Recently my anti-virus detected some WMF exploit, and I'm asking for my log to be checked.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:33:40, on 2007-09-12
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\services.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [Sound Driver] C:\WINDOWS\services.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
ComboFix 07-09-10.6 - "Jacek" 2007-09-12 22:46:46.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1250.1.1045.18.50 [GMT 2:00]
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\iexplore.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\a.exe
C:\WINDOWS\system32\Cfx32.lic
C:\WINDOWS\system32\cfx32.ocx
((((((((((((((((((((((((( Files Created from 2007-08-12 to 2007-09-12 )))))))))))))))))))))))))))))))
.
2007-09-12 22:46 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-12 22:33 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-12 18:56 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys
2007-09-12 18:56 298,104 --a------ C:\WINDOWS\system32\imon.dll
2007-09-12 18:56 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys
2007-09-12 17:23 3 --a------ C:\WINDOWS\drivers.dll
2007-09-08 20:56 21,760 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2007-09-08 17:32 <DIR> d-------- C:\Program Files\MarBit
2007-09-06 17:47 <DIR> d-------- C:\Program Files\Alcohol Soft
2007-09-03 21:03 5,504 --------- C:\WINDOWS\system32\drivers\imagedrv.sys
2007-09-03 21:03 476,320 --------- C:\WINDOWS\system32\ImagXpr7.dll
2007-09-03 21:03 471,040 --------- C:\WINDOWS\system32\ImagXRA7.dll
2007-09-03 21:03 262,144 --------- C:\WINDOWS\system32\ImagXR7.dll
2007-09-03 21:03 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2007-09-03 21:03 125,184 --------- C:\WINDOWS\system32\drivers\imagesrv.sys
2007-09-03 21:03 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll
2007-09-03 21:03 1,568,768 --------- C:\WINDOWS\system32\ImagX7.dll
2007-09-03 21:03 <DIR> d-------- C:\Program Files\Common Files\Ahead
2007-09-03 21:02 <DIR> d-------- C:\Program Files\Ahead
2007-09-03 19:15 <DIR> d-------- C:\DOCUME~1\Jacek\DANEAP~1\Help
2007-09-02 13:39 <DIR> d-------- C:\Program Files\Three Rings Design
2007-09-01 20:00 <DIR> d-------- C:\DOCUME~1\Jacek\DANEAP~1\uTorrent
2007-09-01 19:34 <DIR> d-------- C:\Program Files\VS Online
2007-09-01 13:05 <DIR> d--h----- C:\WINDOWS\PIF
2007-09-01 12:53 176,640 --ahs---- C:\WINDOWS\system32\lotek.exe
2007-09-01 12:47 176,640 --ahs---- C:\WINDOWS\system32\program.exe
2007-08-30 15:58 <DIR> d-------- C:\DOCUME~1\Jacek\DANEAP~1\PC Tools
2007-08-30 15:11 172,032 --a------ C:\WINDOWS\system32\nvudisp.exe
2007-08-30 15:11 <DIR> d-------- C:\WINDOWS\nview
2007-08-30 12:39 4 --a------ C:\WINDOWS\system32\proc-220146841.bin
2007-08-30 12:39 <DIR> d-------- C:\DOCUME~1\Jacek\DANEAP~1\GanymedeNet
2007-08-29 22:02 <DIR> d-------- C:\Nowy folder
2007-08-29 14:47 <DIR> d-------- C:\Program Files\Ares
2007-08-29 14:36 <DIR> d---s---- C:\DOCUME~1\Jacek\UserData
2007-08-29 09:34 <DIR> d-------- C:\DOCUME~1\Jacek\.borland
2007-08-29 09:31 <DIR> d-------- C:\Program Files\Common Files\Borland Shared
2007-08-29 09:31 <DIR> d-------- C:\Program Files\Borland
2007-08-28 10:30 <DIR> d-------- C:\Program Files\ARPR
2007-08-28 10:23 <DIR> d-------- C:\Program Files\FDRLab
2007-08-28 06:29 <DIR> d-------- C:\Program Files\IrfanView
2007-08-24 16:23 <DIR> d-------- C:\Program Files\NVIDIA Corporation
2007-08-24 16:20 356,352 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2007-08-24 16:20 <DIR> d-------- C:\NVIDIA
2007-08-24 16:16 9,424 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-08-24 16:12 <DIR> d-------- C:\WINDOWS\NV780220.TMP
2007-08-24 15:30 <DIR> d-------- C:\WINDOWS\NV15521088.TMP
2007-08-24 15:29 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2007-08-23 17:30 <DIR> d-------- C:\DOCUME~1\Jacek\DANEAP~1\MSN6
2007-08-23 17:30 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DANEAP~1\MSN6
2007-08-23 16:17 <DIR> d-------- C:\DOCUME~1\Jacek\DANEAP~1\Lavasoft
2007-08-23 11:07 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-08-23 10:46 <DIR> d-------- C:\Program Files\SkanerOnline
2007-08-23 10:35 <DIR> d-------- C:\DOCUME~1\Jacek\DANEAP~1\WinRAR
2007-08-23 09:33 <DIR> d-------- C:\DOCUME~1\Jacek\DANEAP~1\Tibia
2007-08-23 09:32 57,856 --a------ C:\WINDOWS\system32\drivers\redbook.sys
2007-08-23 09:32 3,072 --a------ C:\WINDOWS\system32\drivers\audstub.sys
2007-08-23 09:32 27,392 --a------ C:\WINDOWS\system32\drivers\VIAAGP.SYS
2007-08-23 09:32 <DIR> d-------- C:\Program Files\Tibia
2007-08-23 09:31 70,144 --a------ C:\WINDOWS\system32\usbui.dll
2007-08-23 09:31 27,165 --a------ C:\WINDOWS\system32\drivers\fetnd5.sys
2007-08-23 09:30 <DIR> dr-h----- C:\DOCUME~1\DEFAUL~1\Ustawienia lokalne
2007-08-23 09:30 <DIR> dr-h----- C:\DOCUME~1\DEFAUL~1\Dane aplikacji
2007-08-23 09:30 <DIR> dr-h----- C:\DOCUME~1\ALLUSE~1\Dane aplikacji
2007-08-23 09:30 <DIR> dr------- C:\DOCUME~1\DEFAUL~1\Menu Start
2007-08-23 09:30 <DIR> dr------- C:\DOCUME~1\ALLUSE~1\Menu Start
2007-08-23 09:30 <DIR> dr------- C:\DOCUME~1\ALLUSE~1\Dokumenty
2007-08-23 09:30 <DIR> d--h----- C:\DOCUME~1\DEFAUL~1\Szablony
2007-08-23 09:30 <DIR> d--h----- C:\DOCUME~1\ALLUSE~1\Szablony
2007-08-23 09:30 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\Ulubione
2007-08-23 09:30 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\Pulpit
2007-08-23 09:30 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\Moje dokumenty
2007-08-23 09:30 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Ulubione
2007-08-23 09:30 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Pulpit
2007-08-23 09:26 499,712 --a------ C:\WINDOWS\system32\MSVCP71.dll
2007-08-23 09:26 348,160 --a------ C:\WINDOWS\system32\MSVCR71.dll
2007-08-23 09:26 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2007-08-23 09:26 <DIR> d-------- C:\Program Files\Alwil Software
2007-08-23 09:12 <DIR> d-------- C:\Program Files\Winamp
2007-08-23 09:10 <DIR> d-------- C:\DOCUME~1\Jacek\DANEAP~1\Gadu-Gadu
2007-08-23 09:08 <DIR> d-------- C:\Program Files\Gadu-Gadu
2007-08-23 09:08 <DIR> d-------- C:\DOCUME~1\Jacek\Gadu-Gadu
2007-08-23 09:06 1,670 --a------ C:\WINDOWS\mozver.dat
2007-08-23 09:00 0 --a------ C:\WINDOWS\nsreg.dat
2007-08-23 08:54 182,880 --a--c--- C:\WINDOWS\system32\dllcache\iuengine.dll
2007-08-23 08:54 182,880 --a------ C:\WINDOWS\system32\iuengine.dll
2007-08-23 08:54 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2007-08-23 08:51 7,040 -ra------ C:\WINDOWS\system32\ntsim.sys
2007-08-23 08:51 57,856 --a--c--- C:\WINDOWS\system32\dllcache\drmk.sys
2007-08-23 08:51 57,856 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2007-08-23 08:51 42,496 -ra------ C:\WINDOWS\system32\drivers\fetnd5b.sys
2007-08-23 08:51 36,864 --a------ C:\WINDOWS\system32\UnAudioNT.dll
2007-08-23 08:51 307,200 --a------ C:\WINDOWS\IsUn0415.exe
2007-08-23 08:51 134,272 --a--c--- C:\WINDOWS\system32\dllcache\portcls.sys
2007-08-23 08:51 134,272 --a------ C:\WINDOWS\system32\drivers\portcls.sys
2007-08-23 08:51 117,248 -ra------ C:\WINDOWS\system32\drivers\viaudios.sys
2007-08-23 08:51 <DIR> d-------- C:\Program Files\VIAudioi
2007-08-23 08:50 27,904 -ra------ C:\WINDOWS\system32\drivers\VIAAGP1.SYS
2007-08-23 08:49 36,224 --a--c--- C:\WINDOWS\system32\dllcache\isapnp.sys
2007-08-23 08:49 36,224 --a------ C:\WINDOWS\system32\drivers\isapnp.sys
2007-08-23 08:49 306,688 --a------ C:\WINDOWS\IsUninst.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-07-20 00:57 267112 --a------ C:\WINDOWS\system32\xactengine2_9.dll
2007-07-20 00:54 66408 --a------ C:\WINDOWS\system32\dxdllreg.exe
2007-07-20 00:54 18280 --a------ C:\WINDOWS\system32\x3daudio1_2.dll
2007-07-19 18:14 444776 --a------ C:\WINDOWS\system32\d3dx10_35.dll
2007-07-19 18:14 3727720 --a------ C:\WINDOWS\system32\d3dx9_35.dll
2007-07-19 18:14 1358192 --a------ C:\WINDOWS\system32\D3DCompiler_35.dll
2007-06-29 00:43 753664 --a------ C:\WINDOWS\system32\nvcplui.exe
2007-06-29 00:43 6234112 --a------ C:\WINDOWS\system32\nvdisps.dll
2007-06-29 00:43 5455872 --a------ C:\WINDOWS\system32\nvdispsr.dll
2007-06-29 00:43 458752 --a------ C:\WINDOWS\system32\nvmccssr.dll
2007-06-29 00:43 45056 --a------ C:\WINDOWS\system32\nvmccsrs.dll
2007-06-29 00:43 3600384 --a------ C:\WINDOWS\system32\nvvitvsr.dll
2007-06-29 00:43 3518464 --a------ C:\WINDOWS\system32\nvvitvs.dll
2007-06-29 00:43 3321856 --a------ C:\WINDOWS\system32\nvgames.dll
2007-06-29 00:43 3072000 --a------ C:\WINDOWS\system32\nvgamesr.dll
2007-06-29 00:43 307200 --a------ C:\WINDOWS\system32\nvexpbar.dll
2007-06-29 00:43 2854912 --a------ C:\WINDOWS\system32\nvmoblsr.dll
2007-06-29 00:43 2416640 --a------ C:\WINDOWS\system32\nvwssr.dll
2007-06-29 00:43 2330624 --a------ C:\WINDOWS\system32\nvwss.dll
2007-06-29 00:43 188416 --a------ C:\WINDOWS\system32\nvmccss.dll
2007-06-29 00:43 1142784 --a------ C:\WINDOWS\system32\nvmobls.dll
2007-06-29 00:43 1073152 --a------ C:\WINDOWS\system32\nvcpluir.dll
2007-06-20 20:46 266088 --a------ C:\WINDOWS\system32\xactengine2_8.dll
--------- C:\Program Files\Usługi online
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2004-10-29 10:50]
"nwiz"="nwiz.exe" [2004-10-29 10:50 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2004-10-29 10:50]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-09-12 18:55]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2002-09-20 20:05]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 15:08]
"ares"="C:\Program Files\Ares\Ares.exe" [2007-05-04 02:32]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-07-09 09:39]
"Sound Driver"="C:\WINDOWS\services.exe" []
S3 NTSIM;NTSIM;\??\C:\WINDOWS\System32\ntsim.sys
*Newly Created Service* - CATCHME
.
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-12 22:47:28
Windows 5.1.2600 Dodatek Service Pack. 1 NTFS
scanning hidden processes ...
C:\WINDOWS\system32\cmd.exe [1108] 0x81398020
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-09-12 22:47:57
C:\ComboFix-quarantined-files.txt ... 2007-09-12 22:47
.
--- E O F ---
"Silent Runners.vbs", revision 52, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\System32\ctfmon.exe" [MS]
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"ares" = ""C:\Program Files\Ares\Ares.exe" -h" ["Ares Development Group"]
"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu S.A."]
"Sound Driver" = "C:\WINDOWS\services.exe" [empty string]
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit" [MS]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"nod32kui" = ""C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE" ["Eset "]
HKLM\Software\Microsoft\Active Setup\Installed Components\
{306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default) = (no title provided)
\StubPath = ""C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
-> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {HKLM...CLSID} = "DesktopContext Class"
\InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {HKLM...CLSID} = "NVIDIA CPL Extension"
\InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {HKLM...CLSID} = "nView Desktop Context Menu"
\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{B089FE88-FB52-11D3-BDF1-0050DA34150D}" = "NOD32 Context Menu Shell Extension"
-> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"
-> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"
-> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------
Note: detected settings may not have any effect.
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}
Active Desktop and Wallpaper:
-----------------------------
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\web\wallpaper\Idylla.bmp"
Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Jacek\Dane aplikacji\Mozilla\Firefox\Tapeta pulpitu.bmp"
Enabled Screen Saver:
---------------------
HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\WINDOWS\System32\imon.dll ["Eset "], 01 - 05, 17
%SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 11 - 16
%SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
NOD32 Kernel Service, NOD32krn, ""C:\Program Files\Eset\nod32krn.exe"" ["Eset "]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]
---------- (launch time: 2007-09-12 22:41:31)
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 81 seconds, including 18 seconds for message boxes)