Najpierw zrobiłem to, co napisał "okocza".....ale SDFixa nie udało się włączyć....cały czas brakowało 3 plików
później zrobiłem wszystko z postu "wojtasa"....wklejam log z Combofixa:
ComboFix 08-03-30.5 - HoUsEmuSic 2008-04-01 19:23:38.2 - FAT32x86
Running from: C:\instalki\ComboFix.exe
Command switches used :: C:\instalki\CFScript.txt
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
F:\Program Files\bit.bat
F:\Program Files\bit2.bat
F:\Program Files\bit3.bat
F:\Program Files\inc1.bat
F:\Program Files\sleep.bat
F:\Program Files\temp1.exe.txt
F:\Program Files\temp2.exe.txt
F:\Program Files\temp3.exe.txt
F:\WINDOWS\ccpa.exe
F:\WINDOWS\system32\bkfkque.exe
F:\WINDOWS\system32\msygl32.exe
F:\WINDOWS\system32\rdriv.sys
F:\WINDOWS\system32\redyLive.exe
F:\WINDOWS\system32\x
F:\WINDOWS\system32\xpsp1hfm.exe
F:\WINDOWS\Tasks\B30ACA65954D402D.job
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
F:\Program Files\bit.bat
F:\Program Files\bit2.bat
F:\Program Files\bit3.bat
F:\Program Files\inc1.bat
F:\Program Files\sleep.bat
F:\Program Files\temp1.exe.txt
F:\Program Files\temp2.exe.txt
F:\Program Files\temp3.exe.txt
F:\WINDOWS\ccpa.exe
F:\WINDOWS\system32\bkfkque.exe
F:\WINDOWS\system32\msygl32.exe
F:\WINDOWS\system32\rdriv.sys
F:\WINDOWS\system32\redyLive.exe
F:\WINDOWS\system32\xpsp1hfm.exe
F:\WINDOWS\Tasks\B30ACA65954D402D.job
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_RDRIV
-------\Legacy_WINDOWSYS
-------\Service_rdriv
-------\Service_windowsys
((((((((((((((((((((((((( Files Created from 2008-03-01 to 2008-04-01 )))))))))))))))))))))))))))))))
.
2008-04-01 16:16 . 2008-04-01 16:16 81,920 ---hs---- F:\WINDOWS\system32\slsass.exe
2008-03-31 20:05 . 2008-03-31 20:11 352 --a------ F:\WINDOWS\system32\tmp.reg
2008-03-31 20:03 . 2007-09-05 23:22 289,144 --a------ F:\WINDOWS\system32\VCCLSID.exe
2008-03-31 20:03 . 2006-04-27 16:49 288,417 --a------ F:\WINDOWS\system32\SrchSTS.exe
2008-03-31 20:03 . 2008-03-28 23:19 86,528 --a------ F:\WINDOWS\system32\VACFix.exe
2008-03-31 20:03 . 2008-03-26 08:50 82,432 --a------ F:\WINDOWS\system32\IEDFix.exe
2008-03-31 20:03 . 2003-06-05 20:13 53,248 --a------ F:\WINDOWS\system32\Process.exe
2008-03-31 20:03 . 2004-07-31 17:50 51,200 --a------ F:\WINDOWS\system32\dumphive.exe
2008-03-31 20:03 . 2007-10-03 23:36 25,600 --a------ F:\WINDOWS\system32\WS2Fix.exe
2008-03-31 19:51 . 2004-12-04 12:56 <DIR> d--h----- F:\Documents and Settings\Administrator\Ustawienia lokalne
2008-03-31 19:51 . 2004-12-04 12:56 <DIR> d-------- F:\Documents and Settings\Administrator\Ulubione
2008-03-31 19:51 . 2004-12-04 12:56 <DIR> d--h----- F:\Documents and Settings\Administrator\Szablony
2008-03-31 19:51 . 2004-12-04 12:56 <DIR> d-------- F:\Documents and Settings\Administrator\Pulpit
2008-03-31 19:51 . 2004-12-04 12:56 <DIR> d-------- F:\Documents and Settings\Administrator\Moje dokumenty
2008-03-31 19:51 . 2004-12-04 12:56 <DIR> dr------- F:\Documents and Settings\Administrator\Menu Start
2008-03-31 19:51 . 2004-12-04 12:56 <DIR> dr-h----- F:\Documents and Settings\Administrator\Dane aplikacji
2008-03-31 19:48 . 2008-03-31 10:34 <DIR> d-------- F:\SDFix
2008-03-31 19:39 . 2008-03-31 19:41 151,552 --a------ F:\WINDOWS\system32\Java32.com
2008-03-31 19:05 . 2008-03-31 19:11 250 --a------ F:\WINDOWS\gmer.ini
2008-03-26 21:35 . 2008-03-26 21:35 <DIR> d--h----- F:\WINDOWS\$xpsp1hfm$
2008-03-26 20:09 . 2008-03-26 20:09 33,952 --a------ F:\WINDOWS\system32\drivers\oreans32.sys
2008-03-24 18:07 . 2008-03-24 18:07 54,156 --ah----- F:\WINDOWS\QTFont.qfn
2008-03-24 18:07 . 2008-03-24 18:07 1,409 --a------ F:\WINDOWS\QTFont.for
2008-03-12 00:34 . 2008-03-12 00:35 <DIR> d-------- F:\Program Files\Shockwave.com
2008-03-06 18:30 . 2007-12-04 15:44 23,600 --a------ F:\WINDOWS\system32\drivers\TVICHW32.SYS
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-01 17:25 524,288 ---ha-w F:\Documents and Settings\NetworkService.ZARZąDZANIE NT\NTUSER.DAT
2008-04-01 17:25 524,288 ---ha-w F:\Documents and Settings\NetworkService.ZARZąDZANIE NT\NTUSER.DAT
2008-04-01 17:25 524,288 ---ha-w F:\Documents and Settings\LocalService.ZARZąDZANIE NT\NTUSER.DAT
2008-04-01 17:25 524,288 ---ha-w F:\Documents and Settings\LocalService.ZARZąDZANIE NT\NTUSER.DAT
2008-03-12 21:18 45,056 ----a-w F:\WINDOWS\NCUNINST.EXE
2008-01-17 17:06 1,594,396 ----a-w F:\WINDOWS\WANEUninstaller.exe
.
((((((((((((((((((((((((((((( snapshot@2008-04-01_16.15.12.88 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-03-31 17:45:34 16,384 ----a-w F:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-04-01 14:16:34 16,384 ----a-w F:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-03-31 17:45:34 32,768 ----a-w F:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Historia\History.IE5\index.dat
+ 2008-04-01 14:16:34 32,768 ----a-w F:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Historia\History.IE5\index.dat
- 2008-03-31 17:45:34 32,768 ----a-w F:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Temporary Internet Files\Content.IE5\index.dat
+ 2008-04-01 14:16:34 32,768 ----a-w F:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Temporary Internet Files\Content.IE5\index.dat
- 2006-01-09 18:04:16 52,764 ----a-w F:\WINDOWS\system32\perfc009.dat
+ 2008-04-01 14:15:44 52,764 ----a-w F:\WINDOWS\system32\perfc009.dat
- 2006-01-09 18:04:16 67,078 ----a-w F:\WINDOWS\system32\perfc015.dat
+ 2008-04-01 14:15:44 67,078 ----a-w F:\WINDOWS\system32\perfc015.dat
- 2006-01-09 18:04:16 380,350 ----a-w F:\WINDOWS\system32\perfh009.dat
+ 2008-04-01 14:15:44 380,350 ----a-w F:\WINDOWS\system32\perfh009.dat
- 2006-01-09 18:04:16 435,978 ----a-w F:\WINDOWS\system32\perfh015.dat
+ 2008-04-01 14:15:44 435,978 ----a-w F:\WINDOWS\system32\perfh015.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"skrzynka bogiego"="C:\Tools\skrzynka bogiego\skrzynka.exe" [2002-04-11 22:22 997888]
"IncrediMail"="C:\Tools\INCRED~1\bin\IncMail.exe" [2004-11-14 16:26 188459]
"Gadu-Gadu"="C:\Tools\Gadu-Gadu\gg.exe" [2006-01-31 14:25 2408448]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="F:\Program Files\Eset\nod32kui.exe" [2006-01-22 10:49 921600]
"WinDLL (slsass.exe)"="F:\WINDOWS\System32\slsass.exe" [2008-04-01 16:16 81920]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="F:\WINDOWS\System32\CTFMON.EXE" [2001-10-26 17:29 13312]
"Gadu-Gadu"="C:\Tools\Gadu-Gadu\gg.exe" [2006-01-31 14:25 2408448]
"IncrediMail"="C:\Tools\IncrediMail\bin\IncMail.exe" [2004-11-14 16:26 188459]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{35B2861B-2B26-4691-9FF0-09083722C736}"= F:\WINDOWS\System32\RadExe.dll [2004-11-28 22:39 212992]
[HKLM\~\startupfolder\F:^Documents and Settings^All Users^Menu Start^Programy^Autostart^ Labtec Mouse Software 2.0.lnk]
path=F:\Documents and Settings\All Users\Menu Start\Programy\Autostart\ Labtec Mouse Software 2.0.lnk
backup=F:\WINDOWS\pss\ Labtec Mouse Software 2.0.lnkCommon Startup
[HKLM\~\startupfolder\F:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Gamma Loader.lnk]
path=F:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Gamma Loader.lnk
backup=F:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdStatus Service]
F:\Program Files\AdStatus Service\AdStatServ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2004-11-30 21:10 344064 F:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
F:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMExtreme]
C:\Tools\BMExtreme\BMExtreme.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2001-10-26 17:29 13312 F:\WINDOWS\System32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSetupPatch]
F:\PROGRA~1\Creative\Audio\CTSetup\CtSetup.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cuub]
F:\Documents and Settings\HoUsEmuSic\Dane aplikacji\cruo.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeskAd Service]
F:\Program Files\DeskAd Service\DeskAdServ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
C:\Tools\Nero 7.0\InCD\InCD.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
F:\WINDOWS\system32\dumprep 0 -k
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
F:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2001-07-09 11:50 155648 F:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 F:\WINDOWS\System32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Booster]
C:\Tools\PC Booster\PCBooster.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2004-12-18 22:40 98304 C:\tools\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2005-02-13 12:28 180269 F:\Program Files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
C:\Tools\RegistryBooster 2\RegistryBooster.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="F:\Program Files\Messenger\msmsgs.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\tools\QuickTime\qttask.exe" -atboottime
"TkBellExe"="F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"DeskAd Service"=F:\Program Files\DeskAd Service\DeskAdServ.exe
"HydraVisionViewPort"=C:\Tools\ATI Technologies\ATI HydraVision\HydraMD.exe
"CTHelper"=CTHELPER.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-01 19:27:05
Windows 5.1.2600 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: F:\WINDOWS\system32\winlogon.exe
-> F:\WINDOWS\system32\Ati2evxx.dll
PROCESS: F:\WINDOWS\system32\lsass.exe
-> F:\Program Files\Eset\pr_imon.dll
PROCESS: F:\WINDOWS\explorer.exe
-> C:\Tools\Gadu-Gadu\ggwhook.dll
.
------------------------ Other Running Processes ------------------------
.
F:\WINDOWS\System32\Ati2evxx.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\System32\rundll32.exe
F:\WINDOWS\System32\drivers\CDAC11BA.EXE
F:\WINDOWS\System32\CTsvcCDA.exe
C:\Tools\INCRED~1\bin\IMApp.exe
F:\Program Files\Eset\nod32krn.exe
F:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
F:\WINDOWS\System32\MsPMSPSv.exe
F:\WINDOWS\system32\cmd.exe
F:\WINDOWS\system32\ftp.exe
F:\WINDOWS\System32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-04-01 19:29:11 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-01 17:28:20
ComboFix2.txt 2008-04-01 14:16:56
Pre-Run: 3,849,216 bajtów wolnych
Post-Run: 3,761,152 bajtów wolnych
i log z HijackThis v2.0.2 :
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:42:22, on 2008-04-01
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Safe mode
Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\Explorer.EXE
C:\instalki\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.onet.pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.onet.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.onet.pl/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.onet.pl/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.onet.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Tools\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [nod32kui] "F:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [skrzynka bogiego] C:\Tools\skrzynka bogiego\skrzynka.exe
O4 - HKCU\..\Run: [IncrediMail] C:\Tools\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Tools\Gadu-Gadu\gg.exe" /tray
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Gadu-Gadu] "C:\Tools\Gadu-Gadu\gg.exe" /tray (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [IncrediMail] C:\Tools\IncrediMail\bin\IncMail.exe /c (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\Tools\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Download with &DAP - C:\TOOLS\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\TOOLS\DAP\dapextie2.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Tools\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Tools\WinHTTrack\WinHTTrackIEBar.dll
O15 - Trusted IP range: 213.159.117.202
O15 - Trusted IP range: 213.159.117.202 (HKLM)
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Ati HotKey Poller - Unknown owner - F:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - F:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - F:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - F:\Program Files\Eset\nod32krn.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - F:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
--
End of file - 4191 bytes