[virus] leftovers after a virus


Topic closed. 14 replies in this topic

#1 mikiel (Beginner, 51 posts)

Posted 25 05 2008 - 13:52

I caught a virus that blocked my Task Manager and regedit, removed all the shortcuts from my desktop and killed my log-off buttons, but I managed to deal with that... phew.
But this one I can't handle:
how do I get rid of this text?

virus alert [attached screenshots]

and here's the log, just in case:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:09: VIRUS ALERT!, on 2008-05-25
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - Startup: Skrót do ccApp.lnk = C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Compare Prices with &Dealio - C:\Documents and Settings\Tomek\Dane aplikacji\Dealio\kb124\res\DealioSearch.html
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O21 - SSODL: vregfwlx - {2E2FD5BA-3AE4-45EB-B52B-FADA0B9441C2} - C:\WINDOWS\vregfwlx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Urządzenie mobilne Apple (Apple Mobile Device) - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Usługa iPod (iPod Service) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton\Norton Utilities\NPROTECT.EXE
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 4155 bytes


#2 ordynat (Advanced user, 804 posts)

Posted 25 05 2008 - 15:39

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

>>HijackThis>>Scan (Do a system scan only)>>tick it>>Fix checked.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2
O21 - SSODL: vregfwlx - {2E2FD5BA-3AE4-45EB-B52B-FADA0B9441C2} - C:\WINDOWS\vregfwlx.dll


Download >ComboFix, but do not run it.
Paste into Notepad:
File::
C:\WINDOWS\vregfwlx.dll

Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="about:blank"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"vregfwlx"=-
>>File>>Save as... >>> CFScript
Drag and drop the CFScript.txt file onto ComboFix.exe
--> [attached image]
Removal should start (and a log will be created). Post the log that is created during removal.
If it goes well: after the restart, delete the C:\Qoobox folder manually.

ordynat

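What ordynat does in the reply above is read the HijackThis log, pick out the entries that do not belong (the O6 IE policy restrictions, the hijacked R0 start page, the O21 SSODL entry pointing at a DLL sitting directly in C:\WINDOWS) and turn two of them into a ComboFix script. The following is an added example, not ordynat's tool or anything from the page: it parses HijackThis lines, applies the same three checks and renders the File:: / Registry:: sections of a CFScript. The trusted start-page hosts and the rule "a legitimate ShellServiceObjectDelayLoad DLL lives in System32, not in the Windows root" are my own assumptions; the sample lines are copied from the log posted in #1.

```python
import ntpath
import re
from urllib.parse import urlsplit

# Constructed sample: the lines ordynat singled out, plus two benign ones, copied
# from the HijackThis log posted above. The "..." in the URL is as the forum printed it.
SAMPLE_HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O21 - SSODL: vregfwlx - {2E2FD5BA-3AE4-45EB-B52B-FADA0B9441C2} - C:\WINDOWS\vregfwlx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
"""

# Assumption: start-page hosts a home user in this thread would plausibly have set on purpose.
TRUSTED_START_HOSTS = {"www.google.com", "www.onet.pl", "www.wp.pl"}

IE_MAIN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"
SSODL_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"

HJT_LINE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
START_PAGE = re.compile(r"^HKCU\\.*\\Main,Start Page = (?P<url>\S+)$")
SSODL_BODY = re.compile(r"^SSODL: (?P<name>\S+) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")


def parse_hjt(text):
    """Keep only the Rn/Fn/On entries of a HijackThis log; headers and the process list are dropped."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def triage(entries):
    """Sort flagged entries into what HijackThis fixes itself and what goes into a CFScript."""
    hjt_fix, files, registry = [], [], []
    for code, body in entries:
        if code == "O6" and "Restrictions present" in body:
            # IE policy restrictions (hidden Tools > Internet Options etc.); HijackThis
            # "Fix checked" deletes the Restrictions key, so no CFScript line is needed.
            hjt_fix.append(f"{code} - {body}")
        elif code == "R0":
            m = START_PAGE.match(body)
            if m and urlsplit(m.group("url")).hostname not in TRUSTED_START_HOSTS:
                registry.append(f"[{IE_MAIN_KEY}]\n\"Start Page\"=\"about:blank\"")
        elif code == "O21":
            m = SSODL_BODY.match(body)
            # Assumption: genuine ShellServiceObjectDelayLoad DLLs live in System32. One sitting
            # directly in %WINDIR%, named like its registry value, is the pattern ordynat reacted to.
            if m and ntpath.dirname(m.group("path")).lower() == r"c:\windows":
                files.append(m.group("path"))
                registry.append(f"[{SSODL_KEY}]\n\"{m.group('name')}\"=-")
    return {"hjt_fix": hjt_fix, "files": files, "registry": registry}


def build_cfscript(result):
    """Render File:: and Registry:: sections in the layout ComboFix reads from CFScript.txt."""
    out = []
    if result["files"]:
        out += ["File::", *result["files"], ""]
    if result["registry"]:
        out += ["Registry::", *result["registry"]]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    result = triage(parse_hjt(SAMPLE_HJT_LOG))
    print("Fix checked in HijackThis:", *result["hjt_fix"], sep="\n  ")
    print("\nCFScript.txt:\n" + build_cfscript(result))
```

Run on the sample, the script it prints is line for line the one ordynat posted. The O23 services are left alone on purpose: every one in this log has a known vendor and an existing file, and the check that matters for those (publisher plus path) is not something a log line can prove.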

#3 mikiel (Beginner, 51 posts)

Posted 25 05 2008 - 15:49

I did as you told me:

"Drag and drop the CFScript.txt file onto ComboFix.exe"

There was no report at all, only this window popped up:

[attached screenshots]

#4 ordynat (Advanced user, 804 posts)

Posted 25 05 2008 - 15:57

In that case use the script again, but first look at what to click during the removal:
>http://forum.idg.pl/index.php?showtopic=118804
There is a more up-to-date description there.

ordynat

#5 mikiel (Beginner, 51 posts)

Posted 25 05 2008 - 16:20

ComboFix 08-05-24.1 - Tomek 2008-05-25 16:16:41.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.571 [GMT 2:00]
Running from: C:\Documents and Settings\Tomek\Pulpit\ComboFix.exe
Command switches used :: C:\Documents and Settings\Tomek\Pulpit\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED

FILE ::
C:\WINDOWS\vregfwlx.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\Tomek\USTAWI~1\Temp\E_4
C:\DOCUME~1\Tomek\USTAWI~1\Temp\E_4\HtmlView.fne
C:\DOCUME~1\Tomek\USTAWI~1\Temp\E_4\iext.fnr
C:\DOCUME~1\Tomek\USTAWI~1\Temp\E_4\krnln.fnr
C:\Documents and Settings\Jola\Ulubione\Error Cleaner.url
C:\Documents and Settings\Jola\Ulubione\Privacy Protector.url
C:\Documents and Settings\Jola\Ulubione\Spyware&Malware Protection.url
C:\Documents and Settings\Tomek\Dane aplikacji\inst.exe
C:\Documents and Settings\Tomek\Ulubione\Error Cleaner.url
C:\Documents and Settings\Tomek\Ulubione\Privacy Protector.url
C:\Documents and Settings\Tomek\Ulubione\Spyware&Malware Protection.url
C:\WINDOWS\system32\awtRjggf.dll
C:\WINDOWS\system32\fggjRtwa.ini
C:\WINDOWS\system32\fggjRtwa.ini2
C:\WINDOWS\system32\gocdroye.ini
C:\WINDOWS\system32\WLCtrl32.dl_
C:\WINDOWS\system32\WLCtrl32.dll
C:\WINDOWS\system32\ycxwblyt.ini
C:\WINDOWS\system32\yejdvoxv.ini
C:\WINDOWS\vregfwlx.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NAVAPSVC
-------\Service_navapsvc


((((((((((((((((((((((((( Files Created from 2008-04-25 to 2008-05-25 )))))))))))))))))))))))))))))))
.

2008-05-25 16:25 . 2008-05-25 16:25 14,336 --a------ C:\WINDOWS\system32\WinCtrl32.dl_
2008-05-25 16:05 . 2008-05-25 16:05 90,624 --a------ C:\WINDOWS\system32\eyordcog.dll
2008-05-25 15:04 . 2008-05-25 15:04 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-25 15:04 . 2008-05-25 15:40 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Spybot - Search & Destroy
2008-05-25 12:54 . 2008-05-25 16:24 27,008 --a------ C:\WINDOWS\system32\drivers\Taf37.sys
2008-05-25 12:53 . 2008-05-25 16:25 29,056 --a------ C:\WINDOWS\system32\drivers\msX16.sys
2008-05-25 12:39 . 2008-05-25 16:07 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Lavasoft
2008-05-25 11:25 . 2008-05-25 14:10 <DIR> d-------- C:\Program Files\SkanerOnline
2008-05-25 11:11 . 2008-05-25 11:11 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-25 10:32 . 2008-05-25 10:34 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-05-25 10:17 . 2008-05-25 13:05 <DIR> d-------- C:\Documents and Settings\Jola\Dane aplikacji\TmpRecentIcons
2008-05-25 10:02 . 2008-05-25 10:02 91,136 --a------ C:\WINDOWS\system32\tylbwxcy.dll
2008-05-25 09:48 . 2008-05-25 09:48 <DIR> d-------- C:\Documents and Settings\Tomek\Dane aplikacji\TmpRecentIcons
2008-05-25 08:37 . 2008-05-25 16:22 <DIR> d--h----- C:\Documents and Settings\Administrator\Ustawienia lokalne
2008-05-25 08:37 . 2006-12-26 17:32 <DIR> d-------- C:\Documents and Settings\Administrator\Ulubione
2008-05-25 08:37 . 2006-12-26 17:45 <DIR> d--h----- C:\Documents and Settings\Administrator\Szablony
2008-05-25 08:37 . 2007-01-03 01:37 <DIR> d-------- C:\Documents and Settings\Administrator\Pulpit
2008-05-25 08:37 . 2006-12-26 17:32 <DIR> d-------- C:\Documents and Settings\Administrator\Moje dokumenty
2008-05-25 08:37 . 2006-12-26 17:32 <DIR> dr------- C:\Documents and Settings\Administrator\Menu Start
2008-05-25 08:37 . 2006-12-26 17:32 <DIR> dr-h----- C:\Documents and Settings\Administrator\Dane aplikacji
2008-05-25 08:37 . 2008-05-25 08:37 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-25 08:28 . 2008-05-25 08:28 91,136 --a------ C:\WINDOWS\system32\vxovdjey.dll
2008-05-25 08:23 . 2008-05-25 08:24 <DIR> d-------- C:\Program Files\Common Files\ACD Systems
2008-05-25 08:23 . 2008-05-25 08:23 <DIR> d-------- C:\Program Files\ACD Systems
2008-05-25 08:23 . 2008-05-25 08:23 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\ACD Systems
2008-05-25 08:22 . 2008-05-24 17:19 368,640 --a------ C:\WINDOWS\vltdfabw.dll
2008-05-25 08:22 . 2008-05-24 17:19 266,240 --a------ C:\WINDOWS\boqnrwdmstg.dll
2008-05-25 08:22 . 2008-05-24 17:20 188,416 --a------ C:\WINDOWS\atfxqogp.dll
2008-05-25 08:22 . 2008-05-24 17:19 159,744 --a------ C:\WINDOWS\edwf.exe
2008-05-25 08:22 . 2008-05-24 17:20 94,208 --a------ C:\WINDOWS\xmpstean.exe
2008-05-25 08:22 . 2008-05-25 08:22 29,824 --a------ C:\WINDOWS\system32\rqRJDtro.dll
2008-05-25 08:22 . 2008-05-25 16:24 14,336 --a------ C:\WINDOWS\system32\WinCtrl32.dll
2008-05-21 14:24 . 2008-05-21 14:28 <DIR> d-------- C:\Program Files\ATI
2008-05-21 14:02 . 2008-05-21 14:02 <DIR> d-------- C:\Program Files\NEC DISPLAY SOLUTIONS
2008-05-21 13:59 . 2008-05-21 13:59 <DIR> d-------- C:\Documents and Settings\Tomek\Dane aplikacji\ATI
2008-05-21 13:59 . 2008-05-21 13:59 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\ATI
2008-05-21 13:58 . 2008-05-21 13:58 0 --a------ C:\WINDOWS\ativpsrm.bin
2008-05-21 13:48 . 2008-05-21 13:53 <DIR> d-------- C:\Program Files\Common Files\ATI Technologies
2008-05-21 13:47 . 2008-03-28 21:05 593,920 --------- C:\WINDOWS\system32\ati2sgag.exe
2008-05-21 13:46 . 2008-05-21 13:53 <DIR> d-------- C:\Program Files\ATI Technologies
2008-05-21 13:46 . 2007-12-21 04:35 3,107,788 -ra------ C:\WINDOWS\system32\ativvaxx.dat
2008-05-21 13:46 . 2007-12-21 04:35 3,107,788 -ra------ C:\WINDOWS\system32\ativva5x.dat
2008-05-21 13:46 . 2007-12-21 04:35 887,724 -ra------ C:\WINDOWS\system32\ativva6x.dat
2008-05-21 13:46 . 2008-03-29 06:05 372,736 --a------ C:\WINDOWS\system32\ATIDEMGX.dll
2008-05-21 13:46 . 2008-03-29 05:39 307,200 --a------ C:\WINDOWS\system32\atiiiexx.dll
2008-05-21 13:46 . 2008-03-06 16:40 168,883 --a------ C:\WINDOWS\system32\atiicdxx.dat
2008-05-21 13:46 . 2008-01-21 15:48 12,477 --a------ C:\WINDOWS\atiogl.xml
2008-05-21 13:46 . 2007-08-31 16:20 7,167 -ra------ C:\WINDOWS\system32\atifglpf.xml
2008-05-13 18:43 . 2008-05-13 18:44 <DIR> d-------- C:\Program Files\Pet Soccer
2008-05-11 13:58 . 2008-05-11 13:58 <DIR> d-------- C:\Documents and Settings\Tomek\Dane aplikacji\teamspeak2
2008-05-09 12:14 . 2008-05-09 12:14 <DIR> d-------- C:\Program Files\Sports Interactive
2008-05-09 12:10 . 2008-05-09 12:18 <DIR> d-------- C:\Documents and Settings\Karol\Dane aplikacji\Sports Interactive

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-25 14:26 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-25 14:07 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-25 11:42 --------- d-----w C:\Program Files\Norton
2008-05-25 11:22 --------- d-----w C:\Documents and Settings\Tomek\Dane aplikacji\Lavasoft
2008-05-25 06:12 --------- d-----w C:\Program Files\Blaze Media Pro
2008-05-21 12:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-16 20:36 --------- d-----w C:\Program Files\mIRC
2008-05-10 06:12 --------- d-----w C:\Program Files\BearShare
2008-04-30 21:32 --------- d-----w C:\Documents and Settings\Karol\Dane aplikacji\teamspeak2
2008-04-22 13:39 98,304 ----a-w C:\WINDOWS\DUMP4a95.tmp
2008-04-21 14:56 --------- d-----w C:\Program Files\AV Vcs 6.0 GOLD
2008-04-17 07:00 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Microsoft Help
2008-04-11 18:27 --------- d-----w C:\Documents and Settings\Jola\Dane aplikacji\ArcSoft
2008-03-29 06:21 2,873,856 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
2008-03-29 05:19 9,801,728 ----a-w C:\WINDOWS\system32\atioglx2.dll
2008-03-29 04:40 167,936 ----a-w C:\WINDOWS\system32\atiok3x2.dll
2008-03-29 04:04 299,008 ----a-w C:\WINDOWS\system32\ati2dvag.dll
2008-03-29 03:56 172,032 ----a-w C:\WINDOWS\system32\atipdlxx.dll
2008-03-29 03:56 126,976 ----a-w C:\WINDOWS\system32\Oemdspif.dll
2008-03-29 03:55 43,520 ----a-w C:\WINDOWS\system32\ati2edxx.dll
2008-03-29 03:55 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe
2008-03-29 03:55 126,976 ----a-w C:\WINDOWS\system32\ati2evxx.dll
2008-03-29 03:54 536,576 ----a-w C:\WINDOWS\system32\ati2evxx.exe
2008-03-29 03:52 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL
2008-03-29 03:43 3,176,480 ----a-w C:\WINDOWS\system32\ati3duag.dll
2008-03-29 03:36 1,765,120 ----a-w C:\WINDOWS\system32\ativvaxx.dll
2008-03-29 03:24 46,080 ----a-w C:\WINDOWS\system32\amdpcom32.dll
2008-03-29 03:23 5,439,488 ----a-w C:\WINDOWS\system32\atioglxx.dll
2008-03-29 03:21 393,216 ----a-w C:\WINDOWS\system32\atikvmag.dll
2008-03-29 03:19 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll
2008-03-29 03:18 49,152 ----a-w C:\WINDOWS\system32\drivers\ati2erec.dll
2008-03-29 03:12 520,192 ----a-w C:\WINDOWS\system32\ati2cqag.dll
2008-03-28 16:35 --------- d-----w C:\Documents and Settings\Karol\Dane aplikacji\ArcSoft
2008-03-28 16:34 --------- d-----w C:\Program Files\Common Files\ArcSoft
2008-03-28 16:34 --------- d-----w C:\Program Files\ArcSoft
2008-03-26 23:57 --------- d-----w C:\Program Files\WinSCP
2008-02-13 23:44 47,360 ----a-w C:\Documents and Settings\Tomek\Dane aplikacji\pcouffin.sys
2008-01-05 16:55 52,440 ----a-w C:\Documents and Settings\Karol\Dane aplikacji\GDIPFONTCACHEV1.DAT
2007-11-07 06:42 49,176 ----a-w C:\Documents and Settings\Tomek\Dane aplikacji\GDIPFONTCACHEV1.DAT
2007-03-17 07:55 397,312 ----a-w C:\Documents and Settings\Tomek\jogl.dll
2001-11-23 04:08 712,704 ----a-w C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
2007-12-29 08:37 32 --sha-w C:\WINDOWS\{20B102E0-E565-42D0-895C-84EE9430DC4D}.dat
2007-12-29 08:36 32 --sha-w C:\WINDOWS\{26440D04-D04D-48BB-A471-CC8AF3386392}.dat
2007-12-29 08:36 32 --sha-w C:\WINDOWS\{311DCC95-A844-49CF-B918-4BC02D9EF2E3}.dat
2007-12-29 08:36 32 --sha-w C:\WINDOWS\{5C67A0B8-6C00-473D-99F0-31E687E1CFAD}.dat
2007-12-29 08:36 32 --sha-w C:\WINDOWS\{7F5434EA-AEE2-4D9E-A184-997666982582}.dat
2007-12-29 08:38 32 --sha-w C:\WINDOWS\{8E3FB993-ED7B-49FF-A5A7-77EBE0569885}.dat
2007-12-29 08:37 32 --sha-w C:\WINDOWS\{D70A6BA9-F075-43B5-A6B4-7C16DCD3F736}.dat
2007-12-29 08:36 32 --sha-w C:\WINDOWS\system32\{1951497B-2534-4325-87E1-EE14DDB07E1F}.dat
2007-12-29 08:37 32 --sha-w C:\WINDOWS\system32\{87DBE9CB-9866-46F9-BA5C-71268F55D7F7}.dat
2007-12-29 08:38 32 --sha-w C:\WINDOWS\system32\{AE9C1732-8149-4B01-989B-AFEA7AE78B48}.dat
2007-12-29 08:36 32 --sha-w C:\WINDOWS\system32\{CABB3FEE-57AC-416C-9F5E-4D040C4B57F3}.dat
2007-12-29 08:36 32 --sha-w C:\WINDOWS\system32\{E02D4FDD-4A10-42C8-85C9-C15C51B59CA1}.dat
2007-12-29 08:36 32 --sha-w C:\WINDOWS\system32\{E28D228B-E848-49AA-9958-D730406FAD42}.dat
2007-12-29 08:37 32 --sha-w C:\WINDOWS\system32\{FB8742DE-BEFA-4E82-9590-22B40B07A27D}.dat
.

------- Sigcheck -------

2002-09-29 00:00 332928 244a2f9816bc9b593957281ef577d976 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2004-08-04 00:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\ServicePackFiles\i386\tcpip.sys
2004-08-04 00:14 359040 28f288e08a098df3c0eb6aa813bb41fd C:\WINDOWS\system32\drivers\tcpip.sys

2002-09-29 00:00 13312 0c4c012b0a8960f48a666c240a7baa3d C:\WINDOWS\$NtServicePackUninstall$\ctfmon.exe
2004-08-04 01:44 15360 cbfa30492d70ce3938d8a7783d0c0436 C:\WINDOWS\ServicePackFiles\i386\ctfmon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4A3F62A9-AFEB-4543-AE4D-DC2442444E64}]
2008-05-25 08:22 29824 --a------ C:\WINDOWS\system32\rqRJDtro.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B33B96B9-E0C2-4648-9819-A38DDCAFA33C}]
2008-05-24 17:19 266240 --a------ C:\WINDOWS\boqnrwdmstg.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-04-19 17:43 2101248]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"eca2046e"="C:\WINDOWS\system32\eyordcog.dll" [2008-05-25 16:05 90624]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{4A3F62A9-AFEB-4543-AE4D-DC2442444E64}"= C:\WINDOWS\system32\rqRJDtro.dll [2008-05-25 08:22 29824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqRJDtro]
rqRJDtro.dll 2008-05-25 08:22 29824 C:\WINDOWS\system32\rqRJDtro.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WinCtrl32]
WinCtrl32.dll 2008-05-25 16:24 14336 C:\WINDOWS\system32\WinCtrl32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
"vidc.i420"= i420vfw.dll
"vidc.yv12"= yv12vfw.dll
"msacm.l3fhg"= mp3fhg.acm
"msacm.imc"= imc32.acm
"VIDC.ACDV"= ACDV.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\geBtTLee

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\diO73.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\msX16.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ouA61.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Pvb38.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sxE61.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Taf37.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\taF62.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Norton System Doctor.LNK]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Norton System Doctor.LNK
backup=C:\WINDOWS\pss\Norton System Doctor.LNKCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Przyspieszenie uruchomienia programu AutoCAD.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Przyspieszenie uruchomienia programu AutoCAD.lnk
backup=C:\WINDOWS\pss\Przyspieszenie uruchomienia programu AutoCAD.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Karol^Menu Start^Programy^Autostart^Registration Heroes of Might & Magic 5 - Tribes of the East.LNK]
path=C:\Documents and Settings\Karol\Menu Start\Programy\Autostart\Registration Heroes of Might & Magic 5 - Tribes of the East.LNK
backup=C:\WINDOWS\pss\Registration Heroes of Might & Magic 5 - Tribes of the East.LNKStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Tomek^Menu Start^Programy^Autostart^Norton Disk Doctor.lnk]
path=C:\Documents and Settings\Tomek\Menu Start\Programy\Autostart\Norton Disk Doctor.lnk
backup=C:\WINDOWS\pss\Norton Disk Doctor.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\advap32]
C:\DOCUME~1\Tomek\USTAWI~1\Temp\rbnpsrv.exe/r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cmaudio]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmona]
C:\WINDOWS\system32\ctfmona.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2006-11-12 12:48 157592 C:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DelayLoad]
C:\DOCUME~1\Tomek\USTAWI~1\Temp\msprint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eca2046e]
--a------ 2008-05-25 08:28 91136 C:\WINDOWS\system32\vxovdjey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2007-08-24 08:00 33648 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
--a------ 2005-12-05 02:39 461584 C:\Program Files\Microsoft IntelliPoint\ipoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-04 15:18 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 12:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
C:\WINDOWS\System32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QD FastAndSafe]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-02-01 00:13 385024 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 2006-11-10 12:35 90112 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2006-11-09 16:07 49263 C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
--a------ 2006-12-26 18:23 100056 C:\PROGRA~1\SYMNET~1\SNDMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Topic MSNGR32]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave]
C:\Program Files\Save\Save.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2003-04-02 04:20 12288 C:\Program Files\Winamp\Winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Gadu-Gadu\\gg.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\BitSpirit\\BitSpirit.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe"=

R0 msX16;msX16;C:\WINDOWS\system32\Drivers\msX16.sys [2008-05-25 16:25]
R0 Taf37;Taf37;C:\WINDOWS\system32\Drivers\Taf37.sys [2008-05-25 16:24]
S0 diO73;diO73;C:\WINDOWS\system32\Drivers\diO73.sys []
S0 ouA61;ouA61;C:\WINDOWS\system32\Drivers\ouA61.sys []
S0 Pvb38;Pvb38;C:\WINDOWS\system32\Drivers\Pvb38.sys []
S0 sxE61;sxE61;C:\WINDOWS\system32\Drivers\sxE61.sys []
S0 taF62;taF62;C:\WINDOWS\system32\Drivers\taF62.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-05-23 18:00:24 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\Norton\NORTON~1\NAVW32.exeG/task:C:\DOCUME~1\ALLUSE~1\DANEAP~1\Symantec\NORTON~1\Tasks\mycomp.sca
"2008-05-23 15:32:54 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job"
- C:\Program Files\Norton\OBC.exe
"2008-05-25 14:26:32 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-25 16:25:16
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\gocdroye.ini 294 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\rqRJDtro.dll
-> C:\WINDOWS\system32\WinCtrl32.dll
-> C:\WINDOWS\system32\WLCtrl32.dll

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\ydhdwfso.dll
-> C:\WINDOWS\system32\geBtTLee.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-05-25 16:32:53 - machine was rebooted [Tomek]
ComboFix-quarantined-files.txt 2008-05-25 14:32:43

Pre-Run: 23,164,817,408 bajtów wolnych
Post-Run: 23,808,221,184 bajtów wolnych

338

#6 ordynat (Advanced user, 804 posts)

Posted 25 05 2008 - 16:38

I see you have quite a few of these infections, and each one worse than the last...!
I'm also adding the empty, no longer needed "msconfig" keys to the removal.

Paste into Notepad:
File::
C:\WINDOWS\system32\WinCtrl32.dl_
C:\WINDOWS\system32\eyordcog.dll
C:\WINDOWS\system32\drivers\Taf37.sys
C:\WINDOWS\system32\drivers\msX16.sys
C:\WINDOWS\system32\tylbwxcy.dll
C:\WINDOWS\system32\vxovdjey.dll
C:\WINDOWS\vltdfabw.dll
C:\WINDOWS\boqnrwdmstg.dll
C:\WINDOWS\atfxqogp.dll
C:\WINDOWS\edwf.exe
C:\WINDOWS\xmpstean.exe
C:\WINDOWS\system32\rqRJDtro.dll
C:\WINDOWS\system32\WinCtrl32.dll
C:\WINDOWS\system32\gocdroye.ini
C:\WINDOWS\system32\rqRJDtro.dll
C:\WINDOWS\system32\WinCtrl32.dll
C:\WINDOWS\system32\WLCtrl32.dll
C:\WINDOWS\system32\ydhdwfso.dll
C:\WINDOWS\system32\geBtTLee.dll

Driver::
msX16
Taf37
diO73
ouA61
Pvb38
sxE61
taF62

Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4A3F62A9-AFEB-4543-AE4D-DC2442444E64}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B33B96B9-E0C2-4648-9819-A38DDCAFA33C}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"eca2046e"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{4A3F62A9-AFEB-4543-AE4D-DC2442444E64}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqRJDtro]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WinCtrl32]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\diO73.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\msX16.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ouA61.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Pvb38.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sxE61.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Taf37.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\taF62.sys]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\advap32]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cmaudio]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmona]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DelayLoad]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eca2046e]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QD FastAndSafe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Topic MSNGR32]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave]
>>File>>Save as... >>> CFScript
Drag and drop the CFScript.txt file onto ComboFix.exe
The removal should then start (and a log will be produced).
Post that log, the one produced during the removal.
After the restart, delete the C:\Qoobox folder manually.

ordynat
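The block above is the tail of the script the helper asks to drag onto ComboFix.exe. As an added example that is not part of the thread and not ComboFix's own code: a small parser for that REGEDIT4 deletion syntax (`[-key]` deletes a whole key, `"name"=-` deletes one value under the preceding `[key]`) that labels each target with the autostart mechanism it belongs to, so a reviewer can see what the script actually touches before running it. The category labels and severities are the editor's own; the sample is a subset of the lines posted above.

```python
"""Triage a ComboFix CFScript / REGEDIT4 deletion block.

Added example, not part of the thread. Handles the REGEDIT4 subset used
in the script above: "[-KEY]" deletes a key, '"name"=-' under "[KEY]"
deletes one value. The autostart labels are the editor's own.
"""
import re
from collections import Counter

# Constructed sample: a subset of the script lines posted in the thread.
SAMPLE_SCRIPT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"eca2046e"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{4A3F62A9-AFEB-4543-AE4D-DC2442444E64}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqRJDtro]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WinCtrl32]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\msX16.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Taf37.sys]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"""

# Ordered (regex on the lower-cased key path, label, severity); first match wins.
# Paths are compared case-insensitively because ComboFix scripts mix cases.
ASEP_RULES = [
    (r"\\currentversion\\run$", "Run value (started at logon)", "high"),
    (r"\\explorer\\shellexecutehooks$", "ShellExecuteHook CLSID (DLL loaded by Explorer)", "high"),
    (r"\\winlogon\\notify\\[^\\]+$", "Winlogon Notify package (DLL loaded into winlogon.exe)", "high"),
    (r"\\safeboot\\minimal\\[^\\]+$", "SafeBoot\\Minimal entry (also loads in Safe Mode)", "high"),
    (r"\\msconfig\\startupreg\\[^\\]+$", "msconfig disabled-startup record (not an active autostart)", "info"),
]

KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
VALUE_DELETE_RE = re.compile(r'^"([^"]+)"=-$')


def classify_key(key_path):
    """Return (label, severity) for a registry key path."""
    low = key_path.lower()
    for pattern, label, severity in ASEP_RULES:
        if re.search(pattern, low):
            return label, severity
    return "uncategorised key", "review"


def parse_deletion_script(text):
    """Parse deletion lines into dicts: action, key, value, label, severity."""
    actions = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        m = KEY_RE.match(line)
        if m:
            minus, key = m.group(1), m.group(2)
            current_key = key
            if minus == "-":
                label, severity = classify_key(key)
                actions.append({"action": "delete_key", "key": key, "value": None,
                                "label": label, "severity": severity})
            continue
        m = VALUE_DELETE_RE.match(line)
        if m and current_key is not None:
            label, severity = classify_key(current_key)
            actions.append({"action": "delete_value", "key": current_key,
                            "value": m.group(1), "label": label, "severity": severity})
            continue
        raise ValueError("unrecognised script line: %r" % raw)
    return actions


def summarise(actions):
    """Count actions per severity so a reviewer sees what the script really touches."""
    return dict(Counter(a["severity"] for a in actions))


if __name__ == "__main__":
    for a in parse_deletion_script(SAMPLE_SCRIPT):
        target = a["key"] if a["value"] is None else '%s -> "%s"' % (a["key"], a["value"])
        print("%-6s %-12s %s  [%s]" % (a["severity"], a["action"], target, a["label"]))
    print(summarise(parse_deletion_script(SAMPLE_SCRIPT)))
```

The "info" rows are worth noticing: the msconfig\startupreg entries are only msconfig's record of items a user disabled earlier, so deleting them does not stop anything from running; the real persistence in this script is the Run value, the ShellExecuteHook, the two Winlogon Notify packages and the SafeBoot\Minimal entries that let the malicious drivers load even in Safe Mode.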

#7 mikiel (Beginner, 51 posts)
Posted 25 05 2008 - 16:55

Ah, I'm already doing what you told me; I misread the post.

#8 ordynat (Advanced user, 804 posts)
Posted 25 05 2008 - 17:08

Just do the part with the script; that will remove everything.

ordynat

#9 mikiel (Beginner, 51 posts)
Posted 25 05 2008 - 17:26

Here's the log, then:

ComboFix 08-05-24.1 - Tomek 2008-05-25 17:26:19.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.719 [GMT 2:00]
Running from: C:\Documents and Settings\Tomek\Pulpit\ComboFix.exe
Command switches used :: C:\Documents and Settings\Tomek\Pulpit\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED

FILE ::
C:\WINDOWS\atfxqogp.dll
C:\WINDOWS\boqnrwdmstg.dll
C:\WINDOWS\edwf.exe
C:\WINDOWS\system32\drivers\msX16.sys
C:\WINDOWS\system32\drivers\Taf37.sys
C:\WINDOWS\system32\eyordcog.dll
C:\WINDOWS\system32\geBtTLee.dll
C:\WINDOWS\system32\gocdroye.ini
C:\WINDOWS\system32\rqRJDtro.dll
C:\WINDOWS\system32\tylbwxcy.dll
C:\WINDOWS\system32\vxovdjey.dll
C:\WINDOWS\system32\WinCtrl32.dl_
C:\WINDOWS\system32\WinCtrl32.dll
C:\WINDOWS\system32\WLCtrl32.dll
C:\WINDOWS\system32\ydhdwfso.dll
C:\WINDOWS\vltdfabw.dll
C:\WINDOWS\xmpstean.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\atfxqogp.dll
C:\WINDOWS\boqnrwdmstg.dll
C:\WINDOWS\edwf.exe
C:\WINDOWS\system32\drivers\msX16.sys
C:\WINDOWS\system32\drivers\Taf37.sys
C:\WINDOWS\system32\gocdroye.ini
C:\WINDOWS\system32\rqRJDtro.dll
C:\WINDOWS\system32\tylbwxcy.dll
C:\WINDOWS\system32\vxovdjey.dll
C:\WINDOWS\system32\WinCtrl32.dl_
C:\WINDOWS\system32\WinCtrl32.dll
C:\WINDOWS\system32\WLCtrl32.dl_
C:\WINDOWS\system32\WLCtrl32.dll
C:\WINDOWS\system32\ydhdwfso.dll
C:\WINDOWS\vltdfabw.dll
C:\WINDOWS\xmpstean.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MSX16
-------\Legacy_SXE61
-------\Legacy_TAF37
-------\Service_diO73
-------\Service_msX16
-------\Service_ouA61
-------\Service_Pvb38
-------\Service_sxE61
-------\Service_Taf37
-------\Service_taF62


((((((((((((((((((((((((( Files Created from 2008-04-25 to 2008-05-25 )))))))))))))))))))))))))))))))
.

2008-05-25 15:04 . 2008-05-25 15:04 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-25 15:04 . 2008-05-25 15:40 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Spybot - Search & Destroy
2008-05-25 12:39 . 2008-05-25 16:07 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Lavasoft
2008-05-25 11:25 . 2008-05-25 14:10 <DIR> d-------- C:\Program Files\SkanerOnline
2008-05-25 11:11 . 2008-05-25 11:11 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-25 10:32 . 2008-05-25 10:34 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-05-25 10:17 . 2008-05-25 13:05 <DIR> d-------- C:\Documents and Settings\Jola\Dane aplikacji\TmpRecentIcons
2008-05-25 09:48 . 2008-05-25 09:48 <DIR> d-------- C:\Documents and Settings\Tomek\Dane aplikacji\TmpRecentIcons
2008-05-25 08:37 . 2008-05-25 17:07 <DIR> d--h----- C:\Documents and Settings\Administrator\Ustawienia lokalne
2008-05-25 08:37 . 2006-12-26 17:32 <DIR> d-------- C:\Documents and Settings\Administrator\Ulubione
2008-05-25 08:37 . 2006-12-26 17:45 <DIR> d--h----- C:\Documents and Settings\Administrator\Szablony
2008-05-25 08:37 . 2007-01-03 01:37 <DIR> d-------- C:\Documents and Settings\Administrator\Pulpit
2008-05-25 08:37 . 2006-12-26 17:32 <DIR> d-------- C:\Documents and Settings\Administrator\Moje dokumenty
2008-05-25 08:37 . 2006-12-26 17:32 <DIR> dr------- C:\Documents and Settings\Administrator\Menu Start
2008-05-25 08:37 . 2006-12-26 17:32 <DIR> dr-h----- C:\Documents and Settings\Administrator\Dane aplikacji
2008-05-25 08:37 . 2008-05-25 08:37 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-25 08:23 . 2008-05-25 08:24 <DIR> d-------- C:\Program Files\Common Files\ACD Systems
2008-05-25 08:23 . 2008-05-25 08:23 <DIR> d-------- C:\Program Files\ACD Systems
2008-05-25 08:23 . 2008-05-25 08:23 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\ACD Systems
2008-05-21 14:24 . 2008-05-21 14:28 <DIR> d-------- C:\Program Files\ATI
2008-05-21 14:02 . 2008-05-21 14:02 <DIR> d-------- C:\Program Files\NEC DISPLAY SOLUTIONS
2008-05-21 13:59 . 2008-05-21 13:59 <DIR> d-------- C:\Documents and Settings\Tomek\Dane aplikacji\ATI
2008-05-21 13:59 . 2008-05-21 13:59 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\ATI
2008-05-21 13:58 . 2008-05-21 13:58 0 --a------ C:\WINDOWS\ativpsrm.bin
2008-05-21 13:48 . 2008-05-21 13:53 <DIR> d-------- C:\Program Files\Common Files\ATI Technologies
2008-05-21 13:47 . 2008-03-28 21:05 593,920 --------- C:\WINDOWS\system32\ati2sgag.exe
2008-05-21 13:46 . 2008-05-21 13:53 <DIR> d-------- C:\Program Files\ATI Technologies
2008-05-21 13:46 . 2007-12-21 04:35 3,107,788 -ra------ C:\WINDOWS\system32\ativvaxx.dat
2008-05-21 13:46 . 2007-12-21 04:35 3,107,788 -ra------ C:\WINDOWS\system32\ativva5x.dat
2008-05-21 13:46 . 2007-12-21 04:35 887,724 -ra------ C:\WINDOWS\system32\ativva6x.dat
2008-05-21 13:46 . 2008-03-29 06:05 372,736 --a------ C:\WINDOWS\system32\ATIDEMGX.dll
2008-05-21 13:46 . 2008-03-29 05:39 307,200 --a------ C:\WINDOWS\system32\atiiiexx.dll
2008-05-21 13:46 . 2008-03-06 16:40 168,883 --a------ C:\WINDOWS\system32\atiicdxx.dat
2008-05-21 13:46 . 2008-01-21 15:48 12,477 --a------ C:\WINDOWS\atiogl.xml
2008-05-21 13:46 . 2007-08-31 16:20 7,167 -ra------ C:\WINDOWS\system32\atifglpf.xml
2008-05-13 18:43 . 2008-05-13 18:44 <DIR> d-------- C:\Program Files\Pet Soccer
2008-05-11 13:58 . 2008-05-11 13:58 <DIR> d-------- C:\Documents and Settings\Tomek\Dane aplikacji\teamspeak2
2008-05-09 12:14 . 2008-05-09 12:14 <DIR> d-------- C:\Program Files\Sports Interactive
2008-05-09 12:10 . 2008-05-09 12:18 <DIR> d-------- C:\Documents and Settings\Karol\Dane aplikacji\Sports Interactive

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-25 15:24 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-25 14:07 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-25 11:42 --------- d-----w C:\Program Files\Norton
2008-05-25 11:22 --------- d-----w C:\Documents and Settings\Tomek\Dane aplikacji\Lavasoft
2008-05-25 06:12 --------- d-----w C:\Program Files\Blaze Media Pro
2008-05-21 12:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-16 20:36 --------- d-----w C:\Program Files\mIRC
2008-05-10 06:12 --------- d-----w C:\Program Files\BearShare
2008-04-30 21:32 --------- d-----w C:\Documents and Settings\Karol\Dane aplikacji\teamspeak2
2008-04-22 13:39 98,304 ----a-w C:\WINDOWS\DUMP4a95.tmp
2008-04-21 14:56 --------- d-----w C:\Program Files\AV Vcs 6.0 GOLD
2008-04-17 07:00 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Microsoft Help
2008-04-11 18:27 --------- d-----w C:\Documents and Settings\Jola\Dane aplikacji\ArcSoft
2008-03-29 06:21 2,873,856 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
2008-03-29 03:18 49,152 ----a-w C:\WINDOWS\system32\drivers\ati2erec.dll
2008-03-28 16:35 --------- d-----w C:\Documents and Settings\Karol\Dane aplikacji\ArcSoft
2008-03-28 16:34 --------- d-----w C:\Program Files\Common Files\ArcSoft
2008-03-28 16:34 --------- d-----w C:\Program Files\ArcSoft
2008-03-26 23:57 --------- d-----w C:\Program Files\WinSCP
2008-02-13 23:44 47,360 ----a-w C:\Documents and Settings\Tomek\Dane aplikacji\pcouffin.sys
2008-01-05 16:55 52,440 ----a-w C:\Documents and Settings\Karol\Dane aplikacji\GDIPFONTCACHEV1.DAT
2007-11-07 06:42 49,176 ----a-w C:\Documents and Settings\Tomek\Dane aplikacji\GDIPFONTCACHEV1.DAT
2007-03-17 07:55 397,312 ----a-w C:\Documents and Settings\Tomek\jogl.dll
2007-12-29 08:37 32 --sha-w C:\WINDOWS\{20B102E0-E565-42D0-895C-84EE9430DC4D}.dat
2007-12-29 08:36 32 --sha-w C:\WINDOWS\{26440D04-D04D-48BB-A471-CC8AF3386392}.dat
2007-12-29 08:36 32 --sha-w C:\WINDOWS\{311DCC95-A844-49CF-B918-4BC02D9EF2E3}.dat
2007-12-29 08:36 32 --sha-w C:\WINDOWS\{5C67A0B8-6C00-473D-99F0-31E687E1CFAD}.dat
2007-12-29 08:36 32 --sha-w C:\WINDOWS\{7F5434EA-AEE2-4D9E-A184-997666982582}.dat
2007-12-29 08:38 32 --sha-w C:\WINDOWS\{8E3FB993-ED7B-49FF-A5A7-77EBE0569885}.dat
2007-12-29 08:37 32 --sha-w C:\WINDOWS\{D70A6BA9-F075-43B5-A6B4-7C16DCD3F736}.dat
2007-12-29 08:36 32 --sha-w C:\WINDOWS\system32\{1951497B-2534-4325-87E1-EE14DDB07E1F}.dat
2007-12-29 08:37 32 --sha-w C:\WINDOWS\system32\{87DBE9CB-9866-46F9-BA5C-71268F55D7F7}.dat
2007-12-29 08:38 32 --sha-w C:\WINDOWS\system32\{AE9C1732-8149-4B01-989B-AFEA7AE78B48}.dat
2007-12-29 08:36 32 --sha-w C:\WINDOWS\system32\{CABB3FEE-57AC-416C-9F5E-4D040C4B57F3}.dat
2007-12-29 08:36 32 --sha-w C:\WINDOWS\system32\{E02D4FDD-4A10-42C8-85C9-C15C51B59CA1}.dat
2007-12-29 08:36 32 --sha-w C:\WINDOWS\system32\{E28D228B-E848-49AA-9958-D730406FAD42}.dat
2007-12-29 08:37 32 --sha-w C:\WINDOWS\system32\{FB8742DE-BEFA-4E82-9590-22B40B07A27D}.dat
.

------- Sigcheck -------

2002-09-29 00:00 332928 244a2f9816bc9b593957281ef577d976 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2004-08-04 00:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\ServicePackFiles\i386\tcpip.sys
2004-08-04 00:14 359040 28f288e08a098df3c0eb6aa813bb41fd C:\WINDOWS\system32\drivers\tcpip.sys

2002-09-29 00:00 13312 0c4c012b0a8960f48a666c240a7baa3d C:\WINDOWS\$NtServicePackUninstall$\ctfmon.exe
2004-08-04 01:44 15360 cbfa30492d70ce3938d8a7783d0c0436 C:\WINDOWS\ServicePackFiles\i386\ctfmon.exe
.
((((((((((((((((((((((((((((( snapshot@2008-05-25_17.05.28.06 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-25 14:57:31 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-25 15:32:00 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-04-19 17:43 2101248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
"vidc.i420"= i420vfw.dll
"vidc.yv12"= yv12vfw.dll
"msacm.l3fhg"= mp3fhg.acm
"msacm.imc"= imc32.acm
"VIDC.ACDV"= ACDV.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Norton System Doctor.LNK]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Norton System Doctor.LNK
backup=C:\WINDOWS\pss\Norton System Doctor.LNKCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Przyspieszenie uruchomienia programu AutoCAD.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Przyspieszenie uruchomienia programu AutoCAD.lnk
backup=C:\WINDOWS\pss\Przyspieszenie uruchomienia programu AutoCAD.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Karol^Menu Start^Programy^Autostart^Registration Heroes of Might & Magic 5 - Tribes of the East.LNK]
path=C:\Documents and Settings\Karol\Menu Start\Programy\Autostart\Registration Heroes of Might & Magic 5 - Tribes of the East.LNK
backup=C:\WINDOWS\pss\Registration Heroes of Might & Magic 5 - Tribes of the East.LNKStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Tomek^Menu Start^Programy^Autostart^Norton Disk Doctor.lnk]
path=C:\Documents and Settings\Tomek\Menu Start\Programy\Autostart\Norton Disk Doctor.lnk
backup=C:\WINDOWS\pss\Norton Disk Doctor.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2006-11-12 12:48 157592 C:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2007-08-24 08:00 33648 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
--a------ 2005-12-05 02:39 461584 C:\Program Files\Microsoft IntelliPoint\ipoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-04 15:18 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 12:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-02-01 00:13 385024 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 11:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 2006-11-10 12:35 90112 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2006-11-09 16:07 49263 C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
--a------ 2006-12-26 18:23 100056 C:\PROGRA~1\SYMNET~1\SNDMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2003-04-02 04:20 12288 C:\Program Files\Winamp\Winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Gadu-Gadu\\gg.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\BitSpirit\\BitSpirit.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe"=

.
Contents of the 'Scheduled Tasks' folder
"2008-05-23 18:00:24 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\Norton\NORTON~1\NAVW32.exeG/task:C:\DOCUME~1\ALLUSE~1\DANEAP~1\Symantec\NORTON~1\Tasks\mycomp.sca
"2008-05-23 15:32:54 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job"
- C:\Program Files\Norton\OBC.exe
"2008-05-25 15:34:14 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-25 17:33:15
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-05-25 17:37:50 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-25 15:37:47
ComboFix2.txt 2008-05-25 15:07:05
ComboFix3.txt 2008-05-25 14:32:55

Pre-Run: 28,974,772,224 bytes free
Post-Run: 28,912,394,240 bytes free

262



Doing a restart.
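One part of the log above that the thread does not comment on is the "Sigcheck" block: for tcpip.sys the copy under system32\drivers has the same size and timestamp as the Service Pack copy under ServicePackFiles\i386 but a different MD5, and for ctfmon.exe no installed copy is listed at all. As an added example that is not from the thread and not ComboFix's code, here is a check that reads that block and reports per file whether the installed copy matches the Service Pack reference. The sample lines are copied from the log; reading a same-size, same-date, different-hash driver as "modified on disk" is the editor's interpretation, and the log does not say what modified it.

```python
r"""Find system files whose installed copy no longer matches the Service Pack copy.

Added example, not from the thread. It reads the "Sigcheck" block ComboFix
printed (one line per file: date, time, size, MD5, path) and compares, per
file name, the copy under system32 with the copy under ServicePackFiles\i386.
The sample lines are copied from the log. A pre-SP copy under
$NtServicePackUninstall$ is expected to differ and is not used as reference.
"""
import re
from collections import defaultdict

SAMPLE_SIGCHECK = r"""
2002-09-29 00:00 332928 244a2f9816bc9b593957281ef577d976 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2004-08-04 00:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\ServicePackFiles\i386\tcpip.sys
2004-08-04 00:14 359040 28f288e08a098df3c0eb6aa813bb41fd C:\WINDOWS\system32\drivers\tcpip.sys

2002-09-29 00:00 13312 0c4c012b0a8960f48a666c240a7baa3d C:\WINDOWS\$NtServicePackUninstall$\ctfmon.exe
2004-08-04 01:44 15360 cbfa30492d70ce3938d8a7783d0c0436 C:\WINDOWS\ServicePackFiles\i386\ctfmon.exe
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (\d+) ([0-9a-fA-F]{32}) (.+)$")


def parse_sigcheck(text):
    """Group lines by file name: {name: {role: record}}, role being
    reference (ServicePackFiles), pre_sp_backup or installed."""
    files = defaultdict(dict)
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("not a Sigcheck line: %r" % raw)
        stamp, size, md5, path = m.groups()
        low = path.lower()
        if "\\servicepackfiles\\i386\\" in low:
            role = "reference"
        elif "$ntservicepackuninstall$" in low:
            role = "pre_sp_backup"
        else:
            role = "installed"
        name = low.rsplit("\\", 1)[-1]
        files[name][role] = {"stamp": stamp, "size": int(size),
                             "md5": md5.lower(), "path": path}
    return files


def assess(files):
    """Return {name: (status, detail)} for every file in the block."""
    findings = {}
    for name, roles in sorted(files.items()):
        ref = roles.get("reference")
        inst = roles.get("installed")
        if ref is None:
            findings[name] = ("no_reference", "no ServicePackFiles copy to compare against")
        elif inst is None:
            findings[name] = ("installed_missing",
                              "no installed copy listed; reference copy is %s" % ref["path"])
        elif inst["md5"] == ref["md5"]:
            findings[name] = ("ok", "installed copy matches the Service Pack copy")
        else:
            detail = "installed MD5 %s, reference %s" % (inst["md5"], ref["md5"])
            if inst["size"] == ref["size"] and inst["stamp"] == ref["stamp"]:
                detail += "; size and timestamp identical, so only the bytes changed"
            findings[name] = ("modified", detail)
    return findings


if __name__ == "__main__":
    for name, (status, detail) in assess(parse_sigcheck(SAMPLE_SIGCHECK)).items():
        print("%-12s %-18s %s" % (name, status, detail))
```

A "modified" result is the cue to replace the file from the Service Pack copy (or run sfc /scannow) rather than trust it; a matching timestamp proves nothing, since whatever rewrote the file can set the timestamp too. What "installed_missing" means for ctfmon.exe here is not something the log settles.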

#10 ordynat (Advanced user, 804 posts)
Posted 25 05 2008 - 17:37

In my opinion the log is clean now.

ordynat

#11 mikiel (Beginner, 51 posts)
Posted 25 05 2008 - 17:46

So, I've been fighting this virus since 9 this morning. I've already searched through (almost) all of Google, and it seems to me I defended myself against it, because my regedit buttons disappeared and the manager wouldn't open, msvir shows nothing, and if it weren't for that VIRUS ALERT text next to the clock I wouldn't know I had any viruses. When ComboFix.exe makes the log after the restart, the text isn't there; it appears once it finishes "making" the log.

Any suggestions?

#12 ordynat (Advanced user, 804 posts)
Posted 25 05 2008 - 17:57

I don't see any reason for such a message to be displayed.
Is there perhaps a path given there?

ordynat

#13 mikiel (Beginner, 51 posts)
Posted 25 05 2008 - 18:01

No, nothing at all. This message is permanently embedded in the time: even when I print something and the time of printing is at the bottom of the page, the text "virus alert" is next to it. It seems to me the virus that did this has been removed, but it left behind a little "tagline" that somehow needs to be removed in Windows, and I don't know how xD

#14 ordynat (Advanced user, 804 posts)
Posted 25 05 2008 - 18:12

But even if it left something like that behind, it should be visible in the ComboFix log.

1) Use SmitfraudFix
Post its Raport.txt.

2) If it still doesn't disappear, then you'll also post a log from SilentRunners

ordynat

#15 mikiel (Beginner, 51 posts)
Posted 25 05 2008 - 18:36

And here's the log from SmitfraudFix

It didn't help at all xD


SmitFraudFix v2.322

Scan done at 18:39:30,37, 2008-05-25
Run from C:\Documents and Settings\Tomek\Pulpit\SmitfraudFix
OS: Microsoft Windows XP [Wersja 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!Attention, following keys are not inevitably infected!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» DNS



»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!Attention, following keys are not inevitably infected!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning not selected.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!Attention, following keys are not inevitably infected!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End



Unfortunately I have to leave now, so I'll only run the second program tomorrow ..xD
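The thread ends without locating the string. As an added example that is not from the thread or from any of the tools used in it: the symptom described in post #13 (the text appears wherever Windows formats the time, including print footers, and even the HijackThis header line reads "Scan saved at 14:09: VIRUS ALERT!") is what you see when the user's own time format string has been altered, since every program that asks Windows to format the time gets that string back. In Windows that string is the sTimeFormat value under HKEY_CURRENT_USER\Control Panel\International (sShortDate and sLongDate are the date equivalents). Tying this symptom to that value is the editor's inference, not something the thread establishes. The check below parses a .reg export of that key (the sample is constructed, with the value set to what the HijackThis header suggests) and flags any text in the format strings that the format grammar does not explain.

```python
r"""Check locale date/time format strings from a .reg export for injected text.

Added example, not from the thread. Assumption (the editor's): text that
appears wherever Windows prints the time lives in the user's time format,
HKEY_CURRENT_USER\Control Panel\International\sTimeFormat. The format
grammar used here: picture tokens (H, HH, h, hh, m, mm, s, ss, t, tt, d,
dd, ddd, dddd, M, MM, MMM, MMMM, y, yy, yyyy), separators, and quoted
literals. Anything else is reported as foreign.
"""
import re

# Constructed sample export; the sTimeFormat value mirrors the "14:09: VIRUS ALERT!"
# seen in the HijackThis header, the rest is illustrative.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Control Panel\International]
"Locale"="00000415"
"sShortDate"="yyyy-MM-dd"
"sLongDate"="d MMMM yyyy"
"sTimeFormat"="HH:mm: VIRUS ALERT!"
"""

FORMAT_VALUES = ("sTimeFormat", "sShortDate", "sLongDate")
# Picture tokens Windows accepts in these strings, longest first so "HH" wins over "H".
TOKENS = ("dddd", "ddd", "dd", "d", "MMMM", "MMM", "MM", "M", "yyyy", "yy", "y",
          "HH", "H", "hh", "h", "mm", "m", "ss", "s", "tt", "t")
SEPARATORS = set(" :.,-/")

VALUE_RE = re.compile(r'^"([^"]+)"="((?:[^"\\]|\\.)*)"$')


def parse_reg_values(text, key_suffix):
    """Return {name: value} for the REG_SZ values under the key ending in key_suffix."""
    values = {}
    in_key = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_key = line.lower().endswith(key_suffix.lower() + "]")
            continue
        m = VALUE_RE.match(line) if in_key else None
        if m:
            values[m.group(1)] = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
    return values


def split_format(fmt):
    """Split a format string into (kind, text) pieces: token, sep, literal or foreign."""
    pieces = []
    i = 0
    while i < len(fmt):
        ch = fmt[i]
        if ch == "'":                       # quoted literal, kept as is
            end = fmt.find("'", i + 1)
            end = len(fmt) if end < 0 else end
            pieces.append(("literal", fmt[i:end + 1]))
            i = end + 1
            continue
        if ch in SEPARATORS:
            pieces.append(("sep", ch))
            i += 1
            continue
        for tok in TOKENS:
            if fmt.startswith(tok, i):
                pieces.append(("token", tok))
                i += len(tok)
                break
        else:
            # Run of characters the grammar does not explain: report it.
            j = i
            while (j < len(fmt) and fmt[j] not in SEPARATORS and fmt[j] != "'"
                   and not any(fmt.startswith(t, j) for t in TOKENS)):
                j += 1
            pieces.append(("foreign", fmt[i:j]))
            i = j
    return pieces


def audit(values):
    """Return {name: (foreign_runs, sanitised_format)} for each format value present."""
    report = {}
    for name in FORMAT_VALUES:
        if name not in values:
            continue
        pieces = split_format(values[name])
        foreign = [text for kind, text in pieces if kind == "foreign"]
        kept = "".join(text for kind, text in pieces if kind != "foreign")
        report[name] = (foreign, kept.strip("".join(SEPARATORS)))
    return report


if __name__ == "__main__":
    for name, (foreign, clean) in audit(parse_reg_values(SAMPLE_REG, r"\Control Panel\International")).items():
        print("%-12s foreign=%-20r sanitised=%r" % (name, foreign, clean))
```

On the affected machine the export comes from `reg export "HKCU\Control Panel\International" intl.reg`. The sanitised string only removes the foreign text; it cannot recover what the format was before (here it cannot tell whether seconds were shown), so the repair is to set the format you want, for example through Regional and Language Options or `reg add "HKCU\Control Panel\International" /v sTimeFormat /t REG_SZ /d "HH:mm:ss" /f`, and to check every user profile on the machine, since the value is per user.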



