Nie mogę pozbyć się tego wirusa.

**Posty:** 198 · przez **wilczy** 11 Mar 2009, 21:17

Win32:Kavos

Win32:Kavos is a stealing trojan horse
Summary
Type Virus/Worm
Aliases Packed.Win32.Krap.b, Packer.Malware.NSAnti
Platform Windows
Known locations *:\, %WINDIR%\system32
Description:

Win32:Kavos is a trojan horse intended to steal on-line game passwords etc. It comes along with the rootkit klif.sys (notice the similarity to the name used by the Kaspersky driver). Once infected, Kavos drops itself into the root folder of all drives (under randomly generated names) and adds an autorun.inf to ensure the loading of the malicious files. It simultaneously creates some libraries in the \system32 folder with names such as kavo0.dll, amvo0.dll etc. Older variants of this malware are detected as Win32:Oliga, Win32:Monga and Win32:Gamona

**Posty:** 1903 · przez **MichuPower** 11 Mar 2009, 21:34

to wrzucaj logi z hijacka i combofixa

**Posty:** 198 · przez **wilczy** 17 Mar 2009, 15:47

Kod: Zaznacz wszystko: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 14:37:11, on 2009-03-17 Platform: Windows XP Dodatek SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16791) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe C:\WINDOWS\system32\igfxtray.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxpers.exe C:\Program Files\Analog Devices\Core\smax4pnp.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\WINDOWS\system32\igfxsrvc.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Gadu-Gadu\gg.exe C:\Program Files\T-Online\WLAN-Access Finder\ToWLaAcF.exe C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe C:\Program Files\T-Online\T-Online_Software_6\Info-Cockpit\INFOCOCKPIT.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Marmiko Shared\MWLaMaS.exe C:\WINDOWS\system32\agrsmsvc.exe C:\Program Files\ICQ6Toolbar\ICQ Service.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Common Files\Marmiko Shared\MZCCntrl.exe C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\PC Connectivity Solution\ServiceLayer.exe C:\WINDOWS\system32\wbem\wmiapsrv.exe C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.icq.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza R3 - URLSearchHook: (no name) - - (no file) R3 - URLSearchHook: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.8.7.dll O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll O2 - BHO: PDFCreator Toolbar Helper - {C451C08A-EC37-45DF-AAAD-18B51AB5E837} - C:\Program Files\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O3 - Toolbar: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll O3 - Toolbar: PDFCreator Toolbar - {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - C:\Program Files\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized O4 - HKCU\..\Run: [WebCallDirect] "C:\Program Files\WebCallDirect.com\WebCallDirect\WebCallDirect.exe" -nosplash -minimized O4 - HKCU\..\Run: [ALLUpdate] "C:\Program Files\ALLPlayer\ALLUpdate.exe" "sleep" O4 - HKCU\..\Run: [InfoCockpit] C:\Program Files\T-Online\T-Online_Software_6\Info-Cockpit\IC_START.EXE /nosplash O4 - HKCU\..\Run: [T-Online_Software_6\WLAN-Access Finder] C:\Program Files\T-Online\WLAN-Access Finder\ToWLaAcF.exe /StartMinimized O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray O4 - HKCU\..\Run: [Prec] C:\Program Files\Prec\PrecStarter.exe O4 - HKCU\..\Run: [ICQ] "C:\Program Files\ICQ6.5\ICQ.exe" silent O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA') O4 - HKUS\S-1-5-19\..\Run: [InfoCockpit] C:\Program Files\T-Online\T-Online_Software_6\Info-Cockpit\IC_START.EXE /nosplash (User 'USŁUGA LOKALNA') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - Global Startup: CesarFTP.lnk = C:\Program Files\CesarFTP\CesarFTP.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200 O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.8.7.dll/206 (file missing) O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {92ECE6FA-AC2E-4042-BFAE-0C8608E52A43} (SignActivX Control) - https://www.bph.pl/pi/components/SignActivX.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{AE5DF1EA-E152-4AA2-84F6-A82819166A9D}: NameServer = 62.179.1.62,192.168.0.1 O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe O23 - Service: ICQ Service - Unknown owner - C:\Program Files\ICQ6Toolbar\ICQ Service.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: T-Online WLAN Adapter Steuerungsdienst (MZCCntrl) - Deutsche Telekom AG, Marmiko IT-Solutions GmbH - C:\Program Files\Common Files\Marmiko Shared\MZCCntrl.exe O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe -- End of file - 10142 bytes

Kod: Zaznacz wszystko: ComboFix 09-03-15.01 - Sławek 2009-03-17 14:42:47.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.3.1250.1.1045.18.1015.428 [GMT 1:00] Uruchomiony z: c:\documents and settings\Sławek\Pulpit\FIREFOX\ComboFix.exe AV: avast! antivirus 4.8.1335 [VPS 090316-0] *On-access scanning enabled* (Updated) * Utworzono nowy punkt przywracania . ((((((((((((((((((((((((((((((((((((((( Usunięto ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\2.bat C:\Autorun.inf C:\dbrxubcw.com c:\documents and settings\All Users.WINDOWS\Dane aplikacji\1doc2pdf.dll c:\program files\myglobalsearch c:\program files\myglobalsearch\bar\History\search . ((((((((((((((((((((((((( Pliki utworzone od 2009-02-17 do 2009-03-17 ))))))))))))))))))))))))))))))) . 2009-03-17 14:36 . 2009-03-17 14:36 <DIR> d-------- c:\program files\Trend Micro 2009-03-13 23:14 . 2009-03-13 23:14 118 --a------ c:\windows\system32\MRT.INI 2009-03-13 23:11 . 2008-04-14 18:20 221,184 --a------ c:\windows\system32\wmpns.dll 2009-03-07 15:28 . 2009-03-07 15:30 <DIR> d-------- c:\windows\system32\XPSViewer 2009-03-07 15:28 . 2009-03-07 15:28 <DIR> d-------- c:\program files\Reference Assemblies 2009-03-07 15:28 . 2009-03-07 15:28 <DIR> d-------- c:\program files\MSBuild 2009-03-07 15:27 . 2006-06-29 13:07 14,048 --------- c:\windows\system32\spmsg2.dll 2009-03-07 15:05 . 2009-03-07 16:46 <DIR> d-------- c:\program files\Prec 2009-03-03 13:41 . 2009-03-03 13:41 <DIR> d--hs---- c:\windows\ftpcache 2009-03-03 13:40 . 2009-03-03 13:40 <DIR> d-------- c:\program files\Longman 2009-03-02 12:47 . 2009-03-02 12:47 <DIR> d-------- c:\program files\Tibia 2009-03-02 12:47 . 2009-03-02 12:48 <DIR> d-------- c:\documents and settings\Sławek\Dane aplikacji\Tibia 2009-02-28 10:09 . 2009-02-28 10:09 <DIR> d-------- c:\program files\TibiaBot NG 2009-02-28 10:09 . 2009-02-28 10:09 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Dane aplikacji\TEMP 2009-02-23 00:05 . 2009-02-23 00:06 <DIR> d-------- c:\program files\CesarFTP 2009-02-20 18:13 . 2008-04-13 20:45 26,112 --a------ c:\windows\system32\drivers\usbser.sys 2009-02-20 18:12 . 2008-03-21 13:57 14,640 --------- c:\windows\system32\spmsgXP_2k3.dll 2009-02-20 18:12 . 2009-02-20 18:12 0 --ah----- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf 2009-02-20 18:12 . 2009-02-20 18:12 0 --ah----- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf 2009-02-20 18:11 . 2009-02-20 18:13 <DIR> d-------- c:\documents and settings\Sławek\Dane aplikacji\PC Suite 2009-02-20 18:11 . 2009-02-20 18:13 <DIR> d-------- c:\documents and settings\Sławek\Dane aplikacji\Nokia 2009-02-20 18:11 . 2009-02-20 18:13 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Dane aplikacji\PC Suite 2009-02-20 18:09 . 2009-02-20 18:09 <DIR> d-------- c:\program files\PC Connectivity Solution 2009-02-20 18:09 . 2009-02-20 18:10 <DIR> d-------- c:\program files\Nokia 2009-02-20 18:09 . 2009-02-20 18:09 <DIR> d-------- c:\program files\DIFX 2009-02-20 18:09 . 2008-09-15 07:29 1,112,288 --a------ c:\windows\system32\wdfcoinstaller01007.dll 2009-02-20 18:09 . 2008-09-15 07:56 659,968 --a------ c:\windows\system32\nmwcdcocls.dll 2009-02-20 18:09 . 2008-09-15 07:56 91,136 --a------ c:\windows\system32\nmwcdcls.dll 2009-02-20 18:09 . 2008-09-15 07:56 22,016 --a------ c:\windows\system32\drivers\ccdcmbo.sys 2009-02-20 18:09 . 2008-08-26 09:26 18,816 --a------ c:\windows\system32\drivers\pccsmcfd.sys 2009-02-20 18:09 . 2008-09-15 07:56 17,664 --a------ c:\windows\system32\drivers\ccdcmb.sys 2009-02-20 18:09 . 2008-09-15 07:56 8,064 --a------ c:\windows\system32\drivers\usbser_lowerfltj.sys 2009-02-20 18:09 . 2008-09-15 07:56 8,064 --a------ c:\windows\system32\drivers\usbser_lowerflt.sys 2009-02-20 18:08 . 2009-02-20 18:08 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Dane aplikacji\Installations . (((((((((((((((((((((((((((((((((((((((( Sekcja Find3M )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-03-17 13:27 --------- d-----w c:\documents and settings\Sławek\Dane aplikacji\Skype 2009-03-17 13:26 --------- d-----w c:\documents and settings\Sławek\Dane aplikacji\skypePM 2009-03-16 22:43 --------- d-----w c:\program files\ICQ6.5 2009-03-11 22:21 --------- d-----w c:\documents and settings\Sławek\Dane aplikacji\uTorrent 2009-02-20 17:10 --------- d-----w c:\program files\Common Files\Nokia 2009-02-18 22:20 --------- d-----w c:\program files\NAPI-PROJEKT 2009-02-14 11:23 --------- d-----w c:\program files\Gadu-Gadu 2009-02-13 14:39 --------- d-----w c:\program files\Western Digital Technologies 2009-02-10 12:12 --------- d-----w c:\program files\Entertainment 2009-02-09 14:07 1,847,040 ----a-w c:\windows\system32\win32k.sys 2009-02-07 21:23 --------- d-----w c:\documents and settings\Sławek\Dane aplikacji\TransEngPol4 2009-02-07 19:15 --------- d--h--w c:\program files\InstallShield Installation Information 2009-02-07 19:14 --------- d-----w c:\program files\Total Video Converter 2009-02-07 19:12 --------- d-----w c:\program files\Common Files\LogiShrd 2009-02-07 19:12 --------- d-----w c:\documents and settings\All Users.WINDOWS\Dane aplikacji\Logishrd 2009-02-07 19:11 --------- d-----w c:\program files\Google 2009-01-05 22:33 3,751,995 ----a-w c:\windows\system32\GPhotos.scr 2009-01-05 19:39 253,139 ----a-w c:\windows\PDFCreator_Toolbar_Uninstaller_390.exe 2008-12-20 23:03 826,368 ----a-w c:\windows\system32\wininet.dll 2008-11-11 19:07 81,920 ----a-w c:\documents and settings\Sławek\Dane aplikacji\ezpinst.exe 2008-11-11 19:07 47,360 ----a-w c:\documents and settings\Sławek\Dane aplikacji\pcouffin.sys . ((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360] "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232] "Gadu-Gadu"="c:\program files\Gadu-Gadu\gg.exe" [2008-03-20 2127296] "Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-09-29 21755688] "WebCallDirect"="c:\program files\WebCallDirect.com\WebCallDirect\WebCallDirect.exe" [2008-10-08 9118008] "ALLUpdate"="c:\program files\ALLPlayer\ALLUpdate.exe" [2008-11-24 869888] "InfoCockpit"="c:\program files\T-Online\T-Online_Software_6\Info-Cockpit\IC_START.EXE" [2007-07-30 176128] "T-Online_Software_6\WLAN-Access Finder"="c:\program files\T-Online\WLAN-Access Finder\ToWLaAcF.exe" [2008-04-08 671796] "PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2008-12-03 1205760] "ICQ"="c:\program files\ICQ6.5\ICQ.exe" [2009-03-01 172792] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-11-20 488752] "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-14 141848] "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-14 166424] "Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-14 137752] "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792] "avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000] "BearShare"="c:\program files\BearShare\BearShare.exe" [2006-08-01 3313664] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360] "InfoCockpit"="c:\program files\T-Online\T-Online_Software_6\Info-Cockpit\IC_START.EXE" [2007-07-30 176128] c:\documents and settings\All Users.WINDOWS\Menu Start\Programy\Autostart\ CesarFTP.lnk - c:\program files\CesarFTP\CesarFTP.exe [2002-12-01 291328] Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys] @="Driver" [HKLM\~\startupfolder\C:^Documents and Settings^Sławek^Menu Start^Programy^Autostart^OpenOffice.org 3.0.lnk] path=c:\documents and settings\Sławek\Menu Start\Programy\Autostart\OpenOffice.org 3.0.lnk backup=c:\windows\pss\OpenOffice.org 3.0.lnkStartup [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Gadu-Gadu\\gg.exe"= "c:\\Program Files\\WebCallDirect.com\\WebCallDirect\\WebCallDirect.exe"= "c:\\Program Files\\BitComet\\BitComet.exe"= "c:\\Program Files\\uTorrent\\uTorrent.exe"= "c:\\Program Files\\ICQ6.5\\ICQ.exe"= "c:\\Program Files\\Skype\\Phone\\Skype.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "21373:TCP"= 21373:TCP:BitComet 21373 TCP "21373:UDP"= 21373:UDP:BitComet 21373 UDP "18002:TCP"= 18002:TCP:BitComet 18002 TCP "18002:UDP"= 18002:UDP:BitComet 18002 UDP R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-11-25 114768] R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-11-25 20560] R2 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [2008-12-25 222456] R2 MZCCntrl;T-Online WLAN Adapter Steuerungsdienst;c:\program files\Common Files\Marmiko Shared\MZCCntrl.exe [2008-12-25 61440] R3 MACNDIS5;MACNDIS5 NDIS Protocol Driver;c:\progra~1\COMMON~1\MARMIK~1\MACNDIS5.SYS [2008-12-25 17280] S3 MIINPazX;MIINPazX NDIS Protocol Driver;c:\progra~1\COMMON~1\MARMIK~1\MInfraIS\MIINPazX.SYS [2008-12-25 17152] S3 MTOnlPktAlyX;MTOnlPktAlyX NDIS Protocol Driver;c:\progra~1\T-Online\T-ONLI~1\BASIS-~1\Basis1\MTOnlPktAlyX.SYS [2008-12-25 17536] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] tapisrv REG_MULTI_SZ Tapisrv [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2ee8b9e1-f88e-11dd-977d-0017084a902d}] \Shell\AutoRun\command - E:\i.com \Shell\open\Command - E:\i.com . - - - - USUNIĘTO PUSTE WPISY - - - - HKCU-Run-Prec - c:\program files\Prec\PrecStarter.exe MSConfigStartUp-egui - c:\program files\ESET\ESET NOD32 Antivirus\egui.exe MSConfigStartUp-Picasa Media Detector - c:\program files\Picasa2\PicasaMediaDetector.exe . ------- Skan uzupełniający ------- . uStart Page = hxxp://start.icq.com/ IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200 TCP: {AE5DF1EA-E152-4AA2-84F6-A82819166A9D} = 62.179.1.62,192.168.0.1 DPF: {92ECE6FA-AC2E-4042-BFAE-0C8608E52A43} - hxxps://www.bph.pl/pi/components/SignActivX.cab FF - ProfilePath - c:\documents and settings\Sławek\Dane aplikacji\Mozilla\Firefox\Profiles\oih36294.default\ FF - prefs.js: browser.search.selectedEngine - ICQ Search FF - prefs.js: browser.startup.homepage - hxxp://google.pl FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&q= FF - component: c:\program files\Nokia\Nokia PC Suite 7\bkmrksync\components\BkMrkExt.dll FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npganymedenet.dll . ************************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-03-17 14:44:31 Windows 5.1.2600 Dodatek Service Pack 3 NTFS skanowanie ukrytych procesów ... skanowanie ukrytych wpisów autostartu ... skanowanie ukrytych plików ... skanowanie pomyślnie ukończone ukryte pliki: 0 ************************************************************************** . --------------------- Pliki DLL ładowane pod uruchomionymi procesami --------------------- - - - - - - - > 'winlogon.exe'(948) c:\windows\system32\igfxdev.dll . Czas ukończenia: 2009-03-17 14:46:06 ComboFix-quarantined-files.txt 2009-03-17 13:45:49 Przed: 3 643 777 024 bajtów wolnych Po: 8,646,680,576 bajtów wolnych WindowsXP-KB310994-SP2-Pro-BootDisk-PLK.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect 190 --- E O F --- 2009-03-13 22:14:33

**Posty:** 18165 · przez **wojtas** 17 Mar 2009, 20:17

wklej do notatnika

Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2ee8b9e1-f88e-11dd-977d-0017084a902d}]

w notatniku u góry>>>plik zapisz jako>>>Zmien rozszerzenie z TXT na Wszystkie pliki *.* >>> Zapisz pod nazwą FIX.REG

Klikasz dwa razy na powstały plik fix i dodajesz go do rejestru....

1. Ściągnij OTMoveIt i go włacz i odpal go z opcji CleanUp

oraz skasuj folder C:\Qoobox
2. wykonaj optymalizację windowsa
3.sciagnij ATF_Cleaner
zaznacz
Windows Temp
All users Temp
Temporary internet files
Recycle Bin
i wcisnij EMPTY SELECTED
4.Wyłącz przywracanie systemu ( właściwości mój komputer-zakładka przywracanie - wyłącz przywracanie na wszystkich dyskach). Po chwili włącz je powrotem
5. Wykonaj skan Dr. Web CureIt
6. Przeskanuj obszar mojego komputera http://www.kaspersky.pl/virusscanner.html (uruchom przez IE) Daj raport z niego na forum.

i tym:

FixIEDef.