
system alert and spyware

System security, virus removal, choosing antivirus software. Mandatory logs in this section: three from FRST + Gmer.


Post by BZIKU, 01 Nov 2007, 09:35

Hello, I've caught some nasty thing; NOD32 blocked it and moved it to quarantine, but every so often a strange icon in the tray shows me a "System Alert" and sends me to the page http://www.antivirgear.com/?aff=1012

Please check the logs so this filth can be removed.

HijackThis log
Code:
Logfile of HijackThis v1.99.1
Scan saved at 08:32:38, on 2007-11-01
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
E:\Programy\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Atheros\ACU.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Eset\nod32kui.exe
E:\Programy\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\DOCUME~1\BZIKU\USTAWI~1\Temp\RtkBtMnt.exe
C:\Program Files\Opera\Opera.exe
C:\WINDOWS\System32\svchost.exe
E:\Programy\Gadu-Gadu\gg.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\AntiVirGear 3.8\AntiVirGear 3.8.exe
C:\Documents and Settings\BZIKU\Pulpit\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Programy\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Programy\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Programy\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [ACU] "C:\Program Files\Atheros\ACU.exe" -nogui
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "E:\Programy\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [NSLauncher] C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O8 - Extra context menu item: Konwertuj do Adobe PDF - res://E:\Programy\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Konwertuj do istniejącego pliku PDF - res://E:\Programy\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Konwertuj miejsce docelowe łącza do Adobe PDF - res://E:\Programy\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Konwertuj miejsce docelowe łącza do istniejącego pliku PDF - res://E:\Programy\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Konwertuj wybrane łącza do Adobe PDF - res://E:\Programy\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Konwertuj wybrane łącza do istniejącego pliku PDF - res://E:\Programy\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Konwertuj zaznaczenie do Adobe PDF - res://E:\Programy\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Konwertuj zaznaczenie do istniejącego pliku PDF - res://E:\Programy\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{312F0791-6C9D-43CD-AF95-C6D59DC3B61B}: NameServer = 85.255.114.68,85.255.112.69
O17 - HKLM\System\CCS\Services\Tcpip\..\{3681FC86-5C90-4DA2-94B5-8A50A579F151}: NameServer = 85.255.114.68,85.255.112.69
O17 - HKLM\System\CCS\Services\Tcpip\..\{58536E4A-C6B2-4D5C-9924-77D1F1D6F51C}: NameServer = 85.255.114.68,85.255.112.69
O17 - HKLM\System\CCS\Services\Tcpip\..\{9959690E-7D26-417D-BBC9-1658CBB5CC5A}: NameServer = 85.255.114.68,85.255.112.69
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.68 85.255.112.69
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.68 85.255.112.69
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - E:\Programy\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe



Silent Runners with the "No" option

Code:
"Silent Runners.vbs", revision 48, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"PcSync" = "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog" ["Time Information Services Ltd."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"RTHDCPL" = "RTHDCPL.EXE" ["Realtek Semiconductor Corp."]
"Alcmtr" = "ALCMTR.EXE" ["Realtek Semiconductor Corp."]
"AzMixerSel" = "C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" ["Realtek Semiconductor Corp."]
"ACU" = ""C:\Program Files\Atheros\ACU.exe" -nogui" ["Atheros Communications, Inc."]
"SynTPEnh" = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" ["Sun Microsystems, Inc."]
"nod32kui" = ""C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE" ["Eset "]
"Acrobat Assistant 7.0" = ""E:\Programy\Acrobat 7.0\Distillr\Acrotray.exe"" ["Adobe Systems Inc."]
"(Default)" = (empty string)
"NSLauncher" = "C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "AcroIEHlprObj Class"
                   \InProcServer32\(Default) = "E:\Programy\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "SSVHelper Class"
                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
{AE7CD045-E861-484f-8273-0445EE161910}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "AcroIEToolbarHelper Class"
                   \InProcServer32\(Default) = "E:\Programy\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
                   \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "e:\Programy\WinRAR\rarext.dll" [null data]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
  -> {HKLM...CLSID} = "DesktopContext Class"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
  -> {HKLM...CLSID} = "NVIDIA CPL Extension"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
  -> {HKLM...CLSID} = "Desktop Explorer"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
  -> {HKLM...CLSID} = "nView Desktop Context Menu"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{2F603045-309F-11CF-9774-0020AFD0CFF6}" = "Synaptics Control Panel"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\Program Files\Synaptics\SynTP\SynTPCpl.dll" ["Synaptics, Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
  -> {HKLM...CLSID} = "RealOne Player Context Menu Class"
                   \InProcServer32\(Default) = "C:\Program Files\K-Lite Codec Pack\Real\rpshell.dll" ["RealNetworks, Inc."]
"{B089FE88-FB52-11D3-BDF1-0050DA34150D}" = "NOD32 Context Menu Shell Extension"
  -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
  -> {HKLM...CLSID} = "Portable Media Devices"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
  -> {HKLM...CLSID} = "Portable Media Devices Menu"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{e82a2d71-5b2f-43a0-97b8-81be15854de8}" = "ShellLink for Application References"
  -> {HKLM...CLSID} = "ShellLink for Application References"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\dfshim.dll" [MS]
"{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}" = "Shell Icon Handler for Application References"
  -> {HKLM...CLSID} = "Shell Icon Handler for Application References"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\dfshim.dll" [MS]
"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" = "Adobe.Acrobat.ContextMenu"
  -> {HKLM...CLSID} = "Acrobat Elements Context Menu"
                   \InProcServer32\(Default) = "E:\Programy\Acrobat 7.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"
  -> {HKLM...CLSID} = "AlcoholShellEx"
                   \InProcServer32\(Default) = "E:\Programy\ALCOHO~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]
"{416651E4-9C3C-11D9-8BDE-F66BAD1E3F3A}" = "PhoneBrowser"
  -> {HKLM...CLSID} = "Nokia Phone Browser"
                   \InProcServer32\(Default) = "C:\Program Files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll" ["Nokia"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
INFECTION WARNING! "{41591d7f-9e25-4bd0-af53-9908fcf3a738}" = "complacential"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\yneid.dll" [null data]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "kdndj.exe" [** WMI GetObject error **]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
  -> {HKLM...CLSID} = "PDF Shell Extension"
                   \InProcServer32\(Default) = "E:\Programy\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Adobe.Acrobat.ContextMenu\(Default) = "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"
  -> {HKLM...CLSID} = "Acrobat Elements Context Menu"
                   \InProcServer32\(Default) = "E:\Programy\Acrobat 7.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"
  -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]
VIDEOTRANS\(Default) = "{C8CA0A66-AF32-4D5E-879E-F0809ACEDC55}"
  -> {HKLM...CLSID} = "AmvTransform Class"
                   \InProcServer32\(Default) = "C:\Program Files\MP3 Player Utilities 3.5.02\AMVTools\AmvTransform.dll" [empty string]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "e:\Programy\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "e:\Programy\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"
  -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "e:\Programy\WinRAR\rarext.dll" [null data]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\BZIKU\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"


Startup items in "BZIKU" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"Adobe Acrobat Speed Launcher" -> shortcut to: "C:\WINDOWS\Installer\{AC76BA86-1033-C740-7760-100000000002}\SC_Acrobat.exe" [null data]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\WINDOWS\system32\imon.dll ["Eset "], 01 - 05, 11
%SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 12 - 21
%SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}"
  -> {HKLM...CLSID} = "Adobe PDF"
                   \InProcServer32\(Default) = "E:\Programy\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" = (no title provided)
  -> {HKLM...CLSID} = "Adobe PDF"
                   \InProcServer32\(Default) = "E:\Programy\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{182EC0BE-5110-49C8-A062-BEB1D02A220B}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Adobe PDF"
                   \InProcServer32\(Default) = "E:\Programy\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"
  -> {HKCU...CLSID} = "Java Plug-in"
                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
  -> {HKLM...CLSID} = "Java Plug-in 1.5.0_06"
                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Atheros Configuration Service, ACS, "C:\WINDOWS\system32\acs.exe" [null data]
HTTP SSL, HTTPFilter, "C:\WINDOWS\System32\svchost.exe -k HTTPFilter" {"C:\WINDOWS\System32\w3ssl.dll" [MS]}
NOD32 Kernel Service, NOD32krn, ""C:\Program Files\Eset\nod32krn.exe"" ["Eset "]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
ServiceLayer, ServiceLayer, ""C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe"" ["Nokia."]
StarWind iSCSI Service, StarWindService, "E:\Programy\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe" ["Rocket Division Software"]
Sunbelt Kerio Personal Firewall 4, KPF4, ""C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe"" ["Sunbelt Software"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Adobe PDF Port\Driver = "C:\WINDOWS\system32\AdobePDF.dll" ["Adobe Systems Incorporated."]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
  took 20 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
  took 8 seconds.
---------- (total run time: 51 seconds)

As for the master, I won't comment - I only play on people's nerves perfectly and I'm a master at p....ing people off © by Kahoona





Post by Red, 01 Nov 2007, 09:54

To remove:

O17 - HKLM\System\CCS\Services\Tcpip\..\{312F0791-6C9D-43CD-AF95-C6D59DC3B61B}: NameServer = 85.255.114.68,85.255.112.69
O17 - HKLM\System\CCS\Services\Tcpip\..\{3681FC86-5C90-4DA2-94B5-8A50A579F151}: NameServer = 85.255.114.68,85.255.112.69
O17 - HKLM\System\CCS\Services\Tcpip\..\{58536E4A-C6B2-4D5C-9924-77D1F1D6F51C}: NameServer = 85.255.114.68,85.255.112.69
O17 - HKLM\System\CCS\Services\Tcpip\..\{9959690E-7D26-417D-BBC9-1658CBB5CC5A}: NameServer = 85.255.114.68,85.255.112.69
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.68 85.255.112.69
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.68 85.255.112.69


Additionally, remove manually:

C:\Program Files\AntiVirGear 3.8\AntiVirGear 3.8.exe
C:\WINDOWS\system32\yneid.dll
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "kdndj.exe"


and apply:

http://downloads.subratam.org/Fixwareout.exe
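The O17 lines Red lists are the telltale of a DNS hijack: the same two public resolvers are forced on every interface GUID and in both control sets, so every lookup on the machine goes through servers the user never configured. The Python below is an added example (not from the thread or from HijackThis) that parses O17 lines in both shapes HijackThis emits, flags resolvers outside an operator-supplied trusted list, and summarises how widely the override was applied; the sample lines are copied from the thread's log except the benign 192.168.1.1 line and its GUID, which are constructed.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: one non-O17 line for contrast, the two O17 shapes seen in the
# thread (interface GUID key with comma-separated servers, Tcpip\Parameters with
# space-separated servers), and a constructed benign line pointing at a LAN router.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O17 - HKLM\System\CCS\Services\Tcpip\..\{312F0791-6C9D-43CD-AF95-C6D59DC3B61B}: NameServer = 85.255.114.68,85.255.112.69
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.68 85.255.112.69
O17 - HKLM\System\CCS\Services\Tcpip\..\{AAAAAAAA-0000-0000-0000-000000000000}: NameServer = 192.168.1.1
"""

# Resolvers the operator expects to see (assumption: RFC 1918 ranges, i.e. a LAN
# router or DHCP-assigned resolver). Add the ISP's resolver ranges here in practice.
TRUSTED_RESOLVERS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

# HijackThis O17 line: "O17 - <registry key>: NameServer = <servers>"
O17_RE = re.compile(r"^O17 - (?P<key>HKLM\\System\\\S+?): NameServer = (?P<servers>.+)$")
# Control set the key lives in (CCS = CurrentControlSet, CS1 = ControlSet001, ...)
CONTROL_SET_RE = re.compile(r"HKLM\\System\\(CCS|CS\d+)\\")


def parse_o17(line):
    """Return (registry_key, [servers]) for an O17 line, or None for any other line.

    HijackThis separates multiple servers with a comma (per-interface keys) or a
    space (Tcpip\\Parameters), so both separators are accepted.
    """
    m = O17_RE.match(line.strip())
    if not m:
        return None
    servers = [s for s in re.split(r"[,\s]+", m.group("servers").strip()) if s]
    return m.group("key"), servers


def audit_nameservers(log_text, trusted):
    """Flag every O17 resolver that is not inside one of the trusted networks.

    Returns a list of (registry_key, server, verdict) tuples.
    """
    trusted_nets = [ip_network(t, strict=False) for t in trusted]
    findings = []
    for line in log_text.splitlines():
        parsed = parse_o17(line)
        if parsed is None:
            continue
        key, servers = parsed
        for server in servers:
            try:
                addr = ip_address(server)
            except ValueError:
                findings.append((key, server, "unparseable"))
                continue
            if any(addr in net for net in trusted_nets):
                continue
            findings.append((key, server, "untrusted public resolver"))
    return findings


def summarize(findings):
    """Collapse findings into the distinct rogue resolvers and their spread.

    A hijack that touches several interface GUIDs and more than one control set
    (as in the thread) shows up as keys_affected > 1 and multiple control_sets.
    """
    rogue = sorted({srv for _, srv, verdict in findings if verdict != "unparseable"})
    keys = {key for key, _, _ in findings}
    control_sets = set()
    for key in keys:
        m = CONTROL_SET_RE.search(key)
        if m:
            control_sets.add(m.group(1))
    return {
        "rogue_resolvers": rogue,
        "keys_affected": len(keys),
        "control_sets": sorted(control_sets),
    }


if __name__ == "__main__":
    results = audit_nameservers(SAMPLE_LOG, TRUSTED_RESOLVERS)
    for key, server, verdict in results:
        print(f"{verdict}: {server} in {key}")
    print(summarize(results))
```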



Post by BZIKU, 01 Nov 2007, 10:16

Recommendations carried out....
HJ
Code:
Logfile of HijackThis v1.99.1
Scan saved at 09:13:03, on 2007-11-01
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Atheros\ACU.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Eset\nod32kui.exe
E:\Programy\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
E:\Programy\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\DOCUME~1\BZIKU\USTAWI~1\Temp\RtkBtMnt.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
E:\Programy\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Opera\Opera.exe
C:\Documents and Settings\BZIKU\Pulpit\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Programy\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Programy\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Programy\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [ACU] "C:\Program Files\Atheros\ACU.exe" -nogui
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "E:\Programy\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [NSLauncher] C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O8 - Extra context menu item: Konwertuj do Adobe PDF - res://E:\Programy\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Konwertuj do istniejącego pliku PDF - res://E:\Programy\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Konwertuj miejsce docelowe łącza do Adobe PDF - res://E:\Programy\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Konwertuj miejsce docelowe łącza do istniejącego pliku PDF - res://E:\Programy\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Konwertuj wybrane łącza do Adobe PDF - res://E:\Programy\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Konwertuj wybrane łącza do istniejącego pliku PDF - res://E:\Programy\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Konwertuj zaznaczenie do Adobe PDF - res://E:\Programy\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Konwertuj zaznaczenie do istniejącego pliku PDF - res://E:\Programy\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - E:\Programy\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe



SR, "No" option

Code:
"Silent Runners.vbs", revision 48, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"PcSync" = "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog" ["Time Information Services Ltd."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"RTHDCPL" = "RTHDCPL.EXE" ["Realtek Semiconductor Corp."]
"Alcmtr" = "ALCMTR.EXE" ["Realtek Semiconductor Corp."]
"AzMixerSel" = "C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" ["Realtek Semiconductor Corp."]
"ACU" = ""C:\Program Files\Atheros\ACU.exe" -nogui" ["Atheros Communications, Inc."]
"SynTPEnh" = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" ["Sun Microsystems, Inc."]
"nod32kui" = ""C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE" ["Eset "]
"Acrobat Assistant 7.0" = ""E:\Programy\Acrobat 7.0\Distillr\Acrotray.exe"" ["Adobe Systems Inc."]
"(Default)" = (empty string)
"NSLauncher" = "C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "AcroIEHlprObj Class"
                   \InProcServer32\(Default) = "E:\Programy\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "SSVHelper Class"
                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
{AE7CD045-E861-484f-8273-0445EE161910}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "AcroIEToolbarHelper Class"
                   \InProcServer32\(Default) = "E:\Programy\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
                   \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "e:\Programy\WinRAR\rarext.dll" [null data]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
  -> {HKLM...CLSID} = "DesktopContext Class"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
  -> {HKLM...CLSID} = "NVIDIA CPL Extension"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
  -> {HKLM...CLSID} = "Desktop Explorer"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
  -> {HKLM...CLSID} = "nView Desktop Context Menu"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{2F603045-309F-11CF-9774-0020AFD0CFF6}" = "Synaptics Control Panel"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\Program Files\Synaptics\SynTP\SynTPCpl.dll" ["Synaptics, Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
  -> {HKLM...CLSID} = "RealOne Player Context Menu Class"
                   \InProcServer32\(Default) = "C:\Program Files\K-Lite Codec Pack\Real\rpshell.dll" ["RealNetworks, Inc."]
"{B089FE88-FB52-11D3-BDF1-0050DA34150D}" = "NOD32 Context Menu Shell Extension"
  -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
  -> {HKLM...CLSID} = "Portable Media Devices"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
  -> {HKLM...CLSID} = "Portable Media Devices Menu"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{e82a2d71-5b2f-43a0-97b8-81be15854de8}" = "ShellLink for Application References"
  -> {HKLM...CLSID} = "ShellLink for Application References"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\dfshim.dll" [MS]
"{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}" = "Shell Icon Handler for Application References"
  -> {HKLM...CLSID} = "Shell Icon Handler for Application References"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\dfshim.dll" [MS]
"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" = "Adobe.Acrobat.ContextMenu"
  -> {HKLM...CLSID} = "Acrobat Elements Context Menu"
                   \InProcServer32\(Default) = "E:\Programy\Acrobat 7.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"
  -> {HKLM...CLSID} = "AlcoholShellEx"
                   \InProcServer32\(Default) = "E:\Programy\ALCOHO~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]
"{416651E4-9C3C-11D9-8BDE-F66BAD1E3F3A}" = "PhoneBrowser"
  -> {HKLM...CLSID} = "Nokia Phone Browser"
                   \InProcServer32\(Default) = "C:\Program Files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll" ["Nokia"]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
  -> {HKLM...CLSID} = "PDF Shell Extension"
                   \InProcServer32\(Default) = "E:\Programy\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Adobe.Acrobat.ContextMenu\(Default) = "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"
  -> {HKLM...CLSID} = "Acrobat Elements Context Menu"
                   \InProcServer32\(Default) = "E:\Programy\Acrobat 7.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"
  -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]
VIDEOTRANS\(Default) = "{C8CA0A66-AF32-4D5E-879E-F0809ACEDC55}"
  -> {HKLM...CLSID} = "AmvTransform Class"
                   \InProcServer32\(Default) = "C:\Program Files\MP3 Player Utilities 3.5.02\AMVTools\AmvTransform.dll" [empty string]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "e:\Programy\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "e:\Programy\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"
  -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "e:\Programy\WinRAR\rarext.dll" [null data]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\BZIKU\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"


Startup items in "BZIKU" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"Adobe Acrobat Speed Launcher" -> shortcut to: "C:\WINDOWS\Installer\{AC76BA86-1033-C740-7760-100000000002}\SC_Acrobat.exe" [null data]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\WINDOWS\system32\imon.dll ["Eset "], 01 - 05, 11
%SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 12 - 21
%SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}"
  -> {HKLM...CLSID} = "Adobe PDF"
                   \InProcServer32\(Default) = "E:\Programy\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" = (no title provided)
  -> {HKLM...CLSID} = "Adobe PDF"
                   \InProcServer32\(Default) = "E:\Programy\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{182EC0BE-5110-49C8-A062-BEB1D02A220B}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Adobe PDF"
                   \InProcServer32\(Default) = "E:\Programy\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"
  -> {HKCU...CLSID} = "Java Plug-in"
                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
  -> {HKLM...CLSID} = "Java Plug-in 1.5.0_06"
                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Atheros Configuration Service, ACS, "C:\WINDOWS\system32\acs.exe" [null data]
NOD32 Kernel Service, NOD32krn, ""C:\Program Files\Eset\nod32krn.exe"" ["Eset "]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
ServiceLayer, ServiceLayer, ""C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe"" ["Nokia."]
StarWind iSCSI Service, StarWindService, "E:\Programy\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe" ["Rocket Division Software"]
Sunbelt Kerio Personal Firewall 4, KPF4, ""C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe"" ["Sunbelt Software"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Adobe PDF Port\Driver = "C:\WINDOWS\system32\AdobePDF.dll" ["Adobe Systems Incorporated."]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
  took 19 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
  took 8 seconds.
---------- (total run time: 44 seconds)



Red wrote: and also run:


Code:
Username "BZIKU" - 2007-11-01  9:02:09 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check
HKLM\SOFTWARE\~\Winlogon\ "System"="kdndj.exe"

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{312F0791-6C9D-43CD-AF95-C6D59DC3B61B}
"DhcpNameServer"="85.255.114.68,85.255.112.69" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{3681FC86-5C90-4DA2-94B5-8A50A579F151}
"DhcpNameServer"="85.255.114.68,85.255.112.69" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{58536E4A-C6B2-4D5C-9924-77D1F1D6F51C}
"DhcpNameServer"="85.255.114.68,85.255.112.69" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{9959690E-7D26-417D-BBC9-1658CBB5CC5A}
"DhcpNameServer"="85.255.114.68,85.255.112.69" <Value cleared.

Pomyślnie opróżniono pamięć podręczną programu rozpoznawania nazw DNS.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....
~~~~~ Other
C:\WINDOWS\Temp\kdndj.ren 72263 2004-08-03

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"RTHDCPL"="RTHDCPL.EXE"
"Alcmtr"="ALCMTR.EXE"
"AzMixerSel"="C:\\Program Files\\Realtek\\InstallShield\\AzMixerSel.exe"
"ACU"=""C:\\Program Files\\Atheros\\ACU.exe" -nogui"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"nod32kui"=""C:\\Program Files\\Eset\\nod32kui.exe" /WAITSERVICE"
"Acrobat Assistant 7.0"=""E:\\Programy\\Acrobat 7.0\\Distillr\\Acrotray.exe""
"NSLauncher"="C:\\Program Files\\Nokia\\Nokia Software Launcher\\NSLauncher.exe /startup"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PcSync"="C:\\Program Files\\Nokia\\Nokia PC Suite 6\\PcSync2.exe /NoDialog"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~
As for the master I have no comment, I just play on people's nerves perfectly and am a master at pi....ng people off ©by Kahoona
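The Fixwareout log above records the two changes worth checking for on any other machine showing the same "System Alert" symptom: the Winlogon "System" value pointing at an unexpected executable (kdndj.exe here) and every network interface's DhcpNameServer rewritten to 85.255.114.68 and 85.255.112.69, resolvers the ISP never handed out. The Python script below is an added example, not part of the original thread and not code from Fixwareout, SDFix or any other tool used in it. It parses a .reg-style export of the Winlogon key and the TCP/IP interface keys (the sample embedded in the script is constructed to mirror the values seen in the log) and flags both indicators. The set of expected resolvers is an assumption: here it is the two ISP servers that the SmitFraudFix DNS section further down reports after the cleanup, and on another network it must be replaced with that network's own resolvers.

```python
import ipaddress
import re

# Constructed sample of a `reg export`-style dump (made up for this example,
# not data taken from the machine in the thread). The first interface carries
# the rogue resolvers the Fixwareout log cleared, the second the legitimate
# ISP resolvers the SmitFraudFix log shows after the fix.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"System"="kdndj.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{312F0791-6C9D-43CD-AF95-C6D59DC3B61B}]
"DhcpNameServer"="85.255.114.68,85.255.112.69"
"NameServer"=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3681FC86-5C90-4DA2-94B5-8A50A579F151}]
"DhcpNameServer"="194.204.159.1 217.98.63.164"
"NameServer"=""
"""

# Assumption: the resolvers this network is expected to use (the two ISP
# servers reported by SmitFraudFix in the thread). Adjust per network.
EXPECTED_RESOLVERS = {"194.204.159.1", "217.98.63.164"}

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
INTERFACES_PREFIX = (
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces" + "\\"
)

_KEY_RE = re.compile(r"^\[(.+)\]$")
_SZ_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text):
    """Parse the REG_SZ values of a .reg export into {key: {name: value}}.
    Only string values matter for these checks; other value types are skipped."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _SZ_RE.match(line)
        if m and current is not None:
            # .reg files escape backslashes and double quotes inside values
            keys[current][m.group(1)] = m.group(2).replace('\\\\', '\\').replace('\\"', '"')
    return keys


def _values_for(keys, wanted):
    """Registry key names are case-insensitive, so compare them that way."""
    for key, values in keys.items():
        if key.lower() == wanted.lower():
            return values
    return {}


def _split_resolvers(value):
    """DhcpNameServer is space-separated on a live system; some tool logs print
    commas instead, so accept both separators."""
    return [s for s in re.split(r"[ ,]+", value.strip()) if s]


def check_winlogon(keys):
    """Flag the Winlogon values this infection rewrote. On a clean XP system
    'Shell' is Explorer.exe and 'System' is empty or absent."""
    findings = []
    values = {k.lower(): v for k, v in _values_for(keys, WINLOGON_KEY).items()}
    system = values.get("system", "")
    if system:
        findings.append(("winlogon", "System", system))
    shell = values.get("shell", "Explorer.exe")
    if shell.lower() != "explorer.exe":
        findings.append(("winlogon", "Shell", shell))
    return findings


def check_dns(keys, expected=EXPECTED_RESOLVERS):
    """Flag every interface whose DHCP-supplied or static resolver list contains
    an address outside the expected set, or an entry that is not an IPv4 address."""
    findings = []
    for key, values in keys.items():
        if not key.lower().startswith(INTERFACES_PREFIX.lower()):
            continue
        iface = key[len(INTERFACES_PREFIX):]
        for name in ("DhcpNameServer", "NameServer"):
            for server in _split_resolvers(values.get(name, "")):
                try:
                    ipaddress.IPv4Address(server)
                except ValueError:
                    findings.append(("dns", iface, name, server))
                    continue
                if server not in expected:
                    findings.append(("dns", iface, name, server))
    return findings


def triage(text, expected=EXPECTED_RESOLVERS):
    """Run both checks over a .reg export and return the combined findings."""
    keys = parse_reg_export(text)
    return check_winlogon(keys) + check_dns(keys, expected)


if __name__ == "__main__":
    for finding in triage(SAMPLE_REG_EXPORT):
        print(finding)
```

On a real XP machine the input comes from `reg export` of the two keys; reg.exe writes its export as UTF-16, so read the file with `open(path, encoding="utf-16").read()` before passing it to `triage`. A finding on DhcpNameServer is the more reliable of the two signals, because the DHCP-assigned value is written by the TCP/IP stack and should always match what the router or ISP actually hands out.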



Post by Red 01 Nov 2007, 10:53

System was rebooted successfully.




Post by BZIKU 01 Nov 2007, 10:58

Image



Post by Kuba1 01 Nov 2007, 11:58

Bziku, do the following:

Download the SDFix tool


*Double-click the SDFix.exe icon; the program extracts by default to C:\SDFix

*Enter Safe Mode with Networking:
>>>>>>How to enter Safe Mode with Networking?

*Press F8 while the system boots.
*Or use the BootSafe.exe tool: select the Safe Mode - Networking option and click Reboot

*Once in Safe Mode, open the SDFix folder and start the tool by double-clicking
the RunThis.bat file with the left mouse button.

*Press Y, which starts the removal process

*When the removal process finishes, press any key >> the system will restart.

*After the restart SDFix finishes the removal; when the word Finished appears in the SDFix window,
press any key, the tool will exit and the desktop icons will load.

*Open the SDFix folder, copy the contents of the Report.txt text file and paste it on the forum



Then run SmitFraudFix with option no. 2 in Safe Mode.

Then run ComboFix

Post the SDFix and SmitFraudFix reports and the ComboFix log.



Post by BZIKU 01 Nov 2007, 13:00

On a laptop you enter and leave Safe Mode a bit differently, but I managed ;)
logs:

catchme
catchme 0.3.1253 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-01 11:31:44
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg40]
"ujdew"=hex:20,02,00,00,86,d2,dc,71,8e,b6,59,1f,42,9f,9c,9b,9b,e9,03,f2,46,..
"ljej40"=hex:d7,43,2e,ee,fd,c3,8a,ef,ed,b5,14,86,d2,80,20,0d,52,61,a7,c6,ea,..

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E9F81423-211E-46B6-9AE0-38568BC5CF6F}]
"DisplayName"="Alcohol 120%"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\A\1\5\1c]
"Order"=hex:08,00,00,00,02,00,00,00,b8,01,00,00,01,00,00,00,04,00,00,00,8c,..

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0



SDFix
SDFix: Version 1.113

Run by BZIKU on 2007-11-01 at 11:26

Microsoft Windows XP [Wersja 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

No Trojan Files Found




Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1253 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-01 11:31:44
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg40]
"ujdew"=hex:20,02,00,00,86,d2,dc,71,8e,b6,59,1f,42,9f,9c,9b,9b,e9,03,f2,46,..
"ljej40"=hex:d7,43,2e,ee,fd,c3,8a,ef,ed,b5,14,86,d2,80,20,0d,52,61,a7,c6,ea,..

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E9F81423-211E-46B6-9AE0-38568BC5CF6F}]
"DisplayName"="Alcohol 120%"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\A\1\5\1c]
"Order"=hex:08,00,00,00,02,00,00,00,b8,01,00,00,01,00,00,00,04,00,00,00,8c,..

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Sunbelt Software\\Personal Firewall\\kpf4gui.exe"="C:\\Program Files\\Sunbelt Software\\Personal Firewall\\kpf4gui.exe:*:Enabled:Sunbelt Kerio Firewall GUI"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------


Files with Hidden Attributes:


Finished!


SmitFraudFix option no. 2
SmitFraudFix v2.246

Scan done at 11:37:49,68, 2007-11-01
Run from C:\Documents and Settings\BZIKU\Pulpit\SmitfraudFix
OS: Microsoft Windows XP [Wersja 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{41591d7f-9e25-4bd0-af53-9908fcf3a738}"="complacential"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\DOCUME~1\BZIKU\Ulubione\Online Security Test.url Deleted
C:\Program Files\Video Add-on\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Atheros AR5005G Wireless Network Adapter - Sterownik miniport Harmonogramu pakietów
DNS Server Search Order: 194.204.159.1
DNS Server Search Order: 217.98.63.164

HKLM\SYSTEM\CCS\Services\Tcpip\..\{3681FC86-5C90-4DA2-94B5-8A50A579F151}: DhcpNameServer=194.204.159.1 217.98.63.164
HKLM\SYSTEM\CS1\Services\Tcpip\..\{3681FC86-5C90-4DA2-94B5-8A50A579F151}: DhcpNameServer=194.204.159.1 217.98.63.164
HKLM\SYSTEM\CS2\Services\Tcpip\..\{3681FC86-5C90-4DA2-94B5-8A50A579F151}: DhcpNameServer=194.204.159.1 217.98.63.164
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=194.204.159.1 217.98.63.164
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=194.204.159.1 217.98.63.164
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=194.204.159.1 217.98.63.164


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{41591d7f-9e25-4bd0-af53-9908fcf3a738}"="complacential"



»»»»»»»»»»»»»»»»»»»»»»»» End



ComboFix
ComboFix 07-11-01.1 - BZIKU 2007-11-01 11:43:06.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.563 [GMT 1:00]
Running from: C:\Documents and Settings\BZIKU\Pulpit\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-10-01 to 2007-11-01 )))))))))))))))))))))))))))))))
.

2007-11-01 11:41 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-01 11:37 1,914 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-01 11:26 <DIR> d-------- C:\WINDOWS\ERUNT
2007-11-01 07:59 <DIR> d-a------ C:\Documents and Settings\All Users\Dane aplikacji\TEMP
2007-11-01 07:58 <DIR> d-------- C:\Program Files\EZVideo
2007-10-28 21:36 <DIR> d-------- C:\Program Files\Common Files\Nokia
2007-10-28 21:36 <DIR> d-------- C:\Documents and Settings\BZIKU\Dane aplikacji\PC Suite
2007-10-28 21:36 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\PC Suite
2007-10-28 21:36 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Downloaded Installations
2007-10-28 21:36 50,688 --a------ C:\WINDOWS\system32\nmwcdcls.dll
2007-10-28 21:35 <DIR> d-------- C:\Program Files\Nokia
2007-10-28 21:35 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2007-10-28 15:41 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys
2007-10-28 15:41 59,264 --a--c--- C:\WINDOWS\system32\dllcache\usbaudio.sys
2007-10-28 15:41 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-10-28 15:41 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2007-10-22 20:47 <DIR> d-------- C:\WINDOWS\V38S
2007-10-22 20:47 <DIR> d-------- C:\Program Files\PMP DV
2007-10-22 20:47 50,976 --a------ C:\WINDOWS\system32\drivers\CoachUsb.sys
2007-10-22 20:47 49,152 --a------ C:\WINDOWS\system32\CoachWia.dll
2007-10-22 20:47 44,256 --a------ C:\WINDOWS\system32\drivers\CoachVc.sys
2007-10-22 20:47 16,896 --a------ C:\WINDOWS\system32\CoachDlg.dll
2007-10-22 20:47 10,368 --a------ C:\WINDOWS\system32\drivers\CoachAud.sys
2007-10-22 20:47 8,192 --a------ C:\WINDOWS\system32\CoachWrp.dll
2007-10-13 19:48 <DIR> d-------- C:\Program Files\MP3 Player Utilities 3.5.02
2007-10-13 19:47 <DIR> d-------- C:\Documents and Settings\BZIKU\WINDOWS
2007-10-12 23:30 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\muvee Technologies
2007-10-10 20:17 <DIR> d-------- C:\Documents and Settings\BZIKU\Dane aplikacji\vlc
2007-10-10 20:14 <DIR> d-------- C:\Program Files\VideoLAN
2007-10-02 23:15 <DIR> d-------- C:\Program Files\Common Files\EZB Systems

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-01 06:58 12,800 --s-a-w C:\WINDOWS\system32\yneid.dll
2007-10-28 20:45 --------- d-----w C:\Program Files\Opera
2007-10-28 20:37 --------- d-----w C:\Program Files\DIFX
2007-10-22 19:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-09-24 20:28 --------- d-----w C:\Documents and Settings\BZIKU\Dane aplikacji\fltk.org
2007-09-19 16:05 --------- d-----w C:\Program Files\Comodo
2007-09-19 16:02 --------- d-----w C:\Documents and Settings\BZIKU\Dane aplikacji\Comodo
2007-09-19 16:02 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Comodo
2007-09-05 20:00 --------- d-----w C:\Documents and Settings\BZIKU\Dane aplikacji\AdobeUM
2007-09-05 19:55 --------- d-----w C:\Program Files\Common Files\Adobe
2007-09-02 19:00 --------- d-----w C:\Program Files\Sunbelt Software
2007-08-21 17:31 270,336 ----a-w C:\WINDOWS\system32\imon.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-07-20 19:58]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-07-20 19:58]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-21 16:56 C:\WINDOWS\RTHDCPL.exe]
"AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [2005-06-11 19:51]
"ACU"="C:\Program Files\Atheros\ACU.exe" [2005-01-31 07:05]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-05-25 19:02]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 09:50]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 12:03]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-08-21 18:31]
"Acrobat Assistant 7.0"="E:\Programy\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 10:12]
"NSLauncher"="C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe" [2006-11-28 01:12]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-06-27 16:21]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
SkyTel.EXE

R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys
R1 khips;Kerio HIPS Driver;C:\WINDOWS\system32\drivers\khips.sys
R3 nvsmu;nvsmu;C:\WINDOWS\system32\DRIVERS\nvsmu.sys
S3 ISODrive;ISO CD-ROM Device Driver;\??\E:\Programy\UltraISO\drivers\ISODrive.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - I:\Setup.EXE

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-01 11:46:20
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-01 11:47:41
.
--- E O F ---



Post by Kuba1 01 Nov 2007, 13:06

C:\WINDOWS\system32\yneid.dll


Scan this file at www.virustotal.com and paste the report.

And come back with the ComboFix log.



Post by BZIKU 01 Nov 2007, 13:30

Kuba1 wrote: and paste the report.


VirusTotal - Suspicious file scanner - Results
File yneid.dll received 2007.11.01 12:08:35 (CET)
Current status: finished
Result: 1/32 (3.13%)
Antivirus  Version  Last update  Result
AhnLab-V3 2007.11.1.1 2007.11.01 -
AntiVir 7.6.0.30 2007.11.01 -
Authentium 4.93.8 2007.10.31 -
Avast 4.7.1074.0 2007.10.31 -
AVG 7.5.0.503 2007.11.01 -
BitDefender 7.2 2007.11.01 -
CAT-QuickHeal 9.00 2007.10.31 -
ClamAV 0.91.2 2007.11.01 -
DrWeb 4.44.0.09170 2007.11.01 -
eSafe 7.0.15.0 2007.10.28 -
eTrust-Vet 31.2.5259 2007.11.01 -
Ewido 4.0 2007.10.31 -
FileAdvisor 1 2007.11.01 -
Fortinet 3.11.0.0 2007.10.19 -
F-Prot 4.3.2.48 2007.10.31 -
F-Secure 6.70.13030.0 2007.11.01 -
Ikarus T3.1.1.12 2007.11.01 -
Kaspersky 7.0.0.125 2007.11.01 -
McAfee 5153 2007.10.31 FakeAlert-S.dll
Microsoft 1.2908 2007.11.01 -
NOD32v2 2631 2007.11.01 -
Norman 5.80.02 2007.10.31 -
Panda 9.0.0.4 2007.11.01 -
Prevx1 V2 2007.11.01 -
Rising 20.16.31.00 2007.11.01 -
Sophos 4.23.0 2007.11.01 -
Sunbelt 2.2.907.0 2007.10.31 -
Symantec 10 2007.11.01 -
TheHacker 6.2.9.110 2007.10.27 -
VBA32 3.12.2.4 2007.10.31 -
VirusBuster 4.3.26:9 2007.11.01 -
Webwasher-Gateway 6.6.1 2007.11.01 -
Additional information
File size: 12800 bytes
MD5: 8e8374ef0a445b6f709327b692a7510a
SHA1: af89764c4e76cf60b48ce9c104aced7232682915


ComboFix
ComboFix 07-11-01.1 - BZIKU 2007-11-01 12:18:37.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.512 [GMT 1:00]
Running from: C:\Documents and Settings\BZIKU\Pulpit\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-10-01 to 2007-11-01 )))))))))))))))))))))))))))))))
.

2007-11-01 11:41 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-01 11:37 1,914 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-01 11:26 <DIR> d-------- C:\WINDOWS\ERUNT
2007-11-01 07:59 <DIR> d-a------ C:\Documents and Settings\All Users\Dane aplikacji\TEMP
2007-11-01 07:58 <DIR> d-------- C:\Program Files\EZVideo
2007-10-28 21:36 <DIR> d-------- C:\Program Files\Common Files\Nokia
2007-10-28 21:36 <DIR> d-------- C:\Documents and Settings\BZIKU\Dane aplikacji\PC Suite
2007-10-28 21:36 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\PC Suite
2007-10-28 21:36 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Downloaded Installations
2007-10-28 21:36 50,688 --a------ C:\WINDOWS\system32\nmwcdcls.dll
2007-10-28 21:35 <DIR> d-------- C:\Program Files\Nokia
2007-10-28 21:35 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2007-10-28 15:41 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys
2007-10-28 15:41 59,264 --a--c--- C:\WINDOWS\system32\dllcache\usbaudio.sys
2007-10-28 15:41 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-10-28 15:41 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2007-10-22 20:47 <DIR> d-------- C:\WINDOWS\V38S
2007-10-22 20:47 <DIR> d-------- C:\Program Files\PMP DV
2007-10-22 20:47 50,976 --a------ C:\WINDOWS\system32\drivers\CoachUsb.sys
2007-10-22 20:47 49,152 --a------ C:\WINDOWS\system32\CoachWia.dll
2007-10-22 20:47 44,256 --a------ C:\WINDOWS\system32\drivers\CoachVc.sys
2007-10-22 20:47 16,896 --a------ C:\WINDOWS\system32\CoachDlg.dll
2007-10-22 20:47 10,368 --a------ C:\WINDOWS\system32\drivers\CoachAud.sys
2007-10-22 20:47 8,192 --a------ C:\WINDOWS\system32\CoachWrp.dll
2007-10-13 19:48 <DIR> d-------- C:\Program Files\MP3 Player Utilities 3.5.02
2007-10-13 19:47 <DIR> d-------- C:\Documents and Settings\BZIKU\WINDOWS
2007-10-12 23:30 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\muvee Technologies
2007-10-10 20:17 <DIR> d-------- C:\Documents and Settings\BZIKU\Dane aplikacji\vlc
2007-10-10 20:14 <DIR> d-------- C:\Program Files\VideoLAN
2007-10-02 23:15 <DIR> d-------- C:\Program Files\Common Files\EZB Systems

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-01 06:58 12,800 --s-a-w C:\WINDOWS\system32\yneid.dll
2007-10-28 20:45 --------- d-----w C:\Program Files\Opera
2007-10-28 20:37 --------- d-----w C:\Program Files\DIFX
2007-10-22 19:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-09-24 20:28 --------- d-----w C:\Documents and Settings\BZIKU\Dane aplikacji\fltk.org
2007-09-19 16:05 --------- d-----w C:\Program Files\Comodo
2007-09-19 16:02 --------- d-----w C:\Documents and Settings\BZIKU\Dane aplikacji\Comodo
2007-09-19 16:02 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Comodo
2007-09-05 20:00 --------- d-----w C:\Documents and Settings\BZIKU\Dane aplikacji\AdobeUM
2007-09-05 19:55 --------- d-----w C:\Program Files\Common Files\Adobe
2007-09-02 19:00 --------- d-----w C:\Program Files\Sunbelt Software
2007-08-21 17:31 270,336 ----a-w C:\WINDOWS\system32\imon.dll
.

((((((((((((((((((((((((((((( snapshot@2007-11-01_11.46.49,03 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-01 10:44:50 58,930 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2007-11-01 10:57:59 58,930 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-11-01 10:44:51 74,408 ----a-w C:\WINDOWS\system32\perfc015.dat
+ 2007-11-01 10:57:59 74,408 ----a-w C:\WINDOWS\system32\perfc015.dat
- 2007-11-01 10:44:50 392,630 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-11-01 10:57:59 392,630 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2007-11-01 10:44:51 448,506 ----a-w C:\WINDOWS\system32\perfh015.dat
+ 2007-11-01 10:57:59 448,506 ----a-w C:\WINDOWS\system32\perfh015.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-07-20 19:58]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-07-20 19:58]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-21 16:56 C:\WINDOWS\RTHDCPL.exe]
"AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [2005-06-11 19:51]
"ACU"="C:\Program Files\Atheros\ACU.exe" [2005-01-31 07:05]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-05-25 19:02]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 09:50]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 12:03]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-08-21 18:31]
"Acrobat Assistant 7.0"="E:\Programy\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 10:12]
"NSLauncher"="C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe" [2006-11-28 01:12]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-06-27 16:21]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
SkyTel.EXE

R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys
R1 khips;Kerio HIPS Driver;C:\WINDOWS\system32\drivers\khips.sys
R3 nvsmu;nvsmu;C:\WINDOWS\system32\DRIVERS\nvsmu.sys
S3 ISODrive;ISO CD-ROM Device Driver;\??\E:\Programy\UltraISO\drivers\ISODrive.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - I:\Setup.EXE

.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-01 12:21:50
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-01 12:23:15
.
--- E O F ---
I won't comment on the "master" thing - I'm just great at getting on people's nerves and a master at p....ing people off ©by Kahoona


Post by Kuba1, 01 Nov 2007, 13:59

Download the Killbox tool, tick the Delete on reboot option and paste this into the "Full path of file to delete" field:

C:\WINDOWS\system32\yneid.dll


Click the X, then reboot the PC.


Follow the instructions in this thread:

>>http://www.forum.programosy.pl/bad-generic-host-process-for-win32-services-vt79489.html

It's about closing ports.

Also post a ComboFix log.


Post by BZIKU, 01 Nov 2007, 14:34

I use WWDC all the time, and the other one is now in use too.
ComboFix log:
ComboFix 07-11-01.1 - BZIKU 2007-11-01 13:22:48.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.576 [GMT 1:00]
Running from: C:\Documents and Settings\BZIKU\Pulpit\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-10-01 to 2007-11-01 )))))))))))))))))))))))))))))))
.

2007-11-01 11:41 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-01 11:37 1,914 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-01 11:26 <DIR> d-------- C:\WINDOWS\ERUNT
2007-11-01 07:59 <DIR> d-a------ C:\Documents and Settings\All Users\Dane aplikacji\TEMP
2007-11-01 07:58 <DIR> d-------- C:\Program Files\EZVideo
2007-10-28 21:36 <DIR> d-------- C:\Program Files\Common Files\Nokia
2007-10-28 21:36 <DIR> d-------- C:\Documents and Settings\BZIKU\Dane aplikacji\PC Suite
2007-10-28 21:36 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\PC Suite
2007-10-28 21:36 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Downloaded Installations
2007-10-28 21:36 50,688 --a------ C:\WINDOWS\system32\nmwcdcls.dll
2007-10-28 21:35 <DIR> d-------- C:\Program Files\Nokia
2007-10-28 21:35 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2007-10-28 15:41 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys
2007-10-28 15:41 59,264 --a--c--- C:\WINDOWS\system32\dllcache\usbaudio.sys
2007-10-28 15:41 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-10-28 15:41 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2007-10-22 20:47 <DIR> d-------- C:\WINDOWS\V38S
2007-10-22 20:47 <DIR> d-------- C:\Program Files\PMP DV
2007-10-22 20:47 50,976 --a------ C:\WINDOWS\system32\drivers\CoachUsb.sys
2007-10-22 20:47 49,152 --a------ C:\WINDOWS\system32\CoachWia.dll
2007-10-22 20:47 44,256 --a------ C:\WINDOWS\system32\drivers\CoachVc.sys
2007-10-22 20:47 16,896 --a------ C:\WINDOWS\system32\CoachDlg.dll
2007-10-22 20:47 10,368 --a------ C:\WINDOWS\system32\drivers\CoachAud.sys
2007-10-22 20:47 8,192 --a------ C:\WINDOWS\system32\CoachWrp.dll
2007-10-13 19:48 <DIR> d-------- C:\Program Files\MP3 Player Utilities 3.5.02
2007-10-13 19:47 <DIR> d-------- C:\Documents and Settings\BZIKU\WINDOWS
2007-10-12 23:30 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\muvee Technologies
2007-10-10 20:17 <DIR> d-------- C:\Documents and Settings\BZIKU\Dane aplikacji\vlc
2007-10-10 20:14 <DIR> d-------- C:\Program Files\VideoLAN
2007-10-02 23:15 <DIR> d-------- C:\Program Files\Common Files\EZB Systems

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-28 20:45 --------- d-----w C:\Program Files\Opera
2007-10-28 20:37 --------- d-----w C:\Program Files\DIFX
2007-10-22 19:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-09-24 20:28 --------- d-----w C:\Documents and Settings\BZIKU\Dane aplikacji\fltk.org
2007-09-19 16:05 --------- d-----w C:\Program Files\Comodo
2007-09-19 16:02 --------- d-----w C:\Documents and Settings\BZIKU\Dane aplikacji\Comodo
2007-09-19 16:02 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Comodo
2007-09-05 20:00 --------- d-----w C:\Documents and Settings\BZIKU\Dane aplikacji\AdobeUM
2007-09-05 19:55 --------- d-----w C:\Program Files\Common Files\Adobe
2007-09-02 19:00 --------- d-----w C:\Program Files\Sunbelt Software
2007-08-21 17:31 270,336 ----a-w C:\WINDOWS\system32\imon.dll
.

((((((((((((((((((((((((((((( snapshot@2007-11-01_11.46.49,03 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-01 10:44:50 58,930 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2007-11-01 12:24:51 58,930 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-11-01 10:44:51 74,408 ----a-w C:\WINDOWS\system32\perfc015.dat
+ 2007-11-01 12:24:51 74,408 ----a-w C:\WINDOWS\system32\perfc015.dat
- 2007-11-01 10:44:50 392,630 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-11-01 12:24:51 392,630 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2007-11-01 10:44:51 448,506 ----a-w C:\WINDOWS\system32\perfh015.dat
+ 2007-11-01 12:24:51 448,506 ----a-w C:\WINDOWS\system32\perfh015.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-07-20 19:58]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-07-20 19:58]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-21 16:56 C:\WINDOWS\RTHDCPL.exe]
"AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [2005-06-11 19:51]
"ACU"="C:\Program Files\Atheros\ACU.exe" [2005-01-31 07:05]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-05-25 19:02]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 09:50]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 12:03]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-08-21 18:31]
"Acrobat Assistant 7.0"="E:\Programy\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 10:12]
"NSLauncher"="C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe" [2006-11-28 01:12]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-06-27 16:21]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
SkyTel.EXE

R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys
R1 khips;Kerio HIPS Driver;C:\WINDOWS\system32\drivers\khips.sys
R3 nvsmu;nvsmu;C:\WINDOWS\system32\DRIVERS\nvsmu.sys
S3 ISODrive;ISO CD-ROM Device Driver;\??\E:\Programy\UltraISO\drivers\ISODrive.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - I:\Setup.EXE

.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-01 13:26:14
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-01 13:27:37
C:\ComboFix2.txt ... 2007-11-01 12:23
.
--- E O F ---
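As an added example (not part of the thread and not ComboFix's own code), here is a small Python triage script for the "Reg Loading Points" section of the logs above. It parses the Run values, the driver lines, the mountpoints2 AutoRun command and the catchme summary, and flags what a reviewer would look at first: removable-media autorun commands such as the I:\Setup.EXE entry, Run entries that are bare filenames or load from outside Windows/Program Files, drivers loaded from outside the drivers directory, and any hidden files reported by catchme. The sample log is constructed from entries in the thread; the trusted-root list and the heuristics are assumptions of this example, not ComboFix rules.

```python
"""Triage helper for the 'Reg Loading Points' section of a ComboFix log.

Added example, not part of the forum thread or of ComboFix itself. The
heuristics below (trusted roots, "bare filename" check) are assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample, trimmed from the ComboFix output posted in the thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-07-20 19:58]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-21 16:56 C:\WINDOWS\RTHDCPL.exe]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-08-21 18:31]
"Acrobat Assistant 7.0"="E:\Programy\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 10:12]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-06-27 16:21]

R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys
S3 ISODrive;ISO CD-ROM Device Driver;\??\E:\Programy\UltraISO\drivers\ISODrive.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - I:\Setup.EXE

scan completed successfully
hidden files: 0
"""

# Assumed "expected" locations for autostart binaries and kernel drivers.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")
DRIVER_ROOT = "c:\\windows\\system32\\drivers\\"

RUN_RE = re.compile(r'^"([^"]+)"="([^"]+)"\s*\[([^\]]*)\]')
DRV_RE = re.compile(r'^([RS]\d)\s+([^;]+);[^;]*;(.+)$')
AUTORUN_RE = re.compile(r'^\\Shell\\AutoRun\\command\s+-\s+(.+)$', re.IGNORECASE)
HIDDEN_RE = re.compile(r'^hidden files:\s*(\d+)')


@dataclass
class LoadingPoints:
    run: List[Tuple[str, str, str, str]] = field(default_factory=list)  # key, name, value, stamp
    drivers: List[Tuple[str, str, str]] = field(default_factory=list)   # start type, name, path
    autorun: List[Tuple[str, str]] = field(default_factory=list)        # drive letter, command
    hidden_files: Optional[int] = None                                  # catchme summary


def parse_loading_points(text: str) -> LoadingPoints:
    """Walk the log line by line, remembering the registry key currently open."""
    lp = LoadingPoints()
    key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # a new registry key header
            continue
        m = RUN_RE.match(line)
        if m and key.lower().endswith("\\run"):
            lp.run.append((key, m.group(1), m.group(2), m.group(3)))
            continue
        m = DRV_RE.match(line)
        if m:
            lp.drivers.append((m.group(1), m.group(2), m.group(3)))
            continue
        m = AUTORUN_RE.match(line)
        if m and "mountpoints2" in key.lower():
            lp.autorun.append((key.rsplit("\\", 1)[-1], m.group(1)))
            continue
        m = HIDDEN_RE.match(line)
        if m:
            lp.hidden_files = int(m.group(1))
    return lp


def triage(lp: LoadingPoints) -> List[str]:
    """Return human-readable review prompts; a hit means 'look at this', not 'malicious'."""
    findings = []
    for drive, cmd in lp.autorun:
        findings.append(f"autorun: mountpoints2\\{drive} runs {cmd} when drive {drive}: is opened")
    for _key, name, value, stamp in lp.run:
        v = value.lower()
        if "\\" not in v:
            # Bare name: which file actually runs depends on PATH search order.
            findings.append(f"run: {name} is a bare filename ({value}); resolved as {stamp!r}")
        elif not v.startswith(TRUSTED_ROOTS):
            findings.append(f"run: {name} loads from outside Windows/Program Files: {value}")
    for start, name, path in lp.drivers:
        p = path.lower()
        if p.startswith("\\??\\"):
            p = p[4:]                 # strip the NT object-manager prefix
        if not p.startswith(DRIVER_ROOT):
            findings.append(f"driver: {name} ({start}) loads from {path}")
    if lp.hidden_files:
        findings.append(f"catchme reported {lp.hidden_files} hidden file(s)")
    return findings


if __name__ == "__main__":
    for line in triage(parse_loading_points(SAMPLE_LOG)):
        print(line)
```

On the constructed sample this yields four prompts: the I:\Setup.EXE autorun command, the bare RTHDCPL.EXE name, and the two entries living on the E: partition (Acrobat and UltraISO). The last two are legitimate software installed on a second drive, which is exactly why the output is framed as review prompts rather than verdicts; the value of the script is that it makes the reviewer look at the removable-media autorun entry first, the one line in this log that a helper would ask about.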



Post by wojtas, 01 Nov 2007, 14:54

clean



Post by Kuba1, 01 Nov 2007, 14:55

Just tell me, do you recognise this folder?
C:\WINDOWS\V38S

??


The log is now OK.


For the future I'd suggest using SpywareBlaster, which detects malicious controls on web pages.

Updates >> Check for updates.
Restricted Sites >> Tick (V) everything listed there.
Internet Explorer tab >> Tick (V) everything listed there.
Opera tab >> Tick (V) everything listed there.
Status tab >> Click Enable all protections.




Post by BZIKU, 01 Nov 2007, 14:58

Kuba1 wrote: C:\WINDOWS\V38S

I can't place it anywhere, I don't recognise it; generally I don't install anything on C:....



Post by wojtas, 01 Nov 2007, 15:08

then check, BZIKU, what's hiding in it :D



Post by BZIKU, 01 Nov 2007, 15:14

wojtas19162 wrote: what's hiding in it

the program for launching the webcam..... :mrgreen:



Post by wojtas, 01 Nov 2007, 15:20

Image



Post by BZIKU, 01 Nov 2007, 15:36

Kuba1,wojtas19162

Image