"Silent Runners.vbs", revision 58, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by "{++}" Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} "CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS] "ATI Launchpad" = "(empty string)" [file not found] "MsServer" = "msfun80.exe" [null data] "DAEMON Tools Lite" = ""E:\DAEMON Tools Lite\daemon.exe" -autorun" ["DT Soft Ltd"] "SpybotSD TeaTimer" = "E:\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"] "AlcoholAutomount" = ""C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount" [file not found] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++} "this" = "C:\Program Files\Web Technologies\wcs.exe" [null data] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} "ATIPTA" = "atiptaxx.exe" ["ATI Technologies, Inc."] "NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"] "SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"" ["Sun Microsystems, Inc."] "ATICCC" = ""C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay" [null data] "C:\WINDOWS\system32\kdhml.exe" = "C:\WINDOWS\system32\kdhml.exe" [null data] "IMJPMIG8.2" = "msime82.exe" [null data] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided) -> {HKLM...CLSID} = "AcroIEHlprObj Class" \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"] {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20}\(Default) = "Winamp Toolbar Loader" -> {HKLM...CLSID} = "Winamp Toolbar Loader" \InProcServer32\(Default) = "C:\Program Files\Winamp Toolbar\winamptb.dll" ["AOL LLC."] {53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided) -> {HKLM...CLSID} = "Spybot-S&D IE 
Protection" \InProcServer32\(Default) = "E:\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided) -> {HKLM...CLSID} = "SSVHelper Class" \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll" ["Sun Microsystems, Inc."] {96372AB6-15EB-4316-B497-71C741BC548C}\(Default) = (no title provided) -> {HKLM...CLSID} = "Easy Gif Animator Toolbar Helper" \InProcServer32\(Default) = "C:\Program Files\Easy Gif Animator Extension\v3.3.0.1\EasyGifAnimator_Toolbar.dll" [null data] {99C6D1BB-7555-474C-91DA-D8FB62A9CC75}\(Default) = (no title provided) -> {HKLM...CLSID} = "solution Class" \InProcServer32\(Default) = "C:\WINDOWS\system32\3hp8jMQg.dll" ["TODO: <Company name>"] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania" -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania" \InProcServer32\(Default) = "deskpan.dll" [file not found] "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu" -> {HKLM...CLSID} = "HyperTerminal Icon Ext" \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."] "{23170F69-40C1-278A-1000-000100020000}" = "7-Zip Shell Extension" -> {HKLM...CLSID} = "7-Zip Shell Extension" \InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"] "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "E:\WinRAR\rarext.dll" [null data] "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler" -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook" \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS] "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Program 
Files\Microsoft Office\Office10\msohev.dll" [MS] "{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension" -> {HKLM...CLSID} = "SimpleShlExt Class" \InProcServer32\(Default) = "C:\Program Files\ATI Technologies\ATI.ACE\atiacmxx.dll" [empty string] HKLM\SOFTWA RE\Microsoft\Windows NT\CurrentVersion\Winlogon\ <<!>> "System" = "kdhml.exe" [null data] HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\ <<!>> "BootExecute" = "autocheck autochk *"|"lsdelete" [null data] HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."] HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\ {F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info" -> {HKLM...CLSID} = "PDF Shell Extension" \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."] HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\ 7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}" -> {HKLM...CLSID} = "7-Zip Shell Extension" \InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"] WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "E:\WinRAR\rarext.dll" [null data] HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ 7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}" -> {HKLM...CLSID} = "7-Zip Shell Extension" \InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"] WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "E:\WinRAR\rarext.dll" [null data] HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\ WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "E:\WinRAR\rarext.dll" [null data] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: 
detected settings may not have any effect. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ "NoSMBalloonTip" = (REG_DWORD) dword:0x00000000 {unrecognized setting} "NoSaveSettings" = (REG_DWORD) dword:0x00000000 {User Configuration|Administrative Templates|Desktop| Don't save settings at exit} "NoRecentDocsHistory" = (REG_DWORD) dword:0x00000001 {unrecognized setting} "NoLowDiskSpaceChecks" = (REG_DWORD) dword:0x00000001 {unrecognized setting} HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ "NoStrCmpLogical" = (REG_DWORD) dword:0x00000001 {unrecognized setting} "LinkResolveIgnoreLinkInfo" = (REG_DWORD) dword:0x00000000 {unrecognized setting} "NoResolveSearch" = (REG_DWORD) dword:0x00000001 {unrecognized setting} HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions\ "NoBrowserOptions" = (REG_DWORD) dword:0x00000001 {User Configuration|Administrative Templates|Windows Components|Internet Explorer|Browser Menus| Tools menu: Disable Internet Options... 
menu option} HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ "shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} "undockwithoutlogon" = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} "SynchronousMachineGroupPolicy" = (REG_DWORD) dword:0x00000000 {unrecognized setting} "SynchronousUserGroupPolicy" = (REG_DWORD) dword:0x00000000 {unrecognized setting} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ "Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp" Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ "Wallpaper" = "C:\Documents and Settings\liczkowscy\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp" Windows Portable Device AutoPlay Handlers ----------------------------------------- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\ IviDVDEventHandler\ "Provider" = "InterVideo WinDVD" "InvokeProgID" = "DVD" "InvokeVerb" = "play" HKLM\SOFTWARE\Classes\DVD\shell\play\command\(Default) = ""C:\Program Files\Windows Media Player\wmplayer.exe" /prefetch:4 /device:DVD "%L"" [MS] MPCPlayCDAudioOnArrival\ "Provider" = "Media Player Classic" "InvokeProgID" = "MediaPlayerClassic.Autorun" "InvokeVerb" = "PlayCDAudio" HKLM\SOFTWARE\Classes\MediaPlayerClassic.Autorun\shell\PlayCDAudio\command\(Default) = ""C:\Program Files\
K-Lite Codec Pack\Media Player Classic\mplayerc.exe" %1 /cd" ["Gabest"] MPCPlayDVDMovieOnArrival\ "Provider" = "Media Player Classic" "InvokeProgID" = "MediaPlayerClassic.Autorun" "InvokeVerb" = "PlayDVDMovie" HKLM\SOFTWARE\Classes\MediaPlayerClassic.Autorun\shell\PlayDVDMovie\command\(Default) = ""C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe" %1 /dvd" ["Gabest"] MPCPlayMusicFilesOnArrival\ "Provider" = "Media Player Classic" "InvokeProgID" = "MediaPlayerClassic.Autorun" "InvokeVerb" = "PlayMusicFiles" HKLM\SOFTWARE\Classes\MediaPlayerClassic.Autorun\shell\PlayMusicFiles\command\(Default) = ""C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe" %1" ["Gabest"] MPCPlayVideoFilesOnArrival\ "Provider" = "Media Player Classic" "InvokeProgID" = "MediaPlayerClassic.Autorun" "InvokeVerb" = "PlayVideoFiles" HKLM\SOFTWARE\Classes\MediaPlayerClassic.Autorun\shell\PlayVideoFiles\command\(Default) = ""C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe" %1" ["Gabest"] NeroAutoPlay2CDAudio\ "Provider" = "Nero Express" "InvokeProgID" = "Nero.AutoPlay2" "InvokeVerb" = "HandleCDBurningOnArrival_CDAudio" HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\HandleCDBurningOnArrival_CDAudio\command\(Default) = "C:\Program Files\Ahead\nero\nero.exe /w /New:AudioCD /Drive:%L" ["Ahead Software AG"] NeroAutoPlay2CopyCD\ "Provider" = "Nero Express" "InvokeProgID" = "Nero.AutoPlay2" "InvokeVerb" = "PlayCDAudioOnArrival_CopyCD" HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\PlayCDAudioOnArrival_CopyCD\command\(Default) = "C:\Program Files\Ahead\nero\nero.exe /w /Dialog:DiscCopy /Drive:%L" ["Ahead Software AG"] NeroAutoPlay2DataDisc\ "Provider" = "Nero Express" "InvokeProgID" = "Nero.AutoPlay2"
"InvokeVerb" = "HandleCDBurningOnArrival_DataDisc" HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\HandleCDBurningOnArrival_DataDisc\command\(Default) = "C:\Program Files\Ahead\nero\nero.exe /w /New:ISODisc /Drive:%L" ["Ahead Software AG"] NeroAutoPlay2LaunchNeroStartSmart\ "Provider" = "Nero StartSmart" "InvokeProgID" = "Nero.AutoPlay2" "InvokeVerb" = "HandleCDBurningOnArrival_LaunchNeroStartSmart" HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\HandleCDBurningOnArrival_LaunchNeroStartSmart\command\(Default) = "C:\Program Files\Ahead\Nero StartSmart\NeroStartSmart.exe /AutoPlay /Drive:%L" ["Ahead Software AG"] WinampMTPHandler\ "Provider" = "Winamp" "ProgID" = "Shell.HWEventHandlerShellExecute" "InitCmdLine" = "F:\Program Files\Winamp\winamp.exe" HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" -> {HKLM...CLSID} = "ShellExecute HW Event Handler" \LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS] WinampPlayMediaOnArrival\ "Provider" = "Winamp" "InvokeProgID" = "Winamp.File" "InvokeVerb" = "Play" HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\command\(Default) = ""F:\Program Files\Winamp\winamp.exe" "%1"" ["Nullsoft"] HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\DropTarget\CLSID = "{46986115-84D6-459c-8F95-52DD653E532E}" -> {HKLM...CLSID} = (no title provided) \LocalServer32\(Default) = ""F:\Program Files\Winamp\winamp.exe"" ["Nullsoft"] Startup items in "liczkowscy" & "All Users" startup folders: ------------------------------------------------------------ C:\Documents and Settings\All Users\Menu Start\Programy\Autostart "Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"] "Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS] Enabled Scheduled Tasks: ------------------------ "AppleSoftwareUpdate" -> launches: 
"C:\Program Files\Apple Software Update\SoftwareUpdate.exe -task" ["Apple Inc."] "At1" -> launches: "C:\WINDOWS\system32\2lRS3447.exe" [null data] "At10" -> launches: "C:\WINDOWS\system32\2lRS3447.exe" [null data] "At11" -> launches: "C:\WINDOWS\system32\2lRS3447.exe" [null data] "At12" -> launches: "C:\WINDOWS\system32\2lRS3447.exe" [null data] "At13" -> launches: "C:\WINDOWS\system32\2lRS3447.exe" [null data] "At14" -> launches: "C:\WINDOWS\system32\2lRS3447.exe" [null data] "At15" -> launches: "C:\WINDOWS\system32\2lRS3447.exe" [null data] "At16" -> launches: "C:\WINDOWS\system32\2lRS3447.exe" [null data] "At17" -> launches: "C:\WINDOWS\system32\2lRS3447.exe" [null data] "At18" -> launches: "C:\WINDOWS\system32\2lRS3447.exe" [null data] "At19" -> launches: "C:\WINDOWS\system32\2lRS3447.exe" [null data] "At2" -> launches: "C:\WINDOWS\system32\2lRS3447.exe" [null data] "At20" -> launches: "C:\WINDOWS\system32\2lRS3447.exe" [null data] "At21" -> launches: "C:\WINDOWS\system32\2lRS3447.exe" [null data] "At22" -> launches: "C:\WINDOWS\system32\2lRS3447.exe" [null data] "At23" -> launches: "C:\WINDOWS\system32\2lRS3447.exe" [null data] "At24" -> launches: "C:\WINDOWS\system32\2lRS3447.exe" [null data] "At25" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found] "At26" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found] "At27" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found] "At28" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found] "At29" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found] "At3" -> launches: "C:\WINDOWS\system32\2lRS3447.exe" [null data] "At30" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found] "At31" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found] "At32" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found] "At33" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found] "At34" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not 
found] "At35" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found] "At36" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found] "At37" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found] "At38" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found] "At39" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found] "At4" -> launches: "C:\WINDOWS\system32\2lRS3447.exe" [null data] "At40" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found] "At41" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found] "At42" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found] "At43" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found] "At44" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found] "At45" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found] "At46" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found] "At47" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found] "At48" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found] "At49" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found] "At5" -> launches: "C:\WINDOWS\system32\2lRS3447.exe" [null data] "At50" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found] "At51" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found] "At52" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found] "At53" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found] "At54" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found] "At55" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found] "At56" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found] "At57" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found] "At58" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found] "At59" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found] "At6" -> launches: "C:\WINDOWS\system32\2lRS3447.exe" [null 
data] "At60" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found] "At61" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found] "At62" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found] "At63" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found] "At64" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found] "At65" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found] "At66" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found] "At67" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found] "At68" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found] "At69" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found] "At7" -> launches: "C:\WINDOWS\system32\2lRS3447.exe" [null data] "At70" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found] "At71" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found] "At72" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found] "At73" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found] "At74" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found] "At75" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found] "At76" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found] "At77" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found] "At78" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found] "At79" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found] "At8" -> launches: "C:\WINDOWS\system32\2lRS3447.exe" [null data] "At80" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found] "At81" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found] "At82" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found] "At83" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found] "At84" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found] "At85" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file 
not found] "At86" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found] "At87" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found] "At88" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found] "At89" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found] "At9" -> launches: "C:\WINDOWS\system32\2lRS3447.exe" [null data] "At90" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found] "At91" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found] "At92" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found] "At93" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found] "At94" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found] "At95" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found] "At96" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found] "Spybot - Search & Destroy - Scheduled Task" -> launches: "E:\Spybot - Search & Destroy\SpybotSD.exe /AUTOCHECK" ["Safer Networking Limited"] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS] 000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] Transport Service Providers HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ "{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}" -> {HKLM...CLSID} = "Winamp Toolbar" \InProcServer32\(Default) = "C:\Program Files\Winamp 
Toolbar\winamptb.dll" ["AOL LLC."] "{35065594-9169-4A34-B167-FC4865038E53}" -> {HKLM...CLSID} = "Easy Gif Animator Toolbar" \InProcServer32\(Default) = "C:\Program Files\Easy Gif Animator Extension\v3.3.0.1\EasyGifAnimator_Toolbar.dll" [null data] HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ "{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}" = "Winamp Toolbar" -> {HKLM...CLSID} = "Winamp Toolbar" \InProcServer32\(Default) = "C:\Program Files\Winamp Toolbar\winamptb.dll" ["AOL LLC."] "{35065594-9169-4A34-B167-FC4865038E53}" = "Easy Gif Animator Toolbar" -> {HKLM...CLSID} = "Easy Gif Animator Toolbar" \InProcServer32\(Default) = "C:\Program Files\Easy Gif Animator Extension\v3.3.0.1\EasyGifAnimator_Toolbar.dll" [null data] Extensions (Tools menu items, main toolbar menu buttons) HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ "MenuText" = "Sun Java Console" "CLSIDExtension" = "{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC}" -> {HKCU...CLSID} = "Java Plug-in 1.6.0_05" \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll" ["Sun Microsystems, Inc."] -> {HKLM...CLSID} = "Java Plug-in 1.6.0_05" \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll" ["Sun Microsystems, Inc."] {DFB852A3-47F8-48C4-A200-58CAB36FD2A2}\ "MenuText" = "Spybot - Search & Destroy Configuration" "CLSIDExtension" = "{53707962-6F74-2D53-2644-206D7942484F}" -> {HKLM...CLSID} = "Spybot-S&D IE Protection" \InProcServer32\(Default) = "E:\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"] {FB5F1910-F110-11D2-BB9E-00C04F795683}\ "ButtonText" = "Messenger" "MenuText" = "Windows Messenger" "Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS] Miscellaneous IE Hijack Points ------------------------------ HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\ <<H>> "Tabs" = "res://ieframe.dll/tabswelcome.htm" [file not found] Running Services (Display Name, Service Name, Path {Service DLL}): 
------------------------------------------------------------------ Ad-Aware 2007 Service, aawservice, ""C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe"" ["Lavasoft"] Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."] LightScribeService Direct Disc Labeling Service, LightScribeService, "C:\Program Files\Common Files\LightScribe\LSSrvc.exe" ["Hewlett-Packard Company"] Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS] Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS] ---------- (launch time: 2008-08-09 23:35:26) <<!>>: Suspicious data at a malware launch point. <<H>>: Suspicious data at a browser hijack point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 160 seconds. ---------- (total run time: 213 seconds)
Logs - Strange process
#1
Posted 09 08 2008 - 23:41
#2
Posted 10 08 2008 - 07:03
After using it, you may need to set your internet provider's DNS again.
-->How to restore the correct DNS.
2) Close the wormy ports with --> Windows Worms Doors Cleaner
Set the markers to green; NetBIOS may stay yellow.
A restart is required after using the tool.
3) Download ComboFix
Paste into Notepad:
File::
C:\WINDOWS\system32\msime82.exe
C:\WINDOWS\system32\msfun80.exe
C:\WINDOWS\msfun80.exe
C:\Program Files\Web Technologies\wcs.exe
C:\WINDOWS\system32\kdhml.exe
C:\WINDOWS\system32\3hp8jMQg.dll
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At25.job
C:\WINDOWS\Tasks\At26.job
C:\WINDOWS\Tasks\At27.job
C:\WINDOWS\Tasks\At28.job
C:\WINDOWS\Tasks\At29.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At30.job
C:\WINDOWS\Tasks\At31.job
C:\WINDOWS\Tasks\At32.job
C:\WINDOWS\Tasks\At33.job
C:\WINDOWS\Tasks\At34.job
C:\WINDOWS\Tasks\At35.job
C:\WINDOWS\Tasks\At36.job
C:\WINDOWS\Tasks\At37.job
C:\WINDOWS\Tasks\At38.job
C:\WINDOWS\Tasks\At39.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At40.job
C:\WINDOWS\Tasks\At41.job
C:\WINDOWS\Tasks\At42.job
C:\WINDOWS\Tasks\At43.job
C:\WINDOWS\Tasks\At44.job
C:\WINDOWS\Tasks\At45.job
C:\WINDOWS\Tasks\At46.job
C:\WINDOWS\Tasks\At47.job
C:\WINDOWS\Tasks\At48.job
C:\WINDOWS\Tasks\At49.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At50.job
C:\WINDOWS\Tasks\At51.job
C:\WINDOWS\Tasks\At52.job
C:\WINDOWS\Tasks\At53.job
C:\WINDOWS\Tasks\At54.job
C:\WINDOWS\Tasks\At55.job
C:\WINDOWS\Tasks\At56.job
C:\WINDOWS\Tasks\At57.job
C:\WINDOWS\Tasks\At58.job
C:\WINDOWS\Tasks\At59.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At60.job
C:\WINDOWS\Tasks\At61.job
C:\WINDOWS\Tasks\At62.job
C:\WINDOWS\Tasks\At63.job
C:\WINDOWS\Tasks\At64.job
C:\WINDOWS\Tasks\At65.job
C:\WINDOWS\Tasks\At66.job
C:\WINDOWS\Tasks\At67.job
C:\WINDOWS\Tasks\At68.job
C:\WINDOWS\Tasks\At69.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At70.job
C:\WINDOWS\Tasks\At71.job
C:\WINDOWS\Tasks\At72.job
C:\WINDOWS\Tasks\At73.job
C:\WINDOWS\Tasks\At74.job
C:\WINDOWS\Tasks\At75.job
C:\WINDOWS\Tasks\At76.job
C:\WINDOWS\Tasks\At77.job
C:\WINDOWS\Tasks\At78.job
C:\WINDOWS\Tasks\At79.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At80.job
C:\WINDOWS\Tasks\At81.job
C:\WINDOWS\Tasks\At82.job
C:\WINDOWS\Tasks\At83.job
C:\WINDOWS\Tasks\At84.job
C:\WINDOWS\Tasks\At85.job
C:\WINDOWS\Tasks\At86.job
C:\WINDOWS\Tasks\At87.job
C:\WINDOWS\Tasks\At88.job
C:\WINDOWS\Tasks\At89.job
C:\WINDOWS\Tasks\At9.job
C:\WINDOWS\Tasks\At90.job
C:\WINDOWS\Tasks\At91.job
C:\WINDOWS\Tasks\At92.job
C:\WINDOWS\Tasks\At93.job
C:\WINDOWS\Tasks\At94.job
C:\WINDOWS\Tasks\At95.job
C:\WINDOWS\Tasks\At96.job
C:\WINDOWS\system32\L18E0mq0.exe
C:\WINDOWS\system32\2lRS3447.exe
Folder::
C:\Program Files\Web Technologies
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsServer"=-
"ATI Launchpad"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"this"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C:\WINDOWS\system32\kdhml.exe"=-
"IMJPMIG8.2"=-
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\99C6D1BB-7555-474C-91DA-D8FB62A9CC75}]
>>File>>Save as... >>> CFScript
Drag and drop the CFScript.txt file onto ComboFix.exe
just like in this picture -->
The removal should begin (and a log will be created).
After the restart, manually delete the folder C:\Qoobox.
Post the log that is created during the removal.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
<<!>> "System" = "kdhml.exe" [null data]
This should disappear by itself once Fixwareout removes the Ukrainian rootkit.
Also post the report from C:\Fixwareout.txt.
ordynat
#3
Posted 10 08 2008 - 13:33
Username "liczkowscy" - 2008-08-10 12:59:16 [Fixwareout edited 9/01/2007] ~~~~~ Prerun check HKLM\SOFTWARE\~\Winlogon\ "System"="kdhml.exe" Pomyślnie opróżniono pamięć podręczną programu rozpoznawania nazw DNS. System was rebooted successfully. ~~~~~ Postrun check HKLM\SOFTWARE\~\Winlogon\ "system"="" .... .... ~~~~~ Misc files. .... ~~~~~ Checking for older varients. .... ~~~~~ Other C:\WINDOWS\Temp\kdhml.ren 62976 2007-06-13 ~~~~~ Current runs (hklm hkcu "run" Keys Only) [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ATIPTA"="atiptaxx.exe" "NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe" "SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_05\\bin\\jusched.exe\"" "ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime -Delay" "C:\\WINDOWS\\system32\\kdhml.exe"="C:\\WINDOWS\\system32\\kdhml.exe" "IMJPMIG8.2"="msime82.exe" [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe" "ATI Launchpad"="" "MsServer"="msfun80.exe" "DAEMON Tools Lite"="\"E:\\DAEMON Tools Lite\\daemon.exe\" -autorun" "SpybotSD TeaTimer"="E:\\Spybot - Search & Destroy\\TeaTimer.exe" "AlcoholAutomount"="\"C:\\Program Files\\Alcohol Soft\\Alcohol 120\\axcmd.exe\" /automount" .... Hosts file was reset, If you use a custom hosts file please replace it... ~~~~~ End report ~~~~~
And now ComboFix
ComboFix 08-08-09.06 - liczkowscy 2008-08-10 13:15:28.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.276 [GMT 2:00] Running from: E:\Obrazki, instalki i inne\ComboFix.exe Command switches used :: E:\Obrazki, instalki i inne\CFScript.txt * Created a new restore point WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! FILE :: C:\Program Files\Web Technologies\wcs.exe C:\WINDOWS\msfun80.exe C:\WINDOWS\system32\2lRS3447.exe C:\WINDOWS\system32\3hp8jMQg.dll C:\WINDOWS\system32\kdhml.exe C:\WINDOWS\system32\L18E0mq0.exe C:\WINDOWS\system32\msfun80.exe C:\WINDOWS\system32\msime82.exe C:\WINDOWS\Tasks\At1.job C:\WINDOWS\Tasks\At10.job C:\WINDOWS\Tasks\At11.job C:\WINDOWS\Tasks\At12.job C:\WINDOWS\Tasks\At13.job C:\WINDOWS\Tasks\At14.job C:\WINDOWS\Tasks\At15.job C:\WINDOWS\Tasks\At16.job C:\WINDOWS\Tasks\At17.job C:\WINDOWS\Tasks\At18.job C:\WINDOWS\Tasks\At19.job C:\WINDOWS\Tasks\At2.job C:\WINDOWS\Tasks\At20.job C:\WINDOWS\Tasks\At21.job C:\WINDOWS\Tasks\At22.job C:\WINDOWS\Tasks\At23.job C:\WINDOWS\Tasks\At24.job C:\WINDOWS\Tasks\At25.job C:\WINDOWS\Tasks\At26.job C:\WINDOWS\Tasks\At27.job C:\WINDOWS\Tasks\At28.job C:\WINDOWS\Tasks\At29.job C:\WINDOWS\Tasks\At3.job C:\WINDOWS\Tasks\At30.job C:\WINDOWS\Tasks\At31.job C:\WINDOWS\Tasks\At32.job C:\WINDOWS\Tasks\At33.job C:\WINDOWS\Tasks\At34.job C:\WINDOWS\Tasks\At35.job C:\WINDOWS\Tasks\At36.job C:\WINDOWS\Tasks\At37.job C:\WINDOWS\Tasks\At38.job C:\WINDOWS\Tasks\At39.job C:\WINDOWS\Tasks\At4.job C:\WINDOWS\Tasks\At40.job C:\WINDOWS\Tasks\At41.job C:\WINDOWS\Tasks\At42.job C:\WINDOWS\Tasks\At43.job C:\WINDOWS\Tasks\At44.job C:\WINDOWS\Tasks\At45.job C:\WINDOWS\Tasks\At46.job C:\WINDOWS\Tasks\At47.job C:\WINDOWS\Tasks\At48.job C:\WINDOWS\Tasks\At49.job C:\WINDOWS\Tasks\At5.job C:\WINDOWS\Tasks\At50.job C:\WINDOWS\Tasks\At51.job C:\WINDOWS\Tasks\At52.job C:\WINDOWS\Tasks\At53.job 
C:\WINDOWS\Tasks\At54.job C:\WINDOWS\Tasks\At55.job C:\WINDOWS\Tasks\At56.job C:\WINDOWS\Tasks\At57.job C:\WINDOWS\Tasks\At58.job C:\WINDOWS\Tasks\At59.job C:\WINDOWS\Tasks\At6.job C:\WINDOWS\Tasks\At60.job C:\WINDOWS\Tasks\At61.job C:\WINDOWS\Tasks\At62.job C:\WINDOWS\Tasks\At63.job C:\WINDOWS\Tasks\At64.job C:\WINDOWS\Tasks\At65.job C:\WINDOWS\Tasks\At66.job C:\WINDOWS\Tasks\At67.job C:\WINDOWS\Tasks\At68.job C:\WINDOWS\Tasks\At69.job C:\WINDOWS\Tasks\At7.job C:\WINDOWS\Tasks\At70.job C:\WINDOWS\Tasks\At71.job C:\WINDOWS\Tasks\At72.job C:\WINDOWS\Tasks\At73.job C:\WINDOWS\Tasks\At74.job C:\WINDOWS\Tasks\At75.job C:\WINDOWS\Tasks\At76.job C:\WINDOWS\Tasks\At77.job C:\WINDOWS\Tasks\At78.job C:\WINDOWS\Tasks\At79.job C:\WINDOWS\Tasks\At8.job C:\WINDOWS\Tasks\At80.job C:\WINDOWS\Tasks\At81.job C:\WINDOWS\Tasks\At82.job C:\WINDOWS\Tasks\At83.job C:\WINDOWS\Tasks\At84.job C:\WINDOWS\Tasks\At85.job C:\WINDOWS\Tasks\At86.job C:\WINDOWS\Tasks\At87.job C:\WINDOWS\Tasks\At88.job C:\WINDOWS\Tasks\At89.job C:\WINDOWS\Tasks\At9.job C:\WINDOWS\Tasks\At90.job C:\WINDOWS\Tasks\At91.job C:\WINDOWS\Tasks\At92.job C:\WINDOWS\Tasks\At93.job C:\WINDOWS\Tasks\At94.job C:\WINDOWS\Tasks\At95.job C:\WINDOWS\Tasks\At96.job . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . 
C:\autorun.inf C:\Program Files\Web Technologies C:\Program Files\Web Technologies\wcs.exe C:\Program Files\Web Technologies\wcu.exe C:\WINDOWS\system32\2lRS3447.exe C:\WINDOWS\system32\3hp8jMQg.dll C:\WINDOWS\system32\L18E0mq0.exe C:\WINDOWS\system32\msfun80.exe C:\WINDOWS\system32\msime82.exe C:\WINDOWS\Tasks\At1.job C:\WINDOWS\Tasks\At10.job C:\WINDOWS\Tasks\At11.job C:\WINDOWS\Tasks\At12.job C:\WINDOWS\Tasks\At13.job C:\WINDOWS\Tasks\At14.job C:\WINDOWS\Tasks\At15.job C:\WINDOWS\Tasks\At16.job C:\WINDOWS\Tasks\At17.job C:\WINDOWS\Tasks\At18.job C:\WINDOWS\Tasks\At19.job C:\WINDOWS\Tasks\At2.job C:\WINDOWS\Tasks\At20.job C:\WINDOWS\Tasks\At21.job C:\WINDOWS\Tasks\At22.job C:\WINDOWS\Tasks\At23.job C:\WINDOWS\Tasks\At24.job C:\WINDOWS\Tasks\At25.job C:\WINDOWS\Tasks\At26.job C:\WINDOWS\Tasks\At27.job C:\WINDOWS\Tasks\At28.job C:\WINDOWS\Tasks\At29.job C:\WINDOWS\Tasks\At3.job C:\WINDOWS\Tasks\At30.job C:\WINDOWS\Tasks\At31.job C:\WINDOWS\Tasks\At32.job C:\WINDOWS\Tasks\At33.job C:\WINDOWS\Tasks\At34.job C:\WINDOWS\Tasks\At35.job C:\WINDOWS\Tasks\At36.job C:\WINDOWS\Tasks\At37.job C:\WINDOWS\Tasks\At38.job C:\WINDOWS\Tasks\At39.job C:\WINDOWS\Tasks\At4.job C:\WINDOWS\Tasks\At40.job C:\WINDOWS\Tasks\At41.job C:\WINDOWS\Tasks\At42.job C:\WINDOWS\Tasks\At43.job C:\WINDOWS\Tasks\At44.job C:\WINDOWS\Tasks\At45.job C:\WINDOWS\Tasks\At46.job C:\WINDOWS\Tasks\At47.job C:\WINDOWS\Tasks\At48.job C:\WINDOWS\Tasks\At49.job C:\WINDOWS\Tasks\At5.job C:\WINDOWS\Tasks\At50.job C:\WINDOWS\Tasks\At51.job C:\WINDOWS\Tasks\At52.job C:\WINDOWS\Tasks\At53.job C:\WINDOWS\Tasks\At54.job C:\WINDOWS\Tasks\At55.job C:\WINDOWS\Tasks\At56.job C:\WINDOWS\Tasks\At57.job C:\WINDOWS\Tasks\At58.job C:\WINDOWS\Tasks\At59.job C:\WINDOWS\Tasks\At6.job C:\WINDOWS\Tasks\At60.job C:\WINDOWS\Tasks\At61.job C:\WINDOWS\Tasks\At62.job C:\WINDOWS\Tasks\At63.job C:\WINDOWS\Tasks\At64.job C:\WINDOWS\Tasks\At65.job C:\WINDOWS\Tasks\At66.job C:\WINDOWS\Tasks\At67.job C:\WINDOWS\Tasks\At68.job 
C:\WINDOWS\Tasks\At69.job C:\WINDOWS\Tasks\At7.job C:\WINDOWS\Tasks\At70.job C:\WINDOWS\Tasks\At71.job C:\WINDOWS\Tasks\At72.job C:\WINDOWS\Tasks\At73.job C:\WINDOWS\Tasks\At74.job C:\WINDOWS\Tasks\At75.job C:\WINDOWS\Tasks\At76.job C:\WINDOWS\Tasks\At77.job C:\WINDOWS\Tasks\At78.job C:\WINDOWS\Tasks\At79.job C:\WINDOWS\Tasks\At8.job C:\WINDOWS\Tasks\At80.job C:\WINDOWS\Tasks\At81.job C:\WINDOWS\Tasks\At82.job C:\WINDOWS\Tasks\At83.job C:\WINDOWS\Tasks\At84.job C:\WINDOWS\Tasks\At85.job C:\WINDOWS\Tasks\At86.job C:\WINDOWS\Tasks\At87.job C:\WINDOWS\Tasks\At88.job C:\WINDOWS\Tasks\At89.job C:\WINDOWS\Tasks\At9.job C:\WINDOWS\Tasks\At90.job C:\WINDOWS\Tasks\At91.job C:\WINDOWS\Tasks\At92.job C:\WINDOWS\Tasks\At93.job C:\WINDOWS\Tasks\At94.job C:\WINDOWS\Tasks\At95.job C:\WINDOWS\Tasks\At96.job C:\WINDOWS\ufdata2000.log E:\AUTORUN.INF F:\Autorun.inf . ((((((((((((((((((((((((( Files Created from 2008-07-10 to 2008-08-10 ))))))))))))))))))))))))))))))) . 2008-08-10 12:58 . 2008-08-10 13:05 <DIR> d-------- C:\fixwareout 2008-08-09 19:23 . 2008-08-09 19:23 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab 2008-08-09 19:23 . 2008-08-09 19:23 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab 2008-08-05 22:07 . 2008-08-05 22:33 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Spybot - Search & Destroy 2008-08-05 18:50 . 2008-08-05 18:50 <DIR> d-------- C:\Program Files\ReflexiveArcade 2008-08-01 15:20 . 2008-08-01 15:20 96 --a------ C:\WINDOWS\cool.ini 2008-08-01 15:19 . 1996-11-25 09:06 140,288 --a------ C:\WINDOWS\system32\ra3214_4.dll 2008-08-01 15:19 . 1996-11-25 09:06 90,624 --a------ C:\WINDOWS\system32\pnc32301.dll 2008-08-01 15:19 . 1996-11-25 09:06 85,504 --a------ C:\WINDOWS\system32\encdnet.dll 2008-08-01 15:19 . 1996-11-25 09:06 82,398 --a------ C:\WINDOWS\c96unins.exe 2008-08-01 15:19 . 1996-11-25 09:06 72,704 --a------ C:\WINDOWS\system32\ra3228_8.dll 2008-08-01 15:19 . 
1996-11-25 09:06 13,824 --a------ C:\WINDOWS\system32\ra32dnet.dll 2008-07-30 19:51 . 2008-07-30 19:51 <DIR> d-------- C:\Documents and Settings\liczkowscy\Dane aplikacji\DAEMON Tools 2008-07-24 20:54 . 2008-08-06 18:28 13,030 --a------ C:\PDOXUSRS.NET 2008-07-24 19:58 . 2008-07-24 19:58 <DIR> d-------- C:\Program Files\Common Files\grafa 2008-07-24 19:58 . 2008-07-24 19:58 <DIR> d-------- C:\Program Files\Common Files\Borland Shared 2008-07-24 19:55 . 2008-07-24 19:55 <DIR> d-------- C:\WINDOWS\Downloaded Installations 2008-07-23 20:15 . 2008-07-23 20:15 <DIR> dr------- C:\Documents and Settings\LocalService\Ulubione 2008-07-23 14:12 . 2008-08-10 10:10 <DIR> d-------- C:\Metin2_PL 2008-07-23 12:36 . 2008-07-23 12:36 1,720,086 --a------ C:\WINDOWS\system32\TmpA10893140 2008-07-21 22:07 . 2008-07-21 22:07 <DIR> d-------- C:\Program Files\SystemRequirementsLab 2008-07-21 22:07 . 2008-07-21 22:07 <DIR> d-------- C:\Documents and Settings\liczkowscy\SystemRequirementsLab 2008-07-20 20:59 . 2008-07-20 20:59 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy 2008-07-16 15:44 . 2008-07-16 15:44 0 --a------ C:\WINDOWS\system32\L18E0mq0.exe.a_a 2008-07-16 13:00 . 2008-07-16 13:00 <DIR> dr------- C:\Documents and Settings\NetworkService\Ulubione 2008-07-15 22:48 . 2008-07-15 22:48 0 --a------ C:\WINDOWS\system32\2lRS3447.exe.a_a . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 
2008-08-05 16:39 --------- d--h--w C:\Program Files\InstallShield Installation Information 2008-07-31 18:33 --------- d-----w C:\Documents and Settings\liczkowscy\Dane aplikacji\Hamachi 2008-07-31 10:08 25,280 ----a-w C:\WINDOWS\system32\drivers\hamachi.sys 2008-07-30 17:51 717,296 ----a-w C:\WINDOWS\system32\drivers\sptd.sys 2008-07-23 10:40 --------- d-----w C:\Program Files\Image-Line 2008-07-17 21:00 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\ATI MMC 2008-07-17 20:14 --------- d-----w C:\Program Files\NetPanel 2008-07-01 19:16 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Lavasoft 2008-07-01 19:15 --------- d-----w C:\Program Files\Lavasoft 2008-07-01 19:14 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard 2008-06-24 18:07 49,152 --sh--w C:\fun.xls.exe 2008-06-22 20:53 --------- d-----w C:\Program Files\CyberLink 2008-06-22 16:20 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\CyberLink 2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys 2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys 2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys 2008-06-14 18:01 273,024 ------w C:\WINDOWS\system32\drivers\bthport.sys 2008-06-14 12:05 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Apple Computer 2008-05-25 12:59 234,418 ----a-w C:\WINDOWS\EasyGifAnimator_Toolbar_Uninstaller_7109.exe 2008-02-28 22:35 0 ----a-w C:\Documents and Settings\liczkowscy\tree.dat 2007-11-17 12:44 19,552 ----a-w C:\Documents and Settings\liczkowscy\Dane aplikacji\GDIPFONTCACHEV1.DAT . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44 15360] "DAEMON Tools Lite"="E:\DAEMON Tools Lite\daemon.exe" [2008-07-24 17:02 490952] "SpybotSD TeaTimer"="E:\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784] "ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 16:41 45056] "ATIPTA"="atiptaxx.exe" [2006-02-22 02:05 344064 C:\WINDOWS\system32\atiptaxx.exe] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:44 15360] C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\ Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 15:44:06 29696] Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 11:01:04 83360] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "SynchronousMachineGroupPolicy"= 0 (0x0) "SynchronousUserGroupPolicy"= 0 (0x0) [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer] "NoStrCmpLogical"= 1 (0x1) "NoResolveSearch"= 1 (0x1) [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] "NoSMBalloonTip"= 0 (0x0) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "msacm.l3fhg"= mp3fhg.acm "VIDC.X264"= x264vfw.dll "VIDC.HFYU"= huffyuv.dll "vidc.i263"= i263_32.drv "VIDC.YV12"= yv12vfw.dll "msacm.divxa32"= divxa32.acm [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "E:\\Gadu-Gadu\\gg.exe"= "F:\\Program 
Files\\Soulseek\\slsk.exe"= "F:\\CS 1.6\\hl.exe"= "E:\\Liero\\LieroX.exe"= "C:\\Metin2_PL\\metin2.bin"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "1454:UDP"= 1454:UDP:Windows Media Format SDK (firefox.exe) "1455:UDP"= 1455:UDP:Windows Media Format SDK (firefox.exe) "22049:TCP"= 22049:TCP:BitComet 22049 TCP "22049:UDP"= 22049:UDP:BitComet 22049 UDP "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009 [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{268384ab-9128-11dc-b43c-00e04c041f0b}] \Shell\Auto\command - G:\fun.xls.exe \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL fun.xls.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{35428b1a-5e61-11dd-b636-001bbf597f60}] \Shell\Auto\command - G:\fun.xls.exe \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL fun.xls.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3f09ec8a-5728-11dd-b61f-001bbf597f60}] \Shell\Auto\command - G:\fun.xls.exe \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL fun.xls.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{74f77f1e-6520-11dd-b643-001bbf597f60}] \Shell\Auto\command - G:\fun.xls.exe \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL fun.xls.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8c51083e-2a82-11dd-b5b3-001bbf597f60}] \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL fun.xls.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e906c680-48ec-11dd-b601-001bbf597f60}] \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL fun.xls.exe . 
Contents of the 'Scheduled Tasks' folder 2008-07-22 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57] 2008-08-09 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job - E:\Spybot - Search & Destroy\SpybotSD.exe [2008-01-28 11:43] . - - - - ORPHANS REMOVED - - - - BHO-{99C6D1BB-7555-474C-91DA-D8FB62A9CC75} - (no file) HKCU-Run-AlcoholAutomount - C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe HKLM-Run-C:\WINDOWS\system32\kdhml.exe - C:\WINDOWS\system32\kdhml.exe HKLM-Run-IMJPMIG8.2 - msime82.exe ************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-08-10 13:23:51 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... C:\SYZ_DAT C:\WINDOWS\system32\drivers\MFX.sys 45824 bytes executable scan completed successfully hidden files: 2 ************************************************************************** [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run] "C:\\WINDOWS\\system32\\kdhml.exe"="C:\\WINDOWS\\system32\\kdhml.exe" . ------------------------ Other Running Processes ------------------------ . C:\WINDOWS\system32\ati2evxx.exe C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\WINDOWS\system32\ati2evxx.exe C:\WINDOWS\system32\wdfmgr.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\system32\verclsid.exe . ************************************************************************** . Completion time: 2008-08-10 13:29:53 - machine was rebooted ComboFix-quarantined-files.txt 2008-08-10 11:29:48 Pre-Run: 249,245,696 bajtów wolnych Post-Run: 505,552,896 bajt˘w wolnych 382 --- E O F --- 2008-07-12 11:05:47
I'll add that the computer has already noticeably sped up ^^ Thanks a lot ^^
#4
Posted 10 08 2008 - 14:17
I don't know what this file of such a huge size is. Perhaps some hiding program of yours created it?
2008-07-23 12:36 . 2008-07-23 12:36 1,720,086 --a------ C:\WINDOWS\system32\TmpA10893140
Check it at --> http://virusscan.jotti.org/
or at http://www.virustotal.com/en/indexf.html.
Paste into Notepad:
File::
C:\fun.xls.exe
C:\WINDOWS\system32\L18E0mq0.exe.a_a
C:\WINDOWS\system32\2lRS3447.exe.a_a
G:\fun.xls.exe
d:\fun.xls.exe
C:\\WINDOWS\\system32\\kdhml.exe
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{268384ab-9128-11dc-b43c-00e04c041f0b}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{35428b1a-5e61-11dd-b636-001bbf597f60}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3f09ec8a-5728-11dd-b61f-001bbf597f60}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{74f77f1e-6520-11dd-b643-001bbf597f60}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8c51083e-2a82-11dd-b5b3-001bbf597f60}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e906c680-48ec-11dd-b601-001bbf597f60}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"C:\WINDOWS\system32\kdhml.exe"=-
>>File>>Save as... >>> CFScript
Drag and drop the CFScript.txt file onto the ComboFix.exe file
similarly to this picture -->
The removal should start. (and a log will be created)
After the restart, manually delete the C:\Qoobox folder.
Post the log that is created during the removal.
ordynat
#5
Posted 11 08 2008 - 19:22
#6
Posted 11 08 2008 - 20:00
#7
Posted 11 08 2008 - 23:04
ComboFix 08-08-10.02 - liczkowscy 2008-08-11 12:10:55.2 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.283 [GMT 2:00] Running from: E:\Obrazki, instalki i inne\ComboFix.exe Command switches used :: E:\Obrazki, instalki i inne\CFScript.txt * Created a new restore point [color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED [img]http://www.forum.tweaks.pl/public/style_emoticons/default/excl.gif[/img][/b][/color] FILE :: C:\\WINDOWS\\system32\\kdhml.exe C:\fun.xls.exe C:\WINDOWS\system32\2lRS3447.exe.a_a C:\WINDOWS\system32\L18E0mq0.exe.a_a d:\fun.xls.exe G:\fun.xls.exe .
#8
Posted 12 08 2008 - 01:15
ordynat
#9
Posted 13 08 2008 - 11:24
ComboFix 08-08-12.01 - liczkowscy 2008-08-13 11:05:05.3 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.285 [GMT 2:00] Running from: E:\Obrazki, instalki i inne\ComboFix.exe Command switches used :: E:\Obrazki, instalki i inne\CFScript.txt * Created a new restore point [color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED [img]http://www.forum.tweaks.pl/public/style_emoticons/default/excl.gif[/img][/b][/color] FILE :: C:\\WINDOWS\\system32\\kdhml.exe C:\fun.xls.exe C:\WINDOWS\system32\2lRS3447.exe.a_a C:\WINDOWS\system32\L18E0mq0.exe.a_a d:\fun.xls.exe G:\fun.xls.exe . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\AUTORUN.INF C:\fun.xls.exe C:\WINDOWS\ufdata2000.log E:\AUTORUN.INF F:\Autorun.inf . ---- Previous Run ------- . C:\autorun.inf C:\fun.xls.exe C:\WINDOWS\system32\2lRS3447.exe.a_a C:\WINDOWS\system32\L18E0mq0.exe.a_a C:\WINDOWS\ufdata2000.log E:\AUTORUN.INF F:\Autorun.inf . ((((((((((((((((((((((((( Files Created from 2008-07-13 to 2008-08-13 ))))))))))))))))))))))))))))))) . 2008-08-13 11:11 . 2008-08-13 11:11 49,152 ---hs---- C:\fun.xls.exe 2008-08-13 11:11 . 2008-08-13 11:11 129 ---hs---- C:\AUTORUN.INF 2008-08-12 12:03 . 2008-08-12 12:03 54,156 --ah----- C:\WINDOWS\QTFont.qfn 2008-08-12 12:03 . 2008-08-12 12:03 1,409 --a------ C:\WINDOWS\QTFont.for 2008-08-11 11:15 . 2008-08-11 11:15 49,152 --a------ C:\WINDOWS\system32\msime82.exe 2008-08-11 11:15 . 2008-08-11 11:15 49,152 --a------ C:\WINDOWS\system32\msfun80.exe 2008-08-10 12:58 . 2008-08-10 13:05 <DIR> d-------- C:\fixwareout 2008-08-09 19:23 . 2008-08-09 19:23 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab 2008-08-09 19:23 . 2008-08-09 19:23 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab 2008-08-05 22:07 . 2008-08-05 22:33 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Spybot - Search & Destroy 2008-08-05 18:50 . 
2008-08-05 18:50 <DIR> d-------- C:\Program Files\ReflexiveArcade 2008-08-01 15:20 . 2008-08-01 15:20 96 --a------ C:\WINDOWS\cool.ini 2008-08-01 15:19 . 1996-11-25 09:06 140,288 --a------ C:\WINDOWS\system32\ra3214_4.dll 2008-08-01 15:19 . 1996-11-25 09:06 90,624 --a------ C:\WINDOWS\system32\pnc32301.dll 2008-08-01 15:19 . 1996-11-25 09:06 85,504 --a------ C:\WINDOWS\system32\encdnet.dll 2008-08-01 15:19 . 1996-11-25 09:06 82,398 --a------ C:\WINDOWS\c96unins.exe 2008-08-01 15:19 . 1996-11-25 09:06 72,704 --a------ C:\WINDOWS\system32\ra3228_8.dll 2008-08-01 15:19 . 1996-11-25 09:06 13,824 --a------ C:\WINDOWS\system32\ra32dnet.dll 2008-07-30 19:51 . 2008-07-30 19:51 <DIR> d-------- C:\Documents and Settings\liczkowscy\Dane aplikacji\DAEMON Tools 2008-07-24 20:54 . 2008-08-11 22:47 13,030 --a------ C:\PDOXUSRS.NET 2008-07-24 19:58 . 2008-07-24 19:58 <DIR> d-------- C:\Program Files\Common Files\grafa 2008-07-24 19:58 . 2008-07-24 19:58 <DIR> d-------- C:\Program Files\Common Files\Borland Shared 2008-07-24 19:55 . 2008-07-24 19:55 <DIR> d-------- C:\WINDOWS\Downloaded Installations 2008-07-23 20:15 . 2008-07-23 20:15 <DIR> dr------- C:\Documents and Settings\LocalService\Ulubione 2008-07-23 14:12 . 2008-08-12 14:26 <DIR> d-------- C:\Metin2_PL 2008-07-23 12:36 . 2008-07-23 12:36 1,720,086 --a------ C:\WINDOWS\system32\TmpA10893140 2008-07-21 22:07 . 2008-07-21 22:07 <DIR> d-------- C:\Program Files\SystemRequirementsLab 2008-07-21 22:07 . 2008-07-21 22:07 <DIR> d-------- C:\Documents and Settings\liczkowscy\SystemRequirementsLab 2008-07-20 20:59 . 2008-07-20 20:59 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy 2008-07-16 13:00 . 2008-07-16 13:00 <DIR> dr------- C:\Documents and Settings\NetworkService\Ulubione . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 
2008-08-05 16:39 --------- d--h--w C:\Program Files\InstallShield Installation Information 2008-07-31 18:33 --------- d-----w C:\Documents and Settings\liczkowscy\Dane aplikacji\Hamachi 2008-07-31 10:08 25,280 ----a-w C:\WINDOWS\system32\drivers\hamachi.sys 2008-07-30 17:51 717,296 ----a-w C:\WINDOWS\system32\drivers\sptd.sys 2008-07-23 10:40 --------- d-----w C:\Program Files\Image-Line 2008-07-17 21:00 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\ATI MMC 2008-07-17 20:14 --------- d-----w C:\Program Files\NetPanel 2008-07-01 19:16 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Lavasoft 2008-07-01 19:15 --------- d-----w C:\Program Files\Lavasoft 2008-07-01 19:14 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard 2008-06-22 20:53 --------- d-----w C:\Program Files\CyberLink 2008-06-22 16:20 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\CyberLink 2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys 2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys 2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys 2008-06-14 18:01 273,024 ------w C:\WINDOWS\system32\drivers\bthport.sys 2008-06-14 12:05 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Apple Computer 2008-05-25 12:59 234,418 ----a-w C:\WINDOWS\EasyGifAnimator_Toolbar_Uninstaller_7109.exe 2008-02-28 22:35 0 ----a-w C:\Documents and Settings\liczkowscy\tree.dat 2007-11-17 12:44 19,552 ----a-w C:\Documents and Settings\liczkowscy\Dane aplikacji\GDIPFONTCACHEV1.DAT . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44 15360] "DAEMON Tools Lite"="E:\DAEMON Tools Lite\daemon.exe" [2008-07-24 17:02 490952] "SpybotSD TeaTimer"="E:\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488] "AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" [BU] "MsServer"="msfun80.exe" [2008-08-11 11:15 49152 C:\WINDOWS\system32\msfun80.exe] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784] "ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 16:41 45056] "ATIPTA"="atiptaxx.exe" [2006-02-22 02:05 344064 C:\WINDOWS\system32\atiptaxx.exe] "IMJPMIG8.2"="msime82.exe" [2008-08-11 11:15 49152 C:\WINDOWS\system32\msime82.exe] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:44 15360] C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\ Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 15:44:06 29696] Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 11:01:04 83360] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "SynchronousMachineGroupPolicy"= 0 (0x0) "SynchronousUserGroupPolicy"= 0 (0x0) [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer] "NoStrCmpLogical"= 1 (0x1) "NoResolveSearch"= 1 (0x1) [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] "NoSMBalloonTip"= 0 (0x0) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "msacm.l3fhg"= mp3fhg.acm "VIDC.X264"= x264vfw.dll "VIDC.HFYU"= 
huffyuv.dll "vidc.i263"= i263_32.drv "VIDC.YV12"= yv12vfw.dll "msacm.divxa32"= divxa32.acm [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "E:\\Gadu-Gadu\\gg.exe"= "F:\\Program Files\\Soulseek\\slsk.exe"= "F:\\CS 1.6\\hl.exe"= "C:\\Metin2_PL\\metin2.bin"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "1454:UDP"= 1454:UDP:Windows Media Format SDK (firefox.exe) "1455:UDP"= 1455:UDP:Windows Media Format SDK (firefox.exe) "22049:TCP"= 22049:TCP:BitComet 22049 TCP "22049:UDP"= 22049:UDP:BitComet 22049 UDP "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009 . Contents of the 'Scheduled Tasks' folder 2008-07-22 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57] 2008-08-09 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job - E:\Spybot - Search & Destroy\SpybotSD.exe [2008-01-28 11:43] . - - - - ORPHANS REMOVED - - - - BHO-{99C6D1BB-7555-474C-91DA-D8FB62A9CC75} - (no file) HKLM-Run-C:\WINDOWS\system32\kdhml.exe - C:\WINDOWS\system32\kdhml.exe ************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-08-13 11:11:47 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... HKCU\Software\Microsoft\Windows\CurrentVersion\Run MsServer = msfun80.exe???. scanning hidden files ... C:\SYZ_DAT C:\WINDOWS\system32\drivers\MFX.sys 45824 bytes executable scan completed successfully hidden files: 2 ************************************************************************** [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run] "C:\\WINDOWS\\system32\\kdhml.exe"="C:\\WINDOWS\\system32\\kdhml.exe" . ------------------------ Other Running Processes ------------------------ . 
C:\WINDOWS\system32\ati2evxx.exe C:\WINDOWS\system32\ati2evxx.exe C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\WINDOWS\system32\wdfmgr.exe C:\WINDOWS\system32\algsrvs.exe C:\WINDOWS\system32\wscntfy.exe . ************************************************************************** . Completion time: 2008-08-13 11:17:45 - machine was rebooted [liczkowscy] ComboFix-quarantined-files.txt 2008-08-13 09:17:40 ComboFix2.txt 2008-08-10 11:29:54 Pre-Run: 589,070,336 bajtów wolnych Post-Run: 637,968,384 bajt˘w wolnych 181 --- E O F --- 2008-07-12 11:05:47
Once again, ordynat, thanks for all the help. I don't know what I would do without you
#10
Posted 13 08 2008 - 12:00
>START>Control Panel>System>System Restore>>tick the box next to "Turn off System Restore on all drives">Apply>OK.
Afterwards you can return to the previous setting (that is, untick the box), but only after the removal!
Paste into Notepad:
File::
C:\fun.xls.exe
e:\fun.xls.exe
f:\fun.xls.exe
C:\AUTORUN.INF
C:\WINDOWS\system32\msime82.exe
C:\WINDOWS\system32\msfun80.exe
C:\\WINDOWS\\system32\\kdhml.exe
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsServer"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.2"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"C:\\WINDOWS\\system32\\kdhml.exe"=-
>>File>>Save as... >>> CFScript
Drag and drop the CFScript.txt file onto the ComboFix.exe file
The removal should start. (and a log will be created).
Post the log that is created during the removal.
After the restart, manually delete the C:\Qoobox folder.
ordynat
#11
Posted 13 08 2008 - 21:16
ComboFix 08-08-12.01 - liczkowscy 2008-08-13 21:09:23.4 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.315 [GMT 2:00] Running from: E:\Obrazki, instalki i inne\ComboFix.exe Command switches used :: E:\Obrazki, instalki i inne\CFScript.txt * Created a new restore point [color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED [img]http://www.forum.tweaks.pl/public/style_emoticons/default/excl.gif[/img][/b][/color] FILE :: C:\\WINDOWS\\system32\\kdhml.exe C:\AUTORUN.INF C:\fun.xls.exe C:\WINDOWS\system32\msfun80.exe C:\WINDOWS\system32\msime82.exe e:\fun.xls.exe f:\fun.xls.exe . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\AUTORUN.INF C:\fun.xls.exe C:\WINDOWS\system32\msfun80.exe C:\WINDOWS\system32\msime82.exe C:\WINDOWS\ufdata2000.log E:\Autorun.inf e:\fun.xls.exe F:\Autorun.inf f:\fun.xls.exe . ((((((((((((((((((((((((( Files Created from 2008-07-13 to 2008-08-13 ))))))))))))))))))))))))))))))) . 2008-08-12 12:03 . 2008-08-12 12:03 54,156 --ah----- C:\WINDOWS\QTFont.qfn 2008-08-12 12:03 . 2008-08-12 12:03 1,409 --a------ C:\WINDOWS\QTFont.for 2008-08-10 12:58 . 2008-08-10 13:05 <DIR> d-------- C:\fixwareout 2008-08-09 19:23 . 2008-08-09 19:23 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab 2008-08-09 19:23 . 2008-08-09 19:23 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab 2008-08-05 22:07 . 2008-08-05 22:33 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Spybot - Search & Destroy 2008-08-05 18:50 . 2008-08-05 18:50 <DIR> d-------- C:\Program Files\ReflexiveArcade 2008-08-01 15:20 . 2008-08-01 15:20 96 --a------ C:\WINDOWS\cool.ini 2008-08-01 15:19 . 1996-11-25 09:06 140,288 --a------ C:\WINDOWS\system32\ra3214_4.dll 2008-08-01 15:19 . 1996-11-25 09:06 90,624 --a------ C:\WINDOWS\system32\pnc32301.dll 2008-08-01 15:19 . 
1996-11-25 09:06 85,504 --a------ C:\WINDOWS\system32\encdnet.dll
2008-08-01 15:19 . 1996-11-25 09:06 82,398 --a------ C:\WINDOWS\c96unins.exe
2008-08-01 15:19 . 1996-11-25 09:06 72,704 --a------ C:\WINDOWS\system32\ra3228_8.dll
2008-08-01 15:19 . 1996-11-25 09:06 13,824 --a------ C:\WINDOWS\system32\ra32dnet.dll
2008-07-30 19:51 . 2008-07-30 19:51 <DIR> d-------- C:\Documents and Settings\liczkowscy\Dane aplikacji\DAEMON Tools
2008-07-24 20:54 . 2008-08-11 22:47 13,030 --a------ C:\PDOXUSRS.NET
2008-07-24 19:58 . 2008-07-24 19:58 <DIR> d-------- C:\Program Files\Common Files\grafa
2008-07-24 19:58 . 2008-07-24 19:58 <DIR> d-------- C:\Program Files\Common Files\Borland Shared
2008-07-24 19:55 . 2008-07-24 19:55 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-07-23 20:15 . 2008-07-23 20:15 <DIR> dr------- C:\Documents and Settings\LocalService\Ulubione
2008-07-23 14:12 . 2008-08-13 15:45 <DIR> d-------- C:\Metin2_PL
2008-07-23 12:36 . 2008-07-23 12:36 1,720,086 --a------ C:\WINDOWS\system32\TmpA10893140
2008-07-21 22:07 . 2008-07-21 22:07 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2008-07-21 22:07 . 2008-07-21 22:07 <DIR> d-------- C:\Documents and Settings\liczkowscy\SystemRequirementsLab
2008-07-20 20:59 . 2008-07-20 20:59 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-07-16 13:00 . 2008-07-16 13:00 <DIR> dr------- C:\Documents and Settings\NetworkService\Ulubione
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-05 16:39 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-31 18:33 --------- d-----w C:\Documents and Settings\liczkowscy\Dane aplikacji\Hamachi
2008-07-31 10:08 25,280 ----a-w C:\WINDOWS\system32\drivers\hamachi.sys
2008-07-30 17:51 717,296 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-07-23 10:40 --------- d-----w C:\Program Files\Image-Line
2008-07-17 21:00 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\ATI MMC
2008-07-17 20:14 --------- d-----w C:\Program Files\NetPanel
2008-07-01 19:16 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Lavasoft
2008-07-01 19:15 --------- d-----w C:\Program Files\Lavasoft
2008-07-01 19:14 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-24 18:07 49,152 ----a-w C:\WINDOWS\system32\algsrvs.exe
2008-06-22 20:53 --------- d-----w C:\Program Files\CyberLink
2008-06-22 16:20 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\CyberLink
2008-06-20 17:42 246,784 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-14 18:01 273,024 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-14 12:05 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Apple Computer
2008-05-27 14:13 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-05-25 12:59 234,418 ----a-w C:\WINDOWS\EasyGifAnimator_Toolbar_Uninstaller_7109.exe
2008-02-28 22:35 0 ----a-w C:\Documents and Settings\liczkowscy\tree.dat
2007-11-17 12:44 19,552 ----a-w C:\Documents and Settings\liczkowscy\Dane aplikacji\GDIPFONTCACHEV1.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44 15360]
"DAEMON Tools Lite"="E:\DAEMON Tools Lite\daemon.exe" [2008-07-24 17:02 490952]
"SpybotSD TeaTimer"="E:\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 16:41 45056]
"ATIPTA"="atiptaxx.exe" [2006-02-22 02:05 344064 C:\WINDOWS\system32\atiptaxx.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:44 15360]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 15:44:06 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 11:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoStrCmpLogical"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMBalloonTip"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3fhg"= mp3fhg.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
"VIDC.YV12"= yv12vfw.dll
"msacm.divxa32"= divxa32.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"E:\\Gadu-Gadu\\gg.exe"=
"F:\\Program Files\\Soulseek\\slsk.exe"=
"F:\\CS 1.6\\hl.exe"=
"C:\\Metin2_PL\\metin2.bin"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1454:UDP"= 1454:UDP:Windows Media Format SDK (firefox.exe)
"1455:UDP"= 1455:UDP:Windows Media Format SDK (firefox.exe)
"22049:TCP"= 22049:TCP:BitComet 22049 TCP
"22049:UDP"= 22049:UDP:BitComet 22049 UDP
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

.
Contents of the 'Scheduled Tasks' folder
2008-07-22 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
2008-08-09 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- E:\Spybot - Search & Destroy\SpybotSD.exe [2008-01-28 11:43]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-AlcoholAutomount - C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-13 21:11:55
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\SYZ_DAT
C:\WINDOWS\system32\drivers\MFX.sys 45824 bytes executable

scan completed successfully
hidden files: 2

**************************************************************************
.
Completion time: 2008-08-13 21:14:16
ComboFix-quarantined-files.txt 2008-08-13 19:13:36
ComboFix2.txt 2008-08-13 09:17:46

Pre-Run: 561,057,792 bajtów wolnych
Post-Run: 556,376,064 bajtów wolnych

154 --- E O F --- 2008-07-12 11:05:47
#12
Posted 14 08 2008 - 07:21
You did not write anything about the results of checking this file: C:\WINDOWS\system32\TmpA10893140
Paste into Notepad:

File::
C:\WINDOWS\system32\algsrvs.exe

>> File >> Save as... >>> CFScript
Drag and drop the CFScript.txt file onto the ComboFix.exe file.
Removal should start (and a log will be created).
Post the log that is created during the removal.
After the restart, manually delete the C:\Qoobox folder.
ordynat