
Here is the ComboFix log:
ComboFix 08-10-30.04 - Michal 2008-11-03 9:18:15.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1250.1.1045.18.1694 [GMT 1:00]
Uruchomiony z: C:\Documents and Settings\Michal\Pulpit\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\autorun.inf
C:\WINDOWS\system32\ckvo.exe
C:\WINDOWS\system32\ckvo0.dll
C:\WINDOWS\system32\ckvo1.dll
C:\xih9.cmd
D:\Autorun.inf
D:\xih9.cmd
E:\Autorun.inf
E:\xih9.cmd
.
((((((((((((((((((((((((( Pliki utworzone od 2008-10-03 do 2008-11-03 )))))))))))))))))))))))))))))))
.
2008-10-31 07:38 . 2008-10-31 07:38 518 --a------ C:\WINDOWS\system32\WFD_List.ini
2008-10-30 21:25 . 2000-12-28 15:45 1,600 --a------ C:\WINDOWS\system32\drivers\TVCC2000.SYS
2008-10-30 21:11 . 2008-10-30 21:11 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\ATI
2008-10-30 21:08 . 2008-10-30 21:09 <DIR> d-------- C:\Program Files\ATI Technologies
2008-10-30 21:08 . 2008-09-23 21:05 593,920 --------- C:\WINDOWS\system32\ati2sgag.exe
2008-10-30 19:36 . 2008-10-30 19:36 <DIR> d-------- C:\Documents and Settings\Michal\Dane aplikacji\ATI
2008-10-30 19:20 . 2008-10-30 19:20 <DIR> d-------- C:\ATI
2008-10-30 11:55 . 2008-10-30 21:01 10 --a------ C:\WINDOWS\WININIT.INI
2008-10-28 19:17 . 2008-10-28 19:17 <DIR> d-------- C:\symfonia
2008-10-28 19:16 . 2008-10-28 19:16 <DIR> d-------- C:\Program Files\Symfonia
2008-10-28 19:16 . 2008-10-28 19:16 <DIR> d-------- C:\Program Files\Common Files\Symfonia
2008-10-24 09:10 . 2008-10-15 17:36 337,408 -----c--- C:\WINDOWS\system32\dllcache\netapi32.dll
2008-10-21 18:03 . 2008-10-28 19:16 <DIR> d-------- C:\Program Files\Common Files\Matrix.pl
2008-10-19 08:46 . 2008-10-30 20:06 <DIR> d-------- C:\Program Files\Alwil Software
2008-10-17 17:46 . 2008-10-17 17:46 <DIR> d-------- C:\Program Files\SoftprojectGP
2008-10-17 17:46 . 2005-07-20 11:48 59,904 --a------ C:\WINDOWS\system32\zlib.dll
2008-10-15 09:22 . 2008-09-08 11:41 333,824 -----c--- C:\WINDOWS\system32\dllcache\srv.sys
2008-10-15 09:21 . 2008-08-14 14:26 2,190,464 -----c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-10-15 09:21 . 2008-08-14 14:26 2,146,816 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-10-15 09:21 . 2008-08-14 14:26 2,067,328 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-10-15 09:21 . 2008-08-14 14:26 2,025,472 -----c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-10-15 09:21 . 2008-09-15 16:27 1,846,656 -----c--- C:\WINDOWS\system32\dllcache\win32k.sys
2008-10-12 10:58 . 2008-11-01 20:13 <DIR> d-------- C:\Program Files\DC++
2008-10-04 22:59 . 2008-10-04 22:59 <DIR> d-------- C:\Program Files\Real Alternative
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-31 14:02 --------- d-----w C:\Documents and Settings\Michal\Dane aplikacji\Vso
2008-10-31 06:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-10-31 06:40 --------- d-----w C:\Program Files\Common Files\ArcSoft
2008-10-31 06:39 --------- d-----w C:\Program Files\WinFast
2008-10-31 06:39 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\ArcSoft
2008-10-31 06:38 --------- d-----w C:\Documents and Settings\Michal\Dane aplikacji\ArcSoft
2008-10-17 16:54 --------- d-----w C:\Program Files\SopCast
2008-10-17 16:54 --------- d-----w C:\Program Files\DivX
2008-10-17 16:54 --------- d-----w C:\Program Files\Common Files\ACD Systems
2008-10-17 16:54 --------- d-----w C:\Program Files\7-Zip
2008-10-11 20:43 --------- d-----w C:\Documents and Settings\Michal\Dane aplikacji\Winamp
2008-10-08 09:00 --------- d-----w C:\Program Files\FreeCommander
2008-09-24 03:09 3,331,072 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
2008-09-24 02:18 425,984 ----a-w C:\WINDOWS\system32\ATIDEMGX.dll
2008-09-24 02:17 311,296 ----a-w C:\WINDOWS\system32\ati2dvag.dll
2008-09-24 02:09 10,772,480 ----a-w C:\WINDOWS\system32\atioglxx.dll
2008-09-24 02:07 188,416 ----a-w C:\WINDOWS\system32\atipdlxx.dll
2008-09-24 02:06 43,520 ----a-w C:\WINDOWS\system32\ati2edxx.dll
2008-09-24 02:06 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe
2008-09-24 02:06 143,360 ----a-w C:\WINDOWS\system32\Oemdspif.dll
2008-09-24 02:06 143,360 ----a-w C:\WINDOWS\system32\ati2evxx.dll
2008-09-24 02:04 581,632 ----a-w C:\WINDOWS\system32\ati2evxx.exe
2008-09-24 02:03 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL
2008-09-24 01:56 307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll
2008-09-24 01:54 4,008,864 ----a-w C:\WINDOWS\system32\ati3duag.dll
2008-09-24 01:38 2,399,744 ----a-w C:\WINDOWS\system32\ativvaxx.dll
2008-09-24 01:24 48,640 ----a-w C:\WINDOWS\system32\amdpcom32.dll
2008-09-24 01:20 380,928 ----a-w C:\WINDOWS\system32\atikvmag.dll
2008-09-24 01:19 39,424 ----a-w C:\WINDOWS\system32\atiadlxx.dll
2008-09-24 01:18 53,248 ----a-w C:\WINDOWS\system32\drivers\ati2erec.dll
2008-09-24 01:18 253,952 ----a-w C:\WINDOWS\system32\atiok3x2.dll
2008-09-24 01:18 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll
2008-09-24 01:12 573,440 ----a-w C:\WINDOWS\system32\ati2cqag.dll
2008-09-18 07:30 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-09-18 07:30 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_ggsemc_01005.Wdf
2008-09-18 07:26 21,672 ----a-w C:\WINDOWS\system32\drivers\ggsemc.sys
2008-09-18 07:26 13,352 ----a-w C:\WINDOWS\system32\drivers\ggflt.sys
2008-09-18 07:26 1,419,232 ----a-w C:\WINDOWS\system32\wdfcoinstaller01005.dll
2008-09-18 07:25 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Sony Ericsson
2008-09-15 15:27 1,846,656 ----a-w C:\WINDOWS\system32\win32k.sys
2008-09-08 10:41 333,824 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-09-01 15:54 871,160 ----a-w C:\WINDOWS\system32\wmvdmod.dll
2008-08-26 08:27 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-08-17 14:21 98,304 ----a-w C:\WINDOWS\system32\qttask.exe
2008-08-14 13:26 2,146,816 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-08-14 13:26 2,025,472 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2004-08-03 22:44 60,928 --sha-w C:\WINDOWS\BricoPacks\SysFiles\80_msimn.exe
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 155648]
"RTHDCPL"="RTHDCPL.EXE" [2008-02-13 C:\WINDOWS\RTHDCPL.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableStatusMessages"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.iac2"= C:\PROGRA~1\ACEMEG~1\SystemS\Intel\iac25_32.ax
"msacm.sl_anet"= C:\PROGRA~1\ACEMEG~1\SystemS\sl_anet.acm
"vidc.yv12"= C:\PROGRA~1\ACEMEG~1\SystemS\ATI\atiyuv12.DLL
"vidc.divx"= C:\PROGRA~1\ACEMEG~1\SystemS\DivX\DivX520.dll
"msacm.msaudio1"= C:\PROGRA~1\ACEMEG~1\SystemS\MICROS~1\msaud32.acm
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^HP Digital Imaging Monitor.lnk]
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-05-11 23:12 49152 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Gadu-Gadu\\gg.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\DC++\\DCPlusPlus.exe"=
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"C:\\Program Files\\SopCast\\SopCast.exe"=
R2 BT848;WinFast TV2000 XP WDM Video Capture;C:\WINDOWS\system32\drivers\wf2kvcap.sys [2006-04-20 59776]
R2 tv2ktunr;WinFast TV2000 XP WDM TVTuner;C:\WINDOWS\system32\drivers\wf2ktunr.sys [2006-04-20 19456]
R2 Tv2kXbar;WinFast TV2000 XP WDM Crossbar;C:\WINDOWS\system32\drivers\wf2kxbar.sys [2006-04-20 9600]
R2 TVCC2000;TVCC2000;C:\WINDOWS\system32\Drivers\TVCC2000.SYS [2000-12-28 1600]
S3 ggflt;SEMC USB Flash Driver Filter;C:\WINDOWS\system32\DRIVERS\ggflt.sys [2008-09-18 13352]
S3 se59bus;Sony Ericsson Device 089 driver (WDM);C:\WINDOWS\system32\DRIVERS\se59bus.sys [2006-09-05 61536]
S3 se59mdfl;Sony Ericsson Device 089 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\se59mdfl.sys [2006-09-05 9360]
S3 se59mdm;Sony Ericsson Device 089 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\se59mdm.sys [2006-09-05 97088]
S3 se59mgmt;Sony Ericsson Device 089 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\se59mgmt.sys [2006-09-05 88624]
S3 se59nd5;Sony Ericsson Device 089 USB Ethernet Emulation SEMC59 (NDIS);C:\WINDOWS\system32\DRIVERS\se59nd5.sys [2006-09-05 18704]
S3 se59obex;Sony Ericsson Device 089 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\se59obex.sys [2006-09-05 86432]
S3 se59unic;Sony Ericsson Device 089 USB Ethernet Emulation SEMC59 (WDM);C:\WINDOWS\system32\DRIVERS\se59unic.sys [2006-09-05 90800]
S3 vmfilter323;323 filter service, Normal;C:\WINDOWS\system32\drivers\vmfilter323.sys [ ]
S3 ZSMC326;CANYON USB PC Camera;C:\WINDOWS\system32\Drivers\usbvm323.sys [ ]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{70ec48b6-e5ef-11dc-915f-0015f2ee08d1}]
\Shell\AutoRun\command - K:\xih9.cmd
\Shell\explore\Command - K:\xih9.cmd
\Shell\open\Command - K:\xih9.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{70ec48b7-e5ef-11dc-915f-0015f2ee08d1}]
\Shell\AutoRun\command - M:\xih9.cmd
\Shell\explore\Command - M:\xih9.cmd
\Shell\open\Command - M:\xih9.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{70ec48b8-e5ef-11dc-915f-0015f2ee08d1}]
\Shell\AutoRun\command - N:\xih9.cmd
\Shell\explore\Command - N:\xih9.cmd
\Shell\open\Command - N:\xih9.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{70ec48b9-e5ef-11dc-915f-0015f2ee08d1}]
\Shell\AutoRun\command - O:\xih9.cmd
\Shell\explore\Command - O:\xih9.cmd
\Shell\open\Command - O:\xih9.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{70ec48ba-e5ef-11dc-915f-0015f2ee08d1}]
\Shell\AutoRun\command - P:\xih9.cmd
\Shell\explore\Command - P:\xih9.cmd
\Shell\open\Command - P:\xih9.cmd
.
Zawartość folderu 'Zaplanowane zadania'
2008-11-01 C:\WINDOWS\Tasks\HPpromotions journeysoftware.job
- C:\Program Files\hp\digital imaging\bin\hp promotions\journeysoftware\HPpromo.exe [2005-04-22 17:36]
.
.
------- Skan uzupełniający -------
.
FireFox -: Profile - C:\Documents and Settings\Michal\Dane aplikacji\Mozilla\Firefox\Profiles\id2qx27c.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.wp.pl/
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-03 09:19:08
Windows 5.1.2600 Dodatek Service Pack 3 NTFS
skanowanie ukrytych procesów ...
skanowanie ukrytych wpisów autostartu ...
skanowanie ukrytych plików ...
C:\DOCUME~1\Michal\USTAWI~1\Temp\RGI1.tmp
skanowanie pomyślnie ukończone
ukryte pliki: 1
**************************************************************************
.
Czas ukończenia: 2008-11-03 9:19:39
ComboFix-quarantined-files.txt 2008-11-03 08:19:37
Przed: 5 876 436 992 bajtów wolnych
Po: 5,861,941,248 bajtów wolnych
189 --- E O F --- 2008-10-30 19:21:36
HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:16:35, on 2008-11-03
Platform: Windows XP Dodatek SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\mom.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wp.pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u5-windows-i586-jc.cab
O16 - DPF: {92ECE6FA-AC2E-4042-BFAE-0C8608E52A43} (SignActivX Control) - https://www.bph.pl/pi/components/SignActivX.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - Lavasoft - (no file)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
--
End of file - 4661 bytes