win32:tiny-if [trj] i win32:vundo-gen47 [adw]

[NaturalKiller]

Avast wykrył Win32:Tiny-IF [Trj] i oraz Win32:Vundo-gen47 [Adw] nawet jak go wywala to wraca.

Kod: Zaznacz wszystko

"Silent Runners.vbs", revision R51, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu S.A."]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}" = ""C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"" ["Nero AG"]
"Skype" = ""C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]
"Domowy Keylogger" = "C:\WINDOWS\System32\domowykeylogger.exe" [null data]
"Steam" = ""h:\steam\steam.exe" -silent" ["Valve Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"SmcService" = "C:\PROGRA~1\Sygate\SPF\smc.exe -startgui" ["Sygate Technologies, Inc."]
"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" ["ALWIL Software"]
"NVMixerTray" = ""C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"" ["NVIDIA Corporation"]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RunDLL32.exe NvMCTray.dll,NvTaskbarInit" [MS]
"Tweak UI" = "RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp" [MS]
"NeroFilterCheck" = "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" ["Nero AG"]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot" ["RealNetworks, Inc."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k"
"PestPatrol Control Center" = "C:\PROGRA~1\PESTPA~1\PPControl.exe" ["Computer Associates International"]
"PPMemCheck" = "C:\PROGRA~1\PESTPA~1\PPMemCheck.exe" [null data]
"CookiePatrol" = "C:\PROGRA~1\PESTPA~1\CookiePatrol.exe" ["Computer Associates International"]
"ISUSPM" = ""C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler" ["Macrovision Corporation"]
"e-Kiosk" = ""C:\Program Files\e-Kiosk Reader\eGazetaST.exe"" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "AcroIEHlprObj Class"
                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{3088F9C5-1615-4A0B-88B7-E818FA391A2B}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\cbxxyxu.dll" [null data]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "SSVHelper Class"
                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll" ["Sun Microsystems, Inc."]
{D16125FD-5C3A-43EF-8DAE-4D3B8089D9D9}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\jkklk.dll" [null data]
{F200F895-0A3A-4398-B5EF-BA8ECC6DF79C}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\jkklk.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
                   \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
  -> {HKLM...CLSID} = "RealOne Player Context Menu Class"
                   \InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
  -> {HKLM...CLSID} = "avast"
                   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
  -> {HKLM...CLSID} = "DesktopContext Class"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
  -> {HKLM...CLSID} = "NVIDIA CPL Extension"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
  -> {HKLM...CLSID} = "Desktop Explorer"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
  -> {HKLM...CLSID} = "nView Desktop Context Menu"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"
  -> {HKLM...CLSID} = "AlcoholShellEx"
                   \InProcServer32\(Default) = "C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]
"{59850401-6664-101B-B21C-00AA004BA90B}" = "Microsoft Office Binder Unbind"
  -> {HKLM...CLSID} = "Microsoft Office Binder Unbind"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\1045\UNBIND.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"
  -> {HKLM...CLSID} = "NeroDigitalIconHandler Class"
                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"
  -> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"
                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{AD392E40-428C-459F-961E-9B147782D099}" = "UltraISO"
  -> {HKLM...CLSID} = "UIContextMenu Class"
                   \InProcServer32\(Default) = "H:\UltraISO\isoshell.dll" ["EZB Systems, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{3088F9C5-1615-4A0B-88B7-E818FA391A2B}" = "*n" (unwritable string)
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\cbxxyxu.dll" [null data]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\
"AppInit_DLLs" = (value not set)

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> cbxxyxu\DLLName = "cbxxyxu.dll" [null data]
<<!>> jkklk\DLLName = "C:\WINDOWS\system32\jkklk.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"
  -> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"
                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
  -> {HKLM...CLSID} = "PDF Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
  -> {HKLM...CLSID} = "avast"
                   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
UltraISO\(Default) = "{AD392E40-428C-459F-961E-9B147782D099}"
  -> {HKLM...CLSID} = "UIContextMenu Class"
                   \InProcServer32\(Default) = "H:\UltraISO\isoshell.dll" ["EZB Systems, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
  -> {HKLM...CLSID} = "avast"
                   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
UltraISO\(Default) = "{AD392E40-428C-459F-961E-9B147782D099}"
  -> {HKLM...CLSID} = "UIContextMenu Class"
                   \InProcServer32\(Default) = "H:\UltraISO\isoshell.dll" ["EZB Systems, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"ClearRecentDocsOnExit" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\paweł\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\logon.scr" [MS]


Enabled Scheduled Tasks:
------------------------

"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -Task" ["Apple Computer, Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 12
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{327C2873-E90D-4C37-AA9D-10AC9BABA46C}" = "Easy-WebPrint"
  -> {HKLM...CLSID} = "Easy-WebPrint"
                   \InProcServer32\(Default) = "C:\Program Files\Canon\Easy-WebPrint\Toolband.dll" [null data]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

HKLM\Software\Classes\CLSID\{03C1C47F-0538-4645-8372-D3109B9FC636}\(Default) = "Easy-WebPrint"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\Program Files\Canon\Easy-WebPrint\Toolband.dll" [null data]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC}"
  -> {HKCU...CLSID} = "Java Plug-in 1.6.0_01"
                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll" ["Sun Microsystems, Inc."]
  -> {HKLM...CLSID} = "Java Plug-in 1.6.0_01"
                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll" ["Sun Microsystems, Inc."]


HOSTS file
----------

C:\WINDOWS\System32\drivers\etc\HOSTS

maps: 2 domain names to IP addresses,
      1 of the IP addresses is *not* localhost!


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" ["ALWIL Software"]
avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" ["ALWIL Software"]
avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]
avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]
IviRegMgr, IviRegMgr, "C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe" ["InterVideo"]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
Sygate Personal Firewall, SmcService, "C:\Program Files\Sygate\SPF\smc.exe" ["Sygate Technologies, Inc."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Canon BJ Language Monitor PIXMA iP3000\Driver = "CNMLM61.DLL" ["CANON INC."]
OLFax Ports\Driver = "OLFMNT40.DLL" [MS]


---------- (launch time: 2007-08-27 11:58:38)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
  took 107 seconds.
---------- (total run time: 164 seconds)

Kod: Zaznacz wszystko

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:58:29, on 2007-08-27
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\System32\domowykeylogger.exe
H:\steam\steam.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\paweł\Pulpit\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O1 - Hosts: 217.153.219.170 L2authd.lineage2.com
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [e-Kiosk] "C:\Program Files\e-Kiosk Reader\eGazetaST.exe"
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Domowy Keylogger] C:\WINDOWS\System32\domowykeylogger.exe
O4 - HKCU\..\Run: [Steam] "h:\steam\steam.exe" -silent
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-21-839522115-616249376-2147125571-1004\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray (User 'agnieszka')
O4 - HKUS\S-1-5-21-839522115-616249376-2147125571-1004\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" (User 'agnieszka')
O4 - HKUS\S-1-5-21-839522115-616249376-2147125571-1004\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (User 'agnieszka')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: CLCV0 (UTSCSI) - Unknown owner - C:\WINDOWS\system32\UTSCSI.EXE

--
End of file - 6059 bytes

Może polecilibyście innego antywirusa,obrócz noda32.
Pozdrawiam

[Red]

Jeśli vundo to prosze zastosować:

http://securityresponse.symantec.com/avcenter/FixVundo.exe

http://www.atribune.org/ccount/click.php?id=4

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe

wszystkie kolejno......

Autor postu otrzymał pochwałę

[NaturalKiller]

a co z Tiny?
Pozdrawiam

[Red]

Dodatkowo zastosuj:
http://siri.urz.free.fr/Fix/SmitfraudFix.exe

z opcji 2

Autor postu otrzymał pochwałę

[NaturalKiller]

[ Dodano: Dzisiaj o 21:08 ]

SmitFraudFix v2.217

Scan done at 20:21:16,04, 2007-08-27
Run from F:\SmitfraudFix
OS: Microsoft Windows XP [Wersja 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost

217.153.219.170 L2authd.lineage2.com

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: NVIDIA nForce Networking Controller - Sterownik miniport Harmonogramu pakietów
DNS Server Search Order: 82.139.8.7
DNS Server Search Order: 82.139.8.4

HKLM\SYSTEM\CCS\Services\Tcpip\..\{031A4A09-D681-44FF-986A-C9DE22495A59}: DhcpNameServer=82.139.8.7 82.139.8.4
HKLM\SYSTEM\CS1\Services\Tcpip\..\{031A4A09-D681-44FF-986A-C9DE22495A59}: DhcpNameServer=82.139.8.7 82.139.8.4
HKLM\SYSTEM\CS2\Services\Tcpip\..\{031A4A09-D681-44FF-986A-C9DE22495A59}: DhcpNameServer=82.139.8.7 82.139.8.4
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=82.139.8.7 82.139.8.4
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=82.139.8.7 82.139.8.4
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=82.139.8.7 82.139.8.4


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning not selected.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

[08/27/2007, 19:10:31] - VirtumundoBeGone v1.5 ( "F:\VirtumundoBeGone.exe" )
[08/27/2007, 19:10:36] - Detected System Information:
[08/27/2007, 19:10:36] - Windows Version: 5.1.2600, Dodatek Service Pack 2
[08/27/2007, 19:10:36] - Current Username: andrzej (Admin)
[08/27/2007, 19:10:36] - Windows is in NORMAL mode.
[08/27/2007, 19:10:36] - Searching for Browser Helper Objects:
[08/27/2007, 19:10:37] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[08/27/2007, 19:10:37] - BHO 2: {2A587D1C-DAEC-4507-AE58-5EB6F54F5899} ()
[08/27/2007, 19:10:37] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/27/2007, 19:10:37] - Checking for HKLM\...\Winlogon\Notify\ssqpp
[08/27/2007, 19:10:37] - Found: HKLM\...\Winlogon\Notify\ssqpp - This is probably Virtumundo.
[08/27/2007, 19:10:37] - Assigning {2A587D1C-DAEC-4507-AE58-5EB6F54F5899} MSEvents Object
[08/27/2007, 19:10:37] - BHO list has been changed! Starting over...
[08/27/2007, 19:10:37] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[08/27/2007, 19:10:37] - BHO 2: {2A587D1C-DAEC-4507-AE58-5EB6F54F5899} (MSEvents Object)
[08/27/2007, 19:10:37] - ALERT: Found MSEvents Object!
[08/27/2007, 19:10:37] - BHO 3: {3088F9C5-1615-4A0B-88B7-E818FA391A2B} ()
[08/27/2007, 19:10:37] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/27/2007, 19:10:37] - Checking for HKLM\...\Winlogon\Notify\cbxxyxu
[08/27/2007, 19:10:37] - Found: HKLM\...\Winlogon\Notify\cbxxyxu - This is probably Virtumundo.
[08/27/2007, 19:10:37] - Assigning {3088F9C5-1615-4A0B-88B7-E818FA391A2B} MSEvents Object
[08/27/2007, 19:10:38] - BHO list has been changed! Starting over...
[08/27/2007, 19:10:38] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[08/27/2007, 19:10:38] - BHO 2: {2A587D1C-DAEC-4507-AE58-5EB6F54F5899} (MSEvents Object)
[08/27/2007, 19:10:38] - ALERT: Found MSEvents Object!
[08/27/2007, 19:10:38] - BHO 3: {3088F9C5-1615-4A0B-88B7-E818FA391A2B} (MSEvents Object)
[08/27/2007, 19:10:38] - ALERT: Found MSEvents Object!
[08/27/2007, 19:10:38] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[08/27/2007, 19:10:38] - BHO 5: {7D244FE0-A698-491E-92FB-1F8F44800055} ()
[08/27/2007, 19:10:38] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/27/2007, 19:10:38] - Checking for HKLM\...\Winlogon\Notify\ssqpp
[08/27/2007, 19:10:38] - Found: HKLM\...\Winlogon\Notify\ssqpp - This is probably Virtumundo.
[08/27/2007, 19:10:38] - Assigning {7D244FE0-A698-491E-92FB-1F8F44800055} MSEvents Object
[08/27/2007, 19:10:38] - BHO list has been changed! Starting over...
[08/27/2007, 19:10:38] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[08/27/2007, 19:10:38] - BHO 2: {2A587D1C-DAEC-4507-AE58-5EB6F54F5899} (MSEvents Object)
[08/27/2007, 19:10:38] - ALERT: Found MSEvents Object!
[08/27/2007, 19:10:38] - BHO 3: {3088F9C5-1615-4A0B-88B7-E818FA391A2B} (MSEvents Object)
[08/27/2007, 19:10:38] - ALERT: Found MSEvents Object!
[08/27/2007, 19:10:38] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[08/27/2007, 19:10:38] - BHO 5: {7D244FE0-A698-491E-92FB-1F8F44800055} (MSEvents Object)
[08/27/2007, 19:10:38] - ALERT: Found MSEvents Object!
[08/27/2007, 19:10:38] - BHO 6: {B6C5627B-CB4F-40EE-85B8-019C32DDAF20} ()
[08/27/2007, 19:10:38] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/27/2007, 19:10:38] - Checking for HKLM\...\Winlogon\Notify\ssqpp
[08/27/2007, 19:10:38] - Found: HKLM\...\Winlogon\Notify\ssqpp - This is probably Virtumundo.
[08/27/2007, 19:10:38] - Assigning {B6C5627B-CB4F-40EE-85B8-019C32DDAF20} MSEvents Object
[08/27/2007, 19:10:39] - BHO list has been changed! Starting over...
[08/27/2007, 19:10:39] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[08/27/2007, 19:10:39] - BHO 2: {2A587D1C-DAEC-4507-AE58-5EB6F54F5899} (MSEvents Object)
[08/27/2007, 19:10:39] - ALERT: Found MSEvents Object!
[08/27/2007, 19:10:39] - BHO 3: {3088F9C5-1615-4A0B-88B7-E818FA391A2B} (MSEvents Object)
[08/27/2007, 19:10:39] - ALERT: Found MSEvents Object!
[08/27/2007, 19:10:40] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[08/27/2007, 19:10:40] - BHO 5: {7D244FE0-A698-491E-92FB-1F8F44800055} (MSEvents Object)
[08/27/2007, 19:10:40] - ALERT: Found MSEvents Object!
[08/27/2007, 19:10:40] - BHO 6: {B6C5627B-CB4F-40EE-85B8-019C32DDAF20} (MSEvents Object)
[08/27/2007, 19:10:40] - ALERT: Found MSEvents Object!
[08/27/2007, 19:10:40] - BHO 7: {DEDA8EB2-700C-4B8E-BDA4-1A7341CF57E6} ()
[08/27/2007, 19:10:40] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/27/2007, 19:10:40] - Checking for HKLM\...\Winlogon\Notify\jkklk
[08/27/2007, 19:10:40] - Key not found: HKLM\...\Winlogon\Notify\jkklk, continuing.
[08/27/2007, 19:10:40] - BHO 8: {F3DA3B40-BC88-4599-B6F6-CAC1838936E8} ()
[08/27/2007, 19:10:40] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/27/2007, 19:10:40] - Checking for HKLM\...\Winlogon\Notify\jkklk
[08/27/2007, 19:10:40] - Key not found: HKLM\...\Winlogon\Notify\jkklk, continuing.
[08/27/2007, 19:10:40] - Finished Searching Browser Helper Objects
[08/27/2007, 19:10:40] - *** Detected MSEvents Object
[08/27/2007, 19:10:40] - Trying to remove MSEvents Object...
[08/27/2007, 19:10:41] - Terminating Process: IEXPLORE.EXE
[08/27/2007, 19:10:41] - Terminating Process: RUNDLL32.EXE
[08/27/2007, 19:10:41] - Disabling Automatic Shell Restart
[08/27/2007, 19:10:41] - Terminating Process: EXPLORER.EXE
[08/27/2007, 19:10:43] - Suspending the NT Session Manager System Service
[08/27/2007, 19:10:43] - Terminating Windows NT Logon/Logoff Manager
[08/27/2007, 19:10:43] - Re-enabling Automatic Shell Restart
[08/27/2007, 19:10:43] - File to disable: C:\WINDOWS\system32\ssqpp.dll
[08/27/2007, 19:10:43] - Renaming C:\WINDOWS\system32\ssqpp.dll -> C:\WINDOWS\system32\ssqpp.dll.vir
[08/27/2007, 19:10:44] - File successfully renamed!
[08/27/2007, 19:10:44] - Removing HKLM\...\Browser Helper Objects\{2A587D1C-DAEC-4507-AE58-5EB6F54F5899}
[08/27/2007, 19:10:44] - Removing HKCR\CLSID\{2A587D1C-DAEC-4507-AE58-5EB6F54F5899}
[08/27/2007, 19:10:44] - Adding Kill Bit for ActiveX for GUID: {2A587D1C-DAEC-4507-AE58-5EB6F54F5899}
[08/27/2007, 19:10:44] - Deleting ATLEvents/MSEvents Registry entries
[08/27/2007, 19:10:44] - Removing HKLM\...\Winlogon\Notify\ssqpp
[08/27/2007, 19:10:44] - Searching for Browser Helper Objects:
[08/27/2007, 19:10:44] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[08/27/2007, 19:10:44] - BHO 2: {3088F9C5-1615-4A0B-88B7-E818FA391A2B} (MSEvents Object)
[08/27/2007, 19:10:44] - ALERT: Found MSEvents Object!
[08/27/2007, 19:10:44] - BHO 3: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[08/27/2007, 19:10:44] - BHO 4: {7D244FE0-A698-491E-92FB-1F8F44800055} (MSEvents Object)
[08/27/2007, 19:10:44] - ALERT: Found MSEvents Object!
[08/27/2007, 19:10:45] - BHO 5: {B6C5627B-CB4F-40EE-85B8-019C32DDAF20} (MSEvents Object)
[08/27/2007, 19:10:45] - ALERT: Found MSEvents Object!
[08/27/2007, 19:10:45] - BHO 6: {DEDA8EB2-700C-4B8E-BDA4-1A7341CF57E6} ()
[08/27/2007, 19:10:45] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/27/2007, 19:10:45] - Checking for HKLM\...\Winlogon\Notify\jkklk
[08/27/2007, 19:10:45] - Key not found: HKLM\...\Winlogon\Notify\jkklk, continuing.
[08/27/2007, 19:10:45] - BHO 7: {F3DA3B40-BC88-4599-B6F6-CAC1838936E8} ()
[08/27/2007, 19:10:45] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/27/2007, 19:10:45] - Checking for HKLM\...\Winlogon\Notify\jkklk
[08/27/2007, 19:10:45] - Key not found: HKLM\...\Winlogon\Notify\jkklk, continuing.
[08/27/2007, 19:10:45] - Finished Searching Browser Helper Objects
[08/27/2007, 19:10:45] - *** Detected MSEvents Object
[08/27/2007, 19:10:45] - Trying to remove MSEvents Object...
[08/27/2007, 19:10:46] - Terminating Process: IEXPLORE.EXE
[08/27/2007, 19:10:46] - Terminating Process: RUNDLL32.EXE
[08/27/2007, 19:10:46] - Disabling Automatic Shell Restart
[08/27/2007, 19:10:46] - Terminating Process: EXPLORER.EXE
[08/27/2007, 19:10:46] - Suspending the NT Session Manager System Service
[08/27/2007, 19:10:46] - Terminating Windows NT Logon/Logoff Manager
[08/27/2007, 19:10:46] - Re-enabling Automatic Shell Restart
[08/27/2007, 19:10:46] - File to disable: C:\WINDOWS\system32\cbxxyxu.dll
[08/27/2007, 19:10:46] - Renaming C:\WINDOWS\system32\cbxxyxu.dll -> C:\WINDOWS\system32\cbxxyxu.dll.vir
[08/27/2007, 19:10:46] - File successfully renamed!
[08/27/2007, 19:10:47] - Removing HKLM\...\Browser Helper Objects\{3088F9C5-1615-4A0B-88B7-E818FA391A2B}
[08/27/2007, 19:10:47] - Removing HKCR\CLSID\{3088F9C5-1615-4A0B-88B7-E818FA391A2B}
[08/27/2007, 19:10:47] - Adding Kill Bit for ActiveX for GUID: {3088F9C5-1615-4A0B-88B7-E818FA391A2B}
[08/27/2007, 19:10:47] - Deleting ATLEvents/MSEvents Registry entries
[08/27/2007, 19:10:47] - Removing HKLM\...\Winlogon\Notify\cbxxyxu
[08/27/2007, 19:10:47] - Searching for Browser Helper Objects:
[08/27/2007, 19:10:47] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[08/27/2007, 19:10:47] - BHO 2: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[08/27/2007, 19:10:47] - BHO 3: {7D244FE0-A698-491E-92FB-1F8F44800055} (MSEvents Object)
[08/27/2007, 19:10:47] - ALERT: Found MSEvents Object!
[08/27/2007, 19:10:47] - BHO 4: {B6C5627B-CB4F-40EE-85B8-019C32DDAF20} (MSEvents Object)
[08/27/2007, 19:10:47] - ALERT: Found MSEvents Object!
[08/27/2007, 19:10:47] - BHO 5: {DEDA8EB2-700C-4B8E-BDA4-1A7341CF57E6} ()
[08/27/2007, 19:10:47] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/27/2007, 19:10:47] - Checking for HKLM\...\Winlogon\Notify\jkklk
[08/27/2007, 19:10:47] - Key not found: HKLM\...\Winlogon\Notify\jkklk, continuing.
[08/27/2007, 19:10:47] - BHO 6: {F3DA3B40-BC88-4599-B6F6-CAC1838936E8} ()
[08/27/2007, 19:10:47] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/27/2007, 19:10:47] - Checking for HKLM\...\Winlogon\Notify\jkklk
[08/27/2007, 19:10:47] - Key not found: HKLM\...\Winlogon\Notify\jkklk, continuing.
[08/27/2007, 19:10:47] - Finished Searching Browser Helper Objects
[08/27/2007, 19:10:47] - *** Detected MSEvents Object
[08/27/2007, 19:10:47] - Trying to remove MSEvents Object...
[08/27/2007, 19:10:48] - Terminating Process: IEXPLORE.EXE
[08/27/2007, 19:10:48] - Terminating Process: RUNDLL32.EXE
[08/27/2007, 19:10:48] - Disabling Automatic Shell Restart
[08/27/2007, 19:10:48] - Terminating Process: EXPLORER.EXE
[08/27/2007, 19:10:48] - Suspending the NT Session Manager System Service
[08/27/2007, 19:10:48] - Terminating Windows NT Logon/Logoff Manager
[08/27/2007, 19:10:48] - Re-enabling Automatic Shell Restart
[08/27/2007, 19:10:48] - File to disable: C:\WINDOWS\system32\ssqpp.dll
[08/27/2007, 19:10:48] - Removing HKLM\...\Browser Helper Objects\{7D244FE0-A698-491E-92FB-1F8F44800055}
[08/27/2007, 19:10:48] - Removing HKCR\CLSID\{7D244FE0-A698-491E-92FB-1F8F44800055}
[08/27/2007, 19:10:48] - Adding Kill Bit for ActiveX for GUID: {7D244FE0-A698-491E-92FB-1F8F44800055}
[08/27/2007, 19:10:48] - Deleting ATLEvents/MSEvents Registry entries
[08/27/2007, 19:10:49] - Removing HKLM\...\Winlogon\Notify\ssqpp
[08/27/2007, 19:10:49] - Searching for Browser Helper Objects:
[08/27/2007, 19:10:49] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[08/27/2007, 19:10:49] - BHO 2: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[08/27/2007, 19:10:49] - BHO 3: {B6C5627B-CB4F-40EE-85B8-019C32DDAF20} (MSEvents Object)
[08/27/2007, 19:10:49] - ALERT: Found MSEvents Object!
[08/27/2007, 19:10:49] - BHO 4: {DEDA8EB2-700C-4B8E-BDA4-1A7341CF57E6} ()
[08/27/2007, 19:10:49] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/27/2007, 19:10:49] - Checking for HKLM\...\Winlogon\Notify\jkklk
[08/27/2007, 19:10:49] - Key not found: HKLM\...\Winlogon\Notify\jkklk, continuing.
[08/27/2007, 19:10:49] - BHO 5: {F3DA3B40-BC88-4599-B6F6-CAC1838936E8} ()
[08/27/2007, 19:10:49] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/27/2007, 19:10:49] - Checking for HKLM\...\Winlogon\Notify\jkklk
[08/27/2007, 19:10:49] - Key not found: HKLM\...\Winlogon\Notify\jkklk, continuing.
[08/27/2007, 19:10:49] - Finished Searching Browser Helper Objects
[08/27/2007, 19:10:49] - *** Detected MSEvents Object
[08/27/2007, 19:10:49] - Trying to remove MSEvents Object...
[08/27/2007, 19:10:50] - Terminating Process: IEXPLORE.EXE
[08/27/2007, 19:10:50] - Terminating Process: RUNDLL32.EXE
[08/27/2007, 19:10:50] - Disabling Automatic Shell Restart
[08/27/2007, 19:10:50] - Terminating Process: EXPLORER.EXE
[08/27/2007, 19:10:50] - Suspending the NT Session Manager System Service
[08/27/2007, 19:10:50] - Terminating Windows NT Logon/Logoff Manager
[08/27/2007, 19:10:50] - Re-enabling Automatic Shell Restart
[08/27/2007, 19:10:50] - File to disable: C:\WINDOWS\system32\ssqpp.dll
[08/27/2007, 19:10:50] - Removing HKLM\...\Browser Helper Objects\{B6C5627B-CB4F-40EE-85B8-019C32DDAF20}
[08/27/2007, 19:10:50] - Removing HKCR\CLSID\{B6C5627B-CB4F-40EE-85B8-019C32DDAF20}
[08/27/2007, 19:10:50] - Adding Kill Bit for ActiveX for GUID: {B6C5627B-CB4F-40EE-85B8-019C32DDAF20}
[08/27/2007, 19:10:50] - Deleting ATLEvents/MSEvents Registry entries
[08/27/2007, 19:10:50] - Removing HKLM\...\Winlogon\Notify\ssqpp
[08/27/2007, 19:10:50] - Searching for Browser Helper Objects:
[08/27/2007, 19:10:50] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[08/27/2007, 19:10:50] - BHO 2: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[08/27/2007, 19:10:50] - BHO 3: {DEDA8EB2-700C-4B8E-BDA4-1A7341CF57E6} ()
[08/27/2007, 19:10:50] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/27/2007, 19:10:50] - Checking for HKLM\...\Winlogon\Notify\jkklk
[08/27/2007, 19:10:50] - Key not found: HKLM\...\Winlogon\Notify\jkklk, continuing.
[08/27/2007, 19:10:50] - BHO 4: {F3DA3B40-BC88-4599-B6F6-CAC1838936E8} ()
[08/27/2007, 19:10:51] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/27/2007, 19:10:51] - Checking for HKLM\...\Winlogon\Notify\jkklk
[08/27/2007, 19:10:51] - Key not found: HKLM\...\Winlogon\Notify\jkklk, continuing.
[08/27/2007, 19:10:51] - Finished Searching Browser Helper Objects
[08/27/2007, 19:10:51] - Finishing up...
[08/27/2007, 19:10:51] - A restart is needed.
[08/27/2007, 19:10:56] - Attempting to Restart via STOP error (Blue Screen!)

[08/27/2007, 20:10:40] - VirtumundoBeGone v1.5 ( "F:\VirtumundoBeGone.exe" )
[08/27/2007, 20:10:42] - Detected System Information:
[08/27/2007, 20:10:42] - Windows Version: 5.1.2600, Dodatek Service Pack 2
[08/27/2007, 20:10:42] - Current Username: andrzej (Admin)
[08/27/2007, 20:10:42] - Windows is in NORMAL mode.
[08/27/2007, 20:10:42] - Searching for Browser Helper Objects:
[08/27/2007, 20:10:42] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[08/27/2007, 20:10:42] - BHO 2: {2A587D1C-DAEC-4507-AE58-5EB6F54F5899} (MSEvents Object)
[08/27/2007, 20:10:42] - ALERT: Found MSEvents Object!
[08/27/2007, 20:10:42] - BHO 3: {3088F9C5-1615-4A0B-88B7-E818FA391A2B} (MSEvents Object)
[08/27/2007, 20:10:42] - ALERT: Found MSEvents Object!
[08/27/2007, 20:10:42] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[08/27/2007, 20:10:42] - BHO 5: {7D244FE0-A698-491E-92FB-1F8F44800055} (MSEvents Object)
[08/27/2007, 20:10:42] - ALERT: Found MSEvents Object!
[08/27/2007, 20:10:42] - BHO 6: {B6C5627B-CB4F-40EE-85B8-019C32DDAF20} (MSEvents Object)
[08/27/2007, 20:10:42] - ALERT: Found MSEvents Object!
[08/27/2007, 20:10:42] - BHO 7: {DEDA8EB2-700C-4B8E-BDA4-1A7341CF57E6} ()
[08/27/2007, 20:10:42] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/27/2007, 20:10:42] - Checking for HKLM\...\Winlogon\Notify\jkklk
[08/27/2007, 20:10:42] - Key not found: HKLM\...\Winlogon\Notify\jkklk, continuing.
[08/27/2007, 20:10:42] - BHO 8: {F3DA3B40-BC88-4599-B6F6-CAC1838936E8} ()
[08/27/2007, 20:10:42] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/27/2007, 20:10:42] - Checking for HKLM\...\Winlogon\Notify\jkklk
[08/27/2007, 20:10:42] - Key not found: HKLM\...\Winlogon\Notify\jkklk, continuing.
[08/27/2007, 20:10:42] - Finished Searching Browser Helper Objects
[08/27/2007, 20:10:42] - *** Detected MSEvents Object
[08/27/2007, 20:10:42] - Trying to remove MSEvents Object...
[08/27/2007, 20:10:43] - Terminating Process: IEXPLORE.EXE
[08/27/2007, 20:10:44] - Terminating Process: RUNDLL32.EXE
[08/27/2007, 20:10:44] - Disabling Automatic Shell Restart
[08/27/2007, 20:10:44] - Terminating Process: EXPLORER.EXE
[08/27/2007, 20:10:44] - Suspending the NT Session Manager System Service
[08/27/2007, 20:10:44] - Terminating Windows NT Logon/Logoff Manager
[08/27/2007, 20:10:44] - Re-enabling Automatic Shell Restart
[08/27/2007, 20:10:44] - File to disable: C:\WINDOWS\system32\ssqpp.dll
[08/27/2007, 20:10:44] - Removing HKLM\...\Browser Helper Objects\{2A587D1C-DAEC-4507-AE58-5EB6F54F5899}
[08/27/2007, 20:10:44] - Removing HKCR\CLSID\{2A587D1C-DAEC-4507-AE58-5EB6F54F5899}
[08/27/2007, 20:10:44] - Adding Kill Bit for ActiveX for GUID: {2A587D1C-DAEC-4507-AE58-5EB6F54F5899}
[08/27/2007, 20:10:44] - Deleting ATLEvents/MSEvents Registry entries
[08/27/2007, 20:10:44] - Removing HKLM\...\Winlogon\Notify\ssqpp
[08/27/2007, 20:10:44] - Searching for Browser Helper Objects:
[08/27/2007, 20:10:44] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[08/27/2007, 20:10:44] - BHO 2: {3088F9C5-1615-4A0B-88B7-E818FA391A2B} (MSEvents Object)
[08/27/2007, 20:10:44] - ALERT: Found MSEvents Object!
[08/27/2007, 20:10:44] - BHO 3: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[08/27/2007, 20:10:44] - BHO 4: {7D244FE0-A698-491E-92FB-1F8F44800055} (MSEvents Object)
[08/27/2007, 20:10:44] - ALERT: Found MSEvents Object!
[08/27/2007, 20:10:44] - BHO 5: {B6C5627B-CB4F-40EE-85B8-019C32DDAF20} (MSEvents Object)
[08/27/2007, 20:10:44] - ALERT: Found MSEvents Object!
[08/27/2007, 20:10:44] - BHO 6: {DEDA8EB2-700C-4B8E-BDA4-1A7341CF57E6} ()
[08/27/2007, 20:10:44] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/27/2007, 20:10:44] - Checking for HKLM\...\Winlogon\Notify\jkklk
[08/27/2007, 20:10:44] - Key not found: HKLM\...\Winlogon\Notify\jkklk, continuing.
[08/27/2007, 20:10:44] - BHO 7: {F3DA3B40-BC88-4599-B6F6-CAC1838936E8} ()
[08/27/2007, 20:10:44] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/27/2007, 20:10:44] - Checking for HKLM\...\Winlogon\Notify\jkklk
[08/27/2007, 20:10:44] - Key not found: HKLM\...\Winlogon\Notify\jkklk, continuing.
[08/27/2007, 20:10:44] - Finished Searching Browser Helper Objects
[08/27/2007, 20:10:44] - *** Detected MSEvents Object
[08/27/2007, 20:10:45] - Trying to remove MSEvents Object...
[08/27/2007, 20:10:46] - Terminating Process: IEXPLORE.EXE
[08/27/2007, 20:10:46] - Terminating Process: RUNDLL32.EXE
[08/27/2007, 20:10:46] - Disabling Automatic Shell Restart
[08/27/2007, 20:10:46] - Terminating Process: EXPLORER.EXE
[08/27/2007, 20:10:46] - Suspending the NT Session Manager System Service
[08/27/2007, 20:10:46] - Terminating Windows NT Logon/Logoff Manager
[08/27/2007, 20:10:46] - Re-enabling Automatic Shell Restart
[08/27/2007, 20:10:46] - File to disable: C:\WINDOWS\system32\cbxxyxu.dll
[08/27/2007, 20:10:46] - Removing HKLM\...\Browser Helper Objects\{3088F9C5-1615-4A0B-88B7-E818FA391A2B}
[08/27/2007, 20:10:46] - Removing HKCR\CLSID\{3088F9C5-1615-4A0B-88B7-E818FA391A2B}
[08/27/2007, 20:10:46] - Adding Kill Bit for ActiveX for GUID: {3088F9C5-1615-4A0B-88B7-E818FA391A2B}
[08/27/2007, 20:10:46] - Deleting ATLEvents/MSEvents Registry entries
[08/27/2007, 20:10:46] - Removing HKLM\...\Winlogon\Notify\cbxxyxu
[08/27/2007, 20:10:46] - Searching for Browser Helper Objects:
[08/27/2007, 20:10:46] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[08/27/2007, 20:10:46] - BHO 2: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[08/27/2007, 20:10:46] - BHO 3: {7D244FE0-A698-491E-92FB-1F8F44800055} (MSEvents Object)
[08/27/2007, 20:10:46] - ALERT: Found MSEvents Object!
[08/27/2007, 20:10:46] - BHO 4: {B6C5627B-CB4F-40EE-85B8-019C32DDAF20} (MSEvents Object)
[08/27/2007, 20:10:46] - ALERT: Found MSEvents Object!
[08/27/2007, 20:10:46] - BHO 5: {DEDA8EB2-700C-4B8E-BDA4-1A7341CF57E6} ()
[08/27/2007, 20:10:46] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/27/2007, 20:10:46] - Checking for HKLM\...\Winlogon\Notify\jkklk
[08/27/2007, 20:10:46] - Key not found: HKLM\...\Winlogon\Notify\jkklk, continuing.
[08/27/2007, 20:10:46] - BHO 6: {F3DA3B40-BC88-4599-B6F6-CAC1838936E8} ()
[08/27/2007, 20:10:46] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/27/2007, 20:10:46] - Checking for HKLM\...\Winlogon\Notify\jkklk
[08/27/2007, 20:10:46] - Key not found: HKLM\...\Winlogon\Notify\jkklk, continuing.
[08/27/2007, 20:10:46] - Finished Searching Browser Helper Objects
[08/27/2007, 20:10:46] - *** Detected MSEvents Object
[08/27/2007, 20:10:46] - Trying to remove MSEvents Object...
[08/27/2007, 20:10:47] - Terminating Process: IEXPLORE.EXE
[08/27/2007, 20:10:47] - Terminating Process: RUNDLL32.EXE
[08/27/2007, 20:10:47] - Disabling Automatic Shell Restart
[08/27/2007, 20:10:47] - Terminating Process: EXPLORER.EXE
[08/27/2007, 20:10:47] - Suspending the NT Session Manager System Service
[08/27/2007, 20:10:48] - Terminating Windows NT Logon/Logoff Manager
[08/27/2007, 20:10:48] - Re-enabling Automatic Shell Restart
[08/27/2007, 20:10:48] - File to disable: C:\WINDOWS\system32\ssqpp.dll
[08/27/2007, 20:10:48] - Removing HKLM\...\Browser Helper Objects\{7D244FE0-A698-491E-92FB-1F8F44800055}
[08/27/2007, 20:10:48] - Removing HKCR\CLSID\{7D244FE0-A698-491E-92FB-1F8F44800055}
[08/27/2007, 20:10:48] - Adding Kill Bit for ActiveX for GUID: {7D244FE0-A698-491E-92FB-1F8F44800055}
[08/27/2007, 20:10:48] - Deleting ATLEvents/MSEvents Registry entries
[08/27/2007, 20:10:48] - Removing HKLM\...\Winlogon\Notify\ssqpp
[08/27/2007, 20:10:48] - Searching for Browser Helper Objects:
[08/27/2007, 20:10:48] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[08/27/2007, 20:10:48] - BHO 2: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[08/27/2007, 20:10:48] - BHO 3: {B6C5627B-CB4F-40EE-85B8-019C32DDAF20} (MSEvents Object)
[08/27/2007, 20:10:48] - ALERT: Found MSEvents Object!
[08/27/2007, 20:10:48] - BHO 4: {DEDA8EB2-700C-4B8E-BDA4-1A7341CF57E6} ()
[08/27/2007, 20:10:48] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/27/2007, 20:10:48] - Checking for HKLM\...\Winlogon\Notify\jkklk
[08/27/2007, 20:10:48] - Key not found: HKLM\...\Winlogon\Notify\jkklk, continuing.
[08/27/2007, 20:10:48] - BHO 5: {F3DA3B40-BC88-4599-B6F6-CAC1838936E8} ()
[08/27/2007, 20:10:48] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/27/2007, 20:10:48] - Checking for HKLM\...\Winlogon\Notify\jkklk
[08/27/2007, 20:10:48] - Key not found: HKLM\...\Winlogon\Notify\jkklk, continuing.
[08/27/2007, 20:10:48] - Finished Searching Browser Helper Objects
[08/27/2007, 20:10:48] - *** Detected MSEvents Object
[08/27/2007, 20:10:48] - Trying to remove MSEvents Object...
[08/27/2007, 20:10:49] - Terminating Process: IEXPLORE.EXE
[08/27/2007, 20:10:49] - Terminating Process: RUNDLL32.EXE
[08/27/2007, 20:10:49] - Disabling Automatic Shell Restart
[08/27/2007, 20:10:49] - Terminating Process: EXPLORER.EXE
[08/27/2007, 20:10:49] - Suspending the NT Session Manager System Service
[08/27/2007, 20:10:49] - Terminating Windows NT Logon/Logoff Manager
[08/27/2007, 20:10:49] - Re-enabling Automatic Shell Restart
[08/27/2007, 20:10:49] - File to disable: C:\WINDOWS\system32\ssqpp.dll
[08/27/2007, 20:10:49] - Removing HKLM\...\Browser Helper Objects\{B6C5627B-CB4F-40EE-85B8-019C32DDAF20}
[08/27/2007, 20:10:49] - Removing HKCR\CLSID\{B6C5627B-CB4F-40EE-85B8-019C32DDAF20}
[08/27/2007, 20:10:49] - Adding Kill Bit for ActiveX for GUID: {B6C5627B-CB4F-40EE-85B8-019C32DDAF20}
[08/27/2007, 20:10:49] - Deleting ATLEvents/MSEvents Registry entries
[08/27/2007, 20:10:49] - Removing HKLM\...\Winlogon\Notify\ssqpp
[08/27/2007, 20:10:49] - Searching for Browser Helper Objects:
[08/27/2007, 20:10:49] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[08/27/2007, 20:10:49] - BHO 2: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[08/27/2007, 20:10:49] - BHO 3: {DEDA8EB2-700C-4B8E-BDA4-1A7341CF57E6} ()
[08/27/2007, 20:10:49] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/27/2007, 20:10:49] - Checking for HKLM\...\Winlogon\Notify\jkklk
[08/27/2007, 20:10:49] - Key not found: HKLM\...\Winlogon\Notify\jkklk, continuing.
[08/27/2007, 20:10:49] - BHO 4: {F3DA3B40-BC88-4599-B6F6-CAC1838936E8} ()
[08/27/2007, 20:10:49] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/27/2007, 20:10:50] - Checking for HKLM\...\Winlogon\Notify\jkklk
[08/27/2007, 20:10:50] - Key not found: HKLM\...\Winlogon\Notify\jkklk, continuing.
[08/27/2007, 20:10:50] - Finished Searching Browser Helper Objects
[08/27/2007, 20:10:50] - Finishing up...
[08/27/2007, 20:10:50] - A restart is needed.
[08/27/2007, 20:10:57] - Attempting to Restart via STOP error (Blue Screen!)

[08/27/2007, 20:14:23] - VirtumundoBeGone v1.5 ( "F:\VirtumundoBeGone.exe" )
[08/27/2007, 20:14:28] - Detected System Information:
[08/27/2007, 20:14:28] - Windows Version: 5.1.2600, Dodatek Service Pack 2
[08/27/2007, 20:14:28] - Current Username: andrzej (Admin)
[08/27/2007, 20:14:29] - Windows is in NORMAL mode.
[08/27/2007, 20:14:29] - Searching for Browser Helper Objects:
[08/27/2007, 20:14:29] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[08/27/2007, 20:14:29] - BHO 2: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[08/27/2007, 20:14:29] - BHO 3: {DEDA8EB2-700C-4B8E-BDA4-1A7341CF57E6} ()
[08/27/2007, 20:14:29] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/27/2007, 20:14:29] - Checking for HKLM\...\Winlogon\Notify\jkklk
[08/27/2007, 20:14:29] - Key not found: HKLM\...\Winlogon\Notify\jkklk, continuing.
[08/27/2007, 20:14:29] - BHO 4: {F3DA3B40-BC88-4599-B6F6-CAC1838936E8} ()
[08/27/2007, 20:14:29] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/27/2007, 20:14:29] - Checking for HKLM\...\Winlogon\Notify\jkklk
[08/27/2007, 20:14:29] - Key not found: HKLM\...\Winlogon\Notify\jkklk, continuing.
[08/27/2007, 20:14:29] - Finished Searching Browser Helper Objects
[08/27/2007, 20:14:29] - Finishing up...
[08/27/2007, 20:14:29] - Nothing found! Exiting...

[08/27/2007, 20:14:55] - VirtumundoBeGone v1.5 ( "F:\VirtumundoBeGone.exe" )
[08/27/2007, 20:14:56] - Detected System Information:
[08/27/2007, 20:14:56] - Windows Version: 5.1.2600, Dodatek Service Pack 2
[08/27/2007, 20:14:56] - Current Username: andrzej (Admin)
[08/27/2007, 20:14:56] - Windows is in NORMAL mode.
[08/27/2007, 20:14:56] - Searching for Browser Helper Objects:
[08/27/2007, 20:14:56] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[08/27/2007, 20:14:56] - BHO 2: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[08/27/2007, 20:14:56] - BHO 3: {DEDA8EB2-700C-4B8E-BDA4-1A7341CF57E6} ()
[08/27/2007, 20:14:56] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/27/2007, 20:14:56] - Checking for HKLM\...\Winlogon\Notify\jkklk
[08/27/2007, 20:14:56] - Key not found: HKLM\...\Winlogon\Notify\jkklk, continuing.
[08/27/2007, 20:14:56] - BHO 4: {F3DA3B40-BC88-4599-B6F6-CAC1838936E8} ()
[08/27/2007, 20:14:56] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/27/2007, 20:14:56] - Checking for HKLM\...\Winlogon\Notify\jkklk
[08/27/2007, 20:14:57] - Key not found: HKLM\...\Winlogon\Notify\jkklk, continuing.
[08/27/2007, 20:14:57] - Finished Searching Browser Helper Objects
[08/27/2007, 20:14:57] - Finishing up...
[08/27/2007, 20:14:57] - Nothing found! Exiting...

ComboFix 07-08-14.4 - "andrzej" 2007-08-27 20:08:46.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.648 [GMT 2:00]


((((((((((((((((((((((((( Files Created from 2007-07-27 to 2007-08-27 )))))))))))))))))))))))))))))))


2007-08-27 20:06 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-27 17:07 298,080 --a------ C:\WINDOWS\system32\ssqpp.dll.vir
2007-08-27 15:15 <DIR> d-------- C:\VundoFix Backups
2007-08-25 13:57 <DIR> d-------- C:\DOCUME~1\andrzej\DANEAP~1\e-Kiosk Reader
2007-08-25 13:56 <DIR> d-------- C:\Program Files\e-Kiosk Reader
2007-08-25 13:15 <DIR> d-------- C:\DOCUME~1\NETWOR~1\DANEAP~1\Opera
2007-08-25 12:43 574,508 --a------ C:\WINDOWS\system32\bkmffqyp.exe
2007-08-25 11:01 574,508 --a------ C:\WINDOWS\system32\clksiyys.exe
2007-08-24 17:21 43,542 --a------ C:\WINDOWS\system32\cbxxyxu.dll.vir
2007-08-21 23:44 <DIR> d-------- C:\DOCUME~1\PAWE~1\DANEAP~1\Apple Computer
2007-08-21 13:36 <DIR> d-------- C:\DOCUME~1\andrzej\DANEAP~1\Help
2007-08-20 00:07 0 --a------ C:\WINDOWS\system32\UTSCSI.EXE
2007-08-20 00:07 <DIR> d-------- C:\USB Notebook Data
2007-08-20 00:07 <DIR> d-------- C:\DOCUME~1\andrzej\DANEAP~1\PLAux
2007-08-20 00:07 <DIR> d-------- C:\DOCUME~1\andrzej\DANEAP~1\OTi
2007-08-09 22:01 <DIR> d-------- C:\Program Files\NAPI-PROJEKT
2007-08-06 22:46 <DIR> d-------- C:\DOCUME~1\PAWE~1\DANEAP~1\Lavasoft
2007-07-30 23:11 <DIR> d-------- C:\Program Files\GraveLand
2007-07-30 23:06 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys
2007-07-30 22:52 <DIR> d-------- C:\DOCUME~1\PAWE~1\DANEAP~1\InstallShield
2007-07-30 22:37 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2007-07-30 16:44 <DIR> d-------- C:\DOCUME~1\PAWE~1\DANEAP~1\InterVideo
2007-07-30 16:01 <DIR> d-------- C:\Program Files\QuickTime
2007-07-30 16:01 <DIR> d-------- C:\Program Files\Apple Software Update
2007-07-30 16:01 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DANEAP~1\Apple Computer
2007-07-30 15:59 <DIR> d-------- C:\Program Files\InterVideo Information Service
2007-07-30 15:59 <DIR> d-------- C:\Program Files\Common Files\Ulead
2007-07-30 15:59 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DANEAP~1\InstallShield
2007-07-30 15:29 <DIR> d-------- C:\DOCUME~1\andrzej\DANEAP~1\InterVideo
2007-07-29 12:21 15,872 --------- C:\WINDOWS\system32\winskfr.dll
2007-07-29 12:21 119,568 --------- C:\WINDOWS\system32\vb6fr.dll
2007-07-29 11:24 <DIR> d-------- C:\Program Files\PestPatrol
2007-07-28 21:21 <DIR> d-------- C:\WINDOWS\speech


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-27 19:52 --------- d-------- C:\DOCUME~1\andrzej\DANEAP~1\Skype
2007-08-26 23:14 --------- d-------- C:\Program Files\eMule
2007-08-12 13:30 --------- d-------- C:\Program Files\Gadu-Gadu
2007-07-30 22:55 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-30 15:58 --------- d-------- C:\Program Files\InterVideo
2007-07-30 15:58 --------- d-------- C:\Program Files\Common Files\InterVideo
2007-07-30 15:58 --------- d-------- C:\Program Files\Common Files\InstallShield
2007-07-28 00:07 783224 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-07-28 00:02 94416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-07-28 00:02 92848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-07-28 00:00 23152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-07-27 23:59 42912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-07-27 23:58 26624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-07-27 23:57 95608 --a------ C:\WINDOWS\system32\AVASTSS.scr
2007-07-24 16:36 --------- d-------- C:\Program Files\Opera
2007-07-19 15:52 163644 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
2007-07-13 17:00 --------- d-------- C:\Program Files\Player Tool
2007-07-10 22:41 --------- d-------- C:\Program Files\Fiat
2007-07-10 15:16 110304 --a------ C:\WINDOWS\system32\drivers\ACEDRV09.sys
1999-05-17 14:58 99840 --a------ C:\Program Files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 70144 --a------ C:\Program Files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 48640 --a------ C:\Program Files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 31744 --a------ C:\Program Files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 186368 --a------ C:\Program Files\Common Files\IRAREG.DLL
1998-12-09 02:53 17920 --a------ C:\Program Files\Common Files\IRASRIAL.DLL


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2A587D1C-DAEC-4507-AE58-5EB6F54F5899}]
C:\WINDOWS\system32\ssqpp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3088F9C5-1615-4A0B-88B7-E818FA391A2B}]
C:\WINDOWS\system32\cbxxyxu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7D244FE0-A698-491E-92FB-1F8F44800055}]
C:\WINDOWS\system32\ssqpp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B6C5627B-CB4F-40EE-85B8-019C32DDAF20}]
C:\WINDOWS\system32\ssqpp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DEDA8EB2-700C-4B8E-BDA4-1A7341CF57E6}]
C:\WINDOWS\system32\jkklk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F3DA3B40-BC88-4599-B6F6-CAC1838936E8}]
C:\WINDOWS\system32\jkklk.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-07-28 00:03]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-06-03 20:51]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-06-01 17:22]
"nwiz"="nwiz.exe" [2006-06-01 17:22 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2006-06-01 17:22 C:\WINDOWS\system32\nvmctray.dll]
"Tweak UI"="TWEAKUI.CPL" [2000-06-18 14:03 C:\WINDOWS\system32\tweakui.cpl]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-04-09 13:49]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 15:57]
"PestPatrol Control Center"="C:\PROGRA~1\PESTPA~1\PPControl.exe" [2004-11-15 11:49]
"PPMemCheck"="C:\PROGRA~1\PESTPA~1\PPMemCheck.exe" [2004-04-02 15:11]
"CookiePatrol"="C:\PROGRA~1\PESTPA~1\CookiePatrol.exe" [2005-01-10 09:35]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 17:34]
"e-Kiosk"="C:\Program Files\e-Kiosk Reader\eGazetaST.exe" [2007-07-11 13:18]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2006-10-10 17:51]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-03-30 13:34]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-10-09 11:28]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{3088F9C5-1615-4A0B-88B7-E818FA391A2B}"= C:\WINDOWS\system32\cbxxyxu.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxxyxu]
cbxxyxu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqpp]
C:\WINDOWS\system32\ssqpp.dll

R0 a347bus;a347bus;C:\WINDOWS\system32\DRIVERS\a347bus.sys
R0 a347scsi;a347scsi;C:\WINDOWS\system32\Drivers\a347scsi.sys
R2 ACEDRV09;ACEDRV09;\??\C:\WINDOWS\system32\drivers\ACEDRV09.sys
R3 axsaki;axsaki;C:\WINDOWS\system32\DRIVERS\axsaki.sys
R3 axskbus;axskbus;C:\WINDOWS\system32\DRIVERS\axskbus.sys
S3 ddsxeiservice;ddsxeiservice;\??\H:\sXe Injected\ddsxei.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8d5d307b-e750-11db-8e3a-000c6ee65eb5}]
AutoRun\command- Y:\USBNB.exe


Contents of the 'Scheduled Tasks' folder
2007-07-30 14:01:14 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-27 20:09:26
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-27 20:09:59

--- E O F ---

[wojtas]

skasuj te pliki:

C:\WINDOWS\system32\ssqpp.dll.vir
C:\WINDOWS\system32\bkmffqyp.exe
C:\WINDOWS\system32\clksiyys.exe
C:\WINDOWS\system32\cbxxyxu.dll.vir

potem wklej do notatnika:

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2A587D1C-DAEC-4507-AE58-5EB6F54F5899}]

[-KEY_LOCAL_MACHINE\~\Browser Helper Objects\{3088F9C5-1615-4A0B-88B7-E818FA391A2B}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7D244FE0-A698-491E-92FB-1F8F44800055}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B6C5627B-CB4F-40EE-85B8-019C32DDAF20}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DEDA8EB2-700C-4B8E-BDA4-1A7341CF57E6}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F3DA3B40-BC88-4599-B6F6-CAC1838936E8}]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxxyxu]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqpp]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{3088F9C5-1615-4A0B-88B7-E818FA391A2B}"=-

w notatniku u góry>>>plik zapisz jako>>>Zmien rozszerzenie z TXT na Wszystkie pliki *.* >>> Zapisz pod nazwą FIX.REG

Klikasz dwa razy na powstały plik fix i dodajesz go do rejestru....

potem nowy log z combo

Autor postu otrzymał pochwałę