Wirus. Programy nie chcą się otwierać

nadeo · 6 Wrzesień 2007 17:03

Witam!

Mam właściwie identyczny problem, jak w tym temacie http://forum.idg.pl/index.php?showtopic=102632. Próbowałam robić to, co proponowali w tym temacie, ale jak nic nie działa, tak nie działa. Po otworzeniu jakiegoś pliku wyłączył mi się Tlen i antivir, pliki exe zostały jakoś spaprane, w Tlenie ikona zmieniła się na jakieś klucze i nie da się tych programów uruchomić. Chciałam zainstalować ponownie antivira, niestety na kompie nie są tworzone pliki exe… Chcę za wszelką cenę uniknąć formatowania. Nie mam punktu przywracania systemu. Tryb awaryjny nie działa. Ad-Aware bodajże usunął to: C:\Documents and Settings\xxx\Application Data\m\flec006.exe, ale nie wiem, czy zostało to całkowicie usunięte. Totalny ze mnie laik, więc byłabym bardzo wdzięczna za szybką i wyczerpującą odpowiedź, co mam po kolei zrobić. Wklejam loga tylko z Hijacka, bo ComboFix mi nie działa.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 18:23:50, on 2007-09-06

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

D:\Programy\Server\Apache\bin\httpd.exe

D:\Programy\Server\MySQL\bin\mysqld-nt.exe

D:\Programy\Server\Apache\bin\httpd.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

D:\Programy\Mmm+\MmmTray.exe

D:\Programy\Launchy\Launchy.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

D:\Programy\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\sol.exe

D:\Programy\HijackThis\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - URLSearchHook: Foxit toolbar - {73c7d5b0-7b03-444a-84c7-ce1ba03b5573} - C:\Program Files\Foxit\tbFoxi.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - D:\Programy\Adobe\/Adobe Contribute CS3/contributeieplugin.dll

O2 - BHO: MouseGest - {112AB43D-32C4-3B21-53BA-13A46743BC34} - C:\WINDOWS\system32\mousegex.dll

O2 - BHO: GetRight IE Download Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - D:\Programy\GetRight\xx2gr.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\Programy\MICROS~1\Office12\GRA8E1~1.DLL

O2 - BHO: Foxit toolbar - {73c7d5b0-7b03-444a-84c7-ce1ba03b5573} - C:\Program Files\Foxit\tbFoxi.dll

O2 - BHO: Web Mon - {7428F943-BC4F-4A39-3B43-AB433C523B34} - C:\WINDOWS\system32\WebMon.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Programy\Java JRE\bin\ssv.dll

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Programy\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Programy\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - D:\Programy\Adobe\/Adobe Contribute CS3/contributeieplugin.dll

O3 - Toolbar: Foxit toolbar - {73c7d5b0-7b03-444a-84c7-ce1ba03b5573} - C:\Program Files\Foxit\tbFoxi.dll

O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay

O4 - HKCU\..\Run: [Komunikator] D:\Programy\Tlen.pl\tlen.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Mmm] "D:\Programy\Mmm+\MmmTray.exe"

O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')

O4 - Global Startup: Launchy.lnk = D:\Programy\Launchy\Launchy.exe

O8 - Extra context menu item: Append to existing PDF - res://D:\Programy\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Programy\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Programy\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Programy\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Programy\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Programy\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Programy\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Programy\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://D:\Programy\MICROS~1\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Programy\Java JRE\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Programy\Java JRE\bin\ssv.dll

O9 - Extra button: Wyślij do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\Programy\MICROS~1\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: Wyślij &do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\Programy\MICROS~1\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\Programy\MICROS~1\Office12\REFIEBAR.DLL

O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - D:\Programy\ICQ6\ICQ.exe

O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - D:\Programy\ICQ6\ICQ.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1188722386296

O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\Programy\MICROS~1\Office12\GR99D3~1.DLL

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Apache2 - Apache Software Foundation - D:\Programy\Server\Apache\bin\httpd.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: MySQL - Unknown owner - D:\Programy\Server\MySQL\bin\mysqld-nt (file missing)


--

End of file - 6522 bytes

Colicab · 6 Wrzesień 2007 17:25

tu nic nie ma. Jak to nie dziala tryb awaryjny? Co sie w nim dzieje?

nadeo · 6 Wrzesień 2007 17:31

To może jeszcze wkleję loga z SilentRunnera. Nie działa, bo gdy chcę tam wejść, to mi wywala niebieski ekran.

"Silent Runners.vbs", revision 52, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"Komunikator" = "D:\Programy\Tlen.pl\tlen.exe" [file not found]

"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

"Mmm" = ""D:\Programy\Mmm+\MmmTray.exe"" [null data]


HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"ATICCC" = ""C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay" [null data]


HKLM\Software\Microsoft\Active Setup\Installed Components\

>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"

                                        \StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

{074C1DC5-9320-4A9A-947D-C042949C6216}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "ContributeBHO Class"

                   \InProcServer32\(Default) = "D:\Programy\Adobe\/Adobe Contribute CS3/contributeieplugin.dll" ["Adobe Systems Incorporated."]

{112AB43D-32C4-3B21-53BA-13A46743BC34}\(Default) = "MouseGest"

  -> {HKLM...CLSID} = "MouseGest"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\mousegex.dll" [null data]

{31FF080D-12A3-439A-A2EF-4BA95A3148E8}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "GetRight IE Download Helper"

                   \InProcServer32\(Default) = "D:\Programy\GetRight\xx2gr.dll" ["Headlight Software, Inc."]

{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "Groove GFS Browser Helper"

                   \InProcServer32\(Default) = "D:\Programy\MICROS~1\Office12\GRA8E1~1.DLL" [MS]

{73c7d5b0-7b03-444a-84c7-ce1ba03b5573}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "Foxit toolbar"

                   \InProcServer32\(Default) = "C:\Program Files\Foxit\tbFoxi.dll" ["Conduit Ltd."]

{7428F943-BC4F-4A39-3B43-AB433C523B34}\(Default) = "Web Mon"

  -> {HKLM...CLSID} = "Web Monitor"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\WebMon.dll" [null data]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "SSVHelper Class"

                   \InProcServer32\(Default) = "D:\Programy\Java JRE\bin\ssv.dll" ["Sun Microsystems, Inc."]

{AE7CD045-E861-484f-8273-0445EE161910}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "Adobe PDF Conversion Toolbar Helper"

                   \InProcServer32\(Default) = "D:\Programy\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]

"{72853161-30C5-4D22-B7F9-0BBC1D38A37E}" = "Groove GFS Browser Helper"

  -> {HKLM...CLSID} = "Groove GFS Browser Helper"

                   \InProcServer32\(Default) = "D:\Programy\MICROS~1\Office12\GRA8E1~1.DLL" [MS]

"{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}" = "Groove GFS Explorer Bar"

  -> {HKLM...CLSID} = "Groove Folder Synchronization"

                   \InProcServer32\(Default) = "D:\Programy\MICROS~1\Office12\GRA8E1~1.DLL" [MS]

"{A449600E-1DC6-4232-B948-9BD794D62056}" = "Groove GFS Stub Icon Handler"

  -> {HKLM...CLSID} = "Groove GFS Stub Icon Handler"

                   \InProcServer32\(Default) = "D:\Programy\MICROS~1\Office12\GRA8E1~1.DLL" [MS]

"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}" = "Groove GFS Stub Execution Hook"

  -> {HKLM...CLSID} = "Groove GFS Stub Execution Hook"

                   \InProcServer32\(Default) = "D:\Programy\MICROS~1\Office12\GRA8E1~1.DLL" [MS]

"{6C467336-8281-4E60-8204-430CED96822D}" = "Groove GFS Context Menu Handler"

  -> {HKLM...CLSID} = "Groove GFS Context Menu Handler"

                   \InProcServer32\(Default) = "D:\Programy\MICROS~1\Office12\GRA8E1~1.DLL" [MS]

"{387E725D-DC16-4D76-B310-2C93ED4752A0}" = "Groove XML Icon Handler"

  -> {HKLM...CLSID} = "Groove XML Icon Handler"

                   \InProcServer32\(Default) = "D:\Programy\MICROS~1\Office12\GRA8E1~1.DLL" [MS]

"{16F3DD56-1AF5-4347-846D-7C10C4192619}" = "Groove Explorer Icon Overlay 3 (GFS Folder)"

  -> {HKLM...CLSID} = "Groove Explorer Icon Overlay 3 (GFS Folder)"

                   \InProcServer32\(Default) = "D:\Programy\MICROS~1\Office12\GRA8E1~1.DLL" [MS]

"{AB5C5600-7E6E-4B06-9197-9ECEF74D31CC}" = "Groove Explorer Icon Overlay 2 (GFS Stub)"

  -> {HKLM...CLSID} = "Groove Explorer Icon Overlay 2 (GFS Stub)"

                   \InProcServer32\(Default) = "D:\Programy\MICROS~1\Office12\GRA8E1~1.DLL" [MS]

"{2916C86E-86A6-43FE-8112-43ABE6BF8DCC}" = "Groove Explorer Icon Overlay 4 (GFS Unread Mark)"

  -> {HKLM...CLSID} = "Groove Explorer Icon Overlay 4 (GFS Unread Mark)"

                   \InProcServer32\(Default) = "D:\Programy\MICROS~1\Office12\GRA8E1~1.DLL" [MS]

"{99FD978C-D287-4F50-827F-B2C658EDA8E7}" = "Groove Explorer Icon Overlay 1 (GFS Unread Stub)"

  -> {HKLM...CLSID} = "Groove Explorer Icon Overlay 1 (GFS Unread Stub)"

                   \InProcServer32\(Default) = "D:\Programy\MICROS~1\Office12\GRA8E1~1.DLL" [MS]

"{920E6DB1-9907-4370-B3A0-BAFC03D81399}" = "Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)"

  -> {HKLM...CLSID} = "Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)"

                   \InProcServer32\(Default) = "D:\Programy\MICROS~1\Office12\GRA8E1~1.DLL" [MS]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"

  -> {HKLM...CLSID} = "Outlook File Icon Extension"

                   \InProcServer32\(Default) = "D:\Programy\MICROS~1\Office12\OLKFSTUB.DLL" [MS]

"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"

  -> {HKLM...CLSID} = "Microsoft Office Outlook"

                   \InProcServer32\(Default) = "D:\Programy\MICROS~1\Office12\MLSHEXT.DLL" [MS]

"{5858A72C-C2B4-4dd7-B2BF-B76DB1BD9F6C}" = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search"

  -> {HKLM...CLSID} = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search"

                   \InProcServer32\(Default) = "D:\Programy\MICROS~1\Office12\ONFILTER.DLL" [MS]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "D:\Programy\Microsoft Office\Office12\msohevi.dll" [MS]

"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"

  -> {HKLM...CLSID} = "Microsoft Office Metadata Handler"

                   \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]

"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"

  -> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"

                   \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]

"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" = "Adobe.Acrobat.ContextMenu"

  -> {HKLM...CLSID} = "Acrobat Elements Context Menu"

                   \InProcServer32\(Default) = "D:\Programy\Adobe\Acrobat 8.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "D:\Programy\WinRAR\rarext.dll" [null data]

"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"

  -> {HKLM...CLSID} = "RealOne Player Context Menu Class"

                   \InProcServer32\(Default) = "D:\Programy\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]

"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"

  -> {HKLM...CLSID} = "iTunes"

                   \InProcServer32\(Default) = "D:\Programy\iTunes\iTunesMiniPlayer.dll" ["Apple Inc."]

"{72923739-5A47-40A3-9895-25AF0DFBB9E4}" = "Glary Utilities Context Menu Shell Extension"

  -> {HKLM...CLSID} = "Glary Utilities Context Menu Shell Extension"

                   \InProcServer32\(Default) = "D:\Programy\GLARYU~2\CONTEX~1.DLL" ["GlarySoft,Inc."]

"{AD392E40-428C-459F-961E-9B147782D099}" = "UltraISO"

  -> {HKLM...CLSID} = "UIContextMenu Class"

                   \InProcServer32\(Default) = "D:\Programy\UltraISO\isoshell.dll" ["EZB Systems, Inc."]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

<> "{B5A7F190-DDA6-4420-B3BA-52453494E6CD}" = "Groove GFS Stub Execution Hook"

  -> {HKLM...CLSID} = "Groove GFS Stub Execution Hook"

                   \InProcServer32\(Default) = "D:\Programy\MICROS~1\Office12\GRA8E1~1.DLL" [MS]


HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\

"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

  -> {HKLM...CLSID} = "WPDShServiceObj Class"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]


HKLM\System\CurrentControlSet\Control\Session Manager\

<> "BootExecute" = "PDBoot.exe" ["Raxco Software, Inc."]|"autocheck autochk *"


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

<> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]


HKLM\Software\Classes\PROTOCOLS\Filter\

<> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}"

  -> {HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter"

                   \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL" [MS]


HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"

  -> {HKLM...CLSID} = "PDF Shell Extension"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

Adobe.Acrobat.ContextMenu\(Default) = "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"

  -> {HKLM...CLSID} = "Acrobat Elements Context Menu"

                   \InProcServer32\(Default) = "D:\Programy\Adobe\Acrobat 8.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "D:\Programy\WinRAR\rarext.dll" [null data]

XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"

  -> {HKLM...CLSID} = "Groove GFS Context Menu Handler"

                   \InProcServer32\(Default) = "D:\Programy\MICROS~1\Office12\GRA8E1~1.DLL" [MS]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

UltraISO\(Default) = "{AD392E40-428C-459F-961E-9B147782D099}"

  -> {HKLM...CLSID} = "UIContextMenu Class"

                   \InProcServer32\(Default) = "D:\Programy\UltraISO\isoshell.dll" ["EZB Systems, Inc."]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "D:\Programy\WinRAR\rarext.dll" [null data]

XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"

  -> {HKLM...CLSID} = "Groove GFS Context Menu Handler"

                   \InProcServer32\(Default) = "D:\Programy\MICROS~1\Office12\GRA8E1~1.DLL" [MS]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

Adobe.Acrobat.ContextMenu\(Default) = "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"

  -> {HKLM...CLSID} = "Acrobat Elements Context Menu"

                   \InProcServer32\(Default) = "D:\Programy\Adobe\Acrobat 8.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]

UltraISO\(Default) = "{AD392E40-428C-459F-961E-9B147782D099}"

  -> {HKLM...CLSID} = "UIContextMenu Class"

                   \InProcServer32\(Default) = "D:\Programy\UltraISO\isoshell.dll" ["EZB Systems, Inc."]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "D:\Programy\WinRAR\rarext.dll" [null data]

XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"

  -> {HKLM...CLSID} = "Groove GFS Context Menu Handler"

                   \InProcServer32\(Default) = "D:\Programy\MICROS~1\Office12\GRA8E1~1.DLL" [MS]


HKLM\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\

XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"

  -> {HKLM...CLSID} = "Groove GFS Context Menu Handler"

                   \InProcServer32\(Default) = "D:\Programy\MICROS~1\Office12\GRA8E1~1.DLL" [MS]



Group Policies {GPedit.msc branch and setting}:

-----------------------------------------------


Note: detected settings may not have any effect.


HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\


"NoRecentDocsMenu" = (REG_DWORD) hex:0x00000001

{unrecognized setting}


"NoResolveTrack" = (REG_DWORD) hex:0x00000001

{unrecognized setting}


HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\


"NoResolveTrack" = (REG_DWORD) hex:0x00000001

{unrecognized setting}


HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\


"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}


"undockwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Devices: Allow undock without having to log on}



Active Desktop and Wallpaper:

-----------------------------


Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"


Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Documents and Settings\Monika\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"



Startup items in "Monika" & "All Users" startup folders:

--------------------------------------------------------


C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

"Launchy" -> shortcut to: "D:\Programy\Launchy\Launchy.exe" ["Code Jelly"]



Enabled Scheduled Tasks:

------------------------


"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -Task" ["Apple Computer, Inc."]

"SyncBackSE Bookmarks" -> launches: "D:\Programy\SyncBackSE\SyncBackSE.exe -m "Bookmarks"" [file not found]

"SyncBackSE Tlen Archiwum" -> launches: "D:\Programy\SyncBackSE\SyncBackSE.exe -m "Tlen Archiwum"" [file not found]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000004\LibraryPath = "C:\Program Files\Bonjour\mdnsNSP.dll" ["Apple Computer, Inc."]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 14

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05



Toolbars, Explorer Bars, Extensions:

------------------------------------


Toolbars


HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\

"{73C7D5B0-7B03-444A-84C7-CE1BA03B5573}"

  -> {HKLM...CLSID} = "Foxit toolbar"

                   \InProcServer32\(Default) = "C:\Program Files\Foxit\tbFoxi.dll" ["Conduit Ltd."]


HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

"{47833539-D0C5-4125-9FA8-0819E2EAAC93}"

  -> {HKLM...CLSID} = "Adobe PDF"

                   \InProcServer32\(Default) = "D:\Programy\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

"{73C7D5B0-7B03-444A-84C7-CE1BA03B5573}"

  -> {HKLM...CLSID} = "Foxit toolbar"

                   \InProcServer32\(Default) = "C:\Program Files\Foxit\tbFoxi.dll" ["Conduit Ltd."]


HKLM\Software\Microsoft\Internet Explorer\Toolbar\

"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" = (no title provided)

  -> {HKLM...CLSID} = "Adobe PDF"

                   \InProcServer32\(Default) = "D:\Programy\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

"{517BDDE4-E3A7-4570-B21E-2B52B6139FC7}" = (no title provided)

  -> {HKLM...CLSID} = "Contribute Toolbar"

                   \InProcServer32\(Default) = "D:\Programy\Adobe\/Adobe Contribute CS3/contributeieplugin.dll" ["Adobe Systems Incorporated."]

"{73C7D5B0-7B03-444A-84C7-CE1BA03B5573}" = "Foxit Toolbar"

  -> {HKLM...CLSID} = "Foxit toolbar"

                   \InProcServer32\(Default) = "C:\Program Files\Foxit\tbFoxi.dll" ["Conduit Ltd."]


Explorer Bars


HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

{182EC0BE-5110-49C8-A062-BEB1D02A220B}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "Adobe PDF"

                   \InProcServer32\(Default) = "D:\Programy\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]


HKLM\Software\Classes\CLSID\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}\(Default) = "Groove Folder Synchronization"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "D:\Programy\MICROS~1\Office12\GRA8E1~1.DLL" [MS]


HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Poszukaj"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "D:\Programy\MICROS~1\Office12\REFIEBAR.DLL" [MS]


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\Software\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

"MenuText" = "Sun Java Console"

"CLSIDExtension" = "{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC}"

  -> {HKCU...CLSID} = "Java Plug-in 1.6.0_02"

                   \InProcServer32\(Default) = "D:\Programy\Java JRE\bin\ssv.dll" ["Sun Microsystems, Inc."]

  -> {HKLM...CLSID} = "Java Plug-in 1.6.0_02"

                   \InProcServer32\(Default) = "D:\Programy\Java JRE\bin\npjpi160_02.dll" ["Sun Microsystems, Inc."]


{2670000A-7350-4F3C-8081-5663EE0C6C49}\

"ButtonText" = "Wyślij do programu OneNote"

"MenuText" = "Wyślij &do programu OneNote"

"CLSIDExtension" = "{48E73304-E1D6-4330-914C-F5F514E3486C}"

  -> {HKLM...CLSID} = "Send to OneNote from Internet Explorer button"

                   \InProcServer32\(Default) = "D:\Programy\MICROS~1\Office12\ONBttnIE.dll" [MS]


{92780B25-18CC-41C8-B9BE-3C9C571A8263}\

"ButtonText" = "Research"


{E59EB121-F339-4851-A3BA-FE49C35617C2}\

"ButtonText" = "ICQ6"

"MenuText" = "ICQ6"

"Exec" = "D:\Programy\ICQ6\ICQ.exe" ["ICQ, Inc."]


{FB5F1910-F110-11D2-BB9E-00C04F795683}\

"ButtonText" = "Messenger"

"MenuText" = "Windows Messenger"

"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]



Miscellaneous IE Hijack Points

------------------------------


HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\

<> "{73c7d5b0-7b03-444a-84c7-ce1ba03b5573}" = (no title provided)

  -> {HKLM...CLSID} = "Foxit toolbar"

                   \InProcServer32\(Default) = "C:\Program Files\Foxit\tbFoxi.dll" ["Conduit Ltd."]



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


Apache2, Apache2, ""D:\Programy\Server\Apache\bin\httpd.exe" -k runservice" ["Apache Software Foundation"]

MySQL, MySQL, ""D:\Programy\Server\MySQL\bin\mysqld-nt" --defaults-file="D:\Programy\Server\MySQL\my.ini" MySQL" [null data]



Print Monitors:

---------------


HKLM\System\CurrentControlSet\Control\Print\Monitors\

Adobe PDF Port\Driver = "C:\WINDOWS\system32\AdobePDF.dll" ["Adobe Systems Incorporated."]

Canon MP Language Monitor MP360\Driver = "CNMLMyd.DLL" ["CANON INC."]

Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]

Send To Microsoft OneNote Monitor\Driver = "msonpmon.dll" [MS]



---------- (launch time: 2007-09-06 19:08:00)

<>: Suspicious data at a malware launch point.

<>: Suspicious data at a browser hijack point.


+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

  took 237 seconds.

---------- (total run time: 324 seconds)

Colicab · 6 Wrzesień 2007 17:38

tu tez nic nie ma. Co jest na bluescreenie?

nadeo · 6 Wrzesień 2007 18:24

"Sprawdź czy na komputerze nie ma wirusów. Usuń wszelkie nowo zainstalowane

dyski twarde i kontrolery dysków twardych. Sprawdź dysk twardy i upewnij się

że jest on poprawnie zainstalowany i skonfigurowany następnie uruchom

program CHKDSK /F aby sprawdzić czy dysk nie jest uszkodzony a następnie

uruchom komputer.

STOP: 0x0000007B (0xF894C640, 0xC0000034,0x00000000,0x00000000)"

Dać loga z ComboFix? Poza tym uruchomił mi się przy starcie systemu flec006.exe. Jak to usunąć?

Colicab · 6 Wrzesień 2007 18:47

jak uruchomisz msconfig to tam masz zakladke “uruchamianie”. Trzeba stamtad i z dysku wywalic smieci. Tak samo w Rejestrze w kluczu Run i/lub RunOnce

Gutek · 6 Wrzesień 2007 18:57

daruj sobie logi

pliki do usunięcia

Daj log z ComboFix

nadeo · 6 Wrzesień 2007 19:04

ComboFix 07-08-30.3 - “Monika” 2007-09-06 19:55:10.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.199 [GMT 2:00]

ADS removed - C:\WINDOWS\system32\ntoskrnl.exe: Nie można odnaleźć określonego pliku.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\DOCUME~1\Tomek\DANEAP~1\microsoft\internet explorer\quick launch\intern~1.lnk

C:\WINDOWS\exefld

C:\WINDOWS\system32\drivers\hidr.exe

C:\WINDOWS\system32\drivers\srosa.sys

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\nm

((((((((((((((((((((((((( Files Created from 2007-08-06 to 2007-09-06 )))))))))))))))))))))))))))))))

2007-09-06 19:52

2007-09-06 18:43 51,200 --a------ C:\WINDOWS\nircmd.exe

2007-09-06 14:31 11,776 --a–c— C:\WINDOWS\system32\dllcache\chkdsk.exe

2007-09-06 14:31 11,776 --a------ C:\WINDOWS\system32\chkdsk.exe

2007-09-06 09:16

2007-09-06 09:00

2007-09-03 13:20

2007-09-03 09:10

2007-09-03 06:58 287 --a------ C:\WINDOWS\EReg072.dat

2007-09-02 15:52

2007-09-02 10:40 43,352 --a------ C:\WINDOWS\system32\wups2.dll

2007-09-02 10:39

2007-09-02 10:31

2007-09-01 15:45

2007-09-01 08:32

2007-09-01 08:03 83,968 --a------ C:\WINDOWS\system32\Skbase40.dll

2007-09-01 08:03 8,704 --a------ C:\WINDOWS\system32\vidccleaner.exe

2007-09-01 08:03 217,088 --a------ C:\WINDOWS\system32\skjpeg40.dll

2007-08-31 14:07

2007-08-31 13:36

2007-08-31 12:38

2007-08-31 12:37 82,432 --a------ C:\WINDOWS\system32\msxml4r.dll

2007-08-31 12:37 44,544 --a------ C:\WINDOWS\system32\msxml4a.dll

2007-08-31 12:37 1,230,336 --a------ C:\WINDOWS\system32\msxml4.dll

2007-08-31 12:37

2007-08-31 07:03

2007-08-31 06:58

2007-08-31 06:57 14,048 --------- C:\WINDOWS\system32\spmsg2.dll

2007-08-31 06:57

2007-08-27 07:31 49,536 --a------ C:\WINDOWS\system32\drivers\ajqejcwx.sys

2007-08-26 16:56

2007-08-22 23:33

2007-08-21 18:37

2007-08-19 21:16 12 --a------ C:\WINDOWS\lang_e86.dll

2007-08-12 07:12

2007-08-09 21:15

2007-08-08 21:19

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-09-06 19:54 --------- d-------- C:\DOCUME~1\Monika\DANEAP~1\Launchy

2007-09-06 14:30 --------- d-------- C:\DOCUME~1\Tomek\DANEAP~1\Launchy

2007-09-06 12:33 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard

2007-09-05 13:23 --------- d-------- C:\DOCUME~1\Monika\DANEAP~1\LimeWire

2007-09-04 17:23 --------- d-------- C:\DOCUME~1\Tomek\DANEAP~1\Tlen.pl

2007-09-04 10:32 --------- d-------- C:\DOCUME~1\Monika\DANEAP~1\Skype

2007-09-02 19:38 --------- d-------- C:\DOCUME~1\Monika\DANEAP~1\Tlen.pl

2007-09-02 15:51 --------- d-------- C:\DOCUME~1\Monika\DANEAP~1\uTorrent

2007-09-01 21:51 --------- d-------- C:\DOCUME~1\Tomek\DANEAP~1\X-Chat 2

2007-09-01 10:25 2855 --a------ C:\WINDOWS\pif\NFS_DOS.PIF

2007-09-01 08:03 --------- d–h----- C:\Program Files\InstallShield Installation Information

2007-08-30 23:41 --------- d-------- C:\DOCUME~1\OLDSCH~1\DANEAP~1\Tlen.pl

2007-08-30 22:05 --------- d-------- C:\DOCUME~1\Monika\DANEAP~1\Winamp

2007-08-24 06:49 --------- d-------- C:\DOCUME~1\ALLUSE~1\DANEAP~1\FLEXnet

2007-08-23 08:16 --------- d-------- C:\DOCUME~1\Tomek\DANEAP~1\Azureus

2007-08-18 03:07 --------- d-------- C:\DOCUME~1\OLDSCH~1\DANEAP~1\Skype

2007-08-08 21:19 --------- d-------- C:\Program Files\Common Files\Real

2007-08-06 13:40 --------- d-------- C:\Program Files\QuickTime

2007-08-04 10:57 --------- d-------- C:\Program Files\Foxit

2007-08-02 17:48 108144 --a------ C:\WINDOWS\system32\CmdLineExt.dll

2007-08-02 17:48 --------- dr-h----- C:\DOCUME~1\Monika\DANEAP~1\SecuROM

2007-08-02 17:39 --------- d-------- C:\DOCUME~1\Monika\DANEAP~1\Azureus

2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll

2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll

2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe

2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll

2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll

2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll

2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll

2007-07-20 18:46 --------- d-------- C:\Program Files\Windows Media Connect 2

2007-07-17 16:05 682232 --a------ C:\WINDOWS\system32\drivers\sptd.sys

2007-07-14 13:27 --------- d-------- C:\Program Files\uTorrent

2007-07-13 09:36 166912 --a------ C:\WINDOWS\system32\libmcrypt.dll

2007-07-07 22:37 --------- d-------- C:\DOCUME~1\OLDSCH~1\DANEAP~1\Netscape

2007-07-07 13:36 --------- d-------- C:\DOCUME~1\Tomek\DANEAP~1\Netscape

2007-07-06 21:14 --------- d-------- C:\DOCUME~1\OLDSCH~1\DANEAP~1\Winamp

2007-07-06 21:14 --------- d-------- C:\DOCUME~1\OLDSCH~1\DANEAP~1\Real

2007-07-06 21:14 --------- d-------- C:\DOCUME~1\OLDSCH~1\DANEAP~1\PC Suite

2007-07-06 21:14 --------- d-------- C:\DOCUME~1\OLDSCH~1\DANEAP~1\Nokia

2007-07-06 21:14 --------- d-------- C:\DOCUME~1\OLDSCH~1\DANEAP~1\ImageBadger

2007-07-06 21:06 --------- d-------- C:\DOCUME~1\OLDSCH~1\DANEAP~1\ATI

2007-07-06 18:57 --------- d-------- C:\DOCUME~1\Tomek\DANEAP~1\FlashFXP

2007-07-06 18:38 --------- d-------- C:\DOCUME~1\Tomek\DANEAP~1\GlobalSCAPE

2007-07-06 15:56 --------- d-------- C:\DOCUME~1\Monika\DANEAP~1\Canon

2007-06-12 09:28 545280 --a------ C:\WINDOWS\flashax.exe

2007-06-12 09:28 12288 --a------ C:\WINDOWS\impborl.dll

2001-11-23 12:08 712704 --a------ C:\WINDOWS\inf\OTHER\AUDIO3D.DLL

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{112AB43D-32C4-3B21-53BA-13A46743BC34}]

2002-03-27 14:25 48128 --a------ C:\WINDOWS\system32\mousegex.dll

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{73c7d5b0-7b03-444a-84c7-ce1ba03b5573}]

2007-06-26 17:54 1383448 --a------ C:\Program Files\Foxit\tbFoxi.dll

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{7428F943-BC4F-4A39-3B43-AB433C523B34}]

2002-08-15 08:23 57856 --a------ C:\WINDOWS\system32\WebMon.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]

“{73C7D5B0-7B03-444A-84C7-CE1BA03B5573}”= C:\Program Files\Foxit\tbFoxi.dll [2007-06-26 17:54 1383448]

[HKEY_CLASSES_ROOT\CLSID{73C7D5B0-7B03-444A-84C7-CE1BA03B5573}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“ATICCC”=“C:\Program Files\ATI Technologies\ATI.ACE\cli.exe” [2006-01-02 16:41]

“QuickTime Task”=“C:\Program Files\QuickTime\QTTask.exe” [2007-06-29 06:24]

“iTunesHelper”=“D:\Programy\iTunes\iTunesHelper.exe” [2007-09-05 18:03]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“Komunikator”=“D:\Programy\Tlen.pl\tlen.exe” []

“ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-04 00:44]

“Mmm”=“D:\Programy\Mmm+\MmmTray.exe” [2007-05-24 13:49]

“mule_st_key”=“C:\Documents and Settings\Monika\Dane aplikacji\m\flec006.exe” []

C:\DOCUME~1\OLDSCH~1\MENUST~1\Programy\AUTOST~1\

Tworzenie wycink˘w ekranu i uruchamianie programu OneNote 2007.lnk - D:\Programy\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 20:24:54]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

“NoResolveTrack”=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

“NoRecentDocsMenu”=1 (0x1)

“NoResolveTrack”=1 (0x1)

SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]

@=“Driver Group”

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs]

@=“Service”

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]

@=“Driver”

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal{4D36E967-E325-11CE-BFC1-08002BE10318}]

@=“DiskDrive”

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal{4D36E96A-E325-11CE-BFC1-08002BE10318}]

@=“Hdc”

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal{4D36E96B-E325-11CE-BFC1-08002BE10318}]

@=“Keyboard”

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal{4D36E96F-E325-11CE-BFC1-08002BE10318}]

@=“Mouse”

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal{4D36E97D-E325-11CE-BFC1-08002BE10318}]

@=“System”

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal{71A27CDD-812A-11D0-BEC7-08002BE2092F}]

@=“Volume”

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Acrobat Speed Launcher.lnk]

path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Acrobat Speed Launcher.lnk

backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Acrobat Synchronizer.lnk]

path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Acrobat Synchronizer.lnk

backup=C:\WINDOWS\pss\Adobe Acrobat Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]

path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk

backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Synchronizer.lnk]

path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Synchronizer.lnk

backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Monitor Apache Servers.lnk]

path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Monitor Apache Servers.lnk

backup=C:\WINDOWS\pss\Monitor Apache Servers.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Monika^Menu Start^Programy^Autostart^Tworzenie wycinków ekranu i uruchamianie programu OneNote 2007.lnk]

path=C:\Documents and Settings\Monika\Menu Start\Programy\Autostart\Tworzenie wycinków ekranu i uruchamianie programu OneNote 2007.lnk

backup=C:\WINDOWS\pss\Tworzenie wycinków ekranu i uruchamianie programu OneNote 2007.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AAWTray]

D:\Programy\Ad-Aware 2007\AAWTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]

“D:\Programy\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe”

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

“C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe”

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]

C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0EYTHM]

C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cmaudio]

RunDll32 cmicnfg.cpl,CMICtrlWnd

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]

“D:\Programy\DAEMON Tools\daemon.exe” -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]

“D:\Programy\DAEMON Tools\daemon.exe” -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DWQueuedReporting]

“C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe” -t

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\East-Tec Backup 2007]

“D:\Programy\East-Tec Backup 2007\etBackup.exe” /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]

“D:\Programy\Microsoft Office\Office12\GrooveMonitor.exe”

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

“D:\Programy\iTunes\iTunesHelper.exe”

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Komunikator]

D:\Programy\Tlen.pl\tlen.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pb_scheduler_agent]

rem D:\Programy\Premium Booster\scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]

D:\Programy\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]

D:\Programy\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

“C:\Program Files\QuickTime\QTTask.exe” -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Soundlibs]

C:\WINDOWS\soundlib.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

“D:\Programy\Java JRE\bin\jusched.exe”

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

“ServiceLayer”=3 (0x3)

“ose”=3 (0x3)

“odserv”=3 (0x3)

“Microsoft Office Groove Audit Service”=3 (0x3)

“iPod Service”=3 (0x3)

“gusvc”=3 (0x3)

“FLEXnet Licensing Service”=3 (0x3)

“Bonjour Service”=2 (0x2)

“ATI Smart”=2 (0x2)

“Adobe Version Cue CS3”=3 (0x3)

“Apple Mobile Device”=2 (0x2)

“WMPNetworkSvc”=3 (0x3)

“idsvc”=3 (0x3)

“PDAgent”=2 (0x2)

“PDEngine”=3 (0x3)

“PDExchange”=3 (0x3)

“aawservice”=2 (0x2)

“MDM”=2 (0x2)

S1 srosa;Megadrv3;??\C:\WINDOWS\system32\drivers\srosa.sys

S3 MSIRCOMM;Microsoft IR Communications Driver;C:\WINDOWS\system32\DRIVERS\MSIRCOMM.sys

S3 usbscan;Sterownik skanera USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys

S3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

S4 msvsmon80;Visual Studio 2005 Remote Debugger;“D:\Programy\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe” /service msvsmon80

S4 PDExchange;PDExchange;D:\Programy\PerfectDisk\PDExchange.exe

Contents of the ‘Scheduled Tasks’ folder

2007-09-04 15:58:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe

2007-09-03 19:00:02 C:\WINDOWS\Tasks\SyncBackSE Bookmarks.job - D:\Programy\SyncBackSE\SyncBackSE.exe

2007-09-04 19:00:00 C:\WINDOWS\Tasks\SyncBackSE Tlen Archiwum.job - D:\Programy\SyncBackSE\SyncBackSE.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-09-06 20:01:40

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully

hidden files: 0

**************************************************************************

Completion time: 2007-09-06 20:02:37 - machine was rebooted

C:\ComboFix-quarantined-files.txt … 2007-09-06 20:02

— E O F —

W msconfig mam powywalane śmieci.

Gutek · 6 Wrzesień 2007 19:09

Teraz kolejny automat i po nim log z Combo i wtedy usuniemy resztki

Pobierz program SDFix

nadeo · 6 Wrzesień 2007 19:24

Automat w sensie?

Pobrałam SDFix, wypakowało się, tryb awaryjny nie działa

"Sprawdź czy na komputerze nie ma wirusów. Usuń wszelkie nowo zainstalowane

dyski twarde i kontrolery dysków twardych. Sprawdź dysk twardy i upewnij się

że jest on poprawnie zainstalowany i skonfigurowany następnie uruchom

program CHKDSK /F aby sprawdzić czy dysk nie jest uszkodzony a następnie

uruchom komputer.

STOP: 0x0000007B (0xF894C640, 0xC0000034,0x00000000,0x00000000)"

Gdy kliknęłam na SDFix nie było opcji z “Y”, a jak to wpisałam, to się wyłączył i nic O_o

jessica · 6 Wrzesień 2007 19:37

SDFix na pewno nie będzie działał u Ciebie na razie.

No tak, zgodnie z przewidywaniami: Rootkit Bagle-hidires z usługą “srosa” - to on uszkodził Tryb Awaryjny i Antivirusa.

Sfiksuj w Hijacku to, co podał @Gutek2222.

Potem:>>Start >>> Uruchom >>> wybierz (lub wpisz) cmd >> zastosować te komendy (po każdej wciśnij “ENTER”):

Potem:

Potem zajmij się naprawą Trybu Awaryjnego:

Potem przeinstaluj Antivirusa.

Potem możesz jeszcze użyć SDFix

Uwaga: Da się go uruchomić tylko w Trybie Awaryjnym.

Pokaż Report.txt znajdujący się w folderze SDFix.

O daj też nowy log z ComboFixa.

Log wklej na http://wklej.org/, a w poście daj tylko link.

jessi

nadeo · 6 Wrzesień 2007 19:54

OK, to po kolei:

Po wpisaniu tego

wyszło mi to: OpenService failed 1060.

Nie ma tego w podanym kluczu. Jest tu: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\mule_st_key Usunąć?

Zaraz będę naprawiać Tryb Awaryjny.

Gutek · 6 Wrzesień 2007 20:05

Daj nowy log z Combo

jessica · 6 Wrzesień 2007 20:08

Jeśli nie zadziałało usunięcie “Megadrv3”, to spróbuj tak:

>>Start >>> Uruchom >>> wybierz (lub wpisz) cmd >> zastosować te komendy (po każdej wciśnij “ENTER”):

Jeśli zaś chodzi o “mule_st_key” w kluczu, to podałam wg ComboFixa.

Prawdopodobnie potem nastąpiło wyłączenie poprzez “msconfig”, dlatego teraz jest w innym kluczu. Oczywiście usuń tę wartość z klucza.

jessi

nadeo · 6 Wrzesień 2007 21:20

Dlaczego mam 2 x Microsoft http://www.otofotki.pl/pokaz.php?id=opqr691779958m.JPG?

SafeBootKeyRepair dał radę, tryb się włączył.

Z tym jest tak samo, wychodzi OpenService failed 1060.

Logi:

SDFix http://wklej.org/id/fbb9d5f01f

HijackThis http://www.wklej.org/id/abda5d3d85

ComboFix http://www.wklej.org/id/6425b6bdb7

Gutek · 6 Wrzesień 2007 21:29

Już jest Ok

nadeo · 8 Wrzesień 2007 14:22

W takim razie dzięki za pomoc!