samo instalujace sie programy,dzwine"dymki" i prze

**Posty:** 17 · przez **majkel_vega** 30 Sty 2008, 23:48

Witam
Mam problem kiedy net jet podlaczony z paska pojaiwaja sie dymki o dziwnej tersci informujace niby o wirusach przy korzystaniu z wyszukiwarki (zwłaszcza google) po kliknieciu na link zamiast prawidłowej otwiera sie stronka i po jej załadowaniu zaczynaja sie instalowac programy niby anty wiry
Avast poinformował mnie o "wirusie w pamieci" ale nie moze go usunac
Załaczam logi z
Hijacka
http://www.wklej.org/id/b721ac1586
Combofix
http://www.wklej.org/id/74bc25e16c

Bardzo prosze o pomoc w usunieciu tego wirusa z gory wielkie dzieki za pomoc i sorry za ewentulane "wykroczenia" jestem tu świeży

**Posty:** 3854 · przez **Dzi@dek** 31 Sty 2008, 00:20

Wklej logi na forum z tagach [code] lub [quote]

**Posty:** 7838 · przez **Lukesh** 31 Sty 2008, 00:27

Zastosuj sie do wskazowek z tematu: http://forum.programosy.pl/bad-generic-host-process-for-win32-services-vt79489.html
:arrow:

Zrob skan on-line www.ewido.com
:arrow:

Pokaz log z ComboFix: http://www.programosy.pl/program,combofix.html
:arrow:

Zastosuj SDFix . Po pobraniu uruchom go a rozpakuje się do C:\SDFix. Uruchom komputer w trybie awaryjnym (F8 przy stracie systemu). Będąc w awaryjnym uruchom plik RunThis.bat z folderu SDFixa. Zatwierdź czyszczenie przez Y. Poczekaj aż ukończy i komputer zresetuje

zastosuj:
smitfraudfix z opcji 2

Potem wejdz do folderu C:\SDFix wrzuc zawartość pliku Report.txt

:arrow:

na sam koniec wstaw CALE logi wg opisu: http://forum.programosy.pl/hijackthis-amp-silent-runners-gtobsuga-i-umieszczanie-vt9452.html

**Posty:** 17 · przez **majkel_vega** 31 Sty 2008, 00:28

ok juz sie poprawiam

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:30:31, on 2008-01-30
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.onet.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: (no name) - _{9368D063-44BE-49B9-BD14-BB9663FD38FC} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {454D071C-7464-46B7-8896-2BC18E7008A0} - C:\WINDOWS\System32\comdlg3.dll
O2 - BHO: (no name) - {FFAC9C09-29E5-33D2-F2CA-88A52F58A808} - C:\WINDOWS\system32\msadblock32.dll (file missing)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: (no name) - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [Gnetmous] C:\Program Files\Samsung\Samsung Optical Wheel Mouse\gnetmous.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Navnt\POPROXY.EXE
O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\System32\ctfmona.exe
O4 - HKLM\..\Run: [MSCTFMON] C:\WINDOWS\SYSTEM32\msevt32.exe
O4 - HKLM\..\Run: [sysrest32.exe] C:\WINDOWS\System32\sysrest32.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [KernelDrv.exe] C:\WINDOWS\System32\KernelDrv.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Autoochrona programu Norton AntiVirus.lnk = C:\Program Files\Navnt\navapw32.exe
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\NAVAPW32.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinIRXHelper.lnk = C:\Program Files\MSI\Media Center Deluxe II\WinIRXHelper.exe
O4 - Global Startup: Action Manager 32.lnk = C:\Program Files\ScannerU\AM32.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Documents and Settings\MICHAŁ.WLODEK-52A66A7C\Pulpit\Programy\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Documents and Settings\MICHAŁ.WLODEK-52A66A7C\Pulpit\Programy\FlashGet\jc_link.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe (file missing)
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CDTInc/ie/bridge-c46.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.modgik.lodz.pl/Mapa/mgaxctrl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1201615276300
O16 - DPF: {70AA7362-0A16-11D4-877B-008048C4AC6F} (MainControl Class) - http://download.mks.com.pl/files/webscan/WebScan.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: MkS_Scan - Unknown owner - C:\Program Files\MKS\Bin\mks_scan.exe (file missing)
O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - Unknown owner - C:\WINDOWS\System32\mnmsrvc.exe
O23 - Service: Alarm NAV (NAV Alert) - Unknown owner - C:\PROGRA~1\Navnt\alertsvc.exe (file missing)
O23 - Service: Autoochrona programu NAV (NAV Auto-Protect) - Unknown owner - C:\PROGRA~1\Navnt\navapsvc.exe (file missing)
O23 - Service: Norton Scheduler (Norton Program Scheduler) - Unknown owner - C:\PROGRA~1\Navnt\npssvc.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 6637 bytes

ComboFix 08-01-29.3 - WŁODEK 2008-01-29 14:09:02.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.1.1250.1.1045.18.74 [GMT 1:00]
Running from: C:\Documents and Settings\WŁODEK\Pulpit\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\Dll.dll
C:\WINDOWS\system32\icqmlib.exe
C:\WINDOWS\system32\iepref32.dll
C:\WINDOWS\system32\ierplc.dll
C:\WINDOWS\system32\ips.dll
C:\WINDOWS\system32\KernelDrv.exe
C:\WINDOWS\system32\ksvcl.dll
C:\WINDOWS\system32\lanmandrv.sys
C:\WINDOWS\system32\lanmanwrk.exe
C:\WINDOWS\system32\laprxy.dllexe
C:\WINDOWS\system32\ocxapi.dll
C:\WINDOWS\system32\ocxloader.exe
C:\WINDOWS\system32\qmopt.dll
C:\9.tmp
C:\B.tmp
C:\Documents and Settings\All Users\Dane aplikacji\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Dane aplikacji\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\WŁODEK\Dane aplikacji\install.dat
C:\Program Files\bravesentry
C:\Program Files\bravesentry\BraveSentry0.bs
C:\Program Files\bravesentry\BraveSentry1.bs
C:\WINDOWS\~tmp1174.exe
C:\WINDOWS\764.exe
C:\WINDOWS\7search.dll
C:\WINDOWS\absolute key logger.lnk
C:\WINDOWS\aconti.exe
C:\WINDOWS\aconti.ini
C:\WINDOWS\aconti.log
C:\WINDOWS\aconti.sdb
C:\WINDOWS\acontidialer.txt
C:\WINDOWS\adbar.dll
C:\WINDOWS\cbinst$.exe
C:\WINDOWS\daxtime.dll
C:\WINDOWS\default.htm
C:\WINDOWS\dp0.dll
C:\WINDOWS\eventlowg.dll
C:\WINDOWS\fhfmm-Uninstaller.exe
C:\WINDOWS\fhfmm.exe
C:\WINDOWS\flt.dll
C:\WINDOWS\Fonts\acrsecB.fon
C:\WINDOWS\Fonts\acrsecI.fon
C:\WINDOWS\hcwprn.exe
C:\WINDOWS\Help\agt037b.hlp
C:\WINDOWS\hotporn.exe
C:\WINDOWS\ie_32.exe
C:\WINDOWS\iexplorr23.dll
C:\WINDOWS\jd2002.dll
C:\WINDOWS\kkcomp$.exe
C:\WINDOWS\kkcomp.dll
C:\WINDOWS\kkcomp.exe
C:\WINDOWS\kus109.dat
C:\WINDOWS\kvnab$.exe
C:\WINDOWS\kvnab.dll
C:\WINDOWS\kvnab.exe
C:\WINDOWS\liqad$.exe
C:\WINDOWS\liqad.dll
C:\WINDOWS\liqad.exe
C:\WINDOWS\liqui-Uninstaller.exe
C:\WINDOWS\liqui.dll
C:\WINDOWS\liqui.exe
C:\WINDOWS\NDNuninstall4_88.exe
C:\WINDOWS\NDNuninstall4_94.exe
C:\WINDOWS\NDNuninstall5_20.exe
C:\WINDOWS\NDNuninstall6_98.exe
C:\WINDOWS\NDNuninstall7_44.exe
C:\WINDOWS\ngd.dll
C:\WINDOWS\pbar.dll
C:\WINDOWS\pbsysie.dll
C:\WINDOWS\settn.dll
C:\WINDOWS\spredirect.dll
C:\WINDOWS\system32\~.exe
C:\WINDOWS\system32\0_exception.nls
C:\WINDOWS\system32\11300.exe
C:\WINDOWS\system32\34679.exe
C:\WINDOWS\system32\61418.exe
C:\WINDOWS\system32\74549.exe
C:\WINDOWS\system32\adult.txt
C:\WINDOWS\system32\ctfmona.exe
C:\WINDOWS\system32\drivers\Vch26.sys
C:\WINDOWS\system32\finance.txt
C:\WINDOWS\system32\kr_done1
C:\WINDOWS\system32\ksvcl.dll
C:\WINDOWS\system32\kus109.dat
C:\WINDOWS\system32\lt.res
C:\WINDOWS\system32\other.txt
C:\WINDOWS\system32\pharma.txt
C:\WINDOWS\system32\qmopt.dll
C:\WINDOWS\system32\sft.res
C:\WINDOWS\system32\users32.dat
C:\WINDOWS\system32\vx.tll
C:\WINDOWS\wbeCheck.exe
C:\WINDOWS\wbeInst$.exe
C:\WINDOWS\xadbrk.dll
C:\WINDOWS\xadbrk.exe
C:\WINDOWS\xadbrk_.exe
C:\WINDOWS\xxxvideo.exe

----- BITS: Possible infected sites -----

hxxp://www.meoryprof.info
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_LANMANDRV
-------\LEGACY_RUNTIME
-------\lanmandrv
-------\runtime

((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-29 )))))))))))))))))))))))))))))))
.

2008-01-29 13:59 . 2008-01-29 13:59 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-29 00:49 . 2007-12-04 13:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-01-29 00:49 . 2007-12-04 15:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-01-29 00:49 . 2007-12-04 15:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-01-29 00:49 . 2007-12-04 15:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-01-29 00:49 . 2007-12-04 15:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-01-29 00:49 . 2007-12-04 15:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-01-29 00:48 . 2007-12-04 14:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-01-29 00:48 . 2004-01-09 10:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-01-23 19:39 . 2008-01-23 19:39 77,890 --a------ C:\WINDOWS\system32\msevt32.exe
2008-01-18 17:44 . 2008-01-18 17:44 <DIR> d-------- C:\WINDOWS\system32\color
2008-01-18 17:43 . 2008-01-18 17:43 <DIR> d-------- C:\Program Files\ubi.com
2008-01-18 17:43 . 2008-01-18 17:43 <DIR> d-------- C:\Program Files\Common Files\PocketSoft
2008-01-18 15:54 . 2008-01-18 15:54 180,224 --ah----- C:\WINDOWS\system32\BIT35.tmp
2008-01-18 15:54 . 2008-01-18 15:54 0 --a------ C:\WINDOWS\system32\MI34.tmp
2008-01-18 15:53 . 2008-01-18 15:53 4,608 --a------ C:\winlbav.exe
2008-01-18 15:47 . 2008-01-18 15:47 4,608 --a------ C:\winbsqu.exe
2008-01-18 15:47 . 2008-01-18 15:47 0 --a------ C:\WINDOWS\system32\MI31.tmp
2008-01-18 15:41 . 2008-01-18 15:41 0 --a------ C:\WINDOWS\system32\MI2E.tmp
2008-01-18 15:40 . 2008-01-18 15:40 4,608 --a------ C:\wincoub.exe
2008-01-18 15:35 . 2008-01-18 15:35 7,040 --a------ C:\WINDOWS\system32\drivers\ndisaluo.sys
2008-01-18 15:31 . 2008-01-18 15:32 <DIR> dr------- C:\Documents and Settings\LocalService\Ulubione
2008-01-18 15:30 . 2008-01-18 15:30 0 --a------ C:\25.tmp
2008-01-18 15:30 . 2008-01-18 15:30 0 --a------ C:\24.tmp
2008-01-18 15:30 . 2008-01-18 15:30 0 --a------ C:\23.tmp
2008-01-18 15:30 . 2008-01-18 15:30 0 --a------ C:\22.tmp
2008-01-18 15:28 . 2008-01-18 15:28 0 --a------ C:\20.tmp
2008-01-18 15:28 . 2008-01-18 15:28 0 --a------ C:\1F.tmp
2008-01-18 15:27 . 2008-01-18 15:27 0 --a------ C:\1E.tmp
2008-01-18 15:27 . 2008-01-18 15:27 0 --a------ C:\1D.tmp
2008-01-18 15:27 . 2008-01-18 15:27 0 --a------ C:\1C.tmp
2008-01-18 15:27 . 2008-01-18 15:27 0 --a------ C:\1B.tmp
2008-01-18 15:27 . 2008-01-18 15:27 0 --a------ C:\1A.tmp
2008-01-18 15:26 . 2008-01-18 15:26 0 --a------ C:\18.tmp
2008-01-18 15:26 . 2008-01-18 15:26 0 --a------ C:\17.tmp
2008-01-18 15:26 . 2008-01-18 15:26 0 --a------ C:\16.tmp
2008-01-18 15:26 . 2008-01-18 15:26 0 --a------ C:\15.tmp
2008-01-18 15:26 . 2008-01-18 15:26 0 --a------ C:\14.tmp
2008-01-18 15:26 . 2008-01-18 15:26 0 --a------ C:\13.tmp
2008-01-18 15:25 . 2008-01-18 15:25 0 --a------ C:\F.tmp
2008-01-18 15:25 . 2008-01-18 15:25 0 --a------ C:\E.tmp
2008-01-18 15:25 . 2008-01-18 15:25 0 --a------ C:\12.tmp
2008-01-18 15:25 . 2008-01-18 15:25 0 --a------ C:\11.tmp
2008-01-18 15:25 . 2008-01-18 15:25 0 --a------ C:\10.tmp
2008-01-18 15:24 . 2008-01-18 15:24 <DIR> d-------- C:\WINDOWS\system32\ro0
2008-01-18 15:24 . 2008-01-18 15:26 40 --a------ C:\WINDOWS\system32\svchost.t__
2008-01-18 15:24 . 2008-01-18 15:24 0 --a------ C:\D.tmp
2008-01-18 15:24 . 2008-01-18 15:24 0 --a------ C:\C.tmp
2008-01-18 15:24 . 2008-01-18 15:24 0 --a------ C:\6.tmp
2008-01-18 15:24 . 2008-01-18 15:24 0 --a------ C:\5.tmp
2008-01-18 15:23 . 2008-01-18 16:40 434 --a------ C:\WINDOWS\system32\svchost.tmp
2008-01-16 19:44 . 2008-01-16 19:44 716 --a------ C:\WINDOWS\unins001.dat
2008-01-13 00:30 . 2008-01-13 00:30 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab Setup Files
2008-01-12 17:56 . 2008-01-12 17:56 <DIR> d-------- C:\Program Files\Alwil Software
2008-01-10 14:57 . 2008-01-29 13:00 25,513 --a------ C:\WINDOWS\system32\kcopt.dll
2008-01-10 14:39 . 19,456 C:\WINDOWS\system32\drivers\ipserdvm.dat
2008-01-10 14:33 . 2002-09-29 00:00 84,480 --a------ C:\WINDOWS\system32\comdlg3.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-29 13:16 5,120 ----a-w C:\WINDOWS\system32\drivers\Stdsys.SYS
2008-01-29 12:07 15,328 ----a-w C:\WINDOWS\system32\sysrest.sys
2008-01-25 11:49 29,184 ----a-w C:\WINDOWS\system32\sysrest32.exe
2004-11-10 22:37 4 ----a-w C:\Program Files\index.tmp
2003-10-07 22:08 17 ----a-w C:\Program Files\stinger.opt
2003-09-10 12:45 1,164,880 ----a-w C:\Program Files\tleninst402.exe
2003-09-03 19:02 2,486,784 ----a-w C:\Program Files\DivX505Bundle.exe
2003-07-30 15:36 1,259,448 ----a-w C:\Program Files\winzip80.exe
2003-06-20 13:56 1,177,722 ----a-w C:\Program Files\Common Files\tleninst390.exe
2002-02-14 14:42 271 --sh--w C:\Program Files\desktop.ini
2002-02-14 14:42 23,453 ---h--w C:\Program Files\folder.htt
1998-08-24 11:09 10,000 ----a-w C:\WINDOWS\inf\unregpn.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{454D071C-7464-46B7-8896-2BC18E7008A0}]
2002-09-29 00:00 84480 --a------ C:\WINDOWS\System32\comdlg3.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FFAC9C09-29E5-33D2-F2CA-88A52F58A808}]
C:\WINDOWS\system32\msadblock32.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2002-09-29 00:00 13312]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-11-15 16:18 1670144]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NPS Event Checker"="C:\PROGRA~1\Navnt\npscheck.exe" [ ]
"LWBMOUSE"="C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe" [2001-03-26 05:35 429568]
"Gnetmous"="C:\Program Files\Samsung\Samsung Optical Wheel Mouse\gnetmous.exe" [2002-08-02 10:34 153088]
"NeroCheck"="C:\WINDOWS\System32\\NeroCheck.exe" [2001-07-09 11:50 155648]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 17:05 81920]
"Norton eMail Protect"="C:\Program Files\Navnt\POPROXY.EXE" [2001-03-01 13:24 77824]
"MsgCenterExe"="C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [ ]
"P2P Networking"="C:\WINDOWS\System32\P2P Networking\P2P Networking.exe" [ ]
"ctfmona"="C:\WINDOWS\System32\ctfmona.exe" [ ]
"MSCTFMON"="C:\WINDOWS\SYSTEM32\msevt32.exe" [2008-01-23 19:39 77890]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]
"combofix"="C:\ComboFix\kmd.exe" [2002-09-29 00:00 382976]
"lanmanwrk.exe"="C:\WINDOWS\System32\lanmanwrk.exe" [ ]
"KernelDrv.exe"="C:\WINDOWS\System32\KernelDrv.exe" [ ]
"KernelDrv.exe"="C:\WINDOWS\System32\KernelDrv.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-09-29 00:00 13312]
"NvMediaCenter"="C:\WINDOWS\System32\NVMCTRAY.DLL" [2003-07-28 15:19 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KAZAA]
C:\Program Files\Kazaa\kazaa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webHancer Agent]
C:\Program Files\webHancer\Programs\whAgent.exe

R0 vxjethsk;vxjethsk;C:\WINDOWS\System32\drivers\ipserdvm.dat []
R3 sysrest.sys;sysrest.sys;C:\WINDOWS\System32\sysrest.sys [2008-01-29 14:16]
S2 BulkUsb;USB Scanner Driver;C:\WINDOWS\System32\DRIVERS\usbscan.sys [2002-08-29 01:48]
S2 NAV Auto-Protect;Autoochrona programu NAV;C:\PROGRA~1\Navnt\navapsvc.exe []
S3 genmcmn;Scroll Mouse Driver;C:\WINDOWS\System32\DRIVERS\gmfiltr.sys [2001-08-16 10:52]
S3 SetupNTGLM7X;SetupNTGLM7X;D:\NTGLM7X.sys []
S4 cdawdm;CDAWDM;C:\WINDOWS\System32\DRIVERS\CDAWDM.sys []

*Newly Created Service* - ALG
*Newly Created Service* - IPNAT
.
Contents of the 'Scheduled Tasks' folder
"2005-09-28 21:04:12 C:\WINDOWS\Tasks\mks_vir - Zadanie 0.job"
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-29 14:16:58
Windows 5.1.2600 Dodatek Service Pack. 1 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"sysrest32.exe"="C:\\WINDOWS\\System32\\sysrest32.exe"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\SYSTEM32\msevt32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSI\Media Center Deluxe II\WinIRXHelper.exe
.
**************************************************************************
.
Completion time: 2008-01-29 14:19:16 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-29 13:19:10

**Posty:** 3854 · przez **Dzi@dek** 31 Sty 2008, 00:31

Zastosuj SDFix . Po pobraniu uruchom go - rozpakuje się do C:\SDFix.
Uruchom komputer w trybie awaryjnym (F8 przy stracie systemu). Będąc w trybie awaryjnym uruchom plik

RunThis.bat z folderu SDFixa. Zatwierdź czyszczenie przez Y. Poczekaj aż ukończy i komputer zrestartuje.

Później wejdź do folderu C:\SDFix i wrzuć zawartość pliku Report.txt

Lukesh napisał(a):Zastosuj sie do wskazowek z tematu: http://forum.programosy.pl/bad-generic-host-process-for-win32-services-vt79489.html
Zrob skan on-line www.ewido.com

**Posty:** 17 · przez **majkel_vega** 31 Sty 2008, 12:39

Wykonalem wszystko jak zlecono
nadal tak samo wyskakuja dymki po uruchomieniu przegladarki

Wklejam logi

Hijack

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:29:29, on 2008-01-31
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.onet.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: (no name) - _{9368D063-44BE-49B9-BD14-BB9663FD38FC} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {454D071C-7464-46B7-8896-2BC18E7008A0} - C:\WINDOWS\System32\comdlg3.dll
O2 - BHO: (no name) - {699C20C5-1605-43F0-9D5E-773FE5C7071F} - C:\WINDOWS\System32\comdlg3.dll
O2 - BHO: (no name) - {FFAC9C09-29E5-33D2-F2CA-88A52F58A808} - C:\WINDOWS\system32\msadblock32.dll (file missing)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: (no name) - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [Gnetmous] C:\Program Files\Samsung\Samsung Optical Wheel Mouse\gnetmous.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Navnt\POPROXY.EXE
O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSCTFMON] C:\WINDOWS\SYSTEM32\msevt32.exe
O4 - HKLM\..\Run: [sysrest32.exe] C:\WINDOWS\System32\sysrest32.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [KernelDrv.exe] C:\WINDOWS\System32\KernelDrv.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Autoochrona programu Norton AntiVirus.lnk = C:\Program Files\Navnt\navapw32.exe
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\NAVAPW32.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinIRXHelper.lnk = C:\Program Files\MSI\Media Center Deluxe II\WinIRXHelper.exe
O4 - Global Startup: Action Manager 32.lnk = C:\Program Files\ScannerU\AM32.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Documents and Settings\MICHAŁ.WLODEK-52A66A7C\Pulpit\Programy\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Documents and Settings\MICHAŁ.WLODEK-52A66A7C\Pulpit\Programy\FlashGet\jc_link.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe (file missing)
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CDTInc/ie/bridge-c46.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.modgik.lodz.pl/Mapa/mgaxctrl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1201615276300
O16 - DPF: {70AA7362-0A16-11D4-877B-008048C4AC6F} (MainControl Class) - http://download.mks.com.pl/files/webscan/WebScan.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: MkS_Scan - Unknown owner - C:\Program Files\MKS\Bin\mks_scan.exe (file missing)
O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - Unknown owner - C:\WINDOWS\System32\mnmsrvc.exe
O23 - Service: Alarm NAV (NAV Alert) - Unknown owner - C:\PROGRA~1\Navnt\alertsvc.exe (file missing)
O23 - Service: Autoochrona programu NAV (NAV Auto-Protect) - Unknown owner - C:\PROGRA~1\Navnt\navapsvc.exe (file missing)
O23 - Service: Norton Scheduler (Norton Program Scheduler) - Unknown owner - C:\PROGRA~1\Navnt\npssvc.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 6502 bytes

Combofix

ComboFix 08-01-29.3 - WŁODEK 2008-01-31 1:25:58.3 - FAT32x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.1.1250.1.1045.18.141 [GMT 1:00]
Running from: C:\Documents and Settings\WŁODEK\Pulpit\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-31 )))))))))))))))))))))))))))))))
.

2008-01-31 01:21 . 2008-01-31 01:21 3,650 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-31 01:03 . 2008-01-31 01:03 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-30 20:42 . 2001-10-26 16:57 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-01-30 20:42 . 2001-10-26 16:57 12,160 --a------ C:\WINDOWS\system32\dllcache\mouhid.sys
2008-01-30 13:58 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-01-30 13:58 . 2007-07-30 19:18 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-01-30 13:26 . 2008-01-30 13:26 <DIR> d--hs---- C:\FOUND.000
2008-01-29 23:01 . 2008-01-29 23:01 <DIR> d-------- C:\!KillBox
2008-01-29 14:40 . 2002-04-22 11:56 <DIR> d--h----- C:\Documents and Settings\Administrator\Ustawienia lokalne
2008-01-29 14:40 . 2002-04-22 11:56 <DIR> d-------- C:\Documents and Settings\Administrator\Ulubione
2008-01-29 14:40 . 2002-04-22 11:56 <DIR> d--h----- C:\Documents and Settings\Administrator\Szablony
2008-01-29 14:40 . 2002-04-22 11:56 <DIR> d-------- C:\Documents and Settings\Administrator\Pulpit
2008-01-29 14:40 . 2002-04-22 11:56 <DIR> d-------- C:\Documents and Settings\Administrator\Moje dokumenty
2008-01-29 14:40 . 2002-04-22 11:56 <DIR> dr------- C:\Documents and Settings\Administrator\Menu Start
2008-01-29 14:40 . 2002-04-22 11:56 <DIR> dr-h----- C:\Documents and Settings\Administrator\Dane aplikacji
2008-01-29 14:19 . 2008-01-29 14:19 <DIR> d-------- C:\Documents and Settings\WúODEK\Ustawienia lokalne
2008-01-29 14:19 . 2008-01-29 14:19 <DIR> d-------- C:\Documents and Settings\MICHAú\Ustawienia lokalne
2008-01-29 14:19 . 2008-01-29 14:19 <DIR> d-------- C:\Documents and Settings\MICHAú.WLODEK-52A66A7C\Ustawienia lokalne
2008-01-29 13:59 . 2008-01-29 13:59 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-29 00:49 . 2007-12-04 13:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-01-29 00:49 . 2007-12-04 15:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-01-29 00:49 . 2007-12-04 15:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-01-29 00:49 . 2007-12-04 15:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-01-29 00:49 . 2007-12-04 15:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-01-29 00:49 . 2007-12-04 15:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-01-29 00:48 . 2007-12-04 14:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-01-29 00:48 . 2004-01-09 10:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-01-25 12:50 . 2008-01-25 12:49 29,184 --a------ C:\WINDOWS\system32\sysrest32.exe
2008-01-25 12:50 . 2008-01-30 23:34 15,328 --a------ C:\WINDOWS\system32\sysrest.sys
2008-01-23 19:39 . 2008-01-23 19:39 77,890 --a------ C:\WINDOWS\system32\msevt32.exe
2008-01-22 12:35 . 2008-01-22 12:35 <DIR> d-------- C:\Documents and Settings\WŁODEK\Dane aplikacji\spy-rid.com
2008-01-22 12:35 . 2008-01-22 12:35 <DIR> d-------- C:\Documents and Settings\WŁODEK\Dane aplikacji\spy-rid.com
2008-01-22 12:35 . 2008-01-22 12:35 <DIR> d-------- C:\Documents and Settings\WŁODEK\Dane aplikacji\spy-rid.com
2008-01-19 21:15 . 2008-01-19 21:15 <DIR> d-------- C:\Documents and Settings\WŁODEK\Dane aplikacji\EasySpywareCleaner.com
2008-01-19 21:15 . 2008-01-19 21:15 <DIR> d-------- C:\Documents and Settings\WŁODEK\Dane aplikacji\EasySpywareCleaner.com
2008-01-19 21:15 . 2008-01-19 21:15 <DIR> d-------- C:\Documents and Settings\WŁODEK\Dane aplikacji\EasySpywareCleaner.com
2008-01-19 18:15 . 2008-01-19 18:15 <DIR> d-------- C:\Documents and Settings\WŁODEK\Dane aplikacji\InfeStop.com
2008-01-19 18:15 . 2008-01-19 18:15 <DIR> d-------- C:\Documents and Settings\WŁODEK\Dane aplikacji\InfeStop.com
2008-01-19 18:15 . 2008-01-19 18:15 <DIR> d-------- C:\Documents and Settings\WŁODEK\Dane aplikacji\InfeStop.com
2008-01-18 17:44 . 2008-01-18 17:44 <DIR> d-------- C:\WINDOWS\system32\color
2008-01-18 17:43 . 2008-01-18 17:43 <DIR> d-------- C:\Program Files\ubi.com
2008-01-18 17:43 . 2008-01-18 17:43 <DIR> d-------- C:\Program Files\Common Files\PocketSoft
2008-01-18 15:54 . 2008-01-18 15:54 180,224 --ah----- C:\WINDOWS\system32\BIT35.tmp
2008-01-18 15:54 . 2008-01-18 15:54 0 --a------ C:\WINDOWS\system32\MI34.tmp
2008-01-18 15:53 . 2008-01-18 15:53 4,608 --a------ C:\winlbav.exe
2008-01-18 15:47 . 2008-01-18 15:47 4,608 --a------ C:\winbsqu.exe
2008-01-18 15:47 . 2008-01-18 15:47 0 --a------ C:\WINDOWS\system32\MI31.tmp
2008-01-18 15:41 . 2008-01-18 15:41 0 --a------ C:\WINDOWS\system32\MI2E.tmp
2008-01-18 15:40 . 2008-01-18 15:40 4,608 --a------ C:\wincoub.exe
2008-01-18 15:31 . 2008-01-18 15:32 <DIR> dr------- C:\Documents and Settings\LocalService\Ulubione
2008-01-16 19:44 . 2008-01-16 19:44 716 --a------ C:\WINDOWS\unins001.dat
2008-01-13 00:30 . 2008-01-13 00:30 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab Setup Files
2008-01-12 17:56 . 2008-01-12 17:56 <DIR> d-------- C:\Program Files\Alwil Software
2008-01-10 14:57 . 2008-01-29 13:00 25,513 --a------ C:\WINDOWS\system32\kcopt.dll
2008-01-10 14:33 . 2002-09-29 00:00 84,480 --a------ C:\WINDOWS\system32\comdlg3.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-31 00:13 5,120 ----a-w C:\WINDOWS\system32\drivers\Stdsys.SYS
2004-11-10 22:37 4 ----a-w C:\Program Files\index.tmp
2003-10-07 22:08 17 ----a-w C:\Program Files\stinger.opt
2003-09-10 12:45 1,164,880 ----a-w C:\Program Files\tleninst402.exe
2003-09-03 19:02 2,486,784 ----a-w C:\Program Files\DivX505Bundle.exe
2003-07-30 15:36 1,259,448 ----a-w C:\Program Files\winzip80.exe
2003-06-20 13:56 1,177,722 ----a-w C:\Program Files\Common Files\tleninst390.exe
2002-02-14 14:42 271 --sh--w C:\Program Files\desktop.ini
2002-02-14 14:42 23,453 ---h--w C:\Program Files\folder.htt
1998-08-24 11:09 10,000 ----a-w C:\WINDOWS\inf\unregpn.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{454D071C-7464-46B7-8896-2BC18E7008A0}]
2002-09-29 00:00 84480 --a------ C:\WINDOWS\System32\comdlg3.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{699C20C5-1605-43F0-9D5E-773FE5C7071F}]
2002-09-29 00:00 84480 --a------ C:\WINDOWS\System32\comdlg3.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FFAC9C09-29E5-33D2-F2CA-88A52F58A808}]
C:\WINDOWS\system32\msadblock32.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2002-09-29 00:00 13312]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-11-15 16:18 1670144]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NPS Event Checker"="C:\PROGRA~1\Navnt\npscheck.exe" [ ]
"LWBMOUSE"="C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe" [2001-03-26 05:35 429568]
"Gnetmous"="C:\Program Files\Samsung\Samsung Optical Wheel Mouse\gnetmous.exe" [2002-08-02 10:34 153088]
"NeroCheck"="C:\WINDOWS\System32\\NeroCheck.exe" [2001-07-09 11:50 155648]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 17:05 81920]
"Norton eMail Protect"="C:\Program Files\Navnt\POPROXY.EXE" [2001-03-01 13:24 77824]
"MsgCenterExe"="C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [ ]
"MSCTFMON"="C:\WINDOWS\SYSTEM32\msevt32.exe" [2008-01-23 19:39 77890]
"sysrest32.exe"="C:\WINDOWS\System32\sysrest32.exe" [2008-01-25 12:49 29184]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]
"KernelDrv.exe"="C:\WINDOWS\System32\KernelDrv.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-09-29 00:00 13312]
"NvMediaCenter"="C:\WINDOWS\System32\NVMCTRAY.DLL" [2003-07-28 15:19 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KAZAA]
C:\Program Files\Kazaa\kazaa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webHancer Agent]
C:\Program Files\webHancer\Programs\whAgent.exe

S2 BulkUsb;USB Scanner Driver;C:\WINDOWS\System32\DRIVERS\usbscan.sys [2002-08-29 01:48]
S2 NAV Auto-Protect;Autoochrona programu NAV;C:\PROGRA~1\Navnt\navapsvc.exe []
S3 genmcmn;Scroll Mouse Driver;C:\WINDOWS\System32\DRIVERS\gmfiltr.sys [2001-08-16 10:52]
S3 SetupNTGLM7X;SetupNTGLM7X;D:\NTGLM7X.sys []
S3 sysrest.sys;sysrest.sys;C:\WINDOWS\System32\sysrest.sys [2008-01-30 23:34]
S4 cdawdm;CDAWDM;C:\WINDOWS\System32\DRIVERS\CDAWDM.sys []

.
Contents of the 'Scheduled Tasks' folder
"2005-09-28 21:04:12 C:\WINDOWS\Tasks\mks_vir - Zadanie 0.job"
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-31 01:27:50
Windows 5.1.2600 Dodatek Service Pack. 1 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-31 1:28:42
ComboFix-quarantined-files.txt 2008-01-31 00:28:38
ComboFix2.txt 2008-01-30 12:39:00
.
2008-01-29 15:02:13 --- E O F ---

SDFix

SDFix: Version 1.133

Run by WŁODEK on 2008-01-31 at 01:04

Microsoft Windows XP [Wersja 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
vxjethsk

Path:
system32\drivers\ipserdvm.dat

vxjethsk - Deleted

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Service vxjethsk - Deleted after Reboot

Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\system32\drivers\ipserdvm.dat - Deleted
C:\5.TMP - Deleted
C:\6.TMP - Deleted
C:\1A.TMP - Deleted
C:\1B.TMP - Deleted
C:\C.TMP - Deleted
C:\D.TMP - Deleted
C:\11.TMP - Deleted
C:\E.TMP - Deleted
C:\F.TMP - Deleted
C:\10.TMP - Deleted
C:\12.TMP - Deleted
C:\13.TMP - Deleted
C:\14.TMP - Deleted
C:\15.TMP - Deleted
C:\16.TMP - Deleted
C:\17.TMP - Deleted
C:\18.TMP - Deleted
C:\1C.TMP - Deleted
C:\1D.TMP - Deleted
C:\1E.TMP - Deleted
C:\1F.TMP - Deleted
C:\20.TMP - Deleted
C:\22.TMP - Deleted
C:\23.TMP - Deleted
C:\24.TMP - Deleted
C:\25.TMP - Deleted
C:\WINDOWS\system32\TFTP3940 - Deleted
C:\WINDOWS\system32\TFTP216 - Deleted
C:\WINDOWS\system32\svchost.t__ - Deleted
C:\WINDOWS\system32\svchost.tmp - Deleted
C:\WINDOWS\system32\ro0\Report.log - Deleted
C:\WINDOWS\system32\drivers\ndisaluo.sys - Deleted

Folder C:\Documents and Settings\All Users\Dokumenty\Settings - Removed
Folder C:\WINDOWS\system32\ro0 - Removed

Removing Temp Files...

ADS Check:

Final Check:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-31 01:10:27
Windows 5.1.2600 Dodatek Service Pack. 1 FAT NTAPI

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services:
------------------

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Thu 14 Feb 2002 1,660 ..SHR --- "C:\MSDOS.BAK"
Sat 20 Apr 2002 223 ..SH. --- "C:\AUTOEXEC.BAK"
Thu 8 Jun 2000 95,040 ..SH. --- "C:\command.com"
Thu 8 Jun 2000 53,248 ...H. --- "C:\Program Files\Accessories\mspcx32.dll"
Fri 18 Jan 2008 180,224 A..H. --- "C:\WINDOWS\system32\BIT35.tmp"
Fri 11 Jun 2004 48 A.SH. --- "C:\Documents and Settings\All Users\DRM\v2ks.sec.bak"
Fri 11 Jun 2004 400 A.SH. --- "C:\Documents and Settings\All Users\DRM\v2ks.bla.bak"
Sat 5 Jun 2004 401 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv15.bak"
Sun 2 Mar 2003 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 30 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\69d36bfb88bb6252fc5b48610fdd4093\BIT2.tmp"

Finished!

SmithFraudFix

SmitFraudFix v2.277

Scan done at 1:21:34,45, 2008-01-31
Run from C:\Documents and Settings\WŁODEK\Pulpit\SmitfraudFix
OS: Microsoft Windows XP [Wersja 5.1.2600] - Windows_NT
The filesystem type is FAT32
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix.exe by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CS1\Services\Tcpip\..\{4636D9F5-86E9-4254-A39B-A991F4ECF7BC}: DhcpNameServer=192.168.10.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.10.1

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End

Prosze o sprawdzenie tych logów i dalsze wskazówki

**Posty:** 18165 · przez **wojtas** 31 Sty 2008, 12:52

skasuj:

R3 - URLSearchHook: (no name) - _{9368D063-44BE-49B9-BD14-BB9663FD38FC} - (no file)
O2 - BHO: (no name) - {454D071C-7464-46B7-8896-2BC18E7008A0} - C:\WINDOWS\System32\comdlg3.dll
O2 - BHO: (no name) - {699C20C5-1605-43F0-9D5E-773FE5C7071F} - C:\WINDOWS\System32\comdlg3.dll
O2 - BHO: (no name) - {FFAC9C09-29E5-33D2-F2CA-88A52F58A808} - C:\WINDOWS\system32\msadblock32.dll (file missing)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [MSCTFMON] C:\WINDOWS\SYSTEM32\msevt32.exe
O4 - HKLM\..\Run: [sysrest32.exe] C:\WINDOWS\System32\sysrest32.exe
O4 - HKLM\..\Run: [KernelDrv.exe] C:\WINDOWS\System32\KernelDrv.exe
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Navnt\POPROXY.EXE
O4 - Global Startup: Autoochrona programu Norton AntiVirus.lnk = C:\Program Files\Navnt\navapw32.exe
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\NAVAPW32.EXE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CDTInc/ie/bridge-c46.cab
O23 - Service: MkS_Scan - Unknown owner - C:\Program Files\MKS\Bin\mks_scan.exe (file missing)
O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - Unknown owner - C:\WINDOWS\System32\mnmsrvc.exe
O23 - Service: Alarm NAV (NAV Alert) - Unknown owner - C:\PROGRA~1\Navnt\alertsvc.exe (file missing)
O23 - Service: Autoochrona programu NAV (NAV Auto-Protect) - Unknown owner - C:\PROGRA~1\Navnt\navapsvc.exe (file missing)
O23 - Service: Norton Scheduler (Norton Program Scheduler) - Unknown owner - C:\PROGRA~1\Navnt\npssvc.exe (file missing)

Otworz notatnik i wklej w nim to:

File::
C:\WINDOWS\system32\sysrest32.exe
C:\WINDOWS\system32\sysrest.sys
C:\WINDOWS\system32\msevt32.exe
C:\WINDOWS\system32\kcopt.dll
C:\WINDOWS\system32\comdlg3.dll
C:\WINDOWS\system32\BIT35.tmp
C:\WINDOWS\system32\MI34.tmp
C:\winlbav.exe
C:\WINDOWS\System32\mnmsrvc.exe
C:\winbsqu.exe
C:\WINDOWS\system32\MI31.tmp
C:\WINDOWS\system32\MI2E.tmp
C:\wincoub.exe

Folder::
C:\Documents and Settings\WŁODEK\Dane aplikacji\spy-rid.com
C:\Documents and Settings\WŁODEK\Dane aplikacji\spy-rid.com
C:\Documents and Settings\WŁODEK\Dane aplikacji\spy-rid.com
C:\Documents and Settings\WŁODEK\Dane aplikacji\EasySpywareCleaner.com
C:\Documents and Settings\WŁODEK\Dane aplikacji\EasySpywareCleaner.com
C:\Documents and Settings\WŁODEK\Dane aplikacji\EasySpywareCleaner.com
C:\Documents and Settings\WŁODEK\Dane aplikacji\InfeStop.com
C:\Documents and Settings\WŁODEK\Dane aplikacji\InfeStop.com
C:\Documents and Settings\WŁODEK\Dane aplikacji\InfeStop.com
C:\Program Files\Navnt

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webHancer Agent]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FFAC9C09-29E5-33D2-F2CA-88A52F58A808}]

Driver::
NAV Alert
NAV Auto-Protect
mnmsrvc
Norton Program Scheduler

Plik >>> zapisz jako CFScript.txt .Plik przeciągnij i upuść na ikonę ComboFixa (tak jak tu ) . Potwierdz >>> zresetuje sie komputer

(jeśli pojawi się pytanie "1 or 2" - to wpisz 1 i naciśnij ENTER). Rozpocznie się proces usuwania
Potem nowy log z hijacka oraz combofixa

**Posty:** 17 · przez **majkel_vega** 31 Sty 2008, 15:39

zrobiłem zgodnie ze wskazówkami
narazie wyglada ze jest ok

załaczam logi

Hijack

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:29:31, on 2008-01-31
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.onet.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {E5AA81FB-7BFD-420B-9C19-BA7C77A11907} - C:\WINDOWS\System32\comdlg3.dll
O3 - Toolbar: (no name) - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [Gnetmous] C:\Program Files\Samsung\Samsung Optical Wheel Mouse\gnetmous.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinIRXHelper.lnk = C:\Program Files\MSI\Media Center Deluxe II\WinIRXHelper.exe
O4 - Global Startup: Action Manager 32.lnk = C:\Program Files\ScannerU\AM32.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Documents and Settings\MICHAŁ.WLODEK-52A66A7C\Pulpit\Programy\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Documents and Settings\MICHAŁ.WLODEK-52A66A7C\Pulpit\Programy\FlashGet\jc_link.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe (file missing)
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.modgik.lodz.pl/Mapa/mgaxctrl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1201615276300
O16 - DPF: {70AA7362-0A16-11D4-877B-008048C4AC6F} (MainControl Class) - http://download.mks.com.pl/files/webscan/WebScan.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: MkS_Scan - Unknown owner - C:\Program Files\MKS\Bin\mks_scan.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 4933 bytes

Combofix

ComboFix 08-01-29.3 - WŁODEK 2008-01-31 14:13:57.4 - FAT32x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.1.1250.1.1045.18.139 [GMT 1:00]
Running from: C:\Documents and Settings\WŁODEK\Pulpit\ComboFix.exe
Command switches used :: C:\Documents and Settings\WŁODEK\Pulpit\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\winbsqu.exe
C:\wincoub.exe
C:\WINDOWS\system32\BIT35.tmp
C:\WINDOWS\system32\comdlg3.dll
C:\WINDOWS\system32\kcopt.dll
C:\WINDOWS\system32\MI2E.tmp
C:\WINDOWS\system32\MI31.tmp
C:\WINDOWS\system32\MI34.tmp
C:\WINDOWS\System32\mnmsrvc.exe
C:\WINDOWS\system32\msevt32.exe
C:\WINDOWS\system32\sysrest.sys
C:\WINDOWS\system32\sysrest32.exe
C:\winlbav.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\WŁODEK\Dane aplikacji\EasySpywareCleaner.com
C:\Documents and Settings\WŁODEK\Dane aplikacji\InfeStop.com
C:\Documents and Settings\WŁODEK\Dane aplikacji\spy-rid.com
C:\Program Files\Navnt
C:\Program Files\Navnt\DEC2.DLL
C:\Program Files\Navnt\DEC2GZIP.DLL
C:\Program Files\Navnt\DEC2HQX.DLL
C:\Program Files\Navnt\DEC2LHA.DLL
C:\Program Files\Navnt\DEC2LZ.DLL
C:\Program Files\Navnt\DEC2MIME.DLL
C:\Program Files\Navnt\DEC2MSG.DLL
C:\Program Files\Navnt\DEC2OLE1.DLL
C:\Program Files\Navnt\DEC2RAR.DLL
C:\Program Files\Navnt\DEC2RTF.DLL
C:\Program Files\Navnt\DEC2SS.DLL
C:\Program Files\Navnt\DEC2TAR.DLL
C:\Program Files\Navnt\DEC2TNEF.DLL
C:\Program Files\Navnt\DEC2UUE.DLL
C:\Program Files\Navnt\DEC2ZIP.DLL
C:\Program Files\Navnt\DEFANNRS.DLL
C:\Program Files\Navnt\EMAILCFG.DLL
C:\Program Files\Navnt\EmailRes.dll
C:\Program Files\Navnt\END_USER.TXT
C:\Program Files\Navnt\FSLINK.DLL
C:\Program Files\Navnt\In_Rcsp.pdf
C:\Program Files\Navnt\LA_Rcsp.pdf
C:\Program Files\Navnt\LITESCAN.DLL
C:\Program Files\Navnt\LiveMail.ico
C:\Program Files\Navnt\LOGO_OFF.REG
C:\Program Files\Navnt\LOGO_ON.REG
C:\Program Files\Navnt\N32ALERT.DLL
C:\Program Files\Navnt\N32CALL.DLL
C:\Program Files\Navnt\N32PDLL.DLL
C:\Program Files\Navnt\N32SECUR.DLL
C:\Program Files\Navnt\n32userl.dll
C:\Program Files\Navnt\N32VLIST.DLL
C:\Program Files\Navnt\N32ZIP.DLL
C:\Program Files\Navnt\NALERT.MIB
C:\Program Files\Navnt\NAV7Plgs.pdf
C:\Program Files\Navnt\NAV7Plu.pdf
C:\Program Files\Navnt\NAVABOUT.DLL
C:\Program Files\Navnt\NAVAP32.DLL
C:\Program Files\Navnt\NAVINSNT.DLL
C:\Program Files\Navnt\NAVLU32.HLP
C:\Program Files\Navnt\navlucbk.dll
C:\Program Files\Navnt\NAVLWAPI.DLL
C:\Program Files\Navnt\navnt.isu
C:\Program Files\Navnt\NAVNTUTL.DLL
C:\Program Files\Navnt\NAVRPC.DLL
C:\Program Files\Navnt\NAVSHELL.DLL
C:\Program Files\Navnt\NAVTASKS.DLL
C:\Program Files\Navnt\navwnt.cnt
C:\Program Files\Navnt\NETBREXT.DLL
C:\Program Files\Navnt\NsPlugIn.ini
C:\Program Files\Navnt\OFFICEAV.DLL
C:\Program Files\Navnt\OPTSSTUB.DLL
C:\Program Files\Navnt\PATCH32I.DLL
C:\Program Files\Navnt\POPROXY.EXE
C:\Program Files\Navnt\QCONRES.DLL
C:\Program Files\Navnt\QUAR32.DLL
C:\Program Files\Navnt\README.TXT
C:\Program Files\Navnt\REC2.DLL
C:\Program Files\Navnt\S32ALOGO.DLL
C:\Program Files\Navnt\S32INTEG.DLL
C:\Program Files\Navnt\S32NAVO.DLL
C:\Program Files\Navnt\SCANDLVR.DLL
C:\Program Files\Navnt\SCANDRES.DLL
C:\Program Files\Navnt\Schedule.Bak
C:\Program Files\Navnt\scriptui.dll
C:\Program Files\Navnt\SDFLT32I.DLL
C:\Program Files\Navnt\SDPCK32I.DLL
C:\Program Files\Navnt\SDSND32I.DLL
C:\Program Files\Navnt\SDSOK32I.DLL
C:\Program Files\Navnt\SDSTP32I.DLL
C:\Program Files\Navnt\SFSTR32I.DLL
C:\Program Files\Navnt\SMSTR32I.DLL
C:\Program Files\Navnt\support.cnt
C:\Program Files\Navnt\SUPPORT.GID
C:\Program Files\Navnt\support.hlp
C:\Program Files\Navnt\SWPLUGIN.DLL
C:\Program Files\Navnt\SYMAMG32.DLL
C:\Program Files\Navnt\SYMGLOSS.HLP
C:\Program Files\Navnt\SYMGZIP.DLL
C:\Program Files\Navnt\SYMLHA.DLL
C:\Program Files\Navnt\SYMRAR.DLL
C:\Program Files\Navnt\V32SCAN.DLL
C:\Program Files\Navnt\XNTEXCLU.DLL
C:\Program Files\Navnt\XNTXUTIL.DLL
C:\winbsqu.exe
C:\wincoub.exe
C:\WINDOWS\system32\BIT35.tmp
C:\WINDOWS\system32\comdlg3.dll . . . . failed to delete
C:\WINDOWS\system32\kcopt.dll
C:\WINDOWS\system32\MI2E.tmp
C:\WINDOWS\system32\MI31.tmp
C:\WINDOWS\system32\MI34.tmp
C:\WINDOWS\System32\mnmsrvc.exe
C:\WINDOWS\system32\msevt32.exe
C:\WINDOWS\system32\sysrest.sys
C:\WINDOWS\system32\sysrest32.exe
C:\winlbav.exe
C:\WINDOWS\system32\comdlg3.dll . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_NAV_ALERT
-------\LEGACY_NAV_AUTO-PROTECT
-------\LEGACY_NORTON_PROGRAM_SCHEDULER
-------\mnmsrvc
-------\NAV Alert
-------\NAV Auto-Protect
-------\Norton Program Scheduler

((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-31 )))))))))))))))))))))))))))))))
.

2008-01-31 11:25 . 19,584 C:\WINDOWS\system32\drivers\ipserdvm.dat
2008-01-31 01:21 . 2008-01-31 01:21 3,650 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-31 01:03 . 2008-01-31 01:03 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-30 20:42 . 2001-10-26 16:57 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-01-30 20:42 . 2001-10-26 16:57 12,160 --a------ C:\WINDOWS\system32\dllcache\mouhid.sys
2008-01-30 13:58 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-01-30 13:58 . 2007-07-30 19:18 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-01-30 13:26 . 2008-01-30 13:26 <DIR> d--hs---- C:\FOUND.000
2008-01-29 23:01 . 2008-01-29 23:01 <DIR> d-------- C:\!KillBox
2008-01-29 14:40 . 2002-04-22 11:56 <DIR> d--h----- C:\Documents and Settings\Administrator\Ustawienia lokalne
2008-01-29 14:40 . 2002-04-22 11:56 <DIR> d-------- C:\Documents and Settings\Administrator\Ulubione
2008-01-29 14:40 . 2002-04-22 11:56 <DIR> d--h----- C:\Documents and Settings\Administrator\Szablony
2008-01-29 14:40 . 2002-04-22 11:56 <DIR> d-------- C:\Documents and Settings\Administrator\Pulpit
2008-01-29 14:40 . 2002-04-22 11:56 <DIR> d-------- C:\Documents and Settings\Administrator\Moje dokumenty
2008-01-29 14:40 . 2002-04-22 11:56 <DIR> dr------- C:\Documents and Settings\Administrator\Menu Start
2008-01-29 14:40 . 2002-04-22 11:56 <DIR> dr-h----- C:\Documents and Settings\Administrator\Dane aplikacji
2008-01-29 14:19 . <DIR> C:\Documents and Settings\WúODEK\Ustawienia lokalne
2008-01-29 14:19 . <DIR> C:\Documents and Settings\WúODEK\Ustawienia lokalne
2008-01-29 14:19 . <DIR> C:\Documents and Settings\MICHAú\Ustawienia lokalne
2008-01-29 14:19 . <DIR> C:\Documents and Settings\MICHAú.WLODEK-52A66A7C\Ustawienia lokalne
2008-01-29 14:19 . <DIR> C:\Documents and Settings\MICHAú.WLODEK-52A66A7C\Ustawienia lokalne
2008-01-29 13:59 . 2008-01-29 13:59 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-29 00:49 . 2007-12-04 13:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-01-29 00:49 . 2007-12-04 15:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-01-29 00:49 . 2007-12-04 15:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-01-29 00:49 . 2007-12-04 15:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-01-29 00:49 . 2007-12-04 15:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-01-29 00:49 . 2007-12-04 15:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-01-29 00:48 . 2007-12-04 14:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-01-29 00:48 . 2004-01-09 10:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-01-18 17:44 . 2008-01-18 17:44 <DIR> d-------- C:\WINDOWS\system32\color
2008-01-18 17:43 . 2008-01-18 17:43 <DIR> d-------- C:\Program Files\ubi.com
2008-01-18 17:43 . 2008-01-18 17:43 <DIR> d-------- C:\Program Files\Common Files\PocketSoft
2008-01-18 15:31 . 2008-01-18 15:32 <DIR> dr------- C:\Documents and Settings\LocalService\Ulubione
2008-01-16 19:44 . 2008-01-16 19:44 716 --a------ C:\WINDOWS\unins001.dat
2008-01-13 00:30 . 2008-01-13 00:30 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab Setup Files
2008-01-12 17:56 . 2008-01-12 17:56 <DIR> d-------- C:\Program Files\Alwil Software
2008-01-10 14:33 . 2008-01-31 14:16 84,480 --a------ C:\WINDOWS\system32\comdlg3.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-31 13:21 5,120 ----a-w C:\WINDOWS\system32\drivers\Stdsys.SYS
2004-11-10 22:37 4 ----a-w C:\Program Files\index.tmp
2003-10-07 22:08 17 ----a-w C:\Program Files\stinger.opt
2003-09-10 12:45 1,164,880 ----a-w C:\Program Files\tleninst402.exe
2003-09-03 19:02 2,486,784 ----a-w C:\Program Files\DivX505Bundle.exe
2003-07-30 15:36 1,259,448 ----a-w C:\Program Files\winzip80.exe
2003-06-20 13:56 1,177,722 ----a-w C:\Program Files\Common Files\tleninst390.exe
2002-02-14 14:42 271 --sh--w C:\Program Files\desktop.ini
2002-02-14 14:42 23,453 ---h--w C:\Program Files\folder.htt
1998-08-24 11:09 10,000 ----a-w C:\WINDOWS\inf\unregpn.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E5AA81FB-7BFD-420B-9C19-BA7C77A11907}]
2008-01-31 14:16 84480 --a------ C:\WINDOWS\System32\comdlg3.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2002-09-29 00:00 13312]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-11-15 16:18 1670144]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LWBMOUSE"="C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe" [2001-03-26 05:35 429568]
"Gnetmous"="C:\Program Files\Samsung\Samsung Optical Wheel Mouse\gnetmous.exe" [2002-08-02 10:34 153088]
"NeroCheck"="C:\WINDOWS\System32\\NeroCheck.exe" [2001-07-09 11:50 155648]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 17:05 81920]
"MsgCenterExe"="C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [ ]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]
"combofix"="C:\ComboFix\kmd.exe" [2002-09-29 00:00 382976]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-09-29 00:00 13312]
"NvMediaCenter"="C:\WINDOWS\System32\NVMCTRAY.DLL" [2003-07-28 15:19 49152]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 20:05:56 65588]
WinIRXHelper.lnk - C:\Program Files\MSI\Media Center Deluxe II\WinIRXHelper.exe [2003-09-06 16:25:56 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KAZAA]
C:\Program Files\Kazaa\kazaa.exe

R0 vxjethsk;vxjethsk;C:\WINDOWS\System32\drivers\ipserdvm.dat []
S2 BulkUsb;USB Scanner Driver;C:\WINDOWS\System32\DRIVERS\usbscan.sys [2002-08-29 01:48]
S3 genmcmn;Scroll Mouse Driver;C:\WINDOWS\System32\DRIVERS\gmfiltr.sys [2001-08-16 10:52]
S3 SetupNTGLM7X;SetupNTGLM7X;D:\NTGLM7X.sys []
S3 sysrest.sys;sysrest.sys;C:\WINDOWS\System32\sysrest.sys []
S4 cdawdm;CDAWDM;C:\WINDOWS\System32\DRIVERS\CDAWDM.sys []

.
Contents of the 'Scheduled Tasks' folder
"2005-09-28 21:04:12 C:\WINDOWS\Tasks\mks_vir - Zadanie 0.job"
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-31 14:20:30
Windows 5.1.2600 Dodatek Service Pack. 1 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\Program Files\D-Tools\daemon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSI\Media Center Deluxe II\WinIRXHelper.exe
.
**************************************************************************
.
Completion time: 2008-01-31 14:24:07 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-31 13:23:58
ComboFix3.txt 2008-01-30 12:39:00
ComboFix2.txt 2008-01-31 00:28:44
.
2008-01-29 15:02:13 --- E O F ---

Prosze o sprawdzenie tych logów i diagnoze czy juz jest wszystko ok
Wielkie Dzieki za pomoc

**Posty:** 18165 · przez **wojtas** 31 Sty 2008, 15:46

skasuj te wpisy:

O2 - BHO: (no name) - {E5AA81FB-7BFD-420B-9C19-BA7C77A11907} - C:\WINDOWS\System32\comdlg3.dll
O3 - Toolbar: (no name) - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - (no file)
O23 - Service: MkS_Scan - Unknown owner - C:\Program Files\MKS\Bin\mks_scan.exe (file missing)

Start => Uruchom => cmd =>

sc stop sysrest

enter

sc delete sysrest

enter

Ściągnij OTMoveIt W okienko po lewej Paste List of Files/Folders to be Moved wklej

C:\WINDOWS\system32\drivers\ipserdvm.dat
C:\WINDOWS\system32\comdlg3.dll
C:\WINDOWS\System32\sysrest.sys
C:\WINDOWS\Tasks\mks_vir - Zadanie 0.job

Następnie naciskamy - MoveIt!. Pliki zostały przeniesione. Wynik operacji zobaczymy w prawym oknie Results.
Log po pracy programu zobaczymy w lokalizacji - C:\_OTMoveIt\MovedFiles
Po całej operacji należy zresetować komputer

wracasz z logami z hj oraz combo

**Posty:** 17 · przez **majkel_vega** 31 Sty 2008, 16:39

Mam problem ze sciagnieciem tego

Ściągnij OTMoveIt

programu
po kliknieci info ze strona

Strona, której szukasz, mogła zostać usunięta, zmieniono jej nazwę lub jest tymczasowo niedostępna.

a na strone głowna odmawia dostepu
co robic ?

**Posty:** 18165 · przez **wojtas** 31 Sty 2008, 16:50

tu masz ten progs:

http://cybertrash.pl/downloads.php?cat_id=14&download_id=60

**Posty:** 17 · przez **majkel_vega** 31 Sty 2008, 17:21

Zrobiłem wszystko wedlug opisu
ale chyba nie wszystko jest jeszcze ok

Logi
Hijack

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:07:07, on 2008-01-31
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.onet.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {E5AA81FB-7BFD-420B-9C19-BA7C77A11907} - C:\WINDOWS\System32\comdlg3.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [Gnetmous] C:\Program Files\Samsung\Samsung Optical Wheel Mouse\gnetmous.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinIRXHelper.lnk = C:\Program Files\MSI\Media Center Deluxe II\WinIRXHelper.exe
O4 - Global Startup: Action Manager 32.lnk = C:\Program Files\ScannerU\AM32.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Documents and Settings\MICHAŁ.WLODEK-52A66A7C\Pulpit\Programy\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Documents and Settings\MICHAŁ.WLODEK-52A66A7C\Pulpit\Programy\FlashGet\jc_link.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe (file missing)
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.modgik.lodz.pl/Mapa/mgaxctrl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1201615276300
O16 - DPF: {70AA7362-0A16-11D4-877B-008048C4AC6F} (MainControl Class) - http://download.mks.com.pl/files/webscan/WebScan.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 4845 bytes

Combofix

ComboFix 08-01-29.3 - WŁODEK 2008-01-31 16:08:31.5 - FAT32x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.1.1250.1.1045.18.141 [GMT 1:00]
Running from: C:\Documents and Settings\WŁODEK\Pulpit\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-31 )))))))))))))))))))))))))))))))
.

2008-01-31 11:25 . 19,584 C:\WINDOWS\system32\drivers\ipserdvm.dat
2008-01-31 01:21 . 2008-01-31 01:21 3,650 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-31 01:03 . 2008-01-31 01:03 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-30 20:42 . 2001-10-26 16:57 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-01-30 20:42 . 2001-10-26 16:57 12,160 --a------ C:\WINDOWS\system32\dllcache\mouhid.sys
2008-01-30 13:58 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-01-30 13:58 . 2007-07-30 19:18 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-01-30 13:26 . 2008-01-30 13:26 <DIR> d--hs---- C:\FOUND.000
2008-01-29 23:01 . 2008-01-29 23:01 <DIR> d-------- C:\!KillBox
2008-01-29 14:40 . 2002-04-22 11:56 <DIR> d--h----- C:\Documents and Settings\Administrator\Ustawienia lokalne
2008-01-29 14:40 . 2002-04-22 11:56 <DIR> d-------- C:\Documents and Settings\Administrator\Ulubione
2008-01-29 14:40 . 2002-04-22 11:56 <DIR> d--h----- C:\Documents and Settings\Administrator\Szablony
2008-01-29 14:40 . 2002-04-22 11:56 <DIR> d-------- C:\Documents and Settings\Administrator\Pulpit
2008-01-29 14:40 . 2002-04-22 11:56 <DIR> d-------- C:\Documents and Settings\Administrator\Moje dokumenty
2008-01-29 14:40 . 2002-04-22 11:56 <DIR> dr------- C:\Documents and Settings\Administrator\Menu Start
2008-01-29 14:40 . 2002-04-22 11:56 <DIR> dr-h----- C:\Documents and Settings\Administrator\Dane aplikacji
2008-01-29 14:19 . 2008-01-29 14:19 <DIR> d-------- C:\Documents and Settings\WúODEK\Ustawienia lokalne
2008-01-29 14:19 . 2008-01-29 14:19 <DIR> d-------- C:\Documents and Settings\MICHAú\Ustawienia lokalne
2008-01-29 14:19 . 2008-01-29 14:19 <DIR> d-------- C:\Documents and Settings\MICHAú.WLODEK-52A66A7C\Ustawienia lokalne
2008-01-29 13:59 . 2008-01-29 13:59 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-29 00:49 . 2007-12-04 13:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-01-29 00:49 . 2007-12-04 15:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-01-29 00:49 . 2007-12-04 15:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-01-29 00:49 . 2007-12-04 15:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-01-29 00:49 . 2007-12-04 15:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-01-29 00:49 . 2007-12-04 15:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-01-29 00:48 . 2007-12-04 14:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-01-29 00:48 . 2004-01-09 10:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-01-18 17:44 . 2008-01-18 17:44 <DIR> d-------- C:\WINDOWS\system32\color
2008-01-18 17:43 . 2008-01-18 17:43 <DIR> d-------- C:\Program Files\ubi.com
2008-01-18 17:43 . 2008-01-18 17:43 <DIR> d-------- C:\Program Files\Common Files\PocketSoft
2008-01-18 15:31 . 2008-01-18 15:32 <DIR> dr------- C:\Documents and Settings\LocalService\Ulubione
2008-01-16 19:44 . 2008-01-16 19:44 716 --a------ C:\WINDOWS\unins001.dat
2008-01-13 00:30 . 2008-01-13 00:30 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab Setup Files
2008-01-12 17:56 . 2008-01-12 17:56 <DIR> d-------- C:\Program Files\Alwil Software
2008-01-10 14:33 . 2008-01-31 14:16 84,480 --a------ C:\WINDOWS\system32\comdlg3.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-31 14:51 5,120 ----a-w C:\WINDOWS\system32\drivers\Stdsys.SYS
2004-11-10 22:37 4 ----a-w C:\Program Files\index.tmp
2003-10-07 22:08 17 ----a-w C:\Program Files\stinger.opt
2003-09-10 12:45 1,164,880 ----a-w C:\Program Files\tleninst402.exe
2003-09-03 19:02 2,486,784 ----a-w C:\Program Files\DivX505Bundle.exe
2003-07-30 15:36 1,259,448 ----a-w C:\Program Files\winzip80.exe
2003-06-20 13:56 1,177,722 ----a-w C:\Program Files\Common Files\tleninst390.exe
2002-02-14 14:42 271 --sh--w C:\Program Files\desktop.ini
2002-02-14 14:42 23,453 ---h--w C:\Program Files\folder.htt
1998-08-24 11:09 10,000 ----a-w C:\WINDOWS\inf\unregpn.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E5AA81FB-7BFD-420B-9C19-BA7C77A11907}]
2008-01-31 14:16 84480 --a------ C:\WINDOWS\System32\comdlg3.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2002-09-29 00:00 13312]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-11-15 16:18 1670144]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LWBMOUSE"="C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe" [2001-03-26 05:35 429568]
"Gnetmous"="C:\Program Files\Samsung\Samsung Optical Wheel Mouse\gnetmous.exe" [2002-08-02 10:34 153088]
"NeroCheck"="C:\WINDOWS\System32\\NeroCheck.exe" [2001-07-09 11:50 155648]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 17:05 81920]
"MsgCenterExe"="C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [ ]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-09-29 00:00 13312]
"NvMediaCenter"="C:\WINDOWS\System32\NVMCTRAY.DLL" [2003-07-28 15:19 49152]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 20:05:56 65588]
WinIRXHelper.lnk - C:\Program Files\MSI\Media Center Deluxe II\WinIRXHelper.exe [2003-09-06 16:25:56 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KAZAA]
C:\Program Files\Kazaa\kazaa.exe

R0 vxjethsk;vxjethsk;C:\WINDOWS\System32\drivers\ipserdvm.dat []
S2 BulkUsb;USB Scanner Driver;C:\WINDOWS\System32\DRIVERS\usbscan.sys [2002-08-29 01:48]
S3 genmcmn;Scroll Mouse Driver;C:\WINDOWS\System32\DRIVERS\gmfiltr.sys [2001-08-16 10:52]
S3 SetupNTGLM7X;SetupNTGLM7X;D:\NTGLM7X.sys []
S3 sysrest.sys;sysrest.sys;C:\WINDOWS\System32\sysrest.sys []
S4 cdawdm;CDAWDM;C:\WINDOWS\System32\DRIVERS\CDAWDM.sys []

*Newly Created Service* - PSEXESVC
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-31 16:10:39
Windows 5.1.2600 Dodatek Service Pack. 1 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-31 16:11:48
ComboFix-quarantined-files.txt 2008-01-31 15:11:44
ComboFix3.txt 2008-01-30 12:39:00
ComboFix2.txt 2008-01-31 00:28:44
.
2008-01-29 15:02:13 --- E O F ---

OTMoveIt

File move failed. C:\WINDOWS\system32\drivers\ipserdvm.dat scheduled to be moved on reboot.
LoadLibrary failed for C:\WINDOWS\system32\comdlg3.dll
C:\WINDOWS\system32\comdlg3.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\comdlg3.dll scheduled to be moved on reboot.
File/Folder C:\WINDOWS\System32\sysrest.sys not found.
C:\WINDOWS\Tasks\mks_vir - Zadanie 0.job moved successfully.

Created on 01-31-2008 16:02:02

Prosze o sprawdzenie i dlasze wskazówki
wielkie dzieki

**Posty:** 18165 · przez **wojtas** 31 Sty 2008, 18:16

Wklejasz do Notatnika:

DISABLE vxjethsk
DISABLE sysrest
ATTRIB -R-S-H C:\WINDOWS\system32\comdlg3.dll
ATTRIB -R-S-H C:\WINDOWS\System32\sysrest.sys
ATTRIB -R-S-H C:\WINDOWS\System32\drivers\ipserdvm.dat
DEL C:\WINDOWS\system32\comdlg3.dll
DEL C:\WINDOWS\System32\sysrest.sys
DEL C:\WINDOWS\System32\drivers\ipserdvm.dat

Zapisujesz jako plik DEL.TXT i umieszczasz go w C:\WINDOWS

Startujesz z CD XP do konsoli odzyskiwania .Jak już będziesz w linii komend, wpisujesz

BATCH DEL.TXT

Czekasz aż komp się samoczynnie zresetuje. potem nowe logi

**Posty:** 17 · przez **majkel_vega** 31 Sty 2008, 18:18

Nie mam płyty od XP
niestety
co robić?

**Posty:** 18165 · przez **wojtas** 31 Sty 2008, 18:21

sciagnij gmera

Wklej do notatnika

gmer -del service sysrest
gmer -del service vxjethsk
gmer -del file C:\WINDOWS\system32\comdlg3.dll
gmer -del file C:\WINDOWS\System32\sysrest.sys
gmer -del file C:\WINDOWS\System32\drivers\ipserdvm.dat
gmer –reboot

Plik >>> zapisz jako >>> zmien rozszerzenie z TXT na wszystkie typy plików >>> zapisz pod nazwa FIX.BAT

Uruchamiasz Gmera, w zakładce Procesy wybierasz opcje Gmer Awaryjny. Komputer się zresetuje i uruchomi się Gmer. Wybierasz znów zakładke Procesy i na dole w poleceniu przez trzy kropki wskaz plik FIX.BAT i go uruchom.

**Posty:** 17 · przez **majkel_vega** 31 Sty 2008, 18:46

Zrobiłem
daje logi

Hijack

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:36:54, on 2008-01-31
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.onet.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {E5AA81FB-7BFD-420B-9C19-BA7C77A11907} - C:\WINDOWS\System32\comdlg3.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [Gnetmous] C:\Program Files\Samsung\Samsung Optical Wheel Mouse\gnetmous.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinIRXHelper.lnk = C:\Program Files\MSI\Media Center Deluxe II\WinIRXHelper.exe
O4 - Global Startup: Action Manager 32.lnk = C:\Program Files\ScannerU\AM32.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Documents and Settings\MICHAŁ.WLODEK-52A66A7C\Pulpit\Programy\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Documents and Settings\MICHAŁ.WLODEK-52A66A7C\Pulpit\Programy\FlashGet\jc_link.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe (file missing)
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.modgik.lodz.pl/Mapa/mgaxctrl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1201615276300
O16 - DPF: {70AA7362-0A16-11D4-877B-008048C4AC6F} (MainControl Class) - http://download.mks.com.pl/files/webscan/WebScan.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 4860 bytes

Combofix

ComboFix 08-01-29.3 - WŁODEK 2008-01-31 17:38:44.6 - FAT32x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.1.1250.1.1045.18.140 [GMT 1:00]
Running from: C:\Documents and Settings\WŁODEK\Pulpit\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-31 )))))))))))))))))))))))))))))))
.

2008-01-31 17:27 . 2008-01-31 17:29 250 --a------ C:\WINDOWS\gmer.ini
2008-01-31 01:21 . 2008-01-31 01:21 3,650 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-31 01:03 . 2008-01-31 01:03 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-30 20:42 . 2001-10-26 16:57 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-01-30 20:42 . 2001-10-26 16:57 12,160 --a------ C:\WINDOWS\system32\dllcache\mouhid.sys
2008-01-30 13:58 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-01-30 13:58 . 2007-07-30 19:18 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-01-30 13:26 . 2008-01-30 13:26 <DIR> d--hs---- C:\FOUND.000
2008-01-29 23:01 . 2008-01-29 23:01 <DIR> d-------- C:\!KillBox
2008-01-29 14:40 . 2002-04-22 11:56 <DIR> d--h----- C:\Documents and Settings\Administrator\Ustawienia lokalne
2008-01-29 14:40 . 2002-04-22 11:56 <DIR> d-------- C:\Documents and Settings\Administrator\Ulubione
2008-01-29 14:40 . 2002-04-22 11:56 <DIR> d--h----- C:\Documents and Settings\Administrator\Szablony
2008-01-29 14:40 . 2002-04-22 11:56 <DIR> d-------- C:\Documents and Settings\Administrator\Pulpit
2008-01-29 14:40 . 2002-04-22 11:56 <DIR> d-------- C:\Documents and Settings\Administrator\Moje dokumenty
2008-01-29 14:40 . 2002-04-22 11:56 <DIR> dr------- C:\Documents and Settings\Administrator\Menu Start
2008-01-29 14:40 . 2002-04-22 11:56 <DIR> dr-h----- C:\Documents and Settings\Administrator\Dane aplikacji
2008-01-29 14:19 . 2008-01-29 14:19 <DIR> d-------- C:\Documents and Settings\WúODEK\Ustawienia lokalne
2008-01-29 14:19 . 2008-01-29 14:19 <DIR> d-------- C:\Documents and Settings\MICHAú\Ustawienia lokalne
2008-01-29 14:19 . 2008-01-29 14:19 <DIR> d-------- C:\Documents and Settings\MICHAú.WLODEK-52A66A7C\Ustawienia lokalne
2008-01-29 13:59 . 2008-01-29 13:59 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-29 00:49 . 2007-12-04 13:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-01-29 00:49 . 2007-12-04 15:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-01-29 00:49 . 2007-12-04 15:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-01-29 00:49 . 2007-12-04 15:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-01-29 00:49 . 2007-12-04 15:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-01-29 00:49 . 2007-12-04 15:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-01-29 00:48 . 2007-12-04 14:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-01-29 00:48 . 2004-01-09 10:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-01-18 17:44 . 2008-01-18 17:44 <DIR> d-------- C:\WINDOWS\system32\color
2008-01-18 17:43 . 2008-01-18 17:43 <DIR> d-------- C:\Program Files\ubi.com
2008-01-18 17:43 . 2008-01-18 17:43 <DIR> d-------- C:\Program Files\Common Files\PocketSoft
2008-01-18 15:31 . 2008-01-18 15:32 <DIR> dr------- C:\Documents and Settings\LocalService\Ulubione
2008-01-16 19:44 . 2008-01-16 19:44 716 --a------ C:\WINDOWS\unins001.dat
2008-01-13 00:30 . 2008-01-13 00:30 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab Setup Files
2008-01-12 17:56 . 2008-01-12 17:56 <DIR> d-------- C:\Program Files\Alwil Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-31 16:37 4,861 ----a-w C:\Program Files\hijackthis.log23.txt
2008-01-31 15:16 5,120 ----a-w C:\WINDOWS\system32\drivers\Stdsys.SYS
2004-11-10 22:37 4 ----a-w C:\Program Files\index.tmp
2003-10-07 22:08 17 ----a-w C:\Program Files\stinger.opt
2003-09-10 12:45 1,164,880 ----a-w C:\Program Files\tleninst402.exe
2003-09-03 19:02 2,486,784 ----a-w C:\Program Files\DivX505Bundle.exe
2003-07-30 15:36 1,259,448 ----a-w C:\Program Files\winzip80.exe
2003-06-20 13:56 1,177,722 ----a-w C:\Program Files\Common Files\tleninst390.exe
2002-02-14 14:42 271 --sh--w C:\Program Files\desktop.ini
2002-02-14 14:42 23,453 ---h--w C:\Program Files\folder.htt
1998-08-24 11:09 10,000 ----a-w C:\WINDOWS\inf\unregpn.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E5AA81FB-7BFD-420B-9C19-BA7C77A11907}]
C:\WINDOWS\System32\comdlg3.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2002-09-29 00:00 13312]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-11-15 16:18 1670144]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LWBMOUSE"="C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe" [2001-03-26 05:35 429568]
"Gnetmous"="C:\Program Files\Samsung\Samsung Optical Wheel Mouse\gnetmous.exe" [2002-08-02 10:34 153088]
"NeroCheck"="C:\WINDOWS\System32\\NeroCheck.exe" [2001-07-09 11:50 155648]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 17:05 81920]
"MsgCenterExe"="C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [ ]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-09-29 00:00 13312]
"NvMediaCenter"="C:\WINDOWS\System32\NVMCTRAY.DLL" [2003-07-28 15:19 49152]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 20:05:56 65588]
WinIRXHelper.lnk - C:\Program Files\MSI\Media Center Deluxe II\WinIRXHelper.exe [2003-09-06 16:25:56 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KAZAA]
C:\Program Files\Kazaa\kazaa.exe

S0 vxjethsk;vxjethsk;C:\WINDOWS\System32\drivers\ipserdvm.dat []
S2 BulkUsb;USB Scanner Driver;C:\WINDOWS\System32\DRIVERS\usbscan.sys [2002-08-29 01:48]
S3 genmcmn;Scroll Mouse Driver;C:\WINDOWS\System32\DRIVERS\gmfiltr.sys [2001-08-16 10:52]
S3 SetupNTGLM7X;SetupNTGLM7X;D:\NTGLM7X.sys []
S3 sysrest.sys;sysrest.sys;C:\WINDOWS\System32\sysrest.sys []
S4 cdawdm;CDAWDM;C:\WINDOWS\System32\DRIVERS\CDAWDM.sys []

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-31 17:40:31
Windows 5.1.2600 Dodatek Service Pack. 1 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-31 17:41:24
ComboFix-quarantined-files.txt 2008-01-31 16:41:20
ComboFix3.txt 2008-01-30 12:39:00
ComboFix2.txt 2008-01-31 00:28:44
.
2008-01-29 15:02:13 --- E O F ---

**Posty:** 18165 · przez **wojtas** 31 Sty 2008, 19:11

skasuj wpis:

O2 - BHO: (no name) - {E5AA81FB-7BFD-420B-9C19-BA7C77A11907} - C:\WINDOWS\System32\comdlg3.dll (file missing)

Otworz notatnik i wklej w nim to:

Driver::
sysrest.sys
vxjethsk

Plik >>> zapisz jako CFScript.txt .Plik przeciągnij i upuść na ikonę ComboFixa (tak jak tu ) . Potwierdz >>> zresetuje sie komputer

(jeśli pojawi się pytanie "1 or 2" - to wpisz 1 i naciśnij ENTER). Rozpocznie się proces usuwania
Potem nowy log z hijacka oraz combofixa

**Posty:** 17 · przez **majkel_vega** 31 Sty 2008, 19:45

Wykonałem

Wstawiam Logi

Hijack

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:38:17, on 2008-01-31
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.onet.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [Gnetmous] C:\Program Files\Samsung\Samsung Optical Wheel Mouse\gnetmous.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinIRXHelper.lnk = C:\Program Files\MSI\Media Center Deluxe II\WinIRXHelper.exe
O4 - Global Startup: Action Manager 32.lnk = C:\Program Files\ScannerU\AM32.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Documents and Settings\MICHAŁ.WLODEK-52A66A7C\Pulpit\Programy\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Documents and Settings\MICHAŁ.WLODEK-52A66A7C\Pulpit\Programy\FlashGet\jc_link.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe (file missing)
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.modgik.lodz.pl/Mapa/mgaxctrl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1201615276300
O16 - DPF: {70AA7362-0A16-11D4-877B-008048C4AC6F} (MainControl Class) - http://download.mks.com.pl/files/webscan/WebScan.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 4749 bytes

Combofix

ComboFix 08-01-29.3 - WŁODEK 2008-01-31 18:26:38.7 - FAT32x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.1.1250.1.1045.18.137 [GMT 1:00]
Running from: C:\Documents and Settings\WŁODEK\Pulpit\ComboFix.exe
Command switches used :: C:\Documents and Settings\WŁODEK\Pulpit\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-31 )))))))))))))))))))))))))))))))
.

2008-01-31 17:27 . 2008-01-31 17:29 250 --a------ C:\WINDOWS\gmer.ini
2008-01-31 01:21 . 2008-01-31 01:21 3,650 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-31 01:03 . 2008-01-31 01:03 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-30 20:42 . 2001-10-26 16:57 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-01-30 20:42 . 2001-10-26 16:57 12,160 --a------ C:\WINDOWS\system32\dllcache\mouhid.sys
2008-01-30 13:58 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-01-30 13:58 . 2007-07-30 19:18 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-01-30 13:26 . 2008-01-30 13:26 <DIR> d--hs---- C:\FOUND.000
2008-01-29 23:01 . 2008-01-29 23:01 <DIR> d-------- C:\!KillBox
2008-01-29 14:40 . 2002-04-22 11:56 <DIR> d--h----- C:\Documents and Settings\Administrator\Ustawienia lokalne
2008-01-29 14:40 . 2002-04-22 11:56 <DIR> d-------- C:\Documents and Settings\Administrator\Ulubione
2008-01-29 14:40 . 2002-04-22 11:56 <DIR> d--h----- C:\Documents and Settings\Administrator\Szablony
2008-01-29 14:40 . 2002-04-22 11:56 <DIR> d-------- C:\Documents and Settings\Administrator\Pulpit
2008-01-29 14:40 . 2002-04-22 11:56 <DIR> d-------- C:\Documents and Settings\Administrator\Moje dokumenty
2008-01-29 14:40 . 2002-04-22 11:56 <DIR> dr------- C:\Documents and Settings\Administrator\Menu Start
2008-01-29 14:40 . 2002-04-22 11:56 <DIR> dr-h----- C:\Documents and Settings\Administrator\Dane aplikacji
2008-01-29 14:19 . <DIR> C:\Documents and Settings\WúODEK\Ustawienia lokalne
2008-01-29 14:19 . <DIR> C:\Documents and Settings\WúODEK\Ustawienia lokalne
2008-01-29 14:19 . <DIR> C:\Documents and Settings\MICHAú\Ustawienia lokalne
2008-01-29 14:19 . <DIR> C:\Documents and Settings\MICHAú.WLODEK-52A66A7C\Ustawienia lokalne
2008-01-29 14:19 . <DIR> C:\Documents and Settings\MICHAú.WLODEK-52A66A7C\Ustawienia lokalne
2008-01-29 13:59 . 2008-01-29 13:59 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-29 00:49 . 2007-12-04 13:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-01-29 00:49 . 2007-12-04 15:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-01-29 00:49 . 2007-12-04 15:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-01-29 00:49 . 2007-12-04 15:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-01-29 00:49 . 2007-12-04 15:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-01-29 00:49 . 2007-12-04 15:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-01-29 00:48 . 2007-12-04 14:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-01-29 00:48 . 2004-01-09 10:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-01-18 17:44 . 2008-01-18 17:44 <DIR> d-------- C:\WINDOWS\system32\color
2008-01-18 17:43 . 2008-01-18 17:43 <DIR> d-------- C:\Program Files\ubi.com
2008-01-18 17:43 . 2008-01-18 17:43 <DIR> d-------- C:\Program Files\Common Files\PocketSoft
2008-01-18 15:31 . 2008-01-18 15:32 <DIR> dr------- C:\Documents and Settings\LocalService\Ulubione
2008-01-16 19:44 . 2008-01-16 19:44 716 --a------ C:\WINDOWS\unins001.dat
2008-01-13 00:30 . 2008-01-13 00:30 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab Setup Files
2008-01-12 17:56 . 2008-01-12 17:56 <DIR> d-------- C:\Program Files\Alwil Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-31 16:43 5,120 ----a-w C:\WINDOWS\system32\drivers\Stdsys.SYS
2008-01-31 16:37 4,861 ----a-w C:\Program Files\hijackthis.log23.txt
2004-11-10 22:37 4 ----a-w C:\Program Files\index.tmp
2003-10-07 22:08 17 ----a-w C:\Program Files\stinger.opt
2003-09-10 12:45 1,164,880 ----a-w C:\Program Files\tleninst402.exe
2003-09-03 19:02 2,486,784 ----a-w C:\Program Files\DivX505Bundle.exe
2003-07-30 15:36 1,259,448 ----a-w C:\Program Files\winzip80.exe
2003-06-20 13:56 1,177,722 ----a-w C:\Program Files\Common Files\tleninst390.exe
2002-02-14 14:42 271 --sh--w C:\Program Files\desktop.ini
2002-02-14 14:42 23,453 ---h--w C:\Program Files\folder.htt
1998-08-24 11:09 10,000 ----a-w C:\WINDOWS\inf\unregpn.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2002-09-29 00:00 13312]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-11-15 16:18 1670144]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LWBMOUSE"="C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe" [2001-03-26 05:35 429568]
"Gnetmous"="C:\Program Files\Samsung\Samsung Optical Wheel Mouse\gnetmous.exe" [2002-08-02 10:34 153088]
"NeroCheck"="C:\WINDOWS\System32\\NeroCheck.exe" [2001-07-09 11:50 155648]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 17:05 81920]
"MsgCenterExe"="C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [ ]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-09-29 00:00 13312]
"NvMediaCenter"="C:\WINDOWS\System32\NVMCTRAY.DLL" [2003-07-28 15:19 49152]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 20:05:56 65588]
WinIRXHelper.lnk - C:\Program Files\MSI\Media Center Deluxe II\WinIRXHelper.exe [2003-09-06 16:25:56 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KAZAA]
C:\Program Files\Kazaa\kazaa.exe

S2 BulkUsb;USB Scanner Driver;C:\WINDOWS\System32\DRIVERS\usbscan.sys [2002-08-29 01:48]
S3 genmcmn;Scroll Mouse Driver;C:\WINDOWS\System32\DRIVERS\gmfiltr.sys [2001-08-16 10:52]
S3 SetupNTGLM7X;SetupNTGLM7X;D:\NTGLM7X.sys []
S4 cdawdm;CDAWDM;C:\WINDOWS\System32\DRIVERS\CDAWDM.sys []

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-31 18:35:37
Windows 5.1.2600 Dodatek Service Pack. 1 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
.
**************************************************************************
.
Completion time: 2008-01-31 18:37:21 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-31 17:37:16
ComboFix4.txt 2008-01-30 12:39:00
ComboFix3.txt 2008-01-31 00:28:44
ComboFix2.txt 2008-01-31 16:41:26
.
2008-01-29 15:02:13 --- E O F ---

Czekam na sprawdzenie i ocene czy ok
jeszcze raz ogromne dzieki

**Posty:** 18165 · przez **wojtas** 31 Sty 2008, 21:42

czysto juz

pozdro

**Posty:** 17 · przez **majkel_vega** 31 Sty 2008, 21:48

Stary wielkie wielkie dzieki za sprawna i ekspercka pomoc przyznaj Sobie lub nie wiem jak to tam jaks git pochwałe
Wielki szacunek za to co Robisz i robicie tu
Pozdrawiam Serdecznie i dzieki jeszcze raz

samo instalujace sie programy,dzwine"dymki" i prze

samo instalujace sie programy,dzwine"dymki" i prze

Kto jest na forum