prosze o sprawdzenie loga

**Posty:** 16 · przez **woytek2** 04 Gru 2007, 22:29

witam,
ostatnio nawiedzilo moj komputer cale stado trojanow i nie moge sobie z nimi dac rady
jak powywalam to po jakims czasie i tak znow sie sciagna
czasem na pasku pojawia sie ikonka z wykrzyknikiem a pozniej otwiera ie z reklama jakiegos antyspyware
log z hijack

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\FTRTSVC.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
f:\Spyware Doctor\svcntaux.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
f:\Spyware Doctor\swdsvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
F:\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\BitTorrent_DNA\dna.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Documents and Settings\wojtek\Pulpit\HiJackThis_v2.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - f:\GetRight\xx2gr.dll
O2 - BHO: Burn4Free Toolbar Helper - {60BF5EE3-0105-4858-AD98-17C19F86B042} - C:\Program Files\Burn4Free Toolbar\v3.3.0.0\Burn4Free_Toolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {983CFA1B-7559-45CB-B7D2-FA8CF03C9F75} - C:\WINDOWS\system32\c_g1803.dll
O3 - Toolbar: Burn4Free Toolbar - {55FAF0F2-44D4-425F-B5F5-6B275B621EAB} - C:\Program Files\Burn4Free Toolbar\v3.3.0.0\Burn4Free_Toolbar.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "F:\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SDTray] "f:\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [AutoConnect] C:\Program Files\AutoConnect\AutoConnect.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\BitTorrent_DNA\dna.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Download with GetRight - f:\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - f:\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool

- http://67.15.101.3/g_bin/pl/billard8_2_0_0_35.cab
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C5} (GameDesire Snooker) - http://67.15.101.33/g_bin/pl/snooker_2_0_0_35.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FD2B8FDD-83EE-4FA4-BE7B-23C801043EB5}: NameServer = 194.204.159.1,194.204.152.34
O22 - SharedTaskScheduler: Moduł wstępnego ładowania interfejsu Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Demon buforu kategorii składników - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: France Telecom Routing Table Service (FTRTSVC) - France Telecom - C:\WINDOWS\System32\FTRTSVC.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - f:\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - f:\Spyware Doctor\swdsvc.exe

log z combofix

ComboFix 07-11-19.4C - wojtek 2007-11-29 10:30:30.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.589 [GMT 1:00]
Running from: C:\Documents and Settings\wojtek\Pulpit\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Menu Start\Live Safety Center.lnk
C:\Documents and Settings\All Users\Menu Start\Online Security Guide.lnk
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\WINDOWS\b122.exe
C:\WINDOWS\b128.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\Downloaded Program Files\UGA6P_0001_N122M2210NetInstaller.exe
C:\WINDOWS\system32\m2
C:\WINDOWS\system32\o1
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\srijmdch.dllbox
C:\WINDOWS\system32\txfecvzr.dllbox
C:\WINDOWS\system32\v4
C:\WINDOWS\system32\v4\caws83122.exe

.
((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-29 )))))))))))))))))))))))))))))))
.

2007-11-26 12:05 <DIR> d-------- C:\Program Files\Soulseek-Test
2007-11-24 15:19 83,456 --a------ C:\WINDOWS\system32\c_g1803.dll
2007-11-24 15:19 19,200 C:\WINDOWS\system32\drivers\vmtwqxza.dat
2007-11-11 10:07 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-11-10 13:13 8,704 --a------ C:\WINDOWS\system32\kbdjpn.dll
2007-11-10 13:13 8,704 --a------ C:\WINDOWS\system32\dllcache\kbdjpn.dll
2007-11-10 13:13 8,192 --a------ C:\WINDOWS\system32\kbdkor.dll
2007-11-10 13:13 8,192 --a------ C:\WINDOWS\system32\dllcache\kbdkor.dll
2007-11-10 13:13 6,144 --a------ C:\WINDOWS\system32\kbd106.dll
2007-11-10 13:13 6,144 --a------ C:\WINDOWS\system32\kbd101c.dll
2007-11-10 13:13 6,144 --a------ C:\WINDOWS\system32\kbd101b.dll
2007-11-10 13:13 6,144 --a------ C:\WINDOWS\system32\dllcache\kbd106.dll
2007-11-10 13:13 6,144 --a------ C:\WINDOWS\system32\dllcache\kbd101c.dll
2007-11-10 13:13 6,144 --a------ C:\WINDOWS\system32\dllcache\kbd101b.dll
2007-11-10 13:13 5,632 --a------ C:\WINDOWS\system32\kbd103.dll
2007-11-10 13:13 5,632 --a------ C:\WINDOWS\system32\dllcache\kbd103.dll
2007-11-09 13:49 77,888 --a------ C:\WINDOWS\system32\suyjaoqy.dll
2007-11-09 13:47 881,820 ---hs---- C:\WINDOWS\system32\hjhrfwbv.ini
2007-11-09 13:47 88,128 --a------ C:\WINDOWS\system32\vbwfrhjh.dll
2007-11-09 13:41 145,984 --a------ C:\WINDOWS\system32\jtudrpot.dll
2007-11-09 13:36 71,232 --a------ C:\WINDOWS\system32\uxvsidcn.exe
2007-11-09 13:32 <DIR> d-------- C:\VundoFix Backups
2007-11-09 13:16 583,472 ---hs---- C:\WINDOWS\system32\oibxkbcq.ini
2007-11-09 13:13 77,888 --a------ C:\WINDOWS\system32\iybfttnt.dll
2007-11-09 13:10 71,232 --a------ C:\WINDOWS\system32\thieqgax.exe
2007-11-09 08:31 <DIR> d-------- C:\!KillBox
2007-11-09 08:12 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\TEMP
2007-11-09 08:12 79,688 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-11-09 08:12 62,280 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-11-09 08:12 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-11-09 08:12 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-11-09 08:11 <DIR> d-------- C:\Documents and Settings\wojtek\Dane aplikacji\PC Tools
2007-11-09 08:06 583,009 ---hs---- C:\WINDOWS\system32\tajdpywn.ini
2007-11-09 08:04 71,232 --a------ C:\WINDOWS\system32\uxbhjsow.exe
2007-11-09 08:03 145,984 --a------ C:\WINDOWS\system32\shlsjdeu.dll
2007-11-08 22:58 <DIR> d-------- C:\Documents and Settings\wojtek\Dane aplikacji\Apple Computer
2007-11-08 22:54 <DIR> d-------- C:\Program Files\Apple Software Update
2007-11-08 22:54 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Apple
2007-11-08 22:49 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Apple Computer
2007-11-08 17:43 <DIR> d-------- C:\Program Files\BitTorrent_DNA
2007-11-08 17:43 <DIR> d-------- C:\Documents and Settings\wojtek\Dane aplikacji\BitTorrent DNA
2007-11-08 17:43 <DIR> d-------- C:\Documents and Settings\wojtek\Dane aplikacji\BitTorrent
2007-11-08 12:52 35,328 --a------ C:\WINDOWS\system32\efcbxyv.dll
2007-11-08 12:49 35,328 --a------ C:\WINDOWS\system32\xxywust.dll
2007-11-08 12:48 <DIR> d-------- C:\Temp\mZOr
2007-11-08 12:48 <DIR> d-------- C:\Temp
2007-11-08 12:48 225,121 --a------ C:\Temp\mrse.exe
2007-10-31 19:30 <DIR> d-------- C:\Poker
2007-10-31 13:37 <DIR> d-------- C:\Documents and Settings\jacek\Dane aplikacji\Talkback

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-09 12:42 145,984 ----a-w C:\WINDOWS\system32\srijmdch.dll.vir
2007-11-09 07:12 77,888 ----a-w C:\WINDOWS\system32\lfqnhgtu.dll
2007-11-09 07:06 88,128 ------w C:\WINDOWS\system32\nwypdjat.dll
2007-11-08 11:48 35,328 ----a-w C:\WINDOWS\system32\awttttr.dll.vir
2007-10-23 15:20 229,727 ----a-w C:\WINDOWS\Burn4Free_Toolbar_Uninstaller_7375.exe
2007-10-23 15:20 --------- d-----w C:\Program Files\Burn4Free Toolbar
2007-10-23 15:20 --------- d-----w C:\Program Files\Burn4Free
2007-10-21 08:54 --------- d-----w C:\Documents and Settings\wojtek\Dane aplikacji\Media Player Classic
2007-10-15 20:34 --------- d-----w C:\Documents and Settings\wojtek\Dane aplikacji\Talkback
2007-10-03 21:00 --------- d-----w C:\Documents and Settings\wojtek\Dane aplikacji\SopCast
2007-10-03 09:53 737,280 ----a-w C:\WINDOWS\iun6002.exe
2007-10-03 09:50 --------- d-----w C:\Program Files\Codec Pack - All In 1
2007-10-02 21:36 --------- d-----w C:\Documents and Settings\wojtek\Dane aplikacji\TVU Networks
2007-10-02 21:31 --------- d-----w C:\Program Files\XP Codec Pack
2007-10-02 21:26 --------- d-----w C:\Program Files\TVUPlayer
2007-10-02 21:26 --------- d-----w C:\Documents and Settings\jacek\Dane aplikacji\TVU Networks
2007-10-02 21:13 --------- d-----w C:\Documents and Settings\jacek\Dane aplikacji\SopCast
2007-10-02 19:59 --------- d-----w C:\Program Files\SopCast
2007-09-06 11:09 801,144 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-09-06 11:00 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
2007-09-03 13:35 966,656 ----a-w C:\WINDOWS\system32\VSFilter.dll
2007-07-27 21:54 848 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{983CFA1B-7559-45CB-B7D2-FA8CF03C9F75}]
2001-10-26 17:27 83456 --a------ C:\WINDOWS\system32\c_g1803.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b1af2398-809f-46b0-ad04-c3ba4af50314}]
2007-11-09 13:49 77888 --a------ C:\WINDOWS\system32\suyjaoqy.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 22:44]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-07-09 09:39]
"AutoConnect"="C:\Program Files\AutoConnect\AutoConnect.exe" []
"BitTorrent DNA"="C:\Program Files\BitTorrent_DNA\dna.exe" [2007-11-08 17:43]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41]
"RTHDCPL"="RTHDCPL.EXE" [2007-07-05 16:08 C:\WINDOWS\RTHDCPL.exe]
"WOOWATCH"="C:\PROGRA~1\NEOSTR~1\Watch.exe" [2004-08-23 13:49]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 12:06]
"SMSERIAL"="sm56hlpr.exe" [2005-09-16 14:01 C:\WINDOWS\sm56hlpr.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"QuickTime Task"="F:\QuickTime\qttask.exe" [2007-10-19 20:16]
"SDTray"="f:\Spyware Doctor\SDTrayApp.exe" [2007-10-02 16:27]
"423e1575"="C:\WINDOWS\system32\vbwfrhjh.dll" [2007-11-09 13:47]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 22:44]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 21:05:56]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

R0 jxeefiis;jxeefiis;C:\WINDOWS\system32\drivers\vmtwqxza.dat
R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);C:\WINDOWS\system32\drivers\sfsync03.sys
R2 MSSQL$INSERTGT;SQL Server (INSERTGT);"C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sINSERTGT
R2 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"

*Newly Created Service* - HTTPFILTER
.
Contents of the 'Scheduled Tasks' folder
"2007-11-26 11:06:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-29 10:34:22
Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

**Posty:** 18165 · przez **wojtas** 04 Gru 2007, 22:36

logi nie sa w tagach.. log z hijacka nie ma naglowka

**Posty:** 16 · przez **woytek2** 04 Gru 2007, 22:40

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 14:31:06, on 2007-12-04
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\FTRTSVC.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
f:\Spyware Doctor\svcntaux.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
f:\Spyware Doctor\swdsvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
F:\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\BitTorrent_DNA\dna.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Documents and Settings\wojtek\Pulpit\HiJackThis_v2.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - f:\GetRight\xx2gr.dll
O2 - BHO: Burn4Free Toolbar Helper - {60BF5EE3-0105-4858-AD98-17C19F86B042} - C:\Program Files\Burn4Free Toolbar\v3.3.0.0\Burn4Free_Toolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {983CFA1B-7559-45CB-B7D2-FA8CF03C9F75} - C:\WINDOWS\system32\c_g1803.dll
O3 - Toolbar: Burn4Free Toolbar - {55FAF0F2-44D4-425F-B5F5-6B275B621EAB} - C:\Program Files\Burn4Free Toolbar\v3.3.0.0\Burn4Free_Toolbar.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "F:\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SDTray] "f:\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [AutoConnect] C:\Program Files\AutoConnect\AutoConnect.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\BitTorrent_DNA\dna.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Download with GetRight - f:\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - f:\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool - http://67.15.101.3/g_bin/pl/billard8_2_0_0_35.cab
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C5} (GameDesire Snooker) - http://67.15.101.33/g_bin/pl/snooker_2_0_0_35.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FD2B8FDD-83EE-4FA4-BE7B-23C801043EB5}: NameServer = 194.204.159.1,194.204.152.34
O22 - SharedTaskScheduler: Moduł wstępnego ładowania interfejsu Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Demon buforu kategorii składników - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: France Telecom Routing Table Service (FTRTSVC) - France Telecom - C:\WINDOWS\System32\FTRTSVC.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - f:\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - f:\Spyware Doctor\swdsvc.exe

--
End of file - 6434 bytes

[ Dodano: Dzisiaj o 21:41 ]
combofix

Kod: Zaznacz wszystko: ComboFix 07-11-19.4C - wojtek 2007-11-29 10:30:30.1 - [color=red][b]FAT32[/b][/color]x86 Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.589 [GMT 1:00] Running from: C:\Documents and Settings\wojtek\Pulpit\ComboFix.exe * Created a new restore point . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Documents and Settings\All Users\Menu Start\Live Safety Center.lnk C:\Documents and Settings\All Users\Menu Start\Online Security Guide.lnk C:\Temp\1cb C:\Temp\1cb\syscheck.log C:\WINDOWS\b122.exe C:\WINDOWS\b128.exe C:\WINDOWS\cookies.ini C:\WINDOWS\Downloaded Program Files\UGA6P_0001_N122M2210NetInstaller.exe C:\WINDOWS\system32\m2 C:\WINDOWS\system32\o1 C:\WINDOWS\system32\pac.txt C:\WINDOWS\system32\srijmdch.dllbox C:\WINDOWS\system32\txfecvzr.dllbox C:\WINDOWS\system32\v4 C:\WINDOWS\system32\v4\caws83122.exe . ((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-29 ))))))))))))))))))))))))))))))) . 2007-11-26 12:05 <DIR> d-------- C:\Program Files\Soulseek-Test 2007-11-24 15:19 83,456 --a------ C:\WINDOWS\system32\c_g1803.dll 2007-11-24 15:19 19,200 C:\WINDOWS\system32\drivers\vmtwqxza.dat 2007-11-11 10:07 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl 2007-11-10 13:13 8,704 --a------ C:\WINDOWS\system32\kbdjpn.dll 2007-11-10 13:13 8,704 --a------ C:\WINDOWS\system32\dllcache\kbdjpn.dll 2007-11-10 13:13 8,192 --a------ C:\WINDOWS\system32\kbdkor.dll 2007-11-10 13:13 8,192 --a------ C:\WINDOWS\system32\dllcache\kbdkor.dll 2007-11-10 13:13 6,144 --a------ C:\WINDOWS\system32\kbd106.dll 2007-11-10 13:13 6,144 --a------ C:\WINDOWS\system32\kbd101c.dll 2007-11-10 13:13 6,144 --a------ C:\WINDOWS\system32\kbd101b.dll 2007-11-10 13:13 6,144 --a------ C:\WINDOWS\system32\dllcache\kbd106.dll 2007-11-10 13:13 6,144 --a------ C:\WINDOWS\system32\dllcache\kbd101c.dll 2007-11-10 13:13 6,144 --a------ C:\WINDOWS\system32\dllcache\kbd101b.dll 2007-11-10 13:13 5,632 --a------ C:\WINDOWS\system32\kbd103.dll 2007-11-10 13:13 5,632 --a------ C:\WINDOWS\system32\dllcache\kbd103.dll 2007-11-09 13:49 77,888 --a------ C:\WINDOWS\system32\suyjaoqy.dll 2007-11-09 13:47 881,820 ---hs---- C:\WINDOWS\system32\hjhrfwbv.ini 2007-11-09 13:47 88,128 --a------ C:\WINDOWS\system32\vbwfrhjh.dll 2007-11-09 13:41 145,984 --a------ C:\WINDOWS\system32\jtudrpot.dll 2007-11-09 13:36 71,232 --a------ C:\WINDOWS\system32\uxvsidcn.exe 2007-11-09 13:32 <DIR> d-------- C:\VundoFix Backups 2007-11-09 13:16 583,472 ---hs---- C:\WINDOWS\system32\oibxkbcq.ini 2007-11-09 13:13 77,888 --a------ C:\WINDOWS\system32\iybfttnt.dll 2007-11-09 13:10 71,232 --a------ C:\WINDOWS\system32\thieqgax.exe 2007-11-09 08:31 <DIR> d-------- C:\!KillBox 2007-11-09 08:12 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\TEMP 2007-11-09 08:12 79,688 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys 2007-11-09 08:12 62,280 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys 2007-11-09 08:12 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys 2007-11-09 08:12 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys 2007-11-09 08:11 <DIR> d-------- C:\Documents and Settings\wojtek\Dane aplikacji\PC Tools 2007-11-09 08:06 583,009 ---hs---- C:\WINDOWS\system32\tajdpywn.ini 2007-11-09 08:04 71,232 --a------ C:\WINDOWS\system32\uxbhjsow.exe 2007-11-09 08:03 145,984 --a------ C:\WINDOWS\system32\shlsjdeu.dll 2007-11-08 22:58 <DIR> d-------- C:\Documents and Settings\wojtek\Dane aplikacji\Apple Computer 2007-11-08 22:54 <DIR> d-------- C:\Program Files\Apple Software Update 2007-11-08 22:54 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Apple 2007-11-08 22:49 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Apple Computer 2007-11-08 17:43 <DIR> d-------- C:\Program Files\BitTorrent_DNA 2007-11-08 17:43 <DIR> d-------- C:\Documents and Settings\wojtek\Dane aplikacji\BitTorrent DNA 2007-11-08 17:43 <DIR> d-------- C:\Documents and Settings\wojtek\Dane aplikacji\BitTorrent 2007-11-08 12:52 35,328 --a------ C:\WINDOWS\system32\efcbxyv.dll 2007-11-08 12:49 35,328 --a------ C:\WINDOWS\system32\xxywust.dll 2007-11-08 12:48 <DIR> d-------- C:\Temp\mZOr 2007-11-08 12:48 <DIR> d-------- C:\Temp 2007-11-08 12:48 225,121 --a------ C:\Temp\mrse.exe 2007-10-31 19:30 <DIR> d-------- C:\Poker 2007-10-31 13:37 <DIR> d-------- C:\Documents and Settings\jacek\Dane aplikacji\Talkback . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-11-09 12:42 145,984 ----a-w C:\WINDOWS\system32\srijmdch.dll.vir 2007-11-09 07:12 77,888 ----a-w C:\WINDOWS\system32\lfqnhgtu.dll 2007-11-09 07:06 88,128 ------w C:\WINDOWS\system32\nwypdjat.dll 2007-11-08 11:48 35,328 ----a-w C:\WINDOWS\system32\awttttr.dll.vir 2007-10-23 15:20 229,727 ----a-w C:\WINDOWS\Burn4Free_Toolbar_Uninstaller_7375.exe 2007-10-23 15:20 --------- d-----w C:\Program Files\Burn4Free Toolbar 2007-10-23 15:20 --------- d-----w C:\Program Files\Burn4Free 2007-10-21 08:54 --------- d-----w C:\Documents and Settings\wojtek\Dane aplikacji\Media Player Classic 2007-10-15 20:34 --------- d-----w C:\Documents and Settings\wojtek\Dane aplikacji\Talkback 2007-10-03 21:00 --------- d-----w C:\Documents and Settings\wojtek\Dane aplikacji\SopCast 2007-10-03 09:53 737,280 ----a-w C:\WINDOWS\iun6002.exe 2007-10-03 09:50 --------- d-----w C:\Program Files\Codec Pack - All In 1 2007-10-02 21:36 --------- d-----w C:\Documents and Settings\wojtek\Dane aplikacji\TVU Networks 2007-10-02 21:31 --------- d-----w C:\Program Files\XP Codec Pack 2007-10-02 21:26 --------- d-----w C:\Program Files\TVUPlayer 2007-10-02 21:26 --------- d-----w C:\Documents and Settings\jacek\Dane aplikacji\TVU Networks 2007-10-02 21:13 --------- d-----w C:\Documents and Settings\jacek\Dane aplikacji\SopCast 2007-10-02 19:59 --------- d-----w C:\Program Files\SopCast 2007-09-06 11:09 801,144 ----a-w C:\WINDOWS\system32\aswBoot.exe 2007-09-06 11:00 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr 2007-09-03 13:35 966,656 ----a-w C:\WINDOWS\system32\VSFilter.dll 2007-07-27 21:54 848 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{983CFA1B-7559-45CB-B7D2-FA8CF03C9F75}] 2001-10-26 17:27 83456 --a------ C:\WINDOWS\system32\c_g1803.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b1af2398-809f-46b0-ad04-c3ba4af50314}] 2007-11-09 13:49 77888 --a------ C:\WINDOWS\system32\suyjaoqy.dll [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 22:44] "Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-07-09 09:39] "AutoConnect"="C:\Program Files\AutoConnect\AutoConnect.exe" [] "BitTorrent DNA"="C:\Program Files\BitTorrent_DNA\dna.exe" [2007-11-08 17:43] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41] "RTHDCPL"="RTHDCPL.EXE" [2007-07-05 16:08 C:\WINDOWS\RTHDCPL.exe] "WOOWATCH"="C:\PROGRA~1\NEOSTR~1\Watch.exe" [2004-08-23 13:49] "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 12:06] "SMSERIAL"="sm56hlpr.exe" [2005-09-16 14:01 C:\WINDOWS\sm56hlpr.exe] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11] "QuickTime Task"="F:\QuickTime\qttask.exe" [2007-10-19 20:16] "SDTray"="f:\Spyware Doctor\SDTrayApp.exe" [2007-10-02 16:27] "423e1575"="C:\WINDOWS\system32\vbwfrhjh.dll" [2007-11-09 13:47] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 22:44] C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\ Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26] Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 21:05:56] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice] @="" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice] @="" R0 jxeefiis;jxeefiis;C:\WINDOWS\system32\drivers\vmtwqxza.dat R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);C:\WINDOWS\system32\drivers\sfsync03.sys R2 MSSQL$INSERTGT;SQL Server (INSERTGT);"C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sINSERTGT R2 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" *Newly Created Service* - HTTPFILTER . Contents of the 'Scheduled Tasks' folder "2007-11-26 11:06:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" . ************************************************************************** catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-11-29 10:34:22 Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2007-11-29 10:35:15 - machine was rebooted . --- E O F ---

**Posty:** 18165 · przez **wojtas** 04 Gru 2007, 23:07

sciagnij ATF_Cleaner
zaznacz
Windows Temp
Temporary internet files
i wcisnij EMPTY SELECTED

Otworz notatnik i wklej w nim to:

File::
C:\WINDOWS\system32\suyjaoqy.dll
C:\WINDOWS\system32\hjhrfwbv.ini
C:\WINDOWS\system32\vbwfrhjh.dll
C:\WINDOWS\system32\jtudrpot.dll
C:\WINDOWS\system32\uxvsidcn.exe
C:\WINDOWS\system32\oibxkbcq.ini
C:\WINDOWS\system32\iybfttnt.dll
C:\WINDOWS\system32\thieqgax.exe
C:\WINDOWS\system32\c_g1803.dll
C:\WINDOWS\system32\drivers\vmtwqxza.dat
C:\WINDOWS\system32\tajdpywn.ini
C:\WINDOWS\system32\uxbhjsow.exe
C:\WINDOWS\system32\shlsjdeu.dll
C:\WINDOWS\system32\efcbxyv.dll
C:\WINDOWS\system32\xxywust.dll
C:\Temp\mrse.exe
C:\WINDOWS\system32\srijmdch.dll.vir
C:\WINDOWS\system32\lfqnhgtu.dll
C:\WINDOWS\system32\nwypdjat.dll
C:\WINDOWS\system32\awttttr.dll.vir

Driver::
jxeefiis

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{983CFA1B-7559-45CB-B7D2-FA8CF03C9F75}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b1af2398-809f-46b0-ad04-c3ba4af50314}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"423e1575"=-

Plik >>> zapisz jako CFScript.txt .Plik przeciągnij i upuść na ikonę ComboFixa (tak jak tu ) . Potwierdz >>> zresetuje sie komputer

(jeśli pojawi się pytanie "1 or 2" - to wpisz 1 i naciśnij ENTER). Rozpocznie się proces usuwania
Potem nowy log z hijacka oraz combofixa

**Posty:** 16 · przez **woytek2** 05 Gru 2007, 00:07

combofix

[/code]ComboFix 07-11-19.4C - wojtek 2007-12-04 23:00:31.4 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.551 [GMT 1:00]
Running from: C:\Documents and Settings\wojtek\Pulpit\ComboFix.exe
Command switches used :: C:\Documents and Settings\wojtek\Pulpit\CFScript.txt
* Created a new restore point

FILE
C:\Temp\mrse.exe
C:\WINDOWS\system32\awttttr.dll.vir
C:\WINDOWS\system32\c_g1803.dll
C:\WINDOWS\system32\drivers\vmtwqxza.dat
C:\WINDOWS\system32\efcbxyv.dll
C:\WINDOWS\system32\hjhrfwbv.ini
C:\WINDOWS\system32\iybfttnt.dll
C:\WINDOWS\system32\jtudrpot.dll
C:\WINDOWS\system32\lfqnhgtu.dll
C:\WINDOWS\system32\nwypdjat.dll
C:\WINDOWS\system32\oibxkbcq.ini
C:\WINDOWS\system32\shlsjdeu.dll
C:\WINDOWS\system32\srijmdch.dll.vir
C:\WINDOWS\system32\suyjaoqy.dll
C:\WINDOWS\system32\tajdpywn.ini
C:\WINDOWS\system32\thieqgax.exe
C:\WINDOWS\system32\uxbhjsow.exe
C:\WINDOWS\system32\uxvsidcn.exe
C:\WINDOWS\system32\vbwfrhjh.dll
C:\WINDOWS\system32\xxywust.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\mrse.exe
C:\WINDOWS\system32\awttttr.dll.vir
C:\WINDOWS\system32\efcbxyv.dll
C:\WINDOWS\system32\hjhrfwbv.ini
C:\WINDOWS\system32\iybfttnt.dll
C:\WINDOWS\system32\lfqnhgtu.dll
C:\WINDOWS\system32\nwypdjat.dll
C:\WINDOWS\system32\oibxkbcq.ini
C:\WINDOWS\system32\tajdpywn.ini
C:\WINDOWS\system32\thieqgax.exe
C:\WINDOWS\system32\uxbhjsow.exe
C:\WINDOWS\system32\uxvsidcn.exe
C:\WINDOWS\system32\xxywust.dll
C:\WINDOWS\system32\c_g1803.dll . . . . failed to delete
C:\WINDOWS\system32\drivers\vmtwqxza.dat . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_JXEEFIIS
-------\jxeefiis

((((((((((((((((((((((((( Files Created from 2007-11-04 to 2007-12-04 )))))))))))))))))))))))))))))))
.

2007-12-02 20:44 443,752 --a------ C:\WINDOWS\system32\d3dx10_34.dll
2007-12-02 20:44 266,088 --a------ C:\WINDOWS\system32\xactengine2_8.dll
2007-12-02 20:44 18,280 --a------ C:\WINDOWS\system32\x3daudio1_2.dll
2007-12-02 20:43 1,124,720 --a------ C:\WINDOWS\system32\D3DCompiler_34.dll
2007-12-02 20:39 <DIR> d-------- C:\Program Files\Activision
2007-12-02 15:03 <DIR> d-------- C:\Downloads
2007-12-02 15:03 <DIR> d-------- C:\Documents and Settings\wojtek\Dane aplikacji\GetRight
2007-11-29 10:38 <DIR> dr------- C:\Documents and Settings\NetworkService\Ulubione
2007-11-26 12:05 <DIR> d-------- C:\Program Files\Soulseek-Test
2007-11-24 15:19 106,752 --a------ C:\WINDOWS\system32\c_g1803.2
2007-11-24 15:19 89,088 --a------ C:\WINDOWS\system32\c_g1803.dll
2007-11-24 15:19 83,456 --a------ C:\WINDOWS\system32\c_g1803.1
2007-11-24 15:19 19,200 C:\WINDOWS\system32\drivers\vmtwqxza.dat
2007-11-11 10:07 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-11-10 13:13 8,704 --a------ C:\WINDOWS\system32\dllcache\kbdjpn.dll
2007-11-10 13:13 8,192 --a------ C:\WINDOWS\system32\dllcache\kbdkor.dll
2007-11-10 13:13 6,144 --a------ C:\WINDOWS\system32\kbd101c.dll
2007-11-10 13:13 6,144 --a------ C:\WINDOWS\system32\kbd101b.dll
2007-11-10 13:13 6,144 --a------ C:\WINDOWS\system32\dllcache\kbd106.dll
2007-11-10 13:13 6,144 --a------ C:\WINDOWS\system32\dllcache\kbd101c.dll
2007-11-10 13:13 6,144 --a------ C:\WINDOWS\system32\dllcache\kbd101b.dll
2007-11-10 13:13 5,632 --a------ C:\WINDOWS\system32\dllcache\kbd103.dll
2007-11-09 13:32 <DIR> d-------- C:\VundoFix Backups
2007-11-09 08:31 <DIR> d-------- C:\!KillBox
2007-11-09 08:12 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\TEMP
2007-11-09 08:12 79,688 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-11-09 08:12 62,280 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-11-09 08:12 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-11-09 08:12 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-11-09 08:11 <DIR> d-------- C:\Documents and Settings\wojtek\Dane aplikacji\PC Tools
2007-11-09 08:11 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-11-09 08:07 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-11-08 22:58 <DIR> d-------- C:\Documents and Settings\wojtek\Dane aplikacji\Apple Computer
2007-11-08 22:54 <DIR> d-------- C:\Program Files\Apple Software Update
2007-11-08 22:54 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Apple
2007-11-08 22:49 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Apple Computer
2007-11-08 17:43 <DIR> d-------- C:\Program Files\BitTorrent_DNA
2007-11-08 17:43 <DIR> d-------- C:\Documents and Settings\wojtek\Dane aplikacji\BitTorrent DNA
2007-11-08 17:43 <DIR> d-------- C:\Documents and Settings\wojtek\Dane aplikacji\BitTorrent
2007-11-08 12:48 <DIR> d-------- C:\WINDOWS\system32\Mz02r
2007-11-08 12:48 <DIR> d-------- C:\Temp\mZOr
2007-11-08 12:48 <DIR> d-------- C:\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-31 12:37 --------- d-----w C:\Documents and Settings\jacek\Dane aplikacji\Talkback
2007-10-23 15:20 229,727 ----a-w C:\WINDOWS\Burn4Free_Toolbar_Uninstaller_7375.exe
2007-10-23 15:20 --------- d-----w C:\Program Files\Burn4Free Toolbar
2007-10-23 15:20 --------- d-----w C:\Program Files\Burn4Free
2007-10-21 08:54 --------- d-----w C:\Documents and Settings\wojtek\Dane aplikacji\Media Player Classic
2007-10-15 20:34 --------- d-----w C:\Documents and Settings\wojtek\Dane aplikacji\Talkback
2007-10-03 09:53 737,280 ----a-w C:\WINDOWS\iun6002.exe
2007-09-06 11:09 801,144 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-09-06 11:00 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
2007-07-27 21:54 848 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2007-11-29_10.34.42.87 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-07-26 19:58:08 53,248 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.AudioVideoPlayback\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.AudioVideoPlayback.dll
+ 2007-12-02 19:43:52 53,248 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.AudioVideoPlayback\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.AudioVideoPlayback.dll
- 2007-07-26 19:58:08 12,800 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Diagnostics\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Diagnostics.dll
+ 2007-12-02 19:43:52 12,800 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Diagnostics\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Diagnostics.dll
- 2007-07-26 19:58:08 473,600 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3D\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3D.dll
+ 2007-12-02 19:43:52 473,600 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3D\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3D.dll
+ 2007-12-02 19:43:48 2,676,224 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2007-12-02 19:43:50 2,846,720 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2903.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2007-12-02 19:43:50 563,712 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2904.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2007-12-02 19:43:50 567,296 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2905.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2007-07-25 13:56:22 576,000 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2906.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2007-12-02 19:43:50 576,000 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2906.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2007-12-02 19:43:50 577,024 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2907.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2007-07-26 19:58:10 577,536 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2908.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2007-12-02 19:43:50 577,536 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2908.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2007-12-02 19:43:52 577,536 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2909.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2007-12-02 19:43:52 578,560 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2910.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2007-12-02 19:43:54 578,560 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2911.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2007-07-26 19:58:10 145,920 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectDraw\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectDraw.dll
+ 2007-12-02 19:43:54 145,920 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectDraw\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectDraw.dll
- 2007-07-26 19:58:10 159,232 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectInput\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectInput.dll
+ 2007-12-02 19:43:54 159,232 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectInput\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectInput.dll
- 2007-07-26 19:58:10 364,544 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectPlay\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectPlay.dll
+ 2007-12-02 19:43:54 364,544 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectPlay\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectPlay.dll
- 2007-07-26 19:58:10 178,176 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectSound\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectSound.dll
+ 2007-12-02 19:43:54 178,176 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectSound\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectSound.dll
- 2007-07-26 19:58:08 223,232 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.dll
+ 2007-12-02 19:43:52 223,232 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.dll
+ 2007-03-13 09:57:12 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
+ 2007-12-02 19:43:16 216,358 ----a-r C:\WINDOWS\Installer\{6734CA10-8FB8-4C7F-B8C7-75317C617DC5}\ARPPRODUCTICON.exe
+ 2004-09-29 11:38:58 2,676,224 ----a-w C:\WINDOWS\Microsoft.NET\DirectX for Managed Code\1.0.2902.0\Microsoft.DirectX.Direct3DX.dll
+ 2004-12-01 14:53:06 2,846,720 ----a-w C:\WINDOWS\Microsoft.NET\DirectX for Managed Code\1.0.2903.0\Microsoft.DirectX.Direct3DX.dll
+ 2005-02-05 18:32:54 563,712 ----a-w C:\WINDOWS\Microsoft.NET\DirectX for Managed Code\1.0.2904.0\Microsoft.DirectX.Direct3DX.dll
+ 2005-03-18 16:23:14 567,296 ----a-w C:\WINDOWS\Microsoft.NET\DirectX for Managed Code\1.0.2905.0\Microsoft.DirectX.Direct3DX.dll
+ 2005-07-22 16:21:34 577,024 ----a-w C:\WINDOWS\Microsoft.NET\DirectX for Managed Code\1.0.2907.0\Microsoft.DirectX.Direct3DX.dll
+ 2005-12-05 16:20:50 577,536 ----a-w C:\WINDOWS\Microsoft.NET\DirectX for Managed Code\1.0.2909.0\Microsoft.DirectX.Direct3DX.dll
+ 2006-02-03 06:40:48 578,560 ----a-w C:\WINDOWS\Microsoft.NET\DirectX for Managed Code\1.0.2910.0\Microsoft.DirectX.Direct3DX.dll
+ 2006-03-31 10:27:50 578,560 ----a-w C:\WINDOWS\Microsoft.NET\DirectX for Managed Code\1.0.2911.0\Microsoft.DirectX.Direct3DX.dll
+ 2007-03-12 15:42:30 1,123,696 ----a-w C:\WINDOWS\system32\D3DCompiler_33.dll
+ 2007-03-15 15:57:58 443,752 ----a-w C:\WINDOWS\system32\d3dx10_33.dll
+ 2005-02-05 18:45:26 2,222,800 ----a-w C:\WINDOWS\system32\d3dx9_24.dll
+ 2005-03-18 16:19:58 2,337,488 ----a-w C:\WINDOWS\system32\d3dx9_25.dll
+ 2005-12-05 17:09:18 2,323,664 ----a-w C:\WINDOWS\system32\d3dx9_28.dll
+ 2006-02-03 07:43:16 2,332,368 ----a-w C:\WINDOWS\system32\d3dx9_29.dll
+ 2006-03-31 11:40:58 2,388,176 ----a-w C:\WINDOWS\system32\d3dx9_30.dll
+ 2006-09-28 15:05:20 2,414,360 ----a-w C:\WINDOWS\system32\d3dx9_31.dll
+ 2006-11-29 12:06:18 3,426,072 ----a-w C:\WINDOWS\system32\d3dx9_32.dll
+ 2007-03-12 15:42:30 3,495,784 ----a-w C:\WINDOWS\system32\d3dx9_33.dll
+ 2007-05-16 15:45:16 3,497,832 ----a-w C:\WINDOWS\system32\d3dx9_34.dll
+ 2006-02-03 07:41:26 14,032 ----a-w C:\WINDOWS\system32\x3daudio1_0.dll
+ 2007-03-05 11:42:18 15,128 ----a-w C:\WINDOWS\system32\x3daudio1_1.dll
+ 2006-02-03 07:42:06 230,096 ----a-w C:\WINDOWS\system32\xactengine2_0.dll
+ 2006-03-31 11:39:48 229,584 ----a-w C:\WINDOWS\system32\xactengine2_1.dll
+ 2006-05-31 06:24:16 230,168 ----a-w C:\WINDOWS\system32\xactengine2_2.dll
+ 2006-07-28 08:30:32 236,824 ----a-w C:\WINDOWS\system32\xactengine2_3.dll
+ 2006-09-28 15:05:56 237,848 ----a-w C:\WINDOWS\system32\xactengine2_4.dll
+ 2006-12-08 11:02:00 251,672 ----a-w C:\WINDOWS\system32\xactengine2_5.dll
+ 2007-01-24 14:27:30 255,848 ----a-w C:\WINDOWS\system32\xactengine2_6.dll
+ 2007-04-04 17:55:00 261,480 ----a-w C:\WINDOWS\system32\xactengine2_7.dll
+ 2006-03-31 11:39:24 62,672 ----a-w C:\WINDOWS\system32\xinput1_1.dll
+ 2006-07-28 08:30:14 62,744 ----a-w C:\WINDOWS\system32\xinput1_2.dll
+ 2007-04-04 17:53:42 81,768 ----a-w C:\WINDOWS\system32\xinput1_3.dll
- 2005-09-28 14:35:48 61,136 ----a-w C:\WINDOWS\system32\xinput9_1_0.dll
+ 2005-12-05 17:07:30 61,136 ----a-w C:\WINDOWS\system32\xinput9_1_0.dll
+ 2007-12-04 22:04:06 16,384 ----a-w C:\WINDOWS\TEMP\Perflib_Perfdata_5c8.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{983CFA1B-7559-45CB-B7D2-FA8CF03C9F75}]
2001-10-26 17:27 89088 --a------ C:\WINDOWS\system32\c_g1803.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 22:44]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-07-09 09:39]
"AutoConnect"="C:\Program Files\AutoConnect\AutoConnect.exe" []
"BitTorrent DNA"="C:\Program Files\BitTorrent_DNA\dna.exe" [2007-11-08 17:43]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41]
"RTHDCPL"="RTHDCPL.EXE" [2007-07-05 16:08 C:\WINDOWS\RTHDCPL.exe]
"WOOWATCH"="C:\PROGRA~1\NEOSTR~1\Watch.exe" [2004-08-23 13:49]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 12:06]
"SMSERIAL"="sm56hlpr.exe" [2005-09-16 14:01 C:\WINDOWS\sm56hlpr.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"QuickTime Task"="F:\QuickTime\qttask.exe" [2007-10-19 20:16]
"SDTray"="f:\Spyware Doctor\SDTrayApp.exe" [2007-10-02 16:27]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 22:44]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 21:05:56]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

R0 jxeefiis;jxeefiis;C:\WINDOWS\system32\drivers\vmtwqxza.dat
R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);C:\WINDOWS\system32\drivers\sfsync03.sys
R2 MSSQL$INSERTGT;SQL Server (INSERTGT);"C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sINSERTGT
R2 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"

*Newly Created Service* - JXEEFIIS
.
Contents of the 'Scheduled Tasks' folder
"2007-11-26 11:06:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-04 23:04:39
Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-04 23:05:18 - machine was rebooted
C:\ComboFix3.txt ... 2007-11-30 20:05
C:\ComboFix2.txt ... 2007-12-02 11:12
.
--- E O F ---

Kod: Zaznacz wszystko: [size=75][ [i][b][color=#B50158]Dodano:[/b] Dzisiaj o 23:08[/i] ][/size] [/color] hijack [code]ComboFix 07-11-19.4C - wojtek 2007-12-04 23:00:31.4 - [color=red][b]FAT32[/b][/color]x86 Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.551 [GMT 1:00] Running from: C:\Documents and Settings\wojtek\Pulpit\ComboFix.exe Command switches used :: C:\Documents and Settings\wojtek\Pulpit\CFScript.txt * Created a new restore point FILE C:\Temp\mrse.exe C:\WINDOWS\system32\awttttr.dll.vir C:\WINDOWS\system32\c_g1803.dll C:\WINDOWS\system32\drivers\vmtwqxza.dat C:\WINDOWS\system32\efcbxyv.dll C:\WINDOWS\system32\hjhrfwbv.ini C:\WINDOWS\system32\iybfttnt.dll C:\WINDOWS\system32\jtudrpot.dll C:\WINDOWS\system32\lfqnhgtu.dll C:\WINDOWS\system32\nwypdjat.dll C:\WINDOWS\system32\oibxkbcq.ini C:\WINDOWS\system32\shlsjdeu.dll C:\WINDOWS\system32\srijmdch.dll.vir C:\WINDOWS\system32\suyjaoqy.dll C:\WINDOWS\system32\tajdpywn.ini C:\WINDOWS\system32\thieqgax.exe C:\WINDOWS\system32\uxbhjsow.exe C:\WINDOWS\system32\uxvsidcn.exe C:\WINDOWS\system32\vbwfrhjh.dll C:\WINDOWS\system32\xxywust.dll . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Temp\mrse.exe C:\WINDOWS\system32\awttttr.dll.vir C:\WINDOWS\system32\efcbxyv.dll C:\WINDOWS\system32\hjhrfwbv.ini C:\WINDOWS\system32\iybfttnt.dll C:\WINDOWS\system32\lfqnhgtu.dll C:\WINDOWS\system32\nwypdjat.dll C:\WINDOWS\system32\oibxkbcq.ini C:\WINDOWS\system32\tajdpywn.ini C:\WINDOWS\system32\thieqgax.exe C:\WINDOWS\system32\uxbhjsow.exe C:\WINDOWS\system32\uxvsidcn.exe C:\WINDOWS\system32\xxywust.dll C:\WINDOWS\system32\c_g1803.dll . . . . failed to delete C:\WINDOWS\system32\drivers\vmtwqxza.dat . . . . failed to delete . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\LEGACY_JXEEFIIS -------\jxeefiis ((((((((((((((((((((((((( Files Created from 2007-11-04 to 2007-12-04 ))))))))))))))))))))))))))))))) . 2007-12-02 20:44 443,752 --a------ C:\WINDOWS\system32\d3dx10_34.dll 2007-12-02 20:44 266,088 --a------ C:\WINDOWS\system32\xactengine2_8.dll 2007-12-02 20:44 18,280 --a------ C:\WINDOWS\system32\x3daudio1_2.dll 2007-12-02 20:43 1,124,720 --a------ C:\WINDOWS\system32\D3DCompiler_34.dll 2007-12-02 20:39 <DIR> d-------- C:\Program Files\Activision 2007-12-02 15:03 <DIR> d-------- C:\Downloads 2007-12-02 15:03 <DIR> d-------- C:\Documents and Settings\wojtek\Dane aplikacji\GetRight 2007-11-29 10:38 <DIR> dr------- C:\Documents and Settings\NetworkService\Ulubione 2007-11-26 12:05 <DIR> d-------- C:\Program Files\Soulseek-Test 2007-11-24 15:19 106,752 --a------ C:\WINDOWS\system32\c_g1803.2 2007-11-24 15:19 89,088 --a------ C:\WINDOWS\system32\c_g1803.dll 2007-11-24 15:19 83,456 --a------ C:\WINDOWS\system32\c_g1803.1 2007-11-24 15:19 19,200 C:\WINDOWS\system32\drivers\vmtwqxza.dat 2007-11-11 10:07 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl 2007-11-10 13:13 8,704 --a------ C:\WINDOWS\system32\dllcache\kbdjpn.dll 2007-11-10 13:13 8,192 --a------ C:\WINDOWS\system32\dllcache\kbdkor.dll 2007-11-10 13:13 6,144 --a------ C:\WINDOWS\system32\kbd101c.dll 2007-11-10 13:13 6,144 --a------ C:\WINDOWS\system32\kbd101b.dll 2007-11-10 13:13 6,144 --a------ C:\WINDOWS\system32\dllcache\kbd106.dll 2007-11-10 13:13 6,144 --a------ C:\WINDOWS\system32\dllcache\kbd101c.dll 2007-11-10 13:13 6,144 --a------ C:\WINDOWS\system32\dllcache\kbd101b.dll 2007-11-10 13:13 5,632 --a------ C:\WINDOWS\system32\dllcache\kbd103.dll 2007-11-09 13:32 <DIR> d-------- C:\VundoFix Backups 2007-11-09 08:31 <DIR> d-------- C:\!KillBox 2007-11-09 08:12 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\TEMP 2007-11-09 08:12 79,688 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys 2007-11-09 08:12 62,280 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys 2007-11-09 08:12 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys 2007-11-09 08:12 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys 2007-11-09 08:11 <DIR> d-------- C:\Documents and Settings\wojtek\Dane aplikacji\PC Tools 2007-11-09 08:11 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll 2007-11-09 08:07 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll 2007-11-08 22:58 <DIR> d-------- C:\Documents and Settings\wojtek\Dane aplikacji\Apple Computer 2007-11-08 22:54 <DIR> d-------- C:\Program Files\Apple Software Update 2007-11-08 22:54 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Apple 2007-11-08 22:49 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Apple Computer 2007-11-08 17:43 <DIR> d-------- C:\Program Files\BitTorrent_DNA 2007-11-08 17:43 <DIR> d-------- C:\Documents and Settings\wojtek\Dane aplikacji\BitTorrent DNA 2007-11-08 17:43 <DIR> d-------- C:\Documents and Settings\wojtek\Dane aplikacji\BitTorrent 2007-11-08 12:48 <DIR> d-------- C:\WINDOWS\system32\Mz02r 2007-11-08 12:48 <DIR> d-------- C:\Temp\mZOr 2007-11-08 12:48 <DIR> d-------- C:\Temp . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-10-31 12:37 --------- d-----w C:\Documents and Settings\jacek\Dane aplikacji\Talkback 2007-10-23 15:20 229,727 ----a-w C:\WINDOWS\Burn4Free_Toolbar_Uninstaller_7375.exe 2007-10-23 15:20 --------- d-----w C:\Program Files\Burn4Free Toolbar 2007-10-23 15:20 --------- d-----w C:\Program Files\Burn4Free 2007-10-21 08:54 --------- d-----w C:\Documents and Settings\wojtek\Dane aplikacji\Media Player Classic 2007-10-15 20:34 --------- d-----w C:\Documents and Settings\wojtek\Dane aplikacji\Talkback 2007-10-03 09:53 737,280 ----a-w C:\WINDOWS\iun6002.exe 2007-09-06 11:09 801,144 ----a-w C:\WINDOWS\system32\aswBoot.exe 2007-09-06 11:00 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr 2007-07-27 21:54 848 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys . ((((((((((((((((((((((((((((( snapshot@2007-11-29_10.34.42.87 ))))))))))))))))))))))))))))))))))))))))) . - 2007-07-26 19:58:08 53,248 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.AudioVideoPlayback\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.AudioVideoPlayback.dll + 2007-12-02 19:43:52 53,248 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.AudioVideoPlayback\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.AudioVideoPlayback.dll - 2007-07-26 19:58:08 12,800 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Diagnostics\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Diagnostics.dll + 2007-12-02 19:43:52 12,800 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Diagnostics\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Diagnostics.dll - 2007-07-26 19:58:08 473,600 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3D\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3D.dll + 2007-12-02 19:43:52 473,600 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3D\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3D.dll + 2007-12-02 19:43:48 2,676,224 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll + 2007-12-02 19:43:50 2,846,720 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2903.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll + 2007-12-02 19:43:50 563,712 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2904.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll + 2007-12-02 19:43:50 567,296 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2905.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll - 2007-07-25 13:56:22 576,000 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2906.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll + 2007-12-02 19:43:50 576,000 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2906.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll + 2007-12-02 19:43:50 577,024 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2907.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll - 2007-07-26 19:58:10 577,536 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2908.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll + 2007-12-02 19:43:50 577,536 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2908.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll + 2007-12-02 19:43:52 577,536 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2909.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll + 2007-12-02 19:43:52 578,560 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2910.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll + 2007-12-02 19:43:54 578,560 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2911.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll - 2007-07-26 19:58:10 145,920 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectDraw\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectDraw.dll + 2007-12-02 19:43:54 145,920 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectDraw\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectDraw.dll - 2007-07-26 19:58:10 159,232 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectInput\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectInput.dll + 2007-12-02 19:43:54 159,232 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectInput\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectInput.dll - 2007-07-26 19:58:10 364,544 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectPlay\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectPlay.dll + 2007-12-02 19:43:54 364,544 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectPlay\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectPlay.dll - 2007-07-26 19:58:10 178,176 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectSound\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectSound.dll + 2007-12-02 19:43:54 178,176 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectSound\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectSound.dll - 2007-07-26 19:58:08 223,232 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.dll + 2007-12-02 19:43:52 223,232 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.dll + 2007-03-13 09:57:12 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE + 2007-12-02 19:43:16 216,358 ----a-r C:\WINDOWS\Installer\{6734CA10-8FB8-4C7F-B8C7-75317C617DC5}\ARPPRODUCTICON.exe + 2004-09-29 11:38:58 2,676,224 ----a-w C:\WINDOWS\Microsoft.NET\DirectX for Managed Code\1.0.2902.0\Microsoft.DirectX.Direct3DX.dll + 2004-12-01 14:53:06 2,846,720 ----a-w C:\WINDOWS\Microsoft.NET\DirectX for Managed Code\1.0.2903.0\Microsoft.DirectX.Direct3DX.dll + 2005-02-05 18:32:54 563,712 ----a-w C:\WINDOWS\Microsoft.NET\DirectX for Managed Code\1.0.2904.0\Microsoft.DirectX.Direct3DX.dll + 2005-03-18 16:23:14 567,296 ----a-w C:\WINDOWS\Microsoft.NET\DirectX for Managed Code\1.0.2905.0\Microsoft.DirectX.Direct3DX.dll + 2005-07-22 16:21:34 577,024 ----a-w C:\WINDOWS\Microsoft.NET\DirectX for Managed Code\1.0.2907.0\Microsoft.DirectX.Direct3DX.dll + 2005-12-05 16:20:50 577,536 ----a-w C:\WINDOWS\Microsoft.NET\DirectX for Managed Code\1.0.2909.0\Microsoft.DirectX.Direct3DX.dll + 2006-02-03 06:40:48 578,560 ----a-w C:\WINDOWS\Microsoft.NET\DirectX for Managed Code\1.0.2910.0\Microsoft.DirectX.Direct3DX.dll + 2006-03-31 10:27:50 578,560 ----a-w C:\WINDOWS\Microsoft.NET\DirectX for Managed Code\1.0.2911.0\Microsoft.DirectX.Direct3DX.dll + 2007-03-12 15:42:30 1,123,696 ----a-w C:\WINDOWS\system32\D3DCompiler_33.dll + 2007-03-15 15:57:58 443,752 ----a-w C:\WINDOWS\system32\d3dx10_33.dll + 2005-02-05 18:45:26 2,222,800 ----a-w C:\WINDOWS\system32\d3dx9_24.dll + 2005-03-18 16:19:58 2,337,488 ----a-w C:\WINDOWS\system32\d3dx9_25.dll + 2005-12-05 17:09:18 2,323,664 ----a-w C:\WINDOWS\system32\d3dx9_28.dll + 2006-02-03 07:43:16 2,332,368 ----a-w C:\WINDOWS\system32\d3dx9_29.dll + 2006-03-31 11:40:58 2,388,176 ----a-w C:\WINDOWS\system32\d3dx9_30.dll + 2006-09-28 15:05:20 2,414,360 ----a-w C:\WINDOWS\system32\d3dx9_31.dll + 2006-11-29 12:06:18 3,426,072 ----a-w C:\WINDOWS\system32\d3dx9_32.dll + 2007-03-12 15:42:30 3,495,784 ----a-w C:\WINDOWS\system32\d3dx9_33.dll + 2007-05-16 15:45:16 3,497,832 ----a-w C:\WINDOWS\system32\d3dx9_34.dll + 2006-02-03 07:41:26 14,032 ----a-w C:\WINDOWS\system32\x3daudio1_0.dll + 2007-03-05 11:42:18 15,128 ----a-w C:\WINDOWS\system32\x3daudio1_1.dll + 2006-02-03 07:42:06 230,096 ----a-w C:\WINDOWS\system32\xactengine2_0.dll + 2006-03-31 11:39:48 229,584 ----a-w C:\WINDOWS\system32\xactengine2_1.dll + 2006-05-31 06:24:16 230,168 ----a-w C:\WINDOWS\system32\xactengine2_2.dll + 2006-07-28 08:30:32 236,824 ----a-w C:\WINDOWS\system32\xactengine2_3.dll + 2006-09-28 15:05:56 237,848 ----a-w C:\WINDOWS\system32\xactengine2_4.dll + 2006-12-08 11:02:00 251,672 ----a-w C:\WINDOWS\system32\xactengine2_5.dll + 2007-01-24 14:27:30 255,848 ----a-w C:\WINDOWS\system32\xactengine2_6.dll + 2007-04-04 17:55:00 261,480 ----a-w C:\WINDOWS\system32\xactengine2_7.dll + 2006-03-31 11:39:24 62,672 ----a-w C:\WINDOWS\system32\xinput1_1.dll + 2006-07-28 08:30:14 62,744 ----a-w C:\WINDOWS\system32\xinput1_2.dll + 2007-04-04 17:53:42 81,768 ----a-w C:\WINDOWS\system32\xinput1_3.dll - 2005-09-28 14:35:48 61,136 ----a-w C:\WINDOWS\system32\xinput9_1_0.dll + 2005-12-05 17:07:30 61,136 ----a-w C:\WINDOWS\system32\xinput9_1_0.dll + 2007-12-04 22:04:06 16,384 ----a-w C:\WINDOWS\TEMP\Perflib_Perfdata_5c8.dat . -- Snapshot reset to current date -- . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{983CFA1B-7559-45CB-B7D2-FA8CF03C9F75}] 2001-10-26 17:27 89088 --a------ C:\WINDOWS\system32\c_g1803.dll [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 22:44] "Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-07-09 09:39] "AutoConnect"="C:\Program Files\AutoConnect\AutoConnect.exe" [] "BitTorrent DNA"="C:\Program Files\BitTorrent_DNA\dna.exe" [2007-11-08 17:43] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41] "RTHDCPL"="RTHDCPL.EXE" [2007-07-05 16:08 C:\WINDOWS\RTHDCPL.exe] "WOOWATCH"="C:\PROGRA~1\NEOSTR~1\Watch.exe" [2004-08-23 13:49] "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 12:06] "SMSERIAL"="sm56hlpr.exe" [2005-09-16 14:01 C:\WINDOWS\sm56hlpr.exe] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11] "QuickTime Task"="F:\QuickTime\qttask.exe" [2007-10-19 20:16] "SDTray"="f:\Spyware Doctor\SDTrayApp.exe" [2007-10-02 16:27] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 22:44] C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\ Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26] Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 21:05:56] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice] @="" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice] @="" R0 jxeefiis;jxeefiis;C:\WINDOWS\system32\drivers\vmtwqxza.dat R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);C:\WINDOWS\system32\drivers\sfsync03.sys R2 MSSQL$INSERTGT;SQL Server (INSERTGT);"C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sINSERTGT R2 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" *Newly Created Service* - JXEEFIIS . Contents of the 'Scheduled Tasks' folder "2007-11-26 11:06:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" . ************************************************************************** catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-12-04 23:04:39 Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2007-12-04 23:05:18 - machine was rebooted C:\ComboFix3.txt ... 2007-11-30 20:05 C:\ComboFix2.txt ... 2007-12-02 11:12 . --- E O F ---

[ Dodano: Dzisiaj o 23:11 ]
spyware doctor wykrywa:
spyware.known_bad_Sites
adware.advertising
trojan-PWS.tanspy
trojan.generic

**Posty:** 18165 · przez **wojtas** 05 Gru 2007, 00:27

Wykonaj to co jest podane w tym temacie

skasuj ten wpis:

O2 - BHO: (no name) - {983CFA1B-7559-45CB-B7D2-FA8CF03C9F75} - C:\WINDOWS\system32\c_g1803.dll

start>uruchom>cmd>wpisz:

sc stop jxeefiis

enter

sc delete jxeefiis

enter

Zastosuj SDFix . Po pobraniu uruchom go a rozpakuje się do C:\SDFix. Uruchom komputer w trybie awaryjnym (F8 przy stracie systemu). Będąc w awaryjnym uruchom plik RunThis.bat z folderu SDFixa. Zatwierdź czyszczenie przez Y. Poczekaj aż ukończy i komputer zresetuje

Otworz notatnik i wklej w nim to:

File::
C:\WINDOWS\system32\drivers\vmtwqxza.dat
C:\WINDOWS\system32\c_g1803.2
C:\WINDOWS\system32\c_g1803.dll
C:\WINDOWS\system32\c_g1803.1

Folder::
C:\Temp\mZOr
C:\WINDOWS\system32\Mz02r

Plik >>> zapisz jako CFScript.txt .Plik przeciągnij i upuść na ikonę ComboFixa (tak jak tu ) . Potwierdz >>> zresetuje sie komputer

(jeśli pojawi się pytanie "1 or 2" - to wpisz 1 i naciśnij ENTER). Rozpocznie się proces usuwania
Potem wejdz do folderu SDFix wrzuc zawartość pliku Report.txt + log z hijacka oraz z log z combofixa wszystko w tagach

**Posty:** 16 · przez **woytek2** 05 Gru 2007, 01:00

wpisu z hijacka nie moze usunac

sdfix

SDFix: Version 1.116

Run by wojtek on 2007-12-04 at 23:52

Microsoft Windows XP [Wersja 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

No Trojan Files Found

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.

Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-04 23:55:10
Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services:
------------------

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------

Files with Hidden Attributes:

Fri 27 Jul 2007 848 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Wed 3 Oct 2007 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"

Finished!

combofix

Kod: Zaznacz wszystko: ComboFix 07-11-19.4C - wojtek 2007-12-04 23:42:40.5 - [color=red][b]FAT32[/b][/color]x86 MINIMAL Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.812 [GMT 1:00] Running from: C:\Documents and Settings\wojtek\Pulpit\ComboFix.exe Command switches used :: C:\SDFix\CFScript.txt FILE C:\WINDOWS\system32\c_g1803.1 C:\WINDOWS\system32\c_g1803.2 C:\WINDOWS\system32\c_g1803.dll C:\WINDOWS\system32\drivers\vmtwqxza.dat . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Temp\mZOr C:\Temp\mZOr\tOasF.log C:\WINDOWS\system32\c_g1803.1 C:\WINDOWS\system32\c_g1803.2 C:\WINDOWS\system32\Mz02r C:\WINDOWS\system32\Mz02r\Mz02r1065.exe C:\WINDOWS\system32\c_g1803.dll . . . . failed to delete C:\WINDOWS\system32\drivers\vmtwqxza.dat . . . . failed to delete . ((((((((((((((((((((((((( Files Created from 2007-11-04 to 2007-12-04 ))))))))))))))))))))))))))))))) . 2007-12-04 23:41 149,504 --a------ C:\Documents and Settings\wojtek\regedit.exe 2007-12-04 23:41 28,160 --a------ C:\Documents and Settings\wojtek\findstr.exe 2007-12-04 23:41 11,264 --a------ C:\Documents and Settings\wojtek\attrib.exe 2007-12-04 23:41 9,216 --a------ C:\Documents and Settings\wojtek\find.exe 2007-12-02 20:44 443,752 --a------ C:\WINDOWS\system32\d3dx10_34.dll 2007-12-02 20:44 266,088 --a------ C:\WINDOWS\system32\xactengine2_8.dll 2007-12-02 20:44 18,280 --a------ C:\WINDOWS\system32\x3daudio1_2.dll 2007-12-02 20:43 1,124,720 --a------ C:\WINDOWS\system32\D3DCompiler_34.dll 2007-12-02 20:39 <DIR> d-------- C:\Program Files\Activision 2007-12-02 15:03 <DIR> d-------- C:\Downloads 2007-12-02 15:03 <DIR> d-------- C:\Documents and Settings\wojtek\Dane aplikacji\GetRight 2007-11-29 10:38 <DIR> dr------- C:\Documents and Settings\NetworkService\Ulubione 2007-11-26 12:05 <DIR> d-------- C:\Program Files\Soulseek-Test 2007-11-24 15:19 89,088 --a------ C:\WINDOWS\system32\c_g1803.dll 2007-11-24 15:19 19,200 C:\WINDOWS\system32\drivers\vmtwqxza.dat 2007-11-11 10:07 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl 2007-11-10 13:13 8,704 --a------ C:\WINDOWS\system32\dllcache\kbdjpn.dll 2007-11-10 13:13 8,192 --a------ C:\WINDOWS\system32\dllcache\kbdkor.dll 2007-11-10 13:13 6,144 --a------ C:\WINDOWS\system32\kbd101c.dll 2007-11-10 13:13 6,144 --a------ C:\WINDOWS\system32\kbd101b.dll 2007-11-10 13:13 6,144 --a------ C:\WINDOWS\system32\dllcache\kbd106.dll 2007-11-10 13:13 6,144 --a------ C:\WINDOWS\system32\dllcache\kbd101c.dll 2007-11-10 13:13 6,144 --a------ C:\WINDOWS\system32\dllcache\kbd101b.dll 2007-11-10 13:13 5,632 --a------ C:\WINDOWS\system32\dllcache\kbd103.dll 2007-11-09 13:32 <DIR> d-------- C:\VundoFix Backups 2007-11-09 08:31 <DIR> d-------- C:\!KillBox 2007-11-09 08:12 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\TEMP 2007-11-09 08:12 79,688 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys 2007-11-09 08:12 62,280 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys 2007-11-09 08:12 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys 2007-11-09 08:12 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys 2007-11-09 08:11 <DIR> d-------- C:\Documents and Settings\wojtek\Dane aplikacji\PC Tools 2007-11-09 08:11 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll 2007-11-09 08:07 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll 2007-11-08 22:58 <DIR> d-------- C:\Documents and Settings\wojtek\Dane aplikacji\Apple Computer 2007-11-08 22:54 <DIR> d-------- C:\Program Files\Apple Software Update 2007-11-08 22:54 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Apple 2007-11-08 22:49 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Apple Computer 2007-11-08 17:43 <DIR> d-------- C:\Program Files\BitTorrent_DNA 2007-11-08 17:43 <DIR> d-------- C:\Documents and Settings\wojtek\Dane aplikacji\BitTorrent DNA 2007-11-08 17:43 <DIR> d-------- C:\Documents and Settings\wojtek\Dane aplikacji\BitTorrent 2007-11-08 12:48 <DIR> d-------- C:\Temp . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-10-31 12:37 --------- d-----w C:\Documents and Settings\jacek\Dane aplikacji\Talkback 2007-10-23 15:20 229,727 ----a-w C:\WINDOWS\Burn4Free_Toolbar_Uninstaller_7375.exe 2007-10-23 15:20 --------- d-----w C:\Program Files\Burn4Free Toolbar 2007-10-23 15:20 --------- d-----w C:\Program Files\Burn4Free 2007-10-21 08:54 --------- d-----w C:\Documents and Settings\wojtek\Dane aplikacji\Media Player Classic 2007-10-15 20:34 --------- d-----w C:\Documents and Settings\wojtek\Dane aplikacji\Talkback 2007-10-03 09:53 737,280 ----a-w C:\WINDOWS\iun6002.exe 2007-09-06 11:09 801,144 ----a-w C:\WINDOWS\system32\aswBoot.exe 2007-09-06 11:00 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr 2007-07-27 21:54 848 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys . ((((((((((((((((((((((((((((( snapshot_2007-12-04_23.04.48.82 ))))))))))))))))))))))))))))))))))))))))) . + 2007-03-13 09:57:12 163,328 ----a-w C:\WINDOWS\erdnt\subs\F3M\ERDNT.EXE + 2007-12-04 22:44:36 16,384 ----a-w C:\WINDOWS\TEMP\Perflib_Perfdata_5e8.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{983CFA1B-7559-45CB-B7D2-FA8CF03C9F75}] 2001-10-26 17:27 89088 --a------ C:\WINDOWS\system32\c_g1803.dll [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 22:44] "Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-07-09 09:39] "AutoConnect"="C:\Program Files\AutoConnect\AutoConnect.exe" [] "BitTorrent DNA"="C:\Program Files\BitTorrent_DNA\dna.exe" [2007-11-08 17:43] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41] "RTHDCPL"="RTHDCPL.EXE" [2007-07-05 16:08 C:\WINDOWS\RTHDCPL.exe] "WOOWATCH"="C:\PROGRA~1\NEOSTR~1\Watch.exe" [2004-08-23 13:49] "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 12:06] "SMSERIAL"="sm56hlpr.exe" [2005-09-16 14:01 C:\WINDOWS\sm56hlpr.exe] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11] "QuickTime Task"="F:\QuickTime\qttask.exe" [2007-10-19 20:16] "SDTray"="f:\Spyware Doctor\SDTrayApp.exe" [2007-10-02 16:27] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 22:44] C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\ Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26] Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 21:05:56] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice] @="" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice] @="" R0 jxeefiis;jxeefiis;C:\WINDOWS\system32\drivers\vmtwqxza.dat R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);C:\WINDOWS\system32\drivers\sfsync03.sys R2 MSSQL$INSERTGT;SQL Server (INSERTGT);"C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sINSERTGT R2 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" . Contents of the 'Scheduled Tasks' folder "2007-11-26 11:06:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" . ************************************************************************** catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-12-04 23:45:10 Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2007-12-04 23:45:51 - machine was rebooted C:\ComboFix2.txt ... 2007-12-04 23:05 C:\ComboFix3.txt ... 2007-12-02 11:12 . --- E O F ---

hijack

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 23:59:05, on 2007-12-04
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\FTRTSVC.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
f:\Spyware Doctor\svcntaux.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
f:\Spyware Doctor\swdsvc.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\wdfmgr.exe
f:\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BitTorrent_DNA\dna.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\wojtek\Pulpit\HiJackThis_v2.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - f:\GetRight\xx2gr.dll
O2 - BHO: Burn4Free Toolbar Helper - {60BF5EE3-0105-4858-AD98-17C19F86B042} - C:\Program Files\Burn4Free Toolbar\v3.3.0.0\Burn4Free_Toolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {983CFA1B-7559-45CB-B7D2-FA8CF03C9F75} - C:\WINDOWS\system32\c_g1803.dll
O3 - Toolbar: Burn4Free Toolbar - {55FAF0F2-44D4-425F-B5F5-6B275B621EAB} - C:\Program Files\Burn4Free Toolbar\v3.3.0.0\Burn4Free_Toolbar.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "F:\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SDTray] "f:\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [AutoConnect] C:\Program Files\AutoConnect\AutoConnect.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\BitTorrent_DNA\dna.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Download with GetRight - f:\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - f:\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool - http://67.15.101.3/g_bin/pl/billard8_2_0_0_35.cab
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C5} (GameDesire Snooker) - http://67.15.101.33/g_bin/pl/snooker_2_0_0_35.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FD2B8FDD-83EE-4FA4-BE7B-23C801043EB5}: NameServer = 194.204.159.1,194.204.152.34
O22 - SharedTaskScheduler: Moduł wstępnego ładowania interfejsu Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Demon buforu kategorii składników - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: France Telecom Routing Table Service (FTRTSVC) - France Telecom - C:\WINDOWS\System32\FTRTSVC.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - f:\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - f:\Spyware Doctor\swdsvc.exe

--
End of file - 6666 bytes

**Posty:** 3854 · przez **Dzi@dek** 05 Gru 2007, 13:40

wpisu z hijacka nie moze usunac

Rób to w trybie awaryjnym.

**Posty:** 16 · przez **woytek2** 05 Gru 2007, 17:40

tak robilem, probowalem kilka razy
mialem otworzonego tylko hijacka i pokazywal sie komunikat:
"hijackkthis is about to remove a bho and the corresponding files from your system. close all ie windows and all winows explorer windows before continuing for the best chance of success"

**Posty:** 18165 · przez **wojtas** 05 Gru 2007, 18:47

sciagnij gmera

Wklej do notatnika

gmer -del service jxeefiis
gmer -del file C:\WINDOWS\system32\drivers\vmtwqxza.dat
gmer -del file C:\WINDOWS\system32\c_g1803.dll
gmer -del file C:\Documents and Settings\wojtek\regedit.exe
gmer -del file C:\Documents and Settings\wojtek\findstr.exe
gmer -del file C:\Documents and Settings\wojtek\attrib.exe
gmer -del file C:\Documents and Settings\wojtek\find.exe
gmer –reboot

Plik >>> zapisz jako >>> zmien rozszerzenie z TXT na wszystkie typy plików >>> zapisz pod nazwa FIX.BAT

Uruchamiasz Gmera, w zakładce Procesy wybierasz opcje Gmer Awaryjny. Komputer się zresetuje i uruchomi się Gmer. Wybierasz znów zakładke Procesy i na dole w poleceniu przez trzy kropki wskaz plik FIX.BAT i go uruchom.

wklej do notatnika

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\~\BrowserHelperObjects\{983CFA1B-7559-45CB-B7D2-FA8CF03C9F75}]

w notatniku u góry>>>plik zapisz jako>>>Zmien rozszerzenie z TXT na Wszystkie pliki *.* >>> Zapisz pod nazwą FIX.REG

Klikasz dwa razy na powstały plik fix i dodajesz go do rejestru....

potem nowy log z hijacka i combofixa

**Posty:** 16 · przez **woytek2** 05 Gru 2007, 21:54

po wlaczeniu gmera awaryjnego i wskazaniu fix.bat wywala:
"delete service: parametr jest niepoprawny"
pozniej widac cala serie bledow podczas wywalania pliczkow

logi:
combofix:

ComboFix 07-11-19.4C - wojtek 2007-12-05 20:51:40.6 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.570 [GMT 1:00]
Running from: C:\Documents and Settings\wojtek\Pulpit\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-11-05 to 2007-12-05 )))))))))))))))))))))))))))))))
.

2007-12-04 23:51 <DIR> d-------- C:\WINDOWS\ERUNT
2007-12-04 23:41 149,504 --a------ C:\Documents and Settings\wojtek\regedit.exe
2007-12-04 23:41 28,160 --a------ C:\Documents and Settings\wojtek\findstr.exe
2007-12-04 23:41 11,264 --a------ C:\Documents and Settings\wojtek\attrib.exe
2007-12-04 23:41 9,216 --a------ C:\Documents and Settings\wojtek\find.exe
2007-12-02 20:44 443,752 --a------ C:\WINDOWS\system32\d3dx10_34.dll
2007-12-02 20:44 266,088 --a------ C:\WINDOWS\system32\xactengine2_8.dll
2007-12-02 20:44 18,280 --a------ C:\WINDOWS\system32\x3daudio1_2.dll
2007-12-02 20:43 1,124,720 --a------ C:\WINDOWS\system32\D3DCompiler_34.dll
2007-12-02 20:39 <DIR> d-------- C:\Program Files\Activision
2007-12-02 15:03 <DIR> d-------- C:\Downloads
2007-12-02 15:03 <DIR> d-------- C:\Documents and Settings\wojtek\Dane aplikacji\GetRight
2007-11-29 10:38 <DIR> dr------- C:\Documents and Settings\NetworkService\Ulubione
2007-11-26 12:05 <DIR> d-------- C:\Program Files\Soulseek-Test
2007-11-24 15:19 89,088 --a------ C:\WINDOWS\system32\c_g1803.dll
2007-11-24 15:19 19,200 C:\WINDOWS\system32\drivers\vmtwqxza.dat
2007-11-11 10:07 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-11-10 13:13 8,704 --a------ C:\WINDOWS\system32\dllcache\kbdjpn.dll
2007-11-10 13:13 8,192 --a------ C:\WINDOWS\system32\dllcache\kbdkor.dll
2007-11-10 13:13 6,144 --a------ C:\WINDOWS\system32\kbd101c.dll
2007-11-10 13:13 6,144 --a------ C:\WINDOWS\system32\kbd101b.dll
2007-11-10 13:13 6,144 --a------ C:\WINDOWS\system32\dllcache\kbd106.dll
2007-11-10 13:13 6,144 --a------ C:\WINDOWS\system32\dllcache\kbd101c.dll
2007-11-10 13:13 6,144 --a------ C:\WINDOWS\system32\dllcache\kbd101b.dll
2007-11-10 13:13 5,632 --a------ C:\WINDOWS\system32\dllcache\kbd103.dll
2007-11-09 13:32 <DIR> d-------- C:\VundoFix Backups
2007-11-09 08:31 <DIR> d-------- C:\!KillBox
2007-11-09 08:12 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\TEMP
2007-11-09 08:12 79,688 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-11-09 08:12 62,280 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-11-09 08:12 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-11-09 08:12 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-11-09 08:11 <DIR> d-------- C:\Documents and Settings\wojtek\Dane aplikacji\PC Tools
2007-11-09 08:11 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-11-09 08:07 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-11-08 22:58 <DIR> d-------- C:\Documents and Settings\wojtek\Dane aplikacji\Apple Computer
2007-11-08 22:54 <DIR> d-------- C:\Program Files\Apple Software Update
2007-11-08 22:54 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Apple
2007-11-08 22:49 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Apple Computer
2007-11-08 17:43 <DIR> d-------- C:\Program Files\BitTorrent_DNA
2007-11-08 17:43 <DIR> d-------- C:\Documents and Settings\wojtek\Dane aplikacji\BitTorrent DNA
2007-11-08 17:43 <DIR> d-------- C:\Documents and Settings\wojtek\Dane aplikacji\BitTorrent
2007-11-08 12:48 <DIR> d-------- C:\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-31 12:37 --------- d-----w C:\Documents and Settings\jacek\Dane aplikacji\Talkback
2007-10-23 15:20 229,727 ----a-w C:\WINDOWS\Burn4Free_Toolbar_Uninstaller_7375.exe
2007-10-23 15:20 --------- d-----w C:\Program Files\Burn4Free Toolbar
2007-10-23 15:20 --------- d-----w C:\Program Files\Burn4Free
2007-10-21 08:54 --------- d-----w C:\Documents and Settings\wojtek\Dane aplikacji\Media Player Classic
2007-10-15 20:34 --------- d-----w C:\Documents and Settings\wojtek\Dane aplikacji\Talkback
2007-10-03 09:53 737,280 ----a-w C:\WINDOWS\iun6002.exe
2007-09-06 11:09 801,144 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-09-06 11:00 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
2007-07-27 21:54 848 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot_2007-12-04_23.04.48.82 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-03-13 09:57:12 163,328 ----a-w C:\WINDOWS\erdnt\subs\F3M\ERDNT.EXE
+ 2007-12-03 11:52:40 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2007-12-04 22:51:54 3,080,192 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
+ 2007-12-04 22:51:54 147,456 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2007-12-03 11:52:40 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2007-12-04 22:51:54 3,080,192 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat
+ 2007-12-04 22:51:54 147,456 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
+ 2007-12-05 16:51:04 585,791 ----a-w C:\WINDOWS\gmer.dll
+ 2007-06-29 08:38:18 581,632 ----a-w C:\WINDOWS\gmer.exe
+ 2007-12-05 16:51:04 70,001 ----a-w C:\WINDOWS\system32\drivers\gmer.sys
+ 2007-12-05 19:24:36 16,384 ----a-w C:\WINDOWS\TEMP\Perflib_Perfdata_5e0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{983CFA1B-7559-45CB-B7D2-FA8CF03C9F75}]
2001-10-26 17:27 89088 --a------ C:\WINDOWS\system32\c_g1803.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 22:44]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-07-09 09:39]
"AutoConnect"="C:\Program Files\AutoConnect\AutoConnect.exe" []
"BitTorrent DNA"="C:\Program Files\BitTorrent_DNA\dna.exe" [2007-11-08 17:43]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41]
"RTHDCPL"="RTHDCPL.EXE" [2007-07-05 16:08 C:\WINDOWS\RTHDCPL.exe]
"WOOWATCH"="C:\PROGRA~1\NEOSTR~1\Watch.exe" [2004-08-23 13:49]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 12:06]
"SMSERIAL"="sm56hlpr.exe" [2005-09-16 14:01 C:\WINDOWS\sm56hlpr.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"QuickTime Task"="F:\QuickTime\qttask.exe" [2007-10-19 20:16]
"SDTray"="f:\Spyware Doctor\SDTrayApp.exe" [2007-10-02 16:27]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 22:44]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 21:05:56]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

R0 jxeefiis;jxeefiis;C:\WINDOWS\system32\drivers\vmtwqxza.dat
R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);C:\WINDOWS\system32\drivers\sfsync03.sys
R2 MSSQL$INSERTGT;SQL Server (INSERTGT);"C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sINSERTGT
R2 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"

.
Contents of the 'Scheduled Tasks' folder
"2007-11-26 11:06:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-05 20:53:07
Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-05 20:53:45
C:\ComboFix3.txt ... 2007-12-04 23:05
C:\ComboFix2.txt ... 2007-12-04 23:45
.
--- E O F ---

hijack

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 20:51, on 2007-12-05
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\FTRTSVC.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
f:\Spyware Doctor\svcntaux.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
F:\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\BitTorrent_DNA\dna.exe
f:\Spyware Doctor\swdsvc.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\ComboFix\vfind.cfexe
C:\Documents and Settings\wojtek\Pulpit\HiJackThis_v2.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\ComboFix\swreg.cfexe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - f:\GetRight\xx2gr.dll
O2 - BHO: Burn4Free Toolbar Helper - {60BF5EE3-0105-4858-AD98-17C19F86B042} - C:\Program Files\Burn4Free Toolbar\v3.3.0.0\Burn4Free_Toolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {983CFA1B-7559-45CB-B7D2-FA8CF03C9F75} - C:\WINDOWS\system32\c_g1803.dll
O3 - Toolbar: Burn4Free Toolbar - {55FAF0F2-44D4-425F-B5F5-6B275B621EAB} - C:\Program Files\Burn4Free Toolbar\v3.3.0.0\Burn4Free_Toolbar.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "F:\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SDTray] "f:\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [AutoConnect] C:\Program Files\AutoConnect\AutoConnect.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\BitTorrent_DNA\dna.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Download with GetRight - f:\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - f:\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool - http://67.15.101.3/g_bin/pl/billard8_2_0_0_35.cab
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C5} (GameDesire Snooker) - http://67.15.101.33/g_bin/pl/snooker_2_0_0_35.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FD2B8FDD-83EE-4FA4-BE7B-23C801043EB5}: NameServer = 194.204.159.1,194.204.152.34
O22 - SharedTaskScheduler: Moduł wstępnego ładowania interfejsu Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Demon buforu kategorii składników - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: France Telecom Routing Table Service (FTRTSVC) - France Telecom - C:\WINDOWS\System32\FTRTSVC.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - f:\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - f:\Spyware Doctor\swdsvc.exe

--
End of file - 6650 bytes

**Posty:** 18165 · przez **wojtas** 05 Gru 2007, 22:18

Ściągnij OTMoveIt W okienko po lewej Paste List of Files/Folders to be Moved wklej

C:\WINDOWS\system32\c_g1803.dll
C:\WINDOWS\system32\drivers\vmtwqxza.dat

Następnie naciskamy - MoveIt!. Pliki zostały przeniesione. Wynik operacji zobaczymy w prawym oknie Results.
Log po pracy programu zobaczymy w lokalizacji - C:\_OTMoveIt\MovedFiles
Po całej operacji należy zresetować komputer

potem start>uruchom>regedit>przejdz do klucza:

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{983CFA1B-7559-45CB-B7D2-FA8CF03C9F75}]

i skasuj pogrubiony wpis

start -> uruchom -> services.msc -> zatrzymaj i wyłącz usługe jxeefiis

potem nowe 2 logi

**Posty:** 16 · przez **woytek2** 05 Gru 2007, 23:01

nie ma takiej uslugi jak jxeefiis

otmoveit:

C:\WINDOWS\system32\c_g1803.dll unregistered successfully.
File move failed. C:\WINDOWS\system32\c_g1803.dll scheduled to be moved on reboot.
File move failed. C:\WINDOWS\system32\drivers\vmtwqxza.dat scheduled to be moved on reboot.

Created on 12-05-2007 21:27:54

podczas kasowanie z rejestru:

nie mozna usunac klucza:blad podczas usuwania klucza

hijack:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 21:58:08, on 2007-12-05
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\FTRTSVC.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
f:\Spyware Doctor\svcntaux.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
F:\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BitTorrent_DNA\dna.exe
f:\Spyware Doctor\swdsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\wojtek\Pulpit\HiJackThis_v2.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - f:\GetRight\xx2gr.dll
O2 - BHO: Burn4Free Toolbar Helper - {60BF5EE3-0105-4858-AD98-17C19F86B042} - C:\Program Files\Burn4Free Toolbar\v3.3.0.0\Burn4Free_Toolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {983CFA1B-7559-45CB-B7D2-FA8CF03C9F75} - C:\WINDOWS\system32\c_g1803.dll
O3 - Toolbar: Burn4Free Toolbar - {55FAF0F2-44D4-425F-B5F5-6B275B621EAB} - C:\Program Files\Burn4Free Toolbar\v3.3.0.0\Burn4Free_Toolbar.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "F:\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SDTray] "f:\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [AutoConnect] C:\Program Files\AutoConnect\AutoConnect.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\BitTorrent_DNA\dna.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Download with GetRight - f:\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - f:\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool - http://67.15.101.3/g_bin/pl/billard8_2_0_0_35.cab
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C5} (GameDesire Snooker) - http://67.15.101.33/g_bin/pl/snooker_2_0_0_35.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FD2B8FDD-83EE-4FA4-BE7B-23C801043EB5}: NameServer = 194.204.159.1,194.204.152.34
O22 - SharedTaskScheduler: Moduł wstępnego ładowania interfejsu Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Demon buforu kategorii składników - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: France Telecom Routing Table Service (FTRTSVC) - France Telecom - C:\WINDOWS\System32\FTRTSVC.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - f:\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - f:\Spyware Doctor\swdsvc.exe

--
End of file - 6559 bytes

combofix

ComboFix 07-11-19.4C - wojtek 2007-12-05 21:58:55.7 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.568 [GMT 1:00]
Running from: C:\Documents and Settings\wojtek\Pulpit\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-11-05 to 2007-12-05 )))))))))))))))))))))))))))))))
.

2007-12-04 23:51 <DIR> d-------- C:\WINDOWS\ERUNT
2007-12-04 23:41 149,504 --a------ C:\Documents and Settings\wojtek\regedit.exe
2007-12-04 23:41 28,160 --a------ C:\Documents and Settings\wojtek\findstr.exe
2007-12-04 23:41 11,264 --a------ C:\Documents and Settings\wojtek\attrib.exe
2007-12-04 23:41 9,216 --a------ C:\Documents and Settings\wojtek\find.exe
2007-12-02 20:44 443,752 --a------ C:\WINDOWS\system32\d3dx10_34.dll
2007-12-02 20:44 266,088 --a------ C:\WINDOWS\system32\xactengine2_8.dll
2007-12-02 20:44 18,280 --a------ C:\WINDOWS\system32\x3daudio1_2.dll
2007-12-02 20:43 1,124,720 --a------ C:\WINDOWS\system32\D3DCompiler_34.dll
2007-12-02 20:39 <DIR> d-------- C:\Program Files\Activision
2007-12-02 15:03 <DIR> d-------- C:\Downloads
2007-12-02 15:03 <DIR> d-------- C:\Documents and Settings\wojtek\Dane aplikacji\GetRight
2007-11-29 10:38 <DIR> dr------- C:\Documents and Settings\NetworkService\Ulubione
2007-11-26 12:05 <DIR> d-------- C:\Program Files\Soulseek-Test
2007-11-24 15:19 89,088 --a------ C:\WINDOWS\system32\c_g1803.dll
2007-11-24 15:19 19,200 C:\WINDOWS\system32\drivers\vmtwqxza.dat
2007-11-11 10:07 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-11-10 13:13 8,704 --a------ C:\WINDOWS\system32\dllcache\kbdjpn.dll
2007-11-10 13:13 8,192 --a------ C:\WINDOWS\system32\dllcache\kbdkor.dll
2007-11-10 13:13 6,144 --a------ C:\WINDOWS\system32\kbd101c.dll
2007-11-10 13:13 6,144 --a------ C:\WINDOWS\system32\kbd101b.dll
2007-11-10 13:13 6,144 --a------ C:\WINDOWS\system32\dllcache\kbd106.dll
2007-11-10 13:13 6,144 --a------ C:\WINDOWS\system32\dllcache\kbd101c.dll
2007-11-10 13:13 6,144 --a------ C:\WINDOWS\system32\dllcache\kbd101b.dll
2007-11-10 13:13 5,632 --a------ C:\WINDOWS\system32\dllcache\kbd103.dll
2007-11-09 13:32 <DIR> d-------- C:\VundoFix Backups
2007-11-09 08:31 <DIR> d-------- C:\!KillBox
2007-11-09 08:12 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\TEMP
2007-11-09 08:12 79,688 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-11-09 08:12 62,280 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-11-09 08:12 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-11-09 08:12 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-11-09 08:11 <DIR> d-------- C:\Documents and Settings\wojtek\Dane aplikacji\PC Tools
2007-11-09 08:11 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-11-09 08:07 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-11-08 22:58 <DIR> d-------- C:\Documents and Settings\wojtek\Dane aplikacji\Apple Computer
2007-11-08 22:54 <DIR> d-------- C:\Program Files\Apple Software Update
2007-11-08 22:54 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Apple
2007-11-08 22:49 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Apple Computer
2007-11-08 17:43 <DIR> d-------- C:\Program Files\BitTorrent_DNA
2007-11-08 17:43 <DIR> d-------- C:\Documents and Settings\wojtek\Dane aplikacji\BitTorrent DNA
2007-11-08 17:43 <DIR> d-------- C:\Documents and Settings\wojtek\Dane aplikacji\BitTorrent
2007-11-08 12:48 <DIR> d-------- C:\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-31 12:37 --------- d-----w C:\Documents and Settings\jacek\Dane aplikacji\Talkback
2007-10-23 15:20 229,727 ----a-w C:\WINDOWS\Burn4Free_Toolbar_Uninstaller_7375.exe
2007-10-23 15:20 --------- d-----w C:\Program Files\Burn4Free Toolbar
2007-10-23 15:20 --------- d-----w C:\Program Files\Burn4Free
2007-10-21 08:54 --------- d-----w C:\Documents and Settings\wojtek\Dane aplikacji\Media Player Classic
2007-10-15 20:34 --------- d-----w C:\Documents and Settings\wojtek\Dane aplikacji\Talkback
2007-10-03 09:53 737,280 ----a-w C:\WINDOWS\iun6002.exe
2007-09-06 11:09 801,144 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-09-06 11:00 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
2007-07-27 21:54 848 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot_2007-12-04_23.04.48.82 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-03-13 09:57:12 163,328 ----a-w C:\WINDOWS\erdnt\subs\F3M\ERDNT.EXE
+ 2007-12-03 11:52:40 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2007-12-04 22:51:54 3,080,192 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
+ 2007-12-04 22:51:54 147,456 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2007-12-03 11:52:40 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2007-12-04 22:51:54 3,080,192 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat
+ 2007-12-04 22:51:54 147,456 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
+ 2007-12-05 16:51:04 585,791 ----a-w C:\WINDOWS\gmer.dll
+ 2007-06-29 08:38:18 581,632 ----a-w C:\WINDOWS\gmer.exe
+ 2007-12-05 16:51:04 70,001 ----a-w C:\WINDOWS\system32\drivers\gmer.sys
+ 2007-12-05 20:49:58 16,384 ----a-w C:\WINDOWS\TEMP\Perflib_Perfdata_5cc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{983CFA1B-7559-45CB-B7D2-FA8CF03C9F75}]
2001-10-26 17:27 89088 --a------ C:\WINDOWS\system32\c_g1803.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 22:44]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-07-09 09:39]
"AutoConnect"="C:\Program Files\AutoConnect\AutoConnect.exe" []
"BitTorrent DNA"="C:\Program Files\BitTorrent_DNA\dna.exe" [2007-11-08 17:43]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41]
"RTHDCPL"="RTHDCPL.EXE" [2007-07-05 16:08 C:\WINDOWS\RTHDCPL.exe]
"WOOWATCH"="C:\PROGRA~1\NEOSTR~1\Watch.exe" [2004-08-23 13:49]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 12:06]
"SMSERIAL"="sm56hlpr.exe" [2005-09-16 14:01 C:\WINDOWS\sm56hlpr.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"QuickTime Task"="F:\QuickTime\qttask.exe" [2007-10-19 20:16]
"SDTray"="f:\Spyware Doctor\SDTrayApp.exe" [2007-10-02 16:27]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 22:44]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 21:05:56]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

R0 jxeefiis;jxeefiis;C:\WINDOWS\system32\drivers\vmtwqxza.dat
R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);C:\WINDOWS\system32\drivers\sfsync03.sys
R2 MSSQL$INSERTGT;SQL Server (INSERTGT);"C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sINSERTGT
R2 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"

.
Contents of the 'Scheduled Tasks' folder
"2007-11-26 11:06:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-05 22:00:25
Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-05 22:01:00
C:\ComboFix3.txt ... 2007-12-04 23:45
C:\ComboFix2.txt ... 2007-12-05 20:53
.
--- E O F ---

**Posty:** 18165 · przez **wojtas** 05 Gru 2007, 23:09

sciagnij killbox’a

odpalasz Killboxa zaznacz opcję Delete on Reboot + All Files następnie w polu Full Path of File to Delete wklej scieżki:

C:\WINDOWS\system32\drivers\vmtwqxza.dat
C:\WINDOWS\system32\c_g1803.dll
C:\Documents and Settings\wojtek\regedit.exe
C:\Documents and Settings\wojtek\findstr.exe
C:\Documents and Settings\wojtek\attrib.exe
C:\Documents and Settings\wojtek\find.exe

wciskasz x następnie program będzie pytał o restart-potwierdzasz

**Posty:** 16 · przez **woytek2** 05 Gru 2007, 23:59

jak wcixkalem x nic sie nie dzialo wiec usuwalem pojedynczko wszystko
pozniej sprobowalem wkleic to do txt i puscic tak
po restarcie log:

Pocket Killbox version 2.0.0.648
Running on Windows XP as wojtek(Administrator)
was started @ piątek, listopad 09, 2007, 8:31 AM

# 1 [Files to Delete]
Path = C:\WINDOWS\SYSTEM32\qomlkhe.dll
*This file does not seem to exist

# 2 [Files to Delete]
Path = C:\WINDOWS\System32\sxigpdgp.dll
*This file does not seem to exist

# 3 [Files to Delete]
Path = C:\WINDOWS\System32\awvtt.dll
*This file does not seem to exist

Killbox Closed(Exit) @ 8:32:23 AM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as wojtek(Administrator)
was started @ środa, grudzień 05, 2007, 10:42 PM

# 1 [Delete on Reboot]
Path = C:\WINDOWS\system32\drivers\vmtwqxza.dat

PendingFileRenameOperations Registry Data has been Removed by External Process! @ 10:44:48 PM
# 2 [Delete on Reboot]
Path = C:\WINDOWS\system32\drivers\vmtwqxza.dat

PendingFileRenameOperations Registry Data has been Removed by External Process! @ 10:45:16 PM
# 3 [Delete on Reboot]
Path = C:\WINDOWS\system32\drivers\vmtwqxza.dat

PendingFileRenameOperations Registry Data has been Removed by External Process! @ 10:45:38 PM
# 4 [Delete on Reboot]
Path = C:\WINDOWS\system32\drivers\vmtwqxza.dat

PendingFileRenameOperations Registry Data has been Removed by External Process! @ 10:45:55 PM
# 5 [Delete on Reboot]
Path = C:\WINDOWS\system32\drivers\vmtwqxza.dat

PendingFileRenameOperations Registry Data has been Removed by External Process! @ 10:46:09 PM
# 6 [Delete on Reboot]
Path = C:\WINDOWS\system32\drivers\vmtwqxza.dat

PendingFileRenameOperations Registry Data has been Removed by External Process! @ 10:46:24 PM
Killbox Closed(Exit) @ 10:46:26 PM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as wojtek(Administrator)
was started @ środa, grudzień 05, 2007, 10:46 PM

# 1 [Files to Delete]
Path = C:\WINDOWS\system32\drivers\vmtwqxza.dat
*This file does not seem to exist

Killbox Closed(Exit) @ 10:47:05 PM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as wojtek(Administrator)
was started @ środa, grudzień 05, 2007, 10:47 PM

# 1 [Delete on Reboot]
Path = C:\WINDOWS\system32\c_g1803.dll

PendingFileRenameOperations Registry Data has been Removed by External Process! @ 10:48:29 PM
# 2 [Delete on Reboot]
Path = C:\WINDOWS\system32\c_g1803.dll

PendingFileRenameOperations Registry Data has been Removed by External Process! @ 10:48:47 PM
# 3 [Delete on Reboot]
Path = C:\Documents and Settings\wojtek\Pulpit\ddd.txt

# 4 [Delete on Reboot]
Path = C:\WINDOWS\system32\c_g1803.dll

I Rebooted @ 10:50:08 PM
Killbox Closed(Exit) @ 10:50:11 PM
__________________________________________________

hijack

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 22:55:35, on 2007-12-05
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\FTRTSVC.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\RTHDCPL.EXE
f:\Spyware Doctor\svcntaux.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
F:\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BitTorrent_DNA\dna.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
f:\Spyware Doctor\swdsvc.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\wojtek\Pulpit\HiJackThis_v2.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - f:\GetRight\xx2gr.dll
O2 - BHO: Burn4Free Toolbar Helper - {60BF5EE3-0105-4858-AD98-17C19F86B042} - C:\Program Files\Burn4Free Toolbar\v3.3.0.0\Burn4Free_Toolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {983CFA1B-7559-45CB-B7D2-FA8CF03C9F75} - C:\WINDOWS\system32\c_g1803.dll
O3 - Toolbar: Burn4Free Toolbar - {55FAF0F2-44D4-425F-B5F5-6B275B621EAB} - C:\Program Files\Burn4Free Toolbar\v3.3.0.0\Burn4Free_Toolbar.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "F:\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SDTray] "f:\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [AutoConnect] C:\Program Files\AutoConnect\AutoConnect.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\BitTorrent_DNA\dna.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Download with GetRight - f:\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - f:\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool - http://67.15.101.3/g_bin/pl/billard8_2_0_0_35.cab
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C5} (GameDesire Snooker) - http://67.15.101.33/g_bin/pl/snooker_2_0_0_35.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FD2B8FDD-83EE-4FA4-BE7B-23C801043EB5}: NameServer = 194.204.159.1,194.204.152.34
O22 - SharedTaskScheduler: Moduł wstępnego ładowania interfejsu Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Demon buforu kategorii składników - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: France Telecom Routing Table Service (FTRTSVC) - France Telecom - C:\WINDOWS\System32\FTRTSVC.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - f:\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - f:\Spyware Doctor\swdsvc.exe

--
End of file - 6600 bytes

combofix

ComboFix 07-11-19.4C - wojtek 2007-12-05 22:57:12.8 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.576 [GMT 1:00]
Running from: C:\Documents and Settings\wojtek\Pulpit\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-11-05 to 2007-12-05 )))))))))))))))))))))))))))))))
.

2007-12-04 23:51 <DIR> d-------- C:\WINDOWS\ERUNT
2007-12-04 23:41 149,504 --a------ C:\Documents and Settings\wojtek\regedit.exe
2007-12-04 23:41 28,160 --a------ C:\Documents and Settings\wojtek\findstr.exe
2007-12-04 23:41 11,264 --a------ C:\Documents and Settings\wojtek\attrib.exe
2007-12-04 23:41 9,216 --a------ C:\Documents and Settings\wojtek\find.exe
2007-12-02 20:44 443,752 --a------ C:\WINDOWS\system32\d3dx10_34.dll
2007-12-02 20:44 266,088 --a------ C:\WINDOWS\system32\xactengine2_8.dll
2007-12-02 20:44 18,280 --a------ C:\WINDOWS\system32\x3daudio1_2.dll
2007-12-02 20:43 1,124,720 --a------ C:\WINDOWS\system32\D3DCompiler_34.dll
2007-12-02 20:39 <DIR> d-------- C:\Program Files\Activision
2007-12-02 15:03 <DIR> d-------- C:\Downloads
2007-12-02 15:03 <DIR> d-------- C:\Documents and Settings\wojtek\Dane aplikacji\GetRight
2007-11-29 10:38 <DIR> dr------- C:\Documents and Settings\NetworkService\Ulubione
2007-11-26 12:05 <DIR> d-------- C:\Program Files\Soulseek-Test
2007-11-24 15:19 89,088 --a------ C:\WINDOWS\system32\c_g1803.dll
2007-11-24 15:19 19,200 C:\WINDOWS\system32\drivers\vmtwqxza.dat
2007-11-11 10:07 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-11-10 13:13 8,704 --a------ C:\WINDOWS\system32\dllcache\kbdjpn.dll
2007-11-10 13:13 8,192 --a------ C:\WINDOWS\system32\dllcache\kbdkor.dll
2007-11-10 13:13 6,144 --a------ C:\WINDOWS\system32\kbd101c.dll
2007-11-10 13:13 6,144 --a------ C:\WINDOWS\system32\kbd101b.dll
2007-11-10 13:13 6,144 --a------ C:\WINDOWS\system32\dllcache\kbd106.dll
2007-11-10 13:13 6,144 --a------ C:\WINDOWS\system32\dllcache\kbd101c.dll
2007-11-10 13:13 6,144 --a------ C:\WINDOWS\system32\dllcache\kbd101b.dll
2007-11-10 13:13 5,632 --a------ C:\WINDOWS\system32\dllcache\kbd103.dll
2007-11-09 13:32 <DIR> d-------- C:\VundoFix Backups
2007-11-09 08:31 <DIR> d-------- C:\!KillBox
2007-11-09 08:12 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\TEMP
2007-11-09 08:12 79,688 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-11-09 08:12 62,280 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-11-09 08:12 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-11-09 08:12 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-11-09 08:11 <DIR> d-------- C:\Documents and Settings\wojtek\Dane aplikacji\PC Tools
2007-11-09 08:11 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-11-09 08:07 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-11-08 22:58 <DIR> d-------- C:\Documents and Settings\wojtek\Dane aplikacji\Apple Computer
2007-11-08 22:54 <DIR> d-------- C:\Program Files\Apple Software Update
2007-11-08 22:54 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Apple
2007-11-08 22:49 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Apple Computer
2007-11-08 17:43 <DIR> d-------- C:\Program Files\BitTorrent_DNA
2007-11-08 17:43 <DIR> d-------- C:\Documents and Settings\wojtek\Dane aplikacji\BitTorrent DNA
2007-11-08 17:43 <DIR> d-------- C:\Documents and Settings\wojtek\Dane aplikacji\BitTorrent
2007-11-08 12:48 <DIR> d-------- C:\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-31 12:37 --------- d-----w C:\Documents and Settings\jacek\Dane aplikacji\Talkback
2007-10-23 15:20 229,727 ----a-w C:\WINDOWS\Burn4Free_Toolbar_Uninstaller_7375.exe
2007-10-23 15:20 --------- d-----w C:\Program Files\Burn4Free Toolbar
2007-10-23 15:20 --------- d-----w C:\Program Files\Burn4Free
2007-10-21 08:54 --------- d-----w C:\Documents and Settings\wojtek\Dane aplikacji\Media Player Classic
2007-10-15 20:34 --------- d-----w C:\Documents and Settings\wojtek\Dane aplikacji\Talkback
2007-10-03 09:53 737,280 ----a-w C:\WINDOWS\iun6002.exe
2007-09-06 11:09 801,144 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-09-06 11:00 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
2007-07-27 21:54 848 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot_2007-12-04_23.04.48.82 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-03-13 09:57:12 163,328 ----a-w C:\WINDOWS\erdnt\subs\F3M\ERDNT.EXE
+ 2007-12-03 11:52:40 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2007-12-04 22:51:54 3,080,192 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
+ 2007-12-04 22:51:54 147,456 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2007-12-03 11:52:40 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2007-12-04 22:51:54 3,080,192 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat
+ 2007-12-04 22:51:54 147,456 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
+ 2007-12-05 16:51:04 585,791 ----a-w C:\WINDOWS\gmer.dll
+ 2007-06-29 08:38:18 581,632 ----a-w C:\WINDOWS\gmer.exe
+ 2007-12-05 16:51:04 70,001 ----a-w C:\WINDOWS\system32\drivers\gmer.sys
+ 2007-12-05 21:51:28 16,384 ----a-w C:\WINDOWS\TEMP\Perflib_Perfdata_5d8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{983CFA1B-7559-45CB-B7D2-FA8CF03C9F75}]
2001-10-26 17:27 89088 --a------ C:\WINDOWS\system32\c_g1803.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 22:44]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-07-09 09:39]
"AutoConnect"="C:\Program Files\AutoConnect\AutoConnect.exe" []
"BitTorrent DNA"="C:\Program Files\BitTorrent_DNA\dna.exe" [2007-11-08 17:43]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41]
"RTHDCPL"="RTHDCPL.EXE" [2007-07-05 16:08 C:\WINDOWS\RTHDCPL.exe]
"WOOWATCH"="C:\PROGRA~1\NEOSTR~1\Watch.exe" [2004-08-23 13:49]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 12:06]
"SMSERIAL"="sm56hlpr.exe" [2005-09-16 14:01 C:\WINDOWS\sm56hlpr.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"QuickTime Task"="F:\QuickTime\qttask.exe" [2007-10-19 20:16]
"SDTray"="f:\Spyware Doctor\SDTrayApp.exe" [2007-10-02 16:27]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 22:44]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 21:05:56]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

R0 jxeefiis;jxeefiis;C:\WINDOWS\system32\drivers\vmtwqxza.dat
R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);C:\WINDOWS\system32\drivers\sfsync03.sys
R2 MSSQL$INSERTGT;SQL Server (INSERTGT);"C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sINSERTGT
R2 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"

.
Contents of the 'Scheduled Tasks' folder
"2007-11-26 11:06:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-05 22:58:44
Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-05 22:59:18
C:\ComboFix2.txt ... 2007-12-05 22:01
C:\ComboFix3.txt ... 2007-12-05 20:53
.
--- E O F ---

idziemy cos do przodu z tym?

**Posty:** 18165 · przez **wojtas** 06 Gru 2007, 00:18

http://forum.programosy.pl/usuwanie-uuywanych-plikow--vt84984.html

poczytaj ten temat ^^

C:\WINDOWS\system32\c_g1803.dll
C:\WINDOWS\system32\drivers\vmtwqxza.dat
C:\Documents and Settings\wojtek\regedit.exe
C:\Documents and Settings\wojtek\findstr.exe
C:\Documents and Settings\wojtek\attrib.exe
C:\Documents and Settings\wojtek\find.exe

sprobuj skasowac te pliki metodami tam wskazanymi. sprobuj w trybie awaryjnym je usunac F8 przy starcie kompa

**Posty:** 16 · przez **woytek2** 06 Gru 2007, 14:01

probowalem wsyzstkich sposobow ale to zostalo:

C:\WINDOWS\system32\c_g1803.dll
C:\WINDOWS\system32\drivers\vmtwqxza.dat

**Posty:** 3854 · przez **Dzi@dek** 06 Gru 2007, 14:07

Nie ma bata - musi sie usunąć w awaryjnym - killbox-em bądź FileASSASSIN zaznaczając wszystkie trzy kwadraciki w oknie programu.

**Posty:** 16 · przez **woytek2** 06 Gru 2007, 14:33

musi a nie chce

killbox "this file could not be deleted"
fileassassin "unlock completed with no errors"
a jak zaznacze z delete file to "the file could not be deleted, nie pomaga use delete on wondows reboot funct."
bo wyswietla "pending file rename operations registry data has been removed by external process" a po restarcie jest po staremu
a jak probuje z vmtwqxza.dat to file assanssin wywala ?findremotefilehandles return null value this may affect deletion on file
please reoirt this error to support team"

**Posty:** 18165 · przez **wojtas** 06 Gru 2007, 18:38

skasuj moze ten wpis w awaryjnym:

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{983CFA1B-7559-45CB-B7D2-FA8CF03C9F75}]

Pobierz i uruchom narzędzie
The Avenger
Zaznacz opcję Input script manually i kliknij na Lupkę z prawej strony. W okienku, które się otworzy wklejasz:

Drivers to unload:

jxeefiis

Files to delete:

C:\WINDOWS\system32\c_g1803.dll
C:\WINDOWS\system32\drivers\vmtwqxza.dat

Klikasz Done, a następnie zielone światełko i zgadzasz się na restart klikając OK.

Kasujesz ręcznie z dysku plik: C:\Avenger\backup.zip i wklejasz na forum raport: C:\avenger.txt + log z combo

prosze o sprawdzenie loga

prosze o sprawdzenie loga

Kto jest na forum