Regulamin forum
1. Każdy temat powinien odzwierciedlać treść wątku.2. W przypadku wklejania logów; należy je wykonać od razu przynajmniej z dwóch narzędzi: FRST oraz z GMER
3. Wszelkie logi proszę publikować na przeznaczonych do tego stronach a w poście wklejać tylko link.
4. Nie wskazane jest skracanie logów, należy wkleić cały - od początku, do końca.
5. Nie wskazane jest podczepianie się do tematów innych użytkowników - proszę założyć nowy temat w dziale Bezpieczeństwo, ułatwi to pomoc sprawdzającemu.
6. Osoby nie posiadające odpowiedniej wiedzy, nie powinny sprawdzać logów, ponieważ grozi to poważnym uszkodzeniem systemu lub aplikacji zainstalowanych na komputerze.
7. Należy dokładnie opisać problem, występujące objawy oraz wszelkie podjęte działania.
8. Każdy skrypt jest unikatowy, napisany dla każdego przypadku z osobna, więc nie może być stosowany przez innych.
9. W przypadku zamieszczenia zrzutu ekranu (screenshot'a) proszę korzystać z zewnętrznego serwisu oferującego hosting zdjęć.
Problemy z wirusami - proszę o sprawdzenie Loga
05 Sie 2008, 18:16
Ostatnio mam spore problemy z wirusami
Proszę więc o sprawdzenie loga z hijacka i rady co i jak
LOG :
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:03:09, on 2008-08-05
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\G DATA\AVKProxy\AVKProxy.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = socks=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = plimus.com,www.plimus.com,regnow.com,www.regnow.com,
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [eMuleAutoStart] C:\Program Files\eMule\emule.exe -AutoStart
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\MP3 Player Utilities 4.00\AMVConverter\grab.html
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: MediaManager tool grab multimedia file - C:\Program Files\MP3 Player Utilities 4.00\MediaManager\grab.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{FA81D561-9945-4F62-B967-E8D069B7E6D8}: NameServer = 192.168.2.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{26D55AAC-B5C0-4466-AA53-76DA8425C17A}: NameServer = 192.168.2.1
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVKProxy - G DATA Software AG - C:\Program Files\Common Files\G DATA\AVKProxy\AVKProxy.exe
O23 - Service: Strażnik AVK (AVKWCtl) - G DATA Software AG - (no file)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
--
End of file - 6665 bytes
Proszę więc o sprawdzenie loga z hijacka i rady co i jak
LOG :
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:03:09, on 2008-08-05
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\G DATA\AVKProxy\AVKProxy.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = socks=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = plimus.com,www.plimus.com,regnow.com,www.regnow.com,
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [eMuleAutoStart] C:\Program Files\eMule\emule.exe -AutoStart
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\MP3 Player Utilities 4.00\AMVConverter\grab.html
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: MediaManager tool grab multimedia file - C:\Program Files\MP3 Player Utilities 4.00\MediaManager\grab.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{FA81D561-9945-4F62-B967-E8D069B7E6D8}: NameServer = 192.168.2.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{26D55AAC-B5C0-4466-AA53-76DA8425C17A}: NameServer = 192.168.2.1
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVKProxy - G DATA Software AG - C:\Program Files\Common Files\G DATA\AVKProxy\AVKProxy.exe
O23 - Service: Strażnik AVK (AVKWCtl) - G DATA Software AG - (no file)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
--
End of file - 6665 bytes
05 Sie 2008, 20:21
Log z Combo fixa
Mam np takie coś że mi tapeta znika z pulpitu
ComboFix 08-08-04.06 - us 2008-08-05 17:55:55.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1045.18.171 [GMT 2:00]
Running from: C:\Documents and Settings\us\Pulpit\ComboFix.exe
Command switches used :: C:\Documents and Settings\us\Pulpit\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
D:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2008-07-05 to 2008-08-05 )))))))))))))))))))))))))))))))
.
2008-08-03 22:07 . 2008-08-05 17:57 <DIR> d--h----- C:\Documents and Settings\GeorGe\Ustawienia lokalne
2008-08-03 22:07 . 2008-08-03 22:08 <DIR> dr------- C:\Documents and Settings\GeorGe\Ulubione
2008-08-03 22:07 . 2006-12-16 16:04 <DIR> d--h----- C:\Documents and Settings\GeorGe\Szablony
2008-08-03 22:07 . 2008-08-03 22:13 <DIR> d-------- C:\Documents and Settings\GeorGe\Pulpit
2008-08-03 22:07 . 2008-08-03 22:08 <DIR> dr------- C:\Documents and Settings\GeorGe\Moje dokumenty
2008-08-03 22:07 . 2006-01-01 02:40 <DIR> dr------- C:\Documents and Settings\GeorGe\Menu Start
2008-08-03 22:07 . 2008-08-03 22:14 <DIR> dr-h----- C:\Documents and Settings\GeorGe\Dane aplikacji
2008-08-03 22:07 . 2008-08-03 22:07 <DIR> d-------- C:\Documents and Settings\GeorGe
2008-08-01 00:12 . 2008-08-01 00:12 <DIR> d-------- C:\Program Files\Surreal
2008-07-29 21:53 . 2008-07-29 21:53 565 --a------ C:\WINDOWS\eReg.dat
2008-07-29 21:17 . 2008-07-29 21:17 <DIR> d-------- C:\Program Files\Maxis
2008-07-27 20:53 . 2008-07-27 20:56 <DIR> d-------- C:\Program Files\Kurka Wodna 3
2008-07-25 00:08 . 2008-07-25 00:24 <DIR> d-------- C:\Documents and Settings\us\Dane aplikacji\Hide IP NG
2008-07-21 10:34 . 2008-07-21 10:39 20 --a------ C:\sccfg.sys
2008-07-16 12:06 . 2008-07-16 12:11 <DIR> d-------- C:\Program Files\A4Proxy
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-05 09:08 --------- d-----w C:\Program Files\eMule
2008-08-03 19:47 --------- d-----w C:\Program Files\Ubisoft
2008-08-03 19:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-31 21:31 --------- d-----w C:\Program Files\SpeedFan
2008-07-30 16:42 --------- d--h--w C:\Program Files\Valve
2008-07-25 19:40 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-07-21 18:28 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-07-02 21:41 2,211,328 ----a-w C:\WINDOWS\system32\kernel1.exe
2008-07-02 20:56 --------- d-----w C:\Program Files\OneStepSearch
2008-07-02 10:31 --------- d-----w C:\Program Files\SEGA
2008-07-01 12:43 --------- d-----w C:\Program Files\SubEdit-Player
2008-06-22 20:51 --------- d-----w C:\Program Files\3do
2008-06-22 20:49 --------- d-----w C:\Documents and Settings\us\Dane aplikacji\Corel
2008-06-22 20:43 --------- d-----w C:\Documents and Settings\us\Dane aplikacji\Gearbox Software
2008-06-20 17:37 246,784 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:44 360,960 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:32 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-14 18:01 273,024 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-07 05:16 1,291,264 ----a-w C:\WINDOWS\system32\quartz.dll
2008-03-25 18:36 88 --sh--r C:\Documents and Settings\All Users\Dane aplikacji\F68B7C3427.sys
2008-03-25 18:36 2,516 --sha-w C:\Documents and Settings\All Users\Dane aplikacji\KGyGaAvL.sys
2004-07-22 09:51 3,432,656 ----a-w C:\Program Files\ManagedDX.CAB
2004-07-19 21:58 1,156,363 ----a-w C:\Program Files\BDANT.cab
2004-07-19 21:53 976,020 ----a-w C:\Program Files\BDAXP.cab
2004-07-09 13:17 13,265,040 ----a-w C:\Program Files\dxnt.cab
2004-07-09 08:13 703,080 ----a-w C:\Program Files\BDA.cab
2004-07-09 08:13 15,493,481 ----a-w C:\Program Files\DirectX.cab
2004-07-09 03:08 472,576 ----a-w C:\Program Files\dxsetup.exe
2004-07-09 03:08 2,242,560 ----a-w C:\Program Files\dsetup32.dll
2004-07-09 02:03 62,976 ----a-w C:\Program Files\DSETUP.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 14:00 15360]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-05-10 16:36 2111176]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-10-11 19:25 1961984]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]
"STYLEXP"="C:\Program Files\TGTSoft\StyleXP\StyleXP.exe" [2006-05-24 20:31 1372160]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-08-29 17:09 171464]
"eMuleAutoStart"="C:\Program Files\eMule\emule.exe" [2007-05-13 16:57 5308416]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 16:38 78008]
"D-Link AirPlus G"="C:\Program Files\D-Link\AirPlus G\AirGCFG.exe" [2005-07-22 10:42 1519616]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2004-12-16 17:49 49152]
C:\Documents and Settings\us\Menu Start\Programy\Autostart\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50 113664]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"NoChangeKeyboardNavigationIndicators"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="C:\\Program Files\\TGTSoft\\StyleXP\\Logon\\CurrentLogon.EXE"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"mnmsrvc"=3 (0x3)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\eMule\\emule.exe"=
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 16:35]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 16:37]
R2 AVKProxy;AVKProxy;C:\Program Files\Common Files\G DATA\AVKProxy\AVKProxy.exe [2005-12-19 14:12]
R2 GDTdiInterceptor;GDTdiInterceptor;C:\WINDOWS\system32\drivers\GDTdiIcpt.sys [2007-05-06 13:57]
R3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 00:08]
S3 GDInterceptor;GDInterceptor;C:\WINDOWS\system32\interceptor.sys [2007-05-06 13:57]
S3 Hl_mull;Hl_mull;C:\WINDOWS\system32\drivers\hl_mull.SYS [2003-10-10 17:15]
S3 HookCentre;HookCentre;C:\WINDOWS\system32\drivers\HookCentre.sys [2007-05-06 13:57]
S3 usbscan;Sterownik skanera USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 22:58]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5a1233d2-02cb-11dc-afb6-00179a7be981}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(&0)\command - Recycled\ctfmon.exe
*Newly Created Service* - CATCHME
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-05 17:57:46
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-08-05 17:58:32
ComboFix-quarantined-files.txt 2008-08-05 15:58:29
ComboFix2.txt 2008-08-05 15:54:06
Pre-Run: 16,528,834,560 bajtów wolnych
Post-Run: 16,522,883,072 bajtów wolnych
125 --- E O F --- 2008-08-04 16:48:51
Mam np takie coś że mi tapeta znika z pulpitu
ComboFix 08-08-04.06 - us 2008-08-05 17:55:55.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1045.18.171 [GMT 2:00]
Running from: C:\Documents and Settings\us\Pulpit\ComboFix.exe
Command switches used :: C:\Documents and Settings\us\Pulpit\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
D:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2008-07-05 to 2008-08-05 )))))))))))))))))))))))))))))))
.
2008-08-03 22:07 . 2008-08-05 17:57 <DIR> d--h----- C:\Documents and Settings\GeorGe\Ustawienia lokalne
2008-08-03 22:07 . 2008-08-03 22:08 <DIR> dr------- C:\Documents and Settings\GeorGe\Ulubione
2008-08-03 22:07 . 2006-12-16 16:04 <DIR> d--h----- C:\Documents and Settings\GeorGe\Szablony
2008-08-03 22:07 . 2008-08-03 22:13 <DIR> d-------- C:\Documents and Settings\GeorGe\Pulpit
2008-08-03 22:07 . 2008-08-03 22:08 <DIR> dr------- C:\Documents and Settings\GeorGe\Moje dokumenty
2008-08-03 22:07 . 2006-01-01 02:40 <DIR> dr------- C:\Documents and Settings\GeorGe\Menu Start
2008-08-03 22:07 . 2008-08-03 22:14 <DIR> dr-h----- C:\Documents and Settings\GeorGe\Dane aplikacji
2008-08-03 22:07 . 2008-08-03 22:07 <DIR> d-------- C:\Documents and Settings\GeorGe
2008-08-01 00:12 . 2008-08-01 00:12 <DIR> d-------- C:\Program Files\Surreal
2008-07-29 21:53 . 2008-07-29 21:53 565 --a------ C:\WINDOWS\eReg.dat
2008-07-29 21:17 . 2008-07-29 21:17 <DIR> d-------- C:\Program Files\Maxis
2008-07-27 20:53 . 2008-07-27 20:56 <DIR> d-------- C:\Program Files\Kurka Wodna 3
2008-07-25 00:08 . 2008-07-25 00:24 <DIR> d-------- C:\Documents and Settings\us\Dane aplikacji\Hide IP NG
2008-07-21 10:34 . 2008-07-21 10:39 20 --a------ C:\sccfg.sys
2008-07-16 12:06 . 2008-07-16 12:11 <DIR> d-------- C:\Program Files\A4Proxy
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-05 09:08 --------- d-----w C:\Program Files\eMule
2008-08-03 19:47 --------- d-----w C:\Program Files\Ubisoft
2008-08-03 19:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-31 21:31 --------- d-----w C:\Program Files\SpeedFan
2008-07-30 16:42 --------- d--h--w C:\Program Files\Valve
2008-07-25 19:40 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-07-21 18:28 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-07-02 21:41 2,211,328 ----a-w C:\WINDOWS\system32\kernel1.exe
2008-07-02 20:56 --------- d-----w C:\Program Files\OneStepSearch
2008-07-02 10:31 --------- d-----w C:\Program Files\SEGA
2008-07-01 12:43 --------- d-----w C:\Program Files\SubEdit-Player
2008-06-22 20:51 --------- d-----w C:\Program Files\3do
2008-06-22 20:49 --------- d-----w C:\Documents and Settings\us\Dane aplikacji\Corel
2008-06-22 20:43 --------- d-----w C:\Documents and Settings\us\Dane aplikacji\Gearbox Software
2008-06-20 17:37 246,784 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:44 360,960 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:32 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-14 18:01 273,024 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-07 05:16 1,291,264 ----a-w C:\WINDOWS\system32\quartz.dll
2008-03-25 18:36 88 --sh--r C:\Documents and Settings\All Users\Dane aplikacji\F68B7C3427.sys
2008-03-25 18:36 2,516 --sha-w C:\Documents and Settings\All Users\Dane aplikacji\KGyGaAvL.sys
2004-07-22 09:51 3,432,656 ----a-w C:\Program Files\ManagedDX.CAB
2004-07-19 21:58 1,156,363 ----a-w C:\Program Files\BDANT.cab
2004-07-19 21:53 976,020 ----a-w C:\Program Files\BDAXP.cab
2004-07-09 13:17 13,265,040 ----a-w C:\Program Files\dxnt.cab
2004-07-09 08:13 703,080 ----a-w C:\Program Files\BDA.cab
2004-07-09 08:13 15,493,481 ----a-w C:\Program Files\DirectX.cab
2004-07-09 03:08 472,576 ----a-w C:\Program Files\dxsetup.exe
2004-07-09 03:08 2,242,560 ----a-w C:\Program Files\dsetup32.dll
2004-07-09 02:03 62,976 ----a-w C:\Program Files\DSETUP.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 14:00 15360]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-05-10 16:36 2111176]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-10-11 19:25 1961984]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]
"STYLEXP"="C:\Program Files\TGTSoft\StyleXP\StyleXP.exe" [2006-05-24 20:31 1372160]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-08-29 17:09 171464]
"eMuleAutoStart"="C:\Program Files\eMule\emule.exe" [2007-05-13 16:57 5308416]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 16:38 78008]
"D-Link AirPlus G"="C:\Program Files\D-Link\AirPlus G\AirGCFG.exe" [2005-07-22 10:42 1519616]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2004-12-16 17:49 49152]
C:\Documents and Settings\us\Menu Start\Programy\Autostart\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50 113664]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"NoChangeKeyboardNavigationIndicators"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="C:\\Program Files\\TGTSoft\\StyleXP\\Logon\\CurrentLogon.EXE"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"mnmsrvc"=3 (0x3)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\eMule\\emule.exe"=
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 16:35]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 16:37]
R2 AVKProxy;AVKProxy;C:\Program Files\Common Files\G DATA\AVKProxy\AVKProxy.exe [2005-12-19 14:12]
R2 GDTdiInterceptor;GDTdiInterceptor;C:\WINDOWS\system32\drivers\GDTdiIcpt.sys [2007-05-06 13:57]
R3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 00:08]
S3 GDInterceptor;GDInterceptor;C:\WINDOWS\system32\interceptor.sys [2007-05-06 13:57]
S3 Hl_mull;Hl_mull;C:\WINDOWS\system32\drivers\hl_mull.SYS [2003-10-10 17:15]
S3 HookCentre;HookCentre;C:\WINDOWS\system32\drivers\HookCentre.sys [2007-05-06 13:57]
S3 usbscan;Sterownik skanera USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 22:58]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5a1233d2-02cb-11dc-afb6-00179a7be981}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(&0)\command - Recycled\ctfmon.exe
*Newly Created Service* - CATCHME
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-05 17:57:46
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-08-05 17:58:32
ComboFix-quarantined-files.txt 2008-08-05 15:58:29
ComboFix2.txt 2008-08-05 15:54:06
Pre-Run: 16,528,834,560 bajtów wolnych
Post-Run: 16,522,883,072 bajtów wolnych
125 --- E O F --- 2008-08-04 16:48:51
06 Sie 2008, 06:26
otwórz notatnik i wklej
Z menu Notatnika
Plik Zapisz jako Zmień rozszerzenie z .txt na wszystkie pliki zapisz pod nazwą Fix.reg
Uruchom ten plik, uruchom ponownie komputer
usuń ręcznie folder C: \Qoobox , usuń instalkę Combofix z dysku.
Przeczyść komputer Ccleanerem
Wykonaj optymalizację autostartu
Wyłącz i włącz przywracanie systemu na wszystkich dyskach. Instrukcja
Przeskanuj obszar mojego komputera http://www.kaspersky.pl/virusscanner.html (uruchom przez IE) Daj raport z niego na forum
lub
Dr.WEB CureIt!
Windows Registry Editor Version 5.00
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5a1233d2-02cb-11dc-afb6-00179a7be981}]
Z menu Notatnika
Plik Zapisz jako Zmień rozszerzenie z .txt na wszystkie pliki zapisz pod nazwą Fix.reg
Uruchom ten plik, uruchom ponownie komputer
usuń ręcznie folder C: \Qoobox , usuń instalkę Combofix z dysku.
Przeczyść komputer Ccleanerem
Wykonaj optymalizację autostartu
Wyłącz i włącz przywracanie systemu na wszystkich dyskach. Instrukcja
Przeskanuj obszar mojego komputera http://www.kaspersky.pl/virusscanner.html (uruchom przez IE) Daj raport z niego na forum
lub
Dr.WEB CureIt!