kombinacja: fijiefj.exe, isass.exe

**Posty:** 14 · przez **autovidol** 03 Kwi 2008, 02:16

czytałem coś o fijiefj.exe, zdaje się, że muszę użyc combofixa, ale to dla mnie nowośc. fij się powiela i nie da się usunąc, antywirusy go nie widzą (mam avasta), firewall też go nie zauważył (kerio sunbelt) ani cała kolekcja programów antymalware (adaware, spybot, a^2, spyware doctor), więc ten fij ciągle coś aktualizuje w internecie, zawiesza, spowalnia transfer i ogólnie działa mi na nerwy. Ponadto odkryłem kilka godzin temu coś nowego - nazywa się isass.exe i też się odradza coś kilka godzin, również żaden z wymienionych programów nie może go znaleźc. Proszę uprzejmie o pomoc...

Wklejam log z hijacka:

Kod: Zaznacz wszystko: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 02:08:03, on 2008-04-03 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.20583) Boot mode: Normal Running processes: D:\WINDOWS\System32\smss.exe D:\WINDOWS\system32\csrss.exe D:\WINDOWS\system32\winlogon.exe D:\WINDOWS\system32\services.exe D:\WINDOWS\system32\lsass.exe D:\WINDOWS\system32\Ati2evxx.exe D:\WINDOWS\system32\svchost.exe D:\WINDOWS\system32\svchost.exe D:\WINDOWS\System32\svchost.exe D:\WINDOWS\system32\svchost.exe D:\WINDOWS\system32\svchost.exe D:\WINDOWS\system32\svchost.exe D:\WINDOWS\system32\Ati2evxx.exe D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe D:\Avast4\aswUpdSv.exe D:\Avast4\ashServ.exe D:\WINDOWS\system32\spoolsv.exe D:\Program Files\a-squared Free\a2service.exe D:\Program Files\Bonjour\mDNSResponder.exe D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe D:\Program Files\BinarySense\HDDlife 3\hldasvc.exe D:\Program Files\BinarySense\HDDlife 3\hldasvc.exe D:\Program Files\Common Files\LightScribe\LSSrvc.exe D:\Program Files\Spyware Doctor\pctsAuxs.exe D:\WINDOWS\Explorer.EXE D:\Program Files\Spyware Doctor\pctsSvc.exe D:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe D:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe D:\Program Files\Analog Devices\Core\smax4pnp.exe D:\Program Files\Google\Gmail Notifier\gnotify.exe D:\Program Files\Java\jre1.6.0_05\bin\jusched.exe d:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE D:\Program Files\DAEMON Tools\daemon.exe D:\Avast4\ashDisp.exe D:\Program Files\Spyware Doctor\pctsTray.exe D:\Program Files\Common Files\InstallShield\UpdateService\issch.exe D:\WINDOWS\system32\ctfmon.exe D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe D:\Program Files\Personal Firewall\kpf4ss.exe D:\WINDOWS\system32\svchost.exe D:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe D:\Program Files\Google\Google Updater\GoogleUpdater.exe d:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe D:\Program Files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe D:\Program Files\PowerQuest\DataKeeper 5.0\DataKeeper.exe D:\Program Files\Personal Firewall\kpf4gui.exe D:\WINDOWS\system32\wbem\wmiprvse.exe D:\Program Files\BinarySense\HDDlife 3\HDDlifePro.exe D:\Avast4\ashMaiSv.exe D:\Avast4\ashWebSv.exe D:\WINDOWS\system32\wscntfy.exe D:\WINDOWS\System32\alg.exe D:\Program Files\Personal Firewall\kpf4gui.exe D:\PROGRA~1\HEWLET~1\Shared\HPQTOA~1.EXE D:\Program Files\Mozilla Firefox\firefox.exe D:\Program Files\Trend Micro\HijackThis\HijackThis.exe D:\WINDOWS\system32\wbem\wmiprvse.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - D:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start O4 - HKLM\..\Run: [SoundMAXPnP] D:\Program Files\Analog Devices\Core\smax4pnp.exe O4 - HKLM\..\Run: [SoundMAX] D:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray O4 - HKLM\..\Run: [StartCCC] d:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] D:\Program Files\Google\Gmail Notifier\gnotify.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [Barsaka] explorer.exe O4 - HKLM\..\Run: [DAEMON Tools] "D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 O4 - HKLM\..\Run: [avast!] D:\Avast4\ashDisp.exe O4 - HKLM\..\Run: [ISTray] "D:\Program Files\Spyware Doctor\pctsTray.exe" O4 - HKLM\..\Run: [ISUSPM Startup] "D:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup O4 - HKLM\..\Run: [ISUSScheduler] "D:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user') O4 - Startup: DataKeeper.lnk = D:\Program Files\PowerQuest\DataKeeper 5.0\DataKeeper.exe O4 - Startup: HDDlife.lnk = D:\Program Files\BinarySense\HDDlife 3\HDDlifePro.exe O4 - Global Startup: Google Updater.lnk = D:\Program Files\Google\Google Updater\GoogleUpdater.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe O18 - Protocol: hddlife - {BD758015-47D9-477A-8873-4B688A2BC0E2} - "D:\Program Files\BinarySense\HDDlife 3\hlAPP.dll" (file missing) O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - D:\Program Files\a-squared Free\a2service.exe O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Avast4\aswUpdSv.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe O23 - Service: avast! Antivirus - ALWIL Software - D:\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Avast4\ashMaiSv.exe O23 - Service: avast! Web Scanner - ALWIL Software - D:\Avast4\ashWebSv.exe O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - D:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - D:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: HDDlife HDD Access service - BinarySense, Inc. - D:\Program Files\BinarySense\HDDlife 3\hldasvc.exe O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - D:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - D:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - D:\Program Files\Spyware Doctor\pctsAuxs.exe O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - D:\Program Files\Spyware Doctor\pctsSvc.exe O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - D:\Program Files\Personal Firewall\kpf4ss.exe O23 - Service: SWIHPWMI - Sierra Wireless Inc. - D:\Program Files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe -- End of file - 8970 bytes

Wklejam log z DSS:

Kod: Zaznacz wszystko: Deckard's System Scanner v20071014.68 Run by autovidol on 2008-04-03 02:10:22 Computer is in Normal Mode. -------------------------------------------------------------------------------- -- System Restore -------------------------------------------------------------- Successfully created a Deckard's System Scanner Restore Point. -- Last 5 Restore Point(s) -- 6: 2008-04-03 00:10:28 UTC - RP175 - Deckard's System Scanner Restore Point 5: 2008-04-01 01:42:02 UTC - RP174 - System Checkpoint 4: 2008-03-30 17:07:21 UTC - RP173 - ComboFix created restore point 3: 2008-03-30 15:22:52 UTC - RP172 - ComboFix created restore point 2: 2008-03-30 14:50:40 UTC - RP171 - ComboFix created restore point -- First Restore Point -- 1: 2008-03-30 10:12:52 UTC - RP170 - System Checkpoint Backed up registry hives. Performed disk cleanup. [color=red]System Drive D: has 10.42 GiB (less than 15%) free.[/color] -- HijackThis (run as autovidol.exe) ------------------------------------------- Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 02:11:11, on 2008-04-03 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.20583) Boot mode: Normal Running processes: D:\WINDOWS\System32\smss.exe D:\WINDOWS\system32\csrss.exe D:\WINDOWS\system32\winlogon.exe D:\WINDOWS\system32\services.exe D:\WINDOWS\system32\lsass.exe D:\WINDOWS\system32\Ati2evxx.exe D:\WINDOWS\system32\svchost.exe D:\WINDOWS\system32\svchost.exe D:\WINDOWS\System32\svchost.exe D:\WINDOWS\system32\svchost.exe D:\WINDOWS\system32\svchost.exe D:\WINDOWS\system32\svchost.exe D:\WINDOWS\system32\Ati2evxx.exe D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe D:\Avast4\aswUpdSv.exe D:\Avast4\ashServ.exe D:\WINDOWS\system32\spoolsv.exe D:\Program Files\a-squared Free\a2service.exe D:\Program Files\Bonjour\mDNSResponder.exe D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe D:\Program Files\BinarySense\HDDlife 3\hldasvc.exe D:\Program Files\BinarySense\HDDlife 3\hldasvc.exe D:\Program Files\Common Files\LightScribe\LSSrvc.exe D:\Program Files\Spyware Doctor\pctsAuxs.exe D:\WINDOWS\Explorer.EXE D:\Program Files\Spyware Doctor\pctsSvc.exe D:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe D:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe D:\Program Files\Analog Devices\Core\smax4pnp.exe D:\Program Files\Google\Gmail Notifier\gnotify.exe D:\Program Files\Java\jre1.6.0_05\bin\jusched.exe d:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE D:\Program Files\DAEMON Tools\daemon.exe D:\Avast4\ashDisp.exe D:\Program Files\Spyware Doctor\pctsTray.exe D:\Program Files\Common Files\InstallShield\UpdateService\issch.exe D:\WINDOWS\system32\ctfmon.exe D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe D:\Program Files\Personal Firewall\kpf4ss.exe D:\WINDOWS\system32\svchost.exe D:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe D:\Program Files\Google\Google Updater\GoogleUpdater.exe d:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe D:\Program Files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe D:\Program Files\PowerQuest\DataKeeper 5.0\DataKeeper.exe D:\Program Files\Personal Firewall\kpf4gui.exe D:\WINDOWS\system32\wbem\wmiprvse.exe D:\Program Files\BinarySense\HDDlife 3\HDDlifePro.exe D:\Avast4\ashMaiSv.exe D:\Avast4\ashWebSv.exe D:\WINDOWS\system32\wscntfy.exe D:\WINDOWS\System32\alg.exe D:\Program Files\Personal Firewall\kpf4gui.exe D:\PROGRA~1\HEWLET~1\Shared\HPQTOA~1.EXE D:\Program Files\Mozilla Firefox\firefox.exe D:\downloady\dss.exe D:\WINDOWS\system32\wbem\wmiprvse.exe D:\PROGRA~1\TRENDM~1\HIJACK~1\autovidol.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - D:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start O4 - HKLM\..\Run: [SoundMAXPnP] D:\Program Files\Analog Devices\Core\smax4pnp.exe O4 - HKLM\..\Run: [SoundMAX] D:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray O4 - HKLM\..\Run: [StartCCC] d:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] D:\Program Files\Google\Gmail Notifier\gnotify.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [Barsaka] explorer.exe O4 - HKLM\..\Run: [DAEMON Tools] "D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 O4 - HKLM\..\Run: [avast!] D:\Avast4\ashDisp.exe O4 - HKLM\..\Run: [ISTray] "D:\Program Files\Spyware Doctor\pctsTray.exe" O4 - HKLM\..\Run: [ISUSPM Startup] "D:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup O4 - HKLM\..\Run: [ISUSScheduler] "D:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user') O4 - Startup: DataKeeper.lnk = D:\Program Files\PowerQuest\DataKeeper 5.0\DataKeeper.exe O4 - Startup: HDDlife.lnk = D:\Program Files\BinarySense\HDDlife 3\HDDlifePro.exe O4 - Global Startup: Google Updater.lnk = D:\Program Files\Google\Google Updater\GoogleUpdater.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe O18 - Protocol: hddlife - {BD758015-47D9-477A-8873-4B688A2BC0E2} - "D:\Program Files\BinarySense\HDDlife 3\hlAPP.dll" (file missing) O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - D:\Program Files\a-squared Free\a2service.exe O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Avast4\aswUpdSv.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe O23 - Service: avast! Antivirus - ALWIL Software - D:\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Avast4\ashMaiSv.exe O23 - Service: avast! Web Scanner - ALWIL Software - D:\Avast4\ashWebSv.exe O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - D:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - D:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: HDDlife HDD Access service - BinarySense, Inc. - D:\Program Files\BinarySense\HDDlife 3\hldasvc.exe O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - D:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - D:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - D:\Program Files\Spyware Doctor\pctsAuxs.exe O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - D:\Program Files\Spyware Doctor\pctsSvc.exe O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - D:\Program Files\Personal Firewall\kpf4ss.exe O23 - Service: SWIHPWMI - Sierra Wireless Inc. - D:\Program Files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe -- End of file - 8981 bytes -- File Associations ----------------------------------------------------------- [color=red].js - JSFile - DefaultIcon - "D:\Program Files\Macromedia\Dreamweaver 8\dreamweaver.exe",2[/color] -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------- R1 PQNTDrv - d:\windows\system32\drivers\pqntdrv.sys <Not Verified; PowerQuest Corporation; PowerQuest product> R2 PQfsmonNT ABE675CA-49DF-11d3-93F6-00104B64D07B (PowerQuest File System Monitor PQfsmonNT ABE675CA-49DF-11d3-93F6-00104B64D07B) - d:\program files\powerquest\datakeeper 5.0\pqfsmonnt.sys <Not Verified; PowerQuest Corp.; Windows NT PQ FileSystem Monitor> -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled -------------------- R2 Bonjour Service (##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##) - "d:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Computer, Inc.; Bonjour> S3 FLEXnet Licensing Service - "d:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)> -- Device Manager: Disabled ---------------------------------------------------- Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318} Description: Modem Device on High Definition Audio Bus Device ID: HDAUDIO\FUNC_02&VEN_11C1&DEV_1040&SUBSYS_103C1378&REV_1002\4&24DD7221&0&0101 Manufacturer: Name: Modem Device on High Definition Audio Bus PNP Device ID: HDAUDIO\FUNC_02&VEN_11C1&DEV_1040&SUBSYS_103C1378&REV_1002\4&24DD7221&0&0101 Service: -- Files created between 2008-03-03 and 2008-04-03 ----------------------------- 2008-03-30 16:37:30 68096 --a------ D:\WINDOWS\system32\zip.exe 2008-03-30 16:37:30 98816 --a------ D:\WINDOWS\system32\sed.exe 2008-03-30 16:37:30 80412 --a------ D:\WINDOWS\system32\grep.exe 2008-03-30 16:37:30 73728 --a------ D:\WINDOWS\system32\fdsv.exe <Not Verified; Smallfrogs Studio; > 2008-03-30 11:49:33 0 d-------- D:\Program Files\Personal Firewall 2008-03-28 20:20:10 0 d-------- D:\Program Files\Trend Micro 2008-03-28 10:54:08 0 d-------- D:\WINDOWS\system32\dk 2008-03-19 10:30:32 0 d-------- D:\Dawn of War - Soulstorm 2008-03-17 22:33:21 0 d-------- D:\AhaView v4.01 2008-03-11 22:36:49 0 d-------- D:\WINDOWS\system32\URTTEMP 2008-03-11 21:06:41 0 d-------- D:\Medieval II Total War 2008-03-07 13:53:07 0 d-------- D:\Program Files\Lavasoft 2008-03-07 13:53:07 0 d-------- D:\Documents and Settings\All Users\Application Data\Lavasoft 2008-03-07 13:52:28 0 d-------- D:\Program Files\Common Files\Wise Installation Wizard 2008-03-04 19:05:28 0 d-------- D:\Program Files\MultiRes 2008-03-04 19:04:47 0 d-------- D:\Program Files\Radeon Omega Drivers 2008-03-04 18:03:47 0 d-------- D:\Documents and Settings\All Users\Application Data\Trymedia 2008-03-03 16:06:00 0 d-------- D:\Documents and Settings\All Users\Application Data\InstallShield -- Find3M Report --------------------------------------------------------------- 2008-04-03 00:37:32 0 d-------- D:\Program Files\a-squared Free 2008-04-02 21:32:13 0 d-------- D:\Documents and Settings\autovidol\Application Data\StarOffice8 2008-03-31 12:32:26 0 d-------- D:\Program Files\Spyware Doctor 2008-03-30 12:02:54 0 d-------- D:\Documents and Settings\autovidol\Application Data\uTorrent 2008-03-30 10:35:24 0 d-------- D:\Program Files\Soulseek 2008-03-29 10:29:02 0 d-------- D:\Program Files\Winamp 2008-03-23 02:12:43 0 d-------- D:\Documents and Settings\autovidol\Application Data\U3 2008-03-19 10:32:36 0 d--h----- D:\Program Files\InstallShield Installation Information 2008-03-18 00:14:46 0 d-------- D:\Documents and Settings\autovidol\Application Data\dvdcss 2008-03-09 04:51:11 0 d-------- D:\Program Files\Java 2008-03-07 13:52:28 0 d-------- D:\Program Files\Common Files 2008-03-07 01:46:20 0 d-------- D:\Program Files\Wiedźmin 2008-03-03 16:04:34 0 d-------- D:\Program Files\Common Files\InstallShield 2008-03-02 20:50:33 0 d-------- D:\Documents and Settings\autovidol\Application Data\ACD Systems 2008-03-02 20:48:02 0 d-------- D:\Program Files\Common Files\ACD Systems 2008-03-02 20:48:00 0 d-------- D:\Program Files\ACD Systems 2008-03-02 18:39:35 0 d-------- D:\Program Files\Bonjour 2008-03-02 18:39:31 0 d-------- D:\Program Files\Common Files\Adobe 2008-03-02 18:24:06 0 d-------- D:\Program Files\Common Files\Macrovision Shared 2008-03-01 13:13:12 0 d-------- D:\Documents and Settings\autovidol\Application Data\Real 2008-02-28 17:13:54 0 d-------- D:\Program Files\AviSynth 2.5 2008-02-27 11:36:20 0 --a------ D:\WINDOWS\PowerReg.dat 2008-02-27 11:34:14 0 d-------- D:\Program Files\Infogrames Interactive 2008-02-19 22:50:08 98304 --a------ D:\WINDOWS\system32\CmdLineExt.dll <Not Verified; Sony DADC Austria AG.; > 2008-02-19 22:45:38 0 d-------- D:\Documents and Settings\autovidol\Application Data\GetRightToGo 2008-02-17 12:02:56 0 d-------- D:\Documents and Settings\autovidol\Application Data\PC Tools 2008-02-16 00:29:13 0 d-------- D:\Documents and Settings\autovidol\Application Data\Adobe 2008-02-14 13:02:30 0 d-------- D:\Program Files\Soulseek-Test 2008-02-13 15:43:52 0 d-------- D:\Program Files\IDoser v4 2008-02-09 20:01:33 0 d-------- D:\Program Files\BrainWave Generator 2008-02-06 18:03:55 0 d-------- D:\Documents and Settings\autovidol\Application Data\Skype 2008-02-04 21:26:34 151040 ---hs---- D:\WINDOWS\system32\VistaUltm.dll -- Registry Dump --------------------------------------------------------------- *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Adobe Reader Speed Launcher"="D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51] "hpWirelessAssistant"="D:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-01-10 15:13] "QlbCtrl"="D:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-05-07 09:47] "SoundMAXPnP"="D:\Program Files\Analog Devices\Core\smax4pnp.exe" [2007-01-05 17:36] "SoundMAX"="D:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2006-07-13 07:12] "StartCCC"="d:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35] "{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="D:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 23:48] "SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25] "NeroFilterCheck"="D:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50] "Barsaka"="explorer.exe" [2007-09-20 06:48 D:\WINDOWS\explorer.exe] "DAEMON Tools"="D:\Program Files\DAEMON Tools\daemon.exe" [2006-11-12 12:48] "avast!"="D:\Avast4\ashDisp.exe" [2008-03-29 19:37] "ISTray"="D:\Program Files\Spyware Doctor\pctsTray.exe" [2008-02-01 13:55] "ISUSPM Startup"="D:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [] "ISUSScheduler"="D:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 17:30] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="D:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56] "SpybotSD TeaTimer"="D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43] [HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce] "ShowDeskFix"=regsvr32 /s /n /i:u shell32 D:\Documents and Settings\autovidol\Start Menu\Programs\Startup\ DataKeeper.lnk - D:\Program Files\PowerQuest\DataKeeper 5.0\DataKeeper.exe [2001-11-15 00:07:22] HDDlife.lnk - D:\Program Files\BinarySense\HDDlife 3\HDDlifePro.exe [2007-06-07 17:14:02] D:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Google Updater.lnk - D:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-10-20 12:12:32] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "DisableRegistryTools"=0 (0x0) "HideLegacyLogonScripts"=0 (0x0) "HideLogoffScripts"=0 (0x0) "RunLogonScriptSync"=1 (0x1) "RunStartupScriptSync"=1 (0x1) "HideStartupScripts"=0 (0x0) [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] "HideLegacyLogonScripts"=0 (0x0) "HideLogoffScripts"=0 (0x0) "RunLogonScriptSync"=1 (0x1) "RunStartupScriptSync"=1 (0x1) "HideStartupScripts"=0 (0x0) [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d5ca72b8-7bbc-11dc-a7f4-ca3ec38d2eff}] AutoRun\command- G:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise.exe open\command- G:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dc4155f8-be1a-11dc-94bf-001a4b6a0d8f}] AutoRun\command- F:\Autoplay.exe *Newly Created Service* - ASWFSBLK *Newly Created Service* - ASWSP [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{08B0E5C0-4FCB-11CF-AAX5-90401C608512}] C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise.exe [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{28ABC5C0-4FCB-11CF-AAX5-81CX1C635612}] C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe

Dziękuję za ewentualną pomoc. Bardzo mi się przyda, bo przez to wieszanie się komputera nie mogę pisac pracy licencjackiej.

**Posty:** 18165 · przez **wojtas** 03 Kwi 2008, 17:20

Wykonaj to co jest podane w tym temacie

Zastosuj SDFix . Po pobraniu uruchom go a rozpakuje się do C:\SDFix. Uruchom komputer w trybie awaryjnym (F8 przy stracie systemu). Będąc w awaryjnym uruchom plik RunThis.bat z folderu SDFixa. Zatwierdź czyszczenie przez Y. Poczekaj aż ukończy i komputer zresetuje

Potem wejdz do folderu C:\SDFix wrzuc zawartość pliku Report.txt + log z combofixa oraz daj loga z hijacka

**Posty:** 14 · przez **autovidol** 04 Kwi 2008, 00:06

Ok, zrobiłem co trzeba:) Zamieszczam poniżej logi z trzech programów:

hijack

Kod: Zaznacz wszystko: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 09:20:34, on 2008-04-04 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.20583) Boot mode: Normal Running processes: D:\WINDOWS\System32\smss.exe D:\WINDOWS\system32\csrss.exe D:\WINDOWS\system32\winlogon.exe D:\WINDOWS\system32\services.exe D:\WINDOWS\system32\lsass.exe D:\WINDOWS\system32\Ati2evxx.exe D:\WINDOWS\system32\svchost.exe D:\WINDOWS\system32\svchost.exe D:\WINDOWS\System32\svchost.exe D:\WINDOWS\system32\svchost.exe D:\WINDOWS\system32\svchost.exe D:\WINDOWS\system32\svchost.exe D:\WINDOWS\system32\Ati2evxx.exe D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe D:\Avast4\aswUpdSv.exe D:\Avast4\ashServ.exe D:\WINDOWS\system32\spoolsv.exe D:\WINDOWS\Explorer.EXE D:\Program Files\a-squared Free\a2service.exe D:\Program Files\Bonjour\mDNSResponder.exe D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe D:\Program Files\BinarySense\HDDlife 3\hldasvc.exe D:\Program Files\BinarySense\HDDlife 3\hldasvc.exe D:\Program Files\Common Files\LightScribe\LSSrvc.exe D:\Program Files\Spyware Doctor\pctsAuxs.exe D:\Program Files\Spyware Doctor\pctsSvc.exe D:\Program Files\Personal Firewall\kpf4ss.exe D:\Program Files\Spyware Doctor\pctsTray.exe D:\WINDOWS\system32\svchost.exe D:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe D:\Program Files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe D:\Program Files\Personal Firewall\kpf4gui.exe D:\WINDOWS\system32\wbem\wmiprvse.exe D:\Avast4\ashMaiSv.exe D:\Avast4\ashWebSv.exe D:\WINDOWS\System32\alg.exe D:\WINDOWS\system32\wscntfy.exe D:\Program Files\Personal Firewall\kpf4gui.exe D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe D:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe D:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe D:\Program Files\Analog Devices\Core\smax4pnp.exe D:\Program Files\Google\Gmail Notifier\gnotify.exe D:\Program Files\Java\jre1.6.0_05\bin\jusched.exe d:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE D:\Program Files\DAEMON Tools\daemon.exe D:\Avast4\ashDisp.exe D:\Program Files\Common Files\InstallShield\UpdateService\issch.exe D:\WINDOWS\system32\ctfmon.exe D:\Program Files\Google\Google Updater\GoogleUpdater.exe D:\Program Files\PowerQuest\DataKeeper 5.0\DataKeeper.exe d:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe D:\Program Files\BinarySense\HDDlife 3\HDDlifePro.exe D:\PROGRA~1\HEWLET~1\Shared\HPQTOA~1.EXE D:\WINDOWS\system32\wbem\wmiprvse.exe D:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - D:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start O4 - HKLM\..\Run: [SoundMAXPnP] D:\Program Files\Analog Devices\Core\smax4pnp.exe O4 - HKLM\..\Run: [SoundMAX] D:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray O4 - HKLM\..\Run: [StartCCC] d:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] D:\Program Files\Google\Gmail Notifier\gnotify.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [Barsaka] explorer.exe O4 - HKLM\..\Run: [DAEMON Tools] "D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 O4 - HKLM\..\Run: [avast!] D:\Avast4\ashDisp.exe O4 - HKLM\..\Run: [ISUSPM Startup] "D:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup O4 - HKLM\..\Run: [ISUSScheduler] "D:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [ISTray] "D:\Program Files\Spyware Doctor\pctsTray.exe" O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user') O4 - Startup: DataKeeper.lnk = D:\Program Files\PowerQuest\DataKeeper 5.0\DataKeeper.exe O4 - Startup: HDDlife.lnk = D:\Program Files\BinarySense\HDDlife 3\HDDlifePro.exe O4 - Global Startup: Google Updater.lnk = D:\Program Files\Google\Google Updater\GoogleUpdater.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe O18 - Protocol: hddlife - {BD758015-47D9-477A-8873-4B688A2BC0E2} - "D:\Program Files\BinarySense\HDDlife 3\hlAPP.dll" (file missing) O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - D:\Program Files\a-squared Free\a2service.exe O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Avast4\aswUpdSv.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe O23 - Service: avast! Antivirus - ALWIL Software - D:\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Avast4\ashMaiSv.exe O23 - Service: avast! Web Scanner - ALWIL Software - D:\Avast4\ashWebSv.exe O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - D:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - D:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: HDDlife HDD Access service - BinarySense, Inc. - D:\Program Files\BinarySense\HDDlife 3\hldasvc.exe O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - D:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - D:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - D:\Program Files\Spyware Doctor\pctsAuxs.exe O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - D:\Program Files\Spyware Doctor\pctsSvc.exe O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - D:\Program Files\Personal Firewall\kpf4ss.exe O23 - Service: SWIHPWMI - Sierra Wireless Inc. - D:\Program Files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe -- End of file - 8923 bytes

COMBOfix

Kod: Zaznacz wszystko: ComboFix 08-04-02.1 - autovidol 2008-04-04 9:25:08.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1250.1.1033.18.1443 [GMT 2:00] Running from: D:\downloady\ComboFix.exe * Created a new restore point [color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color] . ((((((((((((((((((((((((( Files Created from 2008-03-04 to 2008-04-04 ))))))))))))))))))))))))))))))) . 2008-04-04 08:39 . 2008-04-04 09:18 <DIR> d-------- D:\SDFix 2008-04-04 08:25 . 2006-10-11 23:44 55,296 --a------ D:\Seconfig XP.exe 2008-04-03 17:46 . 2008-04-03 17:46 <DIR> d-------- D:\WINDOWS\ERUNT 2008-04-03 17:43 . 2004-08-04 00:56 21,504 --a------ D:\WINDOWS\system32\hidserv.dll 2008-04-03 02:09 . 2008-04-03 02:09 <DIR> d-------- D:\Deckard 2008-04-02 20:44 . 2008-03-29 19:31 75,856 --a------ D:\WINDOWS\system32\drivers\aswSP.sys 2008-04-02 20:44 . 2008-03-29 19:35 20,560 --a------ D:\WINDOWS\system32\drivers\aswFsBlk.sys 2008-03-30 19:21 . 2008-03-30 19:21 <DIR> d-------- D:\_OTMoveIt 2008-03-30 19:12 . 2008-03-30 19:16 754 --a------ D:\WINDOWS\WORDPAD.INI 2008-03-30 19:03 . 2008-04-04 08:41 4,336 --a------ D:\WINDOWS\system32\drivers\fwdrv.err 2008-03-30 11:49 . 2008-04-04 09:23 <DIR> d-------- D:\Program Files\Personal Firewall 2008-03-28 20:20 . 2008-03-28 20:20 <DIR> d-------- D:\Program Files\Trend Micro 2008-03-28 16:09 . 2008-03-28 16:09 <DIR> d-------- D:\WINDOWS\system32\config\systemprofile\Application Data\PC Tools 2008-03-28 10:54 . 2008-03-28 19:17 <DIR> d-------- D:\WINDOWS\system32\dk 2008-03-19 20:16 . 2004-08-04 00:01 25,856 --a------ D:\WINDOWS\system32\drivers\usbprint.sys 2008-03-19 20:16 . 2004-08-04 00:01 25,856 --a--c--- D:\WINDOWS\system32\dllcache\usbprint.sys 2008-03-19 10:30 . 2008-03-30 21:39 <DIR> d-------- D:\Dawn of War - Soulstorm 2008-03-19 02:16 . 2008-03-29 23:47 54,156 --ah----- D:\WINDOWS\QTFont.qfn 2008-03-19 02:16 . 2008-03-19 02:16 1,409 --a------ D:\WINDOWS\QTFont.for 2008-03-11 22:36 . 2008-03-11 22:36 <DIR> d-------- D:\WINDOWS\system32\URTTEMP 2008-03-11 21:06 . 2008-04-03 11:34 <DIR> d-------- D:\Medieval II Total War 2008-03-07 13:53 . 2008-03-07 13:53 <DIR> d-------- D:\Program Files\Lavasoft 2008-03-07 13:53 . 2008-03-07 13:54 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Lavasoft 2008-03-07 13:52 . 2008-03-07 13:52 <DIR> d-------- D:\Program Files\Common Files\Wise Installation Wizard 2008-03-04 19:05 . 2008-03-04 19:05 <DIR> d-------- D:\Program Files\MultiRes 2008-03-04 19:04 . 2008-03-04 19:04 <DIR> d-------- D:\Program Files\Radeon Omega Drivers 2008-03-04 19:04 . 2008-03-04 19:04 451,072 --a------ D:\WINDOWS\Radeon Omega Drivers v3.8.421 Uninstall.exe 2008-03-04 18:03 . 2008-03-04 18:03 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Trymedia . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-04-04 07:22 --------- d---a-w D:\Documents and Settings\All Users\Application Data\TEMP 2008-04-04 00:51 --------- d-----w D:\Program Files\a-squared Free 2008-04-03 14:49 --------- d-----w D:\Documents and Settings\All Users\Application Data\Google Updater 2008-04-03 08:44 --------- d-----w D:\Program Files\Spyware Doctor 2008-04-03 05:30 --------- d-----w D:\Documents and Settings\autovidol\Application Data\StarOffice8 2008-03-30 10:02 --------- d-----w D:\Documents and Settings\autovidol\Application Data\uTorrent 2008-03-30 08:35 --------- d-----w D:\Program Files\Soulseek 2008-03-29 17:45 1,146,232 ----a-w D:\WINDOWS\system32\aswBoot.exe 2008-03-29 17:35 94,544 ----a-w D:\WINDOWS\system32\drivers\aswmon2.sys 2008-03-29 17:29 23,152 ----a-w D:\WINDOWS\system32\drivers\aswRdr.sys 2008-03-29 17:27 42,912 ----a-w D:\WINDOWS\system32\drivers\aswTdi.sys 2008-03-29 17:26 26,944 ----a-w D:\WINDOWS\system32\drivers\aavmker4.sys 2008-03-29 17:23 95,608 ----a-w D:\WINDOWS\system32\AvastSS.scr 2008-03-29 08:29 --------- d-----w D:\Program Files\Winamp 2008-03-23 00:12 --------- d-----w D:\Documents and Settings\autovidol\Application Data\U3 2008-03-19 08:32 --------- d--h--w D:\Program Files\InstallShield Installation Information 2008-03-17 22:14 --------- d-----w D:\Documents and Settings\autovidol\Application Data\dvdcss 2008-03-09 02:51 --------- d-----w D:\Program Files\Java 2008-03-06 23:46 --------- d-----w D:\Program Files\Wiedźmin 2008-03-03 14:06 --------- d-----w D:\Documents and Settings\All Users\Application Data\InstallShield 2008-03-03 14:04 --------- d-----w D:\Program Files\Common Files\InstallShield 2008-03-02 18:50 --------- d-----w D:\Documents and Settings\autovidol\Application Data\ACD Systems 2008-03-02 18:48 --------- d-----w D:\Program Files\Common Files\ACD Systems 2008-03-02 18:48 --------- d-----w D:\Program Files\ACD Systems 2008-03-02 18:47 --------- d-----w D:\Documents and Settings\All Users\Application Data\ACD Systems 2008-03-02 16:39 --------- d-----w D:\Program Files\Common Files\Adobe 2008-03-02 16:39 --------- d-----w D:\Program Files\Bonjour 2008-03-02 16:24 --------- d-----w D:\Program Files\Common Files\Macrovision Shared 2008-02-28 15:13 --------- d-----w D:\Program Files\AviSynth 2.5 2008-02-27 09:34 --------- d-----w D:\Program Files\Infogrames Interactive 2008-02-19 20:50 98,304 ----a-w D:\WINDOWS\system32\CmdLineExt.dll 2008-02-19 20:45 --------- d-----w D:\Documents and Settings\autovidol\Application Data\GetRightToGo 2008-02-17 20:38 --------- d-----w D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy 2008-02-17 20:03 --------- d-----w D:\Program Files\Spybot - Search & Destroy 2008-02-17 10:02 --------- d-----w D:\Documents and Settings\autovidol\Application Data\PC Tools 2008-02-14 11:02 --------- d-----w D:\Program Files\Soulseek-Test 2008-02-13 13:43 --------- d-----w D:\Program Files\IDoser v4 2008-02-09 18:01 --------- d-----w D:\Program Files\BrainWave Generator 2008-02-06 16:03 --------- d-----w D:\Documents and Settings\autovidol\Application Data\Skype 2008-02-04 19:26 151,040 --sh--w D:\WINDOWS\system32\VistaUltm.dll 2007-11-20 19:46 0 ----a-w D:\Program Files\izWrTe2842.tmp 2006-05-03 10:06 163,328 --sh--r D:\WINDOWS\system32\flvDX.dll 2007-02-21 11:47 31,232 --sh--r D:\WINDOWS\system32\msfDX.dll 2007-12-17 13:43 27,648 --sh--w D:\WINDOWS\system32\Smab0.dll 2007-10-16 08:59 32,768 --sha-w D:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012007101620071017\index.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="D:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360] "SpybotSD TeaTimer"="D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Adobe Reader Speed Launcher"="D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51 39792] "hpWirelessAssistant"="D:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-01-10 15:13 472776] "QlbCtrl"="D:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-05-07 09:47 159744] "SoundMAXPnP"="D:\Program Files\Analog Devices\Core\smax4pnp.exe" [2007-01-05 17:36 872448] "SoundMAX"="D:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2006-07-13 07:12 729088] "StartCCC"="d:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112] "{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="D:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 23:48 479232] "SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784] "NeroFilterCheck"="D:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648] "Barsaka"="explorer.exe" [2007-09-20 06:48 1033216 D:\WINDOWS\explorer.exe] "DAEMON Tools"="D:\Program Files\DAEMON Tools\daemon.exe" [2006-11-12 12:48 157592] "avast!"="D:\Avast4\ashDisp.exe" [2008-03-29 19:37 79224] "ISUSPM Startup"="D:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [ ] "ISUSScheduler"="D:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 17:30 81920] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="D:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 01:56 15360] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce] "ShowDeskFix"="regsvr32 /s /n /i:u shell32" [] D:\Documents and Settings\autovidol\Start Menu\Programs\Startup\ DataKeeper.lnk - D:\Program Files\PowerQuest\DataKeeper 5.0\DataKeeper.exe [2001-11-15 00:07:22 831488] HDDlife.lnk - D:\Program Files\BinarySense\HDDlife 3\HDDlifePro.exe [2007-06-07 17:14:02 722306] D:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Google Updater.lnk - D:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-10-20 12:12:32 126136] [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "%windir%\\system32\\sessmgr.exe"= "D:\\Program Files\\uTorrent\\uTorrent.exe"= "D:\\Program Files\\Bonjour\\mDNSResponder.exe"= "D:\\Program Files\\Sierra\\FEAR\\FEAR.exe"= "D:\\Program Files\\Sierra\\FEAR\\FEARMP.exe"= "D:\\Program Files\\Sierra\\FEAR\\FEARXP\\FEARXP.exe"= "D:\\Program Files\\Skype\\Phone\\Skype.exe"= R1 aswSP;avast! Self Protection;D:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 19:31] R1 fwdrv;Firewall Driver;D:\WINDOWS\system32\drivers\fwdrv.sys [2007-04-26 10:21] R1 khips;Kerio HIPS Driver;D:\WINDOWS\system32\drivers\khips.sys [2007-04-26 10:21] R2 aswFsBlk;aswFsBlk;D:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 19:35] R2 HDDlife HDD Access service;HDDlife HDD Access service;"D:\Program Files\BinarySense\HDDlife 3\hldasvc.exe" [2007-06-07 17:09] R2 PQfsmonNT ABE675CA-49DF-11d3-93F6-00104B64D07B;PowerQuest File System Monitor PQfsmonNT ABE675CA-49DF-11d3-93F6-00104B64D07B;D:\Program Files\PowerQuest\DataKeeper 5.0\PqFsmonNt.sys [2002-07-12 15:31] R2 SPF4;Sunbelt Personal Firewall 4;"D:\Program Files\Personal Firewall\kpf4ss.exe" [2007-04-26 10:21] R2 SWIHPWMI;SWIHPWMI;D:\Program Files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe [2006-12-04 16:13] [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{08B0E5C0-4FCB-11CF-AAX5-90401C608512}] C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise.exe [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{28ABC5C0-4FCB-11CF-AAX5-81CX1C635612}] C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe . ************************************************************************** catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-04-04 09:29:24 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2008-04-04 9:30:59 ComboFix-quarantined-files.txt 2008-04-04 07:30:53 ComboFix2.txt 2008-04-03 21:51:50 Pre-Run: 19,121,463,296 bytes free Post-Run: 19,111,215,104 bytes free

SDfix

Kod: Zaznacz wszystko: [b]SDFix: Version 1.165 [/b] Run by autovidol on 2008-04-04 at 08:55 Microsoft Windows XP [Version 5.1.2600] Running From: D:\SDFix [b]Checking Services [/b]: Restoring Windows Registry Values Restoring Windows Default Hosts File Rebooting [b]Checking Files [/b]: No Trojan Files Found Removing Temp Files [b]ADS Check [/b]: [b]Final Check [/b]: catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-04-04 09:14:11 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... IPC error: 2 The system cannot find the file specified. scanning hidden services & system hive ... [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg] "s1"=dword:2df9c43f "s2"=dword:110480d0 "h0"=dword:00000002 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC] "h0"=dword:00000000 "hdf12"=hex:be,d6,23,8f,c9,b5,04,ee,9d,08,af,41,f3,e0,b4,95,10,ad,8e,be,ba,.. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4] "p0"="D:\Program Files\DAEMON Tools\" "h0"=dword:00000001 "khjeh"=hex:44,36,9c,2b,42,aa,c1,d3,09,cf,a1,dd,c3,c5,e6,56,0b,e0,0d,31,d7,.. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001] "a0"=hex:20,01,00,00,25,e4,79,cc,12,4d,1c,8e,6d,6e,bb,bb,e3,cd,62,02,db,.. "khjeh"=hex:69,8d,4f,cb,b5,18,68,c5,05,d3,a2,ee,99,91,ac,b3,96,f8,19,8f,d8,.. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40] "khjeh"=hex:62,a8,e5,0a,47,db,c9,53,6e,7b,c7,90,e6,85,a2,32,b7,cb,03,de,c1,.. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC] "h0"=dword:00000000 "hdf12"=hex:be,d6,23,8f,c9,b5,04,ee,9d,08,af,41,f3,e0,b4,95,10,ad,8e,be,ba,.. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4] "p0"="D:\Program Files\DAEMON Tools\" "h0"=dword:00000001 "khjeh"=hex:44,36,9c,2b,42,aa,c1,d3,09,cf,a1,dd,c3,c5,e6,56,0b,e0,0d,31,d7,.. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001] "a0"=hex:20,01,00,00,25,e4,79,cc,12,4d,1c,8e,6d,6e,bb,bb,e3,cd,62,02,db,.. "khjeh"=hex:69,8d,4f,cb,b5,18,68,c5,05,d3,a2,ee,99,91,ac,b3,96,f8,19,8f,d8,.. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40] "khjeh"=hex:62,a8,e5,0a,47,db,c9,53,6e,7b,c7,90,e6,85,a2,32,b7,cb,03,de,c1,.. scanning hidden registry entries ... [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher] "TracesProcessed"=dword:00000073 "TracesSuccessful"=dword:0000004f scanning hidden files ... scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 [b]Remaining Services [/b]: Authorized Application Key Export: [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list] "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000" "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" "D:\\Program Files\\uTorrent\\uTorrent.exe"="D:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:uTorrent" "D:\\Program Files\\Bonjour\\mDNSResponder.exe"="D:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour" "D:\\Program Files\\Sierra\\FEAR\\FEAR.exe"="D:\\Program Files\\Sierra\\FEAR\\FEAR.exe:*:Enabled:FEAR" "D:\\Program Files\\Sierra\\FEAR\\FEARMP.exe"="D:\\Program Files\\Sierra\\FEAR\\FEARMP.exe:*:Enabled:FEAR" "D:\\Program Files\\Sierra\\FEAR\\FEARXP\\FEARXP.exe"="D:\\Program Files\\Sierra\\FEAR\\FEARXP\\FEARXP.exe:*:Enabled:FEARXP" "D:\\Program Files\\Skype\\Phone\\Skype.exe"="D:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype" [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list] "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000" "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" [b]Remaining Files [/b]: File Backups: - D:\SDFix\backups\backups.zip [b]Files with Hidden Attributes [/b]: Sun 26 Jun 2005 616,448 ..SHR --- "D:\SUPERencoder\cygwin1.dll" Tue 21 Jun 2005 45,568 ..SHR --- "D:\SUPERencoder\cygz.dll" Thu 28 Feb 2008 72,704 ..SHR --- "D:\SUPERencoder\Setup.exe" Fri 27 Oct 2006 16,384 A.SHR --- "D:\SUPERencoder\_Setup.dll" Mon 28 Jan 2008 1,404,240 A.SHR --- "D:\Program Files\Spybot - Search & Destroy\SDUpdate.exe" Mon 28 Jan 2008 5,146,448 A.SHR --- "D:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" Mon 28 Jan 2008 2,097,488 A.SHR --- "D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" Tue 4 Jun 2002 84,992 ...HR --- "D:\SUPERencoder\mencoder\14_43260.dll" Tue 4 Jun 2002 44,032 ...HR --- "D:\SUPERencoder\mencoder\28_83260.dll" Tue 10 Dec 2002 73,766 ...HR --- "D:\SUPERencoder\mencoder\atrc3260.dll" Tue 10 Dec 2002 65,575 ...HR --- "D:\SUPERencoder\mencoder\cook3260.dll" Sun 9 Jun 2002 36,864 ...HR --- "D:\SUPERencoder\mencoder\ddnt3260.dll" Tue 4 Jun 2002 20,480 ...HR --- "D:\SUPERencoder\mencoder\dnet3260.dll" Tue 10 Dec 2002 102,437 ...HR --- "D:\SUPERencoder\mencoder\drv13260.dll" Tue 10 Dec 2002 176,165 ...HR --- "D:\SUPERencoder\mencoder\drv23260.dll" Tue 10 Dec 2002 208,935 ...HR --- "D:\SUPERencoder\mencoder\drv33260.dll" Tue 10 Dec 2002 217,127 ...HR --- "D:\SUPERencoder\mencoder\drv43260.dll" Sun 9 Jun 2002 40,448 ...HR --- "D:\SUPERencoder\mencoder\dspr3260.dll" Sun 4 Nov 2001 225,280 ...HR --- "D:\SUPERencoder\mencoder\ivvideo.dll" Tue 10 Apr 2001 225,280 ...HR --- "D:\SUPERencoder\mencoder\qtmlClient.dll" Fri 20 Feb 2004 232,960 ...HR --- "D:\SUPERencoder\mencoder\raac.dll" Sun 9 Jun 2002 525,824 ...HR --- "D:\SUPERencoder\mencoder\rnco3260.dll" Tue 10 Dec 2002 245,805 ...HR --- "D:\SUPERencoder\mencoder\rnlt3260.dll" Tue 10 Dec 2002 45,093 ...HR --- "D:\SUPERencoder\mencoder\rv103260.dll" Tue 10 Dec 2002 98,341 ...HR --- "D:\SUPERencoder\mencoder\rv203260.dll" Tue 10 Dec 2002 94,247 ...HR --- "D:\SUPERencoder\mencoder\rv303260.dll" Tue 10 Dec 2002 90,151 ...HR --- "D:\SUPERencoder\mencoder\rv403260.dll" Tue 10 Dec 2002 102,439 ...HR --- "D:\SUPERencoder\mencoder\sipr3260.dll" Sun 9 Jun 2002 49,152 ...HR --- "D:\SUPERencoder\mencoder\tokr3260.dll" Wed 3 May 2006 163,328 ..SHR --- "D:\WINDOWS\system32\flvDX.dll" Wed 21 Feb 2007 31,232 ..SHR --- "D:\WINDOWS\system32\msfDX.dll" Mon 17 Dec 2007 27,648 ..SH. --- "D:\WINDOWS\system32\Smab0.dll" Mon 4 Feb 2008 151,040 ..SH. --- "D:\WINDOWS\system32\VistaUltm.dll" [b]Finished![/b]

Z tego co zrozumiałem sdfix nie wykrył żadnego spyware, ale ciągle pokazuje się co jakieś pięc minut okienko aktualizacji jakiegoś programu do folderu C:\RECYCLERS (w tym wypadku C nie jest moim dyskiem systemowym, ale małą partycją na której przez pomyłkę umieściłem starą wersję xpka, z której nie korzystam).

Jeśli chodzi o fijiefj.exe to od zamknięcia portów, albo sdfixa już się nie pokazał. dwie godziny temu na C zagnieździł się jeszcze sfsf.exe, który jak wyczytałem również jest groźnym spywarem, ale po przeleceniu skanerami i fizycznym skasowaniu już się nie pojawił.

[ Dodano: Dzisiaj o 10:38 ]
To tak, ciągle (teraz nawet częściej, mniej więcej co 15 sekund) wyskakuje okienko "Setting up personal settings. aktualizacja do C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013"

Programy tego nie wykrywają, w powyższym folderze nic nie ma, ukrytego też. Internet spowolnił do tempa ślimaczego, mam problemy z wysłaniem tego posta.

[ Dodano: Dzisiaj o 11:18 ]
komputer w tej chwili praktycznie wyrwał się spod kontroli. Okienko personalized settings for c:\recycler... wyskakuje co chwilę, strony otwierają się przez trzy cztery minuty, niektóre w ogóle się nie otwierają. Poza tym chciałem ściągnac windows malicious software removal tool w nadziei że to coś pomoże, ale ściąganie zatrzymało się w połowie i nie chce ruszyc. Anty-malware'y wykrywają po kilka wpisów w rejestrze ale problemu z c:\recycler nic nie rusza. Na dodatek na komputerze współlokatorki podobnie internet się zepsił, podejrzewam że też ma nieźle zawirusiony. pomocy!!!!

**Posty:** 18165 · przez **wojtas** 04 Kwi 2008, 17:24

Wyłącz przywracanie systemu ( właściwości mój komputer-zakładka przywracanie - wyłącz przywracanie na wszystkich dyskach) po chwili włacz

skasuj wpis:

O4 - HKLM\..\Run: [Barsaka] explorer.exe

te plik/i :

D:\WINDOWS\system32\VistaUltm.dll
D:\Program Files\izWrTe2842.tmp
D:\WINDOWS\system32\flvDX.dll
D:\WINDOWS\system32\msfDX.dll
D:\WINDOWS\system32\Smab0.dll

Jeśli nie będą widoczne, to najpierw usuń atrybuty ochronne:
>>Start>>Panel Sterowania>>Opcje Folderów>>Widok>>usuń zaznaczenie przy "Ukryj chronione pliki systemowe">
>zaznacz przy "Pokaż ukryte pliki">>Zastosuj>>OK.

przesaknuj tu

http://virusscan.jotti.org/
http://www.virustotal.com/

i zapisz sobie raporty ze skanów

Otworz notatnik i wklej w nim to:

Folder::
C:\WINDOWS\system32\dk

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{08B0E5C0-4FCB-11CF-AAX5-90401C608512}]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{28ABC5C0-4FCB-11CF-AAX5-81CX1C635612}]

Plik >>> zapisz jako CFScript.txt .Plik przeciągnij i upuść na ikonę ComboFixa (tak jak tu ) . odczekaj az wygeneruje sie nowy log i go daj na forum oraz tamte raporty ; jesli sie nie zmiesci na forum wrzuc na jakis serwer

**Posty:** 14 · przez **autovidol** 05 Kwi 2008, 17:03

Miałem problem ze skanerami online, które podałeś: one skanują wyłącznie pojedyncze pliki, ale uruchomiłem symantec online scanner, który niestety nie generuje raportu, ale podał że mam dwie infekcje wirusowe:

D:\WINDOWS\system32\dk\lmz2.bmp is infected with IRC Trojan
D:\WINDOWS\system32\dk\lmz3.bmp is infected with IRC Trojan

ponadto zamieszczam loga z combofix:

Kod: Zaznacz wszystko: ComboFix 08-04-02.1 - autovidol 2008-04-05 16:45:24.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1250.1.1033.18.1369 [GMT 2:00] Running from: D:\ComboFix.exe Command switches used :: D:\CFScript.txt * Created a new restore point [color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color] . ((((((((((((((((((((((((( Files Created from 2008-03-05 to 2008-04-05 ))))))))))))))))))))))))))))))) . 2008-04-04 20:50 . 2008-04-04 20:51 <DIR> d-------- D:\WINDOWS\LastGood 2008-04-04 18:53 . 2008-04-04 19:13 <DIR> d-------- D:\Documents and Settings\autovidol\.housecall6.6 2008-04-04 08:39 . 2008-04-04 09:18 <DIR> d-------- D:\SDFix 2008-04-04 08:25 . 2006-10-11 23:44 55,296 --a------ D:\Seconfig XP.exe 2008-04-03 17:46 . 2008-04-03 17:46 <DIR> d-------- D:\WINDOWS\ERUNT 2008-04-03 17:43 . 2004-08-04 00:56 21,504 --a------ D:\WINDOWS\system32\hidserv.dll 2008-04-03 17:24 . 2008-04-03 17:24 1,607,387 --a------ D:\ComboFix.exe 2008-04-03 02:09 . 2008-04-03 02:09 <DIR> d-------- D:\Deckard 2008-04-02 20:44 . 2008-03-29 19:31 75,856 --a------ D:\WINDOWS\system32\drivers\aswSP.sys 2008-04-02 20:44 . 2008-03-29 19:35 20,560 --a------ D:\WINDOWS\system32\drivers\aswFsBlk.sys 2008-03-30 19:21 . 2008-03-30 19:21 <DIR> d-------- D:\_OTMoveIt 2008-03-30 19:12 . 2008-03-30 19:16 754 --a------ D:\WINDOWS\WORDPAD.INI 2008-03-30 19:03 . 2008-04-04 18:31 4,757 --a------ D:\WINDOWS\system32\drivers\fwdrv.err 2008-03-30 11:49 . 2008-04-04 09:23 <DIR> d-------- D:\Program Files\Personal Firewall 2008-03-28 20:20 . 2008-03-28 20:20 <DIR> d-------- D:\Program Files\Trend Micro 2008-03-28 10:54 . 2008-03-28 19:17 <DIR> d-------- D:\WINDOWS\system32\dk 2008-03-19 20:16 . 2004-08-04 00:01 25,856 --a------ D:\WINDOWS\system32\drivers\usbprint.sys 2008-03-19 20:16 . 2004-08-04 00:01 25,856 --a--c--- D:\WINDOWS\system32\dllcache\usbprint.sys 2008-03-19 10:30 . 2008-03-30 21:39 <DIR> d-------- D:\Dawn of War - Soulstorm 2008-03-19 02:16 . 2008-03-29 23:47 54,156 --ah----- D:\WINDOWS\QTFont.qfn 2008-03-19 02:16 . 2008-03-19 02:16 1,409 --a------ D:\WINDOWS\QTFont.for 2008-03-17 22:33 . 2008-03-17 22:33 <DIR> d-------- D:\AhaView v4.01 2008-03-11 22:36 . 2008-03-11 22:36 <DIR> d-------- D:\WINDOWS\system32\URTTEMP 2008-03-11 21:06 . 2008-04-03 11:34 <DIR> d-------- D:\Medieval II Total War 2008-03-07 13:53 . 2008-03-07 13:53 <DIR> d-------- D:\Program Files\Lavasoft 2008-03-07 13:53 . 2008-03-07 13:54 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Lavasoft 2008-03-07 13:52 . 2008-03-07 13:52 <DIR> d-------- D:\Program Files\Common Files\Wise Installation Wizard . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-04-05 14:43 --------- d---a-w D:\Documents and Settings\All Users\Application Data\TEMP 2008-04-05 14:35 --------- d-----w D:\Documents and Settings\autovidol\Application Data\StarOffice8 2008-04-04 16:22 --------- d-----w D:\Documents and Settings\All Users\Application Data\Google Updater 2008-04-04 10:32 --------- d-----w D:\Program Files\Windows Media Connect 2 2008-04-04 00:51 --------- d-----w D:\Program Files\a-squared Free 2008-04-03 08:44 --------- d-----w D:\Program Files\Spyware Doctor 2008-03-30 10:02 --------- d-----w D:\Documents and Settings\autovidol\Application Data\uTorrent 2008-03-30 08:35 --------- d-----w D:\Program Files\Soulseek 2008-03-29 17:45 1,146,232 ----a-w D:\WINDOWS\system32\aswBoot.exe 2008-03-29 17:35 94,544 ----a-w D:\WINDOWS\system32\drivers\aswmon2.sys 2008-03-29 17:29 23,152 ----a-w D:\WINDOWS\system32\drivers\aswRdr.sys 2008-03-29 17:27 42,912 ----a-w D:\WINDOWS\system32\drivers\aswTdi.sys 2008-03-29 17:26 26,944 ----a-w D:\WINDOWS\system32\drivers\aavmker4.sys 2008-03-29 17:23 95,608 ----a-w D:\WINDOWS\system32\AvastSS.scr 2008-03-29 08:29 --------- d-----w D:\Program Files\Winamp 2008-03-23 00:12 --------- d-----w D:\Documents and Settings\autovidol\Application Data\U3 2008-03-19 08:32 --------- d--h--w D:\Program Files\InstallShield Installation Information 2008-03-17 22:14 --------- d-----w D:\Documents and Settings\autovidol\Application Data\dvdcss 2008-03-09 02:51 --------- d-----w D:\Program Files\Java 2008-03-06 23:46 --------- d-----w D:\Program Files\Wiedźmin 2008-03-04 17:05 --------- d-----w D:\Program Files\MultiRes 2008-03-04 17:04 451,072 ----a-w D:\WINDOWS\Radeon Omega Drivers v3.8.421 Uninstall.exe 2008-03-04 17:04 --------- d-----w D:\Program Files\Radeon Omega Drivers 2008-03-04 16:03 --------- d-----w D:\Documents and Settings\All Users\Application Data\Trymedia 2008-03-03 14:06 --------- d-----w D:\Documents and Settings\All Users\Application Data\InstallShield 2008-03-03 14:04 --------- d-----w D:\Program Files\Common Files\InstallShield 2008-03-02 18:50 --------- d-----w D:\Documents and Settings\autovidol\Application Data\ACD Systems 2008-03-02 18:48 --------- d-----w D:\Program Files\Common Files\ACD Systems 2008-03-02 18:48 --------- d-----w D:\Program Files\ACD Systems 2008-03-02 18:47 --------- d-----w D:\Documents and Settings\All Users\Application Data\ACD Systems 2008-03-02 16:39 --------- d-----w D:\Program Files\Common Files\Adobe 2008-03-02 16:24 --------- d-----w D:\Program Files\Common Files\Macrovision Shared 2008-02-28 15:13 --------- d-----w D:\Program Files\AviSynth 2.5 2008-02-27 09:34 --------- d-----w D:\Program Files\Infogrames Interactive 2008-02-19 20:50 98,304 ----a-w D:\WINDOWS\system32\CmdLineExt.dll 2008-02-17 20:38 --------- d-----w D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy 2008-02-17 20:03 --------- d-----w D:\Program Files\Spybot - Search & Destroy 2008-02-17 10:02 --------- d-----w D:\Documents and Settings\autovidol\Application Data\PC Tools 2008-02-14 11:02 --------- d-----w D:\Program Files\Soulseek-Test 2008-02-13 13:43 --------- d-----w D:\Program Files\IDoser v4 2008-02-09 18:01 --------- d-----w D:\Program Files\BrainWave Generator 2008-02-06 16:03 --------- d-----w D:\Documents and Settings\autovidol\Application Data\Skype 2007-10-16 08:59 32,768 --sha-w D:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012007101620071017\index.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SpybotSD TeaTimer"="D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Adobe Reader Speed Launcher"="D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51 39792] "hpWirelessAssistant"="D:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-01-10 15:13 472776] "QlbCtrl"="D:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-05-07 09:47 159744] "SoundMAXPnP"="D:\Program Files\Analog Devices\Core\smax4pnp.exe" [2007-01-05 17:36 872448] "SoundMAX"="D:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2006-07-13 07:12 729088] "StartCCC"="d:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112] "{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="D:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 23:48 479232] "SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784] "NeroFilterCheck"="D:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648] "DAEMON Tools"="D:\Program Files\DAEMON Tools\daemon.exe" [2006-11-12 12:48 157592] "avast!"="D:\Avast4\ashDisp.exe" [2008-03-29 19:37 79224] "ISUSPM Startup"="D:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [ ] "ISUSScheduler"="D:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 17:30 81920] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="D:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 01:56 15360] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce] "ShowDeskFix"="regsvr32 /s /n /i:u shell32" [] D:\Documents and Settings\autovidol\Start Menu\Programs\Startup\ DataKeeper.lnk - D:\Program Files\PowerQuest\DataKeeper 5.0\DataKeeper.exe [2001-11-15 00:07:22 831488] HDDlife.lnk - D:\Program Files\BinarySense\HDDlife 3\HDDlifePro.exe [2007-06-07 17:14:02 722306] D:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Google Updater.lnk - D:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-10-20 12:12:32 126136] [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "%windir%\\system32\\sessmgr.exe"= "D:\\Program Files\\uTorrent\\uTorrent.exe"= "D:\\Program Files\\Sierra\\FEAR\\FEAR.exe"= "D:\\Program Files\\Sierra\\FEAR\\FEARMP.exe"= "D:\\Program Files\\Sierra\\FEAR\\FEARXP\\FEARXP.exe"= "D:\\Program Files\\Skype\\Phone\\Skype.exe"= R1 aswSP;avast! Self Protection;D:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 19:31] R1 fwdrv;Firewall Driver;D:\WINDOWS\system32\drivers\fwdrv.sys [2007-04-26 10:21] R1 khips;Kerio HIPS Driver;D:\WINDOWS\system32\drivers\khips.sys [2007-04-26 10:21] R2 aswFsBlk;aswFsBlk;D:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 19:35] R2 HDDlife HDD Access service;HDDlife HDD Access service;"D:\Program Files\BinarySense\HDDlife 3\hldasvc.exe" [2007-06-07 17:09] R2 PQfsmonNT ABE675CA-49DF-11d3-93F6-00104B64D07B;PowerQuest File System Monitor PQfsmonNT ABE675CA-49DF-11d3-93F6-00104B64D07B;D:\Program Files\PowerQuest\DataKeeper 5.0\PqFsmonNt.sys [2002-07-12 15:31] R2 SPF4;Sunbelt Personal Firewall 4;"D:\Program Files\Personal Firewall\kpf4ss.exe" [2007-04-26 10:21] R2 SWIHPWMI;SWIHPWMI;D:\Program Files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe [2006-12-04 16:13] . ************************************************************************** catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-04-05 16:49:26 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2008-04-05 16:50:58 ComboFix-quarantined-files.txt 2008-04-05 14:50:52 ComboFix2.txt 2008-04-04 07:31:02 Pre-Run: 16,969,089,024 bytes free Post-Run: 16,958,738,432 bytes free

[/code]

[ Dodano: Dzisiaj o 17:19 ]
w przypadku tych dwóch zainfekowanych plików otrzymałem takie rezultaty w jotti:

File: lmz2.bmp
Status:
POSSIBLY INFECTED/MALWARE
MD5: ad17e3e94faa42e068b0882118279fb6
Packers detected:
-
Bit9 reports: File not found
Scanner results
Scan taken on 05 Apr 2008 15:04:56 (GMT)
AntiVir
Found IRC/LowJones.4
BitDefender
Found Backdoor.IRC.Zapchast.JG
Ikarus
Found Net-Worm.Win32.Randon.AR

File: lmz3.bmp
Status:
INFECTED/MALWARE
MD5: 5ba286dd989807163b99ebde935e17dc
Packers detected:
MIME.BROKEN
Bit9 reports: File not found
AntiVir
Found IRC/ColdLife.30.B
ClamAV
Found Trojan.IRC-Script-61
CPsecure
Found BackDoor.IRC.Netz

Virustotal pokazał takie wyniki dla kolejno pierwszego i drugiego pliku:

lmz2.bmp
AntiVir 7.6.0.81 2008.04.04 IRC/LowJones.4
BitDefender 7.2 2008.04.05 Backdoor.IRC.Zapchast.JG
eTrust-Vet 31.3.5672 2008.04.04 MIRC/IRCFlood

File size: 15734 bytes
MD5...: ad17e3e94faa42e068b0882118279fb6
SHA1..: 799245c30e05a9b83b16e06e862c20fdc4e09160
SHA256: beaac6409a78c31e1d9f0d2842c56fa7ab8be6482cdd9c890bc22307be1f366d
SHA512: a1a74a48d795f98ea6edc060b75be9d98114d0117db8526da84795cc78b6aceb
e76aff8ef6874b5b78d08c0f24a50b649a025469921eddaec15cedbcf65bec19
PEiD..: -
PEInfo: -

lmz3.bmp
AntiVir 7.6.0.81 2008.04.04 IRC/ColdLife.30.B
ClamAV 0.92.1 2008.04.05 Trojan.IRC-Script-61

File size: 42512 bytes
MD5...: 5ba286dd989807163b99ebde935e17dc
SHA1..: e2a4445cbf02085c5c957852f306eaf31a10834e
SHA256: 7295f862dfecc2e43bcd39a449eba0107956c2d9a2285c7509973a95fa17f2d4
SHA512: ad85875aabee098e0de62ff93532d4b53832e398ff055903c79888255b9db44f
1b627f0d18776bcb0a31b353794bbf2a59c42e47263f016bdb4eeb8240a52af9
PEiD..: -
PEInfo: -

**Posty:** 18165 · przez **wojtas** 05 Kwi 2008, 20:20

Ściągnij OTMoveIt W okienko po lewej Paste List of Files/Folders to be Moved wklej

D:\WINDOWS\system32\dk

Następnie naciskamy - MoveIt!. Pliki zostały przeniesione. Wynik operacji zobaczymy w prawym oknie Results.
Po całej operacji należy zresetować komputer

autovidol napisał(a):one skanują wyłącznie pojedyncze pliki

musisz pojedynczo skanowac

jak to wykonasz daj nowy log i wszystkie raporty

**Posty:** 14 · przez **autovidol** 05 Kwi 2008, 22:42

musisz pojedynczo skanowac Smile jak to wykonasz daj nowy log i wszystkie raporty

pojedynczo, ale które? Bo jeśli wszystkie (kilka(naście) tysięcy) to będę musiał zatrudnić dziesięciu studentów, którzy będą skanowali je przez rok....

Użyłem moveit, poszło bezboleśnie. Dzięki bardzo za pomoc. Była nieoceniona. pozdrawiam ciepło.

**Posty:** 18165 · przez **wojtas** 05 Kwi 2008, 22:44

te :

D:\WINDOWS\system32\VistaUltm.dll
D:\Program Files\izWrTe2842.tmp
D:\WINDOWS\system32\flvDX.dll
D:\WINDOWS\system32\msfDX.dll
D:\WINDOWS\system32\Smab0.dll

**Posty:** 14 · przez **autovidol** 06 Kwi 2008, 15:13

Hm. co do tych plików które miałem przeskanować - nie ma ich już.

skasuj wpis:

Cytat:
O4 - HKLM\..\Run: [Barsaka] explorer.exe

te plik/i :

Cytat:

D:\WINDOWS\system32\VistaUltm.dll
D:\Program Files\izWrTe2842.tmp
D:\WINDOWS\system32\flvDX.dll
D:\WINDOWS\system32\msfDX.dll
D:\WINDOWS\system32\Smab0.dll

i skasowałem je. nie ma już ich fizycznie na dysku

**Posty:** 8001 · przez **Okocza** 06 Kwi 2008, 15:15

podaj teraz log z hijacka i powiedz czy jest poprawa jakaś

**Posty:** 14 · przez **autovidol** 06 Kwi 2008, 20:40

log z hijacka

Kod: Zaznacz wszystko: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 20:38:18, on 2008-04-06 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.20583) Boot mode: Normal Running processes: D:\WINDOWS\System32\smss.exe D:\WINDOWS\system32\csrss.exe D:\WINDOWS\system32\winlogon.exe D:\WINDOWS\system32\services.exe D:\WINDOWS\system32\lsass.exe D:\WINDOWS\system32\Ati2evxx.exe D:\WINDOWS\system32\svchost.exe D:\WINDOWS\system32\svchost.exe D:\WINDOWS\System32\svchost.exe D:\WINDOWS\system32\svchost.exe D:\WINDOWS\system32\svchost.exe D:\WINDOWS\system32\svchost.exe D:\WINDOWS\system32\Ati2evxx.exe D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe D:\Avast4\aswUpdSv.exe D:\Avast4\ashServ.exe D:\WINDOWS\system32\spoolsv.exe D:\Program Files\a-squared Free\a2service.exe D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe D:\Program Files\BinarySense\HDDlife 3\hldasvc.exe D:\Program Files\BinarySense\HDDlife 3\hldasvc.exe D:\Program Files\Common Files\LightScribe\LSSrvc.exe D:\Program Files\Spyware Doctor\pctsAuxs.exe D:\Program Files\Spyware Doctor\pctsSvc.exe D:\WINDOWS\system32\svchost.exe D:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe D:\Program Files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe D:\WINDOWS\system32\wbem\wmiprvse.exe D:\WINDOWS\Explorer.EXE D:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe D:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe D:\Program Files\Analog Devices\Core\smax4pnp.exe D:\Program Files\Google\Gmail Notifier\gnotify.exe D:\Program Files\Java\jre1.6.0_05\bin\jusched.exe d:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE D:\Program Files\DAEMON Tools\daemon.exe D:\Avast4\ashDisp.exe D:\Program Files\Common Files\InstallShield\UpdateService\issch.exe D:\Program Files\Spyware Doctor\pctsTray.exe D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe D:\Program Files\Google\Google Updater\GoogleUpdater.exe D:\Program Files\PowerQuest\DataKeeper 5.0\DataKeeper.exe d:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe D:\Program Files\BinarySense\HDDlife 3\HDDlifePro.exe D:\Avast4\ashMaiSv.exe D:\Avast4\ashWebSv.exe D:\PROGRA~1\HEWLET~1\Shared\HPQTOA~1.EXE D:\WINDOWS\system32\wscntfy.exe D:\WINDOWS\System32\alg.exe D:\Program Files\Mozilla Firefox\firefox.exe D:\Program Files\Trend Micro\HijackThis\HijackThis.exe D:\WINDOWS\system32\wbem\wmiprvse.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - D:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start O4 - HKLM\..\Run: [SoundMAXPnP] D:\Program Files\Analog Devices\Core\smax4pnp.exe O4 - HKLM\..\Run: [SoundMAX] D:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray O4 - HKLM\..\Run: [StartCCC] d:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] D:\Program Files\Google\Gmail Notifier\gnotify.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [DAEMON Tools] "D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 O4 - HKLM\..\Run: [avast!] D:\Avast4\ashDisp.exe O4 - HKLM\..\Run: [ISUSPM Startup] "D:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup O4 - HKLM\..\Run: [ISUSScheduler] "D:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [ISTray] "D:\Program Files\Spyware Doctor\pctsTray.exe" O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user') O4 - Startup: DataKeeper.lnk = D:\Program Files\PowerQuest\DataKeeper 5.0\DataKeeper.exe O4 - Startup: HDDlife.lnk = D:\Program Files\BinarySense\HDDlife 3\HDDlifePro.exe O4 - Global Startup: Google Updater.lnk = D:\Program Files\Google\Google Updater\GoogleUpdater.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab O18 - Protocol: hddlife - {BD758015-47D9-477A-8873-4B688A2BC0E2} - "D:\Program Files\BinarySense\HDDlife 3\hlAPP.dll" (file missing) O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - D:\Program Files\a-squared Free\a2service.exe O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Avast4\aswUpdSv.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe O23 - Service: avast! Antivirus - ALWIL Software - D:\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Avast4\ashMaiSv.exe O23 - Service: avast! Web Scanner - ALWIL Software - D:\Avast4\ashWebSv.exe O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - D:\Program Files\Bonjour\mDNSResponder.exe (file missing) O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - D:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: HDDlife HDD Access service - BinarySense, Inc. - D:\Program Files\BinarySense\HDDlife 3\hldasvc.exe O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - D:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - D:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - D:\Program Files\Spyware Doctor\pctsAuxs.exe O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - D:\Program Files\Spyware Doctor\pctsSvc.exe O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - D:\Program Files\Personal Firewall\kpf4ss.exe O23 - Service: SWIHPWMI - Sierra Wireless Inc. - D:\Program Files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe -- End of file - 8958 bytes

**Posty:** 18165 · przez **wojtas** 06 Kwi 2008, 22:07

czysto

**Posty:** 14 · przez **autovidol** 07 Kwi 2008, 09:54

Wielkie dzięki za pomoc jeszcze raz. pozdrawiam.

kombinacja: fijiefj.exe, isass.exe

kombinacja: fijiefj.exe, isass.exe

Kto jest na forum