
Request to check a log

Logs, securing the computer and its data. Antivirus and antispyware programs, firewalls, etc.
Forum rules
1. Each topic title should reflect the content of the thread.
2. When pasting logs, produce them right away from at least two tools: FRST and GMER.
3. Please publish all logs on sites intended for that purpose and paste only the link in the post.
4. Shortening logs is not advisable; paste the whole log, from beginning to end.
5. Attaching yourself to other users' topics is not advisable; please start a new topic in the Security section, it makes it easier for the person checking to help.
6. People without the appropriate knowledge should not check logs, because this risks serious damage to the system or to applications installed on the computer.
7. Describe the problem precisely, the symptoms that occur and all actions already taken.
8. Each script is unique, written for each case separately, so it must not be used by others.
9. When posting a screenshot, please use an external image hosting service.

Request to check a log

Post by PawelG » 03 Jun 2008, 16:52

ComboFix 08-06-01.6 - Admin 2008-06-03 15:03:07.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.675 [GMT 2:00]
Running from: C:\Documents and Settings\Admin\Pulpit\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
The following files were disabled during the run:
C:\WINDOWS\system32\dehkj.dll
C:\WINDOWS\system32\dtrgjy.dll
C:\WINDOWS\system32\yzztimsn.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
C:\WINDOWS\linkinfo.dll
C:\WINDOWS\system32\amvo.exe
C:\WINDOWS\system32\amvo0.dll
C:\WINDOWS\system32\crugd.cfg
C:\WINDOWS\system32\drivers\cdralw.sys
C:\WINDOWS\system32\etshabty.exe
C:\WINDOWS\system32\hfrdzx.dll
C:\WINDOWS\system32\ismhasrv.exe
C:\WINDOWS\system32\jashbbty.sys
C:\WINDOWS\system32\lariytrz.cfg
C:\WINDOWS\system32\opshbbty.dll
C:\WINDOWS\system32\oqrthc.cfg
C:\WINDOWS\system32\smmhbsrv.sys
C:\WINDOWS\system32\SysWoWCt.dll
C:\WINDOWS\system32\xfztbmsn.sys
C:\WINDOWS\system32\zaztamsn.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CDRALW
-------\Service_cdralw


((((((((((((((((((((((((( Files Created from 2008-05-03 to 2008-06-03 )))))))))))))))))))))))))))))))
.

2008-06-03 14:31 . 2008-06-03 14:50 <DIR> d-------- C:\Program Files\SkanerOnline
2008-06-03 14:30 . 2008-06-03 14:30 280 ---hs---- C:\WINDOWS\system32\sthth.cfg
2008-06-03 08:49 . 2008-06-03 08:49 1,160 --a------ C:\WINDOWS\mozver.dat
2008-06-03 08:48 . 2008-06-03 15:05 24 --a------ C:\WINDOWS\system32\wymxajkl.sys
2008-06-03 08:48 . 2008-06-03 15:05 24 --a------ C:\WINDOWS\system32\toqnabib.sys
2008-06-03 08:48 . 2008-06-03 15:05 24 --a------ C:\WINDOWS\system32\pzwmaime.sys
2008-06-03 08:48 . 2008-06-03 15:05 24 --a------ C:\WINDOWS\system32\ijsgajba.sys
2008-06-03 08:47 . 2008-06-03 08:47 <DIR> d-------- C:\Program Files\Gadu-Gadu
2008-06-03 08:47 . 2008-06-03 08:48 <DIR> d-------- C:\Documents and Settings\Admin\Gadu-Gadu
2008-06-03 08:46 . 2008-06-03 08:46 <DIR> d-------- C:\Documents and Settings\Admin\Dane aplikacji\Talkback
2008-06-03 08:45 . 2008-06-03 08:45 0 --a------ C:\WINDOWS\nsreg.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-03 12:30 232,960 ---ha-w C:\WINDOWS\system32\hhrdxd.dll
2008-06-03 12:30 218,624 ---ha-w C:\WINDOWS\system32\zdesfx.dll
2008-06-03 12:29 9,728 ----a-w C:\WINDOWS\AppPatch\AcSpecf.dll(1).VIR
2008-06-03 12:29 9,216 ----a-w C:\WINDOWS\AppPatch\AcXtrnel.dll
2008-06-03 06:46 225,792 ---ha-w C:\WINDOWS\system32\wyrsdj.dll
2008-06-03 06:46 218,624 ---ha-w C:\WINDOWS\system32\jhrcar.dll
2008-06-02 22:51 13,824 ----a-w C:\WINDOWS\AppPatch\Jview.dll
2008-06-02 21:32 27,136 ----a-w C:\WINDOWS\AppPatch\AcPlugin.dll(1).VIR
2008-06-02 21:21 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-02 21:21 --------- d-----w C:\Program Files\My Company Name
2008-06-02 21:19 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-06-02 21:15 --------- d-----w C:\Program Files\Realtek
2008-06-02 21:13 --------- d-----w C:\Program Files\AMD
2008-06-02 21:12 4,501 ----a-w C:\WINDOWS\gdrv.sys
2008-06-02 21:07 --------- d-----w C:\Program Files\microsoft frontpage
2008-06-02 21:05 --------- d-----w C:\Program Files\Usługi online
2008-03-13 13:59 137,216 --sh--r C:\yo2mq6.exe
2004-08-08 06:48 15,914 --sh--w C:\WINDOWS\system32\aitlasys.exe
2004-08-08 06:48 520 --sh--w C:\WINDOWS\system32\aoqnabib.sys
2004-08-08 06:48 536,584 --sh--w C:\WINDOWS\system32\apsgdjba.dll
2004-08-08 06:48 15,204 --sh--w C:\WINDOWS\system32\axptajpg.exe
2004-08-08 06:46 16,375 --sh--w C:\WINDOWS\system32\azcbaime.exe
2004-08-08 12:30 16,461 --sh--w C:\WINDOWS\system32\azwmaime.exe
2004-08-08 06:46 520 --sh--w C:\WINDOWS\system32\bcsxachu.sys
2004-08-08 06:48 15,309 --sh--w C:\WINDOWS\system32\dfqnabib.exe
2004-08-08 06:48 520 --sh--w C:\WINDOWS\system32\fstlbsys.sys
2004-08-08 06:46 520 --sh--w C:\WINDOWS\system32\fxcbbime.sys
2004-08-08 12:30 1,040 --sh--w C:\WINDOWS\system32\fxwmbime.sys
2004-08-08 06:48 520 --sh--w C:\WINDOWS\system32\fzptbjpg.sys
2004-08-08 06:46 15,706 --sh--w C:\WINDOWS\system32\ghwxattb.exe
2004-08-08 06:48 520 --sh--w C:\WINDOWS\system32\gpsgajba.sys
2004-08-03 22:44 7,680 --sha-w C:\WINDOWS\system32\hjmh.dll
2004-08-08 06:48 15,666 --sh--w C:\WINDOWS\system32\lpmxajkl.exe
2004-08-08 06:48 16,191 --sh--w C:\WINDOWS\system32\lpsgajba.exe
2004-08-08 12:30 538,120 --sh--w C:\WINDOWS\system32\mnmhgsrv.dll
2004-08-08 06:46 520 --sh--w C:\WINDOWS\system32\newxbttb.sys
2004-08-08 06:48 535,560 --sh--w C:\WINDOWS\system32\nhmxbjkl.dll
2004-08-08 06:46 535,048 --sh--w C:\WINDOWS\system32\oswxcttb.dll
2004-08-08 06:48 534,024 --sh--w C:\WINDOWS\system32\ozfydbyt.dll
2004-08-08 06:48 520 --sh--w C:\WINDOWS\system32\rnmxajkl.sys
2004-08-03 22:44 8,192 --sha-w C:\WINDOWS\system32\sefawe.dll
2004-08-08 06:46 15,528 --sh--w C:\WINDOWS\system32\sfsxachu.exe
2004-08-08 06:48 535,048 --sh--w C:\WINDOWS\system32\skqncbib.dll
2004-08-08 06:48 520 --sh--w C:\WINDOWS\system32\snfybbyt.sys
2004-08-08 06:46 535,048 --sh--w C:\WINDOWS\system32\swsxachu.dll
2004-08-08 06:48 15,037 --sh--w C:\WINDOWS\system32\tjfyabyt.exe
2004-08-03 22:44 7,680 --sha-w C:\WINDOWS\system32\ukrth.dll
2004-08-08 06:48 520 --sh--w C:\WINDOWS\system32\xsdjbbmp.sys
2004-08-08 06:48 520 --sh--w C:\WINDOWS\system32\xzcsbhlp.sys
2004-08-08 06:48 520 --sh--w C:\WINDOWS\system32\xzfhbjpg.sys
2004-08-08 06:48 536,072 --sh--w C:\WINDOWS\system32\ypdjfbmp.dll
2004-08-08 06:48 533,512 --sh--w C:\WINDOWS\system32\yxcschlp.dll
2004-08-08 06:48 533,512 --sh--w C:\WINDOWS\system32\yxfhcjpg.dll
2004-08-08 06:48 535,560 --sh--w C:\WINDOWS\system32\zptlcsys.dll
2004-08-08 06:48 16,147 --sh--w C:\WINDOWS\system32\zsdjabmp.exe
2004-08-08 06:48 14,915 --sh--w C:\WINDOWS\system32\zxcsahlp.exe
2004-08-08 06:48 14,895 --sh--w C:\WINDOWS\system32\zxfhajpg.exe
2004-08-08 06:48 534,536 --sh--w C:\WINDOWS\system32\zxptejpg.dll
2004-08-08 06:46 537,096 --sh--w C:\WINDOWS\system32\zycbdime.dll
2004-08-08 06:48 537,096 --sh--w C:\WINDOWS\system32\zywmfime.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{13FD5987-65D2-C58D-D87E-987451F12531}]
2004-08-08 08:46 535048 ---hs---- C:\WINDOWS\system32\swsxachu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{27AC9076-C898-B098-D098-A18319080972}]
2004-08-08 08:48 535560 ---hs---- C:\WINDOWS\system32\nhmxbjkl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{32023698-6984-8541-9654-698745012523}]
2004-08-08 08:48 535048 ---hs---- C:\WINDOWS\system32\skqncbib.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{33512378-9874-5641-1025-985420368733}]
2004-08-08 08:46 535048 ---hs---- C:\WINDOWS\system32\oswxcttb.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{35671234-7890-ABCD-CDEF-567801237653}]
2004-08-08 08:48 533512 ---hs---- C:\WINDOWS\system32\yxcschlp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4A069845-2036-6084-9054-6087502480A4}]
2004-08-08 08:48 534024 ---hs---- C:\WINDOWS\system32\ozfydbyt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4A698102-5904-AFD0-20DF-CD1A65829CA4}]
2004-08-08 08:46 537096 ---hs---- C:\WINDOWS\system32\zycbdime.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4FD45A54-9875-698F-E56E-65102358FDF4}]
2004-08-08 08:48 536584 ---hs---- C:\WINDOWS\system32\apsgdjba.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{50940F85-F015-14F1-A05F-F69858AC6D05}]
2004-08-08 08:48 535560 ---hs---- C:\WINDOWS\system32\zptlcsys.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6319A1F1-9410-9654-3201-345FFA349136}]
2004-08-08 08:48 537096 ---hs---- C:\WINDOWS\system32\zywmfime.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7C8D1401-A58D-A81C-CD24-A5915C4517C7}]
2004-08-08 14:30 538120 ---hs---- C:\WINDOWS\system32\mnmhgsrv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{81954FAC-1023-154F-895A-1458258AD818}]
2004-08-08 08:48 536072 ---hs---- C:\WINDOWS\system32\ypdjfbmp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{83BA45AF-FAAA-CDDD-BEEE-BCDE1234AB38}]
2004-08-08 08:48 533512 ---hs---- C:\WINDOWS\system32\yxfhcjpg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{91698482-6555-3666-1222-954784129019}]
2004-08-08 08:48 534536 ---hs---- C:\WINDOWS\system32\zxptejpg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9490415F-65F8-B5C5-D8BA-9405FB120549}]
2004-08-08 14:30 536072 --a------ C:\WINDOWS\system32\yzztimsn.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{97421D0D-E07F-40DF-8F07-99597B9585AD}]
2008-06-02 23:32 45056 --a------ C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2008-03-20 12:04 2127296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SkyTel"="SkyTel.EXE" [2006-05-16 12:04 2879488 C:\WINDOWS\SkyTel.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-05-27 04:47 16208384 C:\WINDOWS\RTHDCPL.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-06-01 11:22 7618560]
"nwiz"="nwiz.exe" [2006-06-01 11:22 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-06-01 11:22 86016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:44 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{33512378-9874-5641-1025-985420368733}"= C:\WINDOWS\system32\oswxcttb.dll [2004-08-08 08:46 535048]
"{1DB3C525-5271-46F7-887A-D4E1ADAA7632}"= C:\WINDOWS\system32\hfrdzx.dll [ ]
"{45AADFAA-DD36-42AB-83AD-0521BBF58C24}"= C:\WINDOWS\system32\zdesfx.dll [2008-06-03 14:30 218624]
"{CAED0F3B-DF8B-4DBF-BB20-8DFBC3199068}"= C:\WINDOWS\system32\jhrcar.dll [2008-06-03 08:46 218624]
"{1E51C0FD-EE36-434B-AD2A-FD1FF3731C38}"= C:\WINDOWS\system32\wyrsdj.dll [2008-06-03 08:46 225792]
"{4A698102-5904-AFD0-20DF-CD1A65829CA4}"= C:\WINDOWS\system32\zycbdime.dll [2004-08-08 08:46 537096]
"{13FD5987-65D2-C58D-D87E-987451F12531}"= C:\WINDOWS\system32\swsxachu.dll [2004-08-08 08:46 535048]
"{6319A1F1-9410-9654-3201-345FFA349136}"= C:\WINDOWS\system32\zywmfime.dll [2004-08-08 08:48 537096]
"{4A069845-2036-6084-9054-6087502480A4}"= C:\WINDOWS\system32\ozfydbyt.dll [2004-08-08 08:48 534024]
"{4FD45A54-9875-698F-E56E-65102358FDF4}"= C:\WINDOWS\system32\apsgdjba.dll [2004-08-08 08:48 536584]
"{35671234-7890-ABCD-CDEF-567801237653}"= C:\WINDOWS\system32\yxcschlp.dll [2004-08-08 08:48 533512]
"{81954FAC-1023-154F-895A-1458258AD818}"= C:\WINDOWS\system32\ypdjfbmp.dll [2004-08-08 08:48 536072]
"{83BA45AF-FAAA-CDDD-BEEE-BCDE1234AB38}"= C:\WINDOWS\system32\yxfhcjpg.dll [2004-08-08 08:48 533512]
"{27AC9076-C898-B098-D098-A18319080972}"= C:\WINDOWS\system32\nhmxbjkl.dll [2004-08-08 08:48 535560]
"{91698482-6555-3666-1222-954784129019}"= C:\WINDOWS\system32\zxptejpg.dll [2004-08-08 08:48 534536]
"{32023698-6984-8541-9654-698745012523}"= C:\WINDOWS\system32\skqncbib.dll [2004-08-08 08:48 535048]
"{7C8D1401-A58D-A81C-CD24-A5915C4517C7}"= C:\WINDOWS\system32\mnmhgsrv.dll [2004-08-08 14:30 538120]
"{9490415F-65F8-B5C5-D8BA-9405FB120549}"= C:\WINDOWS\system32\yzztimsn.dll [2004-08-08 14:30 536072]
"{50940F85-F015-14F1-A05F-F69858AC6D05}"= C:\WINDOWS\system32\zptlcsys.dll [2004-08-08 08:48 535560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"ThunderAdvise"= {97421D0D-E07F-40DF-8F07-99597B9585AD} - C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll [2008-06-02 23:32 45056]
"JavaView"= {DA191DE0-AA86-D04E-4B87-2A3D4928BE99} - C:\WINDOWS\AppPatch\Jview.dll [2008-06-03 00:51 13824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=nhmxbjkl.dll,yzztimsn.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

S3 gdrv;gdrv;C:\WINDOWS\gdrv.sys [2008-06-02 23:12]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\yo2mq6.exe
\Shell\explore\Command - F:\yo2mq6.exe
\Shell\open\Command - F:\yo2mq6.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\yo2mq6.exe
\Shell\explore\Command - G:\yo2mq6.exe
\Shell\open\Command - G:\yo2mq6.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6c2dd46b-30ea-11dd-bbc1-806d6172696f}]
\Shell\AutoRun\command - G:\yo2mq6.exe
\Shell\explore\Command - G:\yo2mq6.exe
\Shell\open\Command - G:\yo2mq6.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f5a78460-30f5-11dd-bbc3-000fea5b8914}]
\Shell\AutoRun\command - F:\yo2mq6.exe
\Shell\explore\Command - F:\yo2mq6.exe
\Shell\open\Command - F:\yo2mq6.exe

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-03 15:05:17
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\ATKKBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-06-03 15:05:48 - machine was rebooted [Admin]
ComboFix-quarantined-files.txt 2008-06-03 13:05:45

Pre-Run: 7,414,145,024 bajtów wolnych
Post-Run: 7,419,363,328 bajtów wolnych

PawelG
Forum member

Posts: 25
Joined: 03 Jun 2008, 15:12

Post by huber2t » 03 Jun 2008, 20:04

To clean the pendrive of viruses, use
Perlovga Removal Tool
Flash Disinfector
or format it.

Download ComboFix, but do not run it.
Paste into Notepad:
Code:
File::
C:\WINDOWS\system32\wymxajkl.sys
C:\WINDOWS\system32\toqnabib.sys
C:\WINDOWS\system32\pzwmaime.sys
C:\WINDOWS\system32\ijsgajba.sys
C:\WINDOWS\system32\hhrdxd.dll
C:\WINDOWS\system32\zdesfx.dll
C:\WINDOWS\AppPatch\AcSpecf.dll(1).VIR
C:\WINDOWS\AppPatch\AcXtrnel.dll
C:\WINDOWS\system32\wyrsdj.dll
C:\WINDOWS\system32\jhrcar.dll
C:\WINDOWS\AppPatch\Jview.dll
C:\WINDOWS\AppPatch\AcPlugin.dll(1).VIR
C:\yo2mq6.exe
C:\WINDOWS\system32\swsxachu.dll
C:\WINDOWS\system32\aitlasys.exe
C:\WINDOWS\system32\aoqnabib.sys
C:\WINDOWS\system32\apsgdjba.dll
C:\WINDOWS\system32\axptajpg.exe
C:\WINDOWS\system32\azcbaime.exe
C:\WINDOWS\system32\azwmaime.exe
C:\WINDOWS\system32\bcsxachu.sys
C:\WINDOWS\system32\dfqnabib.exe
C:\WINDOWS\system32\fstlbsys.sys
C:\WINDOWS\system32\fxcbbime.sys
C:\WINDOWS\system32\fxwmbime.sys
C:\WINDOWS\system32\fzptbjpg.sys
C:\WINDOWS\system32\ghwxattb.exe
C:\WINDOWS\system32\gpsgajba.sys
C:\WINDOWS\system32\hjmh.dll
C:\WINDOWS\system32\lpmxajkl.exe
C:\WINDOWS\system32\lpsgajba.exe
C:\WINDOWS\system32\mnmhgsrv.dll
C:\WINDOWS\system32\newxbttb.sys
C:\WINDOWS\system32\nhmxbjkl.dll
C:\WINDOWS\system32\oswxcttb.dll
C:\WINDOWS\system32\ozfydbyt.dll
C:\WINDOWS\system32\rnmxajkl.sys
C:\WINDOWS\system32\sefawe.dll
C:\WINDOWS\system32\sfsxachu.exe
C:\WINDOWS\system32\skqncbib.dll
C:\WINDOWS\system32\snfybbyt.sys
C:\WINDOWS\system32\swsxachu.dll
C:\WINDOWS\system32\tjfyabyt.exe
C:\WINDOWS\system32\ukrth.dll
C:\WINDOWS\system32\xsdjbbmp.sys
C:\WINDOWS\system32\xzcsbhlp.sys
C:\WINDOWS\system32\xzfhbjpg.sys
C:\WINDOWS\system32\ypdjfbmp.dll
C:\WINDOWS\system32\yxcschlp.dll
C:\WINDOWS\system32\yxfhcjpg.dll
C:\WINDOWS\system32\zptlcsys.dll
C:\WINDOWS\system32\zsdjabmp.exe
C:\WINDOWS\system32\zxcsahlp.exe
C:\WINDOWS\system32\zxfhajpg.exe
C:\WINDOWS\system32\zxptejpg.dll
C:\WINDOWS\system32\zycbdime.dll
C:\WINDOWS\system32\zywmfime.dll

Folder::
C:\WINDOWS\Downloaded Program Files

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{97421D0D-E07F-40DF-8F07-99597B9585AD}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{13FD5987-65D2-C58D-D87E-987451F12531}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{27AC9076-C898-B098-D098-A18319080972}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{32023698-6984-8541-9654-698745012523}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{33512378-9874-5641-1025-985420368733}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{35671234-7890-ABCD-CDEF-567801237653}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4A069845-2036-6084-9054-6087502480A4}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4A698102-5904-AFD0-20DF-CD1A65829CA4}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4FD45A54-9875-698F-E56E-65102358FDF4}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{50940F85-F015-14F1-A05F-F69858AC6D05}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6319A1F1-9410-9654-3201-345FFA349136}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7C8D1401-A58D-A81C-CD24-A5915C4517C7}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{81954FAC-1023-154F-895A-1458258AD818}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{83BA45AF-FAAA-CDDD-BEEE-BCDE1234AB38}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{91698482-6555-3666-1222-954784129019}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9490415F-65F8-B5C5-D8BA-9405FB120549}]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{33512378-9874-5641-1025-985420368733}"=-
"{1DB3C525-5271-46F7-887A-D4E1ADAA7632}"=-
"{45AADFAA-DD36-42AB-83AD-0521BBF58C24}"=-
"{CAED0F3B-DF8B-4DBF-BB20-8DFBC3199068}"=-
"{1E51C0FD-EE36-434B-AD2A-FD1FF3731C38}"=-
"{4A698102-5904-AFD0-20DF-CD1A65829CA4}"=-
"{13FD5987-65D2-C58D-D87E-987451F12531}"=-
"{6319A1F1-9410-9654-3201-345FFA349136}"=-
"{4A069845-2036-6084-9054-6087502480A4}"=-
"{4FD45A54-9875-698F-E56E-65102358FDF4}"=-
"{35671234-7890-ABCD-CDEF-567801237653}"=-
"{81954FAC-1023-154F-895A-1458258AD818}"=-
"{83BA45AF-FAAA-CDDD-BEEE-BCDE1234AB38}"=-
"{27AC9076-C898-B098-D098-A18319080972}"=-
"{91698482-6555-3666-1222-954784129019}"=-
"{32023698-6984-8541-9654-698745012523}"=-
"{7C8D1401-A58D-A81C-CD24-A5915C4517C7}"=-
"{9490415F-65F8-B5C5-D8BA-9405FB120549}"=-
"{50940F85-F015-14F1-A05F-F69858AC6D05}"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"ThunderAdvise"=-
"JavaView"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2]

File -> Save as -> CFScript.txt (it is most convenient to save it in a location where the CFScript.txt icon sits next to the ComboFix.exe icon).
Drag and drop the CFScript.txt icon onto the ComboFix.exe icon, as shown here ->
[image]
Removal will start and a log will be produced; post that log on the forum.
huber2t
Distinguished forum contributor

Posts: 2798
Joined: 21 Mar 2008, 10:07
Commendations: 42
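The loading points in the log above (Browser Helper Objects backed by hidden+system DLLs, the ShellExecuteHooks list, the AppInit_DLLs value, and the MountPoints2 autorun handlers pointing at yo2mq6.exe on F: and G:) are exactly the entries huber2t's CFScript removes. As an added example, not part of the thread and not ComboFix's own code, here is a small Python triage script that parses constructed sample lines modelled on that "Reg Loading Points" section and lists such entries together with the reason each deserves review. The regexes, the `Finding` type, the `triage_loading_points` function and the sample lines are this example's assumptions about the log layout; it only reports, and the decision about what to remove stays with the person checking the log.

```python
"""Triage of the "Reg Loading Points" section of a ComboFix log.

Added example for this thread; not part of the forum post and not ComboFix's
own code. It parses constructed sample lines, modelled on the log posted in
the thread, and flags persistence mechanisms an analyst would review before
writing a CFScript: BHOs backed by hidden+system DLLs, ShellExecuteHooks
entries, AppInit_DLLs, and MountPoints2 handlers that run an executable
from the root of a volume. It reports only; it removes nothing.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample, modelled on the ComboFix output in the thread (not a
# verbatim copy). Raw string so the Windows paths keep single backslashes.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{13FD5987-65D2-C58D-D87E-987451F12531}]
2004-08-08 08:46 535048 ---hs---- C:\WINDOWS\system32\swsxachu.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-06-01 11:22 7618560]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{33512378-9874-5641-1025-985420368733}"= C:\WINDOWS\system32\oswxcttb.dll [2004-08-08 08:46 535048]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=nhmxbjkl.dll,yzztimsn.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\yo2mq6.exe
\Shell\open\Command - F:\yo2mq6.exe
"""

# "[HKEY_...\key]" header line that starts a new registry key block
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "2004-08-08 08:46 535048 ---hs---- C:\path\file.dll"  (date, time, size, attrs, path)
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+\d+\s+(?P<attrs>[-a-z]{9})\s+(?P<path>.+)$"
)
# '"name"= value [date size]' with the bracketed trailer optional
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<value>[^\[]+?)\s*(?:\[[^\]]*\])?$')
# "\Shell\AutoRun\command - F:\yo2mq6.exe"
MOUNT_RE = re.compile(r"^\\Shell\\(?P<verb>\w+)\\command\s+-\s+(?P<cmd>.+)$", re.IGNORECASE)
# an .exe sitting directly in a volume root, e.g. F:\yo2mq6.exe
ROOT_EXE_RE = re.compile(r"^[a-z]:\\[^\\]+\.exe$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    key: str      # registry key the entry lives under
    target: str   # DLL/EXE the entry points at
    reason: str   # why an analyst should look at it


def triage_loading_points(log_text: str) -> list[Finding]:
    """Walk the log line by line, remember the current registry key, and
    collect entries matching one of the persistence patterns above."""
    findings: list[Finding] = []
    key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        km = KEY_RE.match(line)
        if km:
            key = km["key"]
            continue
        lkey = key.lower()
        if "browser helper objects" in lkey:
            fm = FILE_RE.match(line)
            # ComboFix prints the attribute string; 'h' and 's' = hidden, system
            if fm and "h" in fm["attrs"] and "s" in fm["attrs"]:
                findings.append(Finding(key, fm["path"],
                    "BHO backed by a hidden+system DLL (loaded into Internet Explorer)"))
        elif lkey.endswith("shellexecutehooks"):
            vm = VALUE_RE.match(line)
            if vm:
                findings.append(Finding(key, vm["value"],
                    "ShellExecuteHooks DLL is loaded by Explorer whenever something is launched"))
        elif lkey.endswith(r"currentversion\windows"):
            vm = VALUE_RE.match(line)
            if vm and vm["name"].lower() == "appinit_dlls":
                for dll in vm["value"].split(","):
                    findings.append(Finding(key, dll.strip(),
                        "AppInit_DLLs entry is injected into every process that loads user32.dll"))
        elif "mountpoints2" in lkey:
            mm = MOUNT_RE.match(line)
            if mm and ROOT_EXE_RE.match(mm["cmd"]):
                findings.append(Finding(key, mm["cmd"],
                    f"MountPoints2 '{mm['verb']}' handler runs an executable from a volume root "
                    "(typical of autorun.inf worms on USB sticks)"))
    return findings


if __name__ == "__main__":
    for f in triage_loading_points(SAMPLE_LOG):
        print(f"{f.target}\n    under {f.key}\n    {f.reason}")
```

Run it as a script to see the six entries the sample yields; the legitimate NvCplDaemon Run entry is not reported because the ordinary Run key is left for the analyst to read in full. Feeding it the real "Reg Loading Points" section from a ComboFix log gives a quick list of what to look up before anything is scripted for removal.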

Post by PawelG » 03 Jun 2008, 20:33

Code:
ComboFix 08-06-01.6 - Admin 2008-06-03 20:27:33.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1250.1.1045.18.630 [GMT 2:00]
Running from: C:\Documents and Settings\Admin\Pulpit\ComboFix.exe
Command switches used :: C:\Documents and Settings\Admin\Pulpit\CFScript.txt
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\AppPatch\AcPlugin.dll(1).VIR
C:\WINDOWS\AppPatch\AcSpecf.dll(1).VIR
C:\WINDOWS\AppPatch\AcXtrnel.dll
C:\WINDOWS\AppPatch\Jview.dll
C:\WINDOWS\system32\aitlasys.exe
C:\WINDOWS\system32\aoqnabib.sys
C:\WINDOWS\system32\apsgdjba.dll
C:\WINDOWS\system32\axptajpg.exe
C:\WINDOWS\system32\azcbaime.exe
C:\WINDOWS\system32\azwmaime.exe
C:\WINDOWS\system32\bcsxachu.sys
C:\WINDOWS\system32\dfqnabib.exe
C:\WINDOWS\system32\fstlbsys.sys
C:\WINDOWS\system32\fxcbbime.sys
C:\WINDOWS\system32\fxwmbime.sys
C:\WINDOWS\system32\fzptbjpg.sys
C:\WINDOWS\system32\ghwxattb.exe
C:\WINDOWS\system32\gpsgajba.sys
C:\WINDOWS\system32\hhrdxd.dll
C:\WINDOWS\system32\hjmh.dll
C:\WINDOWS\system32\ijsgajba.sys
C:\WINDOWS\system32\jhrcar.dll
C:\WINDOWS\system32\lpmxajkl.exe
C:\WINDOWS\system32\lpsgajba.exe
C:\WINDOWS\system32\mnmhgsrv.dll
C:\WINDOWS\system32\newxbttb.sys
C:\WINDOWS\system32\nhmxbjkl.dll
C:\WINDOWS\system32\oswxcttb.dll
C:\WINDOWS\system32\ozfydbyt.dll
C:\WINDOWS\system32\pzwmaime.sys
C:\WINDOWS\system32\rnmxajkl.sys
C:\WINDOWS\system32\sefawe.dll
C:\WINDOWS\system32\sfsxachu.exe
C:\WINDOWS\system32\skqncbib.dll
C:\WINDOWS\system32\snfybbyt.sys
C:\WINDOWS\system32\swsxachu.dll
C:\WINDOWS\system32\tjfyabyt.exe
C:\WINDOWS\system32\toqnabib.sys
C:\WINDOWS\system32\ukrth.dll
C:\WINDOWS\system32\wymxajkl.sys
C:\WINDOWS\system32\wyrsdj.dll
C:\WINDOWS\system32\xsdjbbmp.sys
C:\WINDOWS\system32\xzcsbhlp.sys
C:\WINDOWS\system32\xzfhbjpg.sys
C:\WINDOWS\system32\ypdjfbmp.dll
C:\WINDOWS\system32\yxcschlp.dll
C:\WINDOWS\system32\yxfhcjpg.dll
C:\WINDOWS\system32\zdesfx.dll
C:\WINDOWS\system32\zptlcsys.dll
C:\WINDOWS\system32\zsdjabmp.exe
C:\WINDOWS\system32\zxcsahlp.exe
C:\WINDOWS\system32\zxfhajpg.exe
C:\WINDOWS\system32\zxptejpg.dll
C:\WINDOWS\system32\zycbdime.dll
C:\WINDOWS\system32\zywmfime.dll
C:\yo2mq6.exe
C:\WINDOWS\Downloaded Program Files   :#:
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\AppPatch\AcXtrnel.dll
C:\WINDOWS\AppPatch\Jview.dll
C:\WINDOWS\system32\aitlasys.exe
C:\WINDOWS\system32\aoqnabib.sys
C:\WINDOWS\system32\apsgdjba.dll
C:\WINDOWS\system32\axptajpg.exe
C:\WINDOWS\system32\azcbaime.exe
C:\WINDOWS\system32\azwmaime.exe
C:\WINDOWS\system32\bcsxachu.sys
C:\WINDOWS\system32\crugd.dll
C:\WINDOWS\system32\dfqnabib.exe
C:\WINDOWS\system32\fstlbsys.sys
C:\WINDOWS\system32\fxcbbime.sys
C:\WINDOWS\system32\fxwmbime.sys
C:\WINDOWS\system32\fzptbjpg.sys
C:\WINDOWS\system32\ghwxattb.exe
C:\WINDOWS\system32\gpsgajba.sys
C:\WINDOWS\system32\hhrdxd.dll
C:\WINDOWS\system32\hjmh.dll
C:\WINDOWS\system32\ijsgajba.sys
C:\WINDOWS\system32\ismhasrv.exe
C:\WINDOWS\system32\jhrcar.dll
C:\WINDOWS\system32\lariytrz.dll
C:\WINDOWS\system32\lpmxajkl.exe
C:\WINDOWS\system32\lpsgajba.exe
C:\WINDOWS\system32\mnmhgsrv.dll
C:\WINDOWS\system32\newxbttb.sys
C:\WINDOWS\system32\nhmxbjkl.dll
C:\WINDOWS\system32\oqrthc.dll
C:\WINDOWS\system32\oswxcttb.dll
C:\WINDOWS\system32\ozfydbyt.dll
C:\WINDOWS\system32\pzwmaime.sys
C:\WINDOWS\system32\rnmxajkl.sys
C:\WINDOWS\system32\sefawe.dll
C:\WINDOWS\system32\sfsxachu.exe
C:\WINDOWS\system32\skqncbib.dll
C:\WINDOWS\system32\smmhbsrv.sys
C:\WINDOWS\system32\snfybbyt.sys
C:\WINDOWS\system32\swsxachu.dll
C:\WINDOWS\system32\tjfyabyt.exe
C:\WINDOWS\system32\toqnabib.sys
C:\WINDOWS\system32\ukrth.dll
C:\WINDOWS\system32\wymxajkl.sys
C:\WINDOWS\system32\wyrsdj.dll
C:\WINDOWS\system32\xsdjbbmp.sys
C:\WINDOWS\system32\xzcsbhlp.sys
C:\WINDOWS\system32\xzfhbjpg.sys
C:\WINDOWS\system32\ypdjfbmp.dll
C:\WINDOWS\system32\yxcschlp.dll
C:\WINDOWS\system32\yxfhcjpg.dll
C:\WINDOWS\system32\zdesfx.dll
C:\WINDOWS\system32\zptlcsys.dll
C:\WINDOWS\system32\zsdjabmp.exe
C:\WINDOWS\system32\zxcsahlp.exe
C:\WINDOWS\system32\zxfhajpg.exe
C:\WINDOWS\system32\zxptejpg.dll
C:\WINDOWS\system32\zycbdime.dll
C:\WINDOWS\system32\zywmfime.dll
C:\yo2mq6.exe

.
(((((((((((((((((((((((((   Files Created from 2008-05-03 to 2008-06-03  )))))))))))))))))))))))))))))))
.

2008-06-03 15:15 . 2008-06-03 15:15   <DIR>   d--------   C:\WINDOWS\system32\Kaspersky Lab
2008-06-03 15:15 . 2008-06-03 15:15   <DIR>   d--------   C:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab
2008-06-03 14:31 . 2008-06-03 14:50   <DIR>   d--------   C:\Program Files\SkanerOnline
2008-06-03 14:30 . 2008-06-03 14:30   280   ---hs----   C:\WINDOWS\system32\sthth.cfg
2008-06-03 08:49 . 2008-06-03 08:49   1,160   --a------   C:\WINDOWS\mozver.dat
2008-06-03 08:47 . 2008-06-03 08:47   <DIR>   d--------   C:\Program Files\Gadu-Gadu
2008-06-03 08:47 . 2008-06-03 08:48   <DIR>   d--------   C:\Documents and Settings\Admin\Gadu-Gadu
2008-06-03 08:46 . 2008-06-03 08:46   <DIR>   d--------   C:\Documents and Settings\Admin\Dane aplikacji\Talkback
2008-06-03 08:46 . 2008-06-03 14:30   280   ---hs----   C:\WINDOWS\system32\xfgnfx.cfg
2008-06-03 08:46 . 2008-06-03 14:30   280   ---hs----   C:\WINDOWS\system32\xdhdg.cfg
2008-06-03 08:46 . 2008-06-03 08:46   280   ---hs----   C:\WINDOWS\system32\thef.cfg
2008-06-03 08:46 . 2008-06-03 14:30   280   ---hs----   C:\WINDOWS\system32\kduy.cfg
2008-06-03 08:46 . 2008-06-03 08:46   144   ---hs----   C:\WINDOWS\system32\ydgn.cfg
2008-06-03 08:46 . 2008-06-03 19:58   24   --a------   C:\WINDOWS\system32\tiwxattb.sys
2008-06-03 08:46 . 2008-06-03 19:58   24   --a------   C:\WINDOWS\system32\lesxachu.sys
2008-06-03 08:45 . 2008-06-03 08:45   0   --a------   C:\WINDOWS\nsreg.dat

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-02 21:21   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
2008-06-02 21:21   ---------   d-----w   C:\Program Files\My Company Name
2008-06-02 21:19   ---------   d-----w   C:\Program Files\Common Files\InstallShield
2008-06-02 21:15   ---------   d-----w   C:\Program Files\Realtek
2008-06-02 21:13   ---------   d-----w   C:\Program Files\AMD
2008-06-02 21:12   4,501   ----a-w   C:\WINDOWS\gdrv.sys
2008-06-02 21:07   ---------   d-----w   C:\Program Files\microsoft frontpage
2008-06-02 21:05   ---------   d-----w   C:\Program Files\Usługi online
.

(((((((((((((((((((((((((((((   snapshot@2008-06-03_15.05.38.45   )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-03 13:05:09   2,048   --s-a-w   C:\WINDOWS\bootstat.dat
+ 2008-06-03 18:29:12   2,048   --s-a-w   C:\WINDOWS\bootstat.dat
+ 2005-05-24 10:27:16   213,048   ----a-w   C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 13:47:20   94,208   ----a-w   C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 13:49:54   950,272   ----a-w   C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9490415F-65F8-B5C5-D8BA-9405FB120549}]
2004-08-08 14:30   536072   --a------   C:\WINDOWS\system32\yzztimsn.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2008-03-20 12:04 2127296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SkyTel"="SkyTel.EXE" [2006-05-16 12:04 2879488 C:\WINDOWS\SkyTel.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-05-27 04:47 16208384 C:\WINDOWS\RTHDCPL.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-06-01 11:22 7618560]
"nwiz"="nwiz.exe" [2006-06-01 11:22 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-06-01 11:22 86016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:44 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{9490415F-65F8-B5C5-D8BA-9405FB120549}"= C:\WINDOWS\system32\yzztimsn.dll [2004-08-08 14:30 536072]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

S3 gdrv;gdrv;C:\WINDOWS\gdrv.sys [2008-06-02 23:12]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-03 20:29:21
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\ATKKBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-06-03 20:29:50 - machine was rebooted
ComboFix-quarantined-files.txt  2008-06-03 18:29:48
ComboFix2.txt  2008-06-03 13:05:48

Pre-Run: 7,386,103,808 bajtów wolnych
Post-Run: 7,376,314,368 bajtów wolnych

PawelG
Forum member

Posts: 25
Joined: 03 Jun 2008, 15:12

Post by huber2t » 04 Jun 2008, 05:53

Download ComboFix, but do not run it.
Paste into Notepad:
Code:
File::
C:\WINDOWS\system32\xfgnfx.cfg
C:\WINDOWS\system32\xdhdg.cfg
C:\WINDOWS\system32\thef.cfg
C:\WINDOWS\system32\kduy.cfg
C:\WINDOWS\system32\ydgn.cfg
C:\WINDOWS\system32\tiwxattb.sys
C:\WINDOWS\system32\lesxachu.sys
C:\WINDOWS\system32\yzztimsn.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9490415F-65F8-B5C5-D8BA-9405FB120549}]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{9490415F-65F8-B5C5-D8BA-9405FB120549}"=-

File -> Save as -> CFScript.txt (it is most convenient to save it in a location where the CFScript.txt icon sits next to the ComboFix.exe icon).
Drag and drop the CFScript.txt icon onto the ComboFix.exe icon, as shown here ->
[image]
Removal will start and a log will be produced; post that log on the forum.
huber2t
Distinguished forum contributor

Posts: 2798
Joined: 21 Mar 2008, 10:07
Commendations: 42

Post by PawelG » 04 Jun 2008, 09:17

Code:
ComboFix 08-06-01.6 - Admin 2008-06-04  9:12:08.3 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1250.1.1045.18.710 [GMT 2:00]
Running from: C:\Documents and Settings\Admin\Pulpit\ComboFix.exe
Command switches used :: C:\Documents and Settings\Admin\Pulpit\CFScript.txt
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\kduy.cfg
C:\WINDOWS\system32\lesxachu.sys
C:\WINDOWS\system32\thef.cfg
C:\WINDOWS\system32\tiwxattb.sys
C:\WINDOWS\system32\xdhdg.cfg
C:\WINDOWS\system32\xfgnfx.cfg
C:\WINDOWS\system32\ydgn.cfg
C:\WINDOWS\system32\yzztimsn.dll
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\linkinfo.dll
C:\WINDOWS\system32\drivers\cdralw.sys
C:\WINDOWS\system32\ismhasrv.exe
C:\WINDOWS\system32\kduy.cfg
C:\WINDOWS\system32\lesxachu.sys
C:\WINDOWS\system32\smmhbsrv.sys
C:\WINDOWS\system32\thef.cfg
C:\WINDOWS\system32\tiwxattb.sys
C:\WINDOWS\system32\xdhdg.cfg
C:\WINDOWS\system32\xfgnfx.cfg
C:\WINDOWS\system32\ydgn.cfg
C:\WINDOWS\system32\yzztimsn.dll
D:\Autorun.inf

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CDRALW
-------\Service_cdralw


(((((((((((((((((((((((((   Files Created from 2008-05-04 to 2008-06-04  )))))))))))))))))))))))))))))))
.

2008-06-03 15:15 . 2008-06-03 15:15   <DIR>   d--------   C:\WINDOWS\system32\Kaspersky Lab
2008-06-03 15:15 . 2008-06-03 15:15   <DIR>   d--------   C:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab
2008-06-03 14:31 . 2008-06-03 14:50   <DIR>   d--------   C:\Program Files\SkanerOnline
2008-06-03 14:30 . 2008-06-03 14:30   280   ---hs----   C:\WINDOWS\system32\sthth.cfg
2008-06-03 08:49 . 2008-06-03 08:49   1,160   --a------   C:\WINDOWS\mozver.dat
2008-06-03 08:47 . 2008-06-03 08:47   <DIR>   d--------   C:\Program Files\Gadu-Gadu
2008-06-03 08:47 . 2008-06-03 08:48   <DIR>   d--------   C:\Documents and Settings\Admin\Gadu-Gadu
2008-06-03 08:46 . 2008-06-03 08:46   <DIR>   d--------   C:\Documents and Settings\Admin\Dane aplikacji\Talkback
2008-06-03 08:45 . 2008-06-03 08:45   0   --a------   C:\WINDOWS\nsreg.dat

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-04 07:10   9,728   ----a-w   C:\WINDOWS\AppPatch\AcSpecf.dll
2008-06-04 07:10   27,136   ----a-w   C:\WINDOWS\AppPatch\AcPlugin.dll
2008-06-04 07:05   9,216   ----a-w   C:\WINDOWS\AppPatch\AcXtrnel.dll
2008-06-03 18:39   13,824   ----a-w   C:\WINDOWS\AppPatch\Jview.dll
2008-06-02 21:21   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
2008-06-02 21:21   ---------   d-----w   C:\Program Files\My Company Name
2008-06-02 21:19   ---------   d-----w   C:\Program Files\Common Files\InstallShield
2008-06-02 21:15   ---------   d-----w   C:\Program Files\Realtek
2008-06-02 21:13   ---------   d-----w   C:\Program Files\AMD
2008-06-02 21:12   4,501   ----a-w   C:\WINDOWS\gdrv.sys
2008-06-02 21:07   ---------   d-----w   C:\Program Files\microsoft frontpage
2008-06-02 21:05   ---------   d-----w   C:\Program Files\Usługi online
2004-08-08 18:40   538,120   --sh--w   C:\WINDOWS\system32\mnmhgsrv.dll
.

(((((((((((((((((((((((((((((   snapshot@2008-06-03_15.05.38.45   )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-03 13:05:09   2,048   --s-a-w   C:\WINDOWS\bootstat.dat
+ 2008-06-04 07:13:44   2,048   --s-a-w   C:\WINDOWS\bootstat.dat
- 2008-06-02 21:32:57   45,056   ----a-w   C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll
+ 2008-06-03 19:40:40   45,056   ----a-w   C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll
+ 2005-05-24 10:27:16   213,048   ----a-w   C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 13:47:20   94,208   ----a-w   C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 13:49:54   950,272   ----a-w   C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7C8D1401-A58D-A81C-CD24-A5915C4517C7}]
2004-08-08 20:40   538120   ---hs----   C:\WINDOWS\system32\mnmhgsrv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{97421D0D-E07F-40DF-8F07-99597B9585AD}]
2008-06-03 21:40   45056   --a------   C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2008-03-20 12:04 2127296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SkyTel"="SkyTel.EXE" [2006-05-16 12:04 2879488 C:\WINDOWS\SkyTel.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-05-27 04:47 16208384 C:\WINDOWS\RTHDCPL.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-06-01 11:22 7618560]
"nwiz"="nwiz.exe" [2006-06-01 11:22 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-06-01 11:22 86016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:44 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{7C8D1401-A58D-A81C-CD24-A5915C4517C7}"= C:\WINDOWS\system32\mnmhgsrv.dll [2004-08-08 20:40 538120]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"JavaView"= {DA191DE0-AA86-D04E-4B87-2A3D4928BE99} - C:\WINDOWS\AppPatch\Jview.dll [2008-06-03 20:39 13824]
"ThunderAdvise"= {97421D0D-E07F-40DF-8F07-99597B9585AD} - C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll [2008-06-03 21:40 45056]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

S3 gdrv;gdrv;C:\WINDOWS\gdrv.sys [2008-06-02 23:12]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-04 09:13:53
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\ATKKBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-06-04  9:14:22 - machine was rebooted
ComboFix-quarantined-files.txt  2008-06-04 07:14:20
ComboFix2.txt  2008-06-03 18:29:51
ComboFix3.txt  2008-06-03 13:05:48

Pre-Run: 7,392,276,480 bajtów wolnych
Post-Run: 7,383,597,056 bajt˘w wolnych

128


Here is the report from Kaspersky:
Code:
 4 czerwiec 2008 10:18:52
System operacyjny: Microsoft Windows XP Professional, Dodatek Service Pack 2 (Build 2600)
Kaspersky Online Scanner wersja: 5.0.98.0
Ostatnia aktualizacja Kaspersky Anti-Virus 4/06/2008
Liczba wpisów w bazie danych Kaspersky Anti-Virus828169
Ustawienia skanowania
Skanowanie przy użyciu następujących baz danych    rozszerzone
Skanuj archiwa    tak
Skanuj pocztowe bazy danych    tak
Obszar skanowania    Mój komputer
A:\
C:\
D:\
E:\
Statystyki skanowania
Liczba skanowanych obiektów    32686
Liczba wykrytych wirusów    49
Liczba zainfekowanych obiektów    139
Liczba podejrzanych obiektów    0
Czas trwania skanowania    00:11:05

Nazwa zainfekowanego obiektu    Nazwa wirusa    Ostatnie działanie
C:\Documents and Settings\Admin\Cookies\index.dat    Object is locked    pominięty
C:\Documents and Settings\Admin\Dane aplikacji\Mozilla\Firefox\Profiles\4x5modk7.default\cert8.db    Object is locked    pominięty
C:\Documents and Settings\Admin\Dane aplikacji\Mozilla\Firefox\Profiles\4x5modk7.default\formhistory.dat    Object is locked    pominięty
C:\Documents and Settings\Admin\Dane aplikacji\Mozilla\Firefox\Profiles\4x5modk7.default\history.dat    Object is locked    pominięty
C:\Documents and Settings\Admin\Dane aplikacji\Mozilla\Firefox\Profiles\4x5modk7.default\key3.db    Object is locked    pominięty
C:\Documents and Settings\Admin\Dane aplikacji\Mozilla\Firefox\Profiles\4x5modk7.default\parent.lock    Object is locked    pominięty
C:\Documents and Settings\Admin\Dane aplikacji\Mozilla\Firefox\Profiles\4x5modk7.default\search.sqlite    Object is locked    pominięty
C:\Documents and Settings\Admin\Dane aplikacji\Mozilla\Firefox\Profiles\4x5modk7.default\urlclassifier2.sqlite    Object is locked    pominięty
C:\Documents and Settings\Admin\NTUSER.DAT    Object is locked    pominięty
C:\Documents and Settings\Admin\ntuser.dat.LOG    Object is locked    pominięty
C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows\UsrClass.dat    Object is locked    pominięty
C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows\UsrClass.dat.LOG    Object is locked    pominięty
C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\4x5modk7.default\Cache\_CACHE_001_    Object is locked    pominięty
C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\4x5modk7.default\Cache\_CACHE_002_    Object is locked    pominięty
C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\4x5modk7.default\Cache\_CACHE_003_    Object is locked    pominięty
C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\4x5modk7.default\Cache\_CACHE_MAP_    Object is locked    pominięty
C:\Documents and Settings\Admin\Ustawienia lokalne\Historia\History.IE5\index.dat    Object is locked    pominięty
C:\Documents and Settings\Admin\Ustawienia lokalne\Historia\History.IE5\MSHist012008060420080605\index.dat    Object is locked    pominięty
C:\Documents and Settings\Admin\Ustawienia lokalne\Temp\wmsetup.dll    Zainfekowanych: Trojan-Downloader.Win32.Murlo.nn    pominięty
C:\Documents and Settings\Admin\Ustawienia lokalne\Temporary Internet Files\Content.IE5\01Q3STEF\root[1].gif    Zainfekowanych: Trojan-Downloader.Win32.Murlo.nn    pominięty
C:\Documents and Settings\Admin\Ustawienia lokalne\Temporary Internet Files\Content.IE5\01Q3STEF\update[1].gif    Zainfekowanych: Trojan-Downloader.Win32.Agent.qpv    pominięty
C:\Documents and Settings\Admin\Ustawienia lokalne\Temporary Internet Files\Content.IE5\0DA3SHI3\1[1].gif    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.alzp    pominięty
C:\Documents and Settings\Admin\Ustawienia lokalne\Temporary Internet Files\Content.IE5\index.dat    Object is locked    pominięty
C:\Documents and Settings\LocalService\Cookies\index.dat    Object is locked    pominięty
C:\Documents and Settings\LocalService\NTUSER.DAT    Object is locked    pominięty
C:\Documents and Settings\LocalService\ntuser.dat.LOG    Object is locked    pominięty
C:\Documents and Settings\LocalService\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows\UsrClass.dat    Object is locked    pominięty
C:\Documents and Settings\LocalService\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows\UsrClass.dat.LOG    Object is locked    pominięty
C:\Documents and Settings\LocalService\Ustawienia lokalne\Historia\History.IE5\index.dat    Object is locked    pominięty
C:\Documents and Settings\LocalService\Ustawienia lokalne\Temporary Internet Files\Content.IE5\index.dat    Object is locked    pominięty
C:\Documents and Settings\NetworkService\Cookies\index.dat    Object is locked    pominięty
C:\Documents and Settings\NetworkService\NTUSER.DAT    Object is locked    pominięty
C:\Documents and Settings\NetworkService\ntuser.dat.LOG    Object is locked    pominięty
C:\Documents and Settings\NetworkService\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows\UsrClass.dat    Object is locked    pominięty
C:\Documents and Settings\NetworkService\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows\UsrClass.dat.LOG    Object is locked    pominięty
C:\Documents and Settings\NetworkService\Ustawienia lokalne\Historia\History.IE5\index.dat    Object is locked    pominięty
C:\Documents and Settings\NetworkService\Ustawienia lokalne\Temporary Internet Files\Content.IE5\0TA34DQN\root[1].gif    Zainfekowanych: Trojan-Downloader.Win32.Murlo.nn    pominięty
C:\Documents and Settings\NetworkService\Ustawienia lokalne\Temporary Internet Files\Content.IE5\4LUBC96F\update[1].gif    Zainfekowanych: Trojan-Downloader.Win32.Agent.qpv    pominięty
C:\Documents and Settings\NetworkService\Ustawienia lokalne\Temporary Internet Files\Content.IE5\index.dat    Object is locked    pominięty
C:\QooBox\Quarantine\C\WINDOWS\AppPatch\AcXtrnel.dll.vir    Zainfekowanych: Trojan-Downloader.Win32.Agent.rnp    pominięty
C:\QooBox\Quarantine\C\WINDOWS\linkinfo.dll.vir    Zainfekowanych: Trojan-Downloader.Win32.Agent.erl    pominięty
C:\QooBox\Quarantine\C\WINDOWS\system32\aitlasys.exe.vir    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.ajop    pominięty
C:\QooBox\Quarantine\C\WINDOWS\system32\apsgdjba.dll.vir    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.akbq    pominięty
C:\QooBox\Quarantine\C\WINDOWS\system32\axptajpg.exe.vir    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.ajpx    pominięty
C:\QooBox\Quarantine\C\WINDOWS\system32\azcbaime.exe.vir    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.akry    pominięty
C:\QooBox\Quarantine\C\WINDOWS\system32\azwmaime.exe.vir    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.akry    pominięty
C:\QooBox\Quarantine\C\WINDOWS\system32\crugd.dll.vir    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.alwx    pominięty
C:\QooBox\Quarantine\C\WINDOWS\system32\dfqnabib.exe.vir    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.alaz    pominięty
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\cdralw.sys.vir    Zainfekowanych: Virus.Win32.Alman.b    pominięty
C:\QooBox\Quarantine\C\WINDOWS\system32\ghwxattb.exe.vir    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.ajom    pominięty
C:\QooBox\Quarantine\C\WINDOWS\system32\hhrdxd.dll.vir    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.alpl    pominięty
C:\QooBox\Quarantine\C\WINDOWS\system32\hjmh.dll.vir    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.akzq    pominięty
C:\QooBox\Quarantine\C\WINDOWS\system32\ismhasrv.exe.vir    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.alzp    pominięty
C:\QooBox\Quarantine\C\WINDOWS\system32\jhrcar.dll.vir    Zainfekowanych: Trojan.Win32.Agent.qwf    pominięty
C:\QooBox\Quarantine\C\WINDOWS\system32\lariytrz.dll.vir    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.alyk    pominięty
C:\QooBox\Quarantine\C\WINDOWS\system32\lpmxajkl.exe.vir    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.almn    pominięty
C:\QooBox\Quarantine\C\WINDOWS\system32\lpsgajba.exe.vir    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.akwe    pominięty
C:\QooBox\Quarantine\C\WINDOWS\system32\mnmhgsrv.dll.vir    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.alzc    pominięty
C:\QooBox\Quarantine\C\WINDOWS\system32\nhmxbjkl.dll.vir    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.almo    pominięty
C:\QooBox\Quarantine\C\WINDOWS\system32\oqrthc.dll.vir    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.alcw    pominięty
C:\QooBox\Quarantine\C\WINDOWS\system32\oswxcttb.dll.vir    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.ajww    pominięty
C:\QooBox\Quarantine\C\WINDOWS\system32\ozfydbyt.dll.vir    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.aexj    pominięty
C:\QooBox\Quarantine\C\WINDOWS\system32\sefawe.dll.vir    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.aeoy    pominięty
C:\QooBox\Quarantine\C\WINDOWS\system32\sfsxachu.exe.vir    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.ajpy    pominięty
C:\QooBox\Quarantine\C\WINDOWS\system32\skqncbib.dll.vir    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.alhk    pominięty
C:\QooBox\Quarantine\C\WINDOWS\system32\swsxachu.dll.vir    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.aicw    pominięty
C:\QooBox\Quarantine\C\WINDOWS\system32\tjfyabyt.exe.vir    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.ajpw    pominięty
C:\QooBox\Quarantine\C\WINDOWS\system32\ukrth.dll.vir    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.akzq    pominięty
C:\QooBox\Quarantine\C\WINDOWS\system32\wyrsdj.dll.vir    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.alrp    pominięty
C:\QooBox\Quarantine\C\WINDOWS\system32\ypdjfbmp.dll.vir    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.ahvx    pominięty
C:\QooBox\Quarantine\C\WINDOWS\system32\yxcschlp.dll.vir    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.affc    pominięty
C:\QooBox\Quarantine\C\WINDOWS\system32\yxfhcjpg.dll.vir    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.ajqe    pominięty
C:\QooBox\Quarantine\C\WINDOWS\system32\zdesfx.dll.vir    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.alqh    pominięty
C:\QooBox\Quarantine\C\WINDOWS\system32\zptlcsys.dll.vir    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.aepy    pominięty
C:\QooBox\Quarantine\C\WINDOWS\system32\zsdjabmp.exe.vir    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.ajoi    pominięty
C:\QooBox\Quarantine\C\WINDOWS\system32\zxcsahlp.exe.vir    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.ajod    pominięty
C:\QooBox\Quarantine\C\WINDOWS\system32\zxfhajpg.exe.vir    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.ajqe    pominięty
C:\QooBox\Quarantine\C\WINDOWS\system32\zxptejpg.dll.vir    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.aeox    pominięty
C:\QooBox\Quarantine\C\WINDOWS\system32\zycbdime.dll.vir    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.almv    pominięty
C:\QooBox\Quarantine\C\WINDOWS\system32\zywmfime.dll.vir    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.aipb    pominięty
C:\QooBox\Quarantine\C\yo2mq6.exe.vir    Zainfekowanych: Virus.Win32.Alman.b    pominięty
C:\System Volume Information\MountPointManagerRemoteDatabase    Object is locked    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000542.dll    Zainfekowanych: Trojan-Downloader.Win32.Agent.rnp    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000562.dll    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.alpl    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000563.dll    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.alpt    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000564.dll    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.alqh    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000634.dll    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.alwx    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000635.dll    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.amjj    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000636.dll    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.amjj    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000639.dll    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.alyl    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000641.dll    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.alyk    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\A0000680.exe    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.amjg    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\A0000681.exe    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.alzp    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\A0000694.dll    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.amjj    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\A0000695.dll    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.amjj    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\A0000815.dll    Zainfekowanych: Trojan-Downloader.Win32.Agent.rnp    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\snapshot\MFEX-1.DAT    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.alwx    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\snapshot\MFEX-10.DAT    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.alwx    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\snapshot\MFEX-11.DAT    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.alyk    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\snapshot\MFEX-12.DAT    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.akzp    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\snapshot\MFEX-13.DAT    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.amjl    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\snapshot\MFEX-14.DAT    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.amjj    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\snapshot\MFEX-15.DAT    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.amjj    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\snapshot\MFEX-2.DAT    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.alwx    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\snapshot\MFEX-3.DAT    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.amjj    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\snapshot\MFEX-4.DAT    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.amjj    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\snapshot\MFEX-6.DAT    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.alcw    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\snapshot\MFEX-7.DAT    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.alqx    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\snapshot\MFEX-8.DAT    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.alyl    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP7\A0000825.dll    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.alcw    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP7\A0000826.dll    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.alyk    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP7\A0000827.dll    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.alwx    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP7\A0000828.exe    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.alzp    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP7\A0000830.dll    Zainfekowanych: Trojan-Downloader.Win32.Agent.rnp    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP7\A0000832.exe    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.ajop    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP7\A0000834.dll    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.akbq    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP7\A0000835.exe    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.ajpx    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP7\A0000836.exe    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.akry    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP7\A0000837.exe    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.akry    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP7\A0000839.exe    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.alaz    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP7\A0000844.exe    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.ajom    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP7\A0000846.dll    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.alpl    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP7\A0000847.dll    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.akzq    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP7\A0000849.dll    Zainfekowanych: Trojan.Win32.Agent.qwf    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP7\A0000850.exe    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.almn    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP7\A0000851.exe    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.akwe    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP7\A0000852.dll    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.alzc    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP7\A0000854.dll    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.almo    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP7\A0000855.dll    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.ajww    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP7\A0000856.dll    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.aexj    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP7\A0000859.dll    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.aeoy    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP7\A0000860.exe    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.ajpy    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP7\A0000861.dll    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.alhk    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP7\A0000863.dll    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.aicw    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP7\A0000864.exe    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.ajpw    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP7\A0000866.dll    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.akzq    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP7\A0000868.dll    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.alrp    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP7\A0000872.dll    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.ahvx    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP7\A0000873.dll    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.affc    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP7\A0000874.dll    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.ajqe    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP7\A0000875.dll    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.alqh    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP7\A0000876.dll    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.aepy    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP7\A0000877.exe    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.ajoi    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP7\A0000878.exe    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.ajod    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP7\A0000879.exe    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.ajqe    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP7\A0000880.dll    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.aeox    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP7\A0000881.dll    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.almv    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP7\A0000882.dll    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.aipb    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP7\A0000883.exe    Zainfekowanych: Virus.Win32.Alman.b    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP7\A0000931.sys    Zainfekowanych: Virus.Win32.Alman.b    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP7\A0000932.dll    Zainfekowanych: Trojan-Downloader.Win32.Agent.rnp    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP7\A0000946.sys    Zainfekowanych: Virus.Win32.Alman.b    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP7\A0000947.dll    Zainfekowanych: Trojan-Downloader.Win32.Agent.rnp    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP8\A0000972.dll    Zainfekowanych: Trojan-Downloader.Win32.Agent.erl    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP8\A0000973.exe    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.alzp    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP8\A0000983.sys    Zainfekowanych: Virus.Win32.Alman.b    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP8\A0000996.dll    Zainfekowanych: Trojan-Downloader.Win32.Agent.rnp    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP8\change.log    Object is locked    pominięty
C:\WINDOWS\AppPatch\AcPlugin.dll    Zainfekowanych: Trojan-Spy.Win32.FtpSend.b    pominięty
C:\WINDOWS\AppPatch\AcSpecf.dll    Zainfekowanych: Trojan-Downloader.Win32.Small.hlp    pominięty
C:\WINDOWS\AppPatch\AcXtrnel.dll    Zainfekowanych: Trojan-Downloader.Win32.Agent.rnp    pominięty
C:\WINDOWS\Debug\PASSWD.LOG    Object is locked    pominięty
C:\WINDOWS\SchedLgU.Txt    Object is locked    pominięty
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log    Object is locked    pominięty
C:\WINDOWS\system32\CatRoot2\edb.log    Object is locked    pominięty
C:\WINDOWS\system32\CatRoot2\tmp.edb    Object is locked    pominięty
C:\WINDOWS\system32\config\AppEvent.Evt    Object is locked    pominięty
C:\WINDOWS\system32\config\default    Object is locked    pominięty
C:\WINDOWS\system32\config\default.LOG    Object is locked    pominięty
C:\WINDOWS\system32\config\SAM    Object is locked    pominięty
C:\WINDOWS\system32\config\SAM.LOG    Object is locked    pominięty
C:\WINDOWS\system32\config\SecEvent.Evt    Object is locked    pominięty
C:\WINDOWS\system32\config\SECURITY    Object is locked    pominięty
C:\WINDOWS\system32\config\SECURITY.LOG    Object is locked    pominięty
C:\WINDOWS\system32\config\software    Object is locked    pominięty
C:\WINDOWS\system32\config\software.LOG    Object is locked    pominięty
C:\WINDOWS\system32\config\SysEvent.Evt    Object is locked    pominięty
C:\WINDOWS\system32\config\system    Object is locked    pominięty
C:\WINDOWS\system32\config\system.LOG    Object is locked    pominięty
C:\WINDOWS\system32\dehkj.dll    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.amjj    pominięty
C:\WINDOWS\system32\dtrgjy.dll    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.amjj    pominięty
C:\WINDOWS\system32\fydgky.dll    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.alwx    pominięty
C:\WINDOWS\system32\h323log.txt    Object is locked    pominięty
C:\WINDOWS\system32\ismhasrv.exe    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.alzp    pominięty
C:\WINDOWS\system32\jkhjsd.dll    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.alwx    pominięty
C:\WINDOWS\system32\kduy.dll    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.akzp    pominięty
C:\WINDOWS\system32\mnmhgsrv.dll    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.alzc    pominięty
C:\WINDOWS\system32\sthth.dll    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.amjl    pominięty
C:\WINDOWS\system32\thef.dll    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.alqx    pominięty
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR    Object is locked    pominięty
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP    Object is locked    pominięty
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER    Object is locked    pominięty
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP    Object is locked    pominięty
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP    Object is locked    pominięty
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA    Object is locked    pominięty
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP    Object is locked    pominięty
C:\WINDOWS\system32\ydgn.dll    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.alyl    pominięty
C:\WINDOWS\TEMP\wmsetup.dll    Zainfekowanych: Trojan-Downloader.Win32.Murlo.nn    pominięty
C:\WINDOWS\WindowsUpdate.log    Object is locked    pominięty
D:\System Volume Information\MountPointManagerRemoteDatabase    Object is locked    pominięty
D:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP7\A0000962.exe    Zainfekowanych: Virus.Win32.Alman.b    pominięty
D:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP8\change.log    Object is locked    pominięty
D:\yo2mq6.exe    Zainfekowanych: Virus.Win32.Alman.b    pominięty
 

Can drive D:\ be cleaned somehow, and C:\ I would simply format??
PawelG
Forum member

Posts: 25
Joined: 03 Jun 2008, 15:12

Post by huber2t » 04 Jun 2008, 16:39


For now, don't format

Download ComboFix, but don't run it
Paste into Notepad:
Code:
File::
C:\WINDOWS\system32\mnmhgsrv.dll
C:\Documents and Settings\Admin\Ustawienia lokalne\Temp\wmsetup.dll
C:\Documents and Settings\Admin\Ustawienia lokalne\Temporary Internet Files\Content.IE5\01Q3STEF\root[1].gif
C:\Documents and Settings\Admin\Ustawienia lokalne\Temporary Internet Files\Content.IE5\01Q3STEF\update[1].gif
C:\Documents and Settings\Admin\Ustawienia lokalne\Temporary Internet Files\Content.IE5\0DA3SHI3\1[1].gif
C:\Documents and Settings\NetworkService\Ustawienia lokalne\Temporary Internet Files\Content.IE5\0TA34DQN\root[1].gif
C:\Documents and Settings\NetworkService\Ustawienia lokalne\Temporary Internet Files\Content.IE5\4LUBC96F\update[1].gif
C:\WINDOWS\system32\dehkj.dll
C:\WINDOWS\system32\dtrgjy.dll
C:\WINDOWS\system32\fydgky.dll
C:\WINDOWS\system32\ismhasrv.exe
C:\WINDOWS\system32\jkhjsd.dll
C:\WINDOWS\system32\kduy.dll
C:\WINDOWS\system32\mnmhgsrv.dl
C:\WINDOWS\system32\sthth.dll
C:\WINDOWS\system32\thef.dll
C:\WINDOWS\system32\ydgn.dll
C:\WINDOWS\TEMP\wmsetup.dll

Folder::
C:\WINDOWS\Downloaded Program Files
C:\WINDOWS\AppPatch
C:\QooBox
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP7
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP8
D:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP7
D:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP8

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7C8D1401-A58D-A81C-CD24-A5915C4517C7}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{97421D0D-E07F-40DF-8F07-99597B9585AD}]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{7C8D1401-A58D-A81C-CD24-A5915C4517C7}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"JavaView"=-
"ThunderAdvise"=-

File -> Save as -> CFScript.txt (it is most convenient to save it in a location where the CFScript.txt icon ends up next to the ComboFix.exe icon)
Drag and drop the CFScript.txt icon onto the ComboFix.exe icon, like this ->
[image]
Removal will begin and a log will be created; post that log on the forum.


After that, post the ComboFix log and a new Kaspersky log
huber2t
Distinguished forum contributor

Posts: 2798
Joined: 21 Mar 2008, 10:07
Commendations: 42
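As an added example (not part of the thread, and not huber2t's or ComboFix's code), the Python below parses the Kaspersky report layout shown earlier and a CFScript in the layout of this post, then cross-checks the File:: and Folder:: entries against the scanner's verdicts before the script is run. The sample report and script are constructed from paths in the thread; the ".dl" entry is kept so the check has something to flag.

```python
import re
from collections import defaultdict

# Constructed sample in the Kaspersky report layout from the thread (path, verdict,
# action separated by runs of whitespace); verdict/action text is left as printed.
KASPERSKY_REPORT = r"""
C:\WINDOWS\AppPatch\AcPlugin.dll    Zainfekowanych: Trojan-Spy.Win32.FtpSend.b    pominięty
C:\WINDOWS\system32\config\SAM    Object is locked    pominięty
C:\WINDOWS\system32\dehkj.dll    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.amjj    pominięty
C:\WINDOWS\system32\mnmhgsrv.dll    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.alzc    pominięty
D:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP7\A0000962.exe    Zainfekowanych: Virus.Win32.Alman.b    pominięty
D:\yo2mq6.exe    Zainfekowanych: Virus.Win32.Alman.b    pominięty
"""

# Constructed CFScript in the layout huber2t posted (File::, Folder::, Registry::).
# The ".dl" typo is kept on purpose so the check below has something to catch.
CFSCRIPT = r"""
File::
C:\WINDOWS\system32\mnmhgsrv.dll
C:\WINDOWS\system32\dehkj.dll
C:\WINDOWS\system32\mnmhgsrv.dl

Folder::
C:\WINDOWS\AppPatch

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7C8D1401-A58D-A81C-CD24-A5915C4517C7}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"JavaView"=-
"""

INFECTED = "Zainfekowanych: "  # the scanner's Polish "Infected:" prefix

def parse_kaspersky(text):
    """Return {path: (verdict, action)} for every report row."""
    report = {}
    for line in text.splitlines():
        parts = re.split(r"\t|\s{2,}", line.strip())
        if len(parts) < 2:
            continue  # blank line, not a report row
        report[parts[0]] = (parts[1], parts[2] if len(parts) > 2 else "")
    return report

def infected_paths(report):
    """Map path -> detection name for rows the scanner called infected."""
    return {p: v[len(INFECTED):] for p, (v, _) in report.items() if v.startswith(INFECTED)}

def parse_cfscript(text):
    """Split a CFScript into its 'Name::' sections -> list of body lines."""
    sections, current = defaultdict(list), None
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("::"):
            current = line[:-2]
        elif line and current is not None:
            sections[current].append(line)
    return sections

def parse_registry_directives(lines):
    """Registry:: syntax: [-KEY] deletes a key, [KEY] selects one, "name"=- deletes a value."""
    ops, key = [], None
    for line in lines:
        if line.startswith("[-") and line.endswith("]"):
            ops.append(("delete_key", line[2:-1], None))
        elif line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        else:
            m = re.match(r'"([^"]+)"=-$', line)
            if m and key:
                ops.append(("delete_value", key, m.group(1)))
    return ops

def check_script(cfscript_text, report_text):
    """Cross-check File:: and Folder:: entries against the scan report;
    'not_in_report' entries deserve a second look (typo, or a file the scanner never reached)."""
    report = parse_kaspersky(report_text)
    infected = infected_paths(report)
    sections = parse_cfscript(cfscript_text)
    by_lower = {p.lower(): p for p in report}  # NTFS paths are case-insensitive
    result = {"confirmed": [], "unflagged": [], "not_in_report": [], "folders": {}}
    for path in sections.get("File", []):
        real = by_lower.get(path.lower())
        if real is None:
            result["not_in_report"].append(path)
        elif real in infected:
            result["confirmed"].append((path, infected[real]))
        else:
            result["unflagged"].append(path)  # present, but e.g. only "Object is locked"
    for folder in sections.get("Folder", []):
        prefix = folder.lower().rstrip("\\") + "\\"
        result["folders"][folder] = [p for p in infected if p.lower().startswith(prefix)]
    return result

def infected_by_drive(report_text):
    """Group infected files by drive letter, e.g. to see what is still on D:."""
    by_drive = defaultdict(list)
    for path, name in infected_paths(parse_kaspersky(report_text)).items():
        by_drive[path[:2].upper()].append((path, name))
    return dict(by_drive)
```

With the constructed data, check_script lists C:\WINDOWS\system32\mnmhgsrv.dl under not_in_report, and infected_by_drive reports two hits on D: and three on C:.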

Post by PawelG » 04 Jun 2008, 17:11



[code]ComboFix 08-06-01.6 - Admin 2008-06-04 16:43:19.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.589 [GMT 2:00]
Running from: C:\Documents and Settings\Admin\Pulpit\ComboFix.exe
Command switches used :: C:\Documents and Settings\Admin\Pulpit\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\Admin\Ustawienia lokalne\Temp\wmsetup.dll
C:\Documents and Settings\Admin\Ustawienia lokalne\Temporary Internet Files\Content.IE5\01Q3STEF\root[1].gif
C:\Documents and Settings\Admin\Ustawienia lokalne\Temporary Internet Files\Content.IE5\01Q3STEF\update[1].gif
C:\Documents and Settings\Admin\Ustawienia lokalne\Temporary Internet Files\Content.IE5\0DA3SHI3\1[1].gif
C:\Documents and Settings\NetworkService\Ustawienia lokalne\Temporary Internet Files\Content.IE5\0TA34DQN\root[1].gif
C:\Documents and Settings\NetworkService\Ustawienia lokalne\Temporary Internet Files\Content.IE5\4LUBC96F\update[1].gif
C:\WINDOWS\system32\dehkj.dll
C:\WINDOWS\system32\dtrgjy.dll
C:\WINDOWS\system32\fydgky.dll
C:\WINDOWS\system32\ismhasrv.exe
C:\WINDOWS\system32\jkhjsd.dll
C:\WINDOWS\system32\kduy.dll
C:\WINDOWS\system32\mnmhgsrv.dl
C:\WINDOWS\system32\mnmhgsrv.dll
C:\WINDOWS\system32\sthth.dll
C:\WINDOWS\system32\thef.dll
C:\WINDOWS\system32\ydgn.dll
C:\WINDOWS\TEMP\wmsetup.dll
C:\WINDOWS\Downloaded Program Files :#:
C:\WINDOWS\AppPatch :#:
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Admin\Ustawienia lokalne\Temp\wmsetup.dll
C:\Documents and Settings\Admin\Ustawienia lokalne\Temporary Internet Files\Content.IE5\01Q3STEF\root[1].gif
C:\Documents and Settings\Admin\Ustawienia lokalne\Temporary Internet Files\Content.IE5\0DA3SHI3\1[1].gif
C:\Documents and Settings\NetworkService\Ustawienia lokalne\Temporary Internet Files\Content.IE5\0TA34DQN\root[1].gif
C:\QooBox
C:\QooBox\BackEnv\appdata.folder.dat
C:\QooBox\BackEnv\cache.folder.dat
C:\QooBox\BackEnv\desktop.folder.dat
C:\QooBox\BackEnv\favorites.folder.dat
C:\QooBox\BackEnv\localappdata.folder.dat
C:\QooBox\BackEnv\localsettings.folder.dat
C:\QooBox\BackEnv\mypictures.folder.dat
C:\QooBox\BackEnv\personal.folder.dat
C:\QooBox\BackEnv\profiles.folder.dat
C:\QooBox\BackEnv\programs.folder.dat
C:\QooBox\BackEnv\SetPath.bat
C:\QooBox\BackEnv\startmenu.folder.dat
C:\QooBox\BackEnv\startup.folder.dat
C:\QooBox\BackEnv\SysPath.dat
C:\QooBox\BackEnv\templates.folder.dat
C:\QooBox\[email protected]
C:\QooBox\[email protected]
C:\QooBox\[email protected]
C:\QooBox\ComboFix-quarantined-files.txt
C:\QooBox\ComboFix2.txt
C:\QooBox\ComboFix3.txt
C:\QooBox\ComboFix4.txt
C:\QooBox\lastrun\drevB.dat
C:\QooBox\snapshot@2008-06-03_15.05.38.45.dat
C:\QooBox\snapshot@2008-06-03_15.05.38.45_B.dat
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000139.PNF
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000140.rgs
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000141.rbf
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000142.ini
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000143.ini
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000144.ini
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000145.ini
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000146.inf
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000147.PNF
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000148.inf
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000149.PNF
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000150.PNF
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000151.ini
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000152.ini
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000153.ini
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000154.ini
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000155.inf
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000156.PNF
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000157.PNF
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000164.ini
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000165.ini
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000166.ini
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000167.ini
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000173.inf
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000196.ini
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000197.INI
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000396.ini
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000397.ini
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000398.ini
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000399.ini
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000405.inf
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000435.ini
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000442.PNF
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000443.ini
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000444.ini
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000445.ini
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000446.ini
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000453.inf
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000462.ini
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000463.ini
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000524.lnk
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000525.lnk
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000526.lnk
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000527.ini
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000529.ini
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000530.ini
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000531.ini
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000532.ini
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000533.sys
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000534.sys
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000535.sys
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000536.sys
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000539.sys
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000540.sys
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000542.dll
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000545.inf
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000558.cfg
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000559.dll
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000560.sys
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000562.dll
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000563.dll
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000564.dll
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000565.cfg
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000567.cfg
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000568.dll
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000569.sys
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000628.lnk
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000630.mfl
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000631.ini
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000634.dll
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000635.dll
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000636.dll
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000639.dll
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000641.dll
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000642.bat
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000643.bat
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000644.bat
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000645.sys
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000646.bat
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000647.bat
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000648.bat
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000649.reg
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000650.bat
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000651.bat
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000652.vbs
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000653.bat
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000654.bat
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000655.vbs
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000656.bat
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000657.vbs
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000658.vbs
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000659.bat
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000660.bat
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000661.com
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000662.vbs
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000663.bat
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000664.bat
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000665.vbs
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000666.bat
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000667.bat
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000668.vbs
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000669.bat
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\A0000670.bat
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\change.log.1
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\change.log.2
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\change.log.3
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\change.log.4
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\change.log.5
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\change.log.6
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\change.log.7
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\drivetable.txt
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\RestorePointSize
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\rp.log
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\snapshot\_REGISTRY_MACHINE_SAM
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\snapshot\_REGISTRY_MACHINE_SECURITY
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\snapshot\_REGISTRY_MACHINE_SOFTWARE
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\snapshot\_REGISTRY_MACHINE_SYSTEM
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\snapshot\_REGISTRY_USER_.DEFAULT
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\snapshot\_REGISTRY_USER_NTUSER_S-1-5-18
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\snapshot\_REGISTRY_USER_NTUSER_S-1-5-19
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\snapshot\_REGISTRY_USER_NTUSER_S-1-5-20
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-1801674531-1390067357-725345543-1003
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-19
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-20
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-1801674531-1390067357-725345543-1003
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\snapshot\ComDb.Dat
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\snapshot\domain.txt
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\snapshot\Repository\$WinMgmt.CFG
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\snapshot\Repository\FS\INDEX.BTR
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\snapshot\Repository\FS\INDEX.MAP
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\snapshot\Repository\FS\MAPPING.VER
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\snapshot\Repository\FS\MAPPING1.MAP
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\snapshot\Repository\FS\MAPPING2.MAP
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\snapshot\Repository\FS\OBJECTS.DATA
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP5\snapshot\Repository\FS\OBJECTS.MAP
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\A0000671.vbs
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\A0000675.cfg
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\A0000676.cfg
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\A0000677.cfg
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\A0000679.inf
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\A0000680.exe
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\A0000681.exe
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\A0000682.sys
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\A0000683.sys
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\A0000685.sys
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\A0000689.bat
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\A0000690.bat
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\A0000691.bat
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\A0000692.ini
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\A0000694.dll
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\A0000695.dll
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\A0000696.sys
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\A0000697.ini
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\A0000698.ini
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\A0000699.ini
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\A0000700.bat
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\A0000701.bat
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\A0000702.sys
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\A0000703.sys
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\A0000704.sys
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\A0000705.sys
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\A0000706.sys
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\A0000707.sys
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\A0000708.exe
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\A0000710.old
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\A0000711.old
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\A0000712.ini
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\A0000714.EXE
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\A0000715.bat
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\A0000716.bat
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\A0000717.bat
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\A0000718.exe
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\A0000719.bat
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\A0000720.sys
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\A0000721.bat
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\A0000722.reg
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\A0000723.bat
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\A0000724.bat
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\A0000725.vbs
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\A0000726.bat
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\A0000727.bat
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\A0000728.vbs
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\A0000729.vbs
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\A0000730.vbs
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\A0000731.reg
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\A0000732.bat
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\A0000733.bat
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\A0000734.com
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\A0000735.vbs
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\A0000736.bat
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\A0000737.bat
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\A0000738.bat
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\A0000739.bat
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\A0000740.vbs
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\A0000741.mfl
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\A0000805.ini
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\A0000806.ini
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\A0000807.ini
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\A0000808.ini
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\A0000809.sys
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\A0000810.sys
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\A0000811.sys
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\A0000812.sys
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\A0000813.sys
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\A0000814.sys
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\A0000815.dll
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\A0000816.inf
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\A0000817.PNF
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\A0000818.bat
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\A0000819.exe
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\A0000820.exe
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\A0000821.bat
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\change.log.1
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\change.log.2
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\change.log.3
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\drivetable.txt
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\RestorePointSize
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\rp.log
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\snapshot\_REGISTRY_MACHINE_SAM
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\snapshot\_REGISTRY_MACHINE_SECURITY
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\snapshot\_REGISTRY_MACHINE_SOFTWARE
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\snapshot\_REGISTRY_MACHINE_SYSTEM
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\snapshot\_REGISTRY_USER_.DEFAULT
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\snapshot\_REGISTRY_USER_NTUSER_S-1-5-18
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\snapshot\_REGISTRY_USER_NTUSER_S-1-5-19
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\snapshot\_REGISTRY_USER_NTUSER_S-1-5-20
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-1801674531-1390067357-725345543-1003
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-19
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-20
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP6\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-1801674531-1390067357-725345543-1003
C:\WINDOWS\system32\dehkj.dll
C:\WINDOWS\system32\dtrgjy.dll
C:\WINDOWS\system32\fydgky.dll
C:\WINDOWS\system32\ismhasrv.exe
C:\WINDOWS\system32\jkhjsd.dll
C:\WINDOWS\system32\kduy.dll
C:\WINDOWS\system32\mnmhgsrv.dll
C:\WINDOWS\system32\smmhbsrv.sys
C:\WINDOWS\system32\sthth.dll
C:\WINDOWS\system32\thef.dll
C:\WINDOWS\system32\ydgn.dll
C:\WINDOWS\TEMP\wmsetup.dll

.
((((((((((((((((((((((((( Files Created from 2008-05-04 to 2008-06-04 )))))))))))))))))))))))))))))))
.

2008-06-03 15:15 . 2008-06-03 15:15 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-06-03 15:15 . 2008-06-03 15:15 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab
2008-06-03 14:31 . 2008-06-03 14:50 <DIR> d-------- C:\Program Files\SkanerOnline
2008-06-03 14:30 . 2008-06-03 14:30 280 ---hs---- C:\WINDOWS\system32\sthth.cfg
2008-06-03 08:49 . 2008-06-03 08:49 1,160 --a------ C:\WINDOWS\mozver.dat
2008-06-03 08:47 . 2008-06-03 08:47 <DIR> d-------- C:\Program Files\Gadu-Gadu
2008-06-03 08:47 . 2008-06-03 08:48 <DIR> d-------- C:\Documents and Settings\Admin\Gadu-Gadu
2008-06-03 08:46 . 2008-06-03 08:46 <DIR> d-------- C:\Documents and Settings\Admin\Dane aplikacji\Talkback
2008-06-03 08:45 . 2008-06-03 08:45 0 --a------ C:\WINDOWS\nsreg.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-04 14:43 9,216 ----a-w C:\WINDOWS\AppPatch\AcXtrnel.dll
2008-06-04 07:10 9,728 ----a-w C:\WINDOWS\AppPatch\AcSpecf.dll
2008-06-04 07:10 27,136 ----a-w C:\WINDOWS\AppPatch\AcPlugin.dll
2008-06-03 18:39 13
Last edited by PawelG on 04 Jun 2008, 17:18, edited 2 times in total
PawelG
Forum member
Posts: 25
Joined: 03 Jun 2008, 15:12

Post by huber2t » 04 Jun 2008, 17:16

Post a new log from ComboFix and a log from Kaspersky.
huber2t
Distinguished forum contributor
Posts: 2798
Joined: 21 Mar 2008, 10:07
Kudos: 42

Post by PawelG » 04 Jun 2008, 17:20

Code:
13,824   ----a-w   C:\WINDOWS\AppPatch\Jview.dll
2008-06-02 21:21   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
2008-06-02 21:21   ---------   d-----w   C:\Program Files\My Company Name
2008-06-02 21:19   ---------   d-----w   C:\Program Files\Common Files\InstallShield
2008-06-02 21:15   ---------   d-----w   C:\Program Files\Realtek
2008-06-02 21:13   ---------   d-----w   C:\Program Files\AMD
2008-06-02 21:12   4,501   ----a-w   C:\WINDOWS\gdrv.sys
2008-06-02 21:07   ---------   d-----w   C:\Program Files\microsoft frontpage
2008-06-02 21:05   ---------   d-----w   C:\Program Files\Usługi online
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2008-03-20 12:04 2127296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SkyTel"="SkyTel.EXE" [2006-05-16 12:04 2879488 C:\WINDOWS\SkyTel.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-05-27 04:47 16208384 C:\WINDOWS\RTHDCPL.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-06-01 11:22 7618560]
"nwiz"="nwiz.exe" [2006-06-01 11:22 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-06-01 11:22 86016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:44 15360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

S3 gdrv;gdrv;C:\WINDOWS\gdrv.sys [2008-06-02 23:12]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-04 16:45:35
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\ATKKBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-06-04 16:46:04 - machine was rebooted
ComboFix-quarantined-files.txt  2008-06-04 14:46:02

Pre-Run: 7,354,228,736 bajtów wolnych
Post-Run: 7,429,771,264 bajtów wolnych

670



Kaspersky report:

Code:
 4 czerwiec 2008 17:09:32
System operacyjny: Microsoft Windows XP Professional, Dodatek Service Pack 2 (Build 2600)
Kaspersky Online Scanner wersja: 5.0.98.0
Ostatnia aktualizacja Kaspersky Anti-Virus 4/06/2008
Liczba wpisów w bazie danych Kaspersky Anti-Virus828899
Ustawienia skanowania
Skanowanie przy użyciu następujących baz danych    rozszerzone
Skanuj archiwa    tak
Skanuj pocztowe bazy danych    tak
Obszar skanowania    Mój komputer
A:\
C:\
D:\
E:\
Statystyki skanowania
Liczba skanowanych obiektów    32102
Liczba wykrytych wirusów    12
Liczba zainfekowanych obiektów    15
Liczba podejrzanych obiektów    0
Czas trwania skanowania    00:10:51

Nazwa zainfekowanego obiektu    Nazwa wirusa    Ostatnie działanie
C:\Documents and Settings\Admin\Cookies\index.dat    Object is locked    pominięty
C:\Documents and Settings\Admin\Dane aplikacji\Mozilla\Firefox\Profiles\4x5modk7.default\cert8.db    Object is locked    pominięty
C:\Documents and Settings\Admin\Dane aplikacji\Mozilla\Firefox\Profiles\4x5modk7.default\formhistory.dat    Object is locked    pominięty
C:\Documents and Settings\Admin\Dane aplikacji\Mozilla\Firefox\Profiles\4x5modk7.default\history.dat    Object is locked    pominięty
C:\Documents and Settings\Admin\Dane aplikacji\Mozilla\Firefox\Profiles\4x5modk7.default\key3.db    Object is locked    pominięty
C:\Documents and Settings\Admin\Dane aplikacji\Mozilla\Firefox\Profiles\4x5modk7.default\parent.lock    Object is locked    pominięty
C:\Documents and Settings\Admin\Dane aplikacji\Mozilla\Firefox\Profiles\4x5modk7.default\search.sqlite    Object is locked    pominięty
C:\Documents and Settings\Admin\Dane aplikacji\Mozilla\Firefox\Profiles\4x5modk7.default\urlclassifier2.sqlite    Object is locked    pominięty
C:\Documents and Settings\Admin\NTUSER.DAT    Object is locked    pominięty
C:\Documents and Settings\Admin\ntuser.dat.LOG    Object is locked    pominięty
C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows\UsrClass.dat    Object is locked    pominięty
C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows\UsrClass.dat.LOG    Object is locked    pominięty
C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\4x5modk7.default\Cache\_CACHE_001_    Object is locked    pominięty
C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\4x5modk7.default\Cache\_CACHE_002_    Object is locked    pominięty
C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\4x5modk7.default\Cache\_CACHE_003_    Object is locked    pominięty
C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\4x5modk7.default\Cache\_CACHE_MAP_    Object is locked    pominięty
C:\Documents and Settings\Admin\Ustawienia lokalne\Historia\History.IE5\index.dat    Object is locked    pominięty
C:\Documents and Settings\Admin\Ustawienia lokalne\Historia\History.IE5\MSHist012008060420080605\index.dat    Object is locked    pominięty
C:\Documents and Settings\Admin\Ustawienia lokalne\Temporary Internet Files\Content.IE5\index.dat    Object is locked    pominięty
C:\Documents and Settings\LocalService\Cookies\index.dat    Object is locked    pominięty
C:\Documents and Settings\LocalService\NTUSER.DAT    Object is locked    pominięty
C:\Documents and Settings\LocalService\ntuser.dat.LOG    Object is locked    pominięty
C:\Documents and Settings\LocalService\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows\UsrClass.dat    Object is locked    pominięty
C:\Documents and Settings\LocalService\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows\UsrClass.dat.LOG    Object is locked    pominięty
C:\Documents and Settings\LocalService\Ustawienia lokalne\Historia\History.IE5\index.dat    Object is locked    pominięty
C:\Documents and Settings\LocalService\Ustawienia lokalne\Temporary Internet Files\Content.IE5\index.dat    Object is locked    pominięty
C:\Documents and Settings\NetworkService\NTUSER.DAT    Object is locked    pominięty
C:\Documents and Settings\NetworkService\ntuser.dat.LOG    Object is locked    pominięty
C:\Documents and Settings\NetworkService\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows\UsrClass.dat    Object is locked    pominięty
C:\Documents and Settings\NetworkService\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows\UsrClass.dat.LOG    Object is locked    pominięty
C:\System Volume Information\MountPointManagerRemoteDatabase    Object is locked    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001050.dll    Zainfekowanych: Trojan-Downloader.Win32.Agent.rnp    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001051.exe    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.alzp    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001053.dll    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.amjj    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001054.dll    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.amjj    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001055.dll    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.alwx    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001056.dll    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.alwx    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001057.dll    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.akzp    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001058.dll    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.alzc    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001059.dll    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.amjl    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001060.dll    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.alqx    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001061.dll    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.alyl    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\change.log    Object is locked    pominięty
C:\WINDOWS\AppPatch\AcPlugin.dll    Zainfekowanych: Trojan-Spy.Win32.FtpSend.b    pominięty
C:\WINDOWS\AppPatch\AcSpecf.dll    Zainfekowanych: Trojan-Downloader.Win32.Small.hlp    pominięty
C:\WINDOWS\AppPatch\AcXtrnel.dll    Zainfekowanych: Trojan-Downloader.Win32.Agent.rnp    pominięty
C:\WINDOWS\Debug\PASSWD.LOG    Object is locked    pominięty
C:\WINDOWS\SchedLgU.Txt    Object is locked    pominięty
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log    Object is locked    pominięty
C:\WINDOWS\system32\CatRoot2\edb.log    Object is locked    pominięty
C:\WINDOWS\system32\CatRoot2\tmp.edb    Object is locked    pominięty
C:\WINDOWS\system32\config\AppEvent.Evt    Object is locked    pominięty
C:\WINDOWS\system32\config\default    Object is locked    pominięty
C:\WINDOWS\system32\config\default.LOG    Object is locked    pominięty
C:\WINDOWS\system32\config\SAM    Object is locked    pominięty
C:\WINDOWS\system32\config\SAM.LOG    Object is locked    pominięty
C:\WINDOWS\system32\config\SecEvent.Evt    Object is locked    pominięty
C:\WINDOWS\system32\config\SECURITY    Object is locked    pominięty
C:\WINDOWS\system32\config\SECURITY.LOG    Object is locked    pominięty
C:\WINDOWS\system32\config\software    Object is locked    pominięty
C:\WINDOWS\system32\config\software.LOG    Object is locked    pominięty
C:\WINDOWS\system32\config\SysEvent.Evt    Object is locked    pominięty
C:\WINDOWS\system32\config\system    Object is locked    pominięty
C:\WINDOWS\system32\config\system.LOG    Object is locked    pominięty
C:\WINDOWS\system32\h323log.txt    Object is locked    pominięty
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR    Object is locked    pominięty
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP    Object is locked    pominięty
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER    Object is locked    pominięty
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP    Object is locked    pominięty
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP    Object is locked    pominięty
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA    Object is locked    pominięty
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP    Object is locked    pominięty
C:\WINDOWS\WindowsUpdate.log    Object is locked    pominięty
D:\System Volume Information\MountPointManagerRemoteDatabase    Object is locked    pominięty
D:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\change.log    Object is locked    pominięty
D:\yo2mq6.exe    Zainfekowanych: Virus.Win32.Alman.b    pominięty
Proces skanowania został zakończony.
PawelG
Forum member
Posts: 25
Joined: 03 Jun 2008, 15:12

Post by huber2t » 04 Jun 2008, 17:26

To clean the pendrive of viruses, use
Perlovga Removal Tool
Flash Disinfector
or format it

Download ComboFix, but don't run it
Paste into Notepad:
Code:
File::
C:\WINDOWS\AppPatch\AcPlugin.dll
C:\WINDOWS\AppPatch\AcSpecf.dll
C:\WINDOWS\AppPatch\AcXtrnel.dll
C:\WINDOWS\AppPatch\Jview.dll
D:\yo2mq6.exe

Folder::
C:\WINDOWS\AppPatch
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9

File -> Save As -> CFScript.txt (it's most convenient to save it in a location where the CFScript.txt icon ends up next to the ComboFix.exe icon)
Drag and drop the CFScript.txt icon onto the ComboFix.exe icon, like this ->
[Image]
The removal will start and a log will be produced; post that log on the forum.
huber2t
Distinguished forum contributor
Posts: 2798
Joined: 21 Mar 2008, 10:07
Kudos: 42

Post by PawelG » 04 Jun 2008, 17:50

Code:
ComboFix 08-06-01.6 - Admin 2008-06-04 17:47:48.5 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1250.1.1045.18.607 [GMT 2:00]
Running from: C:\Documents and Settings\Admin\Pulpit\ComboFix.exe
Command switches used :: C:\Documents and Settings\Admin\Pulpit\CFScript.txt
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\AppPatch\AcPlugin.dll
C:\WINDOWS\AppPatch\AcSpecf.dll
C:\WINDOWS\AppPatch\AcXtrnel.dll
C:\WINDOWS\AppPatch\Jview.dll
D:\yo2mq6.exe
C:\WINDOWS\AppPatch   :#:
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001046.EXE
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001047.INF
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001048.vbs
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001049.bat
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001050.dll
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001051.exe
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001052.sys
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001053.dll
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001054.dll
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001055.dll
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001056.dll
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001057.dll
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001058.dll
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001059.dll
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001060.dll
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001061.dll
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001062.bat
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001063.bat
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001064.bat
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001065.ini
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001066.sys
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001067.ini
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001068.ini
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001069.ini
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001070.old
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001071.old
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001072.bat
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001073.ini
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001075.EXE
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001076.cf
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001077.bat
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001078.bat
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001079.bat
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001080.exe
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001081.bat
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001082.sys
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001083.bat
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001084.reg
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001085.bat
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001086.bat
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001087.vbs
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001088.bat
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001089.bat
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001090.vbs
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001091.vbs
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001092.vbs
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001093.reg
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001094.bat
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001095.bat
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001096.com
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001097.vbs
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001098.bat
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001099.bat
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001100.bat
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001101.bat
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001102.bat
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001103.cmd
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001104.vbs
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001105.dll
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001106.dll
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001107.lnk
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001108.lnk
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001109.lnk
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001110.bat
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001111.exe
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001112.exe
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001113.bat
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\change.log.1
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\change.log.2
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\drivetable.txt
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\RestorePointSize
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\rp.log
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\snapshot\_REGISTRY_MACHINE_SAM
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\snapshot\_REGISTRY_MACHINE_SECURITY
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\snapshot\_REGISTRY_MACHINE_SOFTWARE
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\snapshot\_REGISTRY_MACHINE_SYSTEM
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\snapshot\_REGISTRY_USER_.DEFAULT
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\snapshot\_REGISTRY_USER_NTUSER_S-1-5-18
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\snapshot\_REGISTRY_USER_NTUSER_S-1-5-19
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\snapshot\_REGISTRY_USER_NTUSER_S-1-5-20
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-1801674531-1390067357-725345543-1003
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-19
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-20
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-1801674531-1390067357-725345543-1003
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\snapshot\ComDb.Dat
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\snapshot\domain.txt
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\snapshot\Repository\$WinMgmt.CFG
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\snapshot\Repository\FS\INDEX.BTR
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\snapshot\Repository\FS\INDEX.MAP
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\snapshot\Repository\FS\MAPPING.VER
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\snapshot\Repository\FS\MAPPING1.MAP
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\snapshot\Repository\FS\MAPPING2.MAP
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\snapshot\Repository\FS\OBJECTS.DATA
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\snapshot\Repository\FS\OBJECTS.MAP
C:\WINDOWS\AppPatch\AcPlugin.dll
C:\WINDOWS\AppPatch\AcSpecf.dll
C:\WINDOWS\AppPatch\AcXtrnel.dll
C:\WINDOWS\AppPatch\Jview.dll
D:\yo2mq6.exe

.
(((((((((((((((((((((((((   Files Created from 2008-05-04 to 2008-06-04  )))))))))))))))))))))))))))))))
.

2008-06-03 15:15 . 2008-06-03 15:15   <DIR>   d--------   C:\WINDOWS\system32\Kaspersky Lab
2008-06-03 15:15 . 2008-06-03 15:15   <DIR>   d--------   C:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab
2008-06-03 14:31 . 2008-06-03 14:50   <DIR>   d--------   C:\Program Files\SkanerOnline
2008-06-03 14:30 . 2008-06-03 14:30   280   ---hs----   C:\WINDOWS\system32\sthth.cfg
2008-06-03 08:49 . 2008-06-03 08:49   1,160   --a------   C:\WINDOWS\mozver.dat
2008-06-03 08:47 . 2008-06-03 08:47   <DIR>   d--------   C:\Program Files\Gadu-Gadu
2008-06-03 08:47 . 2008-06-03 08:48   <DIR>   d--------   C:\Documents and Settings\Admin\Gadu-Gadu
2008-06-03 08:46 . 2008-06-03 08:46   <DIR>   d--------   C:\Documents and Settings\Admin\Dane aplikacji\Talkback
2008-06-03 08:45 . 2008-06-03 08:45   0   --a------   C:\WINDOWS\nsreg.dat

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-02 21:21   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
2008-06-02 21:21   ---------   d-----w   C:\Program Files\My Company Name
2008-06-02 21:19   ---------   d-----w   C:\Program Files\Common Files\InstallShield
2008-06-02 21:15   ---------   d-----w   C:\Program Files\Realtek
2008-06-02 21:13   ---------   d-----w   C:\Program Files\AMD
2008-06-02 21:12   4,501   ----a-w   C:\WINDOWS\gdrv.sys
2008-06-02 21:07   ---------   d-----w   C:\Program Files\microsoft frontpage
2008-06-02 21:05   ---------   d-----w   C:\Program Files\Usługi online
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2008-03-20 12:04 2127296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SkyTel"="SkyTel.EXE" [2006-05-16 12:04 2879488 C:\WINDOWS\SkyTel.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-05-27 04:47 16208384 C:\WINDOWS\RTHDCPL.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-06-01 11:22 7618560]
"nwiz"="nwiz.exe" [2006-06-01 11:22 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-06-01 11:22 86016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:44 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"JavaView"= {DA191DE0-AA86-D04E-4B87-2A3D4928BE99} - C:\WINDOWS\AppPatch\Jview.dll [ ]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

S3 gdrv;gdrv;C:\WINDOWS\gdrv.sys [2008-06-02 23:12]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-04 17:48:20
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-04 17:48:34
ComboFix-quarantined-files.txt  2008-06-04 15:48:32
ComboFix2.txt  2008-06-04 14:46:05

Pre-Run: 7,439,589,376 bajtów wolnych
Post-Run: 7,431,475,200 bajtów wolnych

177
PawelG
Forum member
Posts: 25
Joined: 03 Jun 2008, 15:12

Post by huber2t » 04 Jun 2008, 18:12

The files have been removed; scan with Kaspersky and post the log on the forum.
huber2t
Distinguished forum contributor
Posts: 2798
Joined: 21 Mar 2008, 10:07
Kudos: 42

Post by PawelG » 04 Jun 2008, 18:14

Kaspersky report:
Code:
 4 czerwiec 2008 18:12:22
System operacyjny: Microsoft Windows XP Professional, Dodatek Service Pack 2 (Build 2600)
Kaspersky Online Scanner wersja: 5.0.98.0
Ostatnia aktualizacja Kaspersky Anti-Virus 4/06/2008
Liczba wpisów w bazie danych Kaspersky Anti-Virus828899
Ustawienia skanowania
Skanowanie przy użyciu następujących baz danych    rozszerzone
Skanuj archiwa    tak
Skanuj pocztowe bazy danych    tak
Obszar skanowania    Mój komputer
A:\
C:\
D:\
E:\
Statystyki skanowania
Liczba skanowanych obiektów    32212
Liczba wykrytych wirusów    12
Liczba zainfekowanych obiektów    20
Liczba podejrzanych obiektów    0
Czas trwania skanowania    00:10:51

Nazwa zainfekowanego obiektu    Nazwa wirusa    Ostatnie działanie
C:\Documents and Settings\Admin\Cookies\index.dat    Object is locked    pominięty
C:\Documents and Settings\Admin\Dane aplikacji\Mozilla\Firefox\Profiles\4x5modk7.default\cert8.db    Object is locked    pominięty
C:\Documents and Settings\Admin\Dane aplikacji\Mozilla\Firefox\Profiles\4x5modk7.default\formhistory.dat    Object is locked    pominięty
C:\Documents and Settings\Admin\Dane aplikacji\Mozilla\Firefox\Profiles\4x5modk7.default\history.dat    Object is locked    pominięty
C:\Documents and Settings\Admin\Dane aplikacji\Mozilla\Firefox\Profiles\4x5modk7.default\key3.db    Object is locked    pominięty
C:\Documents and Settings\Admin\Dane aplikacji\Mozilla\Firefox\Profiles\4x5modk7.default\parent.lock    Object is locked    pominięty
C:\Documents and Settings\Admin\Dane aplikacji\Mozilla\Firefox\Profiles\4x5modk7.default\search.sqlite    Object is locked    pominięty
C:\Documents and Settings\Admin\Dane aplikacji\Mozilla\Firefox\Profiles\4x5modk7.default\urlclassifier2.sqlite    Object is locked    pominięty
C:\Documents and Settings\Admin\NTUSER.DAT    Object is locked    pominięty
C:\Documents and Settings\Admin\ntuser.dat.LOG    Object is locked    pominięty
C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows\UsrClass.dat    Object is locked    pominięty
C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows\UsrClass.dat.LOG    Object is locked    pominięty
C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\4x5modk7.default\Cache\_CACHE_001_    Object is locked    pominięty
C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\4x5modk7.default\Cache\_CACHE_002_    Object is locked    pominięty
C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\4x5modk7.default\Cache\_CACHE_003_    Object is locked    pominięty
C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\4x5modk7.default\Cache\_CACHE_MAP_    Object is locked    pominięty
C:\Documents and Settings\Admin\Ustawienia lokalne\Historia\History.IE5\index.dat    Object is locked    pominięty
C:\Documents and Settings\Admin\Ustawienia lokalne\Historia\History.IE5\MSHist012008060420080605\index.dat    Object is locked    pominięty
C:\Documents and Settings\Admin\Ustawienia lokalne\Temporary Internet Files\Content.IE5\index.dat    Object is locked    pominięty
C:\Documents and Settings\LocalService\Cookies\index.dat    Object is locked    pominięty
C:\Documents and Settings\LocalService\NTUSER.DAT    Object is locked    pominięty
C:\Documents and Settings\LocalService\ntuser.dat.LOG    Object is locked    pominięty
C:\Documents and Settings\LocalService\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows\UsrClass.dat    Object is locked    pominięty
C:\Documents and Settings\LocalService\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows\UsrClass.dat.LOG    Object is locked    pominięty
C:\Documents and Settings\LocalService\Ustawienia lokalne\Historia\History.IE5\index.dat    Object is locked    pominięty
C:\Documents and Settings\LocalService\Ustawienia lokalne\Temporary Internet Files\Content.IE5\index.dat    Object is locked    pominięty
C:\Documents and Settings\NetworkService\NTUSER.DAT    Object is locked    pominięty
C:\Documents and Settings\NetworkService\ntuser.dat.LOG    Object is locked    pominięty
C:\Documents and Settings\NetworkService\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows\UsrClass.dat    Object is locked    pominięty
C:\Documents and Settings\NetworkService\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows\UsrClass.dat.LOG    Object is locked    pominięty
C:\qoobox\Quarantine\C\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001050.dll.vir    Zainfekowanych: Trojan-Downloader.Win32.Agent.rnp    pominięty
C:\qoobox\Quarantine\C\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001051.exe.vir    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.alzp    pominięty
C:\qoobox\Quarantine\C\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001053.dll.vir    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.amjj    pominięty
C:\qoobox\Quarantine\C\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001054.dll.vir    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.amjj    pominięty
C:\qoobox\Quarantine\C\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001055.dll.vir    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.alwx    pominięty
C:\qoobox\Quarantine\C\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001056.dll.vir    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.alwx    pominięty
C:\qoobox\Quarantine\C\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001057.dll.vir    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.akzp    pominięty
C:\qoobox\Quarantine\C\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001058.dll.vir    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.alzc    pominięty
C:\qoobox\Quarantine\C\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001059.dll.vir    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.amjl    pominięty
C:\qoobox\Quarantine\C\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001060.dll.vir    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.alqx    pominięty
C:\qoobox\Quarantine\C\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001061.dll.vir    Zainfekowanych: Trojan-PSW.Win32.OnLineGames.alyl    pominięty
C:\qoobox\Quarantine\C\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP9\A0001106.dll.vir    Zainfekowanych: Trojan-Downloader.Win32.Agent.rnp    pominięty
C:\qoobox\Quarantine\C\WINDOWS\AppPatch\AcPlugin.dll.vir    Zainfekowanych: Trojan-Spy.Win32.FtpSend.b    pominięty
C:\qoobox\Quarantine\C\WINDOWS\AppPatch\AcSpecf.dll.vir    Zainfekowanych: Trojan-Downloader.Win32.Small.hlp    pominięty
C:\qoobox\Quarantine\C\WINDOWS\AppPatch\AcXtrnel.dll.vir    Zainfekowanych: Trojan-Downloader.Win32.Agent.rnp    pominięty
C:\qoobox\Quarantine\D\yo2mq6.exe.vir    Zainfekowanych: Virus.Win32.Alman.b    pominięty
C:\System Volume Information\MountPointManagerRemoteDatabase    Object is locked    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP10\A0001117.dll    Zainfekowanych: Trojan-Spy.Win32.FtpSend.b    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP10\A0001118.dll    Zainfekowanych: Trojan-Downloader.Win32.Small.hlp    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP10\A0001119.dll    Zainfekowanych: Trojan-Downloader.Win32.Agent.rnp    pominięty
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP10\change.log    Object is locked    pominięty
C:\WINDOWS\Debug\PASSWD.LOG    Object is locked    pominięty
C:\WINDOWS\SchedLgU.Txt    Object is locked    pominięty
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log    Object is locked    pominięty
C:\WINDOWS\system32\CatRoot2\edb.log    Object is locked    pominięty
C:\WINDOWS\system32\CatRoot2\tmp.edb    Object is locked    pominięty
C:\WINDOWS\system32\config\AppEvent.Evt    Object is locked    pominięty
C:\WINDOWS\system32\config\default    Object is locked    pominięty
C:\WINDOWS\system32\config\default.LOG    Object is locked    pominięty
C:\WINDOWS\system32\config\SAM    Object is locked    pominięty
C:\WINDOWS\system32\config\SAM.LOG    Object is locked    pominięty
C:\WINDOWS\system32\config\SecEvent.Evt    Object is locked    pominięty
C:\WINDOWS\system32\config\SECURITY    Object is locked    pominięty
C:\WINDOWS\system32\config\SECURITY.LOG    Object is locked    pominięty
C:\WINDOWS\system32\config\software    Object is locked    pominięty
C:\WINDOWS\system32\config\software.LOG    Object is locked    pominięty
C:\WINDOWS\system32\config\SysEvent.Evt    Object is locked    pominięty
C:\WINDOWS\system32\config\system    Object is locked    pominięty
C:\WINDOWS\system32\config\system.LOG    Object is locked    pominięty
C:\WINDOWS\system32\h323log.txt    Object is locked    pominięty
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR    Object is locked    pominięty
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP    Object is locked    pominięty
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER    Object is locked    pominięty
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP    Object is locked    pominięty
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP    Object is locked    pominięty
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA    Object is locked    pominięty
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP    Object is locked    pominięty
C:\WINDOWS\WindowsUpdate.log    Object is locked    pominięty
D:\System Volume Information\MountPointManagerRemoteDatabase    Object is locked    pominięty
D:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP10\A0001121.exe    Zainfekowanych: Virus.Win32.Alman.b    pominięty
D:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP10\change.log    Object is locked    pominięty
Proces skanowania został zakończony.
PawelG
Forum member
Posts: 25
Joined: 03 Jun 2008, 15:12

Post by huber2t » 04 Jun 2008, 19:37

Download The Avenger

and paste this text into it:
Code:
Folders to delete:
C:\qoobox
C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP10
D:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP10


Copy it, click Paste Script from Clipboard, choose Execute, confirm, and agree to the restart by clicking OK.
Manually delete the file C:\Avenger\backup.zip from the disk and paste the report C:\avenger.txt on the forum.
huber2t
Distinguished forum contributor
Posts: 2798
Joined: 21 Mar 2008, 10:07
Commendations: 42
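The scan output pasted by PawelG and the cleanup script huber2t answers with are two halves of one triage decision: every detection sits either in the ComboFix quarantine (C:\qoobox) or inside a System Restore point (RP10 on C: and D:), and nothing is flagged at a live path, so the remaining work is to drop those folders. The script below is an added example written for this thread, not code from the forum, from ComboFix, from The Avenger or from the scanner. It parses lines in the same layout as the posted log (path, verdict, action separated by runs of spaces, with the Polish-localised strings "Zainfekowanych" and "pominięty" as they appear on the page), groups hits by location, and derives the folder list a helper would hand to a deletion tool. The sample log is constructed from a few of the lines above; the quarantine prefix and the restore-point path pattern are assumptions based on those same lines.

```python
"""Triage a Kaspersky-style scan log by where each detection lives.

Added example for the thread above; not the scanner's, ComboFix's or
The Avenger's own code. Field labels follow the Polish-localised log
on the page ("Zainfekowanych: <name>", "Object is locked", "pominięty").
"""
import re
from collections import Counter, defaultdict

# Constructed sample in the same column layout as the posted log
# (columns separated by four spaces, as rendered on the page).
SAMPLE_LOG = """\
C:\\qoobox\\Quarantine\\C\\WINDOWS\\AppPatch\\AcPlugin.dll.vir    Zainfekowanych: Trojan-Spy.Win32.FtpSend.b    pominięty
C:\\qoobox\\Quarantine\\D\\yo2mq6.exe.vir    Zainfekowanych: Virus.Win32.Alman.b    pominięty
C:\\System Volume Information\\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\\RP10\\A0001117.dll    Zainfekowanych: Trojan-Spy.Win32.FtpSend.b    pominięty
C:\\WINDOWS\\system32\\config\\SAM    Object is locked    pominięty
D:\\System Volume Information\\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\\RP10\\A0001121.exe    Zainfekowanych: Virus.Win32.Alman.b    pominięty
Proces skanowania został zakończony.
"""

INFECTED_RE = re.compile(r"^Zainfekowanych:\s*(\S+)$")
# Assumption: ComboFix keeps its quarantine under C:\qoobox (matches the log).
QUARANTINE_ROOT = "C:\\qoobox"
# Captures the restore-point folder itself (drive, GUID and RPnn) from a file path.
RESTORE_RE = re.compile(
    r"^([A-Za-z]:\\System Volume Information\\_restore\{[^}]+\}\\RP\d+)\\"
)


def parse_scan_log(text):
    """Return (path, status, detection) tuples; status is 'infected' or 'locked'."""
    rows = []
    for raw in text.splitlines():
        parts = [p for p in re.split(r"\t+| {2,}", raw.strip()) if p]
        if len(parts) < 3:
            continue  # footer lines such as "Proces skanowania został zakończony."
        path, verdict = parts[0], parts[1]
        match = INFECTED_RE.match(verdict)
        if match:
            rows.append((path, "infected", match.group(1)))
        elif verdict == "Object is locked":
            rows.append((path, "locked", None))
    return rows


def triage(rows):
    """Group infected files by location: quarantine, restore point, or live disk."""
    summary = {
        "quarantine": [],
        "restore_point": defaultdict(list),  # folder -> [files]
        "live": [],        # anything outside quarantine/restore points: still active
        "locked": 0,       # hives, event logs, etc. the scanner could not open
        "families": Counter(),
    }
    for path, status, detection in rows:
        if status == "locked":
            summary["locked"] += 1
            continue
        summary["families"][detection] += 1
        if path.lower().startswith(QUARANTINE_ROOT.lower() + "\\"):
            summary["quarantine"].append(path)
            continue
        match = RESTORE_RE.match(path)
        if match:
            summary["restore_point"][match.group(1)].append(path)
        else:
            summary["live"].append(path)
    return summary


def cleanup_targets(summary):
    """Folders that hold only already-neutralised copies and can be removed.

    Returns [] for the quarantine/restore-point part if any live hit remains,
    because deleting copies does not fix an active infection.
    """
    if summary["live"]:
        return []
    targets = []
    if summary["quarantine"]:
        targets.append(QUARANTINE_ROOT)
    targets.extend(sorted(summary["restore_point"]))
    return targets


if __name__ == "__main__":
    result = triage(parse_scan_log(SAMPLE_LOG))
    for folder in cleanup_targets(result):
        print(folder)
```

On the constructed sample this yields exactly the three folders in huber2t's Avenger script (C:\qoobox plus RP10 on both drives). The `live` bucket is the important control: if any detection falls outside quarantine and restore points, the function returns nothing, signalling that cleanup of copies alone would leave the infection in place. The Avenger log that follows shows the other practical caveat: the C: restore-point folder could not be removed (STATUS_ACCESS_DENIED), so a folder list is a plan, not a confirmation, and the tool's report still has to be read.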

Post by PawelG » 04 Jun 2008, 20:26


Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Folder "C:\qoobox" deleted successfully.

Error: could not delete folder "C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP10"
Deletion of folder "C:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP10" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)

Folder "D:\System Volume Information\_restore{C666860B-EAB8-4263-A9AE-828CEF86A140}\RP10" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
PawelG
Forum member
Posts: 25
Joined: 03 Jun 2008, 15:12
