An error occurred while loading C:\WINDOWS\system32\gzmrt.dll

Hello. I have a small problem: when I turn on the computer (after selecting the user), the first thing that greets me is this message:

RUNDLL

Wystąpił błąd podczas ładowania C:\WINDOWS\system32\gzmrt.dll

Nie można odnaleźć określonego modułu.

  • Does anyone know how to tackle this??? Would copying this file from another computer and pasting it into the above location help???

I'd be grateful for any hints/advice :stuck_out_tongue:

Please give the topic a specific title. I suggest reading the forum rules.

Does the computer boot? Post a log.

From what??? From ComboFix?? Because from what I've read so far, you rely on that program; if not, please give me a hint, because I'm not really up to date on these topics (but I learn fast…)…

Ahh… yes, the computer starts up correctly, the startup and shutdown sounds are OK.

Hello.

Post a log from HijackThis and then we'll think about it. I had something similar and had to delete one entry.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 20:27:07, on 2007-12-24

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\UAService7.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\DAEMON Tools Lite\daemon.exe

C:\Program Files\Anti-Spyware Blocker\Anti-Virus.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

E:\Edbud3.12\Eksplorator.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 192.168.0.01

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Search Assistant - {1648E328-3E5A-4EA5-A9C6-E5F09EE272DA} - C:\WINDOWS\system32\adssite_sidebar.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: trafficninja.biz extension - {266A3562-AB67-480E-9F09-D54604FD817B} - C:\WINDOWS\system32\ninjaext.dll

O2 - BHO: My Global Search Bar BHO - {37B85A21-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\2.bin\MGSBAR.DLL

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: Expressivo - {85F685C3-20D9-4943-95E4-EB4224056C3F} - F:\Expressivo Demo\integr\ih-iexplorer\IH_iexplorer.dll

O2 - BHO: HttpGuard - {98B822AD-6BE7-49BC-B773-97240B774080} - C:\WINDOWS\system32\AClient.dll (file missing)

O2 - BHO: ads_optimizer - {9C8A568E-4201-478a-8536-526CF371D2E2} - C:\WINDOWS\system32\nso1B.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll

O3 - Toolbar: My Global Search Bar - {37B85A29-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\2.bin\MGSBAR.DLL

O3 - Toolbar: Expressivo - {85F685C3-20D9-4943-95E4-EB4224056C3F} - F:\Expressivo Demo\integr\ih-iexplorer\IH_iexplorer.dll

O4 - HKLM…\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM…\Run: [skyTel] SkyTel.EXE

O4 - HKLM…\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM…\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit

O4 - HKLM…\Run: [RemoteControl] “C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe”

O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM…\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM…\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM…\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM…\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime

O4 - HKLM…\Run: [Adobe Photo Downloader] “C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe”

O4 - HKLM…\Run: [sunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe”

O4 - HKLM…\Run: [postSetupCheck] C:\WINDOWS\System32\Rundll32.exe “C:\WINDOWS\system32\gzmrt.dll” DllStart

O4 - HKLM…\Run: [WinampAgent] C:\Program Files\Winamp\wianmpa.exe

O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU…\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU…\Run: [NBJ] “C:\Program Files\Ahead\Nero BackItUp\NBJ.exe”

O4 - HKCU…\Run: [skype] “C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized

O4 - HKCU…\Run: [DAEMON Tools Lite] “C:\Program Files\DAEMON Tools Lite\daemon.exe”

O4 - HKUS\S-1-5-19…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘USŁUGA LOKALNA’)

O4 - HKUS\S-1-5-19…\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User ‘USŁUGA LOKALNA’)

O4 - HKUS\S-1-5-20…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘USŁUGA SIECIOWA’)

O4 - HKUS\S-1-5-18…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘SYSTEM’)

O4 - HKUS.DEFAULT…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘Default user’)

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Anti-Spyware Blocker.lnk = C:\Program Files\Anti-Spyware Blocker\Anti-Virus.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Eksplorator.lnk = E:\Edbud3.12\Eksplorator.exe

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan … asinst.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/sho … wflash.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: winexz32 - C:\WINDOWS\SYSTEM32\winexz32.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

End of file - 9538 bytes

And one more thing: what could be the cause of very slow (like a 0.5 Mbit connection) page loading in Internet Explorer? I have a second browser installed, MYIE2 (My Internet Explorer 2). Could it be interfering???

Test from a moment ago:

Rychlost připojení k internetu: 1,948 Mbit/s

Rychlost stahování dat: 249,3 kByte/s

Rychlost odezvy (ping): min 123,497 ms

max 125,350 ms

Ø 124,454 ms

While I'm at it, please tell me about programs that are undesirable for the proper functioning of the hardware.

My hardware: Motherboard - Gigabyte GA-945P-S3 (Intel 945P, Socket 775), Processor - Core 2 Duo E6300 1.86 GHz, Memory - 2 x Kingston DDR2 (512), Graphics - Gigabyte GF 7600GT PX256.

Oh, and one more thing from just now: I can't run any Microsoft Office program (something about the application not being installed for the current user).

I wonder what else…

I should mention that neither Avast nor AVG detects anything new. They have a few files in quarantine (e.g. c:\a) and detect nothing new.

Oooh, and something new: on drive C I have a new folder called “vcs5BGEffects” containing 17 text files with names such as gg.exe, gg.exe_MN, gg.exe_MAIN, iexplore.exe, sndrec32.exe, Vcs6Core.exe, etc. When I open e.g. gg.exe I get:

[20] [10761578] [0396] [MAIN] DLL_PROCESS_ATTACH: Base:0x58b0000

[20] [10762296] [0396] [MAIN] DLL_PROCESS_DETACH: Base:0x58b0000

gg.exe_MN

[19] [8097343] [0396] ProcessStreamEnd 2c11fb8

:evil: :evil: :evil: :evil: :evil: :evil: :evil: :evil: :evil:

Oooh, and a new file at “C:\svcipa” ???

What is going on???

Ah, here's the thing: I found that file, I have it in quarantine in Avast, but it has a virus??? What now???

O2 - BHO: trafficninja.biz extension - {266A3562-AB67-480E-9F09-D54604FD817B} - C:\WINDOWS\system32\ninjaext.dll

O2 - BHO: My Global Search Bar BHO - {37B85A21-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\2.bin\MGSBAR.DLL

Fix those; if something goes wrong, there's the backup. And go to the mks forum, the HijackThis logs section, they'll help you professionally there.

And scan that file at virustotal; enter the file's location on the site:

C:\WINDOWS\system32\gzmrt.dll

In the log:

Did you set this yourself?

Do you know this?

Use VundoFix until it finds nothing!

Then ComboFix, and paste the log (disable the antiviruses while the tool is working).

Two antiviruses is not the best solution. Uninstall one.

Anti-Spyware Blocker is a fake anti-spyware program.

Porchekarera: as for virustotal, I can't scan it because the file isn't there (or it doesn't see it), because it's in quarantine.

Barnaba: I set the IP myself when connecting 2 computers for CS on LAN. As for “O4 - Global Startup: Eksplorator.lnk = E:\Edbud3.12\Eksplorator.exe”, the Edbud program is a cost-estimating program.

As for the IP, does it change anything???

I'm getting on to VundoFix now…

As for antiviruses, which do you recommend, AVG or Avast???

VundoFix V6.7.7

Checking Java version…

Scan started at 13:10:51 2007-12-26

Listing files found while scanning…

C:\WINDOWS\system32\winexz32.dll

Beginning removal…

VundoFix V6.7.7

Checking Java version…

Scan started at 13:21:01 2007-12-26

Listing files found while scanning…

C:\WINDOWS\system32\winexz32.dll

Beginning removal…

Attempting to delete C:\WINDOWS\system32\winexz32.dll

C:\WINDOWS\system32\winexz32.dll Has been deleted!

Performing Repairs to the registry.

Done!

And I tried to throw the .dll files out of quarantine and reran VundoFix, and it did nothing. So maybe I'll try to add them to Vundo manually and we'll see…

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 14:21:36, on 2007-12-26

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\DAEMON Tools Lite\daemon.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\Program Files\Anti-Spyware Blocker\Anti-Virus.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\HPZipm12.exe

E:\Edbud3.12\Eksplorator.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\UAService7.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 192.168.0.01

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll

O3 - Toolbar: My Global Search Bar - {37B85A29-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\2.bin\MGSBAR.DLL

O3 - Toolbar: Expressivo - {85F685C3-20D9-4943-95E4-EB4224056C3F} - F:\Expressivo Demo\integr\ih-iexplorer\IH_iexplorer.dll

O4 - HKLM…\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM…\Run: [skyTel] SkyTel.EXE

O4 - HKLM…\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM…\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit

O4 - HKLM…\Run: [RemoteControl] “C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe”

O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM…\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM…\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM…\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM…\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime

O4 - HKLM…\Run: [Adobe Photo Downloader] “C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe”

O4 - HKLM…\Run: [sunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe”

O4 - HKLM…\Run: [postSetupCheck] C:\WINDOWS\System32\Rundll32.exe “C:\WINDOWS\system32\gzmrt.dll” DllStart

O4 - HKLM…\Run: [WinampAgent] C:\Program Files\Winamp\wianmpa.exe

O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU…\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU…\Run: [NBJ] “C:\Program Files\Ahead\Nero BackItUp\NBJ.exe”

O4 - HKCU…\Run: [skype] “C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized

O4 - HKCU…\Run: [DAEMON Tools Lite] “C:\Program Files\DAEMON Tools Lite\daemon.exe”

O4 - HKUS\S-1-5-19…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘USŁUGA LOKALNA’)

O4 - HKUS\S-1-5-19…\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User ‘USŁUGA LOKALNA’)

O4 - HKUS\S-1-5-20…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘USŁUGA SIECIOWA’)

O4 - HKUS\S-1-5-18…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘SYSTEM’)

O4 - HKUS.DEFAULT…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘Default user’)

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Anti-Spyware Blocker.lnk = C:\Program Files\Anti-Spyware Blocker\Anti-Virus.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Eksplorator.lnk = E:\Edbud3.12\Eksplorator.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan … asinst.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/sho … wflash.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

End of file - 7903 bytes

Vundo found nothing…

And this is from Combo…

ComboFix 07-12-21.4 - ja 2007-12-26 14:36:25.1 - FAT32 x86

Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.511 [GMT 1:00]

Running from: C:\Documents and Settings\ja\Pulpit\ComboFix.exe

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Program Files\myglobalsearch

C:\Program Files\myglobalsearch\bar\2.bin\M9FFXTBR.JAR

C:\Program Files\myglobalsearch\bar\2.bin\M9FFXTBR.MANIFEST

C:\Program Files\myglobalsearch\bar\2.bin\M9NTSTBR.JAR

C:\Program Files\myglobalsearch\bar\2.bin\M9NTSTBR.MANIFEST

C:\Program Files\myglobalsearch\bar\2.bin\M9PLUGIN.DLL

C:\Program Files\myglobalsearch\bar\2.bin\MGSBAR.DLL

C:\Program Files\myglobalsearch\bar\2.bin\NPMYGLSH.DLL

C:\Program Files\myglobalsearch\bar\Cache\009E8B18

C:\Program Files\myglobalsearch\bar\Cache\00AA9F71.bin

C:\Program Files\myglobalsearch\bar\Cache\00AAA6E3.bin

C:\Program Files\myglobalsearch\bar\Cache\00AAA8A8.bin

C:\Program Files\myglobalsearch\bar\Cache\files.ini

C:\Program Files\myglobalsearch\bar\History\search

C:\Program Files\myglobalsearch\bar\Settings\prevcfg.htm

C:\WINDOWS\system32\dlh9jkd1q8.exe

C:\WINDOWS\system32\nso1B.dll

C:\WINDOWS\system32\vx.tll

.

((((((((((((((((((((((((( Files Created from 2007-11-26 to 2007-12-26 )))))))))))))))))))))))))))))))

.

2007-12-26 13:10 . 2007-12-26 13:10

2007-12-25 20:23 . 2007-12-25 20:23

2007-12-24 20:26 . 2007-12-24 20:26

2007-12-24 14:39 . 2007-12-24 14:39

2007-12-24 14:39 . 2007-12-24 14:39

2007-12-24 14:37 . 2007-12-24 14:37 715,248 --a------ C:\WINDOWS\system32\drivers\sptd.sys

2007-12-20 15:25 . 2007-12-20 15:25

2007-12-17 10:00 . 2007-12-17 10:00

2007-12-17 10:00 . 2007-12-17 10:00

2007-12-17 10:00 . 2007-12-17 10:00

2007-12-17 09:30 . 2007-12-17 09:30

2007-12-17 09:30 . 2007-12-17 09:30 32 --a------ C:\Documents and Settings\All Users\Dane aplikacji\ezsid.dat

2007-12-17 09:28 . 2007-12-17 09:28

2007-12-11 06:35 . 2007-12-11 06:35

2007-12-09 13:04 . 2007-12-09 13:04

2007-12-08 19:49 . 2007-12-08 19:49

2007-12-05 12:49 . 2007-12-20 14:07 77,353 --a------ C:\WINDOWS\system32\adssite_sidebar_uninstall.exe

2007-12-05 06:22 . 2007-12-05 06:22

2007-12-05 06:18 . 2007-12-05 06:18

2007-12-05 06:18 . 2007-12-05 06:19 30,590 --a------ C:\WINDOWS\system32\pavas.ico

2007-12-05 06:18 . 2007-12-05 06:19 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico

2007-12-05 06:18 . 2007-12-05 06:19 1,406 --a------ C:\WINDOWS\system32\Help.ico

2007-12-03 18:12 . 2007-12-03 18:12 282,624 --a------ C:\WINDOWS\system32\adssite_sidebar.dll

2007-12-03 07:27 . 2007-12-03 07:27

2007-11-28 09:30 . 2007-11-28 09:30

2007-11-27 20:56 . 2007-11-27 20:56

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys

2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys

2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys

2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys

2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys

2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe

2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr

2007-11-30 22:54 79,868 ----a-w C:\WINDOWS\system32\adssite-remove.exe

2007-11-28 15:33 40,737 ----a-w C:\WINDOWS\system32\rightonadz-uninst.exe

2007-11-27 19:56 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll

2007-11-02 23:31 --------- d-----w C:\Program Files\Java

2007-11-02 23:25 --------- d-----w C:\Program Files\Common Files\Java

2007-10-02 15:17 33,511 ----a-w C:\WINDOWS\system32\ninjaext-uninstall.exe

2007-04-19 14:53 25,024 ----a-w C:\Documents and Settings\ja\Dane aplikacji\GDIPFONTCACHEV1.DAT

2004-10-01 14:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\sceclbm]

@={93C8EE68-E5DC-35BF-41FF-5704F5F420A2}

[HKEY_CLASSES_ROOT\CLSID{93C8EE68-E5DC-35BF-41FF-5704F5F420A2}]

2004-08-03 22:44 71168 --a------ C:\WINDOWS\system32\sceclbm.dIl

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“CTFMON.EXE”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-03 22:44]

“PowerBar”="" []

“swg”=“C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe” [2007-05-04 20:21]

“NBJ”=“C:\Program Files\Ahead\Nero BackItUp\NBJ.exe” [2005-10-11 18:25]

“Skype”=“C:\Program Files\Skype\Phone\Skype.exe” [2007-12-07 15:08]

“DAEMON Tools Lite”=“C:\Program Files\DAEMON Tools Lite\daemon.exe” [2007-12-19 21:13]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“RTHDCPL”=“RTHDCPL.EXE” [2006-05-18 07:27 C:\WINDOWS\RTHDCPL.exe]

“SkyTel”=“SkyTel.EXE” [2006-05-16 11:04 C:\WINDOWS\SkyTel.exe]

“NvCplDaemon”=“RUNDLL32.exe” [2004-08-03 22:44 C:\WINDOWS\system32\rundll32.exe]

“NvMediaCenter”=“RunDLL32.exe” [2004-08-03 22:44 C:\WINDOWS\system32\rundll32.exe]

“RemoteControl”=“C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe” [2004-11-02 20:24]

“NeroFilterCheck”=“C:\WINDOWS\system32\NeroCheck.exe” [2001-07-09 10:50]

“AVG7_CC”=“C:\PROGRA~1\Grisoft\AVG7\avgcc.exe” [2007-12-21 09:45]

“HP Software Update”=“C:\Program Files\HP\HP Software Update\HPWuSchd2.exe” [2006-02-19 02:41]

“avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [2007-12-04 14:00]

“QuickTime Task”=“C:\Program Files\QuickTime\qttask.exe” [2006-10-25 18:58]

“Adobe Photo Downloader”=“C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe” [2005-06-06 23:46]

“SunJavaUpdateSched”=“C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe” [2007-09-25 01:11]

“postSetupCheck”=“C:\WINDOWS\System32\Rundll32.exe” [2004-08-03 22:44]

“WinampAgent”=“C:\Program Files\Winamp\wianmpa.exe” []

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

“CTFMON.EXE”=“C:\WINDOWS\system32\CTFMON.EXE” [2004-08-03 22:44]

“AVG7_Run”=“C:\PROGRA~1\Grisoft\AVG7\avgw.exe” [2007-10-24 09:46]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\

Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 07:05:26]

Anti-Spyware Blocker.lnk - C:\Program Files\Anti-Spyware Blocker\Anti-Virus.exe [2005-03-28 22:59:20]

HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22]

Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 10:01:04]

Eksplorator.lnk - E:\Edbud3.12\Eksplorator.exe [2007-03-23 17:18:10]

S3 sony_ssm.sys;sony_ssm.sys;C:\DOCUME~1\ja\USTAWI~1\Temp\sony_ssm.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{adb128b8-b225-11dc-ad77-0016e633a4d2}]

\Shell\AutoRun\command - G:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{adb128b9-b225-11dc-ad77-0016e633a4d2}]

\Shell\AutoRun\command - H:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{adb128ba-b225-11dc-ad77-0016e633a4d2}]

\Shell\AutoRun\command - I:\autorun.exe

\Shell\directx\command - I:\DirectX9\dxsetup.exe

\Shell\setup\command - I:\setup.exe

*Newly Created Service* - CATCHME

*Newly Created Service* - PROCEXP90

.

Contents of the ‘Scheduled Tasks’ folder

“2007-12-22 11:41:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job”

  • C:\Program Files\Apple Software Update\SoftwareUpdate.exe

.

**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-12-26 14:37:32

Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI

scanning hidden processes …

scanning hidden autostart entries …

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

PowerBar = ???l?@?l?@?D???w???wl?@?l?@??? ???w???w???w?m?wx???m?w??? ???|x???0??? nt???w??? ???M???l?@?l?@???w???t?@???l?@?8?@?l?@?3??s???8?@?_??s8?@?8?@

scanning hidden files …

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2007-12-26 14:37:51

Well, here it is, and what next???

What do you mean nothing? Look at the VundoFix log, you can see it deleted the trojan file winexz32.dll.

Paste into Notepad:

File::

C:\WINDOWS\system32\adssite_sidebar_uninstall.exe

C:\WINDOWS\system32\adssite_sidebar.dll

C:\WINDOWS\system32\adssite-remove.exe

C:\WINDOWS\system32\rightonadz-uninst.exe

C:\WINDOWS\system32\ninjaext-uninstall.exe

C:\WINDOWS\system32\ninjaext.dll


Folder::

C:\VundoFix Backups

Save the file as CFScript.txt. Drag and drop it onto the ComboFix icon. Confirm from the keyboard by typing 1 and ENTER. The tool will start cleaning and at the end will produce a log. Post that log. Using HijackThis, remove this entry:

O4 - HKLM\..\Run: [postSetupCheck] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\gzmrt.dll" DllStart

You still have two antiviruses installed, and that may be why the quarantine can't be emptied. As you can see, neither of them protected you from the infection.

Anti-Spyware Blocker is a fake anti-spyware program. Uninstall it!
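A small triage helper, added here as an illustration and not part of HijackThis, ComboFix or anything the posters ran: it reads HijackThis 2.x log lines like the ones posted above and flags the same kinds of entries the helpers picked out (a rundll32 Run entry whose DLL is gone, an unknown Winlogon Notify package, orphaned BHOs, adware/fake-AV names, two antivirus products). The sample log, the set of files assumed present on the host, and the vendor and name lists are constructed from this thread.

```python
import os
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed excerpt modelled on the HijackThis lines posted in this thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: Search Assistant - {1648E328-3E5A-4EA5-A9C6-E5F09EE272DA} - C:\WINDOWS\system32\adssite_sidebar.dll
O2 - BHO: HttpGuard - {98B822AD-6BE7-49BC-B773-97240B774080} - C:\WINDOWS\system32\AClient.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [postSetupCheck] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\gzmrt.dll" DllStart
O4 - Global Startup: Anti-Spyware Blocker.lnk = C:\Program Files\Anti-Spyware Blocker\Anti-Virus.exe
O20 - Winlogon Notify: winexz32 - C:\WINDOWS\SYSTEM32\winexz32.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
"""

# Files assumed to exist on the host (constructed). gzmrt.dll is absent because
# Avast moved it to quarantine while the Run entry stayed behind; that is what
# produces the RUNDLL "module not found" dialog at logon.
SAMPLE_PRESENT = {
    r"C:\WINDOWS\system32\NvCpl.dll",
    r"C:\WINDOWS\system32\adssite_sidebar.dll",
    r"C:\WINDOWS\SYSTEM32\winexz32.dll",
}

# Names the helpers in this thread identified as adware or fake AV (constructed list).
SUSPECT_NAMES = ("anti-spyware blocker", "trafficninja", "ads_optimizer", "myglobalsearch", "adssite")
# Antivirus vendors seen in the O23 lines of this thread (constructed mapping).
AV_VENDORS = {"ALWIL Software": "avast!", "GRISOFT, s.r.o.": "AVG"}
# Winlogon Notify packages shipped with XP SP2 (assumption; vendor packages need adding).
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon"}

ENTRY_RE = re.compile(r"^(O\d+|R\d)\s+-\s+(.*)$")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+?\.dll)"?(?:[,\s]+(\S+))?', re.IGNORECASE)
NOTIFY_RE = re.compile(r"^Winlogon Notify:\s*(\S+)\s+-\s+(.*)$")


@dataclass
class Finding:
    severity: str   # "suspect" (remove) or "review" (needs a human look)
    section: str    # HijackThis section tag, e.g. O4
    reason: str
    line: str       # the original log line, empty for log-wide findings


def triage(log: str, exists: Callable[[str], bool] = os.path.exists) -> List[Finding]:
    """Walk a HijackThis log and return the entries worth acting on.

    `exists` is injected so the check can run against a captured log from
    another machine; by default it asks the local filesystem."""
    findings: List[Finding] = []
    av_products = set()
    for raw in log.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.groups()
        lower = body.lower()
        if any(name in lower for name in SUSPECT_NAMES):
            findings.append(Finding("suspect", section, "name matches adware/fake AV flagged in thread", line))
        if section == "O2" and "(file missing)" in lower:
            findings.append(Finding("review", section, "BHO registered but its DLL is gone (orphaned entry)", line))
        if section == "O4":
            rm = RUNDLL_RE.search(body)
            if rm:
                dll, export = rm.group(1), rm.group(2) or "(default)"
                if exists(dll):
                    findings.append(Finding("review", section, f"rundll32 loads {dll} export {export} at logon", line))
                else:
                    findings.append(Finding("suspect", section,
                                            f"Run entry points at missing {dll}; source of the RUNDLL error", line))
        if section == "O20":
            wm = NOTIFY_RE.match(body)
            if wm and wm.group(1).lower() not in KNOWN_NOTIFY:
                findings.append(Finding("suspect", section, f"unknown Winlogon Notify package {wm.group(1)}", line))
        if section == "O23":
            parts = [p.strip() for p in body.split(" - ")]
            if len(parts) >= 3 and parts[1] in AV_VENDORS:
                av_products.add(AV_VENDORS[parts[1]])
    if len(av_products) > 1:
        findings.append(Finding("review", "O23",
                                "more than one antivirus installed: " + ", ".join(sorted(av_products)), ""))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


def hijackthis_fix_lines(findings: List[Finding]) -> List[str]:
    """The exact log lines to tick in HijackThis before 'Fix checked'."""
    return [f.line for f in findings if f.severity == "suspect" and f.line]


if __name__ == "__main__":
    results = triage(SAMPLE_LOG, exists=lambda p: p in SAMPLE_PRESENT)
    for f in results:
        print(f"[{f.severity:7}] {f.section:4} {f.reason}")
    print(summarize(results))
```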

ComboFix 07-12-21.4 - ja 2007-12-27 6:25:28.2 - FAT32 x86

Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.580 [GMT 1:00]

Running from: C:\Documents and Settings\ja\Pulpit\ComboFix.exe

Command switches used :: C:\Documents and Settings\ja\Pulpit\CFScript.txt

* Created a new restore point

FILE

C:\WINDOWS\system32\adssite-remove.exe

C:\WINDOWS\system32\adssite_sidebar.dll

C:\WINDOWS\system32\adssite_sidebar_uninstall.exe

C:\WINDOWS\system32\ninjaext-uninstall.exe

C:\WINDOWS\system32\ninjaext.dll

C:\WINDOWS\system32\rightonadz-uninst.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\VundoFix Backups

C:\VundoFix Backups\winexz32.dll.bad

C:\WINDOWS\system32\adssite-remove.exe

C:\WINDOWS\system32\adssite_sidebar.dll

C:\WINDOWS\system32\adssite_sidebar_uninstall.exe

C:\WINDOWS\system32\ninjaext-uninstall.exe

C:\WINDOWS\system32\ninjaext.dll

C:\WINDOWS\system32\rightonadz-uninst.exe

.

((((((((((((((((((((((((( Files Created from 2007-11-27 to 2007-12-27 )))))))))))))))))))))))))))))))

.

2007-12-25 20:23 . 2007-12-25 20:23

2007-12-24 20:26 . 2007-12-24 20:26

2007-12-24 14:39 . 2007-12-24 14:39

2007-12-24 14:39 . 2007-12-24 14:39

2007-12-24 14:37 . 2007-12-24 14:37 715,248 --a------ C:\WINDOWS\system32\drivers\sptd.sys

2007-12-20 15:25 . 2007-12-20 15:25

2007-12-17 10:00 . 2007-12-17 10:00

2007-12-17 10:00 . 2007-12-17 10:00

2007-12-17 10:00 . 2007-12-17 10:00

2007-12-17 09:30 . 2007-12-17 09:30

2007-12-17 09:30 . 2007-12-17 09:30 32 --a------ C:\Documents and Settings\All Users\Dane aplikacji\ezsid.dat

2007-12-17 09:28 . 2007-12-17 09:28

2007-12-11 06:35 . 2007-12-11 06:35

2007-12-09 13:04 . 2007-12-09 13:04

2007-12-08 19:49 . 2007-12-08 19:49

2007-12-05 06:22 . 2007-12-05 06:22

2007-12-05 06:18 . 2007-12-05 06:18

2007-12-05 06:18 . 2007-12-05 06:19 30,590 --a------ C:\WINDOWS\system32\pavas.ico

2007-12-05 06:18 . 2007-12-05 06:19 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico

2007-12-05 06:18 . 2007-12-05 06:19 1,406 --a------ C:\WINDOWS\system32\Help.ico

2007-12-03 07:27 . 2007-12-03 07:27

2007-11-28 09:30 . 2007-11-28 09:30

2007-11-27 20:56 . 2007-11-27 20:56

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys

2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys

2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys

2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys

2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys

2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe

2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr

2007-11-27 19:56 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll

2007-11-02 23:31 --------- d-----w C:\Program Files\Java

2007-11-02 23:25 --------- d-----w C:\Program Files\Common Files\Java

2007-04-19 14:53 25,024 ----a-w C:\Documents and Settings\ja\Dane aplikacji\GDIPFONTCACHEV1.DAT

2004-10-01 14:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe

.

((((((((((((((((((((((((((((( snapshot@2007-12-26_14.37.34,48 )))))))))))))))))))))))))))))))))))))))))

.

  • 2007-03-13 09:57:12 163,328 ----a-w C:\WINDOWS\erdnt\subs\F3M\ERDNT.EXE

  • 2007-12-27 05:21:48 8,036 ----a-w C:\WINDOWS\system32\crypgext.dat

  • 2007-12-26 13:35:30 2,263,450 ----a-w C:\WINDOWS\system32\psbace.dat
  • 2007-12-27 05:21:42 2,268,428 ----a-w C:\WINDOWS\system32\psbace.dat
  • 2007-12-26 13:37:20 287,480 ----a-w C:\WINDOWS\system32\rdpwssuy.dat
  • 2007-12-27 05:21:48 288,605 ----a-w C:\WINDOWS\system32\rdpwssuy.dat

  • 2007-12-27 05:15:12 16,384 ----a-w C:\WINDOWS\Temp\Perflib_Perfdata_570.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\sceclbm]

@={93C8EE68-E5DC-35BF-41FF-5704F5F420A2}

[HKEY_CLASSES_ROOT\CLSID\{93C8EE68-E5DC-35BF-41FF-5704F5F420A2}]

2004-08-03 22:44 71168 --a------ C:\WINDOWS\system32\sceclbm.dIl

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 22:44]

"PowerBar"="" []

"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-04 20:21]

"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-10-11 18:25]

"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-12-07 15:08]

"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2007-12-19 21:13]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RTHDCPL"="RTHDCPL.EXE" [2006-05-18 07:27 C:\WINDOWS\RTHDCPL.exe]

"SkyTel"="SkyTel.EXE" [2006-05-16 11:04 C:\WINDOWS\SkyTel.exe]

"NvCplDaemon"="RUNDLL32.exe" [2004-08-03 22:44 C:\WINDOWS\system32\rundll32.exe]

"NvMediaCenter"="RunDLL32.exe" [2004-08-03 22:44 C:\WINDOWS\system32\rundll32.exe]

"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-02 20:24]

"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]

"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 09:45]

"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41]

"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58]

"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

"postSetupCheck"="C:\WINDOWS\System32\Rundll32.exe" [2004-08-03 22:44]

"WinampAgent"="C:\Program Files\Winamp\wianmpa.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 22:44]

"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-24 09:46]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\

Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 07:05:26]

Anti-Spyware Blocker.lnk - C:\Program Files\Anti-Spyware Blocker\Anti-Virus.exe [2005-03-28 22:59:20]

HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22]

Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 10:01:04]

Eksplorator.lnk - E:\Edbud3.12\Eksplorator.exe [2007-03-23 17:18:10]

S3 sony_ssm.sys;sony_ssm.sys;C:\DOCUME~1\ja\USTAWI~1\Temp\sony_ssm.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{adb128b8-b225-11dc-ad77-0016e633a4d2}]

\Shell\AutoRun\command - G:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{adb128b9-b225-11dc-ad77-0016e633a4d2}]

\Shell\AutoRun\command - H:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{adb128ba-b225-11dc-ad77-0016e633a4d2}]

\Shell\AutoRun\command - I:\autorun.exe

\Shell\directx\command - I:\DirectX9\dxsetup.exe

\Shell\setup\command - I:\setup.exe

.

Contents of the 'Scheduled Tasks' folder

"2007-12-22 11:41:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"

  • C:\Program Files\Apple Software Update\SoftwareUpdate.exe

.

**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-12-27 06:26:29

Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI

scanning hidden processes …

scanning hidden autostart entries …

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

PowerBar = ???l?@?l?@?D???w???wl?@?l?@??? ???w???w???w?m?wx???m?w??? ???|x???0??? nt???w??? ???M???l?@?l?@???w???t?@???l?@?8?@?l?@?3??s???8?@?_??s8?@?8?@

scanning hidden files …

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2007-12-27 6:26:48

C:\ComboFix2.txt … 2007-12-26 14:37

_________________________________________________________________________________________

Done… I removed Avast and the Anti… and then ran an AVG scan. AVG went through without any trouble. I deleted the entry in HijackThis. I rebooted and… the problem is GONE :smiley: :smiley: :smiley: :smiley:

And now some questions:

  1. What happened to the "sick" files from the Avast quarantine?

  2. These are the files from the AVG quarantine:

C:\WINDOWS\system32\ipv6monr.dll

C:\System Volume Information\_restore{1D46A4W2-7188-4872-A8E0-F3F3FF39FE4E}\RP150\A0130295.dll

C:\WINDOWS\Installer.exe

C:\System Volume Information\_restore{1D46A4W2-7188-4872-A8E0-F3F3FF39FE4E}\RP151\A0131418.dll

C:\System Volume Information\_restore{1D46A4W2-7188-4872-A8E0-F3F3FF39FE4E}\RP151\A0131431.exe

C:\System Volume Information\_restore{1D46A4W2-7188-4872-A8E0-F3F3FF39FE4E}\RP152\A0131486.dll

C:\WINDOWS\System32\AClient.dll

C:\System Volume Information\_restore{1D46A4W2-7188-4872-A8E0-F3F3FF39FE4E}\RP152\A0133778.dll

!C:\WINDOWS\System32\gzmrt.dll

C:\System Volume Information\_restore{1D46A4W2-7188-4872-A8E0-F3F3FF39FE4E}\RP267\A0200677.DLL

!C:\WINDOWS\System32\advvpi32.dll

! - In "object type" these are marked with a red exclamation mark, which means "Moved object"

What about them???

In Avast there were about 15 of those System Volume… ones :frowning: - What are these files and how should I deal with them?

And by the way, thank you for your help - for me this is black magic, and for you it meant giving up your time to help selflessly - Thanks. :smiley: :slight_smile: :smiley: :slight_smile: :smiley:

I have the same problem and I'm asking for help. I don't know much about computers, so this is my only option. Here is my log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 16:02:00, on 2007-12-27

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\a-squared Free\a2service.exe

C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\Mixer.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Winamp\winampa.exe

C:\PROGRA~1\NORTON~1\navapw32.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

C:\Program Files\Gamevance\gamevance32.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe

C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

C:\Program Files\InterVideo\WinDVR\WinScheduler.exe

C:\WINDOWS\system32\WgaTray.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\NAPI-PROJEKT\napisy.exe

C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://1-digital-media.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: rightonads optimizer - {10F3E8BD-257A-4702-A2F5-DC02055B068C} - C:\WINDOWS\system32\gzmrt.dll (file missing)

O2 - BHO: Search Assistant - {1648E328-3E5A-4EA5-A9C6-E5F09EE272DA} - C:\WINDOWS\system32\adssite_sidebar.dll

O2 - BHO: Gamevance Text - {7370F91F-6994-4595-9949-601FA2261C8D} - C:\Program Files\Gamevance\gvtl.dll

O2 - BHO: ads_optimizer - {9C8A568E-4201-478a-8536-526CF371D2E2} - C:\WINDOWS\system32\nse42.dll

O2 - BHO: Little Fighter 2 Toolbar Helper - {AB41010D-4804-4793-A6A2-3B5EBE2348DD} - C:\Program Files\Little Fighter 2 Toolbar\v2.0.0.1\Little_Fighter_2_Toolbar.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Little Fighter 2 Toolbar - {C11483F7-D7D8-4804-98D8-6055470BB989} - C:\Program Files\Little Fighter 2 Toolbar\v2.0.0.1\Little_Fighter_2_Toolbar.dll

O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [sys02853659373] C:\WINDOWS\sys02853659373.exe

O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe

O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe

O4 - HKLM\..\Run: [List Multi Knob Inside] C:\Documents and Settings\All Users\Dane aplikacji\64 01 list multi\dash grid.exe

O4 - HKLM\..\Run: [LanzarL2007] "C:\DOCUME~1\UZYTKO~1\USTAWI~1\Temp\{2F181519-8B04-4A74-B430-507A04F1BCF9}\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe" /SETUP:"/l0x0015"

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

O4 - HKLM\..\Run: [postSetupCheck] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\gzmrt.dll" DllStart

O4 - HKLM\..\Run: [Gamevance] C:\Program Files\Gamevance\gamevance32.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe

O4 - HKCU\..\Run: [win default] C:\DOCUME~1\UZYTKO~1\DANEAP~1\SLOWPE~1\Boob show.exe

O4 - HKCU\..\Run: [Videos] "C:\Program Files\laughnetwork\update.exe" /background

O4 - HKCU\..\Policies\Explorer\Run: [{2C052C91-068B-1045-0820-020911020030}] "C:\Program Files\Common Files\{2C052C91-068B-1045-0820-020911020030}\Update.exe" mc-110-12-0000140

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [{2C052C91-068B-1045-0820-020911020030}] "C:\Program Files\Common Files\{2C052C91-068B-1045-0820-020911020030}\Update.exe" mc-110-12-0000140 (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [{2C052C91-068B-1045-0820-020911020030}] "C:\Program Files\Common Files\{2C052C91-068B-1045-0820-020911020030}\Update.exe" mc-110-12-0000140 (User 'Default user')

O4 - Global Startup: BlueSoleil.lnk = ?

O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

O4 - Global Startup: InterVideo WinScheduler.lnk = C:\Program Files\InterVideo\WinDVR\WinScheduler.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab

O16 - DPF: {92ECE6FA-AC2E-4042-BFAE-0C8608E52A43} (SignActivX Control) - https://www.bph.pl/sezam/components/SignActivX.cab

O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

O23 - Service: BlackMoon FTP Service (BMFTP-RELEASE) - Unknown owner - C:\Program Files\Selom Ofori\BlackMoon FTP Server\FTPService.exe (file missing)

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe


--

End of file - 8429 bytes

I see there is no one willing to help :frowning:, which is a pity, because this is very important to me. I'll keep waiting…