• Announcement:

worm.win32.netsky

System security, virus removal, choosing antivirus software. Mandatory logs in this section: three from FRST + Gmer.

Worm.Win32.NetSky

Post by BabyFaceKiller 04 Mar 2008, 10:01

Hello
I have a problem: for two days my computer has been infected... every few minutes icons pop up saying things like:
System detected virus activities.....
or
Worm.Win32.NetSky detected on your machine..
What should I do about it? When I scan with mks vir it doesn't detect anything..
Regards
BabyFaceKiller
~user

Posts: 46
Joined: 04 Mar 2008, 09:54



Post by jeff 04 Mar 2008, 10:14

post logs from HijackThis and SR according to the guide

http://forum.programosy.pl/hijackthis-amp-silent-runners-gtobsuga-i-umieszczanie-vt9452.html
jeff
 



Post by BabyFaceKiller 04 Mar 2008, 15:46

As requested, here is the log for this thread:

Quote:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:22:25, on 2008-03-04
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
D:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
D:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
D:\Program Files\Winamp\Winampa.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\Program Files\Spyware Doctor\pctsTray.exe
D:\Program Files\mks_vir_2007\bin\mksregmon.exe
D:\Program Files\mks_vir_2007\bin\mks_mail.exe
D:\Program Files\mks_vir_2007\bin\mkstray.exe
D:\Program Files\Messenger\msmsgs.exe
D:\WINDOWS\System32\alg.exe
D:\WINDOWS\System32\inetsrv\inetinfo.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\Program Files\OczyszczaczKomputerza\GDC.exe
D:\Program Files\mks_vir_2007\bin\MksFwall.exe
D:\Program Files\mks_vir_2007\bin\MksPC.exe
D:\Program Files\mks_vir_2007\bin\mksupdate.exe
D:\Program Files\mks_vir_2007\bin\mksvirmonsvc.exe
D:\Program Files\Norton AntiVirus\navapsvc.exe
D:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
D:\Program Files\Spyware Doctor\pctsAuxs.exe
D:\Program Files\Spyware Doctor\pctsSvc.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
D:\Program Files\mks_vir_2007\bin\mks_scan.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: ekvgsnw - {BBE2B433-33B2-4953-BC77-0669D2E9B748} - D:\WINDOWS\ekvgsnw.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] D:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] D:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Advanced Tools Check] D:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] D:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [HP Software Update] D:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [DeviceDiscovery] D:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [WinampAgent] "D:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Tray Temperature] D:\PROGRA~1\AWS\MiniBug.exe 1
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ISTray] "D:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [MKSRegmon] D:\Program Files\mks_vir_2007\bin\mksregmon.exe
O4 - HKLM\..\Run: [mks_mail] D:\Program Files\mks_vir_2007\bin\mks_mail.exe
O4 - HKLM\..\Run: [mkstray] D:\Program Files\mks_vir_2007\bin\mkstray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-21-1614895754-1336601894-725345543-1005\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - S-1-5-21-1614895754-1336601894-725345543-1005 Startup: PowerReg Scheduler.exe (User '?')
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O10 - Unknown file in Winsock LSP: d:\program files\mks_vir_2007\bin\\mkslsp.dll
O10 - Unknown file in Winsock LSP: d:\program files\mks_vir_2007\bin\\mkslsp.dll
O10 - Unknown file in Winsock LSP: d:\program files\mks_vir_2007\bin\\mkslsp.dll
O10 - Unknown file in Winsock LSP: d:\program files\mks_vir_2007\bin\\mkslsp.dll
O18 - Protocol: CDS300 - {AD43AA67-6860-4531-AC8A-0E68F9CF023E} - G:\Player\__CDS2.dll (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: mszsrn32 - D:\WINDOWS\system32\mszsrn32.dll
O21 - SSODL: alofkmn - {9E6EB395-1ECE-4BAA-8E38-943B422D91B6} - D:\WINDOWS\alofkmn.dll
O21 - SSODL: bxlrvps - {26097507-369E-4B00-B08E-17C36DA5E5FE} - D:\WINDOWS\bxlrvps.dll
O23 - Service: Ati HotKey Poller - Unknown owner - D:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MksFwall - MKS Sp z o.o. - D:\Program Files\mks_vir_2007\bin\MksFwall.exe
O23 - Service: MksPC - Unknown owner - D:\Program Files\mks_vir_2007\bin\MksPC.exe
O23 - Service: MksUpdate - MKS Sp. z o. o. - D:\Program Files\mks_vir_2007\bin\mksupdate.exe
O23 - Service: mks_vir file monitor (MksVirMonSvc) - Unknown owner - D:\Program Files\mks_vir_2007\bin\mksvirmonsvc.exe
O23 - Service: MkS_Scan - Unknown owner - D:\Program Files\mks_vir_2007\bin\mks_scan.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - D:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - D:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - D:\Program Files\Spyware Doctor\pctsSvc.exe
O24 - Desktop Component 0: Privacy Protection - file:///D:\WINDOWS\privacy_danger\index.htm

--
End of file - 8127 bytes




I'm having trouble making the SR log, because my computer is so sluggish that I barely managed the HijackThis one, but of course if it's necessary I'll try.
Regards

[ Added: Today at 12:20 ]
When I try to make the SR log, I get this:


"Silent Runners.vbs", revision 56, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"

FATAL ERROR!
------------

"Silent Runners" cannot use WMI to identify the operating system.
This is caused by corruption of the WMI installation.

WMI is complex and it is recommended that you use a Microsoft
tool, "WMIDiag.vbs," to diagnose WMI on your system.

It can be downloaded here:

http://go.microsoft.com/fwlink/?LinkId=62562
BabyFaceKiller
~user

Posts: 46
Joined: 04 Mar 2008, 09:54



Post by Avenger 04 Mar 2008, 18:49

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
O3 - Toolbar: ekvgsnw - {BBE2B433-33B2-4953-BC77-0669D2E9B748} - D:\WINDOWS\ekvgsnw.dll (file missing)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - S-1-5-21-1614895754-1336601894-725345543-1005 Startup: PowerReg Scheduler.exe (User '?')
O4 - Startup: PowerReg Scheduler.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O20 - Winlogon Notify: mszsrn32 - D:\WINDOWS\system32\mszsrn32.dll
O21 - SSODL: alofkmn - {9E6EB395-1ECE-4BAA-8E38-943B422D91B6} - D:\WINDOWS\alofkmn.dll
O21 - SSODL: bxlrvps - {26097507-369E-4B00-B08E-17C36DA5E5FE} - D:\WINDOWS\bxlrvps.dll
O24 - Desktop Component 0: Privacy Protection - file:///D:\WINDOWS\privacy_danger\index.htm


Delete the bolded files manually from the disk in Safe Mode with System Restore turned off; remove the entries with HijackThis.

Run SmitFraudFix, option 2

After that, post new logs from HijackThis and ComboFix and the SmitFraudFix report
Avenger
~user

Posts: 65
Joined: 28 Nov 2007, 14:55
Praise: 12
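The entries Avenger singled out share traits a reviewer looks for in a HijackThis log: a hijacked Internet Explorer start page (R0), a registry entry whose target file is missing (O3), DLLs registered under Winlogon Notify (O20) and ShellServiceObjectDelayLoad (O21) that sit directly in the Windows directory, and an Active Desktop component pointing at a local HTML page (O24). The script below is an added example, not part of this thread and not HijackThis's own code; it parses lines in HijackThis v2 format and applies those heuristics so the entries worth manual review are listed with a reason. The sample log is a constructed excerpt built from entries quoted in this thread, and the heuristics are assumptions for illustration: they will also flag legitimate entries, so the output is a review list, not a verdict.

```python
import re
from typing import Iterator, List, NamedTuple, Tuple


class Finding(NamedTuple):
    code: str    # HijackThis section code, e.g. "O21"
    reason: str  # why the entry deserves a manual look
    entry: str   # the original log line


# One HijackThis entry: a section code, " - ", then the entry body.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.+)$")

# A DLL sitting directly in the Windows directory (e.g. D:\WINDOWS\alofkmn.dll)
# rather than in System32 or a program folder; an unusual home for a shell DLL.
WINROOT_DLL_RE = re.compile(r"[A-Za-z]:\\WINDOWS\\[^\\\s]+\.dll", re.IGNORECASE)

# Constructed excerpt in HijackThis v2 format, built from entries quoted in this thread.
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\\Program Files\\Norton AntiVirus\\NavShExt.dll
O3 - Toolbar: ekvgsnw - {BBE2B433-33B2-4953-BC77-0669D2E9B748} - D:\\WINDOWS\\ekvgsnw.dll (file missing)
O4 - HKLM\\..\\Run: [SoundMan] SOUNDMAN.EXE
O20 - Winlogon Notify: mszsrn32 - D:\\WINDOWS\\system32\\mszsrn32.dll
O21 - SSODL: alofkmn - {9E6EB395-1ECE-4BAA-8E38-943B422D91B6} - D:\\WINDOWS\\alofkmn.dll
O23 - Service: MksFwall - MKS Sp z o.o. - D:\\Program Files\\mks_vir_2007\\bin\\MksFwall.exe
O24 - Desktop Component 0: Privacy Protection - file:///D:\\WINDOWS\\privacy_danger\\index.htm
"""


def parse_entries(log_text: str) -> Iterator[Tuple[str, str]]:
    """Yield (code, body) for every entry line; headers and the process list are skipped."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("code"), m.group("body")


def reasons_for(code: str, body: str) -> List[str]:
    """Heuristics (assumptions for illustration) that mark an entry for manual review."""
    reasons = []
    if "(file missing)" in body or "(no file)" in body:
        reasons.append("orphaned entry: the registered file no longer exists")
    if code in ("R0", "R1") and "Start Page" in body:
        url = body.split("=", 1)[1].strip()
        if url:  # an emptied start page (as in the later logs) is not reported
            reasons.append(f"browser start page points at {url}; confirm the user chose it")
    if code == "O20":
        reasons.append("Winlogon Notify DLL is loaded at every logon; verify its publisher")
    if code == "O21":
        reasons.append("ShellServiceObjectDelayLoad DLL is loaded by Explorer at startup")
    if code == "O24" and ("file:///" in body or "http" in body):
        reasons.append("Active Desktop component renders a page; check where it came from")
    if WINROOT_DLL_RE.search(body):
        reasons.append("DLL lives directly in the Windows directory, not in System32")
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per (entry, reason) pair, in log order."""
    findings = []
    for code, body in parse_entries(log_text):
        entry = f"{code} - {body}"
        findings.extend(Finding(code, r, entry) for r in reasons_for(code, body))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.code}] {f.reason}\n    {f.entry}")
```

Run against the sample, the script reports the R0, O3, O20, O21 and O24 entries and stays silent on the Norton BHO, the SoundMan Run entry and the mks_vir service; feeding it the later log from this thread, in which the start page has been emptied and the O24 component reads "(no file)", drops the start-page finding and keeps the O24 one as an orphaned entry. The entry-code check and the Windows-root path check are deliberately separate so that an entry can collect more than one reason.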



Post by BabyFaceKiller 05 Mar 2008, 10:43

Avenger wrote:
Delete the bolded files manually from the disk in Safe Mode with System Restore turned off; remove the entries with HijackThis.



While in Safe Mode with System Restore turned off I can't delete those files manually, because I can't see them. So should I go straight to HijackThis, or what?
Regards
BabyFaceKiller
~user

Posts: 46
Joined: 04 Mar 2008, 09:54



Post by snajper$ 05 Mar 2008, 12:01

Turn on showing hidden files and delete them (in Safe Mode) ;)
snajper$
~user

Posts: 903
Joined: 19 Feb 2006, 17:50
Location: near Kraków :)
Praise: 73



Post by BabyFaceKiller 05 Mar 2008, 12:13

That's what I thought, because I'd read something about it, but I wasn't sure ;]
thanks :wink:
BabyFaceKiller
~user

Posts: 46
Joined: 04 Mar 2008, 09:54



Post by snajper$ 05 Mar 2008, 13:49

Now post new logs ;)
snajper$
~user

Posts: 903
Joined: 19 Feb 2006, 17:50
Location: near Kraków :)
Praise: 73



Post by BabyFaceKiller 05 Mar 2008, 15:48

3 hours ago, when I started the computer in Safe Mode with System Restore turned off, I didn't manage to delete those files. I just started the computer in normal mode and I see that the Error Cleaner and Malware&Spyware Protector icons are gone. I was a bit surprised, because they always appeared at startup. Instead I got this message:
The system has recovered from a serious error.
When I scan with Spyware Doctor it no longer detects the worm... but it detects Adware.Agent.BN

What's going on?
BabyFaceKiller
~user

Posts: 46
Joined: 04 Mar 2008, 09:54



Post by Avenger 05 Mar 2008, 16:06

BabyFaceKiller, post new logs and we'll see what happened.
Avenger
~user

Posts: 65
Joined: 28 Nov 2007, 14:55
Praise: 12



Post by BabyFaceKiller 05 Mar 2008, 16:09

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:07, on 2008-03-05
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
D:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
D:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
D:\Program Files\Winamp\Winampa.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\Program Files\Spyware Doctor\pctsTray.exe
D:\Program Files\mks_vir_2007\bin\mksregmon.exe
D:\Program Files\mks_vir_2007\bin\mks_mail.exe
D:\Program Files\mks_vir_2007\bin\mkstray.exe
D:\Program Files\Messenger\msmsgs.exe
D:\WINDOWS\System32\alg.exe
D:\WINDOWS\System32\inetsrv\inetinfo.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\Program Files\mks_vir_2007\bin\MksFwall.exe
D:\Program Files\mks_vir_2007\bin\MksPC.exe
D:\Program Files\mks_vir_2007\bin\mksupdate.exe
D:\Program Files\mks_vir_2007\bin\mksvirmonsvc.exe
D:\Program Files\Norton AntiVirus\navapsvc.exe
D:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
D:\Program Files\Spyware Doctor\pctsAuxs.exe
D:\Program Files\Spyware Doctor\pctsSvc.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
D:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: ekvgsnw - {BBE2B433-33B2-4953-BC77-0669D2E9B748} - D:\WINDOWS\ekvgsnw.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] D:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] D:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Advanced Tools Check] D:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] D:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [HP Software Update] D:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [DeviceDiscovery] D:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [WinampAgent] "D:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Tray Temperature] D:\PROGRA~1\AWS\MiniBug.exe 1
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ISTray] "D:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [MKSRegmon] D:\Program Files\mks_vir_2007\bin\mksregmon.exe
O4 - HKLM\..\Run: [mks_mail] D:\Program Files\mks_vir_2007\bin\mks_mail.exe
O4 - HKLM\..\Run: [mkstray] D:\Program Files\mks_vir_2007\bin\mkstray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O10 - Unknown file in Winsock LSP: d:\program files\mks_vir_2007\bin\\mkslsp.dll
O10 - Unknown file in Winsock LSP: d:\program files\mks_vir_2007\bin\\mkslsp.dll
O10 - Unknown file in Winsock LSP: d:\program files\mks_vir_2007\bin\\mkslsp.dll
O10 - Unknown file in Winsock LSP: d:\program files\mks_vir_2007\bin\\mkslsp.dll
O18 - Protocol: CDS300 - {AD43AA67-6860-4531-AC8A-0E68F9CF023E} - G:\Player\__CDS2.dll (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O21 - SSODL: alofkmn - {9E6EB395-1ECE-4BAA-8E38-943B422D91B6} - D:\WINDOWS\alofkmn.dll
O21 - SSODL: bxlrvps - {26097507-369E-4B00-B08E-17C36DA5E5FE} - D:\WINDOWS\bxlrvps.dll
O23 - Service: Ati HotKey Poller - Unknown owner - D:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MksFwall - MKS Sp z o.o. - D:\Program Files\mks_vir_2007\bin\MksFwall.exe
O23 - Service: MksPC - Unknown owner - D:\Program Files\mks_vir_2007\bin\MksPC.exe
O23 - Service: MksUpdate - MKS Sp. z o. o. - D:\Program Files\mks_vir_2007\bin\mksupdate.exe
O23 - Service: mks_vir file monitor (MksVirMonSvc) - Unknown owner - D:\Program Files\mks_vir_2007\bin\mksvirmonsvc.exe
O23 - Service: MkS_Scan - Unknown owner - D:\Program Files\mks_vir_2007\bin\mks_scan.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - D:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - D:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - D:\Program Files\Spyware Doctor\pctsSvc.exe
O24 - Desktop Component 0: Privacy Protection - (no file)

--
End of file - 7622 bytes
BabyFaceKiller
~user

Posts: 46
Joined: 04 Mar 2008, 09:54



Post by Avenger 05 Mar 2008, 16:42

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O3 - Toolbar: ekvgsnw - {BBE2B433-33B2-4953-BC77-0669D2E9B748} - D:\WINDOWS\ekvgsnw.dll (file missing)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O21 - SSODL: alofkmn - {9E6EB395-1ECE-4BAA-8E38-943B422D91B6} - D:\WINDOWS\alofkmn.dll
O21 - SSODL: bxlrvps - {26097507-369E-4B00-B08E-17C36DA5E5FE} - D:\WINDOWS\bxlrvps.dll
O24 - Desktop Component 0: Privacy Protection - (no file)



Delete these entries in HijackThis, in Safe Mode with System Restore turned off

Download SDFix


* Double-click SDFix.exe; the program will extract itself to the system drive (by default C:\SDFix)
* Restart the computer and enter Safe Mode (F8 key before Windows boots)
* Go to the SDFix folder and double-click RunThis.bat
* Press Y and the removal process will start.
* When the removal finishes, press any key. The computer will restart.
* After the restart SDFix will run again to finish the removal; when Finished appears in the program window, press any key to end the script and load the desktop icons.
* Post Report.txt, which is in the SDFix folder.

After that, post new logs from HijackThis and ComboFix and the SDFix report
Last edited by Avenger, 05 Mar 2008, 16:56, edited 1 time in total
Avenger
~user

Posts: 65
Joined: 28 Nov 2007, 14:55
Praise: 12



Post by BabyFaceKiller 05 Mar 2008, 17:45

I did what you asked, except that after the computer restarted that last window didn't appear... I have 2 reports from SDFix.. here they are:


SDFix: Version 1.153

Run by kamel on 2008-03-05 at 16:25

Microsoft Windows XP [Wersja 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File


catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-05 16:25:01
Windows 5.1.2600 Dodatek Service Pack. 1 NTFS

scanning hidden files ...

IPC error: 2 Nie można odnaleźć określonego pliku.
scan completed successfully
hidden files: 0



and the HijackThis log:



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:44, on 2008-03-05
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
D:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
D:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
D:\Program Files\Winamp\Winampa.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\Program Files\Spyware Doctor\pctsTray.exe
D:\Program Files\mks_vir_2007\bin\mksregmon.exe
D:\Program Files\mks_vir_2007\bin\mks_mail.exe
D:\Program Files\mks_vir_2007\bin\mkstray.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\WINDOWS\System32\alg.exe
D:\WINDOWS\System32\inetsrv\inetinfo.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\Program Files\mks_vir_2007\bin\MksFwall.exe
D:\Program Files\mks_vir_2007\bin\MksPC.exe
D:\Program Files\mks_vir_2007\bin\mksupdate.exe
D:\Program Files\mks_vir_2007\bin\mksvirmonsvc.exe
D:\Program Files\Norton AntiVirus\navapsvc.exe
D:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
D:\Program Files\Spyware Doctor\pctsAuxs.exe
D:\Program Files\Spyware Doctor\pctsSvc.exe
D:\Program Files\mks_vir_2007\bin\mks_scan.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
D:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] D:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] D:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Advanced Tools Check] D:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] D:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [HP Software Update] D:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [DeviceDiscovery] D:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [WinampAgent] "D:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Tray Temperature] D:\PROGRA~1\AWS\MiniBug.exe 1
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ISTray] "D:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [MKSRegmon] D:\Program Files\mks_vir_2007\bin\mksregmon.exe
O4 - HKLM\..\Run: [mks_mail] D:\Program Files\mks_vir_2007\bin\mks_mail.exe
O4 - HKLM\..\Run: [mkstray] D:\Program Files\mks_vir_2007\bin\mkstray.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O10 - Unknown file in Winsock LSP: d:\program files\mks_vir_2007\bin\\mkslsp.dll
O10 - Unknown file in Winsock LSP: d:\program files\mks_vir_2007\bin\\mkslsp.dll
O10 - Unknown file in Winsock LSP: d:\program files\mks_vir_2007\bin\\mkslsp.dll
O10 - Unknown file in Winsock LSP: d:\program files\mks_vir_2007\bin\\mkslsp.dll
O18 - Protocol: CDS300 - {AD43AA67-6860-4531-AC8A-0E68F9CF023E} - G:\Player\__CDS2.dll (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - D:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MksFwall - MKS Sp z o.o. - D:\Program Files\mks_vir_2007\bin\MksFwall.exe
O23 - Service: MksPC - Unknown owner - D:\Program Files\mks_vir_2007\bin\MksPC.exe
O23 - Service: MksUpdate - MKS Sp. z o. o. - D:\Program Files\mks_vir_2007\bin\mksupdate.exe
O23 - Service: mks_vir file monitor (MksVirMonSvc) - Unknown owner - D:\Program Files\mks_vir_2007\bin\mksvirmonsvc.exe
O23 - Service: MkS_Scan - Unknown owner - D:\Program Files\mks_vir_2007\bin\mks_scan.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - D:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - D:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - D:\Program Files\Spyware Doctor\pctsSvc.exe
O24 - Desktop Component 0: Privacy Protection - (no file)

--
End of file - 7296 bytes
BabyFaceKiller
~user

Posts: 46
Joined: 04 Mar 2008, 09:54



Post by Avenger 05 Mar 2008, 18:00

O4 - Startup: PowerReg Scheduler.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm


Delete the bolded file manually from the disk; you know how to remove it.

Post a log from DSS
Avenger
~user

Posts: 65
Joined: 28 Nov 2007, 14:55
Praise: 12



Post by BabyFaceKiller 05 Mar 2008, 18:41

PowerReg Scheduler.exe deleted. Here is the DSS log; actually I have 2 (main.txt, extra.txt)

Deckard's System Scanner v20071014.68
Run by kamel on 2008-03-05 17:33:22
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 2 Restore Point(s) --
2: 2008-03-05 16:33:36 UTC - RP2 - Deckard's System Scanner Restore Point
1: 2008-03-05 16:30:21 UTC - RP1 - Punkt kontrolny systemu


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as kamel.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:36, on 2008-03-05
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
D:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
D:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
D:\Program Files\Winamp\Winampa.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\Program Files\Spyware Doctor\pctsTray.exe
D:\Program Files\mks_vir_2007\bin\mksregmon.exe
D:\Program Files\mks_vir_2007\bin\mks_mail.exe
D:\Program Files\mks_vir_2007\bin\mkstray.exe
D:\Program Files\Messenger\msmsgs.exe
D:\WINDOWS\System32\alg.exe
D:\WINDOWS\System32\inetsrv\inetinfo.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\Program Files\mks_vir_2007\bin\MksFwall.exe
D:\Program Files\mks_vir_2007\bin\MksPC.exe
D:\Program Files\mks_vir_2007\bin\mksupdate.exe
D:\Program Files\mks_vir_2007\bin\mksvirmonsvc.exe
D:\Program Files\Norton AntiVirus\navapsvc.exe
D:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
D:\Program Files\Spyware Doctor\pctsAuxs.exe
D:\Program Files\Spyware Doctor\pctsSvc.exe
D:\Documents and Settings\kamel\Pulpit\dss.exe
D:\PROGRA~1\TRENDM~1\HIJACK~1\kamel.exe
D:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] D:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] D:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Advanced Tools Check] D:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] D:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [HP Software Update] D:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [DeviceDiscovery] D:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [WinampAgent] "D:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Tray Temperature] D:\PROGRA~1\AWS\MiniBug.exe 1
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ISTray] "D:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [MKSRegmon] D:\Program Files\mks_vir_2007\bin\mksregmon.exe
O4 - HKLM\..\Run: [mks_mail] D:\Program Files\mks_vir_2007\bin\mks_mail.exe
O4 - HKLM\..\Run: [mkstray] D:\Program Files\mks_vir_2007\bin\mkstray.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O10 - Unknown file in Winsock LSP: d:\program files\mks_vir_2007\bin\\mkslsp.dll
O10 - Unknown file in Winsock LSP: d:\program files\mks_vir_2007\bin\\mkslsp.dll
O10 - Unknown file in Winsock LSP: d:\program files\mks_vir_2007\bin\\mkslsp.dll
O10 - Unknown file in Winsock LSP: d:\program files\mks_vir_2007\bin\\mkslsp.dll
O18 - Protocol: CDS300 - {AD43AA67-6860-4531-AC8A-0E68F9CF023E} - G:\Player\__CDS2.dll (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - D:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MksFwall - MKS Sp z o.o. - D:\Program Files\mks_vir_2007\bin\MksFwall.exe
O23 - Service: MksPC - Unknown owner - D:\Program Files\mks_vir_2007\bin\MksPC.exe
O23 - Service: MksUpdate - MKS Sp. z o. o. - D:\Program Files\mks_vir_2007\bin\mksupdate.exe
O23 - Service: mks_vir file monitor (MksVirMonSvc) - Unknown owner - D:\Program Files\mks_vir_2007\bin\mksvirmonsvc.exe
O23 - Service: MkS_Scan - Unknown owner - D:\Program Files\mks_vir_2007\bin\mks_scan.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - D:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - D:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - D:\Program Files\Spyware Doctor\pctsSvc.exe
O24 - Desktop Component 0: Privacy Protection - (no file)

--
End of file - 7235 bytes

-- HijackThis Fixed Entries (D:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080305-161149-381 O21 - SSODL: bxlrvps - {26097507-369E-4B00-B08E-17C36DA5E5FE} - D:\WINDOWS\bxlrvps.dll
backup-20080305-161149-607 O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
backup-20080305-161149-765 O3 - Toolbar: ekvgsnw - {BBE2B433-33B2-4953-BC77-0669D2E9B748} - D:\WINDOWS\ekvgsnw.dll (file missing)
backup-20080305-161149-816 O21 - SSODL: alofkmn - {9E6EB395-1ECE-4BAA-8E38-943B422D91B6} - D:\WINDOWS\alofkmn.dll
backup-20080305-161149-835 O24 - Desktop Component 0: Privacy Protection - (no file)
backup-20080305-161149-848 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 mksidsa - d:\windows\system32\mksidsa.sys
R1 AFS2K - d:\windows\system32\drivers\afs2k.sys <Not Verified; Oak Technology Inc.; AFS>
R1 mksfwallf - d:\windows\system32\mksfwallf.sys
R1 mksfwallt - d:\windows\system32\mksfwallt.sys
R3 mksidsf - d:\windows\system32\mksidsf.sys
R3 MksMonEn - d:\program files\mks_vir_2007\bin\mksmonen.sys
R3 MksMonEv - d:\program files\mks_vir_2007\bin\mksmonev.sys
R3 MksMonFd - d:\program files\mks_vir_2007\bin\mksmonfd.sys

S3 38749650-f194-44fb-a14a-f509b15f8e1e - g:\player\cds300.dll (file missing)
S3 catchme - d:\docume~1\kamel\ustawi~1\temp\catchme.sys (file missing)
S3 e4c377ac-ff1a-44c6-8243-48b9b7953e40 - f:\player\cds300.dll (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 MksFwall - "d:\program files\mks_vir_2007\bin\mksfwall.exe" <Not Verified; MKS Sp z o.o.; mks_vir 2k7>
R2 MksPC - "d:\program files\mks_vir_2007\bin\mkspc.exe"
R2 MksUpdate - "d:\program files\mks_vir_2007\bin\mksupdate.exe" <Not Verified; MKS Sp. z o. o.; MKSUpdate>
R2 MksVirMonSvc (mks_vir file monitor) - d:\program files\mks_vir_2007\bin\mksvirmonsvc.exe

S3 MkS_Scan - d:\program files\mks_vir_2007\bin\mks_scan.exe <Not Verified; ; mks_scan Module>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Universal Serial Bus (USB) Controller
Device ID: PCI\VEN_1106&DEV_3104&SUBSYS_50041458&REV_86\3&13C0B0C5&0&84
Manufacturer:
Name: Universal Serial Bus (USB) Controller
PNP Device ID: PCI\VEN_1106&DEV_3104&SUBSYS_50041458&REV_86\3&13C0B0C5&0&84
Service:

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: MAC Bridge Miniport
Device ID: ROOT\MS_BRIDGEMP\0000
Manufacturer: Microsoft
Name: MAC Bridge Miniport
PNP Device ID: ROOT\MS_BRIDGEMP\0000
Service: BridgeMP


-- Scheduled Tasks -------------------------------------------------------------

2008-03-05 17:34:39 418 --a------ D:\WINDOWS\Tasks\Symantec NetDetect.job


-- Files created between 2008-02-05 and 2008-03-05 -----------------------------

2008-03-05 16:29:16 2066 --a------ D:\Documents and Settings\kamel\clean.reg
2008-03-05 16:23:07 0 d-------- D:\WINDOWS\ERUNT
2008-03-04 18:48:36 68096 --a------ D:\WINDOWS\System32\zip.exe
2008-03-04 18:48:36 98816 --a------ D:\WINDOWS\System32\sed.exe
2008-03-04 18:48:36 80412 --a------ D:\WINDOWS\System32\grep.exe
2008-03-04 18:48:36 73728 --a------ D:\WINDOWS\System32\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-03-04 18:48:32 53248 --a------ D:\WINDOWS\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
2008-03-04 18:48:12 0 d-------- D:\Combo-Fix.exe
2008-03-04 09:17:42 0 d-------- D:\Program Files\Trend Micro
2008-03-03 20:01:41 0 d-------- D:\Program Files\mks_vir_2007
2008-03-03 10:04:58 0 d-------- D:\Program Files\Spyware Doctor
2008-02-29 17:51:50 0 dr------- D:\Documents and Settings\All Users\Application Data


-- Find3M Report ---------------------------------------------------------------

2008-03-05 17:30:03 0 d-------- D:\Program Files\Common Files\Symantec Shared
2008-03-04 13:15:12 0 d-------- D:\Program Files\Common Files
2008-03-03 10:04:58 0 d-------- D:\Documents and Settings\kamel\Dane aplikacji\PC Tools
2008-02-29 17:56:01 0 d-------- D:\Documents and Settings\kamel\Dane aplikacji\OczyszczaczKomputerza
2008-02-29 16:41:58 0 d-------- D:\Documents and Settings\kamel\Dane aplikacji\GanymedeNet
2008-02-28 21:05:53 481912 --a------ D:\WINDOWS\System32\perfh015.dat
2008-02-28 21:05:53 86046 --a------ D:\WINDOWS\System32\perfc015.dat
2008-02-21 11:15:22 0 d-------- D:\Documents and Settings\kamel\Dane aplikacji\Hamachi
2008-02-14 13:39:46 0 d-------- D:\Program Files\Ganymede
2008-01-04 20:47:34 23512 --a------ D:\Documents and Settings\kamel\Dane aplikacji\GDIPFONTCACHEV1.DAT


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2003-08-15 08:34 D:\WINDOWS\SOUNDMAN.EXE]
"ATIPTA"="D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-08-12 21:10]
"ccApp"="D:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2002-08-19 22:22]
"ccRegVfy"="D:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2002-08-19 22:23]
"Advanced Tools Check"="D:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE" [2002-08-26 22:35]
"NeroFilterCheck"="D:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"HPDJ Taskbar Utility"="D:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe" [2003-03-26 08:19]
"HP Software Update"="D:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2002-12-17 11:40]
"DeviceDiscovery"="D:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2002-12-02 20:56]
"WinampAgent"="D:\Program Files\Winamp\Winampa.exe" [2004-01-24 10:38]
"QuickTime Task"="D:\Program Files\QuickTime\qttask.exe" [2004-02-11 14:25]
"Tray Temperature"="D:\PROGRA~1\AWS\MiniBug.exe" []
"SunJavaUpdateSched"="D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 13:03]
"ISTray"="D:\Program Files\Spyware Doctor\pctsTray.exe" [2007-12-10 14:53]
"MKSRegmon"="D:\Program Files\mks_vir_2007\bin\mksregmon.exe" [2007-05-24 05:06]
"mks_mail"="D:\Program Files\mks_vir_2007\bin\mks_mail.exe" [2007-05-24 05:06]
"mkstray"="D:\Program Files\mks_vir_2007\bin\mkstray.exe" [2007-08-13 18:43]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="D:\Program Files\Messenger\msmsgs.exe" [2002-09-20 18:05]

D:\Documents and Settings\kamel\Menu Start\Programy\Autostart\
PowerReg Scheduler.exe [2007-10-19 16:04:29]

D:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
Microsoft Office.lnk - D:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 10:01:04]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MkS_Scan]
@="service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"




-- End of Deckard's System Scanner: finished at 2008-03-05 17:38:46 ------------






Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 1.0
Architecture: X86; Language: Polish

CPU 0: AMD Athlon(tm)
Percentage of Memory in Use: 74%
Physical Memory (total/avail): 511.49 MiB / 130.24 MiB
Pagefile Memory (total/avail): 1250.35 MiB / 814.19 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1949.57 MiB

A: is Removable (No Media)
C: is Fixed (FAT32) - 9.76 GiB total, 7.12 GiB free.
D: is Fixed (NTFS) - 27.35 GiB total, 10.07 GiB free.
E: is Fixed (FAT32) - 37.4 GiB total, 11.56 GiB free.
F: is CDROM (No Media)
G: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST380011A - 74.53 GiB - 3 partitions
\PARTITION0 (bootable) - Unknown - 9.77 GiB - C:
\PARTITION1 - Installable File System - 27.35 GiB - D:
\PARTITION2 - Unknown - 37.41 GiB - E:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.
AUState says computer has updates disabled.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=D:\Documents and Settings\All Users
APPDATA=D:\Documents and Settings\kamel\Dane aplikacji
CLASSPATH=C:\Program Files\HEAT\navbar;%CLASSPATH%
CLIENTNAME=Console
CommonProgramFiles=D:\Program Files\Common Files
COMPUTERNAME=KML
ComSpec=D:\WINDOWS\system32\cmd.exe
HOMEDRIVE=D:
HOMEPATH=\Documents and Settings\kamel
INCLUDE=D:\Program Files\Microsoft Visual Studio .NET 2003\SDK\v1.1\include\
LIB=D:\Program Files\Microsoft Visual Studio .NET 2003\SDK\v1.1\Lib\
LOGONSERVER=\\KML
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=D:\WINDOWS\system32;D:\WINDOWS;D:\WINDOWS\system32\wbem;D:\Program Files\ATI Technologies\ATI Control Panel;;C:\PROGRA~1\ATITEC~1\ATICON~1
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 10 Stepping 0, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0a00
ProgramFiles=D:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=D:
SystemRoot=D:\WINDOWS
TEMP=D:\DOCUME~1\kamel\USTAWI~1\Temp
TMP=D:\DOCUME~1\kamel\USTAWI~1\Temp
USERDOMAIN=KML
USERNAME=kamel
USERPROFILE=D:\Documents and Settings\kamel
VS71COMNTOOLS=D:\Program Files\Microsoft Visual Studio .NET 2003\Common7\Tools\
windir=D:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Zdzislaw (admin)
Krzys
kamel (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 D:\WINDOWS\INF\PCHealth.inf
AC3Filter (remove only) --> D:\Program Files\AC3Filter\uninstall.exe
Adobe Flash Player 9 ActiveX --> D:\WINDOWS\System32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe Reader 6.0 CE --> MsiExec.exe /I{AC76BA86-7AD7-1038-7646-CE0000000001}
Age of Empires III --> D:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{7B9CC60A-9B81-46A3-A953-76B6BF9EEC97}
America's Secret Operations: Close Conflict --> "D:\Program Files\City Interactive\Americas Secret Operations - Close Conflict\unins000.exe"
American Conquest - Divided Nation --> D:\Program Files\American Conquest - Divided Nation\Uninstall\uninstall.exe /C "/U:D:\Program Files\American Conquest - Divided Nation\Uninstall\uninstall.xml"
ATI Control Panel --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver --> rundll32 D:\WINDOWS\System32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
ATI HydraVision --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{3EA9D975-BFDC-4E8E-B88B-0446FBC8CA66}\setup.exe"
Bitwa o Śródziemie™ --> E:\games\Bitwa o Śródziemie\EAUninstall.exe
Delta Force - Black Hawk Down --> D:\WINDOWS\IsUninst.exe -fe:\games\Uninst.isu
Delta Force - Helikopter w ogniu --> D:\WINDOWS\IsUn0415.exe -fe:\games\Uninst.isu
Dev-C++ 5 beta 9 release (4.9.9.1) --> "D:\Program Files\Dev-Cpp\uninstall.exe"
Dysk wspomnieniowy HP --> MsiExec.exe /X{B376402D-58EA-45EA-BD50-DD924EB67A70}
Enable S3 for USB Device --> D:\WINDOWS\IsUninst.exe -f"D:\Program Files\Gigabyte\Enable S3 for USB Device\Uninst.isu"
Europa Universalis 2 --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{929C29A0-E9C3-11D5-BA55-00C0CA129740}\setup.exe"
ffdshow (remove only) --> "D:\Program Files\ffdshow\uninstall.exe"
GameDesire-Poker --> D:\Program Files\Ganymede\poker_uninstall.exe
GameDesire-Pool & Snooker --> D:\Program Files\Ganymede\billiards_uninstall.exe
Gothic --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{758A4269-70E5-4B11-B419-F692882408A9}\Setup.exe" -l0x15 -uninst
Hamachi 1.0.2.5 --> E:\\uninstall.exe
Heroes of Might and Magic(TM) III Armageddon's Blade --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{BD6C47B3-DA97-4694-813B-C41CAC6D8BD6}\setup.exe" -l0x15
Heroes of Might and Magic® III The Shadow of Death(TM) --> D:\WINDOWS\IsUn0415.exe -f"E:\games\Heroes III\Uninst.isu" -c"E:\games\Heroes III\uninst.dll
HijackThis 2.0.2 --> "D:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
hp deskjet 5100 --> msiexec /x{FEDA56C4-82F3-46DD-8B50-FC592BBE1C0D}
hp deskjet 5100 series --> rundll32 hpzcon08.dll,VendorJettison hp deskjet 5100 series
HP Photo and Imaging 2.0 - Deskjet Series --> MsiExec.exe /I{E0828692-FD9D-459F-9312-C645C3CA6650}
hp print screen utility --> C:\Program Files\Hewlett-Packard\hp print screen utility\UnInstall\prnunins.exe
Instalacja programu mks_vir 2k7 --> MsiExec.exe /X{6ECB6EE7-DF64-4F26-9273-9525FC11A417}
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
K-Lite Codec Pack 2.24 Full --> "D:\Program Files\K-Lite Codec Pack\unins000.exe"
LiveReg (Symantec Corporation) --> D:\Program Files\Common Files\Symantec Shared\LiveReg\VcSetup.exe /REMOVE
LiveUpdate 1.80 (Symantec Corporation) --> D:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Mała Księgowość Rzeczpospolitej --> "D:\Documents and Settings\Zdzislaw\Pulpit\Odinstaluj.exe"
Microsoft Office XP Professional z programem FrontPage --> MsiExec.exe /I{90280415-6000-11D3-8CFE-0050048383C9}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Microsoft Visual J# .NET Redistributable Package 1.1 --> MsiExec.exe /X{1A655D51-1423-48A3-B748-8F5A0BE294C8}
Microsoft Visual Studio .NET Enterprise Architect 2003 - English --> "D:\Program Files\Microsoft Visual Studio .NET 2003\Setup\Visual Studio .NET Enterprise Architect 2003 - English\setup.exe" /MaintMode
Mjuice Components --> D:\Program Files\Mjuice Media PlayerMJUninst.exe
Mozilla Firefox (2.0.0.12) --> D:\Program Files\Mozilla Firefox\uninstall\helper.exe
Narzędzie Software Uninstall Utility firmy ATI --> D:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
Nero 6 Demo --> D:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
Norton AntiVirus 2003 Professional Edition --> MsiExec.exe /I{F4C9398F-B6C6-4A4B-8B6D-795CD86F915D}
Odinstaluj Igrzyska Sportowe 2004 --> C:\Program Files\IgrzyskaSportowe\uninstall.exe
Poprawka systemu Windows XP - KB823980 --> D:\WINDOWS\$NtUninstallKB823980$\spuninst\spuninst.exe
Pyramid Song Screen Saver --> D:\WINDOWS\System32\uninstall.exe Pyramid Song Screen Saver
QuickTime --> D:\WINDOWS\unvise32qt.exe D:\WINDOWS\System32\QuickTime\Uninstall.log
Rally Championship Xtreme --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{DFF29C16-11B8-4AD2-AC1A-2841DA197982}\Setup.exe"
Realtek AC'97 Audio --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
RTLSetup --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{97AA0C55-AFAD-4126-B21C-F1318FB6DADA}\Setup.exe" -l0x9 REMOVE
SETTLERS - Dziedzictwo Królów --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{8FDC1610-3FB5-4EF2-A0D0-CEDC3A525A25}\setup.exe" -l0x15 -removeonly
Settlers III wersja 1.60 --> "E:\games\Settlers III\Settlers III - Zlota edycja\unins000.exe"
Shockwave --> D:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE D:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Skype™ 3.5 --> MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
Sony USB Driver --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{5C29CB8B-AC1E-4114-8D68-9CD080140D4A}\setup.exe" UNINSTALL
SPSS 12.0 for Windows --> MsiExec.exe /I{B3B77C66-1553-4FFE-B044-53B179FBE0B6}
Spyware Doctor 5.5 --> D:\Program Files\Spyware Doctor\unins000.exe /LOG
Storm for Windows --> D:\WINDOWS\uninst.exe -f"D:\Program Files\Storm\DeIsL1.isu" -c"D:\Program Files\Storm\_ISREG32.DLL"
Total Commander (Remove or Repair) --> c:\totalcmd\tcuninst.exe
VIA Integrated Setup Wizard --> D:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{9497EBAA-87AD-41E6-8ED6-E1E52995A76C}
Władca Pierścieni - Drużyna Pierścienia --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0700\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{7756D8A9-0774-11D7-B613-00A0C90176D7}\Setup.exe" -l0x15
Wilk Morski --> E:\GAMES\WILKMO~1\UNWISE.EXE E:\GAMES\WILKMO~1\INSTALL.LOG
Winamp (Remove Only) --> "D:\Program Files\Winamp\Winamp.exe" /UNINSTALL
WinRAR archiver --> D:\Program Files\WinRAR\uninstall.exe
WinZip --> "D:\Program Files\WinZip\WINZIP32.EXE" /uninstall
Worms World Party --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{AD309EDF-17A6-4968-9CE9-35887D9E1871}\setup.exe" -l0x15
WP Powrót Króla tm --> D:\Program Files\EA GAMES\WP Powrót Króla tm\EAUninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type1590 / Error
Event Submitted/Written: 03/05/2008 05:22:14 PM
Event ID/Source: 8193 / VSS
Event Description:
Volume Shadow Copy Service error: unexpected error calling routine CoCreateInstance. hr = 0x80040206.

Event Record #/Type1589 / Error
Event Submitted/Written: 03/05/2008 05:22:14 PM
Event ID/Source: 4609 / EventSystem
Event Description:
The COM+ Event System detected a bad return code during its internal processing. HRESULT was 8007043C from line 44 of d:\nt\com\com1x\src\events\tier1\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this error.

Event Record #/Type1577 / Error
Event Submitted/Written: 03/05/2008 04:35:49 PM
Event ID/Source: 8193 / VSS
Event Description:
Volume Shadow Copy Service error: unexpected error calling routine CoCreateInstance. hr = 0x80040206.

Event Record #/Type1576 / Error
Event Submitted/Written: 03/05/2008 04:35:49 PM
Event ID/Source: 4609 / EventSystem
Event Description:
The COM+ Event System detected a bad return code during its internal processing. HRESULT was 8007043C from line 44 of d:\nt\com\com1x\src\events\tier1\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this error.

Event Record #/Type1568 / Error
Event Submitted/Written: 03/05/2008 04:22:13 PM
Event ID/Source: 8193 / VSS
Event Description:
Volume Shadow Copy Service error: unexpected error calling routine CoCreateInstance. hr = 0x80040206.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type988 / Error
Event Submitted/Written: 03/05/2008 05:30:42 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Windows Time service terminated with the following error:
%%126

Event Record #/Type987 / Error
Event Submitted/Written: 03/05/2008 05:30:42 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Background Intelligent Transfer Service service terminated with the following error:
%%126

Event Record #/Type982 / Error
Event Submitted/Written: 03/05/2008 05:28:05 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type980 / Error
Event Submitted/Written: 03/05/2008 05:22:56 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
Fips
IPSec
MRxSmb
NetBIOS
NetBT
Processor
RasAcd
Rdbss
Tcpip

Event Record #/Type979 / Error
Event Submitted/Written: 03/05/2008 05:22:56 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The World Wide Web Publishing service depends on the IIS Admin service which failed to start because of the following error:
%%1068



-- End of Deckard's System Scanner: finished at 2008-03-05 17:38:46 ------------

BabyFaceKiller
~user
 
Posts: 46
Joined: 04 Mar 2008, 09:54
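The six entries HijackThis lists as fixed in the DSS log above are the pattern worth recognising automatically: two O21 SSODL shell hooks and a toolbar backed by seven-letter random-named DLLs dropped straight into D:\WINDOWS, an orphaned "Privacy Protection" desktop component, the benign KernelFaultCheck entry and an emptied start page. The script below is an added example for this thread, not code from the forum, from HijackThis or from Deckard's System Scanner. Its heuristics (a module name of 6 to 8 lowercase letters containing a run of four or more consonants, sitting directly in the Windows directory rather than a subfolder; any O21 SSODL entry; any entry whose file is missing) are this example's own assumptions, and the sample log is a constructed extract of lines from this thread, with benign Norton and O4 lines mixed in so there is something to leave alone.

```python
"""Triage HijackThis-style log lines for the pattern seen in this thread:
shell hooks (O21 SSODL) and toolbars backed by randomly named DLLs dropped
straight into the Windows directory, plus entries whose file is gone."""
import re

# Constructed sample: the entries HijackThis listed as fixed in the DSS log,
# plus a few benign lines from the same log so the heuristics have something
# to leave alone.
SAMPLE_LOG = r"""
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: ekvgsnw - {BBE2B433-33B2-4953-BC77-0669D2E9B748} - D:\WINDOWS\ekvgsnw.dll (file missing)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - Startup: PowerReg Scheduler.exe
O18 - Protocol: CDS300 - {AD43AA67-6860-4531-AC8A-0E68F9CF023E} - G:\Player\__CDS2.dll (file missing)
O21 - SSODL: bxlrvps - {26097507-369E-4B00-B08E-17C36DA5E5FE} - D:\WINDOWS\bxlrvps.dll
O21 - SSODL: alofkmn - {9E6EB395-1ECE-4BAA-8E38-943B422D91B6} - D:\WINDOWS\alofkmn.dll
O24 - Desktop Component 0: Privacy Protection - (no file)
"""

ENTRY_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")
MISSING_RE = re.compile(r"\s*\((?:file missing|no file)\)\s*$")
# Module sitting directly in the Windows directory (no subfolder); assumption
# for this example, since legitimate autostart code there is rare on XP.
WINDIR_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+$")
MODULE_RE = re.compile(r'^("?)(.+?\.(?:dll|exe|ocx|sys|htm))\1', re.IGNORECASE)


def path_stem(path):
    """'D:\\WINDOWS\\bxlrvps.dll' -> 'bxlrvps' (no os.path, so it works on Linux too)."""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def looks_random(stem):
    """Heuristic (assumption) for generated names such as bxlrvps, alofkmn,
    ekvgsnw: 6..8 lowercase letters containing a run of 4+ consonants."""
    if not (6 <= len(stem) <= 8 and stem.isalpha() and stem.islower()):
        return False
    run = longest = 0
    for ch in stem:
        run = 0 if ch in "aeiou" else run + 1
        longest = max(longest, run)
    return longest >= 4


def in_windows_root(path):
    normalized = path.lower().replace("%systemroot%", "x:\\windows")
    return WINDIR_RE.match(normalized) is not None


def extract_path(rest):
    """Pull the module path out of the text after 'Oxx - '. Returns None when
    the entry names no file with a recognizable extension."""
    rest = MISSING_RE.sub("", rest)
    if rest.startswith(("HKLM", "HKCU")) or "Startup:" in rest:
        # O4 shape: '<key>: [name] <command>' or 'Startup: <file>'
        cmd = rest.split("] ", 1)[-1] if "] " in rest else rest.split(": ", 1)[-1]
    else:
        # O2/O3/O18/O21 shape: '<type>: <name> - {CLSID} - <path>'
        cmd = rest.rsplit(" - ", 1)[-1]
    m = MODULE_RE.match(cmd.strip())
    return m.group(2) if m else None


def triage(log_text):
    """Return one finding per suspicious entry, in log order."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        section, rest = m.groups()
        missing = MISSING_RE.search(rest) is not None
        path = extract_path(rest)
        reasons = []
        if section == "O21":
            reasons.append("O21 SSODL hook: loaded into explorer.exe at logon, rarely legitimate")
        if path and in_windows_root(path) and looks_random(path_stem(path)):
            reasons.append(f"random-looking module '{path_stem(path)}' directly in the Windows directory")
        if missing:
            reasons.append("entry points at a file that no longer exists")
        if reasons:
            severity = "high" if any("SSODL" in r or "random" in r for r in reasons) else "low"
            findings.append({"section": section, "path": path, "severity": severity,
                             "reasons": reasons, "line": raw.strip()})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:4}] {f['line']}")
        for r in f["reasons"]:
            print("        -", r)
```

Run against the sample it reports ekvgsnw, bxlrvps and alofkmn as high and the two orphaned entries as low, while the Norton BHO and toolbar, the KernelFaultCheck entry and PowerReg Scheduler pass untouched. The name heuristic is deliberately tied to the location check: a consonant cluster alone would also catch legitimate names, and it is the combination of a generated-looking name with a DLL placed directly in %SystemRoot% and registered as a shell hook that makes the entries in this thread stand out.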



Posted by Dzi@dek 05 Mar 2008, 18:49

All logs go inside tags. :idea:
Dzi@dek
^distinguished
 
Posts: 3854
Joined: 11 Dec 2006, 20:18
Location: Warszawa
Praise: 210



Posted by BabyFaceKiller 05 Mar 2008, 23:07

So, how are those logs?
I have already noticed some improvement in how Windows runs, but something must still be sitting there, because Mozilla sometimes hangs.
Regards
BabyFaceKiller
~user
 
Posts: 46
Joined: 04 Mar 2008, 09:54



Posted by wojtas 06 Mar 2008, 19:59

Post new logs again, from HijackThis and ComboFix
wojtas
*mod
 
Posts: 18165
Joined: 13 Jan 2006, 16:00
Location: Krzeszyce
Praise: 1656



Posted by BabyFaceKiller 06 Mar 2008, 20:25

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:23, on 2008-03-06
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
D:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
D:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
D:\Program Files\Winamp\Winampa.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\Program Files\Spyware Doctor\pctsTray.exe
D:\Program Files\mks_vir_2007\bin\mksregmon.exe
D:\Program Files\mks_vir_2007\bin\mks_mail.exe
D:\Program Files\mks_vir_2007\bin\mkstray.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\WINDOWS\System32\alg.exe
D:\WINDOWS\System32\inetsrv\inetinfo.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\Program Files\mks_vir_2007\bin\MksFwall.exe
D:\Program Files\mks_vir_2007\bin\MksPC.exe
D:\Program Files\mks_vir_2007\bin\mksupdate.exe
D:\Program Files\mks_vir_2007\bin\mksvirmonsvc.exe
D:\Program Files\Norton AntiVirus\navapsvc.exe
D:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
D:\Program Files\Spyware Doctor\pctsAuxs.exe
D:\Program Files\Spyware Doctor\pctsSvc.exe
D:\Program Files\mks_vir_2007\bin\mks_scan.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
D:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] D:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] D:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Advanced Tools Check] D:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] D:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [HP Software Update] D:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [DeviceDiscovery] D:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [WinampAgent] "D:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Tray Temperature] D:\PROGRA~1\AWS\MiniBug.exe 1
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ISTray] "D:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [MKSRegmon] D:\Program Files\mks_vir_2007\bin\mksregmon.exe
O4 - HKLM\..\Run: [mks_mail] D:\Program Files\mks_vir_2007\bin\mks_mail.exe
O4 - HKLM\..\Run: [mkstray] D:\Program Files\mks_vir_2007\bin\mkstray.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O10 - Unknown file in Winsock LSP: d:\program files\mks_vir_2007\bin\\mkslsp.dll
O10 - Unknown file in Winsock LSP: d:\program files\mks_vir_2007\bin\\mkslsp.dll
O10 - Unknown file in Winsock LSP: d:\program files\mks_vir_2007\bin\\mkslsp.dll
O10 - Unknown file in Winsock LSP: d:\program files\mks_vir_2007\bin\\mkslsp.dll
O18 - Protocol: CDS300 - {AD43AA67-6860-4531-AC8A-0E68F9CF023E} - G:\Player\__CDS2.dll (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - D:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MksFwall - MKS Sp z o.o. - D:\Program Files\mks_vir_2007\bin\MksFwall.exe
O23 - Service: MksPC - Unknown owner - D:\Program Files\mks_vir_2007\bin\MksPC.exe
O23 - Service: MksUpdate - MKS Sp. z o. o. - D:\Program Files\mks_vir_2007\bin\mksupdate.exe
O23 - Service: mks_vir file monitor (MksVirMonSvc) - Unknown owner - D:\Program Files\mks_vir_2007\bin\mksvirmonsvc.exe
O23 - Service: MkS_Scan - Unknown owner - D:\Program Files\mks_vir_2007\bin\mks_scan.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - D:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - D:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - D:\Program Files\Spyware Doctor\pctsSvc.exe
O24 - Desktop Component 0: Privacy Protection - (no file)

--
End of file - 7296 bytes
As for the ComboFix log, I'm not sure whether to post it, because when I ran it about two days ago a "Deleting Files/Folders" window popped up at one point, which surprised me a bit, but if it's necessary I'll do it.
Regards
BabyFaceKiller
~user
 
Posts: 46
Joined: 04 Mar 2008, 09:54
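As an added example (not part of this thread, and not HijackThis or mks_vir code), here is a small Python reviewer for the log format posted above. It parses the `O4`, `O10`, `O18`, `O23` and `O24` lines and flags what a helper reads first: autostart entries with no full path (such as `SOUNDMAN.EXE` and `PowerReg Scheduler.exe`), entries pointing to files that no longer exist, services whose binary carries no publisher information, and the same LSP DLL listed several times. The sample log is a constructed excerpt copied from the posted log; the function and finding labels are this example's own.

```python
import re
from collections import Counter

# Constructed sample: a few entries copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] D:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O10 - Unknown file in Winsock LSP: d:\program files\mks_vir_2007\bin\\mkslsp.dll
O10 - Unknown file in Winsock LSP: d:\program files\mks_vir_2007\bin\\mkslsp.dll
O10 - Unknown file in Winsock LSP: d:\program files\mks_vir_2007\bin\\mkslsp.dll
O10 - Unknown file in Winsock LSP: d:\program files\mks_vir_2007\bin\\mkslsp.dll
O18 - Protocol: CDS300 - {AD43AA67-6860-4531-AC8A-0E68F9CF023E} - G:\Player\__CDS2.dll (file missing)
O23 - Service: MksPC - Unknown owner - D:\Program Files\mks_vir_2007\bin\MksPC.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O24 - Desktop Component 0: Privacy Protection - (no file)
"""

# Every HijackThis entry starts with a section code (R0, O4, O23, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<section>[ORF]\d+)\s+-\s+(?P<rest>.*)$")
# O4 body: "<location>: [<name>] <command>" (the bracketed name is optional).
O4_RE = re.compile(r"(?P<where>[^:]+):\s*(?:\[(?P<name>[^\]]*)\]\s*)?(?P<cmd>.*)")
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")


def parse_entry(line):
    """Split one HijackThis line into (section code, body); None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    return (m.group("section"), m.group("rest")) if m else None


def review(log_text):
    """Return a list of (section, finding, detail) tuples for a HijackThis log."""
    findings = []
    lsp_paths = Counter()
    for raw in log_text.splitlines():
        parsed = parse_entry(raw)
        if parsed is None:
            continue
        section, rest = parsed
        if section == "O4":
            cmd = O4_RE.match(rest).group("cmd")
            # "Foo.lnk = D:\path" lines: keep the target; drop a leading quote.
            cmd = cmd.split(" = ", 1)[-1].strip().lstrip('"')
            if not DRIVE_RE.match(cmd):
                findings.append((section, "autostart entry without a full path", cmd))
        elif section == "O10":
            path = rest.split(":", 1)[1].strip().lower()
            lsp_paths[path] += 1
        elif section in ("O18", "O24"):
            if "(file missing)" in rest or "(no file)" in rest:
                findings.append((section, "entry points to a file that no longer exists", rest))
        elif section == "O23":
            # "Service: <name> - <owner> - <path>"; split from the right so a
            # service name containing " - " does not break the parse.
            parts = rest.rsplit(" - ", 2)
            if len(parts) == 3 and parts[1] == "Unknown owner":
                findings.append((section, "service binary has no publisher information", parts[0]))
    for path, count in lsp_paths.items():
        if count > 1:
            findings.append(("O10", f"LSP registered {count} times", path))
    return findings


if __name__ == "__main__":
    for section, finding, detail in review(SAMPLE_LOG):
        print(f"{section:4} {finding}: {detail}")
```

The findings are prompts for a human, not verdicts: a bare `SOUNDMAN.EXE` is the Realtek sound manager living in the Windows directory, and the repeated `mkslsp.dll` lines sit inside the mks_vir installation folder, so both are checked against installed software before anything is touched. What the script cannot see is the thing the original poster describes, the pop-ups claiming a NetSky infection, which is why the helpers ask for a ComboFix log as well.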



Post by wojtas 06 Mar 2008, 20:54

post the ComboFix log in tags and the HijackThis log in tags
wojtas
*mod
 
Posts: 18165
Joined: 13 Jan 2006, 16:00
Location: Krzeszyce
Commendations: 1656


