wirus, backdoor, robaki ??????????????

**Posty:** 17 · przez **gucio_one** 10 Lip 2008, 22:19

Witam!
Miałem trojana win32/mebroot.K. Zlikwidowałem go progsem mbr.exe (tak jak na forum było napisane)
Jednak coś jest nie tak. Pomóżcie. Załączam logi

SDFix

Kod: Zaznacz wszystko: [b]SDFix: Version 1.204 [/b] Run by gucio on 2008-07-10 at 21:23 Microsoft Windows XP [Wersja 5.1.2600] Running From: C:\SDFix [b]Checking Services [/b]: Restoring Default Security Values Restoring Default Hosts File Rebooting [b]Checking Files [/b]: No Trojan Files Found Removing Temp Files [b]ADS Check [/b]: [b]Final Check [/b]: catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-07-10 21:28:11 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes ... scanning hidden services & system hive ... [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04] "p0"="C:\Program Files\Alcohol Soft\Alcohol 52\" "h0"=dword:00000000 "ujdew"=hex:f3,22,44,22,cf,7c,67,47,ad,3a,98,eb,5c,96,ca,03,65,fc,e8,e4,15,.. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg] "s1"=dword:2df9c43f "s2"=dword:110480d0 "h0"=dword:00000001 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04] "p0"="C:\Program Files\Alcohol Soft\Alcohol 52\" "h0"=dword:00000000 "ujdew"=hex:f3,22,44,22,cf,7c,67,47,ad,3a,98,eb,5c,96,ca,03,65,fc,e8,e4,15,.. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04] "p0"="C:\Program Files\Alcohol Soft\Alcohol 52\" "h0"=dword:00000000 "ujdew"=hex:f3,22,44,22,cf,7c,67,47,ad,3a,98,eb,5c,96,ca,03,65,fc,e8,e4,15,.. scanning hidden registry entries ... scanning hidden files ... scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 [b]Remaining Services [/b]: Authorized Application Key Export: [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list] "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000" "C:\\Documents and Settings\\gucio\\Ustawienia lokalne\\Temp\\Rar$EX00.578\\emule.exe"="C:\\Documents and Settings\\gucio\\Ustawienia lokalne\\Temp\\Rar$EX00.578\\emule.exe:*:Enabled:eMule" "C:\\Program Files\\eMule\\eMule.exe"="C:\\Program Files\\eMule\\eMule.exe:*:Enabled:eMule Plus" "C:\\Program Files\\BearShare\\BearShare.exe"="C:\\Program Files\\BearShare\\BearShare.exe:*:Enabled:BearShare" "C:\\Program Files\\Gadu-Gadu\\gg.exe"="C:\\Program Files\\Gadu-Gadu\\gg.exe:*:Enabled:Gadu-Gadu - program gˆ˘wny" "C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Disabled:Microsoft DirectPlay Voice Test" "C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Disabled:Uruchamia plik DLL jako aplikacj©" "C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"="C:\\Program Files\\Winamp Remote\\bin\\Orb.exe:*:Enabled:Orb" "C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"="C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe:*:Enabled:OrbTray" "C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"="C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe:*:Enabled:Orb Stream Client" "C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox" [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list] "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000" [b]Remaining Files [/b]: [b]Files with Hidden Attributes [/b]: Thu 10 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\0322ecbb4c55105c9d4e6fe001726b44\BIT31.tmp" Thu 10 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\0bb92b69a8b84ccfe2b28134ac1cec34\BIT34.tmp" Thu 10 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\0d939b75e10b1906f461d71b0b3a18f7\BIT37.tmp" Thu 10 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\15d10e20c713fa334c0a91b43212f21b\BIT28.tmp" Thu 10 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\16a4581b2390408d533117e6c44b89ea\BIT2B.tmp" Thu 10 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\1e62aefbda5a35c565c0bb27bb401d8f\BIT24.tmp" Thu 10 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\235632fdaa8ce7a40ab2d52780cdc519\BIT35.tmp" Thu 10 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\285bf1053ffb643f7139c4d81e30e7b2\BIT32.tmp" Thu 10 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\3234746c3bb5ff4c390a7ec7f2f1bd02\BIT25.tmp" Thu 10 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\41a38b6f30f6e2781dc85df9f274dc03\BIT2D.tmp" Thu 10 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\469552d53c51475457f5a7134dfb9872\BIT2E.tmp" Thu 10 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\4e2064890f6e8a2cd9ff1520a902dd7d\BIT29.tmp" Thu 10 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\51c2e610af213e8493a4667a54b1de1a\BIT2C.tmp" Thu 10 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\5987d53f2945e9c72ec6d4fddc0f8999\BIT30.tmp" Thu 10 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\86d2e5e43e5a3fe0252bfd91116c7fb4\BIT2F.tmp" Thu 10 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\8e9e9f4339fd173726f18d2380650a2d\BIT36.tmp" Thu 10 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\94610e87c9aac3e27d40a596fbd54933\BIT26.tmp" Thu 10 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\bc5ff7ae090af64b51a4e6639bffdfbd\BIT2A.tmp" Thu 10 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\d54963be23fc20b8853183f00cb55bb6\BIT33.tmp" Thu 10 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\e6156b4fe5d5bd1d8d698b4eb0be8af7\BIT27.tmp" Thu 10 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\f6093d45de2c82c204eacff9a9fe91ec\BIT23.tmp" [b]Finished![/b]

ComboFix 08-07-09.5 - gucio 2008-07-10 21:32:58.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.226 [GMT 2:00]
Running from: C:\Documents and Settings\gucio\Pulpit\ComboFix.exe
* Created a new restore point
* Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\gucio\Dane aplikacji\Adssite Advanced Toolbar
C:\Documents and Settings\gucio\Dane aplikacji\Adssite Advanced Toolbar\advertbuttons.xml
C:\Documents and Settings\gucio\Dane aplikacji\Adssite Advanced Toolbar\selected.xml
C:\Documents and Settings\gucio\Dane aplikacji\urlredir.cfg
C:\Program Files\myglobalsearch
C:\WINDOWS\g32.txt
C:\WINDOWS\system32\oeminfo.ini

.
((((((((((((((((((((((((( Files Created from 2008-06-10 to 2008-07-10 )))))))))))))))))))))))))))))))
.

2008-07-10 21:19 . 2008-07-10 21:19 2,247 --a------ C:\XP_CodecRepair.inf
2008-07-10 21:14 . 2008-07-10 21:29 <DIR> d-------- C:\SDFix
2008-07-10 17:02 . 2006-08-04 09:34 33,792 -ra------ C:\WINDOWS\system32\OLD7D9.tmp
2008-07-10 16:02 . 2008-06-30 16:47 421,888 --a------ C:\WINDOWS\system32\ac3filter.acm
2008-07-10 16:01 . 2008-07-10 16:02 <DIR> d-------- C:\Program Files\XP Codec Pack
2008-07-08 22:59 . 2008-07-08 22:59 4 --a------ C:\WINDOWS\system32\proc-859417382.bin
2008-07-06 22:02 . 2008-07-09 12:53 <DIR> d-------- C:\Documents and Settings\gucio\Dane aplikacji\GanymedeNet
2008-07-06 22:01 . 2008-07-06 22:01 <DIR> d-------- C:\Program Files\Ganymede
2008-07-05 12:26 . 2008-07-05 12:26 2,494,464 --a------ C:\WINDOWS\system32\ffdshow.ax
2008-07-05 12:14 . 2008-07-05 12:14 3,591,168 --a------ C:\WINDOWS\system32\libavcodec.dll
2008-07-05 12:14 . 2008-07-05 12:14 456,192 --a------ C:\WINDOWS\system32\libmplayer.dll
2008-07-05 12:13 . 2008-07-05 12:13 708,096 --a------ C:\WINDOWS\system32\ff_x264.dll
2008-07-02 20:57 . 2008-07-02 20:59 <DIR> d-------- C:\Program Files\Odkurzacz
2008-07-02 20:39 . 2008-07-02 20:39 <DIR> d-------- C:\Program Files\CCleaner
2008-07-02 19:51 . 2008-07-02 19:51 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-07-02 18:09 . 2008-07-02 18:09 <DIR> d-------- C:\Program Files\ESET
2008-07-02 18:09 . 2008-07-02 18:09 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\ESET
2008-07-02 13:36 . 2008-07-02 20:38 <DIR> d-------- C:\Documents and Settings\gucio\Dane aplikacji\Uniblue
2008-07-02 13:32 . 2008-07-02 13:35 <DIR> d-------- C:\Program Files\Security Task Manager
2008-07-02 13:32 . 2008-07-02 21:45 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\SecTaskMan
2008-06-30 13:00 . 2008-06-30 13:00 0 --a------ C:\WINDOWS\system32\setup_XP.ini
2008-06-28 12:51 . 2008-06-30 13:34 <DIR> d-------- C:\Documents and Settings\gucio\DoctorWeb
2008-06-28 12:21 . 2008-06-28 12:21 <DIR> d-------- C:\WINDOWS\ERUNT
2008-06-28 10:14 . 2008-06-28 10:13 66,048 --a------ C:\mbr.exe
2008-06-27 22:14 . 2008-06-27 22:14 <DIR> d-------- C:\WINDOWS\LastGood(2)
2008-06-25 22:41 . 2008-06-25 22:41 <DIR> d--hs---- C:\found.000
2008-06-25 19:50 . 2008-06-25 19:50 <DIR> d-------- C:\Program Files\Windows Sidebar
2008-06-25 19:45 . 2008-07-02 21:43 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-06-24 21:04 . 2008-06-24 21:07 1,783 --a------ C:\WINDOWS\unins000.dat
2008-06-23 19:58 . 2008-06-24 20:01 <DIR> d-------- C:\G
2008-06-23 18:22 . 2008-06-23 18:22 1,744 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-06-22 18:34 . 2008-06-22 18:34 177,664 --a------ C:\WINDOWS\system32\ff_theora.dll
2008-06-13 14:45 . 2008-02-20 03:06 579,464 --a------ C:\WINDOWS\system32\SymNeti.dll
2008-06-13 14:45 . 2008-02-20 03:06 207,240 --a------ C:\WINDOWS\system32\SymRedir.dll
2008-06-13 12:39 . 2008-06-13 12:39 23,552 --a------ C:\WINDOWS\system32\ff_wmv9.dll
2008-06-12 19:36 . 2008-06-12 19:36 7,680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2008-06-12 18:25 . 2008-06-12 18:25 962,560 --a------ C:\WINDOWS\system32\VSFilter.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-10 19:10 --------- d-----w C:\Program Files\Syncrosoft
2008-07-10 18:28 --------- d-----w C:\Program Files\ACE Mega CoDecS Pack
2008-07-03 19:32 --------- d-----w C:\Program Files\free-downloads.net
2008-07-02 19:43 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-07-02 19:43 --------- d-----w C:\Program Files\Waves
2008-07-02 19:43 --------- d-----w C:\Program Files\vanBasco's Karaoke Player
2008-07-02 12:25 --------- d-----w C:\Program Files\eMule
2008-07-02 05:23 --------- d-----w C:\Program Files\Monkey's Audio
2008-06-29 21:18 --------- d-----w C:\Program Files\BearShare
2008-06-25 20:02 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-29 18:38 81,920 ----a-w C:\Documents and Settings\gucio\Dane aplikacji\ezpinst.exe
2008-01-29 18:38 47,360 ----a-w C:\Documents and Settings\gucio\Dane aplikacji\pcouffin.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ecdee021-0d17-467f-a1ff-c7a115230949}]
2008-07-03 21:32 1569304 --a------ C:\Program Files\free-downloads.net\tbfre1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{ecdee021-0d17-467f-a1ff-c7a115230949}"= "C:\Program Files\free-downloads.net\tbfre1.dll" [2008-07-03 21:32 1569304]

[HKEY_CLASSES_ROOT\clsid\{ecdee021-0d17-467f-a1ff-c7a115230949}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{ECDEE021-0D17-467F-A1FF-C7A115230949}"= "C:\Program Files\free-downloads.net\tbfre1.dll" [2008-07-03 21:32 1569304]

[HKEY_CLASSES_ROOT\clsid\{ecdee021-0d17-467f-a1ff-c7a115230949}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44 15360]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-05-10 16:36 2111176]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-01 20:12 68856]
"Weflirt"="C:\Program Files\Weflirt\weflirt.exe" [2007-10-25 15:53 6893568]
"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 52\axcmd.exe" [2007-12-22 09:09 221056]
"Odkurzacz-MCD"="C:\Program Files\Odkurzacz\odk_mcd.exe" [2008-03-03 14:44 266240]
"SetDefaultMIDI"="MIDIDef.exe" [2006-08-04 09:04 25600 C:\WINDOWS\MIDIDEF.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2006-09-07 19:19 15872]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"Copy handler"="C:\Program Files\Copy Handler\Copy Handler.exe" [2003-08-14 15:38 155136]
"CloneCDElbyCDFL"="C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" [2002-11-02 08:33 45056]
"QuickTime Task"="C:\WINDOWS\system32\qttask.exe" [2007-09-30 22:17 98304]
"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-03-23 12:06 888832]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 02:00 90112]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 16:57 153136]
"H2O"="C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe" [2005-12-18 15:18 307200]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 00:46 57344]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-11-23 21:51 1410304]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:44 15360]

C:\Documents and Settings\gucio\Menu Start\Programy\Autostart\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2008-01-29 21:17:48 557568]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 07:05:26 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 08:15:54 65588]
PowerMenu.lnk - C:\Program Files\PowerMenu\PowerMenu.exe [2007-09-30 19:14:17 57344]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoChangeKeyboardNavigationIndicators"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll
"msacm.iac2"= C:\PROGRA~1\ACEMEG~1\SystemS\Intel\iac25_32.ax
"msacm.sl_anet"= C:\PROGRA~1\ACEMEG~1\SystemS\sl_anet.acm
"vidc.yv12"= C:\PROGRA~1\ACEMEG~1\SystemS\ATI\atiyuv12.DLL
"vidc.divx"= C:\PROGRA~1\ACEMEG~1\SystemS\DivX\DivX520.dll
"vidc.iyuv"= C:\PROGRA~1\ACEMEG~1\SystemS\Intel\iyuv_32.dll
"vidc.yvu9"= C:\PROGRA~1\ACEMEG~1\SystemS\Intel\Iyvu9_32.dll
"vidc.uyvy"= C:\PROGRA~1\ACEMEG~1\SystemS\MICROS~1\msyuv.dll
"vidc.yuy2"= C:\PROGRA~1\ACEMEG~1\SystemS\MICROS~1\msyuv.dll
"vidc.yvyu"= C:\PROGRA~1\ACEMEG~1\SystemS\MICROS~1\msyuv.dll
"msacm.msaudio1"= C:\PROGRA~1\ACEMEG~1\SystemS\MICROS~1\msaud32.acm
"aux2"= ctwdm32.dll
"vidc.ffds"= ffdshow.ax
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\eMule\\eMule.exe"=
"C:\\Program Files\\BearShare\\BearShare.exe"=
"C:\\Program Files\\Gadu-Gadu\\gg.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=

R0 ElbyVCD;ElbyVCD;C:\WINDOWS\system32\DRIVERS\ElbyVCD.sys [2002-11-28 12:43]
R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2007-11-23 21:52]
R3 CLEDX;Team H2O CLEDX service;C:\WINDOWS\system32\DRIVERS\cledx.sys [2005-05-09 21:08]
S2 LiveUpdate Notice;LiveUpdate Notice;C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe []
S3 ctlsb16;Sterownik Creative SB16/AWE32/AWE64 (WDM);C:\WINDOWS\system32\drivers\ctlsb16.sys [2001-08-17 21:19]
S3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 00:08]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder
"2008-07-02 17:21:56 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-07-02 11:35:44 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-10 21:34:12
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-10 21:35:08
ComboFix-quarantined-files.txt 2008-07-10 19:34:55

Pre-Run: 70,556,221,440 bajtów wolnych
Post-Run: 70,540,193,792 bajtów wolnych

176

Kod: Zaznacz wszystko: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 21:36:41, on 2008-07-10 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe C:\Program Files\Copy Handler\Copy Handler.exe C:\WINDOWS\system32\qttask.exe C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Gadu-Gadu\gg.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\Weflirt\weflirt.exe C:\WINDOWS\system32\devldr32.exe C:\Program Files\PowerMenu\PowerMenu.exe C:\Program Files\MagicDisc\MagicDisc.exe C:\WINDOWS\explorer.exe C:\Documents and Settings\gucio\Pulpit\hijackthis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wp.pl/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza R3 - URLSearchHook: free-downloads.net Toolbar - {ecdee021-0d17-467f-a1ff-c7a115230949} - C:\Program Files\free-downloads.net\tbfre1.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll O2 - BHO: My Global Search Bar BHO - {37B85A21-692B-4205-9CAD-2626E4993404} - (no file) O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll O2 - BHO: free-downloads.net Toolbar - {ecdee021-0d17-467f-a1ff-c7a115230949} - C:\Program Files\free-downloads.net\tbfre1.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O3 - Toolbar: (no name) - {37B85A29-692B-4205-9CAD-2626E4993404} - (no file) O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll O3 - Toolbar: free-downloads.net Toolbar - {ecdee021-0d17-467f-a1ff-c7a115230949} - C:\Program Files\free-downloads.net\tbfre1.dll O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" O4 - HKLM\..\Run: [Copy handler] C:\Program Files\Copy Handler\Copy Handler.exe O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [Weflirt] "C:\Program Files\Weflirt\weflirt.exe" -background O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 52\axcmd.exe" /automount O4 - HKCU\..\Run: [Odkurzacz-MCD] C:\Program Files\Odkurzacz\odk_mcd.exe O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - S-1-5-18 Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe (User 'SYSTEM') O4 - .DEFAULT Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe (User 'Default user') O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Dane aplikacji\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O17 - HKLM\System\CCS\Services\Tcpip\..\{1C310A40-1CBB-4B9C-BAA9-61738A47CBE8}: NameServer = 85.255.115.93 85.255.112.181 O17 - HKLM\System\CCS\Services\Tcpip\..\{BC64A26B-BBB9-42F8-9383-37D3FB446361}: NameServer = 85.255.115.93,85.255.112.181 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.93 85.255.112.181 O17 - HKLM\System\CS2\Services\Tcpip\..\{1C310A40-1CBB-4B9C-BAA9-61738A47CBE8}: NameServer = 85.255.115.93 85.255.112.181 O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.115.93 85.255.112.181 O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing) O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: LiveUpdate Notice - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing) O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe -- End of file - 8111 bytes :?: [color=darkred][/color][size=18][/size][size=12][/size]

**Posty:** 3854 · przez **Dzi@dek** 10 Lip 2008, 22:35

Usuń w HJ:

Kod: Zaznacz wszystko: O2 - BHO: My Global Search Bar BHO - {37B85A21-692B-4205-9CAD-2626E4993404} - (no file) O3 - Toolbar: (no name) - {37B85A29-692B-4205-9CAD-2626E4993404} - (no file)

Zastosuj się do tematu:
http://forum.programosy.pl/bad-generic-host-process-for-win32-services-vt79489.html

oraz

http://forum.programosy.pl/specjalne-narzedzia-czyszczace-vt96631.html

i użyć

Aby to zrobić trzeba pobrać Program FixWareOut. Jego ikonka wygląda tak:

Nowe logi po zastosowaniu.

**Posty:** 17 · przez **gucio_one** 10 Lip 2008, 22:55

Zastosuj się do tematu:
http://forum.programosy.pl/bad-generic-host-process-for-win32-services-vt79489.html

Kwestia taka że RPC i Net Bios świecą na żółto (niby net bios może ) ale co z tym pierwszym??????

[ Dodano: Dzisiaj o 21:58 ]
A najgorsze to ze nie chce ściągnąć tej aktualizacji z e strony windows'a :cry:

[ Dodano: Dzisiaj o 22:49 ]
Spoko już wszystko si. Windows Worms Doors Cleaner świeci sie wszystko na zielono jak nie jestem podłączony do netu, jak sie podłącze to Net Bios pali się na żółto.
SmitfraudFix odpaliłem w awaryjnym i wykonałem krok po kroku. potem restart i skanowałem w normalnym trybie i sie zawieszał. Procek ciągle na 100%.
Poniżej zamieszcze logi

[ Dodano: Dzisiaj o 23:11 ]
daje logi
fixwareout - wpisy rejestru

Kod: Zaznacz wszystko: REGEDIT4 [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters] "NV Hostname"="gucio-aab08eba2" "DataBasePath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\ 33,32,5c,64,72,69,76,65,72,73,5c,65,74,63,00 "ForwardBroadcasts"=dword:00000000 "IPEnableRouter"=dword:00000000 "Domain"="" "Hostname"="gucio-aab08eba2" "SearchList"="" "UseDomainNameDevolution"=dword:00000001 "DeadGWDetectDefault"=dword:00000001 "DontAddDefaultGatewayDefault"=dword:00000000 "DisableIPSourceRouting.seconfig.delete"=dword:00000001 "DisableIPSourceRouting"=dword:00000002 "EnableDeadGWDetect.seconfig.delete"=dword:00000001 "EnableDeadGWDetect"=dword:00000000 "EnableICMPRedirect.seconfig.delete"=dword:00000001 "EnableICMPRedirect"=dword:00000000 "ReservedPorts.seconfig.delete"=dword:00000001 "ReservedPorts"=hex(7):31,30,32,35,2d,31,30,39,36,00,00 "StrictArpUpdate.seconfig.delete"=dword:00000001 "StrictArpUpdate"=dword:00000001 "QueryIpMatching.seconfig.delete"=dword:00000001 "QueryIpMatching"=dword:00000001 [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\Adapters] [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\Adapters\NdisWanIp] "LLInterface"="WANARP" "IpConfig"=hex(7):54,63,70,69,70,5c,50,61,72,61,6d,65,74,65,72,73,5c,49,6e,74,\ 65,72,66,61,63,65,73,5c,7b,39,39,34,39,41,30,44,30,2d,38,37,34,45,2d,34,39,\ 46,36,2d,41,32,41,33,2d,32,41,38,39,42,35,45,37,35,37,30,44,7d,00,54,63,70,\ 69,70,5c,50,61,72,61,6d,65,74,65,72,73,5c,49,6e,74,65,72,66,61,63,65,73,5c,\ 7b,45,35,38,38,36,37,33,30,2d,46,34,39,30,2d,34,30,34,38,2d,42,38,46,44,2d,\ 46,35,35,45,43,37,43,43,42,46,36,39,7d,00,54,63,70,69,70,5c,50,61,72,61,6d,\ 65,74,65,72,73,5c,49,6e,74,65,72,66,61,63,65,73,5c,7b,33,34,42,37,34,35,39,\ 36,2d,44,31,34,30,2d,34,38,41,44,2d,42,31,35,31,2d,35,42,39,31,39,30,37,38,\ 34,46,34,35,7d,00,54,63,70,69,70,5c,50,61,72,61,6d,65,74,65,72,73,5c,49,6e,\ 74,65,72,66,61,63,65,73,5c,7b,31,43,33,31,30,41,34,30,2d,31,43,42,42,2d,34,\ 42,39,43,2d,42,41,41,39,2d,36,31,37,33,38,41,34,37,43,42,45,38,7d,00,00 "NumInterfaces"=dword:00000004 "IpInterfaces"=hex:d0,a0,49,99,4e,87,f6,49,a2,a3,2a,89,b5,e7,57,0d,30,67,88,e5,\ 90,f4,48,40,b8,fd,f5,5e,c7,cc,bf,69,96,45,b7,34,40,d1,ad,48,b1,51,5b,91,90,\ 78,4f,45,40,0a,31,1c,bb,1c,9c,4b,ba,a9,61,73,8a,47,cb,e8 [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\Adapters\{BC64A26B-BBB9-42F8-9383-37D3FB446361}] "LLInterface"="" "IpConfig"=hex(7):54,63,70,69,70,5c,50,61,72,61,6d,65,74,65,72,73,5c,49,6e,74,\ 65,72,66,61,63,65,73,5c,7b,42,43,36,34,41,32,36,42,2d,42,42,42,39,2d,34,32,\ 46,38,2d,39,33,38,33,2d,33,37,44,33,46,42,34,34,36,33,36,31,7d,00,00 [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\DNSRegisteredAdapters] [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\Interfaces] [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\Interfaces\{1C310A40-1CBB-4B9C-BAA9-61738A47CBE8}] "UseZeroBroadcast"=dword:00000000 "EnableDHCP"=dword:00000000 "IPAddress"=hex(7):30,2e,30,2e,30,2e,30,00,00 "SubnetMask"=hex(7):30,2e,30,2e,30,2e,30,00,00 "DefaultGateway"=hex(7):00 "EnableDeadGWDetect"=dword:00000001 "DontAddDefaultGateway"=dword:00000000 "NTEContextList"=hex(7):00 "DhcpIPAddress"="0.0.0.0" "DhcpSubnetMask"="0.0.0.0" "DhcpClassIdBin"=hex: "Domain"="" "NameServer"="" "RegistrationEnabled"=dword:00000000 "RegisterAdapterName"=dword:00000000 "PerformRouterDiscovery.seconfig.delete"=dword:00000001 "PerformRouterDiscovery"=dword:00000000 [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\Interfaces\{34B74596-D140-48AD-B151-5B9190784F45}] "UseZeroBroadcast"=dword:00000000 "EnableDHCP"=dword:00000000 "IPAddress"=hex(7):30,2e,30,2e,30,2e,30,00,00 "SubnetMask"=hex(7):30,2e,30,2e,30,2e,30,00,00 "DefaultGateway"=hex(7):00 "EnableDeadGWDetect"=dword:00000001 "DontAddDefaultGateway"=dword:00000000 "PerformRouterDiscovery.seconfig.delete"=dword:00000001 "PerformRouterDiscovery"=dword:00000000 [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\Interfaces\{9949A0D0-874E-49F6-A2A3-2A89B5E7570D}] "UseZeroBroadcast"=dword:00000000 "EnableDHCP"=dword:00000000 "IPAddress"=hex(7):30,2e,30,2e,30,2e,30,00,00 "SubnetMask"=hex(7):30,2e,30,2e,30,2e,30,00,00 "DefaultGateway"=hex(7):00 "EnableDeadGWDetect"=dword:00000001 "DontAddDefaultGateway"=dword:00000000 "NameServer"="" "DhcpNameServer"="85.255.115.93,85.255.112.181" "Domain"="" "PerformRouterDiscovery.seconfig.delete"=dword:00000001 "PerformRouterDiscovery"=dword:00000000 [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\Interfaces\{BC64A26B-BBB9-42F8-9383-37D3FB446361}] "UseZeroBroadcast"=dword:00000000 "EnableDeadGWDetect"=dword:00000001 "EnableDHCP"=dword:00000000 "IPAddress"=hex(7):30,2e,30,2e,30,2e,30,00,00 "SubnetMask"=hex(7):32,35,35,2e,30,2e,30,2e,30,00,00 "DefaultGateway"=hex(7):00,00 "DefaultGatewayMetric"=hex(7):00 "NameServer"="" "Domain"="" "RegistrationEnabled"=dword:00000001 "RegisterAdapterName"=dword:00000001 "TCPAllowedPorts"=hex(7):30,00,00 "UDPAllowedPorts"=hex(7):30,00,00 "RawIPAllowedProtocols"=hex(7):30,00,00 "NTEContextList"=hex(7):30,78,30,30,30,30,30,30,30,32,00,00 "DhcpIPAddress"="0.0.0.0" "DhcpSubnetMask"="255.0.0.0" "PerformRouterDiscovery.seconfig.delete"=dword:00000001 "PerformRouterDiscovery"=dword:00000000 [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\Interfaces\{E5886730-F490-4048-B8FD-F55EC7CCBF69}] "UseZeroBroadcast"=dword:00000000 "EnableDHCP"=dword:00000000 "IPAddress"=hex(7):30,2e,30,2e,30,2e,30,00,00 "SubnetMask"=hex(7):30,2e,30,2e,30,2e,30,00,00 "DefaultGateway"=hex(7):00 "EnableDeadGWDetect"=dword:00000001 "DontAddDefaultGateway"=dword:00000000 "NTEContextList"=hex(7):00 "DhcpClassIdBin"=hex: "DhcpIPAddress"="0.0.0.0" "DhcpSubnetMask"="0.0.0.0" "Domain"="" "NameServer"="" "RegistrationEnabled"=dword:00000000 "RegisterAdapterName"=dword:00000000 "PerformRouterDiscovery.seconfig.delete"=dword:00000001 "PerformRouterDiscovery"=dword:00000000 [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\PersistentRoutes] [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\Winsock] "UseDelayedAcceptance"=dword:00000000 "HelperDllName"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,\ 6d,33,32,5c,77,73,68,74,63,70,69,70,2e,64,6c,6c,00 "MaxSockAddrLength"=dword:00000010 "MinSockAddrLength"=dword:00000010 "Mapping"=hex:0b,00,00,00,03,00,00,00,02,00,00,00,01,00,00,00,06,00,00,00,02,\ 00,00,00,01,00,00,00,00,00,00,00,02,00,00,00,00,00,00,00,06,00,00,00,00,00,\ 00,00,00,00,00,00,06,00,00,00,00,00,00,00,01,00,00,00,06,00,00,00,02,00,00,\ 00,02,00,00,00,11,00,00,00,02,00,00,00,02,00,00,00,00,00,00,00,02,00,00,00,\ 00,00,00,00,11,00,00,00,00,00,00,00,00,00,00,00,11,00,00,00,00,00,00,00,02,\ 00,00,00,11,00,00,00,02,00,00,00,03,00,00,00,00,00,00,00

[ Dodano: Dzisiaj o 23:13 ]
HJ

Kod: Zaznacz wszystko: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 00:12:16, on 2008-07-11 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Unlocker\UnlockerAssistant.exe C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe C:\Program Files\Copy Handler\Copy Handler.exe C:\WINDOWS\system32\qttask.exe C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Gadu-Gadu\gg.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\WINDOWS\system32\devldr32.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Documents and Settings\gucio\Pulpit\hijackthis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza R3 - URLSearchHook: free-downloads.net Toolbar - {ecdee021-0d17-467f-a1ff-c7a115230949} - C:\Program Files\free-downloads.net\tbfre1.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll O2 - BHO: free-downloads.net Toolbar - {ecdee021-0d17-467f-a1ff-c7a115230949} - C:\Program Files\free-downloads.net\tbfre1.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll O3 - Toolbar: free-downloads.net Toolbar - {ecdee021-0d17-467f-a1ff-c7a115230949} - C:\Program Files\free-downloads.net\tbfre1.dll O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" O4 - HKLM\..\Run: [Copy handler] C:\Program Files\Copy Handler\Copy Handler.exe O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [Weflirt] "C:\Program Files\Weflirt\weflirt.exe" -background O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 52\axcmd.exe" /automount O4 - HKCU\..\Run: [Odkurzacz-MCD] C:\Program Files\Odkurzacz\odk_mcd.exe O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - S-1-5-18 Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe (User 'SYSTEM') O4 - .DEFAULT Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe (User 'Default user') O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Dane aplikacji\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O17 - HKLM\System\CCS\Services\Tcpip\..\{1C310A40-1CBB-4B9C-BAA9-61738A47CBE8}: NameServer = 85.255.115.93 85.255.112.181 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.93 85.255.112.181 O17 - HKLM\System\CS2\Services\Tcpip\..\{1C310A40-1CBB-4B9C-BAA9-61738A47CBE8}: NameServer = 85.255.115.93 85.255.112.181 O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing) O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: LiveUpdate Notice - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing) O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe -- End of file - 7348 bytes

**Posty:** 84 · przez **gloni** 11 Lip 2008, 08:37

na fix w HijackThis w trybie awaryjnym

Kod: Zaznacz wszystko: Unknown O4 - HKCU\..\Run: [Weflirt] "C:\Program Files\Weflirt\weflirt.exe" -background O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Dane aplikacji\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html O17 - HKLM\System\CCS\Services\Tcpip\..\{1C310A40-1CBB-4B9C-BAA9-61738A47CBE8}: NameServer = 85.255.115.93 85.255.112.181 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.93 85.255.112.181 O17 - HKLM\System\CS2\Services\Tcpip\..\{1C310A40-1CBB-4B9C-BAA9-61738A47CBE8}: NameServer = 85.255.115.93 85.255.112.181

**Posty:** 18165 · przez **wojtas** 11 Lip 2008, 10:27

Proszę pamiętać o tym

http://forum.programosy.pl/przeczytaj-zanim-wstawisz-logi-na-forum-vt93842.html

**Posty:** 17 · przez **gucio_one** 11 Lip 2008, 15:13

na fix w HijackThis w trybie awaryjnym
Kod:
Unknown
O4 - HKCU\..\Run: [Weflirt] "C:\Program Files\Weflirt\weflirt.exe" -background
O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Dane aplikacji\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O17 - HKLM\System\CCS\Services\Tcpip\..\{1C310A40-1CBB-4B9C-BAA9-61738A47CBE8}: NameServer = 85.255.115.93 85.255.112.181
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.93 85.255.112.181
O17 - HKLM\System\CS2\Services\Tcpip\..\{1C310A40-1CBB-4B9C-BAA9-61738A47CBE8}: NameServer = 85.255.115.93 85.255.112.181

zrobiłem tak jak kazałeś

ale wyświetliło 04, 08 i te drugie 017 i te trzy skasowałem.
Te pierwsze 017 i trzecie wogóle nie było jak odpaliłem HJ

Myślę, że przez Mozille dużo rzeczy mi sie wtrynia do kompa bo mam NOD32 i jakoś daje rade. Są jakieś pluginy do niej???? Ogólnie mam NoScript ale jest do dupy, nawet pocztę mi blokuje.
Tak wogóle to mam tez jakiś problem z obrazem bo nie chce mi wyswietlac filmików na np .xvideos.com

Pozdro

**Posty:** 7956 · przez **Magik** 11 Lip 2008, 15:24

gucio_one napisał(a):Są jakieś pluginy do niej???? Ogólnie mam NoScript ale jest do dupy, nawet pocztę mi blokuje.

musisz dodac w no-script strone z poczta do zaufanych i tyle :!:

gucio_one napisał(a):Są jakieś pluginy do niej????

ad-block jeszcze :arrow:

gucio_one napisał(a):Myślę, że przez Mozille dużo rzeczy mi sie wtrynia

nie przez FF'a :arrow:

predzej czyjas nieuwage

Zainstaluj IE,a po tygodniu zrobisz format z pow

Tak wogóle to mam tez jakiś problem z obrazem bo nie chce mi wyswietlac filmików na np .xvideos.com

odu syfu

Plugin flashplayer masz zainstalowany :?:

jesli tak to analogicznie dodaj strone do zaufanych w no-script

**Posty:** 17 · przez **gucio_one** 11 Lip 2008, 15:48

Tak poza tym skanuje teraz komp NOD32 i wykrył 2 infekcje.
I co ciekawe że to są programy polecane na forum SDFix i SmitfraudFix

Ocb?????????????????

**Posty:** 8001 · przez **Okocza** 11 Lip 2008, 15:50

bo antywiry wykrywają je jako szkodniki, bo one na siłe wyłączają niektóre procesy. tzw killproces - nazywa sie to cos.

**Posty:** 17 · przez **gucio_one** 11 Lip 2008, 15:56

No dobra ale xvideos nadal nie chodzi mimo że ma flash playera 9 (instalki .pl)
a na stronce komunikat
You need to enable Javascript in your browser
........i najgorsze że mam włączona obsługe języka Java Script w FF

Paranoja

**Posty:** 7956 · przez **Magik** 11 Lip 2008, 16:01

You need to enable Javascript in your browser
........i najgorsze że mam włączona obsługe języka Java Script w FF Smile
Paranoja

wylacz no script'a na tej stronie

kliknij na jego ionce w FF'ie i zaznacz "nie blokuj z xvideos blabla

[ Dodano: Dzisiaj o 16:01 ]
BTW, obsluge amsz wlaczona?? a jave scignales??

**Posty:** 17 · przez **gucio_one** 11 Lip 2008, 16:12

No spoko wyłączyłem no script
Jave mam 1.6.0.
Nie wiem o co chodzi z tym BTW????

Tak poza tym to ciągle mi się wtrynia jakiś program skanujący ze strony winantiviruspro.net i pyta non stop o skanowamnie a ja odrzucam

Co robić????

**Posty:** 7956 · przez **Magik** 11 Lip 2008, 16:19

gucio_one napisał(a):No spoko wyłączyłem no script
Jave mam 1.6.0.
Nie wiem o co chodzi z tym BTW????

jave masz zainstalowana//oki wiec zapomnij o tym BTW

ale dalej jesli jest komunikat o javie, jest tam takze link na ktory klikniesz i pobierze Jave jako wtyke do FF'a :arrow:

http://securebrowsing.finjan.com/

masz to zainstalowane??
mcafee site adviser :arrow:

on kieruje an strone winativirus blabla

http://www.pcthreat.com/parasitebyid-6810en.html

pzreskanuj kompa
http://www.programosy.pl/program,avg-anti-spyware.html

i laskawie popraw ta nazwe tematu

**Posty:** 17 · przez **gucio_one** 11 Lip 2008, 16:36

pzreskanuj kompa
http://www.programosy.pl/program,avg-anti-spyware.html

500 Internal Server Error
takze nie moge pobrać w.w. programu

no a jave pobrałem i tema t zmieniłem

co dalej z ta męcząca strona, która wyskakuje?????

**Posty:** 8001 · przez **Okocza** 11 Lip 2008, 16:37

smitfraudfix z opcji 2
(sciagasz -> uruchamiasz-> klikasz dowolny klawisz -> wpisujesz w programie 2 i enter potem czekasz chwile -> gdy wyskoczy pytanie w programie Do you want to clean the registry ? to wpisujesz literke Y i znowu enter i czekasz do wyskoczenia raportu (znak ze skan dobiegł konca)

**Posty:** 3854 · przez **Dzi@dek** 11 Lip 2008, 16:39

emo Magik napisał(a):i laskawie popraw ta nazwe tematu

gucio_one napisał(a):i tema t zmieniłem

problem z kompem

Żartujesz sobie chyba.

**Posty:** 17 · przez **gucio_one** 11 Lip 2008, 17:07

Spoko AVG Anti Spyware mam na pokładzie

Tak java pomogła sa juz obrazki ale filmów nadal nie moge oglądać

Może to kodeki bo ostatnie przeinstalowywałem cały pakiet ACE Mega CoDecS Pack 6.03 Pro ????????

Macie coś lepszego?????

Żartujesz sobie chyba.

Może być????

**Posty:** 7956 · przez **Magik** 11 Lip 2008, 17:09

gucio_one napisał(a):Może być????

yes

gucio_one napisał(a):Może to kodeki bo ostatnie przeinstalowywałem cały pakiet ACE Mega CoDecS Pack 6.03 Pro ????????

te filmy w czym??

http://forum.programosy.pl/youtube-i-flash-vt84338.html?highlight=firefox+filmy

http://forum.programosy.pl/nie-dziaa-mi-gos-na-stronkach-typu-youtube-vt96982.html?highlight=youtube

**Posty:** 17 · przez **gucio_one** 12 Lip 2008, 10:17

Niby wszystko działa

Wyłączyłem zupełnie NoScripta i jest si.
Filmy na you tubie chodzą na full screenie ale nie w tym samym oknie tylko otwiera sie drugie

Ważne że działa

Jak macie fajne wtyki do ff 2.0.15 to zapodajcie coś :banan:

wirus, backdoor, robaki ??????????????

wirus, backdoor, robaki ??????????????

Kto jest na forum