activexdebugger - sprawdzenie loga

[QuaD]

Witam. Mój komputer został zarażony tym wirusem, który roznosi się przez pendrive'y. Po zarażeniu jednak Kaspersky usunął te pliki:

- C:\WINDOWS\System32\PAC.EXE
- C:\Documents and Settings\QuaD\Ustawienia lokalne\Temp\NESNELER.EXE/PAC.EXE
- C:\WINDOWS\system32\activexdebugger32.exe
- I:\activexdebugger32.exe (z pendrive'a)

Niestety dyski twarde na komputerze dalej mam udostępnione i nie da się tego zmienić na stałe (udostępniono je w celach administracyjnych i po restarcie udostępnienie wraca). Na dysku zostały te pliki, które, jak przeczytałem też są związane z tym wirusem:

C:\WINDOWS\system\ACD2.CMD
C:\WINDOWS\system\ACD.CMD
C:\WINDOWS\system32\scrrntr.dll
C:\WINDOWS\system32\Ijl11.dll

Skanowałem je Kasperskym i Spy Terminatorem, jednak oba nic nie wykryły. Proszę więc o pomoc - co zrobić, aby naprawić komputer. Jeżeli mam jeszcze jakieś inne wirusy to też prosiłbym o info. Aha - szukałem na dysku C tego activexdebugger.exe i znalazło mi jakiś ACTIVEXDEBUGGER32.EXE-34ECA1F5.pf w folderze C:\WINDOWS|Prefetch - przeskanowałem Kasperskym i Spy Term., ale nic nie wykryło - czy ten plik jest niebezpieczny?

Podaję logi i z góry dzięki za pomoc:

Kod: Zaznacz wszystko

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:50:37, on 2007-08-12
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
D:\Programy\Kaspersky\avp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
D:\Programy\Sterowniki_mysz\Amoumain.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Programy\DAEMON\daemon.exe
D:\Programy\Ad-Aware 2007\aawservice.exe
D:\Programy\Strokeit\strokeit.exe
D:\Programy\BlueSoleil\BlueSoleil.exe
D:\Programy\ObjectDock\ObjectDock.exe
D:\Programy\Kaspersky\avp.exe
D:\Programy\BlueSoleil\BTNtService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
D:\Programy\Firefox\firefox.exe
D:\Programy\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - D:\Programy\FlashGet\jccatch.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\Programy\BitComet\tools\BitCometBHO_1.1.3.28.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - D:\Programy\FlashGet\getflash.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVP] "D:\Programy\Kaspersky\avp.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WheelMouse] d:\Programy\Sterowniki_mysz\Amoumain.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "D:\Programy\DAEMON\daemon.exe" -lang 1045
O4 - HKCU\..\Run: [StrokeIt] D:\Programy\Strokeit\strokeit.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Stardock ObjectDock.lnk = D:\Programy\ObjectDock\ObjectDock.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O8 - Extra context menu item: &Ściągnij przy pomocy FlashGet'a - D:\Programy\FlashGet\jc_link.htm
O8 - Extra context menu item: &Ściągnij wszystko przy pomocy FlashGet'a - D:\Programy\FlashGet\jc_all.htm
O8 - Extra context menu item: Dodaj do blokowanych banerów - D:\Programy\Kaspersky\ie_banner_deny.htm
O8 - Extra context menu item: Download all links using BitComet - res://D:\Programy\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all videos using BitComet - res://D:\Programy\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Download link using &BitComet - res://D:\Programy\BitComet\BitComet.exe/AddLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Statystyki ochrony WWW - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - D:\Programy\Kaspersky\scieplugin.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\Programy\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\Programy\FlashGet\FlashGet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: secuload.dll,D:\Programy\KASPER~1\adialhk.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Programy\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Kaspersky Lab - D:\Programy\Kaspersky\avp.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - D:\Programy\BlueSoleil\BTNtService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6311 bytes

Kod: Zaznacz wszystko

ComboFix 07-08-09.3 - "QuaD" 2007-08-12 19:54:49.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1250.1.1045.18.658 [GMT 2:00]
* Created a new restore point


(((((((((((((((((((((((((   Files Created from 2007-07-12 to 2007-08-12  )))))))))))))))))))))))))))))))


2007-08-12 19:53   51,200   --a------   C:\WINDOWS\nircmd.exe
2007-08-11 19:42   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\DANEAP~1\Spyware Terminator
2007-08-11 19:04   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\DANEAP~1\Lavasoft
2007-08-11 19:01   <DIR>   d--------   C:\Program Files\Common Files\Wise Installation Wizard
2007-08-11 18:01   52   --a------   C:\WINDOWS\system\ACD2.CMD
2007-08-11 18:01   52   --a------   C:\WINDOWS\system\ACD.CMD
2007-08-11 18:01   24,626   --a------   C:\WINDOWS\system32\scrrntr.dll
2007-08-11 18:01   180,224   --a------   C:\WINDOWS\system32\Ijl11.dll
2007-08-09 14:42   <DIR>   d--------   C:\Program Files\SilverSoft Ltd
2007-08-09 14:23   8,704   --a------   C:\WINDOWS\system32\drivers\Amfilter.sys
2007-08-09 14:23   36,864   --a------   C:\WINDOWS\system32\Amhooker.dll
2007-08-09 14:23   13,824   --a------   C:\WINDOWS\system32\drivers\Amps2prt.sys
2007-08-09 14:23   13,312   --a------   C:\WINDOWS\system32\drivers\Amusbprt.sys
2007-08-08 16:19   <DIR>   d--------   C:\WINDOWS\system32\appmgmt
2007-08-07 18:23   <DIR>   d--------   C:\WINDOWS\NV2060304.TMP
2007-08-05 22:55   <DIR>   d--------   C:\DOCUME~1\QuaD\DANEAP~1\Thunderbird
2007-08-05 22:55   <DIR>   d--------   C:\DOCUME~1\QuaD\DANEAP~1\Talkback
2007-08-05 17:18   <DIR>   d--------   C:\WINDOWS\pss
2007-08-05 13:50   43,520   --a------   C:\WINDOWS\system32\CmdLineExt03.dll
2007-08-04 11:13   546   --a------   C:\WINDOWS\eReg.dat
2007-07-22 16:28   <DIR>   d--------   C:\DOCUME~1\QuaD\DANEAP~1\vlc
2007-07-19 17:43   <DIR>   d--------   C:\WINDOWS\nview
2007-07-19 17:37   57,856   -ra------   C:\WINDOWS\system32\drivers\NVENETFD.sys
2007-07-19 17:37   35,840   -ra------   C:\WINDOWS\system32\nvconrm.dll
2007-07-19 17:37   261,632   -ra------   C:\WINDOWS\system32\drivers\nvsnpu.sys
2007-07-19 17:37   208,896   --a------   C:\WINDOWS\system32\nvunrm.exe
2007-07-19 17:37   201,728   -ra------   C:\WINDOWS\system32\fdco1ins.dll
2007-07-19 17:37   201,728   -ra------   C:\WINDOWS\system32\fdco1.dll
2007-07-19 17:37   20,480   -ra------   C:\WINDOWS\system32\drivers\nvnetbus.sys
2007-07-19 17:37   110,592   -ra------   C:\WINDOWS\system32\drivers\nvtcp.sys
2007-07-19 17:37   11,264   -ra------   C:\WINDOWS\system32\bdco1ins.dll
2007-07-19 17:37   11,264   -ra------   C:\WINDOWS\system32\bdco1.dll
2007-07-19 17:37   1,160,448   -ra------   C:\WINDOWS\system32\drivers\nvnrm.sys
2007-07-19 17:37   <DIR>   d--------   C:\WINDOWS\NV31523156.TMP
2007-07-19 17:34   43,520   --a------   C:\WINDOWS\system32\drivers\AmdK8.sys
2007-07-19 17:34   143,360   --a------   C:\WINDOWS\system32\RtlCPAPI.dll
2007-07-19 17:34   <DIR>   d----c---   C:\WINDOWS\system32\DRVSTORE
2007-07-19 17:34   <DIR>   d--------   C:\Program Files\DIFX
2007-07-19 17:32   69,632   --a------   C:\WINDOWS\Alcmtr.exe
2007-07-19 17:30   208,896   ---------   C:\WINDOWS\system32\nvuide.exe
2007-07-16 20:45   5,632   --a------   C:\WINDOWS\system32\ptpusb.dll
2007-07-16 20:45   159,232   --a------   C:\WINDOWS\system32\ptpusd.dll
2007-07-16 20:45   15,104   --a--c---   C:\WINDOWS\system32\dllcache\usbscan.sys
2007-07-16 20:45   15,104   --a------   C:\WINDOWS\system32\drivers\usbscan.sys
2007-07-12 18:33   81,920   --a------   C:\DOCUME~1\QuaD\DANEAP~1\ezpinst.exe
2007-07-12 18:33   719,872   --a------   C:\WINDOWS\system32\devil.dll
2007-07-12 18:33   47,360   --a------   C:\WINDOWS\system32\drivers\pcouffin.sys
2007-07-12 18:33   47,360   --a------   C:\DOCUME~1\QuaD\DANEAP~1\pcouffin.sys
2007-07-12 18:33   314,368   --a------   C:\WINDOWS\system32\avisynth.dll
2007-07-12 18:33   <DIR>   d--------   C:\DOCUME~1\QuaD\DANEAP~1\Vso


((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-12 19:59   8965408   --ahs----   C:\WINDOWS\system32\drivers\fidbox.dat
2007-08-12 19:59   241952   --ahs----   C:\WINDOWS\system32\drivers\fidbox2.dat
2007-08-11 22:21   22832   --ahs----   C:\WINDOWS\system32\drivers\fidbox2.idx
2007-08-11 22:21   120224   --ahs----   C:\WINDOWS\system32\drivers\fidbox.idx
2007-08-11 19:04   ---------   d--------   C:\DOCUME~1\QuaD\DANEAP~1\Lavasoft
2007-08-07 17:22   108144   --a------   C:\WINDOWS\system32\CmdLineExt.dll
2007-08-05 16:55   ---------   d--h-----   C:\Program Files\InstallShield Installation Information
2007-07-20 21:17   2880   --a------   C:\WINDOWS\mozver.dat
2007-07-20 17:21   82258   --a------   C:\WINDOWS\system32\drivers\klin.dat
2007-07-20 17:21   82258   --a------   C:\WINDOWS\system32\drivers\klick.dat
2007-07-19 17:39   49492   --a------   C:\WINDOWS\system32\perfc015.dat
2007-07-19 17:39   355486   --a------   C:\WINDOWS\system32\perfh015.dat
2007-07-19 17:32   ---------   d--------   C:\Program Files\Realtek
2007-06-29 00:43   8466432   --a------   C:\WINDOWS\system32\nvcpl.dll
2007-06-29 00:43   81920   --a------   C:\WINDOWS\system32\nvwddi.dll
2007-06-29 00:43   81920   --a------   C:\WINDOWS\system32\nvmctray.dll
2007-06-29 00:43   753664   --a------   C:\WINDOWS\system32\nvcplui.exe
2007-06-29 00:43   6807328   --a--c---   C:\WINDOWS\system32\dllcache\nv4_mini.sys
2007-06-29 00:43   6807328   --a------   C:\WINDOWS\system32\drivers\nv4_mini.sys
2007-06-29 00:43   6729728   --a------   C:\WINDOWS\system32\nvoglnt.dll
2007-06-29 00:43   6234112   --a------   C:\WINDOWS\system32\nvdisps.dll
2007-06-29 00:43   5690624   --a------   C:\WINDOWS\system32\nv4_disp.dll
2007-06-29 00:43   5455872   --a------   C:\WINDOWS\system32\nvdispsr.dll
2007-06-29 00:43   466944   --a------   C:\WINDOWS\system32\nvshell.dll
2007-06-29 00:43   458752   --a------   C:\WINDOWS\system32\nvmccssr.dll
2007-06-29 00:43   45056   --a------   C:\WINDOWS\system32\nvmccsrs.dll
2007-06-29 00:43   442368   --a------   C:\WINDOWS\system32\nvappbar.exe
2007-06-29 00:43   425984   --a------   C:\WINDOWS\system32\keystone.exe
2007-06-29 00:43   37376   --a------   C:\WINDOWS\system32\nvcodins.dll
2007-06-29 00:43   37376   --a------   C:\WINDOWS\system32\nvcod.dll
2007-06-29 00:43   360448   --a------   C:\WINDOWS\system32\nvapi.dll
2007-06-29 00:43   3600384   --a------   C:\WINDOWS\system32\nvvitvsr.dll
2007-06-29 00:43   3518464   --a------   C:\WINDOWS\system32\nvvitvs.dll
2007-06-29 00:43   3321856   --a------   C:\WINDOWS\system32\nvgames.dll
2007-06-29 00:43   3072000   --a------   C:\WINDOWS\system32\nvgamesr.dll
2007-06-29 00:43   307200   --a------   C:\WINDOWS\system32\nvexpbar.dll
2007-06-29 00:43   286720   --a------   C:\WINDOWS\system32\nvnt4cpl.dll
2007-06-29 00:43   2854912   --a------   C:\WINDOWS\system32\nvmoblsr.dll
2007-06-29 00:43   2416640   --a------   C:\WINDOWS\system32\nvwssr.dll
2007-06-29 00:43   2330624   --a------   C:\WINDOWS\system32\nvwss.dll
2007-06-29 00:43   229376   --a------   C:\WINDOWS\system32\nvmccs.dll
2007-06-29 00:43   188416   --a------   C:\WINDOWS\system32\nvmccss.dll
2007-06-29 00:43   1703936   --a------   C:\WINDOWS\system32\nvwdmcpl.dll
2007-06-29 00:43   1626112   --a------   C:\WINDOWS\system32\nwiz.exe
2007-06-29 00:43   155716   --a------   C:\WINDOWS\system32\nvsvc32.exe
2007-06-29 00:43   1474560   --a------   C:\WINDOWS\system32\nview.dll
2007-06-29 00:43   147456   --a------   C:\WINDOWS\system32\nvcolor.exe
2007-06-29 00:43   1339392   --a------   C:\WINDOWS\system32\nvdspsch.exe
2007-06-29 00:43   1142784   --a------   C:\WINDOWS\system32\nvmobls.dll
2007-06-29 00:43   1073152   --a------   C:\WINDOWS\system32\nvcpluir.dll
2007-06-29 00:43   1019904   --a------   C:\WINDOWS\system32\nvwimg.dll
2007-06-29 00:43   1018772   --a------   C:\WINDOWS\system32\nvucode.bin
2007-06-21 19:04   163644   --a------   C:\WINDOWS\system32\drivers\secdrv.sys
2007-06-15 21:12   ---------   d--------   C:\DOCUME~1\QuaD\DANEAP~1\Ahead


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 00:44 C:\WINDOWS\system32\bthprops.cpl]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"AVP"="D:\Programy\Kaspersky\avp.exe" [2007-03-09 20:50]
"RTHDCPL"="RTHDCPL.EXE" [2006-08-14 14:00 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 18:04 C:\WINDOWS\SkyTel.exe]
"Alcmtr"="ALCMTR.EXE" [2005-05-03 18:43 C:\WINDOWS\Alcmtr.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-29 00:43]
"nwiz"="nwiz.exe" [2007-06-29 00:43 C:\WINDOWS\system32\nwiz.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-06-29 00:43]
"WheelMouse"="d:\Programy\Sterowniki_mysz\Amoumain.exe" [2006-02-17 17:14]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44]
"DAEMON Tools"="D:\Programy\DAEMON\daemon.exe" [2007-04-04 00:29]
"StrokeIt"="D:\Programy\Strokeit\strokeit.exe" [2005-02-17 21:13]

C:\Documents and Settings\QuaD\Menu Start\Programy\Autostart\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-04-30 22:58:14]
Stardock ObjectDock.lnk - D:\Programy\ObjectDock\ObjectDock.exe [2007-04-30 23:36:08]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-04-30 22:58:14]
BlueSoleil.lnk - D:\Programy\BlueSoleil\BlueSoleil.exe [2007-04-30 23:11:36]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=secuload.dll,D:\Programy\KASPER~1\adialhk.dll

R0 speedfan;speedfan;C:\WINDOWS\system32\speedfan.sys
R1 AmdK8;Sterownik procesora AMD;C:\WINDOWS\system32\DRIVERS\AmdK8.sys
R3 Amps2prt;A4Tech PS/2 Port Mouse Driver;C:\WINDOWS\system32\DRIVERS\Amps2prt.sys
S3 RFCOMM;Urządzenie Bluetooth (Protokół TDI RFCOMM);C:\WINDOWS\system32\DRIVERS\rfcomm.sys

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs   BthServ


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-12 19:59:53
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\A\1\5\1c]
"Order"=hex:08,00,00,00,02,00,00,00,b8,01,00,00,01,00,00,00,04,00,00,00,8c,..

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-12 20:01:09

   --- E O F ---

[wojtas]

Użyj WWDC :
http://www.firewallleaktester.com/wwdc.htm
Zmień opcje z disable na enable. Uruchom ponownie komputer.
Tak powinny wyglądać porty (NetBIOS może być żółty) :
http://www.firewallleaktester.com/images_site/wwdc.jpg


skasuj ten wpis:

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

Pobierz i uruchom narzędzie
The Avenger
Zaznacz opcję Input script manually i kliknij na Lupkę z prawej strony. W okienku, które się otworzy wklejasz:

Files to delete:

C:\WINDOWS\system\ACD2.CMD
C:\WINDOWS\system\ACD.CMD
C:\WINDOWS\system32\scrrntr.dll
C:\WINDOWS\system32\Ijl11.dll
C:\WINDOWS\Alcmtr.exe

Klikasz Done, a następnie zielone światełko i zgadzasz się na restart klikając OK.


Kasujesz ręcznie z dysku plik: C:\Avenger\backup.zip i wklejasz na forum raport: C:\avenger.txt + log z combofixa oraz z silent runners

[QuaD]

Zrobiłem to wszystko, NetBIOS mam żółty.

Log z Avengera:

Kod: Zaznacz wszystko

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ycufanti

*******************

Script file located at: \??\C:\Documents and Settings\htydgkgy.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system\ACD2.CMD deleted successfully.
File C:\WINDOWS\system\ACD.CMD deleted successfully.
File C:\WINDOWS\system32\scrrntr.dll deleted successfully.
File C:\WINDOWS\system32\Ijl11.dll deleted successfully.
File C:\WINDOWS\Alcmtr.exe deleted successfully.

Completed script processing.

*******************

Finished!  Terminate.

Log z Combofixa (wyświetlił mi loga i się zawiesił, zresetowałem. Nie wiem czy log pełny, ale daję, bo raczej tak):

Kod: Zaznacz wszystko

ComboFix 07-08-09.3 - "QuaD" 2007-08-12 21:00:07.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1250.1.1045.18.518 [GMT 2:00]


(((((((((((((((((((((((((   Files Created from 2007-07-12 to 2007-08-12  )))))))))))))))))))))))))))))))


2007-08-12 19:53   51,200   --a------   C:\WINDOWS\nircmd.exe
2007-08-11 19:42   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\DANEAP~1\Spyware Terminator
2007-08-11 19:04   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\DANEAP~1\Lavasoft
2007-08-11 19:01   <DIR>   d--------   C:\Program Files\Common Files\Wise Installation Wizard
2007-08-09 14:42   <DIR>   d--------   C:\Program Files\SilverSoft Ltd
2007-08-09 14:23   8,704   --a------   C:\WINDOWS\system32\drivers\Amfilter.sys
2007-08-09 14:23   36,864   --a------   C:\WINDOWS\system32\Amhooker.dll
2007-08-09 14:23   13,824   --a------   C:\WINDOWS\system32\drivers\Amps2prt.sys
2007-08-09 14:23   13,312   --a------   C:\WINDOWS\system32\drivers\Amusbprt.sys
2007-08-08 16:19   <DIR>   d--------   C:\WINDOWS\system32\appmgmt
2007-08-07 18:23   <DIR>   d--------   C:\WINDOWS\NV2060304.TMP
2007-08-05 22:55   <DIR>   d--------   C:\DOCUME~1\QuaD\DANEAP~1\Thunderbird
2007-08-05 22:55   <DIR>   d--------   C:\DOCUME~1\QuaD\DANEAP~1\Talkback
2007-08-05 17:18   <DIR>   d--------   C:\WINDOWS\pss
2007-08-05 13:50   43,520   --a------   C:\WINDOWS\system32\CmdLineExt03.dll
2007-08-04 11:13   546   --a------   C:\WINDOWS\eReg.dat
2007-07-22 16:28   <DIR>   d--------   C:\DOCUME~1\QuaD\DANEAP~1\vlc
2007-07-19 17:43   <DIR>   d--------   C:\WINDOWS\nview
2007-07-19 17:37   57,856   -ra------   C:\WINDOWS\system32\drivers\NVENETFD.sys
2007-07-19 17:37   35,840   -ra------   C:\WINDOWS\system32\nvconrm.dll
2007-07-19 17:37   261,632   -ra------   C:\WINDOWS\system32\drivers\nvsnpu.sys
2007-07-19 17:37   208,896   --a------   C:\WINDOWS\system32\nvunrm.exe
2007-07-19 17:37   201,728   -ra------   C:\WINDOWS\system32\fdco1ins.dll
2007-07-19 17:37   201,728   -ra------   C:\WINDOWS\system32\fdco1.dll
2007-07-19 17:37   20,480   -ra------   C:\WINDOWS\system32\drivers\nvnetbus.sys
2007-07-19 17:37   110,592   -ra------   C:\WINDOWS\system32\drivers\nvtcp.sys
2007-07-19 17:37   11,264   -ra------   C:\WINDOWS\system32\bdco1ins.dll
2007-07-19 17:37   11,264   -ra------   C:\WINDOWS\system32\bdco1.dll
2007-07-19 17:37   1,160,448   -ra------   C:\WINDOWS\system32\drivers\nvnrm.sys
2007-07-19 17:37   <DIR>   d--------   C:\WINDOWS\NV31523156.TMP
2007-07-19 17:34   43,520   --a------   C:\WINDOWS\system32\drivers\AmdK8.sys
2007-07-19 17:34   143,360   --a------   C:\WINDOWS\system32\RtlCPAPI.dll
2007-07-19 17:34   <DIR>   d----c---   C:\WINDOWS\system32\DRVSTORE
2007-07-19 17:34   <DIR>   d--------   C:\Program Files\DIFX
2007-07-19 17:30   208,896   ---------   C:\WINDOWS\system32\nvuide.exe
2007-07-16 20:45   5,632   --a------   C:\WINDOWS\system32\ptpusb.dll
2007-07-16 20:45   159,232   --a------   C:\WINDOWS\system32\ptpusd.dll
2007-07-16 20:45   15,104   --a--c---   C:\WINDOWS\system32\dllcache\usbscan.sys
2007-07-16 20:45   15,104   --a------   C:\WINDOWS\system32\drivers\usbscan.sys
2007-07-12 18:33   81,920   --a------   C:\DOCUME~1\QuaD\DANEAP~1\ezpinst.exe
2007-07-12 18:33   719,872   --a------   C:\WINDOWS\system32\devil.dll
2007-07-12 18:33   47,360   --a------   C:\WINDOWS\system32\drivers\pcouffin.sys
2007-07-12 18:33   47,360   --a------   C:\DOCUME~1\QuaD\DANEAP~1\pcouffin.sys
2007-07-12 18:33   314,368   --a------   C:\WINDOWS\system32\avisynth.dll
2007-07-12 18:33   <DIR>   d--------   C:\DOCUME~1\QuaD\DANEAP~1\Vso


((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-12 20:49   8988704   --ahs----   C:\WINDOWS\system32\drivers\fidbox.dat
2007-08-12 20:49   242464   --ahs----   C:\WINDOWS\system32\drivers\fidbox2.dat
2007-08-12 20:49   23000   --ahs----   C:\WINDOWS\system32\drivers\fidbox2.idx
2007-08-12 20:49   120824   --ahs----   C:\WINDOWS\system32\drivers\fidbox.idx
2007-08-11 19:04   ---------   d--------   C:\DOCUME~1\QuaD\DANEAP~1\Lavasoft
2007-08-07 17:22   108144   --a------   C:\WINDOWS\system32\CmdLineExt.dll
2007-08-05 16:55   ---------   d--h-----   C:\Program Files\InstallShield Installation Information
2007-07-20 21:17   2880   --a------   C:\WINDOWS\mozver.dat
2007-07-20 17:21   82258   --a------   C:\WINDOWS\system32\drivers\klin.dat
2007-07-20 17:21   82258   --a------   C:\WINDOWS\system32\drivers\klick.dat
2007-07-19 17:39   49492   --a------   C:\WINDOWS\system32\perfc015.dat
2007-07-19 17:39   355486   --a------   C:\WINDOWS\system32\perfh015.dat
2007-07-19 17:32   ---------   d--------   C:\Program Files\Realtek
2007-06-29 00:43   8466432   --a------   C:\WINDOWS\system32\nvcpl.dll
2007-06-29 00:43   81920   --a------   C:\WINDOWS\system32\nvwddi.dll
2007-06-29 00:43   81920   --a------   C:\WINDOWS\system32\nvmctray.dll
2007-06-29 00:43   753664   --a------   C:\WINDOWS\system32\nvcplui.exe
2007-06-29 00:43   6807328   --a--c---   C:\WINDOWS\system32\dllcache\nv4_mini.sys
2007-06-29 00:43   6807328   --a------   C:\WINDOWS\system32\drivers\nv4_mini.sys
2007-06-29 00:43   6729728   --a------   C:\WINDOWS\system32\nvoglnt.dll
2007-06-29 00:43   6234112   --a------   C:\WINDOWS\system32\nvdisps.dll
2007-06-29 00:43   5690624   --a------   C:\WINDOWS\system32\nv4_disp.dll
2007-06-29 00:43   5455872   --a------   C:\WINDOWS\system32\nvdispsr.dll
2007-06-29 00:43   466944   --a------   C:\WINDOWS\system32\nvshell.dll
2007-06-29 00:43   458752   --a------   C:\WINDOWS\system32\nvmccssr.dll
2007-06-29 00:43   45056   --a------   C:\WINDOWS\system32\nvmccsrs.dll
2007-06-29 00:43   442368   --a------   C:\WINDOWS\system32\nvappbar.exe
2007-06-29 00:43   425984   --a------   C:\WINDOWS\system32\keystone.exe
2007-06-29 00:43   37376   --a------   C:\WINDOWS\system32\nvcodins.dll
2007-06-29 00:43   37376   --a------   C:\WINDOWS\system32\nvcod.dll
2007-06-29 00:43   360448   --a------   C:\WINDOWS\system32\nvapi.dll
2007-06-29 00:43   3600384   --a------   C:\WINDOWS\system32\nvvitvsr.dll
2007-06-29 00:43   3518464   --a------   C:\WINDOWS\system32\nvvitvs.dll
2007-06-29 00:43   3321856   --a------   C:\WINDOWS\system32\nvgames.dll
2007-06-29 00:43   3072000   --a------   C:\WINDOWS\system32\nvgamesr.dll
2007-06-29 00:43   307200   --a------   C:\WINDOWS\system32\nvexpbar.dll
2007-06-29 00:43   286720   --a------   C:\WINDOWS\system32\nvnt4cpl.dll
2007-06-29 00:43   2854912   --a------   C:\WINDOWS\system32\nvmoblsr.dll
2007-06-29 00:43   2416640   --a------   C:\WINDOWS\system32\nvwssr.dll
2007-06-29 00:43   2330624   --a------   C:\WINDOWS\system32\nvwss.dll
2007-06-29 00:43   229376   --a------   C:\WINDOWS\system32\nvmccs.dll
2007-06-29 00:43   188416   --a------   C:\WINDOWS\system32\nvmccss.dll
2007-06-29 00:43   1703936   --a------   C:\WINDOWS\system32\nvwdmcpl.dll
2007-06-29 00:43   1626112   --a------   C:\WINDOWS\system32\nwiz.exe
2007-06-29 00:43   155716   --a------   C:\WINDOWS\system32\nvsvc32.exe
2007-06-29 00:43   1474560   --a------   C:\WINDOWS\system32\nview.dll
2007-06-29 00:43   147456   --a------   C:\WINDOWS\system32\nvcolor.exe
2007-06-29 00:43   1339392   --a------   C:\WINDOWS\system32\nvdspsch.exe
2007-06-29 00:43   1142784   --a------   C:\WINDOWS\system32\nvmobls.dll
2007-06-29 00:43   1073152   --a------   C:\WINDOWS\system32\nvcpluir.dll
2007-06-29 00:43   1019904   --a------   C:\WINDOWS\system32\nvwimg.dll
2007-06-29 00:43   1018772   --a------   C:\WINDOWS\system32\nvucode.bin
2007-06-21 19:04   163644   --a------   C:\WINDOWS\system32\drivers\secdrv.sys
2007-06-15 21:12   ---------   d--------   C:\DOCUME~1\QuaD\DANEAP~1\Ahead


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 00:44 C:\WINDOWS\system32\bthprops.cpl]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"AVP"="D:\Programy\Kaspersky\avp.exe" [2007-03-09 20:50]
"RTHDCPL"="RTHDCPL.EXE" [2006-08-14 14:00 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 18:04 C:\WINDOWS\SkyTel.exe]
"Alcmtr"="ALCMTR.EXE" []
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-29 00:43]
"nwiz"="nwiz.exe" [2007-06-29 00:43 C:\WINDOWS\system32\nwiz.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-06-29 00:43]
"WheelMouse"="d:\Programy\Sterowniki_mysz\Amoumain.exe" [2006-02-17 17:14]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44]
"DAEMON Tools"="D:\Programy\DAEMON\daemon.exe" [2007-04-04 00:29]
"StrokeIt"="D:\Programy\Strokeit\strokeit.exe" [2005-02-17 21:13]

C:\Documents and Settings\QuaD\Menu Start\Programy\Autostart\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-04-30 22:58:14]
Stardock ObjectDock.lnk - D:\Programy\ObjectDock\ObjectDock.exe [2007-04-30 23:36:08]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-04-30 22:58:14]
BlueSoleil.lnk - D:\Programy\BlueSoleil\BlueSoleil.exe [2007-04-30 23:11:36]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=secuload.dll,D:\Programy\KASPER~1\adialhk.dll

R0 speedfan;speedfan;C:\WINDOWS\system32\speedfan.sys
R1 AmdK8;Sterownik procesora AMD;C:\WINDOWS\system32\DRIVERS\AmdK8.sys
R3 Amps2prt;A4Tech PS/2 Port Mouse Driver;C:\WINDOWS\system32\DRIVERS\Amps2prt.sys
S3 RFCOMM;Urządzenie Bluetooth (Protokół TDI RFCOMM);C:\WINDOWS\system32\DRIVERS\rfcomm.sys

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs   BthServ


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-12 21:02:28
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\A\1\5\1c]
"Order"=hex:08,00,00,00,02,00,00,00,b8,01,00,00,01,00,00,00,04,00,00,00,8c,..

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-12 21:03:29
C:\ComboFix2.txt ... 2007-08-12 20:01

   --- E O F ---


Log z Silent Runnera:

Kod: Zaznacz wszystko

"Silent Runners.vbs", revision 52, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"DAEMON Tools" = ""D:\Programy\DAEMON\daemon.exe" -lang 1045" ["DT Soft Ltd."]
"StrokeIt" = "D:\Programy\Strokeit\strokeit.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"BluetoothAuthenticationAgent" = "rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent" [MS]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"AVP" = ""D:\Programy\Kaspersky\avp.exe"" ["Kaspersky Lab"]
"RTHDCPL" = "RTHDCPL.EXE" ["Realtek Semiconductor Corp."]
"SkyTel" = "SkyTel.EXE" ["Realtek Semiconductor Corp."]
"Alcmtr" = "ALCMTR.EXE" [file not found]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"WheelMouse" = "d:\Programy\Sterowniki_mysz\Amoumain.exe" ["A4Tech Co., Ltd."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}\(Default) = "flashget urlcatch"
  -> {HKLM...CLSID} = "FGCatchUrl"
                   \InProcServer32\(Default) = "D:\Programy\FlashGet\jccatch.dll" ["www.flashget.com"]
{39F7E362-828A-4B5A-BCAF-5B79BFDFEA60}\(Default) = "BitComet ClickCapture"
  -> {HKLM...CLSID} = "BitComet Helper"
                   \InProcServer32\(Default) = "D:\Programy\BitComet\tools\BitCometBHO_1.1.3.28.dll" ["BitComet"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "SSVHelper Class"
                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll" ["Sun Microsystems, Inc."]
{F156768E-81EF-470C-9057-481BA8380DBA}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "FlashGet GetFlash Class"
                   \InProcServer32\(Default) = "D:\Programy\FlashGet\getflash.dll" ["www.flashget.com"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
                   \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
                   \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{23170F69-40C1-278A-1000-000100020000}" = "7-Zip Shell Extension"
  -> {HKLM...CLSID} = "7-Zip Shell Extension"
                   \InProcServer32\(Default) = "D:\Programy\7-Zip\7-zip.dll" ["Igor Pavlov"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "D:\Programy\WinRAR\rarext.dll" [null data]
"{85E0B171-04FA-11D1-B7DA-00A0C90348D6}" = "Statystyki ochrony WWW"
  -> {HKLM...CLSID} = "Statystyki ochrony WWW"
                   \InProcServer32\(Default) = "D:\Programy\Kaspersky\scieplugin.dll" ["Kaspersky Lab"]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
  -> {HKLM...CLSID} = "DesktopContext Class"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
  -> {HKLM...CLSID} = "Desktop Explorer"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
  -> {HKLM...CLSID} = "nView Desktop Context Menu"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
  -> {HKLM...CLSID} = "NVIDIA CPL Extension"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{BD88A479-9623-4897-8546-BC62B9628F44}" = "SPTHandler"
  -> {HKLM...CLSID} = "SPTHandler"
                   \InProcServer32\(Default) = "D:\Programy\Spyware Terminator\sptcontmenu.dll" ["Crawler.com"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\
<<!>> "AppInit_DLLs" = "secuload.dll,D:\Programy\KASPER~1\adialhk.dll" [file not found]

HKLM\System\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "autocheck autochk *"|"lsdelete" [null data]| [file not found]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> klogon\DLLName = "C:\WINDOWS\system32\klogon.dll" ["Kaspersky Lab"]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
  -> {HKLM...CLSID} = "7-Zip Shell Extension"
                   \InProcServer32\(Default) = "D:\Programy\7-Zip\7-zip.dll" ["Igor Pavlov"]
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "D:\Programy\Kaspersky\ShellEx.dll" ["Kaspersky Lab"]
SPTContMenu\(Default) = "{BD88A479-9623-4897-8546-BC62B9628F44}"
  -> {HKLM...CLSID} = "SPTHandler"
                   \InProcServer32\(Default) = "D:\Programy\Spyware Terminator\sptcontmenu.dll" ["Crawler.com"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "D:\Programy\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
  -> {HKLM...CLSID} = "7-Zip Shell Extension"
                   \InProcServer32\(Default) = "D:\Programy\7-Zip\7-zip.dll" ["Igor Pavlov"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "D:\Programy\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "D:\Programy\Kaspersky\ShellEx.dll" ["Kaspersky Lab"]
SPTContMenu\(Default) = "{BD88A479-9623-4897-8546-BC62B9628F44}"
  -> {HKLM...CLSID} = "SPTHandler"
                   \InProcServer32\(Default) = "D:\Programy\Spyware Terminator\sptcontmenu.dll" ["Crawler.com"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "D:\Programy\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
SPTContMenu\(Default) = "{BD88A479-9623-4897-8546-BC62B9628F44}"
  -> {HKLM...CLSID} = "SPTHandler"
                   \InProcServer32\(Default) = "D:\Programy\Spyware Terminator\sptcontmenu.dll" ["Crawler.com"]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\QuaD\Dane aplikacji\Mozilla\Firefox\Tapeta pulpitu.bmp"


Startup items in "QuaD" & "All Users" startup folders:
------------------------------------------------------

C:\Documents and Settings\QuaD\Menu Start\Programy\Autostart
"Adobe Gamma" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"Stardock ObjectDock" -> shortcut to: "D:\Programy\ObjectDock\ObjectDock.exe" ["Stardock"]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"BlueSoleil" -> shortcut to: "D:\Programy\BlueSoleil\BlueSoleil.exe" ["IVT Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\system32\wshbth.dll" [MS]
000000000005\LibraryPath = "C:\Program Files\Bonjour\mdnsNSP.dll" ["Apple Computer, Inc."]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 20
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

HKLM\Software\Classes\CLSID\{85E0B171-04FA-11D1-B7DA-00A0C90348D6}\(Default) = "Statystyki ochrony WWW"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "D:\Programy\Kaspersky\scieplugin.dll" ["Kaspersky Lab"]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC}"
  -> {HKCU...CLSID} = "Java Plug-in 1.6.0_02"
                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll" ["Sun Microsystems, Inc."]
  -> {HKLM...CLSID} = "Java Plug-in 1.6.0_02"
                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll" ["Sun Microsystems, Inc."]

{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E}\
"ButtonText" = "Statystyki ochrony WWW"

{D6E814A0-E0C5-11D4-8D29-0050BA6940E3}\
"ButtonText" = "FlashGet"
"MenuText" = "FlashGet"
"Exec" = "D:\Programy\FlashGet\FlashGet.exe" ["FlashGet.com"]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ad-Aware 2007 Service, aawservice, ""D:\Programy\Ad-Aware 2007\aawservice.exe"" ["Lavasoft AB"]
BlueSoleil Hid Service, BlueSoleil Hid Service, "D:\Programy\BlueSoleil\BTNtService.exe" [null data]
Bluetooth Support Service, BthServ, "C:\WINDOWS\system32\svchost.exe -k bthsvcs" {"C:\WINDOWS\System32\bthserv.dll" [MS]}
Kaspersky Internet Security 6.0, AVP, "D:\Programy\Kaspersky\avp.exe -r" ["Kaspersky Lab"]
LightScribeService Direct Disc Labeling Service, LightScribeService, ""C:\Program Files\Common Files\LightScribe\LSSrvc.exe"" ["Hewlett-Packard Company"]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]


---------- (launch time: 2007-08-12 21:11:00)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
  took 86 seconds.
---------- (total run time: 127 seconds)

Z góry dzięki.

[wojtas]

wklej do notatnika:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Alcmtr"=-

w notatniku u góry>>>plik zapisz jako>>>Zmien rozszerzenie z TXT na Wszystkie pliki *.* >>> Zapisz pod nazwą FIX.REG

Klikasz dwa razy na powstały plik fix i dodajesz go do rejestru....


po za tym czysto

Autor postu otrzymał pochwałę

[QuaD]

OK, zrobiłem to. Dzięki wielkie za pomoc.

PS. Czy normalne jest to, że jak wpiszę w wierszu poleceń netstat -ao to wyświetlają się połączenia z internetem, które oznaczone są identyfikatorem procesu 0 czyli jest to proces bezczynności?

[wojtas]

to wyświetlają się połączenia z internetem, które oznaczone są identyfikatorem procesu 0 czyli jest to proces bezczynności?

tak sadze ale nie jestem pewien