Problem z sknc

martinesq · 4 Lipca 2010

Dzień dobry, pisałem na innym forum, podaje link: hxxp://www.forum.tweaks.pl/LOG-Hijacks-t40001-pid-206364.html/page__gopid__206364#entry206364

Dodatkowo co jakiś czas rozłącza mi klawiature, wtyczki sprawne, próbowałem przełączać do innych gniazd to samo. Sądzę że to wina jakiegoś wirusa.

I jeszcze gdy wyłączam komputer to gdy już jest przy czarnym ekranie i kursorze od myszki to się zacina i trzeba na listwie lub przycisku wyłączyć

Logi:

http://wklej.org/id/360261/

http://wklej.org/id/360263/

Proszę o szybką pomoc.

picasso · 4 Lipca 2010

martinesq tutaj obowiązkiem jest podanie loga z GMER. Musi być weryfikacja pod kątem aktywności rootkit. Przy okazji, to w tym logu będzie widać także modyfikację funkcji biblioteki.

Zaś sama podmiana biblioteki to nie trudność. Do tego przejdziemy po przejrzeniu raportu GMER.

martinesq · 4 Lipca 2010

Już się robi do 10 minut podam log

http://wklej.org/id/360766/

picasso · 6 Lipca 2010

Został mi dosłany log z GMER (na tyle cały na ile się udało go zrobić), toteż go wklejam post wyżej. Pomijając, iż nie została zdjęta emulacja SPTD od Daemon Tools, w logu jest potwierdzenie stanu zainfekowania biblioteki WS2_32.dll. Przed przejściem do usuwania muszę się zorientować czy masz jakąkolwiek niemodyfikowaną przez keyloggera kopię biblioteki systemowej do podmiany. W przeciwnym wypadku dam czysty ekstrakt z obrazu. Uruchom SystemLook, w oknie wklej poniższy tekst:

:filefind

WS2_32.dll

Kliknij w Look i przeklej końcowe wyniki.

PS. Komentarz dodatkowy: plik sknc.dll jest prawdopodobnie pochodną jednej z paczek relatywnych do Tibia. Miej to na uwadze i dla własnego bezpieczeństwa lepiej pozbądź się wszelkich dodatków do Tibia, których źródło może budzić podejrzenia.

.

martinesq · 6 Lipca 2010

Skan z SystemLook :

SystemLook v1.0 by jpshortstuff (11.01.10)

Log created at 08:52 on 06/07/2010 by zxcz (Administrator - Elevation successful)

========== filefind ==========

Searching for "WS2_32.dll"

C:\WINDOWS\ServicePackFiles\i386\ws2_32.dll ------ 82944 bytes [13:37 19/02/2010] [23:44 03/08/2004] AB82237486B727DD7DAB36A76F38A3A2

C:\WINDOWS\SoftwareDistribution\Download\51fc2b55c6deef38fc801319336cdbc7\ws2_32.dll --a--- 82432 bytes [07:55 30/03/2010] [17:20 14/04/2008] C0AA2AB856680C44739B41E01F5BD4E9

C:\WINDOWS\system32\ws2_32.dll --a--- 83456 bytes [22:44 03/08/2004] [15:22 01/06/2010] 16C0372775B545DD17C20BCC055E7DA3

-=End Of File=-

picasso · 6 Lipca 2010

Plikiem wyglądającym na czysty jest kopia w ServicePackFiles. Twój system ma także status XP SP2, a ta kopia pliku odpowiada swą formą i sumą kontrolną temu stanowi.

C:\WINDOWS\ServicePackFiles\i386\ws2_32.dll ------ 82944 bytes [13:37 19/02/2010] [23:44 03/08/2004] AB82237486B727DD7DAB36A76F38A3A2

Usuwanie zostanie podzielone na dwie partie. W pierwszej będzie podmiana biblioteki systemu i usunięcie innych szkodników. Dopiero po weryfikacji stanu i upewnieniu się, że plik uległ wymianie, zostanie skasowany plik sknc.dll oraz przeprowadzone dalsze roboty sprzątające.

1. Uruchom OTL i w sekcji Własne opcje skanowania / skrypt wklej następujący zestaw komend:

:Files
C:\WINDOWS\system32\ws2_32.dll|C:\WINDOWS\ServicePackFiles\i386\ws2_32.dll /replace
C:\Program Files\Common Files\userInit.dll
C:\Program Files\Common Files\logonInit.dll
C:\WINDOWS\System32\secustat.dat
C:\WINDOWS\System32\secushr.dat
C:\autorun.inf
 
:Reg
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LogonInit]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"rtyuoo"=-
 
:Commands
[emptyflash]
[emptytemp]

Uruchom przez opcję Wykonaj skrypt. Po restarcie otrzymasz z tego log. Zachowaj go, bo będziesz pokazywał.

2. Wejdź do Dodaj/Usuń programy i odinstaluj programy-śmieci oraz komponenty adware: 1-2-3 Spyware Free, Ask Toolbar, BarDiscover, DAEMON Tools Toolbar, Hotbar, ShopperReports. Jeśli nie korzystasz, także XfireXO Toolbar. Proces deinstalacji jest po to, by naturalną drogą pozbyć się maksymalnej ilości zapisów od tych obiektów. Usuwanie tylko linijek widocznych w OTL to nie jest kompletna droga. Dopiero po deinstalacji zobaczymy ile z tego ostatnie się w raporcie. Po wykonaniu deinstalacji możesz przejść do punktu 3:

3. Uruchamiasz OTL i tworzysz log opcją Skanuj. Konieczny nowy GMER - ułatw mu i przed uruchomieniem zdejmij emulację na podstawie ogłoszenia. Dołączasz także log otrzymany z usuwania w punkcie 1. Na podstawie tych wyników zostanie przeprowadzona kasacja pliku sknc.dll i dalsza "kosmetyka", czyli eliminacja śmieci z przeglądarek i innych zapisków.

.

martinesq · 6 Lipca 2010

1.

All processes killed

========== FILES ==========

Unable to replace file: C:\WINDOWS\system32\ws2_32.dll with C:\WINDOWS\ServicePackFiles\i386\ws2_32.dll without a reboot.

C:\Program Files\Common Files\userInit.dll moved successfully.

C:\Program Files\Common Files\logonInit.dll moved successfully.

C:\WINDOWS\System32\secustat.dat moved successfully.

C:\WINDOWS\System32\secushr.dat moved successfully.

C:\autorun.inf moved successfully.

========== REGISTRY ==========

Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LogonInit\ deleted successfully.

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\rtyuoo deleted successfully.

========== COMMANDS ==========

[EMPTYFLASH]

User: All Users

User: Default User

->Flash cache emptied: 0 bytes

User: LocalService

User: NetworkService

User: zxcz

->Flash cache emptied: 22180 bytes

Total Flash Files Cleaned = 0,00 mb

[EMPTYTEMP]

User: All Users

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

->Flash cache emptied: 0 bytes

User: LocalService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

User: zxcz

->Temp folder emptied: 196858975 bytes

->Temporary Internet Files folder emptied: 80762 bytes

->Java cache emptied: 0 bytes

->FireFox cache emptied: 95552997 bytes

->Google Chrome cache emptied: 8404069 bytes

->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 2134112 bytes

%systemroot%\System32 .tmp files removed: 2596 bytes

%systemroot%\System32\dllcache .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 18600760 bytes

RecycleBin emptied: 3027880240 bytes

Total Files Cleaned = 3 194,00 mb

OTL by OldTimer - Version 3.2.7.0 log created on 07062010_142946

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

2. zrobione

picasso · 6 Lipca 2010

OTL nie potrafił podstawić pliku:

Unable to replace file: C:\WINDOWS\system32\ws2_32.dll with C:\WINDOWS\ServicePackFiles\i386\ws2_32.dll without a reboot.

I nie zrobił tego podczas restartu systemu. W związku z tym zostanie użyte narzędzie mocniejszej kategorii.

1. Pobierz ComboFix.

2. Otwórz Notatnik i wklej w nim:

FCopy::
C:\WINDOWS\ServicePackFiles\i386\ws2_32.dll | C:\WINDOWS\system32\ws2_32.dll

Plik zapisz pod nazwą CFScript.txt. Przeciągnij go i upuść na ikonę ComboFixa.

3. Po ukończeniu pracy ComboFix zaprezentuj log, który z tego powstanie. I dołącz nowy OTL oraz GMER.

.

martinesq · 6 Lipca 2010

log combofix:

ComboFix 10-07-05.03 - zxcz 2010-07-06 15:00:16.1.1 - x86

Microsoft Windows XP Professional 5.1.2600.2.1250.48.1045.18.1024.785 [GMT 2:00]

Uruchomiony z: c:\documents and settings\zxcz\Moje dokumenty\Pobieranie\ComboFix.exe

Użyto następujących komend :: c:\documents and settings\zxcz\Moje dokumenty\Pobieranie\CFScript.txt

.

((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\announce.exe

c:\documents and settings\zxcz\Dane aplikacji\BITS

c:\documents and settings\zxcz\Dane aplikacji\BITS\BITS.ini

c:\documents and settings\zxcz\Dane aplikacji\BITS\DHTTable.dat

c:\documents and settings\zxcz\Dane aplikacji\BITS\ProxyList.ini

c:\documents and settings\zxcz\Dane aplikacji\FlashGetBHO

c:\documents and settings\zxcz\Dane aplikacji\FlashGetBHO\FlashGetBHO3.dll

c:\documents and settings\zxcz\Dane aplikacji\FlashGetBHO\FlashGetHook.dll

c:\documents and settings\zxcz\Dane aplikacji\FlashGetBHO\GetAllUrl.htm

c:\documents and settings\zxcz\Dane aplikacji\FlashGetBHO\GetUrl.htm

c:\program files\FlashGet Network

c:\program files\FlashGet Network\FlashGet 3\dat\Appsetting.cfg

c:\program files\FlashGet Network\FlashGet 3\dat\FlashGet3db.bak

c:\program files\FlashGet Network\FlashGet 3\dat\FlashGet3db.db

c:\program files\FlashGet Network\FlashGet 3\P2PCfg.ini

c:\program files\FlashGet Network\FlashGet 3\perf.ini

c:\program files\FlashGet Network\FlashGet 3\pstat.dat

c:\program files\FlashGet Network\FlashGet 3\pup.dat

c:\windows\system32\dxva2.dll

c:\windows\system32\evr.dll

c:\windows\system32\evrprop.dll

c:\windows\system32\libFLAC.dll

c:\windows\system32\mkunicode.dll

c:\windows\system32\mkzlib.dll

c:\windows\system32\sknc.dll

Zainfekowana kopia c:\windows\system32\ws2_32.dll została znaleziona. Problem naprawiono

Plik odzyskano z - c:\system volume information\_restore{1386A8C2-E0B7-49EF-8B15-E3C31D4E1E48}\RP144\A0252191.dll

.

((((((((((((((((((((((((((((((((((((((( Sterowniki/Usługi )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_AVPsys

((((((((((((((((((((((((( Pliki utworzone od 2010-06-06 do 2010-07-06 )))))))))))))))))))))))))))))))

.

2010-07-06 12:29 . 2010-07-06 12:29 -------- d-----w- C:\_OTL

2010-07-04 17:35 . 2010-07-04 17:35 20480 ----a-w- c:\windows\system32\H@tKeysH@@k.DLL

2010-07-04 12:26 . 2001-10-26 14:48 9600 ----a-w- c:\windows\system32\drivers\NtApm.sys

2010-07-03 08:49 . 2010-07-03 09:57 -------- d-----w- c:\program files\Anti Trojan Elite

2010-07-03 08:45 . 2010-07-03 08:45 -------- d-----w- c:\program files\Trend Micro

2010-07-02 17:31 . 2010-07-02 17:32 -------- d-----w- c:\program files\AGEIA Technologies

2010-07-02 17:31 . 2010-07-02 17:31 -------- d-----w- c:\windows\system32\AGEIA

2010-07-02 17:31 . 2010-07-02 17:31 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2010-06-22 16:29 . 2010-06-22 16:29 -------- d-----w- c:\program files\KONAMI

2010-06-22 16:29 . 2010-06-22 16:29 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\KONAMI

2010-06-21 19:11 . 2010-07-05 07:23 -------- d---a-w- c:\documents and settings\All Users\Dane aplikacji\TEMP

2010-06-20 17:25 . 2010-06-20 17:24 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-06-20 09:07 . 2010-07-01 19:09 8 ----a-w- c:\windows\system32\nvModes.dat

2010-06-19 19:23 . 2010-07-01 19:15 -------- d-----w- c:\program files\TVTool

2010-06-17 20:26 . 2001-08-17 20:02 8576 ----a-w- c:\windows\system32\drivers\hidgame.sys

2010-06-15 20:11 . 2010-06-15 20:11 278984 ----a-w- c:\windows\system32\drivers\atksgt.sys

2010-06-15 20:10 . 2010-06-15 20:10 25416 ----a-w- c:\windows\system32\drivers\lirsgt.sys

2010-06-15 18:57 . 2010-06-15 18:57 -------- d-----w- c:\program files\Ubisoft

2010-06-15 17:27 . 2010-06-15 17:27 -------- d-----r- C:\MSOCache

2010-06-14 17:35 . 2010-06-14 17:35 -------- d-----w- c:\program files\DAEMON Tools Lite

2010-06-06 19:50 . 2010-06-06 19:50 -------- d-----w- c:\program files\Turbine

2010-06-06 15:44 . 2010-06-06 15:44 -------- d-----w- c:\program files\Pando Networks

2010-06-06 15:42 . 2010-06-16 13:52 -------- d-----w- C:\Downloads

2010-06-06 15:42 . 2010-06-06 15:42 -------- d-----w- c:\documents and settings\zxcz\Dane aplikacji\FlashGet

.

(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-07-06 12:44 . 2010-05-30 13:42 -------- d-----w- c:\program files\XfireXO

2010-07-06 12:41 . 2010-06-03 18:20 -------- d-----w- c:\program files\Google

2010-07-06 12:41 . 2010-06-03 15:23 -------- d-----w- c:\program files\MoorHunt

2010-07-06 12:41 . 2010-05-17 16:18 -------- d-----w- c:\program files\Steam

2010-07-03 08:45 . 2010-07-03 08:45 388096 ----a-r- c:\documents and settings\zxcz\Dane aplikacji\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2010-07-01 13:51 . 2010-02-22 17:26 -------- d-----w- c:\documents and settings\zxcz\Dane aplikacji\Gadu-Gadu 10

2010-06-27 12:44 . 2010-03-13 07:07 -------- d-----w- c:\program files\Mozilla Firetyfoxxxsadsasddytya

2010-06-25 18:35 . 2010-02-19 18:26 -------- d-----w- c:\documents and settings\zxcz\Dane aplikacji\Skype

2010-06-25 18:34 . 2010-02-19 18:29 -------- d-----w- c:\documents and settings\zxcz\Dane aplikacji\skypePM

2010-06-25 18:33 . 2010-03-14 15:20 -------- d-----r- c:\program files\Skype

2010-06-21 10:23 . 2010-02-19 18:45 44984 ----a-w- c:\documents and settings\zxcz\Ustawienia lokalne\Dane aplikacji\GDIPFONTCACHEV1.DAT

2010-06-20 17:25 . 2010-06-20 17:25 503808 ----a-w- c:\documents and settings\zxcz\Dane aplikacji\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-29fd4d21-n\msvcp71.dll

2010-06-20 17:25 . 2010-06-20 17:25 499712 ----a-w- c:\documents and settings\zxcz\Dane aplikacji\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-29fd4d21-n\jmc.dll

2010-06-20 17:25 . 2010-06-20 17:25 348160 ----a-w- c:\documents and settings\zxcz\Dane aplikacji\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-29fd4d21-n\msvcr71.dll

2010-06-20 17:25 . 2010-06-20 17:25 61440 ----a-w- c:\documents and settings\zxcz\Dane aplikacji\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-7d9755ba-n\decora-sse.dll

2010-06-20 17:25 . 2010-06-20 17:25 12800 ----a-w- c:\documents and settings\zxcz\Dane aplikacji\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-7d9755ba-n\decora-d3d.dll

2010-06-20 09:54 . 2010-02-19 15:21 484 ----a-w- c:\windows\system32\xvidvfw.dll

2010-06-20 09:54 . 2010-02-19 15:21 484 ----a-w- c:\windows\system32\xvidcore.dll

2010-06-20 09:54 . 2010-04-11 17:32 -------- d-----w- c:\program files\ALLPlayer

2010-06-15 18:57 . 2010-02-19 14:21 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-06-15 18:27 . 2010-06-03 09:39 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\Microsoft Help

2010-06-15 18:00 . 2010-06-03 09:40 -------- d-----w- c:\program files\Microsoft Visual Studio 8

2010-06-03 14:32 . 2010-02-27 18:16 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\OpenFM

2010-06-03 09:46 . 2010-06-03 09:40 -------- d-----w- c:\program files\Common Files\Merge Modules

2010-06-02 17:35 . 2010-05-18 15:01 -------- d-----w- c:\documents and settings\zxcz\Dane aplikacji\mIRC

2010-06-02 17:33 . 2010-05-18 15:01 -------- d-----w- c:\program files\mIRC

2010-05-30 13:47 . 2010-05-30 13:42 -------- d-----w- c:\program files\Xfire

2010-05-30 13:47 . 2010-05-30 13:42 -------- d-----w- c:\documents and settings\zxcz\Dane aplikacji\Xfire

2010-05-30 13:42 . 2010-05-30 13:42 -------- d-----w- c:\program files\Conduit

2010-05-29 17:00 . 2010-05-29 17:00 -------- d-----w- c:\program files\Activision

2010-05-29 16:49 . 2010-05-29 16:47 -------- d-----w- c:\program files\Common Files\Adobe

2010-05-29 12:34 . 2010-03-01 17:00 -------- d-----w- c:\program files\Remere's Map Editor

2010-05-28 14:04 . 2010-03-12 20:13 -------- d-----w- c:\program files\Gadu-Gadu 10

2010-05-23 11:28 . 2010-02-19 14:14 -------- d-----w- c:\documents and settings\zxcz\Dane aplikacji\PC Suite

2010-05-23 11:26 . 2010-04-11 17:32 -------- d-----w- c:\program files\NAPI-PROJEKT

2010-05-19 18:00 . 2010-02-19 18:34 -------- d-----w- c:\program files\VGA USB Camera

2010-05-19 18:00 . 2010-05-19 18:00 -------- d-----w- c:\program files\directx

2010-05-11 18:32 . 2010-05-11 18:32 41872 ----a-w- c:\windows\system32\xfcodec.dll

2010-05-11 15:18 . 2010-05-11 15:18 -------- d-----w- c:\documents and settings\zxcz\Dane aplikacji\Hide IP NG

2010-05-11 15:18 . 2010-05-11 15:18 -------- d-----w- c:\program files\Hide IP NG

2010-05-11 15:18 . 2010-05-11 15:18 -------- d-----w- c:\documents and settings\zxcz\Dane aplikacji\Delete Cookie

2010-05-10 15:51 . 2010-04-30 13:59 -------- d-----w- c:\program files\ChomikBox

2010-05-10 15:45 . 2010-05-10 15:45 -------- d-----w- c:\program files\Ashampoo

2010-05-10 15:17 . 2010-05-08 13:56 -------- d-----w- c:\program files\Boilsoft ASF Converter

2010-05-10 15:15 . 2010-03-13 07:40 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\Alwil Software

2010-05-10 15:13 . 2010-04-11 17:32 -------- d-----w- c:\program files\ALLConverter

2010-05-08 13:56 . 2010-04-21 19:39 -------- d-----w- c:\documents and settings\zxcz\Dane aplikacji\DivX

2010-04-21 19:40 . 2010-04-21 19:40 57344 ----a-w- c:\documents and settings\All Users\Dane aplikacji\DivX\RunAsUser\RUNASUSERPROCESS.dll

2010-04-21 19:39 . 2010-04-21 19:39 56766 ----a-w- c:\documents and settings\All Users\Dane aplikacji\DivX\DivXPlusShortcuts\Uninstaller.exe

2010-04-21 19:39 . 2010-04-21 19:39 56978 ----a-w- c:\documents and settings\All Users\Dane aplikacji\DivX\WebPlayer\Uninstaller.exe

2010-04-21 19:39 . 2010-04-21 19:39 53600 ----a-w- c:\documents and settings\All Users\Dane aplikacji\DivX\Update\Uninstaller.exe

2010-04-21 19:39 . 2010-04-21 19:39 57679 ----a-w- c:\documents and settings\All Users\Dane aplikacji\DivX\Player\Uninstaller.exe

2010-04-21 19:38 . 2010-04-21 19:38 84040 ----a-w- c:\documents and settings\All Users\Dane aplikacji\DivX\TransferWizard\Uninstaller.exe

2010-04-21 19:38 . 2010-04-21 19:38 57054 ----a-w- c:\documents and settings\All Users\Dane aplikacji\DivX\DSDesktopComponents\Uninstaller.exe

2010-04-21 19:38 . 2010-04-21 19:38 54166 ----a-w- c:\documents and settings\All Users\Dane aplikacji\DivX\DSAVCDecoder\Uninstaller.exe

2010-04-21 19:38 . 2010-04-21 19:38 57532 ----a-w- c:\documents and settings\All Users\Dane aplikacji\DivX\DSASPDecoder\Uninstaller.exe

2010-04-21 19:38 . 2010-04-21 19:38 56458 ----a-w- c:\documents and settings\All Users\Dane aplikacji\DivX\DivXDecoderShortcut\Uninstaller.exe

2010-04-21 19:38 . 2010-04-21 19:38 54174 ----a-w- c:\documents and settings\All Users\Dane aplikacji\DivX\DSAACDecoder\Uninstaller.exe

2010-04-21 19:38 . 2010-04-21 19:38 54153 ----a-w- c:\documents and settings\All Users\Dane aplikacji\DivX\DFXPlugin\Uninstaller.exe

2010-04-21 19:38 . 2010-04-21 19:38 54128 ----a-w- c:\documents and settings\All Users\Dane aplikacji\DivX\Converter\Uninstaller.exe

2010-04-21 19:37 . 2010-04-21 19:37 54629 ----a-w- c:\documents and settings\All Users\Dane aplikacji\DivX\TranscodeEngine\Uninstaller.exe

2010-04-21 19:37 . 2010-04-21 19:37 54101 ----a-w- c:\documents and settings\All Users\Dane aplikacji\DivX\MPEG2Plugin\Uninstaller.exe

2010-04-21 19:37 . 2010-04-21 19:37 57409 ----a-w- c:\documents and settings\All Users\Dane aplikacji\DivX\ControlPanel\Uninstaller.exe

2010-04-21 19:37 . 2010-04-21 19:37 52963 ----a-w- c:\documents and settings\All Users\Dane aplikacji\DivX\MSVC80CRTRedist\Uninstaller.exe

2010-04-21 19:37 . 2010-04-21 19:37 54073 ----a-w- c:\documents and settings\All Users\Dane aplikacji\DivX\Qt4.5\Uninstaller.exe

2010-04-21 19:37 . 2010-04-21 19:37 56969 ----a-w- c:\documents and settings\All Users\Dane aplikacji\DivX\ASPEncoder\Uninstaller.exe

2010-04-21 19:35 . 2010-04-21 19:35 144696 ----a-w- c:\documents and settings\All Users\Dane aplikacji\DivX\RunAsUser\RUNASUSERPROCESS.exe

2010-04-21 19:35 . 2010-04-21 19:39 754984 ----a-w- c:\documents and settings\All Users\Dane aplikacji\DivX\Setup\Resource.dll

2010-04-21 19:35 . 2010-04-21 19:39 1180952 ----a-w- c:\documents and settings\All Users\Dane aplikacji\DivX\Setup\DivXSetup.exe

2010-04-21 10:06 . 2010-05-30 13:42 101376 ------w- c:\documents and settings\zxcz\Dane aplikacji\Mozilla\Firefox\Profiles\e4fq7bly.default\extensions\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}\components\RadioWMPCore.dll

2010-04-21 10:06 . 2010-05-30 13:42 52224 ------w- c:\documents and settings\zxcz\Dane aplikacji\Mozilla\Firefox\Profiles\e4fq7bly.default\extensions\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}\components\FFExternalAlert.dll

2010-04-16 11:22 . 2001-10-26 14:15 80642 ----a-w- c:\windows\system32\perfc015.dat

2010-04-16 11:22 . 2001-10-26 14:15 460446 ----a-w- c:\windows\system32\perfh015.dat

2010-04-13 13:48 . 2010-03-30 18:07 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-04-11 17:26 . 2010-04-11 17:26 249856 ------w- c:\windows\Setup1.exe

2010-04-11 17:26 . 2010-04-11 17:26 73216 ----a-w- c:\windows\ST6UNST.EXE

2010-03-28 11:49 . 2010-03-28 11:49 23 --sha-w- c:\windows\system32\cedddcd9_d.dll

.

------- Sigcheck -------

[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys

[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys

[-] 2008-06-20 . 01D5EAAFF224415A7FF513E4C882BE30 . 360320 . . [5.1.2600.3394] . . c:\windows\system32\drivers\tcpip.sys

[7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys

[-] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\51fc2b55c6deef38fc801319336cdbc7\tcpip.sys

[7] 2004-08-03 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\ServicePackFiles\i386\tcpip.sys

[7] 2004-08-03 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB951748$\tcpip.sys

.

((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Google Update"="c:\documents and settings\zxcz\Ustawienia lokalne\Dane aplikacji\Google\Update\GoogleUpdate.exe" [2010-04-14 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-04-01 1368064]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-03 13529088]

"nwiz"="nwiz.exe" [2008-05-03 1630208]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-03 86016]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0rmparite.nt

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^HP Image Zone - szybkie uruchamianie.lnk]

path=c:\documents and settings\All Users\Menu Start\Programy\Autostart\HP Image Zone - szybkie uruchamianie.lnk

backup=c:\windows\pss\HP Image Zone - szybkie uruchamianie.lnkCommon Startup

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPLA!

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMServer]

c:\program files\Common Files\Nokia\MPlatform\NokiaMServer [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ALLUpdate]

2010-06-20 09:54 484 ----a-w- c:\program files\ALLPlayer\ALLUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Anti Trojan Elite]

2010-07-03 09:57 864256 ----a-w- c:\program files\Anti Trojan Elite\TJEnder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]

2004-08-03 22:44 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]

2010-04-01 09:16 357696 ----a-w- c:\program files\DAEMON Tools Lite\DTLite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]

2010-04-12 22:46 1135912 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gadu-Gadu 10]

2010-04-21 08:40 11985504 ----a-w- c:\program files\Gadu-Gadu 10\gg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

2010-04-14 14:08 136176 ----atw- c:\documents and settings\zxcz\Ustawienia lokalne\Dane aplikacji\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2004-08-03 22:44 1667584 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

2006-01-12 14:40 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]

2009-11-11 09:57 1451520 ----a-w- c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

2010-05-13 14:12 26192168 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedX]

2006-06-27 12:11 46718 ----a-w- c:\progra~1\MyPortal\Speed-X\SpeedX.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

2010-05-17 16:26 1238352 ----a-w- c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2010-02-18 09:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Gadu-Gadu\\gg.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\Steam\\Steam.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\serious sam hd the first encounter\\Bin\\SamHD_Demo.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\star trek online\\Star Trek Online.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\serious sam hd the first encounter\\Bin\\SamHD.exe"=

"c:\\Program Files\\Ubisoft\\THE SETTLERS - Narodziny Imperium\\base\\bin\\Settlers6.exe"=

"c:\\Program Files\\Steam\\steamapps\\csxxcs999\\team fortress classic\\hl.exe"=

"c:\\Program Files\\KONAMI\\Pro Evolution Soccer 2010\\pes2010.exe"=

"c:\\Program Files\\KONAMI\\Pro Evolution Soccer 2010\\Ekstraklasa patch 2010.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Steam\\steamapps\\csxxcs999\\counter-strike\\hl.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\mass effect 2 demo\\MassEffect2Launcher.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\mass effect 2 demo\\docs\\EA Help\\Electronic_Arts_Technical_Support.htm"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2010-03-13 28552]

S3 ATE_PROCMON;ATE_PROCMON;c:\program files\Anti Trojan Elite\ATEPMON.sys [2010-07-03 5969]

S3 EverestDriver;Lavalys EVEREST Kernel Driver;c:\program files\Lavalys\EVEREST Corporate Edition\kerneld.wnt [2010-02-19 27248]

S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2010-02-19 137344]

S3 NtApm;Sterownik interfejsu NT Apm/Legacy;c:\windows\system32\drivers\NtApm.sys [2010-07-04 9600]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2010-03-30 691696]

.

Zawartość folderu 'Zaplanowane zadania'

2010-07-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-299502267-688789844-1060284298-1003Core.job

- c:\documents and settings\zxcz\Ustawienia lokalne\Dane aplikacji\Google\Update\GoogleUpdate.exe [2010-04-14 14:08]

2010-07-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-299502267-688789844-1060284298-1003UA.job

- c:\documents and settings\zxcz\Ustawienia lokalne\Dane aplikacji\Google\Update\GoogleUpdate.exe [2010-04-14 14:08]

2010-04-25 c:\windows\Tasks\Install_NSS.job

- c:\program files\DivX\Symantec\scstubinstaller.exe [2010-03-08 18:00]

2010-07-06 c:\windows\Tasks\WGASetup.job

- c:\windows\system32\KB905474\wgasetup.exe [2010-03-31 20:18]

.

------- Skan uzupełniający -------

.

uStart Page = hxxp://google.flashget.com/

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyServer = socks=

uInternet Settings,ProxyOverride = plimus.com,www.plimus.com,regnow.com,www.regnow.com,

IE: E&ksport do programu Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: ????3?? - c:\documents and settings\zxcz\Dane aplikacji\FlashGetBHO\GetUrl.htm

IE: ????3?????? - c:\documents and settings\zxcz\Dane aplikacji\FlashGetBHO\GetAllUrl.htm

TCP: {E6E023A1-BB31-49B3-915C-B1289A4EB0A5} = 88.208.105.1

FF - ProfilePath - c:\documents and settings\zxcz\Dane aplikacji\Mozilla\Firefox\Profiles\e4fq7bly.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2304157&SearchSource=3&q={searchTerms}

FF - prefs.js: browser.search.selectedEngine - Allegro

FF - prefs.js: browser.startup.homepage - hxxp://www.google.pl

FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2304157&q=

FF - prefs.js: network.proxy.type - 0

FF - component: c:\documents and settings\zxcz\Dane aplikacji\Mozilla\Firefox\Profiles\e4fq7bly.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\components\WinampTBPlayer.dll

FF - component: c:\documents and settings\zxcz\Dane aplikacji\Mozilla\Firefox\Profiles\e4fq7bly.default\extensions\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}\components\FFExternalAlert.dll

FF - component: c:\documents and settings\zxcz\Dane aplikacji\Mozilla\Firefox\Profiles\e4fq7bly.default\extensions\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}\components\RadioWMPCore.dll

FF - component: c:\documents and settings\zxcz\Dane aplikacji\Mozilla\Firefox\Profiles\e4fq7bly.default\extensions\{DB9127A2-3381-41ec-82B3-1B6ED4C6F29A}\components\FlashGetXPI.dll

FF - component: c:\documents and settings\zxcz\Dane aplikacji\Mozilla\Firefox\Profiles\e4fq7bly.default\extensions\DTToolbar@toolbarnet.com\components\DTToolbarFF.dll

FF - plugin: c:\documents and settings\All Users\Dane aplikacji\Gadu-Gadu 10\_userdata\npgg.2.dll

FF - plugin: c:\documents and settings\zxcz\Ustawienia lokalne\Dane aplikacji\Google\Update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll

FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll

FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll

---- FIREFOX - SPOSÓB POSTĘPOWANIA ----

FF - user.js: network.proxy.type - 0

FF - user.js: network.proxy.http -

FF - user.js: network.proxy.http_port - 0

FF - user.js: network.proxy.ssl -

FF - user.js: network.proxy.ssl_port - 0

FF - user.js: network.proxy.ftp -

FF - user.js: network.proxy.ftp_port - 0

FF - user.js: network.proxy.gopher -

FF - user.js: network.proxy.gopher_port - 0

FF - user.js: network.proxy.socks_version - 5

FF - user.js: network.proxy.socks -

FF - user.js: network.proxy.socks_port - 0

c:\program files\Mozilla Firetyfoxxxsadsasddytya\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firetyfoxxxsadsasddytya\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\Mozilla Firetyfoxxxsadsasddytya\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\Mozilla Firetyfoxxxsadsasddytya\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\Mozilla Firetyfoxxxsadsasddytya\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firetyfoxxxsadsasddytya\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\Mozilla Firetyfoxxxsadsasddytya\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\Mozilla Firetyfoxxxsadsasddytya\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\Mozilla Firetyfoxxxsadsasddytya\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firetyfoxxxsadsasddytya\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\Mozilla Firetyfoxxxsadsasddytya\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\Mozilla Firetyfoxxxsadsasddytya\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firetyfoxxxsadsasddytya\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\Mozilla Firetyfoxxxsadsasddytya\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firetyfoxxxsadsasddytya\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firetyfoxxxsadsasddytya\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firetyfoxxxsadsasddytya\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firetyfoxxxsadsasddytya\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firetyfoxxxsadsasddytya\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firetyfoxxxsadsasddytya\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\Mozilla Firetyfoxxxsadsasddytya\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\Mozilla Firetyfoxxxsadsasddytya\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\Mozilla Firetyfoxxxsadsasddytya\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\Mozilla Firetyfoxxxsadsasddytya\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\Mozilla Firetyfoxxxsadsasddytya\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

- - - - USUNIĘTO PUSTE WPISY - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)

MSConfigStartUp-FlashGet 3 - c:\program files\FlashGet Network\FlashGet 3\FlashGet3.exe

MSConfigStartUp-HotbarSA - c:\program files\Hotbar\bin\11.0.175.0\HotbarSA.exe

AddRemove-Adobe AIR - c:\program files\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe

AddRemove-Microsoft .NET Framework 2.0 - c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe

AddRemove-NSS - c:\program files\NortonInstaller\{397E31AA-0D78-4649-A01C-339D73A2ED35}\NSS\LicenseType\2.7.0.52\InstStub.exe

AddRemove-RegSupreme Pro_is1 - c:\program files\RegSupreme Pro\unins000.exe

AddRemove-Tibia Auto - c:\program files\Tibia Auto\uninstall.exe

AddRemove-Tibia_is1 - c:\program files\Tibia857\unins000.exe

AddRemove-TMIPC - c:\program files\Asprate\Tibia Multi IP Changer\UNinstaller.exe

AddRemove-{A1062847-0846-427A-92A1-BB8251A91E91} - c:\program files\HP\Digital Imaging\{A1062847-0846-427A-92A1-BB8251A91E91}\setup\hpzscr01.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-07-06 15:07

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

skanowanie ukrytych procesów ...

skanowanie ukrytych wpisów autostartu ...

skanowanie ukrytych plików ...

skanowanie pomyślnie ukończone

ukryte pliki: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ASFWHide]

"ImagePath"="\??\c:\docume~1\zxcz\USTAWI~1\Temp\ASFWHide"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EverestDriver]

"ImagePath"="\??\c:\program files\Lavalys\EVEREST Corporate Edition\kerneld.wnt"

.

--------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------

[HKEY_USERS\S-1-5-21-299502267-688789844-1060284298-1003\Software\Microsoft\Internet Explorer\MenuExt\使用快车3下载]

@Allowed: (Read) (RestrictedCode)

@="c:\\Documents and Settings\\zxcz\\Dane aplikacji\\FlashGetBHO\\GetUrl.htm"

"contexts"=dword:00000022

[HKEY_USERS\S-1-5-21-299502267-688789844-1060284298-1003\Software\Microsoft\Internet Explorer\MenuExt\使用快车3下载全部链接]

@Allowed: (Read) (RestrictedCode)

@="c:\\Documents and Settings\\zxcz\\Dane aplikacji\\FlashGetBHO\\GetAllUrl.htm"

"contexts"=dword:000000f3

.

--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------

- - - - - - - > 'explorer.exe'(1376)

c:\windows\system32\msi.dll

c:\program files\Gadu-Gadu\ggwhook.dll

c:\windows\system32\WPDShServiceObj.dll

c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll

c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL

c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_pol.nlr

c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

c:\windows\system32\browselc.dll

c:\program files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll

.

------------------------ Pozostałe uruchomione procesy ------------------------

.

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\nvsvc32.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\RUNDLL32.EXE

c:\documents and settings\zxcz\Ustawienia lokalne\Dane aplikacji\Google\Update\1.2.183.29\GoogleCrashHandler.exe

c:\program files\Gadu-Gadu\gg.exe

.

**************************************************************************

.

Czas ukończenia: 2010-07-06 15:18:28 - komputer został uruchomiony ponownie

ComboFix-quarantined-files.txt 2010-07-06 13:18

Przed: 20 365 758 464 bajtów wolnych

Po: 20 247 302 144 bajtów wolnych

WindowsXP-KB310994-SP2-Pro-BootDisk-PLK.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - A84F914BDEE28A6B9DD4BDCE6A8D71DC

martinesq · 6 Lipca 2010

OTL ! OTL logfile created on: 2010-07-06 15:20:38 - Run 3

OTL by OldTimer - Version 3.2.7.0 Folder = C:\Documents and Settings\zxcz\Moje dokumenty\Pobieranie

Windows XP Professional Edition Dodatek Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 6.0.2900.2180)

Locale: 00000415 | Country: Polska | Language: PLK | Date Format: yyyy-MM-dd

1 024,00 Mb Total Physical Memory | 595,00 Mb Available Physical Memory | 58,00% Memory free

2,00 Gb Paging File | 2,00 Gb Available in Paging File | 87,00% Paging File free

Paging file location(s): C:\pagefile.sys 1152 2304 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 74,52 Gb Total Space | 18,88 Gb Free Space | 25,33% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: JK-935C0E4A6427

Current User Name: zxcz

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Standard

========== Processes (SafeList) ==========

PRC - [2010-07-04 18:38:36 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\zxcz\Moje dokumenty\Pobieranie\OTL.exe

PRC - [2010-06-27 14:43:38 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firetyfoxxxsadsasddytya\firefox.exe

PRC - [2010-06-15 07:13:18 | 000,134,808 | ---- | M] (Google Inc.) -- C:\Documents and Settings\zxcz\Ustawienia lokalne\Dane aplikacji\Google\Update\1.2.183.29\GoogleCrashHandler.exe

PRC - [2005-03-31 11:18:49 | 000,790,528 | ---- | M] (sms-express.com) -- C:\Program Files\Gadu-Gadu\gg.exe

PRC - [2004-08-04 00:44:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe

PRC - [2004-04-01 11:52:06 | 001,368,064 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

========== Modules (SafeList) ==========

MOD - [2010-07-04 18:38:36 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\zxcz\Moje dokumenty\Pobieranie\OTL.exe

MOD - [2004-08-04 00:42:34 | 001,050,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll

MOD - [2004-08-03 23:01:18 | 000,102,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx

MOD - [2000-07-07 18:42:56 | 000,032,768 | ---- | M] () -- C:\Program Files\Gadu-Gadu\ggwhook.dll

========== Win32 Services (SafeList) ==========

SRV - [2010-01-26 13:41:08 | 000,652,800 | ---- | M] (Nokia) [On_Demand | Stopped] -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Running] -- -- (catchme)

DRV - [2010-06-15 22:11:05 | 000,278,984 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\atksgt.sys -- (atksgt)

DRV - [2010-06-15 22:10:54 | 000,025,416 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\lirsgt.sys -- (lirsgt)

DRV - [2010-03-30 20:04:53 | 000,691,696 | ---- | M] (Duplex Secure Ltd.) [Kernel | Boot | Stopped] -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)

DRV - [2010-01-21 15:53:16 | 000,018,048 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ccdcmb.sys -- (nmwcd)

DRV - [2009-12-30 12:30:56 | 000,007,936 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbser_lowerfltj.sys -- (UsbserFilt)

DRV - [2009-12-30 12:30:48 | 000,022,016 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ccdcmbo.sys -- (nmwcdc)

DRV - [2009-12-30 12:30:48 | 000,007,936 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbser_lowerflt.sys -- (upperdev)

DRV - [2009-12-30 12:25:12 | 000,137,344 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nmwcdnsu.sys -- (nmwcdnsu)

DRV - [2009-10-02 01:00:00 | 000,027,248 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\Lavalys\EVEREST Corporate Edition\kerneld.wnt -- (EverestDriver)

DRV - [2009-06-30 10:37:16 | 000,028,552 | ---- | M] (Panda Security, S.L.) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\pavboot.sys -- (pavboot)

DRV - [2008-08-26 10:26:12 | 000,018,816 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\pccsmcfd.sys -- (pccsmcfd)

DRV - [2008-05-03 05:46:00 | 006,554,496 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)

DRV - [2006-04-22 03:44:39 | 000,008,064 | ---- | M] (Elaborate Bytes AG) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\ElbyCDIO.sys -- (ElbyCDIO)

DRV - [2005-05-03 17:34:02 | 000,027,392 | ---- | M] (SlySoft, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ElbyCDFL.sys -- (ElbyCDFL)

DRV - [2004-09-10 04:05:36 | 000,005,969 | ---- | M] () [File_System | On_Demand | Stopped] -- C:\Program Files\Anti Trojan Elite\ATEPMON.sys -- (ATE_PROCMON)

DRV - [2004-08-04 01:08:22 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)

DRV - [2004-08-04 00:07:56 | 000,059,264 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) Sterownik audio USB (WDM)

DRV - [2004-08-03 23:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Sterownik NT karty Realtek RTL8139(A/B/C)

DRV - [2004-08-03 23:03:36 | 000,088,448 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkipx.sys -- (NwlnkIpx)

DRV - [2004-04-26 10:49:56 | 000,381,056 | ---- | M] (Sensaura) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)

DRV - [2003-09-25 18:00:00 | 000,174,530 | ---- | M] (OmniVision Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ov519vid.sys -- (ovt519)

DRV - [2002-09-20 11:53:34 | 000,235,100 | ---- | M] (Analog Devices Inc) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\MidiSyn.sys -- (MidiSyn)

DRV - [2002-07-27 19:01:06 | 000,005,306 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\TBPanel.sys -- (TBPanel)

DRV - [2002-07-27 19:01:06 | 000,005,306 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\TBPanel.sys -- (Cardex)

DRV - [2001-10-26 16:48:56 | 000,009,600 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\NtApm.sys -- (NtApm)

DRV - [2001-08-17 22:02:32 | 000,008,576 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hidgame.sys -- (hidgame)

DRV - [2001-08-17 21:54:18 | 000,063,232 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnknb.sys -- (NwlnkNb)

DRV - [2001-08-17 21:54:18 | 000,055,936 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkspx.sys -- (NwlnkSpx)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://google.flashget.com/

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = plimus.com,www.plimus.com,regnow.com,www.regnow.com,

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = socks=

========== FireFox ==========

FF - prefs.js..browser.search.defaultthis.engineName: "XfireXO Customized Web Search"

FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT2304157&SearchSource=3&q={searchTerms}"

FF - prefs.js..browser.search.selectedEngine: "Allegro"

FF - prefs.js..browser.startup.homepage: "http://www.google.pl"

FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.2

FF - prefs.js..extensions.enabledItems: personas@christopher.beard:1.5.3

FF - prefs.js..extensions.enabledItems: {0b38152b-1b20-484d-a11f-5e04a9b0661f}:5.6.10.2

FF - prefs.js..extensions.enabledItems: {5e5ab302-7f65-44cd-8211-c1d4caaccea3}:2.6.0.15

FF - prefs.js..extensions.enabledItems: {DB9127A2-3381-41ec-82B3-1B6ED4C6F29A}:1.0

FF - prefs.js..extensions.enabledItems: DTToolbar@toolbarnet.com:1.1.2.0185

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20

FF - prefs.js..extensions.enabledItems: {AC57FCAF-E6FC-4BE9-ADC0-D00129C4C1E7}:1.0

FF - prefs.js..keyword.URL: "http://search.conduit.com/ResultsExt.aspx?ctid=CT2304157&q="

FF - prefs.js..network.proxy.backup.ftp: ""

FF - prefs.js..network.proxy.backup.ftp_port: 0

FF - prefs.js..network.proxy.backup.gopher: ""

FF - prefs.js..network.proxy.backup.gopher_port: 0

FF - prefs.js..network.proxy.backup.socks: ""

FF - prefs.js..network.proxy.backup.socks_port: 0

FF - prefs.js..network.proxy.backup.ssl: ""

FF - prefs.js..network.proxy.backup.ssl_port: 0

FF - prefs.js..network.proxy.no_proxies_on: ""

FF - prefs.js..network.proxy.share_proxy_settings: true

FF - prefs.js..network.proxy.type: 0

FF - user.js..network.proxy.type: 0

FF - user.js..network.proxy.http: ""

FF - user.js..network.proxy.http_port: 0

FF - user.js..network.proxy.ssl: ""

FF - user.js..network.proxy.ssl_port: 0

FF - user.js..network.proxy.ftp: ""

FF - user.js..network.proxy.ftp_port: 0

FF - user.js..network.proxy.gopher: ""

FF - user.js..network.proxy.gopher_port: 0

FF - user.js..network.proxy.socks_version: 5

FF - user.js..network.proxy.socks: ""

FF - user.js..network.proxy.socks_port: 0

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.6\extensions\\Components: C:\Program Files\Mozilla Firetyfoxxxsadsasddytya\components [2010-06-28 17:12:37 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.6\extensions\\Plugins: C:\Program Files\Mozilla Firetyfoxxxsadsasddytya\plugins [2010-07-06 14:40:58 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Thunderbird\Extensions\\{CCB7D94B-CA92-4E3F-B79D-ADE0F07ADC74}: C:\Program Files\Nokia\Nokia Ovi Suite\Connectors\Thunderbird Connector\ThunderbirdExtension\ [2010-03-21 17:13:46 | 000,000,000 | ---D | M]

[2010-02-19 14:58:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\zxcz\Dane aplikacji\Mozilla\Extensions

[2010-07-06 14:47:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\zxcz\Dane aplikacji\Mozilla\Firefox\Profiles\e4fq7bly.default\extensions

[2010-03-28 19:47:34 | 000,000,000 | ---D | M] (Winamp Toolbar) -- C:\Documents and Settings\zxcz\Dane aplikacji\Mozilla\Firefox\Profiles\e4fq7bly.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}

[2010-05-30 15:42:46 | 000,000,000 | ---D | M] (XfireXO Toolbar) -- C:\Documents and Settings\zxcz\Dane aplikacji\Mozilla\Firefox\Profiles\e4fq7bly.default\extensions\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}

[2010-05-09 13:14:12 | 000,000,000 | ---D | M] (Easy Youtube Video Downloader) -- C:\Documents and Settings\zxcz\Dane aplikacji\Mozilla\Firefox\Profiles\e4fq7bly.default\extensions\{c0c9a2c7-2e5c-4447-bc53-97718bc91e1b}

[2010-05-10 18:32:35 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\zxcz\Dane aplikacji\Mozilla\Firefox\Profiles\e4fq7bly.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}

[2010-06-06 17:42:33 | 000,000,000 | ---D | M] (flashget3 Extension) -- C:\Documents and Settings\zxcz\Dane aplikacji\Mozilla\Firefox\Profiles\e4fq7bly.default\extensions\{DB9127A2-3381-41ec-82B3-1B6ED4C6F29A}

[2010-06-14 19:35:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\zxcz\Dane aplikacji\Mozilla\Firefox\Profiles\e4fq7bly.default\extensions\DTToolbar@toolbarnet.com

[2010-03-13 18:21:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\zxcz\Dane aplikacji\Mozilla\Firefox\Profiles\e4fq7bly.default\extensions\illimitux@illimitux.net

[2010-05-10 18:32:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\zxcz\Dane aplikacji\Mozilla\Firefox\Profiles\e4fq7bly.default\extensions\personas@christopher.beard

[2010-05-26 15:18:50 | 000,002,333 | ---- | M] () -- C:\Documents and Settings\zxcz\Dane aplikacji\Mozilla\Firefox\Profiles\e4fq7bly.default\searchplugins\askcom.xml

[2010-04-21 12:06:36 | 000,000,917 | ---- | M] () -- C:\Documents and Settings\zxcz\Dane aplikacji\Mozilla\Firefox\Profiles\e4fq7bly.default\searchplugins\conduit.xml

[2010-03-30 20:05:09 | 000,002,055 | ---- | M] () -- C:\Documents and Settings\zxcz\Dane aplikacji\Mozilla\Firefox\Profiles\e4fq7bly.default\searchplugins\daemon-search.xml

O1 HOSTS File: ([2010-07-06 15:06:32 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)

O2 - BHO: (IEPluginBHO Class) - {F5CC7F02-6F4E-4462-B5B1-394A57FD3E0D} - C:\Documents and Settings\All Users\Dane aplikacji\Gadu-Gadu 10\_userdata\ggbho.2.dll (GG Network S.A.)

O3 - HKLM\..\Toolbar: (DAEMON Tools Toolbar) - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll File not found

O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.

O3 - HKCU\..\Toolbar\WebBrowser: (DAEMON Tools Toolbar) - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll File not found

O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)

O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)

O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()

O4 - HKLM..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe (Analog Devices, Inc.)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O9 - Extra Button: Wyślij do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - Reg Error: Value error. File not found

O9 - Extra 'Tools' menuitem : Wyślij &do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - Reg Error: Value error. File not found

O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)

O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://active.macromedia.com/flash2/cabs/swflash.cab (Shockwave Flash Object)

O18 - Protocol\Handler\cetihpz {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company)

O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)

O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O24 - Desktop Components:0 (Moja bieżąca strona główna) - About:Home

O24 - Desktop WallPaper: C:\Documents and Settings\zxcz\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp

O24 - Desktop BackupWallPaper: C:\Documents and Settings\zxcz\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp

O30 - LSA: Authentication Packages - (nwprovau) - C:\WINDOWS\System32\nwprovau.dll (Microsoft Corporation)

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2010-02-18 23:12:22 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O34 - HKLM BootExecute: (rmparite.nt) - File not found

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = ComFile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010-07-06 14:58:41 | 000,000,000 | RHSD | C] -- C:\cmdcons

[2010-07-06 14:54:42 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe

[2010-07-06 14:54:42 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe

[2010-07-06 14:54:41 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe

[2010-07-06 14:54:41 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe

[2010-07-06 14:53:57 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT

[2010-07-06 14:51:46 | 000,000,000 | ---D | C] -- C:\Qoobox

[2010-07-06 14:29:46 | 000,000,000 | ---D | C] -- C:\_OTL

[2010-07-06 11:03:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\zxcz\Moje dokumenty\GTA San Andreas User Files

[2010-07-04 14:26:45 | 000,009,600 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\NtApm.sys

[2010-07-03 10:49:50 | 000,000,000 | ---D | C] -- C:\Program Files\Anti Trojan Elite

[2010-07-03 10:45:04 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro

[2010-07-02 19:31:53 | 000,000,000 | ---D | C] -- C:\Program Files\AGEIA Technologies

[2010-07-02 19:31:53 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\AGEIA

[2010-07-02 19:31:34 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard

[2010-06-22 18:56:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\zxcz\Moje dokumenty\KONAMI

[2010-06-22 18:29:28 | 000,000,000 | ---D | C] -- C:\Program Files\KONAMI

[2010-06-22 18:29:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Dane aplikacji\KONAMI

[2010-06-21 21:11:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Dane aplikacji\TEMP

[2010-06-20 19:25:06 | 000,411,368 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll

[2010-06-20 19:25:06 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl

[2010-06-20 19:25:05 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe

[2010-06-20 19:25:05 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe

[2010-06-20 19:25:05 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe

[2010-06-19 21:23:37 | 000,000,000 | ---D | C] -- C:\Program Files\TVTool

[2010-06-17 22:26:24 | 000,008,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\hidgame.sys

[2010-06-16 15:57:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\zxcz\Moje dokumenty\THE SETTLERS - Rise of an Empire

[2010-06-15 20:57:09 | 000,000,000 | ---D | C] -- C:\Program Files\Ubisoft

[2010-06-15 20:55:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Dokumenty\DAEMON Tools Images

[2010-06-15 19:27:27 | 000,000,000 | R--D | C] -- C:\MSOCache

[2010-06-14 19:35:22 | 000,000,000 | ---D | C] -- C:\Program Files\DAEMON Tools Lite

[2010-06-07 20:26:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\zxcz\Pulpit\bzzz

[2010-06-06 21:50:04 | 000,000,000 | ---D | C] -- C:\Program Files\Turbine

[2010-06-06 17:44:03 | 000,000,000 | ---D | C] -- C:\Program Files\Pando Networks

[2010-06-06 17:42:33 | 000,000,000 | ---D | C] -- C:\Downloads

[2010-06-06 17:42:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\zxcz\Dane aplikacji\FlashGet

========== Files - Modified Within 30 Days ==========

[2010-07-06 15:18:06 | 000,001,128 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-299502267-688789844-1060284298-1003UA.job

[2010-07-06 15:07:09 | 000,176,765 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml

[2010-07-06 15:07:01 | 000,000,258 | ---- | M] () -- C:\WINDOWS\system.ini

[2010-07-06 15:06:32 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts

[2010-07-06 15:06:22 | 000,000,260 | ---- | M] () -- C:\WINDOWS\tasks\WGASetup.job

[2010-07-06 15:06:07 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT

[2010-07-06 15:06:02 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2010-07-06 15:05:56 | 1073,315,840 | -HS- | M] () -- C:\hiberfil.sys

[2010-07-06 15:05:15 | 006,029,312 | ---- | M] () -- C:\Documents and Settings\zxcz\ntuser.dat

[2010-07-06 15:05:15 | 000,000,292 | -HS- | M] () -- C:\Documents and Settings\zxcz\ntuser.ini

[2010-07-06 14:58:50 | 000,000,281 | RHS- | M] () -- C:\boot.ini

[2010-07-06 12:34:54 | 000,066,915 | ---- | M] () -- C:\Documents and Settings\zxcz\Pulpit\stats.JPG

[2010-07-06 09:14:22 | 000,005,992 | ---- | M] () -- C:\Documents and Settings\zxcz\Pulpit\avatar.jpg

[2010-07-06 09:06:35 | 000,189,461 | ---- | M] () -- C:\Documents and Settings\zxcz\Pulpit\download.JPG

[2010-07-04 23:22:33 | 000,000,911 | ---- | M] () -- C:\WINDOWS\win.ini

[2010-07-04 23:22:33 | 000,000,211 | ---- | M] () -- C:\Boot.bak

[2010-07-04 19:35:37 | 000,020,480 | ---- | M] () -- C:\WINDOWS\System32\H@tKeysH@@k.DLL

[2010-07-03 11:57:49 | 000,014,848 | ---- | M] () -- C:\WINDOWS\System32\BASSMOD.dll

[2010-07-03 07:18:00 | 000,001,076 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-299502267-688789844-1060284298-1003Core.job

[2010-07-01 21:15:28 | 000,000,654 | ---- | M] () -- C:\Documents and Settings\zxcz\Pulpit\TVTool.lnk

[2010-07-01 21:09:41 | 000,000,008 | ---- | M] () -- C:\WINDOWS\System32\nvModes.dat

[2010-07-01 14:17:20 | 001,576,722 | -H-- | M] () -- C:\Documents and Settings\zxcz\Ustawienia lokalne\Dane aplikacji\IconCache.db

[2010-06-22 21:15:12 | 000,019,456 | ---- | M] () -- C:\Documents and Settings\zxcz\Ustawienia lokalne\Dane aplikacji\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2010-06-22 09:04:44 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2010-06-21 12:23:36 | 000,044,984 | ---- | M] () -- C:\Documents and Settings\zxcz\Ustawienia lokalne\Dane aplikacji\GDIPFONTCACHEV1.DAT

[2010-06-21 09:03:35 | 000,198,552 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT

[2010-06-20 19:24:45 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll

[2010-06-20 19:24:45 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe

[2010-06-20 19:24:45 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe

[2010-06-20 19:24:45 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe

[2010-06-20 19:24:45 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl

[2010-06-20 11:54:51 | 000,000,484 | ---- | M] () -- C:\WINDOWS\System32\xvidvfw.dll

[2010-06-20 11:54:51 | 000,000,484 | ---- | M] () -- C:\WINDOWS\System32\xvidcore.dll

[2010-06-20 11:54:51 | 000,000,484 | ---- | M] () -- C:\WINDOWS\System32\ac3acm.acm

[2010-06-16 08:29:42 | 000,000,000 | ---- | M] () -- C:\WINDOWS\MEMORY.DMP

[2010-06-16 06:33:53 | 000,000,754 | ---- | M] () -- C:\WINDOWS\WORDPAD.INI

[2010-06-15 22:12:17 | 000,001,938 | ---- | M] () -- C:\Documents and Settings\All Users\Pulpit\THE SETTLERS - Narodziny Imperium.lnk

[2010-06-15 22:11:05 | 000,278,984 | ---- | M] () -- C:\WINDOWS\System32\drivers\atksgt.sys

[2010-06-15 22:10:54 | 000,025,416 | ---- | M] () -- C:\WINDOWS\System32\drivers\lirsgt.sys

[2010-06-06 17:42:25 | 000,000,025 | ---- | M] () -- C:\WINDOWS\libem.INI

========== Files Created - No Company Name ==========

[2010-07-06 14:58:50 | 000,000,211 | ---- | C] () -- C:\Boot.bak

[2010-07-06 14:58:47 | 000,262,400 | ---- | C] () -- C:\cmldr

[2010-07-06 14:54:42 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe

[2010-07-06 14:54:42 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe

[2010-07-06 14:54:42 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe

[2010-07-06 14:54:41 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe

[2010-07-06 14:54:41 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe

[2010-07-06 12:34:53 | 000,066,915 | ---- | C] () -- C:\Documents and Settings\zxcz\Pulpit\stats.JPG

[2010-07-06 09:14:21 | 000,005,992 | ---- | C] () -- C:\Documents and Settings\zxcz\Pulpit\avatar.jpg

[2010-07-06 09:06:34 | 000,189,461 | ---- | C] () -- C:\Documents and Settings\zxcz\Pulpit\download.JPG

[2010-07-04 19:35:37 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\H@tKeysH@@k.DLL

[2010-07-03 11:54:51 | 000,014,848 | ---- | C] () -- C:\WINDOWS\System32\BASSMOD.dll

[2010-07-01 21:15:28 | 000,000,654 | ---- | C] () -- C:\Documents and Settings\zxcz\Pulpit\TVTool.lnk

[2010-06-20 11:07:23 | 000,000,008 | ---- | C] () -- C:\WINDOWS\System32\nvModes.dat

[2010-06-15 22:12:17 | 000,001,938 | ---- | C] () -- C:\Documents and Settings\All Users\Pulpit\THE SETTLERS - Narodziny Imperium.lnk

[2010-06-15 22:11:04 | 000,278,984 | ---- | C] () -- C:\WINDOWS\System32\drivers\atksgt.sys

[2010-06-15 22:10:54 | 000,025,416 | ---- | C] () -- C:\WINDOWS\System32\drivers\lirsgt.sys

[2010-06-06 17:42:25 | 000,000,025 | ---- | C] () -- C:\WINDOWS\libem.INI

[2010-06-03 11:14:58 | 001,867,776 | ---- | C] () -- C:\WINDOWS\System32\python24.dll

[2010-05-29 19:25:59 | 000,000,280 | ---- | C] () -- C:\WINDOWS\game.ini

[2010-05-11 20:32:38 | 000,041,872 | ---- | C] () -- C:\WINDOWS\System32\xfcodec.dll

[2010-03-28 13:49:56 | 000,000,023 | -HS- | C] () -- C:\WINDOWS\System32\cedddcd9_d.dll

[2010-03-14 19:07:54 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI

[2010-03-06 20:02:14 | 001,867,776 | ---- | C] () -- C:\WINDOWS\python24.dll

[2010-02-19 17:21:07 | 000,178,176 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll

[2010-02-19 17:21:07 | 000,000,038 | ---- | C] () -- C:\WINDOWS\avisplitter.ini

[2010-02-19 17:21:05 | 000,000,484 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll

[2010-02-19 17:21:05 | 000,000,484 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll

[2010-02-19 17:21:04 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll

[2010-02-19 17:21:01 | 000,085,504 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll

[2010-02-19 17:21:01 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest

[2010-02-19 16:01:15 | 000,000,421 | ---- | C] () -- C:\WINDOWS\ODBC.INI

[2009-08-03 00:21:54 | 000,197,912 | ---- | C] () -- C:\WINDOWS\System32\physxcudart_20.dll

[2009-08-03 00:21:54 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelTraditionalChinese.dll

[2009-08-03 00:21:54 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSwedish.dll

[2009-08-03 00:21:54 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSpanish.dll

[2009-08-03 00:21:54 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSimplifiedChinese.dll

[2009-08-03 00:21:54 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelPortugese.dll

[2009-08-03 00:21:54 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelKorean.dll

[2009-08-03 00:21:54 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelJapanese.dll

[2009-08-03 00:21:52 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelGerman.dll

[2009-08-03 00:21:52 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelFrench.dll

[2005-12-10 03:06:00 | 001,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll

[2005-12-10 03:06:00 | 001,486,848 | ---- | C] () -- C:\WINDOWS\System32\nview.dll

[2005-12-10 03:06:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll

[2005-12-10 03:06:00 | 000,573,440 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll

[2005-12-10 03:06:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll

[2005-12-10 03:06:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll

[2004-07-17 11:36:38 | 000,027,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys

[2003-04-08 11:40:22 | 000,005,679 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== Alternate Data Streams ==========

@Alternate Data Stream - 286 bytes -> C:\Documents and Settings\All Users\Dane aplikacji\TEMP:6BE50C2B

< End of report >

picasso · 6 Lipca 2010

1. ComboFix porządził się inaczej, zignorował manual, wziął całkiem inną kopię do podmiany, z katalogu Przywracania systemu:

Zainfekowana kopia c:\windows\system32\ws2_32.dll została znaleziona. Problem naprawiono

Plik odzyskano z - c:\system volume information\_restore{1386A8C2-E0B7-49EF-8B15-E3C31D4E1E48}\RP144\A0252191.dll

Skasował także plik sknc.dll, co było tu przewidziane. W podsumowaniu: problem z zainfekowaną keyloggerem biblioteką oraz otwieraniem dysków jest już rozwiązany.

2. Skutkiem ubocznym używania ComboFix jest usunięcie komponentów FlashGet, ponieważ program klasyfikuje ten obiekt jako adware:

c:\documents and settings\zxcz\Dane aplikacji\BITS

c:\documents and settings\zxcz\Dane aplikacji\BITS\BITS.ini

c:\documents and settings\zxcz\Dane aplikacji\BITS\DHTTable.dat

c:\documents and settings\zxcz\Dane aplikacji\BITS\ProxyList.ini

c:\documents and settings\zxcz\Dane aplikacji\FlashGetBHO

c:\documents and settings\zxcz\Dane aplikacji\FlashGetBHO\FlashGetBHO3.dll

c:\documents and settings\zxcz\Dane aplikacji\FlashGetBHO\FlashGetHook.dll

c:\documents and settings\zxcz\Dane aplikacji\FlashGetBHO\GetAllUrl.htm

c:\documents and settings\zxcz\Dane aplikacji\FlashGetBHO\GetUrl.htm

c:\program files\FlashGet Network

c:\program files\FlashGet Network\FlashGet 3\dat\Appsetting.cfg

c:\program files\FlashGet Network\FlashGet 3\dat\FlashGet3db.bak

c:\program files\FlashGet Network\FlashGet 3\dat\FlashGet3db.db

c:\program files\FlashGet Network\FlashGet 3\P2PCfg.ini

c:\program files\FlashGet Network\FlashGet 3\perf.ini

c:\program files\FlashGet Network\FlashGet 3\pstat.dat

c:\program files\FlashGet Network\FlashGet 3\pup.dat

FlashGet wstawił także w menu kontekstowym IE zapisy po chińsku, które są zablokowane:

--------------------- ZABLOKOWANE KLUCZE REJESTRU --------------------- 

[HKEY_USERS\S-1-5-21-299502267-688789844-1060284298-1003\Software\Microsoft\Internet Explorer\MenuExt\使用快车3下载]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

@="c:\\Documents and Settings\\zxcz\\Dane aplikacji\\FlashGetBHO\\GetUrl.htm"

"contexts"=dword:00000022
 

[HKEY_USERS\S-1-5-21-299502267-688789844-1060284298-1003\Software\Microsoft\Internet Explorer\MenuExt\使用快车3下载全部链接]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

@="c:\\Documents and Settings\\zxcz\\Dane aplikacji\\FlashGetBHO\\GetAllUrl.htm"

"contexts"=dword:000000f3

.

Pytaniem jest co chcesz przeprowadzić: jeśli FlashGeta nie stosujesz, całkowicie odinstaluj. Jeśli stosujesz, chyba sprawniej pójdzie reinstalacja niż wyciąganie z kwarantanny.

3. ComboFix skasował także serię plików:


[2010-04-11 19:55:38 | 000,000,484 | ---- | C] () -- C:\WINDOWS\System32\evr.dll

[2010-04-11 19:55:37 | 000,000,484 | ---- | C] () -- C:\WINDOWS\System32\evrprop.dll

[2010-04-11 19:55:37 | 000,000,484 | ---- | C] () -- C:\WINDOWS\System32\dxva2.dll

[2010-04-11 19:55:36 | 000,000,484 | ---- | C] () -- C:\WINDOWS\System32\libFLAC.dll

[2010-04-11 19:55:31 | 000,000,484 | ---- | C] () -- C:\WINDOWS\System32\mkzlib.dll

[2010-04-11 19:55:31 | 000,000,484 | ---- | C] () -- C:\WINDOWS\System32\mkunicode.dll

Te pliki, choć wg nazw prawidłowe, mają ten sam rozmiar. Porównując teraz z nowym logiem z OTL jest większa grupa plików kodeko-pochodnych dzieląca ten sam rozmiar:


[2010-06-20 11:54:51 | 000,000,484 | ---- | M] () -- C:\WINDOWS\System32\xvidvfw.dll

[2010-06-20 11:54:51 | 000,000,484 | ---- | M] () -- C:\WINDOWS\System32\xvidcore.dll

[2010-06-20 11:54:51 | 000,000,484 | ---- | M] () -- C:\WINDOWS\System32\ac3acm.acm

Nie wiem co o tym sądzić, bo te pliki nie powinny mieć takiego samego rozmiaru. Weź jeden z tych trzech wyżej wyliczonych i przeskanuj na VirusTotal. Podaj tu wyniki.

Czyszczeniem mało istotnych śmieci z OTL zajmiemy się potem. Najpierw wyniki skanu.

.

martinesq · 6 Lipca 2010

A gmer ci dać ?? bo tamte 2 logi były szybko a na ten jeszcze poczekasz pewnie długo

http://www.virustotal.com/pl/analisis/48ec8eabefd51bc4a9e876a662a1fd3a83e3db3ef8559827986a315ebbd51866-1265154586

FlasGet nie używam juz odinstalowany

picasso · 6 Lipca 2010

Nie, GMER nie jest już konieczny. Plik ws2_32.dll został pomyślnie zamieniony, czego dowodem jest bezbólowa kasacja pliku sknc.dll. Gdyby plik systemowy nie został podmieniony, proste usunięcie sknc.dll skutkuje niemożnością startu do Windows. Ta sprawa jest rozwiązana. Na teraz chodzi mi o sprecyzowanie co robić z FlashGetem i sprawdzenie na Virus Total jednego z podanych plików. I wtedy przejdę dalej.

EDIT: Dodałeś dane. Posty złączyłam razem. Pliki wg skanerów są czyste, ale one mi się nie podobają i będę je usuwać, a Ty nadpiszesz sobie paczkę K-Lite Codec Pack. W związku z usunięciem FlashGeta podaj nowy log z OTL, by było wiadomo co się usunęło od tego programu w sposób automatyczny.

martinesq · 6 Lipca 2010

OTL logfile created on: 2010-07-06 16:34:30 - Run 4

OTL by OldTimer - Version 3.2.7.0 Folder = C:\Documents and Settings\zxcz\Moje dokumenty\Pobieranie

Windows XP Professional Edition Dodatek Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 6.0.2900.2180)

Locale: 00000415 | Country: Polska | Language: PLK | Date Format: yyyy-MM-dd

1 024,00 Mb Total Physical Memory | 523,00 Mb Available Physical Memory | 51,00% Memory free

2,00 Gb Paging File | 2,00 Gb Available in Paging File | 84,00% Paging File free

Paging file location(s): C:\pagefile.sys 1152 2304 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 74,52 Gb Total Space | 18,85 Gb Free Space | 25,30% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: JK-935C0E4A6427

Current User Name: zxcz

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Standard

========== Processes (SafeList) ==========

PRC - [2010-07-04 18:38:36 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\zxcz\Moje dokumenty\Pobieranie\OTL.exe

PRC - [2010-06-27 14:43:40 | 000,014,808 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firetyfoxxxsadsasddytya\plugin-container.exe