Wirus, ktory sam wysyla emaile


(Tgrzebien) #1

Witam

Od wczoraj ochrona poczty avast wyswietla mi w pasku na dole ze wysylane sa emaile, nie wiem jak usunac tego wirusa... Sprawdzalem roznymi skanerami online, adaware itp ale nic to nie daje, caly czas jest ten problem dlatego wklejam log i prosze o pomoc

hjt

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:49:54, on 2008-01-06

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Boot mode: Normal


Running processes:

C:\windows\System32\smss.exe

C:\windows\system32\winlogon.exe

C:\windows\system32\services.exe

C:\windows\system32\lsass.exe

C:\windows\system32\svchost.exe

C:\windows\System32\svchost.exe

C:\windows\system32\svchost.exe

D:\Ad-Aware 2007\aawservice.exe

d:\Avast4\aswUpdSv.exe

d:\Avast4\ashServ.exe

C:\windows\explorer.exe

C:\Program Files\A4Tech\Mouse\Amoumain.exe

D:\Avast4\ashDisp.exe

D:\NetLimiter\NetLimiter.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

C:\Program Files\Brother\ControlCenter2\brctrcen.exe

D:\BlueSoleil\BtTray.exe

C:\windows\RTHDCPL.EXE

D:\cfoss\cFosSpeed.exe

C:\windows\system32\brsvc01a.exe

C:\windows\system32\brss01a.exe

C:\windows\system32\spoolsv.exe

D:\KLawiaturaMaestro\KMaestro.exe

C:\windows\system32\RUNDLL32.EXE

D:\GreedyTorrent\GTor.exe

C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe

C:\windows\system32\ctfmon.exe

D:\BlueSoleil\BlueSoleilCS.exe

D:\DAEMON Tools Pro\DTProAgent.exe

D:\cfoss\spd.exe

D:\Spybot - Search & Destroy\TeaTimer.exe

D:\Nero\Nero 8\Nero BackItUp\NBService.exe

D:\ATITool\ATITool.exe

C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe

d:\NVIDIA Corporation\nTune\nTuneService.exe

C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe

C:\windows\system32\nvsvc32.exe

d:\Alcohol 120\StarWind\StarWindService.exe

C:\windows\system32\svchost.exe

d:\Avast4\ashMaiSv.exe

d:\Avast4\ashWebSv.exe

D:\BlueSoleil\BsHelpCS.exe

C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\Program Files\uTorrent\uTorrent.exe

d:\gadu-gadu\gg.exe

D:\Winamp\winamp.exe

E:\Clash N Slash\Clash N Slash.exe

C:\Program Files\Mozilla Firefox\firefox.exe

d:\HijackThis\HijackThis.exe


R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

F2 - REG:system.ini: Shell=explorer.exe 

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll

O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - D:\FlashGet\jccatch.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - D:\Real player\rpbrowserrecordplugin.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - d:\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - D:\FlashGet\getflash.dll

O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll

O4 - HKLM\..\Run: [WheelMouse] C:\Program Files\A4Tech\Mouse\Amoumain.exe

O4 - HKLM\..\Run: [avast!] d:\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [NetLimiter] d:\NetLimiter\NetLimiter.exe /s

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe

O4 - HKLM\..\Run: [SetDefPrt] C:\Brother\Brmfl05a\BrStDvPt.exe

O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun

O4 - HKLM\..\Run: [BtTray] "D:\BlueSoleil\BtTray.exe"

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [cFosSpeed] D:\cfoss\cFosSpeed.exe

O4 - HKLM\..\Run: [BtcMaestro] "d:\KLawiaturaMaestro\KMaestro.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\windows\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\windows\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear

O4 - HKCU\..\Run: [Gadu-Gadu] "D:\gadu-gadu\StrongGG.exe"

O4 - HKCU\..\Run: [GreedyTorrent] "d:\GreedyTorrent\GTor.exe" -tray

O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe

O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "D:\DAEMON Tools Pro\DTProAgent.exe"

O4 - HKCU\..\Run: [SpybotSD TeaTimer] d:\Spybot - Search & Destroy\TeaTimer.exe

O4 - Global Startup: ATITool.lnk = D:\ATITool\ATITool.exe

O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe

O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Dane aplikacji\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html

O8 - Extra context menu item: &Ściągnij przy pomocy FlashGet'a - D:\FlashGet\jc_link.htm

O8 - Extra context menu item: &Ściągnij wszystko przy pomocy FlashGet'a - D:\FlashGet\jc_all.htm

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://D:\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: PartyCasino - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - e:\PartyGaming\PartyCasino\RunApp.exe (file missing)

O9 - Extra 'Tools' menuitem: PartyCasino - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - e:\PartyGaming\PartyCasino\RunApp.exe (file missing)

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\FlashGet\FlashGet.exe

O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\FlashGet\FlashGet.exe

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - d:\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - d:\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {070CA17A-4BD2-4612-83B4-32B1B9159B47} (ULiveCtrl Control) - http://uc.sina.com.cn/download/live/weblive2.4.0.0.cab

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.pl/resources/virusscanner/kavwebscan_unicode.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1194620010515

O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1197156251390

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O20 - Winlogon Notify: pmigrate32 - C:\windows\SYSTEM32\pmigrate32.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Ad-Aware 2007\aawservice.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - d:\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - d:\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - d:\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - d:\Avast4\ashWebSv.exe

O23 - Service: BlueSoleilCS - Unknown owner - D:\BlueSoleil\BlueSoleilCS.exe

O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\windows\system32\brsvc01a.exe

O23 - Service: BsHelpCS - Unknown owner - D:\BlueSoleil\BsHelpCS.exe

O23 - Service: cFosSpeed System Service (cFosSpeedS) - cFos Software GmbH - D:\cfoss\spd.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - D:\Nero\Nero 8\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

O23 - Service: nTune Service (nTuneService) - NVIDIA - d:\NVIDIA Corporation\nTune\nTuneService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\system32\nvsvc32.exe

O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - d:\SiSoftware Sandra Professional Business XII\Win32\RpcDataSrv.exe

O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - d:\SiSoftware Sandra Professional Business XII\RpcSandraSrv.exe

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - d:\Alcohol 120\StarWind\StarWindService.exe


--

End of file - 10447 bytes

sr

"Silent Runners.vbs", revision 55, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"NVIDIA nTune" = ""C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear" [file not found]

"Gadu-Gadu" = ""D:\gadu-gadu\StrongGG.exe"" [null data]

"GreedyTorrent" = ""d:\GreedyTorrent\GTor.exe" -tray" [null data]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}" = ""C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"" ["Nero AG"]

"ctfmon.exe" = "C:\windows\system32\ctfmon.exe" [MS]

"DAEMON Tools Pro Agent" = ""D:\DAEMON Tools Pro\DTProAgent.exe"" ["DT Soft Ltd."]

"SpybotSD TeaTimer" = "d:\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"WheelMouse" = "C:\Program Files\A4Tech\Mouse\Amoumain.exe" ["A4Tech Co., Ltd."]

"avast!" = "d:\Avast4\ashDisp.exe" ["ALWIL Software"]

"NetLimiter" = "d:\NetLimiter\NetLimiter.exe /s" ["LockTime"]

"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"" ["Sun Microsystems, Inc."]

"SSBkgdUpdate" = ""C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot" ["Scansoft, Inc."]

"PaperPort PTD" = "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" ["ScanSoft, Inc."]

"IndexSearch" = "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" ["ScanSoft, Inc."]

"SetDefPrt" = "C:\Brother\Brmfl05a\BrStDvPt.exe" ["Brother Industories, Ltd."]

"ControlCenter2.0" = "C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun" ["Brother Industries, Ltd."]

"BtTray" = ""D:\BlueSoleil\BtTray.exe"" [empty string]

"RTHDCPL" = "RTHDCPL.EXE" ["Realtek Semiconductor Corp."]

"Alcmtr" = "ALCMTR.EXE" ["Realtek Semiconductor Corp."]

"cFosSpeed" = "D:\cfoss\cFosSpeed.exe" ["cFos Software GmbH"]

"BtcMaestro" = ""d:\KLawiaturaMaestro\KMaestro.exe"" ["Kmaestro"]

"NvCplDaemon" = "RUNDLL32.EXE C:\windows\system32\NvCpl.dll,NvStartup" [MS]

"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]

"NvMediaCenter" = "RUNDLL32.EXE C:\windows\system32\NvMcTray.dll,NvTaskbarInit" [MS]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

{25CEE8EC-5730-41bc-8B58-22DDC8AB8C20}\(Default) = "Winamp Toolbar BHO"

  -> {HKLM...CLSID} = "Winamp Toolbar BHO"

                   \InProcServer32\(Default) = "C:\Program Files\Winamp Toolbar\winamptb.dll" ["AOL LLC"]

{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}\(Default) = "flashget urlcatch"

  -> {HKLM...CLSID} = "FGCatchUrl"

                   \InProcServer32\(Default) = "D:\FlashGet\jccatch.dll" ["www.flashget.com"]

{3049C3E9-B461-4BC5-8870-4C09146192CA}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "RealPlayer Download and Record Plugin for Internet Explorer"

                   \InProcServer32\(Default) = "D:\Real player\rpbrowserrecordplugin.dll" ["RealPlayer"]

{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "Spybot-S&D IE Protection"

                   \InProcServer32\(Default) = "d:\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "SSVHelper Class"

                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."]

{F156768E-81EF-470C-9057-481BA8380DBA}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "FlashGet GetFlash Class"

                   \InProcServer32\(Default) = "D:\FlashGet\getflash.dll" ["www.flashget.com"]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

                   \InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "d:\WinRAR\rarext.dll" [null data]

"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"

  -> {HKLM...CLSID} = "avast"

                   \InProcServer32\(Default) = "d:\Avast4\ashShell.dll" ["ALWIL Software"]

"{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}" = "PowerISO"

  -> {HKLM...CLSID} = "PowerISO"

                   \InProcServer32\(Default) = "d:\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]

"{97F68CE3-7146-45FF-BE24-D9A7DD7CB8A2}" = "NeroCoverEd Live Icons"

  -> {HKLM...CLSID} = "NeroCoverEdLiveIcons Class"

                   \InProcServer32\(Default) = "D:\Nero\Nero 8\Nero CoverDesigner\CoverEdExtension.dll" ["Nero AG"]

"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"

  -> {HKLM...CLSID} = "Microsoft Office Metadata Handler"

                   \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]

"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"

  -> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"

                   \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]

"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"

  -> {HKLM...CLSID} = "AlcoholShellEx"

                   \InProcServer32\(Default) = "d:\ALCOHO~1\axshlex.dll" ["Alcohol Soft Development Team"]

"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"

  -> {HKLM...CLSID} = "RealOne Player Context Menu Class"

                   \InProcServer32\(Default) = "D:\Real player\rpshell.dll" ["RealNetworks, Inc."]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "D:\Microsoft Office\OFFICE11\msohev.dll" [MS]

"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"

  -> {HKLM...CLSID} = "DesktopContext Class"

                   \InProcServer32\(Default) = "C:\windows\system32\nvcpl.dll" ["NVIDIA Corporation"]

"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"

  -> {HKLM...CLSID} = "NVIDIA CPL Extension"

                   \InProcServer32\(Default) = "C:\windows\system32\nvcpl.dll" ["NVIDIA Corporation"]

"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"

  -> {HKLM...CLSID} = "Desktop Explorer"

                   \InProcServer32\(Default) = "C:\windows\system32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\windows\system32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"

  -> {HKLM...CLSID} = "nView Desktop Context Menu"

                   \InProcServer32\(Default) = "C:\windows\system32\nvshell.dll" ["NVIDIA Corporation"]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\

"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

  -> {HKLM...CLSID} = "WPDShServiceObj Class"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\

<> "BootExecute" = "autocheck autochk *"|"lsdelete" [null data]


HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

<> pmigrate32\DLLName = "pmigrate32.dll" [MS]


HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\

<> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]


HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"

  -> {HKLM...CLSID} = "PDF Shell Extension"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]


HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\

avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"

  -> {HKLM...CLSID} = "avast"

                   \InProcServer32\(Default) = "d:\Avast4\ashShell.dll" ["ALWIL Software"]

Cover Designer\(Default) = "{73FCA462-9BD5-4065-A73F-A8E5F6904EF7}"

  -> {HKLM...CLSID} = "NeroCoverEdContextMenu Class"

                   \InProcServer32\(Default) = "D:\Nero\Nero 8\Nero CoverDesigner\CoverEdExtension.dll" ["Nero AG"]

PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"

  -> {HKLM...CLSID} = "PowerISO"

                   \InProcServer32\(Default) = "d:\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "d:\WinRAR\rarext.dll" [null data]


HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\

PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"

  -> {HKLM...CLSID} = "PowerISO"

                   \InProcServer32\(Default) = "d:\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "d:\WinRAR\rarext.dll" [null data]


HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\

avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"

  -> {HKLM...CLSID} = "avast"

                   \InProcServer32\(Default) = "d:\Avast4\ashShell.dll" ["ALWIL Software"]

PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"

  -> {HKLM...CLSID} = "PowerISO"

                   \InProcServer32\(Default) = "d:\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "d:\WinRAR\rarext.dll" [null data]



Group Policies {GPedit.msc branch and setting}:

-----------------------------------------------


Note: detected settings may not have any effect.


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\


"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}


"undockwithoutlogon" = (REG_DWORD) dword:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Devices: Allow undock without having to log on}



Active Desktop and Wallpaper:

-----------------------------


Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "C:\windows\web\wallpaper\Idylla.bmp"


Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Documents and Settings\Komp\Dane aplikacji\Mozilla\Firefox\Tapeta pulpitu.bmp"



Startup items in "Komp" & "All Users" startup folders:

------------------------------------------------------


C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

"ATITool" -> shortcut to: "D:\ATITool\ATITool.exe -s" ["http://atitool.techpowerup.com"]

"Status Monitor" -> shortcut to: "C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe Brother DCP-115C /STARTUP" ["Brother Industries, Ltd."]



Enabled Scheduled Tasks:

------------------------


"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -task" ["Apple Inc."]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


Transport Service Providers


HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

d:\NetLimiter\nl_lsp.dll [null data], 01 - 05, 11

%SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 12 - 21

%SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10



Toolbars, Explorer Bars, Extensions:

------------------------------------


Toolbars


HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"

  -> {HKLM...CLSID} = "Winamp Toolbar"

                   \InProcServer32\(Default) = "C:\Program Files\Winamp Toolbar\winamptb.dll" ["AOL LLC"]


HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\

"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}" = "Winamp Toolbar"

  -> {HKLM...CLSID} = "Winamp Toolbar"

                   \InProcServer32\(Default) = "C:\Program Files\Winamp Toolbar\winamptb.dll" ["AOL LLC"]


Explorer Bars


HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\


HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Badanie"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "D:\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

"MenuText" = "Sun Java Console"

"CLSIDExtension" = "{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC}"

  -> {HKCU...CLSID} = "Java Plug-in 1.6.0_03"

                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."]

  -> {HKLM...CLSID} = "Java Plug-in 1.6.0_03"

                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll" ["Sun Microsystems, Inc."]


{92780B25-18CC-41C8-B9BE-3C9C571A8263}\

"ButtonText" = "Badanie"


{B4B52284-A248-4C51-9F7C-F0A0C67FCC9D}\

"ButtonText" = "PartyCasino"

"MenuText" = "PartyCasino"

"Exec" = "e:\PartyGaming\PartyCasino\RunApp.exe" [file not found]


{D6E814A0-E0C5-11D4-8D29-0050BA6940E3}\

"ButtonText" = "FlashGet"

"MenuText" = "FlashGet"

"Exec" = "D:\FlashGet\FlashGet.exe" ["FlashGet.com"]


{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}\

"MenuText" = "Spybot - Search & Destroy Configuration"

"CLSIDExtension" = "{53707962-6F74-2D53-2644-206D7942484F}"

  -> {HKLM...CLSID} = "Spybot-S&D IE Protection"

                   \InProcServer32\(Default) = "d:\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]


{E2E2DD38-D088-4134-82B7-F2BA38496583}\

"MenuText" = "@xpsp3res.dll,-20001"

"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]


{FB5F1910-F110-11D2-BB9E-00C04F795683}\

"ButtonText" = "Messenger"

"MenuText" = "Windows Messenger"

"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


Ad-Aware 2007 Service, aawservice, ""D:\Ad-Aware 2007\aawservice.exe"" ["Lavasoft AB"]

avast! Antivirus, avast! Antivirus, ""d:\Avast4\ashServ.exe"" ["ALWIL Software"]

avast! iAVS4 Control Service, aswUpdSv, ""d:\Avast4\aswUpdSv.exe"" ["ALWIL Software"]

avast! Mail Scanner, avast! Mail Scanner, ""d:\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]

avast! Web Scanner, avast! Web Scanner, ""d:\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]

BlueSoleilCS, BlueSoleilCS, "D:\BlueSoleil\BlueSoleilCS.exe" [empty string]

BrSplService, Brother XP spl Service, "C:\windows\system32\brsvc01a.exe" ["brother Industries Ltd"]

BsHelpCS, BsHelpCS, "D:\BlueSoleil\BsHelpCS.exe" [empty string]

cFosSpeed System Service, cFosSpeedS, ""D:\cfoss\spd.exe" -service" ["cFos Software GmbH"]

Karta wydajności WMI, WmiApSrv, "C:\WINDOWS\system32\wbem\wmiapsrv.exe" [MS]

Nero BackItUp Scheduler 3, Nero BackItUp Scheduler 3, "D:\Nero\Nero 8\Nero BackItUp\NBService.exe" ["Nero AG"]

NMIndexingService, NMIndexingService, ""C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe"" ["Nero AG"]

nTune Service, nTuneService, "d:\NVIDIA Corporation\nTune\nTuneService.exe /StartService" ["NVIDIA"]

NVIDIA Display Driver Service, NVSvc, "C:\windows\system32\nvsvc32.exe" ["NVIDIA Corporation"]

StarWind iSCSI Service, StarWindService, "d:\Alcohol 120\StarWind\StarWindService.exe" ["Rocket Division Software"]

Windows Driver Foundation - User-mode Driver Framework, WudfSvc, "C:\windows\system32\svchost.exe -k WudfServiceGroup" {"C:\windows\System32\WUDFSvc.dll" [MS]}



Keyboard Driver Filters:

------------------------


HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\

"UpperFilters" = <> "KeyMaestro" [file not found]



---------- (launch time: 2008-01-06 12:55:31)

<>: Suspicious data at a malware launch point.


+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

  took 90 seconds.

---------- (total run time: 129 seconds)

(Gutek) #2

Zmiana zasad wklejania logów na forum - viewtopic.php?f=16&t=213350

Daj log z ComboFix


(Tgrzebien) #3

http://wklej.org/id/f0480bb199


(Gutek) #4

Wklej do Notatnika:

File::

C:\WINDOWS\system32\pavas.ico 

C:\WINDOWS\system32\Uninstall.ico 

C:\WINDOWS\system32\Help.ico

>>Plik>>Zapisz jako... >>> CFScript (najwygodniej będzie, jeśli zapiszesz w takiej lokalizacji, by ikonka CFScript.txt znalazła się obok ikonki ComboFix.exe )

Przeciągnij i upuść plik CFScript.txt na plik ComboFix.exe (czyli ikonkę CFScript.txt na ikonkę ComboFix.exe )

– podobnie jak na tym obrazku -->88953CFScript-createdbyMiekiemoes.gif

(jeśli pojawi się pytanie " 1 or 2" - to wpisz 1 i naciśnij ENTER) Ma się rozpocząć usuwanie. (i powstanie log)

Po restarcie usuń ręcznie folder C: **** Qoobox.

Po tym nowy log z Combo