
Sality, Wukill-B, Malware-gen and 6 others



Avast detected the following infections on the computer:

Java:Downloader-DN, VBS:Malware-gen, Win32:Injector-ATA, Win32:Malware-gen, Win32:Neclsym-EP, Win32:Sality, Win32:VB-EAA, Win32:Wuklill-B.

I used Sality-Killer and Malwarebytes Anti-Malware.

I moved what I could into Avast's quarantine.

I still have some of the original files that were moved to quarantine, but before copying them back I would rather make sure that a hidden infection is not still lurking somewhere.

Required logs: http://wklej.org/id/809018/

Link to comment

Autoruns:

O32 - AutoRun File - [2010-07-05 11:24:08 | 000,000,011 | RHS- | M] () - C:\autorun.inf -- [ NTFS ]

O32 - AutoRun File - [2010-07-05 11:24:55 | 000,000,013 | -HS- | M] () - E:\autorun.inf -- [ NTFS ]

O32 - AutoRun File - [2010-07-05 11:26:58 | 000,000,011 | -HS- | M] () - F:\autorun.inf -- [ NTFS ]

O32 - AutoRun File - [2011-06-16 07:51:50 | 000,000,037 | ---- | M] () - G:\autorun.txt -- [ FAT ]

 

 

These malicious files may no longer exist, because they were in the automount entries.

Among others:

G:\2fiy.bat

G:\qwfqcu.pif

G:\n1deiect.com

G:\-.exe

G:\qrydtb.pif

G:\Recycled\ctfmon.exe

 

Is G a removable drive?

Well, when the specialists are back they will help you, because they know this stuff.

Link to comment

1. Download SalityKiller. Run a scan with it and repeat the scan until it reports zero infected files.

2. Download Sality_RegKeys and, from inside it, run the file SafeBootWinXP.reg, confirming the import into the registry.

3. Run OTL and paste the following text into the Custom Scans/Fixes (Własne opcje skanowania/Skrypt) window:

 

:OTL
DRV - File not found [Kernel | On_Demand | Unknown] -- C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp\awrcaaod.sys -- (awrcaaod)
[2012-05-16 08:10:57 | 000,000,000 | ---D | M] ("Winamp Toolbar") -- C:\Documents and Settings\Administrator\Dane aplikacji\Mozilla\Firefox\Profiles\uyyo6yop.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}
[2012-01-12 17:42:13 | 000,002,354 | ---- | M] () -- C:\Documents and Settings\Administrator\Dane aplikacji\Mozilla\Firefox\Profiles\uyyo6yop.default\searchplugins\aol-web-search.xml
[2012-01-11 17:34:39 | 000,001,360 | ---- | M] () -- C:\Documents and Settings\Administrator\Dane aplikacji\Mozilla\Firefox\Profiles\uyyo6yop.default\searchplugins\winampsearch-1.xml
[2008-05-28 13:00:05 | 000,001,360 | ---- | M] () -- C:\Documents and Settings\Administrator\Dane aplikacji\Mozilla\Firefox\Profiles\uyyo6yop.default\searchplugins\winampsearch.xml
O3 - HKU\S-1-5-21-1715567821-1614895754-682003330-500\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-1715567821-1614895754-682003330-500\..\Toolbar\WebBrowser: (no name) - {414B6D9D-4A95-4E8D-B5B1-149DD2D93BB3} - No CLSID value found.
O3 - HKU\S-1-5-21-1715567821-1614895754-682003330-500\..\Toolbar\WebBrowser: (no name) - {5C5B9468-D672-4EB7-B52F-B5AFABF28C5B} - No CLSID value found.
 
:Files
autorun.inf /alldrives
 
:Reg
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
 
:Commands
[emptytemp]

 

Note for other readers: this script is unique, tailored solely to this system; please do not use it on your own systems.

Click Run Fix (Wykonaj skrypt). Confirm the computer restart.

4. Run OTL again, this time using the Run Scan (Skanuj) option. Post the new OTL log (without Extras) and the USBFix log from the Listing option. Also let me know what SalityKiller showed.

Link to comment

OK, drop that then, because I don't have time to look for a good link either. Paste this corrective script into OTL:

 

:OTL
IE - HKCU\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = "http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3031817"
 
:Files
C:\Documents and Settings\NetworkService\Dane aplikacji\bawuho.dat

 

Click Run Fix (Wykonaj skrypt). Post a new log as a check.

Link to comment

OTL logfile created on: 2012-08-12 22:12:00 - Run 4

OTL by OldTimer - Version 3.2.56.0 Folder = G:\na_wirusy

Windows XP Professional Edition Dodatek Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 6.0.2900.2180)

Locale: 00000415 | Country: Polska | Language: PLK | Date Format: yyyy-MM-dd

 

767,48 Mb Total Physical Memory | 524,01 Mb Available Physical Memory | 68,28% Memory free

1,69 Gb Paging File | 1,51 Gb Available in Paging File | 89,58% Paging File free

Paging file location(s): E:\pagefile.sys 1000 4000 [binary data]

 

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 9,77 Gb Total Space | 1,14 Gb Free Space | 11,69% Space Free | Partition Type: NTFS

Drive E: | 78,13 Gb Total Space | 58,03 Gb Free Space | 74,27% Space Free | Partition Type: NTFS

Drive F: | 61,15 Gb Total Space | 35,60 Gb Free Space | 58,22% Space Free | Partition Type: NTFS

Drive G: | 1,94 Gb Total Space | 0,32 Gb Free Space | 16,61% Space Free | Partition Type: FAT

 

Computer Name: AUTO-5CE37970A1 | User Name: Administrator | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: Current user

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: Off | File Age = 30 Days

 

========== Processes (SafeList) ==========

 

PRC - [2012-08-11 16:18:14 | 000,596,480 | ---- | M] (OldTimer Tools) -- G:\na_wirusy\OTL.exe

PRC - [2012-03-07 01:15:17 | 004,241,512 | ---- | M] (AVAST Software) -- E:\Program Files\Alwil Software\Avast5\AvastUI.exe

PRC - [2012-03-07 01:15:14 | 000,044,768 | ---- | M] (AVAST Software) -- e:\Program Files\Alwil Software\Avast5\AvastSvc.exe

PRC - [2008-03-20 12:04:46 | 002,127,296 | ---- | M] (Gadu-Gadu S.A.) -- C:\Program Files\Gadu-Gadu\gg.exe

PRC - [2007-06-13 15:23:49 | 001,034,752 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe

PRC - [2007-04-16 15:28:22 | 000,577,536 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\soundman.exe

 

 

========== Modules (No Company Name) ==========

 

MOD - [2012-08-11 08:09:13 | 001,792,512 | ---- | M] () -- e:\Program Files\Alwil Software\Avast5\defs\12081100\algo.dll

MOD - [2008-03-20 11:17:48 | 000,106,496 | ---- | M] () -- C:\Program Files\Gadu-Gadu\libiax2.dll

MOD - [2008-03-20 11:17:44 | 000,061,440 | ---- | M] () -- C:\Program Files\Gadu-Gadu\libjb.dll

MOD - [2007-10-25 13:51:16 | 000,198,656 | ---- | M] () -- C:\Program Files\Gadu-Gadu\libcurl.dll

 

 

========== Win32 Services (SafeList) ==========

 

SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\hidserv.dll -- (HidServ)

SRV - [2012-07-19 08:13:08 | 000,113,120 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)

SRV - [2012-03-07 01:15:14 | 000,044,768 | ---- | M] (AVAST Software) [Auto | Running] -- e:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)

SRV - [2011-06-17 19:33:04 | 000,237,008 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee Security Scan\3.0.207\McCHSvc.exe -- (McComponentHostService)

 

 

========== Driver Services (SafeList) ==========

 

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)

DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)

DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)

DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)

DRV - File not found [Kernel | System | Stopped] -- -- (Changer)

DRV - [2012-03-27 10:48:30 | 000,050,704 | ---- | M] (CACE Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\npf.sys -- (NPF)

DRV - [2012-03-07 01:03:51 | 000,612,184 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\aswSnx.sys -- (aswSnx)

DRV - [2012-03-07 01:03:38 | 000,337,880 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)

DRV - [2012-03-07 01:02:00 | 000,035,672 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr)

DRV - [2012-03-07 01:01:53 | 000,053,848 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)

DRV - [2012-03-07 01:01:39 | 000,095,704 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)

DRV - [2012-03-07 01:01:30 | 000,020,696 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)

DRV - [2012-03-07 00:58:29 | 000,024,920 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)

DRV - [2010-08-11 12:15:06 | 000,585,472 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\aec.sys -- (aec)

DRV - [2010-02-26 14:32:58 | 000,008,192 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbser_lowerfltj.sys -- (UsbserFilt)

DRV - [2010-02-26 14:32:46 | 000,008,192 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbser_lowerflt.sys -- (upperdev)

DRV - [2010-02-26 14:32:44 | 000,022,528 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ccdcmbo.sys -- (nmwcdc)

DRV - [2010-02-26 14:32:44 | 000,018,176 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ccdcmb.sys -- (nmwcd)

DRV - [2008-09-24 10:40:22 | 004,122,368 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\alcxwdm.sys -- (ALCXWDM)

DRV - [2008-08-26 10:26:12 | 000,018,816 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\pccsmcfd.sys -- (pccsmcfd)

DRV - [2007-03-13 05:35:56 | 000,476,416 | ---- | M] (Ralink Technology, Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\rt2870.sys -- (rt2870)

DRV - [2006-12-22 10:09:38 | 000,024,064 | ---- | M] (wave-p) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tw6802.sys -- (XVVideo)

DRV - [2005-03-14 07:01:38 | 000,041,984 | ---- | M] (DeviceGuys, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\DGIVECP.SYS -- (DgiVecp)

DRV - [2004-08-04 02:34:10 | 000,188,672 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\acpi.sys -- (ACPI)

DRV - [2004-08-04 01:08:22 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)

DRV - [2004-08-03 23:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139)

 

 

========== Standard Registry (SafeList) ==========

 

 

========== Internet Explorer ==========

 

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie

 

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

 

========== FireFox ==========

 

FF - user.js - File not found

 

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_3_300_262.dll ()

FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)

FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)

FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll File not found

FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)

FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)

 

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\wrc@avast.com: e:\Program Files\Alwil Software\Avast5\WebRep\FF [2012-03-27 17:03:14 | 000,000,000 | ---D | M]

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012-07-19 08:13:11 | 000,000,000 | ---D | M]

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012-01-11 17:31:20 | 000,000,000 | ---D | M]

 

[2012-08-12 17:37:27 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Dane aplikacji\Mozilla\Extensions

[2012-01-11 17:31:25 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions

[2012-07-19 08:13:10 | 000,136,672 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll

[2010-09-09 16:42:12 | 000,423,656 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll

[2012-05-18 08:38:36 | 000,002,767 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\allegro-pl.xml

[2012-05-18 08:38:36 | 000,001,406 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\fbc-pl.xml

[2012-05-18 08:38:36 | 000,000,917 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\merlin-pl.xml

[2012-05-18 08:38:36 | 000,000,858 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\pwn-pl.xml

[2012-05-18 08:38:36 | 000,001,183 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-pl.xml

[2012-05-18 08:38:36 | 000,001,683 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wp-pl.xml

 

O1 HOSTS File: ([2012-08-07 14:56:42 | 000,000,761 | RHS- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O1 - Hosts: ::1 localhost

O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)

O4 - HKLM..\Run: [avast5] e:\Program Files\Alwil Software\Avast5\AvastUI.exe (AVAST Software)

O4 - HKLM..\Run: [soundMan] C:\WINDOWS\soundman.exe (Realtek Semiconductor Corp.)

O4 - HKCU..\Run: [Gadu-Gadu] C:\Program Files\Gadu-Gadu\gg.exe (Gadu-Gadu S.A.)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoDriveTypeAutoRun: NoDriveTypeAutoRun = 177

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 0

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1

O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{8A64CE01-9215-4A30-83C5-26FDF1AFA246}: DhcpNameServer = 192.168.1.1

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)

O24 - Desktop Components:0 (Moja bieżąca strona główna) - About:Home

O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Idylla.bmp

O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Idylla.bmp

O27 - HKLM IFEO\mcmpeng.exe: Debugger - C:\WINDOWS\System32\svchost.exe (Microsoft Corporation)

O32 - HKLM CDRom: AutoRun - 0

O32 - AutoRun File - [2008-01-23 02:18:27 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O32 - AutoRun File - [2011-06-16 07:51:50 | 000,000,037 | ---- | M] () - G:\autorun.txt -- [ FAT ]

O34 - HKLM BootExecute: (autocheck autochk *)

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)

O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

 

========== Files/Folders - Created Within 30 Days ==========

 

[2012-08-12 19:27:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Dane aplikacji\OpenOffice.org

[2012-08-12 19:07:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Dane aplikacji\Gadu-Gadu

[2012-08-12 17:37:29 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\Menu Start\Programy\Narzędzia administracyjne

[2012-08-12 17:37:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Menu Start\Programy\Elraty 2007

[2012-08-12 17:37:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Menu Start\Programy\DVR

[2012-08-12 17:37:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Menu Start\Programy\Cairo-Soft

[2012-08-12 17:37:27 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\Menu Start\Programy\Autostart

[2012-08-12 17:37:27 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\Menu Start\Programy\Akcesoria

[2012-08-12 17:37:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Dane aplikacji\Adobe

[2012-08-12 17:37:26 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator\SendTo

[2012-08-12 17:37:26 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator\Recent

[2012-08-12 17:37:26 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\PrintHood

[2012-08-12 17:22:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Gadu-Gadu

[2012-08-12 17:19:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Pulpit\Dokumenty

[2012-08-12 17:19:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Pulpit\Auto Lakus

[2012-08-12 17:19:19 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\Pulpit\FERRO

[2012-08-12 17:01:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Moje dokumenty\Pobieranie

[2012-08-12 16:59:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\Mozilla

[2012-08-12 16:59:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Dane aplikacji\Mozilla

[2012-08-12 16:58:18 | 000,000,000 | --SD | C] -- C:\Documents and Settings\Administrator\Dane aplikacji\Microsoft

[2012-08-12 16:58:18 | 000,000,000 | --SD | C] -- C:\Documents and Settings\Administrator\Cookies

[2012-08-12 16:58:17 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator\Dane aplikacji

[2012-08-12 16:58:17 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\Menu Start

[2012-08-12 16:58:17 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\Ustawienia lokalne

[2012-08-12 16:58:17 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\Szablony

[2012-08-12 16:58:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Ulubione

[2012-08-12 16:58:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Pulpit

[2012-08-12 16:58:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Moje dokumenty

[2012-08-12 16:58:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\Microsoft

[2012-08-10 15:25:11 | 000,420,352 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ntvdm.exe

[2012-08-10 15:23:13 | 000,552,960 | ---- | C] (Datecs Polska Sp.z o.o.) -- C:\Program Files\DSS_2.4.5.3.exe

[2012-08-01 12:11:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Pulpit\Nowy folder

 

========== Files - Modified Within 30 Days ==========

 

[2012-08-12 22:10:39 | 000,786,432 | -H-- | M] () -- C:\Documents and Settings\Administrator\NTUSER.DAT

[2012-08-12 22:10:17 | 000,000,260 | ---- | M] () -- C:\WINDOWS\tasks\WGASetup.job

[2012-08-12 22:09:19 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT

[2012-08-12 22:09:13 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2012-08-12 22:08:08 | 000,000,188 | -HS- | M] () -- C:\Documents and Settings\Administrator\ntuser.ini

[2012-08-12 19:32:16 | 004,290,826 | -H-- | M] () -- C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\IconCache.db

[2012-08-12 17:45:11 | 000,000,241 | ---- | M] () -- C:\WINDOWS\system.ini

[2012-08-10 15:43:56 | 000,139,264 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\sndvol32.exe

[2012-08-10 15:43:48 | 000,420,352 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\ntvdm.exe

[2012-08-10 15:43:44 | 000,345,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\mspaint.exe

[2012-08-10 15:43:37 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe

[2012-08-10 15:43:10 | 000,395,776 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\cmd.exe

[2012-08-10 15:43:10 | 000,065,024 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\cleanmgr.exe

[2012-08-10 15:36:26 | 000,552,960 | ---- | M] (Datecs Polska Sp.z o.o.) -- C:\Program Files\DSS_2.4.5.3.exe

[2012-08-07 14:56:42 | 000,000,761 | RHS- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts

[2012-08-07 08:13:17 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

 

========== Files Created - No Company Name ==========

 

[2012-08-12 17:05:33 | 004,290,826 | -H-- | C] () -- C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\IconCache.db

[2012-08-12 16:58:36 | 000,000,563 | ---- | C] () -- C:\Documents and Settings\Administrator\Menu Start\Programy\Outlook Express.lnk

[2012-08-12 16:58:19 | 000,000,188 | -HS- | C] () -- C:\Documents and Settings\Administrator\ntuser.ini

[2012-08-12 16:58:18 | 000,000,792 | ---- | C] () -- C:\Documents and Settings\Administrator\Menu Start\Programy\Windows Media Player.lnk

[2012-08-12 16:58:17 | 000,786,432 | -H-- | C] () -- C:\Documents and Settings\Administrator\NTUSER.DAT

[2012-03-27 17:57:39 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat

 

========== LOP Check ==========

 

[2010-07-05 08:38:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Dane aplikacji\Alwil Software

[2012-03-23 15:20:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Dane aplikacji\IC_Katalog

[2010-06-29 15:38:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Dane aplikacji\Installations

[2012-05-22 10:27:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Dane aplikacji\NokiaInstallerCache

[2010-06-29 15:59:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Dane aplikacji\PC Suite

[2012-08-12 19:07:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Dane aplikacji\Gadu-Gadu

[2012-08-12 19:27:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Dane aplikacji\OpenOffice.org

[2012-08-12 22:10:17 | 000,000,260 | ---- | M] () -- C:\WINDOWS\Tasks\WGASetup.job

 

========== Purity Check ==========

 

 

 

< End of report >

Link to comment
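Added example, not part of the original thread or of OTL: a small Python parser that pulls the O32 AutoRun File entries and the NoDriveTypeAutoRun policy values out of OTL output like the logs above, lists root-level autorun.inf files carrying Hidden+System attributes (the ones singled out earlier in the thread), and decodes the policy bitmask. The function names are hypothetical; the bit meanings are the documented Windows drive-type flags.

```python
import re

# Sample input: O32/O6/O7 lines copied from the OTL output quoted in this thread.
SAMPLE_LOG = r"""
O32 - AutoRun File - [2010-07-05 11:24:08 | 000,000,011 | RHS- | M] () - C:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2010-07-05 11:24:55 | 000,000,013 | -HS- | M] () - E:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2010-07-05 11:26:58 | 000,000,011 | -HS- | M] () - F:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2011-06-16 07:51:50 | 000,000,037 | ---- | M] () - G:\autorun.txt -- [ FAT ]
O32 - AutoRun File - [2008-01-23 02:18:27 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoDriveTypeAutoRun: NoDriveTypeAutoRun = 177
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
"""

# NoDriveTypeAutoRun is a bitmask: a set bit disables AutoRun for that drive type.
DRIVE_TYPE_BITS = {
    0x01: "unknown", 0x02: "no_root_dir", 0x04: "removable", 0x08: "fixed",
    0x10: "network", 0x20: "cdrom", 0x40: "ramdisk", 0x80: "reserved",
}

O32_RE = re.compile(
    r"^O32 - AutoRun File - \[(?P<stamp>[\d\- :]+) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[RHSD\-]{4}) \| \w\] \(.*?\) - (?P<path>.+?) -- \[ (?P<fs>\w+) \]$"
)
NDTA_RE = re.compile(
    r"^O[67] - (?P<hive>HKLM|HKCU)\\.*NoDriveTypeAutoRun = (?P<value>\d+)$"
)


def parse_autorun_files(log):
    """Parse every 'O32 - AutoRun File' line into a dict."""
    entries = []
    for line in log.splitlines():
        m = O32_RE.match(line.strip())
        if not m:
            continue
        attrs = m["attrs"]
        name = m["path"].rsplit("\\", 1)[-1].lower()
        entries.append({
            "path": m["path"],
            "modified": m["stamp"],
            "size": int(m["size"].replace(",", "")),
            "attrs": attrs,
            "fs": m["fs"],
            "is_autorun_inf": name == "autorun.inf",
            "hidden_system": "H" in attrs and "S" in attrs,
        })
    return entries


def autoruns_to_review(entries):
    """autorun.inf files that are both Hidden and System: candidates for review."""
    return [e["path"] for e in entries if e["is_autorun_inf"] and e["hidden_system"]]


def decode_no_drive_type_autorun(value):
    """Drive types for which this mask disables AutoRun, sorted by name."""
    return sorted(name for bit, name in DRIVE_TYPE_BITS.items() if value & bit)


def autorun_policy(log):
    """Map hive -> decoded NoDriveTypeAutoRun policy found in O6/O7 lines."""
    policy = {}
    for line in log.splitlines():
        m = NDTA_RE.match(line.strip())
        if m:
            value = int(m["value"])
            policy[m["hive"]] = {
                "value": value,
                "disabled_for": decode_no_drive_type_autorun(value),
                "removable_disabled": bool(value & 0x04),
            }
    return policy


if __name__ == "__main__":
    for path in autoruns_to_review(parse_autorun_files(SAMPLE_LOG)):
        print("review:", path)
    for hive, info in autorun_policy(SAMPLE_LOG).items():
        print(hive, hex(info["value"]), info["disabled_for"])
```

For the values in this log, neither 177 nor 145 sets the removable-drive bit (0x04), so this policy does not switch AutoRun off for removable drives.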