
Help, please check the logs from the programs

Logs, securing your computer and data. Antivirus and antispyware programs, firewalls, etc.
Forum rules
1. Every topic title should reflect the content of the thread.
2. When pasting logs, produce them right away from at least two tools: FRST and GMER.
3. Please publish all logs on sites intended for that purpose and paste only the link in your post.
4. Shortening logs is not advised; paste the whole log, from beginning to end.
5. Hijacking other users' topics is not advised; please start a new topic in the Security section, which makes it easier for the person checking to help.
6. People without the appropriate knowledge should not check logs, as this risks serious damage to the system or to applications installed on the computer.
7. Describe the problem precisely: the symptoms that occur and all the actions taken so far.
8. Every script is unique, written for each case separately, so it must not be used by others.
9. When posting a screenshot, please use an external image-hosting service.


Post by t.w.21 » 30 May 2008, 19:46


"Silent Runners.vbs", revision 58, http://www.silentrunners.org/
Operating System: Windows Vista
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"GDFirewallTray" = "C:\Program Files\G DATA TotalCare\Firewall\GDFirewallTray.exe" ["G DATA Software AG"]
"AVKTray" = ""C:\Program Files\G DATA TotalCare\AVKTray\AVKTray.exe"" ["G DATA Software"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{0124123D-61B4-456f-AF86-78C53A0790C5}\(Default) = "G DATA WebFilter Class"
-> {HKLM...CLSID} = "G DATA WebFilter"
\InProcServer32\(Default) = "C:\Program Files\G DATA TotalCare\Webfilter\AvkWebIE.dll" [null data]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {HKLM...CLSID} = "DesktopContext Class"
\InProcServer32\(Default) = "C:\Windows\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"
-> {HKLM...CLSID} = "NeroDigitalIconHandler Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"
-> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{23170F69-40C1-278A-1000-000100020000}" = "7-Zip Shell Extension"
-> {HKLM...CLSID} = "7-Zip Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {HKLM...CLSID} = "NVIDIA CPL Extension"
\InProcServer32\(Default) = "C:\Windows\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{416651E4-9C3C-11D9-8BDE-F66BAD1E3F3A}" = "PhoneBrowser"
-> {HKLM...CLSID} = "Nokia Phone Browser"
\InProcServer32\(Default) = "C:\Program Files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll" ["Nokia"]
"{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}" = "TuneUp Shredder Shell Extension"
-> {HKLM...CLSID} = "TuneUp Shredder Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\TuneUp Utilities 2007\SDShelEx-win32.dll" ["TuneUp Software GmbH"]
"{44440D00-FF19-4AFC-B765-9A0970567D97}" = "TuneUp Theme Extension"
-> {HKLM...CLSID} = "TuneUp Theme Extension"
\InProcServer32\(Default) = "C:\Windows\System32\uxtuneup.dll" ["TuneUp Software GmbH"]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
<<!>> "Userinit" = "C:\Windows\system32\userinit.exe,c:\program files\g data totalcare\avkkid\avkcks.exe" [MS], [file not found], [file not found], [file not found], [file not found]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"
-> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
-> {HKLM...CLSID} = "7-Zip Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
AVK9CM\(Default) = "{CAF4C320-32F5-11D3-A222-004095200FF2}"
-> {HKLM...CLSID} = "AVK9ContextMenue"
\InProcServer32\(Default) = "C:\Program Files\G DATA TotalCare\AVK\ShellExt.dll" ["G DATA Software AG"]
TuneUp Shredder Shell Extension\(Default) = "{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}"
-> {HKLM...CLSID} = "TuneUp Shredder Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\TuneUp Utilities 2007\SDShelEx-win32.dll" ["TuneUp Software GmbH"]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
-> {HKLM...CLSID} = "7-Zip Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
TuneUp Shredder Shell Extension\(Default) = "{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}"
-> {HKLM...CLSID} = "TuneUp Shredder Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\TuneUp Utilities 2007\SDShelEx-win32.dll" ["TuneUp Software GmbH"]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
AVK9CM\(Default) = "{CAF4C320-32F5-11D3-A222-004095200FF2}"
-> {HKLM...CLSID} = "AVK9ContextMenue"
\InProcServer32\(Default) = "C:\Program Files\G DATA TotalCare\AVK\ShellExt.dll" ["G DATA Software AG"]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\

"SaveZoneInformation" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoDrives" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoDrives" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideLogoffScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"RunLogonScriptSync" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"RunStartupScriptSync" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideStartupScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"ConsentPromptBehaviorAdmin" = (REG_DWORD) dword:0x00000002
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode}

"ConsentPromptBehaviorUser" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Behavior Of The Elevation Prompt For Standard Users}

"EnableInstallerDetection" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Detect Application Installations And Prompt For Elevation}

"EnableLUA" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Run All Administrators In Admin Approval Mode}

"EnableSecureUIAPaths" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Only elevate UIAccess applications that are installed in secure locations}

"EnableVirtualization" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Virtualize file and registry write failures to per-user locations}

"PromptOnSecureDesktop" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Switch to the secure desktop when prompting for elevation}

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

"FilterAdministratorToken" = (REG_DWORD) dword:0x00000000
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Admin Approval Mode for the Built-in Administrator Account}

"EnableUIADesktopToggle" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"DisableRegistryTools" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideLogoffScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"RunLogonScriptSync" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"RunStartupScriptSync" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideStartupScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows Photo Gallery\Tapeta z Galerii fotografii systemu Windows.jpg"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Users\elanowiec20\AppData\Roaming\Microsoft\Windows Photo Gallery\Tapeta z Galerii fotografii systemu Windows.jpg"


Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

NMMPlayCDAudioOnArrival\
"Provider" = "Nokia Music Manager"
"InvokeProgID" = "NokiaMusicManager"
"InvokeVerb" = "NMMPlayCD"
HKLM\SOFTWARE\Classes\NokiaMusicManager\shell\NMMPlayCD\command\(Default) = "C:\Program Files\Nokia\Nokia PC Suite 6\MusicManager.exe /playCD "%L"" ["Nokia"]

NMMRipCDAudioOnArrival\
"Provider" = "Nokia Music Manager"
"InvokeProgID" = "NokiaMusicManager"
"InvokeVerb" = "NMMRipCD"
HKLM\SOFTWARE\Classes\NokiaMusicManager\shell\NMMRipCD\command\(Default) = "C:\Program Files\Nokia\Nokia PC Suite 6\MusicManager.exe /ripCD "%L"" ["Nokia"]

WinampMTPHandler\
"Provider" = "Winamp"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = "C:\Users\elanowiec20\Desktop\Winamp\winamp.exe"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
-> {HKLM...CLSID} = "Shell Execute Hardware Event Handler"
\LocalServer32\(Default) = "C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]


Startup items in "elanowiec20" & "All Users" startup folders:
-------------------------------------------------------------

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
"G DATA Firewall Tray" -> shortcut to: "C:\Program Files\G DATA TotalCare\Firewall\GDFirewallTray.exe" ["G DATA Software AG"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\system32\NLAapi.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\system32\napinsp.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\system32\pnrpnsp.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\system32\pnrpnsp.dll" [MS]
000000000005\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000006\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 20


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{0124123D-61B4-456F-AF86-78C53A0790C5}" = "G DATA WebFilter"
-> {HKLM...CLSID} = "G DATA WebFilter"
\InProcServer32\(Default) = "C:\Program Files\G DATA TotalCare\Webfilter\AvkWebIE.dll" [null data]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC}"
-> {HKLM...CLSID} = "Java Plug-in 1.6.0_05"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll" ["Sun Microsystems, Inc."]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Dostęp do urządzeń interfejsu HID, hidserv, "C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted" {"C:\Windows\system32\hidserv.dll" [MS]}
G DATA AntiVirus Proxy, AVKProxy, ""C:\Program Files\Common Files\G DATA\AVKProxy\AVKProxy.exe"" ["G DATA Software AG"]
G DATA Personal Firewall, GDFwSvc, "C:\Program Files\G DATA TotalCare\Firewall\GDFwSvc.exe" ["G DATA Software AG"]
G DATA Scheduler, AVKService, "C:\Program Files\G DATA TotalCare\AVK\AVKService.exe" ["G DATA Software AG"]
LightScribeService Direct Disc Labeling Service, LightScribeService, ""C:\Program Files\Common Files\LightScribe\LSSrvc.exe"" ["Hewlett-Packard Company"]
Przeglądarka komputera, Browser, "C:\Windows\System32\svchost.exe -k netsvcs" {"C:\Windows\System32\browser.dll" [MS]}
Strażnik AntiVirus, AVKWCtl, "C:\Program Files\G DATA TotalCare\AVK\AVKWCtl.exe" ["G DATA Software AG"]
TuneUp Theme Extension, UxTuneUp, "C:\Windows\System32\svchost.exe -k netsvcs" {"C:\Windows\System32\uxtuneup.dll" ["TuneUp Software GmbH"]}
Usługa Protokół SSTP, SstpSvc, "C:\Windows\system32\svchost.exe -k LocalService" {"C:\Windows\system32\sstpsvc.dll" [MS]}
Usługa udostępniania w sieci programu Windows Media Player, WMPNetworkSvc, ""C:\Program Files\Windows Media Player\wmpnetwk.exe"" [MS]
Windows Driver Foundation — User-mode Driver Framework, wudfsvc, "C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted" {"C:\Windows\System32\WUDFSvc.dll" [MS]}
Windows Image Acquisition (WIA), stisvc, "C:\Windows\system32\svchost.exe -k imgsvc" {"C:\Windows\System32\wiaservc.dll" [MS]}


---------- (launch time: 2008-05-30 19:22:46)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 57 seconds, including 15 seconds for message boxes)


ComboFix 08-05-29.1 - elanowiec20 2008-05-30 19:16:11.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1250.1.1045.18.307 [GMT 2:00]
Running from: C:\Users\elanowiec20\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-30 )))))))))))))))))))))))))))))))
.

2008-05-30 13:47 . 2008-05-30 14:18 <DIR> d-------- C:\Seven Kingdoms AA
2008-05-30 13:46 . 1997-08-26 12:06 315,904 --a------ C:\Windows\IsUninst.exe
2008-05-29 10:38 . 2008-05-30 11:23 <DIR> d-------- C:\Program Files\18 WoS Across America
2008-05-29 09:32 . 2008-05-29 09:35 <DIR> d-------- C:\Windows\UbiSoft
2008-05-29 09:32 . 2008-05-29 09:32 <DIR> d-------- C:\UbiSoft
2008-05-29 08:19 . 2008-03-08 04:08 4,240,384 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
2008-05-29 08:19 . 2008-03-08 06:21 1,695,744 --a------ C:\Windows\System32\gameux.dll
2008-05-04 15:44 . 2005-05-26 15:34 2,297,552 --a------ C:\Windows\System32\d3dx9_26.dll
2008-05-04 12:31 . 2008-05-04 12:32 <DIR> d-------- C:\Program Files\Java
2008-05-04 12:24 . 2008-05-04 12:24 <DIR> d-------- C:\Program Files\Common Files\Java
2008-04-21 14:43 . 2008-04-21 14:45 <DIR> d-------- C:\Users\All Users\Adobe
2008-04-21 14:43 . 2008-04-21 14:44 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-04-20 14:23 . 2008-04-20 14:23 <DIR> d-------- C:\Users\elanowiec20\AppData\Roaming\Systweak
2008-04-20 14:22 . 2008-04-20 14:23 <DIR> d-------- C:\Program Files\Systweak Photo Studio V2
2008-04-20 12:05 . 2008-04-20 12:05 <DIR> dr------- C:\Windows\System32\config\systemprofile\Videos
2008-04-20 12:05 . 2008-04-20 12:05 <DIR> dr------- C:\Windows\System32\config\systemprofile\Searches
2008-04-20 12:05 . 2008-04-20 12:05 <DIR> dr------- C:\Windows\System32\config\systemprofile\Saved Games
2008-04-20 12:05 . 2008-04-20 12:05 <DIR> dr------- C:\Windows\System32\config\systemprofile\Pictures
2008-04-20 12:05 . 2008-04-20 12:05 <DIR> dr------- C:\Windows\System32\config\systemprofile\Music
2008-04-20 12:05 . 2008-04-20 12:05 <DIR> dr------- C:\Windows\System32\config\systemprofile\Links
2008-04-20 12:05 . 2008-04-20 12:05 <DIR> dr------- C:\Windows\System32\config\systemprofile\Downloads
2008-04-20 12:05 . 2008-04-20 12:05 <DIR> dr------- C:\Windows\System32\config\systemprofile\Documents
2008-04-19 23:03 . 2008-04-21 21:32 <DIR> d--h----- C:\Windows\Icons
2008-04-19 22:03 . 2008-04-19 22:03 <DIR> d-------- C:\Users\elanowiec20\AppData\Roaming\TuneUp Software
2008-04-19 22:03 . 2007-05-16 08:41 29,704 --a------ C:\Windows\System32\uxtuneup.dll
2008-04-19 22:03 . 2007-04-26 14:57 16,904 --a------ C:\Windows\System32\authuitu.dll
2008-04-19 22:02 . 2008-04-19 22:02 <DIR> d-------- C:\Users\All Users\TuneUp Software
2008-04-19 22:02 . 2008-04-19 22:02 <DIR> d-------- C:\ProgramData\TuneUp Software
2008-04-19 22:02 . 2008-04-19 22:19 <DIR> d-------- C:\Program Files\TuneUp Utilities 2007
2008-04-19 22:01 . 2008-04-19 22:01 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-19 21:22 . 2008-04-19 21:22 <DIR> d-------- C:\Wizualizacje
2008-04-19 21:21 . 2008-04-19 21:21 <DIR> d-------- C:\Program Files\Winamp
2008-04-19 21:20 . 2008-04-19 21:20 <DIR> d-------- C:\WMP_karnacje
2008-04-19 21:16 . 2008-04-19 21:41 <DIR> d-------- C:\Users\elanowiec20\AppData\Roaming\Winamp
2008-04-19 21:16 . 2007-03-08 01:51 129,784 --------- C:\Windows\System32\pxafs.dll
2008-04-19 20:12 . 2008-04-19 20:12 <DIR> d-------- C:\Users\elanowiec20\AppData\Roaming\DataLayer
2008-04-19 20:11 . 2008-04-19 20:15 <DIR> d-------- C:\Users\elanowiec20\Phone Browser
2008-04-19 20:06 . 2008-04-19 20:06 <DIR> d-------- C:\Program Files\Common Files\Nokia
2008-04-19 20:04 . 2008-04-19 20:06 <DIR> d-------- C:\Program Files\Nokia
2008-04-19 20:04 . 2006-05-29 08:26 50,688 --a------ C:\Windows\System32\nmwcdcls.dll
2008-04-19 20:03 . 2008-04-19 20:07 <DIR> d-------- C:\Users\elanowiec20\AppData\Roaming\PC Suite
2008-04-19 20:03 . 2008-04-19 20:07 <DIR> d-------- C:\Users\All Users\PC Suite
2008-04-19 20:03 . 2008-04-19 20:07 <DIR> d-------- C:\ProgramData\PC Suite
2008-04-19 20:03 . 2008-04-19 20:06 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2008-04-19 20:01 . 2008-04-19 20:01 <DIR> d-------- C:\Users\All Users\Downloaded Installations
2008-04-19 20:01 . 2008-04-19 20:01 <DIR> d-------- C:\ProgramData\Downloaded Installations
2008-04-19 19:39 . 2008-04-19 19:39 0 --ah----- C:\Windows\System32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-04-19 09:40 . 2008-01-19 09:35 9,847,296 --a------ C:\Windows\System32\NlsData000a.dll
2008-04-19 09:39 . 2008-01-19 08:06 8,147,456 --a------ C:\Windows\System32\wmploc.DLL
2008-04-19 09:38 . 2008-01-19 09:36 704,512 --a------ C:\Windows\System32\SmiEngine.dll
2008-04-19 09:38 . 2008-01-19 09:36 357,888 --a------ C:\Windows\System32\wbemcomn.dll
2008-04-19 09:38 . 2008-01-19 09:36 218,624 --a------ C:\Windows\System32\wdscore.dll
2008-04-19 09:38 . 2008-01-19 09:36 139,264 --a------ C:\Windows\System32\SmiInstaller.dll
2008-04-19 09:38 . 2008-01-19 09:33 130,560 --a------ C:\Windows\System32\PkgMgr.exe
2008-04-19 09:37 . 2008-01-19 09:34 305,152 --a------ C:\Windows\System32\msdelta.dll
2008-04-19 09:37 . 2008-01-19 09:34 258,560 --a------ C:\Windows\System32\dpx.dll
2008-04-19 09:37 . 2008-01-19 09:34 246,784 --a------ C:\Windows\System32\drvstore.dll
2008-04-19 09:37 . 2008-01-19 09:35 35,328 --a------ C:\Windows\System32\mspatcha.dll
2008-04-12 22:05 . 2008-04-12 22:05 <DIR> d-------- C:\Users\elanowiec20\AppData\Roaming\Media Player Classic
2008-04-12 21:50 . 2008-04-12 21:50 <DIR> d-------- C:\Users\All Users\CyberLink
2008-04-12 21:50 . 2008-04-12 21:50 <DIR> d-------- C:\ProgramData\CyberLink
2008-04-12 21:50 . 2008-04-12 21:50 <DIR> d-------- C:\Program Files\CyberLink
2008-04-12 20:58 . 2006-10-16 14:19 197,522 --a------ C:\Windows\System32\V0260530.set
2008-04-12 20:58 . 2006-11-04 00:45 178,913 --a------ C:\Windows\System32\drivers\V0260Vid.sys
2008-04-12 20:58 . 2006-03-28 19:00 94,208 --a------ C:\Windows\System32\V0260Ext.ax
2008-04-12 20:58 . 2005-07-06 19:07 36,864 --a------ C:\Windows\System32\CtCamMgr.dll
2008-04-12 20:58 . 2006-03-27 19:00 32,874 --a------ C:\Windows\V0260Cfg.exe
2008-04-12 20:58 . 2006-03-30 19:00 28,672 --a------ C:\Windows\System32\V0260Hwx.dll
2008-04-12 20:58 . 2006-11-03 12:16 24,872 --a------ C:\Windows\System32\drivers\V0260Cmd.sys
2008-04-12 20:58 . 2005-02-02 03:53 24,576 --a------ C:\Windows\System32\CtCamPin.crl
2008-04-12 20:58 . 2005-11-30 19:00 20,564 --a------ C:\Windows\System32\V0260Srv.exe
2008-04-12 20:58 . 2006-03-01 04:02 20,480 --a------ C:\Windows\System32\V0260Ext.crl
2008-04-12 20:48 . 2008-05-25 17:50 <DIR> d-------- C:\Users\elanowiec20\AppData\Roaming\Skype
2008-04-12 19:38 . 2008-04-12 19:38 <DIR> d-------- C:\Windows\System32\Macromed
2008-04-12 19:22 . 2008-04-12 19:22 0 --a------ C:\Windows\nsreg.dat
2008-04-12 19:10 . 2008-04-12 19:10 <DIR> d-------- C:\Users\elanowiec20\AppData\Roaming\Gadu-Gadu
2008-04-12 19:08 . 2008-04-21 20:55 <DIR> d-------- C:\Users\elanowiec20\Gadu-Gadu
2008-04-12 18:19 . 2008-04-12 18:51 46,536 --a------ C:\Windows\System32\drivers\MiniIcpt.sys
2008-04-12 18:19 . 2008-04-12 18:19 42,952 --a------ C:\Windows\System32\drivers\PktIcpt.sys
2008-04-12 18:19 . 2008-04-12 18:51 32,200 --a------ C:\Windows\System32\drivers\HookCentre.sys
2008-04-12 18:19 . 2008-05-03 18:49 67 --a------ C:\Windows\Backup.INI
2008-04-12 18:18 . 2008-04-12 18:18 <DIR> d-------- C:\Users\All Users\Log
2008-04-12 18:18 . 2008-04-19 08:29 <DIR> d-------- C:\Users\All Users\G DATA
2008-04-12 18:18 . 2008-04-12 18:18 <DIR> d-------- C:\ProgramData\Log
2008-04-12 18:18 . 2008-04-19 08:29 <DIR> d-------- C:\ProgramData\G DATA
2008-04-12 18:18 . 2008-04-26 17:54 <DIR> d--hs---- C:\#GDATA.Trash.Store#
2008-04-12 18:18 . 2008-04-12 18:18 41,928 --a------ C:\Windows\System32\drivers\GDTdiIcpt.sys
2008-04-12 18:18 . 2008-02-14 17:34 39,880 --a------ C:\Windows\System32\drivers\gdwfpcd32.sys
2008-04-12 18:17 . 2008-04-12 18:18 <DIR> d-------- C:\Program Files\G DATA TotalCare
2008-04-12 18:17 . 2008-04-12 18:18 <DIR> d-------- C:\Program Files\Common Files\G DATA
2008-04-12 18:10 . 2008-04-12 18:10 <DIR> d-------- C:\Users\All Users\Skype
2008-04-12 18:10 . 2008-04-12 18:10 <DIR> d-------- C:\ProgramData\Skype
2008-04-12 18:10 . 2008-04-12 18:10 <DIR> d-------- C:\Program Files\Skype
2008-04-12 18:05 . 2008-04-12 18:05 <DIR> d-------- C:\Program Files\7-Zip
2008-04-12 17:51 . 2008-04-12 17:51 1,820 --a------ C:\Windows\System32\rasctrnm.h
2008-04-12 17:42 . 2008-01-19 09:34 15,872 --a------ C:\Windows\System32\hcrstco.dll
2008-04-12 17:42 . 2006-11-02 11:46 8,704 --a------ C:\Windows\System32\hccoin.dll
2008-04-12 17:38 . 2008-04-12 17:38 988,216 --a------ C:\Windows\System32\winload.exe
2008-04-12 17:38 . 2008-04-12 17:38 927,288 --a------ C:\Windows\System32\winresume.exe
2008-04-12 17:38 . 2008-04-12 17:38 615,992 --a------ C:\Windows\System32\ci.dll
2008-04-12 17:38 . 2008-04-12 17:38 378,368 --a------ C:\Windows\System32\srcore.dll
2008-04-12 17:38 . 2008-04-12 17:38 318,464 --a------ C:\Windows\System32\rstrui.exe
2008-04-12 17:38 . 2008-04-12 17:38 46,592 --a------ C:\Windows\System32\setbcdlocale.dll
2008-04-12 17:38 . 2008-04-12 17:38 40,960 --a------ C:\Windows\System32\srclient.dll
2008-04-12 17:38 . 2008-04-12 17:38 19,000 --a------ C:\Windows\System32\kd1394.dll
2008-04-12 17:38 . 2008-04-12 17:38 14,848 --a------ C:\Windows\System32\srdelayed.exe
2008-04-12 17:38 . 2008-04-12 17:38 6,656 --a------ C:\Windows\System32\kbd106n.dll
2008-04-12 17:37 . 2008-04-12 17:37 2,032,128 --a------ C:\Windows\System32\win32k.sys
2008-04-12 17:36 . 2008-04-12 17:36 295,936 --a------ C:\Windows\System32\gdi32.dll
2008-04-12 17:31 . 2008-04-12 17:31 1,383,424 --a------ C:\Windows\System32\mshtml.tlb
2008-04-12 17:31 . 2008-04-12 17:31 826,880 --a------ C:\Windows\System32\wininet.dll
2008-04-12 16:59 . 2008-04-12 16:11 <DIR> d-------- C:\Windows\Panther
2008-04-12 16:58 . 2008-04-19 10:15 <DIR> d--hs---- C:\Boot
2008-04-12 16:58 . 2008-01-19 09:45 333,203 -rahs---- C:\bootmgr
2008-04-12 16:58 . 2006-12-04 22:00 99,414 -ra------ C:\Windows\OEMLOGO.BMP
2008-04-12 16:57 . 2008-04-12 16:57 <DIR> d-------- C:\DRIVERS
2008-04-12 16:53 . 2008-04-12 16:53 <DIR> d-------- C:\Windows\ConfigSetRoot
2008-04-12 16:53 . 2008-05-23 16:13 <DIR> d-------- C:\Program Files\Debugging Tools for Windows
2008-04-12 16:39 . 2008-04-12 16:39 <DIR> d-------- C:\Program Files\Common Files\LightScribe
2008-04-12 16:38 . 2008-04-12 20:33 <DIR> d-------- C:\Users\elanowiec20\AppData\Roaming\Ahead
2008-04-12 16:36 . 2008-04-12 16:36 <DIR> d-------- C:\Users\All Users\Nero
2008-04-12 16:36 . 2008-04-12 16:36 <DIR> d-------- C:\ProgramData\Nero
2008-04-12 16:36 . 2008-04-12 16:36 <DIR> d-------- C:\Program Files\Nero
2008-04-12 16:36 . 2008-04-12 16:39 <DIR> d-------- C:\Program Files\Common Files\Ahead
2008-04-12 16:32 . 2006-11-09 19:01 126,976 --a------ C:\Windows\System32\V0260Vfw.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-17 11:18 --------- d-----w C:\Program Files\Windows Mail
2008-04-19 08:15 174 --sha-w C:\Program Files\desktop.ini
2008-04-19 08:07 --------- d-----w C:\Program Files\Windows Sidebar
2008-04-19 08:07 --------- d-----w C:\Program Files\Windows Photo Gallery
2008-04-19 08:07 --------- d-----w C:\Program Files\Windows Journal
2008-04-19 08:07 --------- d-----w C:\Program Files\Windows Defender
2008-04-19 08:07 --------- d-----w C:\Program Files\Windows Collaboration
2008-04-19 08:07 --------- d-----w C:\Program Files\Windows Calendar
2008-04-19 07:53 82,432 ----a-w C:\Windows\System32\axaltocm.dll
2008-04-19 07:53 101,888 ----a-w C:\Windows\System32\ifxcardm.dll
2008-04-12 14:14 --------- d-sh--w C:\ProgramData\Ulubione
2008-04-12 14:14 --------- d-sh--w C:\ProgramData\Szablony
2008-04-12 14:14 --------- d-sh--w C:\ProgramData\Pulpit
2008-04-12 14:14 --------- d-sh--w C:\ProgramData\Menu Start
2008-04-12 14:14 --------- d-sh--w C:\ProgramData\Dokumenty
2008-04-12 14:14 --------- d-sh--w C:\ProgramData\Dane aplikacji
2008-03-08 04:19 540,672 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-03-08 04:19 458,752 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-03-08 04:19 2,153,984 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-03-08 04:19 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-03-08 01:58 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll
.

------- Sigcheck -------

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GDFirewallTray"="C:\Program Files\G DATA TotalCare\Firewall\GDFirewallTray.exe" [2008-02-07 12:59 1193648]
"AVKTray"="C:\Program Files\G DATA TotalCare\AVKTray\AVKTray.exe" [2008-03-04 10:23 603720]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
G DATA Firewall Tray.lnk - C:\Program Files\G DATA TotalCare\Firewall\GDFirewallTray.exe [2008-04-12 18:18:35 1193648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,c:\\program files\\g data totalcare\\avkkid\\avkcks.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{2585779A-5E72-4A8B-8F38-C446337F7BCC}"= C:\Program Files\Skype\Phone\Skype.exe:Skype

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"DoNotAllowExceptions"= 1 (0x1)

R0 videX32;videX32;C:\Windows\system32\DRIVERS\videX32.sys [2006-10-17 14:22]
R0 xfilt;VIA SATA IDE Hot-plug Driver;C:\Windows\system32\DRIVERS\xfilt.sys [2006-10-18 11:39]
R1 gdwfpcd;G DATA WFP CD;C:\Windows\system32\DRIVERS\gdwfpcd32.sys [2008-02-14 17:34]
R2 AVKProxy;G DATA AntiVirus Proxy;"C:\Program Files\Common Files\G DATA\AVKProxy\AVKProxy.exe" [2008-02-19 11:45]
R2 AVKService;G DATA Scheduler;C:\Program Files\G DATA TotalCare\AVK\AVKService.exe [2008-02-07 05:26]
R2 AVKWCtl;Strażnik AntiVirus;C:\Program Files\G DATA TotalCare\AVK\AVKWCtl.exe [2008-02-05 12:26]
R2 GDTdiInterceptor;GDTdiInterceptor;C:\Windows\system32\drivers\GDTdiIcpt.sys [2008-04-12 18:18]
R2 UxTuneUp;TuneUp Theme Extension;C:\Windows\System32\svchost.exe [2008-01-19 09:33]
R3 GDFwSvc;G DATA Personal Firewall;C:\Program Files\G DATA TotalCare\Firewall\GDFwSvc.exe [2007-12-12 12:28]
R3 GDMnIcpt;GDMnIcpt;C:\Windows\system32\drivers\MiniIcpt.sys [2008-04-12 18:51]
R3 GDPkIcpt;GDPkIcpt;C:\Windows\system32\drivers\PktIcpt.sys [2008-04-12 18:19]
R3 HookCentre;HookCentre;C:\Windows\system32\drivers\HookCentre.sys [2008-04-12 18:51]
R3 V0260VID;Live! Cam Vista IM;C:\Windows\system32\DRIVERS\V0260Vid.sys [2006-11-04 00:45]
S3 G DATA Tuner Service;G DATA Tuner Service;C:\Program Files\G DATA TotalCare\AVKTuner\AVKTunerService.exe [2008-03-27 11:03]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-30 19:20:40
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-30 19:21:42
ComboFix-quarantined-files.txt 2008-05-30 17:21:34

Pre-Run: 78,613,958,656 bajtów wolnych
Post-Run: 78,581,415,936 bajtów wolnych

213 --- E O F --- 2008-05-29 06:20:39



This was additionally displayed during ComboFix

pushd "C:\327882R2FWJFW\"

=============================================

ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\elanowiec20\AppData\Roaming
cfldr=327882R2FWJFW
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=ELANOWIEC20-PC
ComSpec=C:\Windows\system32\cmd.exe
configsetroot=C:\Windows\ConfigSetRoot
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Users\elanowiec20
kmd=CF22452.exe
LOCALAPPDATA=C:\Users\elanowiec20\AppData\Local
LOGONSERVER=\\ELANOWIEC20-PC
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\327882R2FWJFW;C:\Windows\system32;C:\Windows;C:\Windows\system32\wbem;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem
PATHEXT=.cfexe;.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 2, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f02
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
PROMPT=$
PUBLIC=C:\Users\Public
sfxname=C:\Users\elanowiec20\Desktop\ComboFix.exe
system=C:\Windows\system32
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\ELANOW~1\AppData\Local\Temp
TMP=C:\Users\ELANOW~1\AppData\Local\Temp
USERDOMAIN=elanowiec20-PC
USERNAME=elanowiec20
USERPROFILE=C:\Users\elanowiec20
windir=C:\Windows

=============================================


if not defined sfxname goto END

Nircmd win close ititle "ComboFix"

If [] == [] Set "SfxCmd="

if /I "C:\327882R2FWJFW" NEQ "C:\327882R2FWJFW" goto Abort

if exist "C:\Users\ELANOW~1\AppData\Local\Temp\327882R2FWJFW327882R2FWJFW.log" del "C:\Users\ELANOW~1\AppData\Local\Temp\327882R2FWJFW327882R2FWJFW.log"
SteelWerX Extended Configuration Access Control Lists
Written by Bobbi Flekman 2006 (C)
Ownerchange for "C:\Windows\system32\cmd.exe" to Administrators group was successful

copy /y "C:\Windows\system32\cmd.exe" "C:\Windows\system32\CF22452.exe"
Liczba skopiowanych plików: 1.

if not exist "C:\Windows\system32\CF22452.exe" catchme -l nul -c "C:\Windows\system32\cmd.exe" "C:\Windows\system32\CF22452.exe"

For /F "tokens=*" %g in ("C:\Users\elanowiec20\Desktop\ComboFix.exe") do @(
set "FileName=%~ng"
set "FilePath=%~dpg"
)

Set FileName 2>nul | GREP -Gisqx "FileName=[-[:alnum:]@.]*" || (
nircmd infobox "You cannot rename ComboFix as ComboFix~n~nPlease use another name, preferbaly made up of alphanumeric characters" ""
goto END
)

DIR /AD/B C:\* | FindStr.exe -IVX ComboFix 1>dirname00

FindStr.exe -LIXC:"ComboFix" dirname00 1>nul && call :NameChk

If exist dirname0? del /Q dirname0?

If exist "\ComboFix" DIR /AD "\ComboFix" 1>nul && (
rd /s/q "\ComboFix"
If exist "\ComboFix" (
PV -kf findstr.exe *.cfexe
rd /s/q "\ComboFix"
)
If exist "\ComboFix" (
handle "C:\ComboFix" | SED -r "/pid:/!d; s/.*: (.*): .*/\1/" 1>temp00
for /F "tokens=1,2" %g in (temp00) do @echo.y | Handle -p %g -c %h
del /q temp00
rd /s/q "\ComboFix"
)
)

If exist "\ComboFix" rd /s/q "\ComboFix"

If exist "\ComboFix" goto :eof

VER | Findstr.exe -ic:"[Version 6.0" && (Call :Vista ) ||

CD ..

Set "comspec=C:\Windows\system32\CF22452.exe"

(
echo.md "\ComboFix"
echo.Move /y "\327882R2FWJFW\*" "\ComboFix"
echo.RD /S/Q "\327882R2FWJFW"
echo.Start "." /d"C:\ComboFix" "C:\Windows\system32\CF22452.exe" /k c.bat
echo.pv -kf cmd.exe
) 1>Start_.cmd

NirCmd exec hide "C:\Windows\system32\CF22452.exe" /f:off /d /c call Start_.cmd

NirCmd execmd del "\327882R2FWJFW\prep.cmd"

EXIT


and this is the log from HijackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:11, on 2008-05-30
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\G DATA TotalCare\Firewall\GDFirewallTray.exe
C:\Program Files\G DATA TotalCare\AVKTray\AVKTray.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\G DATA TotalCare\GUI\avkis.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\elanowiec20\Desktop\Hjack i inne\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\Windows\system32\userinit.exe,c:\program files\g data totalcare\avkkid\avkcks.exe
O1 - Hosts: ::1 localhost
O2 - BHO: G DATA WebFilter Class - {0124123D-61B4-456f-AF86-78C53A0790C5} - C:\Program Files\G DATA TotalCare\Webfilter\AvkWebIE.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: G DATA WebFilter - {0124123D-61B4-456f-AF86-78C53A0790C5} - C:\Program Files\G DATA TotalCare\Webfilter\AvkWebIE.dll
O4 - HKLM\..\Run: [GDFirewallTray] C:\Program Files\G DATA TotalCare\Firewall\GDFirewallTray.exe
O4 - HKLM\..\Run: [AVKTray] "C:\Program Files\G DATA TotalCare\AVKTray\AVKTray.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'USŁUGA SIECIOWA')
O4 - Global Startup: G DATA Firewall Tray.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O13 - Gopher Prefix:
O23 - Service: G DATA AntiVirus Proxy (AVKProxy) - G DATA Software AG - C:\Program Files\Common Files\G DATA\AVKProxy\AVKProxy.exe
O23 - Service: G DATA Scheduler (AVKService) - G DATA Software AG - C:\Program Files\G DATA TotalCare\AVK\AVKService.exe
O23 - Service: Strażnik AntiVirus (AVKWCtl) - G DATA Software AG - C:\Program Files\G DATA TotalCare\AVK\AVKWCtl.exe
O23 - Service: G DATA Tuner Service - G DATA Softwar - C:\Program Files\G DATA TotalCare\AVKTuner\AVKTunerService.exe
O23 - Service: G DATA Personal Firewall (GDFwSvc) - G DATA Software AG - C:\Program Files\G DATA TotalCare\Firewall\GDFwSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

--
End of file - 4196 bytes


Please help and check.
my GG 6504607, feel free to chat
t.w.21
Forum member
Posts: 14
Joined: 28 Feb 2008, 13:40
Location: Toruń

Post by t.w.21 » 30 May 2008, 19:51

This additional log from ComboFix

It's named Bug.txt and I can't delete that file from the computer at all

help

I'll also add that I use G-Data Antivirus

Post by huber2t » 30 May 2008, 20:57

I don't see anything in the logs; are there any problems?
huber2t
Distinguished forum contributor
Posts: 2798
Joined: 21 Mar 2008, 10:07
Commendations: 42

Post by t.w.21 » 30 May 2008, 21:12

Not really, apart from the fact that I keep losing more and more disk space and that my internet is sluggish. I have Vista, so it may be Vista's fault.

and I deleted that txt file named Bug, but it worried me a bit

Post by huber2t » 31 May 2008, 08:39

Turn System Restore off and back on for all drives. Instructions

Clean the disk with CCleaner

Post by t.w.21 » 31 May 2008, 11:20

Yes, but I have Vista HP; will those instructions work on Vista?

Post by huber2t » 31 May 2008, 11:31

sorry
Start -> Control Panel -> System -> System Protection -> clear the check marks next to the drive icons and then tick them again as they were

Post by t.w.21 » 31 May 2008, 11:39

It helped a bit, thanks, I'll manage from here somehow.