Antywiry nie chcą wystartować

**Posty:** 190 · przez **mirekg1963** 05 Maj 2009, 17:25

Witam szanowne koleżeństwo! Nie często tu jestem, ale za to pewnie z konkretem

. Tym razem mam następujący problem.
Po ściągnięciu darmowego anty-wirusa (w tym wypadku próbowałem z clamwin i avastem) obydwa się
pięknie ściągają a później nie chcą zadziałać. Kiedy jw próbuje uruchomić...he he uciekają!! :evil:

No, na pasku zadań jak chcę najechać na ikonkę to się chowa. Przesyłam logi z combofixa i bardzo proszę o zerknięcie

Kod: Zaznacz wszystko: ComboFix 09-05-02.4 - admin 2009-05-02 10:21.2 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1250.48.1045.18.447.186 [GMT 2:00] Uruchomiony z: c:\documents and settings\admin\Pulpit\ComboFix.exe * Utworzono nowy punkt przywracania . ((((((((((((((((((((((((((((((((((((((( Usunięto ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Autorun.inf c:\documents and settings\admin\admin.exe C:\e2.cmd C:\ej10fkdo.bat C:\i.cmd C:\upw.bat c:\windows\system32\digiwet.dll c:\windows\system32\drivers\amd64si.sys c:\windows\system32\nmdfgds0.dll c:\windows\system32\nmdfgds1.dll c:\windows\system32\olhrwef.exe . ((((((((((((((((((((((((( Pliki utworzone od 2009-04-02 do 2009-05-02 ))))))))))))))))))))))))))))))) . 2009-05-02 07:33 . 2009-05-02 08:31 3478 ----a-w C:\pagefile.sys.vbs 2009-05-02 07:09 . 2009-05-02 07:09 108824 --sh--r C:\fbak.exe 2009-04-29 17:05 . 2009-04-29 17:06 -------- d-----w c:\program files\Nowe Gadu-Gadu 2009-04-28 14:49 . 2009-04-28 14:48 105774 --sh--r C:\ymxf2.exe 2009-04-27 12:08 . 2009-04-27 12:45 -------- d-----w c:\windows\system32\CatRoot_bak 2009-04-27 12:01 . 2008-06-14 18:01 273024 -c----w c:\windows\system32\dllcache\bthport.sys 2009-04-27 12:01 . 2008-06-14 18:01 273024 ------w c:\windows\system32\drivers\bthport.sys 2009-04-27 11:58 . 2009-02-09 11:52 2059008 -c----w c:\windows\system32\dllcache\ntkrnlpa.exe 2009-04-27 11:58 . 2009-02-09 11:52 2017280 -c----w c:\windows\system32\dllcache\ntkrpamp.exe 2009-04-27 11:58 . 2009-02-09 11:52 2181760 -c----w c:\windows\system32\dllcache\ntoskrnl.exe 2009-04-27 11:58 . 2009-02-09 11:52 2137600 -c----w c:\windows\system32\dllcache\ntkrnlmp.exe 2009-04-27 11:56 . 2008-10-24 11:10 453632 -c----w c:\windows\system32\dllcache\mrxsmb.sys 2009-04-27 10:49 . 2009-04-27 10:49 -------- d-----w c:\documents and settings\admin\Ustawienia lokalne\Dane aplikacji\Boss Media 2009-04-27 10:49 . 2009-04-27 10:50 -------- d-----w c:\program files\ParadisePoker 2009-04-27 10:30 . 2009-04-27 10:34 -------- d-----w c:\program files\PokerStars.NET 2009-04-27 09:09 . 2009-04-27 09:09 -------- d-----w c:\documents and settings\LocalService\Pulpit 2009-04-27 09:00 . 2009-04-27 09:00 106709 --sh--r C:\eyt.exe 2009-04-25 08:31 . 2009-04-25 08:30 106749 --sh--r C:\npee.com 2009-04-24 10:04 . 2009-04-24 10:31 -------- d-----w c:\documents and settings\All Users\mg 2009-04-24 09:58 . 2009-04-23 18:31 109167 --sh--r C:\vwewav8.com 2009-04-21 17:47 . 2009-04-23 08:53 109601 --sh--r C:\g1ljsm.com 2009-04-20 15:34 . 2009-04-20 15:34 0 ----a-r C:\logwmemory.bin 2009-04-20 15:33 . 2009-04-20 15:33 -------- d-----w c:\documents and settings\admin\Dane aplikacji\Soldat 2009-04-20 11:49 . 2009-05-02 08:31 3478 --sha-r c:\windows\pagefile.sys.vbs 2009-04-14 16:13 . 2009-04-14 16:13 108514 --sh--r C:\[u]0[/u]xuc.com 2009-04-14 08:54 . 2009-04-14 08:53 109163 --sh--r C:\qwtb.com 2009-04-11 07:30 . 2009-04-29 18:06 -------- d-----w c:\documents and settings\admin\Gadu-Gadu 2009-04-11 07:30 . 2009-04-11 07:30 -------- d-----w c:\program files\Gadu-Gadu 2009-04-11 07:30 . 2006-03-07 10:27 1531671 ----a-w C:\gg61(programosy.pl).exe 2009-04-11 07:30 . 2009-04-11 07:30 1529938 ----a-w C:\gg6.zip 2009-04-08 14:47 . 2009-04-08 14:57 -------- d-----w c:\documents and settings\admin\Dane aplikacji\SQL Developer 2009-04-08 14:45 . 2009-04-08 14:45 -------- d-----w C:\sqldeveloper-5783 2009-04-07 10:34 . 2009-04-07 10:34 -------- d-----w c:\documents and settings\admin\Dane aplikacji\AdobeUM 2009-04-07 09:08 . 2009-04-07 09:08 -------- d-----w c:\documents and settings\admin\Ustawienia lokalne\Dane aplikacji\Adobe 2009-04-07 09:07 . 2009-04-07 09:07 -------- d-----w c:\program files\Common Files\Adobe 2009-04-06 18:45 . 2009-04-09 17:47 110321 --sh--r C:\1ogf.exe 2009-04-06 16:13 . 2009-02-16 13:39 209203 --sh--r C:\qphdin.com 2009-04-04 11:23 . 2009-04-04 11:28 -------- d-s---w c:\documents and settings\admin\UserData 2009-04-03 16:11 . 2009-04-04 07:17 110157 --sh--r C:\cqxj.exe 2009-04-02 16:09 . 2009-04-27 09:03 15688 ----a-w c:\windows\system32\lsdelete.exe . (((((((((((((((((((((((((((((((((((((((( Sekcja Find3M )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-05-02 08:31 . 2009-03-27 11:09 6 ---ha-w c:\windows\Tasks\SA.DAT 2009-04-27 15:30 . 2006-03-02 12:00 49492 ----a-w c:\windows\system32\perfc015.dat 2009-04-27 15:30 . 2006-03-02 12:00 355486 ----a-w c:\windows\system32\perfh015.dat 2009-04-27 12:40 . 2009-03-30 07:49 -------- d-----w c:\program files\Metin2_PL 2009-04-14 18:20 . 2009-03-31 12:50 -------- d-----w c:\program files\Tibia 2009-04-14 18:10 . 2009-03-28 10:59 -------- d-----w c:\program files\Valve 2009-03-31 12:51 . 2009-03-31 12:51 -------- d-----w c:\program files\Asprate 2009-03-31 12:40 . 2009-03-31 12:40 0 ----a-w c:\windows\nsreg.dat 2009-03-31 11:43 . 2009-03-27 11:04 76487 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat 2009-03-30 13:22 . 2009-03-30 13:22 16504 ----a-w c:\documents and settings\admin\Ustawienia lokalne\Dane aplikacji\GDIPFONTCACHEV1.DAT 2009-03-30 09:59 . 2009-03-30 08:23 -------- d-----w c:\program files\Odkurzacz 2009-03-30 08:37 . 2009-03-30 08:37 -------- d-----w c:\program files\OpenOffice.org 3 2009-03-30 07:48 . 2009-03-30 07:48 -------- d-----w c:\program files\ClamWin 2009-03-30 07:46 . 2009-03-30 07:46 472 ----a-w c:\windows\Tasks\Ad-Aware Update (Weekly).job 2009-03-30 07:45 . 2009-03-30 07:46 64160 ----a-w c:\windows\system32\drivers\Lbd.sys 2009-03-30 07:42 . 2009-03-30 07:42 -------- d-----w c:\program files\Lavasoft 2009-03-28 11:09 . 2009-03-28 11:09 -------- d-----w c:\program files\Java 2009-03-28 11:07 . 2009-03-28 11:07 -------- d-----w c:\program files\Common Files\Java 2009-03-28 10:59 . 2009-03-27 11:15 -------- d--h--w c:\program files\InstallShield Installation Information 2009-03-27 11:17 . 2009-03-27 11:11 14656 ----a-w c:\windows\gdrv.sys 2009-03-27 11:15 . 2009-03-27 11:15 -------- d-----w c:\program files\Realtek 2009-03-27 11:15 . 2009-03-27 11:15 315392 ----a-w c:\windows\HideWin.exe 2009-03-27 11:15 . 2009-03-27 11:15 -------- d-----w c:\program files\DIFX 2009-03-27 11:13 . 2009-03-27 11:13 -------- d-----w c:\program files\Common Files\InstallShield 2009-03-27 11:05 . 2009-03-27 11:05 -------- d-----w c:\program files\microsoft frontpage 2009-03-27 11:05 . 2006-03-02 12:00 67 --sha-w c:\windows\Fonts\desktop.ini 2009-03-27 11:04 . 2009-03-27 11:04 -------- d-----w c:\program files\Usługi online 2009-03-27 11:03 . 2009-03-27 11:03 21856 ----a-w c:\windows\system32\emptyregdb.dat 2009-03-06 14:47 . 2006-03-02 12:00 285184 ----a-w c:\windows\system32\pdh.dll 2009-02-20 08:32 . 2006-03-02 12:00 662016 ----a-w c:\windows\system32\wininet.dll 2009-02-20 08:32 . 2006-03-02 12:00 81920 ----a-w c:\windows\system32\ieencode.dll 2009-02-09 14:19 . 2006-03-02 12:00 1846528 ----a-w c:\windows\system32\win32k.sys 2009-02-09 11:52 . 2006-03-02 12:00 2181760 ----a-w c:\windows\system32\ntoskrnl.exe 2009-02-09 11:52 . 2004-08-04 00:38 2059008 ----a-w c:\windows\system32\ntkrnlpa.exe 2009-02-09 10:22 . 2006-03-02 12:00 725504 ----a-w c:\windows\system32\lsasrv.dll 2009-02-09 10:22 . 2006-03-02 12:00 686080 ----a-w c:\windows\system32\advapi32.dll 2009-02-09 10:22 . 2006-03-02 12:00 399360 ----a-w c:\windows\system32\rpcss.dll 2009-02-09 10:22 . 2006-03-02 12:00 722944 ----a-w c:\windows\system32\ntdll.dll 2009-02-09 10:10 . 2006-03-02 12:00 111104 ----a-w c:\windows\system32\services.exe 2009-02-06 16:54 . 2006-03-02 12:00 35328 ----a-w c:\windows\system32\sc.exe 2009-02-03 20:11 . 2006-03-02 12:00 55808 ----a-w c:\windows\system32\secur32.dll . ((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-03 1667584] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-31 7634944] "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-31 86016] "ClamWin"="c:\program files\ClamWin\bin\ClamTray.exe" [2008-11-09 86016] "MSRegInfo"="c:\windows\pagefile.sys.vbs" [2009-05-02 3478] "RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-01-30 16116224] "SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-16 2879488] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2006-03-02 15360] c:\documents and settings\All Users\Menu Start\Programy\Autostart\ Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service] @="Service" [HKLM\~\startupfolder\C:^Documents and Settings^admin^Menu Start^Programy^Autostart^OpenOffice.org 3.0.lnk] path=c:\documents and settings\admin\Menu Start\Programy\Autostart\OpenOffice.org 3.0.lnk backup=c:\windows\pss\OpenOffice.org 3.0.lnkStartup [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Valve\\hl.exe"= "c:\\Program Files\\Nowe Gadu-Gadu\\gg.exe"= "c:\\Program Files\\Metin2_PL\\metin2.bin"= "c:\\Program Files\\Valve\\hlds.exe"= "c:\\Program Files\\Gadu-Gadu\\gg.exe"= "c:\\WINDOWS\\system32\\userinit.exe"= R2 amd64si;amd64si; [x] R2 ws2_32sik;ws2_32sik; [x] R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-04-27 953168] S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-03-30 64160] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{00df310e-2d9c-11de-ad58-001a4d7a06ef}] \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe pagefile.sys.vbs [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0443e540-2029-11de-ad1a-001a4d7a06ef}] \Shell\AutoRun\command - d:\system\S-1-5-21-1482476501-1644491937-682003330-1013\system32.exe \Shell\open\command - d:\system\S-1-5-21-1482476501-1644491937-682003330-1013\system32.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1377ab56-2352-11de-ad29-001a4d7a06ef}] \Shell\AutoRun\command - d:\system\S-1-5-21-1482476501-1644491937-682003330-1013\system32.exe \Shell\open\command - d:\system\S-1-5-21-1482476501-1644491937-682003330-1013\system32.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{36e871aa-25ec-11de-ad39-001a4d7a06ef}] \Shell\AutoRun\command - D:\i.cmd \Shell\open\Command - D:\i.cmd [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4cabda14-2a8c-11de-ad4f-001a4d7a06ef}] \Shell\AutoRun\command - D:\[u]0[/u]xuc.com \Shell\open\Command - D:\[u]0[/u]xuc.com [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5d917fe2-317a-11de-ad69-001a4d7a06ef}] \Shell\AutoRun\command - D:\npee.com \Shell\open\Command - D:\npee.com [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{69fbb228-205d-11de-ad1d-001a4d7a06ef}] \Shell\AutoRun\command - D:\e.cmd \Shell\explore\Command - D:\e.cmd \Shell\open\Command - D:\e.cmd [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{80cb645a-1d11-11de-acfd-001a4d7a06ef}] \Shell\AutoRun\command - D:\em8tqm.cmd \Shell\open\Command - D:\em8tqm.cmd [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{872d4070-2a9f-11de-ad50-001a4d7a06ef}] \Shell\AutoRun\command - D:\husyu8n.exe \Shell\open\Command - D:\husyu8n.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c4332462-22c5-11de-ad27-001a4d7a06ef}] \Shell\AutoRun\command - D:\qphdin.com \Shell\open\Command - D:\qphdin.com [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c7327c2a-2e60-11de-ad5d-001a4d7a06ef}] \Shell\AutoRun\command - D:\[u]0[/u]xuc.com \Shell\open\Command - D:\[u]0[/u]xuc.com [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cb117da8-1ac1-11de-acf1-001a4d7a06ef}] \Shell\AutoRun\command - D:\LaunchU3.exe -a [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cb117da9-1ac1-11de-acf1-001a4d7a06ef}] \Shell\AutoRun\command - e:\system\S-1-5-21-1482476501-1644491937-682003330-1013\system32.exe \Shell\open\command - e:\system\S-1-5-21-1482476501-1644491937-682003330-1013\system32.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d6a9f443-2f44-11de-ad60-001a4d7a06ef}] \Shell\AutoRun\command - D:\LaunchU3.exe -a [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d6a9f444-2f44-11de-ad60-001a4d7a06ef}] \Shell\AutoRun\command - E:\em8tqm.cmd \Shell\open\Command - E:\em8tqm.cmd [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{edccd11a-2aa9-11de-ad52-001a4d7a06ef}] \Shell\AutoRun\command - D:\LaunchU3.exe -a [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{edccd11c-2aa9-11de-ad52-001a4d7a06ef}] \Shell\AutoRun\command - D:\husyu8n.exe \Shell\open\Command - D:\husyu8n.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{edccd11d-2aa9-11de-ad52-001a4d7a06ef}] \Shell\AutoRun\command - E:\[u]0[/u]xuc.com \Shell\open\Command - E:\[u]0[/u]xuc.com [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{28ABC5C0-4FCB-11CF-AAX5-21CX1C643131}] c:\system\S-1-5-21-1482476501-1644491937-682003330-1013\system32.exe . Zawartość folderu 'Zaplanowane zadania' 2009-03-30 c:\windows\Tasks\Ad-Aware Update (Weekly).job - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 09:02] . - - - - USUNIĘTO PUSTE WPISY - - - - HKCU-Run-cdoosoft - c:\windows\system32\olhrwef.exe HKCU-Run-admin - c:\documents and settings\admin\admin.exe . ------- Skan uzupełniający ------- . uStart Page = hxxp://www.google.pl/ mStart Page = hxxp://www.yahoo.com IE: {{FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\PokerStars.NET\PokerStarsUpdate.exe FF - ProfilePath - c:\documents and settings\admin\Dane aplikacji\Mozilla\Firefox\Profiles\pofpueyg.default\ FF - prefs.js: browser.startup.homepage - www.google.pl . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-05-02 10:32 Windows 5.1.2600 Dodatek Service Pack 2 NTFS skanowanie ukrytych procesów ... skanowanie ukrytych wpisów autostartu ... skanowanie ukrytych plików ... skanowanie pomyślnie ukończone ukryte pliki: 0 ************************************************************************** . ------------------------ Pozostałe uruchomione procesy ------------------------ . c:\windows\system32\wscript.exe c:\windows\system32\nvsvc32.exe c:\windows\system32\wscntfy.exe . ************************************************************************** . Czas ukończenia: 2009-05-02 10:33 - komputer został uruchomiony ponownie ComboFix-quarantined-files.txt 2009-05-02 08:32 Przed: 71 899 295 744 bajtów wolnych Po: 71 904 780 288 bajtów wolnych 234 --- E O F --- 2009-04-27 15:16

**Posty:** 15 · przez **diorek** 05 Maj 2009, 19:09

a spróbuj ściągnąć jeszcze tą nową Pandę w wersji darmowej albo przeskanuj skanerem online. chyba skaner będzie najlepszym rozwiązaniem...

**Posty:** 18165 · przez **wojtas** 05 Maj 2009, 19:23

Wylecz pendriva lub kartę pamięci
użyj Perlovga Removal Tool lub
Flash Disinfector
lub format.

Otworz notatnik i wklej w nim to:

File::
c:\pagefile.sys.vbs
c:\windows\pagefile.sys.vbs
C:\fbak.exe
C:\ymxf2.exe
C:\eyt.exe
C:\npee.com
C:\vwewav8.com
C:\g1ljsm.com
C:\0xuc.com
C:\qwtb.com
C:\1ogf.exe
C:\qphdin.com
C:\cqxj.exe
d:\fbak.exe
d:\ymxf2.exe
d:\eyt.exe
d:\npee.com
d:\vwewav8.com
d:\g1ljsm.com
d:\0xuc.com
d:\qwtb.com
D:\1ogf.exe
d:\qphdin.com
d:\cqxj.exe
e:\fbak.exe
e:\ymxf2.exe
e:\eyt.exe
e:\npee.com
e:\vwewav8.com
e:\g1ljsm.com
e:\0xuc.com
e:\qwtb.com
e:\1ogf.exe
e:\qphdin.com
e:\cqxj.exe

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{00df310e-2d9c-11de-ad58-001a4d7a06ef}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0443e540-2029-11de-ad1a-001a4d7a06ef}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1377ab56-2352-11de-ad29-001a4d7a06ef}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{36e871aa-25ec-11de-ad39-001a4d7a06ef}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4cabda14-2a8c-11de-ad4f-001a4d7a06ef}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5d917fe2-317a-11de-ad69-001a4d7a06ef}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{69fbb228-205d-11de-ad1d-001a4d7a06ef}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{80cb645a-1d11-11de-acfd-001a4d7a06ef}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{872d4070-2a9f-11de-ad50-001a4d7a06ef}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c4332462-22c5-11de-ad27-001a4d7a06ef}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c7327c2a-2e60-11de-ad5d-001a4d7a06ef}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cb117da9-1ac1-11de-acf1-001a4d7a06ef}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d6a9f444-2f44-11de-ad60-001a4d7a06ef}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{edccd11c-2aa9-11de-ad52-001a4d7a06ef}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{edccd11d-2aa9-11de-ad52-001a4d7a06ef}]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{28ABC5C0-4FCB-11CF-AAX5-21CX1C643131}]

Driver::
amd64si
ws2_32sik

>>Plik>>Zapisz jako... >>> CFScript
Przeciągnij i upuść plik CFScript.txt na plik ComboFix.exe
-->

Ma się rozpocząć usuwanie. (i powstanie log).Daj ten log, który powstanie w trakcie usuwania.

**Posty:** 190 · przez **mirekg1963** 05 Maj 2009, 21:39

Wielkie dzięki, choć muszę powiedzieć że jeszcze nie znam efektu. Był tu u mnie taki jeden mądrzejszy informatyk skanował online i wydał wyrok, że 60% exe.ków zainfekowanych

A kto im tam kazał włazić!!

Po użyciu szczepionki którą mi wygenerowałeś rzecz się ma następująco

Kod: Zaznacz wszystko: ComboFix 09-05-04.A3 - admin 2009-05-05 21:28.2 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1250.48.1045.18.447.227 [GMT 2:00] Uruchomiony z: c:\documents and settings\admin\Pulpit\ComboFix.exe Użyto następujących komend :: c:\documents and settings\admin\Pulpit\CFScript.txt FILE :: C:\[u]0[/u]xuc.com C:\1ogf.exe C:\cqxj.exe C:\eyt.exe C:\fbak.exe C:\g1ljsm.com C:\npee.com c:\pagefile.sys.vbs C:\qphdin.com C:\qwtb.com C:\vwewav8.com c:\windows\pagefile.sys.vbs C:\ymxf2.exe d:\[u]0[/u]xuc.com D:\1ogf.exe d:\cqxj.exe d:\eyt.exe d:\fbak.exe d:\g1ljsm.com d:\npee.com d:\qphdin.com d:\qwtb.com d:\vwewav8.com d:\ymxf2.exe e:\[u]0[/u]xuc.com e:\1ogf.exe e:\cqxj.exe e:\eyt.exe e:\fbak.exe e:\g1ljsm.com e:\npee.com e:\qphdin.com e:\qwtb.com e:\vwewav8.com e:\ymxf2.exe . ((((((((((((((((((((((((((((((((((((((( Usunięto ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\windows\IE4 Error Log.txt . ((((((((((((((((((((((((((((((((((((((( Sterowniki/Usługi ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_ASC3360PR -------\Service_asc3360pr ((((((((((((((((((((((((( Pliki utworzone od 2009-04-05 do 2009-05-05 ))))))))))))))))))))))))))))))) . 2009-05-05 15:53 . 2009-05-05 16:40 -------- d-----w c:\program files\SkanerOnline 2009-05-05 15:45 . 2009-05-05 15:47 -------- d-----w C:\f6ba6c511cce9f68d07ed67dd9fff0 2009-04-30 17:22 . 2009-04-30 17:22 -------- d-----w c:\documents and settings\admin\Ustawienia lokalne\Dane aplikacji\Cooliris 2009-04-30 17:21 . 2009-04-30 17:21 -------- d-----w c:\documents and settings\admin\Ustawienia lokalne\Dane aplikacji\Radical Software Ltd 2009-04-30 17:21 . 2009-04-30 17:21 -------- d-----w c:\documents and settings\admin\Dane aplikacji\Radical Software Ltd 2009-04-30 16:35 . 2009-04-30 16:41 -------- d-----w c:\documents and settings\admin\Dane aplikacji\LimeWire 2009-04-30 16:34 . 2009-05-05 16:15 -------- d-----w c:\program files\LimeWire 2009-04-30 16:11 . 2009-05-02 07:12 -------- d-----w c:\program files\BearShare 2009-04-30 15:57 . 2009-04-30 15:57 -------- d-----w c:\documents and settings\All Users\Dane aplikacji\28242 2009-04-30 15:57 . 2009-05-02 07:12 -------- d-----w c:\program files\BearShare Applications 2009-04-30 14:32 . 2009-04-30 14:32 410984 ----a-w c:\windows\system32\deploytk.dll 2009-04-29 17:20 . 2001-10-26 15:29 5632 ----a-w c:\windows\system32\ptpusb.dll 2009-04-29 17:20 . 2004-08-03 22:44 159232 ----a-w c:\windows\system32\ptpusd.dll 2009-04-29 17:20 . 2004-08-03 20:58 15104 -c--a-w c:\windows\system32\dllcache\usbscan.sys 2009-04-29 17:20 . 2004-08-03 20:58 15104 ----a-w c:\windows\system32\drivers\usbscan.sys 2009-04-28 11:59 . 2009-05-04 08:34 -------- d-----w c:\windows\system32\CatRoot_bak 2009-04-28 11:59 . 2009-02-09 11:52 2059008 -c----w c:\windows\system32\dllcache\ntkrnlpa.exe 2009-04-28 11:59 . 2009-02-09 11:52 2017280 -c----w c:\windows\system32\dllcache\ntkrpamp.exe 2009-04-28 11:59 . 2009-02-09 11:52 2181760 -c----w c:\windows\system32\dllcache\ntoskrnl.exe 2009-04-28 11:59 . 2009-02-09 11:52 2137600 -c----w c:\windows\system32\dllcache\ntkrnlmp.exe 2009-04-28 11:46 . 2008-10-24 11:10 453632 -c----w c:\windows\system32\dllcache\mrxsmb.sys 2009-04-28 11:35 . 2008-06-14 18:01 273024 -c----w c:\windows\system32\dllcache\bthport.sys 2009-04-28 11:35 . 2008-06-14 18:01 273024 ------w c:\windows\system32\drivers\bthport.sys 2009-04-24 18:28 . 2009-04-24 18:28 -------- d-----w c:\documents and settings\admin\Dane aplikacji\WoDBO 2009-04-22 14:02 . 2009-05-04 17:46 -------- d-----w c:\program files\Nowe Gadu-Gadu 2009-04-20 15:33 . 2009-04-20 15:33 0 ----a-r C:\logwmemory.bin 2009-04-20 15:32 . 2009-04-20 15:32 -------- d-----w c:\documents and settings\admin\Dane aplikacji\Soldat 2009-04-18 11:23 . 2001-08-17 20:55 6144 -c--a-w c:\windows\system32\dllcache\kbd106.dll 2009-04-18 11:23 . 2001-08-18 04:36 8704 -c--a-w c:\windows\system32\dllcache\kbdjpn.dll 2009-04-18 11:23 . 2001-08-18 04:36 8192 -c--a-w c:\windows\system32\dllcache\kbdkor.dll 2009-04-18 11:23 . 2001-08-17 20:55 6144 ----a-w c:\windows\system32\kbd106.dll 2009-04-18 11:23 . 2001-08-18 04:36 8704 ----a-w c:\windows\system32\kbdjpn.dll 2009-04-18 11:23 . 2001-08-18 04:36 8192 ----a-w c:\windows\system32\kbdkor.dll 2009-04-18 11:23 . 2001-08-17 20:55 6144 -c--a-w c:\windows\system32\dllcache\kbd101c.dll 2009-04-18 11:23 . 2001-08-17 20:55 5632 -c--a-w c:\windows\system32\dllcache\kbd103.dll 2009-04-18 11:23 . 2001-08-17 20:55 6144 ----a-w c:\windows\system32\kbd101c.dll 2009-04-18 11:23 . 2001-08-17 20:55 5632 ----a-w c:\windows\system32\kbd103.dll 2009-04-18 11:23 . 2001-08-17 20:55 6144 -c--a-w c:\windows\system32\dllcache\kbd101b.dll 2009-04-18 11:23 . 2001-08-17 20:55 6144 ----a-w c:\windows\system32\kbd101b.dll 2009-04-18 07:29 . 2009-05-02 07:13 15688 ----a-w c:\windows\system32\lsdelete.exe 2009-04-18 07:28 . 2009-04-18 07:28 -------- d-----w c:\documents and settings\LocalService\Pulpit 2009-04-18 07:25 . 2009-04-27 10:10 64160 ----a-w c:\windows\system32\drivers\Lbd.sys 2009-04-18 07:23 . 2009-04-18 07:23 -------- dc-h--w c:\documents and settings\All Users\Dane aplikacji\{83C91755-2546-441D-AC40-9A6B4B860800} 2009-04-17 13:25 . 2009-04-17 13:25 -------- d-----w c:\documents and settings\admin\Ustawienia lokalne\Dane aplikacji\Opera 2009-04-17 13:25 . 2009-04-17 13:25 -------- d-----w c:\program files\Opera 2009-04-14 17:10 . 2004-08-03 21:08 31616 -c--a-w c:\windows\system32\dllcache\usbccgp.sys 2009-04-14 17:10 . 2004-08-03 21:08 31616 ----a-w c:\windows\system32\drivers\usbccgp.sys 2009-04-10 10:10 . 2009-04-10 10:10 -------- d-----w c:\documents and settings\admin\Ustawienia lokalne\Dane aplikacji\Identities . (((((((((((((((((((((((((((((((((((((((( Sekcja Find3M )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-05-05 16:13 . 2009-03-26 12:38 -------- d-----w c:\program files\Ganymede 2009-05-05 14:54 . 2009-03-19 17:35 -------- d-----w c:\program files\Metin2_PL 2009-05-02 07:08 . 2009-03-19 16:47 -------- d-----w c:\program files\Odkurzacz 2009-04-30 14:32 . 2009-03-27 11:29 -------- d-----w c:\program files\Java 2009-04-29 07:59 . 2006-03-02 12:00 49492 ----a-w c:\windows\system32\perfc015.dat 2009-04-29 07:59 . 2006-03-02 12:00 355486 ----a-w c:\windows\system32\perfh015.dat 2009-04-18 07:23 . 2009-03-19 16:41 -------- d-----w c:\program files\Lavasoft 2009-04-15 11:27 . 2009-03-20 13:36 -------- d-----w c:\program files\Tibia 2009-04-11 07:27 . 2009-04-03 14:55 -------- d-----w c:\program files\Gadu-Gadu 2009-04-11 07:18 . 2009-04-01 16:56 -------- d-----w c:\program files\ChomikBox 2009-04-10 18:15 . 2009-03-19 18:24 -------- d-----w c:\program files\Arjaloc 2009-03-31 09:24 . 2009-03-19 12:50 76487 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat 2009-03-27 15:06 . 2009-03-19 18:30 16504 ----a-w c:\documents and settings\admin\Ustawienia lokalne\Dane aplikacji\GDIPFONTCACHEV1.DAT 2009-03-27 11:27 . 2009-03-27 11:27 -------- d-----w c:\program files\Common Files\Java 2009-03-24 16:40 . 2009-03-19 17:02 -------- d-----w c:\program files\Common Files\Adobe 2009-03-23 10:14 . 2009-03-23 10:14 -------- d-----w c:\program files\Asprate 2009-03-20 10:58 . 2009-03-20 10:58 0 ----a-w c:\windows\nsreg.dat 2009-03-19 17:24 . 2009-03-19 17:23 -------- d-----w c:\program files\Valve 2009-03-19 17:23 . 2009-03-19 13:00 -------- d--h--w c:\program files\InstallShield Installation Information 2009-03-19 17:04 . 2009-03-19 17:04 -------- d-----w c:\program files\OpenOffice.org 3 2009-03-19 13:02 . 2009-03-19 12:56 14656 ----a-w c:\windows\gdrv.sys 2009-03-19 13:00 . 2009-03-19 13:00 -------- d-----w c:\program files\Realtek 2009-03-19 13:00 . 2009-03-19 13:00 315392 ----a-w c:\windows\HideWin.exe 2009-03-19 13:00 . 2009-03-19 13:00 -------- d-----w c:\program files\DIFX 2009-03-19 12:58 . 2009-03-19 12:58 -------- d-----w c:\program files\Common Files\InstallShield 2009-03-19 12:51 . 2009-03-19 12:51 -------- d-----w c:\program files\microsoft frontpage 2009-03-19 12:50 . 2006-03-02 12:00 67 --sha-w c:\windows\Fonts\desktop.ini 2009-03-19 12:49 . 2009-03-19 12:49 -------- d-----w c:\program files\Usługi online 2009-03-19 12:48 . 2009-03-19 12:48 21856 ----a-w c:\windows\system32\emptyregdb.dat 2009-03-06 14:47 . 2006-03-02 12:00 285184 ----a-w c:\windows\system32\pdh.dll 2009-02-20 08:32 . 2006-03-02 12:00 662016 ----a-w c:\windows\system32\wininet.dll 2009-02-20 08:32 . 2006-03-02 12:00 81920 ----a-w c:\windows\system32\ieencode.dll 2009-02-09 14:19 . 2006-03-02 12:00 1846528 ----a-w c:\windows\system32\win32k.sys 2009-02-09 11:52 . 2006-03-02 12:00 2181760 ----a-w c:\windows\system32\ntoskrnl.exe 2009-02-09 11:52 . 2004-08-04 00:38 2059008 ----a-w c:\windows\system32\ntkrnlpa.exe 2009-02-09 10:22 . 2006-03-02 12:00 725504 ----a-w c:\windows\system32\lsasrv.dll 2009-02-09 10:22 . 2006-03-02 12:00 686080 ----a-w c:\windows\system32\advapi32.dll 2009-02-09 10:22 . 2006-03-02 12:00 399360 ----a-w c:\windows\system32\rpcss.dll 2009-02-09 10:22 . 2006-03-02 12:00 722944 ----a-w c:\windows\system32\ntdll.dll 2009-02-09 10:10 . 2006-03-02 12:00 111104 ----a-w c:\windows\system32\services.exe 2009-02-06 16:54 . 2006-03-02 12:00 35328 ----a-w c:\windows\system32\sc.exe . ((((((((((((((((((((((((((((( SnapShot@2009-05-02_08.05.16 ))))))))))))))))))))))))))))))))))))))))) . + 2008-04-11 19:17 . 2008-04-11 19:17 171008 c:\windows\system32\SkanerOnlineUninstall.exe + 2009-05-05 15:45 . 2009-04-06 05:57 24921544 c:\windows\system32\MRT.exe . ((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-31 7634944] "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-31 86016] "nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-10-31 1695744] "RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-01-30 16116224] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2006-03-02 15360] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "EnableLUA"= 0 (0x0) [HKLM\~\startupfolder\C:^Documents and Settings^admin^Menu Start^Programy^Autostart^OpenOffice.org 3.0.lnk] path=c:\documents and settings\admin\Menu Start\Programy\Autostart\OpenOffice.org 3.0.lnk backup=c:\windows\pss\OpenOffice.org 3.0.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "Lavasoft Ad-Aware Service"=3 (0x3) "JavaQuickStarterService"=2 (0x2) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Valve\\hl.exe"= "c:\\WINDOWS\\system32\\wuauclt.exe"= "c:\\WINDOWS\\system32\\nwiz.exe"= "c:\\Program Files\\Nowe Gadu-Gadu\\gg.exe"= "c:\\Program Files\\OpenOffice.org 3\\program\\soffice.bin"= "c:\\Program Files\\OpenOffice.org 3\\program\\quickstart.exe"= "c:\\Program Files\\Nowe Gadu-Gadu\\spellchecker_gg.exe"= "c:\\Program Files\\Odkurzacz\\odk_mcd.exe"= "c:\\WINDOWS\\RTHDCPL.EXE"= "c:\\WINDOWS\\system32\\userinit.exe"= "c:\\WINDOWS\\system32\\wscntfy.exe"= "c:\\Program Files\\Java\\jre6\\bin\\jusched.exe"= "c:\\WINDOWS\\system32\\CF684.exe"= "c:\\ComboFix\\NirCmd.cfexe"= R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-04-18 64160] S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 1030992] --- Inne Usługi/Sterowniki w Pamięci --- *NewlyCreated* - ASC3360PR [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1dcbd267-34e2-11de-93a8-001a4d7a077b}] \Shell\AUtOpLAY\coMMand - D:\uqyl.pif \Shell\AutoRun\command - D:\uqyl.pif \Shell\ExplORe\COMmAND - D:\uqyl.pif \Shell\open\cOmMaNd - D:\uqyl.pif [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1dcbd268-34e2-11de-93a8-001a4d7a077b}] \sHell\AutoplAy\COMMAnD - E:\xbbtho.exe \sHell\AutoRun\command - E:\xbbtho.exe \sHell\explore\coMMAnd - E:\xbbtho.exe \sHell\OPeN\COmMand - E:\xbbtho.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{279a9f88-2917-11de-9374-001a4d7a077b}] \Shell\AutoRun\command - D:\[u]0[/u]xuc.com \Shell\open\Command - D:\[u]0[/u]xuc.com [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{279a9f89-2917-11de-9374-001a4d7a077b}] \Shell\AutoRun\command - E:\[u]0[/u]xuc.com \Shell\open\Command - E:\[u]0[/u]xuc.com [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{32a9bb18-1a2b-11de-9328-001a4d7a077b}] \Shell\AutoRun\command - F:\LaunchU3.exe -a [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{32a9bb19-1a2b-11de-9328-001a4d7a077b}] \shelL\AUtopLay\comMaNd - G:\vbxybl.exe \shelL\AutoRun\command - G:\vbxybl.exe \shelL\explorE\CoMMANd - G:\vbxybl.exe \shelL\oPen\command - G:\vbxybl.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4b170ee0-33f5-11de-93a5-001a4d7a077b}] \Shell\auToPLay\comMAnD - D:\eegm.exe \Shell\AutoRun\command - D:\eegm.exe \Shell\EXPlore\COmMaNd - D:\eegm.exe \Shell\oPEn\COMmand - D:\eegm.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5e5a87bc-28e1-11de-9371-001a4d7a077b}] \Shell\AutoRun\command - D:\qphdin.com \Shell\open\Command - D:\qphdin.com [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8fb29f1d-2db3-11de-9391-001a4d7a077b}] \Shell\AutoRun\command - D:\ej10fkdo.bat \Shell\open\Command - D:\ej10fkdo.bat [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a13cddfc-29bb-11de-9377-001a4d7a077b}] \Shell\AutoRun\command - D:\ej10fkdo.bat \Shell\open\Command - D:\ej10fkdo.bat [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{baa744ea-153d-11de-930f-001a4d7a077b}] \Shell\AutoRun\command - D:\em8tqm.cmd \Shell\open\Command - D:\em8tqm.cmd [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c2994a2c-25aa-11de-9369-001a4d7a077b}] \Shell\AutoRun\command - D:\1ogf.exe \Shell\open\Command - D:\1ogf.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c71c5db8-14a7-11de-930b-001a4d7a077b}] \Shell\AutoRun\command - D:\LaunchU3.exe -a [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c71c5db9-14a7-11de-930b-001a4d7a077b}] \Shell\AutoRun\command - E:\e.cmd \Shell\explore\Command - E:\e.cmd \Shell\open\Command - E:\e.cmd [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{db27187e-1d4b-11de-9337-001a4d7a077b}] \Shell\AutoRun\command - D:\[u]0[/u]bcobed.exe \Shell\open\Command - D:\[u]0[/u]bcobed.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ddf9b9ee-394a-11de-93b9-001a4d7a077b}] \sheLL\autOplAy\COMmaNd - F:\ymhlf.pif \sheLL\AutoRun\command - F:\ymhlf.pif \sheLL\expLOre\COmmanD - F:\ymhlf.pif \sheLL\opEn\CommanD - F:\ymhlf.pif [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fa4e8870-1edd-11de-9341-001a4d7a077b}] \Shell\AutoRun\command - D:\LaunchU3.exe -a [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fa4e8871-1edd-11de-9341-001a4d7a077b}] \Shell\AutoRun\command - E:\cqxj.exe \Shell\open\Command - E:\cqxj.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fb3c5224-3037-11de-939e-001a4d7a077b}] \Shell\AutoRun\command - D:\vwewav8.com \Shell\open\Command - D:\vwewav8.com [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fc4d187c-25fa-11de-936c-001a4d7a077b}] \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe pagefile.sys.vbs . Zawartość folderu 'Zaplanowane zadania' 2009-05-02 c:\windows\Tasks\Ad-Aware Update (Weekly).job - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 07:13] . . ------- Skan uzupełniający ------- . uStart Page = hxxp://search.bearshare.com/pl/ mStart Page = hxxp://www.yahoo.com DPF: {68282C51-9459-467B-95BF-3C0E89627E55} - hxxp://www.mks.com.pl/skaner/SkanerOnline.cab FF - ProfilePath - c:\documents and settings\admin\Dane aplikacji\Mozilla\Firefox\Profiles\y1u62846.default\ FF - plugin: c:\program files\Mozilla Firefox\plugins\npganymedenet.dll . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-05-05 21:30 Windows 5.1.2600 Dodatek Service Pack 2 NTFS skanowanie ukrytych procesów ... skanowanie ukrytych wpisów autostartu ... skanowanie ukrytych plików ... skanowanie pomyślnie ukończone ukryte pliki: 0 ************************************************************************** . ------------------------ Pozostałe uruchomione procesy ------------------------ . c:\windows\system32\nvsvc32.exe c:\windows\system32\wscntfy.exe . ************************************************************************** . Czas ukończenia: 2009-05-05 21:32 - komputer został uruchomiony ponownie ComboFix-quarantined-files.txt 2009-05-05 19:31 Przed: 66 510 323 712 bajtów wolnych Po: 66 652 004 352 bajtów wolnych 294 --- E O F --- 2009-05-05 15:47

Z braterskim pozdrowieniem, czuwaj!!! :ok:

...I co będzie chyba trzeba format, co ??

**Posty:** 18165 · przez **wojtas** 05 Maj 2009, 22:01

wklej do notatnika

Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{00df310e-2d9c-11de-ad58-001a4d7a06ef}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0443e540-2029-11de-ad1a-001a4d7a06ef}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1377ab56-2352-11de-ad29-001a4d7a06ef}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{36e871aa-25ec-11de-ad39-001a4d7a06ef}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2
\{4cabda14-2a8c-11de-ad4f-001a4d7a06ef}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5d917fe2-317a-11de-ad69-001a4d7a06ef}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{69fbb228-205d-11de-ad1d-001a4d7a06ef}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{80cb645a-1d11-11de-acfd-001a4d7a06ef}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{872d4070-2a9f-11de-ad50-001a4d7a06ef}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c4332462-22c5-11de-ad27-001a4d7a06ef}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c7327c2a-2e60-11de-ad5d-001a4d7a06ef}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cb117da9-1ac1-11de-acf1-001a4d7a06ef}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d6a9f444-2f44-11de-ad60-001a4d7a06ef}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{edccd11c-2aa9-11de-ad52-001a4d7a06ef}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{edccd11d-2aa9-11de-ad52-001a4d7a06ef}]

[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{28ABC5C0-4FCB-11CF-AAX5-21CX1C643131}]

w notatniku u góry>>>plik zapisz jako>>>Zmien rozszerzenie z TXT na Wszystkie pliki *.* >>> Zapisz pod nazwą FIX.REG

Klikasz dwa razy na powstały plik fix i dodajesz go do rejestru....

1. Ściągnij OTMoveIt i go włacz i odpal go z opcji CleanUp

oraz skasuj folder C:\Qoobox
2. wykonaj optymalizację windowsa
3.sciagnij ATF_Cleaner
zaznacz
Windows Temp
All users Temp
Temporary internet files
Recycle Bin
i wcisnij EMPTY SELECTED
4.Wyłącz przywracanie systemu ( właściwości mój komputer-zakładka przywracanie - wyłącz przywracanie na wszystkich dyskach). Po chwili włącz je powrotem
5. Wykonaj skan Dr. Web CureIt
6. Przeskanuj obszar mojego komputera http://www.kaspersky.pl/virusscanner.html (uruchom przez IE) Daj raport z niego na forum.

i tym:

FixIEDef.

**Posty:** 190 · przez **mirekg1963** 06 Maj 2009, 19:27

Ahoj! Niestety już nie mogłem Twoich rad sprawdzić bo komp był padł

Łebek wgrał program Copernik bodajże do nagrywania stron...? Nie ważne ja chciałem go wyciachać no i komp po uruchomieniu nie na żadnej ikonce ani klawiaturze tylko reset, menadżer zadań, i od tyłu z kabla

!
Ale żeby nie było tak wesoła to mam drugi komp z takim samym jak mi sie wydaje problemem. Też antywiry nie bardzo z nim korelują :wink:

. Przeskanowałem online mks_vir, znalazł tego troszke no i combofix , daje logi !Zerkniesz na nie??

Kod: Zaznacz wszystko: ComboFix 09-05-05.05 - admin 2009-05-06 19:12.2 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.3.1250.1.1045.18.447.237 [GMT 2:00] Uruchomiony z: c:\documents and settings\admin\Pulpit\ComboFix.exe * Utworzono nowy punkt przywracania . ((((((((((((((((((((((((((((((((((((((( Usunięto ))))))))))))))))))))))))))))))))))))))))))))))))) . . ((((((((((((((((((((((((((((((((((((((( Sterowniki/Usługi ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_ASC3360PR -------\Service_asc3360pr ((((((((((((((((((((((((( Pliki utworzone od 2009-04-06 do 2009-05-06 ))))))))))))))))))))))))))))))) . 2009-05-06 16:18 . 2009-05-06 16:26 -------- d-----w c:\program files\SkanerOnline 2009-04-27 18:21 . 2009-04-27 18:21 -------- d-----w c:\program files\Nowe Gadu-Gadu 2009-04-27 13:26 . 2009-05-05 13:17 -------- d-----w c:\documents and settings\admin\Dane aplikacji\Nowe Gadu-Gadu 2009-04-27 12:19 . 2009-04-27 12:19 -------- d-----w c:\program files\Ashampoo 2009-04-25 08:22 . 2009-04-25 08:22 -------- d-----w c:\documents and settings\xxx 2009-04-25 08:19 . 2001-08-18 04:36 8192 -c--a-w c:\windows\system32\dllcache\kbdkor.dll 2009-04-25 08:19 . 2001-08-18 04:36 8192 ----a-w c:\windows\system32\kbdkor.dll 2009-04-25 08:19 . 2001-08-17 20:55 6144 -c--a-w c:\windows\system32\dllcache\kbd101c.dll 2009-04-25 08:19 . 2001-08-17 20:55 5632 -c--a-w c:\windows\system32\dllcache\kbd103.dll 2009-04-25 08:19 . 2001-08-18 04:36 8704 -c--a-w c:\windows\system32\dllcache\kbdjpn.dll 2009-04-25 08:19 . 2001-08-17 20:55 6144 ----a-w c:\windows\system32\kbd101c.dll 2009-04-25 08:19 . 2001-08-17 20:55 5632 ----a-w c:\windows\system32\kbd103.dll 2009-04-25 08:19 . 2001-08-18 04:36 8704 ----a-w c:\windows\system32\kbdjpn.dll 2009-04-25 08:19 . 2001-08-17 20:55 6144 -c--a-w c:\windows\system32\dllcache\kbd101b.dll 2009-04-25 08:19 . 2001-08-17 20:55 6144 ----a-w c:\windows\system32\kbd101b.dll 2009-04-25 08:19 . 2008-04-14 17:09 6144 -c--a-w c:\windows\system32\dllcache\kbd106.dll 2009-04-25 08:19 . 2008-04-14 17:09 6144 ----a-w c:\windows\system32\kbd106.dll 2009-04-24 18:29 . 2009-04-24 18:29 -------- d-----w c:\documents and settings\admin\Dane aplikacji\Tlen.pl 2009-04-24 18:29 . 2009-04-24 18:29 -------- d-----w c:\documents and settings\All Users\Dane aplikacji\Tlen.pl 2009-04-24 18:28 . 2009-04-24 18:29 -------- d-----w c:\program files\Tlen.pl 2009-04-20 10:58 . 2009-04-25 08:57 -------- d-----w c:\documents and settings\admin\Dane aplikacji\Skype 2009-04-20 10:58 . 2009-04-20 10:58 -------- d-----w c:\documents and settings\admin\Ustawienia lokalne\Dane aplikacji\Google 2009-04-20 10:57 . 2009-04-20 10:57 -------- d-----w c:\program files\Skype 2009-04-20 10:57 . 2009-04-20 10:57 -------- d-----w c:\program files\Common Files\Skype 2009-04-18 10:05 . 2009-04-18 10:05 -------- d-----w c:\documents and settings\admin\Dane aplikacji\.clamwin 2009-04-18 10:05 . 2009-04-27 12:58 -------- d-----w c:\program files\ClamWin 2009-04-18 10:05 . 2009-04-18 10:05 -------- d-----w c:\documents and settings\All Users\.clamwin 2009-04-15 07:41 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe 2009-04-15 07:41 . 2009-03-06 14:22 285696 -c----w c:\windows\system32\dllcache\pdh.dll 2009-04-15 07:41 . 2009-02-09 11:25 111104 -c----w c:\windows\system32\dllcache\services.exe 2009-04-15 07:41 . 2009-02-09 10:53 401408 -c----w c:\windows\system32\dllcache\rpcss.dll 2009-04-15 07:41 . 2009-02-09 10:53 473600 -c----w c:\windows\system32\dllcache\fastprox.dll 2009-04-15 07:41 . 2009-02-09 10:53 686592 -c----w c:\windows\system32\dllcache\advapi32.dll 2009-04-15 07:41 . 2009-02-09 10:53 731136 -c----w c:\windows\system32\dllcache\lsasrv.dll 2009-04-15 07:41 . 2009-02-09 10:53 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll 2009-04-15 07:41 . 2009-02-09 10:53 722944 -c----w c:\windows\system32\dllcache\ntdll.dll 2009-04-15 07:40 . 2008-04-21 21:16 218112 -c----w c:\windows\system32\dllcache\wordpad.exe 2009-04-10 17:08 . 2009-04-10 17:08 -------- d-----w c:\windows\system32\pl-pl 2009-04-10 17:08 . 2009-04-10 17:08 -------- d-----w c:\windows\l2schemas 2009-04-10 17:08 . 2009-04-10 17:08 -------- d-----w c:\windows\system32\pl 2009-04-10 17:08 . 2009-04-10 17:08 -------- d-----w c:\windows\system32\bits 2009-04-10 17:05 . 2009-04-10 17:08 -------- d-----w c:\windows\ServicePackFiles 2009-04-10 17:01 . 2009-04-10 17:01 -------- d-----w c:\windows\EHome 2009-04-08 08:32 . 2009-04-08 08:32 1060864 ----a-w c:\windows\system32\MFC71.dll 2009-04-08 08:32 . 2009-04-08 08:32 499712 ----a-w c:\windows\system32\msvcp71.dll 2009-04-08 08:32 . 2009-04-08 08:32 348160 ----a-w c:\windows\system32\msvcr71.dll 2009-04-07 19:08 . 2004-08-03 21:41 180360 ------w c:\windows\system32\drivers\ntmtlfax.sys 2009-04-07 19:07 . 2008-04-14 17:21 20992 ------w c:\windows\system32\faxpatch.exe 2009-04-06 19:29 . 2009-04-04 07:16 110157 --sh--r C:\cqxj.exe . (((((((((((((((((((((((((((((((((((((((( Sekcja Find3M )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-05-02 08:43 . 2009-03-12 19:09 15688 ----a-w c:\windows\system32\lsdelete.exe 2009-04-27 16:43 . 2008-09-04 11:41 -------- d-----w c:\program files\Gadu-Gadu 2009-04-27 09:40 . 2009-03-19 12:51 -------- d-----w c:\program files\Google 2009-04-25 09:46 . 2009-03-19 12:44 -------- d-----w c:\program files\Tibia 2009-04-25 08:18 . 2009-03-17 17:06 17280 ----a-w c:\documents and settings\admin\Ustawienia lokalne\Dane aplikacji\GDIPFONTCACHEV1.DAT 2009-04-23 11:07 . 2009-03-12 15:50 -------- d-----w c:\program files\Metin2_PL 2009-04-17 12:40 . 2006-03-02 12:00 49712 ----a-w c:\windows\system32\perfc015.dat 2009-04-17 12:40 . 2006-03-02 12:00 355830 ----a-w c:\windows\system32\perfh015.dat 2009-04-16 10:09 . 2009-03-12 15:40 -------- d-----w c:\program files\Valve 2009-04-10 17:10 . 2008-09-04 10:55 76487 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat 2009-03-31 16:21 . 2009-03-30 07:43 108693 --sh--r C:\[u]0[/u]bcobed.exe 2009-03-30 16:21 . 2009-03-12 15:36 -------- d-----w c:\program files\Odkurzacz 2009-03-24 17:46 . 2009-03-24 17:45 -------- d-----w c:\program files\Common Files\Adobe 2009-03-13 18:05 . 2009-03-13 18:05 56 ---ha-w c:\windows\system32\ezsidmv.dat 2009-03-12 17:20 . 2009-03-12 17:21 410984 ----a-w c:\windows\system32\deploytk.dll 2009-03-12 17:20 . 2008-09-04 11:39 -------- d-----w c:\program files\Java 2009-03-12 16:00 . 2009-03-12 16:00 0 ----a-w c:\windows\nsreg.dat 2009-03-12 15:40 . 2008-09-04 11:07 -------- d--h--w c:\program files\InstallShield Installation Information 2009-03-12 15:34 . 2009-03-12 15:34 64160 ----a-w c:\windows\system32\drivers\Lbd.sys 2009-03-12 15:32 . 2009-03-12 15:32 -------- d-----w c:\program files\Lavasoft 2009-03-12 15:27 . 2009-03-12 15:27 -------- d-----w c:\program files\OpenOffice.org 3 2009-03-06 14:22 . 2006-03-02 12:00 285696 ----a-w c:\windows\system32\pdh.dll 2009-02-20 08:12 . 2006-03-02 12:00 668672 ----a-w c:\windows\system32\wininet.dll 2009-02-20 08:11 . 2006-03-02 12:00 81920 ----a-w c:\windows\system32\ieencode.dll 2009-02-10 17:09 . 2004-08-04 00:38 2067328 ----a-w c:\windows\system32\ntkrnlpa.exe 2009-02-09 14:07 . 2006-03-02 12:00 1847040 ----a-w c:\windows\system32\win32k.sys 2009-02-09 11:26 . 2006-03-02 12:00 2190336 ----a-w c:\windows\system32\ntoskrnl.exe 2009-02-09 11:25 . 2006-03-02 12:00 111104 ----a-w c:\windows\system32\services.exe 2009-02-09 10:53 . 2006-03-02 12:00 731136 ----a-w c:\windows\system32\lsasrv.dll 2009-02-09 10:53 . 2006-03-02 12:00 686592 ----a-w c:\windows\system32\advapi32.dll 2009-02-09 10:53 . 2006-03-02 12:00 401408 ----a-w c:\windows\system32\rpcss.dll 2009-02-09 10:53 . 2006-03-02 12:00 722944 ----a-w c:\windows\system32\ntdll.dll 2009-02-06 10:39 . 2006-03-02 12:00 35328 ----a-w c:\windows\system32\sc.exe . ((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Creative WebCam Tray"="c:\program files\Creative\Shared Files\CamTray.exe" [2005-10-27 368640] "Komunikator"="c:\program files\Tlen.pl\tlen.exe" [2009-01-17 5853672] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-31 7634944] "CreativeTaskScheduler"="c:\program files\Creative\Shared Files\CTSched.exe" [2006-01-09 127068] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-12 214424] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer] "NoResolveTrack"= 1 (0x1) [HKLM\~\startupfolder\C:^Documents and Settings^admin^Menu Start^Programy^Autostart^OpenOffice.org 3.0.lnk] path=c:\documents and settings\admin\Menu Start\Programy\Autostart\OpenOffice.org 3.0.lnk backup=c:\windows\pss\OpenOffice.org 3.0.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusOverride"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Valve\\hl.exe"= "c:\\Program Files\\Lavasoft\\Ad-Aware\\AAWTray.exe"= "c:\\Program Files\\Lavasoft\\Ad-Aware\\Ad-AwareAdmin.exe"= "c:\\WINDOWS\\system32\\userinit.exe"= "c:\\Program Files\\Creative\\Shared Files\\CTSched.exe"= "c:\\Program Files\\Creative\\Shared Files\\CamTray.exe"= "c:\\Program Files\\Adobe\\Acrobat 6.0 CE\\Reader\\AcroRd32.exe"= "c:\\Program Files\\OpenOffice.org 3\\program\\soffice.bin"= "c:\\WINDOWS\\system32\\wuauclt.exe"= "c:\\Program Files\\Java\\jre6\\bin\\jucheck.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Mozilla Firefox\\firefox.exe"= "c:\\Program Files\\Metin2_PL\\metin2.bin"= "c:\\Program Files\\Skype\\Phone\\Skype.exe"= "c:\\Program Files\\Tlen.pl\\tlen.exe"= "c:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"= "c:\\Program Files\\Nowe Gadu-Gadu\\gg.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "8461:TCP"= 8461:TCP:GoD High Port "8462:TCP"= 8462:TCP:GoD Low Port R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-03-12 64160] S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 1026896] S3 V0260VID;Live! Cam Vista IM;c:\windows\system32\drivers\V0260Vid.sys [2008-09-04 178913] --- Inne Usługi/Sterowniki w Pamięci --- *NewlyCreated* - ASC3360PR [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{079de855-3315-11de-8ce9-001a4d80ed78}] \shell\AuTopLAy\commaNd - G:\ackxu.exe \shell\AutoRun\command - G:\ackxu.exe \shell\EXplorE\CommAND - G:\ackxu.exe \shell\OpeN\CoMmAnD - G:\ackxu.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{082740ba-19e6-11de-8c49-001a4d80ed78}] \Shell\AutoRun\command - g:\system\S-1-5-21-1482476501-1644491937-682003330-1013\system32.exe \Shell\open\command - g:\system\S-1-5-21-1482476501-1644491937-682003330-1013\system32.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{135af8e2-139b-11de-8c2a-001a4d80ed78}] \Shell\AutoRun\command - G:\e.cmd \Shell\explore\Command - G:\e.cmd \Shell\open\Command - G:\e.cmd [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{135af8e3-139b-11de-8c2a-001a4d80ed78}] \Shell\AutoRun\command - H:\e.cmd \Shell\explore\Command - H:\e.cmd \Shell\open\Command - H:\e.cmd [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2b3f9a6e-22ad-11de-8c7d-001a4d80ed78}] \Shell\autoPlay\coMMaNd - G:\jujsrh.exe \Shell\AutoRun\command - G:\jujsrh.exe \Shell\eXPlORe\COmMand - G:\jujsrh.exe \Shell\opEN\coMmand - G:\jujsrh.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2c08dd56-3a46-11de-8d10-001a4d80ed78}] \shEll\autoPLay\commaNd - G:\odpvpn.pif \shEll\AutoRun\command - G:\odpvpn.pif \shEll\eXpLore\CommAnd - G:\odpvpn.pif \shEll\OPEn\cOmmANd - G:\odpvpn.pif [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{56c0ce2c-2525-11de-8c99-001a4d80ed78}] \Shell\AutoRun\command - G:\ej10fkdo.bat \Shell\open\Command - G:\ej10fkdo.bat [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{57f31abe-109b-11de-8c19-001a4d80ed78}] \Shell\AutoRun\command - G:\2u.com \Shell\explore\Command - G:\2u.com \Shell\open\Command - G:\2u.com [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6d1063b5-122d-11de-8c1b-001a4d80ed78}] \Shell\AutoRun\command - g:\system\S-1-5-21-1482476501-1644491937-682003330-1013\system32.exe \Shell\open\command - g:\system\S-1-5-21-1482476501-1644491937-682003330-1013\system32.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{76d32ffc-14a4-11de-8c31-001a4d80ed78}] \Shell\AUtopLAy\command - G:\aanm.exe \Shell\AutoRun\command - G:\aanm.exe \Shell\EXplOrE\cOmmanD - G:\aanm.exe \Shell\Open\CommaND - G:\aanm.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{84166de0-1211-11de-8c1a-001a4d80ed78}] \Shell\AutoRun\command - g:\system\S-1-5-21-1482476501-1644491937-682003330-1013\system32.exe \Shell\open\command - g:\system\S-1-5-21-1482476501-1644491937-682003330-1013\system32.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8b464230-1927-11de-8c42-001a4d80ed78}] \Shell\AutoRun\command - G:\em8tqm.cmd \Shell\open\Command - G:\em8tqm.cmd [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9ec43720-244b-11de-8c90-001a4d80ed78}] \sHeLL\AuToplay\cOmmaNd - G:\auvur.pif \sHeLL\AutoRun\command - G:\auvur.pif \sHeLL\expLoRE\coMmand - G:\auvur.pif \sHeLL\OpEn\CommanD - G:\auvur.pif [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9ec43721-244b-11de-8c90-001a4d80ed78}] \sHeLL\AuToplay\cOmmaNd - G:\auvur.pif \sHeLL\AutoRun\command - G:\auvur.pif \sHeLL\expLoRE\coMmand - G:\auvur.pif \sHeLL\OpEn\CommanD - G:\auvur.pif [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9fb72816-1854-11de-8c3d-001a4d80ed78}] \Shell\AutoRun\command - g:\system\S-1-5-21-1482476501-1644491937-682003330-1013\system32.exe \Shell\open\command - g:\system\S-1-5-21-1482476501-1644491937-682003330-1013\system32.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a02d759b-2a63-11de-8cb8-001a4d80ed78}] \shElL\autOplAY\commaNd - G:\vcmtdx.pif \shElL\AutoRun\command - G:\vcmtdx.pif \shElL\explore\ComMaNd - G:\vcmtdx.pif \shElL\opeN\CommAnD - G:\vcmtdx.pif [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ae1dd159-12d4-11de-8c1e-001a4d80ed78}] \Shell\AutoRun\command - g:\system\S-1-5-21-1482476501-1644491937-682003330-1013\system32.exe \Shell\open\command - G:\ [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b5dcbec1-316e-11de-8ce3-001a4d80ed78}] \ShEll\AUtOPLay\COMMAnd - H:\twpi.exe \ShEll\AutoRun\command - H:\twpi.exe \ShEll\expLore\CommaNd - H:\twpi.exe \ShEll\OpEn\COmmaNd - H:\twpi.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b6c57ec5-0f1a-11de-8c0c-001a4d80ed78}] \Shell\AutoRun\command - G:\LaunchU3.exe -a [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b6c57ec6-0f1a-11de-8c0c-001a4d80ed78}] \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe pagefile.sys.vbs [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bbe91b18-22c0-11de-8c7f-001a4d80ed78}] \Shell\AutoRun\command - g:\system\S-1-5-21-1482476501-1644491937-682003330-1013\system32.exe \Shell\open\command - g:\system\S-1-5-21-1482476501-1644491937-682003330-1013\system32.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c11b20ae-33e6-11de-8cf3-001a4d80ed78}] \shEll\AuTopLAY\COMmand - G:\ayxc.pif \shEll\AutoRun\command - G:\ayxc.pif \shEll\ExplOrE\CommANd - G:\ayxc.pif \shEll\open\Command - G:\ayxc.pif [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cacb2322-1de6-11de-8c5b-001a4d80ed78}] \Shell\AutoRun\command - I:\u.com \Shell\open\Command - I:\u.com [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ea7b85c0-1e0f-11de-8c5c-001a4d80ed78}] \Shell\AutoRun\command - G:\LaunchU3.exe -a [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ea7b85c1-1e0f-11de-8c5c-001a4d80ed78}] \Shell\AutoRun\command - H:\o3n9k.com \Shell\open\Command - H:\o3n9k.com [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f9dd1636-1d31-11de-8c57-001a4d80ed78}] \Shell\AutoRun\command - G:\LaunchU3.exe -a [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f9dd1638-1d31-11de-8c57-001a4d80ed78}] \Shell\AutoRun\command - i:\system\S-1-5-21-1482476501-1644491937-682003330-1013\system32.exe \Shell\open\command - i:\system\S-1-5-21-1482476501-1644491937-682003330-1013\system32.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f9dd1639-1d31-11de-8c57-001a4d80ed78}] \Shell\AutoRun\command - G:\[u]0[/u]bcobed.exe \Shell\open\Command - G:\[u]0[/u]bcobed.exe [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{28ABC5C0-4FCB-11CF-AAX5-21CX1C643131}] c:\system\S-1-5-21-1482476501-1644491937-682003330-1013\system32.exe . Zawartość folderu 'Zaplanowane zadania' 2009-04-20 c:\windows\Tasks\Ad-Aware Update (Weekly).job - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 08:43] . - - - - USUNIĘTO PUSTE WPISY - - - - HKLM-Run-ClamWin - c:\program files\ClamWin\bin\ClamTray.exe . ------- Skan uzupełniający ------- . uStart Page = hxxp://www.google.pl/firefox mStart Page = hxxp://www.yahoo.com uInternet Connection Wizard,ShellNext = iexplore uInternet Settings,ProxyServer = 127.0.0.1:8080 uInternet Settings,ProxyOverride = local uSearchURL,(Default) = hxxp://www.google.com/search?q=%s DPF: {68282C51-9459-467B-95BF-3C0E89627E55} - hxxp://www.mks.com.pl/skaner/SkanerOnline.cab FF - ProfilePath - c:\documents and settings\admin\Dane aplikacji\Mozilla\Firefox\Profiles\nv9uoa91.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.google.pl/ . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-05-06 19:14 Windows 5.1.2600 Dodatek Service Pack 3 NTFS skanowanie ukrytych procesów ... skanowanie ukrytych wpisów autostartu ... skanowanie ukrytych plików ... skanowanie pomyślnie ukończone ukryte pliki: 0 ************************************************************************** . ------------------------ Pozostałe uruchomione procesy ------------------------ . c:\program files\Java\jre6\bin\jqs.exe c:\windows\system32\nvsvc32.exe c:\windows\system32\wbem\wmiapsrv.exe . ************************************************************************** . Czas ukończenia: 2009-05-06 19:16 - komputer został uruchomiony ponownie ComboFix-quarantined-files.txt 2009-05-06 17:16 Przed: 24,119,484,416 bajtów wolnych Po: 24,195,534,848 bajtów wolnych 294 --- E O F --- 2009-04-15 13:12

**Posty:** 8001 · przez **Okocza** 06 Maj 2009, 19:29

Wykonaj to co jest podane w tym temacie

Zastosuj SDFix . Po pobraniu uruchom go a rozpakuje się do C:\SDFix. Uruchom komputer w trybie awaryjnym (F8 przy stracie systemu). Będąc w awaryjnym uruchom plik RunThis.bat z folderu SDFixa. Zatwierdź czyszczenie przez Y. Poczekaj aż ukończy i komputer zresetuje

Potem wejdz do folderu C:\SDFix wrzuc zawartość pliku Report.txt + log z combofixa oraz daj loga z hijacka

**Posty:** 190 · przez **mirekg1963** 06 Maj 2009, 21:01

Zrobiłem co mi polecono, ale niestety komp nie chciał sie uruchomić w trybie awaryjnym także coś nie bardzo mogłem z SDFix-em podziałać. Ale dołączam log combofix

Kod: Zaznacz wszystko: ComboFix 09-05-05.05 - admin 2009-05-06 20:53.3 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.3.1250.1.1045.18.447.239 [GMT 2:00] Uruchomiony z: c:\documents and settings\admin\Pulpit\ComboFix.exe . ((((((((((((((((((((((((((((((((((((((( Usunięto ))))))))))))))))))))))))))))))))))))))))))))))))) . . ((((((((((((((((((((((((((((((((((((((( Sterowniki/Usługi ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_ASC3360PR -------\Service_asc3360pr ((((((((((((((((((((((((( Pliki utworzone od 2009-04-06 do 2009-05-06 ))))))))))))))))))))))))))))))) . 2009-05-06 18:46 . 2008-11-06 00:03 -------- d-----w C:\SDFix 2009-05-06 16:18 . 2009-05-06 16:26 -------- d-----w c:\program files\SkanerOnline 2009-04-27 18:21 . 2009-04-27 18:21 -------- d-----w c:\program files\Nowe Gadu-Gadu 2009-04-27 13:26 . 2009-05-05 13:17 -------- d-----w c:\documents and settings\admin\Dane aplikacji\Nowe Gadu-Gadu 2009-04-27 12:19 . 2009-04-27 12:19 -------- d-----w c:\program files\Ashampoo 2009-04-25 08:22 . 2009-04-25 08:22 -------- d-----w c:\documents and settings\xxx 2009-04-25 08:19 . 2001-08-18 04:36 8192 -c--a-w c:\windows\system32\dllcache\kbdkor.dll 2009-04-25 08:19 . 2001-08-18 04:36 8192 ----a-w c:\windows\system32\kbdkor.dll 2009-04-25 08:19 . 2001-08-17 20:55 6144 -c--a-w c:\windows\system32\dllcache\kbd101c.dll 2009-04-25 08:19 . 2001-08-17 20:55 5632 -c--a-w c:\windows\system32\dllcache\kbd103.dll 2009-04-25 08:19 . 2001-08-18 04:36 8704 -c--a-w c:\windows\system32\dllcache\kbdjpn.dll 2009-04-25 08:19 . 2001-08-17 20:55 6144 ----a-w c:\windows\system32\kbd101c.dll 2009-04-25 08:19 . 2001-08-17 20:55 5632 ----a-w c:\windows\system32\kbd103.dll 2009-04-25 08:19 . 2001-08-18 04:36 8704 ----a-w c:\windows\system32\kbdjpn.dll 2009-04-25 08:19 . 2001-08-17 20:55 6144 -c--a-w c:\windows\system32\dllcache\kbd101b.dll 2009-04-25 08:19 . 2001-08-17 20:55 6144 ----a-w c:\windows\system32\kbd101b.dll 2009-04-25 08:19 . 2008-04-14 17:09 6144 -c--a-w c:\windows\system32\dllcache\kbd106.dll 2009-04-25 08:19 . 2008-04-14 17:09 6144 ----a-w c:\windows\system32\kbd106.dll 2009-04-24 18:29 . 2009-04-24 18:29 -------- d-----w c:\documents and settings\admin\Dane aplikacji\Tlen.pl 2009-04-24 18:29 . 2009-04-24 18:29 -------- d-----w c:\documents and settings\All Users\Dane aplikacji\Tlen.pl 2009-04-24 18:28 . 2009-04-24 18:29 -------- d-----w c:\program files\Tlen.pl 2009-04-20 10:58 . 2009-04-25 08:57 -------- d-----w c:\documents and settings\admin\Dane aplikacji\Skype 2009-04-20 10:58 . 2009-04-20 10:58 -------- d-----w c:\documents and settings\admin\Ustawienia lokalne\Dane aplikacji\Google 2009-04-20 10:57 . 2009-04-20 10:57 -------- d-----w c:\program files\Skype 2009-04-20 10:57 . 2009-04-20 10:57 -------- d-----w c:\program files\Common Files\Skype 2009-04-18 10:05 . 2009-04-18 10:05 -------- d-----w c:\documents and settings\admin\Dane aplikacji\.clamwin 2009-04-18 10:05 . 2009-05-06 18:40 -------- d-----w c:\program files\ClamWin 2009-04-18 10:05 . 2009-04-18 10:05 -------- d-----w c:\documents and settings\All Users\.clamwin 2009-04-15 07:41 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe 2009-04-15 07:41 . 2009-03-06 14:22 285696 -c----w c:\windows\system32\dllcache\pdh.dll 2009-04-15 07:41 . 2009-02-09 11:25 111104 -c----w c:\windows\system32\dllcache\services.exe 2009-04-15 07:41 . 2009-02-09 10:53 401408 -c----w c:\windows\system32\dllcache\rpcss.dll 2009-04-15 07:41 . 2009-02-09 10:53 473600 -c----w c:\windows\system32\dllcache\fastprox.dll 2009-04-15 07:41 . 2009-02-09 10:53 686592 -c----w c:\windows\system32\dllcache\advapi32.dll 2009-04-15 07:41 . 2009-02-09 10:53 731136 -c----w c:\windows\system32\dllcache\lsasrv.dll 2009-04-15 07:41 . 2009-02-09 10:53 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll 2009-04-15 07:41 . 2009-02-09 10:53 722944 -c----w c:\windows\system32\dllcache\ntdll.dll 2009-04-15 07:40 . 2008-04-21 21:16 218112 -c----w c:\windows\system32\dllcache\wordpad.exe 2009-04-10 17:08 . 2009-04-10 17:08 -------- d-----w c:\windows\system32\pl-pl 2009-04-10 17:08 . 2009-04-10 17:08 -------- d-----w c:\windows\l2schemas 2009-04-10 17:08 . 2009-04-10 17:08 -------- d-----w c:\windows\system32\pl 2009-04-10 17:08 . 2009-04-10 17:08 -------- d-----w c:\windows\system32\bits 2009-04-10 17:05 . 2009-04-10 17:08 -------- d-----w c:\windows\ServicePackFiles 2009-04-10 17:01 . 2009-04-10 17:01 -------- d-----w c:\windows\EHome 2009-04-08 08:32 . 2009-04-08 08:32 1060864 ----a-w c:\windows\system32\MFC71.dll 2009-04-08 08:32 . 2009-04-08 08:32 499712 ----a-w c:\windows\system32\msvcp71.dll 2009-04-08 08:32 . 2009-04-08 08:32 348160 ----a-w c:\windows\system32\msvcr71.dll 2009-04-07 19:08 . 2004-08-03 21:41 180360 ------w c:\windows\system32\drivers\ntmtlfax.sys 2009-04-07 19:07 . 2008-04-14 17:21 20992 ------w c:\windows\system32\faxpatch.exe 2009-04-06 19:29 . 2009-04-04 07:16 110157 --sh--r C:\cqxj.exe . (((((((((((((((((((((((((((((((((((((((( Sekcja Find3M )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-05-02 08:43 . 2009-03-12 19:09 15688 ----a-w c:\windows\system32\lsdelete.exe 2009-04-27 16:43 . 2008-09-04 11:41 -------- d-----w c:\program files\Gadu-Gadu 2009-04-27 09:40 . 2009-03-19 12:51 -------- d-----w c:\program files\Google 2009-04-25 09:46 . 2009-03-19 12:44 -------- d-----w c:\program files\Tibia 2009-04-25 08:18 . 2009-03-17 17:06 17280 ----a-w c:\documents and settings\admin\Ustawienia lokalne\Dane aplikacji\GDIPFONTCACHEV1.DAT 2009-04-23 11:07 . 2009-03-12 15:50 -------- d-----w c:\program files\Metin2_PL 2009-04-17 12:40 . 2006-03-02 12:00 49712 ----a-w c:\windows\system32\perfc015.dat 2009-04-17 12:40 . 2006-03-02 12:00 355830 ----a-w c:\windows\system32\perfh015.dat 2009-04-16 10:09 . 2009-03-12 15:40 -------- d-----w c:\program files\Valve 2009-04-10 17:10 . 2008-09-04 10:55 76487 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat 2009-03-31 16:21 . 2009-03-30 07:43 108693 --sh--r C:\[u]0[/u]bcobed.exe 2009-03-30 16:21 . 2009-03-12 15:36 -------- d-----w c:\program files\Odkurzacz 2009-03-24 17:46 . 2009-03-24 17:45 -------- d-----w c:\program files\Common Files\Adobe 2009-03-13 18:05 . 2009-03-13 18:05 56 ---ha-w c:\windows\system32\ezsidmv.dat 2009-03-12 17:20 . 2009-03-12 17:21 410984 ----a-w c:\windows\system32\deploytk.dll 2009-03-12 17:20 . 2008-09-04 11:39 -------- d-----w c:\program files\Java 2009-03-12 16:00 . 2009-03-12 16:00 0 ----a-w c:\windows\nsreg.dat 2009-03-12 15:40 . 2008-09-04 11:07 -------- d--h--w c:\program files\InstallShield Installation Information 2009-03-12 15:34 . 2009-03-12 15:34 64160 ----a-w c:\windows\system32\drivers\Lbd.sys 2009-03-12 15:32 . 2009-03-12 15:32 -------- d-----w c:\program files\Lavasoft 2009-03-12 15:27 . 2009-03-12 15:27 -------- d-----w c:\program files\OpenOffice.org 3 2009-03-06 14:22 . 2006-03-02 12:00 285696 ----a-w c:\windows\system32\pdh.dll 2009-02-20 08:12 . 2006-03-02 12:00 668672 ----a-w c:\windows\system32\wininet.dll 2009-02-20 08:11 . 2006-03-02 12:00 81920 ----a-w c:\windows\system32\ieencode.dll 2009-02-10 17:09 . 2004-08-04 00:38 2067328 ----a-w c:\windows\system32\ntkrnlpa.exe 2009-02-09 14:07 . 2006-03-02 12:00 1847040 ----a-w c:\windows\system32\win32k.sys 2009-02-09 11:26 . 2006-03-02 12:00 2190336 ----a-w c:\windows\system32\ntoskrnl.exe 2009-02-09 11:25 . 2006-03-02 12:00 111104 ----a-w c:\windows\system32\services.exe 2009-02-09 10:53 . 2006-03-02 12:00 731136 ----a-w c:\windows\system32\lsasrv.dll 2009-02-09 10:53 . 2006-03-02 12:00 686592 ----a-w c:\windows\system32\advapi32.dll 2009-02-09 10:53 . 2006-03-02 12:00 401408 ----a-w c:\windows\system32\rpcss.dll 2009-02-09 10:53 . 2006-03-02 12:00 722944 ----a-w c:\windows\system32\ntdll.dll 2009-02-06 10:39 . 2006-03-02 12:00 35328 ----a-w c:\windows\system32\sc.exe . ((((((((((((((((((((((((((((( SnapShot@2009-05-06_17.14.44 ))))))))))))))))))))))))))))))))))))))))) . + 2009-05-06 18:55 . 2009-05-06 18:55 16384 c:\windows\Temp\Perflib_Perfdata_104.dat . ((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Creative WebCam Tray"="c:\program files\Creative\Shared Files\CamTray.exe" [2005-10-27 368640] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-31 7634944] "CreativeTaskScheduler"="c:\program files\Creative\Shared Files\CTSched.exe" [2006-01-09 127068] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-12 214424] "ClamWin"="c:\program files\ClamWin\bin\ClamTray.exe" [2009-04-14 86016] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer] "NoResolveTrack"= 1 (0x1) [HKLM\~\startupfolder\C:^Documents and Settings^admin^Menu Start^Programy^Autostart^OpenOffice.org 3.0.lnk] path=c:\documents and settings\admin\Menu Start\Programy\Autostart\OpenOffice.org 3.0.lnk backup=c:\windows\pss\OpenOffice.org 3.0.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusOverride"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Valve\\hl.exe"= "c:\\Program Files\\Lavasoft\\Ad-Aware\\AAWTray.exe"= "c:\\Program Files\\Lavasoft\\Ad-Aware\\Ad-AwareAdmin.exe"= "c:\\WINDOWS\\system32\\userinit.exe"= "c:\\Program Files\\Creative\\Shared Files\\CTSched.exe"= "c:\\Program Files\\Creative\\Shared Files\\CamTray.exe"= "c:\\Program Files\\Adobe\\Acrobat 6.0 CE\\Reader\\AcroRd32.exe"= "c:\\Program Files\\OpenOffice.org 3\\program\\soffice.bin"= "c:\\WINDOWS\\system32\\wuauclt.exe"= "c:\\Program Files\\Java\\jre6\\bin\\jucheck.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Mozilla Firefox\\firefox.exe"= "c:\\Program Files\\Metin2_PL\\metin2.bin"= "c:\\Program Files\\Skype\\Phone\\Skype.exe"= "c:\\Program Files\\Tlen.pl\\tlen.exe"= "c:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"= "c:\\Program Files\\Nowe Gadu-Gadu\\gg.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "8461:TCP"= 8461:TCP:GoD High Port "8462:TCP"= 8462:TCP:GoD Low Port R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-03-12 64160] S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 1026896] S3 V0260VID;Live! Cam Vista IM;c:\windows\system32\drivers\V0260Vid.sys [2008-09-04 178913] --- Inne Usługi/Sterowniki w Pamięci --- *NewlyCreated* - ASC3360PR [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{079de855-3315-11de-8ce9-001a4d80ed78}] \shell\AuTopLAy\commaNd - G:\ackxu.exe \shell\AutoRun\command - G:\ackxu.exe \shell\EXplorE\CommAND - G:\ackxu.exe \shell\OpeN\CoMmAnD - G:\ackxu.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{082740ba-19e6-11de-8c49-001a4d80ed78}] \Shell\AutoRun\command - g:\system\S-1-5-21-1482476501-1644491937-682003330-1013\system32.exe \Shell\open\command - g:\system\S-1-5-21-1482476501-1644491937-682003330-1013\system32.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{135af8e2-139b-11de-8c2a-001a4d80ed78}] \Shell\AutoRun\command - G:\e.cmd \Shell\explore\Command - G:\e.cmd \Shell\open\Command - G:\e.cmd [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{135af8e3-139b-11de-8c2a-001a4d80ed78}] \Shell\AutoRun\command - H:\e.cmd \Shell\explore\Command - H:\e.cmd \Shell\open\Command - H:\e.cmd [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2b3f9a6e-22ad-11de-8c7d-001a4d80ed78}] \Shell\autoPlay\coMMaNd - G:\jujsrh.exe \Shell\AutoRun\command - G:\jujsrh.exe \Shell\eXPlORe\COmMand - G:\jujsrh.exe \Shell\opEN\coMmand - G:\jujsrh.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2c08dd56-3a46-11de-8d10-001a4d80ed78}] \shEll\autoPLay\commaNd - G:\odpvpn.pif \shEll\AutoRun\command - G:\odpvpn.pif \shEll\eXpLore\CommAnd - G:\odpvpn.pif \shEll\OPEn\cOmmANd - G:\odpvpn.pif [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{56c0ce2c-2525-11de-8c99-001a4d80ed78}] \Shell\AutoRun\command - G:\ej10fkdo.bat \Shell\open\Command - G:\ej10fkdo.bat [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{57f31abe-109b-11de-8c19-001a4d80ed78}] \Shell\AutoRun\command - G:\2u.com \Shell\explore\Command - G:\2u.com \Shell\open\Command - G:\2u.com [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6d1063b5-122d-11de-8c1b-001a4d80ed78}] \Shell\AutoRun\command - g:\system\S-1-5-21-1482476501-1644491937-682003330-1013\system32.exe \Shell\open\command - g:\system\S-1-5-21-1482476501-1644491937-682003330-1013\system32.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{76d32ffc-14a4-11de-8c31-001a4d80ed78}] \Shell\AUtopLAy\command - G:\aanm.exe \Shell\AutoRun\command - G:\aanm.exe \Shell\EXplOrE\cOmmanD - G:\aanm.exe \Shell\Open\CommaND - G:\aanm.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{84166de0-1211-11de-8c1a-001a4d80ed78}] \Shell\AutoRun\command - g:\system\S-1-5-21-1482476501-1644491937-682003330-1013\system32.exe \Shell\open\command - g:\system\S-1-5-21-1482476501-1644491937-682003330-1013\system32.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8b464230-1927-11de-8c42-001a4d80ed78}] \Shell\AutoRun\command - G:\em8tqm.cmd \Shell\open\Command - G:\em8tqm.cmd [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9ec43720-244b-11de-8c90-001a4d80ed78}] \sHeLL\AuToplay\cOmmaNd - G:\auvur.pif \sHeLL\AutoRun\command - G:\auvur.pif \sHeLL\expLoRE\coMmand - G:\auvur.pif \sHeLL\OpEn\CommanD - G:\auvur.pif [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9ec43721-244b-11de-8c90-001a4d80ed78}] \sHeLL\AuToplay\cOmmaNd - G:\auvur.pif \sHeLL\AutoRun\command - G:\auvur.pif \sHeLL\expLoRE\coMmand - G:\auvur.pif \sHeLL\OpEn\CommanD - G:\auvur.pif [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9fb72816-1854-11de-8c3d-001a4d80ed78}] \Shell\AutoRun\command - g:\system\S-1-5-21-1482476501-1644491937-682003330-1013\system32.exe \Shell\open\command - g:\system\S-1-5-21-1482476501-1644491937-682003330-1013\system32.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a02d759b-2a63-11de-8cb8-001a4d80ed78}] \shElL\autOplAY\commaNd - G:\vcmtdx.pif \shElL\AutoRun\command - G:\vcmtdx.pif \shElL\explore\ComMaNd - G:\vcmtdx.pif \shElL\opeN\CommAnD - G:\vcmtdx.pif [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ae1dd159-12d4-11de-8c1e-001a4d80ed78}] \Shell\AutoRun\command - g:\system\S-1-5-21-1482476501-1644491937-682003330-1013\system32.exe \Shell\open\command - G:\ [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b5dcbec1-316e-11de-8ce3-001a4d80ed78}] \ShEll\AUtOPLay\COMMAnd - H:\twpi.exe \ShEll\AutoRun\command - H:\twpi.exe \ShEll\expLore\CommaNd - H:\twpi.exe \ShEll\OpEn\COmmaNd - H:\twpi.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b6c57ec5-0f1a-11de-8c0c-001a4d80ed78}] \Shell\AutoRun\command - G:\LaunchU3.exe -a [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b6c57ec6-0f1a-11de-8c0c-001a4d80ed78}] \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe pagefile.sys.vbs [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bbe91b18-22c0-11de-8c7f-001a4d80ed78}] \Shell\AutoRun\command - g:\system\S-1-5-21-1482476501-1644491937-682003330-1013\system32.exe \Shell\open\command - g:\system\S-1-5-21-1482476501-1644491937-682003330-1013\system32.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c11b20ae-33e6-11de-8cf3-001a4d80ed78}] \shEll\AuTopLAY\COMmand - G:\ayxc.pif \shEll\AutoRun\command - G:\ayxc.pif \shEll\ExplOrE\CommANd - G:\ayxc.pif \shEll\open\Command - G:\ayxc.pif [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cacb2322-1de6-11de-8c5b-001a4d80ed78}] \Shell\AutoRun\command - I:\u.com \Shell\open\Command - I:\u.com [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ea7b85c0-1e0f-11de-8c5c-001a4d80ed78}] \Shell\AutoRun\command - G:\LaunchU3.exe -a [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ea7b85c1-1e0f-11de-8c5c-001a4d80ed78}] \Shell\AutoRun\command - H:\o3n9k.com \Shell\open\Command - H:\o3n9k.com [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f9dd1636-1d31-11de-8c57-001a4d80ed78}] \Shell\AutoRun\command - G:\LaunchU3.exe -a [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f9dd1638-1d31-11de-8c57-001a4d80ed78}] \Shell\AutoRun\command - i:\system\S-1-5-21-1482476501-1644491937-682003330-1013\system32.exe \Shell\open\command - i:\system\S-1-5-21-1482476501-1644491937-682003330-1013\system32.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f9dd1639-1d31-11de-8c57-001a4d80ed78}] \Shell\AutoRun\command - G:\[u]0[/u]bcobed.exe \Shell\open\Command - G:\[u]0[/u]bcobed.exe [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{28ABC5C0-4FCB-11CF-AAX5-21CX1C643131}] c:\system\S-1-5-21-1482476501-1644491937-682003330-1013\system32.exe . Zawartość folderu 'Zaplanowane zadania' 2009-04-20 c:\windows\Tasks\Ad-Aware Update (Weekly).job - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 08:43] . . ------- Skan uzupełniający ------- . uStart Page = hxxp://www.google.pl/firefox mStart Page = hxxp://www.yahoo.com uInternet Connection Wizard,ShellNext = iexplore uInternet Settings,ProxyServer = 127.0.0.1:8080 uInternet Settings,ProxyOverride = local uSearchURL,(Default) = hxxp://www.google.com/search?q=%s DPF: {68282C51-9459-467B-95BF-3C0E89627E55} - hxxp://www.mks.com.pl/skaner/SkanerOnline.cab FF - ProfilePath - c:\documents and settings\admin\Dane aplikacji\Mozilla\Firefox\Profiles\nv9uoa91.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.google.pl/ . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-05-06 20:55 Windows 5.1.2600 Dodatek Service Pack 3 NTFS skanowanie ukrytych procesów ... skanowanie ukrytych wpisów autostartu ... skanowanie ukrytych plików ... skanowanie pomyślnie ukończone ukryte pliki: 0 ************************************************************************** . ------------------------ Pozostałe uruchomione procesy ------------------------ . c:\program files\Java\jre6\bin\jqs.exe c:\windows\system32\nvsvc32.exe c:\windows\system32\wbem\wmiapsrv.exe . ************************************************************************** . Czas ukończenia: 2009-05-06 20:57 - komputer został uruchomiony ponownie ComboFix-quarantined-files.txt 2009-05-06 18:57 ComboFix2.txt 2009-05-06 17:16 Przed: 24,224,706,560 bajtów wolnych Po: 24,216,272,896 bajtów wolnych 297 --- E O F --- 2009-04-15 13:12

oraz z HiJackthis

Kod: Zaznacz wszystko: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 20:43, on 2009-05-06 Platform: Windows XP Dodatek SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Creative\Shared Files\CTSched.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\Program Files\Creative\Shared Files\CamTray.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\wbem\wmiapsrv.exe C:\DOCUME~1\admin\USTAWI~1\Temp\hwits.exe C:\DOCUME~1\admin\USTAWI~1\Temp\jayu.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Documents and Settings\admin\Pulpit\HiJackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/firefox R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [CreativeTaskScheduler] "C:\Program Files\Creative\Shared Files\CTSched.exe" /logon O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon O4 - HKCU\..\Run: [Creative WebCam Tray] "C:\Program Files\Creative\Shared Files\CamTray.exe" O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe -- End of file - 4434 bytes

Moja wiara jest ogromna, że coś poradzisz!? :ok:

**Posty:** 18165 · przez **wojtas** 06 Maj 2009, 23:25

Otworz notatnik i wklej w nim to:

File::
C:\cqxj.exe
d:\cqxj.exe
e:\cqxj.exe
C:\0bcobed.exe
d:\0bcobed.exe
e:\0bcobed.exe
C:\DOCUME~1\admin\USTAWI~1\Temp\hwits.exe
C:\DOCUME~1\admin\USTAWI~1\Temp\jayu.exe

Folder::
C:\DOCUME~1\admin\USTAWI~1\Temp

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{079de855-3315-11de-8ce9-001a4d80ed78}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{082740ba-19e6-11de-8c49-001a4d80ed78}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{135af8e2-139b-11de-8c2a-001a4d80ed78}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{135af8e3-139b-11de-8c2a-001a4d80ed78}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2b3f9a6e-22ad-11de-8c7d-001a4d80ed78}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2c08dd56-3a46-11de-8d10-001a4d80ed78}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{56c0ce2c-2525-11de-8c99-001a4d80ed78}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{57f31abe-109b-11de-8c19-001a4d80ed78}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6d1063b5-122d-11de-8c1b-001a4d80ed78}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{76d32ffc-14a4-11de-8c31-001a4d80ed78}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{84166de0-1211-11de-8c1a-001a4d80ed78}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8b464230-1927-11de-8c42-001a4d80ed78}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9ec43720-244b-11de-8c90-001a4d80ed78}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9ec43721-244b-11de-8c90-001a4d80ed78}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9fb72816-1854-11de-8c3d-001a4d80ed78}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a02d759b-2a63-11de-8cb8-001a4d80ed78}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ae1dd159-12d4-11de-8c1e-001a4d80ed78}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b5dcbec1-316e-11de-8ce3-001a4d80ed78}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b6c57ec6-0f1a-11de-8c0c-001a4d80ed78}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bbe91b18-22c0-11de-8c7f-001a4d80ed78}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c11b20ae-33e6-11de-8cf3-001a4d80ed78}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cacb2322-1de6-11de-8c5b-001a4d80ed78}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ea7b85c1-1e0f-11de-8c5c-001a4d80ed78}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f9dd1638-1d31-11de-8c57-001a4d80ed78}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f9dd1639-1d31-11de-8c57-001a4d80ed78}]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{28ABC5C0-4FCB-11CF-AAX5-21CX1C643131}]

>>Plik>>Zapisz jako... >>> CFScript
Przeciągnij i upuść plik CFScript.txt na plik ComboFix.exe
-->

Ma się rozpocząć usuwanie. (i powstanie log).Daj ten log, który powstanie w trakcie usuwania.

**Posty:** 190 · przez **mirekg1963** 07 Maj 2009, 17:09

Witam, grzeczniutko odpowiadam na Twoje sugestie i prędziutko bez zbędnych "coś tam, coś tam" wklejam log

Kod: Zaznacz wszystko: File:: C:\cqxj.exe d:\cqxj.exe e:\cqxj.exe C:\0bcobed.exe d:\0bcobed.exe e:\0bcobed.exe C:\DOCUME~1\admin\USTAWI~1\Temp\hwits.exe C:\DOCUME~1\admin\USTAWI~1\Temp\jayu.exe Folder:: C:\DOCUME~1\admin\USTAWI~1\Temp Registry:: [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{079de855-3315-11de-8ce9-001a4d80ed78}] [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{082740ba-19e6-11de-8c49-001a4d80ed78}] [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{135af8e2-139b-11de-8c2a-001a4d80ed78}] [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{135af8e3-139b-11de-8c2a-001a4d80ed78}] [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2b3f9a6e-22ad-11de-8c7d-001a4d80ed78}] [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2c08dd56-3a46-11de-8d10-001a4d80ed78}] [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{56c0ce2c-2525-11de-8c99-001a4d80ed78}] [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{57f31abe-109b-11de-8c19-001a4d80ed78}] [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6d1063b5-122d-11de-8c1b-001a4d80ed78}] [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{76d32ffc-14a4-11de-8c31-001a4d80ed78}] [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{84166de0-1211-11de-8c1a-001a4d80ed78}] [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8b464230-1927-11de-8c42-001a4d80ed78}] [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9ec43720-244b-11de-8c90-001a4d80ed78}] [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9ec43721-244b-11de-8c90-001a4d80ed78}] [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9fb72816-1854-11de-8c3d-001a4d80ed78}] [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a02d759b-2a63-11de-8cb8-001a4d80ed78}] [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ae1dd159-12d4-11de-8c1e-001a4d80ed78}] [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b5dcbec1-316e-11de-8ce3-001a4d80ed78}] [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b6c57ec6-0f1a-11de-8c0c-001a4d80ed78}] [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bbe91b18-22c0-11de-8c7f-001a4d80ed78}] [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c11b20ae-33e6-11de-8cf3-001a4d80ed78}] [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cacb2322-1de6-11de-8c5b-001a4d80ed78}] [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ea7b85c1-1e0f-11de-8c5c-001a4d80ed78}] [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f9dd1638-1d31-11de-8c57-001a4d80ed78}] [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f9dd1639-1d31-11de-8c57-001a4d80ed78}] [-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{28ABC5C0-4FCB-11CF-AAX5-21CX1C643131}]

Jak zwykle pozdrawiam i czekam z niecierpliwością na wyrok!

Dodano Dzisiaj, 17:52:
Aloha! Mam wrażenie, że cos jest nie tak (może być to tylko wrażenie). Kiedy upuszczam CFScripta na combofixa nie następuje (tak jak mi się wydaje że kiedyś miałem) od razu jakaś reakcja tylko pokazuje sie komunikat czy uruchomić program? No ale ja taki trochę nieczytaty i niepisaty to sie może nie znam. Daje powstały log

Kod: Zaznacz wszystko: ComboFix 09-05-07.01 - admin 2009-05-07 18:42.5 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.3.1250.1.1045.18.447.241 [GMT 2:00] Uruchomiony z: c:\documents and settings\admin\Pulpit\ComboFix.exe Użyto następujących komend :: c:\documents and settings\admin\Pulpit\CFScript.txt FILE :: C:\[u]0[/u]bcobed.exe C:\cqxj.exe c:\docume~1\admin\USTAWI~1\Temp\hwits.exe c:\docume~1\admin\USTAWI~1\Temp\jayu.exe d:\[u]0[/u]bcobed.exe d:\cqxj.exe e:\[u]0[/u]bcobed.exe e:\cqxj.exe . ((((((((((((((((((((((((((((((((((((((( Usunięto ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\docume~1\admin\USTAWI~1\Temp c:\docume~1\admin\USTAWI~1\Temp\Av-test.txt c:\docume~1\admin\USTAWI~1\Temp\hfvvn.exe c:\docume~1\admin\USTAWI~1\Temp\jusched.log c:\docume~1\admin\USTAWI~1\Temp\winxrbg.exe . ((((((((((((((((((((((((((((((((((((((( Sterowniki/Usługi ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_ASC3360PR -------\Service_asc3360pr ((((((((((((((((((((((((( Pliki utworzone od 2009-04-07 do 2009-05-07 ))))))))))))))))))))))))))))))) . 2009-05-06 18:46 . 2008-11-06 00:03 -------- d-----w C:\SDFix 2009-05-06 16:18 . 2009-05-06 16:26 -------- d-----w c:\program files\SkanerOnline 2009-04-27 18:21 . 2009-04-27 18:21 -------- d-----w c:\program files\Nowe Gadu-Gadu 2009-04-27 13:26 . 2009-05-05 13:17 -------- d-----w c:\documents and settings\admin\Dane aplikacji\Nowe Gadu-Gadu 2009-04-27 12:19 . 2009-04-27 12:19 -------- d-----w c:\program files\Ashampoo 2009-04-25 08:22 . 2009-04-25 08:22 -------- d-----w c:\documents and settings\xxx 2009-04-25 08:19 . 2001-08-18 04:36 8192 -c--a-w c:\windows\system32\dllcache\kbdkor.dll 2009-04-25 08:19 . 2001-08-18 04:36 8192 ----a-w c:\windows\system32\kbdkor.dll 2009-04-25 08:19 . 2001-08-17 20:55 6144 -c--a-w c:\windows\system32\dllcache\kbd101c.dll 2009-04-25 08:19 . 2001-08-17 20:55 5632 -c--a-w c:\windows\system32\dllcache\kbd103.dll 2009-04-25 08:19 . 2001-08-18 04:36 8704 -c--a-w c:\windows\system32\dllcache\kbdjpn.dll 2009-04-25 08:19 . 2001-08-17 20:55 6144 ----a-w c:\windows\system32\kbd101c.dll 2009-04-25 08:19 . 2001-08-17 20:55 5632 ----a-w c:\windows\system32\kbd103.dll 2009-04-25 08:19 . 2001-08-18 04:36 8704 ----a-w c:\windows\system32\kbdjpn.dll 2009-04-25 08:19 . 2001-08-17 20:55 6144 -c--a-w c:\windows\system32\dllcache\kbd101b.dll 2009-04-25 08:19 . 2001-08-17 20:55 6144 ----a-w c:\windows\system32\kbd101b.dll 2009-04-25 08:19 . 2008-04-14 17:09 6144 -c--a-w c:\windows\system32\dllcache\kbd106.dll 2009-04-25 08:19 . 2008-04-14 17:09 6144 ----a-w c:\windows\system32\kbd106.dll 2009-04-24 18:29 . 2009-04-24 18:29 -------- d-----w c:\documents and settings\admin\Dane aplikacji\Tlen.pl 2009-04-24 18:29 . 2009-04-24 18:29 -------- d-----w c:\documents and settings\All Users\Dane aplikacji\Tlen.pl 2009-04-24 18:28 . 2009-04-24 18:29 -------- d-----w c:\program files\Tlen.pl 2009-04-20 10:58 . 2009-04-25 08:57 -------- d-----w c:\documents and settings\admin\Dane aplikacji\Skype 2009-04-20 10:58 . 2009-04-20 10:58 -------- d-----w c:\documents and settings\admin\Ustawienia lokalne\Dane aplikacji\Google 2009-04-20 10:57 . 2009-04-20 10:57 -------- d-----w c:\program files\Skype 2009-04-20 10:57 . 2009-04-20 10:57 -------- d-----w c:\program files\Common Files\Skype 2009-04-18 10:05 . 2009-04-18 10:05 -------- d-----w c:\documents and settings\admin\Dane aplikacji\.clamwin 2009-04-18 10:05 . 2009-05-06 18:40 -------- d-----w c:\program files\ClamWin 2009-04-18 10:05 . 2009-04-18 10:05 -------- d-----w c:\documents and settings\All Users\.clamwin 2009-04-15 07:41 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe 2009-04-15 07:41 . 2009-03-06 14:22 285696 -c----w c:\windows\system32\dllcache\pdh.dll 2009-04-15 07:41 . 2009-02-09 11:25 111104 -c----w c:\windows\system32\dllcache\services.exe 2009-04-15 07:41 . 2009-02-09 10:53 401408 -c----w c:\windows\system32\dllcache\rpcss.dll 2009-04-15 07:41 . 2009-02-09 10:53 473600 -c----w c:\windows\system32\dllcache\fastprox.dll 2009-04-15 07:41 . 2009-02-09 10:53 686592 -c----w c:\windows\system32\dllcache\advapi32.dll 2009-04-15 07:41 . 2009-02-09 10:53 731136 -c----w c:\windows\system32\dllcache\lsasrv.dll 2009-04-15 07:41 . 2009-02-09 10:53 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll 2009-04-15 07:41 . 2009-02-09 10:53 722944 -c----w c:\windows\system32\dllcache\ntdll.dll 2009-04-15 07:40 . 2008-04-21 21:16 218112 -c----w c:\windows\system32\dllcache\wordpad.exe 2009-04-10 17:08 . 2009-04-10 17:08 -------- d-----w c:\windows\system32\pl-pl 2009-04-10 17:08 . 2009-04-10 17:08 -------- d-----w c:\windows\l2schemas 2009-04-10 17:08 . 2009-04-10 17:08 -------- d-----w c:\windows\system32\pl 2009-04-10 17:08 . 2009-04-10 17:08 -------- d-----w c:\windows\system32\bits 2009-04-10 17:05 . 2009-04-10 17:08 -------- d-----w c:\windows\ServicePackFiles 2009-04-10 17:01 . 2009-04-10 17:01 -------- d-----w c:\windows\EHome 2009-04-08 08:32 . 2009-04-08 08:32 1060864 ----a-w c:\windows\system32\MFC71.dll 2009-04-08 08:32 . 2009-04-08 08:32 499712 ----a-w c:\windows\system32\msvcp71.dll 2009-04-08 08:32 . 2009-04-08 08:32 348160 ----a-w c:\windows\system32\msvcr71.dll 2009-04-07 19:08 . 2004-08-03 21:41 180360 ------w c:\windows\system32\drivers\ntmtlfax.sys 2009-04-07 19:07 . 2008-04-14 17:21 20992 ------w c:\windows\system32\faxpatch.exe . (((((((((((((((((((((((((((((((((((((((( Sekcja Find3M )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-05-02 08:43 . 2009-03-12 19:09 15688 ----a-w c:\windows\system32\lsdelete.exe 2009-04-27 16:43 . 2008-09-04 11:41 -------- d-----w c:\program files\Gadu-Gadu 2009-04-27 09:40 . 2009-03-19 12:51 -------- d-----w c:\program files\Google 2009-04-25 09:46 . 2009-03-19 12:44 -------- d-----w c:\program files\Tibia 2009-04-25 08:18 . 2009-03-17 17:06 17280 ----a-w c:\documents and settings\admin\Ustawienia lokalne\Dane aplikacji\GDIPFONTCACHEV1.DAT 2009-04-23 11:07 . 2009-03-12 15:50 -------- d-----w c:\program files\Metin2_PL 2009-04-17 12:40 . 2006-03-02 12:00 49712 ----a-w c:\windows\system32\perfc015.dat 2009-04-17 12:40 . 2006-03-02 12:00 355830 ----a-w c:\windows\system32\perfh015.dat 2009-04-16 10:09 . 2009-03-12 15:40 -------- d-----w c:\program files\Valve 2009-04-10 17:10 . 2008-09-04 10:55 76487 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat 2009-03-30 16:21 . 2009-03-12 15:36 -------- d-----w c:\program files\Odkurzacz 2009-03-24 17:46 . 2009-03-24 17:45 -------- d-----w c:\program files\Common Files\Adobe 2009-03-13 18:05 . 2009-03-13 18:05 56 ---ha-w c:\windows\system32\ezsidmv.dat 2009-03-12 17:20 . 2009-03-12 17:21 410984 ----a-w c:\windows\system32\deploytk.dll 2009-03-12 17:20 . 2008-09-04 11:39 -------- d-----w c:\program files\Java 2009-03-12 16:00 . 2009-03-12 16:00 0 ----a-w c:\windows\nsreg.dat 2009-03-12 15:40 . 2008-09-04 11:07 -------- d--h--w c:\program files\InstallShield Installation Information 2009-03-12 15:34 . 2009-03-12 15:34 64160 ----a-w c:\windows\system32\drivers\Lbd.sys 2009-03-12 15:32 . 2009-03-12 15:32 -------- d-----w c:\program files\Lavasoft 2009-03-12 15:27 . 2009-03-12 15:27 -------- d-----w c:\program files\OpenOffice.org 3 2009-03-06 14:22 . 2006-03-02 12:00 285696 ----a-w c:\windows\system32\pdh.dll 2009-02-20 08:12 . 2006-03-02 12:00 668672 ----a-w c:\windows\system32\wininet.dll 2009-02-20 08:11 . 2006-03-02 12:00 81920 ----a-w c:\windows\system32\ieencode.dll 2009-02-10 17:09 . 2004-08-04 00:38 2067328 ----a-w c:\windows\system32\ntkrnlpa.exe 2009-02-09 14:07 . 2006-03-02 12:00 1847040 ----a-w c:\windows\system32\win32k.sys 2009-02-09 11:26 . 2006-03-02 12:00 2190336 ----a-w c:\windows\system32\ntoskrnl.exe 2009-02-09 11:25 . 2006-03-02 12:00 111104 ----a-w c:\windows\system32\services.exe 2009-02-09 10:53 . 2006-03-02 12:00 731136 ----a-w c:\windows\system32\lsasrv.dll 2009-02-09 10:53 . 2006-03-02 12:00 686592 ----a-w c:\windows\system32\advapi32.dll 2009-02-09 10:53 . 2006-03-02 12:00 401408 ----a-w c:\windows\system32\rpcss.dll 2009-02-09 10:53 . 2006-03-02 12:00 722944 ----a-w c:\windows\system32\ntdll.dll . ((((((((((((((((((((((((((((( SnapShot@2009-05-07_15.03.32 ))))))))))))))))))))))))))))))))))))))))) . + 2009-05-07 16:44 . 2009-05-07 16:44 16384 c:\windows\Temp\Perflib_Perfdata_200.dat . ((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Creative WebCam Tray"="c:\program files\Creative\Shared Files\CamTray.exe" [2005-10-27 368640] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-31 7634944] "CreativeTaskScheduler"="c:\program files\Creative\Shared Files\CTSched.exe" [2006-01-09 127068] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-12 214424] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer] "NoResolveTrack"= 1 (0x1) [HKLM\~\startupfolder\C:^Documents and Settings^admin^Menu Start^Programy^Autostart^OpenOffice.org 3.0.lnk] path=c:\documents and settings\admin\Menu Start\Programy\Autostart\OpenOffice.org 3.0.lnk backup=c:\windows\pss\OpenOffice.org 3.0.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusOverride"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Valve\\hl.exe"= "c:\\Program Files\\Lavasoft\\Ad-Aware\\AAWTray.exe"= "c:\\Program Files\\Lavasoft\\Ad-Aware\\Ad-AwareAdmin.exe"= "c:\\Program Files\\Creative\\Shared Files\\CTSched.exe"= "c:\\Program Files\\Creative\\Shared Files\\CamTray.exe"= "c:\\Program Files\\Adobe\\Acrobat 6.0 CE\\Reader\\AcroRd32.exe"= "c:\\Program Files\\OpenOffice.org 3\\program\\soffice.bin"= "c:\\WINDOWS\\system32\\wuauclt.exe"= "c:\\Program Files\\Java\\jre6\\bin\\jucheck.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Mozilla Firefox\\firefox.exe"= "c:\\Program Files\\Metin2_PL\\metin2.bin"= "c:\\Program Files\\Skype\\Phone\\Skype.exe"= "c:\\Program Files\\Tlen.pl\\tlen.exe"= "c:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"= "c:\\Program Files\\Nowe Gadu-Gadu\\gg.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "8461:TCP"= 8461:TCP:GoD High Port "8462:TCP"= 8462:TCP:GoD Low Port R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-03-12 64160] S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 1026896] S3 V0260VID;Live! Cam Vista IM;c:\windows\system32\drivers\V0260Vid.sys [2008-09-04 178913] --- Inne Usługi/Sterowniki w Pamięci --- *NewlyCreated* - ASC3360PR [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b6c57ec5-0f1a-11de-8c0c-001a4d80ed78}] \Shell\AutoRun\command - G:\LaunchU3.exe -a [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ea7b85c0-1e0f-11de-8c5c-001a4d80ed78}] \Shell\AutoRun\command - G:\LaunchU3.exe -a [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f9dd1636-1d31-11de-8c57-001a4d80ed78}] \Shell\AutoRun\command - G:\LaunchU3.exe -a . Zawartość folderu 'Zaplanowane zadania' 2009-04-20 c:\windows\Tasks\Ad-Aware Update (Weekly).job - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 08:43] . . ------- Skan uzupełniający ------- . uStart Page = hxxp://www.google.pl/firefox mStart Page = hxxp://www.yahoo.com uInternet Connection Wizard,ShellNext = iexplore uInternet Settings,ProxyServer = 127.0.0.1:8080 uInternet Settings,ProxyOverride = local uSearchURL,(Default) = hxxp://www.google.com/search?q=%s DPF: {68282C51-9459-467B-95BF-3C0E89627E55} - hxxp://www.mks.com.pl/skaner/SkanerOnline.cab FF - ProfilePath - c:\documents and settings\admin\Dane aplikacji\Mozilla\Firefox\Profiles\nv9uoa91.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.google.pl/ . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-05-07 18:44 Windows 5.1.2600 Dodatek Service Pack 3 NTFS skanowanie ukrytych procesów ... skanowanie ukrytych wpisów autostartu ... skanowanie ukrytych plików ... skanowanie pomyślnie ukończone ukryte pliki: 0 ************************************************************************** . ------------------------ Pozostałe uruchomione procesy ------------------------ . c:\program files\Java\jre6\bin\jqs.exe c:\windows\system32\nvsvc32.exe c:\windows\system32\wbem\wmiapsrv.exe . ************************************************************************** . Czas ukończenia: 2009-05-07 18:46 - komputer został uruchomiony ponownie ComboFix-quarantined-files.txt 2009-05-07 16:46 ComboFix2.txt 2009-05-07 15:05 Przed: 24,234,569,728 bajtów wolnych Po: 24,223,760,384 bajtów wolnych 210 --- E O F --- 2009-04-15 13:12

Czuwaj!

**Posty:** 18165 · przez **wojtas** 07 Maj 2009, 19:11

1. Ściągnij OTMoveIt i go włacz i odpal go z opcji CleanUp

oraz skasuj folder C:\Qoobox
2. wykonaj optymalizację windowsa
3.sciagnij ATF_Cleaner
zaznacz
Windows Temp
All users Temp
Temporary internet files
Recycle Bin
i wcisnij EMPTY SELECTED
4.Wyłącz przywracanie systemu ( właściwości mój komputer-zakładka przywracanie - wyłącz przywracanie na wszystkich dyskach). Po chwili włącz je powrotem
5. Wykonaj skan Dr. Web CureIt
6. Przeskanuj obszar mojego komputera http://www.kaspersky.pl/virusscanner.html (uruchom przez IE) Daj raport z niego na forum.

i tym:

FixIEDef.

**Posty:** 190 · przez **mirekg1963** 07 Maj 2009, 20:36

Niestety ATF_Cleaner i Dr. Web Curelt nie mogły wystartować nawet

Natomiast przeskanowałem i log wklejam

Kod: Zaznacz wszystko: ******************************************************************************** * * * FixIEDef Log * * Version 1.7.22.7514 * * * ******************************************************************************** Created at 20:30:56 on Thursday, May 07, 2009 Time Zone : Logged On User : admin Operating System : Microsoft Windows XP Home Edition Dodatek Service Pack 3 OS Architecture : X86 System Langauge : Polish Keyboard Layout : Polish Processor : X64 AMD Sempron(tm) Processor 3400+ System Drive : C:\ Windows Directory : C:\WINDOWS System Directory : C:\WINDOWS\system32 System Drive Type : Fixed System Drive Status : READY System Drive Label : System Drive Size : 30 GB System Drive Free : 23.03 GB Total Physical Memory: 447 MB Free Physical Memory : 217 MB Total Page File : 447 MB Free Page File : 876 MB Total Virtual Memory : 2048 MB Free Virtual Memory : 1965 MB Boot State : Normal boot -------------------------------------------------------------------------------- !!! userinit.exe is Clean !!! -------------------------------------------------------------------------------- !!! Files that have been deleted !!! No malicious files found -------------------------------------------------------------------------------- !!! Directories that have been removed !!! No malicious directories to be removed -------------------------------------------------------------------------------- !!! Registry entries that have been removed !!! No malicious Registry entries found ================================================================================ All Done :) ShadowPuterDude Safe Surfing!!!

Ale coś czuje że bez formatu się nie obejdzie, a miała być walka do końca sciana

**Posty:** 18165 · przez **wojtas** 07 Maj 2009, 21:46

no a kasper?

**Posty:** 190 · przez **mirekg1963** 08 Maj 2009, 17:21

nie ruszył!!

**Posty:** 8001 · przez **Okocza** 08 Maj 2009, 17:54

mirekg1963, daj log z combo nowy...

**Posty:** 190 · przez **mirekg1963** 08 Maj 2009, 18:12

Witojcie! Podaje log aktualny z combofixa

Kod: Zaznacz wszystko: ComboFix 09-05-07.A01 - admin 2009-05-08 18:03.6 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.3.1250.1.1045.18.447.220 [GMT 2:00] Uruchomiony z: c:\documents and settings\admin\Pulpit\ComboFix.exe . ((((((((((((((((((((((((((((((((((((((( Usunięto ))))))))))))))))))))))))))))))))))))))))))))))))) . D:\m9ma.exe E:\m9ma.exe . ((((((((((((((((((((((((((((((((((((((( Sterowniki/Usługi ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_ASC3360PR -------\Service_asc3360pr ((((((((((((((((((((((((( Pliki utworzone od 2009-04-08 do 2009-05-08 ))))))))))))))))))))))))))))))) . 2009-05-07 18:30 . 2009-05-07 18:30 -------- d-----w C:\ERDNT 2009-05-07 18:30 . 2009-05-07 18:30 -------- d-----w c:\windows\ERUNT 2009-05-07 18:30 . 2009-05-07 18:30 -------- d-----w C:\!FixIEDef 2009-05-06 16:18 . 2009-05-06 16:26 -------- d-----w c:\program files\SkanerOnline 2009-04-27 18:21 . 2009-04-27 18:21 -------- d-----w c:\program files\Nowe Gadu-Gadu 2009-04-27 13:26 . 2009-05-08 14:19 -------- d-----w c:\documents and settings\admin\Dane aplikacji\Nowe Gadu-Gadu 2009-04-27 12:19 . 2009-04-27 12:19 -------- d-----w c:\program files\Ashampoo 2009-04-25 08:22 . 2009-04-25 08:22 -------- d-----w c:\documents and settings\xxx 2009-04-25 08:19 . 2001-08-18 04:36 8192 -c--a-w c:\windows\system32\dllcache\kbdkor.dll 2009-04-25 08:19 . 2001-08-18 04:36 8192 ----a-w c:\windows\system32\kbdkor.dll 2009-04-25 08:19 . 2001-08-17 20:55 6144 -c--a-w c:\windows\system32\dllcache\kbd101c.dll 2009-04-25 08:19 . 2001-08-17 20:55 5632 -c--a-w c:\windows\system32\dllcache\kbd103.dll 2009-04-25 08:19 . 2001-08-18 04:36 8704 -c--a-w c:\windows\system32\dllcache\kbdjpn.dll 2009-04-25 08:19 . 2001-08-17 20:55 6144 ----a-w c:\windows\system32\kbd101c.dll 2009-04-25 08:19 . 2001-08-17 20:55 5632 ----a-w c:\windows\system32\kbd103.dll 2009-04-25 08:19 . 2001-08-18 04:36 8704 ----a-w c:\windows\system32\kbdjpn.dll 2009-04-25 08:19 . 2001-08-17 20:55 6144 -c--a-w c:\windows\system32\dllcache\kbd101b.dll 2009-04-25 08:19 . 2001-08-17 20:55 6144 ----a-w c:\windows\system32\kbd101b.dll 2009-04-25 08:19 . 2008-04-14 17:09 6144 -c--a-w c:\windows\system32\dllcache\kbd106.dll 2009-04-25 08:19 . 2008-04-14 17:09 6144 ----a-w c:\windows\system32\kbd106.dll 2009-04-24 18:29 . 2009-04-24 18:29 -------- d-----w c:\documents and settings\admin\Dane aplikacji\Tlen.pl 2009-04-24 18:29 . 2009-04-24 18:29 -------- d-----w c:\documents and settings\All Users\Dane aplikacji\Tlen.pl 2009-04-24 18:28 . 2009-04-24 18:29 -------- d-----w c:\program files\Tlen.pl 2009-04-20 10:58 . 2009-05-08 13:40 -------- d-----w c:\documents and settings\admin\Dane aplikacji\Skype 2009-04-20 10:58 . 2009-04-20 10:58 -------- d-----w c:\documents and settings\admin\Ustawienia lokalne\Dane aplikacji\Google 2009-04-20 10:57 . 2009-04-20 10:57 -------- d-----w c:\program files\Skype 2009-04-20 10:57 . 2009-04-20 10:57 -------- d-----w c:\program files\Common Files\Skype 2009-04-18 10:05 . 2009-04-18 10:05 -------- d-----w c:\documents and settings\admin\Dane aplikacji\.clamwin 2009-04-18 10:05 . 2009-05-06 18:40 -------- d-----w c:\program files\ClamWin 2009-04-18 10:05 . 2009-04-18 10:05 -------- d-----w c:\documents and settings\All Users\.clamwin 2009-04-15 07:41 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe 2009-04-15 07:41 . 2009-03-06 14:22 285696 -c----w c:\windows\system32\dllcache\pdh.dll 2009-04-15 07:41 . 2009-02-09 11:25 111104 -c----w c:\windows\system32\dllcache\services.exe 2009-04-15 07:41 . 2009-02-09 10:53 401408 -c----w c:\windows\system32\dllcache\rpcss.dll 2009-04-15 07:41 . 2009-02-09 10:53 473600 -c----w c:\windows\system32\dllcache\fastprox.dll 2009-04-15 07:41 . 2009-02-09 10:53 686592 -c----w c:\windows\system32\dllcache\advapi32.dll 2009-04-15 07:41 . 2009-02-09 10:53 731136 -c----w c:\windows\system32\dllcache\lsasrv.dll 2009-04-15 07:41 . 2009-02-09 10:53 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll 2009-04-15 07:41 . 2009-02-09 10:53 722944 -c----w c:\windows\system32\dllcache\ntdll.dll 2009-04-15 07:40 . 2008-04-21 21:16 218112 -c----w c:\windows\system32\dllcache\wordpad.exe 2009-04-10 17:08 . 2009-04-10 17:08 -------- d-----w c:\windows\system32\pl-pl 2009-04-10 17:08 . 2009-04-10 17:08 -------- d-----w c:\windows\l2schemas 2009-04-10 17:08 . 2009-04-10 17:08 -------- d-----w c:\windows\system32\pl 2009-04-10 17:08 . 2009-04-10 17:08 -------- d-----w c:\windows\system32\bits 2009-04-10 17:05 . 2009-04-10 17:08 -------- d-----w c:\windows\ServicePackFiles 2009-04-10 17:01 . 2009-04-10 17:01 -------- d-----w c:\windows\EHome . (((((((((((((((((((((((((((((((((((((((( Sekcja Find3M )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-05-06 16:48 . 2009-03-12 15:40 -------- d-----w c:\program files\Valve 2009-05-06 16:48 . 2009-03-19 12:44 -------- d-----w c:\program files\Tibia 2009-05-02 08:43 . 2009-03-12 19:09 15688 ----a-w c:\windows\system32\lsdelete.exe 2009-04-27 16:43 . 2008-09-04 11:41 -------- d-----w c:\program files\Gadu-Gadu 2009-04-27 09:40 . 2009-03-19 12:51 -------- d-----w c:\program files\Google 2009-04-25 08:18 . 2009-03-17 17:06 17280 ----a-w c:\documents and settings\admin\Ustawienia lokalne\Dane aplikacji\GDIPFONTCACHEV1.DAT 2009-04-23 11:07 . 2009-03-12 15:50 -------- d-----w c:\program files\Metin2_PL 2009-04-17 12:40 . 2006-03-02 12:00 49712 ----a-w c:\windows\system32\perfc015.dat 2009-04-17 12:40 . 2006-03-02 12:00 355830 ----a-w c:\windows\system32\perfh015.dat 2009-04-10 17:10 . 2008-09-04 10:55 76487 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat 2009-04-08 08:32 . 2009-04-08 08:32 499712 ----a-w c:\windows\system32\msvcp71.dll 2009-04-08 08:32 . 2009-04-08 08:32 348160 ----a-w c:\windows\system32\msvcr71.dll 2009-04-08 08:32 . 2009-04-08 08:32 1060864 ----a-w c:\windows\system32\MFC71.dll 2009-03-30 16:21 . 2009-03-12 15:36 -------- d-----w c:\program files\Odkurzacz 2009-03-24 17:46 . 2009-03-24 17:45 -------- d-----w c:\program files\Common Files\Adobe 2009-03-13 18:05 . 2009-03-13 18:05 56 ---ha-w c:\windows\system32\ezsidmv.dat 2009-03-12 17:20 . 2009-03-12 17:21 410984 ----a-w c:\windows\system32\deploytk.dll 2009-03-12 17:20 . 2008-09-04 11:39 -------- d-----w c:\program files\Java 2009-03-12 16:00 . 2009-03-12 16:00 0 ----a-w c:\windows\nsreg.dat 2009-03-12 15:40 . 2008-09-04 11:07 -------- d--h--w c:\program files\InstallShield Installation Information 2009-03-12 15:34 . 2009-03-12 15:34 64160 ----a-w c:\windows\system32\drivers\Lbd.sys 2009-03-12 15:32 . 2009-03-12 15:32 -------- d-----w c:\program files\Lavasoft 2009-03-12 15:27 . 2009-03-12 15:27 -------- d-----w c:\program files\OpenOffice.org 3 2009-03-06 14:22 . 2006-03-02 12:00 285696 ----a-w c:\windows\system32\pdh.dll 2009-02-20 08:12 . 2006-03-02 12:00 668672 ----a-w c:\windows\system32\wininet.dll 2009-02-20 08:11 . 2006-03-02 12:00 81920 ----a-w c:\windows\system32\ieencode.dll 2009-02-10 17:09 . 2004-08-04 00:38 2067328 ----a-w c:\windows\system32\ntkrnlpa.exe 2009-02-09 14:07 . 2006-03-02 12:00 1847040 ----a-w c:\windows\system32\win32k.sys 2009-02-09 11:26 . 2006-03-02 12:00 2190336 ----a-w c:\windows\system32\ntoskrnl.exe 2009-02-09 11:25 . 2006-03-02 12:00 111104 ----a-w c:\windows\system32\services.exe 2009-02-09 10:53 . 2006-03-02 12:00 731136 ----a-w c:\windows\system32\lsasrv.dll 2009-02-09 10:53 . 2006-03-02 12:00 686592 ----a-w c:\windows\system32\advapi32.dll 2009-02-09 10:53 . 2006-03-02 12:00 401408 ----a-w c:\windows\system32\rpcss.dll 2009-02-09 10:53 . 2006-03-02 12:00 722944 ----a-w c:\windows\system32\ntdll.dll . ((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Creative WebCam Tray"="c:\program files\Creative\Shared Files\CamTray.exe" [2005-10-27 368640] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-31 7634944] "CreativeTaskScheduler"="c:\program files\Creative\Shared Files\CTSched.exe" [2006-01-09 127068] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-12 214424] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer] "NoResolveTrack"= 1 (0x1) [HKLM\~\startupfolder\C:^Documents and Settings^admin^Menu Start^Programy^Autostart^OpenOffice.org 3.0.lnk] path=c:\documents and settings\admin\Menu Start\Programy\Autostart\OpenOffice.org 3.0.lnk backup=c:\windows\pss\OpenOffice.org 3.0.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusOverride"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Valve\\hl.exe"= "c:\\Program Files\\Lavasoft\\Ad-Aware\\AAWTray.exe"= "c:\\Program Files\\Lavasoft\\Ad-Aware\\Ad-AwareAdmin.exe"= "c:\\Program Files\\Creative\\Shared Files\\CTSched.exe"= "c:\\Program Files\\Creative\\Shared Files\\CamTray.exe"= "c:\\Program Files\\Adobe\\Acrobat 6.0 CE\\Reader\\AcroRd32.exe"= "c:\\Program Files\\OpenOffice.org 3\\program\\soffice.bin"= "c:\\WINDOWS\\system32\\wuauclt.exe"= "c:\\Program Files\\Java\\jre6\\bin\\jucheck.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Mozilla Firefox\\firefox.exe"= "c:\\Program Files\\Metin2_PL\\metin2.bin"= "c:\\Program Files\\Skype\\Phone\\Skype.exe"= "c:\\Program Files\\Tlen.pl\\tlen.exe"= "c:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"= "c:\\Program Files\\Nowe Gadu-Gadu\\gg.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "8461:TCP"= 8461:TCP:GoD High Port "8462:TCP"= 8462:TCP:GoD Low Port R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-03-12 64160] S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 1026896] S3 V0260VID;Live! Cam Vista IM;c:\windows\system32\drivers\V0260Vid.sys [2008-09-04 178913] --- Inne Usługi/Sterowniki w Pamięci --- *NewlyCreated* - ASC3360PR [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{685f5794-3bd6-11de-8d23-001a4d80ed78}] \shELL\auToplay\cOmmaND - G:\xidc.pif \shELL\AutoRun\command - G:\xidc.pif \shELL\explORe\commANd - G:\xidc.pif \shELL\oPEn\COmmand - G:\xidc.pif [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b6c57ec5-0f1a-11de-8c0c-001a4d80ed78}] \Shell\AutoRun\command - G:\LaunchU3.exe -a [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ea7b85c0-1e0f-11de-8c5c-001a4d80ed78}] \Shell\AutoRun\command - G:\LaunchU3.exe -a [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f9dd1636-1d31-11de-8c57-001a4d80ed78}] \Shell\AutoRun\command - G:\LaunchU3.exe -a . Zawartość folderu 'Zaplanowane zadania' 2009-04-20 c:\windows\Tasks\Ad-Aware Update (Weekly).job - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 08:43] . . ------- Skan uzupełniający ------- . uStart Page = hxxp://www.google.pl/firefox mStart Page = hxxp://www.yahoo.com uInternet Connection Wizard,ShellNext = iexplore uInternet Settings,ProxyServer = 127.0.0.1:8080 uInternet Settings,ProxyOverride = local uSearchURL,(Default) = hxxp://www.google.com/search?q=%s FF - ProfilePath - c:\documents and settings\admin\Dane aplikacji\Mozilla\Firefox\Profiles\nv9uoa91.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.google.pl/ . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-05-08 18:05 Windows 5.1.2600 Dodatek Service Pack 3 NTFS skanowanie ukrytych procesów ... skanowanie ukrytych wpisów autostartu ... skanowanie ukrytych plików ... skanowanie pomyślnie ukończone ukryte pliki: 0 ************************************************************************** . ------------------------ Pozostałe uruchomione procesy ------------------------ . c:\program files\Java\jre6\bin\jqs.exe c:\windows\system32\nvsvc32.exe c:\windows\system32\wbem\wmiapsrv.exe . ************************************************************************** . Czas ukończenia: 2009-05-08 18:08 - komputer został uruchomiony ponownie ComboFix-quarantined-files.txt 2009-05-08 16:07 Przed: 23,054,262,272 bajtów wolnych Po: 23,026,151,424 bajtów wolnych 196 --- E O F --- 2009-04-15 13:12

Dodam, że kasper z IE nie chciał wystartować tzn strona się w ogóle nie chciała otworzyć. To coś, co siedzi w tym kompie broni się bestia. Trzeba go czymś potraktować??