Zablokowane przywracanie systemu, regedit wyłączony.

**Posty:** 101 · przez **M@+** 26 Paź 2009, 20:02

Witam ostatnio mam wrazenie, ze mój komputer został zainfekowany. Przywracanie systemu jakby było wyłączone, opcje folderów zniknęły i poza tym mam dziwne wpisy w procesach.

OTL :

Kod: Zaznacz wszystko: OTL logfile created on: 2009-10-26 17:59:56 - Run 1 OTL by OldTimer - Version 3.0.22.1 Folder = C:\Documents and Settings\Radek\Moje dokumenty\Pobieranie Windows XP Professional Edition Dodatek Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation Internet Explorer (Version = 8.0.6001.18702) Locale: 00000415 | Country: Polska | Language: PLK | Date Format: yyyy-MM-dd 2,00 Gb Total Physical Memory | 1,26 Gb Available Physical Memory | 63,13% Memory free 3,85 Gb Paging File | 3,31 Gb Available in Paging File | 85,98% Paging File free Paging file location(s): C:\pagefile.sys 2046 4092 [binary data] %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files Drive C: | 467,52 Gb Total Space | 335,40 Gb Free Space | 71,74% Space Free | Partition Type: NTFS D: Drive not present or media not loaded Drive E: | 466,28 Mb Total Space | 0,00 Mb Free Space | 0,00% Space Free | Partition Type: CDFS F: Drive not present or media not loaded G: Drive not present or media not loaded H: Drive not present or media not loaded I: Drive not present or media not loaded Computer Name: DOM-005B0A7554D Current User Name: Radek Logged in as Administrator. Current Boot Mode: Normal Scan Mode: Current user Company Name Whitelist: Off Skip Microsoft Files: Off File Age = 30 Days Output = Standard [color=#E56717]========== Processes (SafeList) ==========[/color] PRC - [2009-10-26 17:59:25 | 00,521,728 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Radek\Moje dokumenty\Pobieranie\OTL.exe PRC - [2009-10-26 16:37:24 | 00,021,508 | -H-- | M] () -- C:\Documents and Settings\Radek\Ustawienia lokalne\Temp\win32.exe PRC - [2009-10-24 22:09:17 | 01,217,808 | ---- | M] (Valve Corporation) -- C:\program files\steam\steam.exe PRC - [2009-09-10 13:53:56 | 01,312,080 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe PRC - [2009-08-24 20:23:38 | 00,908,280 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe PRC - [2009-07-25 04:23:12 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe PRC - [2009-07-25 04:23:10 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe PRC - [2009-03-27 09:03:00 | 00,163,908 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvsvc32.exe PRC - [2009-03-08 13:09:26 | 00,638,816 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\IEXPLORE.EXE PRC - [2009-02-06 10:10:02 | 00,227,840 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wbem\wmiprvse.exe PRC - [2008-08-18 18:01:52 | 00,203,296 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvraidservice.exe PRC - [2008-04-14 17:21:16 | 01,035,264 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE PRC - [2008-03-21 09:41:46 | 02,109,952 | ---- | M] () -- C:\Program Files\NAPI-PROJEKT\napisy.exe PRC - [2006-03-02 12:00:00 | 00,016,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wbem\unsecapp.exe PRC - [2005-08-07 22:10:22 | 00,018,944 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\System32\CTXFIHLP.EXE PRC - [2005-08-07 22:10:20 | 00,016,384 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\CTHELPER.EXE PRC - [2005-08-07 22:04:44 | 00,699,392 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\System32\CTXFISPI.EXE PRC - [2005-05-27 13:22:00 | 00,824,832 | ---- | M] (Lavasoft Sweden) -- C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe PRC - [2005-03-31 09:18:49 | 00,790,528 | ---- | M] (sms-express.com) -- C:\Program Files\Gadu-Gadu\gg.exe [color=#E56717]========== Win32 Services (SafeList) ==========[/color] SRV - [2009-07-25 04:23:10 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Running]) SRV - [2009-03-27 09:03:00 | 00,163,908 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvsvc32.exe -- (NVSvc [Auto | Running]) SRV - [2008-07-29 20:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped]) SRV - [2008-07-29 18:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped]) SRV - [2008-07-29 18:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped]) SRV - [2008-07-25 10:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped]) SRV - [2008-07-25 10:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped]) SRV - [2008-04-14 17:20:44 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running]) SRV - [2006-10-18 19:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped]) [color=#E56717]========== Driver Services (SafeList) ==========[/color] DRV - [2009-10-02 01:38:07 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\drivers\63f5905f.sys -- (63f5905f [System | Stopped]) DRV - [2009-10-01 22:39:05 | 00,685,816 | ---- | M] () -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd [Boot | Running]) DRV - [2009-09-10 13:54:06 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy [On_Demand | Running]) DRV - [2009-08-22 18:25:00 | 00,009,088 | ---- | M] () -- C:\Program Files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTuner32.sys -- (RivaTuner32 [On_Demand | Running]) DRV - [2009-03-27 09:03:00 | 06,280,416 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\DRIVERS\nv4_mini.sys -- (nv [On_Demand | Running]) DRV - [2008-11-12 15:59:08 | 00,133,152 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\drivers\nvrd32.sys -- (nvrd32 [Boot | Running]) DRV - [2008-11-12 15:59:06 | 00,145,952 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\drivers\nvgts.sys -- (nvgts [Boot | Running]) DRV - [2008-08-20 17:58:58 | 00,044,944 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20 [Boot | Running]) DRV - [2008-08-01 09:36:26 | 00,022,016 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\DRIVERS\nvnetbus.sys -- (nvnetbus [On_Demand | Running]) DRV - [2008-08-01 09:36:20 | 00,054,784 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\DRIVERS\NVENETFD.sys -- (NVENETFD [On_Demand | Running]) DRV - [2008-04-13 18:45:12 | 00,060,032 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\usbaudio.sys -- (usbaudio [On_Demand | Running]) DRV - [2008-04-13 16:39:16 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped]) DRV - [2008-04-13 16:36:05 | 00,144,384 | ---- | M] (Windows (R) Server 2003 DDK provider) -- C:\WINDOWS\System32\DRIVERS\HDAudBus.sys -- (HDAudBus [On_Demand | Stopped]) DRV - [2006-03-02 12:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running]) DRV - [2005-08-07 21:54:38 | 00,007,168 | R--- | M] (Creative Technology Ltd) -- C:\WINDOWS\System32\drivers\ctprxy2k.sys -- (ctprxy2k [On_Demand | Running]) DRV - [2005-08-07 21:54:36 | 00,439,424 | R--- | M] (Creative Technology Ltd) -- C:\WINDOWS\System32\drivers\ctaud2k.sys -- (ctaud2k [On_Demand | Running]) DRV - [2005-08-07 21:54:30 | 01,093,632 | R--- | M] (Creative Technology Ltd) -- C:\WINDOWS\System32\drivers\ha20x2k.sys -- (ha20x2k [On_Demand | Running]) DRV - [2005-08-07 21:54:22 | 00,114,688 | R--- | M] (Creative Technology Ltd.) -- C:\WINDOWS\System32\drivers\ctoss2k.sys -- (ossrv [On_Demand | Running]) DRV - [2005-08-07 21:54:18 | 00,142,848 | R--- | M] (Creative Technology Ltd) -- C:\WINDOWS\System32\drivers\ctsfm2k.sys -- (ctsfm2k [On_Demand | Running]) DRV - [2005-08-07 21:54:18 | 00,077,824 | R--- | M] (Creative Technology Ltd) -- C:\WINDOWS\System32\drivers\emupia2k.sys -- (emupia [On_Demand | Running]) DRV - [2005-08-07 21:54:14 | 00,501,760 | R--- | M] (Creative Technology Ltd) -- C:\WINDOWS\System32\drivers\ctac32k.sys -- (ctac32k [On_Demand | Running]) DRV - [2005-07-13 09:18:50 | 00,340,704 | R--- | M] (Creative Technology Ltd) -- C:\WINDOWS\System32\drivers\ctdvda2k.sys -- (ctdvda2k [On_Demand | Stopped]) [color=#E56717]========== Modules (SafeList) ==========[/color] MOD - [2009-10-26 17:59:25 | 00,521,728 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Radek\Moje dokumenty\Pobieranie\OTL.exe MOD - [2009-03-26 18:35:40 | 00,034,224 | ---- | M] (Tonec Inc.) -- C:\Program Files\Internet Download Manager\idmmkb.dll MOD - [2008-04-14 16:59:08 | 01,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll MOD - [2005-08-07 22:10:18 | 00,007,168 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\System32\ctagent.dll MOD - [2000-07-07 16:42:56 | 00,032,768 | ---- | M] () -- C:\Program Files\Gadu-Gadu\ggwhook.dll [color=#E56717]========== Standard Registry (SafeList) ==========[/color] [color=#E56717]========== Internet Explorer ==========[/color] IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data] IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://wp.pl/ IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 [color=#E56717]========== FireFox ==========[/color] FF - prefs.js..browser.startup.homepage: "wp.pl" FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}:6.0.14 FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}:6.0.15 FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.1 FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0 FF - prefs.js..extensions.enabledItems: mozilla_cc@internetdownloadmanager.com:6.7 FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.5.3 FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009-09-02 04:34:34 | 00,000,000 | ---D | M] FF - HKLM\software\mozilla\Firefox\Extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009-07-08 05:50:49 | 00,000,000 | ---D | M] FF - HKLM\software\mozilla\Mozilla Firefox 3.5.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009-10-24 21:58:45 | 00,000,000 | ---D | M] FF - HKLM\software\mozilla\Mozilla Firefox 3.5.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009-10-24 21:58:43 | 00,000,000 | ---D | M] [2009-10-24 21:58:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Radek\Dane aplikacji\mozilla\Extensions [2009-10-24 21:58:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Radek\Dane aplikacji\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384} [2009-10-25 22:08:35 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Radek\Dane aplikacji\mozilla\Firefox\Profiles\9t1hg6pu.default\extensions [2009-10-24 22:00:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Radek\Dane aplikacji\mozilla\Firefox\Profiles\9t1hg6pu.default\extensions\{20a82645-c095-46ed-80e3-08825760534b} [2009-10-25 22:08:35 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions [2009-10-24 21:58:43 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} [2009-07-08 05:50:56 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} [2009-08-25 22:35:04 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} [2009-08-24 20:23:38 | 00,023,544 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll [2009-08-24 20:23:38 | 00,137,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll [2009-07-25 04:23:01 | 00,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeploytk.dll [2009-09-18 15:43:32 | 00,120,296 | ---- | M] ( ) -- C:\Program Files\mozilla firefox\plugins\npganymedenet.dll [2009-08-24 20:23:38 | 00,065,016 | ---- | M] (mozilla.org) -- C:\Program Files\mozilla firefox\plugins\npnul32.dll [2009-02-27 11:13:42 | 00,103,792 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\mozilla firefox\plugins\nppdf32.dll [2008-09-10 19:56:44 | 00,144,960 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\mozilla firefox\plugins\nppl3260.dll [2008-09-10 19:37:54 | 00,094,208 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\mozilla firefox\plugins\nprpjplug.dll [2009-08-24 19:19:13 | 00,002,767 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\allegro-pl.xml [2009-08-24 19:19:13 | 00,001,406 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\fbc-pl.xml [2009-08-24 19:19:13 | 00,002,371 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml [2009-08-24 19:19:13 | 00,000,917 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\merlin-pl.xml [2009-08-24 19:19:13 | 00,000,858 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\pwn-pl.xml [2009-08-24 19:19:13 | 00,001,183 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-pl.xml [2009-08-24 19:19:13 | 00,001,683 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wp-pl.xml O1 HOSTS File: (742 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts O1 - Hosts: 127.0.0.1 localhost O2 - BHO: (IDMIEHlprObj Class) - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll (Tonec Inc.) O2 - BHO: (no name) - {A249BC15-23F2-42AD-F4E4-00AAC39C0004} - No CLSID value found. O4 - HKLM..\Run: [CTHelper] C:\WINDOWS\CTHELPER.EXE (Creative Technology Ltd) O4 - HKLM..\Run: [CTxfiHlp] C:\WINDOWS\System32\CTXFIHLP.EXE (Creative Technology Ltd) O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation) O4 - HKLM..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe (Microsoft Corporation) O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation) O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation) O4 - HKLM..\Run: [NVRaidService] C:\WINDOWS\System32\nvraidservice.exe (NVIDIA Corporation) O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe () O4 - HKLM..\Run: [RivaTunerStartupDaemon] C:\Program Files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTuner.exe () O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.) O4 - HKCU..\Run: [Gadu-Gadu] C:\Program Files\Gadu-Gadu\gg.exe (sms-express.com) O4 - HKCU..\Run: [Steam] c:\program files\steam\steam.exe (Valve Corporation) O4 - HKCU..\Run: [Yjafosi8kdf98winmdkmnkmfnwe] C:\Documents and Settings\Radek\Ustawienia lokalne\Temp\win32.exe () O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption = O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext = O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1 O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 0 O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 0 O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions = 1 O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 0 O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 1 O8 - Extra context menu item: Ściągnij przez IDM - C:\Program Files\Internet Download Manager\IEExt.htm () O8 - Extra context menu item: Ściągnij wszystkie linki przez IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm () O8 - Extra context menu item: Ściągnij zawartość wideo FLV przez IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm () O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited) O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation) O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation) O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation) O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone. O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool) O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1240859678015 (WUWebControl Class) O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} http://www.mks.com.pl/skaner/SkanerOnline.cab (MksSkanerOnline Class) O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15) O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15) O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 194.168.4.100 194.168.8.100 O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation) O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation) O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation) O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation) O18 - Protocol\Handler\ipp - No CLSID value found O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation) O18 - Protocol\Handler\msdaipp - No CLSID value found O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation) O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation) O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies) O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation) O24 - Desktop Components:0 (Moja bieżąca strona główna) - About:Home O31 - SafeBoot: AlternateShell - cmd.exe O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2009-04-27 18:54:44 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ] O34 - HKLM BootExecute: (autocheck) - File not found O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation) O34 - HKLM BootExecute: (*) - File not found O35 - comfile [open] -- "%1" %* File not found O35 - exefile [open] -- "%1" %* File not found [color=#E56717]========== Files/Folders - Created Within 30 Days ==========[/color] [7 C:\WINDOWS\*.tmp files] [2009-10-02 01:50:23 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Dane aplikacji\Malwarebytes [2009-10-10 06:21:03 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Radek\Dane aplikacji\DMCache [2009-10-03 18:26:43 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Radek\Dane aplikacji\FOG Downloader [2009-10-03 23:20:54 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Radek\Dane aplikacji\GanymedeNet [2009-10-10 06:21:03 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Radek\Dane aplikacji\IDM [2009-10-02 01:50:27 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Radek\Dane aplikacji\Malwarebytes [2009-09-26 20:16:13 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Radek\Ustawienia lokalne\Dane aplikacji\Help [2009-10-10 03:36:00 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Radek\Ustawienia lokalne\Dane aplikacji\RapidShare [2009-10-17 14:48:05 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\DivX Shared [2009-10-17 14:48:10 | 00,000,000 | ---D | C] -- C:\Program Files\DivX [2009-10-03 23:19:42 | 00,000,000 | ---D | C] -- C:\Program Files\Ganymede [2009-10-10 06:20:58 | 00,000,000 | ---D | C] -- C:\Program Files\Internet Download Manager [2009-10-01 23:58:17 | 00,000,000 | ---D | C] -- C:\Program Files\Lavasoft [2009-10-02 01:50:23 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware [2009-10-03 18:26:37 | 00,000,000 | ---D | C] -- C:\Program Files\Runes of Magic [2009-10-01 23:55:28 | 00,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy [2009-10-18 09:01:32 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Radek\Moje dokumenty\WTF [2009-10-18 09:00:55 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Radek\Moje dokumenty\Interface [2009-10-14 10:00:55 | 00,000,000 | ---D | C] -- C:\WINDOWS\nview [2009-10-02 01:50:24 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys [2009-10-02 01:50:23 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys [2009-09-30 20:17:44 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Radek\Pulpit\FILMY [2009-09-27 17:20:04 | 02,173,544 | ---- | C] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvcplui.exe [2009-09-27 17:20:04 | 00,420,456 | ---- | C] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvcpl.cpl [2009-04-27 19:09:59 | 00,033,792 | R--- | C] ( ) -- C:\WINDOWS\System32\a3d.dll [color=#E56717]========== Files - Modified Within 30 Days ==========[/color] [2 C:\WINDOWS\System32\*.tmp files] [7 C:\WINDOWS\*.tmp files] [2009-10-26 17:46:22 | 00,000,507 | ---- | M] () -- C:\WINDOWS\win.ini [2009-10-26 17:46:22 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini [2009-10-26 17:46:22 | 00,000,211 | -HS- | M] () -- C:\boot.ini [2009-10-26 17:42:16 | 00,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini [2009-10-26 14:54:35 | 00,002,267 | ---- | M] () -- C:\Documents and Settings\All Users\Pulpit\Skype.lnk [2009-10-26 14:15:40 | 00,215,474 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml [2009-10-26 14:15:39 | 00,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl [2009-10-26 14:14:49 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT [2009-10-26 14:14:48 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat [2009-10-26 04:49:29 | 00,064,988 | ---- | M] () -- C:\WINDOWS\System32\DVCState-{00000002-00000000-00000009-00001102-00000005-00231102}.rfx [2009-10-26 04:49:29 | 00,054,672 | ---- | M] () -- C:\WINDOWS\System32\BMXStateBkp-{00000002-00000000-00000009-00001102-00000005-00231102}.rfx [2009-10-26 04:49:29 | 00,054,672 | ---- | M] () -- C:\WINDOWS\System32\BMXState-{00000002-00000000-00000009-00001102-00000005-00231102}.rfx [2009-10-26 04:49:29 | 00,001,080 | ---- | M] () -- C:\WINDOWS\System32\settingsbkup.sfm [2009-10-26 04:49:29 | 00,001,080 | ---- | M] () -- C:\WINDOWS\System32\settings.sfm [2009-10-26 04:49:15 | 06,425,730 | -H-- | M] () -- C:\Documents and Settings\Radek\Ustawienia lokalne\Dane aplikacji\IconCache.db [2009-10-24 21:58:43 | 00,001,602 | ---- | M] () -- C:\Documents and Settings\All Users\Pulpit\Mozilla Firefox.lnk [2009-10-24 16:14:58 | 00,002,193 | ---- | M] () -- C:\Documents and Settings\All Users\Pulpit\Steam.lnk [2009-10-17 07:49:48 | 00,167,424 | ---- | M] () -- C:\Documents and Settings\Radek\Ustawienia lokalne\Dane aplikacji\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2009-10-10 06:20:58 | 00,001,676 | ---- | M] () -- C:\Documents and Settings\Radek\Pulpit\ IDM.lnk [2009-10-02 01:50:26 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Pulpit\Malwarebytes' Anti-Malware.lnk [2009-10-02 01:38:07 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\drivers\63f5905f.sys [2009-10-02 00:37:58 | 00,000,333 | ---- | M] () -- C:\WINDOWS\wininit.ini [2009-10-01 23:58:17 | 00,000,841 | ---- | M] () -- C:\Documents and Settings\All Users\Pulpit\Ad-Aware SE Personal.lnk [2009-10-01 23:55:29 | 00,000,933 | ---- | M] () -- C:\Documents and Settings\Radek\Pulpit\Spybot - Search & Destroy.lnk [2009-10-01 23:44:16 | 00,001,905 | ---- | M] () -- C:\WINDOWS\diagwrn.xml [2009-10-01 23:44:16 | 00,001,905 | ---- | M] () -- C:\WINDOWS\diagerr.xml [2009-10-01 22:39:05 | 00,685,816 | ---- | M] () -- C:\WINDOWS\System32\drivers\sptd.sys [2009-09-27 17:20:04 | 02,173,544 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvcplui.exe [2009-09-27 17:20:04 | 00,420,456 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvcpl.cpl [2009-09-27 15:12:22 | 00,490,088 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvudisp.exe [2009-09-27 12:41:27 | 00,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Pulpit\Adobe Reader 9.lnk [color=#E56717]========== Files - No Company Name ==========[/color] [2009-10-24 21:58:43 | 00,001,602 | ---- | C] () -- C:\Documents and Settings\All Users\Pulpit\Mozilla Firefox.lnk [2009-10-14 10:00:56 | 00,215,474 | ---- | C] () -- C:\WINDOWS\System32\nvapps.xml [2009-10-14 10:00:55 | 00,019,054 | ---- | C] () -- C:\WINDOWS\System32\nvdisp.nvu [2009-10-10 06:20:58 | 00,001,676 | ---- | C] () -- C:\Documents and Settings\Radek\Pulpit\ IDM.lnk [2009-10-02 01:50:26 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Pulpit\Malwarebytes' Anti-Malware.lnk [2009-10-02 00:37:57 | 00,000,333 | ---- | C] () -- C:\WINDOWS\wininit.ini [2009-10-01 23:58:17 | 00,000,841 | ---- | C] () -- C:\Documents and Settings\All Users\Pulpit\Ad-Aware SE Personal.lnk [2009-10-01 23:55:29 | 00,000,933 | ---- | C] () -- C:\Documents and Settings\Radek\Pulpit\Spybot - Search & Destroy.lnk [2009-10-01 23:40:06 | 00,001,905 | ---- | C] () -- C:\WINDOWS\diagwrn.xml [2009-10-01 23:40:06 | 00,001,905 | ---- | C] () -- C:\WINDOWS\diagerr.xml [2009-10-01 22:51:27 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\drivers\63f5905f.sys [2009-10-01 22:39:05 | 00,685,816 | ---- | C] () -- C:\WINDOWS\System32\drivers\sptd.sys [2009-08-02 23:21:54 | 00,197,912 | ---- | C] () -- C:\WINDOWS\System32\physxcudart_20.dll [2009-08-02 23:21:54 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelTraditionalChinese.dll [2009-08-02 23:21:54 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSwedish.dll [2009-08-02 23:21:54 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSpanish.dll [2009-08-02 23:21:54 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSimplifiedChinese.dll [2009-08-02 23:21:54 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelPortugese.dll [2009-08-02 23:21:54 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelKorean.dll [2009-08-02 23:21:54 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelJapanese.dll [2009-08-02 23:21:52 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelGerman.dll [2009-08-02 23:21:52 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelFrench.dll [2009-07-07 14:42:57 | 00,000,262 | ---- | C] () -- C:\WINDOWS\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini [2009-06-16 00:10:42 | 00,021,840 | ---- | C] () -- C:\WINDOWS\System32\SIntfNT.dll [2009-06-16 00:10:42 | 00,017,212 | ---- | C] () -- C:\WINDOWS\System32\SIntf32.dll [2009-06-16 00:10:42 | 00,012,067 | ---- | C] () -- C:\WINDOWS\System32\SIntf16.dll [2009-05-29 17:08:03 | 00,000,130 | ---- | C] () -- C:\Documents and Settings\Radek\Ustawienia lokalne\Dane aplikacji\fusioncache.dat [2009-05-25 17:47:55 | 06,425,730 | -H-- | C] () -- C:\Documents and Settings\Radek\Ustawienia lokalne\Dane aplikacji\IconCache.db [2009-05-01 21:10:03 | 00,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini [2009-05-01 21:09:36 | 00,167,424 | ---- | C] () -- C:\Documents and Settings\Radek\Ustawienia lokalne\Dane aplikacji\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2009-04-27 19:52:08 | 00,168,448 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll [2009-04-27 19:52:06 | 03,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll [2009-04-27 19:52:06 | 00,795,648 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll [2009-04-27 19:52:06 | 00,130,048 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll [2009-04-27 19:52:06 | 00,067,584 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll [2009-04-27 19:52:06 | 00,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest [2009-04-27 19:47:08 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\All Users\Dane aplikacji\desktop.ini [2009-04-27 19:12:02 | 00,013,664 | ---- | C] () -- C:\Documents and Settings\Radek\Ustawienia lokalne\Dane aplikacji\GDIPFONTCACHEV1.DAT [2009-04-27 18:58:00 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\Radek\Dane aplikacji\desktop.ini [2009-03-27 09:03:00 | 01,724,416 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll [2009-03-27 09:03:00 | 01,503,232 | ---- | C] () -- C:\WINDOWS\System32\nview.dll [2009-03-27 09:03:00 | 01,101,824 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll [2009-03-27 09:03:00 | 00,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll [2006-03-02 12:00:00 | 00,000,507 | ---- | C] () -- C:\WINDOWS\win.ini [2006-03-02 12:00:00 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini [2005-08-07 22:19:00 | 00,038,400 | ---- | C] () -- C:\WINDOWS\System32\CTBURST.DLL [2005-08-07 21:42:12 | 00,068,135 | ---- | C] () -- C:\WINDOWS\System32\instwdm.ini [2005-08-07 21:42:10 | 00,000,054 | ---- | C] () -- C:\WINDOWS\System32\ctzapxx.ini [2005-06-07 13:10:50 | 00,070,656 | ---- | C] () -- C:\WINDOWS\System32\CTMMACTL.DLL [2003-03-21 09:56:12 | 00,000,194 | ---- | C] () -- C:\WINDOWS\System32\KILL.INI [1996-04-03 19:33:26 | 00,005,248 | ---- | C] () -- C:\WINDOWS\System32\giveio.sys < End of report >

Oprócz tego Spybot wykrył plik : win32.agent.fbx którego nie może usunąć, trzykrotnie skanowałem i nic.

**Posty:** 18165 · przez **wojtas** 26 Paź 2009, 23:29

Uruchom OTL i w oknie Custom Scans/Fixes wklej :

:OTL
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O4 - HKCU..\Run: [Yjafosi8kdf98winmdkmnkmfnwe] C:\Documents and Settings\Radek\Ustawienia lokalne\Temp\win32.exe ()
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 1

:Files
C:\WINDOWS\System32\drivers\63f5905f.sys

:Reg
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{db1b3e60-05ac-11de-a5d3-00001cd72a97}]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"SuperHidden"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000001
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden\Policy\DontShowSuperHidden]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden\Policy\DontShowSuperHidden]
@=""

:Commands
[emptytemp]
[start explorer]
[Reboot]

Kliknij w Run Fix. I potwierdz reset kompa .

Daj loga z combofixa ale zainstaluj wraz z nim konsolę odzyskiwania ( instrukcja programu )

**Posty:** 101 · przez **M@+** 26 Paź 2009, 23:48

combofix :

Kod: Zaznacz wszystko: ComboFix 09-10-26.01 - Radek 2009-10-26 21:44.1.2 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.3.1250.48.1045.18.2046.1521 [GMT 0:00] Uruchomiony z: c:\documents and settings\Radek\Moje dokumenty\Pobieranie\ComboFix.exe . ((((((((((((((((((((((((( Pliki utworzone od 2009-09-26 do 2009-10-26 ))))))))))))))))))))))))))))))) . 2009-10-26 21:39 . 2009-10-26 21:39 -------- d-----w- C:\_OTL 2009-10-17 14:48 . 2009-10-17 14:48 -------- d-----w- c:\program files\DivX 2009-10-17 14:48 . 2009-10-17 14:48 -------- d-----w- c:\program files\Common Files\DivX Shared 2009-10-14 10:00 . 2009-10-14 10:00 -------- d-----w- c:\windows\nview 2009-10-10 06:21 . 2009-10-24 22:09 -------- d-----w- c:\documents and settings\Radek\Dane aplikacji\DMCache 2009-10-10 06:21 . 2009-10-10 06:47 -------- d-----w- c:\documents and settings\Radek\Dane aplikacji\IDM 2009-10-10 06:20 . 2009-10-10 06:21 -------- d-----w- c:\program files\Internet Download Manager 2009-10-10 03:36 . 2009-10-10 03:37 -------- d-----w- c:\documents and settings\Radek\Ustawienia lokalne\Dane aplikacji\RapidShare 2009-10-03 23:20 . 2009-10-04 00:03 -------- d-----w- c:\documents and settings\Radek\Dane aplikacji\GanymedeNet 2009-10-03 23:19 . 2009-10-03 23:19 -------- d-----w- c:\program files\Ganymede 2009-10-03 18:26 . 2009-10-03 19:51 -------- d-----w- c:\documents and settings\Radek\Dane aplikacji\FOG Downloader 2009-10-03 18:26 . 2009-10-04 02:06 -------- d-----w- c:\program files\Runes of Magic 2009-10-02 01:50 . 2009-10-02 01:50 -------- d-----w- c:\documents and settings\Radek\Dane aplikacji\Malwarebytes 2009-10-02 01:50 . 2009-09-10 13:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2009-10-02 01:50 . 2009-10-02 01:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2009-10-02 01:50 . 2009-10-02 01:50 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\Malwarebytes 2009-10-02 01:50 . 2009-09-10 13:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys 2009-10-01 23:58 . 2009-10-01 23:58 -------- d-----w- c:\program files\Lavasoft 2009-10-01 23:55 . 2009-10-02 00:03 -------- d-----w- c:\program files\Spybot - Search & Destroy 2009-10-01 22:51 . 2009-10-01 22:51 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache 2009-10-01 22:39 . 2009-10-01 22:39 685816 ----a-w- c:\windows\system32\drivers\sptd.sys 2009-09-27 17:20 . 2009-09-27 17:20 2173544 ----a-w- c:\windows\system32\nvcplui.exe . (((((((((((((((((((((((((((((((((((((((( Sekcja Find3M )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-10-26 21:43 . 2006-03-02 12:00 88838 ----a-w- c:\windows\system32\perfc015.dat 2009-10-26 21:43 . 2006-03-02 12:00 500302 ----a-w- c:\windows\system32\perfh015.dat 2009-10-26 21:41 . 2009-04-27 20:21 -------- d-----w- c:\program files\Steam 2009-10-26 20:45 . 2009-04-27 20:06 -------- d-----w- c:\program files\World of Warcraft 2009-10-26 17:11 . 2009-06-15 13:13 -------- d-----w- c:\documents and settings\Radek\Dane aplikacji\Skype 2009-10-26 16:04 . 2009-06-15 13:13 -------- d-----w- c:\documents and settings\Radek\Dane aplikacji\skypePM 2009-10-11 11:44 . 2009-05-24 13:47 -------- d-----w- c:\program files\NVIDIA Corporation 2009-10-05 19:13 . 2009-06-15 23:31 -------- d-----w- c:\program files\Diablo II 2009-10-01 23:59 . 2009-06-26 00:15 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\Spybot - Search & Destroy 2009-10-01 23:58 . 2009-06-26 00:15 -------- d-----w- c:\documents and settings\Radek\Dane aplikacji\Lavasoft 2009-10-01 23:22 . 2009-05-15 04:04 -------- d-----w- c:\program files\SkanerOnline 2009-09-30 14:37 . 2009-04-28 05:57 -------- d-----w- c:\documents and settings\Radek\Dane aplikacji\uTorrent 2009-09-27 15:12 . 2009-04-27 19:01 490088 ----a-w- c:\windows\system32\nvudisp.exe 2009-09-25 16:41 . 2009-09-25 16:41 90112 ----a-w- c:\windows\system32\dpl100.dll 2009-09-25 16:41 . 2009-09-25 16:41 856064 ----a-w- c:\windows\system32\divx_xx0c.dll 2009-09-25 16:41 . 2009-09-25 16:41 856064 ----a-w- c:\windows\system32\divx_xx07.dll 2009-09-25 16:41 . 2009-09-25 16:41 847872 ----a-w- c:\windows\system32\divx_xx0a.dll 2009-09-25 16:41 . 2009-09-25 16:41 843776 ----a-w- c:\windows\system32\divx_xx16.dll 2009-09-25 16:41 . 2009-09-25 16:41 839680 ----a-w- c:\windows\system32\divx_xx11.dll 2009-09-25 16:41 . 2009-09-25 16:41 696320 ----a-w- c:\windows\system32\DivX.dll 2009-09-24 08:24 . 2009-04-27 18:59 490088 ----a-w- c:\windows\system32\NVUNINST.EXE 2009-09-13 16:29 . 2009-09-13 12:44 -------- d-----w- c:\program files\SpeedFan 2009-09-13 10:32 . 2009-08-05 06:35 -------- d-----w- c:\program files\AGEIA Technologies 2009-09-13 10:32 . 2009-04-27 19:02 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard 2009-09-11 04:45 . 2009-04-27 19:12 13664 ----a-w- c:\documents and settings\Radek\Ustawienia lokalne\Dane aplikacji\GDIPFONTCACHEV1.DAT 2009-09-10 07:52 . 2009-09-10 07:52 -------- d-----w- c:\program files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition 2009-09-07 18:58 . 2009-09-07 18:58 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\NVIDIA Corporation 2009-09-04 16:44 . 2009-09-10 07:49 515416 ----a-w- c:\windows\system32\XAudio2_5.dll 2009-09-04 16:44 . 2009-09-10 07:49 238936 ----a-w- c:\windows\system32\xactengine3_5.dll 2009-09-04 16:44 . 2009-04-27 19:07 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll 2009-09-04 16:29 . 2009-09-10 07:49 453456 ----a-w- c:\windows\system32\d3dx10_42.dll 2009-09-04 16:29 . 2009-09-10 07:49 235344 ----a-w- c:\windows\system32\d3dx11_42.dll 2009-09-04 16:29 . 2009-09-10 07:49 5501792 ----a-w- c:\windows\system32\d3dcsx_42.dll 2009-09-04 16:29 . 2009-09-10 07:49 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll 2009-09-04 16:29 . 2009-09-10 07:49 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll 2009-08-14 12:36 . 2009-08-14 12:36 70936 ----a-w- c:\windows\system32\PhysXLoader.dll 2009-08-05 09:01 . 2006-03-02 12:00 205312 ----a-w- c:\windows\system32\mswebdvd.dll . ((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Gadu-Gadu"="c:\program files\Gadu-Gadu\gg.exe" [2005-03-31 790528] "Steam"="c:\program files\steam\steam.exe" [2009-10-24 1217808] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] "WiseStubReboot"="MSIEXEC" [X] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "NVRaidService"="c:\windows\system32\nvraidservice.exe" [2008-08-18 203296] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280] "RivaTunerStartupDaemon"="c:\program files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTuner.exe" [2009-08-22 2781184] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-27 13684736] "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-27 86016] "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080] "CTHelper"="CTHELPER.EXE" - c:\windows\CTHELPER.EXE [2005-08-07 16384] "CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\CTXFIHLP.EXE [2005-08-07 18944] "nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-03-27 1657376] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360] [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusOverride"=dword:00000001 "FirewallOverride"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\uTorrent\\uTorrent.exe"= "c:\\Program Files\\Ventrilo\\Ventrilo.exe"= "c:\\Program Files\\Curse\\CurseClient.exe"= "c:\\Program Files\\Skype\\Phone\\Skype.exe"= S1 63f5905f;63f5905f;c:\windows\system32\drivers\63f5905f.sys --> c:\windows\system32\drivers\63f5905f.sys [?] --- Inne Usługi/Sterowniki w Pamięci --- *NewlyCreated* - MBR *Deregistered* - mbr . . ------- Skan uzupełniający ------- . uStart Page = hxxp://wp.pl/ IE: Ściągnij przez IDM - c:\program files\Internet Download Manager\IEExt.htm IE: Ściągnij wszystkie linki przez IDM - c:\program files\Internet Download Manager\IEGetAll.htm IE: Ściągnij zawartość wideo FLV przez IDM - c:\program files\Internet Download Manager\IEGetVL.htm FF - ProfilePath - c:\documents and settings\Radek\Dane aplikacji\Mozilla\Firefox\Profiles\9t1hg6pu.default\ FF - prefs.js: browser.startup.homepage - wp.pl FF - component: c:\documents and settings\Radek\Dane aplikacji\IDM\idmmzcc3\components\idmmzcc.dll FF - plugin: c:\documents and settings\Radek\Dane aplikacji\Mozilla\plugins\npoctoshape.dll FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npganymedenet.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-10-26 21:46 Windows 5.1.2600 Dodatek Service Pack 3 NTFS skanowanie ukrytych procesów ... skanowanie ukrytych wpisów autostartu ... HKLM\Software\Microsoft\Windows\CurrentVersion\Run CTHelper = CTHELPER.EXE? CTxfiHlp = CTXFIHLP.EXE? skanowanie ukrytych plików ... skanowanie pomyślnie ukończone ukryte pliki: 0 ************************************************************************** Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net device: opened successfully user: MBR read successfully called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys nvrd32.sys >>UNKNOWN [0x8A484E31]<< kernel: MBR read successfully user & kernel MBR OK Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net error reading "catchme.sys" driver IRP handlers Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net nvrd32.sys @ 0xB9DFC000 0x24000 bytes \Driver\nvrd32 [ IRP_MJ_CREATE ] 0xB9E03D22 != 0xB9E0F177 nvrd32.sys \Driver\nvrd32 [ IRP_MJ_CREATE_NAMED_PIPE ] 0xB9E03D22 != 0xB9E0F177 nvrd32.sys \Driver\nvrd32 [ IRP_MJ_CLOSE ] 0xB9E03D22 != 0xB9E0F177 nvrd32.sys \Driver\nvrd32 [ IRP_MJ_READ ] 0xB9E03D22 != 0xB9E0F177 nvrd32.sys \Driver\nvrd32 [ IRP_MJ_WRITE ] 0xB9E03D22 != 0xB9E0F177 nvrd32.sys \Driver\nvrd32 [ IRP_MJ_QUERY_INFORMATION ] 0xB9E03D22 != 0xB9E0F177 nvrd32.sys \Driver\nvrd32 [ IRP_MJ_SET_INFORMATION ] 0xB9E03D22 != 0xB9E0F177 nvrd32.sys \Driver\nvrd32 [ IRP_MJ_QUERY_EA ] 0xB9E03D22 != 0xB9E0F177 nvrd32.sys \Driver\nvrd32 [ IRP_MJ_SET_EA ] 0xB9E03D22 != 0xB9E0F177 nvrd32.sys \Driver\nvrd32 [ IRP_MJ_FLUSH_BUFFERS ] 0xB9E03D22 != 0xB9E0F177 nvrd32.sys \Driver\nvrd32 [ IRP_MJ_QUERY_VOLUME_INFORMATION ] 0xB9E03D22 != 0xB9E0F177 nvrd32.sys \Driver\nvrd32 [ IRP_MJ_SET_VOLUME_INFORMATION ] 0xB9E03D22 != 0xB9E0F177 nvrd32.sys \Driver\nvrd32 [ IRP_MJ_DIRECTORY_CONTROL ] 0xB9E03D22 != 0xB9E0F177 nvrd32.sys \Driver\nvrd32 [ IRP_MJ_FILE_SYSTEM_CONTROL ] 0xB9E03D22 != 0xB9E0F177 nvrd32.sys \Driver\nvrd32 [ IRP_MJ_DEVICE_CONTROL ] 0xB9E03D22 != 0xB9E0F177 nvrd32.sys \Driver\nvrd32 [ IRP_MJ_INTERNAL_DEVICE_CONTROL ] 0xB9E03D22 != 0xB9E0F177 nvrd32.sys \Driver\nvrd32 [ IRP_MJ_SHUTDOWN ] 0xB9E03D22 != 0xB9E0F177 nvrd32.sys \Driver\nvrd32 [ IRP_MJ_LOCK_CONTROL ] 0xB9E03D22 != 0xB9E0F177 nvrd32.sys \Driver\nvrd32 [ IRP_MJ_CLEANUP ] 0xB9E03D22 != 0xB9E0F177 nvrd32.sys \Driver\nvrd32 [ IRP_MJ_CREATE_MAILSLOT ] 0xB9E03D22 != 0xB9E0F177 nvrd32.sys \Driver\nvrd32 [ IRP_MJ_QUERY_SECURITY ] 0xB9E03D22 != 0xB9E0F177 nvrd32.sys \Driver\nvrd32 [ IRP_MJ_SET_SECURITY ] 0xB9E03D22 != 0xB9E0F177 nvrd32.sys \Driver\nvrd32 [ IRP_MJ_POWER ] 0xB9E03D22 != 0xB9E0F177 nvrd32.sys \Driver\nvrd32 [ IRP_MJ_SYSTEM_CONTROL ] 0xB9E03D22 != 0xB9E0F177 nvrd32.sys \Driver\nvrd32 [ IRP_MJ_DEVICE_CHANGE ] 0xB9E03D22 != 0xB9E0F177 nvrd32.sys \Driver\nvrd32 [ IRP_MJ_QUERY_QUOTA ] 0xB9E03D22 != 0xB9E0F177 nvrd32.sys \Driver\nvrd32 [ IRP_MJ_SET_QUOTA ] 0xB9E03D22 != 0xB9E0F177 nvrd32.sys \Driver\nvrd32 IRP hooks detected ! ************************************************************************** . --------------------- ZABLOKOWANE KLUCZE REJESTRU --------------------- [HKEY_USERS\S-1-5-21-1275210071-1788223648-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID] @Denied: (Full) (LocalSystem) . --------------------- Pliki DLL ładowane pod uruchomionymi procesami --------------------- - - - - - - - > 'explorer.exe'(2800) c:\windows\system32\WININET.dll c:\program files\Gadu-Gadu\ggwhook.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . Czas ukończenia: 2009-10-26 21:47 ComboFix-quarantined-files.txt 2009-10-26 21:47 Przed: 360 381 796 352 bajtów wolnych Po: 360 343 752 704 bajtów wolnych WindowsXP-KB310994-SP2-Pro-BootDisk-PLK.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect - - End Of File - - ACD8DD5B8F46BB529FF5C92CD99138B4

Zauważyłem takze, że windows update kompletnie mi nie działał, po wykonaniu tych czynności które zaleciłeś problem ustąpił. Mam nadzieję, że w logu czysto.

**Posty:** 18165 · przez **wojtas** 26 Paź 2009, 23:58

Otworz notatnik i wklej w nim to:

File::
c:\windows\system32\drivers\63f5905f.sys

Driver::
63f5905f

>>Plik>>Zapisz jako... >>> CFScript
Przeciągnij i upuść plik CFScript.txt na plik ComboFix.exe
-->

1.Uruchom OTL z opcji CleanUp
2. wykonaj optymalizację windowsa
3.Wyłącz przywracanie systemu ( właściwości mój komputer-zakładka przywracanie - wyłącz przywracanie na wszystkich dyskach). Po chwili włącz je powrotem]
4. zrób skan Malwarebytes Anti-Malware (usuń co znajdzie )