Log z gmera - nie działają programy i strony z antywirusami.

**Posty:** 43 · przez **pasta271** 13 Kwi 2010, 12:24

Proszę o sprawdzenie Log z gmera.
Log z OTL nie umieściłem bo program kilka sekund po uruchomieniu wyłącza się.
Nie mogę zainstalować żadnego programu antywirusowego.
Strony www z programami antywirusowymi nie działają.
Combofix również się wyłącza.

Kod: Zaznacz wszystko: GMER 1.0.15.15281 - http://www.gmer.net Rootkit scan 2010-04-13 11:51:49 Windows 5.1.2600 Dodatek Service Pack 3 Running: GMER 1.0.15.15281.exe; Driver: C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp\pxtdipow.sys ---- Kernel code sections - GMER 1.0.15 ---- ? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS Nie można odnaleźć określonego pliku. ! ---- User code sections - GMER 1.0.15 ---- .text C:\WINDOWS\system32\svchost.exe[1096] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes JMP 01D99DC4 .text C:\WINDOWS\system32\svchost.exe[1096] NETAPI32.dll!NetpwPathCanonicalize 6FF4A3A9 5 Bytes JMP 01D99D64 .text C:\WINDOWS\system32\svchost.exe[1172] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes JMP 00699DC4 .text C:\Program Files\Mozilla Firefox\firefox.exe[2548] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation) ---- Devices - GMER 1.0.15 ---- AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 hotcore3.sys (Hotbackup helper driver/Paragon Software Group) AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 hotcore3.sys (Hotbackup helper driver/Paragon Software Group) ---- Processes - GMER 1.0.15 ---- Process C:\WINDOWS\system32\CtDrvMkb.exe (*** hidden *** ) 1168 ---- Services - GMER 1.0.15 ---- Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] mrenvp <-- ROOTKIT !!! ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\mrenvp@DisplayName Center Helper Reg HKLM\SYSTEM\CurrentControlSet\Services\mrenvp@Type 32 Reg HKLM\SYSTEM\CurrentControlSet\Services\mrenvp@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\Services\mrenvp@ErrorControl 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\mrenvp@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs Reg HKLM\SYSTEM\CurrentControlSet\Services\mrenvp@ObjectName LocalSystem Reg HKLM\SYSTEM\CurrentControlSet\Services\mrenvp@Description Umo?liwia programom dla systemu Windows tworzenie, dost?p i modyfikowanie plik?w w Internecie. Je?li ta us?uga zostanie zatrzymana, funkcje te b?d? niedost?pne. Je?li ta us?uga zostanie wy??czona, wszelkie us?ugi jawnie od niej zale?ne przestan? si? uruchamia?. Reg HKLM\SYSTEM\CurrentControlSet\Services\mrenvp\Parameters Reg HKLM\SYSTEM\CurrentControlSet\Services\mrenvp\Parameters@ServiceDll C:\WINDOWS\system32\pnuelbu.dll Reg HKLM\SYSTEM\ControlSet003\Services\mrenvp@DisplayName Center Helper Reg HKLM\SYSTEM\ControlSet003\Services\mrenvp@Type 32 Reg HKLM\SYSTEM\ControlSet003\Services\mrenvp@Start 2 Reg HKLM\SYSTEM\ControlSet003\Services\mrenvp@ErrorControl 0 Reg HKLM\SYSTEM\ControlSet003\Services\mrenvp@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs Reg HKLM\SYSTEM\ControlSet003\Services\mrenvp@ObjectName LocalSystem Reg HKLM\SYSTEM\ControlSet003\Services\mrenvp@Description Umo?liwia programom dla systemu Windows tworzenie, dost?p i modyfikowanie plik?w w Internecie. Je?li ta us?uga zostanie zatrzymana, funkcje te b?d? niedost?pne. Je?li ta us?uga zostanie wy??czona, wszelkie us?ugi jawnie od niej zale?ne przestan? si? uruchamia?. Reg HKLM\SYSTEM\ControlSet003\Services\mrenvp\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\mrenvp\Parameters@ServiceDll C:\WINDOWS\system32\pnuelbu.dll Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15 Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000 Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90 Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000 Reg HKLM\SOFTWARE\Classes\CLSID\{255A4117-438D-1750-1B61-56F6C9A07B3E}\InProcServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{255A4117-438D-1750-1B61-56F6C9A07B3E}\InProcServer32@oamikgjlhamilhbpcginckjgdlpmbp 0x69 0x61 0x6A 0x66 ... Reg HKLM\SOFTWARE\Classes\CLSID\{255A4117-438D-1750-1B61-56F6C9A07B3E}\InProcServer32@namiagpnmilldeoeapeihjbnejac 0x69 0x61 0x6A 0x66 ... ---- Disk sectors - GMER 1.0.15 ---- Disk \Device\Harddisk0\DR0 sector 62: copy of MBR ---- EOF - GMER 1.0.15 ----

**Posty:** 18165 · przez **wojtas** 13 Kwi 2010, 19:47

Pobierz i uruchom narzędzie
The Avenger
Wklej do okienka programu

Files to delete:
C:\WINDOWS\system32\CtDrvMkb.exe
C:\WINDOWS\system32\pnuelbu.dll

Drivers to unload:
mrenvp
CtDrvMkb

Registry keys to delete:
HKLM\SYSTEM\CurrentControlSet\Services\mrenvp

wklejasz na forum raport: C:\avenger.txt + log z OTL + log z mbr

**Posty:** 43 · przez **pasta271** 14 Kwi 2010, 10:35

Kod: Zaznacz wszystko: Logfile of The Avenger Version 2.0, (c) by Swandog46 http://swandog46.geekstogo.com Platform: Windows XP ******************* Script file opened successfully. Script file read successfully. Backups directory opened successfully at C:\Avenger ******************* Beginning to process script file: Rootkit scan active. No rootkits found! File "C:\WINDOWS\system32\CtDrvMkb.exe" deleted successfully. File "C:\WINDOWS\system32\pnuelbu.dll" deleted successfully. Driver "mrenvp" deleted successfully. Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\CtDrvMkb" not found! Deletion of driver "CtDrvMkb" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist Error: registry key "HKLM\SYSTEM\CurrentControlSet\Services\mrenvp" not found! Deletion of registry key "HKLM\SYSTEM\CurrentControlSet\Services\mrenvp" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist Completed script processing. ******************* Finished! Terminate.

Kod: Zaznacz wszystko: OTL logfile created on: 2010-04-14 08:11:51 - Run 1 OTL by OldTimer - Version 3.2.1.1 Folder = D:\_ Windows XP Professional Edition Dodatek Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation Internet Explorer (Version = 7.0.5730.11) Locale: 00000415 | Country: Polska | Language: PLK | Date Format: yyyy-MM-dd 503,00 Mb Total Physical Memory | 282,00 Mb Available Physical Memory | 56,00% Memory free 1,00 Gb Paging File | 1,00 Gb Available in Paging File | 86,00% Paging File free Paging file location(s): C:\pagefile.sys 756 1512 [binary data] %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files Drive C: | 18,55 Gb Total Space | 5,93 Gb Free Space | 31,96% Space Free | Partition Type: NTFS Drive D: | 18,71 Gb Total Space | 16,06 Gb Free Space | 85,83% Space Free | Partition Type: NTFS E: Drive not present or media not loaded F: Drive not present or media not loaded G: Drive not present or media not loaded H: Drive not present or media not loaded I: Drive not present or media not loaded Computer Name: TOM Current User Name: Administrator Logged in as Administrator. Current Boot Mode: Normal Scan Mode: All users Company Name Whitelist: Off Skip Microsoft Files: Off File Age = 30 Days Output = Standard [color=#E56717]========== Processes (SafeList) ==========[/color] PRC - [2010-04-13 09:27:06 | 000,561,664 | ---- | M] (OldTimer Tools) -- D:\_\OTL.exe PRC - [2010-04-09 14:06:28 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe PRC - [2009-09-09 07:50:00 | 003,514,112 | ---- | M] (Ghisler Software GmbH) -- C:\totalcmd\TOTALCMD.EXE PRC - [2008-04-14 19:21:16 | 001,035,264 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe PRC - [2006-11-13 16:57:16 | 001,289,000 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\wcescomm.exe PRC - [2006-11-13 16:57:06 | 000,199,464 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\rapimgr.exe [color=#E56717]========== Modules (SafeList) ==========[/color] MOD - [2010-04-13 09:27:06 | 000,561,664 | ---- | M] (OldTimer Tools) -- D:\_\OTL.exe [color=#E56717]========== Win32 Services (SafeList) ==========[/color] SRV - File not found [Auto | Stopped] -- -- (PEVSystemStart) SRV - [2008-03-03 11:44:39 | 000,045,056 | ---- | M] () [Disabled | Stopped] -- C:\WINDOWS\system32\UTSCSI.EXE -- (UTSCSI) SRV - [2006-06-19 11:43:56 | 000,043,008 | ---- | M] () [Disabled | Stopped] -- C:\cygwin\bin\cygrunsrv.exe -- (sshd) SRV - [2005-11-14 02:06:04 | 000,069,632 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe -- (IDriverT) SRV - [2003-08-01 18:28:24 | 000,474,624 | ---- | M] (Constantin Kaplinsky) [Disabled | Stopped] -- C:\Program Files\Tight\WinVNC.exe -- (winvnc) SRV - [2002-09-20 17:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) [Disabled | Stopped] -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- (SoundMAX Agent Service (default)) [color=#E56717]========== Driver Services (SafeList) ==========[/color] DRV - [2009-11-11 10:44:50 | 000,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand | Stopped] -- C:\Documents and Settings\Administrator\Ustawienia lokalne\Temp\SuperAntiSpyware\SASENUM.SYS -- (SASENUM) DRV - [2009-11-11 10:44:48 | 000,009,968 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Documents and Settings\Administrator\Ustawienia lokalne\Temp\SuperAntiSpyware\sasdifsv.sys -- (SASDIFSV) DRV - [2007-11-02 11:09:58 | 000,039,472 | ---- | M] (Paragon Software Group) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\hotcore3.sys -- (hotcore3) DRV - [2007-10-24 14:02:22 | 000,002,944 | ---- | M] (Windows (R) 2000 DDK provider) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\bbcap.sys -- (bbcap) DRV - [2002-01-12 16:30:34 | 000,003,567 | ---- | M] (Beyond Logic http://www.beyondlogic.org) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PortTalk.sys -- (PortTalk) DRV - [2001-10-05 05:54:28 | 000,035,541 | R--- | M] (In-System Design, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\TPP200.SYS -- (TPP200) USB Storage Adapter V2 (TPP) [color=#E56717]========== Standard Registry (SafeList) ==========[/color] [color=#E56717]========== Internet Explorer ==========[/color] IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-21-220523388-1303643608-839522115-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://eu.eservice.asus.com/pf/Login1.do IE - HKU\S-1-5-21-220523388-1303643608-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 [color=#E56717]========== FireFox ==========[/color] FF - prefs.js..browser.startup.homepage: "http://www.google.pl/" FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.1.3 FF - prefs.js..extensions.enabledItems: bettergmail2@ginatrapani.org:1.1.1 FF - prefs.js..extensions.enabledItems: {04b56b3f-c4f4-48ba-9ea1-30e04fb7d829}:2.6.20091103 FF - prefs.js..extensions.enabledItems: {63df8e21-711c-4074-a257-b065cadc28d8}:1.9.3 FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0 FF - prefs.js..extensions.enabledItems: {9669CC8F-B388-42FE-86F4-CB5E7F5A8BDC}:6.0.4 FF - prefs.js..extensions.enabledItems: noia2_option@kk.noia:3.76 FF - prefs.js..extensions.enabledItems: {37E4D8EA-8BDA-4831-8EA1-89053939A250}:3.0.0.1 FF - prefs.js..extensions.enabledItems: {53A03D43-5363-4669-8190-99061B2DEBA5}:1.3.7 FF - prefs.js..extensions.enabledItems: scrapbookplus@addons.mozilla.org:1.7.17.29 FF - prefs.js..extensions.enabledItems: {1280606b-2510-4fe0-97ef-9b5a22eafe30}:0.6.7.4 FF - prefs.js..extensions.enabledItems: SkipScreen@SkipScreen:0.4.7amo FF - prefs.js..extensions.enabledItems: ietab@ip.cn:1.83.20100316 FF - prefs.js..extensions.enabledItems: {6E1A2A2E-AE2A-4A26-A812-46F54288379E}:3.6.0 FF - prefs.js..extensions.enabledItems: {9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e}:3.76 FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010-04-09 14:06:40 | 000,000,000 | ---D | M] FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010-04-09 14:06:40 | 000,000,000 | ---D | M] FF - HKLM\software\mozilla\Mozilla Thunderbird 3.0.4\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2010-04-01 07:07:25 | 000,000,000 | ---D | M] FF - HKLM\software\mozilla\Mozilla Thunderbird 3.0.4\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins [2010-02-11 09:49:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Dane aplikacji\Mozilla\Extensions [2010-02-11 09:49:44 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Dane aplikacji\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6} [2010-04-13 08:44:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Dane aplikacji\Mozilla\Firefox\Profiles\17ay7ofx.default\extensions [2009-11-24 08:03:18 | 000,000,000 | ---D | M] (Custom Download Manager) -- C:\Documents and Settings\Administrator\Dane aplikacji\Mozilla\Firefox\Profiles\17ay7ofx.default\extensions\{04b56b3f-c4f4-48ba-9ea1-30e04fb7d829} [2009-12-09 08:05:39 | 000,000,000 | ---D | M] (Session Manager) -- C:\Documents and Settings\Administrator\Dane aplikacji\Mozilla\Firefox\Profiles\17ay7ofx.default\extensions\{1280606b-2510-4fe0-97ef-9b5a22eafe30} [2009-01-07 08:26:20 | 000,000,000 | ---D | M] (Abstract Classic) -- C:\Documents and Settings\Administrator\Dane aplikacji\Mozilla\Firefox\Profiles\17ay7ofx.default\extensions\{2fbc1200-ad13-11db-abbd-0800200c9a66} [2009-10-21 06:59:54 | 000,000,000 | ---D | M] (PDF Download) -- C:\Documents and Settings\Administrator\Dane aplikacji\Mozilla\Firefox\Profiles\17ay7ofx.default\extensions\{37E4D8EA-8BDA-4831-8EA1-89053939A250} [2010-03-18 08:02:01 | 000,000,000 | ---D | M] (Flashblock) -- C:\Documents and Settings\Administrator\Dane aplikacji\Mozilla\Firefox\Profiles\17ay7ofx.default\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a} [2010-03-31 07:00:57 | 000,000,000 | ---D | M] (ScrapBook) -- C:\Documents and Settings\Administrator\Dane aplikacji\Mozilla\Firefox\Profiles\17ay7ofx.default\extensions\{53A03D43-5363-4669-8190-99061B2DEBA5} [2009-01-07 08:26:21 | 000,000,000 | ---D | M] (CuteMenus - Crystal SVG) -- C:\Documents and Settings\Administrator\Dane aplikacji\Mozilla\Firefox\Profiles\17ay7ofx.default\extensions\{63df8e21-711c-4074-a257-b065cadc28d8} [2010-03-25 08:00:17 | 000,000,000 | ---D | M] (Full Flat) -- C:\Documents and Settings\Administrator\Dane aplikacji\Mozilla\Firefox\Profiles\17ay7ofx.default\extensions\{6E1A2A2E-AE2A-4A26-A812-46F54288379E} [2009-12-15 08:09:54 | 000,000,000 | ---D | M] (MR Tech Toolkit) -- C:\Documents and Settings\Administrator\Dane aplikacji\Mozilla\Firefox\Profiles\17ay7ofx.default\extensions\{9669CC8F-B388-42FE-86F4-CB5E7F5A8BDC} [2010-02-24 08:01:31 | 000,000,000 | ---D | M] (Noia 2.0 (eXtreme)) -- C:\Documents and Settings\Administrator\Dane aplikacji\Mozilla\Firefox\Profiles\17ay7ofx.default\extensions\{9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e} [2010-01-08 07:58:37 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\Administrator\Dane aplikacji\Mozilla\Firefox\Profiles\17ay7ofx.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} [2010-03-31 07:00:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Dane aplikacji\Mozilla\Firefox\Profiles\17ay7ofx.default\extensions\bettergmail2@ginatrapani.org [2009-07-16 07:08:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Dane aplikacji\Mozilla\Firefox\Profiles\17ay7ofx.default\extensions\chromifox@altmusictv.com [2010-04-09 14:16:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Dane aplikacji\Mozilla\Firefox\Profiles\17ay7ofx.default\extensions\ietab@ip.cn [2010-02-24 08:01:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Dane aplikacji\Mozilla\Firefox\Profiles\17ay7ofx.default\extensions\noia2_option@kk.noia [2010-02-22 08:01:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Dane aplikacji\Mozilla\Firefox\Profiles\17ay7ofx.default\extensions\scrapbookplus@addons.mozilla.org [2010-03-25 08:01:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Dane aplikacji\Mozilla\Firefox\Profiles\17ay7ofx.default\extensions\SkipScreen@SkipScreen [2010-04-13 08:44:22 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions [2010-04-09 14:06:33 | 000,002,767 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\allegro-pl.xml [2010-04-09 14:06:33 | 000,001,406 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\fbc-pl.xml [2010-04-09 14:06:33 | 000,000,917 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\merlin-pl.xml [2010-04-09 14:06:33 | 000,000,858 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\pwn-pl.xml [2010-04-09 14:06:33 | 000,001,183 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia-pl.xml [2010-04-09 14:06:33 | 000,001,683 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wp-pl.xml O1 HOSTS File: ([2010-04-14 08:00:47 | 003,712,485 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts O1 - Hosts: 168.237.34.99 msnfix.changelog.fr O1 - Hosts: 168.237.34.99 www.incodesolutions.com O1 - Hosts: 168.237.34.99 virusinfo.prevx.com O1 - Hosts: 168.237.34.99 download.bleepingcomputer.com O1 - Hosts: 168.237.34.99 www.dazhizhu.cn O1 - Hosts: 168.237.34.99 foro.noticias3d.com O1 - Hosts: 168.237.34.99 www.spybotupdates.com O1 - Hosts: 168.237.34.99 club.myce.com O1 - Hosts: 168.237.34.99 www.k7computing.com O1 - Hosts: 168.237.34.99 softwaresecuritysolutions.com O1 - Hosts: 168.237.34.99 antonbi.web.id O1 - Hosts: 168.237.34.99 www.nabble.com O1 - Hosts: 168.237.34.99 lurker.clamav.net O1 - Hosts: 168.237.34.99 lexikon.ikarus.at O1 - Hosts: 168.237.34.99 research.sunbelt-software.com O1 - Hosts: 168.237.34.99 www.virusdoctor.jp O1 - Hosts: 168.237.34.99 www.elitepvpers.de O1 - Hosts: 168.237.34.99 guru.avg.com O1 - Hosts: 168.237.34.99 downloads.sophos.com O1 - Hosts: 168.237.34.99 share.skype.com O1 - Hosts: 168.237.34.99 myantispyware.com O1 - Hosts: 168.237.34.99 www.computerhilfen.de O1 - Hosts: 168.237.34.99 fgsite.com O1 - Hosts: 168.237.34.99 www.superuser.co.kr O1 - Hosts: 168.237.34.99 ntfaq.co.kr O1 - Hosts: 12649 more lines... O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated) O4 - HKLM..\Run: [conime.exe] C:\WINDOWS\System32\conime.exe (Microsoft Corporation) O4 - HKU\S-1-5-21-220523388-1303643608-839522115-500..\Run: [H/PC Connection Agent] C:\Program Files\Microsoft ActiveSync\wcescomm.exe (Microsoft Corporation) O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1 O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 91 00 00 00 [binary data] O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 91 00 00 00 [binary data] O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\S-1-5-21-220523388-1303643608-839522115-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O9 - Extra Button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll (Microsoft Corporation) O9 - Extra 'Tools' menuitem : Utwórz Ulubione dla urządzenia przenośnego... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll (Microsoft Corporation) O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool) O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab (Reg Error: Key error.) O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} http://test.catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1184741960953 (MUCatalogWebControl Class) O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1235036861609 (WUWebControl Class) O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab (Java Plug-in 1.6.0_16) O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab (Java Plug-in 1.6.0_16) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab (Java Plug-in 1.6.0_16) O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object) O20 - AppInit_DLLs: (sockspy.dll) - File not found O20 - AppInit_DLLs: (sockspy.dll) - File not found O20 - AppInit_DLLs: (sockspy.dll) - File not found O20 - AppInit_DLLs: (sockspy.dll) - File not found O20 - AppInit_DLLs: (sockspy.dll) - File not found O20 - AppInit_DLLs: (sockspy.dll) - File not found O20 - AppInit_DLLs: (sockspy.dll) - File not found O20 - AppInit_DLLs: (sockspy.dll) - File not found O20 - AppInit_DLLs: (sockspy.dll) - File not found O20 - AppInit_DLLs: (sockspy.dll) - File not found O20 - AppInit_DLLs: (sockspy.dll) - File not found O20 - AppInit_DLLs: (sockspy.dll) - File not found O20 - AppInit_DLLs: (sockspy.dll) - File not found O20 - AppInit_DLLs: (sockspy.dll) - File not found O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: Shell - (C:\WINDOWS\Config\csrss.exe) - C:\WINDOWS\Config\csrss.exe File not found O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation) O24 - Desktop Components:0 (Moja bieżąca strona główna) - About:Home O24 - Desktop WallPaper: C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp O24 - Desktop BackupWallPaper: C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp O27 - HKLM IFEO\conime.exe: Debugger - CtDrvMkb.exe File not found O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2006-02-09 10:33:00 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ] O33 - MountPoints2\{114dc232-370f-11df-8b1d-0015f249604e}\Shell\AutoRun\command - "" = F:\~tmpfolder\~drv21423.exe -- File not found O33 - MountPoints2\{114dc232-370f-11df-8b1d-0015f249604e}\Shell\explore\command - "" = F:\~tmpfolder\~drv21423.exe -- File not found O33 - MountPoints2\{114dc232-370f-11df-8b1d-0015f249604e}\Shell\open\command - "" = F:\~tmpfolder\~drv21423.exe -- File not found O33 - MountPoints2\{114dc232-370f-11df-8b1d-0015f249604e}\Shell\search\command - "" = F:\~tmpfolder\~drv21423.exe -- File not found O33 - MountPoints2\{47b3b088-6c15-11dc-8a86-0015f249604e}\Shell\Auto\command - "" = Ghost.pif O33 - MountPoints2\{47b3b089-6c15-11dc-8a86-0015f249604e}\Shell\Auto\command - "" = K:\Ghost.pif -- File not found O33 - MountPoints2\{85a326a1-20a2-11dc-8a37-0015f249604e}\Shell\Auto\command - "" = Ghost.pif O33 - MountPoints2\{a9478981-1ef9-11dc-8a2e-0015f249604e}\Shell\AutoRun\command - "" = K:\USBNB.exe -- File not found O33 - MountPoints2\{c1dff8cc-a7fe-11de-8aa3-0015f249604e}\Shell\AutoRun\command - "" = F:\hbcd\wintools\autorun.exe -- File not found O33 - MountPoints2\{c1dff8cc-a7fe-11de-8aa3-0015f249604e}\Shell\Option1\Command - "" = F:\hbcd\wintools\autorun.exe -- File not found O34 - HKLM BootExecute: (autocheck autochk *) - File not found O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37 - HKLM\...com [@ = comfile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* [color=#E56717]========== Files/Folders - Created Within 30 Days ==========[/color] [2010-04-14 08:06:18 | 000,000,000 | ---D | C] -- C:\Avenger [2010-04-13 11:57:29 | 000,561,664 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Pulpit\OTL.exe [2010-04-13 08:50:21 | 000,000,000 | ---D | C] -- C:\32788R22FWJFW [2010-04-13 08:14:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Dane aplikacji\ESET [2010-04-13 08:05:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Dane aplikacji\Auslogics [2010-04-13 08:04:21 | 000,000,000 | ---D | C] -- C:\Program Files\Auslogics [2010-04-12 12:50:52 | 000,000,000 | --SD | C] -- C:\ComboFix [2010-04-12 12:24:17 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe [2010-04-12 12:24:17 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe [2010-04-12 12:24:17 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe [2010-04-12 12:24:17 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe [2010-04-12 12:24:06 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT [2010-04-12 12:23:57 | 000,000,000 | ---D | C] -- C:\Qoobox [2010-03-23 10:41:35 | 000,000,000 | ---D | C] -- C:\pendriver_3 [2008-07-17 12:56:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Ustawienia lokalne\Dane aplikacji\Microsoft [2007-09-14 08:50:30 | 006,422,611 | ---- | C] (FrostWire Group) -- C:\Program Files\frostwire-4.13.1.6.windows.exe [2006-02-09 10:37:08 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Dane aplikacji\Microsoft [2006-02-09 10:36:03 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Dane aplikacji\Microsoft [2006-02-09 10:36:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Ustawienia lokalne\Dane aplikacji\Microsoft [4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ] [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ] [color=#E56717]========== Files - Modified Within 30 Days ==========[/color] [2010-04-14 08:09:03 | 000,007,012 | ---- | M] () -- C:\WINDOWS\wincmd.ini [2010-04-14 08:07:07 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl [2010-04-14 08:06:32 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT [2010-04-14 08:06:31 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat [2010-04-14 08:05:24 | 004,718,592 | -H-- | M] () -- C:\Documents and Settings\Administrator\NTUSER.DAT [2010-04-14 08:05:20 | 000,000,188 | -HS- | M] () -- C:\Documents and Settings\Administrator\ntuser.ini [2010-04-14 08:04:36 | 000,000,412 | ---- | M] () -- C:\Documents and Settings\Administrator\Pulpit\Skrót do avenger.exe.lnk [2010-04-14 07:59:48 | 000,000,170 | ---- | M] () -- C:\Documents and Settings\Administrator\Dane aplikacji\kjw.dwq [2010-04-13 09:27:06 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Pulpit\OTL.exe [2010-04-13 08:56:19 | 000,025,019 | ---- | M] () -- C:\Documents and Settings\Administrator\Moje dokumenty\tpa_rozdawanie.ods_0.ods [2010-04-12 12:45:09 | 000,000,933 | ---- | M] () -- C:\Documents and Settings\Administrator\Pulpit\Spybot - Search & Destroy.lnk [2010-04-08 14:17:58 | 000,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini [2010-03-29 07:00:17 | 001,011,984 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI [2010-03-29 07:00:17 | 000,457,230 | ---- | M] () -- C:\WINDOWS\System32\perfh015.dat [2010-03-29 07:00:17 | 000,400,624 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat [2010-03-29 07:00:17 | 000,079,386 | ---- | M] () -- C:\WINDOWS\System32\perfc015.dat [2010-03-29 07:00:17 | 000,062,286 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat [4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ] [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ] [color=#E56717]========== Files Created - No Company Name ==========[/color] [2010-04-14 08:04:36 | 000,000,412 | ---- | C] () -- C:\Documents and Settings\Administrator\Pulpit\Skrót do avenger.exe.lnk [2010-04-14 08:04:21 | 000,000,298 | ---- | C] () -- C:\Program Files\ojfrw.txt [2010-04-14 07:59:48 | 000,000,170 | ---- | C] () -- C:\Documents and Settings\Administrator\Dane aplikacji\kjw.dwq [2010-04-13 09:06:24 | 000,025,019 | ---- | C] () -- C:\Documents and Settings\Administrator\Moje dokumenty\tpa_rozdawanie.ods_0.ods [2010-04-12 12:45:09 | 000,000,933 | ---- | C] () -- C:\Documents and Settings\Administrator\Pulpit\Spybot - Search & Destroy.lnk [2010-04-12 12:24:17 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe [2010-04-12 12:24:17 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe [2010-04-12 12:24:17 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe [2010-04-12 12:24:17 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe [2010-04-12 12:24:17 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe [2009-09-11 07:10:22 | 000,000,474 | ---- | C] () -- C:\WINDOWS\d.ini [2009-01-19 10:51:44 | 000,000,138 | ---- | C] () -- C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\fusioncache.dat [2008-02-07 11:30:28 | 000,247,560 | ---- | C] () -- C:\WINDOWS\System32\prgiso.dll [2008-02-07 11:30:27 | 004,244,744 | ---- | C] () -- C:\WINDOWS\System32\qtp-mt334.dll [2008-02-07 11:30:26 | 000,013,576 | ---- | C] () -- C:\WINDOWS\System32\wnaspi32.dll [2008-01-22 12:27:42 | 000,221,252 | ---- | C] () -- C:\WINDOWS\System32\maskDll.dll [2008-01-22 12:27:42 | 000,200,776 | ---- | C] () -- C:\WINDOWS\System32\unMaskDLL.dll [2007-11-22 09:21:54 | 000,009,728 | ---- | C] () -- C:\WINDOWS\System32\BASSMOD.dll [2007-11-08 11:06:33 | 000,007,424 | R--- | C] () -- C:\WINDOWS\System32\drivers\MMIOPORT.SYS [2007-11-07 14:20:52 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\11 [2007-11-07 10:16:13 | 000,006,272 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASLM75.SYS [2007-10-23 15:56:55 | 000,000,123 | ---- | C] () -- C:\WINDOWS\Pegasus_usb_flash.ini [2007-10-09 15:27:34 | 000,000,061 | ---- | C] () -- C:\WINDOWS\System32\.sys [2007-09-14 08:50:48 | 000,000,306 | ---- | C] () -- C:\Program Files\INSTALL.LOG [2007-07-31 15:26:13 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini [2007-07-31 15:26:12 | 000,004,608 | ---- | C] () -- C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2007-07-12 11:44:42 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\Administrator\PUTTY.RND [2007-07-12 09:26:02 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\PUTTY.RND [2007-07-05 13:48:08 | 000,765,952 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll [2007-07-05 13:48:07 | 000,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll [2007-06-06 08:42:54 | 000,002,528 | ---- | C] () -- C:\Documents and Settings\Administrator\Dane aplikacji\$_hpcst$.hpc [2007-06-05 10:18:20 | 000,000,656 | ---- | C] () -- C:\WINDOWS\wcx_ftp.ini [2007-06-05 08:43:08 | 000,000,176 | ---- | C] () -- C:\WINDOWS\wininit.ini [2007-06-05 08:26:21 | 000,007,012 | ---- | C] () -- C:\WINDOWS\wincmd.ini [2007-05-17 16:28:38 | 000,000,048 | ---- | C] () -- C:\WINDOWS\scmate.ini [2006-11-29 15:49:36 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI [2006-08-30 11:01:19 | 000,000,191 | ---- | C] () -- C:\Documents and Settings\Administrator\00D5A4F0_kds.xml [2006-08-28 14:46:07 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\02403BF8_kds.xml [2006-08-25 15:00:06 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\00D5F118_kds.xml [2006-08-24 11:52:42 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\00CDD1F8_kds.xml [2006-08-24 08:52:28 | 000,000,191 | ---- | C] () -- C:\Documents and Settings\Administrator\02418C30_kds.xml [2006-08-22 15:07:16 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\00CD7F68_kds.xml [2006-08-22 11:57:17 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\00D5B378_kds.xml [2006-08-22 08:56:54 | 000,000,191 | ---- | C] () -- C:\Documents and Settings\Administrator\00B8B368_kds.xml [2006-08-14 14:57:52 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\00D5D978_kds.xml [2006-08-14 11:57:23 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\00D5B640_kds.xml [2006-08-08 13:25:02 | 000,000,014 | ---- | C] () -- C:\Documents and Settings\Administrator\getfile.dat [2006-08-03 08:57:02 | 000,000,191 | ---- | C] () -- C:\Documents and Settings\Administrator\00D5B4B8_kds.xml [2006-07-27 14:53:02 | 000,000,191 | ---- | C] () -- C:\Documents and Settings\Administrator\00CDD3F8_kds.xml [2006-07-21 09:11:29 | 000,000,191 | ---- | C] () -- C:\Documents and Settings\Administrator\02404D70_kds.xml [2006-07-19 08:54:18 | 000,000,191 | ---- | C] () -- C:\Documents and Settings\Administrator\00D5C388_kds.xml [2006-07-14 08:43:39 | 000,000,191 | ---- | C] () -- C:\Documents and Settings\Administrator\00D5C688_kds.xml [2006-07-13 18:39:41 | 000,000,191 | ---- | C] () -- C:\Documents and Settings\Administrator\00CDD488_kds.xml [2006-07-12 18:15:52 | 000,000,191 | ---- | C] () -- C:\Documents and Settings\Administrator\00D5A820_kds.xml [2006-07-10 09:05:34 | 000,000,191 | ---- | C] () -- C:\Documents and Settings\Administrator\00D5D558_kds.xml [2006-07-06 14:57:59 | 000,000,191 | ---- | C] () -- C:\Documents and Settings\Administrator\00D5CEE0_kds.xml [2006-07-06 08:57:20 | 000,000,191 | ---- | C] () -- C:\Documents and Settings\Administrator\00D5EED0_kds.xml [2006-07-03 09:01:19 | 000,000,191 | ---- | C] () -- C:\Documents and Settings\Administrator\00D5A150_kds.xml [2006-06-30 12:38:58 | 000,000,191 | ---- | C] () -- C:\Documents and Settings\Administrator\00D5FDC8_kds.xml [2006-06-26 16:17:52 | 000,000,191 | ---- | C] () -- C:\Documents and Settings\Administrator\025201A0_kds.xml [2006-06-23 09:03:40 | 000,000,191 | ---- | C] () -- C:\Documents and Settings\Administrator\00D57A10_kds.xml [2006-06-22 08:58:07 | 000,000,191 | ---- | C] () -- C:\Documents and Settings\Administrator\00CFEB10_kds.xml [2006-06-19 12:00:45 | 000,000,191 | ---- | C] () -- C:\Documents and Settings\Administrator\00D5ED10_kds.xml [2006-06-09 16:17:13 | 000,000,020 | ---- | C] () -- C:\WINDOWS\naglos.INI [2006-06-09 15:07:07 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\00D5B3A0_kds.xml [2006-06-09 09:05:53 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\00B23E40_kds.xml [2006-06-08 16:26:45 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\00D58BA0_kds.xml [2006-06-07 15:23:13 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\02826638_kds.xml [2006-06-07 12:13:16 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\00D57DB8_kds.xml [2006-06-06 12:08:10 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\00CDE470_kds.xml [2006-06-06 09:07:35 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\00D5C6D0_kds.xml [2006-06-05 15:14:46 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\00D5B458_kds.xml [2006-06-01 15:17:59 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\00D5C9F0_kds.xml [2006-05-31 12:06:52 | 000,000,191 | ---- | C] () -- C:\Documents and Settings\Administrator\00D5B618_kds.xml [2006-05-30 12:28:06 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\00D5F7B8_kds.xml [2006-05-29 12:19:54 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\00CD7E30_kds.xml [2006-05-29 09:09:57 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\02402BD8_kds.xml [2006-05-26 12:07:14 | 000,000,191 | ---- | C] () -- C:\Documents and Settings\Administrator\00D5F5F0_kds.xml [2006-05-25 15:09:36 | 000,000,191 | ---- | C] () -- C:\Documents and Settings\Administrator\00D5EAE0_kds.xml [2006-05-25 09:08:46 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\02400048_kds.xml [2006-05-23 08:50:05 | 000,000,191 | ---- | C] () -- C:\Documents and Settings\Administrator\00D5CAF8_kds.xml [2006-05-22 15:30:46 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\00D5E580_kds.xml [2006-05-22 09:30:10 | 000,000,191 | ---- | C] () -- C:\Documents and Settings\Administrator\00D56588_kds.xml [2006-05-19 15:08:36 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\025865C8_kds.xml [2006-05-16 12:22:20 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\02405B28_kds.xml [2006-05-16 09:12:27 | 000,000,191 | ---- | C] () -- C:\Documents and Settings\Administrator\00D59E08_kds.xml [2006-05-09 12:09:37 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\00D54AC8_kds.xml [2006-05-08 12:10:06 | 000,000,191 | ---- | C] () -- C:\Documents and Settings\Administrator\00D5B3D0_kds.xml [2006-05-08 09:09:33 | 000,004,123 | ---- | C] () -- C:\Documents and Settings\Administrator\x_dtrace_log [2006-04-11 12:30:12 | 000,001,423 | ---- | C] () -- C:\WINDOWS\pr.ini [2006-02-14 12:47:59 | 000,000,008 | RHS- | C] () -- C:\Documents and Settings\All Users\ntuser.pol [2006-02-09 11:41:03 | 000,262,144 | ---- | C] () -- C:\Documents and Settings\All Users\ntuser.dat [2006-02-09 11:41:03 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\All Users\ntuser.dat.LOG [2006-02-09 10:46:54 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\Administrator\ntuser.dat.LOG [2006-02-09 10:46:54 | 000,000,188 | -HS- | C] () -- C:\Documents and Settings\Administrator\ntuser.ini [2006-02-09 10:46:53 | 004,718,592 | -H-- | C] () -- C:\Documents and Settings\Administrator\NTUSER.DAT [2006-02-09 10:44:33 | 000,012,288 | R--- | C] () -- C:\WINDOWS\System32\e100bmsg.dll [2006-02-09 10:43:32 | 000,000,044 | ---- | C] () -- C:\WINDOWS\System32\msssc.dll [2006-02-09 10:41:37 | 000,002,258 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini [2006-02-09 10:41:36 | 000,005,824 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS [2004-08-04 14:00:00 | 000,100,352 | ---- | C] () -- C:\WINDOWS\System32\msn38817.dll [color=#E56717]========== LOP Check ==========[/color] [2007-11-07 12:20:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Dane aplikacji\Acronis [2007-06-29 10:44:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Dane aplikacji\Advanced Time Synchronizer [2010-04-13 08:05:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Dane aplikacji\Auslogics [2007-10-24 14:04:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Dane aplikacji\Blueberry [2009-05-11 12:29:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Dane aplikacji\Bullzip [2010-01-26 11:04:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Dane aplikacji\Cream Software [2009-12-15 10:13:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Dane aplikacji\FileZilla [2008-10-07 12:56:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Dane aplikacji\GetRightToGo [2008-04-04 13:16:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Dane aplikacji\IEPro [2008-11-03 13:56:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Dane aplikacji\ImgBurn [2007-07-09 10:39:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Dane aplikacji\InfraRecorder [2007-09-17 09:10:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Dane aplikacji\KompoZer [2008-04-29 08:57:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Dane aplikacji\MiniDm [2010-04-13 16:00:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Dane aplikacji\OpenOffice.ux.pl2 [2008-01-15 13:00:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Dane aplikacji\PrevxCSI [2007-08-14 15:41:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Dane aplikacji\SOTI [2007-07-11 12:10:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Dane aplikacji\Subversion [2008-04-04 14:43:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Dane aplikacji\The Bat! [2010-02-11 09:49:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Dane aplikacji\Thunderbird [2010-03-24 11:13:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Dane aplikacji\uTorrent [2007-11-07 12:17:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Dane aplikacji\Acronis [2007-10-24 14:03:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Dane aplikacji\Blueberry [2010-04-13 08:14:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Dane aplikacji\ESET [2007-12-14 13:12:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Dane aplikacji\Prevx [2009-08-06 07:08:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Dane aplikacji\TEMP [color=#E56717]========== Purity Check ==========[/color] [color=#E56717]========== Alternate Data Streams ==========[/color] @Alternate Data Stream - 96 bytes -> C:\Documents and Settings\All Users\Dane aplikacji\TEMP:D3A1BA7A @Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users\Dane aplikacji\TEMP:D1B5B4F1 < End of report >

Kod: Zaznacz wszystko: OTL Extras logfile created on: 2010-04-14 08:11:51 - Run 1 OTL by OldTimer - Version 3.2.1.1 Folder = D:\_ Windows XP Professional Edition Dodatek Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation Internet Explorer (Version = 7.0.5730.11) Locale: 00000415 | Country: Polska | Language: PLK | Date Format: yyyy-MM-dd 503,00 Mb Total Physical Memory | 282,00 Mb Available Physical Memory | 56,00% Memory free 1,00 Gb Paging File | 1,00 Gb Available in Paging File | 86,00% Paging File free Paging file location(s): C:\pagefile.sys 756 1512 [binary data] %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files Drive C: | 18,55 Gb Total Space | 5,93 Gb Free Space | 31,96% Space Free | Partition Type: NTFS Drive D: | 18,71 Gb Total Space | 16,06 Gb Free Space | 85,83% Space Free | Partition Type: NTFS E: Drive not present or media not loaded F: Drive not present or media not loaded G: Drive not present or media not loaded H: Drive not present or media not loaded I: Drive not present or media not loaded Computer Name: TOM Current User Name: Administrator Logged in as Administrator. Current Boot Mode: Normal Scan Mode: All users Company Name Whitelist: Off Skip Microsoft Files: Off File Age = 30 Days Output = Standard [color=#E56717]========== Extra Registry (SafeList) ==========[/color] [color=#E56717]========== File Associations ==========[/color] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>] .html [@ = Reg Error: Value error.] -- Reg Error: Key error. File not found [HKEY_USERS\S-1-5-21-220523388-1303643608-839522115-500\SOFTWARE\Classes\<extension>] .html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) [color=#E56717]========== Shell Spawning ==========[/color] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command] batfile [open] -- "%1" %* cmdfile [open] -- "%1" %* comfile [open] -- "%1" %* exefile [open] -- "%1" %* htmlfile [edit] -- Reg Error: Key error. http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation) https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation) piffile [open] -- "%1" %* regfile [merge] -- Reg Error: Key error. scrfile [config] -- "%1" scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation) scrfile [open] -- "%1" /S txtfile [edit] -- Reg Error: Key error. Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation) Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation) Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) [color=#E56717]========== Security Center Settings ==========[/color] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center] "FirstRunDisabled" = 1 "AntiVirusDisableNotify" = 1 "FirewallDisableNotify" = 1 "UpdatesDisableNotify" = 1 "AntiVirusOverride" = 1 "FirewallOverride" = 1 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] "EnableFirewall" = 0 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List] "26675:TCP" = 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service "139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004 "445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005 "137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001 "138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] "EnableFirewall" = 0 "DoNotAllowExceptions" = 0 "DisableNotifications" = 0 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List] "139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004 "445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005 "137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001 "138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002 "26675:TCP" = 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service "1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007 "2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008 "1383:TCP" = 1383:TCP:*:Enabled:uhrml [color=#E56717]========== Authorized Applications List ==========[/color] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List] "C:\Program Files\Gadu-Gadu\gg.exe" = C:\Program Files\Gadu-Gadu\gg.exe:*:Enabled:Gadu-Gadu - program glowny -- (sms-express.com) "C:\Program Files\Tight\WinVNC.exe" = C:\Program Files\Tight\WinVNC.exe:*:Enabled:TightVNC Win32 Server -- (Constantin Kaplinsky) "C:\Program Files\Cerberus\Cerberus.exe" = C:\Program Files\Cerberus\Cerberus.exe:*:Enabled:Cerberus FTP Server -- (Cerberus, LLC) "C:\Program Files\Microsoft ActiveSync\rapimgr.exe" = C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager -- (Microsoft Corporation) "C:\Program Files\Microsoft ActiveSync\wcescomm.exe" = C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager -- (Microsoft Corporation) "C:\Program Files\Microsoft ActiveSync\WCESMgr.exe" = C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application -- (Microsoft Corporation) "C:\WINDOWS\system32\CtDrvMkb.exe" = C:\WINDOWS\system32\CtDrvMkb.exe:*:Enabled:LAN Router -- File not found [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] "C:\Program Files\Microsoft ActiveSync\rapimgr.exe" = C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager -- (Microsoft Corporation) "C:\Program Files\Microsoft ActiveSync\wcescomm.exe" = C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager -- (Microsoft Corporation) "C:\Program Files\Microsoft ActiveSync\WCESMgr.exe" = C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application -- (Microsoft Corporation) "C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.) "C:\Program Files\Cerberus\Cerberus.exe" = C:\Program Files\Cerberus\Cerberus.exe:*:Enabled:Cerberus FTP Server -- (Cerberus, LLC) "F:\Symantec.Ghost.v11.5.0.2113.Corporate.Edition\GhostSrv.exe" = F:\Symantec.Ghost.v11.5.0.2113.Corporate.Edition\GhostSrv.exe:*:Enabled:GhostCastServer Network Access -- File not found "C:\WINDOWS\system32\CtDrvMkb.exe" = C:\WINDOWS\system32\CtDrvMkb.exe:*:Enabled:LAN Router -- File not found [color=#E56717]========== HKEY_LOCAL_MACHINE Uninstall List ==========[/color] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "{0E0DF90C-D0BA-4C89-9262-AD78D1A3DE51}" = HP USB Disk Storage Format Tool "{26A24AE4-039D-4CA4-87B4-2F83216016FF}" = Java(TM) 6 Update 16 "{350C9415-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP "{3DA88297-8858-4525-96C9-360D1078FC3A}" = OpenOffice.ux.pl 2.0 "{590CE15B-1B8A-4B15-BA95-D717401E2714}" = Cerberus FTP Server "{5AF71003-1797-4D93-9F37-4F2125CBF539}" = Microsoft .NET Framework 2.0 Language Pack - PLK "{64CB2553-C109-4132-AA51-1F421B515FD1}" = Microsoft .NET Framework 1.1 Polish Language Pack "{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin "{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}" = Microsoft .NET Framework 2.0 "{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable "{7FC65BEC-45E6-4C97-B765-58B10A574E6F}" = Link200 "{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel(R) Extreme Graphics 2 Driver "{8AAAECE4-BE28-41E3-A876-186323B1FA54}_is1" = Sente eSystem "{8D8024F1-2945-49A5-9B78-5AB7B11D7942}_is1" = Auslogics Registry Cleaner "{99052DB7-9592-4522-A558-5417BBAD48EE}" = Microsoft ActiveSync "{A92A4DB0-CD37-42D1-BE1D-603D53C24328}" = Intel(R) Processor ID Utility "{AC76BA86-7AD7-1045-7B44-A70500000002}" = Adobe Reader 7.0.5 - Polish "{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy "{BEE64C14-BEF1-4610-8A68-A16EAA47B882}" = Futuremark SystemInfo "{C887C75D-2636-41F6-BB7B-FD4B0314C1E1}" = Paragon Partition Manager 9.0 Professional "{C9E4932C-8417-4E4C-A0E3-EE534810AB4D}" = ClearType Tuning Control Panel Applet "{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1 "{EF1106DA-FAD0-4241-9344-B1F72F1A226E}" = ASUSTeK SIP Download Patch "{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX "7-Zip" = 7-Zip 4.49 beta "Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX "Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin "Bullzip PDF Printer_is1" = Bullzip PDF Printer 6.0.0.865 "CoreAVC Professional Edition" = CoreAVC Professional Edition (remove only) "FBDBServer_2_0_is1" = Firebird 2.0.0 "FileZilla Client" = FileZilla Client 3.2.7.1 "Gadu-Gadu" = Gadu-Gadu 6.1 "GPL Ghostscript Lite_is1" = GPL Ghostscript Lite 8.64 "HaaliMkx" = Haali Media Splitter "hkSFV" = hkSFV (remove only) "IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs "ImgBurn" = ImgBurn "IrfanView" = IrfanView (remove only) "JDownloader" = JDownloader "Magic ISO Maker v5.4 (build 0251)" = Magic ISO Maker v5.4 (build 0251) "Microsoft .NET Framework 2.0" = Microsoft .NET Framework 2.0 "Microsoft .NET Framework 2.0 Language Pack - PLK" = Microsoft .NET Framework 2.0 — pakiet języka polskiego "MKVtoolnix" = MKVtoolnix 3.0.0 "Mozilla Firefox (3.6.3)" = Mozilla Firefox (3.6.3) "Mozilla Thunderbird (3.0.4)" = Mozilla Thunderbird (3.0.4) "NapiProjekt_is1" = NapiProjekt 1.0.6.7 "Nero - Burning Rom!UninstallKey" = Nero OEM "NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs "PROSet" = Intel(R) PRO Network Adapters and Drivers "QuicktimeAlt_is1" = QuickTime Alternative 1.90 "Spybot - Search & Destroy_is1" = Spybot - Search & Destroy 1.5.2.20 "Totalcmd" = Total Commander (Remove or Repair) "TPP200" = USB Storage Adapter V2 (TPP) "uTorrent" = µTorrent "Windows XP Service Pack" = Windows XP Service Pack 3 "WinRAR archiver" = Archiwizator WinRAR "Xvid_is1" = Xvid 1.1.3 final uninstall [color=#E56717]========== HKEY_USERS Uninstall List ==========[/color] [HKEY_USERS\S-1-5-21-220523388-1303643608-839522115-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "uTorrent" = µTorrent [color=#E56717]========== Last 10 Event Log Errors ==========[/color] [ Application Events ] Error - 2010-04-12 06:49:26 | Computer Name = TOM | Source = Application Error | ID = 1000 Description = Aplikacja powodująca błąd ctdrvmkb.exe, wersja 0.0.0.0, moduł powodujący błąd kernel32.dll, wersja 5.1.2600.5512, adres błędu 0x00012aeb. Error - 2010-04-12 06:49:31 | Computer Name = TOM | Source = Application Error | ID = 1000 Description = Aplikacja powodująca błąd ctdrvmkb.exe, wersja 0.0.0.0, moduł powodujący błąd kernel32.dll, wersja 5.1.2600.5512, adres błędu 0x00012aeb. Error - 2010-04-12 06:49:45 | Computer Name = TOM | Source = Application Error | ID = 1000 Description = Aplikacja powodująca błąd ctdrvmkb.exe, wersja 0.0.0.0, moduł powodujący błąd kernel32.dll, wersja 5.1.2600.5512, adres błędu 0x00012aeb. Error - 2010-04-12 06:50:42 | Computer Name = TOM | Source = Application Error | ID = 1000 Description = Aplikacja powodująca błąd ctdrvmkb.exe, wersja 0.0.0.0, moduł powodujący błąd kernel32.dll, wersja 5.1.2600.5512, adres błędu 0x00012aeb. Error - 2010-04-12 07:17:11 | Computer Name = TOM | Source = crypt32 | ID = 131080 Description = Nie można automatycznie pobrać aktualizacji numeru sekwencji głównej listy innych firm z: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>, wystąpił błąd: The server name or address could not be resolved Error - 2010-04-13 02:13:34 | Computer Name = TOM | Source = crypt32 | ID = 131080 Description = Nie można automatycznie pobrać aktualizacji numeru sekwencji głównej listy innych firm z: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>, wystąpił błąd: The server name or address could not be resolved Error - 2010-04-13 02:14:00 | Computer Name = TOM | Source = crypt32 | ID = 131080 Description = Nie można automatycznie pobrać aktualizacji numeru sekwencji głównej listy innych firm z: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>, wystąpił błąd: The server name or address could not be resolved Error - 2010-04-13 02:14:03 | Computer Name = TOM | Source = crypt32 | ID = 131080 Description = Nie można automatycznie pobrać aktualizacji numeru sekwencji głównej listy innych firm z: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>, wystąpił błąd: To połączenie sieciowe nie istnieje. Error - 2010-04-13 03:11:12 | Computer Name = TOM | Source = crypt32 | ID = 131080 Description = Nie można automatycznie pobrać aktualizacji numeru sekwencji głównej listy innych firm z: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>, wystąpił błąd: The server name or address could not be resolved Error - 2010-04-13 03:11:12 | Computer Name = TOM | Source = crypt32 | ID = 131080 Description = Nie można automatycznie pobrać aktualizacji numeru sekwencji głównej listy innych firm z: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>, wystąpił błąd: To połączenie sieciowe nie istnieje. [ System Events ] Error - 2010-04-14 02:04:32 | Computer Name = TOM | Source = Service Control Manager | ID = 7001 Description = Usługa Menedżer połączeń usługi Dostęp zdalny zależy od usługi Telefonia, której nie można uruchomić z powodu następującego błędu: %%1058 Error - 2010-04-14 02:04:37 | Computer Name = TOM | Source = Service Control Manager | ID = 7001 Description = Usługa Menedżer połączeń usługi Dostęp zdalny zależy od usługi Telefonia, której nie można uruchomić z powodu następującego błędu: %%1058 Error - 2010-04-14 02:04:41 | Computer Name = TOM | Source = Service Control Manager | ID = 7001 Description = Usługa Menedżer połączeń usługi Dostęp zdalny zależy od usługi Telefonia, której nie można uruchomić z powodu następującego błędu: %%1058 Error - 2010-04-14 02:04:45 | Computer Name = TOM | Source = Service Control Manager | ID = 7001 Description = Usługa Menedżer połączeń usługi Dostęp zdalny zależy od usługi Telefonia, której nie można uruchomić z powodu następującego błędu: %%1058 Error - 2010-04-14 02:04:49 | Computer Name = TOM | Source = Service Control Manager | ID = 7001 Description = Usługa Menedżer połączeń usługi Dostęp zdalny zależy od usługi Telefonia, której nie można uruchomić z powodu następującego błędu: %%1058 Error - 2010-04-14 02:04:50 | Computer Name = TOM | Source = Service Control Manager | ID = 7001 Description = Usługa Menedżer połączeń usługi Dostęp zdalny zależy od usługi Telefonia, której nie można uruchomić z powodu następującego błędu: %%1058 Error - 2010-04-14 02:04:55 | Computer Name = TOM | Source = Service Control Manager | ID = 7001 Description = Usługa Menedżer połączeń usługi Dostęp zdalny zależy od usługi Telefonia, której nie można uruchomić z powodu następującego błędu: %%1058 Error - 2010-04-14 02:04:55 | Computer Name = TOM | Source = Service Control Manager | ID = 7001 Description = Usługa Menedżer połączeń usługi Dostęp zdalny zależy od usługi Telefonia, której nie można uruchomić z powodu następującego błędu: %%1058 Error - 2010-04-14 02:04:55 | Computer Name = TOM | Source = Service Control Manager | ID = 7001 Description = Usługa Menedżer połączeń usługi Dostęp zdalny zależy od usługi Telefonia, której nie można uruchomić z powodu następującego błędu: %%1058 Error - 2010-04-14 02:04:57 | Computer Name = TOM | Source = Service Control Manager | ID = 7001 Description = Usługa Menedżer połączeń usługi Dostęp zdalny zależy od usługi Telefonia, której nie można uruchomić z powodu następującego błędu: %%1058 < End of report >

Kod: Zaznacz wszystko: Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net device: opened successfully user: MBR read successfully kernel: MBR read successfully user & kernel MBR OK copy of MBR has been found in sector 62 !

**Posty:** 2183 · przez **NieWiem** 14 Kwi 2010, 12:13

Zostało czyszczenie w OTL, ale chciałbym zobaczyć jeszcze nowy raport z Gmera, ponieważ infekcja była rootkitowa, więc to zostawimy na później.

Pobierz program Malwarebytes' Anti-Malware i zainstaluj.
Wersja freeware nie ma opcji automatycznych aktualizacji, dlatego pod koniec instalacji upewnij się, że zaznaczone są opcje:
- Update Malwarebytes' Anti-Malware
- Launch Malwarebytes' Anti-Malware
Wciśnij Finish.
Przeprowadź pełne skanowanie komputera.
Raport z tego skanowania proszę wkleić na forum w tagach [code], lub na stronie http://www.wklej.org a w odpowiedzi podać tylko linka do tej strony.

**Posty:** 43 · przez **pasta271** 15 Kwi 2010, 10:45

Kod: Zaznacz wszystko: Malwarebytes' Anti-Malware 1.45 www.malwarebytes.org Wersja bazy: 3989 Windows 5.1.2600 Dodatek Service Pack 3 Internet Explorer 7.0.5730.11 2010-04-15 09:05:22 mbam-log-2010-04-15 (09-05-22).txt Typ skanowania: Pełne skanowanie (C:\|D:\|) Przeskanowano obiektów: 159814 Upłynęło: 26 minut(y), 14 sekund(y) Zainfekowanych procesów w pamięci: 0 Zainfekowanych modułów w pamięci: 0 Zainfekowanych kluczy rejestru: 1 Zainfekowanych wartości rejestru: 1 Zainfekowane informacje rejestru systemowego: 4 Zainfekowanych folderów: 0 Zainfekowanych plików: 0 Zainfekowanych procesów w pamięci: (Nie znaleziono zagrożeń) Zainfekowanych modułów w pamięci: (Nie znaleziono zagrożeń) Zainfekowanych kluczy rejestru: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\conime.exe (Security.Hijack) -> Quarantined and deleted successfully. Zainfekowanych wartości rejestru: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\disableconfig (Windows.Tool.Disabled) -> Delete on reboot. Zainfekowane informacje rejestru systemowego: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe C:\WINDOWS\Config\csrss.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully. Zainfekowanych folderów: (Nie znaleziono zagrożeń) Zainfekowanych plików: (Nie znaleziono zagrożeń)

Kod: Zaznacz wszystko: GMER 1.0.15.15281 - http://www.gmer.net Rootkit scan 2010-04-15 10:41:05 Windows 5.1.2600 Dodatek Service Pack 3 Running: GMER 1.0.15.15281.exe; Driver: C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp\pxtdipow.sys ---- Kernel code sections - GMER 1.0.15 ---- ? qkpuv.sys Nie można odnaleźć określonego pliku. ! ---- User code sections - GMER 1.0.15 ---- .text C:\Program Files\Mozilla Firefox\firefox.exe[444] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation) .text C:\WINDOWS\system32\svchost.exe[1096] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes JMP 01C19DC4 .text C:\WINDOWS\system32\svchost.exe[1096] NETAPI32.dll!NetpwPathCanonicalize 6FF4A3A9 5 Bytes JMP 01C19D64 .text C:\WINDOWS\system32\svchost.exe[1164] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes JMP 00699DC4 ---- Devices - GMER 1.0.15 ---- AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 hotcore3.sys (Hotbackup helper driver/Paragon Software Group) AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 hotcore3.sys (Hotbackup helper driver/Paragon Software Group) ---- Services - GMER 1.0.15 ---- Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] blowzx <-- ROOTKIT !!! ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\blowzx@DisplayName Manager Microsoft Reg HKLM\SYSTEM\CurrentControlSet\Services\blowzx@Type 32 Reg HKLM\SYSTEM\CurrentControlSet\Services\blowzx@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\Services\blowzx@ErrorControl 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\blowzx@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs Reg HKLM\SYSTEM\CurrentControlSet\Services\blowzx@ObjectName LocalSystem Reg HKLM\SYSTEM\CurrentControlSet\Services\blowzx@Description Zapewnia us?ugi translacji adres?w sieciowych, adresowania, rozpoznawania nazw i/lub blokowania dost?pu intruz?w wszystkim komputerom w sieci domowej lub biurowej. Reg HKLM\SYSTEM\CurrentControlSet\Services\blowzx\Parameters Reg HKLM\SYSTEM\CurrentControlSet\Services\blowzx\Parameters@ServiceDll C:\WINDOWS\system32\pnuelbu.dll Reg HKLM\SYSTEM\ControlSet003\Services\blowzx@DisplayName Manager Microsoft Reg HKLM\SYSTEM\ControlSet003\Services\blowzx@Type 32 Reg HKLM\SYSTEM\ControlSet003\Services\blowzx@Start 2 Reg HKLM\SYSTEM\ControlSet003\Services\blowzx@ErrorControl 0 Reg HKLM\SYSTEM\ControlSet003\Services\blowzx@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs Reg HKLM\SYSTEM\ControlSet003\Services\blowzx@ObjectName LocalSystem Reg HKLM\SYSTEM\ControlSet003\Services\blowzx@Description Zapewnia us?ugi translacji adres?w sieciowych, adresowania, rozpoznawania nazw i/lub blokowania dost?pu intruz?w wszystkim komputerom w sieci domowej lub biurowej. Reg HKLM\SYSTEM\ControlSet003\Services\blowzx\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\blowzx\Parameters@ServiceDll C:\WINDOWS\system32\pnuelbu.dll Reg HKLM\SOFTWARE\Classes\CLSID\{255A4117-438D-1750-1B61-56F6C9A07B3E}\InProcServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{255A4117-438D-1750-1B61-56F6C9A07B3E}\InProcServer32@oamikgjlhamilhbpcginckjgdlpmbp 0x69 0x61 0x6A 0x66 ... Reg HKLM\SOFTWARE\Classes\CLSID\{255A4117-438D-1750-1B61-56F6C9A07B3E}\InProcServer32@namiagpnmilldeoeapeihjbnejac 0x69 0x61 0x6A 0x66 ... ---- Disk sectors - GMER 1.0.15 ---- Disk \Device\Harddisk0\DR0 sector 62: copy of MBR ---- Files - GMER 1.0.15 ---- File C:\Documents and Settings\Administrator\Ustawienia lokalne\Temporary Internet Files\Content.IE5\6T5QM0VH\rm3rdPartyCaseSearchAction[2].htm 0 bytes ---- EOF - GMER 1.0.15 ----

**Posty:** 18165 · przez **wojtas** 15 Kwi 2010, 11:10

uruchom Avenger'a

Wklej do okienka programu

Files to delete:
C:\WINDOWS\system32\drivers\qkpuv.sys
C:\WINDOWS\system32\pnuelbu.dll
C:\WINDOWS\system32\drivers\blowzx.sys

Drivers to unload:
blowzx
qkpuv

Registry keys to delete:
HKLM\SYSTEM\CurrentControlSet\Services\blowzx
HKLM\SYSTEM\ControlSet003\Services\blowzx

Klikasz Execute,

wklejasz na forum raport: C:\avenger.txt + Gmer + z combofixa

**Posty:** 43 · przez **pasta271** 15 Kwi 2010, 13:34

Kod: Zaznacz wszystko: Logfile of The Avenger Version 2.0, (c) by Swandog46 http://swandog46.geekstogo.com Platform: Windows XP ******************* Script file opened successfully. Script file read successfully. Backups directory opened successfully at C:\Avenger ******************* Beginning to process script file: Rootkit scan active. No rootkits found! Error: file "C:\WINDOWS\system32\qkpuv.sys" not found! Deletion of file "C:\WINDOWS\system32\qkpuv.sys" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist File "C:\WINDOWS\system32\pnuelbu.dll" deleted successfully. Error: file "C:\WINDOWS\system32\blowzx.sys" not found! Deletion of file "C:\WINDOWS\system32\blowzx.sys" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist Driver "blowzx" deleted successfully. Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\qkpuv" not found! Deletion of driver "qkpuv" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist Error: registry key "HKLM\SYSTEM\CurrentControlSet\Services\blowzx" not found! Deletion of registry key "HKLM\SYSTEM\CurrentControlSet\Services\blowzx" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist Registry key "HKLM\SYSTEM\ControlSet003\Services\blowzx" deleted successfully. Completed script processing. ******************* Finished! Terminate.

Kod: Zaznacz wszystko: GMER 1.0.15.15281 - http://www.gmer.net Rootkit scan 2010-04-15 13:30:07 Windows 5.1.2600 Dodatek Service Pack 3 Running: GMER 1.0.15.15281.exe; Driver: C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp\pxtdipow.sys ---- Kernel code sections - GMER 1.0.15 ---- ? Combo-Fix.sys Nie można odnaleźć określonego pliku. ! ? C:\ComboFix\catchme.sys System nie może odnaleźć określonej ścieżki. ! ? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS Nie można odnaleźć określonego pliku. ! ---- User code sections - GMER 1.0.15 ---- .text C:\Program Files\Mozilla Firefox\firefox.exe[3996] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation) ---- Devices - GMER 1.0.15 ---- AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 hotcore3.sys (Hotbackup helper driver/Paragon Software Group) AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 hotcore3.sys (Hotbackup helper driver/Paragon Software Group) ---- Registry - GMER 1.0.15 ---- Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS@StateIndex 1 Reg HKLM\SOFTWARE\Classes\CLSID\{255A4117-438D-1750-1B61-56F6C9A07B3E}\InProcServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{255A4117-438D-1750-1B61-56F6C9A07B3E}\InProcServer32@oamikgjlhamilhbpcginckjgdlpmbp 0x69 0x61 0x6A 0x66 ... Reg HKLM\SOFTWARE\Classes\CLSID\{255A4117-438D-1750-1B61-56F6C9A07B3E}\InProcServer32@namiagpnmilldeoeapeihjbnejac 0x69 0x61 0x6A 0x66 ... ---- Disk sectors - GMER 1.0.15 ---- Disk \Device\Harddisk0\DR0 sector 62: copy of MBR ---- EOF - GMER 1.0.15 ----

Kod: Zaznacz wszystko: ComboFix 10-04-14.01 - Administrator 2010-04-15 11:45:37.1.1 - x86 Microsoft Windows XP Professional 5.1.2600.3.1250.48.1045.18.503.324 [GMT 2:00] Uruchomiony z: D:\ComboFix.exe * Utworzono nowy punkt przywracania . ((((((((((((((((((((((((((((((((((((((( Usunięto ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\All Users\Dane aplikacji\Spybot - Search & Destroy\Recovery\CnsMin.zip c:\program files\INSTALL.LOG c:\windows\d.ini . ((((((((((((((((((((((((((((((((((((((( Sterowniki/Usługi ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Service_WinDriver ((((((((((((((((((((((((( Pliki utworzone od 2010-03-15 do 2010-04-15 ))))))))))))))))))))))))))))))) . 2010-04-15 06:06 . 2010-04-07 13:28 253952 ----a-w- c:\documents and settings\Administrator\Dane aplikacji\Mozilla\Firefox\Profiles\17ay7ofx.default\extensions\ietab@ip.cn\plugins\npCoralIETab.dll 2010-04-15 06:04 . 2010-04-15 06:04 -------- d-----w- c:\documents and settings\Administrator\Dane aplikacji\Malwarebytes 2010-04-15 06:04 . 2010-03-29 22:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-04-15 06:04 . 2010-04-15 06:04 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\Malwarebytes 2010-04-15 06:04 . 2010-04-15 06:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-04-15 06:04 . 2010-03-29 22:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-04-14 08:29 . 2010-04-14 07:59 77312 ----a-w- C:\mbr.exe 2010-04-13 06:14 . 2010-04-13 06:14 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\ESET 2010-04-13 06:05 . 2010-04-13 06:05 -------- d-----w- c:\documents and settings\Administrator\Dane aplikacji\Auslogics 2010-04-13 06:04 . 2010-04-13 06:04 -------- d-----w- c:\program files\Auslogics 2010-03-23 08:41 . 2010-03-23 08:46 -------- d-----w- C:\pendriver_3 . (((((((((((((((((((((((((((((((((((((((( Sekcja Find3M )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-04-15 09:18 . 2007-06-19 11:21 -------- d-----w- c:\program files\Mozilla Thunderbird 2010-04-15 07:26 . 2006-02-09 09:39 -------- d-----w- c:\documents and settings\Administrator\Dane aplikacji\OpenOffice.ux.pl2 2010-04-14 06:04 . 2010-04-14 06:04 298 ----a-w- c:\program files\ojfrw.txt 2010-04-13 06:49 . 2008-02-14 07:35 -------- d-----w- c:\documents and settings\Administrator\Dane aplikacji\SUPERAntiSpyware.com 2010-04-12 10:50 . 2007-09-03 09:40 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\Spybot - Search & Destroy 2010-04-12 10:45 . 2007-09-03 09:40 -------- d-----w- c:\program files\Spybot - Search & Destroy 2010-04-02 10:44 . 2009-08-06 08:32 -------- d-----w- c:\documents and settings\Administrator\Dane aplikacji\Download Manager 2010-03-29 05:00 . 2004-08-04 12:00 79386 ----a-w- c:\windows\system32\perfc015.dat 2010-03-29 05:00 . 2004-08-04 12:00 457230 ----a-w- c:\windows\system32\perfh015.dat 2010-03-24 09:13 . 2007-07-03 10:35 -------- d-----w- c:\documents and settings\Administrator\Dane aplikacji\uTorrent 2010-03-18 06:05 . 2007-07-05 07:42 -------- d-----w- c:\program files\uTorrent 2010-02-02 12:18 . 2010-02-02 12:18 902432 ----a-w- c:\windows\system32\drivers\tdrpm251.sys 2010-02-02 12:18 . 2007-11-07 10:06 570016 ----a-w- c:\windows\system32\drivers\timntr.sys 2007-03-19 19:13 . 2007-09-14 06:50 6422611 ----a-w- c:\program files\frostwire-4.13.1.6.windows.exe . ((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-20 149280] "conime.exe"="conime.exe" [2008-04-14 27648] [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusOverride"=dword:00000001 "FirewallOverride"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager "c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager "c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application "c:\\Program Files\\uTorrent\\uTorrent.exe"= "c:\\Program Files\\Cerberus\\Cerberus.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service "1383:TCP"= 1383:TCP:uhrml R0 hotcore3;hotcore3;c:\windows\system32\drivers\hotcore3.sys [2008-07-22 39472] R1 bbcap;bbcap;c:\windows\system32\drivers\bbcap.sys [2007-10-24 2944] S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\ADMINI~1\USTAWI~1\Temp\SuperAntiSpyware\SASDIFSV.SYS --> c:\docume~1\ADMINI~1\USTAWI~1\Temp\SuperAntiSpyware\SASDIFSV.SYS [?] S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?] S3 cpuz130;cpuz130;\??\c:\docume~1\ADMINI~1\USTAWI~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\ADMINI~1\USTAWI~1\Temp\cpuz130\cpuz_x32.sys [?] S3 idedrive;idedrive;\??\c:\docume~1\ADMINI~1\USTAWI~1\Temp\_tc\idedrive.sys --> c:\docume~1\ADMINI~1\USTAWI~1\Temp\_tc\idedrive.sys [?] S3 jgigp;jgigp;\??\c:\windows\system32\0A.tmp --> c:\windows\system32\0A.tmp [?] S3 PortTalk;PortTalk;c:\windows\system32\drivers\PortTalk.sys [2007-11-07 3567] S3 SASENUM;SASENUM;\??\c:\docume~1\ADMINI~1\USTAWI~1\Temp\SuperAntiSpyware\SASENUM.SYS --> c:\docume~1\ADMINI~1\USTAWI~1\Temp\SuperAntiSpyware\SASENUM.SYS [?] S3 TPP200;USB Storage Adapter V2 (TPP);c:\windows\system32\drivers\TPP200.SYS [2007-07-23 35541] S3 wfmvrukg;wfmvrukg;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?] S4 sshd;CYGWIN sshd;c:\cygwin\bin\cygrunsrv.exe [2007-07-12 43008] HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs mrenvp blowzx . . ------- Skan uzupełniający ------- . uStart Page = hxxp://eu.eservice.asus.com/pf/Login1.do TCP: {7161D6C3-80D1-438B-9C4A-74658876F67F} = 194.204.159.1,194.204.152.34 FF - ProfilePath - c:\documents and settings\Administrator\Dane aplikacji\Mozilla\Firefox\Profiles\17ay7ofx.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.google.pl/ FF - plugin: c:\documents and settings\Administrator\Dane aplikacji\Mozilla\Firefox\Profiles\17ay7ofx.default\extensions\ietab@ip.cn\plugins\npCoralIETab.dll ---- FIREFOX - SPOSÓB POSTĘPOWANIA ---- c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32); c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5); c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", ""); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false); c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600); c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com"); c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20); . - - - - USUNIĘTO PUSTE WPISY - - - - MSConfigStartUp-nod32kui - c:\program files\Eset\nod32kui.exe ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-04-15 11:50 Windows 5.1.2600 Dodatek Service Pack 3 NTFS skanowanie ukrytych procesów ... skanowanie ukrytych wpisów autostartu ... skanowanie ukrytych plików ... c:\windows\system32\wuaueng.dll.wusetup.111625.bak 1809944 bytes executable skanowanie pomyślnie ukończone ukryte pliki: 1 ************************************************************************** [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\jgigp] "ImagePath"="\??\c:\windows\system32\0A.tmp" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wfmvrukg] "ImagePath"="\??\c:\windows\system32\01.tmp" . --------------------- ZABLOKOWANE KLUCZE REJESTRU --------------------- [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{255A4117-438D-1750-1B61-56F6C9A07B3E}\InProcServer32*] "oamikgjlhamilhbpcginckjgdlpmbp"=hex:69,61,6a,66,6a,69,6a,6a,70,65,6f,67,6b,6e, 64,6b,64,65,00,00 "namiagpnmilldeoeapeihjbnejac"=hex:69,61,6a,66,6a,69,6a,6a,70,65,6f,67,6b,6e, 64,6b,64,65,00,00 [HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\ACPI\PNP0F03\4&35f762c4&0\LogConf] @DACL=(02 0000) "BasicConfigVector"=hex(a):48,00,00,00,0f,00,00,00,00,00,00,00,00,00,00,00,00, 00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,01,00,01,00,01,00,00,00,00,02,\ "BootConfig"=hex(8):01,00,00,00,0f,00,00,00,00,00,00,00,01,00,01,00,01,00,00, 00,02,01,01,00,0c,00,00,00,0c,00,00,00,ff,ff,ff,ff . ------------------------ Pozostałe uruchomione procesy ------------------------ . c:\program files\Java\jre6\bin\jqs.exe c:\program files\Microsoft ActiveSync\wcescomm.exe c:\progra~1\MICROS~2\rapimgr.exe . ************************************************************************** . Czas ukończenia: 2010-04-15 11:54:23 - komputer został uruchomiony ponownie ComboFix-quarantined-files.txt 2010-04-15 09:54 Przed: 6 337 945 600 bajtów wolnych Po: 6 214 295 552 bajtów wolnych WindowsXP-KB310994-SP2-Pro-BootDisk-PLK.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect - - End Of File - - CD45EE2CC1AA8E2FB88C4F77D1ADA0CE

**Posty:** 18165 · przez **wojtas** 15 Kwi 2010, 13:44

Otworz notatnik i wklej w nim to:

Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\jgigp]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wfmvrukg]

NetSvc::
mrenvp
blowzx

Driver::
jgigp
wfmvrukg

>>Plik>>Zapisz jako... >>> CFScript
Przeciągnij i upuść plik CFScript.txt na plik ComboFix.exe
-->

Rozpocznie się usuwanie i powstanie log daj go.

**Posty:** 43 · przez **pasta271** 15 Kwi 2010, 14:12

Kod: Zaznacz wszystko: ComboFix 10-04-14.01 - Administrator 2010-04-15 14:02:25.2.1 - x86 Microsoft Windows XP Professional 5.1.2600.3.1250.48.1045.18.503.305 [GMT 2:00] Uruchomiony z: c:\documents and settings\Administrator\Pulpit\ComboFix.exe Użyto następujących komend :: c:\documents and settings\Administrator\Pulpit\CFScript.txt . ((((((((((((((((((((((((( Pliki utworzone od 2010-03-15 do 2010-04-15 ))))))))))))))))))))))))))))))) . 2010-04-15 09:51 . 2010-04-15 09:54 -------- d-----w- c:\windows\LastGood 2010-04-15 06:06 . 2010-04-07 13:28 253952 ----a-w- c:\documents and settings\Administrator\Dane aplikacji\Mozilla\Firefox\Profiles\17ay7ofx.default\extensions\ietab@ip.cn\plugins\npCoralIETab.dll 2010-04-15 06:04 . 2010-04-15 06:04 -------- d-----w- c:\documents and settings\Administrator\Dane aplikacji\Malwarebytes 2010-04-15 06:04 . 2010-03-29 22:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-04-15 06:04 . 2010-04-15 06:04 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\Malwarebytes 2010-04-15 06:04 . 2010-04-15 06:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-04-15 06:04 . 2010-03-29 22:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-04-14 08:29 . 2010-04-14 07:59 77312 ----a-w- C:\mbr.exe 2010-04-13 06:14 . 2010-04-13 06:14 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\ESET 2010-04-13 06:05 . 2010-04-13 06:05 -------- d-----w- c:\documents and settings\Administrator\Dane aplikacji\Auslogics 2010-04-13 06:04 . 2010-04-13 06:04 -------- d-----w- c:\program files\Auslogics 2010-03-23 08:41 . 2010-03-23 08:46 -------- d-----w- C:\pendriver_3 . (((((((((((((((((((((((((((((((((((((((( Sekcja Find3M )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-04-15 12:00 . 2006-02-09 09:39 -------- d-----w- c:\documents and settings\Administrator\Dane aplikacji\OpenOffice.ux.pl2 2010-04-15 10:07 . 2007-06-19 11:21 -------- d-----w- c:\program files\Mozilla Thunderbird 2010-04-14 06:04 . 2010-04-14 06:04 298 ----a-w- c:\program files\ojfrw.txt 2010-04-13 06:49 . 2008-02-14 07:35 -------- d-----w- c:\documents and settings\Administrator\Dane aplikacji\SUPERAntiSpyware.com 2010-04-12 10:50 . 2007-09-03 09:40 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\Spybot - Search & Destroy 2010-04-12 10:45 . 2007-09-03 09:40 -------- d-----w- c:\program files\Spybot - Search & Destroy 2010-04-02 10:44 . 2009-08-06 08:32 -------- d-----w- c:\documents and settings\Administrator\Dane aplikacji\Download Manager 2010-03-29 05:00 . 2004-08-04 12:00 79386 ----a-w- c:\windows\system32\perfc015.dat 2010-03-29 05:00 . 2004-08-04 12:00 457230 ----a-w- c:\windows\system32\perfh015.dat 2010-03-24 09:13 . 2007-07-03 10:35 -------- d-----w- c:\documents and settings\Administrator\Dane aplikacji\uTorrent 2010-03-18 06:05 . 2007-07-05 07:42 -------- d-----w- c:\program files\uTorrent 2010-02-02 12:18 . 2010-02-02 12:18 902432 ----a-w- c:\windows\system32\drivers\tdrpm251.sys 2010-02-02 12:18 . 2007-11-07 10:06 570016 ----a-w- c:\windows\system32\drivers\timntr.sys 2007-03-19 19:13 . 2007-09-14 06:50 6422611 ----a-w- c:\program files\frostwire-4.13.1.6.windows.exe . ((((((((((((((((((((((((((((( SnapShot@2010-04-15_09.50.29 ))))))))))))))))))))))))))))))))))))))))) . + 2006-02-09 08:30 . 2009-08-06 17:24 53472 c:\windows\system32\wuauclt.exe + 2010-04-15 09:51 . 2009-08-06 17:24 44768 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.4.7600.226\wups2.dll + 2010-04-15 09:51 . 2009-08-06 17:24 35552 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.4.7600.226\wups.dll + 2006-02-09 08:30 . 2009-08-06 17:24 53472 c:\windows\system32\dllcache\wuauclt.exe + 2004-08-04 12:00 . 2009-08-06 17:24 96480 c:\windows\system32\dllcache\cdm.dll + 2010-04-15 09:51 . 2008-10-16 13:09 43544 c:\windows\LastGood\system32\wups2.dll + 2010-04-15 09:51 . 2008-10-16 13:08 34328 c:\windows\LastGood\system32\wups.dll + 2010-04-15 09:51 . 2008-10-16 13:09 51224 c:\windows\LastGood\system32\wuauclt.exe + 2010-04-15 09:51 . 2008-10-16 13:09 92696 c:\windows\LastGood\system32\cdm.dll + 2006-02-09 08:30 . 2009-08-06 17:24 209632 c:\windows\system32\wuweb.dll + 2006-02-09 08:30 . 2009-08-06 17:24 327896 c:\windows\system32\wucltui.dll + 2006-02-09 08:30 . 2009-08-06 17:23 575704 c:\windows\system32\wuapi.dll + 2006-02-09 08:30 . 2009-08-06 17:24 209632 c:\windows\system32\dllcache\wuweb.dll + 2006-02-09 08:30 . 2009-08-06 17:24 327896 c:\windows\system32\dllcache\wucltui.dll + 2006-02-09 08:30 . 2009-08-06 17:23 575704 c:\windows\system32\dllcache\wuapi.dll + 2010-04-15 09:51 . 2008-10-16 13:12 202776 c:\windows\LastGood\system32\wuweb.dll + 2010-04-15 09:51 . 2008-10-16 13:12 323608 c:\windows\LastGood\system32\wucltui.dll + 2010-04-15 09:51 . 2008-10-16 13:12 561688 c:\windows\LastGood\system32\wuapi.dll + 2006-02-09 08:30 . 2009-08-06 17:23 1929952 c:\windows\system32\wuaueng.dll + 2006-02-09 08:30 . 2009-08-06 17:23 1929952 c:\windows\system32\dllcache\wuaueng.dll + 2010-04-15 09:51 . 2008-10-16 13:13 1809944 c:\windows\LastGood\system32\wuaueng.dll . ((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-20 149280] "conime.exe"="conime.exe" [2008-04-14 27648] [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusOverride"=dword:00000001 "FirewallOverride"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager "c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager "c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application "c:\\Program Files\\uTorrent\\uTorrent.exe"= "c:\\Program Files\\Cerberus\\Cerberus.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service "1383:TCP"= 1383:TCP:uhrml R0 hotcore3;hotcore3;c:\windows\system32\drivers\hotcore3.sys [2008-07-22 39472] R1 bbcap;bbcap;c:\windows\system32\drivers\bbcap.sys [2007-10-24 2944] S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\ADMINI~1\USTAWI~1\Temp\SuperAntiSpyware\SASDIFSV.SYS --> c:\docume~1\ADMINI~1\USTAWI~1\Temp\SuperAntiSpyware\SASDIFSV.SYS [?] S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?] S3 cpuz130;cpuz130;\??\c:\docume~1\ADMINI~1\USTAWI~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\ADMINI~1\USTAWI~1\Temp\cpuz130\cpuz_x32.sys [?] S3 idedrive;idedrive;\??\c:\docume~1\ADMINI~1\USTAWI~1\Temp\_tc\idedrive.sys --> c:\docume~1\ADMINI~1\USTAWI~1\Temp\_tc\idedrive.sys [?] S3 PortTalk;PortTalk;c:\windows\system32\drivers\PortTalk.sys [2007-11-07 3567] S3 SASENUM;SASENUM;\??\c:\docume~1\ADMINI~1\USTAWI~1\Temp\SuperAntiSpyware\SASENUM.SYS --> c:\docume~1\ADMINI~1\USTAWI~1\Temp\SuperAntiSpyware\SASENUM.SYS [?] S3 TPP200;USB Storage Adapter V2 (TPP);c:\windows\system32\drivers\TPP200.SYS [2007-07-23 35541] S4 sshd;CYGWIN sshd;c:\cygwin\bin\cygrunsrv.exe [2007-07-12 43008] --- Inne Usługi/Sterowniki w Pamięci --- *Deregistered* - pxtdipow . . ------- Skan uzupełniający ------- . uStart Page = hxxp://eu.eservice.asus.com/pf/Login1.do TCP: {7161D6C3-80D1-438B-9C4A-74658876F67F} = 194.204.159.1,194.204.152.34 FF - ProfilePath - c:\documents and settings\Administrator\Dane aplikacji\Mozilla\Firefox\Profiles\17ay7ofx.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.google.pl/ FF - plugin: c:\documents and settings\Administrator\Dane aplikacji\Mozilla\Firefox\Profiles\17ay7ofx.default\extensions\ietab@ip.cn\plugins\npCoralIETab.dll ---- FIREFOX - SPOSÓB POSTĘPOWANIA ---- c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32); c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5); c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", ""); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false); c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600); c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com"); c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20); . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-04-15 14:06 Windows 5.1.2600 Dodatek Service Pack 3 NTFS skanowanie ukrytych procesów ... skanowanie ukrytych wpisów autostartu ... skanowanie ukrytych plików ... skanowanie pomyślnie ukończone ukryte pliki: 0 ************************************************************************** . --------------------- ZABLOKOWANE KLUCZE REJESTRU --------------------- [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{255A4117-438D-1750-1B61-56F6C9A07B3E}\InProcServer32*] "oamikgjlhamilhbpcginckjgdlpmbp"=hex:69,61,6a,66,6a,69,6a,6a,70,65,6f,67,6b,6e, 64,6b,64,65,00,00 "namiagpnmilldeoeapeihjbnejac"=hex:69,61,6a,66,6a,69,6a,6a,70,65,6f,67,6b,6e, 64,6b,64,65,00,00 [HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\ACPI\PNP0F03\4&35f762c4&0\LogConf] @DACL=(02 0000) "BasicConfigVector"=hex(a):48,00,00,00,0f,00,00,00,00,00,00,00,00,00,00,00,00, 00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,01,00,01,00,01,00,00,00,00,02,\ "BootConfig"=hex(8):01,00,00,00,0f,00,00,00,00,00,00,00,01,00,01,00,01,00,00, 00,02,01,01,00,0c,00,00,00,0c,00,00,00,ff,ff,ff,ff . Czas ukończenia: 2010-04-15 14:08:34 ComboFix-quarantined-files.txt 2010-04-15 12:08 ComboFix2.txt 2010-04-15 09:54 Przed: 6 010 564 608 bajtów wolnych Po: 5 994 176 512 bajtów wolnych - - End Of File - - CEACF8012E0F00379CA2A3CFD57A7D7B

**Posty:** 18165 · przez **wojtas** 15 Kwi 2010, 15:47

1.daj jeszcze loga z OTL ale po wykonaniu tych czynnośći

2. wykonaj optymalizację windowsa
3.Wyłącz przywracanie systemu ( właściwości mój komputer-zakładka przywracanie - wyłącz przywracanie na wszystkich dyskach). Po chwili włącz je powrotem
4. zrób skan Malwarebytes Anti-Malware (zaktualizuj, usuń co znajdzie ) i jak coś znajdzie pokaż w następnym poście

Zaktualizuj zabezpieczenia:
>>> Adobe Reader 9.3
>>> Internet Explorer 8
>>> Java™ 6 Update 19

i jesz

**Posty:** 43 · przez **pasta271** 19 Kwi 2010, 11:38

Kod: Zaznacz wszystko: OTL logfile created on: 2010-04-19 11:31:39 - Run 2 OTL by OldTimer - Version 3.2.1.1 Folder = D:\_ Windows XP Professional Edition Dodatek Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation Internet Explorer (Version = 8.0.6001.18702) Locale: 00000415 | Country: Polska | Language: PLK | Date Format: yyyy-MM-dd 503,00 Mb Total Physical Memory | 158,00 Mb Available Physical Memory | 31,00% Memory free 1,00 Gb Paging File | 1,00 Gb Available in Paging File | 70,00% Paging File free Paging file location(s): C:\pagefile.sys 756 1512 [binary data] %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files Drive C: | 18,55 Gb Total Space | 7,18 Gb Free Space | 38,72% Space Free | Partition Type: NTFS Drive D: | 18,71 Gb Total Space | 17,69 Gb Free Space | 94,58% Space Free | Partition Type: NTFS E: Drive not present or media not loaded F: Drive not present or media not loaded G: Drive not present or media not loaded H: Drive not present or media not loaded I: Drive not present or media not loaded Computer Name: TOM Current User Name: Administrator Logged in as Administrator. Current Boot Mode: Normal Scan Mode: All users Company Name Whitelist: Off Skip Microsoft Files: Off File Age = 30 Days Output = Standard [color=#E56717]========== Processes (SafeList) ==========[/color] PRC - [2010-04-13 09:27:06 | 000,561,664 | ---- | M] (OldTimer Tools) -- D:\_\OTL.exe PRC - [2010-04-09 14:06:28 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe PRC - [2010-04-01 07:07:21 | 011,957,424 | ---- | M] (Mozilla Messaging) -- C:\Program Files\Mozilla Thunderbird\thunderbird.exe PRC - [2009-09-09 07:50:00 | 003,514,112 | ---- | M] (Ghisler Software GmbH) -- C:\totalcmd\TOTALCMD.EXE PRC - [2008-04-14 19:21:16 | 001,035,264 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe PRC - [2006-11-13 16:57:16 | 001,289,000 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\wcescomm.exe PRC - [2006-11-13 16:57:06 | 000,199,464 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\rapimgr.exe PRC - [2005-10-28 13:49:46 | 000,565,248 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.ux.pl 2.0\program\soffice.bin PRC - [2005-10-28 13:49:46 | 000,434,176 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.ux.pl 2.0\program\soffice.exe [color=#E56717]========== Modules (SafeList) ==========[/color] MOD - [2010-04-13 09:27:06 | 000,561,664 | ---- | M] (OldTimer Tools) -- D:\_\OTL.exe [color=#E56717]========== Win32 Services (SafeList) ==========[/color] SRV - [2009-01-07 18:21:32 | 000,026,144 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\WINDOWS\system32\spupdsvc.exe -- (spupdsvc) SRV - [2008-03-03 11:44:39 | 000,045,056 | ---- | M] () [Disabled | Stopped] -- C:\WINDOWS\system32\UTSCSI.EXE -- (UTSCSI) SRV - [2006-06-19 11:43:56 | 000,043,008 | ---- | M] () [Disabled | Stopped] -- C:\cygwin\bin\cygrunsrv.exe -- (sshd) SRV - [2005-11-14 02:06:04 | 000,069,632 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe -- (IDriverT) SRV - [2003-08-01 18:28:24 | 000,474,624 | ---- | M] (Constantin Kaplinsky) [Disabled | Stopped] -- C:\Program Files\Tight\WinVNC.exe -- (winvnc) SRV - [2002-09-20 17:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) [Disabled | Stopped] -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- (SoundMAX Agent Service (default)) [color=#E56717]========== Driver Services (SafeList) ==========[/color] DRV - [2007-11-02 11:09:58 | 000,039,472 | ---- | M] (Paragon Software Group) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\hotcore3.sys -- (hotcore3) DRV - [2007-10-24 14:02:22 | 000,002,944 | ---- | M] (Windows (R) 2000 DDK provider) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\bbcap.sys -- (bbcap) DRV - [2002-01-12 16:30:34 | 000,003,567 | ---- | M] (Beyond Logic http://www.beyondlogic.org) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PortTalk.sys -- (PortTalk) DRV - [2001-10-05 05:54:28 | 000,035,541 | R--- | M] (In-System Design, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\TPP200.SYS -- (TPP200) USB Storage Adapter V2 (TPP) [color=#E56717]========== Standard Registry (SafeList) ==========[/color] [color=#E56717]========== Internet Explorer ==========[/color] IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-21-220523388-1303643608-839522115-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://eu.eservice.asus.com/pf/Login1.do IE - HKU\S-1-5-21-220523388-1303643608-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 [color=#E56717]========== FireFox ==========[/color] FF - prefs.js..browser.startup.homepage: "http://www.google.pl/" FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.1.3 FF - prefs.js..extensions.enabledItems: bettergmail2@ginatrapani.org:1.1.1 FF - prefs.js..extensions.enabledItems: {04b56b3f-c4f4-48ba-9ea1-30e04fb7d829}:2.6.20091103 FF - prefs.js..extensions.enabledItems: {63df8e21-711c-4074-a257-b065cadc28d8}:1.9.3 FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0 FF - prefs.js..extensions.enabledItems: {9669CC8F-B388-42FE-86F4-CB5E7F5A8BDC}:6.0.4 FF - prefs.js..extensions.enabledItems: noia2_option@kk.noia:3.76 FF - prefs.js..extensions.enabledItems: {37E4D8EA-8BDA-4831-8EA1-89053939A250}:3.0.0.1 FF - prefs.js..extensions.enabledItems: {53A03D43-5363-4669-8190-99061B2DEBA5}:1.3.7 FF - prefs.js..extensions.enabledItems: scrapbookplus@addons.mozilla.org:1.8.17.30 FF - prefs.js..extensions.enabledItems: {1280606b-2510-4fe0-97ef-9b5a22eafe30}:0.6.7.4 FF - prefs.js..extensions.enabledItems: SkipScreen@SkipScreen:0.4.7amo FF - prefs.js..extensions.enabledItems: ietab@ip.cn:1.85.20100407 FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20 FF - prefs.js..extensions.enabledItems: chromifox@altmusictv.com:3.6.5 FF - prefs.js..extensions.enabledItems: {6E1A2A2E-AE2A-4A26-A812-46F54288379E}:3.6.0 FF - prefs.js..extensions.enabledItems: {9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e}:3.76 FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010-04-09 14:06:40 | 000,000,000 | ---D | M] FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010-04-19 10:49:41 | 000,000,000 | ---D | M] FF - HKLM\software\mozilla\Mozilla Thunderbird 3.0.4\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2010-04-01 07:07:25 | 000,000,000 | ---D | M] FF - HKLM\software\mozilla\Mozilla Thunderbird 3.0.4\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins [2010-02-11 09:49:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Dane aplikacji\Mozilla\Extensions [2010-02-11 09:49:44 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Dane aplikacji\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6} [2010-04-19 10:52:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Dane aplikacji\Mozilla\Firefox\Profiles\17ay7ofx.default\extensions [2009-11-24 08:03:18 | 000,000,000 | ---D | M] (Custom Download Manager) -- C:\Documents and Settings\Administrator\Dane aplikacji\Mozilla\Firefox\Profiles\17ay7ofx.default\extensions\{04b56b3f-c4f4-48ba-9ea1-30e04fb7d829} [2009-12-09 08:05:39 | 000,000,000 | ---D | M] (Session Manager) -- C:\Documents and Settings\Administrator\Dane aplikacji\Mozilla\Firefox\Profiles\17ay7ofx.default\extensions\{1280606b-2510-4fe0-97ef-9b5a22eafe30} [2009-01-07 08:26:20 | 000,000,000 | ---D | M] (Abstract Classic) -- C:\Documents and Settings\Administrator\Dane aplikacji\Mozilla\Firefox\Profiles\17ay7ofx.default\extensions\{2fbc1200-ad13-11db-abbd-0800200c9a66} [2009-10-21 06:59:54 | 000,000,000 | ---D | M] (PDF Download) -- C:\Documents and Settings\Administrator\Dane aplikacji\Mozilla\Firefox\Profiles\17ay7ofx.default\extensions\{37E4D8EA-8BDA-4831-8EA1-89053939A250} [2010-03-18 08:02:01 | 000,000,000 | ---D | M] (Flashblock) -- C:\Documents and Settings\Administrator\Dane aplikacji\Mozilla\Firefox\Profiles\17ay7ofx.default\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a} [2010-03-31 07:00:57 | 000,000,000 | ---D | M] (ScrapBook) -- C:\Documents and Settings\Administrator\Dane aplikacji\Mozilla\Firefox\Profiles\17ay7ofx.default\extensions\{53A03D43-5363-4669-8190-99061B2DEBA5} [2009-01-07 08:26:21 | 000,000,000 | ---D | M] (CuteMenus - Crystal SVG) -- C:\Documents and Settings\Administrator\Dane aplikacji\Mozilla\Firefox\Profiles\17ay7ofx.default\extensions\{63df8e21-711c-4074-a257-b065cadc28d8} [2010-03-25 08:00:17 | 000,000,000 | ---D | M] (Full Flat) -- C:\Documents and Settings\Administrator\Dane aplikacji\Mozilla\Firefox\Profiles\17ay7ofx.default\extensions\{6E1A2A2E-AE2A-4A26-A812-46F54288379E} [2009-12-15 08:09:54 | 000,000,000 | ---D | M] (MR Tech Toolkit) -- C:\Documents and Settings\Administrator\Dane aplikacji\Mozilla\Firefox\Profiles\17ay7ofx.default\extensions\{9669CC8F-B388-42FE-86F4-CB5E7F5A8BDC} [2010-02-24 08:01:31 | 000,000,000 | ---D | M] (Noia 2.0 (eXtreme)) -- C:\Documents and Settings\Administrator\Dane aplikacji\Mozilla\Firefox\Profiles\17ay7ofx.default\extensions\{9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e} [2010-01-08 07:58:37 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\Administrator\Dane aplikacji\Mozilla\Firefox\Profiles\17ay7ofx.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} [2010-03-31 07:00:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Dane aplikacji\Mozilla\Firefox\Profiles\17ay7ofx.default\extensions\bettergmail2@ginatrapani.org [2010-04-15 08:05:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Dane aplikacji\Mozilla\Firefox\Profiles\17ay7ofx.default\extensions\chromifox@altmusictv.com [2010-04-15 08:06:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Dane aplikacji\Mozilla\Firefox\Profiles\17ay7ofx.default\extensions\ietab@ip.cn [2010-02-24 08:01:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Dane aplikacji\Mozilla\Firefox\Profiles\17ay7ofx.default\extensions\noia2_option@kk.noia [2010-04-15 09:24:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Dane aplikacji\Mozilla\Firefox\Profiles\17ay7ofx.default\extensions\scrapbookplus@addons.mozilla.org [2010-03-25 08:01:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Dane aplikacji\Mozilla\Firefox\Profiles\17ay7ofx.default\extensions\SkipScreen@SkipScreen [2010-04-19 10:52:03 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions [2010-04-19 10:49:43 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} [2010-04-12 17:29:19 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll [2010-04-09 14:06:33 | 000,002,767 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\allegro-pl.xml [2010-04-09 14:06:33 | 000,001,406 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\fbc-pl.xml [2010-04-09 14:06:33 | 000,000,917 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\merlin-pl.xml [2010-04-09 14:06:33 | 000,000,858 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\pwn-pl.xml [2010-04-09 14:06:33 | 000,001,183 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia-pl.xml [2010-04-09 14:06:33 | 000,001,683 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wp-pl.xml O1 HOSTS File: ([2010-04-15 11:50:16 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts O1 - Hosts: 127.0.0.1 localhost O4 - HKLM..\Run: [conime.exe] C:\WINDOWS\System32\conime.exe (Microsoft Corporation) O4 - HKU\S-1-5-21-220523388-1303643608-839522115-500..\Run: [H/PC Connection Agent] C:\Program Files\Microsoft ActiveSync\wcescomm.exe (Microsoft Corporation) O4 - HKLM..\RunOnce: [KB976002-v5] C:\WINDOWS\system32\browserchoice.exe (Microsoft Corporation) O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323 O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863 O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323 O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863 O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\S-1-5-21-220523388-1303643608-839522115-500\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-21-220523388-1303643608-839522115-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323 O7 - HKU\S-1-5-21-220523388-1303643608-839522115-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863 O7 - HKU\S-1-5-21-220523388-1303643608-839522115-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O9 - Extra Button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll (Microsoft Corporation) O9 - Extra 'Tools' menuitem : Utwórz Ulubione dla urządzenia przenośnego... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll (Microsoft Corporation) O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool) O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab (Reg Error: Key error.) O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} http://test.catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1184741960953 (MUCatalogWebControl Class) O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1235036861609 (WUWebControl Class) O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20) O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20) O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object) O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation) O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation) O24 - Desktop Components:0 (Moja bieżąca strona główna) - About:Home O24 - Desktop WallPaper: C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp O24 - Desktop BackupWallPaper: C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2006-02-09 10:33:00 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ] O34 - HKLM BootExecute: (autocheck autochk *) - File not found O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37 - HKLM\...com [@ = ComFile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* [color=#E56717]========== Files/Folders - Created Within 30 Days ==========[/color] [2010-04-19 10:57:07 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood [2010-04-19 10:52:28 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Administrator\PrivacIE [2010-04-19 10:51:17 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Administrator\IETldCache [2010-04-19 10:50:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Dane aplikacji\Sun [2010-04-19 10:50:05 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java [2010-04-19 10:49:41 | 000,411,368 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll [2010-04-19 10:49:41 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe [2010-04-19 10:49:41 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe [2010-04-19 10:49:41 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe [2010-04-19 09:22:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Dane aplikacji\Adobe [2010-04-19 08:32:07 | 000,000,000 | ---D | C] -- C:\WINDOWS\ie8updates [2010-04-19 08:29:51 | 000,000,000 | -H-D | C] -- C:\WINDOWS\ie8 [2010-04-19 08:23:28 | 000,000,000 | -HSD | C] -- C:\RECYCLER [2010-04-19 08:12:11 | 000,293,376 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\browserchoice.exe [2010-04-19 08:11:18 | 000,000,000 | -HSD | C] -- C:\Config.Msi [2010-04-19 08:09:49 | 000,353,792 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\srv.sys [2010-04-19 08:09:47 | 000,455,680 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mrxsmb.sys [2010-04-19 08:09:34 | 000,119,808 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\t2embed.dll [2010-04-19 08:09:34 | 000,081,920 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\fontsub.dll [2010-04-19 08:08:51 | 000,471,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\aclayers.dll [2010-04-19 08:08:14 | 003,558,912 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\moviemk.exe [2010-04-19 08:07:02 | 002,191,232 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntoskrnl.exe [2010-04-19 08:07:00 | 002,147,840 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntkrnlmp.exe [2010-04-19 08:07:00 | 002,025,984 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntkrpamp.exe [2010-04-19 08:06:53 | 000,691,712 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\inetcomm.dll [2010-04-19 08:06:52 | 000,331,776 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msadce.dll [2010-04-15 11:57:05 | 000,337,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\netapi32.dll [2010-04-15 11:57:04 | 001,172,480 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msxml3.dll [2010-04-15 11:44:45 | 000,000,000 | RHSD | C] -- C:\cmdcons [2010-04-15 11:41:15 | 000,000,000 | ---D | C] -- C:\Avenger [2010-04-15 08:04:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Dane aplikacji\Malwarebytes [2010-04-15 08:04:04 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys [2010-04-15 08:04:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Dane aplikacji\Malwarebytes [2010-04-15 08:04:01 | 000,020,824 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys [2010-04-15 08:04:01 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware [2010-04-13 11:57:29 | 000,561,664 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Pulpit\OTL.exe [2010-04-13 08:14:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Dane aplikacji\ESET [2010-04-13 08:05:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Dane aplikacji\Auslogics [2010-04-13 08:04:21 | 000,000,000 | ---D | C] -- C:\Program Files\Auslogics [2010-04-12 12:24:17 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe [2010-04-12 12:24:17 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe [2010-04-12 12:24:17 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe [2010-04-12 12:24:17 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe [2010-04-12 12:24:06 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT [2010-04-12 12:23:57 | 000,000,000 | ---D | C] -- C:\Qoobox [2010-03-23 10:41:35 | 000,000,000 | ---D | C] -- C:\pendriver_3 [2008-07-17 12:56:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Ustawienia lokalne\Dane aplikacji\Microsoft [2007-09-14 08:50:30 | 006,422,611 | ---- | C] (FrostWire Group) -- C:\Program Files\frostwire-4.13.1.6.windows.exe [2006-02-09 10:37:08 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Dane aplikacji\Microsoft [2006-02-09 10:36:03 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Dane aplikacji\Microsoft [2006-02-09 10:36:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Ustawienia lokalne\Dane aplikacji\Microsoft [4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ] [25 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ] [color=#E56717]========== Files - Modified Within 30 Days ==========[/color] [2010-04-19 11:10:55 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK [2010-04-19 11:06:21 | 000,000,150 | ---- | M] () -- C:\WINDOWS\System32\spupdsvc.inf [2010-04-19 10:51:41 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl [2010-04-19 10:51:35 | 000,007,134 | ---- | M] () -- C:\WINDOWS\wincmd.ini [2010-04-19 10:51:03 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT [2010-04-19 10:50:59 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat [2010-04-19 10:50:21 | 004,718,592 | -H-- | M] () -- C:\Documents and Settings\Administrator\NTUSER.DAT [2010-04-19 10:50:21 | 000,000,188 | -HS- | M] () -- C:\Documents and Settings\Administrator\ntuser.ini [2010-04-19 09:22:28 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Pulpit\Adobe Reader 9.lnk [2010-04-19 08:12:42 | 000,457,230 | ---- | M] () -- C:\WINDOWS\System32\perfh015.dat [2010-04-19 08:12:42 | 000,079,386 | ---- | M] () -- C:\WINDOWS\System32\perfc015.dat [2010-04-19 08:12:41 | 000,400,624 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat [2010-04-19 08:12:41 | 000,062,286 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat [2010-04-19 08:12:40 | 000,985,922 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI [2010-04-15 14:06:37 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini [2010-04-15 11:50:16 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts [2010-04-15 11:44:49 | 000,000,281 | RHS- | M] () -- C:\boot.ini [2010-04-15 11:43:20 | 003,915,740 | R--- | M] () -- C:\Documents and Settings\Administrator\Pulpit\ComboFix.exe [2010-04-15 08:04:06 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Pulpit\Malwarebytes' Anti-Malware.lnk [2010-04-14 12:07:12 | 000,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini [2010-04-14 09:59:50 | 000,077,312 | ---- | M] () -- C:\mbr.exe [2010-04-14 08:04:36 | 000,000,412 | ---- | M] () -- C:\Documents and Settings\Administrator\Pulpit\Skrót do avenger.exe.lnk [2010-04-14 07:59:48 | 000,000,170 | ---- | M] () -- C:\Documents and Settings\Administrator\Dane aplikacji\kjw.dwq [2010-04-13 09:27:06 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Pulpit\OTL.exe [2010-04-13 08:56:19 | 000,025,019 | ---- | M] () -- C:\Documents and Settings\Administrator\Moje dokumenty\tpa_rozdawanie.ods_0.ods [2010-04-12 17:29:27 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe [2010-04-12 17:29:26 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe [2010-04-12 17:29:25 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe [2010-04-12 17:29:19 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll [2010-04-12 15:19:02 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl [2010-04-12 12:45:09 | 000,000,933 | ---- | M] () -- C:\Documents and Settings\Administrator\Pulpit\Spybot - Search & Destroy.lnk [2010-03-30 00:46:30 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys [2010-03-30 00:45:52 | 000,020,824 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys [4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ] [25 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ] [color=#E56717]========== Files Created - No Company Name ==========[/color] [2010-04-19 11:06:21 | 000,000,150 | ---- | C] () -- C:\WINDOWS\System32\spupdsvc.inf [2010-04-19 09:22:28 | 000,001,729 | ---- | C] () -- C:\Documents and Settings\All Users\Pulpit\Adobe Reader 9.lnk [2010-04-15 13:59:42 | 003,915,740 | R--- | C] () -- C:\Documents and Settings\Administrator\Pulpit\ComboFix.exe [2010-04-15 11:44:49 | 000,000,211 | ---- | C] () -- C:\Boot.bak [2010-04-15 11:44:47 | 000,262,400 | ---- | C] () -- C:\cmldr [2010-04-15 08:04:06 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Pulpit\Malwarebytes' Anti-Malware.lnk [2010-04-14 10:29:53 | 000,077,312 | ---- | C] () -- C:\mbr.exe [2010-04-14 08:04:36 | 000,000,412 | ---- | C] () -- C:\Documents and Settings\Administrator\Pulpit\Skrót do avenger.exe.lnk [2010-04-14 08:04:21 | 000,000,298 | ---- | C] () -- C:\Program Files\ojfrw.txt [2010-04-14 07:59:48 | 000,000,170 | ---- | C] () -- C:\Documents and Settings\Administrator\Dane aplikacji\kjw.dwq [2010-04-13 09:06:24 | 000,025,019 | ---- | C] () -- C:\Documents and Settings\Administrator\Moje dokumenty\tpa_rozdawanie.ods_0.ods [2010-04-12 12:45:09 | 000,000,933 | ---- | C] () -- C:\Documents and Settings\Administrator\Pulpit\Spybot - Search & Destroy.lnk [2010-04-12 12:24:17 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe [2010-04-12 12:24:17 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe [2010-04-12 12:24:17 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe [2010-04-12 12:24:17 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe [2010-04-12 12:24:17 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe [2009-01-19 10:51:44 | 000,000,138 | ---- | C] () -- C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\fusioncache.dat [2008-02-07 11:30:28 | 000,247,560 | ---- | C] () -- C:\WINDOWS\System32\prgiso.dll [2008-02-07 11:30:27 | 004,244,744 | ---- | C] () -- C:\WINDOWS\System32\qtp-mt334.dll [2008-02-07 11:30:26 | 000,013,576 | ---- | C] () -- C:\WINDOWS\System32\wnaspi32.dll [2008-01-22 12:27:42 | 000,221,252 | ---- | C] () -- C:\WINDOWS\System32\maskDll.dll [2008-01-22 12:27:42 | 000,200,776 | ---- | C] () -- C:\WINDOWS\System32\unMaskDLL.dll [2007-11-22 09:21:54 | 000,009,728 | ---- | C] () -- C:\WINDOWS\System32\BASSMOD.dll [2007-11-08 11:06:33 | 000,007,424 | R--- | C] () -- C:\WINDOWS\System32\drivers\MMIOPORT.SYS [2007-11-07 14:20:52 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\11 [2007-11-07 10:16:13 | 000,006,272 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASLM75.SYS [2007-10-23 15:56:55 | 000,000,123 | ---- | C] () -- C:\WINDOWS\Pegasus_usb_flash.ini [2007-10-09 15:27:34 | 000,000,061 | ---- | C] () -- C:\WINDOWS\System32\.sys [2007-07-31 15:26:13 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini [2007-07-31 15:26:12 | 000,004,608 | ---- | C] () -- C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2007-07-12 11:44:42 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\Administrator\PUTTY.RND [2007-07-12 09:26:02 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\PUTTY.RND [2007-07-05 13:48:08 | 000,765,952 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll [2007-07-05 13:48:07 | 000,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll [2007-06-06 08:42:54 | 000,002,528 | ---- | C] () -- C:\Documents and Settings\Administrator\Dane aplikacji\$_hpcst$.hpc [2007-06-05 10:18:20 | 000,000,656 | ---- | C] () -- C:\WINDOWS\wcx_ftp.ini [2007-06-05 08:43:08 | 000,000,176 | ---- | C] () -- C:\WINDOWS\wininit.ini [2007-06-05 08:26:21 | 000,007,134 | ---- | C] () -- C:\WINDOWS\wincmd.ini [2007-05-17 16:28:38 | 000,000,048 | ---- | C] () -- C:\WINDOWS\scmate.ini [2006-11-29 15:49:36 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI [2006-08-30 11:01:19 | 000,000,191 | ---- | C] () -- C:\Documents and Settings\Administrator\00D5A4F0_kds.xml [2006-08-28 14:46:07 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\02403BF8_kds.xml [2006-08-25 15:00:06 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\00D5F118_kds.xml [2006-08-24 11:52:42 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\00CDD1F8_kds.xml [2006-08-24 08:52:28 | 000,000,191 | ---- | C] () -- C:\Documents and Settings\Administrator\02418C30_kds.xml [2006-08-22 15:07:16 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\00CD7F68_kds.xml [2006-08-22 11:57:17 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\00D5B378_kds.xml [2006-08-22 08:56:54 | 000,000,191 | ---- | C] () -- C:\Documents and Settings\Administrator\00B8B368_kds.xml [2006-08-14 14:57:52 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\00D5D978_kds.xml [2006-08-14 11:57:23 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\00D5B640_kds.xml [2006-08-08 13:25:02 | 000,000,014 | ---- | C] () -- C:\Documents and Settings\Administrator\getfile.dat [2006-08-03 08:57:02 | 000,000,191 | ---- | C] () -- C:\Documents and Settings\Administrator\00D5B4B8_kds.xml [2006-07-27 14:53:02 | 000,000,191 | ---- | C] () -- C:\Documents and Settings\Administrator\00CDD3F8_kds.xml [2006-07-21 09:11:29 | 000,000,191 | ---- | C] () -- C:\Documents and Settings\Administrator\02404D70_kds.xml [2006-07-19 08:54:18 | 000,000,191 | ---- | C] () -- C:\Documents and Settings\Administrator\00D5C388_kds.xml [2006-07-14 08:43:39 | 000,000,191 | ---- | C] () -- C:\Documents and Settings\Administrator\00D5C688_kds.xml [2006-07-13 18:39:41 | 000,000,191 | ---- | C] () -- C:\Documents and Settings\Administrator\00CDD488_kds.xml [2006-07-12 18:15:52 | 000,000,191 | ---- | C] () -- C:\Documents and Settings\Administrator\00D5A820_kds.xml [2006-07-10 09:05:34 | 000,000,191 | ---- | C] () -- C:\Documents and Settings\Administrator\00D5D558_kds.xml [2006-07-06 14:57:59 | 000,000,191 | ---- | C] () -- C:\Documents and Settings\Administrator\00D5CEE0_kds.xml [2006-07-06 08:57:20 | 000,000,191 | ---- | C] () -- C:\Documents and Settings\Administrator\00D5EED0_kds.xml [2006-07-03 09:01:19 | 000,000,191 | ---- | C] () -- C:\Documents and Settings\Administrator\00D5A150_kds.xml [2006-06-30 12:38:58 | 000,000,191 | ---- | C] () -- C:\Documents and Settings\Administrator\00D5FDC8_kds.xml [2006-06-26 16:17:52 | 000,000,191 | ---- | C] () -- C:\Documents and Settings\Administrator\025201A0_kds.xml [2006-06-23 09:03:40 | 000,000,191 | ---- | C] () -- C:\Documents and Settings\Administrator\00D57A10_kds.xml [2006-06-22 08:58:07 | 000,000,191 | ---- | C] () -- C:\Documents and Settings\Administrator\00CFEB10_kds.xml [2006-06-19 12:00:45 | 000,000,191 | ---- | C] () -- C:\Documents and Settings\Administrator\00D5ED10_kds.xml [2006-06-09 16:17:13 | 000,000,020 | ---- | C] () -- C:\WINDOWS\naglos.INI [2006-06-09 15:07:07 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\00D5B3A0_kds.xml [2006-06-09 09:05:53 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\00B23E40_kds.xml [2006-06-08 16:26:45 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\00D58BA0_kds.xml [2006-06-07 15:23:13 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\02826638_kds.xml [2006-06-07 12:13:16 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\00D57DB8_kds.xml [2006-06-06 12:08:10 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\00CDE470_kds.xml [2006-06-06 09:07:35 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\00D5C6D0_kds.xml [2006-06-05 15:14:46 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\00D5B458_kds.xml [2006-06-01 15:17:59 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\00D5C9F0_kds.xml [2006-05-31 12:06:52 | 000,000,191 | ---- | C] () -- C:\Documents and Settings\Administrator\00D5B618_kds.xml [2006-05-30 12:28:06 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\00D5F7B8_kds.xml [2006-05-29 12:19:54 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\00CD7E30_kds.xml [2006-05-29 09:09:57 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\02402BD8_kds.xml [2006-05-26 12:07:14 | 000,000,191 | ---- | C] () -- C:\Documents and Settings\Administrator\00D5F5F0_kds.xml [2006-05-25 15:09:36 | 000,000,191 | ---- | C] () -- C:\Documents and Settings\Administrator\00D5EAE0_kds.xml [2006-05-25 09:08:46 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\02400048_kds.xml [2006-05-23 08:50:05 | 000,000,191 | ---- | C] () -- C:\Documents and Settings\Administrator\00D5CAF8_kds.xml [2006-05-22 15:30:46 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\00D5E580_kds.xml [2006-05-22 09:30:10 | 000,000,191 | ---- | C] () -- C:\Documents and Settings\Administrator\00D56588_kds.xml [2006-05-19 15:08:36 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\025865C8_kds.xml [2006-05-16 12:22:20 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\02405B28_kds.xml [2006-05-16 09:12:27 | 000,000,191 | ---- | C] () -- C:\Documents and Settings\Administrator\00D59E08_kds.xml [2006-05-09 12:09:37 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\00D54AC8_kds.xml [2006-05-08 12:10:06 | 000,000,191 | ---- | C] () -- C:\Documents and Settings\Administrator\00D5B3D0_kds.xml [2006-05-08 09:09:33 | 000,004,123 | ---- | C] () -- C:\Documents and Settings\Administrator\x_dtrace_log [2006-04-11 12:30:12 | 000,001,423 | ---- | C] () -- C:\WINDOWS\pr.ini [2006-02-14 12:47:59 | 000,000,008 | RHS- | C] () -- C:\Documents and Settings\All Users\ntuser.pol [2006-02-09 11:41:03 | 000,262,144 | ---- | C] () -- C:\Documents and Settings\All Users\ntuser.dat [2006-02-09 11:41:03 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\All Users\ntuser.dat.LOG [2006-02-09 10:46:54 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\Administrator\ntuser.dat.LOG [2006-02-09 10:46:54 | 000,000,188 | -HS- | C] () -- C:\Documents and Settings\Administrator\ntuser.ini [2006-02-09 10:46:53 | 004,718,592 | -H-- | C] () -- C:\Documents and Settings\Administrator\NTUSER.DAT [2006-02-09 10:44:33 | 000,012,288 | R--- | C] () -- C:\WINDOWS\System32\e100bmsg.dll [2006-02-09 10:43:32 | 000,000,044 | ---- | C] () -- C:\WINDOWS\System32\msssc.dll [2006-02-09 10:41:37 | 000,002,258 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini [2006-02-09 10:41:36 | 000,005,824 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS [2004-08-04 14:00:00 | 000,100,352 | ---- | C] () -- C:\WINDOWS\System32\msn38817.dll [color=#E56717]========== LOP Check ==========[/color] [2007-11-07 12:20:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Dane aplikacji\Acronis [2007-06-29 10:44:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Dane aplikacji\Advanced Time Synchronizer [2010-04-13 08:05:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Dane aplikacji\Auslogics [2007-10-24 14:04:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Dane aplikacji\Blueberry [2009-05-11 12:29:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Dane aplikacji\Bullzip [2010-01-26 11:04:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Dane aplikacji\Cream Software [2009-12-15 10:13:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Dane aplikacji\FileZilla [2008-10-07 12:56:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Dane aplikacji\GetRightToGo [2008-04-04 13:16:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Dane aplikacji\IEPro [2008-11-03 13:56:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Dane aplikacji\ImgBurn [2007-07-09 10:39:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Dane aplikacji\InfraRecorder [2007-09-17 09:10:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Dane aplikacji\KompoZer [2008-04-29 08:57:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Dane aplikacji\MiniDm [2010-04-19 11:01:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Dane aplikacji\OpenOffice.ux.pl2 [2008-01-15 13:00:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Dane aplikacji\PrevxCSI [2007-08-14 15:41:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Dane aplikacji\SOTI [2007-07-11 12:10:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Dane aplikacji\Subversion [2008-04-04 14:43:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Dane aplikacji\The Bat! [2010-02-11 09:49:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Dane aplikacji\Thunderbird [2010-03-24 11:13:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Dane aplikacji\uTorrent [2007-11-07 12:17:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Dane aplikacji\Acronis [2007-10-24 14:03:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Dane aplikacji\Blueberry [2010-04-13 08:14:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Dane aplikacji\ESET [2007-12-14 13:12:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Dane aplikacji\Prevx [2009-08-06 07:08:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Dane aplikacji\TEMP [color=#E56717]========== Purity Check ==========[/color] [color=#E56717]========== Alternate Data Streams ==========[/color] @Alternate Data Stream - 96 bytes -> C:\Documents and Settings\All Users\Dane aplikacji\TEMP:D3A1BA7A @Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users\Dane aplikacji\TEMP:D1B5B4F1 < End of report >

Malwarebytes Anti-Malware nic nie znalazł.

**Posty:** 18165 · przez **wojtas** 19 Kwi 2010, 20:49

skasuj te pliki do kosza i będzie ok :

C:\WINDOWS\PEV.exe
[2010-04-12 12:24:17 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010-04-12 12:24:17 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010-04-12 12:24:17 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010-04-12 12:24:17 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
C:\mbr.exe
[2010-04-12 12:24:17 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010-04-12 12:24:17 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010-04-12 12:24:17 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010-04-12 12:24:17 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010-04-12 12:24:06 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010-04-12 12:23:57 | 000,000,000 | ---D | C] -- C:\Qoobox

Kto jest na forum