prosze o sprawdzenie loga

**Posty:** 68 · przez **Kajtek** 04 Cze 2007, 15:17

Witam, mam drobny kłopot z przegladaniem www mianowicie jakis wirus czy cos (nie wiem nie znam sie ) blokuje mi strony, musze otwierac menadzera zadan i zamykac proces iexplorer.exe (z tego co wiem to tak przedstawia sie internet explorer) wtedy mam jakies 5sek na otwarcie strony i znow musze zamykac ten sam proces

Kod: Zaznacz wszystko: Logfile of HijackThis v1.99.1 Scan saved at 14:56:59, on 2007-07-05 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Unable to get Internet Explorer version! Running processes: D:\WINNT\System32\smss.exe D:\WINNT\system32\winlogon.exe D:\WINNT\system32\services.exe D:\WINNT\system32\lsass.exe D:\WINNT\system32\svchost.exe D:\WINNT\System32\svchost.exe D:\WINNT\Explorer.EXE D:\WINNT\system32\spoolsv.exe D:\WINNT\system32\RUNDLL32.EXE D:\WINNT\system32\CTHELPER.EXE D:\Program Files\Java\jre1.6.0_01\bin\jusched.exe D:\WINNT\system32\ctfmon.exe C:\Program Files\RivChat2\RivChat.exe D:\WINNT\system32\nvsvc32.exe D:\WINNT\System32\PAStiSvc.exe D:\WINNT\system32\svchost.exe D:\WINNT\system32\wscntfy.exe C:\Program Files\INTERIAPL\Stefan\Stefan.exe D:\Program Files\Winamp\winamp.exe D:\Program Files\Mozilla Firefox\firefox.exe D:\WINNT\iexplore.exe D:\WINNT\system32\taskmgr.exe D:\Documents and Settings\Kajtek\Pulpit\hijackthis_199\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://miasto.interia.pl/pa.html?srv=java_download.w.interia.pl R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - D:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - D:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINNT\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINNT\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE O4 - HKLM\..\Run: [UpdReg] D:\WINNT\UpdReg.EXE O4 - HKLM\..\Run: [Jet Detection] "D:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINNT\system32\ctfmon.exe O4 - HKCU\..\Run: [RivChat] C:\Program Files\RivChat2\RivChat.exe O4 - HKCU\..\Run: [DAEMON Tools] "D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1177883632031 O23 - Service: Apache - Unknown owner - C:\AppServ\Apache\Apache.exe" --ntservice (file missing) O23 - Service: Microsoft Internet Explorer - Unknown owner - D:\WINNT\iexplore.exe O23 - Service: MySQL - Unknown owner - C:\AppServ\mysql\bin\mysqld-nt.exe (file missing) O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINNT\system32\nvsvc32.exe O23 - Service: STI Simulator - Unknown owner - D:\WINNT\System32\PAStiSvc.exe

**Posty:** 18165 · przez **wojtas** 04 Cze 2007, 16:47

Wyłącz przywracanie systemu ( właściwości mój komputer-zakładka przywracanie - wyłącz przywracanie na wszystkich dyskach)
Start do awaryjnego ( F8 ) przy starcie komputera.

Kod: Zaznacz wszystko: start -> uruchom -> services.msc -> zatrzymaj i wyłącz usługe Microsoft Internet Explorer

O23 - Service: Microsoft Internet Explorer - Unknown owner - D:\WINNT\iexplore.exe

Odpalasz hijackthis i zaznaczasz ptaszkami powyższe wpisy i dajesz Fix checked.
Pogrubione pliki usuwasz ręcznie z dysku
potem nowe logi z Hijack This oraz Silent runners

**Posty:** 68 · przez **Kajtek** 04 Cze 2007, 18:38

a więc zrobiłem jak chciałes i juz nie blokuje

wielkie dzieki :mrgreen:

tylko... napisałes

Pogrubione pliki usuwasz ręcznie z dysku

tego nie zrobiłem gdyz w podanej lokalizacji

Kod: Zaznacz wszystko: O23 - Service: Microsoft Internet Explorer - Unknown owner - D:\WINNT\iexplore.exe

nie moglem znalesc tego pliku... w kazdym razie wazne ze juz nie blokuje

a jeszcze mam pytanie, czy ponizszy proces jest istotny?

Kod: Zaznacz wszystko: D:\WINNT\System32\PAStiSvc.exe

chcialem go usunac ale w sumie nie wiem co to wiec zostawilem...

ponizej wklejam log z Silent Runners

Kod: Zaznacz wszystko: "Silent Runners.vbs", revision R50, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by "{++}" Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} "CTFMON.EXE" = "D:\WINNT\system32\ctfmon.exe" [MS] "RivChat" = "C:\Program Files\RivChat2\RivChat.exe" [null data] "DAEMON Tools" = ""D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033" ["DT Soft Ltd."] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} "NvCplDaemon" = "RUNDLL32.EXE D:\WINNT\system32\NvCpl.dll,NvStartup" [MS] "nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"] "NvMediaCenter" = "RUNDLL32.EXE D:\WINNT\system32\NvMcTray.dll,NvTaskbarInit" [MS] "WINDVDPatch" = "CTHELPER.EXE" ["Creative Technology Ltd"] "UpdReg" = "D:\WINNT\UpdReg.EXE" ["Creative Technology Ltd."] "Jet Detection" = ""D:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"" [empty string] "SunJavaUpdateSched" = ""D:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"" ["Sun Microsystems, Inc."] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}\(Default) = (no title provided) -> {HKLM...CLSID} = "Megaupload Toolbar" \InProcServer32\(Default) = "D:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL" ["MegaUpload"] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided) -> {HKLM...CLSID} = "SSVHelper Class" \InProcServer32\(Default) = "D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll" ["Sun Microsystems, Inc."] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania" -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania" \InProcServer32\(Default) = "deskpan.dll" [file not found] "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu" -> {HKLM...CLSID} = "HyperTerminal Icon Ext" \InProcServer32\(Default) = "D:\WINNT\system32\hticons.dll" ["Hilgraeve, Inc."] "{3028902F-6374-48b2-8DC6-9725E775B926}" = "IE Microsoft AutoComplete" -> {HKLM...CLSID} = "IE Microsoft AutoComplete" \InProcServer32\(Default) = "D:\WINNT\system32\browseui.dll" [MS] "{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band" -> {HKLM...CLSID} = "History Band" \InProcServer32\(Default) = "D:\WINNT\system32\shdocvw.dll" [MS] "{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class" -> {HKLM...CLSID} = "DesktopContext Class" \InProcServer32\(Default) = "D:\WINNT\system32\nvcpl.dll" ["NVIDIA Corporation"] "{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper" -> {HKLM...CLSID} = "NVIDIA CPL Extension" \InProcServer32\(Default) = "D:\WINNT\system32\nvcpl.dll" ["NVIDIA Corporation"] "{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer" -> {HKLM...CLSID} = "Desktop Explorer" \InProcServer32\(Default) = "D:\WINNT\system32\nvshell.dll" ["NVIDIA Corporation"] "{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "D:\WINNT\system32\nvshell.dll" ["NVIDIA Corporation"] "{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu" -> {HKLM...CLSID} = "nView Desktop Context Menu" \InProcServer32\(Default) = "D:\WINNT\system32\nvshell.dll" ["NVIDIA Corporation"] "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data] HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ "shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} "undockwithoutlogon" = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ "Wallpaper" = "D:\WINNT\web\wallpaper\Idylla.bmp" Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ "Wallpaper" = "D:\WINNT\web\wallpaper\Idylla.bmp" Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS] 000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ "{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}" -> {HKLM...CLSID} = "Megaupload Toolbar" \InProcServer32\(Default) = "D:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL" ["MegaUpload"] HKLM\Software\Microsoft\Internet Explorer\Toolbar\ "{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}" = (no title provided) -> {HKLM...CLSID} = "Megaupload Toolbar" \InProcServer32\(Default) = "D:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL" ["MegaUpload"] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ "MenuText" = "Sun Java Console" "CLSIDExtension" = "{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC}" -> {HKCU...CLSID} = "Java Plug-in 1.6.0_01" \InProcServer32\(Default) = "D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll" ["Sun Microsystems, Inc."] -> {HKLM...CLSID} = "Java Plug-in 1.6.0_01" \InProcServer32\(Default) = "D:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll" ["Sun Microsystems, Inc."] {FB5F1910-F110-11D2-BB9E-00C04F795683}\ "ButtonText" = "Messenger" "MenuText" = "Windows Messenger" "Exec" = "D:\Program Files\Messenger\msmsgs.exe" [MS] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ NVIDIA Display Driver Service, NVSvc, "D:\WINNT\system32\nvsvc32.exe" ["NVIDIA Corporation"] STI Simulator, STI Simulator, "D:\WINNT\System32\PAStiSvc.exe" [null data] Windows User Mode Driver Framework, UMWdf, "D:\WINNT\system32\wdfmgr.exe" [MS] ---------- + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 67 seconds. ---------- (total run time: 126 seconds)

oraz HiJackThis

Kod: Zaznacz wszystko: Logfile of HijackThis v1.99.1 Scan saved at 18:18:10, on 2007-06-04 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Unable to get Internet Explorer version! Running processes: D:\WINNT\System32\smss.exe D:\WINNT\system32\winlogon.exe D:\WINNT\system32\services.exe D:\WINNT\system32\lsass.exe D:\WINNT\system32\svchost.exe D:\WINNT\System32\svchost.exe D:\WINNT\Explorer.EXE D:\WINNT\system32\spoolsv.exe D:\WINNT\system32\RUNDLL32.EXE D:\WINNT\system32\CTHELPER.EXE D:\Program Files\Java\jre1.6.0_01\bin\jusched.exe D:\WINNT\system32\ctfmon.exe C:\Program Files\RivChat2\RivChat.exe D:\WINNT\system32\nvsvc32.exe D:\WINNT\System32\PAStiSvc.exe D:\WINNT\system32\svchost.exe D:\WINNT\system32\wscntfy.exe D:\Program Files\Mozilla Firefox\firefox.exe D:\WINNT\system32\wuauclt.exe D:\WINNT\system32\wuauclt.exe D:\Documents and Settings\Kajtek\Pulpit\hijackthis_199\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://miasto.interia.pl/pa.html?srv=java_download.w.interia.pl R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - D:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - D:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINNT\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINNT\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE O4 - HKLM\..\Run: [UpdReg] D:\WINNT\UpdReg.EXE O4 - HKLM\..\Run: [Jet Detection] "D:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINNT\system32\ctfmon.exe O4 - HKCU\..\Run: [RivChat] C:\Program Files\RivChat2\RivChat.exe O4 - HKCU\..\Run: [DAEMON Tools] "D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1177883632031 O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINNT\system32\nvsvc32.exe O23 - Service: STI Simulator - Unknown owner - D:\WINNT\System32\PAStiSvc.exe

edit:// a bylbym zapomnial... tak z czystej ciekawosci chcialbym wiedziec czym sa procesy svchost.exe obecnie mam ich 5 ale czasem jest ich wiecej.. wczesniej mnie to tak nie interesowalo bo zjadaly niewiele pamieci wirtualnej ale kilka dni temu zaczely pozerac jej znacznie wiecej i tak np svchost.exe z dopiskiem SYSTEM sprawia ze uzycie procesora wzrasta o kilka procent... troche mnie to denerwuje bo juz sam w sobie komputer wolno dziala a to jeszcze pogarsza sprawa

**Posty:** 3854 · przez **Dzi@dek** 04 Cze 2007, 20:14

Kajtek napisał(a):D:\WINNT\System32\PAStiSvc.exe

Process Name: STI Simulator

**Posty:** 68 · przez **Kajtek** 04 Cze 2007, 21:03

no tyle to sam wyczytałem - ale czy to cos potrzebnego? sama nazwa mi nic nie mowi poza tym ze to jakis symulator :roll:

**Posty:** 18165 · przez **wojtas** 04 Cze 2007, 21:37

Kajtek napisał(a):tak z czystej ciekawosci chcialbym wiedziec czym sa procesy svchost.exe

sa poprawne nie ruszaj

sciagnij killbox`a:

http://www.wiruskill.pl/forum/viewtopic.php?t=58

Odpalasz Killboxa zaznacz opcję Delete on Reboot następnie w polu Full Path of File to Delete wklej ścieżkę :

D:\WINNT\iexplore.exe

i nacisnij x
Program będzie pytał o restart (oczywiście zgadzasz się)

D:\WINNT\System32\PAStiSvc.exe

tu masz opis wpis jest ok nie ruszaj go :arrow:

http://www.exedb.com/PAStiSvc.html

Autor postu otrzymał pochwałę

**Posty:** 68 · przez **Kajtek** 04 Cze 2007, 22:49

coś mi nie dziala ten killbox :roll:

wyskakuje blad ze brakuje jakiś plikow :-|

no ale trudno ;] wazne ze juz dziad stron nie blokuje

jeszcze raz dzieki

**Posty:** 18165 · przez **wojtas** 04 Cze 2007, 22:49

daj loga z:

http://deckard.geekstogo.com/dss.exe

**Posty:** 68 · przez **Kajtek** 04 Cze 2007, 22:53

prosze

Deckard's System Scanner v20070603.47
Run by Kajtek on 2007-06-04 at 22:32:04
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.

-- Last 1 Restore Point(s) --
1: 2007-06-04 20:32:09 UTC - RP1 - Punkt kontrolny systemu

Backed up registry hives.

Performed disk cleanup.

-- HijackThis (run as Kajtek.exe) ----------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 22:32:35, on 2007-06-04
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\System32\svchost.exe
D:\WINNT\Explorer.EXE
D:\WINNT\system32\spoolsv.exe
D:\WINNT\system32\RUNDLL32.EXE
D:\WINNT\system32\CTHELPER.EXE
D:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
D:\WINNT\system32\ctfmon.exe
C:\Program Files\RivChat2\RivChat.exe
D:\WINNT\system32\nvsvc32.exe
D:\WINNT\System32\PAStiSvc.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\wscntfy.exe
D:\WINNT\system32\wuauclt.exe
C:\Program Files\INTERIAPL\Stefan\Stefan.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Documents and Settings\Kajtek\Pulpit\dss.exe
D:\DOCUME~1\Kajtek\Pulpit\HIJACK~1\Kajtek.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://miasto.interia.pl/pa.html?srv=java_download.w.interia.pl
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - D:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - D:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] D:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "D:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [RivChat] C:\Program Files\RivChat2\RivChat.exe
O4 - HKCU\..\Run: [DAEMON Tools] "D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1177883632031
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINNT\system32\nvsvc32.exe
O23 - Service: STI Simulator - Unknown owner - D:\WINNT\System32\PAStiSvc.exe

-- HijackThis Fixed Entries (D:\DOCUME~1\Kajtek\Pulpit\HIJACK~1\backups\) ------

backup-20070604-180332-802 O23 - Service: Microsoft Internet Explorer - Unknown owner - D:\WINNT\iexplore.exe
backup-20070604-180721-361 O23 - Service: MySQL - Unknown owner - C:\AppServ\mysql\bin\mysqld-nt.exe (file missing)
backup-20070604-180721-444 O23 - Service: Apache - Unknown owner - C:\AppServ\Apache\Apache.exe" --ntservice (file missing)

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 PAC207 (SoC PC-Camer@) - d:\winnt\system32\drivers\pfc027.sys

S3 AME (PC Camera(6029 CIF)) - d:\winnt\system32\drivers\pfc027.sys
S3 hamachi (Hamachi Network Interface) - d:\winnt\system32\drivers\hamachi.sys <Not Verified; Applied Networking Inc.; Hamachi Virtual Network Interface Driver>

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 STI Simulator - d:\winnt\system32\pastisvc.exe

S4 Apache - "c:\appserv\apache\apache.exe" --ntservice (file missing)
S4 Microsoft Internet Explorer - "d:\winnt\iexplore.exe"
S4 MySQL - c:\appserv\mysql\bin\mysqld-nt.exe mysql (file missing)

-- Files created between 2007-05-04 and 2007-06-04 -----------------------------

2007-06-30 12:52:30 0 d--h----- D:\Program Files\Common Files\delsim
2007-06-30 12:32:48 505344 -r-hs---- D:\WINNT\iexplore.exe
2007-06-29 12:39:47 192569 --a------ D:\WINNT\system32\msrpjt40.dll <Not Verified; Microsoft Corporation; Microsoft (R) Jet>
2007-06-29 12:39:01 97552 --a------ D:\WINNT\system32\rdocurs.dll <Not Verified; Microsoft Corporation; Microsoft RDO Client Cursor Library>
2007-06-29 12:39:01 376592 --a------ D:\WINNT\system32\msrdo20.dll <Not Verified; Microsoft Corporation; Microsoft Corporation Remote Data Object>
2007-06-29 12:39:00 32830 --a------ D:\WINNT\system32\dbmsshrn.dll <Not Verified; Microsoft Corporation; Microsoft SQL Server>
2007-06-29 12:38:35 0 d-------- D:\Program Files\Microsoft SQL Server
2007-06-29 12:31:39 306688 --a------ D:\WINNT\IsUninst.exe <Not Verified; InstallShield Software Corporation; InstallShield® unInstaller>
2007-06-04 18:10:41 0 d-------- D:\WINNT\LastGood
2007-06-04 18:01:36 0 d--hs---- D:\WINNT\CSC
2007-05-24 17:26:51 0 d-------- D:\WINNT\system32\appmgmt
2007-05-21 18:11:46 0 d-------- D:\Program Files\Azureus
2007-05-21 02:56:14 0 d-------- D:\Program Files\uTorrent
2007-05-19 00:02:26 0 d-------- D:\Program Files\UnH Solutions
2007-05-15 21:51:59 10345 --a------ D:\WINNT\system32\drivers\hamachi.sys <Not Verified; Applied Networking Inc.; Hamachi Virtual Network Interface Driver>
2007-05-15 21:17:03 0 d-------- D:\Program Files\Alcohol Soft
2007-05-08 01:20:42 0 d-------- D:\Program Files\MegauploadToolbar

-- Find3M Report ---------------------------------------------------------------

2007-06-30 14:54:03 355486 --a------ D:\WINNT\system32\perfh015.dat
2007-06-30 14:54:03 49492 --a------ D:\WINNT\system32\perfc015.dat
2007-06-29 14:06:00 0 d-------- D:\Documents and Settings\Kajtek\Dane aplikacji\Hamachi
2007-06-29 11:31:20 0 d--h----- D:\Program Files\InstallShield Installation Information
2007-06-04 18:00:27 24 --a------ D:\WINNT\system32\DVCStateBkp-{00000000-00000000-0000000A-00001102-00000002-80651102}.dat
2007-06-04 18:00:27 24 --a------ D:\WINNT\system32\DVCState-{00000000-00000000-0000000A-00001102-00000002-80651102}.dat
2007-06-04 17:58:27 16896 --a------ D:\WINNT\system32\tftp.exe
2007-06-04 17:58:27 44544 --a------ D:\WINNT\system32\ftp.exe
2007-05-25 22:38:14 0 d-------- D:\Program Files\DC++
2007-05-23 00:20:14 0 d-------- D:\Documents and Settings\Kajtek\Dane aplikacji\Azureus
2007-05-21 18:05:11 0 d-------- D:\Documents and Settings\Kajtek\Dane aplikacji\uTorrent
2007-05-09 17:53:51 0 d-------- D:\Documents and Settings\Kajtek\Dane aplikacji\MegauploadToolbar
2007-04-30 06:32:44 0 d-------- D:\Program Files\PC Camer@
2007-04-30 06:32:44 0 d-------- D:\Program Files\Common Files\PCCamera
2007-04-30 03:56:20 4096 --a------ D:\WINNT\d3dx.dat
2007-04-30 03:51:31 0 d-------- D:\Program Files\DAEMON Tools
2007-04-30 01:48:38 0 d-------- D:\Program Files\XP Codec Pack
2007-04-29 18:18:01 0 d-------- D:\Program Files\MarBit
2007-04-29 17:10:09 0 d-------- D:\Program Files\Common Files\ODBC
2007-04-29 17:10:05 0 d-------- D:\Program Files\Common Files\SpeechEngines
2007-04-29 17:09:26 62 --ahs---- D:\Documents and Settings\Kajtek\Dane aplikacji\desktop.ini
2007-04-29 16:42:08 0 d-------- D:\Program Files\Winamp
2007-04-29 16:16:37 1156 --a------ D:\WINNT\mozver.dat
2007-04-29 16:05:08 0 d-------- D:\Program Files\Common Files\InstallShield
2007-04-29 15:57:24 0 d-------- D:\Program Files\INTERIAPL
2007-04-29 15:55:22 0 d-------- D:\Documents and Settings\Kajtek\Dane aplikacji\Sun
2007-04-29 15:55:03 0 d-------- D:\Program Files\Java
2007-04-29 15:53:19 0 d-------- D:\Program Files\Common Files\Java
2007-04-29 15:52:02 0 --a------ D:\WINNT\nsreg.dat
2007-04-29 15:51:58 0 d-------- D:\Documents and Settings\Kajtek\Dane aplikacji\Mozilla
2007-04-29 15:44:56 0 d-------- D:\Documents and Settings\Kajtek\Dane aplikacji\Macromedia
2007-04-29 15:43:16 0 d-------- D:\Documents and Settings\Kajtek\Dane aplikacji\INTERIAPL
2007-04-29 15:39:52 0 d-------- D:\Program Files\Creative
2007-04-29 15:26:17 0 d-------- D:\Documents and Settings\Kajtek\Dane aplikacji\Identities
2007-04-29 15:20:20 0 d--h----- D:\Program Files\WindowsUpdate
2007-04-29 15:20:15 0 d-------- D:\Program Files\Usługi online
2007-04-29 15:19:24 0 d-------- D:\Program Files\Common Files\MSSoap
2007-04-29 15:19:16 0 d-------- D:\Program Files\Movie Maker
2007-04-29 15:18:14 21856 --a------ D:\WINNT\system32\emptyregdb.dat
2007-04-29 15:17:33 0 d-------- D:\Program Files\Messenger
2007-04-29 15:17:28 0 d-------- D:\Program Files\MSN Gaming Zone
2007-04-29 15:17:16 0 d-------- D:\Program Files\Windows NT
2007-03-27 03:39:14 20480 --a------ D:\WINNT\system32\ac3config.exe

-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} D:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE D:\\WINNT\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE D:\\WINNT\\system32\\NvMcTray.dll,NvTaskbarInit"
"WINDVDPatch"="CTHELPER.EXE"
"UpdReg"="D:\\WINNT\\UpdReg.EXE"
"Jet Detection"="\"D:\\Program Files\\Creative\\SBLive\\PROGRAM\\ADGJDet.exe\""
"SunJavaUpdateSched"="\"D:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="D:\\WINNT\\system32\\ctfmon.exe"
"RivChat"="C:\\Program Files\\RivChat2\\RivChat.exe"
"DAEMON Tools"="\"D:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"nlsf"=hex(2):63,6d,64,2e,65,78,65,20,2f,43,20,6d,6f,76,65,20,2f,59,20,22,25,\
53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,5c,73,79,73,73,\
65,74,75,62,2e,64,6c,6c,22,20,22,25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,\
79,73,74,65,6d,33,32,5c,73,79,73,73,65,74,75,70,2e,64,6c,6c,22,00
"tscuninstall"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,6d,\
33,32,5c,74,73,63,75,70,67,72,64,2e,65,78,65,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="D:\\WINNT\\system32\\CTFMON.EXE"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0

-- End of Deckard's System Scanner: finished at 2007-06-04 at 22:32:56 ---------

[ Dodano: Dzisiaj o 10:03 ]
znow mi sie jakies paskudztwo wryło... :evil:

dam jeszcze raz log z hijack...

Kod: Zaznacz wszystko: Logfile of HijackThis v1.99.1 Scan saved at 09:42:00, on 2007-06-05 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Unable to get Internet Explorer version! Running processes: D:\WINNT\System32\smss.exe D:\WINNT\system32\winlogon.exe D:\WINNT\system32\services.exe D:\WINNT\system32\lsass.exe D:\WINNT\system32\svchost.exe D:\WINNT\System32\svchost.exe D:\WINNT\Explorer.EXE D:\WINNT\system32\spoolsv.exe D:\WINNT\system32\RUNDLL32.EXE D:\WINNT\system32\CTHELPER.EXE D:\Program Files\Java\jre1.6.0_01\bin\jusched.exe D:\WINNT\system32\ctfmon.exe C:\Program Files\RivChat2\RivChat.exe D:\WINNT\system32\nvsvc32.exe D:\WINNT\System32\PAStiSvc.exe D:\WINNT\system32\svchost.exe D:\WINNT\system32\wscntfy.exe D:\WINNT\system32\wuauclt.exe C:\Program Files\INTERIAPL\Stefan\Stefan.exe D:\Program Files\Winamp\winamp.exe D:\Program Files\Mozilla Firefox\firefox.exe D:\Documents and Settings\Kajtek\Pulpit\killbox\KillBox.exe D:\Documents and Settings\Kajtek\Pulpit\hijackthis_199\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://miasto.interia.pl/pa.html?srv=java_download.w.interia.pl R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - D:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - D:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINNT\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINNT\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE O4 - HKLM\..\Run: [UpdReg] D:\WINNT\UpdReg.EXE O4 - HKLM\..\Run: [Jet Detection] "D:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINNT\system32\ctfmon.exe O4 - HKCU\..\Run: [RivChat] C:\Program Files\RivChat2\RivChat.exe O4 - HKCU\..\Run: [DAEMON Tools] "D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1177883632031 O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINNT\system32\nvsvc32.exe O23 - Service: STI Simulator - Unknown owner - D:\WINNT\System32\PAStiSvc.exe

**Posty:** 18165 · przez **wojtas** 05 Cze 2007, 18:05

Pobierz i uruchom narzędzie : The Avenger
http://swandog46.geekstogo.com/avenger.zip
Zaznacz opcję Input script manually i kliknij na Lupkę z prawej strony. W okienku, które się otworzy wklejasz:

Files to delete:

D:\WINNT\iexplore.exe

Klikasz Done, a następnie zielone światełko i zgadzasz się na restart klikając OK.

Kasujesz ręcznie z dysku plik: C:\Avenger\backup.zip i wklejasz na forum raport: C:\avenger.txt + log z
combofixa
:arrow:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

**Posty:** 68 · przez **Kajtek** 06 Cze 2007, 12:40

Kod: Zaznacz wszystko: Logfile of The Avenger version 1, by Swandog46 Running from registry key: \Registry\Machine\System\CurrentControlSet\Services\hrxfkhjj ******************* Script file located at: \??\D:\WINNT\system32\dehmvsvj.txt Script file opened successfully. Script file read successfully Backups directory opened successfully at D:\Avenger ******************* Beginning to process script file: File D:\WINNT\iexplore.exe not found! Deletion of file D:\WINNT\iexplore.exe failed! Could not process line: D:\WINNT\iexplore.exe Status: 0xc0000034 Completed script processing. ******************* Finished! Terminate.

i combofix

Kod: Zaznacz wszystko: "Kajtek" - 2007-06-06 12:14:47 Dodatek Service Pack 2 NTFS ComboFix 07-06-3B - Running from: "D:\Documents and Settings\Kajtek\Pulpit\" ((((((((((((((((((((((((( Files Created from 2007-05-06 to 2007-06-06 ))))))))))))))))))))))))))))))) 2007-06-30 12:52 <DIR> d--h----- D:\Program Files\Common Files\delsim 2007-06-29 12:39 97,552 --a------ D:\WINNT\system32\rdocurs.dll 2007-06-29 12:39 376,592 --a------ D:\WINNT\system32\msrdo20.dll 2007-06-29 12:39 32,830 --a------ D:\WINNT\system32\dbmsshrn.dll 2007-06-29 12:39 192,569 --a------ D:\WINNT\system32\msrpjt40.dll 2007-06-29 12:38 <DIR> d-------- D:\Program Files\Microsoft SQL Server 2007-06-29 12:31 306,688 --a------ D:\WINNT\IsUninst.exe 2007-06-06 12:12 <DIR> d-------- D:\avenger 2007-06-05 09:40 <DIR> d-------- D:\!KillBox 2007-06-05 07:33 <DIR> d-------- D:\Program Files\Hamachi 2007-06-04 22:31 <DIR> d-------- D:\Deckard 2007-06-04 18:01 524,288 --ah----- D:\DOCUME~1\ADMINI~1\NTUSER.DAT 2007-06-04 18:01 <DIR> dr-h----- D:\DOCUME~1\ADMINI~1\Dane aplikacji 2007-06-04 18:01 <DIR> dr------- D:\DOCUME~1\ADMINI~1\Menu Start 2007-06-04 18:01 <DIR> d--hs---- D:\WINNT\CSC 2007-06-04 18:01 <DIR> d--h----- D:\DOCUME~1\ADMINI~1\Ustawienia lokalne 2007-06-04 18:01 <DIR> d--h----- D:\DOCUME~1\ADMINI~1\Szablony 2007-06-04 18:01 <DIR> d-------- D:\DOCUME~1\ADMINI~1\Ulubione 2007-06-04 18:01 <DIR> d-------- D:\DOCUME~1\ADMINI~1\Pulpit 2007-06-04 18:01 <DIR> d-------- D:\DOCUME~1\ADMINI~1\Moje dokumenty 2007-05-24 20:07 31,616 --a------ D:\WINNT\system32\drivers\usbccgp.sys 2007-05-24 17:26 <DIR> d-------- D:\WINNT\system32\appmgmt 2007-05-21 18:11 <DIR> d-------- D:\Program Files\Azureus 2007-05-21 02:56 <DIR> d-------- D:\Program Files\uTorrent 2007-05-21 02:56 <DIR> d-------- D:\DOCUME~1\Kajtek\DANEAP~1\uTorrent 2007-05-20 12:43 <DIR> d-------- D:\DOCUME~1\Kajtek\DANEAP~1\Hamachi 2007-05-19 00:02 <DIR> d-------- D:\Program Files\UnH Solutions 2007-05-18 18:00 2,297,552 --a------ D:\WINNT\system32\d3dx9_26.dll 2007-05-15 23:07 <DIR> d-------- D:\DOCUME~1\Kajtek\DANEAP~1\Azureus 2007-05-15 23:07 <DIR> d-------- D:\DOCUME~1\ALLUSE~1\DANEAP~1\Azureus 2007-05-15 21:51 16,224 --a------ D:\WINNT\system32\drivers\hamachi.sys 2007-05-15 21:17 <DIR> d-------- D:\Program Files\Alcohol Soft 2007-05-08 01:20 <DIR> d-------- D:\Program Files\MegauploadToolbar 2007-05-08 01:20 <DIR> d-------- D:\DOCUME~1\Kajtek\DANEAP~1\MegauploadToolbar (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-06-29 09:31:20 -------- d--h--w D:\Program Files\InstallShield Installation Information 2007-06-06 10:11:30 24 ----a-w D:\WINNT\system32\DVCStateBkp-{00000000-00000000-0000000A-00001102-00000002-80651102}.dat 2007-06-06 10:11:30 24 ----a-w D:\WINNT\system32\DVCState-{00000000-00000000-0000000A-00001102-00000002-80651102}.dat 2007-06-06 09:50:20 -------- d-----w D:\Program Files\DC++ 2007-06-05 01:10:50 49,492 ----a-w D:\WINNT\system32\perfc015.dat 2007-06-05 01:10:50 355,486 ----a-w D:\WINNT\system32\perfh015.dat 2007-06-04 15:58:27 44,544 ----a-w D:\WINNT\system32\ftp.exe 2007-06-04 15:58:27 16,896 ----a-w D:\WINNT\system32\tftp.exe 2007-04-30 04:32:44 -------- d-----w D:\Program Files\PC Camer@ 2007-04-30 04:32:44 -------- d-----w D:\Program Files\Common Files\PCCamera 2007-04-30 01:56:20 4,096 ----a-w D:\WINNT\d3dx.dat 2007-04-30 01:51:31 -------- d-----w D:\Program Files\DAEMON Tools 2007-04-30 01:50:01 682,232 ----a-w D:\WINNT\system32\drivers\sptd.sys 2007-04-29 23:48:38 -------- d-----w D:\Program Files\XP Codec Pack 2007-04-29 16:18:01 -------- d-----w D:\Program Files\MarBit 2007-04-29 15:10:09 -------- d-----w D:\Program Files\Common Files\ODBC 2007-04-29 15:10:05 -------- d-----w D:\Program Files\Common Files\SpeechEngines 2007-04-29 14:42:08 -------- d-----w D:\Program Files\Winamp 2007-04-29 14:16:37 1,156 ----a-w D:\WINNT\mozver.dat 2007-04-29 14:05:08 -------- d-----w D:\Program Files\Common Files\InstallShield 2007-04-29 13:57:24 -------- d-----w D:\Program Files\INTERIAPL 2007-04-29 13:52:02 0 ----a-w D:\WINNT\nsreg.dat 2007-04-29 13:43:16 -------- d-----w D:\DOCUME~1\Kajtek\DANEAP~1\INTERIAPL 2007-04-29 13:39:52 -------- d-----w D:\Program Files\Creative 2007-04-29 13:20:20 -------- d--h--w D:\Program Files\WindowsUpdate 2007-04-29 13:20:15 -------- d-----w D:\Program Files\Usługi online 2007-04-29 13:19:24 -------- d-----w D:\Program Files\Common Files\MSSoap 2007-04-29 13:19:16 -------- d-----w D:\Program Files\Movie Maker 2007-04-29 13:18:14 21,856 ----a-w D:\WINNT\system32\emptyregdb.dat 2007-04-29 13:17:33 -------- d-----w D:\Program Files\Messenger 2007-04-29 13:17:28 -------- d-----w D:\Program Files\MSN Gaming Zone 2007-04-29 13:17:16 -------- d-----w D:\Program Files\Windows NT 2007-03-27 01:39:14 20,480 ----a-w D:\WINNT\system32\ac3config.exe 2007-03-17 13:47:17 293,376 ----a-w D:\WINNT\system32\winsrv.dll 2007-03-08 15:51:57 579,584 ----a-w D:\WINNT\system32\user32.dll 2007-03-08 15:51:57 40,960 ----a-w D:\WINNT\system32\mf3216.dll 2007-03-08 15:51:57 282,112 ----a-w D:\WINNT\system32\gdi32.dll 2007-03-08 15:49:53 1,844,224 ----a-w D:\WINNT\system32\win32k.sys 2007-03-07 23:51:00 129,784 ------w D:\WINNT\system32\pxafs.dll ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects] {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}=D:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL [2006-10-31 08:55] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "nwiz"="nwiz.exe" [2006-10-22 12:22 D:\WINNT\system32\nwiz.exe] "WINDVDPatch"="CTHELPER.EXE" [2002-07-02 17:56 D:\WINNT\system32\CTHELPER.EXE] "Jet Detection"="D:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 01:00] "SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="D:\WINNT\system32\ctfmon.exe" [2004-08-04 02:44] "RivChat"="C:\Program Files\RivChat2\RivChat.exe" [2006-05-03 12:23] "DAEMON Tools"="D:\Program Files\DAEMON Tools\daemon.exe" [2007-04-04 00:29] [HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce] "nlsf"=cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" "tscuninstall"=%systemroot%\system32\tscupgrd.exe HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs* ************************************************************************** catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net Rootkit scan 2007-06-06 12:16:21 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... ************************************************************************** Completion time: 2007-06-06 12:17:07 --- E O F ---

**Posty:** 18165 · przez **wojtas** 06 Cze 2007, 14:17

wklej do notatnika:

Windows Registry Editor Version 5.00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"nlsf"=-
"tscuninstall"=-

Plik >>> Zapisz jako >>> Zmień rozszerzenie z TXT na Wszystkie pliki >>> Zapisz pod nazwą FIX.REG >>> Uruchom plik FIX.REG

**Posty:** 68 · przez **Kajtek** 06 Cze 2007, 16:09

ok zrobione, to juz wszystko?

**Posty:** 18165 · przez **wojtas** 06 Cze 2007, 23:02

to juz wszystko?

tak

prosze o sprawdzenie loga

Prosze o sprawdzenie loga

Kto jest na forum