bv:killfiles-k [trj] jak usunac?

**Posty:** 2484 · przez **kjubus** 27 Paź 2007, 18:01

witam! niestety jestem posiadaczem matki-lamerki, ktora otwiera kazdego maila, ktorego dostanie. sytuacja wyglada tak: dostala go z e-maila znajomego (dlatego tez nie wykasowala) i MIMO tego, ze wydawal sie jej dziwny, to go otworzyla. oczywiscie jak to w takich sytuacjach bywa, mama-lamka wpuscila do mojego systemu wirusa. od razu wykryl go moj AVAST! (screen), jednakze ani funkcja KWARANTANNA ani USUN nie daja odpowiednich rezultatow (tzn, przy restarcie plik ponownie sie pojawia). nie zauwazylem poki co, aby byl w jakis sposob szkodliwy (uniemozliwienie dostepu do plikow, zwalnianie systemu, restarty, zawieszki itp.), ale jest on mimo wszystko irytujacy, a nie mam ochoty robic formata:/ czy jest jakis sposob aby usunac to paskudztwo? (najpierw usune je, potem matke);)

**Posty:** 237 · przez **Kuba1** 27 Paź 2007, 18:08

Pobierz narzędzie SDFix

*Klikamy 2 krotknie na ikonę SDFix.exe,program wypakuje się domyślnie do lokalizacji C:\SDFix

*Wchodzimy do trybu awaryjnego z obsługą sieci:
>>>>>>Jak wejść do trybu awaryjnego z obsługą sieci?

*F8 podczas bootowania systemu.
*Używamy narzędzia BootSafe.exe zaznaczamy opcje Safe Mode- Networking i klikamy reboot

*Gdy już jesteśmy w trybie awaryjnym,wchodzimy do folderu SDFix i uruchamiamy narzędzie klikająć
2-krotnie na plik RunThis.bat lewym przyciskiem myszy.

*Wciskamy Y co uruchomi proces usuwania

*Kiedy proces usuwania się zakończy wciskamy dowolny klawisz>>nastąpi restart.

*Po restarcie SDFix dokończy proces usuwania,kiedy w oknie narzędzia SDFix pojawi się napis Finished
klikamy dowolny klawisz,narzędzie zakończy swoją pracę,na pulpicie załadują się ikony.

*Wchodzimy do folderu SDFix i kopiujemy zawartość pliku tekstowego Report.txt i wklejamy go na forum

Następnie daj logi z Hijackthis, Silentrunners oraz ComboFix

Autor postu otrzymał pochwałę

**Posty:** 2484 · przez **kjubus** 27 Paź 2007, 18:37

no dobra, zrobilem tak, jak mowiles z SDFix, ale plik po uruchomieniu nadal byl (choc nie zostal od razu wykryty przez avasta! :wow:

) oto logi:

SDFix REPORT napisał(a):SDFix: Version 1.112

Run by Kuba on 2007-10-27 at 18:19

Microsoft Windows XP [Wersja 5.1.2600]

Running From: C:\sdfix\SDFix

Safe Mode:
Checking Services:

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

No Trojan Files Found

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.

Final Check:

Remaining Services:
------------------

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Gadu-Gadu\\gg.exe"="C:\\Program Files\\Gadu-Gadu\\gg.exe:*:Enabled:Gadu-Gadu - program g˘wny"
"D:\\gry\\Wolfenstein - Enemy Territory\\ET.exe"="D:\\gry\\Wolfenstein - Enemy Territory\\ET.exe:*:Enabled:ET"
"D:\\gry\\Need for Speed Carbon\\NFSC.exe"="D:\\gry\\Need for Speed Carbon\\NFSC.exe:*:Enabled:NFSC"
"C:\\Program Files\\BitLord\\BitLord.exe"="C:\\Program Files\\BitLord\\BitLord.exe:*:Enabled:BitLord"
"C:\\Program Files\\Tlen.pl\\tlen.exe"="C:\\Program Files\\Tlen.pl\\tlen.exe:*:Enabled:Komunikator Tlen.pl"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe:*:Enabled:hpqnrs08.exe"
"D:\\gry\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"="D:\\gry\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe:*:Enabled:Blizzard Downloader"
"D:\\gry\\World of Warcraft\\Repair.exe"="D:\\gry\\World of Warcraft\\Repair.exe:*:Enabled:Blizzard Repair Utility"
"C:\\Program Files\\Steam\\steamapps\\kjubus\\half-life 2 deathmatch\\hl2.exe"="C:\\Program Files\\Steam\\steamapps\\kjubus\\half-life 2 deathmatch\\hl2.exe:*:Enabled:hl2"
"D:\\gry\\Call of Duty\\CoDUOMP.exe"="D:\\gry\\Call of Duty\\CoDUOMP.exe:*:Enabled:CoDUOMP"
"D:\\gry\\Unreal Tournament\\UnrealTournament\\System\\UnrealTournament.exe"="D:\\gry\\Unreal Tournament\\UnrealTournament\\System\\UnrealTournament.exe:*:Enabled:UnrealTournament"
"D:\\gry\\Test Drive Unlimited\\TestDriveUnlimited.exe"="D:\\gry\\Test Drive Unlimited\\TestDriveUnlimited.exe:*:Enabled:Test Drive Unlimited"
"C:\\totalcmd\\TOTALCMD.EXE"="C:\\totalcmd\\TOTALCMD.EXE:*:Enabled:Total Commander 32 bit international version, file manager replacement for Windows"
"C:\\Program Files\\Opera\\Opera.exe"="C:\\Program Files\\Opera\\Opera.exe:*:Enabled:Opera Internet Browser"
"C:\\WINDOWS\\system32\\PnkBstrA.exe"="C:\\WINDOWS\\system32\\PnkBstrA.exe:*:Enabled:PnkBstrA"
"C:\\WINDOWS\\system32\\PnkBstrB.exe"="C:\\WINDOWS\\system32\\PnkBstrB.exe:*:Enabled:PnkBstrB"
"D:\\gry\\Medal of Honor Airborne\\UnrealEngine3\\Binaries\\MOHA.exe"="D:\\gry\\Medal of Honor Airborne\\UnrealEngine3\\Binaries\\MOHA.exe:*:Enabled:Medal of Honor Airborne"
"D:\\gry\\FEARCombat\\fpupdate.exe"="D:\\gry\\FEARCombat\\fpupdate.exe:*:Enabled:fpupdate"
"D:\\gry\\FEARCombat\\FEARMP.exe"="D:\\gry\\FEARCombat\\FEARMP.exe:*:Enabled:FEAR Combat"
"D:\\gry\\Unreal Tournament 3 Demo\\Binaries\\UT3Demo.exe"="D:\\gry\\Unreal Tournament 3 Demo\\Binaries\\UT3Demo.exe:*:Enabled:Unreal Tournament 3 Demo"
"C:\\Program Files\\Motorola Phone Tools\\mPhonetools.exe"="C:\\Program Files\\Motorola Phone Tools\\mPhonetools.exe:*:Enabled:Oprogramowanie telefonu kom˘rkowego"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"D:\\gry\\Tom Clancy's Rainbow Six Vegas\\Binaries\\R6Vegas_Game.exe"="D:\\gry\\Tom Clancy's Rainbow Six Vegas\\Binaries\\R6Vegas_Game.exe:*:Enabled:Rainbow Six Vegas"
"D:\\gry\\Tom Clancy's Rainbow Six Vegas\\Binaries\\R6Vegas_Launcher.exe"="D:\\gry\\Tom Clancy's Rainbow Six Vegas\\Binaries\\R6Vegas_Launcher.exe:*:Enabled:Rainbow Six Vegas Updater"
"C:\\WINDOWS\\Media\\LTaskup.exe"="C:\\WINDOWS\\Media\\LTaskup.exe:*:Enabled:RPC"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------

Files with Hidden Attributes:

Thu 6 Sep 2007 23 A.SH. --- "C:\WINDOWS\system32\dcac1_r.dll"
Fri 15 Dec 2006 34,304 A..H. --- "C:\Documents and Settings\Mama\Pulpit\~WRL0001.tmp"
Sun 29 Oct 2006 25,088 A..H. --- "C:\Documents and Settings\Mama\Pulpit\~WRL0003.tmp"
Tue 29 May 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Mon 13 Nov 2006 319,456 A..H. --- "C:\Program Files\Common Files\Motorola Shared\MotPCSDrivers\difxapi.dll"
Sat 27 Oct 2007 10,200 ...HR --- "C:\Documents and Settings\Kuba\Dane aplikacji\SecuROM\UserData\securom_v7_01.bak"

Finished!

ComboFix napisał(a):ComboFix 07-10-26.4 - Kuba 2007-10-27 18:30:24.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.480 [GMT 2:00]
Running from: E:\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Mama\Pulpit\internet.lnk

.
((((((((((((((((((((((((( Files Created from 2007-09-27 to 2007-10-27 )))))))))))))))))))))))))))))))
.

2007-10-27 18:29 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-27 18:19 <DIR> d-------- C:\WINDOWS\ERUNT
2007-10-27 18:13 1,205,922 --a------ C:\SDFix.exe
2007-10-27 10:36 <DIR> d-------- C:\Program Files\SkanerOnline
2007-10-27 09:25 0 --a------ C:\Documents and Settings\Mama\Emails.dat
2007-10-27 09:24 10 --a------ C:\Documents and Settings\Mama\user.dat
2007-10-26 22:09 269 --a------ C:\Documents and Settings\Kuba\Emails.dat
2007-10-26 22:08 10 --a------ C:\Documents and Settings\Kuba\user.dat
2007-10-26 20:19 3 --a------ C:\WINDOWS\lnk_dados_2.dll
2007-10-21 20:52 <DIR> d-------- C:\Program Files\Common Files\Motorola Shared
2007-10-21 20:52 1,419,232 --a------ C:\WINDOWS\system32\wdfcoinstaller01005.dll
2007-10-21 20:52 21,504 --a------ C:\WINDOWS\system32\drivers\motmodem.sys
2007-10-14 16:25 <DIR> d-------- C:\Documents and Settings\Kuba\Dane aplikacji\InstallShield Installation Information
2007-10-14 16:23 <DIR> d-------- C:\Program Files\DIFX
2007-10-14 16:23 3,727,720 --a------ C:\WINDOWS\system32\d3dx9_35.dll
2007-10-14 16:23 1,358,192 --a------ C:\WINDOWS\system32\D3DCompiler_35.dll
2007-10-14 16:23 444,776 --a------ C:\WINDOWS\system32\d3dx10_35.dll
2007-10-14 12:26 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\ATI
2007-10-14 12:25 0 --a------ C:\WINDOWS\ativpsrm.bin
2007-10-14 12:21 <DIR> d-------- C:\Program Files\ATI Technologies
2007-10-14 12:21 593,920 --------- C:\WINDOWS\system32\ati2sgag.exe
2007-10-14 09:09 <DIR> d-------- C:\Documents and Settings\Kuba\Dane aplikacji\Printer Info Cache
2007-10-12 18:47 <DIR> d-------- C:\Program Files\MagicISO
2007-09-29 15:49 <DIR> d-------- C:\Program Files\Audio WAV To MP3 Converter
2007-09-29 05:21 9,854,976 --a------ C:\WINDOWS\system32\atioglx2.dll
2007-09-29 05:07 356,352 --a------ C:\WINDOWS\system32\ATIDEMGX.dll
2007-09-29 04:58 143,360 --a------ C:\WINDOWS\system32\atipdlxx.dll
2007-09-29 04:58 122,880 --a------ C:\WINDOWS\system32\Oemdspif.dll
2007-09-29 04:58 43,520 --a------ C:\WINDOWS\system32\ati2edxx.dll
2007-09-29 04:58 26,112 --a------ C:\WINDOWS\system32\Ati2mdxx.exe
2007-09-29 04:57 122,880 --a------ C:\WINDOWS\system32\ati2evxx.dll
2007-09-29 04:56 483,328 --a------ C:\WINDOWS\system32\ati2evxx.exe
2007-09-29 04:55 53,248 --a------ C:\WINDOWS\system32\ATIDDC.DLL
2007-09-29 04:49 307,200 --a------ C:\WINDOWS\system32\atiiiexx.dll
2007-09-29 04:47 172,032 --a------ C:\WINDOWS\system32\atiok3x2.dll
2007-09-29 04:36 3,107,788 --a------ C:\WINDOWS\system32\ativvaxx.dat
2007-09-29 04:36 3,107,788 --a------ C:\WINDOWS\system32\ativva5x.dat
2007-09-29 04:36 972,072 --a------ C:\WINDOWS\system32\ativva6x.dat
2007-09-29 04:23 5,435,392 --a------ C:\WINDOWS\system32\atioglxx.dll
2007-09-29 04:22 376,832 --a------ C:\WINDOWS\system32\atikvmag.dll
2007-09-29 04:20 17,408 --a------ C:\WINDOWS\system32\atitvo32.dll
2007-09-29 04:19 49,152 --a------ C:\WINDOWS\system32\drivers\ati2erec.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-27 11:43 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-26 20:09 738,816 ----a-w C:\WINDOWS\Media\LTaskup.exe
2007-10-23 19:57 --------- d-----w C:\Program Files\Opera
2007-10-23 17:12 --------- d-----w C:\Documents and Settings\Mama\Dane aplikacji\Teleca
2007-10-23 16:41 --------- d-----w C:\Documents and Settings\Kuba\Dane aplikacji\Skype
2007-10-21 18:54 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2007-10-21 18:54 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2007-10-21 18:53 --------- d-----w C:\Program Files\Motorola Phone Tools
2007-10-21 18:43 --------- d-----w C:\Program Files\Avanquest update
2007-10-21 18:34 --------- d-----w C:\Documents and Settings\Mama\Dane aplikacji\Image Zone Express
2007-10-19 16:11 --------- d-----w C:\Program Files\Gadu-Gadu
2007-10-18 20:25 --------- d-----w C:\Documents and Settings\Mama\Dane aplikacji\Skype
2007-10-17 14:54 --------- d-----w C:\Documents and Settings\Mama\Dane aplikacji\Tlen.pl
2007-10-14 14:22 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-10-14 14:22 --------- d-----w C:\Program Files\AGEIA Technologies
2007-10-14 07:09 --------- d-----w C:\Documents and Settings\Kuba\Dane aplikacji\Image Zone Express
2007-10-13 21:28 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-10-13 21:28 103,736 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2007-10-06 07:04 --------- d-----w C:\Program Files\Java
2007-09-29 05:46 47,376 ----a-w C:\WINDOWS\system32\drivers\ativvpxx.vp
2007-09-29 03:06 268,800 ----a-w C:\WINDOWS\system32\ati2dvag.dll
2007-09-29 03:05 2,456,064 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
2007-09-29 02:47 3,130,720 ----a-w C:\WINDOWS\system32\ati3duag.dll
2007-09-29 02:36 1,593,600 ----a-w C:\WINDOWS\system32\ativvaxx.dll
2007-09-29 02:14 499,712 ----a-w C:\WINDOWS\system32\ati2cqag.dll
2007-09-27 08:43 --------- d-----w C:\Program Files\DAEMON Tools
2007-09-24 21:20 --------- d-----w C:\Program Files\Google
2007-09-22 17:24 --------- d-----w C:\Program Files\SubtitleCreator
2007-09-22 16:17 --------- d-----w C:\Program Files\URUSoft
2007-09-22 16:17 --------- d-----w C:\Program Files\DVD Decrypter
2007-09-20 14:55 --------- d-----w C:\Documents and Settings\Kuba\Dane aplikacji\Bioshock
2007-09-20 10:46 --------- d-----w C:\Documents and Settings\Kuba\Dane aplikacji\Hamachi
2007-09-19 10:15 --------- d-----w C:\Program Files\BioshockTweak
2007-09-16 11:42 --------- d-----w C:\Documents and Settings\Filip\Dane aplikacji\Teleca
2007-09-16 11:42 --------- d-----w C:\Documents and Settings\Filip\Dane aplikacji\Sony Ericsson
2007-09-13 07:45 70,944 ----a-w C:\WINDOWS\system32\PhysXLoader.dll
2007-09-11 12:17 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2007-09-11 12:09 22,328 ----a-w C:\Documents and Settings\Kuba\Dane aplikacji\PnkBstrK.sys
2007-09-11 07:49 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-09-11 07:43 108,144 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-09-08 10:23 --------- d-----w C:\Program Files\Common Files\DirectX
2007-09-06 17:13 --------- d-----w C:\Documents and Settings\Mama\Dane aplikacji\Printer Info Cache
2007-09-06 17:12 --------- d-----w C:\Program Files\HP
2007-09-06 17:12 --------- d-----w C:\Program Files\Common Files\HP
2007-09-06 14:10 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\QuickTime
2007-09-06 10:30 --------- d-----w C:\Program Files\jv16 PowerTools 2007
2007-09-06 10:09 801,144 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-09-06 10:05 94,416 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-09-06 10:05 92,848 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-09-06 10:03 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-09-06 10:02 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-09-06 10:00 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
2007-09-06 10:00 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-09-05 11:52 --------- d-----w C:\Documents and Settings\Kuba\Dane aplikacji\IGN_DLM
2007-09-05 08:42 --------- d-----w C:\Program Files\Download Manager
2007-08-16 07:40 1,386,496 ----a-w C:\WINDOWS\system32\msvbvm60.dll
2007-08-14 19:37 92,064 ----a-w C:\Documents and Settings\Mama\mqdmmdm.sys
2007-08-14 19:37 9,232 ----a-w C:\Documents and Settings\Mama\mqdmmdfl.sys
2007-08-14 19:37 79,328 ----a-w C:\Documents and Settings\Mama\mqdmserd.sys
2007-08-14 19:37 66,656 ----a-w C:\Documents and Settings\Mama\mqdmbus.sys
2007-08-14 19:37 6,208 ----a-w C:\Documents and Settings\Mama\mqdmcmnt.sys
2007-08-14 19:37 5,936 ----a-w C:\Documents and Settings\Mama\mqdmwhnt.sys
2007-08-14 19:37 4,048 ----a-w C:\Documents and Settings\Mama\mqdmcr.sys
2007-08-14 19:37 25,600 ----a-w C:\Documents and Settings\Mama\usbsermptxp.sys
2007-08-14 19:37 22,768 ----a-w C:\Documents and Settings\Mama\usbsermpt.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 12:06]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 18:53]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"Onet.pl AutoUpdate"="C:\Program Files\Common Files\Onet.pl\NewAutoUpdate.exe" []
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 19:42]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"RTBatteryMeter"="C:\Program Files\VibrateGameDeviceDriver\RFPIcon.exe" [2003-01-16 11:32]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-05-28 10:14]
"UpdReg"="C:\WINDOWS\Updreg.exe" [2000-05-11 01:00]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-08-15 13:03]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35]
"wTask"="C:\WINDOWS\Media\LTaskup.exe" [2007-10-26 22:09]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 00:55]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-03-12 13:49]
"BitComet"="C:\Program Files\BitLord\BitLord.exe" [2005-05-07 02:47]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-05-10 16:36]
"great pop"="C:\DOCUME~1\Kuba\DANEAP~1\SLOWEX~1\Wave Bits Bash.exe" []
"igndlm.exe"="C:\Program Files\Download Manager\DLM.exe" [2007-03-05 23:57]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-08-16 13:24]
"C:\Program Files\NetMeter\NetMeter.exe"="C:\Program Files\NetMeter\NetMeter.exe" [2007-06-23 13:19]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22]

R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);C:\WINDOWS\system32\drivers\sfsync03.sys
S3 DynCal;Dynamic Calibration Service;C:\WINDOWS\system32\drivers\Dyncal.sys
S3 motmodem;Motorola USB CDC ACM Driver;C:\WINDOWS\system32\DRIVERS\motmodem.sys
S3 s115bus;Sony Ericsson Device 115 driver (WDM);C:\WINDOWS\system32\DRIVERS\s115bus.sys
S3 s115mdfl;Sony Ericsson Device 115 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\s115mdfl.sys
S3 s115mdm;Sony Ericsson Device 115 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\s115mdm.sys
S3 s115mgmt;Sony Ericsson Device 115 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\s115mgmt.sys
S3 s115obex;Sony Ericsson Device 115 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\s115obex.sys

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-27 18:32:07
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C:\\Program Files\\NetMeter\\NetMeter.exe"="C:\\Program Files\\NetMeter\\NetMeter.exe"
.
Completion time: 2007-10-27 18:32:54
.
--- E O F ---

Silentrunners napisał(a):"Silent Runners.vbs", revision 52, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}" = ""C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"" ["Nero AG"]
"BitComet" = ""C:\Program Files\BitLord\BitLord.exe"" ["www.BitLord.com"]
"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu S.A."]
"great pop" = "C:\DOCUME~1\Kuba\DANEAP~1\SLOWEX~1\Wave Bits Bash.exe" [file not found]
"igndlm.exe" = "C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork" ["IGN Entertainment"]
"DAEMON Tools" = ""C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033" ["DT Soft Ltd."]
"C:\Program Files\NetMeter\NetMeter.exe" = "C:\Program Files\NetMeter\NetMeter.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" ["ALWIL Software"]
"NeroFilterCheck" = "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" ["Nero AG"]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"Onet.pl AutoUpdate" = ""C:\Program Files\Common Files\Onet.pl\NewAutoUpdate.exe" /updateexetsr" [file not found]
"RemoteControl" = ""C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"" ["Cyberlink Corp."]
"HP Software Update" = "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" ["Hewlett-Packard Development Company, L.P."]
"Adobe Reader Speed Launcher" = ""C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"" ["Adobe Systems Incorporated"]
"RTBatteryMeter" = "C:\Program Files\VibrateGameDeviceDriver\RFPIcon.exe" ["Ruling Tec Pte Ltd"]
"Sony Ericsson PC Suite" = ""C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions" [null data]
"UpdReg" = "C:\WINDOWS\Updreg.exe" ["Creative Technology Ltd."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"StartCCC" = ""C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"" [null data]
"wTask" = "C:\WINDOWS\Media\LTaskup.exe" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
-> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{97F68CE3-7146-45FF-BE24-D9A7DD7CB8A2}" = "NeroCoverEd Live Icons"
-> {HKLM...CLSID} = "NeroCoverEdLiveIcons Class"
\InProcServer32\(Default) = "C:\Program Files\Nero\Nero 7\Nero CoverDesigner\CoverEdExtension.dll" ["Nero AG"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{03DAACC5-10BA-4E3E-9D54-2A569F6B4B87}" = "Menedżer plików firmy Sony Ericsson"
-> {HKLM...CLSID} = "Menedżer plików firmy Sony Ericsson"
\InProcServer32\(Default) = "C:\Program Files\Sony Ericsson\Mobile2\File Manager\FM.dll" ["Popwire AB"]
"{738D66C6-0149-4D40-84E4-A7BB2D0CE949}" = "Menedżer plików firmy Sony Ericsson"
-> {HKLM...CLSID} = "Menedżer plików firmy Sony Ericsson"
\InProcServer32\(Default) = "C:\Program Files\Sony Ericsson\Mobile2\File Manager\FM.dll" ["Popwire AB"]
"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension"
-> {HKLM...CLSID} = "SimpleShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\atiacmxx.dll" [empty string]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\Software\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
Cover Designer\(Default) = "{73FCA462-9BD5-4065-A73F-A8E5F6904EF7}"
-> {HKLM...CLSID} = "NeroCoverEdContextMenu Class"
\InProcServer32\(Default) = "C:\Program Files\Nero\Nero 7\Nero CoverDesigner\CoverEdExtension.dll" ["Nero AG"]
MagicISO\(Default) = "{DB85C504-C730-49DD-BEC1-7B39C6103B7A}"
-> {HKLM...CLSID} = "MShellExtMenu Class"
\InProcServer32\(Default) = "C:\Program Files\MagicISO\misosh.dll" ["MagicISO, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
MagicISO\(Default) = "{DB85C504-C730-49DD-BEC1-7B39C6103B7A}"
-> {HKLM...CLSID} = "MShellExtMenu Class"
\InProcServer32\(Default) = "C:\Program Files\MagicISO\misosh.dll" ["MagicISO, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
MagicISO\(Default) = "{DB85C504-C730-49DD-BEC1-7B39C6103B7A}"
-> {HKLM...CLSID} = "MShellExtMenu Class"
\InProcServer32\(Default) = "C:\Program Files\MagicISO\misosh.dll" ["MagicISO, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Kuba\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Startup items in "Kuba" & "All Users" startup folders:
------------------------------------------------------

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"HP Digital Imaging Monitor" -> shortcut to: "C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe" ["Hewlett-Packard Development Company, L.P."]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Badanie"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in 1.6.0_03"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.6.0_03"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll" ["Sun Microsystems, Inc."]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Badanie"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" ["ALWIL Software"]
avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" ["ALWIL Software"]
avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]
avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]
NMIndexingService, NMIndexingService, ""C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe"" ["Nero AG"]
PunkBuster, PnkBstrA, ""D:\gry\Medal of Honor Airborne\UnrealEngine3\MOHAGame\pb\PnkBstrA.exe"" [null data]
Ulead Burning Helper, UleadBurningHelper, "C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe" ["Ulead Systems, Inc."]

Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
HP Standard TCP/IP Port\Driver = "HpTcpMon.dll" ["Hewlett Packard"]
LIDIL hpzll054\Driver = "hpzll054.dll" ["Hewlett-Packard Company"]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]

---------- (launch time: 2007-10-27 18:34:33)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 124 seconds, including 23 seconds for message boxes)

Hijackthis napisał(a):Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:35:54, on 2007-10-27
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\gry\Medal of Honor Airborne\UnrealEngine3\MOHAGame\pb\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\VibrateGameDeviceDriver\RFPIcon.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\Media\LTaskup.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\BitLord\BitLord.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\NetMeter\NetMeter.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\WScript.exe
C:\WINDOWS\System32\WScript.exe
E:\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://192.168.1.1/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Onet.pl AutoUpdate] "C:\Program Files\Common Files\Onet.pl\NewAutoUpdate.exe" /updateexetsr
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RTBatteryMeter] C:\Program Files\VibrateGameDeviceDriver\RFPIcon.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [wTask] C:\WINDOWS\Media\LTaskup.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitLord\BitLord.exe"
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [great pop] C:\DOCUME~1\Kuba\DANEAP~1\SLOWEX~1\Wave Bits Bash.exe
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [C:\Program Files\NetMeter\NetMeter.exe] C:\Program Files\NetMeter\NetMeter.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {631FF594-EC25-4CFF-B869-402DF294E1D6} (Instalator oprogramowania Onet.pl) - http://slimak.onet.pl/_m/kamerzysta/OnetInstalator012s.ocx
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PunkBuster (PnkBstrA) - Unknown owner - D:\gry\Medal of Honor Airborne\UnrealEngine3\MOHAGame\pb\PnkBstrA.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 7916 bytes

**Posty:** 3854 · przez **Dzi@dek** 27 Paź 2007, 18:46

kjubus napisał(a):C:\Documents and Settings\Mama\Pulpit\internet.lnk

Skasować profil Mama.

BTW - zartowalem.

**Posty:** 237 · przez **Kuba1** 27 Paź 2007, 20:13

Wykonaj:

Usuwanie Adware LOP.

No Lop

Wyglad narzędzia:

Klikamy na Search and Destroy

Po pracy narzędzie utworzy log w lokalizacji C:\NoLop.log

Ściągnij OTMoveIt
Po uruchomieniu aplikacji do lewego okna - Paste List of Files/Folders to be Moved wklej:

C:\WINDOWS\Media\LTaskup.exe
C:\DOCUME~1\Kuba\DANEAP~1\SLOWEX~1\Wave Bits Bash.exe

Następnie naciskamy - MoveIt!. Pliki zostały przeniesione. Wynik operacji zobaczymy w prawym oknie Results.
Log po pracy programu zobaczymy w lokalizacji - C:\_OTMoveIt\MovedFiles
Po całej operacji należy zresetować komputer.

Hijackthis>> Do a system scan.>zazncz poniższe wpisy i zaznacz Fix Checked

C:\WINDOWS\Media\LTaskup.exe
O4 - HKLM\..\Run: [wTask] C:\WINDOWS\Media\LTaskup.exe
O4 - HKCU\..\Run: [great pop] C:\DOCUME~1\Kuba\DANEAP~1\SLOWEX~1\Wave Bits Bash.exe

Otwórz notatnik i wklej w nim:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"wTask"=-

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"great pop"=-

Przeskanuj ten plik na www.virustotal.com i wklej raport

C:\Program Files\Download Manager\DLM.exe
C:\WINDOWS\lnk_dados_2.dll

Wróc z logiem z ComboFix, Raport z usuwania z OTMoveIt, raport ze skanowania tych plików >>DLM.exe<< oraz >>lnk_dados_2.dll<<

**Posty:** 2484 · przez **kjubus** 28 Paź 2007, 09:26

takie pytanko... co mialem zrobic konkretniej z tm plikiem w notatniku?

a tu po kolei te wszystkie logi, reporty i wyniki:

NoLop! napisał(a):NoLop! Log by Skate_Punk_21

Fix running from: E:\zabezpieczenia
[2007-10-28]
[05:01:09]

---Infection Files Found/Removed---
NO INFECTION FILES FOUND - Cleaning Aborted.

---Listing AppData sub directories---

OTMoveIt napisał(a):C:\WINDOWS\Media\LTaskup.exe moved successfully.
File/Folder C:\DOCUME~1\Kuba\DANEAP~1\SLOWEX~1\Wave Bits Bash.exe not found.

Created on 10-28-2007 05:07:14

ComboFix napisał(a):ComboFix 07-10-26.4 - Kuba 2007-10-27 18:30:24.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.480 [GMT 2:00]
Running from: E:\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Mama\Pulpit\internet.lnk

.
((((((((((((((((((((((((( Files Created from 2007-09-27 to 2007-10-27 )))))))))))))))))))))))))))))))
.

2007-10-27 18:29 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-27 18:19 <DIR> d-------- C:\WINDOWS\ERUNT
2007-10-27 18:13 1,205,922 --a------ C:\SDFix.exe
2007-10-27 10:36 <DIR> d-------- C:\Program Files\SkanerOnline
2007-10-27 09:25 0 --a------ C:\Documents and Settings\Mama\Emails.dat
2007-10-27 09:24 10 --a------ C:\Documents and Settings\Mama\user.dat
2007-10-26 22:09 269 --a------ C:\Documents and Settings\Kuba\Emails.dat
2007-10-26 22:08 10 --a------ C:\Documents and Settings\Kuba\user.dat
2007-10-26 20:19 3 --a------ C:\WINDOWS\lnk_dados_2.dll
2007-10-21 20:52 <DIR> d-------- C:\Program Files\Common Files\Motorola Shared
2007-10-21 20:52 1,419,232 --a------ C:\WINDOWS\system32\wdfcoinstaller01005.dll
2007-10-21 20:52 21,504 --a------ C:\WINDOWS\system32\drivers\motmodem.sys
2007-10-14 16:25 <DIR> d-------- C:\Documents and Settings\Kuba\Dane aplikacji\InstallShield Installation Information
2007-10-14 16:23 <DIR> d-------- C:\Program Files\DIFX
2007-10-14 16:23 3,727,720 --a------ C:\WINDOWS\system32\d3dx9_35.dll
2007-10-14 16:23 1,358,192 --a------ C:\WINDOWS\system32\D3DCompiler_35.dll
2007-10-14 16:23 444,776 --a------ C:\WINDOWS\system32\d3dx10_35.dll
2007-10-14 12:26 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\ATI
2007-10-14 12:25 0 --a------ C:\WINDOWS\ativpsrm.bin
2007-10-14 12:21 <DIR> d-------- C:\Program Files\ATI Technologies
2007-10-14 12:21 593,920 --------- C:\WINDOWS\system32\ati2sgag.exe
2007-10-14 09:09 <DIR> d-------- C:\Documents and Settings\Kuba\Dane aplikacji\Printer Info Cache
2007-10-12 18:47 <DIR> d-------- C:\Program Files\MagicISO
2007-09-29 15:49 <DIR> d-------- C:\Program Files\Audio WAV To MP3 Converter
2007-09-29 05:21 9,854,976 --a------ C:\WINDOWS\system32\atioglx2.dll
2007-09-29 05:07 356,352 --a------ C:\WINDOWS\system32\ATIDEMGX.dll
2007-09-29 04:58 143,360 --a------ C:\WINDOWS\system32\atipdlxx.dll
2007-09-29 04:58 122,880 --a------ C:\WINDOWS\system32\Oemdspif.dll
2007-09-29 04:58 43,520 --a------ C:\WINDOWS\system32\ati2edxx.dll
2007-09-29 04:58 26,112 --a------ C:\WINDOWS\system32\Ati2mdxx.exe
2007-09-29 04:57 122,880 --a------ C:\WINDOWS\system32\ati2evxx.dll
2007-09-29 04:56 483,328 --a------ C:\WINDOWS\system32\ati2evxx.exe
2007-09-29 04:55 53,248 --a------ C:\WINDOWS\system32\ATIDDC.DLL
2007-09-29 04:49 307,200 --a------ C:\WINDOWS\system32\atiiiexx.dll
2007-09-29 04:47 172,032 --a------ C:\WINDOWS\system32\atiok3x2.dll
2007-09-29 04:36 3,107,788 --a------ C:\WINDOWS\system32\ativvaxx.dat
2007-09-29 04:36 3,107,788 --a------ C:\WINDOWS\system32\ativva5x.dat
2007-09-29 04:36 972,072 --a------ C:\WINDOWS\system32\ativva6x.dat
2007-09-29 04:23 5,435,392 --a------ C:\WINDOWS\system32\atioglxx.dll
2007-09-29 04:22 376,832 --a------ C:\WINDOWS\system32\atikvmag.dll
2007-09-29 04:20 17,408 --a------ C:\WINDOWS\system32\atitvo32.dll
2007-09-29 04:19 49,152 --a------ C:\WINDOWS\system32\drivers\ati2erec.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-27 11:43 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-26 20:09 738,816 ----a-w C:\WINDOWS\Media\LTaskup.exe
2007-10-23 19:57 --------- d-----w C:\Program Files\Opera
2007-10-23 17:12 --------- d-----w C:\Documents and Settings\Mama\Dane aplikacji\Teleca
2007-10-23 16:41 --------- d-----w C:\Documents and Settings\Kuba\Dane aplikacji\Skype
2007-10-21 18:54 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2007-10-21 18:54 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2007-10-21 18:53 --------- d-----w C:\Program Files\Motorola Phone Tools
2007-10-21 18:43 --------- d-----w C:\Program Files\Avanquest update
2007-10-21 18:34 --------- d-----w C:\Documents and Settings\Mama\Dane aplikacji\Image Zone Express
2007-10-19 16:11 --------- d-----w C:\Program Files\Gadu-Gadu
2007-10-18 20:25 --------- d-----w C:\Documents and Settings\Mama\Dane aplikacji\Skype
2007-10-17 14:54 --------- d-----w C:\Documents and Settings\Mama\Dane aplikacji\Tlen.pl
2007-10-14 14:22 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-10-14 14:22 --------- d-----w C:\Program Files\AGEIA Technologies
2007-10-14 07:09 --------- d-----w C:\Documents and Settings\Kuba\Dane aplikacji\Image Zone Express
2007-10-13 21:28 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-10-13 21:28 103,736 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2007-10-06 07:04 --------- d-----w C:\Program Files\Java
2007-09-29 05:46 47,376 ----a-w C:\WINDOWS\system32\drivers\ativvpxx.vp
2007-09-29 03:06 268,800 ----a-w C:\WINDOWS\system32\ati2dvag.dll
2007-09-29 03:05 2,456,064 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
2007-09-29 02:47 3,130,720 ----a-w C:\WINDOWS\system32\ati3duag.dll
2007-09-29 02:36 1,593,600 ----a-w C:\WINDOWS\system32\ativvaxx.dll
2007-09-29 02:14 499,712 ----a-w C:\WINDOWS\system32\ati2cqag.dll
2007-09-27 08:43 --------- d-----w C:\Program Files\DAEMON Tools
2007-09-24 21:20 --------- d-----w C:\Program Files\Google
2007-09-22 17:24 --------- d-----w C:\Program Files\SubtitleCreator
2007-09-22 16:17 --------- d-----w C:\Program Files\URUSoft
2007-09-22 16:17 --------- d-----w C:\Program Files\DVD Decrypter
2007-09-20 14:55 --------- d-----w C:\Documents and Settings\Kuba\Dane aplikacji\Bioshock
2007-09-20 10:46 --------- d-----w C:\Documents and Settings\Kuba\Dane aplikacji\Hamachi
2007-09-19 10:15 --------- d-----w C:\Program Files\BioshockTweak
2007-09-16 11:42 --------- d-----w C:\Documents and Settings\Filip\Dane aplikacji\Teleca
2007-09-16 11:42 --------- d-----w C:\Documents and Settings\Filip\Dane aplikacji\Sony Ericsson
2007-09-13 07:45 70,944 ----a-w C:\WINDOWS\system32\PhysXLoader.dll
2007-09-11 12:17 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2007-09-11 12:09 22,328 ----a-w C:\Documents and Settings\Kuba\Dane aplikacji\PnkBstrK.sys
2007-09-11 07:49 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-09-11 07:43 108,144 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-09-08 10:23 --------- d-----w C:\Program Files\Common Files\DirectX
2007-09-06 17:13 --------- d-----w C:\Documents and Settings\Mama\Dane aplikacji\Printer Info Cache
2007-09-06 17:12 --------- d-----w C:\Program Files\HP
2007-09-06 17:12 --------- d-----w C:\Program Files\Common Files\HP
2007-09-06 14:10 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\QuickTime
2007-09-06 10:30 --------- d-----w C:\Program Files\jv16 PowerTools 2007
2007-09-06 10:09 801,144 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-09-06 10:05 94,416 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-09-06 10:05 92,848 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-09-06 10:03 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-09-06 10:02 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-09-06 10:00 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
2007-09-06 10:00 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-09-05 11:52 --------- d-----w C:\Documents and Settings\Kuba\Dane aplikacji\IGN_DLM
2007-09-05 08:42 --------- d-----w C:\Program Files\Download Manager
2007-08-16 07:40 1,386,496 ----a-w C:\WINDOWS\system32\msvbvm60.dll
2007-08-14 19:37 92,064 ----a-w C:\Documents and Settings\Mama\mqdmmdm.sys
2007-08-14 19:37 9,232 ----a-w C:\Documents and Settings\Mama\mqdmmdfl.sys
2007-08-14 19:37 79,328 ----a-w C:\Documents and Settings\Mama\mqdmserd.sys
2007-08-14 19:37 66,656 ----a-w C:\Documents and Settings\Mama\mqdmbus.sys
2007-08-14 19:37 6,208 ----a-w C:\Documents and Settings\Mama\mqdmcmnt.sys
2007-08-14 19:37 5,936 ----a-w C:\Documents and Settings\Mama\mqdmwhnt.sys
2007-08-14 19:37 4,048 ----a-w C:\Documents and Settings\Mama\mqdmcr.sys
2007-08-14 19:37 25,600 ----a-w C:\Documents and Settings\Mama\usbsermptxp.sys
2007-08-14 19:37 22,768 ----a-w C:\Documents and Settings\Mama\usbsermpt.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 12:06]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 18:53]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"Onet.pl AutoUpdate"="C:\Program Files\Common Files\Onet.pl\NewAutoUpdate.exe" []
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 19:42]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"RTBatteryMeter"="C:\Program Files\VibrateGameDeviceDriver\RFPIcon.exe" [2003-01-16 11:32]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-05-28 10:14]
"UpdReg"="C:\WINDOWS\Updreg.exe" [2000-05-11 01:00]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-08-15 13:03]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35]
"wTask"="C:\WINDOWS\Media\LTaskup.exe" [2007-10-26 22:09]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 00:55]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-03-12 13:49]
"BitComet"="C:\Program Files\BitLord\BitLord.exe" [2005-05-07 02:47]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-05-10 16:36]
"great pop"="C:\DOCUME~1\Kuba\DANEAP~1\SLOWEX~1\Wave Bits Bash.exe" []
"igndlm.exe"="C:\Program Files\Download Manager\DLM.exe" [2007-03-05 23:57]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-08-16 13:24]
"C:\Program Files\NetMeter\NetMeter.exe"="C:\Program Files\NetMeter\NetMeter.exe" [2007-06-23 13:19]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22]

R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);C:\WINDOWS\system32\drivers\sfsync03.sys
S3 DynCal;Dynamic Calibration Service;C:\WINDOWS\system32\drivers\Dyncal.sys
S3 motmodem;Motorola USB CDC ACM Driver;C:\WINDOWS\system32\DRIVERS\motmodem.sys
S3 s115bus;Sony Ericsson Device 115 driver (WDM);C:\WINDOWS\system32\DRIVERS\s115bus.sys
S3 s115mdfl;Sony Ericsson Device 115 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\s115mdfl.sys
S3 s115mdm;Sony Ericsson Device 115 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\s115mdm.sys
S3 s115mgmt;Sony Ericsson Device 115 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\s115mgmt.sys
S3 s115obex;Sony Ericsson Device 115 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\s115obex.sys

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-27 18:32:07
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C:\\Program Files\\NetMeter\\NetMeter.exe"="C:\\Program Files\\NetMeter\\NetMeter.exe"
.
Completion time: 2007-10-27 18:32:54
.
--- E O F ---

OTMoveIt napisał(a):C:\WINDOWS\Media\LTaskup.exe moved successfully.
File/Folder C:\DOCUME~1\Kuba\DANEAP~1\SLOWEX~1\Wave Bits Bash.exe not found.

Created on 10-28-2007 05:07:14

www.virustotal.com, scan DLM.exe napisał(a):Plik DLM.exe otrzymany 2007.10.28 08:18:30 (CET)
Obecny status: zakończono
Wynik: 0/32 (0%)
Antywirus Wersja Ostatnia aktualizacja Wynik
AhnLab-V3 2007.10.27.0 2007.10.26 -
AntiVir 7.6.0.30 2007.10.26 -
Authentium 4.93.8 2007.10.26 -
Avast 4.7.1074.0 2007.10.27 -
AVG 7.5.0.503 2007.10.27 -
BitDefender 7.2 2007.10.28 -
CAT-QuickHeal 9.00 2007.10.26 -
ClamAV 0.91.2 2007.10.28 -
DrWeb 4.44.0.09170 2007.10.27 -
eSafe 7.0.15.0 2007.10.22 -
eTrust-Vet 31.2.5244 2007.10.26 -
Ewido 4.0 2007.10.27 -
FileAdvisor 1 2007.10.28 -
Fortinet 3.11.0.0 2007.10.19 -
F-Prot 4.3.2.48 2007.10.26 -
F-Secure 6.70.13030.0 2007.10.27 -
Ikarus T3.1.1.12 2007.10.27 -
Kaspersky 7.0.0.125 2007.10.28 -
McAfee 5150 2007.10.26 -
Microsoft 1.2908 2007.10.28 -
NOD32v2 2620 2007.10.27 -
Norman 5.80.02 2007.10.26 -
Panda 9.0.0.4 2007.10.27 -
Prevx1 V2 2007.10.28 -
Rising 19.46.52.00 2007.10.28 -
Sophos 4.23.0 2007.10.28 -
Sunbelt 2.2.907.0 2007.10.27 -
Symantec 10 2007.10.28 -
TheHacker 6.2.9.110 2007.10.27 -
VBA32 3.12.2.4 2007.10.28 -
VirusBuster 4.3.26:9 2007.10.27 -
Webwasher-Gateway 6.6.1 2007.10.28 -
Dodatkowe informacje
File size: 1103480 bytes
MD5: e44dc8468555b204615e4712563a5a95
SHA1: d18c8403d04001e5cc6d6a811281f4c537f9f07c

www.virustotal.com, scan lnk_dados_2.dll napisał(a):Plik lnk_dados_2.dll otrzymany 2007.10.28 08:15:04 (CET)
Obecny status: zakończono
Wynik: 0/32 (0%)
Antywirus Wersja Ostatnia aktualizacja Wynik
AhnLab-V3 2007.10.27.0 2007.10.26 -
AntiVir 7.6.0.30 2007.10.26 -
Authentium 4.93.8 2007.10.26 -
Avast 4.7.1074.0 2007.10.27 -
AVG 7.5.0.503 2007.10.27 -
BitDefender 7.2 2007.10.28 -
CAT-QuickHeal 9.00 2007.10.26 -
ClamAV 0.91.2 2007.10.28 -
DrWeb 4.44.0.09170 2007.10.27 -
eSafe 7.0.15.0 2007.10.22 -
eTrust-Vet 31.2.5244 2007.10.26 -
Ewido 4.0 2007.10.27 -
FileAdvisor 1 2007.10.28 -
Fortinet 3.11.0.0 2007.10.19 -
F-Prot 4.3.2.48 2007.10.26 -
F-Secure 6.70.13030.0 2007.10.27 -
Ikarus T3.1.1.12 2007.10.27 -
Kaspersky 7.0.0.125 2007.10.28 -
McAfee 5150 2007.10.26 -
Microsoft 1.2908 2007.10.28 -
NOD32v2 2620 2007.10.27 -
Norman 5.80.02 2007.10.26 -
Panda 9.0.0.4 2007.10.27 -
Prevx1 V2 2007.10.28 -
Rising 19.46.52.00 2007.10.28 -
Sophos 4.23.0 2007.10.28 -
Sunbelt 2.2.907.0 2007.10.27 -
Symantec 10 2007.10.28 -
TheHacker 6.2.9.110 2007.10.27 -
VBA32 3.12.2.4 2007.10.28 -
VirusBuster 4.3.26:9 2007.10.27 -
Webwasher-Gateway 6.6.1 2007.10.28 -

Dodatkowe informacje
File size: 3 bytes
MD5: 4b0c7ee592313eb3baf798f7e593c4c8
SHA1: 1cf16ea0e6a27a28c9de9bd8ac40ae520496099c

**Posty:** 237 · przez **Kuba1** 28 Paź 2007, 11:26

Otwórz notatnik i wklej w nim:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"wTask"=-

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"great pop"=-

Plik>>zapisz jako>>zmien rozszerzenie z txt na wszystkie pliki i zapisz pod nazwa FIX.REG uruchom powstały plik.

Po tym daj logi z Hijackthis, Silentrunners oraz ComboFix.

**Posty:** 2484 · przez **kjubus** 28 Paź 2007, 12:23

moja matka przed chwila sie zalogowala na swoje konto i jej nie wyskoczyla informacja o pliku (on przy kazdym logowaniu pojawial sie na nowo). sprawdzilem recznie, BYL tam gdzie zawsze sie pojawial. usunalem go zwyczajnie, nie przez antywirusa. zalogowalem sie do siebie i go nie ma:) ale mimo wszystko logi daje ponizej:

Silentrunners napisał(a):"Silent Runners.vbs", revision 52, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}" = ""C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"" ["Nero AG"]
"BitComet" = ""C:\Program Files\BitLord\BitLord.exe"" ["www.BitLord.com"]
"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu S.A."]
"igndlm.exe" = "C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork" ["IGN Entertainment"]
"DAEMON Tools" = ""C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033" ["DT Soft Ltd."]
"C:\Program Files\NetMeter\NetMeter.exe" = "C:\Program Files\NetMeter\NetMeter.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" ["ALWIL Software"]
"NeroFilterCheck" = "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" ["Nero AG"]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"Onet.pl AutoUpdate" = ""C:\Program Files\Common Files\Onet.pl\NewAutoUpdate.exe" /updateexetsr" [file not found]
"RemoteControl" = ""C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"" ["Cyberlink Corp."]
"HP Software Update" = "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" ["Hewlett-Packard Development Company, L.P."]
"Adobe Reader Speed Launcher" = ""C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"" ["Adobe Systems Incorporated"]
"RTBatteryMeter" = "C:\Program Files\VibrateGameDeviceDriver\RFPIcon.exe" ["Ruling Tec Pte Ltd"]
"Sony Ericsson PC Suite" = ""C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions" [null data]
"UpdReg" = "C:\WINDOWS\Updreg.exe" ["Creative Technology Ltd."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"StartCCC" = ""C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
-> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{97F68CE3-7146-45FF-BE24-D9A7DD7CB8A2}" = "NeroCoverEd Live Icons"
-> {HKLM...CLSID} = "NeroCoverEdLiveIcons Class"
\InProcServer32\(Default) = "C:\Program Files\Nero\Nero 7\Nero CoverDesigner\CoverEdExtension.dll" ["Nero AG"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{03DAACC5-10BA-4E3E-9D54-2A569F6B4B87}" = "Menedżer plików firmy Sony Ericsson"
-> {HKLM...CLSID} = "Menedżer plików firmy Sony Ericsson"
\InProcServer32\(Default) = "C:\Program Files\Sony Ericsson\Mobile2\File Manager\FM.dll" ["Popwire AB"]
"{738D66C6-0149-4D40-84E4-A7BB2D0CE949}" = "Menedżer plików firmy Sony Ericsson"
-> {HKLM...CLSID} = "Menedżer plików firmy Sony Ericsson"
\InProcServer32\(Default) = "C:\Program Files\Sony Ericsson\Mobile2\File Manager\FM.dll" ["Popwire AB"]
"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension"
-> {HKLM...CLSID} = "SimpleShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\atiacmxx.dll" [empty string]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\Software\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
Cover Designer\(Default) = "{73FCA462-9BD5-4065-A73F-A8E5F6904EF7}"
-> {HKLM...CLSID} = "NeroCoverEdContextMenu Class"
\InProcServer32\(Default) = "C:\Program Files\Nero\Nero 7\Nero CoverDesigner\CoverEdExtension.dll" ["Nero AG"]
MagicISO\(Default) = "{DB85C504-C730-49DD-BEC1-7B39C6103B7A}"
-> {HKLM...CLSID} = "MShellExtMenu Class"
\InProcServer32\(Default) = "C:\Program Files\MagicISO\misosh.dll" ["MagicISO, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
MagicISO\(Default) = "{DB85C504-C730-49DD-BEC1-7B39C6103B7A}"
-> {HKLM...CLSID} = "MShellExtMenu Class"
\InProcServer32\(Default) = "C:\Program Files\MagicISO\misosh.dll" ["MagicISO, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
MagicISO\(Default) = "{DB85C504-C730-49DD-BEC1-7B39C6103B7A}"
-> {HKLM...CLSID} = "MShellExtMenu Class"
\InProcServer32\(Default) = "C:\Program Files\MagicISO\misosh.dll" ["MagicISO, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Kuba\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Startup items in "Kuba" & "All Users" startup folders:
------------------------------------------------------

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"HP Digital Imaging Monitor" -> shortcut to: "C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe" ["Hewlett-Packard Development Company, L.P."]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Badanie"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in 1.6.0_03"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.6.0_03"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll" ["Sun Microsystems, Inc."]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Badanie"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" ["ALWIL Software"]
avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" ["ALWIL Software"]
avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]
avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]
NMIndexingService, NMIndexingService, ""C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe"" ["Nero AG"]
PunkBuster, PnkBstrA, ""D:\gry\Medal of Honor Airborne\UnrealEngine3\MOHAGame\pb\PnkBstrA.exe"" [null data]
Ulead Burning Helper, UleadBurningHelper, "C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe" ["Ulead Systems, Inc."]

Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
HP Standard TCP/IP Port\Driver = "HpTcpMon.dll" ["Hewlett Packard"]
LIDIL hpzll054\Driver = "hpzll054.dll" ["Hewlett-Packard Company"]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]

---------- (launch time: 2007-10-28 11:17:13)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 52 seconds, including 7 seconds for message boxes)

ComboFix napisał(a):ComboFix 07-10-26.4 - Kuba 2007-10-28 11:20:19.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.489 [GMT 1:00]
Running from: E:\zabezpieczenia\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-09-28 to 2007-10-28 )))))))))))))))))))))))))))))))
.

2007-10-28 05:01 212 --a------ C:\delete.bat
2007-10-27 17:29 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-27 17:19 <DIR> d-------- C:\WINDOWS\ERUNT
2007-10-27 17:13 1,205,922 --a------ C:\SDFix.exe
2007-10-27 09:36 <DIR> d-------- C:\Program Files\SkanerOnline
2007-10-27 08:25 0 --a------ C:\Documents and Settings\Mama\Emails.dat
2007-10-27 08:24 10 --a------ C:\Documents and Settings\Mama\user.dat
2007-10-26 21:09 269 --a------ C:\Documents and Settings\Kuba\Emails.dat
2007-10-26 21:08 10 --a------ C:\Documents and Settings\Kuba\user.dat
2007-10-26 19:19 3 --a------ C:\WINDOWS\lnk_dados_2.dll
2007-10-21 19:52 <DIR> d-------- C:\Program Files\Common Files\Motorola Shared
2007-10-21 19:52 1,419,232 --a------ C:\WINDOWS\system32\wdfcoinstaller01005.dll
2007-10-21 19:52 21,504 --a------ C:\WINDOWS\system32\drivers\motmodem.sys
2007-10-14 15:25 <DIR> d-------- C:\Documents and Settings\Kuba\Dane aplikacji\InstallShield Installation Information
2007-10-14 15:23 <DIR> d-------- C:\Program Files\DIFX
2007-10-14 15:23 3,727,720 --a------ C:\WINDOWS\system32\d3dx9_35.dll
2007-10-14 15:23 1,358,192 --a------ C:\WINDOWS\system32\D3DCompiler_35.dll
2007-10-14 15:23 444,776 --a------ C:\WINDOWS\system32\d3dx10_35.dll
2007-10-14 11:26 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\ATI
2007-10-14 11:25 0 --a------ C:\WINDOWS\ativpsrm.bin
2007-10-14 11:21 <DIR> d-------- C:\Program Files\ATI Technologies
2007-10-14 11:21 593,920 --------- C:\WINDOWS\system32\ati2sgag.exe
2007-10-14 08:09 <DIR> d-------- C:\Documents and Settings\Kuba\Dane aplikacji\Printer Info Cache
2007-10-12 17:47 <DIR> d-------- C:\Program Files\MagicISO
2007-09-29 14:49 <DIR> d-------- C:\Program Files\Audio WAV To MP3 Converter
2007-09-29 04:21 9,854,976 --a------ C:\WINDOWS\system32\atioglx2.dll
2007-09-29 04:07 356,352 --a------ C:\WINDOWS\system32\ATIDEMGX.dll
2007-09-29 03:58 143,360 --a------ C:\WINDOWS\system32\atipdlxx.dll
2007-09-29 03:58 122,880 --a------ C:\WINDOWS\system32\Oemdspif.dll
2007-09-29 03:58 43,520 --a------ C:\WINDOWS\system32\ati2edxx.dll
2007-09-29 03:58 26,112 --a------ C:\WINDOWS\system32\Ati2mdxx.exe
2007-09-29 03:57 122,880 --a------ C:\WINDOWS\system32\ati2evxx.dll
2007-09-29 03:56 483,328 --a------ C:\WINDOWS\system32\ati2evxx.exe
2007-09-29 03:55 53,248 --a------ C:\WINDOWS\system32\ATIDDC.DLL
2007-09-29 03:49 307,200 --a------ C:\WINDOWS\system32\atiiiexx.dll
2007-09-29 03:47 172,032 --a------ C:\WINDOWS\system32\atiok3x2.dll
2007-09-29 03:36 3,107,788 --a------ C:\WINDOWS\system32\ativvaxx.dat
2007-09-29 03:36 3,107,788 --a------ C:\WINDOWS\system32\ativva5x.dat
2007-09-29 03:36 972,072 --a------ C:\WINDOWS\system32\ativva6x.dat
2007-09-29 03:23 5,435,392 --a------ C:\WINDOWS\system32\atioglxx.dll
2007-09-29 03:22 376,832 --a------ C:\WINDOWS\system32\atikvmag.dll
2007-09-29 03:20 17,408 --a------ C:\WINDOWS\system32\atitvo32.dll
2007-09-29 03:19 49,152 --a------ C:\WINDOWS\system32\drivers\ati2erec.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-28 09:40 --------- d-----w C:\Documents and Settings\Mama\Dane aplikacji\Tlen.pl
2007-10-27 11:43 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-26 20:09 738,816 ------w C:\WINDOWS\Media\LTaskup.exe
2007-10-23 19:57 --------- d-----w C:\Program Files\Opera
2007-10-23 17:12 --------- d-----w C:\Documents and Settings\Mama\Dane aplikacji\Teleca
2007-10-23 16:41 --------- d-----w C:\Documents and Settings\Kuba\Dane aplikacji\Skype
2007-10-21 18:54 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2007-10-21 18:54 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2007-10-21 18:53 --------- d-----w C:\Program Files\Motorola Phone Tools
2007-10-21 18:43 --------- d-----w C:\Program Files\Avanquest update
2007-10-21 18:34 --------- d-----w C:\Documents and Settings\Mama\Dane aplikacji\Image Zone Express
2007-10-19 16:11 --------- d-----w C:\Program Files\Gadu-Gadu
2007-10-18 20:25 --------- d-----w C:\Documents and Settings\Mama\Dane aplikacji\Skype
2007-10-14 14:22 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-10-14 14:22 --------- d-----w C:\Program Files\AGEIA Technologies
2007-10-14 07:09 --------- d-----w C:\Documents and Settings\Kuba\Dane aplikacji\Image Zone Express
2007-10-13 21:28 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-10-13 21:28 103,736 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2007-10-06 07:04 --------- d-----w C:\Program Files\Java
2007-09-29 05:46 47,376 ----a-w C:\WINDOWS\system32\drivers\ativvpxx.vp
2007-09-29 03:06 268,800 ----a-w C:\WINDOWS\system32\ati2dvag.dll
2007-09-29 03:05 2,456,064 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
2007-09-29 02:47 3,130,720 ----a-w C:\WINDOWS\system32\ati3duag.dll
2007-09-29 02:36 1,593,600 ----a-w C:\WINDOWS\system32\ativvaxx.dll
2007-09-29 02:14 499,712 ----a-w C:\WINDOWS\system32\ati2cqag.dll
2007-09-27 08:43 --------- d-----w C:\Program Files\DAEMON Tools
2007-09-24 21:20 --------- d-----w C:\Program Files\Google
2007-09-22 17:24 --------- d-----w C:\Program Files\SubtitleCreator
2007-09-22 16:17 --------- d-----w C:\Program Files\URUSoft
2007-09-22 16:17 --------- d-----w C:\Program Files\DVD Decrypter
2007-09-20 14:55 --------- d-----w C:\Documents and Settings\Kuba\Dane aplikacji\Bioshock
2007-09-20 10:46 --------- d-----w C:\Documents and Settings\Kuba\Dane aplikacji\Hamachi
2007-09-19 10:15 --------- d-----w C:\Program Files\BioshockTweak
2007-09-16 11:42 --------- d-----w C:\Documents and Settings\Filip\Dane aplikacji\Teleca
2007-09-16 11:42 --------- d-----w C:\Documents and Settings\Filip\Dane aplikacji\Sony Ericsson
2007-09-13 07:45 70,944 ----a-w C:\WINDOWS\system32\PhysXLoader.dll
2007-09-11 12:17 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2007-09-11 12:09 22,328 ----a-w C:\Documents and Settings\Kuba\Dane aplikacji\PnkBstrK.sys
2007-09-11 07:49 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-09-11 07:43 108,144 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-09-08 10:23 --------- d-----w C:\Program Files\Common Files\DirectX
2007-09-06 17:13 --------- d-----w C:\Documents and Settings\Mama\Dane aplikacji\Printer Info Cache
2007-09-06 17:12 --------- d-----w C:\Program Files\HP
2007-09-06 17:12 --------- d-----w C:\Program Files\Common Files\HP
2007-09-06 14:10 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\QuickTime
2007-09-06 10:30 --------- d-----w C:\Program Files\jv16 PowerTools 2007
2007-09-06 10:09 801,144 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-09-06 10:05 94,416 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-09-06 10:05 92,848 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-09-06 10:03 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-09-06 10:02 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-09-06 10:00 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
2007-09-06 10:00 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-09-05 11:52 --------- d-----w C:\Documents and Settings\Kuba\Dane aplikacji\IGN_DLM
2007-09-05 08:42 --------- d-----w C:\Program Files\Download Manager
2007-08-16 07:40 1,386,496 ----a-w C:\WINDOWS\system32\msvbvm60.dll
2007-08-14 19:37 92,064 ----a-w C:\Documents and Settings\Mama\mqdmmdm.sys
2007-08-14 19:37 9,232 ----a-w C:\Documents and Settings\Mama\mqdmmdfl.sys
2007-08-14 19:37 79,328 ----a-w C:\Documents and Settings\Mama\mqdmserd.sys
2007-08-14 19:37 66,656 ----a-w C:\Documents and Settings\Mama\mqdmbus.sys
2007-08-14 19:37 6,208 ----a-w C:\Documents and Settings\Mama\mqdmcmnt.sys
2007-08-14 19:37 5,936 ----a-w C:\Documents and Settings\Mama\mqdmwhnt.sys
2007-08-14 19:37 4,048 ----a-w C:\Documents and Settings\Mama\mqdmcr.sys
2007-08-14 19:37 25,600 ----a-w C:\Documents and Settings\Mama\usbsermptxp.sys
2007-08-14 19:37 22,768 ----a-w C:\Documents and Settings\Mama\usbsermpt.sys
.

((((((((((((((((((((((((((((( snapshot@2007-10-27_18.32.16,17 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-10-20 04:03:30 136,192 ----a-w C:\WINDOWS\catchme.exe
+ 2007-10-20 05:03:30 136,192 ----a-w C:\WINDOWS\catchme.exe
- 2007-10-27 16:19:09 4,829,184 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2007-10-27 16:52:51 1,024,000 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
- 2007-10-27 16:19:09 180,224 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2007-10-27 16:52:51 8,192 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
- 2007-06-26 09:47:49 59,440 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2007-10-28 04:13:12 59,440 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-06-26 09:47:49 75,486 ----a-w C:\WINDOWS\system32\perfc015.dat
+ 2007-10-28 04:13:12 75,486 ----a-w C:\WINDOWS\system32\perfc015.dat
- 2007-06-26 09:47:49 395,200 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-10-28 04:13:12 395,200 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2007-06-26 09:47:49 451,220 ----a-w C:\WINDOWS\system32\perfh015.dat
+ 2007-10-28 04:13:12 451,220 ----a-w C:\WINDOWS\system32\perfh015.dat
- 2007-07-22 16:39:27 279,552 ----a-w C:\WINDOWS\system32\swreg.exe
+ 2007-07-22 17:39:27 279,552 ----a-w C:\WINDOWS\system32\swreg.exe
+ 2007-10-28 04:11:31 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_6cc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 11:06]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 17:53]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"Onet.pl AutoUpdate"="C:\Program Files\Common Files\Onet.pl\NewAutoUpdate.exe" []
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 18:42]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 01:41]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06]
"RTBatteryMeter"="C:\Program Files\VibrateGameDeviceDriver\RFPIcon.exe" [2003-01-16 10:32]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-05-28 09:14]
"UpdReg"="C:\WINDOWS\Updreg.exe" [2000-05-11 00:00]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-08-15 12:03]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 11:35]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-03-12 12:49]
"BitComet"="C:\Program Files\BitLord\BitLord.exe" [2005-05-07 01:47]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-05-10 15:36]
"igndlm.exe"="C:\Program Files\Download Manager\DLM.exe" [2007-03-05 22:57]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-08-16 12:24]
"C:\Program Files\NetMeter\NetMeter.exe"="C:\Program Files\NetMeter\NetMeter.exe" [2007-06-23 12:19]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 03:21:22]

R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);C:\WINDOWS\system32\drivers\sfsync03.sys
S3 DynCal;Dynamic Calibration Service;C:\WINDOWS\system32\drivers\Dyncal.sys
S3 motmodem;Motorola USB CDC ACM Driver;C:\WINDOWS\system32\DRIVERS\motmodem.sys
S3 s115bus;Sony Ericsson Device 115 driver (WDM);C:\WINDOWS\system32\DRIVERS\s115bus.sys
S3 s115mdfl;Sony Ericsson Device 115 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\s115mdfl.sys
S3 s115mdm;Sony Ericsson Device 115 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\s115mdm.sys
S3 s115mgmt;Sony Ericsson Device 115 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\s115mgmt.sys
S3 s115obex;Sony Ericsson Device 115 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\s115obex.sys

.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-28 11:22:00
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C:\\Program Files\\NetMeter\\NetMeter.exe"="C:\\Program Files\\NetMeter\\NetMeter.exe"
.
Completion time: 2007-10-28 11:22:43
C:\ComboFix2.txt ... 2007-10-28 08:13
C:\ComboFix3.txt ... 2007-10-27 17:32
.
--- E O F ---

Hijackthis napisał(a):Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:23:12, on 2007-10-28
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\gry\Medal of Honor Airborne\UnrealEngine3\MOHAGame\pb\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\VibrateGameDeviceDriver\RFPIcon.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\BitLord\BitLord.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\NetMeter\NetMeter.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Opera\Opera.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
E:\zabezpieczenia\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://192.168.1.1/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Onet.pl AutoUpdate] "C:\Program Files\Common Files\Onet.pl\NewAutoUpdate.exe" /updateexetsr
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RTBatteryMeter] C:\Program Files\VibrateGameDeviceDriver\RFPIcon.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitLord\BitLord.exe"
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [C:\Program Files\NetMeter\NetMeter.exe] C:\Program Files\NetMeter\NetMeter.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-21-1409082233-2147116071-725345543-1005\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Mama')
O4 - HKUS\S-1-5-21-1409082233-2147116071-725345543-1005\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Mama')
O4 - HKUS\S-1-5-21-1409082233-2147116071-725345543-1005\..\Run: [BitComet] "C:\Program Files\BitLord\BitLord.exe" (User 'Mama')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {631FF594-EC25-4CFF-B869-402DF294E1D6} (Instalator oprogramowania Onet.pl) - http://slimak.onet.pl/_m/kamerzysta/OnetInstalator012s.ocx
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PunkBuster (PnkBstrA) - Unknown owner - D:\gry\Medal of Honor Airborne\UnrealEngine3\MOHAGame\pb\PnkBstrA.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 8073 bytes

**Posty:** 237 · przez **Kuba1** 28 Paź 2007, 12:33

Jest ok.

**Posty:** 2484 · przez **kjubus** 28 Paź 2007, 12:54

no to cudnie! gdyby byla mozliwosc to bym dal plusik;)

**Posty:** 237 · przez **Kuba1** 28 Paź 2007, 13:31

Jeszcze jedna sprawa:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://192.168.1.1/

Co to jest?

**Posty:** 2484 · przez **kjubus** 28 Paź 2007, 13:38

ja uzywam na codzien opery. jedyne, do czego uzywam IE to wchodzic w moj router i jego ip jest ustawione jako strona startowa:) nie ma wiec powodow do niepokoju.

**Posty:** 16 · przez **Meggi** 08 Gru 2007, 13:22

Witam!
Potrzebuję małej pomocy- posiadam (jeśli można tak powiedzieć) BV: KILLFILES-K-[TRJ] takiego oto trojana. Czytałam już ten temat jak usunąć tego trojana. Pobrałan narzędzie SDFix i robilam wszystko po kolei jak kazaliście wcześniej koledze. Wyskoczył mi taki raport który wklejam na forum

SDFix: Version 1.117

Run by Madzia on 2007-12-08 at 11:46

Microsoft Windows XP [Wersja 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\antiv.exe - Deleted

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.

Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-08 11:53:37
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services:
------------------

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\totalcmd\\TOTALCMD.EXE"="C:\\totalcmd\\TOTALCMD.EXE:*:Enabled:Total Commander 32 bit international version, file manager replacement for Windows"
"C:\\Program Files\\IncrediMail\\bin\\IMApp.exe"="C:\\Program Files\\IncrediMail\\bin\\IMApp.exe:*:Enabled:IncrediMail"
"C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"="C:\\Program Files\\IncrediMail\\bin\\IncMail.exe:*:Enabled:IncrediMail"
"C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"="C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe:*:Enabled:IncrediMail"
"C:\\Program Files\\Gadu-Gadu\\GG.EXE"="C:\\Program Files\\Gadu-Gadu\\GG.EXE:*:Enabled:Gadu-Gadu - program gˆ˘wny"
"C:\\Program Files\\Kyodai Mahjongg 2006\\kmj.exe"="C:\\Program Files\\Kyodai Mahjongg 2006\\kmj.exe:*:Enabled:Kyodai Mahjongg"
"C:\\Program Files\\eMule\\eMule.exe"="C:\\Program Files\\eMule\\eMule.exe:*:Enabled:eMule Plus"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\WapSter\\AQQ\\AQQ.exe"="C:\\Program Files\\WapSter\\AQQ\\AQQ.exe:*:Enabled:P2P AQQ"
"C:\\PROGRA~1\\WapSter\\AQQ\\AQQ.exe"="C:\\PROGRA~1\\WapSter\\AQQ\\AQQ.exe:*:Enabled:P2P AQQ"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"="C:\\Program Files\\Winamp Remote\\bin\\Orb.exe:*:Enabled:Orb"
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"="C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe:*:Enabled:OrbTray"
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"="C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe:*:Enabled:Orb Stream Client"
"C:\\Program Files\\Electronic Arts\\Need for Speed ProStreet\\nfs.exe"="C:\\Program Files\\Electronic Arts\\Need for Speed ProStreet\\nfs.exe:*:Enabled:nfs"
"C:\\WINDOWS\\Media\\LTaskup.exe"="C:\\WINDOWS\\Media\\LTaskup.exe:*:Enabled:RPC"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Wed 16 Aug 2006 1,024 ...HR --- "C:\WINDOWS\system32\NTICDMK7.dll"
Wed 16 Aug 2006 1,024 ...HR --- "C:\WINDOWS\system32\NTIMP3.dll"
Wed 16 Aug 2006 1,024 ...HR --- "C:\WINDOWS\system32\NTIMPEG2.dll"
Wed 16 Aug 2006 1,024 ...HR --- "C:\WINDOWS\system32\NTIFCD3.dll"
Wed 16 Aug 2006 1,024 ...HR --- "C:\WINDOWS\system32\NTIBUN4.dll"
Sun 4 Nov 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Tue 16 Oct 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fe95c915e785c18bf9cc0792fb5a73df\BITB.tmp"
Wed 14 Feb 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"

Finished!

avast nadal pokazuje komunikat że plik c:\start.bat zawiera trojana.

PObrałam drugi program- No Lop- ten natomiast nie wykrył nic- a komunikat w avast wyskakuje nadal.
Jeśli ktoś wie jak zlikwidować tego trojana to proszę o pomoc- prowadzę sklep internetowy, wszystkie hasła dostępowe mam na komputerze, a nie chciałabym stać się ofiarą jakiegoś hakera.

[ Dodano: Dzisiaj o 12:24 ]
Ps. używam przeglądarki mozilla firexox a tak wogóle to dopiero dziś włączylam zapore na komputerze.

Pozdrawiam
Magda

**Posty:** 3854 · przez **Dzi@dek** 08 Gru 2007, 14:36

Meggi

Przeczytaj dokładnie ten temat
http://forum.programosy.pl/hijackthis-amp-silent-runners-gtobsuga-i-umieszczanie-vt9452.html

Otwórz nowy temat i daj logi w/g powyższego opisu w tagi code lub quote.

bv:killfiles-k [trj] jak usunac?

BV:KillFiles-K [Trj] jak usunac?

trojan BV: KILLFILES-K-[TRJ]

Kto jest na forum