coś złapałem...

[RufuS*]

Witam

Przed chwila wyskoczyl mi dymek w trayu ze moj komp jest "infected" chwile po tym nastapil restart kompa. I tak za kazdym razme gdy sie logowalem. Na szczescie w awaryjnym wszystko działa. Wiec przeszkanowalem sobie kompa Ewido no i coś tam powykrywał i usunął.

Teraz XP'ek dziala juz normalnie ale przy staqrcie wyskakuje komunikat ze nie moze odnalezc pliku systemowego - c:\windows\system\svchctrl.exe

Za kazdym razem gdy wejde w Moj Komputer wyskakuje ze wystapil problem z aplikacja explorer.exe i zostanie ona zamknieta...

Oto log:

Kod: Zaznacz wszystko

Logfile of HijackThis v1.99.1
Scan saved at 07:47:03, on 2007-03-15
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchosts.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\adirka.exe
C:\Program Files\Mozilla Firefox 2\firefox.exe
C:\Program Files\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\sm.exe
C:\WINDOWS\system32\dd.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\dwwin.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.freewebportal.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = w3cache.stk.net.pl:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
F3 - REG:win.ini: load=,c:\windows\system\svchctrl.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Flashget Catch Url Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: MEGAUPLOADTOOLBAR - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{349ED~1\Bar888.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O3 - Toolbar: &Tłumaczenie - {0D704FAD-66E9-4F0A-BFED-4F665770DDB3} - C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll
O3 - Toolbar: MEGAUPLOADTOOLBAR - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{349ED~1\Bar888.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [pbmini] "C:\Program Files\Telewizja Internetowa\PodcastbarMini\PodcastBarMiniStater.exe" -hide
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [sysinter] C:\WINDOWS\system32\adirss.exe
O4 - HKLM\..\Run: [lnwin.exe] C:\WINDOWS\system32\lnwin.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [adirka] C:\WINDOWS\system32\adirka.exe
O4 - Startup: SAM.lnk = C:\Program Files\Skype\SAM\SAM.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Ściągnij przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &Ściągnij wszystko przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download Link Using Mega Manager... - C:\Program Files\Megaupload\Mega Manager\mm_file.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {B46B0919-62BA-4D99-A5C4-916B57A6805C} - C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll,-103 - {B46B0919-62BA-4D99-A5C4-916B57A6805C} - C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O15 - Trusted Zone: *.impregnable.net
O15 - Trusted Zone: *.torrentcommander.com
O16 - DPF: {92ECE6FA-AC2E-4042-BFAE-0C8608E52A43} (SignActivX Control) - https://www.bph.pl/sezam/components/SignActivX.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: 
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Dokumenty\Settings\winsys2f.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000271 (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol 120\StarWind\StarWindService.exe



[Red]

usun:

C:\WINDOWS\system32\sm.exe
F3 - REG:win.ini: load=,c:\windows\system\svchctrl.exe
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{349ED~1\Bar888.dll
O4 - HKLM\..\Run: [sysinter] C:\WINDOWS\system32\adirss.exe
O4 - HKLM\..\Run: [lnwin.exe] C:\WINDOWS\system32\lnwin.exe
O4 - HKCU\..\Run: [adirka] C:\WINDOWS\system32\adirka.exe
O15 - Trusted Zone: *.impregnable.net
O15 - Trusted Zone: *.torrentcommander.com
O20 - AppInit_DLLs:
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Dokumenty\Settings\winsys2f.dll (file missing)
O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000271 (file missing)

[RufuS*]

Hmmm no niby wszystko usunalem ale jak wchodze w Moj komputer to ciagle wywala ze wystapil blad z explorer.exe... a raz nawet wyskoczylo jakies drwtsn32.exe...
raz jeszcze logi z hijacka, dodaje tez z silent runners

Logfile of HijackThis v1.99.1
Scan saved at 08:55:40, on 2007-03-15
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox 2\firefox.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\dwwin.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.freewebportal.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = w3cache.stk.net.pl:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Flashget Catch Url Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: MEGAUPLOADTOOLBAR - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O3 - Toolbar: &Tłumaczenie - {0D704FAD-66E9-4F0A-BFED-4F665770DDB3} - C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll
O3 - Toolbar: MEGAUPLOADTOOLBAR - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O3 - Toolbar: (no name) - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [pbmini] "C:\Program Files\Telewizja Internetowa\PodcastbarMini\PodcastBarMiniStater.exe" -hide
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Startup: SAM.lnk = C:\Program Files\Skype\SAM\SAM.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Ściągnij przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &Ściągnij wszystko przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download Link Using Mega Manager... - C:\Program Files\Megaupload\Mega Manager\mm_file.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {B46B0919-62BA-4D99-A5C4-916B57A6805C} - C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll,-103 - {B46B0919-62BA-4D99-A5C4-916B57A6805C} - C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O16 - DPF: {92ECE6FA-AC2E-4042-BFAE-0C8608E52A43} (SignActivX Control) - https://www.bph.pl/sezam/components/SignActivX.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol 120\StarWind\StarWindService.exe

"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
"{F49EDD30-05FD-1045-0710-020208080030}" = ""C:\Program Files\Common Files\{F49EDD30-05FD-1045-0710-020208080030}\Update.exe" te-110-12-0000271" [file not found]

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}" = ""C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"" ["Nero AG"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [file not found]
"SoundMan" = "SOUNDMAN.EXE" ["Avance Logic, Inc."]
"NeroFilterCheck" = "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" ["Nero AG"]
"WatchDog" = "C:\Program Files\mobile PhoneTools\WatchDog.exe" [null data]
"pbmini" = ""C:\Program Files\Telewizja Internetowa\PodcastbarMini\PodcastBarMiniStater.exe" -hide" [file not found]
"DAEMON Tools" = ""C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033" ["DT Soft Ltd."]
"!ewido" = ""C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized" ["Anti-Malware Development a.s."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Program Files\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Flashget Catch Url Class"
\InProcServer32\(Default) = "C:\Program Files\FlashGet\jccatch.dll" ["www.flashget.com"]
{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}\(Default) = (no title provided)
-> {HKLM...CLSID} = "MEGAUPLOADTOOLBAR"
\InProcServer32\(Default) = "C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL" ["MegaUpload"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll" ["Sun Microsystems, Inc."]
{F156768E-81EF-470C-9057-481BA8380DBA}\(Default) = (no title provided)
-> {HKLM...CLSID} = "gFlash Class"
\InProcServer32\(Default) = "C:\Program Files\FlashGet\getflash.dll" [empty string]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
-> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" = "OpenOffice.org Column Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.ux.pl 2.0.3\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{087B3AE3-E237-4467-B8DB-5A38AB959AC9}" = "OpenOffice.org Infotip Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.ux.pl 2.0.3\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice.org Property Sheet Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.ux.pl 2.0.3\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{3B092F0C-7696-40E3-A80F-68D74DA84210}" = "OpenOffice.org Thumbnail Viewer"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.ux.pl 2.0.3\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"
-> {HKLM...CLSID} = "AlcoholShellEx"
\InProcServer32\(Default) = "C:\PROGRA~1\ALCOHO~1\axshlex.dll" ["Alcohol Soft Development Team"]
"{00020000-0000-1011-8004-0000C06B5161}" = "WIBU-SYSTEMS Shell Extension"
-> {HKLM...CLSID} = "WIBU-SYSTEMS Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\WIBU-SYSTEMS\System\WibuShellExt.dll" ["WIBU-SYSTEMS AG"]
"{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8}" = "jetAudio"
-> {HKLM...CLSID} = "JetFlExt"
\InProcServer32\(Default) = "C:\Program Files\JetAudio\JetFlExt.dll" ["JetAudio, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "ewido anti-spyware 4.0"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Program Files\ewido anti-spyware 4.0\shellexecutehook.dll" ["Anti-Malware Development a.s."]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{00020000-0000-1011-8004-0000C06B5161}\(Default) = (no title provided)
-> {HKLM...CLSID} = "WIBU-SYSTEMS Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\WIBU-SYSTEMS\System\WibuShellExt.dll" ["WIBU-SYSTEMS AG"]
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}\(Default) = "OpenOffice.org Column Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.ux.pl 2.0.3\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]
jetAudio\(Default) = "{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8}"
-> {HKLM...CLSID} = "JetFlExt"
\InProcServer32\(Default) = "C:\Program Files\JetAudio\JetFlExt.dll" ["JetAudio, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
jetAudio\(Default) = "{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8}"
-> {HKLM...CLSID} = "JetFlExt"
\InProcServer32\(Default) = "C:\Program Files\JetAudio\JetFlExt.dll" ["JetAudio, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"DisableRegistryTools" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|System|
Prevent access to registry editing tools}

HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\

"HomePage" = (REG_DWORD) hex:0x00000001
{User Configuration|Administrative Templates|Windows Components|Internet Explorer|
Disable changing home page settings}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Rafal\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"


Startup items in "Rafal" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\Rafal\Menu Start\Programy\Autostart
"SAM" -> shortcut to: "C:\Program Files\Skype\SAM\SAM.exe" [file not found]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 24
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}"
-> {HKLM...CLSID} = "MEGAUPLOADTOOLBAR"
\InProcServer32\(Default) = "C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL" ["MegaUpload"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{E0E899AB-F487-11D5-8D29-0050BA6940E3}" = "FlashGet"
-> {HKLM...CLSID} = "FlashGet"
\InProcServer32\(Default) = "C:\Program Files\FlashGet\fgiebar.dll" ["Amaze Soft"]
"{0D704FAD-66E9-4F0A-BFED-4F665770DDB3}" = (no title provided)
-> {HKLM...CLSID} = "&Tłumaczenie"
\InProcServer32\(Default) = "C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll" ["Techland"]
"{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}" = (no title provided)
-> {HKLM...CLSID} = "MEGAUPLOADTOOLBAR"
\InProcServer32\(Default) = "C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL" ["MegaUpload"]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

HKLM\Software\Classes\CLSID\{175556B1-4D91-4E9A-9C4B-D6888D5DEE6C}\(Default) = "&Ramka Tłumaczenia"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll" ["Techland"]

HKLM\Software\Classes\CLSID\{D553F157-2AB0-4B46-98D2-7BA7CA418491}\(Default) = "&Słownik Podręczny"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll" ["Techland"]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in 1.5.0_10"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_10"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll" ["Sun Microsystems, Inc."]

{B46B0919-62BA-4D99-A5C4-916B57A6805C}\
"MenuText" = "@C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll,-103"
"CLSIDExtension" = "{B46B0919-62BA-4D99-A5C4-916B57A6805C}"
-> {HKLM...CLSID} = "InternetTranslatorProperties Class"
\InProcServer32\(Default) = "C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll" ["Techland"]

{D6E814A0-E0C5-11D4-8D29-0050BA6940E3}\
"ButtonText" = "FlashGet"
"MenuText" = "FlashGet"
"Exec" = "C:\PROGRA~1\FlashGet\flashget.exe" ["FlashGet.com"]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."]
ewido anti-spyware 4.0 guard, ewido anti-spyware 4.0 guard, "C:\Program Files\ewido anti-spyware 4.0\guard.exe" ["Anti-Malware Development a.s."]
LightScribeService Direct Disc Labeling Service, LightScribeService, ""C:\Program Files\Common Files\LightScribe\LSSrvc.exe"" ["Hewlett-Packard Company"]
StarWind iSCSI Service, StarWindService, "C:\Program Files\Alcohol 120\StarWind\StarWindService.exe" ["Rocket Division Software"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Canon BJ Language Monitor i320\Driver = "CNMLM47.DLL" ["CANON INC."]


----------
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 69 seconds.
---------- (total run time: 131 seconds)

[Red]

Daj jeszcze log z :

http://www.techsupportforum.com/sectools/Deckard/comboscan.exe

[RufuS*]

ComboScan v20070306.20 run by Rafal on 2007-03-15 at 15:30:37
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2007-03-15 14:30:41 UTC - RP1 - Punkt kontrolny systemu


Performed disk cleanup.


-- HijackThis (run as Rafal.exe) -----------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 15:31:00, on 2007-03-15
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Mozilla Firefox 2\firefox.exe
C:\Program Files\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Konnekt\konnekt.exe
C:\Documents and Settings\Rafal\Pulpit\comboscan.exe
C:\PROGRA~1\HIJACK~1\Rafal.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.freewebportal.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = w3cache.stk.net.pl:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Flashget Catch Url Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: MEGAUPLOADTOOLBAR - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O3 - Toolbar: &Tłumaczenie - {0D704FAD-66E9-4F0A-BFED-4F665770DDB3} - C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll
O3 - Toolbar: MEGAUPLOADTOOLBAR - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O3 - Toolbar: (no name) - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [pbmini] "C:\Program Files\Telewizja Internetowa\PodcastbarMini\PodcastBarMiniStater.exe" -hide
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Startup: SAM.lnk = C:\Program Files\Skype\SAM\SAM.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Ściągnij przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &Ściągnij wszystko przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download Link Using Mega Manager... - C:\Program Files\Megaupload\Mega Manager\mm_file.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {B46B0919-62BA-4D99-A5C4-916B57A6805C} - C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll,-103 - {B46B0919-62BA-4D99-A5C4-916B57A6805C} - C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O16 - DPF: {92ECE6FA-AC2E-4042-BFAE-0C8608E52A43} (SignActivX Control) - https://www.bph.pl/sezam/components/SignActivX.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol 120\StarWind\StarWindService.exe


-- HijackThis Fixed Entries (C:\PROGRA~1\HIJACK~1\backups\) --------------------

backup-20060906-193019-318 O2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
backup-20061008-061706-354 O2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
backup-20061008-061706-795 O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
backup-20061010-171905-735 O4 - HKLM\..\RunServices: [MS Config] msdconfig.exe
backup-20061010-171905-776 O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
backup-20061010-171905-933 O2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
backup-20070315-084947-106 O4 - HKLM\..\Run: [lnwin.exe] C:\WINDOWS\system32\lnwin.exe
backup-20070315-084947-196 O15 - Trusted Zone: *.impregnable.net
backup-20070315-084947-395 O15 - Trusted Zone: *.torrentcommander.com
backup-20070315-084947-531 O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000271 (file missing)
backup-20070315-084947-541 O4 - HKLM\..\Run: [sysinter] C:\WINDOWS\system32\adirss.exe
backup-20070315-084947-769 O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{349ED~1\Bar888.dll
backup-20070315-084947-811 O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Dokumenty\Settings\winsys2f.dll (file missing)
backup-20070315-084947-929 O4 - HKCU\..\Run: [adirka] C:\WINDOWS\system32\adirka.exe
backup-20070315-084947-989 F3 - REG:win.ini: load=,c:\windows\system\svchctrl.exe

-- File Associations -----------------------------------------------------------

.bat - batfile - "%1" %*
.chm - chm.file - "C:\WINDOWS\hh.exe" %1
.cmd - cmdfile - "%1" %*
.com - comfile - "%1" %*
.exe - exefile - "%1" %*
.hlp - hlpfile - %SystemRoot%\System32\winhlp32.exe %1
.inf - inffile - %SystemRoot%\System32\NOTEPAD.EXE %1
.ini - inifile - %SystemRoot%\System32\NOTEPAD.EXE %1
.js - JSFile - %SystemRoot%\System32\WScript.exe "%1" %*
.lnk - lnkfile - {00021401-0000-0000-C000-000000000046}
.pif - piffile - "%1" %*
.reg - regfile - regedit.exe "%1"
.scr - scrfile - "%1" /S
.txt - txtfile - %SystemRoot%\system32\NOTEPAD.EXE %1
.vbs - VBSFile - %SystemRoot%\System32\WScript.exe "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

2R ACEDRV07 - C:\WINDOWS\system32\drivers\ACEDRV07.sys
3R ALCXWDM (Service for Avance AC97 Audio (WDM)) - C:\WINDOWS\system32\drivers\ALCXWDM.SYS
1R AmdK7 (Sterownik procesora AMD K7) - C:\WINDOWS\system32\drivers\amdk7.sys
3R ati2mtag - C:\WINDOWS\system32\drivers\ati2mtag.sys
3S dtscsi - C:\WINDOWS\system32\Drivers\dtscsi.sys (not found)
3R ElbyCDFL - C:\WINDOWS\system32\drivers\ElbyCDFL.sys
2R ElbyCDIO (ElbyCDIO Driver) - C:\WINDOWS\system32\drivers\ElbyCDIO.sys
1R ewido anti-spyware 4.0 driver - C:\Program Files\ewido anti-spyware 4.0\guard.sys
3S GMSIPCI - G:\INSTALL\GMSIPCI.SYS (not found)
3S hamachi (Hamachi Network Interface) - C:\WINDOWS\system32\drivers\hamachi.sys
3S HidUsb (Sterownik Microsoft klasy HID) - C:\WINDOWS\system32\drivers\hidusb.sys
3R HSFHWBS2 - C:\WINDOWS\system32\drivers\hsfbs2s2.sys
3R HSF_DP - C:\WINDOWS\system32\drivers\hsfdpsp2.sys
2R mdmxsdk - C:\WINDOWS\system32\drivers\mdmxsdk.sys
2S ntio256 (Input and output operations) - C:\WINDOWS\system32\ntio256.sys (not found)
2R NwlnkIpx (Protokół transportowy zgodny z NWLink IPX/SPX/NetBIOS) - C:\WINDOWS\system32\drivers\nwlnkipx.sys
2R NwlnkNb (System NetBIOS NWLink) - C:\WINDOWS\system32\drivers\nwlnknb.sys
2R NwlnkSpx (Protokół NWLink SPX/SPXII) - C:\WINDOWS\system32\drivers\nwlnkspx.sys
3S Pcouffin (Low level access layer for CD devices) - C:\WINDOWS\system32\Drivers\Pcouffin.sys (not found)
3S Pronaut_WBD (Pronaut WaveBridge Device (WDM)) - C:\WINDOWS\system32\drivers\pnwbd.sys
0R PxHelp20 - C:\WINDOWS\system32\drivers\PxHelp20.sys
3R rtl8139 (Sterownik NT karty Realtek RTL8139(A/B/C)-based PCI Fast Ethernet) - C:\WINDOWS\system32\drivers\rtl8139.sys
0R sfdrv01 (StarForce Protection Environment Driver (version 1.x)) - C:\WINDOWS\system32\drivers\sfdrv01.sys
0R sfhlp02 (StarForce Protection Helper Driver (version 2.x)) - C:\WINDOWS\system32\drivers\sfhlp02.sys
0R sfsync04 (StarForce Protection Synchronization Driver (version 4.x)) - C:\WINDOWS\system32\drivers\sfsync04.sys
0R sptd - C:\WINDOWS\system32\drivers\sptd.sys
1S SpyEmrg (Spy Emergency Driver) - C:\WINDOWS\system32\Drivers\spyemrg.sys (not found)
3S usbaudio (Sterownik audio USB (WDM)) - C:\WINDOWS\system32\drivers\USBAUDIO.sys
3S usbccgp (Rodzajowy sterownik nadrzędny USB Microsoft) - C:\WINDOWS\system32\drivers\usbccgp.sys
3S usbprint (Klasa PRINTER USB Microsoft) - C:\WINDOWS\system32\drivers\usbprint.sys
3S usbscan (Sterownik skanera USB) - C:\WINDOWS\system32\drivers\usbscan.sys
3S usbser (Motorola USB Modem Driver) - C:\WINDOWS\system32\drivers\usbser.sys
3S USBSTOR (Sterownik magazynu masowego USB) - C:\WINDOWS\system32\drivers\USBSTOR.SYS
3R vaxscsi - C:\WINDOWS\system32\drivers\vaxscsi.sys
0R viaagp (Filtr magistrali AGP VIA) - C:\WINDOWS\system32\drivers\viaagp.sys
2R WIBUKEY (WIBU-KEY Kernel Driver) - C:\WINDOWS\system32\drivers\Wibukey.sys
3R winachsf - C:\WINDOWS\system32\drivers\hsfcxts2.sys
2S wincom32 - C:\WINDOWS\system32\wincom32.sys (not found)
2S zntport (NTPort Library Driver) - C:\WINDOWS\system32\zntport.sys (not found)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

3S Adobe LM Service - "C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe"
3S aspnet_state (ASP.NET State Service) - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
2R Ati HotKey Poller - C:\WINDOWS\System32\Ati2evxx.exe
2S ATI Smart - C:\WINDOWS\system32\ati2sgag.exe
4S Client IP-IPX - "C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000271
2R ewido anti-spyware 4.0 guard - C:\Program Files\ewido anti-spyware 4.0\guard.exe
2R LightScribeService (LightScribeService Direct Disc Labeling Service) - "C:\Program Files\Common Files\LightScribe\LSSrvc.exe"
2R StarWindService (StarWind iSCSI Service) - C:\Program Files\Alcohol 120\StarWind\StarWindService.exe
2R UMWdf (Windows User Mode Driver Framework) - C:\WINDOWS\system32\wdfmgr.exe


-- Files created between 2007-02-15 and 2007-03-15 -----------------------------

2007-03-15 10:00:12 0 d-------- C:\Program Files\HyCam2
2007-03-15 07:42:52 7325 --a------ C:\WINDOWS\system32\lnwin.exe
2007-03-15 07:42:51 46592 --a------ C:\WINDOWS\system32\zlbw.dll
2007-03-15 07:42:51 7325 --a------ C:\WINDOWS\system32\dd.exe
2007-03-15 07:42:51 7325 --a------ C:\WINDOWS\system32\adirss.exe
2007-03-15 07:42:30 4608 --a------ C:\WINDOWS\system32\adirka.dll
2007-03-15 07:42:02 0 d-------- C:\Program Files\Common Files\{F49EDD30-05FD-1045-0710-020208080030}<{F49ED~1>
2007-03-15 07:31:12 0 d-------- C:\Program Files\ewido anti-spyware 4.0<EWIDOA~1.0>
2007-03-15 07:22:11 58525 --a------ C:\WINDOWS\system32\adirka.exe
2007-03-15 07:22:07 6813 --a------ C:\WINDOWS\system32\vexg4am1et2.exe<VEXG4A~1.EXE>
2007-03-15 07:22:05 23552 -r-hs---- C:\WINDOWS\system\svchostw.dll
2007-03-15 07:22:05 19456 -r-hs---- C:\WINDOWS\system\svchctrl.dll
2007-03-15 07:21:58 7699 --a------ C:\WINDOWS\system32\dlh9jkd1q7.exe<DL5EB3~1.EXE>
2007-03-15 07:21:58 7699 --a------ C:\WINDOWS\system32\dlh9jkd1q6.exe<DL5EB7~1.EXE>
2007-03-15 07:21:52 17 --a------ C:\WINDOWS\system32\dlh9jkd1q8.exe<DLH9JK~1.EXE>
2007-03-15 07:21:07 2560 --a------ C:\WINDOWS\system32\unsvchosts.exe<UNSVCH~1.EXE>
2007-03-15 07:21:07 36864 --a------ C:\WINDOWS\system32\svchosts.exe
2007-03-15 07:21:07 0 d-------- C:\Program Files\Common Files\{349EDD30-05FD-1045-0710-020208080030}<{349ED~1>
2007-03-07 11:17:34 0 d--h----- C:\WINDOWS\PIF
2007-03-06 21:10:07 0 d-------- C:\ppmaterecord<PPMATE~1>
2007-03-06 19:36:10 0 d-------- C:\Program Files\21CN
2007-03-04 10:06:00 573440 --a------ C:\WINDOWS\system32\pcast.dll
2007-03-04 10:01:06 0 d-------- C:\Program Files\Common Files\Synacast
2007-03-04 09:45:34 0 d-------- C:\Program Files\Telewizja Internetowa<TELEWI~1>
2007-03-04 09:45:23 0 d-------- C:\Program Files\Nowy folder<NOWYFO~1>
2007-02-25 16:12:21 0 d-------- C:\Program Files\Common Files\Skype


-- Find3M Report ---------------------------------------------------------------

2007-03-15 15:31:00 0 d-------- C:\Program Files\FlashGet
2007-03-15 09:46:33 41984 --a------ C:\WINDOWS\system32\mswsock.dll
2007-03-15 09:45:35 41984 --a------ C:\WINDOWS\system32\mswsock.bak2<MSWSOC~3.BAK>
2007-03-15 09:45:11 41984 --a------ C:\WINDOWS\system32\mswsock.bak1<MSWSOC~2.BAK>
2007-03-15 08:23:06 0 d-------- C:\Documents and Settings\Rafal\Dane aplikacji\OpenOffice.ux.pl2<OPENOF~1.PL2>
2007-03-15 07:21:59 0 --a------ C:\Documents and Settings\Rafal\Dane aplikacji\Install.dat
2007-03-14 21:10:11 0 d-------- C:\Documents and Settings\Rafal\Dane aplikacji\Skype
2007-03-14 08:06:20 0 d-------- C:\Program Files\English Translator XT<ENGLIS~1>
2007-03-14 07:01:27 0 d-------- C:\Documents and Settings\Rafal\Dane aplikacji\The Bat!<THEBAT~1>
2007-03-13 21:31:14 0 d-------- C:\Documents and Settings\Rafal\Dane aplikacji\foobar2000<FOOBAR~1>
2007-03-13 07:15:24 0 d-------- C:\Program Files\Mozilla Firefox 2<MOZILL~2>
2007-03-10 09:10:39 0 d-------- C:\Program Files\foobar2000<FOOBAR~1>
2007-03-09 17:03:10 0 d-------- C:\Program Files\DAEMON Tools<DAEMON~1>
2007-03-09 16:53:27 0 d-------- C:\Program Files\Common Files\Ahead
2007-03-07 10:24:07 0 d-------- C:\Program Files\Skype
2007-03-07 10:17:36 0 d-------- C:\Documents and Settings\Rafal\Dane aplikacji\SAM
2007-03-06 21:07:57 0 d-------- C:\Documents and Settings\Rafal\Dane aplikacji\PPMate
2007-03-06 19:36:29 0 d-------- C:\Documents and Settings\Rafal\Dane aplikacji\ppStream
2007-03-04 10:01:33 0 d-------- C:\Documents and Settings\Rafal\Dane aplikacji\PPLive
2007-03-04 09:59:22 0 d-------- C:\Documents and Settings\Rafal\Dane aplikacji\SopCast
2007-02-20 21:11:01 0 d-------- C:\Program Files\SubEdit-Player<SUBEDI~1>
2007-02-14 09:09:01 0 d--h----- C:\Program Files\InstallShield Installation Information<INSTAL~1>
2007-02-14 06:59:50 0 d-------- C:\Program Files\NAPI-PROJEKT<NAPI-P~1>
2007-02-13 17:58:32 0 d-------- C:\Documents and Settings\Rafal\Dane aplikacji\Azureus
2007-02-13 08:13:04 0 d-------- C:\Program Files\mobile PhoneTools<MOBILE~1>
2007-02-09 18:01:46 0 d-------- C:\Program Files\Mozilla Firefox<MOZILL~1>
2007-02-09 13:56:10 0 d-------- C:\Program Files\Gadu-Gadu<GADU-G~1>
2007-02-09 13:53:21 0 d-------- C:\Program Files\Partition Manager<PARTIT~1>
2007-02-09 13:50:51 0 d-------- C:\Program Files\Smarty Uninstaller Pro<SMARTY~1>
2007-02-09 10:59:52 0 d-------- C:\Program Files\JetAudio
2007-02-09 10:59:51 0 d-------- C:\Documents and Settings\Rafal\Dane aplikacji\COWON
2007-02-07 18:05:36 1667 --a------ C:\WINDOWS\unins000.dat
2007-02-07 18:04:25 0 d-------- C:\Program Files\WhatPulse<WHATPU~1>
2007-02-07 14:47:26 0 d-------- C:\Program Files\Common Files\COWON
2007-02-06 17:35:16 0 d-------- C:\Program Files\Pajaczek 5 NxG Standard<PAJACZ~1>
2007-02-03 16:10:38 0 d-------- C:\Program Files\Screamer Radio<SCREAM~1>
2007-01-29 07:44:28 314 --a------ C:\WINDOWS\LOGOKOM.REG
2007-01-29 07:44:00 0 d-------- C:\Program Files\LOGOKOM
2007-01-23 15:46:51 0 d-------- C:\Program Files\Java
2007-01-17 14:14:05 0 d-------- C:\Program Files\DevalVR
2007-01-07 21:38:20 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat


-- Registry Dump ---------------------------------------------------------------


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\Lib\\NMBgMonitor.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"SoundMan"="SOUNDMAN.EXE"
"NeroFilterCheck"="C:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe"
"WatchDog"="C:\\Program Files\\mobile PhoneTools\\WatchDog.exe"
"pbmini"="\"C:\\Program Files\\Telewizja Internetowa\\PodcastbarMini\\PodcastBarMiniStater.exe\" -hide"
"DAEMON Tools"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CloneCDTray"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\CloneCD\\CloneCDTray.exe\" /s"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MS Config]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msdconfig"
"hkey"="HKLM"
"command"="msdconfig.exe"
"inimapping"="0"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"MS Config"="msdconfig.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"MS Config"="msdconfig.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
"{F49EDD30-05FD-1045-0710-020208080030}"="\"C:\\Program Files\\Common Files\\{F49EDD30-05FD-1045-0710-020208080030}\\Update.exe\" te-110-12-0000271"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\Run]
"{F49EDD30-05FD-1045-0710-020208080030}"="\"C:\\Program Files\\Common Files\\{F49EDD30-05FD-1045-0710-020208080030}\\Update.exe\" te-110-12-0000271"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer\Run]
"{F49EDD30-05FD-1045-0710-020208080030}"="\"C:\\Program Files\\Common Files\\{F49EDD30-05FD-1045-0710-020208080030}\\Update.exe\" te-110-12-0000271"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0



-- Hosts -----------------------------------------------------------------------

127.0.0.1 update.111222.cn


-- End of ComboScan: finished at 2007-03-15 at 15:31:28 ------------------------

[wojtas]

Pobierz i uruchom narzędzie : The Avenger
http://swandog46.geekstogo.com/avenger.zip
Zaznacz opcję Input script manually i kliknij na Lupkę z prawej strony. W okienku, które się otworzy wklejasz:

Files to delete:

C:\WINDOWS\system32\lnwin.exe
C:\WINDOWS\system32\zlbw.dll
C:\WINDOWS\system32\dd.exe
C:\WINDOWS\system32\adirss.exe
C:\WINDOWS\system32\adirka.dll
C:\WINDOWS\system32\adirka.exe
C:\WINDOWS\system32\vexg4am1et2.exe
C:\WINDOWS\system\svchostw.dll
C:\WINDOWS\system\svchctrl.dll
C:\WINDOWS\system32\dlh9jkd1q7.exe
C:\WINDOWS\system32\dlh9jkd1q6.exe
C:\WINDOWS\system32\dlh9jkd1q8.exe
C:\WINDOWS\system32\unsvchosts.exe
C:\WINDOWS\system32\svchosts.exe


Folders to delete:

C:\Program Files\Common Files\{F49EDD30-05FD-1045-0710-020208080030}
C:\Program Files\Common Files\{349EDD30-05FD-1045-0710-020208080030}
C:\Program Files\21CN

Klikasz Done, a następnie zielone światełko i zgadzasz się na restart klikając OK.

wklej do notatnika:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
"{F49EDD30-05FD-1045-0710-020208080030}"=-

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer\Run]
"{F49EDD30-05FD-1045-0710-020208080030}"=-

w notatniku u góry>>>plik zapisz jako>>>Zmien rozszerzenie z TXT na Wszystkie pliki *.* >>> Zapisz pod nazwą FIX.REG

Klikasz dwa razy na powstały plik fix i dodajesz go do rejestru....



Kasujesz ręcznie z dysku plik: C:\Avenger\backup.zip i wklejasz na forum raport: C:\avenger.txt + comboscan

[RufuS*]

Zrobione, oto nowy log z combo i log z avangera po usunieciu

ComboScan v20070306.20 run by Rafal on 2007-03-15 at 16:02:46
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Rafal.exe) -----------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 16:02:50, on 2007-03-15
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Rafal\Pulpit\comboscan.exe
C:\PROGRA~1\HIJACK~1\Rafal.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.freewebportal.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = w3cache.stk.net.pl:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Flashget Catch Url Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: MEGAUPLOADTOOLBAR - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O3 - Toolbar: &Tłumaczenie - {0D704FAD-66E9-4F0A-BFED-4F665770DDB3} - C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll
O3 - Toolbar: MEGAUPLOADTOOLBAR - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O3 - Toolbar: (no name) - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [pbmini] "C:\Program Files\Telewizja Internetowa\PodcastbarMini\PodcastBarMiniStater.exe" -hide
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Startup: SAM.lnk = C:\Program Files\Skype\SAM\SAM.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Ściągnij przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &Ściągnij wszystko przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download Link Using Mega Manager... - C:\Program Files\Megaupload\Mega Manager\mm_file.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {B46B0919-62BA-4D99-A5C4-916B57A6805C} - C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll,-103 - {B46B0919-62BA-4D99-A5C4-916B57A6805C} - C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O16 - DPF: {92ECE6FA-AC2E-4042-BFAE-0C8608E52A43} (SignActivX Control) - https://www.bph.pl/sezam/components/SignActivX.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol 120\StarWind\StarWindService.exe


-- Files created between 2007-02-15 and 2007-03-15 -----------------------------

2007-03-15 15:57:29 0 d-------- C:\avenger
2007-03-15 10:00:12 0 d-------- C:\Program Files\HyCam2
2007-03-15 07:31:12 0 d-------- C:\Program Files\ewido anti-spyware 4.0<EWIDOA~1.0>
2007-03-15 07:21:07 2560 --a------ C:\WINDOWS\system32\unsvchosts.exe<UNSVCH~1.EXE>
2007-03-15 07:21:07 36864 --a------ C:\WINDOWS\system32\svchosts.exe
2007-03-07 11:17:34 0 d--h----- C:\WINDOWS\PIF
2007-03-06 21:10:07 0 d-------- C:\ppmaterecord<PPMATE~1>
2007-03-04 10:06:00 573440 --a------ C:\WINDOWS\system32\pcast.dll
2007-03-04 10:01:06 0 d-------- C:\Program Files\Common Files\Synacast
2007-03-04 09:45:34 0 d-------- C:\Program Files\Telewizja Internetowa<TELEWI~1>
2007-03-04 09:45:23 0 d-------- C:\Program Files\Nowy folder<NOWYFO~1>
2007-02-25 16:12:21 0 d-------- C:\Program Files\Common Files\Skype


-- Find3M Report ---------------------------------------------------------------

2007-03-15 15:59:58 0 d-------- C:\Program Files\FlashGet
2007-03-15 15:45:26 41984 --a------ C:\WINDOWS\system32\mswsock.dll
2007-03-15 15:42:25 41984 --a------ C:\WINDOWS\system32\mswsock.bak2<MSWSOC~3.BAK>
2007-03-15 15:41:57 41984 --a------ C:\WINDOWS\system32\mswsock.bak1<MSWSOC~2.BAK>
2007-03-15 15:35:24 0 d-------- C:\Documents and Settings\Rafal\Dane aplikacji\The Bat!<THEBAT~1>
2007-03-15 08:23:06 0 d-------- C:\Documents and Settings\Rafal\Dane aplikacji\OpenOffice.ux.pl2<OPENOF~1.PL2>
2007-03-15 07:21:59 0 --a------ C:\Documents and Settings\Rafal\Dane aplikacji\Install.dat
2007-03-14 21:10:11 0 d-------- C:\Documents and Settings\Rafal\Dane aplikacji\Skype
2007-03-14 08:06:20 0 d-------- C:\Program Files\English Translator XT<ENGLIS~1>
2007-03-13 21:31:14 0 d-------- C:\Documents and Settings\Rafal\Dane aplikacji\foobar2000<FOOBAR~1>
2007-03-13 07:15:24 0 d-------- C:\Program Files\Mozilla Firefox 2<MOZILL~2>
2007-03-10 09:10:39 0 d-------- C:\Program Files\foobar2000<FOOBAR~1>
2007-03-09 17:03:10 0 d-------- C:\Program Files\DAEMON Tools<DAEMON~1>
2007-03-09 16:53:27 0 d-------- C:\Program Files\Common Files\Ahead
2007-03-07 10:24:07 0 d-------- C:\Program Files\Skype
2007-03-07 10:17:36 0 d-------- C:\Documents and Settings\Rafal\Dane aplikacji\SAM
2007-03-06 21:07:57 0 d-------- C:\Documents and Settings\Rafal\Dane aplikacji\PPMate
2007-03-06 19:36:29 0 d-------- C:\Documents and Settings\Rafal\Dane aplikacji\ppStream
2007-03-04 10:01:33 0 d-------- C:\Documents and Settings\Rafal\Dane aplikacji\PPLive
2007-03-04 09:59:22 0 d-------- C:\Documents and Settings\Rafal\Dane aplikacji\SopCast
2007-02-20 21:11:01 0 d-------- C:\Program Files\SubEdit-Player<SUBEDI~1>
2007-02-14 09:09:01 0 d--h----- C:\Program Files\InstallShield Installation Information<INSTAL~1>
2007-02-14 06:59:50 0 d-------- C:\Program Files\NAPI-PROJEKT<NAPI-P~1>
2007-02-13 17:58:32 0 d-------- C:\Documents and Settings\Rafal\Dane aplikacji\Azureus
2007-02-13 08:13:04 0 d-------- C:\Program Files\mobile PhoneTools<MOBILE~1>
2007-02-09 18:01:46 0 d-------- C:\Program Files\Mozilla Firefox<MOZILL~1>
2007-02-09 13:56:10 0 d-------- C:\Program Files\Gadu-Gadu<GADU-G~1>
2007-02-09 13:53:21 0 d-------- C:\Program Files\Partition Manager<PARTIT~1>
2007-02-09 13:50:51 0 d-------- C:\Program Files\Smarty Uninstaller Pro<SMARTY~1>
2007-02-09 10:59:52 0 d-------- C:\Program Files\JetAudio
2007-02-09 10:59:51 0 d-------- C:\Documents and Settings\Rafal\Dane aplikacji\COWON
2007-02-07 18:05:36 1667 --a------ C:\WINDOWS\unins000.dat
2007-02-07 18:04:25 0 d-------- C:\Program Files\WhatPulse<WHATPU~1>
2007-02-07 14:47:26 0 d-------- C:\Program Files\Common Files\COWON
2007-02-06 17:35:16 0 d-------- C:\Program Files\Pajaczek 5 NxG Standard<PAJACZ~1>
2007-02-03 16:10:38 0 d-------- C:\Program Files\Screamer Radio<SCREAM~1>
2007-01-29 07:44:28 314 --a------ C:\WINDOWS\LOGOKOM.REG
2007-01-29 07:44:00 0 d-------- C:\Program Files\LOGOKOM
2007-01-23 15:46:51 0 d-------- C:\Program Files\Java
2007-01-17 14:14:05 0 d-------- C:\Program Files\DevalVR
2007-01-07 21:38:20 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat


-- Registry Dump ---------------------------------------------------------------


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\Lib\\NMBgMonitor.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"SoundMan"="SOUNDMAN.EXE"
"NeroFilterCheck"="C:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe"
"WatchDog"="C:\\Program Files\\mobile PhoneTools\\WatchDog.exe"
"pbmini"="\"C:\\Program Files\\Telewizja Internetowa\\PodcastbarMini\\PodcastBarMiniStater.exe\" -hide"
"DAEMON Tools"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CloneCDTray"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\CloneCD\\CloneCDTray.exe\" /s"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MS Config]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msdconfig"
"hkey"="HKLM"
"command"="msdconfig.exe"
"inimapping"="0"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"MS Config"="msdconfig.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"MS Config"="msdconfig.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0



-- End of ComboScan: finished at 2007-03-15 at 16:03:23 ------------------------

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\dccvheta

*******************

Script file located at: \??\C:\Documents and Settings\crpqjocf.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\lnwin.exe deleted successfully.
File C:\WINDOWS\system32\zlbw.dll deleted successfully.
File C:\WINDOWS\system32\dd.exe deleted successfully.
File C:\WINDOWS\system32\adirss.exe deleted successfully.
File C:\WINDOWS\system32\adirka.dll deleted successfully.
File C:\WINDOWS\system32\adirka.exe deleted successfully.
File C:\WINDOWS\system32\vexg4am1et2.exe deleted successfully.
File C:\WINDOWS\system\svchostw.dll deleted successfully.
File C:\WINDOWS\system\svchctrl.dll deleted successfully.
File C:\WINDOWS\system32\dlh9jkd1q7.exe deleted successfully.
File C:\WINDOWS\system32\dlh9jkd1q6.exe deleted successfully.
File C:\WINDOWS\system32\dlh9jkd1q8.exe deleted successfully.


Could not open file C:\WINDOWS\system32\unsvchosts.exe C:\WINDOWS\system32\svchosts.exe for deletion
Deletion of file C:\WINDOWS\system32\unsvchosts.exe C:\WINDOWS\system32\svchosts.exe failed!

Could not process line:
C:\WINDOWS\system32\unsvchosts.exe C:\WINDOWS\system32\svchosts.exe
Status: 0xc0000033

Folder C:\Program Files\Common Files\{F49EDD30-05FD-1045-0710-020208080030} deleted successfully.
Folder C:\Program Files\Common Files\{349EDD30-05FD-1045-0710-020208080030} deleted successfully.
Folder C:\Program Files\21CN deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

[ Dodano: Dzisiaj o 18:12 ]
Chcialbym jeszcze dodac ze błędy nadal wyskakuja
Bardzo prosze o pomoc

[wojtas]

Użyj WWDC :
http://www.firewallleaktester.com/wwdc.htm
Zmień opcje z disable na enable. Uruchom ponownie komputer.
Tak powinny wyglądać porty (NetBIOS może być żółty) :
http://www.firewallleaktester.com/images_site/wwdc.jpg


Poszukaj pliku

C:\WINDOWS\system32\msdconfig.exe

jesli znajdziesz to go usun:

otworz notatnik wklej w nim:

Windows Registry Editor Version 5.00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MS Config"=-

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"MS Config"=-

sciagnij killbox`a:

http://www.wiruskill.pl/forum/viewtopic.php?t=58

Odpalasz Killboxa zaznacz opcję Delete on Reboot oraz All files następnie w polu Full Path of File to Delete wklej ścieżki :

C:\WINDOWS\system32\unsvchosts.exe

oraz

C:\WINDOWS\system32\svchosts.exe

i nacisnij x
Program będzie pytał o restart (oczywiście zgadzasz się)


potem nowy log z comboscana

[RufuS*]

Ciagle wyskakuje te uciazliwy blad ze wsytapil blad z aplikacja Explorer.EXE... wydaje mi sie ze wszystko robie dobrze...
nowy log:

ComboScan v20070306.20 run by Rafal on 2007-03-15 at 19:17:17
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Rafal.exe) -----------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 19:17:25, on 2007-03-15
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Rafal\Pulpit\comboscan.exe
C:\PROGRA~1\HIJACK~1\Rafal.exe
C:\Program Files\Mozilla Firefox 2\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.freewebportal.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = w3cache.stk.net.pl:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Flashget Catch Url Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: MEGAUPLOADTOOLBAR - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O3 - Toolbar: &Tłumaczenie - {0D704FAD-66E9-4F0A-BFED-4F665770DDB3} - C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll
O3 - Toolbar: MEGAUPLOADTOOLBAR - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O3 - Toolbar: (no name) - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [pbmini] "C:\Program Files\Telewizja Internetowa\PodcastbarMini\PodcastBarMiniStater.exe" -hide
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Startup: SAM.lnk = C:\Program Files\Skype\SAM\SAM.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Ściągnij przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &Ściągnij wszystko przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download Link Using Mega Manager... - C:\Program Files\Megaupload\Mega Manager\mm_file.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {B46B0919-62BA-4D99-A5C4-916B57A6805C} - C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll,-103 - {B46B0919-62BA-4D99-A5C4-916B57A6805C} - C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O16 - DPF: {92ECE6FA-AC2E-4042-BFAE-0C8608E52A43} (SignActivX Control) - https://www.bph.pl/sezam/components/SignActivX.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol 120\StarWind\StarWindService.exe


-- Files created between 2007-02-15 and 2007-03-15 -----------------------------

2007-03-15 19:14:34 0 d-------- C:\!KillBox
2007-03-15 16:41:02 0 d-------- C:\Program Files\Mp3 My Mp3 2.0<MP3MYM~1.0>
2007-03-15 16:14:22 53248 --a------ C:\Program Files\UnHyCam2.exe
2007-03-15 16:14:22 57344 --a------ C:\Program Files\MClick2.dll
2007-03-15 16:14:22 927320 --a------ C:\Program Files\HyCam2.exe
2007-03-15 16:14:22 65536 --a------ C:\Program Files\CamRes2.dll
2007-03-15 15:57:29 0 d-------- C:\avenger
2007-03-15 10:00:12 0 d-------- C:\Program Files\HyCam2
2007-03-15 07:31:12 0 d-------- C:\Program Files\ewido anti-spyware 4.0<EWIDOA~1.0>
2007-03-07 11:17:34 0 d--h----- C:\WINDOWS\PIF
2007-03-06 21:10:07 0 d-------- C:\ppmaterecord<PPMATE~1>
2007-03-04 10:06:00 573440 --a------ C:\WINDOWS\system32\pcast.dll
2007-03-04 10:01:06 0 d-------- C:\Program Files\Common Files\Synacast
2007-03-04 09:45:34 0 d-------- C:\Program Files\Telewizja Internetowa<TELEWI~1>
2007-03-04 09:45:23 0 d-------- C:\Program Files\Nowy folder<NOWYFO~1>
2007-02-25 16:12:21 0 d-------- C:\Program Files\Common Files\Skype


-- Find3M Report ---------------------------------------------------------------

2007-03-15 19:16:47 0 d-------- C:\Program Files\FlashGet
2007-03-15 18:20:07 0 d-------- C:\Documents and Settings\Rafal\Dane aplikacji\foobar2000<FOOBAR~1>
2007-03-15 16:48:05 41984 --a------ C:\WINDOWS\system32\mswsock.dll
2007-03-15 16:17:29 41984 --a------ C:\WINDOWS\system32\mswsock.bak2<MSWSOC~3.BAK>
2007-03-15 16:17:04 41984 --a------ C:\WINDOWS\system32\mswsock.bak1<MSWSOC~2.BAK>
2007-03-15 15:35:24 0 d-------- C:\Documents and Settings\Rafal\Dane aplikacji\The Bat!<THEBAT~1>
2007-03-15 08:23:06 0 d-------- C:\Documents and Settings\Rafal\Dane aplikacji\OpenOffice.ux.pl2<OPENOF~1.PL2>
2007-03-15 07:21:59 0 --a------ C:\Documents and Settings\Rafal\Dane aplikacji\Install.dat
2007-03-14 21:10:11 0 d-------- C:\Documents and Settings\Rafal\Dane aplikacji\Skype
2007-03-14 08:06:20 0 d-------- C:\Program Files\English Translator XT<ENGLIS~1>
2007-03-13 07:15:24 0 d-------- C:\Program Files\Mozilla Firefox 2<MOZILL~2>
2007-03-10 09:10:39 0 d-------- C:\Program Files\foobar2000<FOOBAR~1>
2007-03-09 17:03:10 0 d-------- C:\Program Files\DAEMON Tools<DAEMON~1>
2007-03-09 16:53:27 0 d-------- C:\Program Files\Common Files\Ahead
2007-03-07 10:24:07 0 d-------- C:\Program Files\Skype
2007-03-07 10:17:36 0 d-------- C:\Documents and Settings\Rafal\Dane aplikacji\SAM
2007-03-06 21:07:57 0 d-------- C:\Documents and Settings\Rafal\Dane aplikacji\PPMate
2007-03-06 19:36:29 0 d-------- C:\Documents and Settings\Rafal\Dane aplikacji\ppStream
2007-03-04 10:01:33 0 d-------- C:\Documents and Settings\Rafal\Dane aplikacji\PPLive
2007-03-04 09:59:22 0 d-------- C:\Documents and Settings\Rafal\Dane aplikacji\SopCast
2007-02-20 21:11:01 0 d-------- C:\Program Files\SubEdit-Player<SUBEDI~1>
2007-02-14 09:09:01 0 d--h----- C:\Program Files\InstallShield Installation Information<INSTAL~1>
2007-02-14 06:59:50 0 d-------- C:\Program Files\NAPI-PROJEKT<NAPI-P~1>
2007-02-13 17:58:32 0 d-------- C:\Documents and Settings\Rafal\Dane aplikacji\Azureus
2007-02-13 08:13:04 0 d-------- C:\Program Files\mobile PhoneTools<MOBILE~1>
2007-02-09 18:01:46 0 d-------- C:\Program Files\Mozilla Firefox<MOZILL~1>
2007-02-09 13:56:10 0 d-------- C:\Program Files\Gadu-Gadu<GADU-G~1>
2007-02-09 13:53:21 0 d-------- C:\Program Files\Partition Manager<PARTIT~1>
2007-02-09 13:50:51 0 d-------- C:\Program Files\Smarty Uninstaller Pro<SMARTY~1>
2007-02-09 10:59:52 0 d-------- C:\Program Files\JetAudio
2007-02-09 10:59:51 0 d-------- C:\Documents and Settings\Rafal\Dane aplikacji\COWON
2007-02-07 18:05:36 1667 --a------ C:\WINDOWS\unins000.dat
2007-02-07 18:04:25 0 d-------- C:\Program Files\WhatPulse<WHATPU~1>
2007-02-07 14:47:26 0 d-------- C:\Program Files\Common Files\COWON
2007-02-06 17:35:16 0 d-------- C:\Program Files\Pajaczek 5 NxG Standard<PAJACZ~1>
2007-02-03 16:10:38 0 d-------- C:\Program Files\Screamer Radio<SCREAM~1>
2007-01-29 07:44:28 314 --a------ C:\WINDOWS\LOGOKOM.REG
2007-01-29 07:44:00 0 d-------- C:\Program Files\LOGOKOM
2007-01-23 15:46:51 0 d-------- C:\Program Files\Java
2007-01-17 14:14:05 0 d-------- C:\Program Files\DevalVR
2007-01-09 11:37:29 131840 --a------ C:\Program Files\HyCam2.chm
2007-01-07 21:38:20 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat


-- Registry Dump ---------------------------------------------------------------


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\Lib\\NMBgMonitor.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"SoundMan"="SOUNDMAN.EXE"
"NeroFilterCheck"="C:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe"
"WatchDog"="C:\\Program Files\\mobile PhoneTools\\WatchDog.exe"
"pbmini"="\"C:\\Program Files\\Telewizja Internetowa\\PodcastbarMini\\PodcastBarMiniStater.exe\" -hide"
"DAEMON Tools"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CloneCDTray"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\CloneCD\\CloneCDTray.exe\" /s"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MS Config]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msdconfig"
"hkey"="HKLM"
"command"="msdconfig.exe"
"inimapping"="0"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0



-- End of ComboScan: finished at 2007-03-15 at 19:17:59 ------------------------

[wojtas]

skasuj:

C:\!KillBox

wklej do notatniaka:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MS Config]
"command"=-

w notatniku u góry>>>plik zapisz jako>>>Zmien rozszerzenie z TXT na Wszystkie pliki *.* >>> Zapisz pod nazwą FIX.REG

Klikasz dwa razy na powstały plik fix i dodajesz go do rejestru....



najpierw przeskanuj www.ewido.com >> wywal wszystko co znajdzie
później odpal SmitfraudFix z opcji 2

http://siri.urz.free.fr/Fix/SmitfraudFix.php
opis >>

http://forum.programosy.pl/trudne-przypadki-i-metody-usuwania-vt41947.html

potem comboscan

czy masz WWDC?

[RufuS*]

czy masz WWDC?

tak mam


ok juz skanuje...

[ Dodano: Dzisiaj o 20:20 ]
aha jeszcze jedno, czy jak ewido juz przeskanuje to co wykryje mam Delete'ować czy do kwarantanny dodac?

[wojtas]

to co wykryje mam Delete'ować

[RufuS*]

zaraz mnie cos wezmie...
robie wszystko dokladnie tak jak piszesz i ciagle to samo

tutaj raport po zeskanowaniu SmitfraudFix

SmitFraudFix v2.148

Scan done at 20:43:29,64, 2007-03-15
Run from C:\Documents and Settings\Rafal\Pulpit\SmitfraudFix
OS: Microsoft Windows XP [Wersja 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts



127.0.0.1 localhost

127.0.0.1 update.111222.cn

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

ponownie comboscan

ComboScan v20070306.20 run by Rafal on 2007-03-15 at 20:50:37
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Rafal.exe) -----------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 20:50:40, on 2007-03-15
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox 2\firefox.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Rafal\Pulpit\comboscan.exe
C:\PROGRA~1\HIJACK~1\Rafal.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = w3cache.stk.net.pl:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Flashget Catch Url Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: MEGAUPLOADTOOLBAR - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O3 - Toolbar: &Tłumaczenie - {0D704FAD-66E9-4F0A-BFED-4F665770DDB3} - C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll
O3 - Toolbar: MEGAUPLOADTOOLBAR - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O3 - Toolbar: (no name) - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [pbmini] "C:\Program Files\Telewizja Internetowa\PodcastbarMini\PodcastBarMiniStater.exe" -hide
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Startup: SAM.lnk = C:\Program Files\Skype\SAM\SAM.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Ściągnij przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &Ściągnij wszystko przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download Link Using Mega Manager... - C:\Program Files\Megaupload\Mega Manager\mm_file.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {B46B0919-62BA-4D99-A5C4-916B57A6805C} - C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll,-103 - {B46B0919-62BA-4D99-A5C4-916B57A6805C} - C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O16 - DPF: {92ECE6FA-AC2E-4042-BFAE-0C8608E52A43} (SignActivX Control) - https://www.bph.pl/sezam/components/SignActivX.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol 120\StarWind\StarWindService.exe


-- Files created between 2007-02-15 and 2007-03-15 -----------------------------

2007-03-15 20:48:52 0 d-------- C:\!KillBox
2007-03-15 20:36:35 1280 --a------ C:\WINDOWS\system32\tmp.reg
2007-03-15 20:06:05 3968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-03-15 20:05:59 0 d-------- C:\Program Files\Grisoft
2007-03-15 16:41:02 0 d-------- C:\Program Files\Mp3 My Mp3 2.0<MP3MYM~1.0>
2007-03-15 16:14:22 53248 --a------ C:\Program Files\UnHyCam2.exe
2007-03-15 16:14:22 57344 --a------ C:\Program Files\MClick2.dll
2007-03-15 16:14:22 927320 --a------ C:\Program Files\HyCam2.exe
2007-03-15 16:14:22 65536 --a------ C:\Program Files\CamRes2.dll
2007-03-15 15:57:29 0 d-------- C:\avenger
2007-03-15 10:00:12 0 d-------- C:\Program Files\HyCam2
2007-03-07 11:17:34 0 d--h----- C:\WINDOWS\PIF
2007-03-06 21:10:07 0 d-------- C:\ppmaterecord<PPMATE~1>
2007-03-04 10:06:00 573440 --a------ C:\WINDOWS\system32\pcast.dll
2007-03-04 10:01:06 0 d-------- C:\Program Files\Common Files\Synacast
2007-03-04 09:45:34 0 d-------- C:\Program Files\Telewizja Internetowa<TELEWI~1>
2007-03-04 09:45:23 0 d-------- C:\Program Files\Nowy folder<NOWYFO~1>
2007-02-25 16:12:21 0 d-------- C:\Program Files\Common Files\Skype


-- Find3M Report ---------------------------------------------------------------

2007-03-15 20:49:18 0 d-------- C:\Program Files\FlashGet
2007-03-15 20:33:23 0 d-------- C:\Program Files\DAEMON Tools<DAEMON~1>
2007-03-15 20:23:06 42496 --a------ C:\WINDOWS\system32\mswsock.dll
2007-03-15 19:40:47 0 d-------- C:\Documents and Settings\Rafal\Dane aplikacji\foobar2000<FOOBAR~1>
2007-03-15 16:17:29 41984 --a------ C:\WINDOWS\system32\mswsock.bak2<MSWSOC~3.BAK>
2007-03-15 15:35:24 0 d-------- C:\Documents and Settings\Rafal\Dane aplikacji\The Bat!<THEBAT~1>
2007-03-15 08:23:06 0 d-------- C:\Documents and Settings\Rafal\Dane aplikacji\OpenOffice.ux.pl2<OPENOF~1.PL2>
2007-03-15 07:21:59 0 --a------ C:\Documents and Settings\Rafal\Dane aplikacji\Install.dat
2007-03-14 21:10:11 0 d-------- C:\Documents and Settings\Rafal\Dane aplikacji\Skype
2007-03-14 08:06:20 0 d-------- C:\Program Files\English Translator XT<ENGLIS~1>
2007-03-13 07:15:24 0 d-------- C:\Program Files\Mozilla Firefox 2<MOZILL~2>
2007-03-10 09:10:39 0 d-------- C:\Program Files\foobar2000<FOOBAR~1>
2007-03-09 16:53:27 0 d-------- C:\Program Files\Common Files\Ahead
2007-03-07 10:24:07 0 d-------- C:\Program Files\Skype
2007-03-07 10:17:36 0 d-------- C:\Documents and Settings\Rafal\Dane aplikacji\SAM
2007-03-06 21:07:57 0 d-------- C:\Documents and Settings\Rafal\Dane aplikacji\PPMate
2007-03-06 19:36:29 0 d-------- C:\Documents and Settings\Rafal\Dane aplikacji\ppStream
2007-03-04 10:01:33 0 d-------- C:\Documents and Settings\Rafal\Dane aplikacji\PPLive
2007-03-04 09:59:22 0 d-------- C:\Documents and Settings\Rafal\Dane aplikacji\SopCast
2007-02-20 21:11:01 0 d-------- C:\Program Files\SubEdit-Player<SUBEDI~1>
2007-02-14 09:09:01 0 d--h----- C:\Program Files\InstallShield Installation Information<INSTAL~1>
2007-02-14 06:59:50 0 d-------- C:\Program Files\NAPI-PROJEKT<NAPI-P~1>
2007-02-13 17:58:32 0 d-------- C:\Documents and Settings\Rafal\Dane aplikacji\Azureus
2007-02-13 08:13:04 0 d-------- C:\Program Files\mobile PhoneTools<MOBILE~1>
2007-02-09 18:01:46 0 d-------- C:\Program Files\Mozilla Firefox<MOZILL~1>
2007-02-09 13:56:10 0 d-------- C:\Program Files\Gadu-Gadu<GADU-G~1>
2007-02-09 13:53:21 0 d-------- C:\Program Files\Partition Manager<PARTIT~1>
2007-02-09 13:50:51 0 d-------- C:\Program Files\Smarty Uninstaller Pro<SMARTY~1>
2007-02-09 10:59:52 0 d-------- C:\Program Files\JetAudio
2007-02-09 10:59:51 0 d-------- C:\Documents and Settings\Rafal\Dane aplikacji\COWON
2007-02-07 18:05:36 1667 --a------ C:\WINDOWS\unins000.dat
2007-02-07 18:04:25 0 d-------- C:\Program Files\WhatPulse<WHATPU~1>
2007-02-07 14:47:26 0 d-------- C:\Program Files\Common Files\COWON
2007-02-06 17:35:16 0 d-------- C:\Program Files\Pajaczek 5 NxG Standard<PAJACZ~1>
2007-02-03 16:10:38 0 d-------- C:\Program Files\Screamer Radio<SCREAM~1>
2007-01-29 07:44:28 314 --a------ C:\WINDOWS\LOGOKOM.REG
2007-01-29 07:44:00 0 d-------- C:\Program Files\LOGOKOM
2007-01-23 15:46:51 0 d-------- C:\Program Files\Java
2007-01-17 14:14:05 0 d-------- C:\Program Files\DevalVR
2007-01-09 11:37:29 131840 --a------ C:\Program Files\HyCam2.chm
2007-01-07 21:38:20 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat


-- Registry Dump ---------------------------------------------------------------


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\Lib\\NMBgMonitor.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"SoundMan"="SOUNDMAN.EXE"
"NeroFilterCheck"="C:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe"
"WatchDog"="C:\\Program Files\\mobile PhoneTools\\WatchDog.exe"
"pbmini"="\"C:\\Program Files\\Telewizja Internetowa\\PodcastbarMini\\PodcastBarMiniStater.exe\" -hide"
"DAEMON Tools"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CloneCDTray"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\CloneCD\\CloneCDTray.exe\" /s"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MS Config]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msdconfig"
"hkey"="HKLM"
"inimapping"="0"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0



-- End of ComboScan: finished at 2007-03-15 at 20:51:03 ------------------------

[wojtas]

looknij tutaj;

http://www.searchengines.pl/phpbb203/index.php?showtopic=86306

uruchom comboscana recznie:

pokaz loga z combo z zaznaczonymi opcjami:

Drivers, Services ,ComboScan Log, Sheduled Task

[RufuS*]

ComboScan v20070306.20 run by Rafal on 2007-03-15 at 21:54:36
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Rafal.exe) -----------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 21:54:39, on 2007-03-15
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\imapi.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox 2\firefox.exe
C:\Program Files\Konnekt\konnekt.exe
C:\Documents and Settings\Rafal\Pulpit\comboscan.exe
C:\PROGRA~1\HIJACK~1\Rafal.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = w3cache.stk.net.pl:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Flashget Catch Url Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: MEGAUPLOADTOOLBAR - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O3 - Toolbar: &Tłumaczenie - {0D704FAD-66E9-4F0A-BFED-4F665770DDB3} - C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll
O3 - Toolbar: MEGAUPLOADTOOLBAR - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O3 - Toolbar: (no name) - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [pbmini] "C:\Program Files\Telewizja Internetowa\PodcastbarMini\PodcastBarMiniStater.exe" -hide
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Startup: SAM.lnk = C:\Program Files\Skype\SAM\SAM.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Ściągnij przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &Ściągnij wszystko przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download Link Using Mega Manager... - C:\Program Files\Megaupload\Mega Manager\mm_file.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {B46B0919-62BA-4D99-A5C4-916B57A6805C} - C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll,-103 - {B46B0919-62BA-4D99-A5C4-916B57A6805C} - C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O16 - DPF: {92ECE6FA-AC2E-4042-BFAE-0C8608E52A43} (SignActivX Control) - https://www.bph.pl/sezam/components/SignActivX.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol 120\StarWind\StarWindService.exe


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

2R ACEDRV07 - C:\WINDOWS\system32\drivers\ACEDRV07.sys
3R ALCXWDM (Service for Avance AC97 Audio (WDM)) - C:\WINDOWS\system32\drivers\ALCXWDM.SYS
1R AmdK7 (Sterownik procesora AMD K7) - C:\WINDOWS\system32\drivers\amdk7.sys
3R ati2mtag - C:\WINDOWS\system32\drivers\ati2mtag.sys
1R AVG Anti-Spyware Driver - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys
1R AvgAsCln (AVG Anti-Spyware Clean Driver) - C:\WINDOWS\system32\drivers\AvgAsCln.sys
3S dtscsi - C:\WINDOWS\system32\Drivers\dtscsi.sys (not found)
3R ElbyCDFL - C:\WINDOWS\system32\drivers\ElbyCDFL.sys
2R ElbyCDIO (ElbyCDIO Driver) - C:\WINDOWS\system32\drivers\ElbyCDIO.sys
3S GMSIPCI - G:\INSTALL\GMSIPCI.SYS (not found)
3S hamachi (Hamachi Network Interface) - C:\WINDOWS\system32\drivers\hamachi.sys
3S HidUsb (Sterownik Microsoft klasy HID) - C:\WINDOWS\system32\drivers\hidusb.sys
3R HSFHWBS2 - C:\WINDOWS\system32\drivers\hsfbs2s2.sys
3R HSF_DP - C:\WINDOWS\system32\drivers\hsfdpsp2.sys
2R mdmxsdk - C:\WINDOWS\system32\drivers\mdmxsdk.sys
2S ntio256 (Input and output operations) - C:\WINDOWS\system32\ntio256.sys (not found)
2R NwlnkIpx (Protokół transportowy zgodny z NWLink IPX/SPX/NetBIOS) - C:\WINDOWS\system32\drivers\nwlnkipx.sys
2R NwlnkNb (System NetBIOS NWLink) - C:\WINDOWS\system32\drivers\nwlnknb.sys
2R NwlnkSpx (Protokół NWLink SPX/SPXII) - C:\WINDOWS\system32\drivers\nwlnkspx.sys
3S Pcouffin (Low level access layer for CD devices) - C:\WINDOWS\system32\Drivers\Pcouffin.sys (not found)
3S Pronaut_WBD (Pronaut WaveBridge Device (WDM)) - C:\WINDOWS\system32\drivers\pnwbd.sys
0R PxHelp20 - C:\WINDOWS\system32\drivers\PxHelp20.sys
3R rtl8139 (Sterownik NT karty Realtek RTL8139(A/B/C)-based PCI Fast Ethernet) - C:\WINDOWS\system32\drivers\rtl8139.sys
0R sfdrv01 (StarForce Protection Environment Driver (version 1.x)) - C:\WINDOWS\system32\drivers\sfdrv01.sys
0R sfhlp02 (StarForce Protection Helper Driver (version 2.x)) - C:\WINDOWS\system32\drivers\sfhlp02.sys
0R sfsync04 (StarForce Protection Synchronization Driver (version 4.x)) - C:\WINDOWS\system32\drivers\sfsync04.sys
0R sptd - C:\WINDOWS\system32\drivers\sptd.sys
1S SpyEmrg (Spy Emergency Driver) - C:\WINDOWS\system32\Drivers\spyemrg.sys (not found)
3S usbaudio (Sterownik audio USB (WDM)) - C:\WINDOWS\system32\drivers\USBAUDIO.sys
3S usbccgp (Rodzajowy sterownik nadrzędny USB Microsoft) - C:\WINDOWS\system32\drivers\usbccgp.sys
3S usbprint (Klasa PRINTER USB Microsoft) - C:\WINDOWS\system32\drivers\usbprint.sys
3S usbscan (Sterownik skanera USB) - C:\WINDOWS\system32\drivers\usbscan.sys
3S usbser (Motorola USB Modem Driver) - C:\WINDOWS\system32\drivers\usbser.sys
3S USBSTOR (Sterownik magazynu masowego USB) - C:\WINDOWS\system32\drivers\USBSTOR.SYS
3R vaxscsi - C:\WINDOWS\system32\drivers\vaxscsi.sys
0R viaagp (Filtr magistrali AGP VIA) - C:\WINDOWS\system32\drivers\viaagp.sys
2R WIBUKEY (WIBU-KEY Kernel Driver) - C:\WINDOWS\system32\drivers\Wibukey.sys
3R winachsf - C:\WINDOWS\system32\drivers\hsfcxts2.sys
2S wincom32 - C:\WINDOWS\system32\wincom32.sys (not found)
2S zntport (NTPort Library Driver) - C:\WINDOWS\system32\zntport.sys (not found)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

3S Adobe LM Service - "C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe"
3S aspnet_state (ASP.NET State Service) - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
2R Ati HotKey Poller - C:\WINDOWS\System32\Ati2evxx.exe
2S ATI Smart - C:\WINDOWS\system32\ati2sgag.exe
2R AVG Anti-Spyware Guard - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
4S Client IP-IPX - "C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000271
2R LightScribeService (LightScribeService Direct Disc Labeling Service) - "C:\Program Files\Common Files\LightScribe\LSSrvc.exe"
2R StarWindService (StarWind iSCSI Service) - C:\Program Files\Alcohol 120\StarWind\StarWindService.exe
2R UMWdf (Windows User Mode Driver Framework) - C:\WINDOWS\system32\wdfmgr.exe


-- Files created between 2007-02-15 and 2007-03-15 -----------------------------

2007-03-15 20:48:52 0 d-------- C:\!KillBox
2007-03-15 20:36:35 1280 --a------ C:\WINDOWS\system32\tmp.reg
2007-03-15 20:06:05 3968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-03-15 20:05:59 0 d-------- C:\Program Files\Grisoft
2007-03-15 16:41:02 0 d-------- C:\Program Files\Mp3 My Mp3 2.0<MP3MYM~1.0>
2007-03-15 16:14:22 53248 --a------ C:\Program Files\UnHyCam2.exe
2007-03-15 16:14:22 57344 --a------ C:\Program Files\MClick2.dll
2007-03-15 16:14:22 927320 --a------ C:\Program Files\HyCam2.exe
2007-03-15 16:14:22 65536 --a------ C:\Program Files\CamRes2.dll
2007-03-15 15:57:29 0 d-------- C:\avenger
2007-03-15 10:00:12 0 d-------- C:\Program Files\HyCam2
2007-03-07 11:17:34 0 d--h----- C:\WINDOWS\PIF
2007-03-06 21:10:07 0 d-------- C:\ppmaterecord<PPMATE~1>
2007-03-04 10:06:00 573440 --a------ C:\WINDOWS\system32\pcast.dll
2007-03-04 10:01:06 0 d-------- C:\Program Files\Common Files\Synacast
2007-03-04 09:45:34 0 d-------- C:\Program Files\Telewizja Internetowa<TELEWI~1>
2007-03-04 09:45:23 0 d-------- C:\Program Files\Nowy folder<NOWYFO~1>
2007-02-25 16:12:21 0 d-------- C:\Program Files\Common Files\Skype


-- Find3M Report ---------------------------------------------------------------

2007-03-15 21:49:29 0 d-------- C:\Program Files\FlashGet
2007-03-15 21:01:18 42496 --a------ C:\WINDOWS\system32\mswsock.dll
2007-03-15 20:33:23 0 d-------- C:\Program Files\DAEMON Tools<DAEMON~1>
2007-03-15 19:40:47 0 d-------- C:\Documents and Settings\Rafal\Dane aplikacji\foobar2000<FOOBAR~1>
2007-03-15 16:17:29 41984 --a------ C:\WINDOWS\system32\mswsock.bak2<MSWSOC~3.BAK>
2007-03-15 15:35:24 0 d-------- C:\Documents and Settings\Rafal\Dane aplikacji\The Bat!<THEBAT~1>
2007-03-15 08:23:06 0 d-------- C:\Documents and Settings\Rafal\Dane aplikacji\OpenOffice.ux.pl2<OPENOF~1.PL2>
2007-03-15 07:21:59 0 --a------ C:\Documents and Settings\Rafal\Dane aplikacji\Install.dat
2007-03-14 21:10:11 0 d-------- C:\Documents and Settings\Rafal\Dane aplikacji\Skype
2007-03-14 08:06:20 0 d-------- C:\Program Files\English Translator XT<ENGLIS~1>
2007-03-13 07:15:24 0 d-------- C:\Program Files\Mozilla Firefox 2<MOZILL~2>
2007-03-10 09:10:39 0 d-------- C:\Program Files\foobar2000<FOOBAR~1>
2007-03-09 16:53:27 0 d-------- C:\Program Files\Common Files\Ahead
2007-03-07 10:24:07 0 d-------- C:\Program Files\Skype
2007-03-07 10:17:36 0 d-------- C:\Documents and Settings\Rafal\Dane aplikacji\SAM
2007-03-06 21:07:57 0 d-------- C:\Documents and Settings\Rafal\Dane aplikacji\PPMate
2007-03-06 19:36:29 0 d-------- C:\Documents and Settings\Rafal\Dane aplikacji\ppStream
2007-03-04 10:01:33 0 d-------- C:\Documents and Settings\Rafal\Dane aplikacji\PPLive
2007-03-04 09:59:22 0 d-------- C:\Documents and Settings\Rafal\Dane aplikacji\SopCast
2007-02-20 21:11:01 0 d-------- C:\Program Files\SubEdit-Player<SUBEDI~1>
2007-02-14 09:09:01 0 d--h----- C:\Program Files\InstallShield Installation Information<INSTAL~1>
2007-02-14 06:59:50 0 d-------- C:\Program Files\NAPI-PROJEKT<NAPI-P~1>
2007-02-13 17:58:32 0 d-------- C:\Documents and Settings\Rafal\Dane aplikacji\Azureus
2007-02-13 08:13:04 0 d-------- C:\Program Files\mobile PhoneTools<MOBILE~1>
2007-02-09 18:01:46 0 d-------- C:\Program Files\Mozilla Firefox<MOZILL~1>
2007-02-09 13:56:10 0 d-------- C:\Program Files\Gadu-Gadu<GADU-G~1>
2007-02-09 13:53:21 0 d-------- C:\Program Files\Partition Manager<PARTIT~1>
2007-02-09 13:50:51 0 d-------- C:\Program Files\Smarty Uninstaller Pro<SMARTY~1>
2007-02-09 10:59:52 0 d-------- C:\Program Files\JetAudio
2007-02-09 10:59:51 0 d-------- C:\Documents and Settings\Rafal\Dane aplikacji\COWON
2007-02-07 18:05:36 1667 --a------ C:\WINDOWS\unins000.dat
2007-02-07 18:04:25 0 d-------- C:\Program Files\WhatPulse<WHATPU~1>
2007-02-07 14:47:26 0 d-------- C:\Program Files\Common Files\COWON
2007-02-06 17:35:16 0 d-------- C:\Program Files\Pajaczek 5 NxG Standard<PAJACZ~1>
2007-02-03 16:10:38 0 d-------- C:\Program Files\Screamer Radio<SCREAM~1>
2007-01-29 07:44:28 314 --a------ C:\WINDOWS\LOGOKOM.REG
2007-01-29 07:44:00 0 d-------- C:\Program Files\LOGOKOM
2007-01-23 15:46:51 0 d-------- C:\Program Files\Java
2007-01-17 14:14:05 0 d-------- C:\Program Files\DevalVR
2007-01-09 11:37:29 131840 --a------ C:\Program Files\HyCam2.chm
2007-01-07 21:38:20 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat


-- Registry Dump ---------------------------------------------------------------


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\Lib\\NMBgMonitor.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"SoundMan"="SOUNDMAN.EXE"
"NeroFilterCheck"="C:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe"
"WatchDog"="C:\\Program Files\\mobile PhoneTools\\WatchDog.exe"
"pbmini"="\"C:\\Program Files\\Telewizja Internetowa\\PodcastbarMini\\PodcastBarMiniStater.exe\" -hide"
"DAEMON Tools"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CloneCDTray"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\CloneCD\\CloneCDTray.exe\" /s"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MS Config]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msdconfig"
"hkey"="HKLM"
"inimapping"="0"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0



-- End of ComboScan: finished at 2007-03-15 at 21:55:06 ------------------------

[wojtas]

widze ze jest rookit:

scaignij:
http://gmer.net/gmer.zip

1) Rootkit >>> zaznaczone Pokaż wszystko >>> wskazane tylko Usługi >>> Szukaj >>> Kopiuj >>> CTRL+V do posta
2) Rootkit >>> odznaczone Pokaż wszystko >>> wskazane wszystkie obiekty do skanu >>> Szukaj >>> Kopiuj >>> CTRL+V do posta

[RufuS*]

1.

GMER 1.0.12.12086 - http://www.gmer.net
Rootkit scan 2007-03-15 22:20:31
Windows 5.1.2600 Dodatek Service Pack 2


---- Services - GMER 1.0.12 ----

Service .NET CLR Data
Service .NET CLR Networking
Service .NETFramework
Service [DISABLED] Abiosdsk
Service [DISABLED] abp480n5
Service C:\WINDOWS\system32\drivers\ACEDRV07.sys [AUTO] ACEDRV07
Service C:\WINDOWS\System32\DRIVERS\ACPI.sys [BOOT] ACPI
Service [DISABLED] ACPIEC
Service C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [MANUAL] Adobe LM Service
Service [DISABLED] adpu160m
Service C:\WINDOWS\system32\drivers\aec.sys [MANUAL] aec
Service C:\WINDOWS\System32\drivers\afd.sys [SYSTEM] AFD
Service [DISABLED] Aha154x
Service [DISABLED] aic78u2
Service [DISABLED] aic78xx
Service C:\WINDOWS\system32\drivers\ALCXWDM.SYS [MANUAL] ALCXWDM
Service C:\WINDOWS\System32\svchost.exe [DISABLED] Alerter
Service C:\WINDOWS\System32\alg.exe [MANUAL] ALG
Service [DISABLED] AliIde
Service C:\WINDOWS\System32\DRIVERS\amdk7.sys [SYSTEM] AmdK7
Service [DISABLED] amsint
Service C:\WINDOWS\system32\svchost.exe [MANUAL] AppMgmt
Service [DISABLED] asc
Service [DISABLED] asc3350p
Service [DISABLED] asc3550
Service ASP.NET
Service ASP.NET_1.1.4322
Service C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [MANUAL] aspnet_state
Service C:\WINDOWS\System32\DRIVERS\asyncmac.sys [MANUAL] AsyncMac
Service C:\WINDOWS\System32\DRIVERS\atapi.sys [BOOT] atapi
Service [DISABLED] Atdisk
Service C:\WINDOWS\System32\Ati2evxx.exe [AUTO] Ati HotKey Poller
Service C:\WINDOWS\system32\ati2sgag.exe [AUTO] ATI Smart
Service C:\WINDOWS\System32\DRIVERS\ati2mtag.sys [MANUAL] ati2mtag
Service C:\WINDOWS\System32\DRIVERS\atmarpc.sys [MANUAL] Atmarpc
Service C:\WINDOWS\System32\svchost.exe [AUTO] AudioSrv
Service C:\WINDOWS\System32\DRIVERS\audstub.sys [MANUAL] audstub
Service C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys [SYSTEM] AVG Anti-Spyware Driver
Service C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe [AUTO] AVG Anti-Spyware Guard
Service C:\WINDOWS\System32\DRIVERS\AvgAsCln.sys [SYSTEM] AvgAsCln
Service BattC
Service [SYSTEM] Beep
Service C:\WINDOWS\System32\svchost.exe [AUTO] BITS
Service C:\WINDOWS\System32\svchost.exe [AUTO] Browser
Service [DISABLED] cbidf2k
Service [DISABLED] cd20xrnt
Service [SYSTEM] Cdaudio
Service [DISABLED] Cdfs
Service C:\WINDOWS\System32\DRIVERS\cdrom.sys [SYSTEM] Cdrom
Service [SYSTEM] Changer
Service C:\WINDOWS\System32\cisvc.exe [MANUAL] cisvc
Service C:\WINDOWS\system32\svchosts.exe [DISABLED] Client IP-IPX
Service C:\WINDOWS\system32\clipsrv.exe [DISABLED] ClipSrv
Service [DISABLED] CmdIde
Service C:\WINDOWS\System32\dllhost.exe [MANUAL] COMSysApp
Service ContentFilter
Service ContentIndex
Service [DISABLED] Cpqarray
Service C:\WINDOWS\system32\svchost.exe [AUTO] CryptSvc
Service [DISABLED] dac2w2k
Service [DISABLED] dac960nt
Service C:\WINDOWS\system32\svchost.exe [AUTO] DcomLaunch
Service C:\WINDOWS\System32\svchost.exe [AUTO] Dhcp
Service C:\WINDOWS\System32\DRIVERS\disk.sys [BOOT] Disk
Service C:\WINDOWS\System32\dmadmin.exe [MANUAL] dmadmin
Service C:\WINDOWS\System32\drivers\dmboot.sys [DISABLED] dmboot
Service C:\WINDOWS\System32\drivers\dmio.sys [BOOT] dmio
Service C:\WINDOWS\System32\drivers\dmload.sys [BOOT] dmload
Service C:\WINDOWS\System32\svchost.exe [AUTO] dmserver
Service C:\WINDOWS\system32\drivers\DMusic.sys [MANUAL] DMusic
Service C:\WINDOWS\System32\svchost.exe [AUTO] Dnscache
Service [DISABLED] dpti2o
Service C:\WINDOWS\system32\drivers\drmkaud.sys [MANUAL] drmkaud
Service System32\Drivers\dtscsi.sys [MANUAL] dtscsi
Service C:\WINDOWS\System32\Drivers\ElbyCDFL.sys [MANUAL] ElbyCDFL
Service C:\WINDOWS\System32\Drivers\ElbyCDIO.sys [AUTO] ElbyCDIO
Service C:\WINDOWS\System32\svchost.exe [DISABLED] ERSvc
Service C:\WINDOWS\system32\services.exe [AUTO] Eventlog
Service C:\WINDOWS\System32\svchost.exe [MANUAL] EventSystem
Service [DISABLED] Fastfat
Service C:\WINDOWS\System32\svchost.exe [MANUAL] FastUserSwitchingCompatibility
Service C:\WINDOWS\System32\DRIVERS\fdc.sys [MANUAL] Fdc
Service [SYSTEM] Fips
Service [SYSTEM] Flpydisk
Service C:\WINDOWS\system32\drivers\fltmgr.sys [BOOT] FltMgr
Service [SYSTEM] Fs_Rec
Service C:\WINDOWS\System32\DRIVERS\ftdisk.sys [BOOT] Ftdisk
Service fwdrv
Service C:\WINDOWS\System32\DRIVERS\gameenum.sys [MANUAL] gameenum
Service C:\WINDOWS\System32\DRIVERS\gmer.sys [MANUAL] gmer
Service G:\INSTALL\GMSIPCI.SYS [MANUAL] GMSIPCI
Service C:\WINDOWS\System32\DRIVERS\msgpc.sys [MANUAL] Gpc
Service C:\WINDOWS\system32\DRIVERS\hamachi.sys [MANUAL] hamachi
Service C:\WINDOWS\System32\svchost.exe [AUTO] helpsvc
Service C:\WINDOWS\System32\svchost.exe [DISABLED] HidServ
Service C:\WINDOWS\system32\DRIVERS\hidusb.sys [MANUAL] HidUsb
Service [DISABLED] hpn
Service [DISABLED] hpt3xx
Service C:\WINDOWS\system32\DRIVERS\HSFBS2S2.sys [MANUAL] HSFHWBS2
Service C:\WINDOWS\system32\DRIVERS\HSFDPSP2.sys [MANUAL] HSF_DP
Service C:\WINDOWS\System32\Drivers\HTTP.sys [MANUAL] HTTP
Service C:\WINDOWS\System32\svchost.exe [MANUAL] HTTPFilter
Service [SYSTEM] i2omgmt
Service [DISABLED] i2omp
Service C:\WINDOWS\System32\DRIVERS\i8042prt.sys [SYSTEM] i8042prt
Service C:\WINDOWS\system32\DRIVERS\imapi.sys [SYSTEM] Imapi
Service C:\WINDOWS\System32\imapi.exe [MANUAL] ImapiService
Service inetaccs
Service [DISABLED] ini910u
Service Inport
Service [DISABLED] IntelIde
Service C:\WINDOWS\system32\drivers\ip6fw.sys [MANUAL] ip6fw
Service C:\WINDOWS\System32\DRIVERS\ipfltdrv.sys [MANUAL] IpFilterDriver
Service C:\WINDOWS\System32\DRIVERS\ipinip.sys [MANUAL] IpInIp
Service C:\WINDOWS\System32\DRIVERS\ipnat.sys [MANUAL] IpNat
Service C:\WINDOWS\System32\DRIVERS\ipsec.sys [SYSTEM] IPSec
Service C:\WINDOWS\System32\DRIVERS\irenum.sys [MANUAL] IRENUM
Service ISAPISearch
Service C:\WINDOWS\System32\DRIVERS\isapnp.sys [BOOT] isapnp
Service C:\WINDOWS\System32\DRIVERS\kbdclass.sys [SYSTEM] Kbdclass
Service khips
Service C:\WINDOWS\system32\drivers\kmixer.sys [MANUAL] kmixer
Service [BOOT] KSecDD
Service C:\WINDOWS\System32\svchost.exe [AUTO] lanmanserver
Service C:\WINDOWS\System32\svchost.exe [AUTO] lanmanworkstation
Service [SYSTEM] lbrtfdc
Service ldap
Service LicenseService
Service C:\Program Files\Common Files\LightScribe\LSSrvc.exe [AUTO] LightScribeService
Service C:\WINDOWS\System32\svchost.exe [AUTO] LmHosts
Service C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [AUTO] mdmxsdk
Service C:\WINDOWS\System32\svchost.exe [DISABLED] Messenger
Service [SYSTEM] mnmdd
Service C:\WINDOWS\System32\mnmsrvc.exe [MANUAL] mnmsrvc
Service [MANUAL] Modem
Service C:\WINDOWS\System32\DRIVERS\mouclass.sys [SYSTEM] Mouclass
Service [BOOT] MountMgr
Service [DISABLED] mraid35x
Service C:\WINDOWS\System32\DRIVERS\mrxdav.sys [MANUAL] MRxDAV
Service C:\WINDOWS\System32\DRIVERS\mrxsmb.sys [SYSTEM] MRxSmb
Service C:\WINDOWS\System32\msdtc.exe [MANUAL] MSDTC
Service [SYSTEM] Msfs
Service C:\WINDOWS\system32\msiexec.exe [MANUAL] MSIServer
Service C:\WINDOWS\system32\drivers\MSKSSRV.sys [MANUAL] MSKSSRV
Service C:\WINDOWS\system32\drivers\MSPCLOCK.sys [MANUAL] MSPCLOCK
Service C:\WINDOWS\system32\drivers\MSPQM.sys [MANUAL] MSPQM
Service C:\WINDOWS\System32\DRIVERS\mssmbios.sys [MANUAL] mssmbios
Service [BOOT] Mup
Service [BOOT] NDIS
Service C:\WINDOWS\System32\DRIVERS\ndistapi.sys [MANUAL] NdisTapi
Service C:\WINDOWS\System32\DRIVERS\ndisuio.sys [MANUAL] Ndisuio
Service C:\WINDOWS\System32\DRIVERS\ndiswan.sys [MANUAL] NdisWan
Service [MANUAL] NDProxy
Service C:\WINDOWS\System32\DRIVERS\netbios.sys [SYSTEM] NetBIOS
Service C:\WINDOWS\System32\DRIVERS\netbt.sys [MANUAL] NetBT
Service C:\WINDOWS\system32\netdde.exe [DISABLED] NetDDE
Service C:\WINDOWS\system32\netdde.exe [DISABLED] NetDDEdsdm
Service C:\WINDOWS\System32\lsass.exe [MANUAL] Netlogon
Service C:\WINDOWS\System32\svchost.exe [MANUAL] Netman
Service C:\WINDOWS\System32\svchost.exe [MANUAL] Nla
Service nm
Service [SYSTEM] Npfs
Service [DISABLED] Ntfs
Service C:\WINDOWS\system32\ntio256.sys [AUTO] ntio256
Service C:\WINDOWS\System32\lsass.exe [MANUAL] NtLmSsp
Service C:\WINDOWS\system32\svchost.exe [MANUAL] NtmsSvc
Service [SYSTEM] Null
Service C:\WINDOWS\System32\DRIVERS\nwlnkflt.sys [MANUAL] NwlnkFlt
Service C:\WINDOWS\System32\DRIVERS\nwlnkfwd.sys [MANUAL] NwlnkFwd
Service C:\WINDOWS\system32\DRIVERS\nwlnkipx.sys [AUTO] NwlnkIpx
Service C:\WINDOWS\system32\DRIVERS\nwlnknb.sys [AUTO] NwlnkNb
Service C:\WINDOWS\system32\DRIVERS\nwlnkspx.sys [AUTO] NwlnkSpx
Service C:\WINDOWS\System32\DRIVERS\parport.sys [MANUAL] Parport
Service [BOOT] PartMgr
Service [AUTO] ParVdm
Service C:\WINDOWS\System32\DRIVERS\pci.sys [BOOT] PCI
Service [SYSTEM] PCIDump
Service [DISABLED] PCIIde
Service [DISABLED] Pcmcia
Service System32\Drivers\Pcouffin.sys [MANUAL] Pcouffin
Service [MANUAL] PDCOMP
Service [MANUAL] PDFRAME
Service [MANUAL] PDRELI
Service [MANUAL] PDRFRAME
Service [DISABLED] perc2
Service [DISABLED] perc2hib
Service PerfDisk
Service PerfNet
Service PerfOS
Service PerfProc
Service C:\WINDOWS\system32\services.exe [AUTO] PlugPlay
Service C:\WINDOWS\System32\lsass.exe [AUTO] PolicyAgent
Service C:\WINDOWS\System32\DRIVERS\raspptp.sys [MANUAL] PptpMiniport
Service PQNTDrv
Service C:\WINDOWS\System32\DRIVERS\processr.sys [SYSTEM] Processor
Service C:\WINDOWS\system32\drivers\pnwbd.sys [MANUAL] Pronaut_WBD
Service C:\WINDOWS\system32\lsass.exe [AUTO] ProtectedStorage
Service C:\WINDOWS\System32\DRIVERS\psched.sys [MANUAL] PSched
Service C:\WINDOWS\System32\DRIVERS\ptilink.sys [MANUAL] Ptilink
Service C:\WINDOWS\System32\Drivers\PxHelp20.sys [BOOT] PxHelp20
Service [DISABLED] ql1080
Service [DISABLED] Ql10wnt
Service [DISABLED] ql12160
Service [DISABLED] ql1240
Service [DISABLED] ql1280
Service C:\WINDOWS\System32\DRIVERS\rasacd.sys [SYSTEM] RasAcd
Service C:\WINDOWS\System32\svchost.exe [MANUAL] RasAuto
Service C:\WINDOWS\System32\DRIVERS\rasl2tp.sys [MANUAL] Rasl2tp
Service C:\WINDOWS\System32\svchost.exe [MANUAL] RasMan
Service C:\WINDOWS\System32\DRIVERS\raspppoe.sys [MANUAL] RasPppoe
Service C:\WINDOWS\System32\DRIVERS\raspti.sys [MANUAL] Raspti
Service C:\WINDOWS\System32\DRIVERS\rdbss.sys [SYSTEM] Rdbss
Service C:\WINDOWS\System32\DRIVERS\RDPCDD.sys [SYSTEM] RDPCDD
Service RDPDD
Service C:\WINDOWS\System32\DRIVERS\rdpdr.sys [MANUAL] rdpdr
Service RDPNP
Service [MANUAL] RDPWD
Service C:\WINDOWS\system32\sessmgr.exe [MANUAL] RDSessMgr
Service C:\WINDOWS\System32\DRIVERS\redbook.sys [SYSTEM] redbook
Service C:\WINDOWS\System32\svchost.exe [DISABLED] RemoteAccess
Service C:\WINDOWS\system32\svchost.exe [AUTO] RemoteRegistry
Service C:\WINDOWS\System32\locator.exe [MANUAL] RpcLocator
Service C:\WINDOWS\system32\svchost.exe [AUTO] RpcSs
Service C:\WINDOWS\System32\rsvp.exe [MANUAL] RSVP
Service C:\WINDOWS\System32\DRIVERS\RTL8139.SYS [MANUAL] rtl8139
Service C:\WINDOWS\system32\lsass.exe [AUTO] SamSs
Service C:\WINDOWS\System32\SCardSvr.exe [MANUAL] SCardSvr
Service C:\WINDOWS\System32\svchost.exe [AUTO] Schedule
Service ScsiPort
Service C:\WINDOWS\System32\DRIVERS\secdrv.sys [AUTO] Secdrv
Service C:\WINDOWS\System32\svchost.exe [AUTO] seclogon
Service C:\WINDOWS\system32\svchost.exe [AUTO] SENS
Service C:\WINDOWS\System32\DRIVERS\serenum.sys [MANUAL] serenum
Service C:\WINDOWS\System32\DRIVERS\serial.sys [SYSTEM] Serial
Service C:\WINDOWS\System32\drivers\sfdrv01.sys [BOOT] sfdrv01
Service C:\WINDOWS\System32\drivers\sfhlp02.sys [BOOT] sfhlp02
Service [SYSTEM] Sfloppy
Service C:\WINDOWS\System32\drivers\sfsync04.sys [BOOT] sfsync04
Service SharedAccess
Service C:\WINDOWS\System32\svchost.exe [AUTO] ShellHWDetection
Service [DISABLED] Simbad
Service [DISABLED] Sparrow
Service C:\WINDOWS\system32\drivers\splitter.sys [MANUAL] splitter
Service C:\WINDOWS\system32\spoolsv.exe [AUTO] Spooler
Service C:\WINDOWS\System32\Drivers\sptd.sys [BOOT] sptd
Service System32\Drivers\spyemrg.sys [SYSTEM] SpyEmrg
Service C:\WINDOWS\System32\DRIVERS\sr.sys [BOOT] sr
Service C:\WINDOWS\System32\svchost.exe [AUTO] srservice
Service C:\WINDOWS\System32\DRIVERS\srv.sys [MANUAL] Srv
Service C:\WINDOWS\System32\svchost.exe [MANUAL] SSDPSRV
Service C:\Program Files\Alcohol 120\StarWind\StarWindService.exe [AUTO] StarWindService
Service C:\WINDOWS\System32\svchost.exe [AUTO] stisvc
Service C:\WINDOWS\System32\DRIVERS\swenum.sys [MANUAL] swenum
Service C:\WINDOWS\system32\drivers\swmidi.sys [MANUAL] swmidi
Service C:\WINDOWS\System32\dllhost.exe [MANUAL] SwPrv
Service swwd
Service [DISABLED] symc810
Service [DISABLED] symc8xx
Service [DISABLED] sym_hi
Service [DISABLED] sym_u3
Service C:\WINDOWS\system32\drivers\sysaudio.sys [MANUAL] sysaudio
Service C:\WINDOWS\system32\smlogsvc.exe [MANUAL] SysmonLog
Service C:\WINDOWS\System32\svchost.exe [MANUAL] TapiSrv
Service C:\WINDOWS\System32\DRIVERS\tcpip.sys [SYSTEM] Tcpip
Service [MANUAL] TDPIPE
Service [MANUAL] TDTCP
Service C:\WINDOWS\System32\DRIVERS\termdd.sys [SYSTEM] TermDD
Service C:\WINDOWS\System32\svchost.exe [MANUAL] TermService
Service C:\WINDOWS\System32\svchost.exe [AUTO] Themes
Service C:\WINDOWS\System32\tlntsvr.exe [MANUAL] TlntSvr
Service [DISABLED] TosIde
Service C:\WINDOWS\system32\svchost.exe [AUTO] TrkWks
Service TSDDD
Service [DISABLED] Udfs
Service [DISABLED] ultra
Service C:\WINDOWS\system32\wdfmgr.exe [AUTO] UMWdf
Service C:\WINDOWS\System32\DRIVERS\update.sys [MANUAL] Update
Service C:\WINDOWS\System32\svchost.exe [MANUAL] upnphost
Service C:\WINDOWS\System32\ups.exe [MANUAL] UPS
Service C:\WINDOWS\system32\drivers\usbaudio.sys [MANUAL] usbaudio
Service C:\WINDOWS\system32\DRIVERS\usbccgp.sys [MANUAL] usbccgp
Service C:\WINDOWS\System32\DRIVERS\usbhub.sys [MANUAL] usbhub
Service C:\WINDOWS\system32\DRIVERS\usbprint.sys [MANUAL] usbprint
Service C:\WINDOWS\system32\DRIVERS\usbscan.sys [MANUAL] usbscan
Service C:\WINDOWS\system32\DRIVERS\usbser.sys [MANUAL] usbser
Service C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [MANUAL] USBSTOR
Service C:\WINDOWS\System32\DRIVERS\usbuhci.sys [MANUAL] usbuhci
Service C:\WINDOWS\System32\Drivers\vaxscsi.sys [MANUAL] vaxscsi
Service C:\WINDOWS\System32\drivers\vga.sys [SYSTEM] VgaSave
Service C:\WINDOWS\System32\DRIVERS\viaagp.sys [BOOT] viaagp
Service C:\WINDOWS\System32\DRIVERS\viaide.sys [BOOT] ViaIde
Service [BOOT] VolSnap
Service C:\WINDOWS\System32\vssvc.exe [MANUAL] VSS
Service VXD
Service C:\WINDOWS\System32\svchost.exe [AUTO] W32Time
Service W3SVC
Service C:\WINDOWS\System32\DRIVERS\wanarp.sys [MANUAL] Wanarp
Service [MANUAL] WDICA
Service C:\WINDOWS\system32\drivers\wdmaud.sys [MANUAL] wdmaud
Service C:\WINDOWS\System32\svchost.exe [AUTO] WebClient
Service C:\WINDOWS\SYSTEM32\DRIVERS\Wibukey.sys [AUTO] WIBUKEY
Service C:\WINDOWS\system32\DRIVERS\HSFCXTS2.sys [MANUAL] winachsf
Service C:\WINDOWS\system32\wincom32.sys [AUTO] wincom32
Service C:\WINDOWS\system32\svchost.exe [AUTO] winmgmt
Service [MANUAL] Winsock
Service WinSock2
Service WinTrust
Service C:\WINDOWS\System32\svchost.exe [MANUAL] WmdmPmSN
Service C:\WINDOWS\System32\svchost.exe [MANUAL] Wmi
Service WmiApRpl
Service C:\WINDOWS\System32\wbem\wmiapsrv.exe [MANUAL] WmiApSrv
Service C:\WINDOWS\System32\svchost.exe [DISABLED] wscsvc
Service C:\WINDOWS\System32\svchost.exe [DISABLED] wuauserv
Service C:\WINDOWS\System32\svchost.exe [AUTO] WZCSVC
Service C:\WINDOWS\System32\svchost.exe [MANUAL] xmlprov
Service C:\WINDOWS\system32\zntport.sys [AUTO] zntport
Service ZoomoutScope
Service {6EA1532D-AFE4-4734-A343-3F6743CF5C2A}
Service {FA78D867-62FB-47FA-A563-5672917FD99F}
Service [MANUAL] amxlg3pa

---- EOF - GMER 1.0.12 ----

2.

[quote]GMER 1.0.12.12086 - http://www.gmer.net
Rootkit scan 2007-03-15 22:31:08
Windows 5.1.2600 Dodatek Service Pack 2


---- System - GMER 1.0.12 ----

SSDT sptd.sys ZwCreateKey
SSDT sptd.sys ZwEnumerateKey
SSDT sptd.sys ZwEnumerateValueKey
SSDT sptd.sys ZwOpenKey
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
SSDT sptd.sys ZwQueryKey
SSDT sptd.sys ZwQueryValueKey
SSDT sptd.sys ZwSetValueKey
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess

---- Kernel code sections - GMER 1.0.12 ----

? C:\WINDOWS\system32\drivers\sptd.sys Proces nie może uzyskać dostępu do pliku, ponieważ jest on używany przez inny proces.
.text USBPORT.SYS!DllUnload F6DDF62C 5 Bytes JMP 82CC7960
? C:\WINDOWS\System32\Drivers\vaxscsi.sys Proces nie może uzyskać dostępu do pliku, ponieważ jest on używany przez inny proces.
? System32\Drivers\amxlg3pa.SYS Nie można odnaleźć określonego pliku.
.text ntdll.dll!NtClose 7C90D586 5 Bytes JMP 720342BA
.text ntdll.dll!NtCreateProcess 7C90D754 5 Bytes JMP 72034445
.text ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes JMP 72034329
.text ntdll.dll!NtCreateSection 7C90D793 5 Bytes JMP 720342D8

---- Devices - GMER 1.0.12 ----

Device \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE 82F521D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE 82F521D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_READ 82F521D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE 82F521D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION 82F521D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION 82F521D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA 82F521D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA 82F521D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS 82F521D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION 82F521D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION 82F521D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL 82F521D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL 82F521D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL 82F521D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN 82F521D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL 82F521D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP 82F521D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY 82F521D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY 82F521D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA 82F521D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA 82F521D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_PNP 82F521D8
Device \Driver\NetBT \Device\NetBT_Tcpip_{6EA1532D-AFE4-4734-A343-3F6743CF5C2A} IRP_MJ_CREATE 82C72980
Device \Driver\NetBT \Device\NetBT_Tcpip_{6EA1532D-AFE4-4734-A343-3F6743CF5C2A} IRP_MJ_CLOSE 82C72980
Device \Driver\NetBT \Device\NetBT_Tcpip_{6EA1532D-AFE4-4734-A343-3F6743CF5C2A} IRP_MJ_DEVICE_CONTROL 82C72980
Device \Driver\NetBT \Device\NetBT_Tcpip_{6EA1532D-AFE4-4734-A343-3F6743CF5C2A} IRP_MJ_INTERNAL_DEVICE_CONTROL 82C72980
Device \Driver\NetBT \Device\NetBT_Tcpip_{6EA1532D-AFE4-4734-A343-3F6743CF5C2A} IRP_MJ_CLEANUP 82C72980
Device \Driver\NetBT \Device\NetBT_Tcpip_{6EA1532D-AFE4-4734-A343-3F6743CF5C2A} IRP_MJ_PNP 82C72980
Device \Driver\00000050 \Device\00000051 IRP_MJ_POWER [F7446C7E] sptd.sys
Device \Driver\00000050 \Device\00000051 IRP_MJ_SYSTEM_CONTROL [F74602A2] sptd.sys
Device \Driver\00000050 \Device\00000051 IRP_MJ_PNP [F7461228] sptd.sys
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_CREATE 82CCF980
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_CLOSE 82CCF980
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_DEVICE_CONTROL 82CCF980
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_INTERNAL_DEVICE_CONTROL 82CCF980
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_POWER 82CCF980
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_SYSTEM_CONTROL 82CCF980
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_PNP 82CCF980
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_CREATE 82FC01D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_CLOSE 82FC01D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_READ 82FC01D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_WRITE 82FC01D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_FLUSH_BUFFERS 82FC01D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_DEVICE_CONTROL 82FC01D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_INTERNAL_DEVICE_CONTROL 82FC01D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_SHUTDOWN 82FC01D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_POWER 82FC01D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_SYSTEM_CONTROL 82FC01D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_PNP 82FC01D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_CREATE 82FC01D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_CLOSE 82FC01D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_READ 82FC01D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_WRITE 82FC01D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_FLUSH_BUFFERS 82FC01D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_DEVICE_CONTROL 82FC01D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_INTERNAL_DEVICE_CONTROL 82FC01D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_SHUTDOWN 82FC01D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_POWER 82FC01D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_SYSTEM_CONTROL 82FC01D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_PNP 82FC01D8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_CREATE 82FC01D8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_CLOSE 82FC01D8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_READ 82FC01D8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_WRITE 82FC01D8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_FLUSH_BUFFERS 82FC01D8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_DEVICE_CONTROL 82FC01D8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_INTERNAL_DEVICE_CONTROL 82FC01D8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_SHUTDOWN 82FC01D8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_POWER 82FC01D8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_SYSTEM_CONTROL 82FC01D8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_PNP 82FC01D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_CREATE 82FC01D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_CLOSE 82FC01D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_READ 82FC01D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_WRITE 82FC01D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_FLUSH_BUFFERS 82FC01D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_DEVICE_CONTROL 82FC01D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_INTERNAL_DEVICE_CONTROL 82FC01D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_SHUTDOWN 82FC01D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_POWER 82FC01D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_SYSTEM_CONTROL 82FC01D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_PNP 82FC01D8
Device \Driver\00000050 \Device\00000052 IRP_MJ_POWER [F7446C7E] sptd.sys
Device \Driver\00000050 \Device\00000052 IRP_MJ_SYSTEM_CONTROL [F74602A2] sptd.sys
Device \Driver\00000050 \Device\00000052 IRP_MJ_PNP [F7461228] sptd.sys
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_CREATE 82CCF980
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_CLOSE 82CCF980
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_DEVICE_CONTROL 82CCF980
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_INTERNAL_DEVICE_CONTROL 82CCF980
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_POWER 82CCF980
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_SYSTEM_CONTROL 82CCF980
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_PNP 82CCF980
Device \Driver\usbuhci \Device\USBPDO-2 IRP_MJ_CREATE 82CCF980
Device \Driver\usbuhci \Device\USBPDO-2 IRP_MJ_CLOSE 82CCF980
Device \Driver\usbuhci \Device\USBPDO-2 IRP_MJ_DEVICE_CONTROL 82CCF980
Device \Driver\usbuhci \Device\USBPDO-2 IRP_MJ_INTERNAL_DEVICE_CONTROL 82CCF980
Device \Driver\usbuhci \Device\USBPDO-2 IRP_MJ_POWER 82CCF980
Device \Driver\usbuhci \Device\USBPDO-2 IRP_MJ_SYSTEM_CONTROL 82CCF980
Device \Driver\usbuhci \Device\USBPDO-2 IRP_MJ_PNP 82CCF980
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CREATE 82F541D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_READ 82F541D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_WRITE 82F541D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_FLUSH_BUFFERS 82F541D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_DEVICE_CONTROL 82F541D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_INTERNAL_DEVICE_CONTROL 82F541D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SHUTDOWN 82F541D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CLEANUP 82F541D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_POWER 82F541D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SYSTEM_CONTROL 82F541D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_PNP 82F541D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_CREATE 82F541D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_READ 82F541D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_WRITE 82F541D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_FLUSH_BUFFERS 82F541D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_DEVICE_CONTROL 82F541D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_INTERNAL_DEVICE_CONTROL 82F541D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_SHUTDOWN 82F541D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_CLEANUP 82F541D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_POWER 82F541D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_SYSTEM_CONTROL 82F541D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_PNP 82F541D8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE 82D0A1D8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLOSE 82D0A1D8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_READ 82D0A1D8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_WRITE 82D0A1D8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FLUSH_BUFFERS 82D0A1D8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CONTROL 82D0A1D8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_INTERNAL_DEVICE_CONTROL 82D0A1D8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SHUTDOWN 82D0A1D8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_POWER 82D0A1D8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SYSTEM_CONTROL 82D0A1D8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_PNP 82D0A1D8
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_CREATE 82F541D8
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_READ 82F541D8
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_WRITE 82F541D8
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_FLUSH_BUFFERS 82F541D8
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_DEVICE_CONTROL 82F541D8
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_INTERNAL_DEVICE_CONTROL 82F541D8
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_SHUTDOWN 82F541D8
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_CLEANUP 82F541D8
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_POWER 82F541D8
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_SYSTEM_CONTROL 82F541D8
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_PNP 82F541D8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CREATE 82F531D8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CLOSE 82F531D8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_DEVICE_CONTROL 82F531D8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_INTERNAL_DEVICE_CONTROL 82FC0B48
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_POWER 82F531D8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SYSTEM_CONTROL 82F531D8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_PNP 82F531D8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_CREATE 82F531D8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_CLOSE 82F531D8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_DEVICE_CONTROL 82F531D8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_INTERNAL_DEVICE_CONTROL 82FC0B48
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_POWER 82F531D8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_SYSTEM_CONTROL 82F531D8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_PNP 82F531D8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CREATE 82F531D8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CLOSE 82F531D8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_DEVICE_CONTROL 82F531D8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_INTERNAL_DEVICE_CONTROL 82FC0B48
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_POWER 82F531D8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SYSTEM_CONTROL 82F531D8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_PNP 82F531D8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_CREATE 82F531D8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_CLOSE 82F531D8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_DEVICE_CONTROL 82F531D8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_INTERNAL_DEVICE_CONTROL 82FC0B48
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_POWER 82F531D8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_SYSTEM_CONTROL 82F531D8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_PNP 82F531D8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 IRP_MJ_CREATE 82F531D8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 IRP_MJ_CLOSE 82F531D8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 IRP_MJ_DEVICE_CONTROL 82F531D8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 IRP_MJ_INTERNAL_DEVICE_CONTROL 82FC0B48
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 IRP_MJ_POWER 82F531D8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 IRP_MJ_SYSTEM_CONTROL 82F531D8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 IRP_MJ_PNP 82F531D8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE 82D0A1D8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CLOSE 82D0A1D8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_READ 82D0A1D8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_WRITE 82D0A1D8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_FLUSH_BUFFERS 82D0A1D8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DEVICE_CONTROL 82D0A1D8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_INTERNAL_DEVICE_CONTROL 82D0A1D8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SHUTDOWN 82D0A1D8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_POWER 82D0A1D8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SYSTEM_CONTROL 82D0A1D8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_PNP 82D0A1D8
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CREATE 82D0A1D8
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CLOSE 82D0A1D8
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_READ 82D0A1D8
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_WRITE 82D0A1D8
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_FLUSH_BUFFERS 82D0A1D8
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_DEVICE_CONTROL 82D0A1D8
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_INTERNAL_DEVICE_CONTROL 82D0A1D8
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SHUTDOWN 82D0A1D8
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_POWER 82D0A1D8
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SYSTEM_CONTROL 82D0A1D8
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_PNP 82D0A1D8
Device \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_CREATE 82F541D8
Device \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_READ 82F541D8
Device \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_WRITE 82F541D8
Device \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_FLUSH_BUFFERS 82F541D8
Device \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_DEVICE_CONTROL 82F541D8
Device \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_INTERNAL_DEVICE_CONTROL 82F541D8
Device \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_SHUTDOWN 82F541D8
Device \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_CLEANUP 82F541D8
Device \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_POWER 82F541D8
Device \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_SYSTEM_CONTROL 82F541D8
Device \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_PNP 82F541D8
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_CREATE 82D0A1D8
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_CLOSE 82D0A1D8
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_READ 82D0A1D8
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_WRITE 82D0A1D8
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_FLUSH_BUFFERS 82D0A1D8
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_DEVICE_CONTROL 82D0A1D8
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_INTERNAL_DEVICE_CONTROL 82D0A1D8
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_SHUTDOWN 82D0A1D8
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_POWER 82D0A1D8
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_SYSTEM_CONTROL 82D0A1D8
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_PNP 82D0A1D8
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_CREATE 82D0A1D8
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_CLOSE 82D0A1D8
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_READ 82D0A1D8
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_WRITE 82D0A1D8
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_FLUSH_BUFFERS 82D0A1D8
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_DEVICE_CONTROL 82D0A1D8
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_INTERNAL_DEVICE_CONTROL 82D0A1D8
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_SHUTDOWN 82D0A1D8
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_POWER 82D0A1D8
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_SYSTEM_CONTROL 82D0A1D8
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_PNP 82D0A1D8
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CREATE 82C72980
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CLOSE 82C72980
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_DEVICE_CONTROL 82C72980
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_INTERNAL_DEVICE_CONTROL 82C72980
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CLEANUP 82C72980
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_PNP 82C72980
Device \Driver\usbuhci \Device\USBFDO-0 IRP_MJ_CREATE 82CCF980
Device \Driver\usbuhci \Device\USBFDO-0 IRP_MJ_CLOSE 82CCF980
Device \Driver\usbuhci \Device\USBFDO-0 IRP_MJ_DEVICE_CONTROL 82CCF980
Device \D

[wojtas]

odpal gmera przejdz do zakładki CMD z zaznaczoną opcją CMD i tam wklej

gmer -killall
gmer -del service ntio256
gmer -del service Client IP-IPX
gmer -del service wincom32
gmer -del service amxlg3pa
gmer -del file C:\WINDOWS\system32\ntio256.sys
gmer -del file C:\WINDOWS\system32\svchosts.exe
gmer -del file C:\WINDOWS\system32\wincom32.sys
gmer -del file C:\WINDOWS\system32\Drivers\amxlg3pa.sys
gmer -reboot

i kliknij na Uruchom z prawej strony (jesli system sie zwiesi to pomin pierwsza komende "gmer -killall")
potem nowe logi z gmera

[RufuS*]

nowe logi:

www.rufus.netarteria.pl/wersja1.txt
www.rufus.netarteria.pl/wersja2.txt

[wojtas]

odpal gmera przejdz do zakładki CMD z zaznaczoną opcją CMD i tam wklej

gmer -del file C:\WINDOWS\System32\Drivers\afw0ysx0.SYS
gmer -reboot

potem nowe logi z gmera:oraz z L2mfix z opcji 1

http://www.atribune.org/downloads/l2mfix.exe

Autor postu otrzymał pochwałę