RNS Posted 18 September 2010

Hello! I would like to ask for help solving a problem with my infected computer. I am not well versed in the subject, so please bear that in mind if my description of the problem is bad or incomplete. However, I have read the rules that must be followed when starting threads. To begin with, I will admit that about a month ago, after a scan, I ran ComboFix without first asking whether it was necessary. This was the result of a scan with NOD32, which detected around 100 infected files. First of all, ComboFix caused problems right from the start, i.e. it did not generate a log, and an error popped up during the scan. A week after doing this my Windows died and hung during startup. A friend restored my system from the end of August. Yesterday I ran a NOD32 scan and it found 388 infected files... various trojans, all of which are in the quarantine tab. After the system restore, above all Opera does not work for me; it pops up... error 10. Explorer shuts down every so often... I have a question: is there a chance of saving the system and getting rid of the problem?? I am attaching the required attachments in full, exactly as they were saved in txt. Except that GMER would not start for me; the screen of death appeared and the computer restarted.
OTL Extras logfile created on: 2010-09-18 07:46:18 - Run 1
OTL by OldTimer - Version 3.2.12.1 Folder = D:\Documents and Settings\Sławek\Pulpit
Windows XP Professional Edition Dodatek Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000415 | Country: Polska | Language: PLK | Date Format: yyyy-MM-dd

2,00 Gb Total Physical Memory | 2,00 Gb Available Physical Memory | 77,00% Memory free
4,00 Gb Paging File | 4,00 Gb Available in Paging File | 91,00% Paging File free
Paging file location(s): D:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = D: | %SystemRoot% = D:\WINDOWS | %ProgramFiles% = D:\Program Files
Drive C: | 100,22 Gb Total Space | 18,64 Gb Free Space | 18,60% Space Free | Partition Type: NTFS
Drive D: | 48,82 Gb Total Space | 12,00 Gb Free Space | 24,57% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 232,88 Gb Total Space | 8,59 Gb Free Space | 3,69% Space Free | Partition Type: NTFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: S-4D77D1A397C04
Current User Name: Sławek
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.html [@ = Opera.HTML] -- D:\Program Files\Opera\Opera.exe (Opera Software)
.url [@ = InternetShortcut] -- rundll32.exe shdocvw.dll,OpenURL %l
.reg [@ = regfile] -- regedit.exe "%1"

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
helpfile [open] -- winhlp32.exe %1
htmlfile [edit] -- Reg Error: Key error.
http [open] -- "D:\Program Files\Opera\opera.exe" "%1" (Opera Software)
https [open] -- "D:\Program Files\Opera\opera.exe" "%1" (Opera Software)
InternetShortcut [open] -- rundll32.exe shdocvw.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [open] -- regedit.exe "%1"
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 1
"UpdatesDisableNotify" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== Firewall Settings ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"8375:TCP" = 8375:TCP:*:Enabled:League of Legends Launcher
"8375:UDP" = 8375:UDP:*:Enabled:League of Legends Launcher
"8376:TCP" = 8376:TCP:*:Enabled:League of Legends Launcher
"8376:UDP" = 8376:UDP:*:Enabled:League of Legends Launcher
"6900:TCP" = 6900:TCP:*:Enabled:League of Legends Launcher
"6900:UDP" = 6900:UDP:*:Enabled:League of Legends Launcher
"8377:TCP" = 8377:TCP:*:Enabled:League of Legends Launcher
"8377:UDP" = 8377:UDP:*:Enabled:League of Legends Launcher
"6910:TCP" = 6910:TCP:*:Enabled:League of Legends Launcher
"6910:UDP" = 6910:UDP:*:Enabled:League of Legends Launcher
"6902:TCP" = 6902:TCP:*:Enabled:League of Legends Launcher
"6902:UDP" = 6902:UDP:*:Enabled:League of Legends Launcher
"8378:TCP" = 8378:TCP:*:Enabled:League of Legends Launcher
"8378:UDP" = 8378:UDP:*:Enabled:League of Legends Launcher
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"6974:TCP" = 6974:TCP:*:Enabled:League of Legends Launcher
"6974:UDP" = 6974:UDP:*:Enabled:League of Legends Launcher
"6901:TCP" = 6901:TCP:*:Enabled:League of Legends Launcher
"6901:UDP" = 6901:UDP:*:Enabled:League of Legends Launcher
"6968:TCP" = 6968:TCP:*:Enabled:League of Legends Launcher
"6968:UDP" = 6968:UDP:*:Enabled:League of Legends Launcher
"6920:TCP" = 6920:TCP:*:Enabled:League of Legends Launcher
"6920:UDP" = 6920:UDP:*:Enabled:League of Legends Launcher
"8379:TCP" = 8379:TCP:*:Enabled:League of Legends Launcher
"8379:UDP" = 8379:UDP:*:Enabled:League of Legends Launcher
"6979:TCP" = 6979:TCP:*:Enabled:League of Legends Launcher
"6979:UDP" = 6979:UDP:*:Enabled:League of Legends Launcher
"6964:TCP" = 6964:TCP:*:Enabled:League of Legends Launcher
"6964:UDP" = 6964:UDP:*:Enabled:League of Legends Launcher
"6912:TCP" = 6912:TCP:*:Enabled:League of Legends Launcher
"6912:UDP" = 6912:UDP:*:Enabled:League of Legends Launcher

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"D:\Program Files\Samsung\SAMSUNG PC Share Manager\WiselinkPro.exe" = D:\Program Files\Samsung\SAMSUNG PC Share Manager\WiselinkPro.exe:*:Enabled:WiselinkPro -- ()
"D:\Program Files\Samsung\SAMSUNG PC Share Manager\http_ss_win_pro.exe" = D:\Program Files\Samsung\SAMSUNG PC Share Manager\http_ss_win_pro.exe:*:Enabled:http_ss_win_pro -- ()
"D:\Program Files\Gadu-Gadu 10\gg.exe" = D:\Program Files\Gadu-Gadu 10\gg.exe:*:Enabled:Gadu-Gadu 10 -- (GG Network S.A.)
"D:\Program Files\Opera\opera.exe" = D:\Program Files\Opera\opera.exe:*:Enabled:Opera Internet Browser -- (Opera Software)
"D:\Riot Games\League of Legends\air\LolClient.exe" = D:\Riot Games\League of Legends\air\LolClient.exe:*:Enabled:League of Legends Lobby -- ()
"D:\Riot Games\League of Legends\game\League of Legends.exe" = D:\Riot Games\League of Legends\game\League of Legends.exe:*:Enabled:League of Legends Game Client -- ()
"D:\Program Files\Java\jre6\bin\javaw.exe" = D:\Program Files\Java\jre6\bin\javaw.exe:*:Enabled:Java Platform SE binary -- (Sun Microsystems, Inc.)
"D:\Program Files\Sony Ericsson\Update Service\Update Service.exe" = D:\Program Files\Sony Ericsson\Update Service\Update Service.exe:*:Enabled:Update Service -- ()
"D:\Program Files\Sony Ericsson\SEMC OMSI Module\SEMC OMSI Module.exe" = D:\Program Files\Sony Ericsson\SEMC OMSI Module\SEMC OMSI Module.exe:*:Enabled:SEMC OMSI Module -- ()
"D:\Program Files\SopCast\SopCast.exe" = D:\Program Files\SopCast\SopCast.exe:*:Enabled:SopCast Main Application -- (www.sopcast.com)
"D:\Program Files\SopCast\adv\SopAdver.exe" = D:\Program Files\SopCast\adv\SopAdver.exe:*:Enabled:SopCast Adver -- (www.sopcast.com)
"D:\Program Files\Samsung\Samsung New PC Studio\npsasvr.exe" = D:\Program Files\Samsung\Samsung New PC Studio\npsasvr.exe:*:Enabled:KTF MUSIC AoD Server -- (PeeringPortal)
"D:\Program Files\Samsung\Samsung New PC Studio\npsvsvr.exe" = D:\Program Files\Samsung\Samsung New PC Studio\npsvsvr.exe:*:Enabled:KTF MUSIC VoD Server -- (PeeringPortal)
"D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe" = D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe:*:Enabled:Alcohol iSCSI Service -- File not found
"D:\Program Files\Ubisoft\Transmission Games\Heroes Over Europe\heroes2.exe" = D:\Program Files\Ubisoft\Transmission Games\Heroes Over Europe\heroes2.exe:*:Enabled:Heroes Over Europe -- (Transmission Games)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0101386E-6E51-4544-A66E-26FA06FF1776}" = Heroes Over Europe
"{18F11181-EA1A-42AE-AF89-4867C7F7A6FA}" = Sound Blaster X-Fi
"{1943A043-5C85-4A16-A0D0-D687B2C1A40F}" = VirtualCom driver
"{1BBDD6C0-ED6F-43C3-8A9C-84E3249A5615}" = TWIN PS TO PC CONVERTER
"{26A24AE4-039D-4CA4-87B4-2F83216018FF}" = Java 6 Update 18
"{2A2E822B-3B0E-46C1-9E3B-ACD7D1E95139}" = SAMSUNG PC Share Manager
"{2FFE93F0-BB72-4E52-8761-354D1AAA9387}" = Sony Ericsson PC Suite 6.011.00
"{33CF58F5-48D8-4575-83D6-96F574E4D83A}" = Nero DriveSpeed
"{34BDF3BF-AA61-42E7-8818-C16A304910FC}" = Emma Core
"{350C9415-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{359CFC0A-BEB1-440D-95BA-CF63A86DA34F}" = Nero Recode
"{368BA326-73AD-4351-84ED-3C0A7A52CC53}" = Nero Rescue Agent
"{3A1B5D40-41E9-43FA-8C7B-A8667F5586EF}" = JRAID
"{43E39830-1826-415D-8BAE-86845787B54B}" = Nero Vision
"{477AB148-138C-46D2-820B-0DBFA744CEE8}" = TV@Anywhere Utilities
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{58627328-3fbe-490c-a41a-acd9999ba779}" = Nero 9 Trial
"{5888428E-699C-4E71-BF71-94EE06B497DA}" = TuneUp Utilities 2008
"{595A3116-40BB-4E0F-A2E8-D7951DA56270}" = NeroExpress
"{5C1DA723-24FC-48AD-93BA-925695C3EF26}" = Logitech Gaming Software
"{62AC81F6-BDD3-4110-9D36-3E9EAAB40999}" = Nero CoverDesigner
"{6BD5BAAF-44F0-4D9B-88E7-4D1C54E689AC}" = ESET NOD32 Antivirus
"{70858C67-8761-4444-895A-0A8B2E9E144E}" = Opera 10.61
"{7184F382-8A6C-4B85-A3AC-B63734B1E241}" = SAMSUNG Mobile USB Driver
"{760E3EF8-577D-483E-9CB2-E759880AD82E}" = League of Legends
"{7748AC8C-18E3-43BB-959B-088FAEA16FB2}" = Nero StartSmart
"{7829DB6F-A066-4E40-8912-CB07887C20BB}" = Nero BurnRights
"{79438F1E-DEC3-443D-9DCD-FECE2D68C605}" = IL-2 Sturmovik 1946
"{7E84FAC8-C518-40F9-9807-7455301D6D25}" = SamsungConnectivityCableDriver
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{869200DB-287A-4DC0-B02B-2B6787FBCD4C}" = Nero DiscSpeed
"{86D4B82A-ABED-442A-BE86-96357B70F4FE}" = Ask Toolbar
"{90110415-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{92606477-9366-4D3B-8AE3-6BE4B29727AB}" = League of Legends
"{9E82B934-9A25-445B-B8DF-8012808074AC}" = Nero PhotoSnap
"{A209525B-3377-43F4-B886-32F6B6E7356F}" = Nero WaveEditor
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A8F2089B-1F79-4BF6-B385-A2C2B0B9A74D}" = ImagXpress
"{AC599724-5755-48C1-ABE7-ABB857652930}" = PC Connectivity Solution
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3
"{AEC0CEBC-0FC7-4716-8222-1C4A742719B1}" = Samsung Master
"{AF7E85DC-317C-47F5-810E-B82EE093A612}" = Samsung New PC Studio USB Driver Installer
"{B0DC2DA9-2AF9-422A-88E0-1B84E0F65DB5}" = Speed-Link SL-6535 USB Pad
"{B1ADF008-E898-4FE2-8A1F-690D9A06ACAF}" = DolbyFiles
"{B2EC4A38-B545-4A00-8214-13FE0E915E6D}" = Advertising Center
"{B78120A0-CF84-4366-A393-4D0A59BC546C}" = Menu Templates - Starter Kit
"{BD5CA0DA-71AD-43DA-B19E-6EEE0C9ADC9A}" = Nero ControlCenter
"{BEEFC4F8-2909-48B3-AFAA-55D3533FDEDD}" = Creative MediaSource 5
"{C5A7CB6C-E76D-408F-BA0E-85605420FE9D}" = SoundTrax
"{D025A639-B9C9-417D-8531-208859000AF8}" = NeroBurningROM
"{D8CE69B0-9274-4b8c-BA49-0FF6A20A3C65}" = SAMSUNG SYMBIAN USB Download Driver
"{D9DCF92E-72EB-412D-AC71-3B01276E5F8B}" = Nero ShowTime
"{E498385E-1C51-459A-B45F-1721E37AA1A0}" = Movie Templates - Starter Kit
"{E8A80433-302B-4FF1-815D-FCC8EAC482FF}" = Nero Installer
"{F193FC0E-9E18-40FC-A974-509A1BDD240A}" = Samsung New PC Studio
"{FBCDFD61-7DCF-4E71-9226-873BA0053139}" = Nero InfoTool
"3A5DEFA413DDE699DBA6EBE0A63534ACA524D30F" = Pakiet sterowników systemu Windows - Nokia pccsmcfd (10/12/2007 6.85.4.0)
"6194C28A8F62DD817EA1B918E6E46E806A21B452" = Pakiet sterowników systemu Windows - MobileTop (sshpmdm) Modem (02/23/2007 2.5.0.0)
"65B6FE5418CE28F4D72543FB2D964C3CEC83F161" = Pakiet sterowników systemu Windows - MobileTop (sshpusb) USB (02/23/2007 2.5.0.0)
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"AIMP2" = AIMP2
"CDisplay_is1" = CDisplay 1.8
"Core Center" = Core Center
"cw2_pl_is1" = Combat Wings - Bitwa o Anglię
"E24870CB6AA1C3511635FF9020A3E9471287FBE7" = Pakiet sterowników systemu Windows - MobileTop (sshpmdm) Modem (01/26/2008 2.6.0.0)
"free-downloads.net Toolbar" = free-downloads.net Toolbar
"Gadu-Gadu 10" = Gadu-Gadu 10
"Guitar Pro 5_is1" = Guitar Pro 5.2
"InstallShield_{2A2E822B-3B0E-46C1-9E3B-ACD7D1E95139}" = SAMSUNG PC Share Manager
"InstallShield_{79438F1E-DEC3-443D-9DCD-FECE2D68C605}" = IL-2 Sturmovik 1946
"InstallShield_{AF7E85DC-317C-47F5-810E-B82EE093A612}" = Samsung New PC Studio USB Driver Installer
"InstallShield_{F193FC0E-9E18-40FC-A974-509A1BDD240A}" = Samsung New PC Studio
"ipla" = ipla 2.1.2
"JDownloader" = JDownloader
"KLiteCodecPack_is1" = K-Lite Codec Pack 6.0.4 (Basic)
"Liveupdate4_is1" = Liveupdate4
"MSI8624Drv" = MSI 8624 Video Capture
"NVIDIA Drivers" = NVIDIA Drivers
"SAMSUNG Android USB Modem" = SAMSUNG Android USB Modem Software
"Samsung ML-2010 Series" = Samsung ML-2010 Series
"SAMSUNG Mobile Composite Device" = SAMSUNG Mobile Composite Device Software
"SAMSUNG Mobile Modem" = SAMSUNG Mobile Modem Driver Set
"Samsung Mobile Modem Device" = Samsung Mobile Modem Device Software
"SAMSUNG Mobile Modem V2" = SAMSUNG Mobile Modem V2 Software
"Samsung Mobile phone USB driver" = Samsung Mobile phone USB driver Software
"SAMSUNG Mobile USB Download Driver" = SAMSUNG Mobile USB Download Driver Software
"SAMSUNG Mobile USB Modem" = SAMSUNG Mobile USB Modem Software
"SAMSUNG Mobile USB Modem 1.0" = SAMSUNG Mobile USB Modem 1.0 Software
"Samsung Mobile USB Modem Device" = Samsung Mobile USB Modem Device Software
"SAMSUNG USB Mobile Device" = SAMSUNG USB Mobile Device Software
"SEMC OMSI Module" = SEMC OMSI Module
"SopCast" = SopCast 3.2.9
"SubEdit-Player_is1" = SubEdit-Player
"Superfrog for Windows (d)" = Superfrog for Windows (d)
"Update Service" = Update Service
"VirtualCloneDrive" = VirtualCloneDrive
"Wdf01007" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"WinRAR archiver" = Archiwizator WinRAR
"WMFDist11" = Windows Media Format 11 runtime
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_USERS Uninstall List ==========
[HKEY_USERS\S-1-5-21-606747145-1085031214-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"advantage_DAEM" = AdVantage (Powering DAEMON Tools)
"Artist's Sketchbook 1.65" = Artist's Sketchbook 1.65

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 2010-09-17 06:56:00 | Computer Name = S-4D77D1A397C04 | Source = SecurityCenter | ID = 1802
Description = Usługa Centrum zabezpieczeń systemu Windows nie może ustanowić kwerend zdarzeń z WMI, aby monitorować zaporę i program antywirusowy innej firmy.

Error - 2010-09-17 07:02:49 | Computer Name = S-4D77D1A397C04 | Source = SecurityCenter | ID = 1802
Description = Usługa Centrum zabezpieczeń systemu Windows nie może ustanowić kwerend zdarzeń z WMI, aby monitorować zaporę i program antywirusowy innej firmy.

Error - 2010-09-17 15:29:03 | Computer Name = S-4D77D1A397C04 | Source = SecurityCenter | ID = 1802
Description = Usługa Centrum zabezpieczeń systemu Windows nie może ustanowić kwerend zdarzeń z WMI, aby monitorować zaporę i program antywirusowy innej firmy.

Error - 2010-09-17 15:56:30 | Computer Name = S-4D77D1A397C04 | Source = Application Error | ID = 1000
Description = Aplikacja powodująca błąd iexplore.exe, wersja 6.0.2900.2180, moduł powodujący błąd mshtml.dll, wersja 6.0.2900.2180, adres błędu 0x0016108f.

Error - 2010-09-17 16:29:02 | Computer Name = S-4D77D1A397C04 | Source = SecurityCenter | ID = 1802
Description = Usługa Centrum zabezpieczeń systemu Windows nie może ustanowić kwerend zdarzeń z WMI, aby monitorować zaporę i program antywirusowy innej firmy.

Error - 2010-09-17 16:31:20 | Computer Name = S-4D77D1A397C04 | Source = Application Error | ID = 1000
Description = Aplikacja powodująca błąd explorer.exe, wersja 6.0.2900.2180, moduł powodujący błąd unknown, wersja 0.0.0.0, adres błędu 0x00b111a9.

Error - 2010-09-17 16:31:29 | Computer Name = S-4D77D1A397C04 | Source = SecurityCenter | ID = 1802
Description = Usługa Centrum zabezpieczeń systemu Windows nie może ustanowić kwerend zdarzeń z WMI, aby monitorować zaporę i program antywirusowy innej firmy.

Error - 2010-09-18 01:04:08 | Computer Name = S-4D77D1A397C04 | Source = SecurityCenter | ID = 1802
Description = Usługa Centrum zabezpieczeń systemu Windows nie może ustanowić kwerend zdarzeń z WMI, aby monitorować zaporę i program antywirusowy innej firmy.

Error - 2010-09-18 01:10:16 | Computer Name = S-4D77D1A397C04 | Source = Application Error | ID = 1000
Description = Aplikacja powodująca błąd iexplore.exe, wersja 6.0.2900.2180, moduł powodujący błąd mshtml.dll, wersja 6.0.2900.2180, adres błędu 0x0016108f.

Error - 2010-09-18 01:24:13 | Computer Name = S-4D77D1A397C04 | Source = Application Error | ID = 1000
Description = Aplikacja powodująca błąd iexplore.exe, wersja 6.0.2900.2180, moduł powodujący błąd mshtml.dll, wersja 6.0.2900.2180, adres błędu 0x0016108f.
[ System Events ]
Error - 2010-09-14 13:10:25 | Computer Name = S-4D77D1A397C04 | Source = Service Control Manager | ID = 7023
Description = Usługa Aktualizacje automatyczne zakończyła działanie; wystąpił następujący błąd: %%126

Error - 2010-09-14 15:43:49 | Computer Name = S-4D77D1A397C04 | Source = Service Control Manager | ID = 7023
Description = Usługa Aktualizacje automatyczne zakończyła działanie; wystąpił następujący błąd: %%126

Error - 2010-09-15 09:14:16 | Computer Name = S-4D77D1A397C04 | Source = Service Control Manager | ID = 7023
Description = Usługa Aktualizacje automatyczne zakończyła działanie; wystąpił następujący błąd: %%126

Error - 2010-09-15 09:59:54 | Computer Name = S-4D77D1A397C04 | Source = Service Control Manager | ID = 7023
Description = Usługa Aktualizacje automatyczne zakończyła działanie; wystąpił następujący błąd: %%126

Error - 2010-09-17 06:39:38 | Computer Name = S-4D77D1A397C04 | Source = Service Control Manager | ID = 7000
Description = Nie można uruchomić usługi StarWind AE Service z powodu następującego błędu: %%2

Error - 2010-09-17 06:57:33 | Computer Name = S-4D77D1A397C04 | Source = Service Control Manager | ID = 7000
Description = Nie można uruchomić usługi StarWind AE Service z powodu następującego błędu: %%2

Error - 2010-09-17 07:04:20 | Computer Name = S-4D77D1A397C04 | Source = Service Control Manager | ID = 7000
Description = Nie można uruchomić usługi StarWind AE Service z powodu następującego błędu: %%2

Error - 2010-09-17 14:30:35 | Computer Name = S-4D77D1A397C04 | Source = Service Control Manager | ID = 7000
Description = Nie można uruchomić usługi StarWind AE Service z powodu następującego błędu: %%2

Error - 2010-09-17 16:32:44 | Computer Name = S-4D77D1A397C04 | Source = Service Control Manager | ID = 7000
Description = Nie można uruchomić usługi StarWind AE Service z powodu następującego błędu: %%2

Error - 2010-09-18 01:05:23 | Computer Name = S-4D77D1A397C04 | Source = Service Control Manager | ID = 7000
Description = Nie można uruchomić usługi StarWind AE Service z powodu następującego błędu: %%2

< End of report >

OTL logfile created on: 2010-09-18 07:46:18 - Run 1
OTL by OldTimer - Version 3.2.12.1 Folder = D:\Documents and Settings\Sławek\Pulpit
Windows XP Professional Edition Dodatek Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000415 | Country: Polska | Language: PLK | Date Format: yyyy-MM-dd

2,00 Gb Total Physical Memory | 2,00 Gb Available Physical Memory | 77,00% Memory free
4,00 Gb Paging File | 4,00 Gb Available in Paging File | 91,00% Paging File free
Paging file location(s): D:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = D: | %SystemRoot% = D:\WINDOWS | %ProgramFiles% = D:\Program Files
Drive C: | 100,22 Gb Total Space | 18,64 Gb Free Space | 18,60% Space Free | Partition Type: NTFS
Drive D: | 48,82 Gb Total Space | 12,00 Gb Free Space | 24,57% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 232,88 Gb Total Space | 8,59 Gb Free Space | 3,69% Space Free | Partition Type: NTFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: S-4D77D1A397C04
Current User Name: Sławek
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010-09-18 07:44:56 | 000,575,488 | ---- | M] (OldTimer Tools) -- D:\Documents and Settings\Sławek\Pulpit\OTL.com
PRC - [2010-08-12 14:16:26 | 000,810,144 | ---- | M] (ESET) -- D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
PRC - [2010-08-12 14:16:12 | 002,215,064 | ---- | M] (ESET) -- D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
PRC - [2010-02-25 09:43:46 | 000,306,296 | ---- | M] (Sony Ericsson Mobile Communications) -- D:\Program Files\Common Files\Sony Ericsson\Emma Core\Services\EmmaDeviceMgmt.exe
PRC - [2010-02-25 09:43:46 | 000,162,936 | ---- | M] (Sony Ericsson Mobile Communications) -- D:\Program Files\Common Files\Sony Ericsson\Emma Core\Services\EmmaUpdateMgmt.exe
PRC - [2009-11-20 10:17:12 | 000,434,176 | ---- | M] (Sony Ericsson Mobile Communications AB) -- D:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
PRC - [2009-10-09 15:18:14 | 000,238,952 | ---- | M] (Teruten) -- D:\WINDOWS\system32\FsUsbExService.Exe
PRC - [2009-09-23 14:38:18 | 000,935,208 | ---- | M] (Nero AG) -- D:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
PRC - [2009-06-17 13:44:11 | 000,085,160 | ---- | M] (Elaborate Bytes AG) -- D:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
PRC - [2009-04-30 11:23:26 | 000,090,112 | ---- | M] () -- D:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe
PRC - [2006-05-24 06:20:44 | 000,018,944 | ---- | M] (Creative Technology Ltd) -- D:\WINDOWS\system32\CTXFIHLP.EXE
PRC - [2006-05-24 06:20:41 | 000,017,920 | ---- | M] (Creative Technology Ltd) -- D:\WINDOWS\CTHELPER.EXE
PRC - [2006-05-24 06:05:45 | 000,730,112 | ---- | M] (Creative Technology Ltd) -- D:\WINDOWS\system32\CTXFISPI.EXE
PRC - [2006-04-20 10:07:32 | 000,385,024 | R--- | M] (JMicron Technology Corp.) -- D:\WINDOWS\system32\JMRaidTool.exe
PRC - [2006-04-05 18:19:56 | 000,122,880 | ---- | M] (Creative Technology Ltd) -- D:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
PRC - [2005-07-03 16:20:50 | 000,372,736 | R--- | M] (Samsung Electronics.) -- D:\WINDOWS\Samsung\ComSMMgr\SSMMgr.exe
PRC - [2005-04-18 11:16:02 | 000,073,728 | ---- | M] (Logitech Inc.) -- D:\Program Files\Logitech\Profiler\LWEMon.exe
PRC - [2004-08-04 01:44:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\explorer.exe

========== Modules (SafeList) ==========

MOD - [2010-09-18 07:44:56 | 000,575,488 | ---- | M] (OldTimer Tools) -- D:\Documents and Settings\Sławek\Pulpit\OTL.com
MOD - [2006-05-24 06:20:39 | 000,007,168 | ---- | M] (Creative Technology Ltd) -- D:\WINDOWS\system32\CTAGENT.DLL
MOD - [2004-08-04 01:42:34 | 001,050,624 | R--- | M] (Microsoft Corporation) -- D:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
MOD - [2004-08-04 00:01:18 | 000,102,400 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\system32\msscript.ocx

========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe -- (StarWindServiceAE)
SRV - [2010-08-12 14:18:40 | 000,033,584 | ---- | M] (ESET) [On_Demand | Stopped] -- D:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe -- (EhttpSrv)
SRV - [2010-08-12 14:16:26 | 000,810,144 | ---- | M] (ESET) [Auto | Running] -- D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe -- (ekrn)
SRV - [2010-03-28 19:28:12 | 000,361,728 | ---- | M] (TuneUp Software GmbH) [On_Demand | Stopped] -- D:\WINDOWS\system32\TuneUpDefragService.exe -- (TuneUp.Defrag)
SRV - [2010-02-25 09:43:46 | 000,306,296 | ---- | M] (Sony Ericsson Mobile Communications) [Auto | Running] -- D:\Program Files\Common Files\Sony Ericsson\Emma Core\Services\EmmaDeviceMgmt.exe -- (EmmaDevMgmtSvc)
SRV - [2010-02-25 09:43:46 | 000,162,936 | ---- | M] (Sony Ericsson Mobile Communications) [Auto | Running] -- D:\Program Files\Common Files\Sony Ericsson\Emma Core\Services\EmmaUpdateMgmt.exe -- (EmmaUpdMgmtSvc)
SRV - [2009-10-09 15:18:14 | 000,238,952 | ---- | M] (Teruten) [Auto | Running] -- D:\WINDOWS\system32\FsUsbExService.Exe -- (FsUsbExService)
SRV - [2009-09-23 14:38:18 | 000,935,208 | ---- | M] (Nero AG) [Auto | Running] -- D:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe -- (Nero BackItUp Scheduler 4.0)
SRV - [2009-04-30 11:23:26 | 000,090,112 | ---- | M] () [Auto | Running] -- D:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe -- (OMSI download service)
SRV - [2009-01-08 10:38:46 | 004,136,960 | ---- | M] () [On_Demand | Stopped] -- D:\Program Files\Samsung\SAMSUNG PC Share Manager\WiselinkPro.exe -- (WiselinkPro)
SRV - [2008-07-18 15:05:40 | 000,028,416 | ---- | M] (TuneUp Software GmbH) [Auto | Running] -- D:\WINDOWS\system32\uxtuneup.dll -- (UxTuneUp)
SRV - [2008-04-07 09:17:30 | 000,430,592 | ---- | M] (Nokia.) [On_Demand | Stopped] -- D:\Program Files\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- E:\INSTALL\GMSIPCI.SYS -- (GMSIPCI)
DRV - [2010-08-04 11:50:36 | 000,140,752 | ---- | M] (ESET) [File_System | Auto | Running] -- D:\WINDOWS\system32\drivers\eamon.sys -- (eamon)
DRV - [2010-08-03 13:28:36 | 000,095,896 | ---- | M] (ESET) [Kernel | System | Running] -- D:\WINDOWS\system32\drivers\epfwtdir.sys -- (epfwtdir)
DRV - [2010-07-29 13:31:26 | 000,115,008 | ---- | M] (ESET) [Kernel | System | Running] -- D:\WINDOWS\system32\drivers\ehdrv.sys -- (ehdrv)
DRV - [2010-06-20 15:34:31 | 000,697,328 | ---- | M] () [Kernel | Boot | Running] -- D:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)
DRV - [2010-03-28 14:17:53 | 000,027,632 | ---- | M] (Sony Ericsson Mobile Communications) [Kernel | On_Demand | Running] -- D:\WINDOWS\system32\drivers\seehcri.sys -- (seehcri)
DRV - [2010-03-28 14:17:53 | 000,025,512 | ---- | M] (Sony Ericsson Mobile Communications) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\ggsemc.sys -- (ggsemc)
DRV - [2010-03-28 14:17:53 | 000,013,224 | ---- | M] (Sony Ericsson Mobile Communications) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\ggflt.sys -- (ggflt)
DRV - [2009-12-18 00:25:12 | 000,026,024 | ---- | M] (Elaborate Bytes AG) [Kernel | System | Running] -- D:\WINDOWS\system32\drivers\ElbyCDIO.sys -- (ElbyCDIO)
DRV - [2009-10-05 09:29:46 | 000,036,608 | ---- | M] () [Kernel | On_Demand | Running] -- D:\WINDOWS\system32\FsUsbExDisk.Sys -- (FsUsbExDisk)
DRV - [2009-09-11 10:40:06 | 000,121,856 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\ssadmdm.sys -- (ssadmdm)
DRV - [2009-09-11 10:40:06 | 000,090,240 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\ssadbus.sys -- (ssadbus) SAMSUNG Android USB Composite Device driver (WDM)
DRV - [2009-09-11 10:40:06 | 000,014,976 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\ssadmdfl.sys -- (ssadmdfl) SAMSUNG Android USB Modem (Filter)
DRV - [2009-09-04 11:12:50 | 000,030,240 | ---- | M] (Google Inc) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\ssadadb.sys -- (androidusb)
DRV - [2009-08-09 23:25:56 | 000,000,000 | ---- | M] () [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\vclone.sys -- (VClone)
DRV - [2008-05-16 11:33:14 | 000,115,752 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\s0016unic.sys -- (s0016unic) Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM)
DRV - [2008-05-16 11:33:14 | 000,025,512 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\s0016nd5.sys -- (s0016nd5) Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS)
DRV - [2008-05-16 11:33:14 | 000,015,016 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\s0016mdfl.sys -- (s0016mdfl)
DRV - [2008-05-16 11:33:12 | 000,120,744 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\s0016mdm.sys -- (s0016mdm)
DRV - [2008-05-16 11:33:12 | 000,114,216 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\s0016mgmt.sys -- (s0016mgmt) Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM)
DRV - [2008-05-16 11:33:12 | 000,110,632 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\s0016obex.sys -- (s0016obex)
DRV - [2008-05-16 11:33:12 | 000,089,256 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\s0016bus.sys -- (s0016bus) Sony Ericsson Device 0016 driver (WDM)
DRV - [2007-12-14 10:21:32 | 000,009,216 | ---- | M] () [Kernel | On_Demand | Stopped] -- D:\Program Files\MSI\Live Update 4\LU4\flashsys.sys -- (FLASHSYS)
DRV - [2007-09-17 15:53:26 | 000,021,632 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\pccsmcfd.sys -- (pccsmcfd)
DRV - [2007-07-03 16:58:20 | 000,106,792 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\sscdmdm.sys -- (sscdmdm)
DRV - [2007-07-03 16:57:24 | 000,011,944 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\sscdmdfl.sys -- (sscdmdfl)
DRV - [2007-07-03 16:54:24 | 000,080,552 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\sscdbus.sys -- (sscdbus) SAMSUNG USB Composite Device driver (WDM)
DRV - [2006-10-23 12:42:30 | 000,031,899 | ---- | M] (Compuware Corporation) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\hid8101.sys -- (hid8101)
DRV - [2006-08-11 15:42:42 | 003,958,496 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- D:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2006-05-24 05:41:07 | 000,007,168 | R--- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- D:\WINDOWS\system32\drivers\ctprxy2k.sys -- (ctprxy2k)
DRV - [2006-05-24 05:41:04 | 000,499,584 | R--- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- D:\WINDOWS\system32\drivers\ctaud2k.sys -- (ctaud2k) Creative Audio Driver (WDM)
DRV - [2006-05-24 05:40:21 | 001,110,016 | R--- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- D:\WINDOWS\system32\drivers\ha20x2k.sys -- (ha20x2k)
DRV - [2006-05-24 05:38:30 | 000,116,224 | R--- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- D:\WINDOWS\system32\drivers\ctoss2k.sys -- (ossrv)
DRV - [2006-05-24 05:38:08 | 000,143,872 | R--- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- D:\WINDOWS\system32\drivers\ctsfm2k.sys -- (ctsfm2k)
DRV - [2006-05-24 05:38:01 | 000,078,336 | R--- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- D:\WINDOWS\system32\drivers\emupia2k.sys -- (emupia)
DRV - [2006-05-24 05:37:44 | 000,502,272 | R--- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- D:\WINDOWS\system32\drivers\ctac32k.sys -- (ctac32k)
DRV - [2006-05-23 16:05:36 | 000,039,936 | ---- | M] (MICRO-STAR INT'L CO., LTD.) [Kernel | On_Demand | Running] -- D:\Program Files\MSI\Core Center\RushTop.sys -- (RushTopDevice)
DRV - [2006-04-20 10:02:44 | 000,042,368 | R--- | M] (JMicron Technology Corp.) [Kernel | Boot | Running] -- D:\WINDOWS\system32\DRIVERS\jraid.sys -- (JRAID)
DRV - [2006-02-26 23:46:20 | 000,081,408 | R--- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- D:\WINDOWS\system32\drivers\Rtnicxp.sys -- (RTL8023xp)
DRV - [2006-02-07 13:52:58 | 000,006,912 | R--- | M] (JMicron ) [Kernel | Boot | Running] -- D:\WINDOWS\system32\DRIVERS\JGOGO.sys -- (JGOGO)
DRV - [2005-11-10 11:06:03 | 000,340,704 | R--- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\ctdvda2k.sys -- (ctdvda2k)
DRV - [2005-05-04 10:32:32 | 000,686,080 | R--- | M] (Philips Semiconductors GmbH) [Kernel | On_Demand | Running] -- D:\WINDOWS\system32\drivers\Cap713x.sys -- (Cap713x)
DRV - [2005-04-12 19:21:32 | 000,022,240 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\wmfilter.sys -- (WmFilter)
DRV - [2005-04-12 19:21:28 | 000,010,144 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- D:\WINDOWS\system32\drivers\WmBEnum.sys -- (WmBEnum)
DRV - [2005-04-12 19:21:28 | 000,005,600 | ---- | M] (Logitech Inc.)
[Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\wmvirhid.sys -- (WmVirHid) DRV - [2005-04-12 19:21:26 | 000,045,504 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- D:\WINDOWS\system32\drivers\WmXlCore.sys -- (WmXlCore) DRV - [2005-03-14 14:01:38 | 000,041,984 | ---- | M] (DeviceGuys, Inc.) [Kernel | Auto | Running] -- D:\WINDOWS\system32\drivers\DGIVECP.SYS -- (DgiVecp) DRV - [2004-08-03 23:00:14 | 000,008,192 | ---- | M] (Microsoft Corporation) [Kernel | System | Stopped] -- D:\WINDOWS\System32\drivers\Changer.sys -- (Changer) DRV - [2004-08-03 22:59:34 | 000,034,688 | ---- | M] (Toshiba Corp.) [Kernel | System | Stopped] -- D:\WINDOWS\System32\drivers\lbrtfdc.sys -- (lbrtfdc) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-21-606747145-1085031214-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com/?SearchSource=10&ctid=CT1098640 IE - HKU\S-1-5-21-606747145-1085031214-725345543-1003\..\URLSearchHook: {ecdee021-0d17-467f-a1ff-c7a115230949} - D:\Program Files\free-downloads.net\tbfre0.dll (Conduit Ltd.) 
IE - HKU\S-1-5-21-606747145-1085031214-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 FF - HKLM\software\mozilla\Thunderbird\Extensions\\eplgTb@eset.com: D:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird [2010-08-21 22:00:30 | 000,000,000 | ---D | M] O1 HOSTS File: ([2010-08-05 17:34:40 | 000,000,906 | ---- | M]) - D:\WINDOWS\system32\drivers\etc\hosts O1 - Hosts: 127.0.0.1 localhost O1 - Hosts: 127.0.0.1 serial.alcohol-soft.com O1 - Hosts: 127.0.0.1 www.alcohol-soft.com O1 - Hosts: 127.0.0.1 images.alcohol-soft.com O1 - Hosts: 127.0.0.1 trial.alcohol-soft.com O1 - Hosts: 127.0.0.1 alcohol-soft.com O2 - BHO: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - D:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com) O2 - BHO: (free-downloads.net Toolbar) - {ecdee021-0d17-467f-a1ff-c7a115230949} - D:\Program Files\free-downloads.net\tbfre0.dll (Conduit Ltd.) O3 - HKLM\..\Toolbar: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - D:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com) O3 - HKLM\..\Toolbar: (free-downloads.net Toolbar) - {ecdee021-0d17-467f-a1ff-c7a115230949} - D:\Program Files\free-downloads.net\tbfre0.dll (Conduit Ltd.) O3 - HKU\S-1-5-21-606747145-1085031214-725345543-1003\..\Toolbar\WebBrowser: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - D:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com) O3 - HKU\S-1-5-21-606747145-1085031214-725345543-1003\..\Toolbar\WebBrowser: (free-downloads.net Toolbar) - {ECDEE021-0D17-467F-A1FF-C7A115230949} - D:\Program Files\free-downloads.net\tbfre0.dll (Conduit Ltd.) O4 - HKLM..\Run: [CTHelper] File not found O4 - HKLM..\Run: [CTxfiHlp] File not found O4 - HKLM..\Run: [egui] D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe (ESET) O4 - HKLM..\Run: [JMB36X Configure] D:\WINDOWS\System32\JMRaidTool.exe (JMicron Technology Corp.) 
O4 - HKLM..\Run: [NvCplDaemon] D:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation) O4 - HKLM..\Run: [NvMediaCenter] File not found O4 - HKLM..\Run: [nwiz] File not found O4 - HKLM..\Run: [samsung Common SM] D:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe (Samsung Electronics.) O4 - HKLM..\Run: [updReg] D:\WINDOWS\Updreg.EXE (Creative Technology Ltd.) O4 - HKLM..\Run: [VirtualCloneDrive] D:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe (Elaborate Bytes AG) O4 - HKLM..\Run: [VolPanel] D:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe (Creative Technology Ltd) O4 - HKU\S-1-5-21-606747145-1085031214-725345543-1003..\Run: [api32] D:\DOCUME~1\SAWEK~1\USTAWI~1\Temp\apiqq.exe File not found O4 - HKU\S-1-5-21-606747145-1085031214-725345543-1003..\Run: [dso32] D:\DOCUME~1\SAWEK~1\USTAWI~1\Temp\dsoqq.exe File not found O4 - HKU\S-1-5-21-606747145-1085031214-725345543-1003..\Run: [sony Ericsson PC Suite] D:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe (Sony Ericsson Mobile Communications AB) O4 - HKU\S-1-5-21-606747145-1085031214-725345543-1003..\Run: [start WingMan Profiler] D:\Program Files\Logitech\Profiler\lwemon.exe (Logitech Inc.) 
O4 - Startup: D:\Documents and Settings\All Users\Menu Start\Programy\Autostart\CoreCenter.lnk = D:\Program Files\MSI\Core Center\CoreCenter.exe () O4 - Startup: D:\Documents and Settings\Sławek\Menu Start\Programy\Autostart\JDownloader.lnk = D:\Program Files\JDownloader\JDownloader.exe (AppWork UG (haftungsbeschränkt)) O4 - Startup: D:\Documents and Settings\Sławek\Menu Start\Programy\Autostart\sysrda32.exe () O4 - Startup: D:\Documents and Settings\Sławek\Menu Start\Programy\Autostart\updpxe32.exe () O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\S-1-5-21-606747145-1085031214-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323 O7 - HKU\S-1-5-21-606747145-1085031214-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863 O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18) O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18) O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 89.174.36.7 89.174.36.2 O20 - HKLM Winlogon: Shell - (Explorer.exe) - File not found O20 - HKLM Winlogon: UIHost - (logonui.exe) - File not found O20 - HKLM 
Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") - File not found O20 - Winlogon\Notify\crypt32chain: DllName - crypt32.dll - File not found O20 - Winlogon\Notify\cryptnet: DllName - cryptnet.dll - File not found O20 - Winlogon\Notify\cscdll: DllName - cscdll.dll - File not found O20 - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - File not found O20 - Winlogon\Notify\Schedule: DllName - wlnotify.dll - File not found O20 - Winlogon\Notify\sclgntfy: DllName - sclgntfy.dll - File not found O20 - Winlogon\Notify\SensLogn: DllName - WlNotify.dll - File not found O20 - Winlogon\Notify\termsrv: DllName - wlnotify.dll - File not found O20 - Winlogon\Notify\wlballoon: DllName - wlnotify.dll - File not found O24 - Desktop Components:0 (Moja bieżąca strona główna) - About:Home O24 - Desktop WallPaper: D:\Documents and Settings\Sławek\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp O24 - Desktop BackupWallPaper: D:\Documents and Settings\Sławek\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - File not found O29 - HKLM SecurityProviders - (msapsspc.dll) - File not found O29 - HKLM SecurityProviders - (schannel.dll) - File not found O29 - HKLM SecurityProviders - (digest.dll) - File not found O29 - HKLM SecurityProviders - (msnsspc.dll) - File not found O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2010-03-27 16:26:57 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ] O34 - HKLM BootExecute: (autocheck autochk *) - File not found O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37 - HKLM\...com [@ = comfile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* ========== Files/Folders - Created Within 30 Days ========== [2010-09-18 07:44:41 | 000,575,488 | ---- | C] (OldTimer Tools) -- D:\Documents and Settings\Sławek\Pulpit\OTL.com [2010-09-17 12:53:02 | 000,000,000 | ---D | C] -- D:\WINDOWS\tmp [2010-09-17 12:40:53 | 000,000,000 | 
---D | C] -- D:\Documents and Settings\Sławek\Pulpit\The_Offspring_-_Happy_Hour-(Japan_Limited_Edition)-2010-ATRium [2010-09-17 12:40:53 | 000,000,000 | ---D | C] -- D:\Documents and Settings\Sławek\Pulpit\Brandon_Boyd-The_Wild_Trapeze-2010-MTD [2010-09-17 12:00:58 | 000,021,504 | ---- | C] (Microsoft Corporation) -- D:\WINDOWS\System32\dllcache\hidserv.dll [2010-09-17 12:00:39 | 000,031,616 | ---- | C] (Microsoft Corporation) -- D:\WINDOWS\System32\dllcache\usbccgp.sys [2010-09-14 21:44:54 | 000,000,000 | ---D | C] -- D:\Program Files\Kolekcja Klasyki [2010-09-12 14:27:08 | 000,000,000 | -HSD | C] -- D:\Config.Msi [2010-09-11 21:43:55 | 000,000,000 | ---D | C] -- D:\Documents and Settings\Sławek\.gstreamer-0.10 [2010-09-11 17:41:20 | 000,000,000 | ---D | C] -- D:\Documents and Settings\Sławek\Pulpit\GM [2010-09-08 22:26:26 | 000,000,000 | ---D | C] -- D:\Documents and Settings\Sławek\Moje dokumenty\my games [2010-09-08 22:18:22 | 000,000,000 | ---D | C] -- D:\Program Files\UltraISO [2010-09-08 22:18:22 | 000,000,000 | ---D | C] -- D:\Documents and Settings\Sławek\Moje dokumenty\My ISO Files [2010-09-08 20:04:21 | 000,000,000 | ---D | C] -- D:\Program Files\SoulseekNS [2010-09-04 10:08:58 | 000,000,000 | ---D | C] -- D:\Documents and Settings\Sławek\Pulpit\52_trip_uploaded_by_Benchmade42 [2010-09-01 22:11:28 | 000,000,000 | ---D | C] -- D:\Documents and Settings\Sławek\Pulpit\Raising_Theos_-_Falling_Behind-EP-2010-UID [2010-08-29 16:13:00 | 000,000,000 | --SD | C] -- D:\ComboFix [2010-08-29 12:04:19 | 000,212,480 | ---- | C] (SteelWerX) -- D:\WINDOWS\SWXCACLS.exe [2010-08-29 12:04:19 | 000,161,792 | ---- | C] (SteelWerX) -- D:\WINDOWS\SWREG.exe [2010-08-29 12:04:19 | 000,136,704 | ---- | C] (SteelWerX) -- D:\WINDOWS\SWSC.exe [2010-08-29 12:04:19 | 000,031,232 | ---- | C] (NirSoft) -- D:\WINDOWS\NIRCMD.exe [2010-08-29 12:04:10 | 000,000,000 | ---D | C] -- D:\WINDOWS\ERDNT [2010-08-29 11:48:43 | 000,000,000 | ---D | C] -- D:\WINDOWS\pss [2010-08-29 10:58:43 | 
000,000,000 | ---D | C] -- D:\Qoobox [2010-08-29 00:53:53 | 001,093,632 | ---- | C] (Karol Winnicki) -- D:\Documents and Settings\Sławek\Pulpit\BESTplayer.exe [2010-08-28 16:14:31 | 000,000,000 | ---D | C] -- D:\Program Files\Mistrz Pamieci [2010-08-28 10:12:30 | 000,000,000 | ---D | C] -- D:\WINDOWS\Brain Challenge [2010-08-28 10:12:30 | 000,000,000 | ---D | C] -- D:\Program Files\Brain Challenge [2010-08-27 19:29:06 | 000,034,688 | ---- | C] (Toshiba Corp.) -- D:\WINDOWS\System32\drivers\lbrtfdc.sys [2010-08-27 19:29:06 | 000,034,688 | ---- | C] (Toshiba Corp.) -- D:\WINDOWS\System32\dllcache\lbrtfdc.sys [2010-08-27 19:29:04 | 000,008,192 | ---- | C] (Microsoft Corporation) -- D:\WINDOWS\System32\dllcache\i2omgmt.sys [2010-08-27 19:29:02 | 000,008,192 | ---- | C] (Microsoft Corporation) -- D:\WINDOWS\System32\drivers\Changer.sys [2010-08-27 19:29:02 | 000,008,192 | ---- | C] (Microsoft Corporation) -- D:\WINDOWS\System32\dllcache\changer.sys [2010-08-22 09:52:51 | 000,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Dane aplikacji\OpenFM [2010-08-22 09:52:50 | 000,000,000 | ---D | C] -- D:\Documents and Settings\Sławek\Dane aplikacji\OpenFM [2010-08-21 23:08:46 | 000,000,000 | ---D | C] -- D:\Documents and Settings\LocalService\Ustawienia lokalne\Dane aplikacji\ESET [2010-08-21 22:00:29 | 000,000,000 | ---D | C] -- D:\Program Files\ESET [2010-08-21 22:00:29 | 000,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Dane aplikacji\ESET [2010-08-21 13:54:59 | 000,000,000 | ---D | C] -- D:\Program Files\K-Lite Codec Pack [2010-03-28 16:33:01 | 000,148,736 | ---- | C] (Avanquest Software) -- D:\Documents and Settings\All Users\Dane aplikacji\hpe61E.dll [2006-05-24 06:38:39 | 000,033,792 | R--- | C] ( ) -- D:\WINDOWS\System32\a3d.dll [4 D:\WINDOWS\System32\*.tmp files -> D:\WINDOWS\System32\*.tmp -> ] [3 D:\WINDOWS\*.tmp files -> D:\WINDOWS\*.tmp -> ] ========== Files - Modified Within 30 Days ========== [2010-09-18 07:44:56 | 000,575,488 | ---- | M] 
(OldTimer Tools) -- D:\Documents and Settings\Sławek\Pulpit\OTL.com [2010-09-18 07:31:07 | 013,969,563 | ---- | M] () -- D:\Documents and Settings\Sławek\Moje dokumenty\..T.R.6.8.2.2595...rar[1] [2010-09-18 07:03:57 | 000,081,191 | ---- | M] () -- D:\WINDOWS\System32\nvapps.xml [2010-09-18 07:03:56 | 000,000,542 | ---- | M] () -- D:\WINDOWS\tasks\Konserwacja jednym kliknięciem.job [2010-09-18 07:03:55 | 000,000,006 | -H-- | M] () -- D:\WINDOWS\tasks\SA.DAT [2010-09-18 07:03:54 | 000,002,048 | --S- | M] () -- D:\WINDOWS\bootstat.dat [2010-09-17 22:57:12 | 000,064,900 | ---- | M] () -- D:\WINDOWS\System32\DVCState-{00000003-00000000-00000001-00001102-00000005-00211102}.rfx [2010-09-17 22:57:12 | 000,055,184 | ---- | M] () -- D:\WINDOWS\System32\BMXStateBkp-{00000003-00000000-00000001-00001102-00000005-00211102}.rfx [2010-09-17 22:57:12 | 000,055,184 | ---- | M] () -- D:\WINDOWS\System32\BMXState-{00000003-00000000-00000001-00001102-00000005-00211102}.rfx [2010-09-17 22:57:12 | 000,001,080 | ---- | M] () -- D:\WINDOWS\System32\settingsbkup.sfm [2010-09-17 22:57:12 | 000,001,080 | ---- | M] () -- D:\WINDOWS\System32\settings.sfm [2010-09-17 22:57:07 | 003,936,256 | ---- | M] () -- D:\Documents and Settings\Sławek\ntuser.dat [2010-09-17 22:57:07 | 000,000,188 | -HS- | M] () -- D:\Documents and Settings\Sławek\ntuser.ini [2010-09-17 22:56:02 | 000,034,816 | ---- | M] () -- D:\Documents and Settings\Sławek\Ustawienia lokalne\Dane aplikacji\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2010-09-17 22:01:00 | 000,000,236 | ---- | M] () -- D:\WINDOWS\tasks\Scheduled Update for Ask Toolbar.job [2010-09-17 12:38:08 | 000,002,206 | ---- | M] () -- D:\WINDOWS\System32\wpa.dbl [2010-09-17 12:38:04 | 000,211,288 | ---- | M] () -- D:\WINDOWS\System32\FNTCACHE.DAT [2010-09-17 12:02:11 | 000,356,508 | ---- | M] () -- D:\WINDOWS\System32\perfh015.dat [2010-09-17 12:02:11 | 000,312,184 | ---- | M] () -- D:\WINDOWS\System32\perfh009.dat [2010-09-17 12:02:11 | 000,050,048 | ---- | M] () -- 
D:\WINDOWS\System32\perfc015.dat [2010-09-17 12:02:11 | 000,040,380 | ---- | M] () -- D:\WINDOWS\System32\perfc009.dat [2010-09-15 23:09:36 | 000,000,000 | ---- | M] () -- D:\WINDOWS\System32\drivers\mcpynnj.sys [2010-09-15 23:09:21 | 002,108,474 | -H-- | M] () -- D:\Documents and Settings\Sławek\Ustawienia lokalne\Dane aplikacji\IconCache.db [2010-09-15 21:13:25 | 000,036,864 | ---- | M] () -- D:\Documents and Settings\Sławek\Moje dokumenty\PLAN PRACY WYCHOWAWCZEJ.doc [2010-09-15 19:16:19 | 366,768,422 | ---- | M] () -- D:\Documents and Settings\Sławek\Pulpit\Lie to Me S01E11 Undercover.avi [2010-09-14 22:48:53 | 366,696,448 | ---- | M] () -- D:\Documents and Settings\Sławek\Pulpit\Lie to Me S01E10 Better Half.avi [2010-09-14 21:35:49 | 000,028,160 | ---- | M] () -- D:\Documents and Settings\Sławek\Moje dokumenty\Cele ogólne.doc [2010-09-12 16:33:22 | 366,874,646 | ---- | M] () -- D:\Documents and Settings\Sławek\Pulpit\Lie to Me S01E09 Life Is Priceless.avi [2010-09-12 15:14:32 | 016,188,067 | ---- | M] () -- D:\Documents and Settings\Sławek\Pulpit\Gotham Central #02 (fatal77 - [GruMiK])(1121)[TL][PL].cbr [2010-09-12 01:14:13 | 014,359,246 | ---- | M] () -- D:\Documents and Settings\Sławek\Pulpit\Gotham Central #01 (fatal77 - [GruMiK])(1120)[TL][PL].cbr [2010-09-11 16:21:21 | 367,009,792 | ---- | M] () -- D:\Documents and Settings\Sławek\Pulpit\Lie to Me S01E08 Depraved Heart.avi [2010-09-11 15:14:54 | 366,778,368 | ---- | M] () -- D:\Documents and Settings\Sławek\Pulpit\Lie to Me S01E07 The Best Policy.avi [2010-09-05 21:42:12 | 366,311,702 | ---- | M] () -- D:\Documents and Settings\Sławek\Pulpit\Lie to Me S01E05 Unchained.avi [2010-09-05 20:41:47 | 366,704,308 | ---- | M] () -- D:\Documents and Settings\Sławek\Pulpit\Lie to Me S01E04 Love Always.avi [2010-09-05 19:24:54 | 366,279,158 | ---- | M] () -- D:\Documents and Settings\Sławek\Pulpit\Lie to Me S01E03 A Perfect Score.avi [2010-09-05 18:18:58 | 366,978,332 | ---- | M] () -- D:\Documents and 
Settings\Sławek\Pulpit\Lie to Me S01E02 Moral Waiver.avi [2010-09-04 10:05:32 | 130,087,192 | ---- | M] () -- D:\Documents and Settings\Sławek\Pulpit\52_trip_uploaded_by_Benchmade42.rar [2010-09-02 16:50:02 | 000,068,608 | ---- | M] () -- D:\Documents and Settings\Sławek\Pulpit\wizytówki.doc [2010-09-01 19:55:50 | 000,049,152 | ---- | M] () -- D:\Documents and Settings\Sławek\Pulpit\Klasa Ib lista obecności.doc [2010-08-29 15:21:44 | 003,830,790 | R--- | M] () -- D:\Documents and Settings\Sławek\Pulpit\ComboFix.exe [2010-08-29 15:04:56 | 000,000,118 | ---- | M] () -- D:\WINDOWS\System32\fjhdyfhsn.bat [2010-08-29 14:55:45 | 000,000,573 | ---- | M] () -- D:\WINDOWS\win.ini [2010-08-29 14:55:45 | 000,000,227 | ---- | M] () -- D:\WINDOWS\system.ini [2010-08-29 10:47:24 | 000,000,598 | ---- | M] () -- D:\Documents and Settings\All Users\Pulpit\Opera.lnk [2010-08-29 00:53:34 | 001,093,632 | ---- | M] (Karol Winnicki) -- D:\Documents and Settings\Sławek\Pulpit\BESTplayer.exe [2010-08-28 21:42:08 | 000,000,008 | ---- | M] () -- D:\Documents and Settings\Sławek\Dane aplikacji\avdrn.dat [2010-08-28 16:14:34 | 000,000,696 | ---- | M] () -- D:\Documents and Settings\Sławek\Pulpit\Mistrz Pamięci.lnk [2010-08-28 10:12:40 | 000,001,680 | ---- | M] () -- D:\Documents and Settings\Sławek\Pulpit\Brain Challenge.lnk [2010-08-22 11:03:09 | 000,000,644 | ---- | M] () -- D:\Documents and Settings\All Users\Pulpit\AIMP2.lnk [2010-08-21 21:59:34 | 080,694,267 | ---- | M] () -- D:\Documents and Settings\Sławek\Pulpit\en32av.4.2.64.12.rar [4 D:\WINDOWS\System32\*.tmp files -> D:\WINDOWS\System32\*.tmp -> ] [3 D:\WINDOWS\*.tmp files -> D:\WINDOWS\*.tmp -> ] ========== Files Created - No Company Name ========== [2010-09-18 07:31:07 | 013,969,563 | ---- | C] () -- D:\Documents and Settings\Sławek\Moje dokumenty\..T.R.6.8.2.2595...rar[1] [2010-09-15 18:46:23 | 000,036,864 | ---- | C] () -- D:\Documents and Settings\Sławek\Moje dokumenty\PLAN PRACY WYCHOWAWCZEJ.doc [2010-09-15 18:22:10 | 
366,768,422 | ---- | C] () -- D:\Documents and Settings\Sławek\Pulpit\Lie to Me S01E11 Undercover.avi [2010-09-14 21:54:56 | 366,696,448 | ---- | C] () -- D:\Documents and Settings\Sławek\Pulpit\Lie to Me S01E10 Better Half.avi [2010-09-14 21:35:49 | 000,028,160 | ---- | C] () -- D:\Documents and Settings\Sławek\Moje dokumenty\Cele ogólne.doc [2010-09-12 15:43:25 | 366,874,646 | ---- | C] () -- D:\Documents and Settings\Sławek\Pulpit\Lie to Me S01E09 Life Is Priceless.avi [2010-09-12 15:12:23 | 016,188,067 | ---- | C] () -- D:\Documents and Settings\Sławek\Pulpit\Gotham Central #02 (fatal77 - [GruMiK])(1121)[TL][PL].cbr [2010-09-12 01:12:39 | 014,359,246 | ---- | C] () -- D:\Documents and Settings\Sławek\Pulpit\Gotham Central #01 (fatal77 - [GruMiK])(1120)[TL][PL].cbr [2010-09-11 15:29:55 | 367,009,792 | ---- | C] () -- D:\Documents and Settings\Sławek\Pulpit\Lie to Me S01E08 Depraved Heart.avi [2010-09-11 14:25:18 | 366,778,368 | ---- | C] () -- D:\Documents and Settings\Sławek\Pulpit\Lie to Me S01E07 The Best Policy.avi [2010-09-05 20:51:39 | 366,311,702 | ---- | C] () -- D:\Documents and Settings\Sławek\Pulpit\Lie to Me S01E05 Unchained.avi [2010-09-05 19:52:03 | 366,704,308 | ---- | C] () -- D:\Documents and Settings\Sławek\Pulpit\Lie to Me S01E04 Love Always.avi [2010-09-05 18:35:21 | 366,279,158 | ---- | C] () -- D:\Documents and Settings\Sławek\Pulpit\Lie to Me S01E03 A Perfect Score.avi [2010-09-05 17:25:25 | 366,978,332 | ---- | C] () -- D:\Documents and Settings\Sławek\Pulpit\Lie to Me S01E02 Moral Waiver.avi [2010-09-04 09:47:59 | 130,087,192 | ---- | C] () -- D:\Documents and Settings\Sławek\Pulpit\52_trip_uploaded_by_Benchmade42.rar [2010-09-02 16:50:02 | 000,068,608 | ---- | C] () -- D:\Documents and Settings\Sławek\Pulpit\wizytówki.doc [2010-09-01 19:55:49 | 000,049,152 | ---- | C] () -- D:\Documents and Settings\Sławek\Pulpit\Klasa Ib lista obecności.doc [2010-08-31 18:15:32 | 003,936,256 | ---- | C] () -- D:\Documents and Settings\Sławek\ntuser.dat 
[2010-08-29 15:05:12 | 000,000,000 | ---- | C] () -- D:\WINDOWS\System32\drivers\mcpynnj.sys [2010-08-29 12:04:19 | 000,256,512 | ---- | C] () -- D:\WINDOWS\PEV.exe [2010-08-29 12:04:19 | 000,098,816 | ---- | C] () -- D:\WINDOWS\sed.exe [2010-08-29 12:04:19 | 000,080,412 | ---- | C] () -- D:\WINDOWS\grep.exe [2010-08-29 12:04:19 | 000,077,312 | ---- | C] () -- D:\WINDOWS\MBR.exe [2010-08-29 12:04:19 | 000,068,096 | ---- | C] () -- D:\WINDOWS\zip.exe [2010-08-29 11:18:20 | 003,830,790 | R--- | C] () -- D:\Documents and Settings\Sławek\Pulpit\ComboFix.exe [2010-08-28 21:42:11 | 000,000,016 | ---- | C] () -- D:\Documents and Settings\NetworkService\Dane aplikacji\hngmfc.dat [2010-08-28 16:14:34 | 000,000,696 | ---- | C] () -- D:\Documents and Settings\Sławek\Pulpit\Mistrz Pamięci.lnk [2010-08-28 10:12:40 | 000,001,680 | ---- | C] () -- D:\Documents and Settings\Sławek\Pulpit\Brain Challenge.lnk [2010-08-27 19:28:52 | 000,000,118 | ---- | C] () -- D:\WINDOWS\System32\fjhdyfhsn.bat [2010-08-27 19:28:51 | 000,000,016 | ---- | C] () -- D:\Documents and Settings\NetworkService\Dane aplikacji\bawuho.dat [2010-08-27 19:25:28 | 000,000,008 | ---- | C] () -- D:\Documents and Settings\Sławek\Dane aplikacji\avdrn.dat [2010-08-21 21:45:26 | 080,694,267 | ---- | C] () -- D:\Documents and Settings\Sławek\Pulpit\en32av.4.2.64.12.rar [2010-08-21 13:55:00 | 000,165,376 | ---- | C] () -- D:\WINDOWS\System32\unrar.dll [2010-05-27 20:18:28 | 000,110,592 | ---- | C] () -- D:\WINDOWS\System32\FsUsbExDevice.Dll [2010-05-27 20:18:28 | 000,036,608 | ---- | C] () -- D:\WINDOWS\System32\FsUsbExDisk.Sys [2010-05-27 20:18:22 | 000,002,528 | ---- | C] () -- D:\Documents and Settings\Sławek\Dane aplikacji\$_hpcst$.hpc [2010-04-27 19:59:21 | 000,000,421 | ---- | C] () -- D:\WINDOWS\ODBC.INI [2010-04-22 19:12:43 | 000,697,328 | ---- | C] () -- D:\WINDOWS\System32\drivers\sptd.sys [2010-04-11 21:01:21 | 000,765,952 | ---- | C] () -- D:\WINDOWS\System32\xvidcore.dll [2010-04-11 21:01:21 | 000,180,224 | 
---- | C] () -- D:\WINDOWS\System32\xvidvfw.dll [2010-03-28 10:25:02 | 000,000,152 | ---- | C] () -- D:\WINDOWS\CoolPlay.ini [2010-03-28 10:10:30 | 000,086,445 | R--- | C] () -- D:\WINDOWS\System32\instwdm.ini [2010-03-28 10:10:30 | 000,003,072 | ---- | C] () -- D:\WINDOWS\CTXFIRES.DLL [2010-03-28 10:10:30 | 000,000,191 | R--- | C] () -- D:\WINDOWS\System32\ctzapxx.ini [2010-03-28 09:52:56 | 000,002,986 | ---- | C] () -- D:\WINDOWS\TVP3XDrv.ini [2010-03-28 00:45:56 | 000,034,816 | ---- | C] () -- D:\Documents and Settings\Sławek\Ustawienia lokalne\Dane aplikacji\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2010-03-27 21:35:04 | 000,217,088 | ---- | C] () -- D:\WINDOWS\NVGfxOgl.dll [2009-08-09 23:25:56 | 000,000,000 | ---- | C] () -- D:\WINDOWS\System32\drivers\vclone.sys [2008-05-04 17:39:34 | 000,002,560 | ---- | C] () -- D:\WINDOWS\System32\ViaClassCoInstaller.dll [2007-10-25 17:26:10 | 000,005,632 | ---- | C] () -- D:\WINDOWS\System32\drivers\StarOpen.sys [2006-08-11 15:45:20 | 000,581,632 | ---- | C] () -- D:\WINDOWS\System32\nvhwvid.dll [2006-08-11 15:43:10 | 000,196,608 | ---- | C] () -- D:\WINDOWS\System32\nvapi.dll [2006-08-11 15:43:00 | 001,662,976 | ---- | C] () -- D:\WINDOWS\System32\nvwdmcpl.dll [2006-08-11 15:43:00 | 001,470,464 | ---- | C] () -- D:\WINDOWS\System32\nview.dll [2006-08-11 15:43:00 | 001,019,904 | ---- | C] () -- D:\WINDOWS\System32\nvwimg.dll [2006-08-11 15:43:00 | 000,466,944 | ---- | C] () -- D:\WINDOWS\System32\nvshell.dll [2006-08-11 15:43:00 | 000,286,720 | ---- | C] () -- D:\WINDOWS\System32\nvnt4cpl.dll [2006-05-24 07:00:48 | 000,037,888 | ---- | C] () -- D:\WINDOWS\System32\CTBURST.DLL [2005-07-26 23:13:11 | 000,000,214 | ---- | C] () -- D:\WINDOWS\System32\KILL.INI [2005-06-07 15:10:49 | 000,070,656 | ---- | C] () -- D:\WINDOWS\System32\CTMMACTL.DLL [2004-08-04 01:44:00 | 000,081,920 | ---- | C] () -- D:\WINDOWS\System32\ieencode.dll [2004-07-17 12:36:38 | 000,027,440 | ---- | C] () -- D:\WINDOWS\System32\drivers\secdrv.sys 
[2003-04-08 11:40:22 | 000,005,679 | ---- | C] () -- D:\WINDOWS\System32\OUTLPERF.INI ========== LOP Check ========== [2010-03-28 16:33:14 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Dane aplikacji\BVRP Software [2010-08-21 22:00:29 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Dane aplikacji\ESET [2010-03-27 22:51:53 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Dane aplikacji\Gadu-Gadu 10 [2010-03-27 22:57:30 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Dane aplikacji\ipla [2010-08-22 09:53:05 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Dane aplikacji\OpenFM [2010-05-27 20:21:46 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Dane aplikacji\PC Suite [2010-03-28 19:28:03 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Dane aplikacji\TuneUp Software [2010-08-21 23:41:56 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Sławek\Dane aplikacji\advantage [2010-09-15 19:00:57 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Sławek\Dane aplikacji\AIMP [2010-09-17 13:24:09 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Sławek\Dane aplikacji\BESTplayer [2010-06-24 18:04:36 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Sławek\Dane aplikacji\DAEMON Tools Pro [2010-03-27 23:56:26 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Sławek\Dane aplikacji\Gadu-Gadu 10 [2010-08-29 11:35:34 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Sławek\Dane aplikacji\ipla [2010-05-13 20:40:43 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Sławek\Dane aplikacji\LolClient [2010-03-28 13:35:44 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Sławek\Dane aplikacji\LolClient.F24C99354F615F3BAB18AE7B93E3F9B9E8784FA6.1 [2010-05-30 13:24:43 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Sławek\Dane aplikacji\ML [2010-08-22 09:52:50 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Sławek\Dane 
aplikacji\OpenFM [2010-03-28 00:13:52 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Sławek\Dane aplikacji\Opera [2010-05-27 20:21:45 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Sławek\Dane aplikacji\PC Suite [2010-05-27 20:18:20 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Sławek\Dane aplikacji\Samsung [2010-03-28 19:28:11 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Sławek\Dane aplikacji\TuneUp Software [2010-06-24 18:53:24 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Sławek\Dane aplikacji\Ubisoft [2010-09-18 07:03:56 | 000,000,542 | ---- | M] () -- D:\WINDOWS\Tasks\Konserwacja jednym kliknięciem.job [2010-09-17 22:01:00 | 000,000,236 | ---- | M] () -- D:\WINDOWS\Tasks\Scheduled Update for Ask Toolbar.job ========== Purity Check ========== < End of report >
picasso, posted 18 September 2010

1. There are traces of infection, in the form of these registry entries plus files on disk:

O4 - HKU\S-1-5-21-606747145-1085031214-725345543-1003..\Run: [api32] D:\DOCUME~1\SAWEK~1\USTAWI~1\Temp\apiqq.exe File not found
O4 - HKU\S-1-5-21-606747145-1085031214-725345543-1003..\Run: [dso32] D:\DOCUME~1\SAWEK~1\USTAWI~1\Temp\dsoqq.exe File not found
O4 - Startup: D:\Documents and Settings\Sławek\Menu Start\Programy\Autostart\sysrda32.exe ()
O4 - Startup: D:\Documents and Settings\Sławek\Menu Start\Programy\Autostart\updpxe32.exe ()

[2010-08-29 15:05:12 | 000,000,000 | ---- | C] () -- D:\WINDOWS\System32\drivers\mcpynnj.sys
[2010-08-28 21:42:11 | 000,000,016 | ---- | C] () -- D:\Documents and Settings\NetworkService\Dane aplikacji\hngmfc.dat
[2010-08-27 19:28:52 | 000,000,118 | ---- | C] () -- D:\WINDOWS\System32\fjhdyfhsn.bat
[2010-08-27 19:28:51 | 000,000,016 | ---- | C] () -- D:\Documents and Settings\NetworkService\Dane aplikacji\bawuho.dat
[2010-08-27 19:25:28 | 000,000,008 | ---- | C] () -- D:\Documents and Settings\Sławek\Dane aplikacji\avdrn.dat

... and of these drivers restored by Windows File Protection:

DRV - [2004-08-03 23:00:14 | 000,008,192 | ---- | M] (Microsoft Corporation) [Kernel | System | Stopped] -- D:\WINDOWS\System32\drivers\Changer.sys -- (Changer)
DRV - [2004-08-03 22:59:34 | 000,034,688 | ---- | M] (Toshiba Corp.) [Kernel | System | Stopped] -- D:\WINDOWS\System32\drivers\lbrtfdc.sys -- (lbrtfdc)

[2010-08-27 19:29:06 | 000,034,688 | ---- | C] (Toshiba Corp.) -- D:\WINDOWS\System32\drivers\lbrtfdc.sys
[2010-08-27 19:29:06 | 000,034,688 | ---- | C] (Toshiba Corp.) -- D:\WINDOWS\System32\dllcache\lbrtfdc.sys
[2010-08-27 19:29:04 | 000,008,192 | ---- | C] (Microsoft Corporation) -- D:\WINDOWS\System32\dllcache\i2omgmt.sys
[2010-08-27 19:29:02 | 000,008,192 | ---- | C] (Microsoft Corporation) -- D:\WINDOWS\System32\drivers\Changer.sys
[2010-08-27 19:29:02 | 000,008,192 | ---- | C] (Microsoft Corporation) -- D:\WINDOWS\System32\dllcache\changer.sys

(on a normal XP these are not present; only the empty services exist)

2. There is also junk in the form of the Ask and free-downloads.net toolbars and the AdVantage adware.

RNS wrote: "Except that GMER would not start for me; the screen of death appeared and the computer restarted."

1. Firstly: you did not prepare the proper ground for running the program. The announcement applies. A virtual-drive emulation driver is running in the background:

DRV - [2010-06-20 15:34:31 | 000,697,328 | ---- | M] () [Kernel | Boot | Running] -- D:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)

2. Secondly: it is clearly written that if GMER does not work, a log from Root Repeal should be supplied.

RNS wrote: "Yesterday I ran a NOD scan and it found 388 infected files... various trojans; all of them are in the quarantine tab."

A system cannot be assessed without knowing which viruses these are. Please supply a proper text report from NOD for review, so that the virus names and the precise file paths are visible. The contents of the report may drastically change the assessment of what is currently visible in the logs. For example: for an infection of executables, the priority is removing the virus from the programs, not playing with "trifles". Once you have supplied the data and I have seen the complete set of information, I will choose a removal method and give instructions.
RNS, posted 18 September 2010 (author)

Hello. Thanks for the quick reply and for taking an interest in my problem.

"Second: it is clearly written that if GMER does not work, a Root Repeal log should be provided."

I know, I did of course read that information, which is why I attached the result of the analysis from that program in a file named "s", because it would not let me paste the information in, due to the post being too long. I will now paste the Root Repeal log.

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/09/18 08:03
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_diskdump.sys
Image Path: D:\WINDOWS\System32\Drivers\dump_diskdump.sys
Address: 0xBAD50000 Size: 16384 File Visible: No Signed: -
Status: -

Name: dump_JRAID.sys
Image Path: D:\WINDOWS\System32\Drivers\dump_JRAID.sys
Address: 0xB80BB000 Size: 45056 File Visible: No Signed: -
Status: -

Name: PCI_PNP4094
Image Path: \Driver\PCI_PNP4094
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: D:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA018C000 Size: 49152 File Visible: No Signed: -
Status: -

Name: spmr.sys
Image Path: spmr.sys
Address: 0xBA6AE000 Size: 1019904 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: D:\Documents and Settings\Sławek\Ustawienia lokalne\Temporary Internet Files\Content.IE5\1L1I7FPU\ServiceLoginAuthf2fab69a[1]
Status: Visible to the Windows API, but not on disk.

Path: D:\Documents and Settings\Sławek\Ustawienia lokalne\Temporary Internet Files\Content.IE5\EEN35WFV\ServiceLoginAuth[1].htm
Status: Invisible to the Windows API!
SSDT
-------------------
#: 071 Function Name: NtEnumerateKey Status: Hooked by "spmr.sys" at address 0xba6c9e4c
#: 073 Function Name: NtEnumerateValueKey Status: Hooked by "spmr.sys" at address 0xba6ca1da
#: 119 Function Name: NtOpenKey Status: Hooked by "spmr.sys" at address 0xba6af0c0
#: 160 Function Name: NtQueryKey Status: Hooked by "spmr.sys" at address 0xba6ca2b2
#: 177 Function Name: NtQueryValueKey Status: Hooked by "spmr.sys" at address 0xba6ca132

Stealth Objects
-------------------
==EOF==

As for the virtual drive, I specifically uninstalled Daemon and Alcohol... sorry, but after reading the thread on removing virtual drives I thought it was OK.

I am attaching the NOD log file and quarantine file.
scan.txt
scan2.txt
picasso, posted 18 September 2010

"As for the virtual drive, I specifically uninstalled Daemon and Alcohol... sorry, but after reading the thread on removing virtual drives I thought it was OK."

It says there that simply uninstalling the program does not remove everything. The SPTD driver always remains active after that operation and must be addressed separately.

"I know, I did of course read that information, which is why I attached the result of the analysis from that program in a file named "s", because it would not let me paste the information in, due to the post being too long."

I did not see any attachment....

Assessing the report provided here: it was made with SPTD active, which obscures the readings. The log is to be redone with SPTD completely unloaded.

"I am attaching the NOD log file and quarantine file."

Now I have a better idea of what was going on. NOD was removing an infection whose remnants I am pointing out right here (mass insertion of fake drivers into the system), an infection carried in via a USB drive, and finds in the System Restore directory System Volume Information (an inactive form until you start rolling the system back by choosing an infected restore point...).

I am moving on to removing what is visible:

1. Run OTL and in the Custom Scans/Fixes section paste:

:OTL
O4 - HKU\S-1-5-21-606747145-1085031214-725345543-1003..\Run: [api32] D:\DOCUME~1\SAWEK~1\USTAWI~1\Temp\apiqq.exe File not found
O4 - HKU\S-1-5-21-606747145-1085031214-725345543-1003..\Run: [dso32] D:\DOCUME~1\SAWEK~1\USTAWI~1\Temp\dsoqq.exe File not found
O4 - Startup: D:\Documents and Settings\Sławek\Menu Start\Programy\Autostart\sysrda32.exe ()
O4 - Startup: D:\Documents and Settings\Sławek\Menu Start\Programy\Autostart\updpxe32.exe ()
[2010-08-29 15:05:12 | 000,000,000 | ---- | C] () -- D:\WINDOWS\System32\drivers\mcpynnj.sys
[2010-08-28 21:42:11 | 000,000,016 | ---- | C] () -- D:\Documents and Settings\NetworkService\Dane aplikacji\hngmfc.dat
[2010-08-27 19:28:52 | 000,000,118 | ---- | C] () -- D:\WINDOWS\System32\fjhdyfhsn.bat
[2010-08-27 19:28:51 | 000,000,016 | ---- | C] () -- D:\Documents and Settings\NetworkService\Dane aplikacji\bawuho.dat
[2010-08-27 19:25:28 | 000,000,008 | ---- | C] () -- D:\Documents and Settings\Sławek\Dane aplikacji\avdrn.dat
:Reg
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"D:\Program Files\SopCast\adv\SopAdver.exe"=-
:Commands
[emptyflash]
[emptytemp]

Start the process with Run Fix. The system will restart, and at the end you will receive a log.

2. Go to Add / Remove Programs and uninstall the junk: AdVantage (Powering DAEMON Tools), Ask Toolbar and free-downloads.net Toolbar.

3. Go to Device Manager (Start > Run > devmgmt.msc) and look whether any exclamation marks are listed there (this infection, which drops fake drivers, often results in such defects). If so, uninstall the entry with the context-menu option and restart the computer.

4. After completing all the tasks, produce a new set of OTL logs. Attach the log produced by the removal in step 1. Also add a USBFix report from the Listing option.
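The checks picasso applies by eye to the OTL lines quoted above (autoruns launched from Temp, new files in System32 with no vendor, the ghost Changer/lbrtfdc/i2omgmt drivers, the running SPTD driver) and to the RootRepeal SSDT section, written out as an added Python triage helper. This is not code from the thread, from OTL or from RootRepeal; every function and rule name is hypothetical, and the sample lines are constructed after the thread's own log lines (with an ASCII user name).

```python
import re
from dataclasses import dataclass

# Line shapes taken from the OTL and RootRepeal logs quoted in this thread.
O4_RE = re.compile(
    r"^O4 - (?P<where>.+?): (?:\[(?P<name>[^\]]+)\] )?(?P<path>.+?)"
    r"(?: \((?P<company>[^)]*)\))?(?P<missing> File not found)?$"
)
DRV_RE = re.compile(
    r"^DRV - \[(?P<date>[^|]+?) \| (?P<size>[^|]+?) \| (?P<attr>[^|]+?) \| [MC]\] "
    r"\((?P<company>[^)]*)\) \[(?P<type>[^|]+?) \| (?P<start>[^|]+?) \| (?P<state>[^\]]+?)\] "
    r"-- (?P<path>.+?) -- \((?P<service>[^)]+)\)$"
)
FILE_RE = re.compile(
    r"^\[(?P<date>[^|]+?) \| (?P<size>[^|]+?) \| (?P<attr>[^|]+?) \| [MC]\] "
    r"(?:\((?P<company>[^)]*)\) )?-- (?P<path>.+)$"
)
SSDT_RE = re.compile(
    r'^#: (?P<idx>\d+) Function Name: (?P<fn>\w+) Status: Hooked by "(?P<module>[^"]+)"'
    r" at address (?P<addr>0x[0-9a-fA-F]+)$"
)
# Services that, per picasso's note, stock XP carries only as empty service entries
# with no file on disk; a file turning up for them is the fake-driver drop.
GHOST_SERVICES = {"changer", "lbrtfdc", "i2omgmt"}


@dataclass(frozen=True)
class Finding:
    rule: str   # short hypothetical rule id
    path: str   # file or autorun path the rule fired on
    note: str   # why it matters, in the thread's own terms


def file_stem(path):
    """Lower-case file name without extension: '...\\Changer.sys' -> 'changer'."""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()


def triage_otl_line(line):
    """Findings for one OTL log line; empty list when the line is benign or unparsed."""
    line, out = line.strip(), []
    if m := O4_RE.match(line):
        p = m["path"]
        if "\\temp\\" in p.lower():
            out.append(Finding("autorun-temp", p, "autorun launches an executable from a Temp directory"))
        if m["missing"]:
            out.append(Finding("autorun-dead", p, "autorun target no longer exists; the stale entry is still removed"))
        elif m["where"] == "Startup" and m["company"] == "":
            out.append(Finding("autorun-novendor", p, "Startup-folder executable with no vendor information"))
    elif m := DRV_RE.match(line):
        p, svc = m["path"], m["service"]
        if m["company"] == "" and m["state"] == "Running":
            out.append(Finding("drv-novendor-running", p, f"running kernel driver '{svc}' with no vendor; "
                               "an SPTD-style emulation driver distorts rootkit scans and is unloaded first"))
        if svc.lower() in GHOST_SERVICES:
            out.append(Finding("drv-ghost-service", p, f"a file exists for service '{svc}', which stock XP has only as an empty entry"))
    elif m := FILE_RE.match(line):
        p = m["path"]
        size = int(m["size"].replace(",", ""))
        in_sys32 = "\\system32\\" in p.lower()
        if in_sys32 and m["company"] == "":
            out.append(Finding("new-sys32-novendor", p, "newly created file in System32 with no vendor information"))
        if in_sys32 and size == 0 and p.lower().endswith(".sys"):
            out.append(Finding("new-zero-byte-driver", p, "zero-byte .sys file: a driver that cannot load, left behind by the infection"))
        if file_stem(p) in GHOST_SERVICES:
            out.append(Finding("fake-driver-file", p, f"file created for '{file_stem(p)}'; Windows File Protection restores it from dllcache once planted"))
    return out


def triage_otl(text):
    """Run the line rules over a whole OTL log."""
    return [f for line in text.splitlines() for f in triage_otl_line(line)]


def ssdt_hooks(text):
    """Map each hooking module in a RootRepeal SSDT section to the functions it hooks."""
    hooks = {}
    for line in text.splitlines():
        if m := SSDT_RE.match(line.strip()):
            hooks.setdefault(m["module"], []).append(m["fn"])
    return {mod: sorted(fns) for mod, fns in hooks.items()}


# Constructed sample: lines modelled on the logs in this thread, plus one benign directory entry as a control.
OTL_SAMPLE = r"""
O4 - HKU\S-1-5-21-606747145-1085031214-725345543-1003..\Run: [api32] D:\DOCUME~1\SAWEK~1\USTAWI~1\Temp\apiqq.exe File not found
O4 - Startup: D:\Documents and Settings\Slawek\Menu Start\Programy\Autostart\sysrda32.exe ()
DRV - [2004-08-03 23:00:14 | 000,008,192 | ---- | M] (Microsoft Corporation) [Kernel | System | Stopped] -- D:\WINDOWS\System32\drivers\Changer.sys -- (Changer)
DRV - [2010-06-20 15:34:31 | 000,697,328 | ---- | M] () [Kernel | Boot | Running] -- D:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)
[2010-08-29 15:05:12 | 000,000,000 | ---- | C] () -- D:\WINDOWS\System32\drivers\mcpynnj.sys
[2010-08-27 19:28:52 | 000,000,118 | ---- | C] () -- D:\WINDOWS\System32\fjhdyfhsn.bat
[2010-08-27 19:29:06 | 000,034,688 | ---- | C] (Toshiba Corp.) -- D:\WINDOWS\System32\drivers\lbrtfdc.sys
[2010-05-27 20:21:45 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Slawek\Dane aplikacji\Opera
"""
ROOTREPEAL_SAMPLE = r"""
#: 071 Function Name: NtEnumerateKey Status: Hooked by "spmr.sys" at address 0xba6c9e4c
#: 073 Function Name: NtEnumerateValueKey Status: Hooked by "spmr.sys" at address 0xba6ca1da
#: 119 Function Name: NtOpenKey Status: Hooked by "spmr.sys" at address 0xba6af0c0
#: 160 Function Name: NtQueryKey Status: Hooked by "spmr.sys" at address 0xba6ca2b2
#: 177 Function Name: NtQueryValueKey Status: Hooked by "spmr.sys" at address 0xba6ca132
"""

if __name__ == "__main__":
    for f in triage_otl(OTL_SAMPLE):
        print(f"{f.rule:22} {f.path}\n{'':22} {f.note}")
    for mod, fns in ssdt_hooks(ROOTREPEAL_SAMPLE).items():
        print(f"SSDT hooks by {mod}: {', '.join(fns)}")
```

The rules only rank lines for a human reader the way the helper does in this thread; the registry-key hooks reported for spmr.sys are why the RootRepeal log has to be redone with SPTD unloaded before any of its other sections can be trusted.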
RNS (author), posted 18 September 2010

I did the following:

> I didn't see any attachment.... Judging by the report posted here: it was made with SPTD active, which obscures the readings. The log needs to be redone with SPTD completely uninstalled.

Uninstalled.

> 1. Run OTL and in the Custom Scans / Fixes section paste: (...)

Done. The resulting log:

All processes killed
========== OTL ==========
Registry value HKEY_USERS\S-1-5-21-606747145-1085031214-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Run\\api32 deleted successfully.
Registry value HKEY_USERS\S-1-5-21-606747145-1085031214-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Run\\dso32 deleted successfully.
File move failed. D:\Documents and Settings\Sławek\Menu Start\Programy\Autostart\sysrda32.exe scheduled to be moved on reboot.
File move failed. D:\Documents and Settings\Sławek\Menu Start\Programy\Autostart\updpxe32.exe scheduled to be moved on reboot.
D:\WINDOWS\system32\drivers\mcpynnj.sys moved successfully.
D:\Documents and Settings\NetworkService\Dane aplikacji\hngmfc.dat moved successfully.
D:\WINDOWS\system32\fjhdyfhsn.bat moved successfully.
D:\Documents and Settings\NetworkService\Dane aplikacji\bawuho.dat moved successfully.
D:\Documents and Settings\Sławek\Dane aplikacji\avdrn.dat moved successfully.
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\D:\Program Files\SopCast\adv\SopAdver.exe deleted successfully.
========== COMMANDS ==========
[EMPTYFLASH]
User: Administrator
->Flash cache emptied: 41620 bytes
User: All Users
User: Default User
->Flash cache emptied: 41620 bytes
User: LocalService
User: LocalService.ZARZĄDZANIE NT
User: NetworkService
User: NetworkService.ZARZĄDZANIE NT
User: Sławek
->Flash cache emptied: 2539102 bytes
Total Flash Files Cleaned = 3,00 mb
[EMPTYTEMP]
User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes
User: All Users
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes
User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
User: LocalService.ZARZĄDZANIE NT
->Temp folder emptied: 49600 bytes
->Temporary Internet Files folder emptied: 33170 bytes
User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 402 bytes
User: NetworkService.ZARZĄDZANIE NT
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 402 bytes
User: Sławek
->Temp folder emptied: 1508809440 bytes
->Temporary Internet Files folder emptied: 195108614 bytes
->Java cache emptied: 12231868 bytes
->Opera cache emptied: 17532005 bytes
->Flash cache emptied: 0 bytes
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2114584 bytes
%systemroot%\System32 .tmp files removed: 2677354 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 106775805 bytes
RecycleBin emptied: 2217200992 bytes
Total Files Cleaned = 3 874,00 mb
OTL by OldTimer - Version 3.2.12.1 log created on 09182010_195310
Files\Folders moved on Reboot...
D:\Documents and Settings\Sławek\Menu Start\Programy\Autostart\sysrda32.exe moved successfully.
D:\Documents and Settings\Sławek\Menu Start\Programy\Autostart\updpxe32.exe moved successfully.
D:\Documents and Settings\Sławek\Ustawienia lokalne\Temp\VGX2C.tmp moved successfully.
D:\Documents and Settings\Sławek\Ustawienia lokalne\Temp\VGX2D.tmp moved successfully.
D:\Documents and Settings\Sławek\Ustawienia lokalne\Temporary Internet Files\Content.IE5\ZXL7EEAP\world_120x600[1].html moved successfully.
D:\Documents and Settings\Sławek\Ustawienia lokalne\Temporary Internet Files\Content.IE5\TBYVTG4T\openhand_8_8[1].bmp moved successfully.
D:\Documents and Settings\Sławek\Ustawienia lokalne\Temporary Internet Files\Content.IE5\HH86F35H\world_728x90[1].html moved successfully.
D:\Documents and Settings\Sławek\Ustawienia lokalne\Temporary Internet Files\Content.IE5\71234567\120x600_www_perform[1].htm moved successfully.
D:\Documents and Settings\Sławek\Ustawienia lokalne\Temporary Internet Files\Content.IE5\71234567\300x250_www_perform[1].htm moved successfully.
D:\Documents and Settings\Sławek\Ustawienia lokalne\Temporary Internet Files\Content.IE5\6YH0AKLD\728x90_www2_perform[1].htm moved successfully.
D:\Documents and Settings\Sławek\Ustawienia lokalne\Temporary Internet Files\Content.IE5\1L1I7FPU\980480[1].htm moved successfully.
D:\Documents and Settings\Sławek\Ustawienia lokalne\Temporary Internet Files\Content.IE5\1L1I7FPU\world_300x250[1].html moved successfully.
Registry entries deleted on Reboot...

> 2. Go to Add / Remove Programs and uninstall the junk: AdVantage (Powering DAEMON Tools), Ask Toolbar and free-downloads.net Toolbar.

Removed.

> 3. Go to Device Manager (Start > Run > devmgmt.msc) and check whether any exclamation marks appear there (this infection, which drops fake drivers, often results in such defects). If so, uninstall the entry via the context menu and restart the computer.

Indeed there were two devices with an exclamation mark: some PCI something, possibly the integrated sound card, which I deliberately did not install, and clone disc, which I removed.

> 4. After completing all the tasks, produce a new set of OTL logs. Attach the log produced by the removal in step 1. Also add the USBFix report from the Listing option.

Attached, and since I probably still have an infected USB stick, I also made a USBFix log for it and attached it too.

Attachments: OTL.Txt, UsbFix-listowanie.txt, UsbFix- Tworzenie loga pen.txt
picasso, posted 19 September 2010

The tasks completed. Minor things remain to be corrected, i.e. removing the leftovers of the incomplete uninstallation of that adware and the "not found" entries in services.

1. Run OTL and in the Custom Scans / Fixes section paste:

:OTL
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = "http://search.conduit.com/?SearchSource=10&ctid=CT1098640"
O2 - BHO: (no name) - {ecdee021-0d17-467f-a1ff-c7a115230949} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
[2010-08-21 23:41:56 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Sławek\Dane aplikacji\advantage
SRV - File not found [Auto | Stopped] -- D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe -- (StarWindServiceAE)
DRV - File not found [Kernel | Disabled | Stopped] -- D:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)
DRV - File not found [Kernel | On_Demand | Stopped] -- E:\INSTALL\GMSIPCI.SYS -- (GMSIPCI)

Of course: run the fix. This time it will not go without a restart.

2. Clean up after the tools used:
- In Start > Run paste the command: "D:\Documents and Settings\Sławek\Pulpit\ComboFix.exe" /uninstall
- In OTL invoke the CleanUp function.

3. Run a full scan with Malwarebytes' Anti-Malware and report back here with the results.

> Attached, and since I probably still have an infected USB stick, I also made a USBFix log for it and attached it too.

The results are for the most part to be ignored.

1. Drive E is the CD-ROM, so this reading is to be skipped:
Found ! E:\Autorun.inf

2. The extracts from the Image File Execution key are unintelligible. Such keys are present in a system in its normal state. OTL, moreover, did not list any non-standard entries from that key. No action should be taken here.

3. The only thing that qualifies for removal is the key:
Found ! HKLM\Software\Classes\CLSID\MADOWN
But MBAM will take care of that.

> Indeed there were two devices with an exclamation mark: some PCI something, possibly the integrated sound card, which I deliberately did not install, and clone disc, which I removed.

If this is about VirtualCloneDrive, I note an irregularity here: the driver has no company marker at all and has a size of zero bytes, which should not be the case:

DRV - [2009-08-09 23:25:56 | 000,000,000 | ---- | M] () [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\vclone.sys -- (VClone)

This is what a correct driver looks like:

DRV - [2009-08-09 23:25:56 | 000,029,696 | ---- | M] (Elaborate Bytes AG) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\VClone.sys -- (VClone)

Best to uninstall this software completely and reinstall it from a fresh installer downloaded from the vendor.
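The two DRV lines above show what the helper is reading off an OTL log: the size field and the parenthesised company marker. As an added example (not code from this thread, from OTL or from the helper), the following Python script applies the same check mechanically to the SRV/DRV lines of an OTL log: it flags a zero-byte image, an empty vendor marker, and a "File not found" registration that outlived its image (the leftover-service case from step 1 of this post). The sample lines are the ones quoted in this thread; the section-header line is constructed to exercise the non-matching path.

```python
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# Layout of the "SRV - ..." / "DRV - ..." lines in the OTL logs quoted in this
# thread. Two shapes occur: an image OTL could stat, printed with a
# [timestamp | size | attributes | flag] block and a "(Company)" marker, and an
# orphaned registration whose image is gone, printed as "File not found".
ENTRY_RE = re.compile(
    r"^(?P<kind>DRV|SRV) - "
    r"(?:\[(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[^|\]]+) \| (?P<flag>[A-Z])\] \((?P<company>[^)]*)\)"
    r"|(?P<missing>File not found))"
    r" \[(?P<state>[^\]]+)\] -- (?P<path>.+?) -- \((?P<name>[^)]+)\)\s*$"
)


@dataclass
class Finding:
    kind: str          # "DRV" or "SRV"
    name: str          # service/driver name from the trailing "(...)"
    path: str          # image path as logged
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def triage_entry(line: str) -> Optional[Finding]:
    """Return a Finding for one SRV/DRV line, or None for any other line."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    f = Finding(m["kind"], m["name"], m["path"])
    if m["missing"]:
        # Registration left behind by an incomplete uninstall: the service
        # key still exists but the image it points to does not.
        f.reasons.append("file not found: registration outlived its image")
        return f
    if int(m["size"].replace(",", "")) == 0:
        # A kernel driver cannot be a zero-byte file; something replaced or
        # truncated it.
        f.reasons.append("zero-byte image")
    if not m["company"].strip():
        # OTL prints the version-resource company name in parentheses; a
        # vendor-built driver normally carries one.
        f.reasons.append("no vendor marker")
    return f


def triage(lines: Iterable[str]) -> List[Finding]:
    """Triage every SRV/DRV line in an OTL log; other lines are skipped."""
    return [f for f in (triage_entry(line) for line in lines) if f is not None]


# Sample input: the four service/driver lines quoted in this thread plus one
# constructed OTL section header, so the non-matching path is exercised too.
SAMPLE_OTL_LINES = [
    "========== Services (SafeList) ==========",
    r"DRV - [2009-08-09 23:25:56 | 000,000,000 | ---- | M] () [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\vclone.sys -- (VClone)",
    r"DRV - [2009-08-09 23:25:56 | 000,029,696 | ---- | M] (Elaborate Bytes AG) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\VClone.sys -- (VClone)",
    r"DRV - File not found [Kernel | Disabled | Stopped] -- D:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)",
    r"SRV - File not found [Auto | Stopped] -- D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe -- (StarWindServiceAE)",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_OTL_LINES):
        verdict = "; ".join(f.reasons) if f.suspicious else "looks normal"
        print(f"{f.kind} {f.name:<20} {f.path}\n    -> {verdict}")
```

The script reads only what OTL already printed; a zero size or an empty company field is a reason to re-examine a driver, not proof of infection on its own, which is why the helper's advice is a clean reinstall from the vendor rather than deletion.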
RNS (author), posted 19 September 2010

Hello. Script executed in OTL:

========== OTL ==========
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page| /E : value set successfully!
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ecdee021-0d17-467f-a1ff-c7a115230949}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ecdee021-0d17-467f-a1ff-c7a115230949}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{D4027C7F-154A-4066-A1AD-4243D8127440} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ not found.
D:\Documents and Settings\Sławek\Dane aplikacji\advantage folder moved successfully.
Service StarWindServiceAE stopped successfully!
Service StarWindServiceAE deleted successfully!
File D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe not found.
Service sptd stopped successfully!
Service sptd deleted successfully!
File D:\WINDOWS\System32\Drivers\sptd.sys not found.
Service GMSIPCI stopped successfully!
Service GMSIPCI deleted successfully!
File E:\INSTALL\GMSIPCI.SYS not found.
OTL by OldTimer - Version 3.2.12.1 log created on 09192010_080640

> - In Start > Run paste the command: "D:\Documents and Settings\Sławek\Pulpit\ComboFix.exe" /uninstall
> - In OTL invoke the CleanUp function.

I invoked it, which resulted in OTL being uninstalled.

> 3. Run a full scan with Malwarebytes' Anti-Malware and report back here with the results.

Here is the scan result, with the note that during the scan NOD was detecting viruses, which I removed. After the scan I also removed the infections in MBAM.

Wersja bazy: 4650
Windows 5.1.2600 Dodatek Service Pack 2
Internet Explorer 6.0.2900.2180
2010-09-19 09:14:30
mbam-log-2010-09-19 (09-14-30).txt
Typ skanowania: Pełne skanowanie (C:\|D:\|G:\|)
Przeskanowano obiektów: 328533
Upłynęło: 54 minut(y), 50 sekund(y)
Zainfekowanych procesów w pamięci: 0
Zainfekowanych modułów w pamięci: 0
Zainfekowanych kluczy rejestru: 2
Zainfekowanych wartości rejestru: 0
Zainfekowane informacje rejestru systemowego: 4
Zainfekowanych folderów: 1
Zainfekowanych plików: 18
Zainfekowanych procesów w pamięci:
(Nie znaleziono zagrożeń)
Zainfekowanych modułów w pamięci:
(Nie znaleziono zagrożeń)
Zainfekowanych kluczy rejestru:
HKEY_CLASSES_ROOT\CLSID\MADOWN (Worm.Magania) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\advantage (Adware.Vomba) -> No action taken.
Zainfekowanych wartości rejestru:
(Nie znaleziono zagrożeń)
Zainfekowane informacje rejestru systemowego:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> No action taken.
Zainfekowanych folderów:
D:\Program Files\Advantage (Adware.Advantage) -> No action taken.
Zainfekowanych plików:
C:\System Volume Information\_restore{D2EB91BC-1F9C-426B-B0DD-02A053118231}\RP103\A0034661.exe (Spyware.OnlineGames) -> No action taken.
C:\System Volume Information\_restore{D2EB91BC-1F9C-426B-B0DD-02A053118231}\RP105\A0034800.exe (Spyware.OnlineGames) -> No action taken.
C:\System Volume Information\_restore{D2EB91BC-1F9C-426B-B0DD-02A053118231}\RP106\A0035026.exe (Spyware.OnlineGames) -> No action taken.
C:\System Volume Information\_restore{D2EB91BC-1F9C-426B-B0DD-02A053118231}\RP113\A0037179.exe (Spyware.OnlineGames) -> No action taken.
C:\System Volume Information\_restore{D2EB91BC-1F9C-426B-B0DD-02A053118231}\RP114\A0039301.exe (Spyware.OnlineGames) -> No action taken.
C:\System Volume Information\_restore{D2EB91BC-1F9C-426B-B0DD-02A053118231}\RP117\A0039520.exe (Spyware.OnlineGames) -> No action taken.
C:\System Volume Information\_restore{D2EB91BC-1F9C-426B-B0DD-02A053118231}\RP117\A0039567.exe (Spyware.OnlineGames) -> No action taken.
D:\Program Files\Nero\Nero 9\Nero Burning ROM\Keymaker.exe (Trojan.Agent) -> No action taken.
D:\System Volume Information\_restore{D2EB91BC-1F9C-426B-B0DD-02A053118231}\RP166\A0061064.EXE (Trojan.Dropper.PGen) -> No action taken.
D:\System Volume Information\_restore{D2EB91BC-1F9C-426B-B0DD-02A053118231}\RP127\A0040550.dll (Adware.Vomba) -> No action taken.
G:\System Volume Information\_restore{D2EB91BC-1F9C-426B-B0DD-02A053118231}\RP103\A0034663.exe (Spyware.OnlineGames) -> No action taken.
G:\System Volume Information\_restore{D2EB91BC-1F9C-426B-B0DD-02A053118231}\RP105\A0034804.exe (Spyware.OnlineGames) -> No action taken.
G:\System Volume Information\_restore{D2EB91BC-1F9C-426B-B0DD-02A053118231}\RP106\A0035028.exe (Spyware.OnlineGames) -> No action taken.
G:\System Volume Information\_restore{D2EB91BC-1F9C-426B-B0DD-02A053118231}\RP113\A0037183.exe (Spyware.OnlineGames) -> No action taken.
G:\System Volume Information\_restore{D2EB91BC-1F9C-426B-B0DD-02A053118231}\RP114\A0039303.exe (Spyware.OnlineGames) -> No action taken.
G:\System Volume Information\_restore{D2EB91BC-1F9C-426B-B0DD-02A053118231}\RP117\A0039522.exe (Spyware.OnlineGames) -> No action taken.
G:\System Volume Information\_restore{D2EB91BC-1F9C-426B-B0DD-02A053118231}\RP117\A0039569.exe (Spyware.OnlineGames) -> No action taken.
G:\Ściaganie\Keymaker.exe (Trojan.Agent) -> No action taken.

> The results are for the most part to be ignored.
> 1. Drive E is the CD-ROM, so this reading is to be skipped:
> Found ! E:\Autorun.inf

OK, so the USB stick is clean?

> 2. The extracts from the Image File Execution key are unintelligible. Such keys are present in a system in its normal state. OTL, moreover, did not list any non-standard entries from that key. No action should be taken here.

None taken.

> 3. The only thing that qualifies for removal is the key:
> Found ! HKLM\Software\Classes\CLSID\MADOWN
> But MBAM will take care of that.

OK.

> If this is about VirtualCloneDrive, I note an irregularity here: the driver has no company marker at all and has a size of zero bytes, which should not be the case:
> DRV - [2009-08-09 23:25:56 | 000,000,000 | ---- | M] () [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\vclone.sys -- (VClone)
> This is what a correct driver looks like:
> DRV - [2009-08-09 23:25:56 | 000,029,696 | ---- | M] (Elaborate Bytes AG) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\VClone.sys -- (VClone)
> Best to uninstall this software completely and reinstall it from a fresh installer downloaded from the vendor.

Maybe that is because I had uninstalled that program; in any case I have now installed it from the vendor's site. I can say that after following the recommendations the computer really works differently. The internet works, and much faster than before. Thank you very much for the help.
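The MBAM log above mixes findings that mean very different things for clean-up: copies sitting in System Restore snapshots, Security Center notification flags switched off, the hidden-files setting hijacked, live registry keys and live files. As an added example (not code from this thread or from Malwarebytes), the following Python script parses MBAM result lines of that shape and buckets them by what they imply, which is the distinction the helper draws in the next reply when pointing at the restore-point entries. The sample lines are copied from the log above; the two header lines are included to show they are ignored.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List

# One MBAM result line: "<item> (<Family>) -> No action taken." and, for
# registry data, "<key> (<Family>) -> Bad: (x) Good: (y) -> No action taken."
FINDING_RE = re.compile(
    r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> "
    r"(?:Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\) -> )?"
    r"(?P<action>[^>]+?)\.?\s*$"
)


def classify(item: str, family: str) -> str:
    """Bucket a finding by what it means for clean-up."""
    if "System Volume Information\\_restore" in item:
        # Copy inside a System Restore snapshot: inert unless restored, and
        # removed by purging the restore points rather than deleting in place.
        return "restore_point"
    if family.startswith("Disabled.SecurityCenter"):
        # *DisableNotify flags set to 1 silence the XP Security Center alerts.
        return "security_center_notify"
    if family == "Hijack.System.Hidden":
        # SHOWALL\CheckedValue forced to 0 hides files even when "show hidden
        # files" is selected in Explorer.
        return "hidden_files_hijack"
    if item.startswith("HKEY_"):
        return "registry"
    return "on_disk"


def parse_mbam(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse MBAM result lines; headers and counters do not match and are skipped."""
    findings = []
    for line in lines:
        m = FINDING_RE.match(line.strip())
        if not m:
            continue
        findings.append({
            "item": m["item"], "family": m["family"],
            "category": classify(m["item"], m["family"]),
            "bad": m["bad"], "good": m["good"], "action": m["action"],
        })
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    return dict(Counter(f["category"] for f in findings))


def disabled_notifications(findings: List[Dict[str, str]]) -> List[str]:
    """Names of Security Center notify flags MBAM reported as switched off."""
    return sorted(f["item"].rsplit("\\", 1)[-1] for f in findings
                  if f["category"] == "security_center_notify" and f["bad"] == "1")


def unresolved(findings: List[Dict[str, str]]) -> List[str]:
    """Items MBAM had logged but not yet acted on when the log was written."""
    return [f["item"] for f in findings if f["action"] == "No action taken"]


# Sample input copied from the MBAM log quoted in this thread (subset), plus
# two header lines that the parser must ignore.
SAMPLE_MBAM_LINES = [
    "Zainfekowanych kluczy rejestru: 2",
    "Zainfekowanych procesów w pamięci: (Nie znaleziono zagrożeń)",
    r"HKEY_CLASSES_ROOT\CLSID\MADOWN (Worm.Magania) -> No action taken.",
    r"HKEY_CURRENT_USER\SOFTWARE\advantage (Adware.Vomba) -> No action taken.",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> No action taken.",
    r"D:\Program Files\Advantage (Adware.Advantage) -> No action taken.",
    r"C:\System Volume Information\_restore{D2EB91BC-1F9C-426B-B0DD-02A053118231}\RP103\A0034661.exe (Spyware.OnlineGames) -> No action taken.",
    r"D:\System Volume Information\_restore{D2EB91BC-1F9C-426B-B0DD-02A053118231}\RP127\A0040550.dll (Adware.Vomba) -> No action taken.",
    r"D:\Program Files\Nero\Nero 9\Nero Burning ROM\Keymaker.exe (Trojan.Agent) -> No action taken.",
]

if __name__ == "__main__":
    fs = parse_mbam(SAMPLE_MBAM_LINES)
    print("by category:", summarize(fs))
    print("Security Center alerts silenced:", disabled_notifications(fs))
    print("still unresolved:", len(unresolved(fs)))
```

The "No action taken" status is worth checking explicitly: MBAM writes it when the log is saved before the removal step, so a log full of such lines says what was found, not what was cleaned, which is why the helper asks for the restore-point entries to be dealt with separately.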
picasso, posted 19 September 2010

> Here is the scan result, with the note that during the scan NOD was detecting viruses, which I removed. After the scan I also removed the infections in MBAM.

Uninstalling ComboFix should reset the Restore points and create the first one from the new state. However, I see that MBAM, run later according to the chronology, was still finding threats in the System Restore directories. Fix this by cleaning the directories manually: INSTRUCTIONS.

> OK, so the USB stick is clean?

According to the Listing report I did not see on the USB any file sitting directly in the root directory that could be linked to the infection. And I assume you scanned the device with NOD.

> Maybe that is because I had uninstalled that program; in any case I have now installed it from the vendor's site.

Even so, it should not look like that after uninstallation.

****************************

Securing part:

1. In Panda USB Vaccine secure the system (Computer vaccination) and the external device (USB vaccination).

2. Mandatory update of the security status:

Windows XP Professional Edition Dodatek Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)

Bring it up to: Service Pack 3 + Internet Explorer 8 (installed regardless of whether you use it at all). Also update Java. Everything is laid out here: INSTRUCTIONS.
RNS (author), posted 19 September 2010

> Uninstalling ComboFix should reset the Restore points and create the first one from the new state. However, I see that MBAM, run later according to the chronology, was still finding threats in the System Restore directories. Fix this by cleaning the directories manually: INSTRUCTIONS.

1. Fixed.

> According to the Listing report I did not see on the USB any file sitting directly in the root directory that could be linked to the infection. And I assume you scanned the device with NOD.

Yes, earlier NOD supposedly detected two viruses.

> 1. In Panda USB Vaccine secure the system (Computer vaccination) and the external device (USB vaccination).

1. Done.

> 2. Mandatory update of the security status (...)

2. SP3 and IE8 installed. Java upgraded.

4. Thank you once again for the expert help in solving the problem. Regards!!!!!!