nie można otworzyć programów exe

[@Marcin]

Mam problem w laptopie, nie mogę otworzyć programów z rozszerzeniem exe, ani regedit ani msconfig się nie chcą otworzyć, hijackthis też nawet w .com i nie wiem co teraz z tym zrobić

[Okocza]

podaj loga z hijacka i sillent runners.

[@Marcin]

okocza napisałem, że hijackthis nie odpala się, nawet w rozszerzeniu .com

[Okocza]

antywirus jakiś działa jak uruchamiasz w awaryjnym też nie odpala

[@Marcin]

nie odpali sie bo jest w rozsz. exe, w awaryjnym jest to samo

[Okocza]

skoro exe nie działa to spróbuj vbs

http://www.silentrunners.org/Silent%20Runners.vbs

jeśli to nie zadziała to nie mam pojęcia już

[@Marcin]

poszło

Kod: Zaznacz wszystko

"Silent Runners.vbs", revision 56, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k"

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"
                                        \StubPath   = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "AcroIEHlprObj Class"
                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Spybot-S&D IE Protection"
                   \InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
                   \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band"
  -> {HKLM...CLSID} = "History Band"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
  -> {HKLM...CLSID} = "avast"
                   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
"{1F77B17B-F531-44DB-ACA4-76ABB5010A28}" = "AIMP2: Shell Extention"
  -> {HKLM...CLSID} = "AIMP2: Shell Extention"
                   \InProcServer32\(Default) = "C:\PROGRA~1\AIMP2\System\AIMP_S~1.DLL" ["AIMP DevTeam"]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
AIMPClassic\(Default) = "{1F77B17B-F531-44DB-ACA4-76ABB5010A28}"
  -> {HKLM...CLSID} = "AIMP2: Shell Extention"
                   \InProcServer32\(Default) = "C:\PROGRA~1\AIMP2\System\AIMP_S~1.DLL" ["AIMP DevTeam"]
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
  -> {HKLM...CLSID} = "avast"
                   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
AIMPClassic\(Default) = "{1F77B17B-F531-44DB-ACA4-76ABB5010A28}"
  -> {HKLM...CLSID} = "AIMP2: Shell Extention"
                   \InProcServer32\(Default) = "C:\PROGRA~1\AIMP2\System\AIMP_S~1.DLL" ["AIMP DevTeam"]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
  -> {HKLM...CLSID} = "avast"
                   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "%APPDATA%\Mozilla\Firefox\Tapeta pulpitu.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Administrator\Dane aplikacji\Mozilla\Firefox\Tapeta pulpitu.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\logon.scr" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}\
"MenuText" = "Spybot - Search & Destroy Configuration"
"CLSIDExtension" = "{53707962-6F74-2D53-2644-206D7942484F}"
  -> {HKLM...CLSID} = "Spybot-S&D IE Protection"
                   \InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" ["ALWIL Software"]
avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" ["ALWIL Software"]
avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]
avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
SoundMAX Agent Service, SoundMAX Agent Service (default), "C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe" ["Analog Devices, Inc."]
Sunbelt Kerio Personal Firewall 4, KPF4, ""C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe"" ["Sunbelt Software"]
WLTRYSVC, WLTRYSVC, "C:\WINDOWS\System32\wltrysvc.exe C:\WINDOWS\System32\bcmwltry.exe" [null data]


---------- (launch time: 2008-03-28 22:05:46)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
  DLL launch points, use the -supp parameter or answer "No" at the
  first message box and "Yes" at the second message box.
---------- (total run time: 38 seconds, including 6 seconds for message boxes)


[wojtas]

sciagnij:

http://s008.wyslijto.pl/?file_id=00432310657851644398

i odpal i reset kompa i sprobuj dac logi

Uwaga: Jeśli rozszerzenie EXE jest uszkodzone może być trudność z importem plików REG i otwieraniem edytora REGEDIT. Obejście to: wywołać Menedżer zadań przez ALT+CTRL+DEL. Menu File / Plik i przytrzymując wciśnięty klawisz CTRL wybrać opcję New Task / Nowe zadanie. To automatycznie wywoła linię komend Windows, w której wpisać REGEDIT.EXE i z palca w ENTER. Otworzy się edytor rejestru, w którym z menu File / Plik wybrać opcję Importu wskazując konkretne pliki *.REG.

zrodło:

www.searchengines.pl

[@Marcin]

wojtas rozszerzenie reg też nie działa.

zobacz czy mozesz uruchomić services.msc

mogę

[wojtas]

Ściągnij i zainstaluj UnHookExec.inf (po ściągnięciu prawym na plik, wybierasz opcję "zainstaluj")
http://securityresponse.symantec.com/avcenter/UnHookExec.inf
(PPM na link i zapisz na dysk i odpal)
potem reset i sprobuj dac nowe logi

[@Marcin]

Kod: Zaznacz wszystko

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: Polish

CPU 0: Intel(R) Pentium(R) 4 CPU 3.00GHz
CPU 1: Intel(R) Pentium(R) 4 CPU 3.00GHz
Percentage of Memory in Use: 64%
Physical Memory (total/avail): 382.98 MiB / 137.13 MiB
Pagefile Memory (total/avail): 921.4 MiB / 682.84 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1921.77 MiB

C: is Fixed (NTFS) - 14.65 GiB total, 9.19 GiB free.
D: is Fixed (NTFS) - 41.24 GiB total, 25.5 GiB free.
E: is CDROM (Unformatted)
F: is Removable (FAT32)

\\.\PHYSICALDRIVE0 - TOSHIBA MK6025GAS - 55.89 GiB - 2 partitions
  \PARTITION0 (bootable) - Instalowalny system plików - 14.65 GiB - C:
  \PARTITION1 - Rozszerzona z rozszerzonym przerwaniem 13 - 41.24 GiB - D:

\\.\PHYSICALDRIVE1 - Kingston DataTraveler 2.0 USB Device - 3.84 GiB - 1 partition
  \PARTITION0 (bootable) - Unknown - 3.84 GiB - F:



-- Security Center -------------------------------------------------------------



-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Administrator\Dane aplikacji
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=KOMPUTER
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Administrator
LOGONSERVER=\\KOMPUTER
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 3 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0304
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp
TMP=C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp
USERDOMAIN=KOMPUTER
USERNAME=Administrator
USERPROFILE=C:\Documents and Settings\Administrator
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Administrator [i](admin)[/i]


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware SE Professional --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 6.0 CE --> MsiExec.exe /I{AC76BA86-7AD7-1038-7646-CE0000000001}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Agere Systems AC'97 Modem --> agrsmdel
AIMP2 --> C:\Program Files\AIMP2\UnInstall.exe
Aktualizacja dla systemu Windows XP (KB916595) -->
Aktualizacja dla systemu Windows XP (KB922120) -->
Aktualizacja dla systemu Windows XP (KB931836) -->
Aktualizacja zabezpieczeń dla Windows XP (KB923689) -->
ALLPlayer V3.X --> "C:\Program Files\MarBit\ALLPlayer\unins000.exe"
Ares 2.0.9 --> "C:\Program Files\Ares\uninstall.exe"
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
AutoConnect v0.1.3.1 --> C:\Program Files\AutoConnect\uninst.exe
avast! Antivirus --> rundll32 C:\PROGRA~1\ALWILS~1\Avast4\Setup\setiface.dll,RunSetup
Broadcom 802.11 Control Panel --> C:\WINDOWS\system32\BCMWLU00.exe verbose /rootkey=Software\Broadcom\802.11_App\UninstallInfo
Broadcom 802.11 Driver --> C:\WINDOWS\system32\BCMWLU00.exe verbose /rootkey=Software\Broadcom\802.11\UninstallInfo
Brother MFL-Pro Suite --> "C:\Program Files\InstallShield Installation Information\{A3FEC306-FBFF-4B0D-95B9-F9C67C65079E}\Setup.exe"  -runfromtemp -l0x0015 Brunin03.dll -removeonly
BugOff 1.10 --> F:\AntyVir, Firewall, Fix\BugOff.exe /uninstall
Debugging Tools for Windows --> MsiExec.exe /I{5C741A01-05D6-4306-BA6A-DC8401285AE8}
DRUKI IPS --> "C:\Program Files\IPSPI\FORMUL.IPS\unins000.exe"
FaceFilter Studio Brother Edition --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F59205C8-E5FB-43F5-AAB2-16C1760D4F59}\Setup.exe" -l0x9  /uninstall
Gadu-Gadu 7.7 --> C:\Program Files\Gadu-Gadu\Setup.exe
K-Lite Codec Pack 3.5.7 Full --> "C:\Program Files\K-Lite Codec Pack\unins000.exe"
Microsoft Office XP Professional z programem FrontPage --> MsiExec.exe /I{90280415-6000-11D3-8CFE-0050048383C9}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Firefox (2.0.0.12) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Narzędzie Software Uninstall Utility firmy ATI --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
Nero Suite --> C:\Program Files\Common Files\Nero\Uninstall\setupx.exe /uninstall ExtraUninstallID=""
Odinstaluj SAGEM Wi-Fi 11g USB adapter (sterownik) --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E2AA331E-E10E-438C-B1C0-24B2FFD3D9C4}\setup.exe" -l0x15
PaperPort Image Printer --> MsiExec.exe /X{332CC6BF-E6C7-48EE-BA3D-435E576AD67F}
Picasa 2 --> "C:\Program Files\Picasa2\Uninstall.exe"
PITy 2007 dla Windows kompilacja:1.0.1.1 --> "C:\Program Files\PITy\PITY2007NG\unins000.exe"
Poprawka dla systemu Windows XP (KB918093) -->
QuickTime Alternative 1.81 --> "C:\Program Files\QuickTime Alternative\unins000.exe"
Real Alternative 1.51 Lite --> "C:\Program Files\Real Alternative\unins000.exe"
REALTEK Gigabit and Fast Ethernet NIC Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{94FB906A-CF42-4128-A509-D353026A607E}\Setup.exe" -l0x15 REMOVE
Region południowy, zachodni 2007 --> c:\Program Files\tp\RegionPZ2007\Usun.exe
SAGEM Wi-Fi 11g USB adapter (driver) --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7421E270-0140-4F62-AE39-ECB9F1C81B35}\setup.exe" -l0x15
ScanSoft PaperPort 11 --> MsiExec.exe /I{B6C89654-A6A2-477C-873B-724EC1C56407}
Skype™ 3.6 --> MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\Setup.exe"
SpeedTouch USB Software --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D41FAAA9-8048-4906-86B2-9AADEA1FA0B7}\Setup.exe"  /l0009 -Control_Panel
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Spybot - Search & Destroy 1.5.2.20 --> "C:\WINDOWS\unins000.exe"
Sunbelt Kerio Personal Firewall --> MsiExec.exe /X{A990EAA7-8941-4621-BC27-4F16261D3180}
The Sims 2 --> D:\Program Files\EA GAMES\The Sims 2\EAUninstall.exe
Total Commander (Remove or Repair) --> c:\totalcmd\tcuninst.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type930 / Error
Event Submitted/Written: 03/28/2008 07:17:41 PM
Event ID/Source: 2 / WLTRYSVC
Event Description:
SetServiceStatus() failed

Event Record #/Type837 / Error
Event Submitted/Written: 03/14/2008 01:03:54 PM
Event ID/Source: 2 / WLTRYSVC
Event Description:
SetServiceStatus() failed

Event Record #/Type814 / Error
Event Submitted/Written: 03/10/2008 02:20:56 PM
Event ID/Source: 2 / WLTRYSVC
Event Description:
SetServiceStatus() failed

Event Record #/Type810 / Error
Event Submitted/Written: 03/10/2008 08:25:26 AM
Event ID/Source: 2 / WLTRYSVC
Event Description:
SetServiceStatus() failed

Event Record #/Type779 / Error
Event Submitted/Written: 03/05/2008 09:21:38 AM
Event ID/Source: 2 / WLTRYSVC
Event Description:
SetServiceStatus() failed



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type9096 / Error
Event Submitted/Written: 03/28/2008 10:40:15 PM
Event ID/Source: 10005 / DCOM
Event Description:
Model DCOM odebrał błąd „%%1084” podczas próby uruchomienia usługi EventSystem z argumentami „”
w celu uruchomienia serwera:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type9095 / Error
Event Submitted/Written: 03/28/2008 10:36:05 PM
Event ID/Source: 10005 / DCOM
Event Description:
Model DCOM odebrał błąd „%%1084” podczas próby uruchomienia usługi StiSvc z argumentami „”
w celu uruchomienia serwera:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Event Record #/Type9094 / Error
Event Submitted/Written: 03/28/2008 10:32:02 PM
Event ID/Source: 10005 / DCOM
Event Description:
Model DCOM odebrał błąd „%%1084” podczas próby uruchomienia usługi StiSvc z argumentami „”
w celu uruchomienia serwera:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Event Record #/Type9093 / Error
Event Submitted/Written: 03/28/2008 10:28:59 PM
Event ID/Source: 10005 / DCOM
Event Description:
Model DCOM odebrał błąd „%%1084” podczas próby uruchomienia usługi StiSvc z argumentami „”
w celu uruchomienia serwera:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Event Record #/Type9092 / Error
Event Submitted/Written: 03/28/2008 10:26:18 PM
Event ID/Source: 10005 / DCOM
Event Description:
Model DCOM odebrał błąd „%%1084” podczas próby uruchomienia usługi StiSvc z argumentami „”
w celu uruchomienia serwera:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}



-- End of Deckard's System Scanner: finished at 2008-03-28 22:47:43 ------------

Kod: Zaznacz wszystko

Deckard's System Scanner v20071014.68
Run by Administrator on 2008-03-28 23:05:47
Computer is in Normal Mode.
--------------------------------------------------------------------------------

[color=red]Total Physical Memory: 383 MiB (512 MiB recommended).[/color]


-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:05:54, on 2008-03-28
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20583)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
F:\AntyVir, Firewall, Fix\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\ADMINI~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Marcin
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 5039 bytes

-- Files created between 2008-02-28 and 2008-03-28 -----------------------------

2008-03-28 22:59:34      3542 --a------ C:\Start_.cmd
2008-03-28 22:59:33         0 d-------- C:\327882R2FWJFW
2008-03-28 22:46:36         0 d-------- C:\Program Files\Trend Micro
2008-03-28 22:33:41      1596 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-28 22:32:29     25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-03-28 22:32:29    289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-03-28 22:32:29     86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-03-28 22:32:29     82432 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-03-28 22:32:29     51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-03-28 22:32:28    288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-03-28 22:32:28     53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-03-28 21:10:19         0 d-------- C:\WINDOWS\CSC
2008-03-11 06:07:45         0 d-------- C:\Program Files\IPSPI
2008-03-05 09:24:15         0 d-------- C:\Program Files\tp
2008-03-03 11:48:21         0 d-------- C:\Program Files\PITy
2008-03-02 18:03:39         0 d-------- C:\WINDOWS\system32\appmgmt


-- Find3M Report ---------------------------------------------------------------

2008-03-28 22:45:15    433500 --a------ C:\WINDOWS\system32\perfh015.dat
2008-03-28 22:45:15     65682 --a------ C:\WINDOWS\system32\perfc015.dat
2008-03-23 10:00:12         0 d-------- C:\Program Files\AutoConnect
2008-03-15 22:36:02         0 d-------- C:\Program Files\AIMP2
2008-03-02 18:03:36         0 d-------- C:\Program Files\Common Files
2008-03-02 18:02:44         0 d-------- C:\Program Files\IrfanView
2008-02-17 17:07:42         0 d-------- C:\Program Files\Picasa2
2008-02-17 17:07:32         0 d-------- C:\Program Files\Google
2008-02-17 16:08:46         0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Ahead
2008-02-17 16:07:40         0 d-------- C:\Program Files\Common Files\Nero
2008-02-17 16:04:28         0 d-------- C:\Program Files\Ahead
2008-02-17 16:03:50         0 d-------- C:\Program Files\Common Files\Ahead
2008-02-16 19:22:38         0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\AdobeUM
2008-02-16 19:02:08         0 dr------- C:\Documents and Settings\Administrator\Dane aplikacji\Brother
2008-02-16 19:00:51         0 d-------- C:\Program Files\Common Files\Adobe
2008-02-16 19:00:51         0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Adobe
2008-02-16 17:27:26         0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\ScanSoft
2008-02-16 00:43:21         0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Reallusion
2008-02-16 00:28:00         0 d-------- C:\Program Files\Brother
2008-02-16 00:27:26         0 d-------- C:\Program Files\Reallusion
2008-02-16 00:27:26         0 d--h----- C:\Program Files\InstallShield Installation Information
2008-02-16 00:15:01        50 --a------ C:\WINDOWS\system32\bridf07a.dat
2008-02-16 00:12:29         0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\InstallShield
2008-02-16 00:11:49         0 d-------- C:\Program Files\Nuance
2008-02-16 00:10:17         0 d-------- C:\Program Files\Common Files\ScanSoft Shared
2008-02-16 00:10:01         0 d-------- C:\Program Files\Common Files\InstallShield
2008-02-16 00:09:28         0 d-------- C:\Program Files\ScanSoft
2008-02-14 22:47:21         0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Skype
2008-02-14 22:45:45         0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\skypePM
2008-02-09 16:49:21      3453 --a------ C:\WINDOWS\unins000.dat
2008-02-09 16:46:02    691545 --a------ C:\WINDOWS\unins000.exe
2008-02-09 16:41:54         0 d-------- C:\Program Files\Debugging Tools for Windows
2008-02-05 17:36:33         0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Identities


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:44]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"nltide_2"=regsvr32 /s /n /i:U shell32
"nltide_3"=rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"disableregistrytools"=0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"=1 (0x1)
"NoSMConfigurePrograms"=1 (0x1)
"NoSMHelp"=1 (0x1)
"NoRecentDocsMenu"=1 (0x1)
"NoRecentDocsHistory"=1 (0x1)
"NoStartBanner"=1 (0x1)
"NoLowDiskSpaceChecks"=1 (0x1)
"NoResolveTrack"=1 (0x1)
"LinkResolveIgnoreLinkInfo"=1 (0x1)
"NoResolveSearch"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService   WebClient LmHosts upnphost SSDPSRV


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8b762684-fceb-11dc-8db1-000fb00cc88c}]
Auto\command- activexdebugger32.exe f
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL activexdebugger32.exe f
explore\Command- activexdebugger32.exe f
open\Command- activexdebugger32.exe f




-- End of Deckard's System Scanner: finished at 2008-03-28 23:06:50 ------------



[wojtas]

dss generuje dwa logi Ty dałes log o nazwe extra a daj o nazwie main.txt oczwyiscie w tagach... i daj loga z combofixa

[@Marcin]

ComboFix nie uruchamia sie

Kod: Zaznacz wszystko

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: Polish

CPU 0: Intel(R) Pentium(R) 4 CPU 3.00GHz
CPU 1: Intel(R) Pentium(R) 4 CPU 3.00GHz
Percentage of Memory in Use: 64%
Physical Memory (total/avail): 382.98 MiB / 137.13 MiB
Pagefile Memory (total/avail): 921.4 MiB / 682.84 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1921.77 MiB

C: is Fixed (NTFS) - 14.65 GiB total, 9.19 GiB free.
D: is Fixed (NTFS) - 41.24 GiB total, 25.5 GiB free.
E: is CDROM (Unformatted)
F: is Removable (FAT32)

\\.\PHYSICALDRIVE0 - TOSHIBA MK6025GAS - 55.89 GiB - 2 partitions
  \PARTITION0 (bootable) - Instalowalny system plików - 14.65 GiB - C:
  \PARTITION1 - Rozszerzona z rozszerzonym przerwaniem 13 - 41.24 GiB - D:

\\.\PHYSICALDRIVE1 - Kingston DataTraveler 2.0 USB Device - 3.84 GiB - 1 partition
  \PARTITION0 (bootable) - Unknown - 3.84 GiB - F:



-- Security Center -------------------------------------------------------------



-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Administrator\Dane aplikacji
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=KOMPUTER
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Administrator
LOGONSERVER=\\KOMPUTER
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 3 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0304
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp
TMP=C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp
USERDOMAIN=KOMPUTER
USERNAME=Administrator
USERPROFILE=C:\Documents and Settings\Administrator
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Administrator [I](admin)[/I]


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware SE Professional --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 6.0 CE --> MsiExec.exe /I{AC76BA86-7AD7-1038-7646-CE0000000001}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Agere Systems AC'97 Modem --> agrsmdel
AIMP2 --> C:\Program Files\AIMP2\UnInstall.exe
Aktualizacja dla systemu Windows XP (KB916595) -->
Aktualizacja dla systemu Windows XP (KB922120) -->
Aktualizacja dla systemu Windows XP (KB931836) -->
Aktualizacja zabezpieczeń dla Windows XP (KB923689) -->
ALLPlayer V3.X --> "C:\Program Files\MarBit\ALLPlayer\unins000.exe"
Ares 2.0.9 --> "C:\Program Files\Ares\uninstall.exe"
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
AutoConnect v0.1.3.1 --> C:\Program Files\AutoConnect\uninst.exe
avast! Antivirus --> rundll32 C:\PROGRA~1\ALWILS~1\Avast4\Setup\setiface.dll,RunSetup
Broadcom 802.11 Control Panel --> C:\WINDOWS\system32\BCMWLU00.exe verbose /rootkey=Software\Broadcom\802.11_App\UninstallInfo
Broadcom 802.11 Driver --> C:\WINDOWS\system32\BCMWLU00.exe verbose /rootkey=Software\Broadcom\802.11\UninstallInfo
Brother MFL-Pro Suite --> "C:\Program Files\InstallShield Installation Information\{A3FEC306-FBFF-4B0D-95B9-F9C67C65079E}\Setup.exe"  -runfromtemp -l0x0015 Brunin03.dll -removeonly
BugOff 1.10 --> F:\AntyVir, Firewall, Fix\BugOff.exe /uninstall
Debugging Tools for Windows --> MsiExec.exe /I{5C741A01-05D6-4306-BA6A-DC8401285AE8}
DRUKI IPS --> "C:\Program Files\IPSPI\FORMUL.IPS\unins000.exe"
FaceFilter Studio Brother Edition --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F59205C8-E5FB-43F5-AAB2-16C1760D4F59}\Setup.exe" -l0x9  /uninstall
Gadu-Gadu 7.7 --> C:\Program Files\Gadu-Gadu\Setup.exe
K-Lite Codec Pack 3.5.7 Full --> "C:\Program Files\K-Lite Codec Pack\unins000.exe"
Microsoft Office XP Professional z programem FrontPage --> MsiExec.exe /I{90280415-6000-11D3-8CFE-0050048383C9}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Firefox (2.0.0.12) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Narzędzie Software Uninstall Utility firmy ATI --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
Nero Suite --> C:\Program Files\Common Files\Nero\Uninstall\setupx.exe /uninstall ExtraUninstallID=""
Odinstaluj SAGEM Wi-Fi 11g USB adapter (sterownik) --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E2AA331E-E10E-438C-B1C0-24B2FFD3D9C4}\setup.exe" -l0x15
PaperPort Image Printer --> MsiExec.exe /X{332CC6BF-E6C7-48EE-BA3D-435E576AD67F}
Picasa 2 --> "C:\Program Files\Picasa2\Uninstall.exe"
PITy 2007 dla Windows kompilacja:1.0.1.1 --> "C:\Program Files\PITy\PITY2007NG\unins000.exe"
Poprawka dla systemu Windows XP (KB918093) -->
QuickTime Alternative 1.81 --> "C:\Program Files\QuickTime Alternative\unins000.exe"
Real Alternative 1.51 Lite --> "C:\Program Files\Real Alternative\unins000.exe"
REALTEK Gigabit and Fast Ethernet NIC Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{94FB906A-CF42-4128-A509-D353026A607E}\Setup.exe" -l0x15 REMOVE
Region południowy, zachodni 2007 --> c:\Program Files\tp\RegionPZ2007\Usun.exe
SAGEM Wi-Fi 11g USB adapter (driver) --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7421E270-0140-4F62-AE39-ECB9F1C81B35}\setup.exe" -l0x15
ScanSoft PaperPort 11 --> MsiExec.exe /I{B6C89654-A6A2-477C-873B-724EC1C56407}
Skype™ 3.6 --> MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\Setup.exe"
SpeedTouch USB Software --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D41FAAA9-8048-4906-86B2-9AADEA1FA0B7}\Setup.exe"  /l0009 -Control_Panel
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Spybot - Search & Destroy 1.5.2.20 --> "C:\WINDOWS\unins000.exe"
Sunbelt Kerio Personal Firewall --> MsiExec.exe /X{A990EAA7-8941-4621-BC27-4F16261D3180}
The Sims 2 --> D:\Program Files\EA GAMES\The Sims 2\EAUninstall.exe
Total Commander (Remove or Repair) --> c:\totalcmd\tcuninst.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type930 / Error
Event Submitted/Written: 03/28/2008 07:17:41 PM
Event ID/Source: 2 / WLTRYSVC
Event Description:
SetServiceStatus() failed

Event Record #/Type837 / Error
Event Submitted/Written: 03/14/2008 01:03:54 PM
Event ID/Source: 2 / WLTRYSVC
Event Description:
SetServiceStatus() failed

Event Record #/Type814 / Error
Event Submitted/Written: 03/10/2008 02:20:56 PM
Event ID/Source: 2 / WLTRYSVC
Event Description:
SetServiceStatus() failed

Event Record #/Type810 / Error
Event Submitted/Written: 03/10/2008 08:25:26 AM
Event ID/Source: 2 / WLTRYSVC
Event Description:
SetServiceStatus() failed

Event Record #/Type779 / Error
Event Submitted/Written: 03/05/2008 09:21:38 AM
Event ID/Source: 2 / WLTRYSVC
Event Description:
SetServiceStatus() failed



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type9096 / Error
Event Submitted/Written: 03/28/2008 10:40:15 PM
Event ID/Source: 10005 / DCOM
Event Description:
Model DCOM odebrał błąd „%%1084” podczas próby uruchomienia usługi EventSystem z argumentami „”
w celu uruchomienia serwera:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type9095 / Error
Event Submitted/Written: 03/28/2008 10:36:05 PM
Event ID/Source: 10005 / DCOM
Event Description:
Model DCOM odebrał błąd „%%1084” podczas próby uruchomienia usługi StiSvc z argumentami „”
w celu uruchomienia serwera:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Event Record #/Type9094 / Error
Event Submitted/Written: 03/28/2008 10:32:02 PM
Event ID/Source: 10005 / DCOM
Event Description:
Model DCOM odebrał błąd „%%1084” podczas próby uruchomienia usługi StiSvc z argumentami „”
w celu uruchomienia serwera:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Event Record #/Type9093 / Error
Event Submitted/Written: 03/28/2008 10:28:59 PM
Event ID/Source: 10005 / DCOM
Event Description:
Model DCOM odebrał błąd „%%1084” podczas próby uruchomienia usługi StiSvc z argumentami „”
w celu uruchomienia serwera:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Event Record #/Type9092 / Error
Event Submitted/Written: 03/28/2008 10:26:18 PM
Event ID/Source: 10005 / DCOM
Event Description:
Model DCOM odebrał błąd „%%1084” podczas próby uruchomienia usługi StiSvc z argumentami „”
w celu uruchomienia serwera:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}



-- End of Deckard's System Scanner: finished at 2008-03-28 22:47:43 ------------



[wojtas]

skasuj:

Kod: Zaznacz wszystko

R3 - Default URLSearchHook is missing

znasz ten plik i ten folder:

C:\Start_.cmd
C:\327882R2FWJFW

jesli nie to skasuj

wklej do notatnika

Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8b762684-fceb-11dc-8db1-000fb00cc88c}]

w notatniku u góry>>>plik zapisz jako>>>Zmien rozszerzenie z TXT na Wszystkie pliki *.* >>> Zapisz pod nazwą FIX.REG

Klikasz dwa razy na powstały plik fix i dodajesz go do rejestru....

[@Marcin]

Nowy log

Kod: Zaznacz wszystko

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:24:55, on 2008-03-28
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20583)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\setup\avast.setup
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\taskmgr.exe

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 3274 bytes


[wojtas]

daj loga jeszcze z dss'a i sprawdz czy nie masz pliku:

C:\WINDOWS\svchost.exe

[@Marcin]

w folderze Windows nie ma jest w folderze C:\WINDOWS\system32\svchost.exe

Kod: Zaznacz wszystko

Deckard's System Scanner v20071014.68
Run by Administrator on 2008-03-29 08:52:55
Computer is in Normal Mode.
--------------------------------------------------------------------------------

[color=red]Total Physical Memory: 383 MiB (512 MiB recommended).[/color]


-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:53:08, on 2008-03-29
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20583)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Administrator\Pulpit\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\ADMINI~1.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Marcin
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 4400 bytes

-- Files created between 2008-02-29 and 2008-03-29 -----------------------------

2008-03-28 23:17:22         0 d-------- C:\WINDOWS\pss
2008-03-28 22:46:36         0 d-------- C:\Program Files\Trend Micro
2008-03-28 22:33:41      1596 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-28 22:32:29     25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-03-28 22:32:29    289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-03-28 22:32:29     86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-03-28 22:32:29     82432 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-03-28 22:32:29     51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-03-28 22:32:28    288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-03-28 22:32:28     53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-03-28 21:10:19         0 d-------- C:\WINDOWS\CSC
2008-03-11 06:07:45         0 d-------- C:\Program Files\IPSPI
2008-03-05 09:24:15         0 d-------- C:\Program Files\tp
2008-03-03 11:48:21         0 d-------- C:\Program Files\PITy
2008-03-02 18:03:39         0 d-------- C:\WINDOWS\system32\appmgmt


-- Find3M Report ---------------------------------------------------------------

2008-03-29 08:50:17    433500 --a------ C:\WINDOWS\system32\perfh015.dat
2008-03-29 08:50:17     65682 --a------ C:\WINDOWS\system32\perfc015.dat
2008-03-23 10:00:12         0 d-------- C:\Program Files\AutoConnect
2008-03-15 22:36:02         0 d-------- C:\Program Files\AIMP2
2008-03-02 18:03:36         0 d-------- C:\Program Files\Common Files
2008-03-02 18:02:44         0 d-------- C:\Program Files\IrfanView
2008-02-17 17:07:42         0 d-------- C:\Program Files\Picasa2
2008-02-17 17:07:32         0 d-------- C:\Program Files\Google
2008-02-17 16:08:46         0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Ahead
2008-02-17 16:07:40         0 d-------- C:\Program Files\Common Files\Nero
2008-02-17 16:04:28         0 d-------- C:\Program Files\Ahead
2008-02-17 16:03:50         0 d-------- C:\Program Files\Common Files\Ahead
2008-02-16 19:22:38         0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\AdobeUM
2008-02-16 19:02:08         0 dr------- C:\Documents and Settings\Administrator\Dane aplikacji\Brother
2008-02-16 19:00:51         0 d-------- C:\Program Files\Common Files\Adobe
2008-02-16 19:00:51         0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Adobe
2008-02-16 17:27:26         0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\ScanSoft
2008-02-16 00:43:21         0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Reallusion
2008-02-16 00:28:00         0 d-------- C:\Program Files\Brother
2008-02-16 00:27:26         0 d-------- C:\Program Files\Reallusion
2008-02-16 00:27:26         0 d--h----- C:\Program Files\InstallShield Installation Information
2008-02-16 00:15:01        50 --a------ C:\WINDOWS\system32\bridf07a.dat
2008-02-16 00:12:29         0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\InstallShield
2008-02-16 00:11:49         0 d-------- C:\Program Files\Nuance
2008-02-16 00:10:17         0 d-------- C:\Program Files\Common Files\ScanSoft Shared
2008-02-16 00:10:01         0 d-------- C:\Program Files\Common Files\InstallShield
2008-02-16 00:09:28         0 d-------- C:\Program Files\ScanSoft
2008-02-14 22:47:21         0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Skype
2008-02-14 22:45:45         0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\skypePM
2008-02-09 16:49:21      3453 --a------ C:\WINDOWS\unins000.dat
2008-02-09 16:46:02    691545 --a------ C:\WINDOWS\unins000.exe
2008-02-09 16:41:54         0 d-------- C:\Program Files\Debugging Tools for Windows
2008-02-05 17:36:33         0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Identities


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:44]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"nltide_2"=regsvr32 /s /n /i:U shell32
"nltide_3"=rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"disableregistrytools"=0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"=1 (0x1)
"NoSMConfigurePrograms"=1 (0x1)
"NoSMHelp"=1 (0x1)
"NoRecentDocsMenu"=1 (0x1)
"NoRecentDocsHistory"=1 (0x1)
"NoStartBanner"=1 (0x1)
"NoLowDiskSpaceChecks"=1 (0x1)
"NoResolveTrack"=1 (0x1)
"LinkResolveIgnoreLinkInfo"=1 (0x1)
"NoResolveSearch"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService   WebClient LmHosts upnphost SSDPSRV


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8b762684-fceb-11dc-8db1-000fb00cc88c}]
Auto\command- activexdebugger32.exe f
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL activexdebugger32.exe f
explore\Command- activexdebugger32.exe f
open\Command- activexdebugger32.exe f




-- End of Deckard's System Scanner: finished at 2008-03-29 08:53:41 ------------



Kod: Zaznacz wszystko

"Silent Runners.vbs", revision 56, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"
                                        \StubPath   = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "AcroIEHlprObj Class"
                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Spybot-S&D IE Protection"
                   \InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
                   \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band"
  -> {HKLM...CLSID} = "History Band"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
  -> {HKLM...CLSID} = "avast"
                   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
"{1F77B17B-F531-44DB-ACA4-76ABB5010A28}" = "AIMP2: Shell Extention"
  -> {HKLM...CLSID} = "AIMP2: Shell Extention"
                   \InProcServer32\(Default) = "C:\PROGRA~1\AIMP2\System\AIMP_S~1.DLL" ["AIMP DevTeam"]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
AIMPClassic\(Default) = "{1F77B17B-F531-44DB-ACA4-76ABB5010A28}"
  -> {HKLM...CLSID} = "AIMP2: Shell Extention"
                   \InProcServer32\(Default) = "C:\PROGRA~1\AIMP2\System\AIMP_S~1.DLL" ["AIMP DevTeam"]
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
  -> {HKLM...CLSID} = "avast"
                   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
AIMPClassic\(Default) = "{1F77B17B-F531-44DB-ACA4-76ABB5010A28}"
  -> {HKLM...CLSID} = "AIMP2: Shell Extention"
                   \InProcServer32\(Default) = "C:\PROGRA~1\AIMP2\System\AIMP_S~1.DLL" ["AIMP DevTeam"]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
  -> {HKLM...CLSID} = "avast"
                   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"disableregistrytools" = (REG_DWORD) dword:0x00000000
{User Configuration|Administrative Templates|System|
Prevent access to registry editing tools}

HKCU\Software\Policies\Microsoft\Windows\System\

"disablecmd" = (REG_DWORD) dword:0x00000000
{User Configuration|Administrative Templates|System|
Disable the command prompt}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "%APPDATA%\Mozilla\Firefox\Tapeta pulpitu.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Administrator\Dane aplikacji\Mozilla\Firefox\Tapeta pulpitu.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\logon.scr" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}\
"MenuText" = "Spybot - Search & Destroy Configuration"
"CLSIDExtension" = "{53707962-6F74-2D53-2644-206D7942484F}"
  -> {HKLM...CLSID} = "Spybot-S&D IE Protection"
                   \InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" ["ALWIL Software"]
avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" ["ALWIL Software"]
avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]
avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
SoundMAX Agent Service, SoundMAX Agent Service (default), "C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe" ["Analog Devices, Inc."]
Sunbelt Kerio Personal Firewall 4, KPF4, ""C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe"" ["Sunbelt Software"]
WLTRYSVC, WLTRYSVC, "C:\WINDOWS\System32\wltrysvc.exe C:\WINDOWS\System32\bcmwltry.exe" [null data]


---------- (launch time: 2008-03-29 08:59:56)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
  DLL launch points, use the -supp parameter or answer "No" at the
  first message box and "Yes" at the second message box.
---------- (total run time: 37 seconds, including 14 seconds for message boxes)


Kod: Zaznacz wszystko

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:58:26, on 2008-03-29
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20583)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Marcin
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 4356 bytes


[wojtas]

Ściągnij OTMoveIt i go włacz i odpal go z opcji CleanUp

wklej do notatnika:

REGEDIT 4

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8b762684-fceb-11dc-8db1-000fb00cc88c}]

w notatniku u góry>>>plik zapisz jako>>>Zmien rozszerzenie z TXT na Wszystkie pliki *.* >>> Zapisz pod nazwą FIX.REG

Klikasz dwa razy na powstały plik fix i dodajesz go do rejestru....

[@Marcin]

Zrobione.
Nowe logi

Kod: Zaznacz wszystko

Deckard's System Scanner v20071014.68
Run by Administrator on 2008-03-29 10:06:02
Computer is in Normal Mode.
--------------------------------------------------------------------------------

[color=red]Total Physical Memory: 383 MiB (512 MiB recommended).[/color]


-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:06:03, on 2008-03-29
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20583)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Administrator\Pulpit\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\ADMINI~1.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Marcin
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 3779 bytes

-- Files created between 2008-02-29 and 2008-03-29 -----------------------------

2008-03-29 09:23:14      3542 --a------ C:\Start_.cmd
2008-03-29 09:23:14         0 d-------- C:\327882R2FWJFW
2008-03-28 23:17:22         0 d-------- C:\WINDOWS\pss
2008-03-28 22:46:36         0 d-------- C:\Program Files\Trend Micro
2008-03-28 22:32:29    289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-03-28 22:32:29     86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-03-28 22:32:29     82432 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-03-28 22:32:29     51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-03-28 22:32:28    288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-03-28 22:32:28     53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-03-28 21:10:19         0 d-------- C:\WINDOWS\CSC
2008-03-11 06:07:45         0 d-------- C:\Program Files\IPSPI
2008-03-05 09:24:15         0 d-------- C:\Program Files\tp
2008-03-03 11:48:21         0 d-------- C:\Program Files\PITy
2008-03-02 18:03:39         0 d-------- C:\WINDOWS\system32\appmgmt


-- Find3M Report ---------------------------------------------------------------

2008-03-29 09:42:33    433500 --a------ C:\WINDOWS\system32\perfh015.dat
2008-03-29 09:42:33     65682 --a------ C:\WINDOWS\system32\perfc015.dat
2008-03-23 10:00:12         0 d-------- C:\Program Files\AutoConnect
2008-03-15 22:36:02         0 d-------- C:\Program Files\AIMP2
2008-03-02 18:03:36         0 d-------- C:\Program Files\Common Files
2008-03-02 18:02:44         0 d-------- C:\Program Files\IrfanView
2008-02-17 17:07:42         0 d-------- C:\Program Files\Picasa2
2008-02-17 17:07:32         0 d-------- C:\Program Files\Google
2008-02-17 16:08:46         0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Ahead
2008-02-17 16:07:40         0 d-------- C:\Program Files\Common Files\Nero
2008-02-17 16:04:28         0 d-------- C:\Program Files\Ahead
2008-02-17 16:03:50         0 d-------- C:\Program Files\Common Files\Ahead
2008-02-16 19:22:38         0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\AdobeUM
2008-02-16 19:02:08         0 dr------- C:\Documents and Settings\Administrator\Dane aplikacji\Brother
2008-02-16 19:00:51         0 d-------- C:\Program Files\Common Files\Adobe
2008-02-16 19:00:51         0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Adobe
2008-02-16 17:27:26         0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\ScanSoft
2008-02-16 00:43:21         0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Reallusion
2008-02-16 00:28:00         0 d-------- C:\Program Files\Brother
2008-02-16 00:27:26         0 d-------- C:\Program Files\Reallusion
2008-02-16 00:27:26         0 d--h----- C:\Program Files\InstallShield Installation Information
2008-02-16 00:15:01        50 --a------ C:\WINDOWS\system32\bridf07a.dat
2008-02-16 00:12:29         0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\InstallShield
2008-02-16 00:11:49         0 d-------- C:\Program Files\Nuance
2008-02-16 00:10:17         0 d-------- C:\Program Files\Common Files\ScanSoft Shared
2008-02-16 00:10:01         0 d-------- C:\Program Files\Common Files\InstallShield
2008-02-16 00:09:28         0 d-------- C:\Program Files\ScanSoft
2008-02-14 22:47:21         0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Skype
2008-02-14 22:45:45         0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\skypePM
2008-02-09 16:49:21      3453 --a------ C:\WINDOWS\unins000.dat
2008-02-09 16:46:02    691545 --a------ C:\WINDOWS\unins000.exe
2008-02-09 16:41:54         0 d-------- C:\Program Files\Debugging Tools for Windows
2008-02-05 17:36:33         0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Identities


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:44]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"nltide_2"=regsvr32 /s /n /i:U shell32
"nltide_3"=rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"disableregistrytools"=0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"=1 (0x1)
"NoSMConfigurePrograms"=1 (0x1)
"NoSMHelp"=1 (0x1)
"NoRecentDocsMenu"=1 (0x1)
"NoRecentDocsHistory"=1 (0x1)
"NoStartBanner"=1 (0x1)
"NoLowDiskSpaceChecks"=1 (0x1)
"NoResolveTrack"=1 (0x1)
"LinkResolveIgnoreLinkInfo"=1 (0x1)
"NoResolveSearch"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService   WebClient LmHosts upnphost SSDPSRV


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8b762684-fceb-11dc-8db1-000fb00cc88c}]
Auto\command- activexdebugger32.exe f
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL activexdebugger32.exe f
explore\Command- activexdebugger32.exe f
open\Command- activexdebugger32.exe f




-- End of Deckard's System Scanner: finished at 2008-03-29 10:06:41 ------------


Kod: Zaznacz wszystko

"Silent Runners.vbs", revision 56, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"
                                        \StubPath   = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "AcroIEHlprObj Class"
                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Spybot-S&D IE Protection"
                   \InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
                   \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band"
  -> {HKLM...CLSID} = "History Band"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{1F77B17B-F531-44DB-ACA4-76ABB5010A28}" = "AIMP2: Shell Extention"
  -> {HKLM...CLSID} = "AIMP2: Shell Extention"
                   \InProcServer32\(Default) = "C:\PROGRA~1\AIMP2\System\AIMP_S~1.DLL" ["AIMP DevTeam"]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
AIMPClassic\(Default) = "{1F77B17B-F531-44DB-ACA4-76ABB5010A28}"
  -> {HKLM...CLSID} = "AIMP2: Shell Extention"
                   \InProcServer32\(Default) = "C:\PROGRA~1\AIMP2\System\AIMP_S~1.DLL" ["AIMP DevTeam"]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
AIMPClassic\(Default) = "{1F77B17B-F531-44DB-ACA4-76ABB5010A28}"
  -> {HKLM...CLSID} = "AIMP2: Shell Extention"
                   \InProcServer32\(Default) = "C:\PROGRA~1\AIMP2\System\AIMP_S~1.DLL" ["AIMP DevTeam"]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"disableregistrytools" = (REG_DWORD) dword:0x00000000
{User Configuration|Administrative Templates|System|
Prevent access to registry editing tools}

HKCU\Software\Policies\Microsoft\Windows\System\

"disablecmd" = (REG_DWORD) dword:0x00000000
{User Configuration|Administrative Templates|System|
Disable the command prompt}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "%APPDATA%\Mozilla\Firefox\Tapeta pulpitu.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Administrator\Dane aplikacji\Mozilla\Firefox\Tapeta pulpitu.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\logon.scr" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}\
"MenuText" = "Spybot - Search & Destroy Configuration"
"CLSIDExtension" = "{53707962-6F74-2D53-2644-206D7942484F}"
  -> {HKLM...CLSID} = "Spybot-S&D IE Protection"
                   \InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
SoundMAX Agent Service, SoundMAX Agent Service (default), "C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe" ["Analog Devices, Inc."]
Sunbelt Kerio Personal Firewall 4, KPF4, ""C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe"" ["Sunbelt Software"]
WLTRYSVC, WLTRYSVC, "C:\WINDOWS\System32\wltrysvc.exe C:\WINDOWS\System32\bcmwltry.exe" [null data]


---------- (launch time: 2008-03-29 10:07:32)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
  DLL launch points, use the -supp parameter or answer "No" at the
  first message box and "Yes" at the second message box.
---------- (total run time: 32 seconds, including 5 seconds for message boxes)


Kod: Zaznacz wszystko

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:07:03, on 2008-03-29
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20583)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Marcin
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 3735 bytes


[wojtas]

start>uruchom>regedit >skasuj pogrubiony wpis

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8b762684-fceb-11dc-8db1-000fb00cc88c}]

jesli Ci sie nie uda

Otworz notatnik i wklej w nim to:

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8b762684-fceb-11dc-8db1-000fb00cc88c}]

Plik >>> zapisz jako CFScript.txt .Plik przeciągnij i upuść na ikonę ComboFixa (tak jak tu )