The thing is, when I open My Computer I can't browse the hard drives by double-clicking them.
If I right-click and choose Open, everything works. It seems to me this may be some virus that was on a USB stick.
Do you know how to fix this?
Triniti888
(Pawel Pieczyrak)
15 October 2007 15:32
#2
Is any message displayed?
Scan the computer with an antivirus program or post your logs in the appropriate section.
Nothing is displayed; wscript.exe appears in the process list.
Here is the log:
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
e:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
e:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\NEOSTR~1\CnxMon.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe
E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\cFosSpeed\cFosSpeed.exe
C:\WINDOWS\system32\ctfmon.exe
E:\Program Files\RocketDock\RocketDock.exe
E:\PROGRA~1\WapSter\AQQ\AQQ.exe
C:\Program Files\Sound Station\SNXUACP.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\cFosSpeed\spd.exe
C:\WINDOWS\runservice.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
e:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
e:\Program Files\Alwil Software\Avast4\ashWebSv.exe
E:\Program Files\foobar2000\foobar2000.exe
C:\WINDOWS\system32\wscript.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
e:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.bearshare.com/sidebar.html?src=ssb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.epuls.pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
R3 - URLSearchHook: (no name) - {1BB22D38-A411-4B13-A746-C2A4F4EC7344} - (no file)
R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {27E6FB3A-FD78-483E-852A-E487917D5E6C} - (no file)
O2 - BHO: My Global Search Bar BHO - {37B85A21-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - (no file)
O2 - BHO: (no name) - {90F75E47-94D2-48AC-8D32-863356FA6578} - (no file)
O2 - BHO: Ask Search Assistant BHO - {9CB65201-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL
O2 - BHO: XBTP01621 - {F6104497-54FD-4688-9162-5115CC8AB0FB} - (no file)
O2 - BHO: Ask Toolbar BHO - {FE063DB1-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL
O3 - Toolbar: My Global Search Bar - {37B85A29-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - (no file)
O3 - Toolbar: BearShare MediaBar - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - (no file)
O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL
O3 - Toolbar: &Tłumaczenie - {0D704FAD-66E9-4F0A-BFED-4F665770DDB3} - C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll (file missing)
O4 - HKLM…\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe
O4 - HKLM…\Run: [speedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM…\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe
O4 - HKLM…\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe
O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM…\Run: [nwiz] nwiz.exe /install
O4 - HKLM…\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM…\Run: [avast!] e:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM…\Run: [cFosSpeed] C:\Program Files\cFosSpeed\cFosSpeed.exe
O4 - HKLM…\Run: [MSRegInfo] C:\WINDOWS\pagefile.sys.vbs
O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU…\Run: [AutoConnect] E:\Program Files\AutoConnect\AutoConnect.exe
O4 - HKCU…\Run: [Odkurzacz-MCD] e:\Program Files\Odkurzacz\odk_mcd.exe
O4 - HKCU…\Run: [RocketDock] "E:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU…\Run: [AQQ] E:\PROGRA~1\WapSter\AQQ\AQQ.exe
O4 - HKUS\S-1-5-19…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS.DEFAULT…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Sound Station.lnk = C:\Program Files\Sound Station\SNXUACP.exe
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Pobierz używając Download &Express'a - E:\Program Files\Download Express\Add_Url.htm
O8 - Extra context menu item: Pobierz z &BitSpirit - E:\Program Files\BitSpirit\bsurl.htm
O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B46B0919-62BA-4D99-A5C4-916B57A6805C} - C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll (file missing)
O9 - Extra 'Tools' menuitem: @C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll,-103 - {B46B0919-62BA-4D99-A5C4-916B57A6805C} - C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll (file missing)
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O17 - HKLM\System\CCS\Services\Tcpip…{08240474-449B-41BE-A993-99D5AAC2E022}: NameServer = 85.255.114.76,85.255.112.81
O17 - HKLM\System\CCS\Services\Tcpip…{2F08FF38-2035-44E6-B172-118B7AAA34D8}: NameServer = 85.255.114.76,85.255.112.81
O17 - HKLM\System\CCS\Services\Tcpip…{E4ACCD77-04E9-4723-974E-0067CBDC692E}: NameServer = 85.255.114.76 85.255.112.81
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.76 85.255.112.81
O17 - HKLM\System\CS1\Services\Tcpip…{08240474-449B-41BE-A993-99D5AAC2E022}: NameServer = 85.255.114.76,85.255.112.81
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.76 85.255.112.81
O17 - HKLM\System\CS2\Services\Tcpip…{08240474-449B-41BE-A993-99D5AAC2E022}: NameServer = 85.255.114.76,85.255.112.81
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.114.76 85.255.112.81
O17 - HKLM\System\CS3\Services\Tcpip…{08240474-449B-41BE-A993-99D5AAC2E022}: NameServer = 85.255.114.76,85.255.112.81
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.76 85.255.112.81
O20 - Winlogon Notify: ddcyywt - C:\WINDOWS\
O20 - Winlogon Notify: pmnnn - C:\WINDOWS\system32\pmnnn.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - e:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - e:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - e:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - e:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Critical System Service BootDrv (BootDrv) - Unknown owner - C:\WINDOWS\system32\BootDSvc.exe (file missing)
O23 - Service: cFosSpeed System Service (cFosSpeedS) - cFos Software GmbH - C:\Program Files\cFosSpeed\spd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ipfw_helper (ipfw) - Unknown owner - E:\Program Files\MCS Studios\MCS Firewall 6\system\ipfw.exe (file missing)
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Win2k3NodeDisabler - Unknown owner - C:\Documents and Settings\bili\Pulpit\omijanie_zabezpieczen\omijanie_zabezpieczen-by_Axel\do zabezpieczeniaStarforce\Win2k3NodeDisabler\Win2k3NodeDisabler.exe (file missing)
O24 - Desktop Component 0: (no name) - http://myweb.tiscali.co.uk/perlus/czerw … 800s/1.jpg
MarS
(MarS)
15 October 2007 15:37
#4
Folder Options / File Types / drive icon / edit the default action
Haz3L
(Haz3L)
15 October 2007 15:53
#6
Fix.
Uninstall MyGlobalSearch via Add/Remove Programs.
I recommend uninstalling BearShare.
What will that do?? I've probably always had it and everything was fine…
Leon1
(Leon$)
15 October 2007 16:00
#8
Download ComboFix and scan the system with it: http://www.searchengines.pl/index.php?showtopic=86306&st=0&p=395642entry395642
Then post the ComboFix log and a new HijackThis log.
Leon1
(Leon$)
15 October 2007 17:28
#10
Remove these entries with HijackThis >> Do a system scan >> check the entries and press Fix Checked
R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL
O2 - BHO: (no name) - {27E6FB3A-FD78-483E-852A-E487917D5E6C} - (no file)
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - (no file)
O2 - BHO: XBTP01621 - {F6104497-54FD-4688-9162-5115CC8AB0FB} - (no file)
O3 - Toolbar: My Global Search Bar - {37B85A29-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL (file missing)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - (no file)
O3 - Toolbar: BearShare MediaBar - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - (no file)
O3 - Toolbar: (no name) - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - (no file)
O3 - Toolbar: &Tłumaczenie - {0D704FAD-66E9-4F0A-BFED-4F665770DDB3} - C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll (file missing)
O4 - HKLM…\Run: [MSRegInfo] C:\WINDOWS\pagefile.sys.vbs
O9 - Extra button: (no name) - {B46B0919-62BA-4D99-A5C4-916B57A6805C} - C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll (file missing)
O9 - Extra 'Tools' menuitem: @C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll,-103 - {B46B0919-62BA-4D99-A5C4-916B57A6805C} - C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll (file missing)
O20 - Winlogon Notify: ddcyywt - C:\WINDOWS\
O20 - Winlogon Notify: pmnnn - C:\WINDOWS\system32\pmnnn.dll (file missing)
O23 - Service: Critical System Service BootDrv (BootDrv) - Unknown owner - C:\WINDOWS\system32\BootDSvc.exe (file missing)
O23 - Service: Win2k3NodeDisabler - Unknown owner - C:\Documents and Settings\bili\Pulpit\omijanie_zabezpieczen\omijanie_zabezpieczen-by_Axel\do zabezpieczeniaStarforce\Win2k3NodeDisabler\Win2k3NodeDisabler.exe (file missing)
Delete the ones in bold.
Open Notepad and paste:
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{31586162-e761-11db-b0fe-000e50d69443}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ad585c18-3a58-11db-afb9-000e50d69443}]
Save as plik.reg (file type: all files) >> merge into the registry.
Download Pocket Killbox from http://www.bleepingcomputer.com/files/killbox.php >> check the Delete on Reboot option and in the "full path of file to delete" field paste
Click the X, reboot the PC.
I don't like these entries either, but you have to judge that yourself:
Download GMER from here: GMER (it's the same address: http://www.searchengines.pl/phpbb203/pl … s/gmer.zip )
Run GMER: click gmer.exe
Find the >>> tab, then CMD
Paste this there:
Click Run on the right-hand side.
Then post new logs again.
goodprogram
(Goodprogram)
15 October 2007 17:54
#11
Here's the log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:53:12, on 2007-10-15
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
e:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
e:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\NEOSTR~1\CnxMon.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe
E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\cFosSpeed\cFosSpeed.exe
C:\WINDOWS\system32\ctfmon.exe
E:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\Sound Station\SNXUACP.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\cFosSpeed\spd.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
e:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
e:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.epuls.pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
R3 - URLSearchHook: (no name) - {1BB22D38-A411-4B13-A746-C2A4F4EC7344} - (no file)
R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Ask Search Assistant BHO - {9CB65201-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL
O3 - Toolbar: (no name) - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - (no file)
O4 - HKLM…\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe
O4 - HKLM…\Run: [speedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM…\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe
O4 - HKLM…\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe
O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM…\Run: [nwiz] nwiz.exe /install
O4 - HKLM…\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM…\Run: [avast!] e:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM…\Run: [cFosSpeed] C:\Program Files\cFosSpeed\cFosSpeed.exe
O4 - HKLM…\Run: [MSRegInfo] C:\WINDOWS\pagefile.sys.vbs
O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU…\Run: [AutoConnect] E:\Program Files\AutoConnect\AutoConnect.exe
O4 - HKCU…\Run: [Odkurzacz-MCD] e:\Program Files\Odkurzacz\odk_mcd.exe
O4 - HKCU…\Run: [RocketDock] "E:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU…\Run: [AQQ] E:\PROGRA~1\WapSter\AQQ\AQQ.exe
O4 - HKUS\S-1-5-19…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS.DEFAULT…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Sound Station.lnk = C:\Program Files\Sound Station\SNXUACP.exe
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Pobierz używając Download &Express'a - E:\Program Files\Download Express\Add_Url.htm
O8 - Extra context menu item: Pobierz z &BitSpirit - E:\Program Files\BitSpirit\bsurl.htm
O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O17 - HKLM\System\CCS\Services\Tcpip…{08240474-449B-41BE-A993-99D5AAC2E022}: NameServer = 85.255.114.76,85.255.112.81
O17 - HKLM\System\CCS\Services\Tcpip…{2F08FF38-2035-44E6-B172-118B7AAA34D8}: NameServer = 85.255.114.76,85.255.112.81
O17 - HKLM\System\CCS\Services\Tcpip…{E4ACCD77-04E9-4723-974E-0067CBDC692E}: NameServer = 85.255.114.76 85.255.112.81
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.76 85.255.112.81
O17 - HKLM\System\CS1\Services\Tcpip…{08240474-449B-41BE-A993-99D5AAC2E022}: NameServer = 85.255.114.76,85.255.112.81
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.76 85.255.112.81
O17 - HKLM\System\CS2\Services\Tcpip…{08240474-449B-41BE-A993-99D5AAC2E022}: NameServer = 85.255.114.76,85.255.112.81
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.114.76 85.255.112.81
O17 - HKLM\System\CS3\Services\Tcpip…{08240474-449B-41BE-A993-99D5AAC2E022}: NameServer = 85.255.114.76,85.255.112.81
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.76 85.255.112.81
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - e:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - e:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - e:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - e:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Critical System Service BootDrv (BootDrv) - Unknown owner - C:\WINDOWS\system32\BootDSvc.exe (file missing)
O23 - Service: cFosSpeed System Service (cFosSpeedS) - cFos Software GmbH - C:\Program Files\cFosSpeed\spd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ipfw_helper (ipfw) - Unknown owner - E:\Program Files\MCS Studios\MCS Firewall 6\system\ipfw.exe (file missing)
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O24 - Desktop Component 0: (no name) - http://myweb.tiscali.co.uk/perlus/czerw … 800s/1.jpg

--
End of file - 7982 bytes
That couldn't be done.
And when I did it, everything disappeared; only the desktop was left and nothing could be done.
EDIT:
It partly worked: when I double-click a drive, the drive opens, but together with "Search".
Leon1
(Leon$)
15 October 2007 18:17
#12
Instead of Open you get Search:
Start >> Run >> regsvr32 /i shell32
You wrote "that couldn't be done"; my oversight, the header was missing.
Open Notepad and paste:
Windows Registry Editor Version 5.00
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{31586162-e761-11db-b0fe-000e50d69443}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ad585c18-3a58-11db-afb9-000e50d69443}]
Save as plik.reg >> all files >> merge into the registry.
Remove the entries with HijackThis; the ones in bold remove manually in safe mode.
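The .reg fix from #10 and #12, as an added example that is not part of the thread and not anyone's tool: a small Python script that writes the MountPoints2 delete file with the header Leon1 says was missing in #10, and checks a .reg file for the mistakes that make regedit refuse it. The MountPoints2 path and the two volume GUIDs are the ones quoted in the posts above and are used only as sample input; the check rules are this script's own assumptions, not regedit's full grammar.

```python
"""Generate and sanity-check the MountPoints2 clean-up .reg file from posts #10
and #12. Added example: not Leon1's file and not regedit's or any tool's code."""

REG_HEADER = "Windows Registry Editor Version 5.00"
MOUNTPOINTS2 = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows"
                r"\CurrentVersion\Explorer\MountPoints2")
ROOT_KEYS = ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT",
             "HKEY_USERS", "HKEY_CURRENT_CONFIG")

# Sample input: the two volume GUIDs quoted in the thread (constructed list).
THREAD_GUIDS = [
    "{31586162-e761-11db-b0fe-000e50d69443}",
    "{ad585c18-3a58-11db-afb9-000e50d69443}",
]


def build_delete_reg(guids):
    """Return .reg text that deletes each MountPoints2\\{guid} subkey.
    A leading '-' inside the brackets is regedit's delete-key syntax. Explorer
    caches a volume's autorun verb under this key, which is why a hijacked
    double-click action survives after the USB stick is unplugged."""
    lines = [REG_HEADER, ""]
    for guid in guids:
        lines.append("[-%s\\%s]" % (MOUNTPOINTS2, guid))
        lines.append("")
    return "\r\n".join(lines)


def check_reg(text):
    """Return the problems regedit would reject; an empty list means mergeable.
    The first check is the one that bit #10: without the header line regedit
    refuses the whole file."""
    problems = []
    lines = text.splitlines()
    if not lines or lines[0].strip() != REG_HEADER:
        problems.append("missing header line: " + REG_HEADER)
    for number, raw in enumerate(lines[1:], start=2):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank or comment line
        if line.startswith("["):
            if not line.endswith("]"):
                problems.append("line %d: key not closed with ']'" % number)
                continue
            key = line[1:-1].lstrip("-")  # drop the delete marker, keep the path
            if not key.startswith(ROOT_KEYS):
                problems.append("line %d: key does not start with a hive name" % number)
        elif "=" not in line:
            problems.append("line %d: not a key, value or comment" % number)
    return problems


def headerless(text):
    """Reproduce the #10 mistake: the same file with the header dropped."""
    return "\r\n".join(text.splitlines()[1:])


if __name__ == "__main__":
    reg = build_delete_reg(THREAD_GUIDS)
    print(reg)
    print("with header:", check_reg(reg) or "OK")
    print("no header:  ", check_reg(headerless(reg)))
```

Save the generated text with a .reg extension (Notepad's "all files" type, as the post says) and merge it; the checker is there so you can see why the header-less version from #10 was rejected before retrying.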
goodprogram
(Goodprogram)
15 October 2007 18:27
#13
http://img39.picoodle.com/img/img39/6/10/15/f_aam_5a15558.jpg
And can't I do this in "normal" mode?? I know, stupid question, but how do I start safe mode?
Leon1
(Leon$)
15 October 2007 18:35
#14
goodprogram
(Goodprogram)
15 October 2007 18:47
#15
I did exactly as you wrote, but it's still there.
Merged post: 15.10.2007 (Mon) 20:48
Do you have any other ideas?
Leon1
(Leon$)
15 October 2007 18:50
#16
Type the command:
Start >> Uruchom >> regsvr32 /i shell32
goodprogram
(Goodprogram)
15 October 2007 18:51
#17
Maybe I explained the Search thing badly…
Just in case, I'll put it this way:
it's as if "Search" and "Open" swapped places when I right-click.
Merged post: 15.10.2007 (Mon) 20:52
And now restart??
Merged post: 15.10.2007 (Mon) 20:56
I restarted and it didn't help.
arekmalek
(arekmalek)
16 October 2007 14:45
#18
First remove the rootkit:
Use FixWareOut.
Then fix these entries:
O17 - HKLM\System\CCS\Services\Tcpip…{08240474-449B-41BE-A993-99D5AAC2E022}: NameServer = 85.255.114.76,85.255.112.81
O17 - HKLM\System\CCS\Services\Tcpip…{2F08FF38-2035-44E6-B172-118B7AAA34D8}: NameServer = 85.255.114.76,85.255.112.81
O17 - HKLM\System\CCS\Services\Tcpip…{E4ACCD77-04E9-4723-974E-0067CBDC692E}: NameServer = 85.255.114.76 85.255.112.81
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.76 85.255.112.81
O17 - HKLM\System\CS1\Services\Tcpip…{08240474-449B-41BE-A993-99D5AAC2E022}: NameServer = 85.255.114.76,85.255.112.81
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.76 85.255.112.81
O17 - HKLM\System\CS2\Services\Tcpip…{08240474-449B-41BE-A993-99D5AAC2E022}: NameServer = 85.255.114.76,85.255.112.81
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.114.76 85.255.112.81
O17 - HKLM\System\CS3\Services\Tcpip…{08240474-449B-41BE-A993-99D5AAC2E022}: NameServer = 85.255.114.76,85.255.112.81
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.76 85.255.112.81
O4 - HKLM…\Run: [MSRegInfo] C:\WINDOWS\pagefile.sys.vbs
O3 - Toolbar: (no name) - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - (no file)
O2 - BHO: Ask Search Assistant BHO - {9CB65201-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL
R3 - URLSearchHook: (no name) - {1BB22D38-A411-4B13-A746-C2A4F4EC7344} - (no file)
R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL
Delete the folder marked in red in safe mode. Turn off System Restore. Post logs from ComboFix and SDFix (safe mode), plus a new HijackThis log.
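A triage script for HijackThis logs like the ones in this thread, added here as an example (it is not the thread's, HijackThis's or any helper's own code). It flags the entry classes the helpers in #10 and #18 single out: O4 autostarts that launch a script file such as pagefile.sys.vbs, O17 NameServer values that are neither private nor on an operator-supplied allowlist (the 85.255.x.x resolvers above), O20 Winlogon Notify hooks whose "DLL" is a bare directory or missing, and O23 unknown-owner services whose binary is gone. The sample lines are adapted from the logs posted above and written in HijackThis's own `\..\` form; the rules and the lookalike-name list are this script's assumptions, not a vendor signature set.

```python
"""Triage HijackThis log lines for the entry classes the helpers in #10 and #18
single out. Added example; not the thread's or HijackThis's code."""
import ipaddress
import re

# Constructed sample: lines adapted from the logs posted above, in HijackThis's
# native "\..\" form, plus three benign lines (avast!, router DNS, NVIDIA).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] e:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MSRegInfo] C:\WINDOWS\pagefile.sys.vbs
O17 - HKLM\System\CCS\Services\Tcpip\..\{08240474-449B-41BE-A993-99D5AAC2E022}: NameServer = 85.255.114.76,85.255.112.81
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.168.1.1
O20 - Winlogon Notify: ddcyywt - C:\WINDOWS\
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Critical System Service BootDrv (BootDrv) - Unknown owner - C:\WINDOWS\system32\BootDSvc.exe (file missing)
"""

# Names a script loader may mimic (assumed list); pagefile.sys.vbs is the case here.
SYSTEM_LOOKALIKES = ("pagefile.sys", "svchost", "winlogon", "lsass", "ntoskrnl")

RUN_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
DNS_RE = re.compile(r"^O17 - (?P<key>.*?): NameServer = (?P<servers>.*)$")
WINLOGON_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
SERVICE_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
# Base name of a script file launched by a Run command (handled by wscript,
# cscript, mshta or cmd rather than run as a native executable).
SCRIPT_RE = re.compile(r'([^\\"\s]+\.(?:vbs|vbe|js|jse|wsf|wsh|hta|bat|cmd))(?="|\s|$)',
                       re.IGNORECASE)


def is_trusted_dns(server, allowlist):
    """Private/link-local resolvers (the home router) and operator-listed
    addresses are trusted; any other resolver on a TCP/IP interface is not."""
    try:
        ip = ipaddress.ip_address(server)
    except ValueError:
        return False
    return str(ip) in allowlist or ip.is_private or ip.is_link_local


def script_target(command):
    """Lower-cased base name of the script a Run command launches, or None."""
    m = SCRIPT_RE.search(command)
    return m.group(1).lower() if m else None


def triage(log_text, dns_allowlist=()):
    """Return (section, reason, line) tuples for the lines worth a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            script = script_target(m.group("cmd"))
            if script:
                reason = "autostart launches a script file instead of an executable"
                stem = script.rsplit(".", 1)[0]  # name without the script extension
                if any(s in stem for s in SYSTEM_LOOKALIKES):
                    reason += " and masquerades as " + stem
                findings.append(("O4", reason, line))
            continue
        m = DNS_RE.match(line)
        if m:
            servers = [s for s in re.split(r"[,\s]+", m.group("servers")) if s]
            bad = [s for s in servers if not is_trusted_dns(s, dns_allowlist)]
            if bad:
                findings.append(("O17", "untrusted DNS server(s) " + ", ".join(bad), line))
            continue
        m = WINLOGON_RE.match(line)
        if m:
            path = m.group("path").strip()
            if path.endswith("\\") or "(file missing)" in path:
                findings.append(("O20", "Winlogon Notify hook without a real DLL", line))
            continue
        m = SERVICE_RE.match(line)
        if m and m.group("owner") == "Unknown owner" and "(file missing)" in m.group("path"):
            findings.append(("O23", "unknown-owner service whose binary is gone", line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print("%s  %s\n    %s" % (section, reason, line))
```

Pass the ISP's or router's resolver addresses in `dns_allowlist` so legitimate public resolvers are not reported; everything the script prints still has to be judged by a person, as the helpers above do line by line.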
goodprogram
(Goodprogram)
16 October 2007 15:23
#19
arekmalek
I did everything exactly as you wrote and …
SDFix log:
SDFix: Version 1.109
Run by bili on 2007-10-16 at 17:13
Microsoft Windows XP [Wersja 5.1.2600]
Running From: C:\SDFix

Safe Mode:
Checking Services:

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting…

Normal Mode:
Checking Files:

No Trojan Files Found

Removing Temp Files…

ADS Check:

C:\WINDOWS
No streams found.
C:\WINDOWS\system32
No streams found.
C:\WINDOWS\system32\svchost.exe
No streams found.
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.

Final Check:

Remaining Services:
------------------

Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"E:\Program Files\WapSter\AQQ\AQQ.exe"="E:\Program Files\WapSter\AQQ\AQQ.exe:*:Disabled:AQQ"
"E:\Program Files\uTorrent\utorrent.exe"="E:\Program Files\uTorrent\utorrent.exe:*:Enabled:uTorrent"
"E:\Program Files\Sports Interactive\Football Manager 2007\fm.exe"="E:\Program Files\Sports Interactive\Football Manager 2007\fm.exe:*:Disabled:Football Manager 2007"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------

Files with Hidden Attributes:
Fri 31 Aug 2007 593 A.SH. --- "C:\WINDOWS\system32\mmf(2).sys"
Tue 16 Oct 2007 593 A.SH. --- "C:\WINDOWS\system32\mmf.sys"
Thu 5 Jul 2007 928,395 …SH. --- "C:\WINDOWS\system32\nnnmp.bak1"
Wed 11 Jul 2007 932,555 …SH. --- "C:\WINDOWS\system32\nnnmp.bak2"
Thu 24 Feb 2005 16,096 A…H. --- "C:\WINDOWS\$hf_mig$\KB890859\spmsg.dll"
Thu 24 Feb 2005 212,704 A…H. --- "C:\WINDOWS\$hf_mig$\KB890859\spuninst.exe"
Thu 24 Feb 2005 16,096 A…H. --- "C:\WINDOWS\$hf_mig$\KB896423\spmsg.dll"
Thu 24 Feb 2005 212,704 A…H. --- "C:\WINDOWS\$hf_mig$\KB896423\spuninst.exe"
Fri 25 Feb 2005 16,096 A…H. --- "C:\WINDOWS\$hf_mig$\KB898461\spmsg.dll"
Fri 25 Feb 2005 212,704 A…H. --- "C:\WINDOWS\$hf_mig$\KB898461\spuninst.exe"
Fri 25 Feb 2005 22,752 A…H. --- "C:\WINDOWS\$hf_mig$\KB898461\spupdsvc.exe"
Thu 13 Oct 2005 16,096 A…H. --- "C:\WINDOWS\$hf_mig$\KB921883\spmsg.dll"
Thu 13 Oct 2005 216,288 A…H. --- "C:\WINDOWS\$hf_mig$\KB921883\spuninst.exe"
Thu 13 Oct 2005 16,096 A…H. --- "C:\WINDOWS\$hf_mig$\KB922582\spmsg.dll"
Thu 13 Oct 2005 216,288 A…H. --- "C:\WINDOWS\$hf_mig$\KB922582\spuninst.exe"
Fri 31 Aug 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Wed 2 Mar 2005 62,464 A…H. --- "C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\authz.dll"
Wed 2 Mar 2005 2,137,088 A…H. --- "C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntkrnlmp.exe"
Wed 2 Mar 2005 2,058,240 A…H. --- "C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe"
Wed 2 Mar 2005 2,016,768 A…H. --- "C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntkrpamp.exe"
Wed 2 Mar 2005 2,180,864 A…H. --- "C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe"
Wed 2 Mar 2005 578,560 A…H. --- "C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll"
Wed 2 Mar 2005 1,836,544 A…H. --- "C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\win32k.sys"
Wed 2 Mar 2005 291,840 A…H. --- "C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\winsrv.dll"
Thu 24 Feb 2005 22,240 A…H. --- "C:\WINDOWS\$hf_mig$\KB890859\update\spcustom.dll"
Thu 24 Feb 2005 725,728 A…H. --- "C:\WINDOWS\$hf_mig$\KB890859\update\update.exe"
Thu 24 Feb 2005 387,296 A…H. --- "C:\WINDOWS\$hf_mig$\KB890859\update\updspapi.dll"
Sat 11 Jun 2005 57,856 A…H. --- "C:\WINDOWS\$hf_mig$\KB896423\SP2QFE\spoolsv.exe"
Wed 29 Jun 2005 30,720 A…H. --- "C:\WINDOWS\$hf_mig$\KB896423\update\arpidfix.exe"
Thu 24 Feb 2005 22,240 A…H. --- "C:\WINDOWS\$hf_mig$\KB896423\update\spcustom.dll"
Thu 24 Feb 2005 725,728 A…H. --- "C:\WINDOWS\$hf_mig$\KB896423\update\update.exe"
Thu 24 Feb 2005 387,296 A…H. --- "C:\WINDOWS\$hf_mig$\KB896423\update\updspapi.dll"
Fri 25 Feb 2005 22,240 A…H. --- "C:\WINDOWS\$hf_mig$\KB898461\update\spcustom.dll"
Fri 25 Feb 2005 725,728 A…H. --- "C:\WINDOWS\$hf_mig$\KB898461\update\update.exe"
Fri 25 Feb 2005 387,296 A…H. --- "C:\WINDOWS\$hf_mig$\KB898461\update\updspapi.dll"
Fri 14 Jul 2006 336,896 A…H. --- "C:\WINDOWS\$hf_mig$\KB921883\SP2QFE\netapi32.dll"
Thu 13 Oct 2005 22,752 A…H. --- "C:\WINDOWS\$hf_mig$\KB921883\update\spcustom.dll"
Thu 13 Oct 2005 723,680 A…H. --- "C:\WINDOWS\$hf_mig$\KB921883\update\update.exe"
Thu 13 Oct 2005 386,784 A…H. --- "C:\WINDOWS\$hf_mig$\KB921883\update\updspapi.dll"
Mon 21 Aug 2006 16,896 A…H. --- "C:\WINDOWS\$hf_mig$\KB922582\SP2QFE\fltlib.dll"
Mon 21 Aug 2006 23,040 A…H. --- "C:\WINDOWS\$hf_mig$\KB922582\SP2QFE\fltmc.exe"
Mon 21 Aug 2006 128,768 A…H. --- "C:\WINDOWS\$hf_mig$\KB922582\SP2QFE\fltmgr.sys"
Thu 13 Oct 2005 22,752 A…H. --- "C:\WINDOWS\$hf_mig$\KB922582\update\spcustom.dll"
Thu 13 Oct 2005 723,680 A…H. --- "C:\WINDOWS\$hf_mig$\KB922582\update\update.exe"
Thu 13 Oct 2005 386,784 A…H. --- "C:\WINDOWS\$hf_mig$\KB922582\update\updspapi.dll"
Sat 30 Jul 2005 483,127 A…H. --- "C:\Documents and Settings\bili\Moje dokumenty\tapety\Cos_dla_facetow\Cos dla facetow\Powerful Seduction\setup.exe"
Sat 30 Jul 2005 370,176 A…H. --- "C:\Documents and Settings\bili\Moje dokumenty\tapety\Cos_dla_facetow\Cos dla facetow\Powerful Seduction\Zainstalowane\Powerful Seduction.exe"

Finished!
From ComboFix:
ComboFix 07-10-12.4 - bili 2007-10-16 17:20:22.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.214 [GMT 2:00]
Running from: C:\Documents and Settings\bili\Moje dokumenty\GRY\Programy\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Autorun.inf
E:\Autorun.inf
F:\Autorun.inf
G:\Autorun.inf
H:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2007-09-16 to 2007-10-16 )))))))))))))))))))))))))))))))
.
2007-10-16 17:03
2007-10-15 18:04 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-14 19:10 3,478 -rahsc--- C:\pagefile.sys.vbs
2007-10-12 20:21
2007-10-08 16:30
2007-10-05 19:50
2007-10-05 19:50
2007-10-05 19:50
2007-09-29 14:37
2007-09-26 21:58
2007-09-23 12:05 43,520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2007-09-22 23:04
2007-09-22 17:10
2007-09-22 17:05
2007-09-22 17:05
2007-09-22 17:05
2007-09-20 18:21
2007-09-18 21:23
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-16 15:19 --------- d-----w C:\Program Files\cFosSpeed
2007-10-16 14:05 --------- dc----w C:\Documents and Settings\bili\Dane aplikacji\foobar2000
2007-10-16 12:59 --------- dc----w C:\Documents and Settings\bili\Dane aplikacji\uTorrent
2007-10-13 09:51 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-10-13 09:51 103,736 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2007-10-12 18:23 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-05 17:53 --------- dc----w C:\Documents and Settings\bili\Dane aplikacji\Sports Interactive
2007-09-30 14:33 --------- dc--a-w C:\Documents and Settings\All Users\Dane aplikacji\TEMP
2007-09-22 14:59 --------- d-----w C:\Program Files\Common Files\Ahead
2007-09-22 14:59 --------- d-----w C:\Program Files\Ahead
2007-09-18 18:17 --------- dc----w C:\Documents and Settings\bili\Dane aplikacji\ppstream
2007-09-06 10:09 801,144 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-09-06 10:05 94,416 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-09-06 10:05 92,848 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-09-06 10:03 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-09-06 10:02 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-09-06 10:00 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-09-06 10:00 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-09-01 20:47 --------- dc----w C:\Documents and Settings\bili\Dane aplikacji\ViStart
2007-08-25 13:46 --------- d-----w C:\Program Files\Neostrada TP
2007-08-24 11:47 108,144 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-08-24 11:47 --------- dc-h--r C:\Documents and Settings\bili\Dane aplikacji\SecuROM
2007-08-22 14:47 --------- d-----w C:\Program Files\Common Files\DVDVIDEOSOFT
2007-08-22 13:32 2,320,384 ----a-w C:\WINDOWS\system32\TUKernel.exe
2007-08-22 13:26 --------- dc----w C:\Documents and Settings\All Users\Dane aplikacji\TuneUp Software
2007-08-19 19:49 --------- dc----w C:\Documents and Settings\bili\Dane aplikacji\BitTorrent
2007-08-19 19:48 --------- dc----w C:\Documents and Settings\bili\Dane aplikacji\DMCache
2007-08-19 19:48 --------- dc----w C:\Documents and Settings\bili\Dane aplikacji\DeepBurner
2007-08-19 19:48 --------- dc----w C:\Documents and Settings\bili\Dane aplikacji\Azureus
2007-08-19 18:49 221,184 ----a-w C:\WINDOWS\system32\xtbaksm.dll
2007-08-16 16:54 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2007-08-04 10:39 356,352 ----a-w C:\WINDOWS\eSellerateEngine.dll
2007-08-04 08:40 972,072 ----a-w C:\WINDOWS\UNRecode.exe
2007-08-04 08:10 95,600 ----a-w C:\WINDOWS\system32\NeroCo.dll
2007-08-03 10:52 972,072 ----a-w C:\WINDOWS\UNNeroMediaHome.exe
2007-07-29 15:51 7,680 ----a-w C:\WINDOWS\system32\ff_vfw.dll
2007-07-25 13:24 1,559,040 ----a-w C:\WINDOWS\system32\xvidcore.dll
2001-11-05 07:30 165,376 ------w C:\Program Files\UNWISE.EXE
2007-07-05 20:13:56 928,395 --sh--w C:\WINDOWS\system32\nnnmp.bak1
2007-07-11 08:46:10 932,555 --sh--w C:\WINDOWS\system32\nnnmp.bak2
2007-07-11 14:29:04 932,467 --sh--w C:\WINDOWS\system32\nnnmp.ini2
.
((((((((((((((((((((((((((((( snapshot@2007-10-15_18.09.03.43 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-10-15 17:33:08 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2007-10-16 15:13:10 11,714,560 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
+ 2007-10-16 15:13:10 294,912 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2007-10-15 17:33:08 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2007-10-16 15:04:00 11,714,560 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat
+ 2007-10-16 15:04:01 294,912 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
+ 2007-10-15 17:49:15 585,791 ----a-w C:\WINDOWS\gmer.dll
+ 2007-06-29 07:38:18 581,632 ----a-w C:\WINDOWS\gmer.exe
+ 2007-10-15 17:49:15 70,001 ----a-w C:\WINDOWS\system32\drivers\gmer.sys
- 2007-10-15 16:08:32 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_6fc.dat
+ 2007-10-16 15:17:35 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_6fc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WooCnxMon"="C:\PROGRA~1\NEOSTR~1\CnxMon.exe" [2003-10-16 18:07]
"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 11:38]
"WOOWATCH"="C:\PROGRA~1\NEOSTR~1\Watch.exe" [2003-10-16 18:07]
"WOOTASKBARICON"="C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe" [2003-10-16 18:07]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-06-01 17:22]
"nwiz"="nwiz.exe" [2006-06-01 17:22 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-06-01 17:22]
"avast!"="e:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 12:06]
"cFosSpeed"="C:\Program Files\cFosSpeed\cFosSpeed.exe" [2007-07-09 17:10]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44]
"AutoConnect"="E:\Program Files\AutoConnect\AutoConnect.exe" [2004-08-28 20:27]
“Odkurzacz-MCD”=“e:\Program Files\Odkurzacz\odk_mcd.exe” [2007-05-03 10:02] “RocketDock”=“E:\Program Files\RocketDock\RocketDock.exe” [2007-09-02 13:58] “AQQ”=“E:\PROGRA~1\WapSter\AQQ\AQQ.exe” [2007-02-28 14:18] C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\ Sound Station.lnk - C:\Program Files\Sound Station\SNXUACP.exe [2007-02-19 17:10:19] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] “NoRecentDocsHistory”=1 (0x1) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon] “System”=“lsass.exe” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk] path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Synchronizer.lnk] path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Synchronizer.lnk backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] “C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools] “C:\Program Files\DAEMON Tools\daemon.exe” -lang 1033 [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan] “C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\µTorrent] “E:\Program Files\uTorrent\utorrent.exe” 
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-] “MSMSGS”=“C:\Program Files\Messenger\msmsgs.exe” /background [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-] “CloneCDTray”=“C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe” /s “DemonStarter”=C:\Program Files\PWN\Definicje\Bin\Starter.exe R2 ACEDRV08;ACEDRV08;??\C:\WINDOWS\system32\drivers\ACEDRV08.sys R2 LicCtrlService;LicCtrl Service;C:\WINDOWS\runservice.exe R2 Nero BackItUp Scheduler 3;Nero BackItUp Scheduler 3;C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe R3 actser;actser;C:\WINDOWS\system32\drivers\actser.sys R3 uafilter;uafilter;C:\WINDOWS\system32\DRIVERS\uafilter.sys S2 BootDrv;Critical System Service BootDrv;C:\WINDOWS\system32\BootDSvc.exe S2 ipfw;ipfw_helper;E:\Program Files\MCS Studios\MCS Firewall 6\system\ipfw.exe S3 ip_fw;ipfw kernel-mode driver;??\E:\Program S3 siusbmod;siusbmod;C:\WINDOWS\system32\DRIVERS\siusbmod.sys S4 Win2k3NodeDisabler;Win2k3NodeDisabler;C:\Documents and Settings\bili\Pulpit\omijanie_zabezpieczen\omijanie_zabezpieczen-by_Axel\do zabezpieczeniaStarforce\Win2k3NodeDisabler\Win2k3NodeDisabler.exe . Contents of the ‘Scheduled Tasks’ folder “2007-10-12 15:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job” - E:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe . ************************************************************************** catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-10-16 17:21:16 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2007-10-16 17:21:54 C:\ComboFix2.txt … 2007-10-15 18:09 . — E O F —
from HijackThis
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:22:57, on 2007-10-16
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
e:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
e:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\cFosSpeed\spd.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
e:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
e:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\NEOSTR~1\CnxMon.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe
E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\cFosSpeed\cFosSpeed.exe
C:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Odkurzacz\odk_mcd.exe
E:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\Sound Station\SNXUACP.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.epuls.pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe
O4 - HKLM\..\Run: [speedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] e:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [cFosSpeed] C:\Program Files\cFosSpeed\cFosSpeed.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AutoConnect] E:\Program Files\AutoConnect\AutoConnect.exe
O4 - HKCU\..\Run: [Odkurzacz-MCD] e:\Program Files\Odkurzacz\odk_mcd.exe
O4 - HKCU\..\Run: [RocketDock] "E:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [AQQ] E:\PROGRA~1\WapSter\AQQ\AQQ.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Sound Station.lnk = C:\Program Files\Sound Station\SNXUACP.exe
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Pobierz używając Download &Express'a - E:\Program Files\Download Express\Add_Url.htm
O8 - Extra context menu item: Pobierz z &BitSpirit - E:\Program Files\BitSpirit\bsurl.htm
O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E4ACCD77-04E9-4723-974E-0067CBDC692E}: NameServer = 85.255.114.76 85.255.112.81
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - e:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - e:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - e:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - e:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Critical System Service BootDrv (BootDrv) - Unknown owner - C:\WINDOWS\system32\BootDSvc.exe (file missing)
O23 - Service: cFosSpeed System Service (cFosSpeedS) - cFos Software GmbH - C:\Program Files\cFosSpeed\spd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ipfw_helper (ipfw) - Unknown owner - E:\Program Files\MCS Studios\MCS Firewall 6\system\ipfw.exe (file missing)
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O24 - Desktop Component 0: (no name) - http://myweb.tiscali.co.uk/perlus/czerw … 800s/1.jpg

--
End of file - 6568 bytes
And what do you make of that??