
Message - there is a file ybj12.cmd on every drive


Post by pantik » 06 Jan 2009, 18:11


A message keeps appearing on my computer saying that there is a file ybj12.cmd on every drive, but it is not there when I open a given drive, and even when I search the drive manually none of the files are there. Avira does not see these viruses, and Ashampoo (I installed it because it was free) detects it but cannot or is not able to remove it...

I have already removed Ashampoo, but there is probably some mention of it in the logs...


NOD32 online detected a few for me but did not remove them, I don't know why, maybe because it was online. I installed the trial version but it no longer sees anything; everything is set to full, but it finds nothing.

HijackThis

Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:56:19, on 2009-01-06
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
e:\Program Files\Ashampoo\Ashampoo AntiVirus\ashAvSrv.exe
C:\WINDOWS\system32\hasplms.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\VMSnap3.exe
C:\WINDOWS\Domino.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\VisualTaskTips\VisualTaskTips.exe
E:\Program Files\Microsoft ActiveSync\Wcescomm.exe
E:\Program Files\Ashampoo\Ashampoo AntiVirus\GuardGui.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
E:\PROGRA~1\MICROS~1\rapimgr.exe
C:\Program Files\Opera\opera.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
F2 - REG:system.ini: Shell=explorer.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - D:\PROGRA~3\FlashGet\jccatch.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - D:\PROGRA~3\FlashGet\getflash.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRA~3\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VMSnap3] C:\WINDOWS\VMSnap3.exe
O4 - HKLM\..\Run: [Domino] C:\WINDOWS\Domino.exe
O4 - HKLM\..\Run: [EPSON Stylus CX3600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE /P26 "EPSON Stylus CX3600 Series" /O6 "USB001" /M "Stylus CX3600"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [WinampAgent] "D:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [VisualTaskTips] "C:\Program Files\VisualTaskTips\VisualTaskTips.exe" noTrayIcon
O4 - HKCU\..\Run: [H/PC Connection Agent] "E:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [vamsoft] C:\WINDOWS\system32\vamsoft.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Nikon Monitor.lnk = C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: GuardGui.lnk = E:\Program Files\Ashampoo\Ashampoo AntiVirus\GuardGui.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Ściągnij przy pomocy FlashGet'a - D:\Programy p2p i akceleratory\FlashGet\jc_link.htm
O8 - Extra context menu item: Ściągnij wszystko przy pomocy FlashGet'a - D:\Programy p2p i akceleratory\FlashGet\jc_all.htm
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - E:\PROGRA~1\MICROS~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - E:\PROGRA~1\MICROS~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Utwórz Ulubione dla urządzenia przenośnego... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - E:\PROGRA~1\MICROS~1\INetRepl.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~3\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~3\FlashGet\flashget.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.pl/resources/virusscanner/kavwebscan_unicode.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: avGuard Service (avGuard) - Unknown owner - e:\Program Files\Ashampoo\Ashampoo AntiVirus\ashAvSrv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HASP License Manager (hasplms) - Aladdin Knowledge Systems Ltd. - C:\WINDOWS\system32\hasplms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 7174 bytes





Silent Runners

Code:
"Silent Runners.vbs", revision 58, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"DAEMON Tools Lite" = ""C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun" ["DT Soft Ltd"]
"VisualTaskTips" = ""C:\Program Files\VisualTaskTips\VisualTaskTips.exe" noTrayIcon"
"H/PC Connection Agent" = ""E:\Program Files\Microsoft ActiveSync\Wcescomm.exe"" [MS]
"vamsoft" = "C:\WINDOWS\system32\vamsoft.exe" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Inc."]
"VMSnap3" = "C:\WINDOWS\VMSnap3.exe" ["Vimicro"]
"Domino" = "C:\WINDOWS\Domino.exe" [empty string]
"EPSON Stylus CX3600 Series" = "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE /P26 "EPSON Stylus CX3600 Series" /O6 "USB001" /M "Stylus CX3600"" ["SEIKO EPSON CORPORATION"]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"WinampAgent" = ""D:\Program Files\Winamp\winampa.exe"" [file not found]
"avgnt" = ""C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min" ["Avira GmbH"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{22BF413B-C6D2-4d91-82A9-A0F997BA588C}\(Default) = "Skype add-on (mastermind)"
  -> {HKLM...CLSID} = "Skype add-on (mastermind)"
                   \InProcServer32\(Default) = "C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll" ["Skype Technologies S.A."]
{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "IeCatch5 Class"
                   \InProcServer32\(Default) = "D:\PROGRA~3\FlashGet\jccatch.dll" ["FlashGet"]
{F156768E-81EF-470C-9057-481BA8380DBA}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "gFlash Class"
                   \InProcServer32\(Default) = "D:\PROGRA~3\FlashGet\getflash.dll" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
                   \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
  -> {HKLM...CLSID} = "DesktopContext Class"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
  -> {HKLM...CLSID} = "NVIDIA CPL Extension"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
  -> {HKLM...CLSID} = "Desktop Explorer"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
  -> {HKLM...CLSID} = "nView Desktop Context Menu"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
                   \InProcServer32\(Default) = "C:\Program Files\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
  -> {HKLM...CLSID} = "Microsoft Office Metadata Handler"
                   \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
  -> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
                   \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{4CCEFB41-18FA-11D3-9EF3-00A0C9E897FD}" = "CorelDRAW Shell Extension Component"
  -> {HKLM...CLSID} = "CorelDRAW Shell Extension Component"
                   \InProcServer32\(Default) = "G:\Corel_Draw_11_Portable\Corel Draw 11 Portable\portable\..\Corel Graphics 11\DRAW\CDRVIEWER\CrlShell110.dll" ["Corel Corporation"]
"{ABE00001-0123-ABED-1248-0248ADFA1909}" = "Zoom Player ShellExt"
  -> {HKLM...CLSID} = "ZPShellExt"
                   \InProcServer32\(Default) = "e:\PROGRA~1\ZOOMPL~1\zpshlext.dll" [null data]
"{49BF5420-FA7F-11cf-8011-00A0C90A8F78}" = "Mobile Device"
  -> {HKLM...CLSID} = "Urządzenie przenośne"
                   \InProcServer32\(Default) = "E:\PROGRA~1\MICROS~1\Wcesview.dll" [MS]
"{5E2121EE-0310-11D4-8D3B-444553540000}" = "AshAv extension"
  -> {HKLM...CLSID} = "AshAvShell Class"
                   \InProcServer32\(Default) = "e:\Program Files\Ashampoo\Ashampoo AntiVirus\ashavshell.dll" ["Ashampoo GmbH"]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
<<!>> "Shell" = "explorer.exe " [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
  -> {HKLM...CLSID} = "PDF Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
                   \InProcServer32\(Default) = "C:\Program Files\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
ZPShellExt\(Default) = "{ABE00001-0123-ABED-1248-0248ADFA1909}"
  -> {HKLM...CLSID} = "ZPShellExt"
                   \InProcServer32\(Default) = "e:\PROGRA~1\ZOOMPL~1\zpshlext.dll" [null data]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
ALSongContext\(Default) = "{CBE49257-71F8-44B4-B536-FF5359F0AEAA}"
  -> {HKLM...CLSID} = "ALContextMenu Class"
                   \InProcServer32\(Default) = "C:\Program Files\ESTsoft\ALSong\ALSongSh.dll" ["Copyright (C) 2005 ESTsoft corp."]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
                   \InProcServer32\(Default) = "C:\Program Files\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Default executables:
--------------------

<<!>> HKLM\SOFTWARE\Classes\.com\(Default) = "ComFile"


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"ClearRecentDocsOnExit" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"NoDrives" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoDrives" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideLogoffScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideStartupScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"RunLogonScriptSync" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"RunStartupScriptSync" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

"HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideLogoffScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"RunLogonScriptSync" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"RunStartupScriptSync" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideStartupScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Programy\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\ssflwbox.scr" [MS]


Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

ALSongCDAudioOnArrival\
"Provider" = "ALSong Player"
"InvokeProgID" = "ALSong.AudioCD"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\ALSong.AudioCD\shell\open\Command\(Default) = ""C:\Program Files\ESTsoft\ALSong\ALSong.exe" "%1"" ["ESTsoft corp."]

ALSongMediaOnArrival\
"Provider" = "ALSong Player"
"InvokeProgID" = "ALSong.AutoPlay"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\ALSong.AutoPlay\shell\open\Command\(Default) = ""C:\Program Files\ESTsoft\ALSong\ALSong.exe" "%1"" ["ESTsoft corp."]

ASHAshampoo_Burning_Studio_6_FREEBURNONARRIVAL\
"Provider" = "Ashampoo Burning Studio 6 FREE"
"InvokeProgID" = "Ashampoo.BurningStudio6FREE"
"InvokeVerb" = "autoplay-burn"
HKLM\SOFTWARE\Classes\Ashampoo.BurningStudio6FREE\shell\autoplay-burn\Command\(Default) = ""C:\Program Files\Ashampoo\Ashampoo Burning Studio 6 FREE\burningstudio.exe" -autoplay -selectdrive "%l"" ["ashampoo Technology GmbH & Co. KG"]

ASHAshampoo_Burning_Studio_6_FREECOPYONARRIVAL\
"Provider" = "Ashampoo Burning Studio 6 FREE"
"InvokeProgID" = "Ashampoo.BurningStudio6FREE"
"InvokeVerb" = "autoplay-copy"
HKLM\SOFTWARE\Classes\Ashampoo.BurningStudio6FREE\shell\autoplay-copy\Command\(Default) = "C:\Program Files\Ashampoo\Ashampoo Burning Studio 6 FREE\burningstudio.exe" -autoplay -selectdrive "%l" -copy" [file not found]

ASHAshampoo_Burning_Studio_6_FREERIPONARRIVAL\
"Provider" = "Ashampoo Burning Studio 6 FREE"
"InvokeProgID" = "Ashampoo.BurningStudio6FREE"
"InvokeVerb" = "autoplay-rip"
HKLM\SOFTWARE\Classes\Ashampoo.BurningStudio6FREE\shell\autoplay-rip\Command\(Default) = ""C:\Program Files\Ashampoo\Ashampoo Burning Studio 6 FREE\burningstudio.exe" -autoplay -selectdrive "%l" -rip" ["ashampoo Technology GmbH & Co. KG"]

FunMultiMediaHandler\
"Provider" = "MultiMedia Manager"
"ProgID" = "FUNBOX.Autoplay"
HKLM\SOFTWARE\Classes\FUNBOX.Autoplay\CLSID\(Default) = "{DF866F1F-10DF-4694-94A9-7F526FC8800A}"
  -> {HKLM...CLSID} = "FUNBOX Autoplay Sample 2"
                   \LocalServer32\(Default) = "C:\Program Files\Samsung\Samsung PC Studio 3\Share_autoplay.exe" ["TODO: <** **>" (unwritable string)]

LightScribeOnArrivalAP\
"Provider" = "LightScribe Direct Disc Labeling"
"InvokeProgID" = "LightScribe.AutoPlayHandler"
"InvokeVerb" = "LabelLightScribeDisc"
HKLM\SOFTWARE\Classes\LightScribe.AutoPlayHandler\shell\LabelLightScribeDisc\command\(Default) = "C:\Program Files\Common Files\LightScribe\LsLauncher.exe" ["Hewlett-Packard Company"]

MPCPlayCDAudioOnArrival\
"Provider" = "Media Player Classic"
"InvokeProgID" = "MediaPlayerClassic.Autorun"
"InvokeVerb" = "PlayCDAudio"
HKLM\SOFTWARE\Classes\MediaPlayerClassic.Autorun\shell\PlayCDAudio\command\(Default) = ""C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe" %1 /cd" ["Gabest"]

MPCPlayDVDMovieOnArrival\
"Provider" = "Media Player Classic"
"InvokeProgID" = "MediaPlayerClassic.Autorun"
"InvokeVerb" = "PlayDVDMovie"
HKLM\SOFTWARE\Classes\MediaPlayerClassic.Autorun\shell\PlayDVDMovie\command\(Default) = ""C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe" %1 /dvd" ["Gabest"]

MPCPlayMusicFilesOnArrival\
"Provider" = "Media Player Classic"
"InvokeProgID" = "MediaPlayerClassic.Autorun"
"InvokeVerb" = "PlayMusicFiles"
HKLM\SOFTWARE\Classes\MediaPlayerClassic.Autorun\shell\PlayMusicFiles\command\(Default) = ""C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe" %1" ["Gabest"]

MPCPlayVideoFilesOnArrival\
"Provider" = "Media Player Classic"
"InvokeProgID" = "MediaPlayerClassic.Autorun"
"InvokeVerb" = "PlayVideoFiles"
HKLM\SOFTWARE\Classes\MediaPlayerClassic.Autorun\shell\PlayVideoFiles\command\(Default) = ""C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe" %1" ["Gabest"]

Nikon Transfer\
"Provider" = "Nikon Transfer"
"InvokeProgID" = "Nikon Transfer"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\Nikon Transfer\shell\open\command\(Default) = "D:\Program Files\Nikon\Nikon Transfer\NktTransfer.exe /D=%L" ["Nikon Corporation"]

Picasa2ImportPicturesOnArrival\
"Provider" = "Picasa2"
"InvokeProgID" = "picasa2.autoplay"
"InvokeVerb" = "import"
HKLM\SOFTWARE\Classes\picasa2.autoplay\shell\import\command\(Default) = "d:\Program Files\Picasa2\Picasa2.exe "%1"" ["Google Inc."]


Startup items in "Programy" & "All Users" startup folders:
----------------------------------------------------------

C:\Documents and Settings\Programy\Menu Start\Programy\Autostart
"Nikon Monitor" -> shortcut to: "C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe" ["Nikon Corporation"]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"GuardGui" -> shortcut to: "E:\Program Files\Ashampoo\Ashampoo AntiVirus\GuardGui.exe" ["Ashampoo GmbH & Co K.G."]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{E0E899AB-F487-11D5-8D29-0050BA6940E3}" = "FlashGet Bar"
  -> {HKLM...CLSID} = "FlashGet Bar"
                   \InProcServer32\(Default) = "D:\PROGRA~3\FlashGet\fgiebar.dll" ["Amaze Soft"]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}\
"ButtonText" = "Create Mobile Favorite"
"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
  -> {HKLM...CLSID} = "Create Mobile Favorite"
                   \InProcServer32\(Default) = "E:\PROGRA~1\MICROS~1\INetRepl.dll" [MS]

{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}\
"MenuText" = "Utwórz Ulubione dla urządzenia przenośnego..."
"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
  -> {HKLM...CLSID} = "Create Mobile Favorite"
                   \InProcServer32\(Default) = "E:\PROGRA~1\MICROS~1\INetRepl.dll" [MS]

{77BF5300-1474-4EC7-9980-D32B190E9B07}\
"ButtonText" = "Skype"
"CLSIDExtension" = "{77BF5300-1474-4EC7-9980-D32B190E9B07}"
  -> {HKLM...CLSID} = "Skype add-on (button)"
                   \InProcServer32\(Default) = "C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll" ["Skype Technologies S.A."]

{D6E814A0-E0C5-11D4-8D29-0050BA6940E3}\
"ButtonText" = "FlashGet"
"MenuText" = "&FlashGet"
"Exec" = "D:\PROGRA~3\FlashGet\flashget.exe" ["FlashGet.com"]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

avGuard Service, avGuard, "e:\Program Files\Ashampoo\Ashampoo AntiVirus\ashAvSrv.exe" [null data]
Avira AntiVir Personal – Free Antivirus Guard, AntiVirService, ""C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe"" ["Avira GmbH"]
Avira AntiVir Personal – Free Antivirus Scheduler, AntiVirScheduler, ""C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe"" ["Avira GmbH"]
HASP License Manager, hasplms, "C:\WINDOWS\system32\hasplms.exe  -run" ["Aladdin Knowledge Systems Ltd."]
LightScribeService Direct Disc Labeling Service, LightScribeService, ""C:\Program Files\Common Files\LightScribe\LSSrvc.exe"" ["Hewlett-Packard Company"]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
PnkBstrA, PnkBstrA, "C:\WINDOWS\system32\PnkBstrA.exe" [null data]
PnkBstrB, PnkBstrB, "C:\WINDOWS\system32\PnkBstrB.exe" [null data]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


---------- (launch time: 2009-01-06 16:53:34)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
  DLL launch points, use the -supp parameter or answer "No" at the
  first message box and "Yes" at the second message box.
---------- (total run time: 70 seconds, including 2 seconds for message boxes)

Re: Message - there is a file ybj12.cmd on every drive

Post by AJAN » 07 Jan 2009, 00:10


Disinfect the USB flash drive or memory card
Perlovga Removal Tool
Flash Disinfector
or format it

Run HijackThis → Do a system scan only → the log will appear in the program window → tick the boxes next to the listed entries → click Fix checked
O4 - HKCU\..\Run: [vamsoft] C:\WINDOWS\system32\vamsoft.exe


Download ComboFix, but do not run it
Select the text below, paste it into Notepad, and save the file as CFScript.txt, preferably so that this file's icon sits next to the ComboFix.exe icon

Code:
C:\WINDOWS\system32\vamsoft.exe

For the duration of the scan, please disable all firewalls and antivirus programs
Drag and drop the CFScript.txt file onto the ComboFix.exe icon; the removal should start. After that, post the log on the forum
[Image] <-- as in the picture

Paste the log on WKLEJ.EU or WKLEJ.ORG and put the link in your post
Re: Message - there is a file ybj12.cmd on every drive

Post by pantik » 07 Jan 2009, 17:53

result from ComboFix

Code:
ComboFix 09-01-06.02 - Programy 2009-01-07 16:34:45.3 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1250.1.1045.18.1535.1069 [GMT 1:00]
Uruchomiony z: c:\documents and settings\Programy\Pulpit\ComboFix.exe
Użyto następujących komend :: c:\documents and settings\Programy\Pulpit\CFScript.txt
 * Utworzono nowy punkt przywracania
 * Resident AV is active


[COLOR=RED][B]UWAGA - TEN KOMPUTER NIE MA ZAINSTALOWANEJ KONSOLI ODZYSKIWANIA !![/B][/COLOR]
.

(((((((((((((((((((((((((((((((((((((((   Usunięto   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
c:\windows\system32\lsprst7.dll
c:\windows\system32\ssprs.dll
C:\yb12j.cmd
D:\Autorun.inf
D:\yb12j.cmd
E:\Autorun.inf
E:\yb12j.cmd
F:\Autorun.inf
F:\yb12j.cmd
G:\Autorun.inf
G:\yb12j.cmd
I:\autorun.inf
I:\yb12j.cmd

.
(((((((((((((((((((((((((   Pliki utworzone od 2008-12-07 do 2009-01-07  )))))))))))))))))))))))))))))))
.

2009-01-06 17:15 . 2009-01-06 17:15   <DIR>   d--------   c:\program files\ESET
2009-01-06 17:15 . 2009-01-06 17:15   <DIR>   d--------   c:\documents and settings\All Users\Dane aplikacji\ESET
2009-01-06 17:09 . 2009-01-06 17:09   <DIR>   d--------   C:\nup
2009-01-06 17:05 . 2009-01-06 17:08   <DIR>   d--------   c:\program files\EsetOnlineScanner
2009-01-06 16:55 . 2009-01-06 16:55   <DIR>   d--------   c:\program files\Trend Micro
2009-01-05 17:45 . 2009-01-04 15:38   122,140   -r-hs----   c:\windows\system32\vamsoft.exe
2009-01-05 17:45 . 2009-01-07 16:29   85,504   -r-hs----   c:\windows\system32\ciuytr0.dll
2009-01-03 09:03 . 2009-01-03 09:03   72,696   --a------   c:\documents and settings\Programy\Dane aplikacji\GDIPFONTCACHEV1.DAT
2009-01-02 22:02 . 2009-01-02 22:02   427   --a------   c:\windows\ODBC.INI
2009-01-02 22:01 . 2009-01-02 22:01   <DIR>   d--------   c:\windows\ShellNew
2008-12-27 22:23 . 2008-12-27 22:23   <DIR>   d--------   c:\program files\Avira
2008-12-27 22:23 . 2008-12-27 22:23   <DIR>   d--------   c:\documents and settings\All Users\Dane aplikacji\Avira
2008-12-27 21:10 . 2009-01-06 17:11   0   --a------   C:\log.tmp
2008-12-27 20:54 . 2008-12-27 20:54   31   --a------   c:\windows\system32\bbcap.err
2008-12-27 20:52 . 2008-12-27 20:52   <DIR>   d--------   c:\documents and settings\Programy\Dane aplikacji\Blueberry
2008-12-27 20:52 . 2008-12-27 20:52   30,720   --a------   c:\windows\system32\bbcap.dll
2008-12-27 20:52 . 2008-12-27 20:52   4,608   --a------   c:\windows\system32\bbchlp.dll
2008-12-27 20:52 . 2008-12-27 20:52   4,096   --a------   c:\windows\system32\drivers\bbcap.sys
2008-12-27 20:51 . 2008-12-27 20:52   <DIR>   d--------   c:\documents and settings\Programy\Dane aplikacji\LogSys
2008-12-27 20:51 . 2008-12-27 20:51   <DIR>   d--------   c:\documents and settings\All Users\Dane aplikacji\LogSys
2008-12-27 11:02 . 2008-12-27 11:02   <DIR>   d--------   C:\cda
2008-12-20 19:52 . 2008-12-20 19:52   <DIR>   d--------   c:\documents and settings\Programy\Dane aplikacji\Thunderbird
2008-12-20 19:52 . 2008-12-20 19:52   0   --a------   c:\windows\nsreg.dat
2008-12-20 19:51 . 2008-12-22 19:08   <DIR>   d--------   c:\program files\Mozilla Thunderbird
2008-12-20 16:10 . 2008-12-20 16:10   <DIR>   d--------   c:\documents and settings\Programy\Dane aplikacji\DonationCoder
2008-12-20 16:10 . 2008-12-20 16:10   <DIR>   d--------   c:\documents and settings\All Users\Dane aplikacji\DonationCoder
2008-12-20 16:10 . 2008-12-20 16:10   58   --a------   c:\windows\system32\DonationCoder_ScreenshotCaptor_InstallInfo.dat
2008-12-18 19:10 . 2008-12-18 19:10   552   --a------   c:\windows\system32\d3d8caps.dat
2008-12-17 22:12 . 2002-11-21 15:07   765,952   --a------   c:\windows\system\crlds3d.dll
2008-12-17 22:12 . 2003-08-19 19:36   65,536   --a------   c:\windows\system32\Audio3D.dll
2008-12-15 23:21 . 2008-12-15 23:38   <DIR>   d--------   c:\windows\system32\Adobe
2008-12-15 21:15 . 2008-12-15 21:15   <DIR>   d--------   c:\documents and settings\Programy\Dane aplikacji\JAlbum
2008-12-13 18:18 . 2008-12-13 18:18   <DIR>   dr-------   c:\documents and settings\LocalService\Ulubione
2008-12-13 18:06 . 2004-02-27 06:01   79,654   --a------   c:\windows\system32\E_FLM9BE.DLL
2008-12-13 18:06 . 2003-05-21 03:27   64,000   --a------   c:\windows\system32\E_FBCB9BE.DLL
2008-12-13 18:06 . 2000-06-07 02:01   34,304   --a------   c:\windows\system32\E_FBCH9BE.DLL
2008-12-13 18:06 . 2003-04-10 06:40   31,744   --a------   c:\windows\system32\E_DCINST.DLL
2008-12-13 18:04 . 2008-12-13 18:07   <DIR>   d--------   c:\program files\epson
2008-12-13 18:04 . 2003-07-01 00:00   46,080   --a------   c:\windows\system32\escimgd.dll
2008-12-13 18:04 . 2003-08-06 00:00   29,184   --a------   c:\windows\system32\escwiadn.dll
2008-12-13 18:04 . 2003-07-01 00:00   22,528   --a------   c:\windows\system32\esccmd.dll
2008-12-13 18:03 . 2004-08-03 23:01   25,856   --a------   c:\windows\system32\drivers\usbprint.sys
2008-12-13 18:03 . 2004-08-03 23:01   25,856   --a--c---   c:\windows\system32\dllcache\usbprint.sys
2008-12-13 18:03 . 2008-12-13 18:03   25   --a------   c:\windows\CDE CX3600FGD.ini
2008-12-11 23:58 . 2008-12-13 17:35   20   ---h-----   c:\documents and settings\All Users\Dane aplikacji\PKP_DLdy.DAT
2008-12-10 17:26 . 2008-12-10 17:26   249,856   ---------   c:\windows\Setup1.exe
2008-12-10 17:26 . 2008-12-10 17:26   73,216   --a------   c:\windows\ST6UNST.EXE
2008-12-10 17:20 . 2008-12-10 17:21   <DIR>   d--------   c:\program files\AVS4YOU
2008-12-10 17:20 . 2003-05-22 00:50   156,910   --a------   c:\windows\WMSysPr8.prx
2008-12-10 17:20 . 2003-03-25 06:49   98,304   --a------   c:\windows\system32\L3CODECX.AX
2008-12-10 17:20 . 2003-05-22 00:50   82,944   --a------   c:\windows\system32\vct3216.acm
2008-12-10 17:20 . 2004-09-06 17:06   53,248   --a------   c:\windows\system32\xvid.ax
2008-12-10 17:20 . 2003-05-22 00:50   38,912   --a------   c:\windows\system32\alf2cd.acm
2008-12-10 17:20 . 2000-03-14 21:55   13,239   --a------   c:\windows\system32\Scg726.acm
2008-12-09 22:15 . 2008-12-09 22:20   <DIR>   d--------   c:\program files\APOD
2008-12-09 19:24 . 2007-09-27 15:22   524,288   --a------   c:\windows\system32\xvidcore.dll
2008-12-09 19:24 . 2007-09-27 15:22   139,264   --a------   c:\windows\system32\xvidvfw.dll
2008-12-09 19:24 . 2007-12-24 13:49   7,680   --a------   c:\windows\system32\ff_vfw.dll
2008-12-09 19:24 . 2007-07-10 17:10   547   --a------   c:\windows\system32\ff_vfw.dll.manifest
2008-12-08 23:42 . 2008-12-08 23:42   49,160   --ah-----   c:\windows\system32\mlfcache.dat
2008-12-08 21:26 . 2008-12-25 20:11   <DIR>   d--------   c:\documents and settings\Programy\Dane aplikacji\skypePM
2008-12-08 21:26 . 2008-12-08 21:26   56   --ah-----   c:\windows\system32\ezsidmv.dat
2008-12-08 21:22 . 2008-12-25 20:16   <DIR>   d--------   c:\documents and settings\Programy\Dane aplikacji\Skype
2008-12-08 21:21 . 2008-12-08 21:21   <DIR>   d--------   c:\program files\Skype
2008-12-08 21:21 . 2008-12-08 21:21   <DIR>   d--------   c:\program files\Common Files\Skype
2008-12-08 21:21 . 2008-12-08 21:21   <DIR>   d--------   c:\documents and settings\All Users\Dane aplikacji\Skype
2008-12-07 18:51 . 2008-12-07 18:51   <DIR>   d--------   c:\documents and settings\Programy\Dane aplikacji\Digital Red

.
((((((((((((((((((((((((((((((((((((((((   Sekcja Find3M   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-06 17:15   138,512   ----a-w   c:\windows\system32\drivers\PnkBstrK.sys
2009-01-06 17:14   201,440   ----a-w   c:\windows\system32\PnkBstrB.exe
2009-01-03 17:47   ---------   d--h--w   c:\program files\InstallShield Installation Information
2008-12-28 17:51   910   ----a-w   c:\documents and settings\Programy\Dane aplikacji\wklnhst.dat
2008-12-27 17:25   ---------   d-----w   c:\documents and settings\Programy\Dane aplikacji\FileZilla
2008-12-24 19:51   20   ---h--w   c:\documents and settings\All Users\Dane aplikacji\PKP_DLdw.DAT
2008-12-21 20:15   ---------   d-----w   c:\program files\Opera
2008-12-20 15:11   ---------   d-----w   c:\documents and settings\Programy\Dane aplikacji\FastStone
2008-12-17 20:39   ---------   d-----w   c:\program files\AlsRack
2008-12-17 20:00   ---------   d-----w   c:\program files\ScannerU
2008-12-13 16:35   ---------   d-----w   c:\program files\Common Files\Nikon
2008-12-11 22:58   ---------   d-----w   c:\documents and settings\All Users\Dane aplikacji\Ultima_T15
2008-12-11 22:58   ---------   d-----w   c:\documents and settings\All Users\Dane aplikacji\EnterNHelp
2008-12-10 16:21   ---------   d-----w   c:\program files\Common Files\AVSMedia
2008-12-09 18:31   ---------   d-----w   c:\program files\DivX
2008-12-09 18:25   ---------   d-----w   c:\program files\K-Lite Codec Pack
2008-12-07 18:59   ---------   d-----w   c:\documents and settings\All Users\Dane aplikacji\Zoom Player
2008-12-07 18:58   ---------   d-----w   c:\program files\NAPI-PROJEKT
2008-12-06 08:43   ---------   d-----w   c:\documents and settings\Gry\Dane aplikacji\Any Video Converter
2008-12-01 15:38   ---------   d-----w   c:\documents and settings\All Users\Dane aplikacji\VMware
2008-12-01 15:35   ---------   d-----w   c:\documents and settings\Programy\Dane aplikacji\VMware
2008-12-01 15:11   ---------   d-----w   c:\documents and settings\LocalService\Dane aplikacji\VMware
2008-11-27 17:53   ---------   d-----w   c:\program files\Ashampoo
2008-11-27 17:53   ---------   d-----w   c:\documents and settings\Programy\Dane aplikacji\Ashampoo
2008-11-27 17:51   ---------   d-----w   c:\documents and settings\Programy\Dane aplikacji\Ahead
2008-11-27 17:51   ---------   d-----w   c:\documents and settings\Gry\Dane aplikacji\Ahead
2008-11-27 17:45   ---------   d-----w   c:\program files\Digital Talking Parrot
2008-11-26 20:34   66,872   ----a-w   c:\windows\system32\PnkBstrA.exe
2008-11-26 19:58   ---------   d-----w   c:\documents and settings\Programy\Dane aplikacji\Reallusion
2008-11-26 19:56   ---------   d-----w   c:\program files\Reallusion
2008-11-26 19:56   ---------   d-----w   c:\program files\Common Files\Reallusion
2008-11-25 18:32   ---------   d-----w   c:\documents and settings\Programy\Dane aplikacji\Nikon
2008-11-24 21:29   ---------   d-----w   c:\program files\Common Files\Ahead
2008-11-24 17:59   20   ---h--w   c:\documents and settings\All Users\Dane aplikacji\PKP_DLdu.DAT
2008-11-23 15:06   ---------   d-----w   c:\program files\Common Files\muvee Technologies
2008-11-23 15:06   ---------   d-----w   c:\documents and settings\All Users\Dane aplikacji\Nikon
2008-11-23 15:05   106,496   ----a-w   c:\windows\system32\ATL71.DLL
2008-11-23 14:57   ---------   d-----w   c:\documents and settings\All Users\Dane aplikacji\hps
2008-11-21 21:47   524,288   ----a-w   c:\windows\system32\DivXsm.exe
2008-11-21 21:47   3,596,288   ----a-w   c:\windows\system32\qt-dx331.dll
2008-11-21 21:46   200,704   ----a-w   c:\windows\system32\ssldivx.dll
2008-11-21 21:46   1,044,480   ----a-w   c:\windows\system32\libdivx.dll
2008-11-21 21:44   161,096   ----a-w   c:\windows\system32\DivXCodecVersionChecker.exe
2008-11-21 21:44   12,288   ----a-w   c:\windows\system32\DivXWMPExtType.dll
2008-11-14 09:30   ---------   d-----w   c:\program files\Real Alternative
2008-11-12 19:38   ---------   d-----w   c:\program files\Google
2008-11-11 11:32   ---------   d-----w   c:\documents and settings\Programy\Dane aplikacji\U3
.

(((((((((((((((((((((((((((((((((((((   Wpisy startowe rejestru   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 25088]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-07-17 490952]
"VisualTaskTips"="c:\program files\VisualTaskTips\VisualTaskTips.exe" [2008-03-09 61440]
"H/PC Connection Agent"="e:\program files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]
"vamsoft"="c:\windows\system32\vamsoft.exe" [2009-01-04 122140]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-03 13529088]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"VMSnap3"="c:\windows\VMSnap3.exe" [2006-07-18 49152]
"Domino"="c:\windows\Domino.exe" [2006-07-04 49152]
"EPSON Stylus CX3600 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE" [2004-03-04 98304]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 262401]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-07-01 1447168]
"SoundMan"="SOUNDMAN.EXE" [2004-01-09 c:\windows\SOUNDMAN.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 25088]

c:\documents and settings\Programy\Menu Start\Programy\Autostart\
Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2007-10-18 479232]

c:\documents and settings\All Users\Menu Start\Programy\Autostart\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-07-25 113664]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.MSNAUDIO"= msnaudio.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Gadu-Gadu\\gg.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\TeamViewer3\\TeamViewer.exe"=
"e:\program files\Microsoft ActiveSync\rapimgr.exe"= e:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"e:\program files\Microsoft ActiveSync\wcescomm.exe"= e:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"e:\program files\Microsoft ActiveSync\WCESMgr.exe"= e:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"g:\\GPS\\My Mobile\\MyMobiler\\MyMobiler.exe"=
"d:\\Program Files\\Wolfenstein - Enemy Territory\\ET.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"1947:TCP"= 1947:TCP:HASP SRM
"1947:UDP"= 1947:UDP:HASP SRM

R0 BootScreen;BootScreen;\SystemRoot\\SystemRoot\System32\drivers\vidstub.sys --> \SystemRoot\\SystemRoot\System32\drivers\vidstub.sys [?]
R1 cdrblock;cdrblock;c:\windows\system32\drivers\cdrblock.sys [2008-10-25 27704]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-07-01 34312]
R3 bbcap;bbcap;c:\windows\system32\drivers\bbcap.sys [2008-12-27 4096]
R4 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2008-07-01 468224]
R4 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe  -run --> c:\windows\system32\hasplms.exe  -run [?]
S3 3xHybrid;TV-Station DVR service;c:\windows\system32\drivers\3xHybrid.sys [2008-07-28 1121536]
S3 als4k;Avance Audio Miniport Driver (WDM);c:\windows\system32\drivers\als4000.sys [2008-09-10 28919]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;\??\g:\test podzespołów\everestultimate_build_1180_y1obfjxk7ls\kerneld.wnt --> g:\test podzespołów\everestultimate_build_1180_y1obfjxk7ls\kerneld.wnt [?]
S3 vmfilter303;vmfilter303;c:\windows\system32\drivers\vmfilter303.sys [2008-08-06 428160]
S3 vvftav303;vvftav303;c:\windows\system32\drivers\vvftav303.sys [2008-09-13 475136]
S3 ZSMC0303;VIMICRO USB PC Camera (ZC0301PLH);c:\windows\system32\drivers\usbVM303.sys [2008-09-13 1474560]
S4 BulkUsb;Plustek USB Scanner;c:\windows\system32\drivers\usbscan.sys [2008-09-08 15104]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f316c72d-72ec-11dd-a93e-0050045641d3}]
\Shell\AutoRun\command - K:\USBNB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
- - - - USUNIĘTO PUSTE WPISY - - - -

HKLM-Run-WinampAgent - d:\program files\Winamp\winampa.exe


.
------- Skan uzupełniający -------
.
uStart Page = hxxp://www.google.pl/
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Ściągnij przy pomocy FlashGet'a - d:\programy p2p i akceleratory\FlashGet\jc_link.htm
IE: Ściągnij wszystko przy pomocy FlashGet'a - d:\programy p2p i akceleratory\FlashGet\jc_all.htm
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-07 16:37:06
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

skanowanie ukrytych procesów ...

skanowanie ukrytych wpisów autostartu ...

skanowanie ukrytych plików ...

skanowanie pomyślnie ukończone
ukryte pliki: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\EverestDriver]
"ImagePath"="\??\g:\test podzespołów\everestultimate_build_1180_y1obfjxk7ls\kerneld.wnt"
.
--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------

- - - - - - - > 'winlogon.exe'(548)
c:\windows\system32\sfc_os.dll
c:\windows\system32\cscui.dll
.
Czas ukończenia: 2009-01-07 16:38:46
ComboFix-quarantined-files.txt  2009-01-07 15:38:23

Przed: 2 331 762 688 bajtów wolnych
Po: 2,906,644,480 bajtów wolnych

242


new log from the previous program

Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:39:59, on 2009-01-07
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\hasplms.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\VMSnap3.exe
C:\WINDOWS\Domino.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\VisualTaskTips\VisualTaskTips.exe
E:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
E:\PROGRA~1\MICROS~1\rapimgr.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - D:\PROGRA~3\FlashGet\jccatch.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - D:\PROGRA~3\FlashGet\getflash.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRA~3\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VMSnap3] C:\WINDOWS\VMSnap3.exe
O4 - HKLM\..\Run: [Domino] C:\WINDOWS\Domino.exe
O4 - HKLM\..\Run: [EPSON Stylus CX3600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE /P26 "EPSON Stylus CX3600 Series" /O6 "USB001" /M "Stylus CX3600"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [VisualTaskTips] "C:\Program Files\VisualTaskTips\VisualTaskTips.exe" noTrayIcon
O4 - HKCU\..\Run: [H/PC Connection Agent] "E:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [vamsoft] C:\WINDOWS\system32\vamsoft.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Nikon Monitor.lnk = C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Ściągnij przy pomocy FlashGet'a - D:\Programy p2p i akceleratory\FlashGet\jc_link.htm
O8 - Extra context menu item: Ściągnij wszystko przy pomocy FlashGet'a - D:\Programy p2p i akceleratory\FlashGet\jc_all.htm
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - E:\PROGRA~1\MICROS~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - E:\PROGRA~1\MICROS~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Utwórz Ulubione dla urządzenia przenośnego... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - E:\PROGRA~1\MICROS~1\INetRepl.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~3\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~3\FlashGet\flashget.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.pl/resources/virusscanner/kavwebscan_unicode.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HASP License Manager (hasplms) - Aladdin Knowledge Systems Ltd. - C:\WINDOWS\system32\hasplms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 6971 bytes


this entry:
O4 - HKCU\..\Run: [vamsoft] C:\WINDOWS\system32\vamsoft.exe

it was only removed on the 3rd attempt, because every time I removed it and started the program again it came back, and now it has stopped
