Please check my log...

Hi! I checked this log on www.hijackthis.de. The entry "O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Dokumenty\Settings\partnership.dll" was marked for removal, but after removing it and rebooting the entry comes back... How do I get rid of it? Here is the log:

Logfile of HijackThis v1.99.1
Scan saved at 21:26:21, on 2007-09-16
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\PnkBstrA.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\PROGRA~1\Wanadoo\EspaceWanadoo.exe
C:\PROGRA~1\Wanadoo\ComComp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.2.7.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O8 - Extra context menu item: &Ściągnij przy pomocy FlashGet'a - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: &Ściągnij wszystko przy pomocy FlashGet'a - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all videos using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{452505B0-B892-45AE-8B7C-1A113E6EE820}: NameServer = 194.204.159.1 217.98.63.164
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: mstsc.dll
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Dokumenty\Settings\partnership.dll
O21 - SSODL: DCOM Server 25319 - {2C1CD3D7-86AC-4068-93BC-A02304B25319} - C:\WINDOWS\system32\hcfimsl.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: FCI - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: lxbu_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbucoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\System32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

Thanks in advance... Regards!
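The lines worth looking at first in the log above are the ones that hook into the logon path rather than a user's Run key: the O20 Winlogon Notify DLL loaded from a profile directory, the O20 AppInit_DLLs value (injected into every user-mode process), the O21 SSODL entry that explorer.exe loads at logon, and the O23 "FCI" service whose image path "svchost.exe:ext.exe" names an NTFS alternate data stream. A DLL that winlogon.exe has already loaded can re-create its own registry value, which is why deleting only the registry entry with HijackThis does not stick and why the helpers later ask for logs taken from safe mode. The script below is an added example (it is not part of this thread and not a HijackThis feature) that encodes those checks over HijackThis log lines. The sample lines are copied from the first log and from the later safe-mode log in this thread; the rule set and the TRUSTED_DLL_DIRS list are this example's own assumptions.

```python
"""Added triage helper for HijackThis 1.99 logs (example code, not from this thread).

A HijackThis line looks like "Oxx - <description> - <image path>".  The rules
below encode what a reviewer checks by hand: hooks that load a DLL into
winlogon.exe (O20 Winlogon Notify), into every user-mode process
(O20 AppInit_DLLs) or into explorer.exe at logon (O21 SSODL), services whose
binary is missing or whose path names an NTFS alternate data stream
("svchost.exe:ext.exe"), and Winsock LSP entries HijackThis could not verify.
TRUSTED_DLL_DIRS is this example's own assumption, not a HijackThis setting.
"""
import re
from typing import List, Tuple

# Where Windows and mainstream vendors keep winlogon extension DLLs on XP.
# Anything loaded from elsewhere (profiles, All Users\Dokumenty, temp) is flagged.
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
# drive:\...\file.exe:stream.exe  (a second colon after the drive letter = ADS)
ADS_RE = re.compile(r"^[a-z]:\\[^:]+:[^\\]+$", re.IGNORECASE)

Finding = Tuple[str, str, str]  # (section, reason, original line)


def _image_path(body: str) -> str:
    """Last ' - '-separated field of an entry, where HijackThis prints the path."""
    return body.rsplit(" - ", 1)[-1].strip()


def _in_trusted_dir(path: str) -> bool:
    p = path.lower()
    return any(p.startswith(d) for d in TRUSTED_DLL_DIRS)


def triage(log_text: str) -> List[Finding]:
    """Return (section, reason, line) for every entry that deserves a closer look."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # headers, the "Running processes:" block, blank lines
        sec, body = m.group("sec"), m.group("body")
        if sec == "O20" and body.startswith("Winlogon Notify:"):
            if not _in_trusted_dir(_image_path(body)):
                findings.append((sec, "Winlogon Notify DLL outside trusted directories", line))
        elif sec == "O20" and body.startswith("AppInit_DLLs:"):
            if body.split(":", 1)[1].strip():
                findings.append((sec, "AppInit_DLLs value set (DLL injected into every process)", line))
        elif sec == "O21":
            findings.append((sec, "ShellServiceObjectDelayLoad entry loaded by explorer.exe at logon", line))
        elif sec == "O23":
            path = _image_path(body)
            if path.endswith("(file missing)"):
                findings.append((sec, "service binary missing", line))
                path = path[: -len("(file missing)")].strip()
            if ADS_RE.match(path):
                findings.append((sec, "service binary is an NTFS alternate data stream", line))
        elif sec == "O10" and body.startswith("Unknown file in Winsock LSP"):
            findings.append((sec, "Winsock LSP HijackThis could not verify", line))
    return findings


# Constructed sample: lines copied from the first log in this thread.
FIRST_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\winlogon.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O20 - AppInit_DLLs: mstsc.dll
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Dokumenty\Settings\partnership.dll
O21 - SSODL: DCOM Server 25319 - {2C1CD3D7-86AC-4068-93BC-A02304B25319} - C:\WINDOWS\system32\hcfimsl.dll
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: FCI - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe (file missing)
"""

# Constructed sample: lines copied from the later safe-mode log; the hooks are gone.
SAFE_MODE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\System32\PnkBstrA.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
"""

if __name__ == "__main__":
    for name, text in (("first log", FIRST_LOG), ("safe-mode log", SAFE_MODE_LOG)):
        hits = triage(text)
        print(f"{name}: {len(hits)} finding(s)")
        for sec, why, entry in hits:
            print(f"  [{sec}] {why}\n      {entry}")
```

Run against the first log the script flags six entries (O10, both O20 lines, O21, and the FCI service twice: missing binary and ADS path) while leaving the Avira service alone; the safe-mode sample produces no findings, which matches the later reply that nothing harmful remained. The O21 rule flags every SSODL entry on purpose: HijackThis already hides the Windows defaults, so anything it prints there is worth a look.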

Replies: 10

Everything runs as it should now, thanks for the help. Cheers
Berry
Posted
24.09.2007 02:46:54
Hmm... How could I install Internet Explorer without the Windows genuine check... :mryellow: :-k
Berry
Posted
20.09.2007 16:09:02
  • Sfinks 20.09.2007 16:55:05

    [quote=Berry]Hmm... How could I install Internet Explorer without the Windows genuine check... :mryellow: :-k[/quote] First of all, it can't be done, and second, this forum does not help pirates; this thread will get locked any minute now, so better delete that post and say a proper thank-you to Żółty.

I don't see anything harmful here anymore. Reinstall Internet Explorer and we'll see whether we need to dig deeper.
Żółty
Posted
18.09.2007 20:52:40
Logs from safe mode:

HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 18:20:55, on 2007-09-18
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.2.7.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Creative\SBLive\PROGRAM\ADGJDet.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O8 - Extra context menu item: &Ściągnij przy pomocy FlashGet'a - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: &Ściągnij wszystko przy pomocy FlashGet'a - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all videos using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{452505B0-B892-45AE-8B7C-1A113E6EE820}: NameServer = 194.204.159.1 217.98.63.164
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: lxbu_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbucoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\System32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

SilentRunners:

"Silent Runners.vbs", revision 52, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["sms-express.com"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"avgnt" = ""C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min" ["Avira GmbH"]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"WOOWATCH" = "C:\PROGRA~1\Wanadoo\Watch.exe" ["France Télécom R&D"]
"WOOTASKBARICON" = "C:\PROGRA~1\Wanadoo\TaskbarIcon.exe" ["France Télécom R&D"]
"WINDVDPatch" = "CTHELPER.EXE" ["Creative Technology Ltd"]
"UpdReg" = "C:\WINDOWS\UpdReg.EXE" ["Creative Technology Ltd."]
"Jet Detection" = "C:\Creative\SBLive\PROGRAM\ADGJDet.exe" [empty string]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "AcroIEHlprObj Class"
     \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}\(Default) = "flashget urlcatch"
  -> {HKLM...CLSID} = "FGCatchUrl"
     \InProcServer32\(Default) = "C:\PROGRA~1\FlashGet\jccatch.dll" ["www.flashget.com"]
{39F7E362-828A-4B5A-BCAF-5B79BFDFEA60}\(Default) = "BitComet ClickCapture"
  -> {HKLM...CLSID} = "BitComet Helper"
     \InProcServer32\(Default) = "C:\Program Files\BitComet\tools\BitCometBHO_1.1.2.7.dll" ["BitComet"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "SSVHelper Class"
     \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll" ["Sun Microsystems, Inc."]
{F156768E-81EF-470C-9057-481BA8380DBA}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "FlashGet GetFlash Class"
     \InProcServer32\(Default) = "C:\Program Files\FlashGet\getflash.dll" ["www.flashget.com"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
     \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
     \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
  -> {HKLM...CLSID} = "Desktop Explorer"
     \InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
  -> {HKLM...CLSID} = "nView Desktop Context Menu"
     \InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8}" = "jetAudio"
  -> {HKLM...CLSID} = "JetFlExt"
     \InProcServer32\(Default) = "C:\Program Files\JetAudio\JetFlExt.dll" ["JetAudio, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{19741013-C829-11D1-8233-0020AF3E97A9}" = "CMCUTIL Menu Extension"
  -> {HKLM...CLSID} = "Cool MP3 Converter ContextMenu"
     \InProcServer32\(Default) = "C:\PROGRA~1\COOLMP~1\CMCUtil.dll" [null data]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"
     \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{36A21736-36C2-4C11-8ACB-D4136F2B57BD}" = "AutoCAD Digital Signatures Icon Overlay Handler"
  -> {HKLM...CLSID} = "AcSignIcon"
     \InProcServer32\(Default) = "C:\WINDOWS\System32\AcSignIcon.dll" ["Autodesk"]
"{AC1DB655-4F9A-4c39-8AD2-A65324A4C446}" = "Autodesk Drawing Preview"
  -> {HKLM...CLSID} = "ACTHUMBNAIL"
     \InProcServer32\(Default) = "C:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcThumbnail16.dll" ["Autodesk"]
"{46E22146-59C0-4136-9233-FB7720E777B2}" = "EzCddax extension"
  -> {HKLM...CLSID} = "EzCddax Class"
     \InProcServer32\(Default) = "C:\Program Files\Easy CD-DA Extractor 10\ezcddax10.dll" [null data]
"{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
     \InProcServer32\(Default) = "C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
  -> {HKLM...CLSID} = "RealOne Player Context Menu Class"
     \InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
CMCUTIL\(Default) = "{19741013-C829-11D1-8233-0020AF3E97A9}"
  -> {HKLM...CLSID} = "Cool MP3 Converter ContextMenu"
     \InProcServer32\(Default) = "C:\PROGRA~1\COOLMP~1\CMCUtil.dll" [null data]
EzCddax\(Default) = "{46E22146-59C0-4136-9233-FB7720E777B2}"
  -> {HKLM...CLSID} = "EzCddax Class"
     \InProcServer32\(Default) = "C:\Program Files\Easy CD-DA Extractor 10\ezcddax10.dll" [null data]
MkS_Vir\(Default) = "{E64226E0-9DA1-479E-8265-8D65BA327BD4}"
  -> {HKLM...CLSID} = "MkS_Vir Shell Extension"
     \InProcServer32\(Default) = "/u\mksshell.dll" [file not found]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
     \InProcServer32\(Default) = "C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
jetAudio\(Default) = "{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8}"
  -> {HKLM...CLSID} = "JetFlExt"
     \InProcServer32\(Default) = "C:\Program Files\JetAudio\JetFlExt.dll" ["JetAudio, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
jetAudio\(Default) = "{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8}"
  -> {HKLM...CLSID} = "JetFlExt"
     \InProcServer32\(Default) = "C:\Program Files\JetAudio\JetFlExt.dll" ["JetAudio, Inc."]
MkS_Vir\(Default) = "{E64226E0-9DA1-479E-8265-8D65BA327BD4}"
  -> {HKLM...CLSID} = "MkS_Vir Shell Extension"
     \InProcServer32\(Default) = "/u\mksshell.dll" [file not found]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
     \InProcServer32\(Default) = "C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

Default executables:
--------------------

HKCU\Software\Classes\.scr\(Default) = "AutoCADScriptFile"
<> HKCU\Software\Classes\AutoCADScriptFile\shell\open\command\(Default) = ""C:\WINDOWS\notepad.exe" "%1"" [MS]

Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\Web\Wallpaper\Idylla.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\Web\Wallpaper\Idylla.bmp"

Startup items in "ppp" & "All Users" startup folders:
-----------------------------------------------------

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"DSLMON" -> shortcut to: "C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe /W" [empty string]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
  -> {HKLM...CLSID} = "&Google"
     \InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

HKLM\Software\Classes\CLSID\{1E0DE227-5CE4-4EA3-AB0C-8B03E1AA76BC}\(Default) = (title not found)
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC}"
  -> {HKLM...CLSID} = "Java Plug-in 1.6.0_02"
     \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll" ["Sun Microsystems, Inc."]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\
"ButtonText" = "Yahoo! Services"
"CLSIDExtension" = "{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}"
{D6E814A0-E0C5-11D4-8D29-0050BA6940E3}\
"ButtonText" = "FlashGet"
"MenuText" = "FlashGet"
"Exec" = "C:\Program Files\FlashGet\FlashGet.exe" ["FlashGet.com"]
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]

All Non-Disabled Services (Display Name, Service Name, Path {Service DLL}):
---------------------------------------------------------------------------

Adobe LM Service, Adobe LM Service, ""C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe"" ["Adobe Systems"]
AntiVir PersonalEdition Classic Guard, AntiVirService, "C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe" ["Avira GmbH"]
AntiVir PersonalEdition Classic Scheduler, AntiVirScheduler, "C:\Program Files\AntiVir PersonalEdition Classic\sched.exe" ["Avira GmbH"]
C-DillaCdaC11BA, C-DillaCdaC11BA, "C:\WINDOWS\System32\drivers\CDAC11BA.EXE" ["Macrovision"]
Cyberlink RichVideo Service(CRVS), RichVideo, ""C:\Program Files\CyberLink\Shared Files\RichVideo.exe"" [empty string]
Karta wydajności WMI, WmiApSrv, "C:\WINDOWS\System32\wbem\wmiapsrv.exe" [MS]
lxbu_device, lxbu_device, "C:\WINDOWS\system32\lxbucoms.exe -service" ["Lexmark International, Inc."]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
PnkBstrA, PnkBstrA, "C:\WINDOWS\System32\PnkBstrA.exe" [null data]
PnkBstrB, PnkBstrB, "C:\WINDOWS\system32\PnkBstrB.exe" [null data]
Usługa administracyjna Menedżera dysków logicznych, dmadmin, "C:\WINDOWS\System32\dmadmin.exe /com" ["Microsoft Corp., Veritas Software"]
Usługa dostarczania sieci, xmlprov, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\xmlprov.dll" [MS]}
Usługa numeru seryjnego multimediów przenośnych, WmdmPmSN, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\mspmsnsv.dll" [MS]}

Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
6200 Series Port\Driver = "lxbulmpm.DLL" ["Lexmark International, Inc."]
Lexmark Print-2-Fax Port\Driver = "LXPRMON.DLL" [null data]

----------
(launch time: 2007-09-18 18:21:51)
<>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives took 99 seconds.
---------- (total run time: 145 seconds)

ComboFix:

ComboFix 07-09-17.2 - "ppp" 2007-09-18 18:41:35.3 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.602 [GMT 2:00]
.
((((((((((((((((((((((((( Files Created from 2007-08-18 to 2007-09-18 )))))))))))))))))))))))))))))))
.
2007-09-18 18:18 24 --a------ C:\WINDOWS\system32\DVCStateBkp-{00000000-00000000-0000000A-00001102-00000002-80651102}.dat
2007-09-18 18:18 24 --a------ C:\WINDOWS\system32\DVCState-{00000000-00000000-0000000A-00001102-00000002-80651102}.dat
2007-09-18 17:20 d-------- C:\WINDOWS\Tasks
2007-09-17 22:36 0 --a------ C:\WINDOWS\system32\ntkrpamp.exe
2007-09-17 22:36 0 --a------ C:\WINDOWS\system32\ntkrnlmp.exe
2007-09-17 20:57 77,824 --a------ C:\WINDOWS\system32\EAXAC3.DLL
2007-09-17 20:57 61,440 --a------ C:\WINDOWS\MIDIDEF.EXE
2007-09-17 20:57 49,152 --a------ C:\WINDOWS\system32\KILLAPPS.EXE
2007-09-17 20:57 36,864 --a------ C:\WINDOWS\system32\sfman32.dll
2007-09-17 20:57 36,864 --a------ C:\WINDOWS\system32\REGPLIB.EXE
2007-09-17 20:47 12,288 --------- C:\WINDOWS\system32\AHQCpURes.dll
2007-09-17 20:47 d-------- C:\Creative
2007-09-17 18:14 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-16 23:19 d-------- C:\VundoFix Backups
2007-09-16 21:22 dr-h----- C:\DOCUME~1\ADMINI~1\Dane aplikacji
2007-09-16 21:22 dr------- C:\DOCUME~1\ADMINI~1\Menu Start
2007-09-16 21:22 d--h----- C:\DOCUME~1\ADMINI~1\Ustawienia lokalne
2007-09-16 21:22 d--h----- C:\DOCUME~1\ADMINI~1\Szablony
2007-09-16 21:22 d-------- C:\DOCUME~1\ADMINI~1\Ulubione
2007-09-16 21:22 d-------- C:\DOCUME~1\ADMINI~1\Pulpit
2007-09-16 21:22 d-------- C:\DOCUME~1\ADMINI~1\Moje dokumenty
2007-08-29 13:42 98,304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-08-27 01:57 d-------- C:\Program Files\Common Files\xing shared
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-18 17:30 --------- d-------- C:\Program Files\Wanadoo
2007-09-18 17:22 5504 --a------ C:\Program Files\hijackthis.log
2007-09-18 00:00 --------- d-------- C:\Program Files\eMule
2007-09-17 20:48 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-09-17 20:47 --------- d-------- C:\Program Files\Creative
2007-09-17 19:15 --------- d-------- C:\Program Files\Common Files\Macrovision Shared
2007-09-16 23:10 --------- d-------- C:\DOCUME~1\ppp\DANEAP~1\Skype
2007-09-16 21:14 --------- d-------- C:\Program Files\backups
2007-09-16 20:37 --------- d-------- C:\Program Files\SkanerOnline
2007-09-16 19:21 --------- d-------- C:\Program Files\PhotoBrush
2007-09-16 18:49 --------- d-------- C:\Program Files\Avant Browser
2007-09-16 18:35 2275322 --a------ C:\WINDOWS\system32\ntoskrnl.exe
2007-09-16 18:35 2151162 --a------ C:\WINDOWS\system32\ntkrnlpa.exe
2007-09-16 18:35 14336 --a------ C:\WINDOWS\system32\svchost.exe
2007-08-27 17:11 28400 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
2007-08-27 02:02 --------- d-------- C:\DOCUME~1\ppp\DANEAP~1\Real
2007-08-27 01:57 --------- d-------- C:\Program Files\Common Files\Real
2007-08-25 16:11 --------- d-------- C:\Program Files\HighGrow
2007-08-25 14:56 --------- d-------- C:\Program Files\Magix
2007-08-18 18:19 --------- d-------- C:\Program Files\vanBasco's Karaoke Player
2007-08-17 13:40 --------- d-------- C:\Program Files\Prawo Jazdy 2006
2007-08-17 13:40 --------- d-------- C:\Program Files\PCDJ Red
2007-08-14 15:45 --------- d-------- C:\DOCUME~1\ALLUSE~1\DANEAP~1\FLEXnet
2007-08-08 23:30 99904 --a------ C:\WINDOWS\system32\PnkBstrB.exe
2007-08-08 23:30 22584 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-08-08 11:02 --------- d-------- C:\Program Files\Media_Manager
2007-07-25 16:12 --------- d-------- C:\Program Files\FL Studio 6
2007-07-25 16:09 --------- d-------- C:\Program Files\VstPlugins
2007-07-23 16:01 --------- d-------- C:\Program Files\FlashGet
2007-07-22 21:22 --------- d-------- C:\Program Files\Windows Media Components
2007-07-22 21:19 --------- d-------- C:\Program Files\DAEMON Tools
2007-07-19 22:45 --------- d-------- C:\Program Files\Riva FLV Encoder 2.0
2007-07-19 22:42 --------- d-------- C:\Program Files\Common Files\SWF Studio
2007-07-18 17:34 --------- d-------- C:\Program Files\BearShare Applications
2007-04-06 12:09 138 --a--c--- C:\Program Files\INSTALL.LOG
2007-03-31 19:28 51232 --a------ C:\Program Files\wwdc.exe
2006-02-08 03:02 73728 --a------ C:\Program Files\KillBox.exe
2005-02-16 12:06 218112 --a------ C:\Program Files\HijackThis.exe
1998-11-15 23:59 578560 --a------ C:\Program Files\Cannamp3.exe
.
((((((((((((((((((((((((((((( snapshot_2007-09-17_181812.21 )))))))))))))))))))))))))))))))))))))))))
.
------w 53,552 1994-12-05 01:11:00 C:\WINDOWS\CTCCW.DLL
----a-w 49,152 2002-06-04 05:58:12 C:\WINDOWS\CTDCRES.DLL
------w 24,976 1996-05-23 00:24:00 C:\WINDOWS\CTRES.DLL
----a-w 94,208 2002-07-19 09:08:10 C:\WINDOWS\DEVREG.DLL
----a-w 20,480 2002-06-04 05:45:38 C:\WINDOWS\INRES.DLL
----a-w 184,320 2002-07-19 09:08:02 C:\WINDOWS\PSCONV.EXE
----a-w 176,128 2002-07-19 09:07:52 C:\WINDOWS\READREG.EXE
------w 90,112 2000-05-10 23:00:00 C:\WINDOWS\Updreg.EXE
----a-w 65,536 2002-07-19 08:43:06 C:\WINDOWS\system32\a3d.dll
----a-w 53,248 2002-07-19 09:07:34 C:\WINDOWS\system32\AC3API.DLL
----a-w 110,592 2002-07-19 08:54:10 C:\WINDOWS\system32\COMMONFX.DLL
----a-w 61,440 2002-11-05 09:05:30 C:\WINDOWS\system32\CTAGENT.DLL
----a-w 106,496 2002-07-19 08:54:22 C:\WINDOWS\system32\CTASIO.DLL
----a-w 113,273 2002-07-19 09:07:26 C:\WINDOWS\system32\CTBAS2W.DAT
----a-w 113,373 2002-07-19 09:02:24 C:\WINDOWS\system32\ctbasicw.dat
----a-w 44,055 2002-07-19 08:56:50 C:\WINDOWS\system32\ctdaught.dat
----a-w 319,488 2002-07-19 09:07:42 C:\WINDOWS\system32\CTDEVCON.DLL
----a-w 164,044 2002-07-19 09:07:30 C:\WINDOWS\system32\ctdlang.dat
----a-w 106,496 2002-07-19 08:53:54 C:\WINDOWS\system32\CTDPROXY.DLL
----a-w 36,864 2002-07-19 08:54:40 C:\WINDOWS\system32\CTEMUPIA.DLL
----a-w 24,576 2002-07-02 15:56:00 C:\WINDOWS\system32\CTHELPER.EXE
------w 26,768 1995-07-13 00:01:00 C:\WINDOWS\system32\CTL3D.DLL
----a-w 155,648 2002-07-19 08:54:16 C:\WINDOWS\system32\CTOSUSER.DLL
----a-w 643,072 2002-07-19 08:55:42 C:\WINDOWS\system32\CTSBLFX.DLL
----a-w 28,672 2002-07-19 09:07:48 C:\WINDOWS\system32\CTSPKHLP.DLL
----a-w 179,669 2002-07-19 08:59:32 C:\WINDOWS\system32\ctstatic.dat
------w 82,432 1995-08-30 00:02:00 C:\WINDOWS\system32\CTWFLT32.DLL
----a-w 135,168 2002-07-19 08:54:50 C:\WINDOWS\system32\OPENAL32.DLL
------w 10,194 2002-06-14 11:49:56 C:\WINDOWS\system32\PFMODNT.SYS
----a-w 110,592 2002-07-19 08:55:00 C:\WINDOWS\system32\PIAPROXY.DLL
------w 84,992 1998-06-05 00:00:00 C:\WINDOWS\system32\SFCVRT32.DLL
------w 1,048,576 1998-01-07 23:00:00 C:\WINDOWS\system32\SFMAN.DAT
----a-w 270,336 2002-07-19 08:56:12 C:\WINDOWS\system32\SFMS32.DLL
----a-w 220,509 2002-07-19 09:02:18 C:\WINDOWS\system32\Data\CT0060W.DAT
----a-w 220,713 2002-07-19 09:02:18 C:\WINDOWS\system32\Data\CTP0060W.DAT
----a-w 220,713 2002-07-19 09:02:20 C:\WINDOWS\system32\Data\CTP0061W.DAT
----a-w 220,713 2002-07-19 09:02:18 C:\WINDOWS\system32\Data\CTP0100W.DAT
----a-w 220,713 2002-07-19 09:02:20 C:\WINDOWS\system32\Data\CTP0101W.DAT
----a-w 220,713 2002-07-19 09:02:18 C:\WINDOWS\system32\Data\CTP0102W.DAT
----a-w 220,713 2002-07-19 09:02:20 C:\WINDOWS\system32\Data\CTP0103W.DAT
----a-w 220,713 2002-07-19 09:02:20 C:\WINDOWS\system32\Data\CTP0105W.DAT
----a-w 221,643 2002-07-19 09:02:20 C:\WINDOWS\system32\Data\CTP0221W.DAT
----a-w 221,643 2002-07-19 09:02:20 C:\WINDOWS\system32\Data\CTP0222W.DAT
----a-w 219,051 2002-07-19 09:02:14 C:\WINDOWS\system32\Data\CTP1140W.DAT
----a-w 218,391 2002-07-19 09:02:14 C:\WINDOWS\system32\Data\CTP4620W.DAT
----a-w 218,391 2002-07-19 09:02:16 C:\WINDOWS\system32\Data\CTP4670W.DAT
----a-w 218,391 2002-07-19 09:02:14 C:\WINDOWS\system32\Data\CTP4760W.DAT
----a-w 218,391 2002-07-19 09:02:16 C:\WINDOWS\system32\Data\CTP4780W.DAT
----a-w 217,875 2002-07-19 09:02:16 C:\WINDOWS\system32\Data\CTP4790W.DAT
----a-w 218,391 2002-07-19 09:02:16 C:\WINDOWS\system32\Data\CTP4830W.DAT
----a-w 218,391 2002-07-19 09:02:16 C:\WINDOWS\system32\Data\CTP4831W.DAT
----a-w 218,391 2002-07-19 09:02:16 C:\WINDOWS\system32\Data\CTP4832W.DAT
----a-w 217,875 2002-07-19 09:02:18 C:\WINDOWS\system32\Data\CTP4840W.DAT
----a-w 218,391 2002-07-19 09:02:14 C:\WINDOWS\system32\Data\CTP4850W.DAT
----a-w 218,391 2002-07-19 09:02:16 C:\WINDOWS\system32\Data\CTP4870W.DAT
----a-w 218,391 2002-07-19 09:02:16 C:\WINDOWS\system32\Data\CTP4871W.DAT
----a-w 218,391 2002-07-19 09:02:16 C:\WINDOWS\system32\Data\CTP4872W.DAT
----a-w 217,875 2002-07-19 09:02:18 C:\WINDOWS\system32\Data\CTP4890W.DAT
----a-w 217,875 2002-07-19 09:02:18 C:\WINDOWS\system32\Data\CTP4891W.DAT
----a-w 217,875 2002-07-19 09:02:18 C:\WINDOWS\system32\Data\CTP4893W.DAT
----a-w 220,509 2002-07-19 09:02:20 C:\WINDOWS\system32\Data\CTPDXW.DAT
----a-w 219,051 2002-07-19 09:02:14 C:\WINDOWS\system32\Data\CTPM002W.DAT
----a-w 211,126 2002-07-19 09:07:26 C:\WINDOWS\system32\Data\CTSBAS2W.DAT
----a-w 218,391 2002-07-19 09:02:22 C:\WINDOWS\system32\Data\CTSBASW.DAT
-c--a-w 65,536 2002-07-19 08:43:06 C:\WINDOWS\system32\dllcache\a3d.dll
-c--a-w 60,288 2004-08-03 21:08:00 C:\WINDOWS\system32\dllcache\drmk.sys
-c--a-w 10,624 2004-08-03 21:08:22 C:\WINDOWS\system32\dllcache\gameenum.sys
-c--a-w 140,928 2004-08-03 21:15:22 C:\WINDOWS\system32\dllcache\ks.sys
-c--a-w 4,096 2004-08-03 22:44:02 C:\WINDOWS\system32\dllcache\ksuser.dll
-c--a-w 145,792 2004-08-03 21:15:50 C:\WINDOWS\system32\dllcache\portcls.sys
-c--a-w 48,640 2004-08-03 21:08:04 C:\WINDOWS\system32\dllcache\stream.sys
----a-w 127,948 2002-07-19 08:46:28 C:\WINDOWS\system32\drivers\ctac32k.sys
----a-w 837,548 2002-07-19 08:47:52 C:\WINDOWS\system32\drivers\ctaud2k.sys
----a-w 195,432 2002-07-19 08:48:04 C:\WINDOWS\system32\drivers\ctoss2k.sys
----a-w 11,068 2002-07-19 08:48:08 C:\WINDOWS\system32\drivers\ctprxy2k.sys
----a-w 213,860 2002-07-19 08:48:22 C:\WINDOWS\system32\drivers\ctsfm2k.sys
----a-w 156,604 2002-07-19 08:48:32 C:\WINDOWS\system32\drivers\emupia2k.sys
----a-w 998,004 2002-07-24 11:52:26 C:\WINDOWS\system32\drivers\ha10kx2k.sys
----a-w 65,536 2002-07-19 08:43:06 C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\a3d.dll
----a-w 837,548 2002-07-19 08:47:52 C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\ctaud2k.sys
----a-w 113,373 2002-07-19 09:02:24 C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\ctbasicw.dat
----a-w 44,055 2002-07-19 08:56:50 C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\ctdaught.dat
----a-w 164,044 2002-07-19 09:07:30
C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\ctdlang.dat ----a-w 195,432 2002-07-19 08:48:04 C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\ctoss2k.sys ----a-w 179,669 2002-07-19 08:59:32 C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\ctstatic.dat ----a-w 998,004 2002-07-24 11:52:26 C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\ha10kx2k.sys ----a-w 36,864 2001-08-17 12:35:46 C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\sfman32.dll ----a-w 60,288 2004-08-03 21:08:00 C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\i386\drmk.sys ----a-w 140,928 2004-08-03 21:15:22 C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\i386\ks.sys ----a-w 4,096 2004-08-03 22:44:02 C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\i386\ksuser.dll ----a-w 145,792 2004-08-03 21:15:50 C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\i386\portcls.sys ----a-w 48,640 2004-08-03 21:08:04 C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\i386\stream.sys ----a-w 10,624 2004-08-03 21:08:22 C:\WINDOWS\system32\ReinstallBackups\0011\DriverFiles\i386\gameenum.sys . 
-c--a-w 53,552 1994-12-05 02:11:00 C:\WINDOWS\CTCCW.DLL ----a-w 36,864 2002-03-22 10:31:20 C:\WINDOWS\CTDCRES.DLL -c--a-w 24,976 1996-05-23 01:24:00 C:\WINDOWS\CTRES.DLL -c--a-w 77,824 2002-03-22 10:31:10 C:\WINDOWS\DEVREG.DLL -c--a-w 20,480 2002-03-22 10:18:58 C:\WINDOWS\INRES.DLL -c--a-w 176,128 2002-03-22 10:30:54 C:\WINDOWS\PSCONV.EXE -c--a-w 159,744 2002-03-22 10:30:44 C:\WINDOWS\READREG.EXE -c--a-w 90,112 2000-05-11 00:00:00 C:\WINDOWS\Updreg.EXE ----a-w 49,152 2002-03-22 10:04:24 C:\WINDOWS\system32\a3d.dll ----a-w 40,960 2002-03-22 10:30:22 C:\WINDOWS\system32\AC3API.DLL ----a-w 110,592 2002-03-22 10:16:02 C:\WINDOWS\system32\COMMONFX.DLL ----a-w 57,344 2002-03-13 13:25:36 C:\WINDOWS\system32\CTAGENT.DLL ----a-w 98,304 2002-03-22 10:16:16 C:\WINDOWS\system32\CTASIO.DLL ----a-w 112,287 2002-03-22 10:30:14 C:\WINDOWS\system32\CTBAS2W.DAT ----a-w 112,387 2002-03-22 10:24:54 C:\WINDOWS\system32\ctbasicw.dat ----a-w 44,055 2002-03-22 10:19:08 C:\WINDOWS\system32\ctdaught.dat ----a-w 307,200 2002-03-22 10:30:34 C:\WINDOWS\system32\CTDEVCON.DLL ----a-w 163,933 2002-03-22 10:30:16 C:\WINDOWS\system32\ctdlang.dat ----a-w 94,208 2002-03-22 10:15:46 C:\WINDOWS\system32\CTDPROXY.DLL ----a-w 36,864 2002-03-22 10:16:36 C:\WINDOWS\system32\CTEMUPIA.DLL ----a-w 40,960 2002-02-07 16:01:24 C:\WINDOWS\system32\CTHELPER.EXE ----a-w 26,768 1995-07-13 01:01:00 C:\WINDOWS\system32\CTL3D.DLL ----a-w 143,360 2002-03-22 10:16:10 C:\WINDOWS\system32\CTOSUSER.DLL ----a-w 643,072 2002-03-22 10:17:42 C:\WINDOWS\system32\CTSBLFX.DLL ----a-w 28,672 2002-07-19 10:07:48 C:\WINDOWS\system32\CTSPKHLP.DLL ----a-w 179,669 2002-03-22 10:22:06 C:\WINDOWS\system32\ctstatic.dat ----a-w 82,432 1995-08-30 01:02:00 C:\WINDOWS\system32\CTWFLT32.DLL ----a-w 122,880 2002-03-22 10:16:46 C:\WINDOWS\system32\OPENAL32.DLL ------w 10,194 2002-06-14 12:49:56 C:\WINDOWS\system32\PFMODNT.SYS ----a-w 98,304 2002-03-22 10:16:56 C:\WINDOWS\system32\PIAPROXY.DLL ----a-w 84,992 1998-06-05 01:00:00 
C:\WINDOWS\system32\SFCVRT32.DLL ----a-w 1,048,576 1998-01-08 00:00:00 C:\WINDOWS\system32\SFMAN.DAT ----a-w 258,048 2002-03-22 10:18:12 C:\WINDOWS\system32\SFMS32.DLL ----a-w 218,823 2002-03-22 10:24:46 C:\WINDOWS\system32\Data\CT0060W.DAT ----a-w 219,027 2002-03-22 10:24:46 C:\WINDOWS\system32\Data\CTP0060W.DAT ----a-w 219,027 2002-03-22 10:24:46 C:\WINDOWS\system32\Data\CTP0061W.DAT ----a-w 219,027 2002-03-22 10:24:46 C:\WINDOWS\system32\Data\CTP0100W.DAT ----a-w 219,027 2002-03-22 10:24:48 C:\WINDOWS\system32\Data\CTP0101W.DAT ----a-w 219,027 2002-03-22 10:24:46 C:\WINDOWS\system32\Data\CTP0102W.DAT ----a-w 219,027 2002-03-22 10:24:48 C:\WINDOWS\system32\Data\CTP0103W.DAT ----a-w 219,027 2002-03-22 10:24:48 C:\WINDOWS\system32\Data\CTP0105W.DAT ----a-w 221,643 2002-07-19 10:02:20 C:\WINDOWS\system32\Data\CTP0221W.DAT ----a-w 221,643 2002-07-19 10:02:20 C:\WINDOWS\system32\Data\CTP0222W.DAT ----a-w 217,365 2002-03-22 10:24:40 C:\WINDOWS\system32\Data\CTP1140W.DAT ----a-w 216,705 2002-03-22 10:24:40 C:\WINDOWS\system32\Data\CTP4620W.DAT ----a-w 216,705 2002-03-22 10:24:40 C:\WINDOWS\system32\Data\CTP4670W.DAT ----a-w 216,705 2002-03-22 10:24:40 C:\WINDOWS\system32\Data\CTP4760W.DAT ----a-w 216,705 2002-03-22 10:24:42 C:\WINDOWS\system32\Data\CTP4780W.DAT ----a-w 216,189 2002-03-22 10:24:44 C:\WINDOWS\system32\Data\CTP4790W.DAT ----a-w 216,705 2002-03-22 10:24:42 C:\WINDOWS\system32\Data\CTP4830W.DAT ----a-w 216,705 2002-03-22 10:24:42 C:\WINDOWS\system32\Data\CTP4831W.DAT ----a-w 216,705 2002-03-22 10:24:44 C:\WINDOWS\system32\Data\CTP4832W.DAT ----a-w 216,189 2002-03-22 10:24:44 C:\WINDOWS\system32\Data\CTP4840W.DAT ----a-w 216,705 2002-03-22 10:24:40 C:\WINDOWS\system32\Data\CTP4850W.DAT ----a-w 216,705 2002-03-22 10:24:40 C:\WINDOWS\system32\Data\CTP4870W.DAT ----a-w 216,705 2002-03-22 10:24:42 C:\WINDOWS\system32\Data\CTP4871W.DAT ----a-w 216,705 2002-03-22 10:24:42 C:\WINDOWS\system32\Data\CTP4872W.DAT ----a-w 216,189 2002-03-22 10:24:44 
C:\WINDOWS\system32\Data\CTP4890W.DAT ----a-w 216,189 2002-03-22 10:24:46 C:\WINDOWS\system32\Data\CTP4891W.DAT ----a-w 216,189 2002-03-22 10:24:46 C:\WINDOWS\system32\Data\CTP4893W.DAT ----a-w 218,823 2002-03-22 10:24:46 C:\WINDOWS\system32\Data\CTPDXW.DAT ----a-w 217,365 2002-03-22 10:24:40 C:\WINDOWS\system32\Data\CTPM002W.DAT ----a-w 210,140 2002-03-22 10:30:12 C:\WINDOWS\system32\Data\CTSBAS2W.DAT ----a-w 216,705 2002-03-22 10:24:52 C:\WINDOWS\system32\Data\CTSBASW.DAT ----a-w 114,944 2002-03-22 10:08:12 C:\WINDOWS\system32\drivers\ctac32k.sys ----a-w 835,636 2002-03-22 10:09:40 C:\WINDOWS\system32\drivers\ctaud2k.sys ----a-w 195,432 2002-03-22 10:09:52 C:\WINDOWS\system32\drivers\ctoss2k.sys ----a-w 11,068 2002-03-22 10:09:54 C:\WINDOWS\system32\drivers\ctprxy2k.sys ----a-w 211,724 2002-03-22 10:10:10 C:\WINDOWS\system32\drivers\ctsfm2k.sys ----a-w 156,604 2002-03-22 10:10:20 C:\WINDOWS\system32\drivers\emupia2k.sys ----a-w 991,656 2002-03-22 10:10:58 C:\WINDOWS\system32\drivers\ha10kx2k.sys . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . 
*Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "nwiz"="nwiz.exe" [2003-11-17 04:33 C:\WINDOWS\system32\nwiz.exe] "NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-11-17 04:33] "avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2007-09-09 02:29] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00] "SoundMan"="SOUNDMAN.EXE" [2003-08-05 07:59 C:\WINDOWS\SOUNDMAN.EXE] "WOOWATCH"="C:\PROGRA~1\Wanadoo\Watch.exe" [2002-12-09 18:24] "WOOTASKBARICON"="C:\PROGRA~1\Wanadoo\TaskbarIcon.exe" [2002-12-09 18:24] "WINDVDPatch"="CTHELPER.EXE" [2002-07-02 17:56 C:\WINDOWS\system32\CTHELPER.EXE] "UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00] "Jet Detection"="C:\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-10-04 01:00] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 00:44] "Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2004-12-28 19:02] [HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce] "tscuninstall"=%systemroot%\system32\tscupgrd.exe [HKEY_USERS\.default\software\microsoft\windows\currentversion\run] "NvMediaCenter"=RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit C:\DOCUME~1\ALLUSE~1\MENUST~1\Programy\AUTOST~1DSLMON.lnk - C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2007-02-22 21:23:20] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Microsoft Office.lnk] path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Microsoft Office.lnk backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jet Detection] "C:\Program 
Files\Creative\SBLive\PROGRAM\ADGJDet.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "Messenger"=2 (0x2) [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-] "NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup R1 sdpiosys;sdpiosys;C:\WINDOWS\system32\drivers\sdpiosys.sys S3 kvpndev;Kerio VPN adapter;C:\WINDOWS\system32\DRIVERS\kvpndrv.sys S3 wdm_tridwave;PCI288-Q3DII PCI Audio Driver (WDM);C:\WINDOWS\system32\drivers\tridwave.sys S4 Universal Printer NT Service;Universal Printer NT Service;"C:\WINDOWS\System32\dllcache\upnt.exe" . ************************************************************************** catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-09-18 18:42:39 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2007-09-18 18:43:37 C:\ComboFix-quarantined-files.txt ... 2007-09-18 18:43 C:\ComboFix2.txt ... 2007-09-17 18:18 . --- E O F ---
Berry
Added
18.09.2007 20:46:27
So... :

HiJackThis:
Logfile of HijackThis v1.99.1
Scan saved at 17:22:49, on 2007-09-18
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\PnkBstrA.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.2.7.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir
PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Creative\SBLive\PROGRAM\ADGJDet.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O8 - Extra context menu item: &Ściągnij przy pomocy FlashGet'a - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: &Ściągnij wszystko przy pomocy FlashGet'a - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all videos using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: Yahoo!
Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: lxbu_device - Lexmark International, Inc.
- C:\WINDOWS\system32\lxbucoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\System32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

SilentRunners:
"Silent Runners.vbs", revision 52, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["sms-express.com"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"avgnt" = ""C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min" ["Avira GmbH"]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"WOOWATCH" = "C:\PROGRA~1\Wanadoo\Watch.exe" ["France Télécom R&D"]
"WOOTASKBARICON" = "C:\PROGRA~1\Wanadoo\TaskbarIcon.exe" ["France Télécom R&D"]
"WINDVDPatch" = "CTHELPER.EXE" ["Creative Technology Ltd"]
"UpdReg" = "C:\WINDOWS\UpdReg.EXE" ["Creative Technology Ltd."]
"Jet Detection" = "C:\Creative\SBLive\PROGRAM\ADGJDet.exe" [empty string]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "AcroIEHlprObj Class"
                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}\(Default) = "flashget urlcatch" -> {HKLM...CLSID} = "FGCatchUrl" \InProcServer32\(Default) = "C:\PROGRA~1\FlashGet\jccatch.dll" ["www.flashget.com"] {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60}\(Default) = "BitComet ClickCapture" -> {HKLM...CLSID} = "BitComet Helper" \InProcServer32\(Default) = "C:\Program Files\BitComet\tools\BitCometBHO_1.1.2.7.dll" ["BitComet"] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided) -> {HKLM...CLSID} = "SSVHelper Class" \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll" ["Sun Microsystems, Inc."] {F156768E-81EF-470C-9057-481BA8380DBA}\(Default) = (no title provided) -> {HKLM...CLSID} = "FlashGet GetFlash Class" \InProcServer32\(Default) = "C:\Program Files\FlashGet\getflash.dll" ["www.flashget.com"] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania" -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania" \InProcServer32\(Default) = "deskpan.dll" [file not found] "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu" -> {HKLM...CLSID} = "HyperTerminal Icon Ext" \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."] "{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer" -> {HKLM...CLSID} = "Desktop Explorer" \InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"] "{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"] "{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu" -> {HKLM...CLSID} = "nView Desktop Context Menu" \InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"] "{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8}" = "jetAudio" -> {HKLM...CLSID} = "JetFlExt" \InProcServer32\(Default) 
= "C:\Program Files\JetAudio\JetFlExt.dll" ["JetAudio, Inc."] "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data] "{19741013-C829-11D1-8233-0020AF3E97A9}" = "CMCUTIL Menu Extension" -> {HKLM...CLSID} = "Cool MP3 Converter ContextMenu" \InProcServer32\(Default) = "C:\PROGRA~1\COOLMP~1\CMCUtil.dll" [null data] "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler" -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook" \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS] "{36A21736-36C2-4C11-8ACB-D4136F2B57BD}" = "AutoCAD Digital Signatures Icon Overlay Handler" -> {HKLM...CLSID} = "AcSignIcon" \InProcServer32\(Default) = "C:\WINDOWS\System32\AcSignIcon.dll" ["Autodesk"] "{AC1DB655-4F9A-4c39-8AD2-A65324A4C446}" = "Autodesk Drawing Preview" -> {HKLM...CLSID} = "ACTHUMBNAIL" \InProcServer32\(Default) = "C:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcThumbnail16.dll" ["Autodesk"] "{46E22146-59C0-4136-9233-FB7720E777B2}" = "EzCddax extension" -> {HKLM...CLSID} = "EzCddax Class" \InProcServer32\(Default) = "C:\Program Files\Easy CD-DA Extractor 10\ezcddax10.dll" [null data] "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning" -> {HKLM...CLSID} = "Shell Extension for Malware scanning" \InProcServer32\(Default) = "C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"] "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player" -> {HKLM...CLSID} = "RealOne Player Context Menu Class" \InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."] HKLM\Software\Classes\*\shellex\ContextMenuHandlersCMCUTIL\(Default) = "{19741013-C829-11D1-8233-0020AF3E97A9}" -> {HKLM...CLSID} = "Cool MP3 Converter ContextMenu" \InProcServer32\(Default) = "C:\PROGRA~1\COOLMP~1\CMCUtil.dll" [null data] 
EzCddax\(Default) = "{46E22146-59C0-4136-9233-FB7720E777B2}" -> {HKLM...CLSID} = "EzCddax Class" \InProcServer32\(Default) = "C:\Program Files\Easy CD-DA Extractor 10\ezcddax10.dll" [null data] MkS_Vir\(Default) = "{E64226E0-9DA1-479E-8265-8D65BA327BD4}" -> {HKLM...CLSID} = "MkS_Vir Shell Extension" \InProcServer32\(Default) = "/u\mksshell.dll" [file not found] Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" -> {HKLM...CLSID} = "Shell Extension for Malware scanning" \InProcServer32\(Default) = "C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"] WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlersjetAudio\(Default) = "{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8}" -> {HKLM...CLSID} = "JetFlExt" \InProcServer32\(Default) = "C:\Program Files\JetAudio\JetFlExt.dll" ["JetAudio, Inc."] WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlersjetAudio\(Default) = "{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8}" -> {HKLM...CLSID} = "JetFlExt" \InProcServer32\(Default) = "C:\Program Files\JetAudio\JetFlExt.dll" ["JetAudio, Inc."] MkS_Vir\(Default) = "{E64226E0-9DA1-479E-8265-8D65BA327BD4}" -> {HKLM...CLSID} = "MkS_Vir Shell Extension" \InProcServer32\(Default) = "/u\mksshell.dll" [file not found] Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" -> {HKLM...CLSID} = "Shell Extension for Malware scanning" \InProcServer32\(Default) = "C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"] WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Program 
Files\WinRAR\rarext.dll" [null data] Default executables: -------------------- HKCU\Software\Classes\.scr\(Default) = "AutoCADScriptFile" <> HKCU\Software\Classes\AutoCADScriptFile\shell\open\command\(Default) = ""C:\WINDOWS\notepad.exe" "%1"" [MS] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System "shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} "undockwithoutlogon" = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General"Wallpaper" = "C:\WINDOWS\Web\Wallpaper\Idylla.bmp" Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop"Wallpaper" = "C:\WINDOWS\Web\Wallpaper\Idylla.bmp" Startup items in "ppp" & "All Users" startup folders: ----------------------------------------------------- C:\Documents and Settings\All Users\Menu Start\Programy\Autostart "DSLMON" -> shortcut to: "C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe /W" [empty string] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS] 000000000003\LibraryPath = 
"%SystemRoot%\System32\mswsock.dll" [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" -> {HKLM...CLSID} = "&Google" \InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."] "{07B18EA9-A523-4961-B6BB-170DE4475CCA}" -> {HKLM...CLSID} = "My Web Search" \InProcServer32\(Default) = "C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL" [file not found] Explorer Bars HKLM\Software\Microsoft\Internet Explorer\Explorer Bars HKLM\Software\Classes\CLSID\{1E0DE227-5CE4-4EA3-AB0C-8B03E1AA76BC}\(Default) = "My Web Search Quick View" Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"MenuText" = "Sun Java Console" "CLSIDExtension" = "{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC}" -> {HKLM...CLSID} = "Java Plug-in 1.6.0_02" \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll" ["Sun Microsystems, Inc."] {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}"ButtonText" = "Yahoo! 
Services" "CLSIDExtension" = "{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}" {D6E814A0-E0C5-11D4-8D29-0050BA6940E3}"ButtonText" = "FlashGet" "MenuText" = "FlashGet" "Exec" = "C:\Program Files\FlashGet\FlashGet.exe" ["FlashGet.com"] {FB5F1910-F110-11D2-BB9E-00C04F795683}"ButtonText" = "Messenger" "MenuText" = "Windows Messenger" "Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ AntiVir PersonalEdition Classic Guard, AntiVirService, "C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe" ["Avira GmbH"] AntiVir PersonalEdition Classic Scheduler, AntiVirScheduler, "C:\Program Files\AntiVir PersonalEdition Classic\sched.exe" ["Avira GmbH"] C-DillaCdaC11BA, C-DillaCdaC11BA, "C:\WINDOWS\System32\drivers\CDAC11BA.EXE" ["Macrovision"] Cyberlink RichVideo Service(CRVS), RichVideo, ""C:\Program Files\CyberLink\Shared Files\RichVideo.exe"" [empty string] NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"] PnkBstrA, PnkBstrA, "C:\WINDOWS\System32\PnkBstrA.exe" [null data] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors6200 Series Port\Driver = "lxbulmpm.DLL" ["Lexmark International, Inc."] Lexmark Print-2-Fax Port\Driver = "LXPRMON.DLL" [null data] ---------- (launch time: 2007-09-18 17:24:57) <>: Suspicious data at a malware launch point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 88 seconds. ---------- (total run time: 140 seconds) ComboFix: ComboFix 07-09-17.2 - "ppp" 2007-09-18 17:27:54.2 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.526 [GMT 2:00] . 
((((((((((((((((((((((((( Files Created from 2007-08-18 to 2007-09-18 ))))))))))))))))))))))))))))))) . 2007-09-18 17:20 d-------- C:\WINDOWS\Tasks 2007-09-17 22:36 0 --a------ C:\WINDOWS\system32\ntkrpamp.exe 2007-09-17 22:36 0 --a------ C:\WINDOWS\system32\ntkrnlmp.exe 2007-09-17 20:58 24 --a------ C:\WINDOWS\system32\DVCStateBkp-{00000000-00000000-0000000A-00001102-00000002-80651102}.dat 2007-09-17 20:58 24 --a------ C:\WINDOWS\system32\DVCState-{00000000-00000000-0000000A-00001102-00000002-80651102}.dat 2007-09-17 20:57 77,824 --a------ C:\WINDOWS\system32\EAXAC3.DLL 2007-09-17 20:57 61,440 --a------ C:\WINDOWS\MIDIDEF.EXE 2007-09-17 20:57 49,152 --a------ C:\WINDOWS\system32\KILLAPPS.EXE 2007-09-17 20:57 36,864 --a------ C:\WINDOWS\system32\sfman32.dll 2007-09-17 20:57 36,864 --a------ C:\WINDOWS\system32\REGPLIB.EXE 2007-09-17 20:47 12,288 --------- C:\WINDOWS\system32\AHQCpURes.dll 2007-09-17 20:47 d-------- C:\Creative 2007-09-17 18:14 51,200 --a------ C:\WINDOWS\NirCmd.exe 2007-09-16 23:19 d-------- C:\VundoFix Backups 2007-09-16 21:22 dr-h----- C:\DOCUME~1\ADMINI~1\Dane aplikacji 2007-09-16 21:22 dr------- C:\DOCUME~1\ADMINI~1\Menu Start 2007-09-16 21:22 d--h----- C:\DOCUME~1\ADMINI~1\Ustawienia lokalne 2007-09-16 21:22 d--h----- C:\DOCUME~1\ADMINI~1\Szablony 2007-09-16 21:22 d-------- C:\DOCUME~1\ADMINI~1\Ulubione 2007-09-16 21:22 d-------- C:\DOCUME~1\ADMINI~1\Pulpit 2007-09-16 21:22 d-------- C:\DOCUME~1\ADMINI~1\Moje dokumenty 2007-08-29 13:42 98,304 --a------ C:\WINDOWS\system32\CmdLineExt.dll 2007-08-27 01:57 d-------- C:\Program Files\Common Files\xing shared . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 
2007-09-18 17:22 5504 --a------ C:\Program Files\hijackthis.log 2007-09-18 17:21 --------- d-------- C:\Program Files\Wanadoo 2007-09-18 00:00 --------- d-------- C:\Program Files\eMule 2007-09-17 20:48 --------- d--h----- C:\Program Files\InstallShield Installation Information 2007-09-17 20:47 --------- d-------- C:\Program Files\Creative 2007-09-17 19:15 --------- d-------- C:\Program Files\Common Files\Macrovision Shared 2007-09-16 23:10 --------- d-------- C:\DOCUME~1\ppp\DANEAP~1\Skype 2007-09-16 21:14 --------- d-------- C:\Program Files\backups 2007-09-16 20:37 --------- d-------- C:\Program Files\SkanerOnline 2007-09-16 19:21 --------- d-------- C:\Program Files\PhotoBrush 2007-09-16 18:49 --------- d-------- C:\Program Files\Avant Browser 2007-09-16 18:35 2275322 --a------ C:\WINDOWS\system32\ntoskrnl.exe 2007-09-16 18:35 2151162 --a------ C:\WINDOWS\system32\ntkrnlpa.exe 2007-09-16 18:35 14336 --a------ C:\WINDOWS\system32\svchost.exe 2007-08-27 17:11 28400 --a------ C:\WINDOWS\system32\drivers\secdrv.sys 2007-08-27 02:02 --------- d-------- C:\DOCUME~1\ppp\DANEAP~1\Real 2007-08-27 01:57 --------- d-------- C:\Program Files\Common Files\Real 2007-08-25 16:11 --------- d-------- C:\Program Files\HighGrow 2007-08-25 14:56 --------- d-------- C:\Program Files\Magix 2007-08-18 18:19 --------- d-------- C:\Program Files\vanBasco's Karaoke Player 2007-08-17 13:40 --------- d-------- C:\Program Files\Prawo Jazdy 2006 2007-08-17 13:40 --------- d-------- C:\Program Files\PCDJ Red 2007-08-14 15:45 --------- d-------- C:\DOCUME~1\ALLUSE~1\DANEAP~1\FLEXnet 2007-08-08 23:30 99904 --a------ C:\WINDOWS\system32\PnkBstrB.exe 2007-08-08 23:30 22584 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys 2007-08-08 11:02 --------- d-------- C:\Program Files\Media_Manager 2007-07-25 16:12 --------- d-------- C:\Program Files\FL Studio 6 2007-07-25 16:09 --------- d-------- C:\Program Files\VstPlugins 2007-07-23 16:01 --------- d-------- C:\Program Files\FlashGet 2007-07-22 
21:22 --------- d-------- C:\Program Files\Windows Media Components 2007-07-22 21:19 --------- d-------- C:\Program Files\DAEMON Tools 2007-07-19 22:45 --------- d-------- C:\Program Files\Riva FLV Encoder 2.0 2007-07-19 22:42 --------- d-------- C:\Program Files\Common Files\SWF Studio 2007-07-18 17:34 --------- d-------- C:\Program Files\BearShare Applications 2007-04-06 12:09 138 --a--c--- C:\Program Files\INSTALL.LOG 2007-03-31 19:28 51232 --a------ C:\Program Files\wwdc.exe 2006-02-08 03:02 73728 --a------ C:\Program Files\KillBox.exe 2005-02-16 12:06 218112 --a------ C:\Program Files\HijackThis.exe 1998-11-15 23:59 578560 --a------ C:\Program Files\Cannamp3.exe . ((((((((((((((((((((((((((((( snapshot_2007-09-17_181812.21 ))))))))))))))))))))))))))))))))))))))))) . ------w 53,552 1994-12-05 01:11:00 C:\WINDOWS\CTCCW.DLL ----a-w 49,152 2002-06-04 05:58:12 C:\WINDOWS\CTDCRES.DLL ------w 24,976 1996-05-23 00:24:00 C:\WINDOWS\CTRES.DLL ----a-w 94,208 2002-07-19 09:08:10 C:\WINDOWS\DEVREG.DLL ----a-w 20,480 2002-06-04 05:45:38 C:\WINDOWS\INRES.DLL ----a-w 184,320 2002-07-19 09:08:02 C:\WINDOWS\PSCONV.EXE ----a-w 176,128 2002-07-19 09:07:52 C:\WINDOWS\READREG.EXE ------w 90,112 2000-05-10 23:00:00 C:\WINDOWS\Updreg.EXE ----a-w 65,536 2002-07-19 08:43:06 C:\WINDOWS\system32\a3d.dll ----a-w 53,248 2002-07-19 09:07:34 C:\WINDOWS\system32\AC3API.DLL ----a-w 110,592 2002-07-19 08:54:10 C:\WINDOWS\system32\COMMONFX.DLL ----a-w 61,440 2002-11-05 09:05:30 C:\WINDOWS\system32\CTAGENT.DLL ----a-w 106,496 2002-07-19 08:54:22 C:\WINDOWS\system32\CTASIO.DLL ----a-w 113,273 2002-07-19 09:07:26 C:\WINDOWS\system32\CTBAS2W.DAT ----a-w 113,373 2002-07-19 09:02:24 C:\WINDOWS\system32\ctbasicw.dat ----a-w 44,055 2002-07-19 08:56:50 C:\WINDOWS\system32\ctdaught.dat ----a-w 319,488 2002-07-19 09:07:42 C:\WINDOWS\system32\CTDEVCON.DLL ----a-w 164,044 2002-07-19 09:07:30 C:\WINDOWS\system32\ctdlang.dat ----a-w 106,496 2002-07-19 08:53:54 C:\WINDOWS\system32\CTDPROXY.DLL ----a-w 36,864 
2002-07-19 08:54:40 C:\WINDOWS\system32\CTEMUPIA.DLL ----a-w 24,576 2002-07-02 15:56:00 C:\WINDOWS\system32\CTHELPER.EXE ------w 26,768 1995-07-13 00:01:00 C:\WINDOWS\system32\CTL3D.DLL ----a-w 155,648 2002-07-19 08:54:16 C:\WINDOWS\system32\CTOSUSER.DLL ----a-w 643,072 2002-07-19 08:55:42 C:\WINDOWS\system32\CTSBLFX.DLL ----a-w 28,672 2002-07-19 09:07:48 C:\WINDOWS\system32\CTSPKHLP.DLL ----a-w 179,669 2002-07-19 08:59:32 C:\WINDOWS\system32\ctstatic.dat ------w 82,432 1995-08-30 00:02:00 C:\WINDOWS\system32\CTWFLT32.DLL ----a-w 135,168 2002-07-19 08:54:50 C:\WINDOWS\system32\OPENAL32.DLL ------w 10,194 2002-06-14 11:49:56 C:\WINDOWS\system32\PFMODNT.SYS ----a-w 110,592 2002-07-19 08:55:00 C:\WINDOWS\system32\PIAPROXY.DLL ------w 84,992 1998-06-05 00:00:00 C:\WINDOWS\system32\SFCVRT32.DLL ------w 1,048,576 1998-01-07 23:00:00 C:\WINDOWS\system32\SFMAN.DAT ----a-w 270,336 2002-07-19 08:56:12 C:\WINDOWS\system32\SFMS32.DLL ----a-w 220,509 2002-07-19 09:02:18 C:\WINDOWS\system32\Data\CT0060W.DAT ----a-w 220,713 2002-07-19 09:02:18 C:\WINDOWS\system32\Data\CTP0060W.DAT ----a-w 220,713 2002-07-19 09:02:20 C:\WINDOWS\system32\Data\CTP0061W.DAT ----a-w 220,713 2002-07-19 09:02:18 C:\WINDOWS\system32\Data\CTP0100W.DAT ----a-w 220,713 2002-07-19 09:02:20 C:\WINDOWS\system32\Data\CTP0101W.DAT ----a-w 220,713 2002-07-19 09:02:18 C:\WINDOWS\system32\Data\CTP0102W.DAT ----a-w 220,713 2002-07-19 09:02:20 C:\WINDOWS\system32\Data\CTP0103W.DAT ----a-w 220,713 2002-07-19 09:02:20 C:\WINDOWS\system32\Data\CTP0105W.DAT ----a-w 221,643 2002-07-19 09:02:20 C:\WINDOWS\system32\Data\CTP0221W.DAT ----a-w 221,643 2002-07-19 09:02:20 C:\WINDOWS\system32\Data\CTP0222W.DAT ----a-w 219,051 2002-07-19 09:02:14 C:\WINDOWS\system32\Data\CTP1140W.DAT ----a-w 218,391 2002-07-19 09:02:14 C:\WINDOWS\system32\Data\CTP4620W.DAT ----a-w 218,391 2002-07-19 09:02:16 C:\WINDOWS\system32\Data\CTP4670W.DAT ----a-w 218,391 2002-07-19 09:02:14 C:\WINDOWS\system32\Data\CTP4760W.DAT ----a-w 218,391 2002-07-19 
09:02:16 C:\WINDOWS\system32\Data\CTP4780W.DAT ----a-w 217,875 2002-07-19 09:02:16 C:\WINDOWS\system32\Data\CTP4790W.DAT ----a-w 218,391 2002-07-19 09:02:16 C:\WINDOWS\system32\Data\CTP4830W.DAT ----a-w 218,391 2002-07-19 09:02:16 C:\WINDOWS\system32\Data\CTP4831W.DAT ----a-w 218,391 2002-07-19 09:02:16 C:\WINDOWS\system32\Data\CTP4832W.DAT ----a-w 217,875 2002-07-19 09:02:18 C:\WINDOWS\system32\Data\CTP4840W.DAT ----a-w 218,391 2002-07-19 09:02:14 C:\WINDOWS\system32\Data\CTP4850W.DAT ----a-w 218,391 2002-07-19 09:02:16 C:\WINDOWS\system32\Data\CTP4870W.DAT ----a-w 218,391 2002-07-19 09:02:16 C:\WINDOWS\system32\Data\CTP4871W.DAT ----a-w 218,391 2002-07-19 09:02:16 C:\WINDOWS\system32\Data\CTP4872W.DAT ----a-w 217,875 2002-07-19 09:02:18 C:\WINDOWS\system32\Data\CTP4890W.DAT ----a-w 217,875 2002-07-19 09:02:18 C:\WINDOWS\system32\Data\CTP4891W.DAT ----a-w 217,875 2002-07-19 09:02:18 C:\WINDOWS\system32\Data\CTP4893W.DAT ----a-w 220,509 2002-07-19 09:02:20 C:\WINDOWS\system32\Data\CTPDXW.DAT ----a-w 219,051 2002-07-19 09:02:14 C:\WINDOWS\system32\Data\CTPM002W.DAT ----a-w 211,126 2002-07-19 09:07:26 C:\WINDOWS\system32\Data\CTSBAS2W.DAT ----a-w 218,391 2002-07-19 09:02:22 C:\WINDOWS\system32\Data\CTSBASW.DAT -c--a-w 65,536 2002-07-19 08:43:06 C:\WINDOWS\system32\dllcache\a3d.dll -c--a-w 60,288 2004-08-03 21:08:00 C:\WINDOWS\system32\dllcache\drmk.sys -c--a-w 10,624 2004-08-03 21:08:22 C:\WINDOWS\system32\dllcache\gameenum.sys -c--a-w 140,928 2004-08-03 21:15:22 C:\WINDOWS\system32\dllcache\ks.sys -c--a-w 4,096 2004-08-03 22:44:02 C:\WINDOWS\system32\dllcache\ksuser.dll -c--a-w 145,792 2004-08-03 21:15:50 C:\WINDOWS\system32\dllcache\portcls.sys -c--a-w 48,640 2004-08-03 21:08:04 C:\WINDOWS\system32\dllcache\stream.sys ----a-w 127,948 2002-07-19 08:46:28 C:\WINDOWS\system32\drivers\ctac32k.sys ----a-w 837,548 2002-07-19 08:47:52 C:\WINDOWS\system32\drivers\ctaud2k.sys ----a-w 195,432 2002-07-19 08:48:04 C:\WINDOWS\system32\drivers\ctoss2k.sys ----a-w 11,068 
2002-07-19 08:48:08 C:\WINDOWS\system32\drivers\ctprxy2k.sys ----a-w 213,860 2002-07-19 08:48:22 C:\WINDOWS\system32\drivers\ctsfm2k.sys ----a-w 156,604 2002-07-19 08:48:32 C:\WINDOWS\system32\drivers\emupia2k.sys ----a-w 998,004 2002-07-24 11:52:26 C:\WINDOWS\system32\drivers\ha10kx2k.sys ----a-w 65,536 2002-07-19 08:43:06 C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\a3d.dll ----a-w 837,548 2002-07-19 08:47:52 C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\ctaud2k.sys ----a-w 113,373 2002-07-19 09:02:24 C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\ctbasicw.dat ----a-w 44,055 2002-07-19 08:56:50 C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\ctdaught.dat ----a-w 164,044 2002-07-19 09:07:30 C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\ctdlang.dat ----a-w 195,432 2002-07-19 08:48:04 C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\ctoss2k.sys ----a-w 179,669 2002-07-19 08:59:32 C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\ctstatic.dat ----a-w 998,004 2002-07-24 11:52:26 C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\ha10kx2k.sys ----a-w 36,864 2001-08-17 12:35:46 C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\sfman32.dll ----a-w 60,288 2004-08-03 21:08:00 C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\i386\drmk.sys ----a-w 140,928 2004-08-03 21:15:22 C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\i386\ks.sys ----a-w 4,096 2004-08-03 22:44:02 C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\i386\ksuser.dll ----a-w 145,792 2004-08-03 21:15:50 C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\i386\portcls.sys ----a-w 48,640 2004-08-03 21:08:04 C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\i386\stream.sys ----a-w 10,624 2004-08-03 21:08:22 C:\WINDOWS\system32\ReinstallBackups\0011\DriverFiles\i386\gameenum.sys ----atw 16,384 2007-09-18 15:23:18 C:\WINDOWS\TEMP\Perflib_Perfdata_d64.dat . 
-c--a-w 53,552 1994-12-05 02:11:00 C:\WINDOWS\CTCCW.DLL ----a-w 36,864 2002-03-22 10:31:20 C:\WINDOWS\CTDCRES.DLL -c--a-w 24,976 1996-05-23 01:24:00 C:\WINDOWS\CTRES.DLL -c--a-w 77,824 2002-03-22 10:31:10 C:\WINDOWS\DEVREG.DLL -c--a-w 20,480 2002-03-22 10:18:58 C:\WINDOWS\INRES.DLL -c--a-w 176,128 2002-03-22 10:30:54 C:\WINDOWS\PSCONV.EXE -c--a-w 159,744 2002-03-22 10:30:44 C:\WINDOWS\READREG.EXE -c--a-w 90,112 2000-05-11 00:00:00 C:\WINDOWS\Updreg.EXE ----a-w 49,152 2002-03-22 10:04:24 C:\WINDOWS\system32\a3d.dll ----a-w 40,960 2002-03-22 10:30:22 C:\WINDOWS\system32\AC3API.DLL ----a-w 110,592 2002-03-22 10:16:02 C:\WINDOWS\system32\COMMONFX.DLL ----a-w 57,344 2002-03-13 13:25:36 C:\WINDOWS\system32\CTAGENT.DLL ----a-w 98,304 2002-03-22 10:16:16 C:\WINDOWS\system32\CTASIO.DLL ----a-w 112,287 2002-03-22 10:30:14 C:\WINDOWS\system32\CTBAS2W.DAT ----a-w 112,387 2002-03-22 10:24:54 C:\WINDOWS\system32\ctbasicw.dat ----a-w 44,055 2002-03-22 10:19:08 C:\WINDOWS\system32\ctdaught.dat ----a-w 307,200 2002-03-22 10:30:34 C:\WINDOWS\system32\CTDEVCON.DLL ----a-w 163,933 2002-03-22 10:30:16 C:\WINDOWS\system32\ctdlang.dat ----a-w 94,208 2002-03-22 10:15:46 C:\WINDOWS\system32\CTDPROXY.DLL ----a-w 36,864 2002-03-22 10:16:36 C:\WINDOWS\system32\CTEMUPIA.DLL ----a-w 40,960 2002-02-07 16:01:24 C:\WINDOWS\system32\CTHELPER.EXE ----a-w 26,768 1995-07-13 01:01:00 C:\WINDOWS\system32\CTL3D.DLL ----a-w 143,360 2002-03-22 10:16:10 C:\WINDOWS\system32\CTOSUSER.DLL ----a-w 643,072 2002-03-22 10:17:42 C:\WINDOWS\system32\CTSBLFX.DLL ----a-w 28,672 2002-07-19 10:07:48 C:\WINDOWS\system32\CTSPKHLP.DLL ----a-w 179,669 2002-03-22 10:22:06 C:\WINDOWS\system32\ctstatic.dat ----a-w 82,432 1995-08-30 01:02:00 C:\WINDOWS\system32\CTWFLT32.DLL ----a-w 122,880 2002-03-22 10:16:46 C:\WINDOWS\system32\OPENAL32.DLL ------w 10,194 2002-06-14 12:49:56 C:\WINDOWS\system32\PFMODNT.SYS ----a-w 98,304 2002-03-22 10:16:56 C:\WINDOWS\system32\PIAPROXY.DLL ----a-w 84,992 1998-06-05 01:00:00 
C:\WINDOWS\system32\SFCVRT32.DLL ----a-w 1,048,576 1998-01-08 00:00:00 C:\WINDOWS\system32\SFMAN.DAT ----a-w 258,048 2002-03-22 10:18:12 C:\WINDOWS\system32\SFMS32.DLL ----a-w 218,823 2002-03-22 10:24:46 C:\WINDOWS\system32\Data\CT0060W.DAT ----a-w 219,027 2002-03-22 10:24:46 C:\WINDOWS\system32\Data\CTP0060W.DAT ----a-w 219,027 2002-03-22 10:24:46 C:\WINDOWS\system32\Data\CTP0061W.DAT ----a-w 219,027 2002-03-22 10:24:46 C:\WINDOWS\system32\Data\CTP0100W.DAT ----a-w 219,027 2002-03-22 10:24:48 C:\WINDOWS\system32\Data\CTP0101W.DAT ----a-w 219,027 2002-03-22 10:24:46 C:\WINDOWS\system32\Data\CTP0102W.DAT ----a-w 219,027 2002-03-22 10:24:48 C:\WINDOWS\system32\Data\CTP0103W.DAT ----a-w 219,027 2002-03-22 10:24:48 C:\WINDOWS\system32\Data\CTP0105W.DAT ----a-w 221,643 2002-07-19 10:02:20 C:\WINDOWS\system32\Data\CTP0221W.DAT ----a-w 221,643 2002-07-19 10:02:20 C:\WINDOWS\system32\Data\CTP0222W.DAT ----a-w 217,365 2002-03-22 10:24:40 C:\WINDOWS\system32\Data\CTP1140W.DAT ----a-w 216,705 2002-03-22 10:24:40 C:\WINDOWS\system32\Data\CTP4620W.DAT ----a-w 216,705 2002-03-22 10:24:40 C:\WINDOWS\system32\Data\CTP4670W.DAT ----a-w 216,705 2002-03-22 10:24:40 C:\WINDOWS\system32\Data\CTP4760W.DAT ----a-w 216,705 2002-03-22 10:24:42 C:\WINDOWS\system32\Data\CTP4780W.DAT ----a-w 216,189 2002-03-22 10:24:44 C:\WINDOWS\system32\Data\CTP4790W.DAT ----a-w 216,705 2002-03-22 10:24:42 C:\WINDOWS\system32\Data\CTP4830W.DAT ----a-w 216,705 2002-03-22 10:24:42 C:\WINDOWS\system32\Data\CTP4831W.DAT ----a-w 216,705 2002-03-22 10:24:44 C:\WINDOWS\system32\Data\CTP4832W.DAT ----a-w 216,189 2002-03-22 10:24:44 C:\WINDOWS\system32\Data\CTP4840W.DAT ----a-w 216,705 2002-03-22 10:24:40 C:\WINDOWS\system32\Data\CTP4850W.DAT ----a-w 216,705 2002-03-22 10:24:40 C:\WINDOWS\system32\Data\CTP4870W.DAT ----a-w 216,705 2002-03-22 10:24:42 C:\WINDOWS\system32\Data\CTP4871W.DAT ----a-w 216,705 2002-03-22 10:24:42 C:\WINDOWS\system32\Data\CTP4872W.DAT ----a-w 216,189 2002-03-22 10:24:44 
C:\WINDOWS\system32\Data\CTP4890W.DAT ----a-w 216,189 2002-03-22 10:24:46 C:\WINDOWS\system32\Data\CTP4891W.DAT ----a-w 216,189 2002-03-22 10:24:46 C:\WINDOWS\system32\Data\CTP4893W.DAT ----a-w 218,823 2002-03-22 10:24:46 C:\WINDOWS\system32\Data\CTPDXW.DAT ----a-w 217,365 2002-03-22 10:24:40 C:\WINDOWS\system32\Data\CTPM002W.DAT ----a-w 210,140 2002-03-22 10:30:12 C:\WINDOWS\system32\Data\CTSBAS2W.DAT ----a-w 216,705 2002-03-22 10:24:52 C:\WINDOWS\system32\Data\CTSBASW.DAT ----a-w 114,944 2002-03-22 10:08:12 C:\WINDOWS\system32\drivers\ctac32k.sys ----a-w 835,636 2002-03-22 10:09:40 C:\WINDOWS\system32\drivers\ctaud2k.sys ----a-w 195,432 2002-03-22 10:09:52 C:\WINDOWS\system32\drivers\ctoss2k.sys ----a-w 11,068 2002-03-22 10:09:54 C:\WINDOWS\system32\drivers\ctprxy2k.sys ----a-w 211,724 2002-03-22 10:10:10 C:\WINDOWS\system32\drivers\ctsfm2k.sys ----a-w 156,604 2002-03-22 10:10:20 C:\WINDOWS\system32\drivers\emupia2k.sys ----a-w 991,656 2002-03-22 10:10:58 C:\WINDOWS\system32\drivers\ha10kx2k.sys . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . 
*Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "nwiz"="nwiz.exe" [2003-11-17 04:33 C:\WINDOWS\system32\nwiz.exe] "NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-11-17 04:33] "avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2007-09-09 02:29] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00] "SoundMan"="SOUNDMAN.EXE" [2003-08-05 07:59 C:\WINDOWS\SOUNDMAN.EXE] "WOOWATCH"="C:\PROGRA~1\Wanadoo\Watch.exe" [2002-12-09 18:24] "WOOTASKBARICON"="C:\PROGRA~1\Wanadoo\TaskbarIcon.exe" [2002-12-09 18:24] "WINDVDPatch"="CTHELPER.EXE" [2002-07-02 17:56 C:\WINDOWS\system32\CTHELPER.EXE] "UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00] "Jet Detection"="C:\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-10-04 01:00] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 00:44] "Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2004-12-28 19:02] [HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce] "Symantec Antivirus professional"=regedit.exe "tscuninstall"=%systemroot%\system32\tscupgrd.exe [HKEY_USERS\.default\software\microsoft\windows\currentversion\runservices] "Microsoft Directx push"=directxpushup.exe [HKEY_USERS\.default\software\microsoft\windows\currentversion\run] "NvMediaCenter"=RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit C:\DOCUME~1\ALLUSE~1\MENUST~1\Programy\AUTOST~1DSLMON.lnk - C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2007-02-22 21:23:20] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Microsoft Office.lnk] path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Microsoft Office.lnk backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared 
tools\msconfig\startupreg\Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "Messenger"=2 (0x2) [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-] "NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup R1 sdpiosys;sdpiosys;C:\WINDOWS\system32\drivers\sdpiosys.sys S3 kvpndev;Kerio VPN adapter;C:\WINDOWS\system32\DRIVERS\kvpndrv.sys S3 wdm_tridwave;PCI288-Q3DII PCI Audio Driver (WDM);C:\WINDOWS\system32\drivers\tridwave.sys S4 Universal Printer NT Service;Universal Printer NT Service;"C:\WINDOWS\System32\dllcache\upnt.exe" . ************************************************************************** catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-09-18 17:28:45 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2007-09-18 17:29:34 C:\ComboFix-quarantined-files.txt ... 2007-09-18 17:29 C:\ComboFix2.txt ... 2007-09-17 18:18 . --- E O F ---
Berry
Added
18.09.2007 19:30:22
  • Żółty 18.09.2007 19:51:07

    Still visible: [quote] HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser"{07B18EA9-A523-4961-B6BB-170DE4475CCA}" -> {HKLM...CLSID} = "My Web Search" \InProcServer32\(Default) = "C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL" [file not found] HKLM\Software\Microsoft\Internet Explorer\Explorer Bars HKLM\Software\Classes\CLSID\{1E0DE227-5CE4-4EA3-AB0C-8B03E1AA76BC}\(Default) = "My Web Search Quick View"[/quote] Check whether MyWebSearch is in Add/Remove Programs; if it is, uninstall it and delete the leftovers: the folder C:\Program Files\MyWebSearch. Delete [quote] C:\WINDOWS\system32\DVCStateBkp-{00000000-00000000-0000000A-00001102-00000002-80651102}.dat C:\WINDOWS\system32\DVCState-{00000000-00000000-0000000A-00001102-00000002-80651102}.dat[/quote] To be deleted from the key HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce: the entry [quote]"Symantec Antivirus professional"=regedit.exe[/quote] and from the key HKEY_USERS\.default\software\microsoft\windows\currentversion\runservices: the entry [quote]"Microsoft Directx push"=directxpushup.exe[/quote] Make the next logs you produce and post in Safe Mode.
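As an added example (not code from this thread or from any of the tools whose output is quoted above), the following Python script applies the kind of triage Żółty is doing by eye: it parses HijackThis 1.99-style O4, O20 and O23 lines and flags the entries a defender should look at first, such as a Winlogon Notify DLL that lives outside System32 (the partnership.dll entry in the logs above), a non-empty AppInit_DLLs value, a Run entry that names a bare executable with no path, or a service with an unknown owner running from outside the Windows or Program Files directories. The sample lines are constructed from entries posted in this thread; the severity labels, the trusted-path roots and the heuristics themselves are my own assumptions, not something HijackThis or ComboFix outputs.

```python
import re

# Constructed sample in HijackThis v1.99 format, modelled on entries posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O20 - AppInit_DLLs: mstsc.dll
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Dokumenty\Settings\partnership.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\System32\PnkBstrA.exe
"""

# Assumed path roots for a default XP layout on drive C: (lower-cased for comparison).
SYSTEM32 = "c:\\windows\\system32\\"
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")

# Line shapes as HijackThis 1.99 prints them.
RE_NOTIFY = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.+)$")
RE_APPINIT = re.compile(r"^O20 - AppInit_DLLs: (.+)$")
RE_RUN = re.compile(r"^O4 - (.+?): \[(.+?)\] (.+)$")
RE_SERVICE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")


def executable_of(command):
    """Return the program part of an O4 command: the quoted path if quoted,
    otherwise the first token (unquoted paths containing spaces are not handled)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    return command.split()[0] if command else ""


def triage_line(line):
    """Classify one HijackThis line. Returns (severity, reason) or None when nothing stands out."""
    m = RE_NOTIFY.match(line)
    if m:
        path = m.group(2).strip()
        # Winlogon Notify DLLs load into winlogon.exe itself; legitimate ones live in System32.
        if not path.lower().startswith(SYSTEM32):
            return ("high", f"Winlogon Notify DLL outside System32: {path}")
        return None
    m = RE_APPINIT.match(line)
    if m:
        # AppInit_DLLs is empty on a clean install; any value is injected into every user32 process.
        return ("review", f"AppInit_DLLs is set ({m.group(1).strip()}); confirm what this DLL is and who installed it")
    m = RE_RUN.match(line)
    if m:
        name, exe = m.group(2), executable_of(m.group(3))
        # A bare file name is resolved via the PATH at logon, so the real binary must be located first.
        if "\\" not in exe:
            return ("review", f"Run entry [{name}] names a bare file '{exe}' with no path; locate the actual binary")
        return None
    m = RE_SERVICE.match(line)
    if m:
        owner, path = m.group(2).strip(), m.group(3).strip()
        if owner == "Unknown owner" and not path.lower().startswith(TRUSTED_ROOTS):
            return ("review", f"Service with no publisher running from {path}")
        return None
    return None


def triage(log_text):
    """Run triage_line over a whole log; returns [(severity, reason, original_line), ...] in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        result = triage_line(line)
        if result:
            findings.append((result[0], result[1], line))
    return findings


if __name__ == "__main__":
    for severity, reason, line in triage(SAMPLE_LOG):
        print(f"[{severity.upper()}] {reason}\n    {line}")
```

Run against the sample, the script flags the partnership.dll Winlogon Notify entry as high, and the AppInit_DLLs value and the bare `nwiz.exe` Run entry for review, while the fully-pathed AntiVir and Gadu-Gadu entries and the services under C:\WINDOWS pass silently. The heuristics are deliberately conservative about what they call clean: a flagged line is a starting point for checking the file's publisher and install date, not a verdict.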

OK, for the scheduled tasks do as I wrote: delete the Windows\Tasks folder and create it again. As for that DLL, just delete it; we'll deal with the rest later. And keep posting the logs ;)
Żółty
Added
18.09.2007 19:11:53
OK, thanks a lot, I'm getting to work :) Edit: I've partly removed things according to the instructions, but: [quote]Open Scheduled Tasks and delete the tasks.[/quote] Do you mean Scheduled Tasks in the Control Panel? If so, it's empty... [quote]HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"DCOM Server 25319" = "{2C1CD3D7-86AC-4068-93BC-A02304B25319}" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\WINDOWS\system32\hcfimsl.dll" [null data][/quote] I can't find the entry... [quote]In Start -> Run type: regsvr32 /u C:\WINDOWS\system32\hcfimsl.dll[/quote] A message pops up saying the function failed...
Berry
Added
18.09.2007 17:43:52
It seemed strange to me that the iexplore.exe process was active non-stop even with Internet Explorer closed and internet access disabled. There was no way to kill that process. I used KillBox to delete the file C:\Program Files\Internet Explorer\iexplore.exe and the problem went away. The internet works fine and there's no suspicious data transfer visible... But now I can't launch Explorer; I suppose it'll have to be reinstalled...?
Berry
Added
17.09.2007 20:57:40
VundoFix didn't find any infected files. Here are the remaining logs:
HiJackThis: Logfile of HijackThis v1.99.1 Scan saved at 18:20:09, on 2007-09-17 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\AntiVir PersonalEdition Classic\sched.exe C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\WINDOWS\System32\drivers\CDAC11BA.EXE C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\System32\PnkBstrA.exe C:\Program Files\CyberLink\Shared Files\RichVideo.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Gadu-Gadu\gg.exe C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\notepad.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\Program Files\HijackThis.exe O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.2.7.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE
C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe O8 - Extra context menu item: &Ściągnij przy pomocy FlashGet'a - C:\PROGRA~1\FlashGet\jc_link.htm O8 - Extra context menu item: &Ściągnij wszystko przy pomocy FlashGet'a - C:\PROGRA~1\FlashGet\jc_all.htm O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm O8 - Extra context menu item: Download all videos using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll O9 - Extra button: Yahoo! 
Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\System32\shdocvw.dll O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\Yinsthelper.dll O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O20 - AppInit_DLLs: mstsc.dll O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Dokumenty\Settings\partnership.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: lxbu_device - Lexmark International, Inc. 
- C:\WINDOWS\system32\lxbucoms.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\System32\PnkBstrA.exe O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe ComboFix: ComboFix 07-09-17.2 - "ppp" 2007-09-17 18:14:46.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.434 [GMT 2:00] * Created a new restore point . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\DOCUME~1\ppp\DANEAP~1\Microsoft\25319.dat C:\Program Files\FunWebProducts C:\Program Files\FunWebProducts\Shared\007FDA78.dat C:\Program Files\FunWebProducts\Shared\Cache\CursorManiaBtn-new.html C:\Program Files\FunWebProducts\Shared\Cache\CursorManiaBtn.html C:\Program Files\FunWebProducts\Shared\Cache\MailStampBtn.html C:\Program Files\FunWebProducts\Shared\Cache\MyStationeryBtn.html C:\Program Files\FunWebProducts\Shared\Cache\SmileyCentralBtn-new.html C:\Program Files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html C:\Program Files\internet explorer\msimg32.dll C:\WINDOWS\exefld C:\WINDOWS\system32\5_exception.nls C:\WINDOWS\system32\away.exe.exe C:\WINDOWS\system32\hcfimsl.dll C:\WINDOWS\system32\svcp.csv C:\WINDOWS\system32\winsub.xml . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) -------\LEGACY_ASC3550U -------\LEGACY_FCI -------\LEGACY_FWDRV.SYS -------\LEGACY_RUNTIME -------\LEGACY_RUNTIME2 -------\LEGACY_SMTPDRV -------\LEGACY_SYSLIBRARY -------\LEGACY_YOOV57 -------\FCI -------\fwdrv.sys -------\smtpdrv ((((((((((((((((((((((((( Files Created from 2007-08-17 to 2007-09-17 ))))))))))))))))))))))))))))))) . 
2007-09-17 18:14 51,200 --a------ C:\WINDOWS\NirCmd.exe 2007-09-17 00:11 0 --a------ C:\WINDOWS\system32\ntkrpamp.exe 2007-09-17 00:11 0 --a------ C:\WINDOWS\system32\ntkrnlmp.exe 2007-09-16 23:19 d-------- C:\VundoFix Backups 2007-09-16 21:22 dr-h----- C:\DOCUME~1\ADMINI~1\Dane aplikacji 2007-09-16 21:22 dr------- C:\DOCUME~1\ADMINI~1\Menu Start 2007-09-16 21:22 d--h----- C:\DOCUME~1\ADMINI~1\Ustawienia lokalne 2007-09-16 21:22 d--h----- C:\DOCUME~1\ADMINI~1\Szablony 2007-09-16 21:22 d-------- C:\DOCUME~1\ADMINI~1\Ulubione 2007-09-16 21:22 d-------- C:\DOCUME~1\ADMINI~1\Pulpit 2007-09-16 21:22 d-------- C:\DOCUME~1\ADMINI~1\Moje dokumenty 2007-09-16 18:35 178,176 --a------ C:\WINDOWS\system32\drivers\Yoov57.sys 2007-09-16 18:35 178,176 --a------ C:\WINDOWS\system32\drivers\symavc32.sys 2007-08-29 13:42 98,304 --a------ C:\WINDOWS\system32\CmdLineExt.dll 2007-08-27 01:57 d-------- C:\Program Files\Common Files\xing shared . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 
2007-09-16 23:10 --------- d-------- C:\DOCUME~1\ppp\DANEAP~1\Skype
2007-09-16 21:25 --------- d-------- C:\Program Files\Wanadoo
2007-09-16 21:14 --------- d-------- C:\Program Files\backups
2007-09-16 20:37 --------- d-------- C:\Program Files\SkanerOnline
2007-09-16 19:21 --------- d-------- C:\Program Files\PhotoBrush
2007-09-16 18:49 --------- d-------- C:\Program Files\Avant Browser
2007-09-16 17:38 --------- d-------- C:\Program Files\eMule
2007-08-29 13:18 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-27 17:11 28400 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
2007-08-27 02:02 --------- d-------- C:\DOCUME~1\ppp\DANEAP~1\Real
2007-08-27 01:57 --------- d-------- C:\Program Files\Common Files\Real
2007-08-25 16:11 --------- d-------- C:\Program Files\HighGrow
2007-08-25 14:56 --------- d-------- C:\Program Files\Magix
2007-08-18 18:19 --------- d-------- C:\Program Files\vanBasco's Karaoke Player
2007-08-17 13:40 --------- d-------- C:\Program Files\Prawo Jazdy 2006
2007-08-17 13:40 --------- d-------- C:\Program Files\PCDJ Red
2007-08-14 15:45 --------- d-------- C:\DOCUME~1\ALLUSE~1\DANEAP~1\FLEXnet
2007-08-14 15:36 --------- d-------- C:\Program Files\Bonjour
2007-08-14 15:25 --------- d-------- C:\Program Files\Common Files\Macrovision Shared
2007-08-08 23:30 22584 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-08-08 11:02 --------- d-------- C:\Program Files\Media_Manager
2007-07-25 16:12 --------- d-------- C:\Program Files\FL Studio 6
2007-07-25 16:09 --------- d-------- C:\Program Files\VstPlugins
2007-07-23 16:01 --------- d-------- C:\Program Files\FlashGet
2007-07-22 21:22 --------- d-------- C:\Program Files\Windows Media Components
2007-07-22 21:19 --------- d-------- C:\Program Files\DAEMON Tools
2007-07-19 22:45 --------- d-------- C:\Program Files\Riva FLV Encoder 2.0
2007-07-19 22:42 --------- d-------- C:\Program Files\Common Files\SWF Studio
2007-07-18 17:34 --------- d-------- C:\Program Files\BearShare Applications
2007-07-17 19:26 --------- d-------- C:\DOCUME~1\ALLUSE~1\DANEAP~1\InstallShield
2007-06-26 22:27 6148 --a------ C:\Program Files\hijackthis.log
2007-04-06 12:09 138 --a--c--- C:\Program Files\INSTALL.LOG
2007-03-31 19:28 51232 --a------ C:\Program Files\wwdc.exe
2006-02-08 03:02 73728 --a------ C:\Program Files\KillBox.exe
2005-02-16 12:06 218112 --a------ C:\Program Files\HijackThis.exe
1998-11-15 23:59 578560 --a------ C:\Program Files\Cannamp3.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2003-11-17 04:33 C:\WINDOWS\system32\nwiz.exe]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-11-17 04:33]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2007-09-09 02:29]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"SoundMan"="SOUNDMAN.EXE" [2003-08-05 07:59 C:\WINDOWS\SOUNDMAN.EXE]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 00:44]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2004-12-28 19:02]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"Symantec Antivirus professional"=regedit.exe
"tscuninstall"=%systemroot%\system32\tscupgrd.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runservices]
"Microsoft Directx push"=directxpushup.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"NvMediaCenter"=RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
"Symantec Antivirus professional"=regedit.exe
"Microsoft Directx push"=directxpushup.exe
"Windows Service Update"=C:\WINDOWS\System32\crsss.exe
"Offices Monitorse"=C:\WINDOWS\System32\algose32.exe

C:\DOCUME~1\ALLUSE~1\MENUST~1\Programy\AUTOST~1\DSLMON.lnk - C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2007-02-22 21:23:20]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\partnershipreg]
C:\Documents and Settings\All Users\Dokumenty\Settings\partnership.dll 2007-09-16 18:35 14341 C:\Documents and Settings\All Users\Dokumenty\Settings\partnership.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=mstsc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gadu-Gadu]
"C:\Program Files\Gadu-Gadu\gg.exe" /tray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jet Detection]
"C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Messenger"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

R1 sdpiosys;sdpiosys;C:\WINDOWS\system32\drivers\sdpiosys.sys
S3 kvpndev;Kerio VPN adapter;C:\WINDOWS\system32\DRIVERS\kvpndrv.sys
S3 msdirectxpushup;msdirectxpushup;\??\C:\Documents and Settings\ppp\msdirectxpush.sys
S3 wdm_tridwave;PCI288-Q3DII PCI Audio Driver (WDM);C:\WINDOWS\system32\drivers\tridwave.sys
S4 regsrvr2.exe;regsrvr2.exe;"C:\WINDOWS\system\regsrvr2.exe"
S4 Universal Printer NT Service;Universal Printer NT Service;"C:\WINDOWS\System32\dllcache\upnt.exe"
.
Contents of the 'Scheduled Tasks' folder
"2007-09-11 22:00:00 C:\WINDOWS\Tasks\At1.job" - C:\WINDOWS\system32\Ir7NLw3r.exe
"2007-08-29 07:00:00 C:\WINDOWS\Tasks\At10.job" - C:\WINDOWS\system32\Ir7NLw3r.exe
"2007-09-07 08:00:00 C:\WINDOWS\Tasks\At11.job" - C:\WINDOWS\system32\Ir7NLw3r.exe
"2007-09-07 09:00:00 C:\WINDOWS\Tasks\At12.job" - C:\WINDOWS\system32\Ir7NLw3r.exe
"2007-09-16 10:00:00 C:\WINDOWS\Tasks\At13.job" - C:\WINDOWS\system32\Ir7NLw3r.exe
"2007-09-16 11:00:00 C:\WINDOWS\Tasks\At14.job" - C:\WINDOWS\system32\Ir7NLw3r.exe
"2007-09-16 12:00:00 C:\WINDOWS\Tasks\At15.job" - C:\WINDOWS\system32\Ir7NLw3r.exe
"2007-09-16 13:00:00 C:\WINDOWS\Tasks\At16.job"
"2007-09-16 14:00:00 C:\WINDOWS\Tasks\At17.job" - C:\WINDOWS\system32\Ir7NLw3r.exe
"2007-09-16 15:00:00 C:\WINDOWS\Tasks\At18.job" - C:\WINDOWS\system32\Ir7NLw3r.exe
"2007-09-16 16:00:00 C:\WINDOWS\Tasks\At19.job" - C:\WINDOWS\system32\Ir7NLw3r.exe
"2007-09-10 23:00:00 C:\WINDOWS\Tasks\At2.job" - C:\WINDOWS\system32\Ir7NLw3r.exe
"2007-09-16 17:00:00 C:\WINDOWS\Tasks\At20.job" - C:\WINDOWS\system32\Ir7NLw3r.exe
"2007-09-16 18:00:00 C:\WINDOWS\Tasks\At21.job" - C:\WINDOWS\system32\Ir7NLw3r.exe
"2007-09-16 19:00:00 C:\WINDOWS\Tasks\At22.job" - C:\WINDOWS\system32\Ir7NLw3r.exe
"2007-09-16 20:00:00 C:\WINDOWS\Tasks\At23.job" - C:\WINDOWS\system32\Ir7NLw3r.exe
"2007-09-16 21:00:00 C:\WINDOWS\Tasks\At24.job" - C:\WINDOWS\system32\Ir7NLw3r.exe
"2007-09-11 00:00:00 C:\WINDOWS\Tasks\At3.job" - C:\WINDOWS\system32\Ir7NLw3r.exe
"2007-09-11 01:00:00 C:\WINDOWS\Tasks\At4.job" - C:\WINDOWS\system32\Ir7NLw3r.exe
"2007-09-11 02:00:00 C:\WINDOWS\Tasks\At5.job"
"2007-09-11 03:00:00 C:\WINDOWS\Tasks\At6.job" - C:\WINDOWS\system32\Ir7NLw3r.exe
"2007-09-16 04:00:00 C:\WINDOWS\Tasks\At7.job" - C:\WINDOWS\system32\Ir7NLw3r.exe
"2007-09-11 05:00:00 C:\WINDOWS\Tasks\At8.job"
"2007-09-10 06:00:00 C:\WINDOWS\Tasks\At9.job" - C:\WINDOWS\system32\Ir7NLw3r.exe
.
************************************************************************** catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-09-17 18:17:41 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2007-09-17 18:18:46 - machine was rebooted C:\ComboFix-quarantined-files.txt ... 2007-09-17 18:18 . --- E O F --- SilentRunners: "Silent Runners.vbs", revision 52, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by "{++}" Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} "MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS] "Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["sms-express.com"] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} "nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"] "NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS] "avgnt" = ""C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min" ["Avira GmbH"] "SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"" ["Sun Microsystems, Inc."] "SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided) -> {HKLM...CLSID} = "AcroIEHlprObj Class" \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"] {2F364306-AA45-47B5-9F9D-39A8B94E7EF7}\(Default) = "flashget urlcatch" -> {HKLM...CLSID} = "FGCatchUrl" \InProcServer32\(Default) = "C:\PROGRA~1\FlashGet\jccatch.dll" ["www.flashget.com"] 
{39F7E362-828A-4B5A-BCAF-5B79BFDFEA60}\(Default) = "BitComet ClickCapture" -> {HKLM...CLSID} = "BitComet Helper" \InProcServer32\(Default) = "C:\Program Files\BitComet\tools\BitCometBHO_1.1.2.7.dll" ["BitComet"] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided) -> {HKLM...CLSID} = "SSVHelper Class" \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll" ["Sun Microsystems, Inc."] {F156768E-81EF-470C-9057-481BA8380DBA}\(Default) = (no title provided) -> {HKLM...CLSID} = "FlashGet GetFlash Class" \InProcServer32\(Default) = "C:\Program Files\FlashGet\getflash.dll" ["www.flashget.com"] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania" -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania" \InProcServer32\(Default) = "deskpan.dll" [file not found] "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu" -> {HKLM...CLSID} = "HyperTerminal Icon Ext" \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."] "{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer" -> {HKLM...CLSID} = "Desktop Explorer" \InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"] "{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"] "{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu" -> {HKLM...CLSID} = "nView Desktop Context Menu" \InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"] "{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8}" = "jetAudio" -> {HKLM...CLSID} = "JetFlExt" \InProcServer32\(Default) = "C:\Program Files\JetAudio\JetFlExt.dll" ["JetAudio, Inc."] "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = 
"C:\Program Files\WinRAR\rarext.dll" [null data] "{19741013-C829-11D1-8233-0020AF3E97A9}" = "CMCUTIL Menu Extension" -> {HKLM...CLSID} = "Cool MP3 Converter ContextMenu" \InProcServer32\(Default) = "C:\PROGRA~1\COOLMP~1\CMCUtil.dll" [null data] "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler" -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook" \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS] "{36A21736-36C2-4C11-8ACB-D4136F2B57BD}" = "AutoCAD Digital Signatures Icon Overlay Handler" -> {HKLM...CLSID} = "AcSignIcon" \InProcServer32\(Default) = "C:\WINDOWS\System32\AcSignIcon.dll" ["Autodesk"] "{AC1DB655-4F9A-4c39-8AD2-A65324A4C446}" = "Autodesk Drawing Preview" -> {HKLM...CLSID} = "ACTHUMBNAIL" \InProcServer32\(Default) = "C:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcThumbnail16.dll" ["Autodesk"] "{46E22146-59C0-4136-9233-FB7720E777B2}" = "EzCddax extension" -> {HKLM...CLSID} = "EzCddax Class" \InProcServer32\(Default) = "C:\Program Files\Easy CD-DA Extractor 10\ezcddax10.dll" [null data] "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning" -> {HKLM...CLSID} = "Shell Extension for Malware scanning" \InProcServer32\(Default) = "C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"] "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player" -> {HKLM...CLSID} = "RealOne Player Context Menu Class" \InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler<> "{2C1CD3D7-86AC-4068-93BC-A02304B25319}" = "DCOM Server 25319" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\WINDOWS\system32\hcfimsl.dll" [null data] HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"DCOM Server 25319" = "{2C1CD3D7-86AC-4068-93BC-A02304B25319}" -> {HKLM...CLSID} = (no title 
provided) \InProcServer32\(Default) = "C:\WINDOWS\system32\hcfimsl.dll" [null data] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows<> "AppInit_DLLs" = "mstsc.dll " [file not found] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify<> partnershipreg\DLLName = "C:\Documents and Settings\All Users\Dokumenty\Settings\partnership.dll" [null data] HKLM\Software\Classes\*\shellex\ContextMenuHandlersCMCUTIL\(Default) = "{19741013-C829-11D1-8233-0020AF3E97A9}" -> {HKLM...CLSID} = "Cool MP3 Converter ContextMenu" \InProcServer32\(Default) = "C:\PROGRA~1\COOLMP~1\CMCUtil.dll" [null data] EzCddax\(Default) = "{46E22146-59C0-4136-9233-FB7720E777B2}" -> {HKLM...CLSID} = "EzCddax Class" \InProcServer32\(Default) = "C:\Program Files\Easy CD-DA Extractor 10\ezcddax10.dll" [null data] MkS_Vir\(Default) = "{E64226E0-9DA1-479E-8265-8D65BA327BD4}" -> {HKLM...CLSID} = "MkS_Vir Shell Extension" \InProcServer32\(Default) = "/u\mksshell.dll" [file not found] Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" -> {HKLM...CLSID} = "Shell Extension for Malware scanning" \InProcServer32\(Default) = "C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"] WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlersjetAudio\(Default) = "{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8}" -> {HKLM...CLSID} = "JetFlExt" \InProcServer32\(Default) = "C:\Program Files\JetAudio\JetFlExt.dll" ["JetAudio, Inc."] WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlersjetAudio\(Default) = "{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8}" -> {HKLM...CLSID} = "JetFlExt" \InProcServer32\(Default) = "C:\Program 
Files\JetAudio\JetFlExt.dll" ["JetAudio, Inc."] MkS_Vir\(Default) = "{E64226E0-9DA1-479E-8265-8D65BA327BD4}" -> {HKLM...CLSID} = "MkS_Vir Shell Extension" \InProcServer32\(Default) = "/u\mksshell.dll" [file not found] Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" -> {HKLM...CLSID} = "Shell Extension for Malware scanning" \InProcServer32\(Default) = "C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"] WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data] Default executables: -------------------- HKCU\Software\Classes\.scr\(Default) = "AutoCADScriptFile" <> HKCU\Software\Classes\AutoCADScriptFile\shell\open\command\(Default) = ""C:\WINDOWS\notepad.exe" "%1"" [MS] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableRegistryTools" = (REG_DWORD) hex:0x00000000 {User Configuration|Administrative Templates|System| Prevent access to registry editing tools} HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System "shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} "undockwithoutlogon" = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General"Wallpaper" = 
"C:\WINDOWS\Web\Wallpaper\Idylla.bmp" Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop"Wallpaper" = "C:\WINDOWS\Web\Wallpaper\Idylla.bmp" Startup items in "ppp" & "All Users" startup folders: ----------------------------------------------------- C:\Documents and Settings\All Users\Menu Start\Programy\Autostart "DSLMON" -> shortcut to: "C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe /W" [empty string] Enabled Scheduled Tasks: ------------------------ "At1" -> launches: "C:\WINDOWS\system32\Ir7NLw3r.exe" [file not found] "At10" -> launches: "C:\WINDOWS\system32\Ir7NLw3r.exe" [file not found] "At11" -> launches: "C:\WINDOWS\system32\Ir7NLw3r.exe" [file not found] "At12" -> launches: "C:\WINDOWS\system32\Ir7NLw3r.exe" [file not found] "At13" -> launches: "C:\WINDOWS\system32\Ir7NLw3r.exe" [file not found] "At14" -> launches: "C:\WINDOWS\system32\Ir7NLw3r.exe" [file not found] "At15" -> launches: "C:\WINDOWS\system32\Ir7NLw3r.exe" [file not found] "At16" -> launches: "C:\WINDOWS\system32\Ir7NLw3r.exe" [file not found] "At17" -> launches: "C:\WINDOWS\system32\Ir7NLw3r.exe" [file not found] "At18" -> launches: "C:\WINDOWS\system32\Ir7NLw3r.exe" [file not found] "At19" -> launches: "C:\WINDOWS\system32\Ir7NLw3r.exe" [file not found] "At2" -> launches: "C:\WINDOWS\system32\Ir7NLw3r.exe" [file not found] "At20" -> launches: "C:\WINDOWS\system32\Ir7NLw3r.exe" [file not found] "At21" -> launches: "C:\WINDOWS\system32\Ir7NLw3r.exe" [file not found] "At22" -> launches: "C:\WINDOWS\system32\Ir7NLw3r.exe" [file not found] "At23" -> launches: "C:\WINDOWS\system32\Ir7NLw3r.exe" [file not found] "At24" -> launches: "C:\WINDOWS\system32\Ir7NLw3r.exe" [file not found] "At3" -> launches: "C:\WINDOWS\system32\Ir7NLw3r.exe" [file not found] "At4" -> launches: "C:\WINDOWS\system32\Ir7NLw3r.exe" [file not found] "At5" -> launches: "C:\WINDOWS\system32\Ir7NLw3r.exe" [file not found] "At6" -> launches: 
"C:\WINDOWS\system32\Ir7NLw3r.exe" [file not found] "At7" -> launches: "C:\WINDOWS\system32\Ir7NLw3r.exe" [file not found] "At8" -> launches: "C:\WINDOWS\system32\Ir7NLw3r.exe" [file not found] "At9" -> launches: "C:\WINDOWS\system32\Ir7NLw3r.exe" [file not found] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS] 000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 000000000004\LibraryPath = "C:\Program Files\Bonjour\mdnsNSP.dll" ["Apple Computer, Inc."] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" -> {HKLM...CLSID} = "&Google" \InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."] "{07B18EA9-A523-4961-B6BB-170DE4475CCA}" -> {HKLM...CLSID} = "My Web Search" \InProcServer32\(Default) = "C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL" [file not found] Explorer Bars HKLM\Software\Microsoft\Internet Explorer\Explorer Bars HKLM\Software\Classes\CLSID\{1E0DE227-5CE4-4EA3-AB0C-8B03E1AA76BC}\(Default) = "My Web Search Quick View" Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet 
Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC}"
-> {HKLM...CLSID} = "Java Plug-in 1.6.0_02"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll" ["Sun Microsystems, Inc."]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\
"ButtonText" = "Yahoo! Services"
"CLSIDExtension" = "{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}"
{D6E814A0-E0C5-11D4-8D29-0050BA6940E3}\
"ButtonText" = "FlashGet"
"MenuText" = "FlashGet"
"Exec" = "C:\Program Files\FlashGet\FlashGet.exe" ["FlashGet.com"]
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
AntiVir PersonalEdition Classic Guard, AntiVirService, "C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe" ["Avira GmbH"]
AntiVir PersonalEdition Classic Scheduler, AntiVirScheduler, "C:\Program Files\AntiVir PersonalEdition Classic\sched.exe" ["Avira GmbH"]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
PnkBstrA, PnkBstrA, "C:\WINDOWS\System32\PnkBstrA.exe" [null data]

Print Monitors:
---------------
HKLM\System\CurrentControlSet\Control\Print\Monitors\
6200 Series Port\Driver = "lxbulmpm.DLL" ["Lexmark International, Inc."]
Lexmark Print-2-Fax Port\Driver = "LXPRMON.DLL" [null data]

----------
(launch time: 2007-09-17 18:09:34)
<>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives took 129 seconds.
---------- (total run time: 207 seconds)

Regards!
Berry
Added
17.09.2007 20:21:52
Żółty 18.09.2007 11:35:17

[quote=Berry] Here are the remaining logs:[/quote]
Well, there is a pile of junk visible here. For deletion:
[quote] C:\WINDOWS\system32\drivers\Yoov57.sys C:\WINDOWS\system32\drivers\symavc32.sys[/quote]
The second one - [url]http://www.sophos.com/security/analyses/trojagentfzv.html[/url] - Advanced - so clear out the Temp folders. We will remove the service later.

From the key HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce remove the entries
"Symantec Antivirus professional"=[b]regedit.exe[/b]
From the key HKEY_USERS\.default\software\microsoft\windows\currentversion\runservices the entry
"Microsoft Directx push"=[b]directxpushup.exe[/b]
From the key HKEY_USERS\.default\software\microsoft\windows\currentversion\run
"Symantec Antivirus professional"=regedit.exe
"Microsoft Directx push"=directxpushup.exe
"Windows Service Update"=C:\WINDOWS\System32\[b]crsss.exe[/b]
"Offices Monitorse"=C:\WINDOWS\System32\[b]algose32.exe[/b]
The last one - [url]http://www.sophos.com/security/analyses/w32rbotgdd.html[/url]

Delete the key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\partnershipreg but first delete the file C:\Documents and Settings\All Users\Dokumenty\Settings\partnership.dll with Killbox.
In the key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows clear the entry "appinit_dlls"=mstsc.dll

Services to remove:
S3 msdirectxpushup;msdirectxpushup;\??\C:\Documents and Settings\ppp\[b]msdirectxpush.sys[/b]
S4 regsrvr2.exe;regsrvr2.exe;"C:\WINDOWS\system\[b]regsrvr2.exe[/b]"
At the command prompt type
[quote] sc stop msdirectxpushup
sc delete msdirectxpushup
sc stop regsrvr2.exe
sc delete regsrvr2.exe [/quote]
Delete the files in bold.
Open Scheduled Tasks and delete the tasks. The file in bold too.
[quote] Contents of the 'Scheduled Tasks' folder
"2007-09-11 22:00:00 C:\WINDOWS\Tasks\At1.job" - C:\WINDOWS\system32\[b]Ir7NLw3r.exe[/b]
"2007-08-29 07:00:00 C:\WINDOWS\Tasks\At10.job" - C:\WINDOWS\system32\Ir7NLw3r.exe
"2007-09-07 08:00:00 C:\WINDOWS\Tasks\At11.job" - C:\WINDOWS\system32\Ir7NLw3r.exe
"2007-09-07 09:00:00 C:\WINDOWS\Tasks\At12.job" - C:\WINDOWS\system32\Ir7NLw3r.exe
"2007-09-16 10:00:00 C:\WINDOWS\Tasks\At13.job" - C:\WINDOWS\system32\Ir7NLw3r.exe
"2007-09-16 11:00:00 C:\WINDOWS\Tasks\At14.job" - C:\WINDOWS\system32\Ir7NLw3r.exe
"2007-09-16 12:00:00 C:\WINDOWS\Tasks\At15.job" - C:\WINDOWS\system32\Ir7NLw3r.exe
"2007-09-16 13:00:00 C:\WINDOWS\Tasks\At16.job"
"2007-09-16 14:00:00 C:\WINDOWS\Tasks\At17.job" - C:\WINDOWS\system32\Ir7NLw3r.exe
"2007-09-16 15:00:00 C:\WINDOWS\Tasks\At18.job" - C:\WINDOWS\system32\Ir7NLw3r.exe
"2007-09-16 16:00:00 C:\WINDOWS\Tasks\At19.job" - C:\WINDOWS\system32\Ir7NLw3r.exe
"2007-09-10 23:00:00 C:\WINDOWS\Tasks\At2.job" - C:\WINDOWS\system32\Ir7NLw3r.exe
"2007-09-16 17:00:00 C:\WINDOWS\Tasks\At20.job" - C:\WINDOWS\system32\Ir7NLw3r.exe
"2007-09-16 18:00:00 C:\WINDOWS\Tasks\At21.job" - C:\WINDOWS\system32\Ir7NLw3r.exe
"2007-09-16 19:00:00 C:\WINDOWS\Tasks\At22.job" - C:\WINDOWS\system32\Ir7NLw3r.exe
"2007-09-16 20:00:00 C:\WINDOWS\Tasks\At23.job" - C:\WINDOWS\system32\Ir7NLw3r.exe
"2007-09-16 21:00:00 C:\WINDOWS\Tasks\At24.job" - C:\WINDOWS\system32\Ir7NLw3r.exe
"2007-09-11 00:00:00 C:\WINDOWS\Tasks\At3.job" - C:\WINDOWS\system32\Ir7NLw3r.exe
"2007-09-11 01:00:00 C:\WINDOWS\Tasks\At4.job" - C:\WINDOWS\system32\Ir7NLw3r.exe
"2007-09-11 02:00:00 C:\WINDOWS\Tasks\At5.job"
"2007-09-11 03:00:00 C:\WINDOWS\Tasks\At6.job" - C:\WINDOWS\system32\Ir7NLw3r.exe
"2007-09-16 04:00:00 C:\WINDOWS\Tasks\At7.job" - C:\WINDOWS\system32\Ir7NLw3r.exe
"2007-09-11 05:00:00 C:\WINDOWS\Tasks\At8.job"
"2007-09-10 06:00:00 C:\WINDOWS\Tasks\At9.job" - C:\WINDOWS\system32\Ir7NLw3r.exe [/quote]
If it doesn't go the normal way, then at the command prompt (Start -> Run -> cmd) issue the commands
[quote] rd /q /s C:\WINDOWS\Tasks
mkdir C:\WINDOWS\Tasks[/quote]
There is something else here
[quote] HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"DCOM Server 25319" = "{2C1CD3D7-86AC-4068-93BC-A02304B25319}" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\WINDOWS\system32\hcfimsl.dll" [null data][/quote]
In Start -> Run type [quote]regsvr32 /u C:\WINDOWS\system32\hcfimsl.dll[/quote] and delete the file C:\WINDOWS\system32\hcfimsl.dll.
Delete the files in bold.
Be careful with the files regedit.exe and crsss.exe. The first - the name is correct, the devil knows where it is being launched from. The proper regedit.exe should be in C:\Windows; delete all other occurrences - maybe also copy a fresh regedit from the installation CD and replace the existing one. The second - don't confuse it with the system csrss.exe - the order of two letters in the name is different.
You have so much of this that I may have missed something. Clean up what I pointed out and, of course, new logs - ComboFix, Silent Runners and Hijack.
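Żółty's reply above picks the bad autostart entries out of the ComboFix "Reg Loading Points" block by eye: a system-binary lookalike (crsss.exe), a bare filename under HKEY_USERS\.default, a Winlogon Notify DLL living under Documents and Settings, a populated AppInit_DLLs, drivers in odd folders, and a batch of At*.job tasks all firing one file. The script below is an added example, not code from this thread, from ComboFix or from any tool named here; it applies those same judgements mechanically to SAMPLE_LOG, a constructed copy of the shape of the entries quoted in the thread. SYSTEM_NAMES, the 0.85 similarity cutoff, the min_jobs threshold and the sample lines are the editor's assumptions.

```python
"""Autostart triage over ComboFix-style log lines (added example).

Editor's heuristics, not ComboFix's. SAMPLE_LOG is constructed to mirror the
2007 ComboFix layout quoted in this thread: a bracketed registry key followed
by "name"=command values, driver lines as "S3 name;display;path", and task
lines as "<when> <job>" - <target>.
"""
import re
from collections import defaultdict
from difflib import SequenceMatcher

# Assumption: XP-era core binaries that malware imitates by shuffling letters
# (csrss.exe -> crsss.exe as in this thread). Extend for other OS versions.
SYSTEM_NAMES = {"csrss.exe", "lsass.exe", "svchost.exe", "winlogon.exe",
                "services.exe", "smss.exe", "spoolsv.exe", "explorer.exe"}

KEY = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
VALUE = re.compile(r'^"(?P<name>[^"]+)"=(?P<cmd>.+?)(?:\s+\[\d{4}-\d\d-\d\d[^\]]*\])?$')
SERVICE = re.compile(r"^[RS]\d\s+(?P<svc>[^;]+);[^;]*;(?P<path>.+)$")
TASK = re.compile(r'^"[\d\- :]+ (?P<job>[^"]+\\At\d+\.job)" - (?P<target>.+)$')
PROFILE_DIR = re.compile(r"\\documents and settings\\", re.IGNORECASE)

# Constructed sample in the log's format (not the poster's actual file).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2003-11-17 04:33 C:\WINDOWS\system32\nwiz.exe]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2007-09-09 02:29]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Symantec Antivirus professional"=regedit.exe
"Windows Service Update"=C:\WINDOWS\System32\crsss.exe
"Offices Monitorse"=C:\WINDOWS\System32\algose32.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\partnershipreg]
C:\Documents and Settings\All Users\Dokumenty\Settings\partnership.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=mstsc.dll
S3 kvpndev;Kerio VPN adapter;C:\WINDOWS\system32\DRIVERS\kvpndrv.sys
S3 msdirectxpushup;msdirectxpushup;\??\C:\Documents and Settings\ppp\msdirectxpush.sys
S4 regsrvr2.exe;regsrvr2.exe;"C:\WINDOWS\system\regsrvr2.exe"
"2007-09-11 22:00:00 C:\WINDOWS\Tasks\At1.job" - C:\WINDOWS\system32\Ir7NLw3r.exe
"2007-09-10 23:00:00 C:\WINDOWS\Tasks\At2.job" - C:\WINDOWS\system32\Ir7NLw3r.exe
"2007-09-11 00:00:00 C:\WINDOWS\Tasks\At3.job" - C:\WINDOWS\system32\Ir7NLw3r.exe
"""


def exe_of(cmd):
    """First token of a Run-value command line, with surrounding quotes removed."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split()[0]


def lookalike(filename):
    """System binary that `filename` imitates (a letter swapped or changed),
    or None when it is the genuine name or nothing is close."""
    low = filename.lower()
    if low in SYSTEM_NAMES:
        return None
    for real in sorted(SYSTEM_NAMES):
        if SequenceMatcher(None, low, real).ratio() >= 0.85:
            return real
    return None


def triage(log_text, min_jobs=3):
    """Return (what, evidence, reason) findings for a block of ComboFix output."""
    findings, key = [], ""
    job_targets = defaultdict(list)
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY.match(line)
        if m:
            key = m.group("key").lower()
            continue
        m = TASK.match(line)
        if m:
            job_targets[m.group("target")].append(m.group("job"))
            continue
        m = SERVICE.match(line)
        if m:
            path = m.group("path").strip().strip('"').replace("\\??\\", "")
            if PROFILE_DIR.search(path):
                findings.append(("service", m.group("svc"), "driver/service binary inside a user profile directory"))
            elif re.search(r"\\windows\\(system|system32\\dllcache)\\", path, re.IGNORECASE):
                findings.append(("service", m.group("svc"), "binary in a folder no installer normally uses for services"))
            continue
        if "\\winlogon\\notify\\" in key and re.match(r"^[a-z]:\\", line, re.IGNORECASE):
            if "\\system32\\" not in line.lower():
                findings.append(("winlogon_notify", line, "Notify DLL outside system32; winlogon.exe loads it at logon, so delete the file before the key"))
            continue
        m = VALUE.match(line)
        if not m:
            continue
        name, cmd = m.group("name"), m.group("cmd")
        if name.lower() == "appinit_dlls" and cmd.strip():
            findings.append(("appinit", cmd.strip(), "AppInit_DLLs is empty on a clean XP install; listed DLLs load into every process that uses user32.dll"))
        elif "\\run" in key:  # Run, RunOnce, RunServices
            exe = exe_of(cmd)
            real = lookalike(exe.rsplit("\\", 1)[-1])
            if real:
                findings.append(("autorun", f"{name}={exe}", f"filename imitates {real}"))
            if "\\" not in exe and ".default" in key:
                findings.append(("autorun", f"{name}={exe}", "bare filename under HKEY_USERS\\.default, resolved through PATH; display name does not match the binary"))
            if PROFILE_DIR.search(exe):
                findings.append(("autorun", f"{name}={exe}", "autostart binary inside a user profile directory"))
    for target, jobs in job_targets.items():
        if len(jobs) >= min_jobs:
            findings.append(("task", target, f"{len(jobs)} At*.job tasks relaunch the same binary (re-infection loop)"))
    return findings


if __name__ == "__main__":
    for what, evidence, reason in triage(SAMPLE_LOG):
        print(f"[{what}] {evidence}\n    {reason}")
```

Run it as-is to print the findings for the sample, or pass the "Reg Loading Points" block of a real ComboFix log to triage(). The heuristics are deliberately narrow: an absolute path with a plausible-looking name, like the "Offices Monitorse" entry in this thread, passes every one of them, which is exactly where the manual vendor lookup the responder did still has to happen.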

Download VundoFix -> [url]http://www.atribune.org/ccount/click.php?id=4[/url], boot into Safe Mode, run the program, click "Scan for Vundo" and, when it finishes, "Remove Vundo". After the job, new logs - HijackThis, SilentRunners and ComboFix
Żółty
Added
16.09.2007 23:57:25
Berry
Added:
16.09.2007 23:31:47