problem ze stabilnością systemu

**Posty:** 69 · przez **Fingfolin** 17 Sty 2008, 13:56

Witam, po włączeniu systemu pojawiają się komunikaty o domniemanej niestabilnosci systemu, po pewnym czasie wącza się proces winodows zajmujący prawie całe użycie procesora, co za tym idzie prawdziwą niestabilnosc systemu. Pojawia się okienko przenoszące do ściągania programu, który ma byc cudownym lekiem na wszelkie zło na kompie

. Znalazłem pliki odpowiedzialne za to w system32, ale nie potrafie ich usunąc. Oto log z Hijcacka. Byłbym bardoz wdzieczny za pomoc w rozwiązaniu problemu

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:50:19, on 2008-01-17
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
E:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Nero\Nero 7\InCD\InCD .exe
C:\WINDOWS\System32\ctfmon .exe
C:\Program Files\Nero\Nero 7\InCD\NBHGui .exe
E:\Gadu-Gadu\gg.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\DAEMON Tools Pro\DTProAgent.exe
C:\Program Files\DAEMON Tools Pro\DTProAgent .exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel .exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\SAGEM WiFi manager\WLANUTL.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\System32\kaddlnua.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\wianmpa.exe
O4 - HKLM\..\Run: [dc40337d] rundll32.exe "C:\WINDOWS\System32\dudrhxoj.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "E:\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AtiTrayTools] "F:\ATI Tray Tools\atitray.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: Program sieciowy dla SAGEM Wi-Fi 11g USB adapter.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DomainService - - C:\WINDOWS\System32\kaddlnua.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: Usługa iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 5412 bytes

Kod: Zaznacz wszystko: O23 - Service: DomainService - - C:\WINDOWS\System32\kaddlnua.exe

to wywaliłem, nie wiem co zrobic z :

Kod: Zaznacz wszystko: 4 - HKLM\..\Run: [dc40337d] rundll32.exe "C:\WINDOWS\System32\dudrhxoj.dll",b

**Posty:** 65 · przez **Avenger** 17 Sty 2008, 14:45

O4 - HKLM\..\Run: [dc40337d] rundll32.exe "C:\WINDOWS\System32\dudrhxoj.dll",b
O23 - Service: DomainService - - C:\WINDOWS\System32\kaddlnua.exe

Skasuj pogrubione pliki w trybie awaryjnym i wyłączonym przywracaniem systemu, wpisy skasuj w hijacku

Otwórz notatnik i wklej w nim to:

sc stop DomainService
sc del DomainService

plik>zapisz jako...>zmień rozszerzenie na: wszystkie pliki>zapisz jako FIX.BAT. Odpal plik FIX.BAT w trybie awaryjnym i wyłączonym przywracaniem systemu

Zastosuj Smitfraudfix opja na 2

Zastosuj VundoFix FixVundo VirtmundoBeGone

Po zabiegach dajesz nowy log z hijacka i log z Combofix i raport ze Smitfraudfix

Autor postu otrzymał pochwałę

**Posty:** 69 · przez **Fingfolin** 17 Sty 2008, 15:20

Kod: Zaznacz wszystko: O23 - Service: DomainService - - C:\WINDOWS\System32\kaddlnua.exe

to ja wziąłem poprostu w cmd wywaliłem komendami sc stop a potem sc delete, efekt chyba ten sam

Kod: Zaznacz wszystko: Zastosuj Smitfraudfix opja na 2 Zastosuj VundoFix FixVundo VirtmundoBeGone

Juz sie robi

[ Dodano: Dzisiaj o 15:52 ]

SmitFraudFix v2.274

Scan done at 15:26:41,10, 2008-01-17
Run from F:\fggf
OS: Microsoft Windows XP [Wersja 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix.exe by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{ADBEA15E-D6F4-49CC-B88D-21104EB397CE}: DhcpNameServer=192.168.1.1 0.0.0.0
HKLM\SYSTEM\CS1\Services\Tcpip\..\{ADBEA15E-D6F4-49CC-B88D-21104EB397CE}: DhcpNameServer=192.168.1.1 0.0.0.0
HKLM\SYSTEM\CS2\Services\Tcpip\..\{ADBEA15E-D6F4-49CC-B88D-21104EB397CE}: DhcpNameServer=192.168.1.1 0.0.0.0
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 0.0.0.0
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 0.0.0.0
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 0.0.0.0

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End

Kod: Zaznacz wszystko: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 15:48:36, on 2008-01-17 Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe C:\PROGRA~1\MOZILL~1\FIREFOX.EXE C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe E:\Program Files\iTunes\iTunesHelper.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe C:\Program Files\Nero\Nero 7\InCD\NBHGui .exe E:\Gadu-Gadu\gg.exe C:\Program Files\SAGEM WiFi manager\WLANUTL.exe C:\Program Files\Common Files\LightScribe\LightScribeControlPanel .exe C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe C:\Program Files\ATI Technologies\ATI.ACE\cli.exe C:\Program Files\ATI Technologies\ATI.ACE\cli.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza F3 - REG:win.ini: load=C:\WINDOWS\System32\gebcd.exe O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\wianmpa.exe O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel .exe -hidden O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor .exe" O4 - HKCU\..\Run: [Gadu-Gadu] "E:\Gadu-Gadu\gg.exe" /tray O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA SIECIOWA') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user') O4 - Global Startup: Program sieciowy dla SAGEM Wi-Fi 11g USB adapter.lnk = ? O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe O23 - Service: Usługa iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\System32\windows O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe -- End of file - 4834 bytes

VundoFix nie potrafi usunąc kilku plików(gebc.dll)( jest w logu z hijacka wpis w rejestrze), a VirtmundoBeGone po odpaleniu od razu włącza jakis plik txt i sie wylącza.

**Posty:** 65 · przez **Avenger** 17 Sty 2008, 18:04

F3 - REG:win.ini: load=C:\WINDOWS\System32\gebcd.exe

Usuń plik tą samą procedurą co ostatnio
Daj natychmiast log z Combofix.

**Posty:** 3854 · przez **Dzi@dek** 18 Sty 2008, 04:10

F3 - REG:win.ini: load=C:\WINDOWS\System32\gebcd.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\System32\windows

usuwasz wpisy w hijackthis.
otwórz notatnik i wklej:

File::
C:\WINDOWS\System32\gebcd.exe

Service::
MSControlService

Plik

Zapisz jako... :arrow:

CFScript - najlepiej jeśli zapiszesz w
takiej lokalizacji, by ikona CFScript.txt znalazła się obok ikony ComboFix.exe
Przeciągnij i upuść plik CFScript.txt na plik :arrow:

ComboFix.exe

Potwierdz

zresetuje sie komputer.

Jeśli pojawi się pytanie "1 or 2" - to wpisz 1 i naciśnij ENTER. Rozpocznie się proces usuwania.

Daj nowe logi z Combofix oraz Hijackthis.

**Posty:** 69 · przez **Fingfolin** 18 Sty 2008, 13:04

szit wszystko sie usuneło ale przybyło kilka niepokojących wpisów

ComboFix 08-01-18.4 - OLWE 2008-01-18 11:54:12.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1250.1.1045.18.1520 [GMT 1:00]
Running from: C:\Documents and Settings\OLWE.OLWE-APBH11O87F\Pulpit\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Moje dokumenty\pos980.tmp
.
..
...
C:\Documents and Settings\OLWE.OLWE-APBH11O87F\Moje dokumenty\pos3E7.tmp
.
..
...
C:\posFD.tmp
C:\posFE.tmp
C:\posFF.tmp
C:\Program Files\ATI Technologies\ATI.ACE\CLIStart .exe
C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe
C:\Program Files\Common Files\Ahead\Lib\NeroCheck .exe
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor .exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor .exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel .exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel .exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\DAEMON Tools Pro\DTProAgent .exe
C:\Program Files\DAEMON Tools Pro\DTProAgent.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs .exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Nero\Nero 7\InCD\NBHGui .exe
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\system32\ctfmon .exe
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\dcbeg.ini
C:\WINDOWS\system32\dcbeg.ini2
C:\WINDOWS\system32\gebcd.dll
C:\WINDOWS\system32\gebcd.exe
C:\WINDOWS\system32\hmmfhogs.ini
C:\WINDOWS\system32\RCX1E.tmp
C:\WINDOWS\system32\vionqvkm.ini

Kod: Zaznacz wszystko
<pre> C:\Program Files\ATI Technologies\ATI.ACE\CLIStart .exe ---> QooBox C:\Program Files\Common Files\Ahead\Lib\NeroCheck .exe ---> QooBox C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor .exe ---> QooBox C:\Program Files\Common Files\LightScribe\LightScribeControlPanel .exe ---> QooBox C:\Program Files\DAEMON Tools Pro\DTProAgent .exe ---> QooBox C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe ---> QooBox C:\Program Files\Messenger\msmsgs .exe ---> QooBox C:\Program Files\Nero\Nero 7\InCD\NBHGui .exe ---> QooBox C:\WINDOWS\system32\ctfmon .exe ---> QooBox </pre>

.
.
((((((((((((((((((((((((( Files Created from 2007-12-18 to 2008-01-18 )))))))))))))))))))))))))))))))
.

2008-01-18 11:36 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-01-18 11:36 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-01-18 11:36 . 2007-12-20 23:11 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-01-18 11:36 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-01-18 11:36 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-01-18 11:36 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-01-17 19:42 . 2008-01-17 19:43 <DIR> d-------- C:\Documents and Settings\OLWE.OLWE-APBH11O87F\Dane aplikacji\Ahead
2008-01-17 14:58 . 2008-01-18 11:36 2,020 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-17 14:50 . 2008-01-17 14:50 <DIR> d-------- C:\Documents and Settings\OLWE.OLWE-APBH11O87F\Dane aplikacji\Gadu-Gadu
2008-01-17 14:46 . 2008-01-17 14:50 <DIR> d-------- C:\Documents and Settings\OLWE.OLWE-APBH11O87F\Gadu-Gadu
2008-01-17 14:35 . 2008-01-17 14:35 <DIR> d-------- C:\Documents and Settings\OLWE.OLWE-APBH11O87F\Dane aplikacji\Talkback
2008-01-17 14:30 . 2008-01-17 15:29 <DIR> d--h----- C:\Documents and Settings\OLWE.OLWE-APBH11O87F\Ustawienia lokalne
2008-01-17 14:30 . 2008-01-17 14:30 <DIR> dr------- C:\Documents and Settings\OLWE.OLWE-APBH11O87F\Ulubione
2008-01-17 14:30 . 2007-11-14 18:13 <DIR> d--h----- C:\Documents and Settings\OLWE.OLWE-APBH11O87F\Szablony
2008-01-17 14:30 . 2008-01-18 11:53 <DIR> d-------- C:\Documents and Settings\OLWE.OLWE-APBH11O87F\Pulpit
2008-01-17 14:30 . 2008-01-18 11:55 <DIR> dr------- C:\Documents and Settings\OLWE.OLWE-APBH11O87F\Moje dokumenty
2008-01-17 14:30 . 2007-11-14 18:09 <DIR> dr------- C:\Documents and Settings\OLWE.OLWE-APBH11O87F\Menu Start
2008-01-17 14:30 . 2008-01-17 14:30 <DIR> d-------- C:\Documents and Settings\OLWE.OLWE-APBH11O87F\Dane aplikacji\ATI
2008-01-17 14:30 . 2008-01-17 19:42 <DIR> dr-h----- C:\Documents and Settings\OLWE.OLWE-APBH11O87F\Dane aplikacji
2008-01-17 14:28 . 2008-01-17 14:28 <DIR> d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Talkback
2008-01-13 12:50 . 2008-01-13 12:50 <DIR> d-------- C:\Program Files\BurnAware Free Edition
2008-01-13 12:50 . 2008-01-13 12:50 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\{732094A9-8D45-41EB-B8CC-4EBAADD7808E}
2008-01-12 21:28 . 2006-11-07 14:58 356,352 --a------ C:\WINDOWS\system32\nvunrm.exe
2008-01-12 21:28 . 2006-10-05 16:35 356,352 --a------ C:\WINDOWS\system32\nvuide.exe
2008-01-12 21:28 . 2006-06-07 18:49 208,896 --a------ C:\WINDOWS\system32\nvusmb.exe
2008-01-12 21:28 . 2006-10-19 09:36 3,903 --a------ C:\WINDOWS\system32\nvnrm.nvu
2008-01-12 21:28 . 2006-06-01 14:32 1,864 --a------ C:\WINDOWS\system32\nvsmb.nvu
2008-01-12 21:28 . 2006-09-11 15:14 1,570 --a------ C:\WINDOWS\system32\nvide.nvu
2008-01-12 21:28 . 2006-10-05 13:07 1,428 --a------ C:\WINDOWS\system32\drivers\nvphy.bin
2008-01-11 22:55 . 2008-01-11 22:55 262,144 --a------ C:\WINDOWS\system32\wrap_oal.dll
2008-01-11 22:55 . 2008-01-11 22:55 86,016 --a------ C:\WINDOWS\system32\OpenAL32.dll
2008-01-11 22:54 . 2008-01-11 22:54 <DIR> d-------- C:\WINDOWS\system32\Futuremark
2008-01-11 22:54 . 2004-10-25 20:02 21,664 --a------ C:\WINDOWS\system32\drivers\Entech.sys
2008-01-11 22:54 . 1999-11-02 10:01 6,173 --a------ C:\WINDOWS\system32\drivers\Entech.vxd
2008-01-11 22:54 . 2004-06-22 15:44 5,632 --a------ C:\WINDOWS\system32\drivers\Entech64.sys
2008-01-11 22:54 . 2001-11-19 19:05 3,972 --a------ C:\WINDOWS\system32\drivers\PciBus.sys
2008-01-10 20:01 . 2008-01-10 20:01 <DIR> d-------- C:\Program Files\SAGEM WiFi manager
2008-01-10 20:01 . 2007-01-16 13:52 20,608 --a------ C:\WINDOWS\system32\drivers\BRGSp50.sys
2008-01-10 20:01 . 2007-01-16 13:52 17,664 --a------ C:\WINDOWS\system32\drivers\ZDPSp50.sys
2008-01-10 20:00 . 2007-01-10 10:14 450,560 --a------ C:\WINDOWS\system32\drivers\WlanBZXP.sys
2008-01-10 18:59 . 2008-01-10 18:59 <DIR> d-------- C:\WINDOWS\LogFiles
2008-01-09 19:10 . 2008-01-09 19:10 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Azureus
2008-01-08 20:08 . 2008-01-10 18:51 <DIR> d-------- C:\Program Files\RivaTuner v2.06
2008-01-06 13:21 . 2008-01-12 19:50 23 --a------ C:\WINDOWS\BlendSettings.ini
2007-12-31 14:45 . 2007-12-31 14:45 <DIR> d-------- C:\Fraps
2007-12-29 19:50 . 2007-12-29 19:50 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Tages
2007-12-29 16:41 . 2007-12-29 16:41 <DIR> d-------- C:\Program Files\MagicISO
2007-12-27 14:51 . 2007-12-27 14:52 <DIR> d-------- C:\WINDOWS\speech
2007-12-27 14:51 . 2007-12-27 14:52 <DIR> d-------- C:\Program Files\ivo
2007-12-25 23:51 . 2008-01-05 10:56 278 --a------ C:\WINDOWS\system32\temp_0000_85-20.aok
2007-12-25 23:50 . 2008-01-05 10:55 128 --a------ C:\WINDOWS\system32\test.aok
2007-12-25 19:06 . 2007-12-25 19:06 <DIR> d-------- C:\Program Files\Ultra MP4 Video Converter
2007-12-25 19:06 . 2004-01-11 08:02 258,048 --a------ C:\WINDOWS\system32\GplMpgDec.ax
2007-12-25 19:06 . 2007-04-12 14:19 129,024 --a------ C:\WINDOWS\system32\AVERM.dll
2007-12-25 19:06 . 2006-09-26 13:57 28,672 --a------ C:\WINDOWS\system32\AVEQT.dll
2007-12-25 18:58 . 2007-12-25 18:58 <DIR> d-------- C:\Program Files\NCH Software
2007-12-25 18:58 . 2007-12-25 18:58 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\NCH Software
2007-12-25 15:29 . 2007-12-25 15:29 <DIR> d-------- C:\Program Files\Oxygen Software
2007-12-24 22:28 . 2006-05-03 22:53 174,592 --a------ C:\WINDOWS\system32\framedyn.dll
2007-12-24 22:26 . 2007-12-24 22:26 <DIR> d-------- C:\WINDOWS\system32\Samsung_USB_Drivers
2007-12-24 22:26 . 2007-12-24 22:26 <DIR> d-------- C:\Program Files\Samsung
2007-12-24 22:26 . 2007-05-02 11:12 109,704 --a------ C:\WINDOWS\system32\drivers\ssm_mdm.sys
2007-12-24 22:26 . 2007-05-02 11:12 83,592 --a------ C:\WINDOWS\system32\drivers\ssm_bus.sys
2007-12-24 22:26 . 2007-05-02 11:12 15,112 --a------ C:\WINDOWS\system32\drivers\ssm_mdfl.sys
2007-12-24 22:26 . 2007-05-02 11:12 12,424 --a------ C:\WINDOWS\system32\drivers\ssm_whnt.sys
2007-12-24 22:26 . 2007-05-02 11:12 12,424 --a------ C:\WINDOWS\system32\drivers\ssm_wh.sys
2007-12-24 22:26 . 2007-05-02 11:12 12,424 --a------ C:\WINDOWS\system32\drivers\ssm_cmnt.sys
2007-12-24 22:26 . 2007-05-02 11:12 12,424 --a------ C:\WINDOWS\system32\drivers\ssm_cm.sys
2007-12-24 22:26 . 2006-07-24 16:05 5,632 --a------ C:\WINDOWS\system32\drivers\StarOpen.sys
2007-12-24 22:26 . 2005-08-28 20:51 766 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-12-24 22:25 . 2007-12-24 22:38 <DIR> d-------- C:\Program Files\Common Files\Adobe
2007-12-20 18:12 . 2007-12-20 18:12 <DIR> d-------- C:\Program Files\Microids
2007-12-20 17:59 . 2000-10-25 17:09 139,264 --a------ C:\WINDOWS\system32\fsgscom.dll
2007-12-19 22:52 . 2008-01-06 20:46 <DIR> d-------- C:\Program Files\ConnectionServices
2007-12-19 14:53 . 2007-12-27 19:17 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-19 14:53 . 2007-12-19 14:53 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-18 10:55 --------- d-----w C:\Program Files\QuickTime
2008-01-18 10:55 --------- d-----w C:\Program Files\DAEMON Tools Pro
2008-01-18 10:55 --------- d-----w C:\Program Files\Common Files\LightScribe
2008-01-14 18:32 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-13 21:08 --------- d-----w C:\Program Files\Codec Pack - All In 1
2008-01-12 20:23 --------- d-----w C:\Program Files\Winamp
2008-01-08 19:07 --------- d-----w C:\Program Files\ATITool
2007-12-30 22:37 --------- d-----w C:\Program Files\IDoser v4
2007-12-25 23:18 --------- d-----w C:\Program Files\NAPI-PROJEKT
2007-12-16 12:23 --------- d-----w C:\Program Files\Real Alternative
2007-12-16 12:00 --------- d-----w C:\Program Files\SAGEM
2007-12-14 21:40 --------- d-----w C:\Program Files\Ape Ripper
2007-12-11 15:16 --------- d-----w C:\Program Files\Simplestutils
2007-12-06 18:35 --------- d-----w C:\Program Files\DVDVideoSoft
2007-12-06 18:35 --------- d-----w C:\Program Files\Common Files\DVDVideoSoft
2007-12-06 16:42 --------- d-----w C:\Program Files\WinAVIVideoConverter
2007-12-06 16:15 --------- d-----w C:\Program Files\Xilisoft
2007-12-05 18:05 --------- d-----w C:\Program Files\NCH Swift Sound
2007-12-05 18:05 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\NCH Swift Sound
2007-12-04 18:16 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\LightScribe
2007-12-04 15:03 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\MSN6
2007-12-03 20:18 23,600 ----a-w C:\WINDOWS\system32\drivers\TVICHW32.SYS
2007-12-03 16:17 --------- d-----w C:\Program Files\iPod
2007-12-03 16:17 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Apple Computer
2007-12-03 16:16 --------- d-----w C:\Program Files\Apple Software Update
2007-12-03 16:16 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Apple
2007-12-01 12:50 --------- d-----w C:\Program Files\Trend Micro
2007-11-24 19:33 737,280 ----a-w C:\WINDOWS\iun6002.exe
2007-11-21 18:23 81,920 ----a-w C:\WINDOWS\system32\frapsvid.dll
2007-11-19 20:22 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\DAEMON Tools Pro
2007-11-19 20:11 --------- d-----w C:\Program Files\RarZilla Free Unrar
2007-11-19 19:51 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-11-19 15:04 278,984 ----a-w C:\WINDOWS\system32\drivers\atksgt.sys
2007-11-19 15:04 25,416 ----a-w C:\WINDOWS\system32\drivers\lirsgt.sys
2007-11-14 17:22 315,392 ----a-w C:\WINDOWS\HideWin.exe
2007-11-14 17:15 558,142 ----a-w C:\WINDOWS\java\Packages\ZXZPN5BX.ZIP
2007-11-14 17:15 155,995 ----a-w C:\WINDOWS\java\Packages\3DN1NRVB.ZIP
.
Kod: Zaznacz wszystko
<pre> ----a-w 1,057,328 2008-01-17 13:34:54 C:\Program Files\Nero\Nero 7\InCD\InCD .exe </pre>

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{92860A02-4D69-48c1-82D7-EF6B2C609502}]
2007-10-24 18:28 73728 --a------ C:\Program Files\BitAccelerator\BitAccelerator.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c99f40d5-deeb-4f2a-bc05-a6f20ab90833}]
C:\WINDOWS\System32\vhwcjegs.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2002-09-28 23:00 13312]
"LightScribe Control Panel"="C:\Program Files\Common Files\LightScribe\LightScribeControlPanel .exe" [ ]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor .exe" [ ]
"Gadu-Gadu"="E:\Gadu-Gadu\gg.exe" [2007-07-09 08:39 2119104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [ ]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [ ]
"SecurDisc"="C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe" [ ]
"InCD"="C:\Program Files\Nero\Nero 7\InCD\InCD.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask .exe" [ ]
"iTunesHelper"="E:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 13:11 267048]
"WinampAgent"="C:\Program Files\Winamp\wianmpa.exe" [ ]
"dc40337d"="C:\WINDOWS\System32\mkvqnoiv.dll" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-09-28 23:00 13312]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
Program sieciowy dla SAGEM Wi-Fi 11g USB adapter.lnk - C:\Program Files\SAGEM WiFi manager\WLANUTL.exe [2008-01-10 20:01:39]

R1 atitray;atitray;F:\ATI Tray Tools\atitray.sys [2007-05-22 10:04]
R3 SG762_XP;SAGEM 802.11g XG762 1211B Driver;C:\WINDOWS\System32\DRIVERS\WlanBZXP.sys [2007-01-10 10:14]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;C:\Documents and Settings\OLWE\Pulpit\Everest Ultimate Edition 2007\kerneld.wnt [2007-04-05 00:00]
S3 ZDCndis5;ZDCndis5 Protocol Driver;C:\WINDOWS\System32\ZDCndis5.SYS []

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder
"2008-01-12 19:35:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-18 11:57:31
Windows 5.1.2600 Dodatek Service Pack. 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-18 11:58:09 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-18 10:58:07
ComboFix2.txt 2007-12-02 17:03:01

musiałem obciąc loga o tysiące plików tmp, nie wiem wogóle co to jest i skąd się wzieło :roll:

Kod: Zaznacz wszystko: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 12:09:19, on 2008-01-18 Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\Ati2evxx.exe C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe C:\WINDOWS\Explorer.EXE E:\Program Files\iTunes\iTunesHelper.exe C:\WINDOWS\System32\ctfmon.exe E:\Gadu-Gadu\gg.exe C:\Program Files\SAGEM WiFi manager\WLANUTL.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\system32\notepad.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe C:\WINDOWS\system32\NOTEPAD.EXE R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O2 - BHO: BitAccelerator module - {92860A02-4D69-48c1-82D7-EF6B2C609502} - C:\Program Files\BitAccelerator\BitAccelerator.dll O2 - BHO: {33809ba0-2f6a-50cb-a2f4-beed5d04f99c} - {c99f40d5-deeb-4f2a-bc05-a6f20ab90833} - C:\WINDOWS\System32\vhwcjegs.dll (file missing) O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\wianmpa.exe O4 - HKLM\..\Run: [dc40337d] rundll32.exe "C:\WINDOWS\System32\mkvqnoiv.dll",b O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel .exe -hidden O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor .exe" O4 - HKCU\..\Run: [Gadu-Gadu] "E:\Gadu-Gadu\gg.exe" /tray O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA SIECIOWA') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user') O4 - Global Startup: Program sieciowy dla SAGEM Wi-Fi 11g USB adapter.lnk = ? O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe O23 - Service: Usługa iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe -- End of file - 4664 bytes

**Posty:** 65 · przez **Avenger** 18 Sty 2008, 15:40

Do wykonania w trybie awaryjnym i wyłączonym przywracaniem systemu:

Otwórz notatnik i wklej w nim to:

file::

C:\WINDOWS\System32\vhwcjegs.dll
C:\WINDOWS\System32\mkvqnoiv.dll

folder::

C:\Program Files\BitAccelerator

registry

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{92860A02-4D69-48c1-82D7-EF6B2C609502}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c99f40d5-deeb-4f2a-bc05-a6f20ab90833}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dc40337d"=-

plik>zapisz jako...>zmień rozszerzenie na: wszystkie pliki>zapisz pod nazwą CFScript. Przenieś plik CFScript na ikonkę Combofixa i rozpocznie się proces usuwania podczas którego może wystąpić reset komputera.

O2 - BHO: BitAccelerator module - {92860A02-4D69-48c1-82D7-EF6B2C609502} - C:\Program Files\BitAccelerator\BitAccelerator.dll
O2 - BHO: {33809ba0-2f6a-50cb-a2f4-beed5d04f99c} - {c99f40d5-deeb-4f2a-bc05-a6f20ab90833} - C:\WINDOWS\System32\vhwcjegs.dll (file missing)
O4 - HKLM\..\Run: [dc40337d] rundll32.exe "C:\WINDOWS\System32\mkvqnoiv.dll",b

Skasuj te wpisy hijackiem

Po zabiegach dajesz nowe logi

Autor postu otrzymał pochwałę

**Posty:** 69 · przez **Fingfolin** 18 Sty 2008, 17:33

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:32:30, on 2008-01-18
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
E:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SAGEM WiFi manager\WLANUTL.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\wianmpa.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel .exe -hidden
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor .exe"
O4 - HKCU\..\Run: [Gadu-Gadu] "E:\Gadu-Gadu\gg.exe" /tray
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Program sieciowy dla SAGEM Wi-Fi 11g USB adapter.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: Usługa iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 4167 bytes

**Posty:** 65 · przez **Avenger** 18 Sty 2008, 18:13

Poproszę jeszcze o log z Combofixa

**Posty:** 3854 · przez **Dzi@dek** 18 Sty 2008, 19:59

Otwórz notatnik w wklej:

Kod: Zaznacz wszystko: Registry:: [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{92860A02-4D69-48c1-82D7-EF6B2C609502}] [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c99f40d5-deeb-4f2a-bc05-a6f20ab90833}] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "dc40337d"=-

Plik

Zapisz jako... :arrow:

CFScript - najlepiej jeśli zapiszesz w
takiej lokalizacji, by ikona CFScript.txt znalazła się obok ikony ComboFix.exe
Przeciągnij i upuść plik CFScript.txt na plik :arrow:

ComboFix.exe

Potwierdz

zresetuje sie komputer.

Jeśli pojawi się pytanie "1 or 2" - to wpisz 1 i naciśnij ENTER. Rozpocznie się proces usuwania.

Daj nowe logi z Combofix oraz Hijackthis.

Autor postu otrzymał pochwałę

**Posty:** 69 · przez **Fingfolin** 18 Sty 2008, 20:43

ComboFix 08-01-18.4 - OLWE 2008-01-18 19:45:48.12 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1250.1.1045.18.1579 [GMT 1:00]
Running from: C:\Documents and Settings\OLWE.OLWE-APBH11O87F\Pulpit\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2007-12-18 to 2008-01-18 )))))))))))))))))))))))))))))))
.

2008-01-18 17:52 . 2008-01-18 17:52 <DIR> d-------- C:\Program Files\Skype
2008-01-18 17:52 . 2008-01-18 17:52 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-01-18 17:52 . 2008-01-18 17:55 <DIR> d-------- C:\Documents and Settings\OLWE.OLWE-APBH11O87F\Dane aplikacji\Skype
2008-01-18 17:52 . 2008-01-18 17:52 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Skype
2008-01-18 15:45 . 2008-01-18 15:45 1,443 --a------ C:\Documents and Settings\OLWE.OLWE-APBH11O87F\Creg.dat
2008-01-18 15:45 . 2008-01-18 15:45 0 --a------ C:\Documents and Settings\OLWE.OLWE-APBH11O87F\snapshot.00.dat
2008-01-18 11:36 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-01-18 11:36 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-01-18 11:36 . 2007-12-20 23:11 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-01-18 11:36 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-01-18 11:36 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-01-18 11:36 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-01-17 19:42 . 2008-01-17 19:43 <DIR> d-------- C:\Documents and Settings\OLWE.OLWE-APBH11O87F\Dane aplikacji\Ahead
2008-01-17 14:58 . 2008-01-18 11:36 2,020 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-17 14:50 . 2008-01-17 14:50 <DIR> d-------- C:\Documents and Settings\OLWE.OLWE-APBH11O87F\Dane aplikacji\Gadu-Gadu
2008-01-17 14:46 . 2008-01-17 14:50 <DIR> d-------- C:\Documents and Settings\OLWE.OLWE-APBH11O87F\Gadu-Gadu
2008-01-17 14:35 . 2008-01-17 14:35 <DIR> d-------- C:\Documents and Settings\OLWE.OLWE-APBH11O87F\Dane aplikacji\Talkback
2008-01-17 14:30 . 2008-01-18 19:42 <DIR> d--h----- C:\Documents and Settings\OLWE.OLWE-APBH11O87F\Ustawienia lokalne
2008-01-17 14:30 . 2008-01-17 14:30 <DIR> dr------- C:\Documents and Settings\OLWE.OLWE-APBH11O87F\Ulubione
2008-01-17 14:30 . 2007-11-14 18:13 <DIR> d--h----- C:\Documents and Settings\OLWE.OLWE-APBH11O87F\Szablony
2008-01-17 14:30 . 2008-01-18 19:45 <DIR> d-------- C:\Documents and Settings\OLWE.OLWE-APBH11O87F\Pulpit
2008-01-17 14:30 . 2008-01-18 11:55 <DIR> dr------- C:\Documents and Settings\OLWE.OLWE-APBH11O87F\Moje dokumenty
2008-01-17 14:30 . 2007-11-14 18:09 <DIR> dr------- C:\Documents and Settings\OLWE.OLWE-APBH11O87F\Menu Start
2008-01-17 14:30 . 2008-01-17 14:30 <DIR> d-------- C:\Documents and Settings\OLWE.OLWE-APBH11O87F\Dane aplikacji\ATI
2008-01-17 14:30 . 2008-01-18 17:52 <DIR> dr-h----- C:\Documents and Settings\OLWE.OLWE-APBH11O87F\Dane aplikacji
2008-01-17 14:28 . 2008-01-17 14:28 <DIR> d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Talkback
2008-01-13 12:50 . 2008-01-13 12:50 <DIR> d-------- C:\Program Files\BurnAware Free Edition
2008-01-13 12:50 . 2008-01-13 12:50 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\{732094A9-8D45-41EB-B8CC-4EBAADD7808E}
2008-01-12 21:28 . 2006-11-07 14:58 356,352 --a------ C:\WINDOWS\system32\nvunrm.exe
2008-01-12 21:28 . 2006-10-05 16:35 356,352 --a------ C:\WINDOWS\system32\nvuide.exe
2008-01-12 21:28 . 2006-06-07 18:49 208,896 --a------ C:\WINDOWS\system32\nvusmb.exe
2008-01-12 21:28 . 2006-10-19 09:36 3,903 --a------ C:\WINDOWS\system32\nvnrm.nvu
2008-01-12 21:28 . 2006-06-01 14:32 1,864 --a------ C:\WINDOWS\system32\nvsmb.nvu
2008-01-12 21:28 . 2006-09-11 15:14 1,570 --a------ C:\WINDOWS\system32\nvide.nvu
2008-01-12 21:28 . 2006-10-05 13:07 1,428 --a------ C:\WINDOWS\system32\drivers\nvphy.bin
2008-01-11 22:55 . 2008-01-11 22:55 262,144 --a------ C:\WINDOWS\system32\wrap_oal.dll
2008-01-11 22:55 . 2008-01-11 22:55 86,016 --a------ C:\WINDOWS\system32\OpenAL32.dll
2008-01-11 22:54 . 2008-01-11 22:54 <DIR> d-------- C:\WINDOWS\system32\Futuremark
2008-01-11 22:54 . 2004-10-25 20:02 21,664 --a------ C:\WINDOWS\system32\drivers\Entech.sys
2008-01-11 22:54 . 1999-11-02 10:01 6,173 --a------ C:\WINDOWS\system32\drivers\Entech.vxd
2008-01-11 22:54 . 2004-06-22 15:44 5,632 --a------ C:\WINDOWS\system32\drivers\Entech64.sys
2008-01-11 22:54 . 2001-11-19 19:05 3,972 --a------ C:\WINDOWS\system32\drivers\PciBus.sys
2008-01-10 20:01 . 2008-01-10 20:01 <DIR> d-------- C:\Program Files\SAGEM WiFi manager
2008-01-10 20:01 . 2007-01-16 13:52 20,608 --a------ C:\WINDOWS\system32\drivers\BRGSp50.sys
2008-01-10 20:01 . 2007-01-16 13:52 17,664 --a------ C:\WINDOWS\system32\drivers\ZDPSp50.sys
2008-01-10 20:00 . 2007-01-10 10:14 450,560 --a------ C:\WINDOWS\system32\drivers\WlanBZXP.sys
2008-01-10 18:59 . 2008-01-10 18:59 <DIR> d-------- C:\WINDOWS\LogFiles
2008-01-09 19:10 . 2008-01-09 19:10 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Azureus
2008-01-08 20:08 . 2008-01-10 18:51 <DIR> d-------- C:\Program Files\RivaTuner v2.06
2008-01-06 13:21 . 2008-01-12 19:50 23 --a------ C:\WINDOWS\BlendSettings.ini
2007-12-31 14:45 . 2007-12-31 14:45 <DIR> d-------- C:\Fraps
2007-12-29 19:50 . 2007-12-29 19:50 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Tages
2007-12-29 16:41 . 2007-12-29 16:41 <DIR> d-------- C:\Program Files\MagicISO
2007-12-27 14:51 . 2007-12-27 14:52 <DIR> d-------- C:\WINDOWS\speech
2007-12-27 14:51 . 2007-12-27 14:52 <DIR> d-------- C:\Program Files\ivo
2007-12-25 23:51 . 2008-01-05 10:56 278 --a------ C:\WINDOWS\system32\temp_0000_85-20.aok
2007-12-25 23:50 . 2008-01-05 10:55 128 --a------ C:\WINDOWS\system32\test.aok
2007-12-25 19:06 . 2007-12-25 19:06 <DIR> d-------- C:\Program Files\Ultra MP4 Video Converter
2007-12-25 19:06 . 2004-01-11 08:02 258,048 --a------ C:\WINDOWS\system32\GplMpgDec.ax
2007-12-25 19:06 . 2007-04-12 14:19 129,024 --a------ C:\WINDOWS\system32\AVERM.dll
2007-12-25 19:06 . 2006-09-26 13:57 28,672 --a------ C:\WINDOWS\system32\AVEQT.dll
2007-12-25 18:58 . 2007-12-25 18:58 <DIR> d-------- C:\Program Files\NCH Software
2007-12-25 18:58 . 2007-12-25 18:58 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\NCH Software
2007-12-25 15:29 . 2007-12-25 15:29 <DIR> d-------- C:\Program Files\Oxygen Software
2007-12-24 22:28 . 2006-05-03 22:53 174,592 --a------ C:\WINDOWS\system32\framedyn.dll
2007-12-24 22:26 . 2007-12-24 22:26 <DIR> d-------- C:\WINDOWS\system32\Samsung_USB_Drivers
2007-12-24 22:26 . 2007-12-24 22:26 <DIR> d-------- C:\Program Files\Samsung
2007-12-24 22:26 . 2007-05-02 11:12 109,704 --a------ C:\WINDOWS\system32\drivers\ssm_mdm.sys
2007-12-24 22:26 . 2007-05-02 11:12 83,592 --a------ C:\WINDOWS\system32\drivers\ssm_bus.sys
2007-12-24 22:26 . 2007-05-02 11:12 15,112 --a------ C:\WINDOWS\system32\drivers\ssm_mdfl.sys
2007-12-24 22:26 . 2007-05-02 11:12 12,424 --a------ C:\WINDOWS\system32\drivers\ssm_whnt.sys
2007-12-24 22:26 . 2007-05-02 11:12 12,424 --a------ C:\WINDOWS\system32\drivers\ssm_wh.sys
2007-12-24 22:26 . 2007-05-02 11:12 12,424 --a------ C:\WINDOWS\system32\drivers\ssm_cmnt.sys
2007-12-24 22:26 . 2007-05-02 11:12 12,424 --a------ C:\WINDOWS\system32\drivers\ssm_cm.sys
2007-12-24 22:26 . 2006-07-24 16:05 5,632 --a------ C:\WINDOWS\system32\drivers\StarOpen.sys
2007-12-24 22:26 . 2005-08-28 20:51 766 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-12-24 22:25 . 2007-12-24 22:38 <DIR> d-------- C:\Program Files\Common Files\Adobe
2007-12-20 18:12 . 2007-12-20 18:12 <DIR> d-------- C:\Program Files\Microids
2007-12-20 17:59 . 2000-10-25 17:09 139,264 --a------ C:\WINDOWS\system32\fsgscom.dll
2007-12-19 22:52 . 2008-01-06 20:46 <DIR> d-------- C:\Program Files\ConnectionServices
2007-12-19 14:53 . 2007-12-27 19:17 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-19 14:53 . 2007-12-19 14:53 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-18 10:55 --------- d-----w C:\Program Files\QuickTime
2008-01-18 10:55 --------- d-----w C:\Program Files\DAEMON Tools Pro
2008-01-18 10:55 --------- d-----w C:\Program Files\Common Files\LightScribe
2008-01-14 18:32 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-13 21:08 --------- d-----w C:\Program Files\Codec Pack - All In 1
2008-01-12 20:23 --------- d-----w C:\Program Files\Winamp
2008-01-08 19:07 --------- d-----w C:\Program Files\ATITool
2007-12-30 22:37 --------- d-----w C:\Program Files\IDoser v4
2007-12-25 23:18 --------- d-----w C:\Program Files\NAPI-PROJEKT
2007-12-16 12:23 --------- d-----w C:\Program Files\Real Alternative
2007-12-16 12:00 --------- d-----w C:\Program Files\SAGEM
2007-12-14 21:40 --------- d-----w C:\Program Files\Ape Ripper
2007-12-11 15:16 --------- d-----w C:\Program Files\Simplestutils
2007-12-06 18:35 --------- d-----w C:\Program Files\DVDVideoSoft
2007-12-06 18:35 --------- d-----w C:\Program Files\Common Files\DVDVideoSoft
2007-12-06 16:42 --------- d-----w C:\Program Files\WinAVIVideoConverter
2007-12-06 16:15 --------- d-----w C:\Program Files\Xilisoft
2007-12-05 18:05 --------- d-----w C:\Program Files\NCH Swift Sound
2007-12-05 18:05 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\NCH Swift Sound
2007-12-04 18:16 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\LightScribe
2007-12-04 15:03 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\MSN6
2007-12-03 20:18 23,600 ----a-w C:\WINDOWS\system32\drivers\TVICHW32.SYS
2007-12-03 16:17 --------- d-----w C:\Program Files\iPod
2007-12-03 16:17 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Apple Computer
2007-12-03 16:16 --------- d-----w C:\Program Files\Apple Software Update
2007-12-03 16:16 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Apple
2007-12-01 12:50 --------- d-----w C:\Program Files\Trend Micro
2007-11-24 19:33 737,280 ----a-w C:\WINDOWS\iun6002.exe
2007-11-21 18:23 81,920 ----a-w C:\WINDOWS\system32\frapsvid.dll
2007-11-19 20:22 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\DAEMON Tools Pro
2007-11-19 20:11 --------- d-----w C:\Program Files\RarZilla Free Unrar
2007-11-19 19:51 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-11-19 15:04 278,984 ----a-w C:\WINDOWS\system32\drivers\atksgt.sys
2007-11-19 15:04 25,416 ----a-w C:\WINDOWS\system32\drivers\lirsgt.sys
2007-11-14 17:22 315,392 ----a-w C:\WINDOWS\HideWin.exe
2007-11-14 17:15 558,142 ----a-w C:\WINDOWS\java\Packages\ZXZPN5BX.ZIP
2007-11-14 17:15 155,995 ----a-w C:\WINDOWS\java\Packages\3DN1NRVB.ZIP
.
Kod: Zaznacz wszystko
<pre> ----a-w 1,057,328 2008-01-17 13:34:54 C:\Program Files\Nero\Nero 7\InCD\InCD .exe </pre>

((((((((((((((((((((((((((((( snapshot@2008-01-18_11.57.59.01 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-18 10:54:08 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-18 18:45:21 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-18 10:54:08 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-18 18:45:21 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-18 10:54:08 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-18 18:45:21 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-18 10:54:08 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-18 18:45:21 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-18 10:54:08 798,720 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-18 18:45:21 1,134,592 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-18 10:54:08 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-18 18:45:21 147,456 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2002-09-28 23:00 13312]
"LightScribe Control Panel"="C:\Program Files\Common Files\LightScribe\LightScribeControlPanel .exe" [ ]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor .exe" [ ]
"Gadu-Gadu"="E:\Gadu-Gadu\gg.exe" [2007-07-09 08:39 2119104]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-12-07 15:11 21803304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [ ]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [ ]
"SecurDisc"="C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe" [ ]
"InCD"="C:\Program Files\Nero\Nero 7\InCD\InCD.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask .exe" [ ]
"iTunesHelper"="E:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 13:11 267048]
"WinampAgent"="C:\Program Files\Winamp\wianmpa.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-09-28 23:00 13312]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
Program sieciowy dla SAGEM Wi-Fi 11g USB adapter.lnk - C:\Program Files\SAGEM WiFi manager\WLANUTL.exe [2008-01-10 20:01:39]

R1 atitray;atitray;F:\ATI Tray Tools\atitray.sys [2007-05-22 10:04]
R3 SG762_XP;SAGEM 802.11g XG762 1211B Driver;C:\WINDOWS\System32\DRIVERS\WlanBZXP.sys [2007-01-10 10:14]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;C:\Documents and Settings\OLWE\Pulpit\Everest Ultimate Edition 2007\kerneld.wnt [2007-04-05 00:00]
S3 ZDCndis5;ZDCndis5 Protocol Driver;C:\WINDOWS\System32\ZDCndis5.SYS []

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder
"2008-01-12 19:35:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-18 19:46:02
Windows 5.1.2600 Dodatek Service Pack. 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-18 19:46:12
ComboFix-quarantined-files.txt 2008-01-18 18:46:11
ComboFix2.txt 2008-01-18 18:42:31
ComboFix3.txt 2008-01-18 15:26:33
ComboFix4.txt 2008-01-18 15:25:15
ComboFix5.txt 2008-01-18 15:23:30

Kod: Zaznacz wszystko: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 19:46:54, on 2008-01-18 Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\Ati2evxx.exe C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe E:\Program Files\iTunes\iTunesHelper.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\SAGEM WiFi manager\WLANUTL.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Mozilla Firefox\firefox.exe E:\Gadu-Gadu\gg.exe C:\WINDOWS\System32\dplaysvr.exe C:\WINDOWS\explorer.exe C:\WINDOWS\system32\notepad.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\wianmpa.exe O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel .exe -hidden O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor .exe" O4 - HKCU\..\Run: [Gadu-Gadu] "E:\Gadu-Gadu\gg.exe" /tray O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA SIECIOWA') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user') O4 - Global Startup: Program sieciowy dla SAGEM Wi-Fi 11g USB adapter.lnk = ? O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe O23 - Service: Usługa iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe -- End of file - 4500 bytes

**Posty:** 18165 · przez **wojtas** 18 Sty 2008, 21:10

C:\Program Files\ConnectionServices

skasuj pogrubiony do kosza

Autor postu otrzymał pochwałę

**Posty:** 69 · przez **Fingfolin** 18 Sty 2008, 23:56

Bardzo dziekuje za pomoc, btw. fajny ten combofix

problem ze stabilnością systemu

problem ze stabilnością systemu

Kto jest na forum