proszę o sprawdzenie loga

[armasis]

witam od 2 dni anttivir wykrywa mi Bankera, próbuje go usunąć ale nic z tego log z hijack

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:20:11, on 2007-07-22
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
D:\Spyware Terminator\SpywareTerminatorShield.exe
D:\nagrywara\PowerDVD\PDVDServ.exe
C:\Program Files\Jetico\Jetico Personal Firewall\fwsrv.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
D:\icq\X_icq-pl.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
D:\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\winsrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
E:\download\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wp.pl/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
F2 - REG:system.ini: Shell=Explorer.exe %WINDIR%\winsrv.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\adobe acrobat\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SpywareTerminator] "D:\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] D:\nagrywara\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [JeticoPFStartup] "C:\Program Files\Jetico\Jetico Personal Firewall\fwsrv.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: ICQ-PL - Auto Update.lnk = D:\icq\icq-pl.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = D:\OFFICE\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - D:\Spyware Terminator\sp_rsser.exe
O23 - Service: Windows service - Unknown owner - C:\WINDOWS\winsrv.exe

[wojtas]

skasuj wpisy"

F2 - REG:system.ini: Shell=Explorer.exe %WINDIR%\winsrv.exe
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)

start -> uruchom -> services.msc -> zatrzymaj i wyłącz usługe Windows service

potem skasujesz pogrubiony do kosza i wpis w hijacku (jesli bedzie)

O23 - Service: Windows service - Unknown owner - C:\WINDOWS\winsrv.exe

[armasis]

start -> uruchom -> services.msc -> zatrzymaj i wyłącz usługe Windows service

nie moge wylaczyc tej usługi bo nie podswietlaja mi sie opcje zatrzymaj:/

[wojtas]

to start>uruchom>cmd>wpisz

sc stop Windows service

enter

sc delete Windows service

enter

i reszte usuwasz tak jak kazalem

[armasis]

ok poradziłem sobie....ale banker nadal jest wykrywany:/

[wojtas]

ale banker nadal jest wykrywany:/

pokaz screena
daj loga z hijacka oraz z combofixa

[armasis]

combofix log:

ComboFix 07-07-14.6 NTFS


((((((((((((((((((((((((( Files Created from 2007-06-22 to 2007-07-22 )))))))))))))))))))))))))))))))


2007-07-22 20:53 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-22 19:18 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2007-07-22 13:18 <DIR> d-------- C:\WINDOWS\pss
2007-07-22 12:39 <DIR> d-------- C:\WINDOWS\Prefetch
2007-07-22 12:35 44,032 -ra------ C:\WINDOWS\system32\msxml3r.dll
2007-07-22 12:32 <DIR> d-------- C:\Program Files\Movie Maker
2007-07-22 12:28 23,070 --a------ C:\WINDOWS\system32\drivers\RTL8139.sys
2007-07-22 12:25 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2007-07-22 12:25 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2007-07-21 13:58 625,152 --a------ C:\WINDOWS\system32\ple.exe
2007-07-21 13:47 <DIR> d-------- C:\Program Files\RegCleaner
2007-07-21 10:13 625,152 --------- C:\WINDOWS\winsrv.exe.vir
2007-07-21 10:02 <DIR> d-------- C:\Program Files\Messenger
2007-07-18 09:03 <DIR> d-------- C:\Temp
2007-07-14 12:48 135,168 --a------ C:\WINDOWS\system32\erw.exe
2007-07-12 17:46 50,688 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2007-07-12 17:46 372,736 -ra------ C:\WINDOWS\system32\LVUI2RC.dll
2007-07-12 17:46 22,016 -ra------ C:\WINDOWS\system32\drivers\LVUSBSta.sys
2007-07-12 17:46 211,712 -ra------ C:\WINDOWS\system32\drivers\LV561AV.SYS
2007-07-12 17:46 204,800 -ra------ C:\WINDOWS\system32\LVUI2.dll
2007-07-12 17:46 204,800 -ra------ C:\WINDOWS\system32\lvcodec2.dll
2007-07-12 17:46 2,180,096 -ra------ C:\WINDOWS\system32\drivers\lvsvf2.sys
2007-07-12 17:46 106,496 -ra------ C:\WINDOWS\system32\lvcoinst.dll
2007-07-12 17:44 1,129,472 --a------ C:\WINDOWS\system32\msxml3.dll
2007-07-12 17:42 997,888 --a------ C:\WINDOWS\system32\wmvdmoe2.dll
2007-07-12 17:42 892,416 --a------ C:\WINDOWS\system32\wmspdmoe.dll
2007-07-12 17:42 486,536 --a------ C:\WINDOWS\system32\wmspdmod.dll
2007-07-12 17:42 384,512 --a------ C:\WINDOWS\system32\mp4sdmod.dll
2007-07-12 17:42 316,040 --a------ C:\WINDOWS\system32\mp43dmod.dll
2007-07-12 17:42 143,360 --a------ C:\WINDOWS\system32\wmidx.dll
2007-07-12 17:42 1,111,040 --a------ C:\WINDOWS\system32\wmsdmoe2.dll
2007-07-12 17:38 53,248 -ra------ C:\WINDOWS\system32\InstMed.exe
2007-07-12 17:37 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2007-07-12 17:37 856,064 --a------ C:\WINDOWS\system32\Ltwvc12n.dll
2007-07-12 17:37 78,336 --a------ C:\WINDOWS\system32\lffax12n.dll
2007-07-12 17:37 65,536 --a------ C:\WINDOWS\system32\MFC71DEU.DLL
2007-07-12 17:37 61,440 --a------ C:\WINDOWS\system32\MFC71ITA.DLL
2007-07-12 17:37 61,440 --a------ C:\WINDOWS\system32\MFC71ESP.DLL
2007-07-12 17:37 57,344 --a------ C:\WINDOWS\system32\MFC71ENU.DLL
2007-07-12 17:37 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-07-12 17:37 49,152 --a------ C:\WINDOWS\system32\MFC71KOR.DLL
2007-07-12 17:37 49,152 --a------ C:\WINDOWS\system32\MFC71JPN.DLL
2007-07-12 17:37 466,944 --a------ C:\WINDOWS\system32\QCUI2.dll
2007-07-12 17:37 462,848 --a------ C:\WINDOWS\system32\LCamCpl.dll
2007-07-12 17:37 45,056 --a------ C:\WINDOWS\system32\MFC71CHT.DLL
2007-07-12 17:37 406,016 --a------ C:\WINDOWS\system32\ltkrn12n.dll
2007-07-12 17:37 40,960 --a------ C:\WINDOWS\system32\MFC71CHS.DLL
2007-07-12 17:37 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-07-12 17:37 328,704 --a------ C:\WINDOWS\system32\LFCMP12n.DLL
2007-07-12 17:37 30,720 --a------ C:\WINDOWS\system32\lfbmp12n.dll
2007-07-12 17:37 259,072 --a------ C:\WINDOWS\system32\LTDIS12n.dll
2007-07-12 17:37 215,552 --a------ C:\WINDOWS\system32\Lvkrn12n.dll
2007-07-12 17:37 207,872 --a------ C:\WINDOWS\system32\ltefx12n.dll
2007-07-12 17:37 164,864 --a------ C:\WINDOWS\system32\ltimg12n.dll
2007-07-12 17:37 141,312 --a------ C:\WINDOWS\system32\lftif12n.dll
2007-07-12 17:37 131,072 --a------ C:\WINDOWS\system32\ltfil12n.DLL
2007-07-12 17:37 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2007-07-12 17:37 1,047,552 --a------ C:\WINDOWS\system32\MFC71u.dll
2007-07-12 17:37 <DIR> d-------- C:\Program Files\Common Files\Logitech
2007-07-12 17:36 90,112 --a------ C:\WINDOWS\system32\LQCUI2.dll
2007-07-12 17:35 <DIR> d-------- C:\Program Files\Logitech
2007-07-12 17:28 <DIR> d-------- C:\WUTemp
2007-07-09 14:41 <DIR> d-------- C:\DOCUME~1\ja1\DANEAP~1\CyberLink
2007-07-01 07:32 <DIR> d-------- C:\Program Files\Jetico


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-22 11:04:46 -------- d-----w C:\Program Files\Mozilla Thunderbird
2007-07-22 10:45:37 46,756 ----a-w C:\WINDOWS\system32\perfc015.dat
2007-07-22 10:45:37 349,454 ----a-w C:\WINDOWS\system32\perfh015.dat
2007-07-22 10:43:54 42,496 ----a-w C:\WINDOWS\system32\ftp.exe
2007-07-22 10:43:54 16,896 ----a-w C:\WINDOWS\system32\tftp.exe
2007-07-22 10:40:00 133,120 ------w C:\WINDOWS\system32\sfc_os.dll
2007-07-22 10:31:07 23,072 -c--a-w C:\WINDOWS\system32\emptyregdb.dat
2007-07-22 10:30:30 -------- d--h--w C:\Program Files\WindowsUpdate
2007-07-21 19:20:40 -------- d-----w C:\DOCUME~1\ja1\DANEAP~1\Skype
2007-07-15 12:55:29 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-12 04:51:30 -------- d-----w C:\Program Files\Winamp
2007-06-11 15:59:25 -------- d-----w C:\Program Files\DFX
2007-06-11 15:58:09 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-06-10 15:03:10 176,128 ----a-w C:\WINDOWS\system32\sqw.exe
2007-06-07 20:04:25 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-06-02 14:27:53 7,891 ----a-w C:\WINDOWS\mozver.dat
2007-05-30 15:03:06 -------- d-----w C:\Program Files\Borland
2007-05-28 19:09:02 -------- d-----w C:\DOCUME~1\ja1\DANEAP~1\Media Player Classic
2007-05-25 04:19:47 -------- d-----w C:\DOCUME~1\ja1\DANEAP~1\OpenOffice.org2
2007-05-22 17:52:32 -------- d-----w C:\DOCUME~1\ja1\DANEAP~1\Microsoft Web Folders
2007-05-22 17:52:11 -------- d-----w C:\Program Files\microsoft frontpage
2007-05-22 14:15:47 -------- d-----w C:\DOCUME~1\ja1\DANEAP~1\Help
2007-05-20 12:53:22 100,483 -c--a-w C:\WINDOWS\UninstallFirefox.exe
2007-05-20 12:18:17 56 -csha-r C:\WINDOWS\system32\CF31124928.sys
2007-05-20 12:18:17 1,682 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-05-20 11:43:57 0 --sha-r C:\MSDOS.SYS
2007-05-20 11:43:57 0 --sha-r C:\IO.SYS
2007-05-20 11:43:57 0 ----a-w C:\CONFIG.SYS
2007-05-20 11:43:57 0 ----a-w C:\AUTOEXEC.BAT
2005-03-31 20:17:42 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2007-05-20 14:24]
"JeticoPFStartup"="C:\Program Files\Jetico\Jetico Personal Firewall\fwsrv.exe" [2005-07-19 08:22]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2001-10-26 19:29]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
"C:\Program Files\Logitech\Video\ManifestEngine.exe" boot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
C:\Program Files\Logitech\Video\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
C:\Program Files\Logitech\Video\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
D:\nagrywara\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpywareTerminator]
"D:\Spyware Terminator\SpywareTerminatorShield.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - netsvcs
6to4
AppMgmt
AudioSrv
Browser
CryptSvc
DMServer
DHCP
ERSvc
FastUserSwitchingCompatibility
HidServ
LanmanServer
LanmanWorkstation
Messenger
Nla
NWCWorkstation
Schedule
Seclogon
SRService
Themes
TrkWks
W32Time
Wmi
WmdmPmSp
winmgmt
TermService
wuauserv
BITS
ShellHWDetection
helpsvc
uploadmgr


HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{ACC563BC-4266-43f0-B6ED-9D38C4202C7E}
rundll32 iesetup.dll,IEAccessUserInst

hijack log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:03:04, on 2007-07-22
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Jetico\Jetico Personal Firewall\fwsrv.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
E:\download\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wp.pl/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [JeticoPFStartup] "C:\Program Files\Jetico\Jetico Personal Firewall\fwsrv.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe

[/img]

[wojtas]

Pobierz i uruchom narzędzie
The Avenger
Zaznacz opcję Input script manually i kliknij na Lupkę z prawej strony. W okienku, które się otworzy wklejasz:

Files to delete:

C:\WINDOWS\winsrv.exe.vir
C:\WINDOWS\system32\ple.exe
C:\WINDOWS\system32\erw.exe
C:\WINDOWS\system32\sqw.exe

Klikasz Done, a następnie zielone światełko i zgadzasz się na restart klikając OK.

ale banker nadal jest wykrywany:/

daj screena

[armasis]

[wojtas]

wykonaj co kazalem z avnegerem i daj nowe logi

[armasis]

po użyciu avangera logi :

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:13:44, on 2007-07-23
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Jetico\Jetico Personal Firewall\fwsrv.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\icq\ICQLite.exe
D:\Ad-Aware SE Personal\Ad-Aware.exe
C:\WINDOWS\explorer.exe
E:\download\HiJackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wp.pl/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [JeticoPFStartup] "C:\Program Files\Jetico\Jetico Personal Firewall\fwsrv.exe"
O4 - HKLM\..\RunOnce: [AAW] "D:\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] D:\icq\ICQLite.exe -trayboot
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe

((((((((((((((((((((((((( Files Created from 2007-06-23 to 2007-07-23 )))))))))))))))))))))))))))))))


2007-07-22 20:53 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-22 19:18 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2007-07-22 13:18 <DIR> d-------- C:\WINDOWS\pss
2007-07-22 12:39 <DIR> d-------- C:\WINDOWS\Prefetch
2007-07-22 12:35 44,032 -ra------ C:\WINDOWS\system32\msxml3r.dll
2007-07-22 12:32 <DIR> d-------- C:\Program Files\Movie Maker
2007-07-22 12:28 23,070 --a------ C:\WINDOWS\system32\drivers\RTL8139.sys
2007-07-22 12:25 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2007-07-22 12:25 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2007-07-21 13:47 <DIR> d-------- C:\Program Files\RegCleaner
2007-07-21 10:02 <DIR> d-------- C:\Program Files\Messenger
2007-07-18 09:03 <DIR> d-------- C:\Temp
2007-07-12 17:46 50,688 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2007-07-12 17:46 372,736 -ra------ C:\WINDOWS\system32\LVUI2RC.dll
2007-07-12 17:46 22,016 -ra------ C:\WINDOWS\system32\drivers\LVUSBSta.sys
2007-07-12 17:46 211,712 -ra------ C:\WINDOWS\system32\drivers\LV561AV.SYS
2007-07-12 17:46 204,800 -ra------ C:\WINDOWS\system32\LVUI2.dll
2007-07-12 17:46 204,800 -ra------ C:\WINDOWS\system32\lvcodec2.dll
2007-07-12 17:46 2,180,096 -ra------ C:\WINDOWS\system32\drivers\lvsvf2.sys
2007-07-12 17:46 106,496 -ra------ C:\WINDOWS\system32\lvcoinst.dll
2007-07-12 17:44 1,129,472 --a------ C:\WINDOWS\system32\msxml3.dll
2007-07-12 17:42 997,888 --a------ C:\WINDOWS\system32\wmvdmoe2.dll
2007-07-12 17:42 892,416 --a------ C:\WINDOWS\system32\wmspdmoe.dll
2007-07-12 17:42 486,536 --a------ C:\WINDOWS\system32\wmspdmod.dll
2007-07-12 17:42 384,512 --a------ C:\WINDOWS\system32\mp4sdmod.dll
2007-07-12 17:42 316,040 --a------ C:\WINDOWS\system32\mp43dmod.dll
2007-07-12 17:42 143,360 --a------ C:\WINDOWS\system32\wmidx.dll
2007-07-12 17:42 1,111,040 --a------ C:\WINDOWS\system32\wmsdmoe2.dll
2007-07-12 17:38 53,248 -ra------ C:\WINDOWS\system32\InstMed.exe
2007-07-12 17:37 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2007-07-12 17:37 856,064 --a------ C:\WINDOWS\system32\Ltwvc12n.dll
2007-07-12 17:37 78,336 --a------ C:\WINDOWS\system32\lffax12n.dll
2007-07-12 17:37 65,536 --a------ C:\WINDOWS\system32\MFC71DEU.DLL
2007-07-12 17:37 61,440 --a------ C:\WINDOWS\system32\MFC71ITA.DLL
2007-07-12 17:37 61,440 --a------ C:\WINDOWS\system32\MFC71ESP.DLL
2007-07-12 17:37 57,344 --a------ C:\WINDOWS\system32\MFC71ENU.DLL
2007-07-12 17:37 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-07-12 17:37 49,152 --a------ C:\WINDOWS\system32\MFC71KOR.DLL
2007-07-12 17:37 49,152 --a------ C:\WINDOWS\system32\MFC71JPN.DLL
2007-07-12 17:37 466,944 --a------ C:\WINDOWS\system32\QCUI2.dll
2007-07-12 17:37 462,848 --a------ C:\WINDOWS\system32\LCamCpl.dll
2007-07-12 17:37 45,056 --a------ C:\WINDOWS\system32\MFC71CHT.DLL
2007-07-12 17:37 406,016 --a------ C:\WINDOWS\system32\ltkrn12n.dll
2007-07-12 17:37 40,960 --a------ C:\WINDOWS\system32\MFC71CHS.DLL
2007-07-12 17:37 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-07-12 17:37 328,704 --a------ C:\WINDOWS\system32\LFCMP12n.DLL
2007-07-12 17:37 30,720 --a------ C:\WINDOWS\system32\lfbmp12n.dll
2007-07-12 17:37 259,072 --a------ C:\WINDOWS\system32\LTDIS12n.dll
2007-07-12 17:37 215,552 --a------ C:\WINDOWS\system32\Lvkrn12n.dll
2007-07-12 17:37 207,872 --a------ C:\WINDOWS\system32\ltefx12n.dll
2007-07-12 17:37 164,864 --a------ C:\WINDOWS\system32\ltimg12n.dll
2007-07-12 17:37 141,312 --a------ C:\WINDOWS\system32\lftif12n.dll
2007-07-12 17:37 131,072 --a------ C:\WINDOWS\system32\ltfil12n.DLL
2007-07-12 17:37 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2007-07-12 17:37 1,047,552 --a------ C:\WINDOWS\system32\MFC71u.dll
2007-07-12 17:37 <DIR> d-------- C:\Program Files\Common Files\Logitech
2007-07-12 17:36 90,112 --a------ C:\WINDOWS\system32\LQCUI2.dll
2007-07-12 17:35 <DIR> d-------- C:\Program Files\Logitech
2007-07-12 17:28 <DIR> d-------- C:\WUTemp
2007-07-09 14:41 <DIR> d-------- C:\DOCUME~1\ja1\DANEAP~1\CyberLink
2007-07-01 07:32 <DIR> d-------- C:\Program Files\Jetico


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-23 17:04:56 -------- d-----w C:\DOCUME~1\ja1\DANEAP~1\Skype
2007-07-23 13:39:26 -------- d-----w C:\Program Files\Mozilla Thunderbird
2007-07-22 10:45:37 46,756 ----a-w C:\WINDOWS\system32\perfc015.dat
2007-07-22 10:45:37 349,454 ----a-w C:\WINDOWS\system32\perfh015.dat
2007-07-22 10:43:54 42,496 ----a-w C:\WINDOWS\system32\ftp.exe
2007-07-22 10:43:54 16,896 ----a-w C:\WINDOWS\system32\tftp.exe
2007-07-22 10:40:00 133,120 ------w C:\WINDOWS\system32\sfc_os.dll
2007-07-22 10:31:07 23,072 -c--a-w C:\WINDOWS\system32\emptyregdb.dat
2007-07-22 10:30:30 -------- d--h--w C:\Program Files\WindowsUpdate
2007-07-15 12:55:29 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-12 04:51:30 -------- d-----w C:\Program Files\Winamp
2007-06-11 15:59:25 -------- d-----w C:\Program Files\DFX
2007-06-11 15:58:09 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-06-07 20:04:25 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-06-02 14:27:53 7,891 ----a-w C:\WINDOWS\mozver.dat
2007-05-30 15:03:06 -------- d-----w C:\Program Files\Borland
2007-05-28 19:09:02 -------- d-----w C:\DOCUME~1\ja1\DANEAP~1\Media Player Classic
2007-05-25 04:19:47 -------- d-----w C:\DOCUME~1\ja1\DANEAP~1\OpenOffice.org2
2007-05-20 12:53:22 100,483 -c--a-w C:\WINDOWS\UninstallFirefox.exe
2007-05-20 12:18:17 56 -csha-r C:\WINDOWS\system32\CF31124928.sys
2007-05-20 12:18:17 1,682 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-05-20 11:43:57 0 --sha-r C:\MSDOS.SYS
2007-05-20 11:43:57 0 --sha-r C:\IO.SYS
2007-05-20 11:43:57 0 ----a-w C:\CONFIG.SYS
2007-05-20 11:43:57 0 ----a-w C:\AUTOEXEC.BAT
2005-03-31 20:17:42 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2007-05-20 14:24]
"JeticoPFStartup"="C:\Program Files\Jetico\Jetico Personal Firewall\fwsrv.exe" [2005-07-19 08:22]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2001-10-26 19:29]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"AAW"="D:\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
"C:\Program Files\Logitech\Video\ManifestEngine.exe" boot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
C:\Program Files\Logitech\Video\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
C:\Program Files\Logitech\Video\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
D:\nagrywara\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpywareTerminator]
"D:\Spyware Terminator\SpywareTerminatorShield.exe"


HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{ACC563BC-4266-43f0-B6ED-9D38C4202C7E}
rundll32 iesetup.dll,IEAccessUserInst

[wojtas]

ten plik w ktorym jest wykrywany wirus jest prawidlowym plikem..

sciagnij moze ten plik i go podmien (wrzuc do C:\WINDOWS\System32\)

[armasis]

nie można podmieniś wyswietla sie okienko w ktorym pisze ze plik jest jest uzywany przez inna osobe lub program:/

[wojtas]

a w trybie awaryjnym