prosze o sprawdzenie loga (problem z pulpitem)

[evane]

Witam
Mam problem z komputerem, a dokladniej z momencie wlaczania uzytkownika na chwile pojawia sie pulpit i za chwile znikaja wszystkie ikony razem z paskiem startu. Domyslam sie ze jest to wina wirusa bo ostatnio sciagnelam plik i od razu wykrylo mi wirusa, antywirus go zlikwidowal i za chwile zniknelo mi wszystko i zostala sama tapeta. Czy moglby mi ktos sprawdzic log z hijacka?
Z gory dzieki za pomoc.


Oto log :

Kod: Zaznacz wszystko

Logfile of HijackThis v1.99.1
Scan saved at 20:24:14, on 2007-12-04
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
d:\Programy\Avast4\aswUpdSv.exe
d:\Programy\Avast4\ashServ.exe
D:\Programy\Winamp\winampa.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Vtune\TBPanel.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CPUCooL\CooLSrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\taskmgr.exe
d:\Programy\Avast4\ashMaiSv.exe
d:\Programy\Avast4\ashWebSv.exe
C:\WINDOWS\System32\wuauclt.exe
D:\Programy\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/pl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://clk.tradedoubler.c...18&pools=101212
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O1 - Hosts: 216.107.242.199 l2authd.lineage2.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Little Fighter 2 Toolbar - {C11483F7-D7D8-4804-98D8-6055470BB989} - C:\Program Files\Little Fighter 2 Toolbar\v2.0.0.1\Little_Fighter_2_Toolbar.dll
O4 - HKLM\..\Run: [WinampAgent] d:\Programy\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SiSSoundMan] C:\WINDOWS\System32\SoundMan.exe
O4 - HKLM\..\Run: [SiSSetCDfmt] C:\WINDOWS\System32\SetCDfmt.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Gainward] C:\Program Files\Vtune\TBPanel.exe /A
O4 - HKLM\..\Run: [CloneCDTray] "d:\Programy\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [avast!] d:\Programy\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Programy\Gadu-Gadu\gg.exe" /tray
O4 - Global Startup: Microsoft Office.lnk = D:\Programy\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Clean Traces - D:\Programy\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - D:\Programy\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - D:\Programy\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\Programy\MICROS~1\Office10\EXCEL.EXE/3000
O16 - DPF: {5A09E43F-A0A7-4ABF-AF80-11367CF1DC8F} (MainControl Class) - http://mks.com.pl/skaner/SkanerOnline.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefend...can8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec....n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.c...b?1173052037275
O16 - DPF: {AB8638BB-79E8-4E9D-ABF2-8F33054E3941} (Guesser Class) - http://czat.onet.pl/clien...NetPunGame1.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{463FA583-F57A-4C15-A89F-7E45C4C71E12}: NameServer = 212.244.88.3,212.244.88.24
O17 - HKLM\System\CS1\Services\Tcpip\..\{463FA583-F57A-4C15-A89F-7E45C4C71E12}: NameServer = 212.244.88.3,212.244.88.24
O17 - HKLM\System\CS2\Services\Tcpip\..\{463FA583-F57A-4C15-A89F-7E45C4C71E12}: NameServer = 212.244.88.3,212.244.88.24
O17 - HKLM\System\CS3\Services\Tcpip\..\{463FA583-F57A-4C15-A89F-7E45C4C71E12}: NameServer = 212.244.88.3,212.244.88.24
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - d:\Programy\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - d:\Programy\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - d:\Programy\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - d:\Programy\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: CPUCooLServer Service (CPUCooLServer) - Unknown owner - C:\Program Files\CPUCooL\CooLSrv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - d:\Programy\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - d:\Programy\Spyware Doctor\swdsvc.exe

[Dzi@dek]

Popraw post - log prosze objąć w tagi.
Wyłącz przywracanie systemu, wejdź w tryb awaryjny.
W Hijackthis usuń wpisy:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/pl
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://clk.tradedoubler.c...18&pools=101212
O1 - Hosts: 216.107.242.199 l2authd.lineage2.com
O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)

Plik pogrubiony usuwasz ręcznie z dysku ( nie pomyl lokalizacji )

Zastosuj sie do tego tematu
http://forum.programosy.pl/bad-generic-host-process-for-win32-services-vt79489.html
oraz daj log z Combofix ( przed uzyciem zmień date na wczorajszą)

[evane]

Nie moge skasowac pliku svchost.exe recznie, bo nie ma go w folderze, a hijack go i tak wykrywa.
Zrobilam co pisalo w tym temacie, ktory podales.

Log z Combofixa:

Kod: Zaznacz wszystko

ComboFix 07-12-02.6 - xx 2007-12-04 11:23:32.2 - NTFSx86 NETWORK
Microsoft Windows XP Professional  5.1.2600.1.1250.1.1045.18.401 [GMT 1:00]
Running from: C:\Documents and Settings\xx\Pulpit\ComboFix.exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Program Files\myglobalsearch
C:\Program Files\myglobalsearch\bar\History\search
C:\WINDOWS\system32\Cfx32.lic
C:\WINDOWS\system32\cfx32.ocx

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_POWERMANAGER
-------\PowerManager




(((((((((((((((((((((((((   Files Created from 2007-11-04 to 2007-12-04  )))))))))))))))))))))))))))))))
.

2007-12-04 21:44 . 2004-05-26 21:37   719,872   --a------   C:\WINDOWS\system32\devil.dll
2007-12-04 21:44 . 2006-09-16 19:44   314,368   --a------   C:\WINDOWS\system32\avisynth.dll
2007-12-03 23:50 . 2007-12-03 23:50   <DIR>   d--------   C:\Documents and Settings\Kuba\Dane aplikacji\Lavasoft
2007-12-03 23:25 . 2007-12-04 11:29   99,381   --ahs----   C:\WINDOWS\system32\ycdgh.ini
2007-12-03 23:25 . 2007-12-04 11:29   99,216   --ahs----   C:\WINDOWS\system32\ycdgh.ini2
2007-12-03 23:24 . 2007-12-03 23:25   321,120   --a------   C:\WINDOWS\system32\hgdcy.dll
2007-12-03 23:19 . 2007-12-03 23:19   37,888   --a------   C:\WINDOWS\system32\xxyvtst.dll
2007-11-12 22:50 . 2007-11-12 22:58   <DIR>   d--h-----   C:\WINDOWS\msdownld.tmp
2007-11-12 22:45 . 2007-11-12 22:45   <DIR>   d----c---   C:\WINDOWS\system32\DRVSTORE
2007-11-12 22:42 . 2007-11-12 22:42   94,064   --a------   C:\WINDOWS\system32\drivers\k510mdm.sys
2007-11-12 22:42 . 2007-11-12 22:42   85,408   --a------   C:\WINDOWS\system32\drivers\k510mgmt.sys
2007-11-12 22:42 . 2007-11-12 22:42   83,344   --a------   C:\WINDOWS\system32\drivers\k510obex.sys
2007-11-12 22:42 . 2007-11-12 22:42   58,288   --a------   C:\WINDOWS\system32\drivers\k510bus.sys
2007-11-12 22:42 . 2007-11-12 22:42   8,336   --a------   C:\WINDOWS\system32\drivers\k510mdfl.sys
2007-11-12 22:42 . 2007-11-12 22:42   6,176   --a------   C:\WINDOWS\system32\drivers\k510cmnt.sys
2007-11-12 22:42 . 2007-11-12 22:42   6,176   --a------   C:\WINDOWS\system32\drivers\k510cm.sys
2007-11-12 22:42 . 2007-11-12 22:42   5,808   --a------   C:\WINDOWS\system32\drivers\k510whnt.sys
2007-11-12 22:42 . 2007-11-12 22:42   5,808   --a------   C:\WINDOWS\system32\drivers\k510wh.sys

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-03 23:58   ---------   d---a-w   C:\Documents and Settings\All Users\Dane aplikacji\TEMP
2007-11-03 19:21   49,496   -c--a-w   C:\Documents and Settings\j\Dane aplikacji\GDIPFONTCACHEV1.DAT
2007-11-01 23:48   ---------   d-----w   C:\Documents and Settings\xx\Dane aplikacji\teamspeak2
2007-11-01 23:14   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
2007-11-01 23:08   ---------   d-----w   C:\Documents and Settings\xx\Dane aplikacji\InstallShield
2007-10-29 19:00   ---------   d-----w   C:\Documents and Settings\xx\Dane aplikacji\Skype
2007-06-11 13:49   19,944   ----a-w   C:\Documents and Settings\xx\Dane aplikacji\GDIPFONTCACHEV1.DAT
2006-07-20 12:36   56   -csh--r   C:\WINDOWS\system32\13BE995964.sys
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{09BBDCEC-5F86-4250-A87A-D52A0F1D692A}]
2007-12-03 23:25   321120   --a------   C:\WINDOWS\System32\hgdcy.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FED51DF2-9644-4C58-9104-90244EDD6EEC}]
2007-12-03 23:19   37888   --a------   C:\WINDOWS\System32\xxyvtst.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-09-20 18:05]
"Gadu-Gadu"="D:\Programy\Gadu-Gadu\gg.exe" [2006-02-13 12:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinampAgent"="d:\Programy\Winamp\winampa.exe" [2006-11-21 18:38]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 12:03]
"SiSSoundMan"="C:\WINDOWS\System32\SoundMan.exe" [2000-12-18 06:40]
"SiSSetCDfmt"="C:\WINDOWS\System32\SetCDfmt.exe" [2001-07-26 04:52]
"nwiz"="nwiz.exe" [2006-03-09 14:29 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2001-10-26 16:30 C:\WINDOWS\system32\rundll32.exe]
"NvCplDaemon"="RUNDLL32.exe" [2001-10-26 16:30 C:\WINDOWS\system32\rundll32.exe]
"Gainward"="C:\Program Files\Vtune\TBPanel.exe" [2006-09-13 09:16]
"CloneCDTray"="d:\Programy\CloneCD\CloneCDTray.exe" [2004-12-27 20:14]
"avast!"="d:\Programy\Avast4\ashDisp.exe" [2007-09-06 11:06]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-09-20 18:05]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
Microsoft Office.lnk - D:\Programy\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{FED51DF2-9644-4C58-9104-90244EDD6EEC}"= C:\WINDOWS\System32\xxyvtst.dll [2007-12-03 23:19 37888]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyvtst]
xxyvtst.dll 2007-12-03 23:19 37888 C:\WINDOWS\system32\xxyvtst.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages   REG_MULTI_SZ      msv1_0 C:\WINDOWS\System32\hgdcy.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

S3 k510bus;Sony Ericsson K510 Driver driver (WDM);C:\WINDOWS\System32\DRIVERS\k510bus.sys
S3 k510mdfl;Sony Ericsson K510 USB WMC Modem Filter;C:\WINDOWS\System32\DRIVERS\k510mdfl.sys
S3 k510mdm;Sony Ericsson K510 USB WMC Modem Driver;C:\WINDOWS\System32\DRIVERS\k510mdm.sys
S3 k510mgmt;Sony Ericsson K510 USB WMC Device Management Drivers (WDM);C:\WINDOWS\System32\DRIVERS\k510mgmt.sys
S3 k510obex;Sony Ericsson K510 USB WMC OBEX Interface;C:\WINDOWS\System32\DRIVERS\k510obex.sys
S3 RivaTuner32;RivaTuner32;\??\d:\Programy\RivaTuner v2.0 Final Release\RivaTuner32.sys
S3 RivaTunerEx;RivaTunerEx;\??\D:\Programy\RivaTuner\RivaTunerEx.sys

.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-04 11:29:45
Windows 5.1.2600 Dodatek Service Pack. 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-04 11:31:24 - machine was rebooted
.
   --- E O F ---



[Dzi@dek]

Pobierz program Killbox] wklej ścieżkę C:\WINDOWS\svchost.exe



i naciśnij czerwony krzyżyk - Exit.

Daj owy log z hijackthis.

[evane]

Kod: Zaznacz wszystko

Logfile of HijackThis v1.99.1
Scan saved at 12:51:06, on 2007-12-04
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\Programy\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WinampAgent] d:\Programy\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SiSSoundMan] C:\WINDOWS\System32\SoundMan.exe
O4 - HKLM\..\Run: [SiSSetCDfmt] C:\WINDOWS\System32\SetCDfmt.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Gainward] C:\Program Files\Vtune\TBPanel.exe /A
O4 - HKLM\..\Run: [CloneCDTray] "d:\Programy\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [avast!] d:\Programy\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "D:\Programy\Gadu-Gadu\gg.exe" /tray
O4 - Global Startup: Microsoft Office.lnk = D:\Programy\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Clean Traces - D:\Programy\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - D:\Programy\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - D:\Programy\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\Programy\MICROS~1\Office10\EXCEL.EXE/3000
O16 - DPF: {5A09E43F-A0A7-4ABF-AF80-11367CF1DC8F} (MainControl Class) - http://mks.com.pl/skaner/SkanerOnline.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1173052037275
O16 - DPF: {AB8638BB-79E8-4E9D-ABF2-8F33054E3941} (Guesser Class) - http://czat.onet.pl/client/kalambury/NetPunGame1.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{463FA583-F57A-4C15-A89F-7E45C4C71E12}: NameServer = 212.244.88.3,212.244.88.24
O17 - HKLM\System\CS1\Services\Tcpip\..\{463FA583-F57A-4C15-A89F-7E45C4C71E12}: NameServer = 212.244.88.3,212.244.88.24
O17 - HKLM\System\CS2\Services\Tcpip\..\{463FA583-F57A-4C15-A89F-7E45C4C71E12}: NameServer = 212.244.88.3,212.244.88.24
O17 - HKLM\System\CS3\Services\Tcpip\..\{463FA583-F57A-4C15-A89F-7E45C4C71E12}: NameServer = 212.244.88.3,212.244.88.24
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - d:\Programy\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - d:\Programy\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - d:\Programy\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - d:\Programy\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: CPUCooLServer Service (CPUCooLServer) - Unknown owner - C:\Program Files\CPUCooL\CooLSrv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - d:\Programy\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - d:\Programy\Spyware Doctor\swdsvc.exe



[Dzi@dek]

Jak nie grasz online w kalambury możesz usunąć ten wpis:

O16 - DPF: {AB8638BB-79E8-4E9D-ABF2-8F33054E3941} (Guesser Class) - http://czat.onet.pl/client/kalambury/NetPunGame1.dll

Reszta OK.

Problem ustąpił

[evane]

usunelam ten wpis, ale problem nie ustapil

Macie moze jeszcze jakies pomysly, co moze byc nie tak ?

[wojtas]

Otworz notatnik i wklej w nim to:

File::
C:\WINDOWS\system32\ycdgh.ini
C:\WINDOWS\system32\ycdgh.ini2
C:\WINDOWS\system32\hgdcy.dll
C:\WINDOWS\system32\xxyvtst.dll

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{FED51DF2-9644-4C58-9104-90244EDD6EEC}"=-

[-HKEY_LOCAL_MACHINE\~\BrowserHelperObjects\{09BBDCEC-5F86-4250-A87A-D52A0F1D692A}]

[-HKEY_LOCAL_MACHINE\~\BrowserHelperObjects\{FED51DF2-9644-4C58-9104-90244EDD6EEC}]

[-HKEY_LOCAL_MACHINE\software\microsoft\windowsnt\currentversion\winlogon\notify\xxyvtst]

Plik >>> zapisz jako CFScript.txt .Plik przeciągnij i upuść na ikonę ComboFixa (tak jak tu ) . Potwierdz >>> zresetuje sie komputer

(jeśli pojawi się pytanie "1 or 2" - to wpisz 1 i naciśnij ENTER). Rozpocznie się proces usuwania

nastepnie skasnujesz ten plik:
(zeby go zobaczyc musisz :przejdz do opcji: Narzedzia>>Widok>>Pokaz ukryte pliki lub foldery oraz Ukryj chronione pliki systemu operacyjnego)

C:\WINDOWS\system32\13BE995964.sys

tu i daj raporty ze skanow, nowy log z hijacka oraz combofixa

[evane]

Zrobilam wszystko co napisales oprocz skasowania tego pliku

C:\WINDOWS\system32\13BE995964.sys

bo go nie mam.

ale juz wszystko dziala, pojawily sie ikonki i pasek startu.
Wielkie dzieki za pomoc

czy logi sa juz czyste?????

Log z hijacka:

Kod: Zaznacz wszystko

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:07:22, on 2007-12-04
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
d:\Programy\Avast4\aswUpdSv.exe
d:\Programy\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CPUCooL\CooLSrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
D:\Programy\Winamp\winampa.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Vtune\TBPanel.exe
D:\Programy\Avast4\ashDisp.exe
C:\WINDOWS\System32\ctfmon.exe
d:\Programy\Avast4\ashWebSv.exe
d:\Programy\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\j\Moje dokumenty\My Completed Downloads\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Programy\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Programy\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Little Fighter 2 Toolbar Helper - {AB41010D-4804-4793-A6A2-3B5EBE2348DD} - C:\Program Files\Little Fighter 2 Toolbar\v2.0.0.1\Little_Fighter_2_Toolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WinampAgent] d:\Programy\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SiSSoundMan] C:\WINDOWS\System32\SoundMan.exe
O4 - HKLM\..\Run: [SiSSetCDfmt] C:\WINDOWS\System32\SetCDfmt.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Gainward] C:\Program Files\Vtune\TBPanel.exe /A
O4 - HKLM\..\Run: [CloneCDTray] "d:\Programy\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [avast!] d:\Programy\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-21-1993962763-1580436667-1957994488-1012\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = D:\Programy\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Clean Traces - D:\Programy\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - D:\Programy\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - D:\Programy\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\Programy\MICROS~1\Office10\EXCEL.EXE/3000
O16 - DPF: {5A09E43F-A0A7-4ABF-AF80-11367CF1DC8F} (MainControl Class) - http://mks.com.pl/skaner/SkanerOnline.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1173052037275
O17 - HKLM\System\CCS\Services\Tcpip\..\{463FA583-F57A-4C15-A89F-7E45C4C71E12}: NameServer = 212.244.88.3,212.244.88.24
O17 - HKLM\System\CS1\Services\Tcpip\..\{463FA583-F57A-4C15-A89F-7E45C4C71E12}: NameServer = 212.244.88.3,212.244.88.24
O17 - HKLM\System\CS2\Services\Tcpip\..\{463FA583-F57A-4C15-A89F-7E45C4C71E12}: NameServer = 212.244.88.3,212.244.88.24
O17 - HKLM\System\CS3\Services\Tcpip\..\{463FA583-F57A-4C15-A89F-7E45C4C71E12}: NameServer = 212.244.88.3,212.244.88.24
O20 - Winlogon Notify: xxyvtst - xxyvtst.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - d:\Programy\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - d:\Programy\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - d:\Programy\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - d:\Programy\Avast4\ashWebSv.exe
O23 - Service: CPUCooLServer Service (CPUCooLServer) - Unknown owner - C:\Program Files\CPUCooL\CooLSrv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - d:\Programy\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - d:\Programy\Spyware Doctor\swdsvc.exe

--
End of file - 5895 bytes


Log z Combofixa:

Kod: Zaznacz wszystko

ComboFix 07-12-02.6 - xx 2007-12-04 17:46:24.3 - NTFSx86 NETWORK
Microsoft Windows XP Professional  5.1.2600.1.1250.1.1045.18.344 [GMT 1:00]
Running from: C:\Documents and Settings\xx\Pulpit\ComboFix.exe
Command switches used :: C:\Documents and Settings\xx\Pulpit\CFScript.txt

FILE
C:\WINDOWS\system32\hgdcy.dll
C:\WINDOWS\system32\xxyvtst.dll
C:\WINDOWS\system32\ycdgh.ini
C:\WINDOWS\system32\ycdgh.ini2
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\hgdcy.dll
C:\WINDOWS\system32\xxyvtst.dll
C:\WINDOWS\system32\ycdgh.ini
C:\WINDOWS\system32\ycdgh.ini2

.
(((((((((((((((((((((((((   Files Created from 2007-11-04 to 2007-12-04  )))))))))))))))))))))))))))))))
.

2007-12-04 21:44 . 2004-05-26 21:37   719,872   --a------   C:\WINDOWS\system32\devil.dll
2007-12-04 21:44 . 2006-09-16 19:44   314,368   --a------   C:\WINDOWS\system32\avisynth.dll
2007-12-03 23:50 . 2007-12-03 23:50   <DIR>   d--------   C:\Documents and Settings\Kuba\Dane aplikacji\Lavasoft
2007-11-12 22:50 . 2007-11-12 22:58   <DIR>   d--h-----   C:\WINDOWS\msdownld.tmp
2007-11-12 22:45 . 2007-11-12 22:45   <DIR>   d----c---   C:\WINDOWS\system32\DRVSTORE
2007-11-12 22:42 . 2007-11-12 22:42   94,064   --a------   C:\WINDOWS\system32\drivers\k510mdm.sys
2007-11-12 22:42 . 2007-11-12 22:42   85,408   --a------   C:\WINDOWS\system32\drivers\k510mgmt.sys
2007-11-12 22:42 . 2007-11-12 22:42   83,344   --a------   C:\WINDOWS\system32\drivers\k510obex.sys
2007-11-12 22:42 . 2007-11-12 22:42   58,288   --a------   C:\WINDOWS\system32\drivers\k510bus.sys
2007-11-12 22:42 . 2007-11-12 22:42   8,336   --a------   C:\WINDOWS\system32\drivers\k510mdfl.sys
2007-11-12 22:42 . 2007-11-12 22:42   6,176   --a------   C:\WINDOWS\system32\drivers\k510cmnt.sys
2007-11-12 22:42 . 2007-11-12 22:42   6,176   --a------   C:\WINDOWS\system32\drivers\k510cm.sys
2007-11-12 22:42 . 2007-11-12 22:42   5,808   --a------   C:\WINDOWS\system32\drivers\k510whnt.sys
2007-11-12 22:42 . 2007-11-12 22:42   5,808   --a------   C:\WINDOWS\system32\drivers\k510wh.sys

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-03 23:58   ---------   d---a-w   C:\Documents and Settings\All Users\Dane aplikacji\TEMP
2007-11-03 19:21   49,496   -c--a-w   C:\Documents and Settings\j\Dane aplikacji\GDIPFONTCACHEV1.DAT
2007-11-01 23:48   ---------   d-----w   C:\Documents and Settings\xx\Dane aplikacji\teamspeak2
2007-11-01 23:14   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
2007-11-01 23:08   ---------   d-----w   C:\Documents and Settings\xx\Dane aplikacji\InstallShield
2007-10-29 19:00   ---------   d-----w   C:\Documents and Settings\xx\Dane aplikacji\Skype
2007-06-11 13:49   19,944   ----a-w   C:\Documents and Settings\xx\Dane aplikacji\GDIPFONTCACHEV1.DAT
2006-07-20 12:36   56   -csh--r   C:\WINDOWS\system32\13BE995964.sys
.

(((((((((((((((((((((((((((((   snapshot@2007-12-04_11.30.12.79   )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-01 23:07:21   167,752   -c--a-w   C:\WINDOWS\system32\perfc009.dat
+ 2007-12-04 13:26:16   167,984   ----a-w   C:\WINDOWS\system32\perfc009.dat
- 2007-11-01 23:07:22   74,230   -c--a-w   C:\WINDOWS\system32\perfc015.dat
+ 2007-12-04 13:26:17   74,230   ----a-w   C:\WINDOWS\system32\perfc015.dat
- 2007-11-01 23:07:22   682,124   -c--a-w   C:\WINDOWS\system32\perfh009.dat
+ 2007-12-04 13:26:16   682,740   ----a-w   C:\WINDOWS\system32\perfh009.dat
- 2007-11-01 23:07:22   448,004   -c--a-w   C:\WINDOWS\system32\perfh015.dat
+ 2007-12-04 13:26:17   448,004   ----a-w   C:\WINDOWS\system32\perfh015.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-09-20 18:05]
"Gadu-Gadu"="D:\Programy\Gadu-Gadu\gg.exe" [2006-02-13 12:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinampAgent"="d:\Programy\Winamp\winampa.exe" [2006-11-21 18:38]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 12:03]
"SiSSoundMan"="C:\WINDOWS\System32\SoundMan.exe" [2000-12-18 06:40]
"SiSSetCDfmt"="C:\WINDOWS\System32\SetCDfmt.exe" [2001-07-26 04:52]
"nwiz"="nwiz.exe" [2006-03-09 14:29 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2001-10-26 16:30 C:\WINDOWS\system32\rundll32.exe]
"NvCplDaemon"="RUNDLL32.exe" [2001-10-26 16:30 C:\WINDOWS\system32\rundll32.exe]
"Gainward"="C:\Program Files\Vtune\TBPanel.exe" [2006-09-13 09:16]
"CloneCDTray"="d:\Programy\CloneCD\CloneCDTray.exe" [2004-12-27 20:14]
"avast!"="d:\Programy\Avast4\ashDisp.exe" [2007-09-06 11:06]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-09-20 18:05]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
Microsoft Office.lnk - D:\Programy\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyvtst]
xxyvtst.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages   REG_MULTI_SZ      msv1_0 C:\WINDOWS\System32\hgdcy.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup


.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-04 17:50:50
Windows 5.1.2600 Dodatek Service Pack. 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-12-04 17:52:29 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-04 11:31
.
   --- E O F ---



[ Dodano: Dzisiaj o 18:28 ]

[wojtas]

skasuj:

O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - (no file)
O20 - Winlogon Notify: xxyvtst - xxyvtst.dll (file missing)

bedzie ok