Trust\Trust keyboard utility\1.1\TrayMon.exe
C:\Program Files\Trust\Trust keyboard utility\1.1\osd.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\Michał_pliki\System_rec\Nowe\Combocsan\comboscan.exe
D:\MICHAŁ~1\SYSTEM~1\HIJACK~1\M_M_M.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wp.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM…\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM…\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM…\Run: [FLMOFFICEKEYBOARD] C:\Program Files\Trust\Trust keyboard utility\1.1\OFFICEKB.exe
O4 - HKLM…\Run: [soundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM…\Run: [soundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM…\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM…\Run: [jv16PT - Privacy Protector] C:\Program Files\jv16 PowerTools 2006\jv16PT.exe -ExecTask "C:\Program Files\jv16 PowerTools 2006\Tasks_PrivacyProtector\Task.jvb"
O4 - HKLM…\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM…\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU…\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU…\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O8 - Extra context menu item: Eksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1A781DED-C22D-4153-3213-A3211E29DF13} (GameDesire Card Games) - http://67.15.101.3/g_bin/pl/cards_2_0_0_72.cab
O17 - HKLM\System\CCS\Services\Tcpip…{56830C5B-F382-43C2-AFBF-70BF881FC0DA}: NameServer = 81.219.24.1,81.219.24.221
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Trust\Trust keyboard utility\1.1\nhksrv.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

-- HijackThis Fixed Entries (D:\MICHAŁ~1\SYSTEM~1\HIJACK~1\backups) ------------

backup-20070111-130726-943 O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
backup-20070111-131126-772 O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll (file missing)

-- File Associations ------------------------------------------------------------

.bat - batfile - "%1" %*
.chm - chm.file - "C:\WINDOWS\hh.exe" %1
.cmd - cmdfile - "%1" %*
.com - comfile - "%1" %*
.exe - exefile - "%1" %*
.hlp - hlpfile - %SystemRoot%\System32\winhlp32.exe %1
.inf - inffile - %SystemRoot%\System32\NOTEPAD.EXE %1
.ini - inifile - %SystemRoot%\System32\NOTEPAD.EXE %1
.js - JSFile - %SystemRoot%\System32\WScript.exe "%1" %*
.lnk - lnkfile - {00021401-0000-0000-C000-000000000046}
.pif - piffile - "%1" %*
.reg - regfile - regedit.exe "%1"
.scr - scrfile - "%1" /S
.txt - txtfile - %SystemRoot%\system32\NOTEPAD.EXE %1
.vbs - VBSFile - %SystemRoot%\System32\WScript.exe "%1" %*

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ----------------------

3R aeaudio - C:\WINDOWS\system32\drivers\aeaudio.sys
2R AMON - C:\WINDOWS\system32\drivers\amon.sys
3S ASUSHWIO - C:\WINDOWS\system32\drivers\ASUSHWIO.sys (not found)
3R ati2mtag - C:\WINDOWS\system32\drivers\ati2mtag.sys
1R ATITool (ATITool Overclocking Utility) - C:\WINDOWS\system32\drivers\ATITool.sys
1R atitray - C:\Program Files\Radeon Omega Drivers\v3.8.252\ATI Tray Tools\atitray.sys
3R EL2000 (3Com 3C2000x EtherLink XL Adapter) - C:\WINDOWS\system32\drivers\EL2K_XP.sys
3S EL98x (3Com EtherLink 10/100 PCI) - C:\WINDOWS\system32\drivers\el98xn5.sys
3S ENTECH - C:\WINDOWS\system32\drivers\Entech.sys
3R GEARAspiWDM - C:\WINDOWS\system32\drivers\GEARAspiWDM.sys
0R giveio - C:\WINDOWS\system32\giveio.sys
3R HidUsb (Sterownik Microsoft klasy HID) - C:\WINDOWS\system32\drivers\hidusb.sys
1R intelppm (Sterownik procesora Intel) - C:\WINDOWS\system32\drivers\intelppm.sys
3S MidiSyn - C:\WINDOWS\system32\drivers\MidiSyn.sys
3R mouhid (Sterownik myszy HID) - C:\WINDOWS\system32\drivers\mouhid.sys
1R msikbd2k (Multimedia Keyboard Filter Driver) - C:\WINDOWS\system32\drivers\msikbd2k.sys
1R nod32drv - C:\WINDOWS\system32\drivers\nod32drv.sys
0R PxHelp20 - C:\WINDOWS\system32\drivers\PxHelp20.sys
3S SDdriver - C:\WINDOWS\system32\drivers\SdDriver.SYS
3R smwdm - C:\WINDOWS\system32\drivers\smwdm.sys
0R speedfan - C:\WINDOWS\system32\speedfan.sys
0R srescan - C:\WINDOWS\system32\ZoneLabs\srescan.sys
3S SymEvent - C:\Program Files\Symantec\SYMEVENT.SYS
2R symlcbrd - C:\WINDOWS\system32\drivers\symlcbrd.sys
3S tap0801 (TAP-Win32 Adapter V8) - C:\WINDOWS\system32\drivers\tap0801.sys
3R usbehci (Sterownik Miniport rozszerzonego kontrolera hosta USB 2.0 Microsoft) - C:\WINDOWS\system32\drivers\usbehci.sys
3S USBSTOR (Sterownik magazynu masowego USB) - C:\WINDOWS\system32\drivers\USBSTOR.SYS
3R VPCNetS2 (Virtual Machine Network Services Driver) - C:\WINDOWS\system32\drivers\VMNetSrv.sys
1R vsdatant - C:\WINDOWS\system32\vsdatant.sys
1R WS2IFSL (Środowisko wspomagające dostawcę usług innych niż IFS - Windows Socket 2.0) - C:\WINDOWS\system32\drivers\ws2ifsl.sys

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

2R Ati HotKey Poller - C:\WINDOWS\system32\Ati2evxx.exe
2S ATI Smart - C:\WINDOWS\system32\ati2sgag.exe
2R ccEvtMgr (Symantec Event Manager) - "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
3S ccPwdSvc (Symantec Password Validation) - "C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe"
2R ccSetMgr (Symantec Settings Manager) - "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
3S IDriverT (InstallDriver Table Manager) - "C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe"
2R nhksrv (Netropa NHK Server) - C:\Program Files\Trust\Trust keyboard utility\1.1\nhksrv.exe
2R NOD32krn (NOD32 Kernel Service) - "C:\Program Files\Eset\nod32krn.exe"
3S ose (Office Source Engine) - "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
2R SoundMAX Agent Service (default) (SoundMAX Agent Service) - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
2R Speed Disk service - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
2R Symantec Core LC - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
2R UMWdf (Windows User Mode Driver Framework) - C:\WINDOWS\system32\wdfmgr.exe
2R vsmon (TrueVector Internet Monitor) - C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service

-- Scheduled Tasks --------------------------------------------------------------

2007-03-02 11:54:24 366 --a------ C:\WINDOWS\Tasks\Symantec NetDetect.job
2007-03-02 00:00:00 308 --a------ C:\WINDOWS\Tasks\Symantec Drmc.job
2007-02-26 12:01:10 292 --a------ C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job
2007-01-28 15:45:00 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

-- Files created between 2007-02-02 and 2007-03-02 ------------------------------

2007-02-25 12:55:48 0 d-------- C:\Program Files\Online Games
2007-02-25 12:35:32 0 d-------- C:\Program Files\GinCards
2007-02-25 12:19:06 0 d-------- C:\Program Files\Common Files\Java
2007-02-23 21:29:08 0 d-------- C:\Program Files\Media Player Classic
2007-02-23 21:29:06 0 d-------- C:\Program Files\Real Alternative
2007-02-22 11:47:32 0 d-------- C:\Program Files\VMNetSrv
2007-02-22 11:46:58 0 d-------- C:\Program Files\Steganos Internet Anonym VPN
2007-02-20 19:11:20 0 d-------- C:\Program Files\Common Files\Skype
2007-02-20 19:10:56 0 d-------- C:\Program Files\Skype
2007-02-15 18:48:14 26624 --a------ C:\WINDOWS\system32\drivers\tap0801.sys
2007-02-13 14:05:22 0 d-------- C:\Program Files\jv16 PowerTools 2006 2007-02-06 23:59:06 0 d-------- C:\Program Files\Temp 2007-02-06 23:59:06 0 d-------- C:\Program Files\GinMarbles 2007-02-06 23:59:06 0 d-------- C:\Program Files\Common 2007-02-06 23:59:06 0 d-------- C:\Program Files\Adv 2007-02-05 11:44:39 0 d-------- C:\Program Files\ATITool 2007-02-05 11:31:39 516096 -----n— C:\WINDOWS\system32\ati2sgag.exe 2007-02-05 11:26:59 0 d-------- C:\Program Files\MultiRes 2007-02-05 11:25:36 0 d-------- C:\Program Files\Radeon Omega Drivers 2007-02-05 11:23:10 0 d-------- C:\Program Files\Grafika-Stery – Find3M Report ---------------------------------------------------------------- 2007-03-02 18:30:30 0 d-------- C:\Program Files\SpeedFan 2007-03-02 16:08:46 0 d-------- C:\Program Files\GanymedeNet 2007-03-02 13:55:02 0 d-------- C:\Program Files\Mozilla Firefox 2007-02-25 12:22:32 0 d-------- C:\Program Files\Java 2007-02-24 23:15:58 0 d-------- C:\Documents and Settings\M_M_M\Dane aplikacji\Skype 2007-02-23 21:29:06 0 d-------- C:\Documents and Settings\M_M_M\Dane aplikacji\Real 2007-02-23 13:24:05 0 d-------- C:\Program Files\Norton SystemWorks 2007-02-22 11:47:29 0 d-------- C:\Documents and Settings\M_M_M\Dane aplikacji\Steganos VPN 2007-02-15 19:35:02 5409 --a------ C:\WINDOWS\mozver.dat 2007-02-13 14:03:41 41 --a------ C:\WINDOWS\system32\ddff4_s.dll 2007-02-09 14:18:15 0 d-------- C:\Program Files\eMule 2007-02-05 11:42:46 0 d-------- C:\Documents and Settings\M_M_M\Dane aplikacji\atitray 2007-02-05 11:16:49 0 d–h----- C:\Program Files\InstallShield Installation Information 2007-02-05 11:16:49 0 d-------- C:\Program Files\ATI Technologies 2007-01-30 15:30:08 0 d-------- C:\Program Files\3DMark03 2007-01-30 15:21:02 0 d-------- C:\Program Files\Common Files\InstallShield 2007-01-29 11:22:46 0 d-------- C:\Documents and Settings\M_M_M\Dane aplikacji\BinarySense 2007-01-28 15:48:27 0 d-------- C:\Program Files\QuickTime 2007-01-26 14:32:42 0 d-------- 
C:\Program Files\ASUS 2007-01-22 12:52:32 0 d-------- C:\Program Files\Microsoft Works 2007-01-18 20:52:08 0 d—s---- C:\Documents and Settings\M_M_M\Dane aplikacji\Microsoft 2007-01-16 12:06:27 155648 --a------ C:\WINDOWS\system32\xvidvfw.dll 2007-01-16 12:06:24 679936 --a------ C:\WINDOWS\system32\xvidcore.dll 2007-01-16 12:06:13 626688 --a------ C:\WINDOWS\system32\xvid.dll 2007-01-11 13:00:14 30208 --a------ C:\WINDOWS\system32\0133752ld.exe013375~1.EXE 2007-01-11 12:50:10 30208 --a------ C:\WINDOWS\system32\5091402ld.exe509140~1.EXE 2007-01-10 17:30:15 13140 --a------ C:\WINDOWS\system32\3015622ld.exe301562~1.EXE 2007-01-10 16:44:13 20440 --a------ C:\WINDOWS\system32\43224062ld.exe432240~1.EXE 2007-01-10 13:42:55 20440 --a------ C:\WINDOWS\system32\42533432ld.exe425334~1.EXE 2007-01-10 13:32:29 21900 --a------ C:\WINDOWS\system32\32284212ld.exe322842~1.EXE 2007-01-10 13:22:21 30208 --a------ C:\WINDOWS\system32\2265462ld.exe226546~1.EXE 2007-01-09 18:18:00 30208 --a------ C:\WINDOWS\system32\17595152ld.exe175951~1.EXE 2007-01-09 18:07:47 30208 --a------ C:\WINDOWS\system32\7463592ld.exe746359~1.EXE 2007-01-09 17:57:33 30208 --a------ C:\WINDOWS\system32\57306402ld.exe573064~1.EXE 2007-01-09 17:47:17 30208 --a------ C:\WINDOWS\system32\47109682ld.exe471096~1.EXE 2007-01-09 17:36:56 30208 --a------ C:\WINDOWS\system32\36545462ld.exe365454~1.EXE 2007-01-09 17:26:40 30208 --a------ C:\WINDOWS\system32\26381712ld.exe263817~1.EXE 2007-01-09 16:00:49 30208 --a------ C:\WINDOWS\system32\0486092ld.exe048609~1.EXE 2007-01-09 15:18:16 30208 --a------ C:\WINDOWS\system32\18152032ld.exe181520~1.EXE 2007-01-09 15:07:37 30208 --a------ C:\WINDOWS\system32\7369842ld.exe736984~1.EXE 2007-01-09 14:56:59 30208 --a------ C:\WINDOWS\system32\56589062ld.exe565890~1.EXE 2007-01-06 18:39:08 0 d-------- C:\Documents and Settings\M_M_M\Dane aplikacji\IrfanView 2007-01-06 12:58:05 30208 --a------ C:\WINDOWS\system32\5831402ld.exe583140~1.EXE 2007-01-06 12:47:51 30208 --a------ 
C:\WINDOWS\system32\4749152ld.exe474915~1.EXE 2007-01-06 12:37:31 30208 --a------ C:\WINDOWS\system32\37285932ld.exe372859~1.EXE 2007-01-06 12:05:00 30208 --a------ C:\WINDOWS\system32\4557502ld.exe455750~1.EXE 2007-01-06 11:53:44 30208 --a------ C:\WINDOWS\system32\53426402ld.exe534264~1.EXE 2007-01-05 23:07:17 30208 --a------ C:\WINDOWS\system32\716622ld.exe 2007-01-05 22:55:43 30208 --a------ C:\WINDOWS\system32\55421402ld.exe554214~1.EXE 2007-01-05 22:42:34 30208 --a------ C:\WINDOWS\system32\42324532ld.exe423245~1.EXE 2007-01-05 22:26:19 30208 --a------ C:\WINDOWS\system32\26184682ld.exe261846~1.EXE 2007-01-05 22:15:43 30208 --a------ C:\WINDOWS\system32\15417182ld.exe154171~1.EXE 2007-01-05 22:04:30 30208 --a------ C:\WINDOWS\system32\429622ld.exe 2007-01-05 21:52:01 30208 --a------ C:\WINDOWS\system32\5201872ld.exe520187~1.EXE 2007-01-05 20:58:15 30208 --a------ C:\WINDOWS\system32\58143122ld.exe581431~1.EXE 2007-01-05 20:47:34 30208 --a------ C:\WINDOWS\system32\47329532ld.exe473295~1.EXE 2007-01-05 20:28:54 30208 --a------ C:\WINDOWS\system32\28497032ld.exe284970~1.EXE 2007-01-05 19:08:23 0 d-------- C:\Program Files\ArcaOnline 2007-01-05 18:35:58 0 d-------- C:\Program Files\hp deskjet 930c series 2007-01-05 18:29:40 0 d-------- C:\Program Files\Hewlett-Packard 2007-01-05 08:30:59 30208 --a------ C:\WINDOWS\system32\30585232ld.exe305852~1.EXE 2007-01-05 08:20:43 30208 --a------ C:\WINDOWS\system32\20423242ld.exe204232~1.EXE 2007-01-05 08:10:26 30208 --a------ C:\WINDOWS\system32\10253432ld.exe102534~1.EXE – Registry Dump ---------------------------------------------------------------- [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run] “CTFMON.EXE”=“C:\WINDOWS\system32\ctfmon.exe” “Norton SystemWorks”="“C:\Program Files\Norton SystemWorks\cfgwiz.exe” /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz" “Gadu-Gadu”="“C:\Program Files\Gadu-Gadu\gg.exe” /tray" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run] 
“ccApp”="“C:\Program Files\Common Files\Symantec Shared\ccApp.exe”" “nod32kui”="“C:\Program Files\Eset\nod32kui.exe” /WAITSERVICE" “FLMOFFICEKEYBOARD”=“C:\Program Files\Trust\Trust keyboard utility\1.1\OFFICEKB.exe” “SoundMAXPnP”=“C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe” “SoundMAX”="“C:\Program Files\Analog Devices\SoundMAX\Smax4.exe” /tray" “Zone Labs Client”="“C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe”" “jv16PT - Privacy Protector”=“C:\Program Files\jv16 PowerTools 2006\jv16PT.exe -ExecTask “C:\Program Files\jv16 PowerTools 2006\Tasks_PrivacyProtector\Task.jvb”” “AtiPTA”=“atiptaxx.exe” “SunJavaUpdateSched”="“C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe”" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL] “Installed”=“1” [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI] “Installed”=“1” “NoChange”=“1” [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS] “Installed”=“1” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVKTray] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“AVKTray” “hkey”=“HKLM” “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“hpztsb04” “hkey”=“HKLM” “command”=“C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe” “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“NeroCheck” “hkey”=“HKLM” “command”=“C:\WINDOWS\system32\NeroCheck.exe” “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] 
“key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“qttask” “hkey”=“HKLM” “command”="“C:\Program Files\QuickTime\qttask.exe” -atboottime" “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“Skype” “hkey”=“HKCU” “command”="“C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized" “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“AdobeUpdateManager” “hkey”=“HKCU” “command”="“C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe” AcRdB7_0_8 -reboot 1" “inimapping”=“0” [HKEY_USERS.default\software\microsoft\windows\currentversion\run] “CTFMON.EXE”=“C:\WINDOWS\system32\CTFMON.EXE” [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run] “CTFMON.EXE”=“C:\WINDOWS\system32\CTFMON.EXE” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders] “SecurityProviders”=“msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll” [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost] HTTPFilter REG_MULTI_SZ HTTPFilter\0\0 LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0 NetworkService REG_MULTI_SZ DnsCache\0\0 DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0 rpcss REG_MULTI_SZ RpcSs\0\0 imgsvc REG_MULTI_SZ StiSvc\0\0 termsvcs REG_MULTI_SZ TermService\0\0 [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{9f787f92-7c6f-11db-810e-000c6e85161e}] Shell\1\Command G:.\RECYCLER\RECYCLER\autorun.exe Shell\2\Command G:.\RECYCLER\RECYCLER\autorun.exe Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\RECYCLER\RECYCLER\autorun.exe [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{d4eaaf5e-815b-11db-8122-000c6e85161e}] Shell\1\Command .\RECYCLER\RECYCLER\autorun.exe Shell\2\Command 
.\RECYCLER\RECYCLER\autorun.exe Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\RECYCLER\RECYCLER\autorun.exe [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{d4eaaf5f-815b-11db-8122-000c6e85161e}] Shell\1\Command .\RECYCLER\RECYCLER\autorun.exe Shell\2\Command .\RECYCLER\RECYCLER\autorun.exe Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\RECYCLER\RECYCLER\autorun.exe [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{d4eaaf61-815b-11db-8122-000c6e85161e}] Shell\1\Command .\RECYCLER\RECYCLER\autorun.exe Shell\2\Command .\RECYCLER\RECYCLER\autorun.exe Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\RECYCLER\RECYCLER\autorun.exe – End of ComboScan: finished at 2007-03-02 at 18:39:04 -------------------------
I would really appreciate help fighting this trojan, or any other junk you notice :-
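A defender-side triage of log lines like the ones in the post above, added here as an example and not part of the thread or of ComboScan itself. It parses ComboScan-style file entries and MountPoints2 handlers from a constructed sample (modelled on the log's format, not a real scan), groups the digit-prefixed `...ld.exe` executables in system32 by size (one dropper rewriting itself under random names tends to leave identical sizes), flags files with PE extensions too small to hold even a DOS header (the 41-byte ddff4_s.dll case), and lists per-volume shell handlers that point into a RECYCLER folder, the removable-media autorun pattern visible in the registry dump. The line formats, regular expressions and thresholds are my assumptions, not ComboScan's documented grammar.

```python
import re
from collections import defaultdict

# Constructed sample in ComboScan "Find3M" / registry-dump style; modelled on the
# thread's log format, not a real scan. Raw string keeps the backslashes literal.
SAMPLE_LOG = r"""
2007-01-11 13:00:14 30208 --a------ C:\WINDOWS\system32\0133752ld.exe
2007-01-10 17:30:15 13140 --a------ C:\WINDOWS\system32\3015622ld.exe
2007-01-09 17:57:33 30208 --a------ C:\WINDOWS\system32\57306402ld.exe
2007-01-16 12:06:13 626688 --a------ C:\WINDOWS\system32\xvid.dll
2007-02-13 14:03:41 41 --a------ C:\WINDOWS\system32\ddff4_s.dll
2007-02-15 18:48:14 26624 --a------ C:\WINDOWS\system32\drivers\tap0801.sys
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d4eaaf5e-815b-11db-8122-000c6e85161e}]
Shell\1\Command .\RECYCLER\RECYCLER\autorun.exe
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\RECYCLER\RECYCLER\autorun.exe
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9f787f92-7c6f-11db-810e-000c6e85161e}]
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\setup\autorun.exe
"""

# Assumed line shape "date time size attrs path"; attrs is the 9-character flag field.
FILE_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+) (?P<attrs>\S{9}) (?P<path>.+?)\s*$"
)
# Random digit prefix followed by "ld.exe", the naming seen in the thread's system32 files.
DROPPER_NAME = re.compile(r"^\d{5,}ld\.exe$", re.IGNORECASE)
MOUNTPOINT_KEY = re.compile(r"^\[HKCU\\.*\\MountPoints2\\(\{[0-9a-f-]+\})\]$", re.IGNORECASE)
SHELL_CMD = re.compile(r"^Shell\\\S+\\command\s+(?P<cmd>.+)$", re.IGNORECASE)
DOS_HEADER_LEN = 64  # sizeof(IMAGE_DOS_HEADER); a smaller file cannot be a PE image


def parse_file_entries(log_text):
    """Return the file/directory entries as dicts; non-matching lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = FILE_LINE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["size"] = int(entry["size"])
            entries.append(entry)
    return entries


def find_random_named_droppers(entries):
    """Group system32 executables with digit-prefixed 'ld.exe' names by file size."""
    by_size = defaultdict(list)
    for e in entries:
        folder, _, name = e["path"].rpartition("\\")
        if folder.lower().endswith("\\system32") and DROPPER_NAME.match(name):
            by_size[e["size"]].append(e["path"])
    return dict(by_size)


def find_undersized_pe(entries):
    """Files with a PE extension smaller than a DOS header cannot be valid images."""
    return [e["path"] for e in entries
            if e["path"].lower().endswith((".dll", ".exe", ".sys"))
            and e["size"] < DOS_HEADER_LEN]


def find_recycler_autorun_handlers(log_text):
    """Per-volume shell handlers whose command lives under a RECYCLER folder."""
    findings = []
    current_guid = None
    for line in log_text.splitlines():
        line = line.strip()
        key = MOUNTPOINT_KEY.match(line)
        if key:
            current_guid = key.group(1)
            continue
        cmd = SHELL_CMD.match(line)
        if cmd and current_guid and "\\recycler\\" in cmd.group("cmd").lower():
            findings.append((current_guid, cmd.group("cmd")))
    return findings


def triage(log_text):
    """Run all three checks and return one report dict."""
    entries = parse_file_entries(log_text)
    return {
        "droppers_by_size": find_random_named_droppers(entries),
        "undersized_pe": find_undersized_pe(entries),
        "recycler_autorun": find_recycler_autorun_handlers(log_text),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for size, paths in sorted(report["droppers_by_size"].items()):
        print(f"{len(paths)} random-named system32 EXE(s) of {size} bytes:")
        for p in paths:
            print("   ", p)
    for p in report["undersized_pe"]:
        print("PE-named file too small to be a valid image:", p)
    for guid, cmd in report["recycler_autorun"]:
        print("MountPoints2", guid, "runs from RECYCLER:", cmd)
```

On the sample the 30208-byte pair is reported together, the 41-byte DLL is flagged on size alone (no scanner verdict needed), and only the volume whose handlers point into RECYCLER is listed; the `.\setup\autorun.exe` handler is left for manual review because a relative autorun path on its own is also what a legitimate installer CD leaves behind.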
adam9870
(adam9870)
4 March 2007 10:22
#2
Open Notepad and paste this into it:
File >>> Save as >>> change the file type from TXT to All files >>> save it under the name FIX.BAT
Download Gmer.
In Gmer, on the Processes tab, choose Gmer safe mode (Gmer awaryjny). The computer will restart and you will be asked whether you want to kill all processes, which of course you agree to. Then, on the Processes tab, use the … (three dots) button to point at the FIX.BAT file. After a moment the screen will flash and the computer will restart.
Scan the file C:\WINDOWS\system32\ddff4_s.dll at http://www.virustotal.com/ and, if it turns out to be malicious, delete it manually.
Empty the Recycle Bin.
Once that is done, post a new ComboScan log.
CyraX_X
(Jinx83)
4 March 2007 11:46
#3
I was not asked whether I want to kill all processes…
There were 4 of them left in safe mode
system idle
system
C:\windows\system32\csrss.exe
c:\windows\gmer.exe
Those could not be killed because the program, gmer, hung in safe mode.
Done. It threw 3 errors while deleting the files - maybe because, out of boredom, I had already deleted them myself :oops: either way, they should not be there…
Scanned - none of the antiviruses on the site you gave found a virus in that file. I left the file alone.
ComboScan v20070226.18 run by M_M_M on 2007-03-04 at 12:42:24
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- HijackThis (run as M_M_M.exe) ------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 12:42:28, on 2007-03-04
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Trust\Trust keyboard utility\1.1\nhksrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Trust\Trust keyboard utility\1.1\OFFICEKB.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trust\Trust keyboard utility\1.1\MMKEYB.EXE
C:\Program Files\Trust\Trust keyboard utility\1.1\TrayMon.exe
C:\Program Files\Trust\Trust keyboard utility\1.1\osd.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\Michał_pliki\System_rec\Nowe\Combocsan\comboscan.exe
D:\MICHAŁ~1\SYSTEM~1\HIJACK~1\M_M_M.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wp.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [FLMOFFICEKEYBOARD] C:\Program Files\Trust\Trust keyboard utility\1.1\OFFICEKB.exe
O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [soundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [jv16PT - Privacy Protector] C:\Program Files\jv16 PowerTools 2006\jv16PT.exe -ExecTask "C:\Program Files\jv16 PowerTools 2006\Tasks_PrivacyProtector\Task.jvb"
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.pl/resources/virus … nicode.cab
O16 - DPF: {1A781DED-C22D-4153-3213-A3211E29DF13} (GameDesire Card Games) - http://67.15.101.3/g_bin/pl/cards_2_0_0_72.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{56830C5B-F382-43C2-AFBF-70BF881FC0DA}: NameServer = 81.219.24.1,81.219.24.221
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Trust\Trust keyboard utility\1.1\nhksrv.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

-- Files created between 2007-02-04 and 2007-03-04 ------------------------------

2007-03-04 12:18:17 1782 --a------ C:\fix.bat
2007-03-04 09:22:31 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-03-02 18:49:55 154 --a------ C:\WINDOWS\system32\imon1.dat
2007-03-02 18:41:27 80 --a------ C:\WINDOWS\gmer_uninstall.cmd
2007-02-25 12:55:48 0 d-------- C:\Program Files\Online Games
2007-02-25 12:35:32 0 d-------- C:\Program Files\GinCards
2007-02-25 12:19:06 0 d-------- C:\Program Files\Common Files\Java
2007-02-23 21:29:08 0 d-------- C:\Program Files\Media Player Classic
2007-02-23 21:29:06 0 d-------- C:\Program Files\Real Alternative
2007-02-22 11:47:32 0 d-------- C:\Program Files\VMNetSrv
2007-02-22 11:46:58 0 d-------- C:\Program Files\Steganos Internet Anonym VPN
2007-02-20 19:11:20 0 d-------- C:\Program Files\Common Files\Skype
2007-02-20 19:10:56 0 d-------- C:\Program Files\Skype
2007-02-15 18:48:14 26624 --a------ C:\WINDOWS\system32\drivers\tap0801.sys
2007-02-13 14:05:22 0 d-------- C:\Program Files\jv16 PowerTools 2006
2007-02-06 23:59:06 0 d-------- C:\Program Files\Temp
2007-02-06 23:59:06 0 d-------- C:\Program Files\GinMarbles
2007-02-06 23:59:06 0 d-------- C:\Program Files\Common
2007-02-06 23:59:06 0 d-------- C:\Program Files\Adv
2007-02-05 11:44:39 0 d-------- C:\Program Files\ATITool
2007-02-05 11:31:39 516096 -----n--- C:\WINDOWS\system32\ati2sgag.exe
2007-02-05 11:26:59 0 d-------- C:\Program Files\MultiRes
2007-02-05 11:25:36 0 d-------- C:\Program Files\Radeon Omega Drivers
2007-02-05 11:23:10 0 d-------- C:\Program Files\Grafika-Stery

-- Find3M Report ----------------------------------------------------------------

2007-03-03 19:17:11 0 d-------- C:\Program Files\GanymedeNet
2007-03-02 20:09:09 0 d-------- C:\Program Files\SpeedFan
2007-03-02 13:55:02 0 d-------- C:\Program Files\Mozilla Firefox
2007-02-25 12:22:32 0 d-------- C:\Program Files\Java
2007-02-24 23:15:58 0 d-------- C:\Documents and Settings\M_M_M\Dane aplikacji\Skype
2007-02-23 21:29:06 0 d-------- C:\Documents and Settings\M_M_M\Dane aplikacji\Real
2007-02-23 13:24:05 0 d-------- C:\Program Files\Norton SystemWorks
2007-02-22 11:47:29 0 d-------- C:\Documents and Settings\M_M_M\Dane aplikacji\Steganos VPN
2007-02-15 19:35:02 5409 --a------ C:\WINDOWS\mozver.dat
2007-02-13 14:03:41 41 --a------ C:\WINDOWS\system32\ddff4_s.dll
2007-02-09 14:18:15 0 d-------- C:\Program Files\eMule
2007-02-05 11:42:46 0 d-------- C:\Documents and Settings\M_M_M\Dane aplikacji\atitray
2007-02-05 11:16:49 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-02-05 11:16:49 0 d-------- C:\Program Files\ATI Technologies
2007-01-30 15:30:08 0 d-------- C:\Program Files\3DMark03
2007-01-30 15:21:02 0 d-------- C:\Program Files\Common Files\InstallShield
2007-01-29 11:22:46 0 d-------- C:\Documents and Settings\M_M_M\Dane aplikacji\BinarySense
2007-01-28 15:48:27 0 d-------- C:\Program Files\QuickTime
2007-01-26 14:32:42 0 d-------- C:\Program Files\ASUS
2007-01-22 12:52:32 0 d-------- C:\Program Files\Microsoft Works
2007-01-18 20:52:08 0 d---s---- C:\Documents and Settings\M_M_M\Dane aplikacji\Microsoft
2007-01-16 12:06:27 155648 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-01-16 12:06:24 679936 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-01-16 12:06:13 626688 --a------ C:\WINDOWS\system32\xvid.dll
2007-01-06 18:39:08 0 d-------- C:\Documents and Settings\M_M_M\Dane aplikacji\IrfanView
2007-01-05 19:08:23 0 d-------- C:\Program Files\ArcaOnline
2007-01-05 18:35:58 0 d-------- C:\Program Files\hp deskjet 930c series
2007-01-05 18:29:40 0 d-------- C:\Program Files\Hewlett-Packard

-- Registry Dump ----------------------------------------------------------------

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe"
"Norton SystemWorks"="\"C:\Program Files\Norton SystemWorks\cfgwiz.exe\" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz"
"Gadu-Gadu"="\"C:\Program Files\Gadu-Gadu\gg.exe\" /tray"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ccApp"="\"C:\Program Files\Common Files\Symantec Shared\ccApp.exe\""
"nod32kui"="\"C:\Program Files\Eset\nod32kui.exe\" /WAITSERVICE"
"FLMOFFICEKEYBOARD"="C:\Program Files\Trust\Trust keyboard utility\1.1\OFFICEKB.exe"
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe"
"SoundMAX"="\"C:\Program Files\Analog Devices\SoundMAX\Smax4.exe\" /tray"
"Zone Labs Client"="\"C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe\""
"jv16PT - Privacy Protector"="C:\Program Files\jv16 PowerTools 2006\jv16PT.exe -ExecTask \"C:\Program Files\jv16 PowerTools 2006\Tasks_PrivacyProtector\Task.jvb\""
"AtiPTA"="atiptaxx.exe"
"SunJavaUpdateSched"="\"C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVKTray]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="AVKTray"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="hpztsb04"
"hkey"="HKLM"
"command"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\WINDOWS\system32\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\Program Files\QuickTime\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="Skype"
"hkey"="HKCU"
"command"="\"C:\Program Files\Skype\Phone\Skype.exe\" /nosplash /minimized"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="AdobeUpdateManager"
"hkey"="HKCU"
"command"="\"C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe\" AcRdB7_0_8 -reboot 1"
"inimapping"="0"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9f787f92-7c6f-11db-810e-000c6e85161e}]
Shell\1\Command G:.\RECYCLER\RECYCLER\autorun.exe
Shell\2\Command G:.\RECYCLER\RECYCLER\autorun.exe
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\RECYCLER\RECYCLER\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d4eaaf5e-815b-11db-8122-000c6e85161e}]
Shell\1\Command .\RECYCLER\RECYCLER\autorun.exe
Shell\2\Command .\RECYCLER\RECYCLER\autorun.exe
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\RECYCLER\RECYCLER\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d4eaaf5f-815b-11db-8122-000c6e85161e}]
Shell\1\Command .\RECYCLER\RECYCLER\autorun.exe
Shell\2\Command .\RECYCLER\RECYCLER\autorun.exe
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\RECYCLER\RECYCLER\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d4eaaf61-815b-11db-8122-000c6e85161e}]
Shell\1\Command .\RECYCLER\RECYCLER\autorun.exe
Shell\2\Command .\RECYCLER\RECYCLER\autorun.exe
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\RECYCLER\RECYCLER\autorun.exe

-- End of ComboScan: finished at 2007-03-04 at 12:43:03 -------------------------
So :?: will the patient live?
adam9870
(adam9870)
4 March 2007 11:56
#4
It is OK now.
You can delete the cleaning file manually.
That is how it should be. Anyway, I mentioned it in the Gmer description:
(Gmer safe mode is almost the same as the Kill all option, only preceded by a reset because of problems that occur on some computers)
http://forum.dobreprogramy.pl/viewtopic.php?t=101848
BTW. You have two antivirus programs - NOD and Norton. I suggest removing one of them.
CyraX_X
(Jinx83)
4 March 2007 20:20
#5
I did not read the description, but I figured out what it was about.
I read about that somewhere, which is why both my computer and my sister's have Nod + Norton SystemWorks, but without Norton Antivirus 8)
BIG thanks for the help - you are a good specialist
Your middle name should be 'antivirus' - in the best sense of the word