"niewidoczne" ukryte pliki, problmy z programami itp.

[cslynx]

Witam ponownie,

Nie wiem co za świństwo tym razem złapałem...

Zauważone objawy:
- Nie mogę "odkryć" niewidocznych plików
- Przestał mi działać program transportowy "trans"
- Nie mogę uruchomić giełdy samochodowej
- Problemy ze skanerem - przestały działać przyciski na skanerze (w innym kompie działają)

Poniżej zamieszczam logi z OTL.

http://wklej.org/id/726501/

uzupełniam logi OTL extras i GMER:

Kod: Zaznacz wszystko

OTL Extras logfile created on: 2012-04-07 12:46:06 - Run 1
OTL by OldTimer - Version 3.2.39.2     Folder = C:\
Windows XP Professional Edition Dodatek Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000415 | Country: Polska | Language: PLK | Date Format: yyyy-MM-dd

2,00 Gb Total Physical Memory | 1,45 Gb Available Physical Memory | 72,45% Memory free
3,85 Gb Paging File | 3,41 Gb Available in Paging File | 88,67% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 48,83 Gb Total Space | 0,35 Gb Free Space | 0,73% Space Free | Partition Type: NTFS
Drive D: | 96,68 Gb Total Space | 68,07 Gb Free Space | 70,40% Space Free | Partition Type: NTFS
Drive E: | 87,37 Gb Total Space | 87,28 Gb Free Space | 99,90% Space Free | Partition Type: NTFS
Drive F: | 580,17 Mb Total Space | 0,00 Mb Free Space | 0,00% Space Free | Partition Type: CDFS

Computer Name: BARTEX | User Name: Biuro | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

[color=#E56717]========== Extra Registry (SafeList) ==========[/color]


[color=#E56717]========== File Associations ==========[/color]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.html [@ = ChromeHTML] -- C:\Program Files\Google\Chrome\Application\chrome.exe (Google Inc.)

[HKEY_USERS\S-1-5-21-1454471165-2000478354-1417001333-1003\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

[color=#E56717]========== Shell Spawning ==========[/color]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
http [open] -- "C:\Program Files\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)
https [open] -- "C:\Program Files\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

[color=#E56717]========== Security Center Settings ==========[/color]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[color=#E56717]========== System Restore Settings ==========[/color]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

[color=#E56717]========== Firewall Settings ==========[/color]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009
"26675:TCP" = 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009
"26675:TCP" = 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

[color=#E56717]========== Authorized Applications List ==========[/color]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\TightVNC\WinVNC.exe" = C:\Program Files\TightVNC\WinVNC.exe:*:Enabled:Launch TightVNC Server
"C:\Program Files\TeamViewer\Version4\TeamViewer.exe" = C:\Program Files\TeamViewer\Version4\TeamViewer.exe:*:Enabled:TeamViewer 4
"C:\Program Files\Gadu-Gadu\gg.exe" = C:\Program Files\Gadu-Gadu\gg.exe:*:Enabled:Gadu-Gadu - program główny
"C:\Program Files\Tlen.pl\tlen.exe" = C:\Program Files\Tlen.pl\tlen.exe:*:Enabled:Komunikator Tlen.pl -- (o2.pl Sp. z o.o.)
"C:\SpedTransSQL3000\aktualizuj.exe" = C:\SpedTransSQL3000\aktualizuj.exe:*:Enabled:aktualizuj -- ()
"C:\Program Files\Trans\trans.exe" = C:\Program Files\Trans\trans.exe:*:Enabled:Trans instant messenger
"C:\Program Files\Gadu-Gadu 10\gg.exe" = C:\Program Files\Gadu-Gadu 10\gg.exe:*:Enabled:Gadu-Gadu 10
"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)
"C:\Program Files\Winamp\winamp.exe" = C:\Program Files\Winamp\winamp.exe:*:Enabled:Winamp -- (Nullsoft, Inc.)
"C:\Program Files\Skype\Plugin Manager\skypePM.exe" = C:\Program Files\Skype\Plugin Manager\skypePM.exe:*:Enabled:Skype Extras Manager
"C:\Documents and Settings\Biuro\Ustawienia lokalne\Dane aplikacji\Akamai\netsession_win.exe" = C:\Documents and Settings\Biuro\Ustawienia lokalne\Dane aplikacji\Akamai\netsession_win.exe:*:Enabled:Akamai NetSession Interface -- (Akamai Technologies, Inc)


[color=#E56717]========== HKEY_LOCAL_MACHINE Uninstall List ==========[/color]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_CNQ2413" = CanoScan LiDE 100 Scanner Driver
"{13F00518-807A-4B3A-83B0-A7CD90F3A398}" = MarketResearch
"{14F5121B-E4D9-4236-BB73-364CC5C0CFC8}" = OpenOffice.org 2.1
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1C4551A6-4743-4093-91E4-1477CD655043}" = NVIDIA PhysX
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216017FF}" = Java(TM) 6 Update 26
"{2767DEDE-EA9D-4FCE-A06A-40F4DD293330}" = hppusgP1000
"{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}" = Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)
"{2FFE93F0-BB72-4E52-8761-354D1AAA9387}" = Sony Ericsson PC Suite 6.011.00
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java(TM) 6 Update 7
"{350C9415-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3921A67A-5AB1-4E48-9444-C71814CF3027}" = VCRedistSetup
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English)
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{58ECE031-9AAD-4011-B34A-BC78E77527E2}" = hppMSRedist
"{59046D29-2E6B-4224-BF0D-64F3E7A93F7B}" = LightScribe System Software  1.10.19.1
"{6094AB91-4CC8-498E-9DFF-134CC0B159DE}" = PC Connectivity Solution
"{65A54DC3-5FF6-4C75-906E-3EA1A3B71045}" = Nero 8 Essentials
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{7670D32F-DAE6-4E49-8C8B-B3F08B5B1686}" = Microsoft SQL Server Native Client
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7902E313-FF0F-4493-ACB1-A8147B78DCD0}" = HPSSupply
"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
"{86D4B82A-ABED-442A-BE86-96357B70F4FE}" = Ask Toolbar
"{90120000-0010-0415-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders  (Polish) 12
"{90120000-001A-0415-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (Polish) 2007
"{90120000-001A-0415-0000-0000000FF1CE}_OUTLOOKR_{01CC3B2D-70DB-49DC-839A-A923D2A39EA4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001F-0407-0000-0000000FF1CE}" = Microsoft Office Proof (German) 2007
"{90120000-001F-0407-0000-0000000FF1CE}_OUTLOOKR_{928D7B99-2BEA-49F9-83B8-20FA57860643}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_OUTLOOKR_{1FF96026-A04A-4C3E-B50A-BB7022654D0F}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-0415-0000-0000000FF1CE}" = Microsoft Office Proof (Polish) 2007
"{90120000-001F-0415-0000-0000000FF1CE}_OUTLOOKR_{9CC96D78-9E1D-46E0-AF4D-3EB440CD4619}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-002C-0415-0000-0000000FF1CE}" = Microsoft Office Proofing (Polish) 2007
"{90120000-006E-0415-0000-0000000FF1CE}" = Microsoft Office Shared MUI (Polish) 2007
"{90120000-006E-0415-0000-0000000FF1CE}_OUTLOOKR_{0C8AB602-A234-45AB-B355-4C863C1D2FA8}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{91120000-001A-0000-0000-0000000FF1CE}" = Microsoft Office Outlook 2007
"{91120000-001A-0000-0000-0000000FF1CE}_OUTLOOKR_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A43BF6A5-D5F0-4AAA-BF41-65995063EC44}" = MSXML 6.0 Parser
"{A4512736-8D63-4298-9271-5329931FA46B}" = Microsoft SQL Server Management Studio Express
"{A82D052A-0806-42DF-80CD-1730A1AC0ED3}" = MrvlUsgTracking
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1045-7B44-A94000000001}" = Adobe Reader 9.4.2 - Polish
"{B208806F-A231-4FA0-AB3F-5C1B8979223E}" = Microsoft ActiveSync 4.0
"{B6CF2967-C81E-40C0-9815-C05774FEF120}" = Skype Toolbars
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C9BED750-1211-4480-B1A5-718A3BE15525}" = REALTEK GbE & FE Ethernet PCI-E NIC Driver
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CCA5EAAD-92F4-4B7A-B5EE-14294C66AB61}" = PlayReady PC Runtime x86
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D642E38E-0D24-486C-9A2D-E316DD696F4B}" = Microsoft XML Parser
"{D6F879CC-59D6-4D4B-AE9B-D761E48D25ED}" = Skype™ 5.3
"{E7084B89-69E0-46B3-A118-8F99D06988CD}" = Microsoft SQL Server VSS Writer
"{F09EF8F2-0976-42C1-8D9D-8DF78337C6E3}" = Sony Ericsson PC Companion 1.60.13
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Akamai" = Akamai NetSession Interface
"CPUID CPU-Z_is1" = CPUID CPU-Z 1.60
"Google Chrome" = Google Chrome
"HP LaserJet P1000 series" = HP LaserJet P1000 series
"ie8" = Windows Internet Explorer 8
"ipla" = ipla 2.3.3
"Microsoft .NET Framework 1.1  (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft SQL Server 2005" = Microsoft SQL Server 2005
"Mozilla Firefox 11.0 (x86 pl)" = Mozilla Firefox 11.0 (x86 pl)
"MP Navigator EX 2.0" = Canon MP Navigator EX 2.0
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NOD32" = NOD32 Antivirus System
"NVIDIA Drivers" = NVIDIA Drivers
"OUTLOOKR" = Microsoft Office Outlook 2007 Trial
"Quick Search Box" = Okno szybkiego wyszukiwania Google
"SoftwareUpdUtility" = Download Updater (AOL LLC)
"Symfonia® Handel start" = Symfonia® Handel start
"Tlen.pl" = Tlen.pl
"TRANS_is1" = TRANS 4.0.17.2186
"uTorrent" = µTorrent
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Winamp" = Winamp
"Winamp Toolbar" = Winamp Toolbar
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WinRAR archiver" = Archiwizator WinRAR
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"ZTE ZXDSL852" = ZTE ZXDSL852

[color=#E56717]========== HKEY_USERS Uninstall List ==========[/color]

[HKEY_USERS\S-1-5-21-1454471165-2000478354-1417001333-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{79A765E1-C399-405B-85AF-466F52E918B0}" = Ask Toolbar Updater
"Winamp Detect" = Detektor Winampa
"Winamp Toolbar" = Winamp Toolbar

[color=#E56717]========== Last 10 Event Log Errors ==========[/color]

[ System Events ]
Error - 2012-04-02 04:35:24 | Computer Name = BARTEX | Source = Service Control Manager | ID = 7023
Description = Usługa Akamai NetSession Interface zakończyła działanie; wystąpił
następujący błąd:   %%126

Error - 2012-04-02 04:35:24 | Computer Name = BARTEX | Source = Service Control Manager | ID = 7000
Description = Nie można uruchomić usługi Sony Ericsson OMSI download service z powodu
następującego błędu:   %%2

Error - 2012-04-02 04:35:24 | Computer Name = BARTEX | Source = Service Control Manager | ID = 7000
Description = Nie można uruchomić usługi VNC Server z powodu następującego błędu:
   %%3

Error - 2012-04-02 12:56:26 | Computer Name = BARTEX | Source = Service Control Manager | ID = 7023
Description = Usługa Akamai NetSession Interface zakończyła działanie; wystąpił
następujący błąd:   %%126

Error - 2012-04-02 12:56:26 | Computer Name = BARTEX | Source = Service Control Manager | ID = 7000
Description = Nie można uruchomić usługi Sony Ericsson OMSI download service z powodu
następującego błędu:   %%2

Error - 2012-04-02 12:56:26 | Computer Name = BARTEX | Source = Service Control Manager | ID = 7000
Description = Nie można uruchomić usługi VNC Server z powodu następującego błędu:
   %%3

Error - 2012-04-02 13:06:34 | Computer Name = BARTEX | Source = Service Control Manager | ID = 7023
Description = Usługa Akamai NetSession Interface zakończyła działanie; wystąpił
następujący błąd:   %%126

Error - 2012-04-02 13:06:34 | Computer Name = BARTEX | Source = Service Control Manager | ID = 7000
Description = Nie można uruchomić usługi Sony Ericsson OMSI download service z powodu
następującego błędu:   %%2

Error - 2012-04-02 13:06:34 | Computer Name = BARTEX | Source = Service Control Manager | ID = 7000
Description = Nie można uruchomić usługi VNC Server z powodu następującego błędu:
   %%3

Error - 2012-04-02 13:06:53 | Computer Name = BARTEX | Source = CnxEtP | ID = 2752517
Description = AccessRunner ADSL connection terminated


< End of report >


oraz Gmer

Kod: Zaznacz wszystko

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-04-07 15:45:17
Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-16 ST3250410AS rev.4.AAA
Running: y3uwxl1o.exe; Driver: C:\DOCUME~1\Biuro\USTAWI~1\Temp\uxtdqpow.sys


---- Kernel code sections - GMER 1.0.15 ----

.text           C:\WINDOWS\system32\DRIVERS\nv4_mini.sys                                               section is writeable [0xB6A09360, 0x3CEED5, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text           C:\Program Files\Mozilla Firefox\plugin-container.exe[1180] USER32.dll!GetWindowInfo   7E37C49C 5 Bytes  JMP 1044FE0A C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text           C:\Program Files\Mozilla Firefox\plugin-container.exe[1180] USER32.dll!TrackPopupMenu  7E3B531E 5 Bytes  JMP 104503C5 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text           C:\Program Files\Mozilla Firefox\firefox.exe[2296] ntdll.dll!LdrLoadDll                7C91632D 5 Bytes  JMP 01269720 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text           C:\Program Files\Mozilla Firefox\firefox.exe[2296] kernel32.dll!VirtualAlloc           7C809AF1 5 Bytes  JMP 0149E21B C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text           C:\Program Files\Mozilla Firefox\firefox.exe[2296] kernel32.dll!MapViewOfFile          7C80B9A5 5 Bytes  JMP 0149E1F4 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text           C:\Program Files\Mozilla Firefox\firefox.exe[2296] GDI32.dll!CreateDIBSection          77F19E19 5 Bytes  JMP 0149E17E C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Devices - GMER 1.0.15 ----

AttachedDevice  \FileSystem\Ntfs \Ntfs                                                                 amon.sys (Amon monitor/Eset )

---- EOF - GMER 1.0.15 ----


[wojtas]

a gdzie log z Gmera i drugi log z OTL'a extras.txt ? uzupełnij

następnym razem logi daj w załączniki na forum

Odinstaluj Akamai NetSession Interface, winamp toolbar, ask toolbar

Uruchom OTL i w sekcji własne opcje skanowania / skrypt wklej:

:OTL
PRC - [2012-01-03 17:31:34 | 001,391,272 | ---- | M] (Ask) -- C:\Program Files\Ask.com\Updater\Updater.exe
SRV - File not found [Auto | Stopped] -- C:\Program Files\TightVNC\WinVNC.exe -- (winvnc)
SRV - File not found [Auto | Stopped] -- C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe -- (OMSI download service)
SRV - File not found [Auto | Stopped] -- c:\program files\common files\
/netsession_win_d768ebc.dll -- (Akamai)
IE - HKLM\..\URLSearchHook: {57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - C:\Program Files\Winamp Toolbar\winamptb.dll (AOL Inc.)
IE - HKU\S-1-5-21-1454471165-2000478354-1417001333-1003\..\URLSearchHook: {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
IE - HKU\S-1-5-21-1454471165-2000478354-1417001333-1003\..\URLSearchHook: {57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - C:\Program Files\Winamp Toolbar\winamptb.dll (AOL Inc.)
IE - HKU\S-1-5-21-1454471165-2000478354-1417001333-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com?o=15470&l=dis
IE - HKU\S-1-5-21-1454471165-2000478354-1417001333-1003\..\SearchScopes\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}: "URL" = http://websearch.ask.com/redirect?client=ie&tb=UTR&o=15467&src=crm&q={searchTerms}&locale=en_US&apn_ptnrs=HA&apn_dtid=YYYYYYUDPL&apn_uid=01C73134-B47D-47E3-A565-9AA0A52B757F&apn_sauid=22E59D99-FA9C-47E1-872A-247A83062FF6
IE - HKU\S-1-5-21-1454471165-2000478354-1417001333-1003\..\SearchScopes\{EEE7E0A3-AE64-4dc8-84D1-F5D7BAF2DB0C}: "URL" = http://slirsredirect.search.aol.com/redirector/sredir?sredir=2685&query={searchTerms}&invocationType=tb50-ie-winamp-chromesbox-en-us&tb_uuid=20110406071306109&tb_oid=06-04-2011&tb_mrud=06-04-2011
FF - prefs.js..browser.search.defaultengine: "Ask.com"
FF - prefs.js..browser.search.defaultenginename: "Ask.com"
FF - prefs.js..browser.search.defaulturl: "http://search.winamp.com/search/search?query={searchTerms}&invocationType=tb50-ff-winamp-chromesbox-en-us&tb_uuid=20110406071306109&tb_oid=06-04-2011&tb_mrud=06-04-2011&query="
FF - prefs.js..browser.search.order.1: "Ask.com"
FF - prefs.js..browser.search.selectedEngine: "Ask.com"
FF - prefs.js..extensions.enabledItems: toolbar@ask.com:3.11.3.15590
FF - prefs.js..extensions.enabledItems: {0b38152b-1b20-484d-a11f-5e04a9b0661f}:5.6.14.1
FF - prefs.js..keyword.URL: "http://websearch.ask.com/redirect?client=ff&src=kw&tb=UTR&o=15467&locale=en_US&apn_uid=01C73134-B47D-47E3-A565-9AA0A52B757F&apn_ptnrs=HA&apn_sauid=22E59D99-FA9C-47E1-872A-247A83062FF6&apn_dtid=YYYYYYUDPL&&q="
FF - user.js - File not found
[2012-04-07 12:24:15 | 000,000,000 | ---D | M] ("Winamp Toolbar") -- C:\Documents and Settings\Biuro\Dane aplikacji\Mozilla\Firefox\Profiles\sdsibneq.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}
[2012-01-30 14:24:02 | 000,000,000 | ---D | M] ("Ask Toolbar") -- C:\Documents and Settings\Biuro\Dane aplikacji\Mozilla\Firefox\Profiles\sdsibneq.default\extensions\toolbar@ask.com
[2011-04-06 09:37:01 | 000,002,354 | ---- | M] () -- C:\Documents and Settings\Biuro\Dane aplikacji\Mozilla\Firefox\Profiles\sdsibneq.default\searchplugins\aol-web-search.xml
[2012-04-07 12:24:20 | 000,002,572 | ---- | M] () -- C:\Documents and Settings\Biuro\Dane aplikacji\Mozilla\Firefox\Profiles\sdsibneq.default\searchplugins\askcom.xml
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [ApnUpdater] C:\Program Files\Ask.com\Updater\Updater.exe (Ask)
O4 - HKLM..\Run: [CnxDslTaskBar] "C:\Program Files\ZTE Corporation\ZXDSL852\CnxDslTb.exe" "ZTE Corporation\ZXDSL852" File not found
O4 - HKLM..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper File not found
O4 - HKU\S-1-5-21-1454471165-2000478354-1417001333-1003..\Run: [Trans] C:\Program Files\Trans\trans.exe File not found
O32 - AutoRun File - [2011-11-12 11:36:13 | 000,000,000 | R--D | M] - F:\.autorun -- [ CDFS ]
O32 - AutoRun File - [2011-11-12 11:36:13 | 000,000,085 | R--- | M] () - F:\autorun.inf -- [ CDFS ]
O33 - MountPoints2\{153f6ba9-a5da-11de-ad81-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{153f6ba9-a5da-11de-ad81-806d6172696f}\Shell\AutoRun\command - "" = F:\.autorun\autorun.exe -- [2011-11-12 11:36:13 | 001,756,576 | R--- | M] (Ashampoo)
O33 - MountPoints2\{3210296a-de83-11df-99c6-00d0d08af2ae}\Shell\AutoRun\command - "" = G:\wyskq6lt.exe
O33 - MountPoints2\{3210296a-de83-11df-99c6-00d0d08af2ae}\Shell\open\Command - "" = G:\wyskq6lt.exe
O33 - MountPoints2\{80a3f745-90e7-11e0-9af1-00d0d08af2ae}\Shell - "" = AutoRun
O33 - MountPoints2\{80a3f745-90e7-11e0-9af1-00d0d08af2ae}\Shell\AutoRun\command - "" = G:\Startme.exe
O33 - MountPoints2\{8e619b8b-e0e8-11df-99cc-00d0d08af2ae}\Shell\AutoRun\command - "" = G:\wyskq6lt.exe
O33 - MountPoints2\{8e619b8b-e0e8-11df-99cc-00d0d08af2ae}\Shell\open\Command - "" = G:\wyskq6lt.exe
O33 - MountPoints2\{a9d910a7-02e2-11df-97be-00d0d08af2ae}\Shell\AutoRun\command - "" = lphfa.exe
O33 - MountPoints2\{a9d910a7-02e2-11df-97be-00d0d08af2ae}\Shell\open\Command - "" = lphfa.exe
O33 - MountPoints2\{e7f589bc-e370-11df-99d3-00d0d08af2ae}\Shell\AutoRun\command - "" = G:\albkpq3.exe
O33 - MountPoints2\{e7f589bc-e370-11df-99d3-00d0d08af2ae}\Shell\open\Command - "" = G:\albkpq3.exe
[2012-04-07 12:46:00 | 000,000,234 | ---- | M] () -- C:\WINDOWS\tasks\Scheduled Update for Ask Toolbar.job
[2010-12-20 09:52:35 | 000,121,344 | RHS- | C] () -- C:\WINDOWS\System32\arking1.dll
[2010-12-02 13:13:31 | 000,121,344 | RHS- | C] () -- C:\WINDOWS\System32\arking0.dll
[2010-11-18 21:50:49 | 000,116,224 | RHS- | C] () -- C:\WINDOWS\System32\mgking1.dll
[2010-11-18 10:41:28 | 000,114,176 | RHS- | C] () -- C:\WINDOWS\System32\mgking0.dll

:Files
c:\WINDOWS\System32\arking1.dll
C:\WINDOWS\System32\arking0.dll
C:\WINDOWS\System32\mgking1.dll
C:\WINDOWS\System32\mgking0.dll

:Reg
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"SuperHidden"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000001
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden\Policy\DontShowSuperHidden]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden\Policy\DontShowSuperHidden]
@=""

:Commands
[emptytemp]

Kliknij wykonaj skrypt. I potwierdź reset komputera .


Użyj AdwCleaner i kliknij w nim Delete (uruchom z prawokliku "jako Administrator)
Pokaż raport z niego

Na klawiaturze znajdź przycisk z flagą Windows oraz R ( naciśnij oba) wyskoczy okienko, w którym wklej:

"C:\ComboFix.exe" /uninstall

i zatwierdź

Następnie uruchamiasz OTL z opcją skanuj. Pokazujesz nowy log OTL.txt oraz raport z czyszczenia (zawartość notatnika, która otworzy się po restarcie). Przy podpiętym urządzeniu przenośnym (pendrive, telefon - to co jest podłączane do komputera) , uruchom USBFIX z opcji Listing i pokaż raport na forum.

[cslynx]

Niestety podczas wykonywania skryptu OTL się zawiesił, czy w związku z tym wykonywać dalsze instrukcje?

Widać już małą poprawę, pojawiły sie ukryte pliki.

pozdrawiam

[wojtas]

tak wykonaj resztę instrukcji

[cslynx]

Ok zostało mi jeszcze USBFix, ale czekam na powrót skanera od kolegi.

Skan OTL:


(pamiętaj o Gmerze i drugim logu z OTL'a)

log z gmer i otl dodałem do pierwszego postu. Przy kolejnych skanowaniach OTL dawał tylko jeden LOG.

[wojtas]

ok w takim razie czekam na log z USBFix i ADWCleaner

[cslynx]

Poniżej log z AdwCleaner, na USB jeszcze chwile musze poczekać.

Dodano Dzisiaj, 08:28:
Witam,

zamieszczam LOg z USBfix'a. Wykonałem tylko log nic wiecej nie robilem.

Dodano Dzisiaj, 08:44:

[wojtas]

czy to na pewno opcja Listing?

podepnij urządzenie pod USB:

Uruchom OTL i w sekcji własne opcje skanowania / skrypt wklej:

:OTL

:Files
autorun.inf /alldrives
albkpq3.exe /alldrives
b9v.exe /alldrives
et3ypes.exe /alldrives
i00dvoym.exe /alldrives
r3q63rok.exe /alldrives
C:\DOCUME~1\Biuro\USTAWI~1\Temp\GUT36D.tmp
C:\WINDOWS\system32\arking0.dll
C:\WINDOWS\system32\arking1.dll
C:\WINDOWS\system32\mgking0.dll
C:\WINDOWS\system32\mgking1.dll
C:\DOCUME~1\Biuro\USTAWI~1\Temp\apiqq.exe
C:\DOCUME~1\Biuro\USTAWI~1\Temp\apiqq0.dll
C:\DOCUME~1\Biuro\USTAWI~1\Temp\apiqq1.dll
C:\DOCUME~1\Biuro\USTAWI~1\Temp\cvasds0.dll
C:\DOCUME~1\Biuro\USTAWI~1\Temp\cvasds1.dll

:Reg
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"SuperHidden"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000001
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden\Policy\DontShowSuperHidden]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden\Policy\DontShowSuperHidden]
@=""
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\MADOWN]

:Commands
[emptytemp]

Kliknij wykonaj skrypt. I potwierdź reset komputera .

Następnie uruchamiasz OTL z opcją skanuj. Pokazujesz nowy log OTL.txt oraz raport z czyszczenia (zawartość notatnika, która otworzy się po restarcie). + nowy log z USBFix

[cslynx]

Witam,

Poniżej log z wykonania skryptu oraz logi ze skanu i USBfix'a.

Wyżej chyba faktycznie zamieściłem log z usbfix'a opcji research... ponizej jest listing.

pozdrawiam

[wojtas]

Total Files Cleaned = 15 916,00 mb

trochę tego usnęło się ( tempy)

Podepnij pendriva
Uruchom OTL i w sekcji własne opcje skanowania / skrypt wklej:

:OTL
O2 - BHO: (IEPluginBHO Class) - {F5CC7F02-6F4E-4462-B5B1-394A57FD3E0D} - C:\Documents and Settings\Biuro\Dane aplikacji\Gadu-Gadu 10\_userdata\ggbho.2.dll File not found
O4 - HKLM..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper File not found
O4 - HKU\S-1-5-21-1454471165-2000478354-1417001333-1003..\Run: [Trans] C:\Program Files\Trans\trans.exe File not found
O16 - DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} http://javadl-esd.sun.com/update/1.6.0/jinstall-6u7-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Reg Error: Key error.)
[2011-11-10 12:14:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Biuro\Ustawienia lokalne\Dane aplikacji\Akamai

:Files
9d6resf.exe /alldrives

:Reg
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"SuperHidden"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000001
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden\Policy\DontShowSuperHidden]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden\Policy\DontShowSuperHidden]
@=""

:Commands
[emptytemp]

Kliknij wykonaj skrypt. I potwierdź reset komputera .

Następnie uruchamiasz OTL z opcją skanuj. Pokazujesz nowy log OTL.txt oraz raport z czyszczenia (zawartość notatnika, która otworzy się po restarcie).

[cslynx]

Pendriva niestety juz nie mam.

Poniżej log z wykonania skryptu oraz nowe skanowanie OTL.

[wojtas]

zabezpiecz kompa przed infekcją z pendriva...
http://research.pandasecurity.com/Panda-USB-and-AutoRun-Vaccine/

*Uruchom OTL z opcji sprzątanie.
* wykonaj optymalizację Windowsa ( instrukcja dla Windowsa XP, lecz w innych systemach jest podobnie )
* zrób pełny skan Malwarebytes Anti-Malware (zaktualizuj, gdy coś znajdzie pokaż raport, i usuń wszystko za pomocą tego programu )
* Skasuj stan przywracania systemu


Zaktualizuj zabezpieczenia:
>>> Adobe Reader (bez Free McAfee® Security Scan Plus)
>>> Java™ 6



napisz jak sytuacja z komputerem

[cslynx]

no witam,

wykonałem powyższe wskazówki jednak nadal mam problem ze skanerem, jak wciskam np. przycisk SCAN na skanerze to tylko na 2 sekundy kursor zmienia się w klepsydrę i nic więcej się nie dzieje. Przed infekcją było wszystko OK, da się coś z tym zrobić?


Pozdrawiam

Dodano Dzisiaj, 11:15:
Zamieszczam jeszcze log z Anti-malware:

[wojtas]

a próbowałeś pobawić się ze sterownikami ? bo infekcji już nie widać