komp szaleje nie wiem co sie dzieje

[Piotrek89]

oto log z hijacka:

Logfile of HijackThis v1.99.1
Scan saved at 04:42:09, on 2003-07-11
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Gadu-Gadu\gg.exe
C:\WINDOWS\system32\dllcache\mravsc32.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\piotrek\Ustawienia lokalne\Temp\Katalog tymczasowy 1 dla hijackthis_199.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [WinDLL (tepmlayer.exe)] rundll32.exe C:\WINDOWS\System32\tepmlayer.exe,start
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{A9229683-BA71-479A-B217-55C6D1362A68}: NameServer = 80.244.140.241 80.244.128.1
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Distributed Allocated Memory Unit - Unknown owner - C:\WINDOWS\system32\dllcache\mravsc32.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe

[wojtas]

co sie dzieje z kompem ?

[Piotrek89]

na poczatku nie mogl sie wlaczyc probowalem wszystkiego dochodzilo do ladowania systemu i wtedy sie restartowal i tak dalej zrobilem formata myslalem ze juz dobrze a tu znowu to sam wiec jeszcze raz format i pisze tutaj avast caly czas wykrywa jakies bledy ;/

[wojtas]

Wykonaj to co jest podane w tym temacie


Zastosuj SDFix . Po pobraniu uruchom go a rozpakuje się do C:\SDFix. Uruchom komputer w trybie awaryjnym (F8 przy stracie systemu). Będąc w awaryjnym uruchom plik RunThis.bat z folderu SDFixa. Zatwierdź czyszczenie przez Y. Poczekaj aż ukończy i komputer zresetuje

Potem wejdz do folderu C:\SDFix wrzuc zawartość pliku Report.txt + log z combofixa oraz z hijacka

[Dzi@dek]

avast caly czas wykrywa jakies bledy

Konkretnie jakie

[Piotrek89]

Plik: C:\WINDOWS\System32\sstts.dll
Nazwa pasożyta: Win32:TratBHO [Trj]
Typ pasozyta: Koń trojański
Wersja VPS: 080116-0, 2008-01-16

[Dzi@dek]

Zastosuj SDFix .

[Piotrek89]

SDFix: Version 1.127

Run by piotrek on 2008-01-16 at 15:57

Microsoft Windows XP [Wersja 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
Distributed Allocated Memory Unit

Path:
"C:\WINDOWS\system32\dllcache\mravsc32.exe"

Distributed Allocated Memory Unit - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\ADWARE.EXE - Deleted
C:\WINDOWS\system32\algs.exe - Deleted
C:\WINDOWS\system32\dllcache\mravsc32.exe - Deleted
C:\WINDOWS\system32\i - Deleted
C:\WINDOWS\system32\iexplore.exe - Deleted
C:\WINDOWS\system32\logon.exe - Deleted
C:\WINDOWS\Temp\removalfile.bat - Deleted




Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-16 15:59:56
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Fri 11 Jul 2003 1,138,688 ..SH. --- "C:\WINDOWS\system32\wingatey32.exe"

Finished!

ComboFix 08-01-16.4 - piotrek 2008-01-16 16:04:13.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.0.1250.1.1045.18.70 [GMT 1:00]
Running from: C:\Documents and Settings\piotrek\Pulpit\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Alwil Software\Avast4\ashDisp .exe
C:\Program Files\Gadu-Gadu\gg .exe
C:\Program Files\Gadu-Gadu\gg .exe
C:\Program Files\Gadu-Gadu\gg .exe
C:\Program Files\Gadu-Gadu\gg .exe
C:\Program Files\Gadu-Gadu\gg .exe
C:\Program Files\Gadu-Gadu\gg .exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\awtturr.dll
C:\WINDOWS\system32\awvvv.dll
C:\WINDOWS\system32\byxvuut.dll
C:\WINDOWS\system32\ctfmon .exe
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\ddcaaby.dll
C:\WINDOWS\system32\ddcawvw.dll
C:\WINDOWS\system32\ddcyv.exe
C:\WINDOWS\system32\hggdeef.dll
C:\WINDOWS\system32\hgggfdb.dll
C:\WINDOWS\system32\jkkjghe.dll
C:\WINDOWS\system32\khfggff.dll
C:\WINDOWS\system32\RCX18.tmp
C:\WINDOWS\system32\RCX1E.tmp
C:\WINDOWS\system32\RCX20.tmp
C:\WINDOWS\system32\RCX2E.tmp
C:\WINDOWS\system32\vycdd.ini
C:\WINDOWS\system32\vycdd.ini2

Kod: Zaznacz wszystko

<pre>
C:\Program Files\Alwil Software\Avast4\ashDisp .exe ---> QooBox
C:\Program Files\Gadu-Gadu\gg       .exe ---> gg.exe
C:\Program Files\Messenger\msmsgs .exe ---> msmsgs.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag .exe ---> Dragdiag.exe
C:\Program Files\Winamp\winampa .exe ---> winampa.exe
C:\WINDOWS\system32\ctfmon .exe ---> QooBox
</pre>

.
.
((((((((((((((((((((((((( Files Created from 2007-12-16 to 2008-01-16 )))))))))))))))))))))))))))))))
.

2008-01-16 16:03 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-16 16:00 . 2008-01-16 16:00 334,848 --a------ C:\WINDOWS\system32\ddcyv.dll
2008-01-16 16:00 . 2008-01-16 16:00 0 --a------ C:\adware.exe
2008-01-16 15:57 . 2008-01-16 15:57 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-16 11:02 . 2008-01-16 15:49 82,882 --a------ C:\WINDOWS\system32\explorer .exe
2008-01-16 09:32 . 2008-01-16 09:32 82,882 --a------ C:\WINDOWS\system32\winamp .exe
2008-01-16 09:18 . 2008-01-16 09:18 82,882 --a------ C:\WINDOWS\system32\uaxhodqt.exe
2008-01-16 09:18 . 2008-01-16 09:18 19,711 --a------ C:\WINDOWS\system32\chpwwben.exe
2008-01-16 09:18 . 2008-01-16 09:18 19,711 --a------ C:\WINDOWS\system32\acvdzo.exe
2008-01-16 09:18 . 2008-01-16 09:18 6,696 --a------ C:\WINDOWS\system32\yxllikxi.exe
2008-01-16 09:18 . 2008-01-16 09:18 6,696 --a------ C:\WINDOWS\system32\lhccrb.exe
2008-01-16 09:00 . 2008-01-16 09:00 82,882 --a------ C:\WINDOWS\system32\dcnls.exe
2008-01-16 09:00 . 2008-01-16 09:00 19,711 --a------ C:\WINDOWS\system32\mylcn.exe
2008-01-16 09:00 . 2008-01-16 09:00 19,711 --a------ C:\WINDOWS\system32\gjtxresk.exe
2008-01-16 09:00 . 2008-01-16 09:00 6,696 --a------ C:\WINDOWS\system32\uytm.exe
2008-01-16 09:00 . 2008-01-16 09:00 6,696 --a------ C:\WINDOWS\system32\czsgd.exe
2008-01-16 08:59 . 2008-01-16 15:49 82,882 --a------ C:\WINDOWS\system32\iexplore .exe
2008-01-16 08:59 . 2008-01-16 09:32 64,816 --a------ C:\WINDOWS\system32\logon .exe
2008-01-16 08:09 . 2008-01-16 08:09 82,882 --a------ C:\WINDOWS\system32\dksmx.exe
2008-01-16 08:09 . 2008-01-16 08:09 19,711 --a------ C:\WINDOWS\system32\hnvxzdbu.exe
2008-01-16 08:09 . 2008-01-16 08:09 6,696 --a------ C:\WINDOWS\system32\wbdcmqyg.exe
2008-01-15 23:01 . 2008-01-15 23:01 82,882 --a------ C:\WINDOWS\system32\dlneuwfp.exe
2008-01-15 23:01 . 2008-01-15 23:01 19,711 --a------ C:\WINDOWS\system32\dkfksuws.exe
2008-01-15 23:01 . 2008-01-15 23:01 6,696 --a------ C:\WINDOWS\system32\jrpeupeq.exe
2008-01-15 22:02 . 2008-01-15 22:02 19,711 --a------ C:\WINDOWS\system32\xzlpyjlj.exe
2008-01-15 22:02 . 2008-01-15 22:02 6,696 --a------ C:\WINDOWS\system32\rxtr.exe
2008-01-15 22:01 . 2008-01-15 22:01 82,882 --a------ C:\WINDOWS\system32\winIogon .exe
2008-01-15 21:46 . 2008-01-15 21:46 1,158 --a------ C:\WINDOWS\mozver.dat
2008-01-15 20:54 . 2007-12-04 14:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-01-15 20:54 . 2004-01-09 10:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-01-15 20:54 . 2007-12-04 13:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-01-15 20:54 . 2007-12-04 15:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-01-15 20:54 . 2007-12-04 15:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-01-15 20:54 . 2007-12-04 15:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-01-15 20:54 . 2007-12-04 15:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-01-15 20:54 . 2007-12-04 15:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-01-15 20:06 . 2003-10-28 11:02 20,016 --------- C:\WINDOWS\system32\drivers\pxhelp20.sys
2008-01-15 20:05 . 2008-01-16 16:06 <DIR> d-------- C:\Program Files\Winamp
2008-01-15 20:05 . 2008-01-16 12:19 192 --a------ C:\WINDOWS\winamp.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-16 15:06 --------- d-----w C:\Program Files\Gadu-Gadu
2001-11-23 04:08 712,704 ----a-w C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
2003-07-11 21:20 1,138,688 --sh--w C:\WINDOWS\system32\wingatey32.exe
.

Kod: Zaznacz wszystko

<pre>
----a-w            82,882 2008-01-16 14:49:29  C:\WINDOWS\system32\explorer .exe
----a-w            82,882 2008-01-16 14:49:27  C:\WINDOWS\system32\iexplore .exe
----a-w            64,816 2008-01-16 08:32:05  C:\WINDOWS\system32\logon .exe
----a-w            82,882 2008-01-16 08:32:08  C:\WINDOWS\system32\winamp .exe
----a-w            82,882 2008-01-15 21:01:22  C:\WINDOWS\system32\winIogon .exe
</pre>

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2AE4005E-689F-4FB9-8C3D-D2B8B58AC072}]
2003-07-11 22:22 37376 --a------ C:\WINDOWS\system32\ssqnopm.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2001-10-26 18:29 13312]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-01-16 16:00 1077277]
"NvMediaCenter"="C:\WINDOWS\System32\NVMCTRAY.DLL" [2003-10-06 13:16 49152]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg .exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="cmicnfg.cpl" []
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-10-06 13:16 5058560]
"nwiz"="nwiz.exe" [2003-10-06 13:16 741376 C:\WINDOWS\system32\nwiz.exe]
"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2008-01-16 16:00 888832]
"WinDLL (wingatey32.exe)"="C:\WINDOWS\System32\wingatey32.exe" [2003-07-11 22:20 1138688]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-01-16 16:00 33792]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2001-10-26 18:29 13312]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{2AE4005E-689F-4FB9-8C3D-D2B8B58AC072}"= C:\WINDOWS\system32\ssqnopm.dll [2003-07-11 22:22 37376]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqnopm]
ssqnopm.dll 2003-07-11 22:22 37376 C:\WINDOWS\system32\ssqnopm.dll

R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2003-07-11 22:20]
S3 GVCplDrv;GVCplDrv;C:\WINDOWS\System32\drivers\GVCplDrv.sys [2003-09-30 06:25]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-16 16:07:02
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\ssqnopm.dll

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2600.0000]
-> C:\WINDOWS\system32\ssqnopm.dll
.
Completion time: 2008-01-16 16:07:46 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-16 15:07:30

Logfile of HijackThis v1.99.1
Scan saved at 16:08:35, on 2008-01-16
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\piotrek\Ustawienia lokalne\Temp\Katalog tymczasowy 1 dla hijackthis_199.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: (no name) - {2AE4005E-689F-4FB9-8C3D-D2B8B58AC072} - C:\WINDOWS\system32\ssqnopm.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [WinDLL (wingatey32.exe)] rundll32.exe C:\WINDOWS\System32\wingatey32.exe,start
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg .exe" /tray
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{33003CF2-917F-4503-8D05-684F6E635342}: NameServer = 80.244.140.241 80.244.128.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{33003CF2-917F-4503-8D05-684F6E635342}: NameServer = 80.244.140.241 80.244.128.1
O20 - Winlogon Notify: ssqnopm - C:\WINDOWS\SYSTEM32\ssqnopm.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

[wojtas]

zastosuj:

smitfraudfix z opcji 2

oraz te skanery po kilka razy

VundoFix

VirtumundoBeGone

FixVundo


i daj nowe logi z hijacka oraz combofixa

[Piotrek89]

Logfile of HijackThis v1.99.1
Scan saved at 09:49:14, on 2008-01-17
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Gadu-Gadu\gg.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\piotrek\Ustawienia lokalne\Temp\Katalog tymczasowy 2 dla hijackthis_199.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [WinDLL (wingatey32.exe)] rundll32.exe C:\WINDOWS\System32\wingatey32.exe,start
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Device Detector] "C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe" -autorun
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{33003CF2-917F-4503-8D05-684F6E635342}: NameServer = 80.244.140.241 80.244.128.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{33003CF2-917F-4503-8D05-684F6E635342}: NameServer = 80.244.140.241 80.244.128.1
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

ComboFix 08-01-16.4 - piotrek 2008-01-17 9:44:40.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.0.1250.1.1045.18.101 [GMT 1:00]
Running from: C:\Documents and Settings\piotrek\Pulpit\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-12-17 to 2008-01-17 )))))))))))))))))))))))))))))))
.

2008-01-17 09:29 . 2007-12-04 15:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-01-17 09:29 . 2007-12-04 15:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-01-17 09:29 . 2007-12-04 15:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-01-17 09:28 . 2007-12-04 14:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-01-17 09:28 . 2004-01-09 10:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-01-17 09:28 . 2007-12-04 13:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-01-17 09:28 . 2007-12-04 15:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-01-17 09:28 . 2007-12-04 15:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-01-16 23:26 . 2008-01-16 23:35 <DIR> d-------- C:\VundoFix Backups
2008-01-16 23:16 . 2008-01-16 23:21 1,296 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-16 21:52 . 2008-01-16 21:52 <DIR> d-------- C:\Program Files\Common Files\ACD Systems
2008-01-16 21:52 . 2008-01-16 21:52 <DIR> d-------- C:\Program Files\ACD Systems
2008-01-16 21:52 . 2008-01-16 21:53 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\ACD Systems
2008-01-16 21:52 . 2008-01-16 21:52 9,856 --a------ C:\WINDOWS\system32\drivers\pfc.sys
2008-01-16 21:48 . 2008-01-16 21:48 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-01-16 16:53 . 2008-01-16 16:54 <DIR> d-------- C:\Documents and Settings\piotrek\Dane aplikacji\Tibia
2008-01-16 16:52 . 2008-01-16 16:52 <DIR> d-------- C:\Program Files\Tibia
2008-01-16 16:03 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-16 16:00 . 2008-01-17 09:30 0 --a------ C:\adware.exe
2008-01-16 15:57 . 2008-01-16 15:57 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-16 11:02 . 2008-01-16 15:49 82,882 --a------ C:\WINDOWS\system32\explorer .exe
2008-01-16 09:32 . 2008-01-16 09:32 82,882 --a------ C:\WINDOWS\system32\winamp .exe
2008-01-16 09:18 . 2008-01-16 09:18 82,882 --a------ C:\WINDOWS\system32\uaxhodqt.exe
2008-01-16 09:18 . 2008-01-16 09:18 19,711 --a------ C:\WINDOWS\system32\chpwwben.exe
2008-01-16 09:18 . 2008-01-16 09:18 19,711 --a------ C:\WINDOWS\system32\acvdzo.exe
2008-01-16 09:18 . 2008-01-16 09:18 6,696 --a------ C:\WINDOWS\system32\yxllikxi.exe
2008-01-16 09:18 . 2008-01-16 09:18 6,696 --a------ C:\WINDOWS\system32\lhccrb.exe
2008-01-16 09:00 . 2008-01-16 09:00 82,882 --a------ C:\WINDOWS\system32\dcnls.exe
2008-01-16 09:00 . 2008-01-16 09:00 19,711 --a------ C:\WINDOWS\system32\mylcn.exe
2008-01-16 09:00 . 2008-01-16 09:00 19,711 --a------ C:\WINDOWS\system32\gjtxresk.exe
2008-01-16 09:00 . 2008-01-16 09:00 6,696 --a------ C:\WINDOWS\system32\uytm.exe
2008-01-16 09:00 . 2008-01-16 09:00 6,696 --a------ C:\WINDOWS\system32\czsgd.exe
2008-01-16 08:59 . 2008-01-16 15:49 82,882 --a------ C:\WINDOWS\system32\iexplore .exe
2008-01-16 08:59 . 2008-01-16 09:32 64,816 --a------ C:\WINDOWS\system32\logon .exe
2008-01-16 08:09 . 2008-01-16 08:09 82,882 --a------ C:\WINDOWS\system32\dksmx.exe
2008-01-16 08:09 . 2008-01-16 08:09 19,711 --a------ C:\WINDOWS\system32\hnvxzdbu.exe
2008-01-16 08:09 . 2008-01-16 08:09 6,696 --a------ C:\WINDOWS\system32\wbdcmqyg.exe
2008-01-15 23:01 . 2008-01-15 23:01 82,882 --a------ C:\WINDOWS\system32\dlneuwfp.exe
2008-01-15 23:01 . 2008-01-15 23:01 19,711 --a------ C:\WINDOWS\system32\dkfksuws.exe
2008-01-15 23:01 . 2008-01-15 23:01 6,696 --a------ C:\WINDOWS\system32\jrpeupeq.exe
2008-01-15 22:02 . 2008-01-15 22:02 19,711 --a------ C:\WINDOWS\system32\xzlpyjlj.exe
2008-01-15 22:02 . 2008-01-15 22:02 6,696 --a------ C:\WINDOWS\system32\rxtr.exe
2008-01-15 22:01 . 2008-01-15 22:01 82,882 --a------ C:\WINDOWS\system32\winIogon .exe
2008-01-15 21:46 . 2008-01-15 21:46 1,158 --a------ C:\WINDOWS\mozver.dat
2008-01-15 20:06 . 2003-10-28 11:02 20,016 --------- C:\WINDOWS\system32\drivers\pxhelp20.sys
2008-01-15 20:05 . 2008-01-16 16:06 <DIR> d-------- C:\Program Files\Winamp
2008-01-15 20:05 . 2008-01-17 09:25 192 --a------ C:\WINDOWS\winamp.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-16 15:06 --------- d-----w C:\Program Files\Gadu-Gadu
2001-11-23 04:08 712,704 ----a-w C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
2003-07-11 21:20 1,138,688 --sh--w C:\WINDOWS\system32\wingatey32.exe
.

Kod: Zaznacz wszystko

<pre>
----a-w            82,882 2008-01-16 14:49:29  C:\WINDOWS\system32\explorer .exe
----a-w            82,882 2008-01-16 14:49:27  C:\WINDOWS\system32\iexplore .exe
----a-w            64,816 2008-01-16 08:32:05  C:\WINDOWS\system32\logon .exe
----a-w            82,882 2008-01-16 08:32:08  C:\WINDOWS\system32\winamp .exe
----a-w            82,882 2008-01-15 21:01:22  C:\WINDOWS\system32\winIogon .exe
</pre>

((((((((((((((((((((((((((((( snapshot@2008-01-16_16.07.19.45 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-16 20:53:12 61,440 ----a-r C:\WINDOWS\Installer\{271B64EE-3E1B-4381-A8FE-012390050492}\ACDSeeDesktopShortcu_FD88D5011F0A4DA4A13A6437411EE0C3.exe
+ 2008-01-16 20:53:12 61,440 ----a-r C:\WINDOWS\Installer\{271B64EE-3E1B-4381-A8FE-012390050492}\ACDSeePMShortcut_FD88D5011F0A4DA4A13A6437411EE0C3.exe
+ 2008-01-16 20:53:12 61,440 ----a-r C:\WINDOWS\Installer\{271B64EE-3E1B-4381-A8FE-012390050492}\ARPPRODUCTICON.exe
+ 2008-01-16 20:53:12 45,056 ----a-r C:\WINDOWS\Installer\{271B64EE-3E1B-4381-A8FE-012390050492}\DevDetectPMShortcut.exe
+ 2008-01-16 20:53:12 61,440 ----a-r C:\WINDOWS\Installer\{271B64EE-3E1B-4381-A8FE-012390050492}\FotoCanvasDesktopSho_FD88D5011F0A4DA4A13A6437411EE0C3.exe
+ 2008-01-16 20:53:12 61,440 ----a-r C:\WINDOWS\Installer\{271B64EE-3E1B-4381-A8FE-012390050492}\FotoCanvasProgramMen_FD88D5011F0A4DA4A13A6437411EE0C3.exe
+ 2008-01-16 20:53:12 57,344 ----a-r C:\WINDOWS\Installer\{271B64EE-3E1B-4381-A8FE-012390050492}\FotoSlateDesktopShor_FD88D5011F0A4DA4A13A6437411EE0C3.exe
+ 2008-01-16 20:53:12 57,344 ----a-r C:\WINDOWS\Installer\{271B64EE-3E1B-4381-A8FE-012390050492}\FotoSlateProgramFile_FD88D5011F0A4DA4A13A6437411EE0C3.exe
+ 2004-03-04 11:51:46 307,200 ----a-w C:\WINDOWS\system32\ACDSee.scr
- 2008-01-16 15:04:10 262,144 ----a-w C:\WINDOWS\system32\config\systemprofile\NtUser.dat
+ 2008-01-17 08:44:38 262,144 ----a-w C:\WINDOWS\system32\config\systemprofile\NtUser.dat
+ 2002-05-13 14:05:32 167,936 ----a-r C:\WINDOWS\system32\czs_ui.dll
+ 2002-03-20 20:01:18 45,568 ----a-w C:\WINDOWS\system32\DC210.dll
+ 2002-03-20 20:01:18 114,688 ----a-w C:\WINDOWS\system32\DC240.dll
+ 2002-03-20 20:01:06 230,400 ----a-w C:\WINDOWS\system32\DC265.dll
+ 2002-03-20 20:01:18 122,880 ----a-w C:\WINDOWS\system32\DC280.dll
+ 2002-05-13 14:05:32 168,960 ----a-r C:\WINDOWS\system32\deimg.dll
+ 2002-05-13 14:05:34 212,992 ----a-r C:\WINDOWS\system32\deImg010.dll
+ 2002-05-13 14:05:34 172,032 ----a-r C:\WINDOWS\system32\deImg110.dll
+ 2002-05-13 14:05:34 161,280 ----a-r C:\WINDOWS\system32\deimg301.dll
+ 2002-05-13 14:05:34 161,792 ----a-r C:\WINDOWS\system32\deimg401.dll
+ 2002-05-13 14:05:34 360,448 ----a-r C:\WINDOWS\system32\deImg404.dll
+ 2002-05-13 14:05:34 162,816 ----a-r C:\WINDOWS\system32\deimg602.dll
+ 2002-05-13 14:05:34 167,936 ----a-r C:\WINDOWS\system32\Deimg603.dll
+ 2002-03-20 20:01:06 6,688 ----a-w C:\WINDOWS\system32\Digita.sys
+ 2002-03-20 20:01:18 44,544 ----a-w C:\WINDOWS\system32\ekfpixaudio.dll
+ 2002-03-20 20:01:06 138,240 ----a-w C:\WINDOWS\system32\ekfpixexif.dll
+ 2002-03-20 20:01:20 4,096 ----a-w C:\WINDOWS\system32\ekfpixguid.dll
+ 2002-03-20 20:01:20 449,536 ----a-w C:\WINDOWS\system32\ekfpixio130.dll
+ 2002-03-20 20:01:20 100,352 ----a-w C:\WINDOWS\system32\ekfpixjpeg.dll
+ 2002-03-20 20:01:20 67,584 ----a-w C:\WINDOWS\system32\ekfpixpsets.dll
+ 2002-03-20 20:01:20 36,864 ----a-w C:\WINDOWS\system32\F210.dll
+ 2002-03-20 20:01:58 446,464 ----a-w C:\WINDOWS\system32\HHActiveX.dll
+ 2002-05-13 15:13:58 19,968 ----a-r C:\WINDOWS\system32\JGA1500.DLL
+ 2002-05-13 15:13:58 10,752 ----a-r C:\WINDOWS\system32\JGAA500.DLL
+ 2002-05-13 15:13:58 16,896 ----a-r C:\WINDOWS\system32\JGAD500.DLL
+ 2002-05-13 15:13:58 9,216 ----a-r C:\WINDOWS\system32\JGAP500.DLL
+ 2002-05-13 15:13:58 11,264 ----a-r C:\WINDOWS\system32\JGAR500.DLL
+ 2002-05-13 15:13:58 31,744 ----a-r C:\WINDOWS\system32\JGAU500.DLL
+ 2002-05-13 15:13:58 6,144 ----a-r C:\WINDOWS\system32\JGDR500.DLL
+ 2002-05-13 15:13:58 144,896 ----a-r C:\WINDOWS\system32\JGDW500.DLL
+ 2002-05-13 15:13:58 15,360 ----a-r C:\WINDOWS\system32\JGEA500.DLL
+ 2002-05-13 15:13:58 39,424 ----a-r C:\WINDOWS\system32\JGED500.DLL
+ 2002-05-13 15:13:58 11,264 ----a-r C:\WINDOWS\system32\JGEM500.DLL
+ 2002-05-13 15:13:58 10,752 ----a-r C:\WINDOWS\system32\JGFI500.DLL
+ 2002-05-13 15:13:58 67,072 ----a-r C:\WINDOWS\system32\JGFR500.DLL
+ 2002-05-13 15:13:58 24,576 ----a-r C:\WINDOWS\system32\JGFS500.DLL
+ 2002-05-13 15:13:58 12,800 ----a-r C:\WINDOWS\system32\JGGI500.DLL
+ 2002-05-13 15:13:58 19,456 ----a-r C:\WINDOWS\system32\JGI1500.DLL
+ 2002-05-13 15:13:58 41,984 ----a-r C:\WINDOWS\system32\JGI3500.DLL
+ 2002-05-13 15:13:58 60,416 ----a-r C:\WINDOWS\system32\JGI5500.DLL
+ 2002-05-13 15:13:58 11,264 ----a-r C:\WINDOWS\system32\JGID500.DLL
+ 2002-05-13 15:13:58 34,304 ----a-r C:\WINDOWS\system32\JGIP500.DLL
+ 2002-05-13 15:13:58 6,656 ----a-r C:\WINDOWS\system32\JGIQ500.DLL
+ 2002-05-13 15:13:58 24,064 ----a-r C:\WINDOWS\system32\JGIT500.DLL
+ 2002-05-13 15:13:58 74,240 ----a-r C:\WINDOWS\system32\JGM1500.DLL
+ 2002-05-13 15:13:58 29,696 ----a-r C:\WINDOWS\system32\JGMC500.DLL
+ 2002-05-13 15:13:58 7,168 ----a-r C:\WINDOWS\system32\JGME500.DLL
+ 2002-05-13 15:13:58 24,576 ----a-r C:\WINDOWS\system32\JGMI500.DLL
+ 2002-05-13 15:13:58 11,264 ----a-r C:\WINDOWS\system32\JGMP500.DLL
+ 2002-05-13 15:13:58 24,064 ----a-r C:\WINDOWS\system32\JGN1500.DLL
+ 2002-05-13 15:13:58 80,384 ----a-r C:\WINDOWS\system32\JGOS500.DLL
+ 2002-05-13 15:13:58 13,824 ----a-r C:\WINDOWS\system32\JGPD500.DLL
+ 2002-05-13 15:13:58 15,872 ----a-r C:\WINDOWS\system32\JGPL500.DLL
+ 2002-05-13 15:13:58 12,288 ----a-r C:\WINDOWS\system32\JGPP500.DLL
+ 2002-05-13 15:13:58 33,280 ----a-r C:\WINDOWS\system32\JGS1500.DLL
+ 2002-05-13 15:13:58 15,360 ----a-r C:\WINDOWS\system32\JGS3500.DLL
+ 2002-05-13 15:13:58 21,504 ----a-r C:\WINDOWS\system32\JGSN500.DLL
+ 2002-05-13 15:13:58 13,312 ----a-r C:\WINDOWS\system32\JGST500.DLL
+ 2002-01-05 03:48:16 974,848 ----a-w C:\WINDOWS\system32\mfc70.dll
+ 2002-01-05 03:36:38 964,608 ----a-w C:\WINDOWS\system32\mfc70u.dll
+ 2002-01-05 02:38:38 54,784 ----a-w C:\WINDOWS\system32\msvci70.dll
+ 2002-01-05 02:40:20 487,424 ----a-w C:\WINDOWS\system32\msvcp70.dll
+ 2002-01-05 02:37:28 344,064 ----a-w C:\WINDOWS\system32\msvcr70.dll
+ 2002-05-13 14:05:34 57,344 ----a-r C:\WINDOWS\system32\pscAdimg.dll
+ 2002-05-13 14:05:34 135,168 ----a-r C:\WINDOWS\system32\pscCllct.dll
+ 2002-05-13 14:05:34 462,848 ----a-r C:\WINDOWS\system32\pscCStUI.dll
+ 2002-05-13 14:05:34 331,776 ----a-r C:\WINDOWS\system32\pscDcd.dll
+ 2002-05-13 14:05:34 180,224 ----a-r C:\WINDOWS\system32\pscDevUI.dll
+ 2002-05-13 14:05:34 90,112 ----a-r C:\WINDOWS\system32\pscDvlp.dll
+ 2002-05-13 14:05:34 167,936 ----a-r C:\WINDOWS\system32\Pscl2STI.dll
+ 2002-05-13 14:05:34 180,224 ----a-r C:\WINDOWS\system32\pscll.dll
+ 2002-05-13 14:05:34 200,704 ----a-r C:\WINDOWS\system32\pscParse.dll
+ 2002-05-13 14:05:34 98,304 ----a-r C:\WINDOWS\system32\pscSetup.dll
+ 2002-05-13 14:05:36 389,120 ----a-r C:\WINDOWS\system32\psdkdll.dll
+ 2002-05-13 14:05:36 57,344 ----a-r C:\WINDOWS\system32\psdkReg.dll
+ 2002-05-13 14:05:36 102,400 ----a-r C:\WINDOWS\system32\psParse.dll
+ 2002-03-20 20:00:18 49,152 ----a-w C:\WINDOWS\system32\TransportIrCOMM.dll
+ 2002-03-20 20:00:18 49,152 ----a-w C:\WINDOWS\system32\TransportIrDA.dll
+ 2002-03-20 20:00:20 49,152 ----a-w C:\WINDOWS\system32\TransportSerial.dll
+ 2002-03-20 20:00:20 49,152 ----a-w C:\WINDOWS\system32\TransportUSB.dll
+ 2002-03-21 13:39:02 73,728 ----a-w C:\WINDOWS\system32\UNACEV2.DLL
+ 2008-01-17 08:30:08 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_414.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2001-10-26 18:29 13312]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-01-16 16:00 1077277]
"NvMediaCenter"="C:\WINDOWS\System32\NVMCTRAY.DLL" [2003-10-06 13:16 49152]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2008-01-16 16:00 2396160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="cmicnfg.cpl" []
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-10-06 13:16 5058560]
"nwiz"="nwiz.exe" [2003-10-06 13:16 741376 C:\WINDOWS\system32\nwiz.exe]
"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2008-01-16 16:00 888832]
"WinDLL (wingatey32.exe)"="C:\WINDOWS\System32\wingatey32.exe" [2003-07-11 22:20 1138688]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-01-16 16:00 33792]
"Device Detector"="C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe" [2003-11-26 18:54 217088]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2001-10-26 18:29 13312]

R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2003-07-11 22:20]
S3 GVCplDrv;GVCplDrv;C:\WINDOWS\System32\drivers\GVCplDrv.sys [2003-09-30 06:25]

*Newly Created Service* - ASWUPDSV
*Newly Created Service* - AVAST!_ANTIVIRUS
*Newly Created Service* - AVAST!_MAIL_SCANNER
*Newly Created Service* - AVAST!_WEB_SCANNER
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-17 09:45:33
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe [6.00.2600.0000]
-> C:\Program Files\Gadu-Gadu\ggwhook.dll
.
Completion time: 2008-01-17 9:46:32
ComboFix-quarantined-files.txt 2008-01-17 08:45:46
ComboFix2.txt 2008-01-16 15:07:46

[wojtas]

skasuj te wpisy:

O4 - HKLM\..\Run: [WinDLL (wingatey32.exe)] rundll32.exe C:\WINDOWS\System32\wingatey32.exe,start
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

Otworz notatnik i wklej w nim to:

File::
C:\adware.exe
C:\WINDOWS\system32\explorer .exe
C:\WINDOWS\system32\winamp .exe
C:\WINDOWS\system32\uaxhodqt.exe
C:\WINDOWS\system32\chpwwben.exe
C:\WINDOWS\system32\acvdzo.exe
C:\WINDOWS\system32\yxllikxi.exe
C:\WINDOWS\system32\lhccrb.exe
C:\WINDOWS\system32\dcnls.exe
C:\WINDOWS\system32\mylcn.exe
C:\WINDOWS\system32\gjtxresk.exe
C:\WINDOWS\system32\uytm.exe
C:\WINDOWS\system32\czsgd.exe
C:\WINDOWS\system32\iexplore .exe
C:\WINDOWS\system32\logon .exe
C:\WINDOWS\web\related.htm
C:\WINDOWS\system32\dksmx.exe
C:\WINDOWS\system32\hnvxzdbu.exe
C:\WINDOWS\system32\wbdcmqyg.exe
C:\WINDOWS\system32\dlneuwfp.exe
C:\WINDOWS\system32\dkfksuws.exe
C:\WINDOWS\system32\jrpeupeq.exe
C:\WINDOWS\system32\wingatey32.exe
C:\WINDOWS\system32\xzlpyjlj.exe
C:\WINDOWS\system32\rxtr.exe
C:\WINDOWS\system32\winIogon .exe

Plik >>> zapisz jako CFScript.txt .Plik przeciągnij i upuść na ikonę ComboFixa (tak jak tu ) . Potwierdz >>> zresetuje sie komputer

(jeśli pojawi się pytanie "1 or 2" - to wpisz 1 i naciśnij ENTER). Rozpocznie się proces usuwania
Potem nowy log z hijacka oraz combofixa

[Piotrek89]

ComboFix 08-01-16.4 - piotrek 2008-01-19 19:29:41.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.0.1250.1.1045.18.80 [GMT 1:00]
Running from: C:\Documents and Settings\piotrek\Pulpit\ComboFix.exe
Command switches used :: C:\Documents and Settings\piotrek\Pulpit\CFScript.txt
* Created a new restore point

FILE
C:\adware.exe
C:\WINDOWS\system32\acvdzo.exe
C:\WINDOWS\system32\chpwwben.exe
C:\WINDOWS\system32\czsgd.exe
C:\WINDOWS\system32\dcnls.exe
C:\WINDOWS\system32\dkfksuws.exe
C:\WINDOWS\system32\dksmx.exe
C:\WINDOWS\system32\dlneuwfp.exe
C:\WINDOWS\system32\explorer .exe
C:\WINDOWS\system32\gjtxresk.exe
C:\WINDOWS\system32\hnvxzdbu.exe
C:\WINDOWS\system32\iexplore .exe
C:\WINDOWS\system32\jrpeupeq.exe
C:\WINDOWS\system32\lhccrb.exe
C:\WINDOWS\system32\logon .exe
C:\WINDOWS\system32\mylcn.exe
C:\WINDOWS\system32\rxtr.exe
C:\WINDOWS\system32\uaxhodqt.exe
C:\WINDOWS\system32\uytm.exe
C:\WINDOWS\system32\wbdcmqyg.exe
C:\WINDOWS\system32\winamp .exe
C:\WINDOWS\system32\wingatey32.exe
C:\WINDOWS\system32\winIogon .exe
C:\WINDOWS\system32\xzlpyjlj.exe
C:\WINDOWS\system32\yxllikxi.exe
C:\WINDOWS\web\related.htm
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\adware.exe
C:\WINDOWS\system32\acvdzo.exe
C:\WINDOWS\system32\chpwwben.exe
C:\WINDOWS\system32\czsgd.exe
C:\WINDOWS\system32\dcnls.exe
C:\WINDOWS\system32\dkfksuws.exe
C:\WINDOWS\system32\dksmx.exe
C:\WINDOWS\system32\dlneuwfp.exe
C:\WINDOWS\system32\explorer .exe
C:\WINDOWS\system32\gjtxresk.exe
C:\WINDOWS\system32\hnvxzdbu.exe
C:\WINDOWS\system32\iexplore .exe
C:\WINDOWS\system32\jrpeupeq.exe
C:\WINDOWS\system32\lhccrb.exe
C:\WINDOWS\system32\logon .exe
C:\WINDOWS\system32\mylcn.exe
C:\WINDOWS\system32\rxtr.exe
C:\WINDOWS\system32\uaxhodqt.exe
C:\WINDOWS\system32\uytm.exe
C:\WINDOWS\system32\wbdcmqyg.exe
C:\WINDOWS\system32\winamp .exe
C:\WINDOWS\system32\wingatey32.exe
C:\WINDOWS\system32\winIogon .exe
C:\WINDOWS\system32\xzlpyjlj.exe
C:\WINDOWS\system32\yxllikxi.exe
C:\WINDOWS\web\related.htm

.
((((((((((((((((((((((((( Files Created from 2007-12-19 to 2008-01-19 )))))))))))))))))))))))))))))))
.

2008-01-19 15:27 . 2008-01-19 15:27 <DIR> d-------- C:\Program Files\MarBit
2008-01-19 15:26 . 2008-01-19 15:26 <DIR> d-------- C:\Program Files\Real Alternative
2008-01-19 15:26 . 2008-01-19 15:26 <DIR> d-------- C:\Program Files\Media Player Classic
2008-01-18 21:38 . 2008-01-18 21:38 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Last.fm
2008-01-18 21:37 . 2008-01-18 21:37 <DIR> d-------- C:\Program Files\Last.fm
2008-01-17 18:00 . 2008-01-17 18:00 20 --a------ C:\WINDOWS\naglos.INI
2008-01-17 15:28 . 2008-01-17 15:28 <DIR> d-------- C:\Documents and Settings\piotrek\Dane aplikacji\ACD Systems
2008-01-17 15:27 . 2001-10-26 17:29 146,944 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-01-17 15:27 . 2001-08-17 21:53 13,824 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-01-17 15:27 . 2001-08-17 21:53 13,824 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-01-17 15:27 . 2001-10-26 17:29 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-01-17 09:56 . 2001-08-17 22:03 21,760 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-01-16 23:26 . 2008-01-16 23:35 <DIR> d-------- C:\VundoFix Backups
2008-01-16 23:16 . 2008-01-16 23:21 1,296 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-16 21:52 . 2008-01-16 21:52 <DIR> d-------- C:\Program Files\Common Files\ACD Systems
2008-01-16 21:52 . 2008-01-16 21:52 <DIR> d-------- C:\Program Files\ACD Systems
2008-01-16 21:52 . 2008-01-16 21:53 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\ACD Systems
2008-01-16 21:52 . 2008-01-16 21:52 9,856 --a------ C:\WINDOWS\system32\drivers\pfc.sys
2008-01-16 21:48 . 2008-01-16 21:48 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-01-16 16:53 . 2008-01-16 16:54 <DIR> d-------- C:\Documents and Settings\piotrek\Dane aplikacji\Tibia
2008-01-16 16:52 . 2008-01-16 16:52 <DIR> d-------- C:\Program Files\Tibia
2008-01-16 16:03 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-16 15:57 . 2008-01-16 15:57 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-15 21:46 . 2008-01-15 21:46 1,158 --a------ C:\WINDOWS\mozver.dat
2008-01-15 20:06 . 2003-10-28 11:02 20,016 --------- C:\WINDOWS\system32\drivers\pxhelp20.sys
2008-01-15 20:05 . 2008-01-16 16:06 <DIR> d-------- C:\Program Files\Winamp
2008-01-15 20:05 . 2008-01-19 19:16 192 --a------ C:\WINDOWS\winamp.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-16 15:06 --------- d-----w C:\Program Files\Gadu-Gadu
2001-11-23 04:08 712,704 ----a-w C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
.

((((((((((((((((((((((((((((( snapshot_2008-01-17_ 9.45.37,43 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-16 15:04:04 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-19 18:29:32 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-16 15:04:04 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-19 18:29:32 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-16 15:04:04 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-19 18:29:32 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-16 15:04:04 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-19 18:29:32 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-16 15:04:05 1,069,056 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-19 18:29:32 1,687,552 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-16 15:04:05 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-19 18:29:32 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
- 2008-01-17 08:44:38 262,144 ----a-w C:\WINDOWS\system32\config\systemprofile\NtUser.dat
+ 2008-01-19 18:29:38 262,144 ----a-w C:\WINDOWS\system32\config\systemprofile\NtUser.dat
+ 2001-08-17 21:03:22 21,760 ----a-w C:\WINDOWS\system32\drivers\USBSTOR.SYS
+ 2001-06-23 00:31:20 278,528 ----a-w C:\WINDOWS\system32\pncrt.dll
+ 1998-03-26 03:57:34 6,656 ----a-w C:\WINDOWS\system32\pndx5016.dll
+ 1998-05-12 19:36:44 5,632 ----a-w C:\WINDOWS\system32\pndx5032.dll
+ 2006-01-28 01:55:26 176,167 ----a-w C:\WINDOWS\system32\rmoc3260.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2001-10-26 18:29 13312]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-01-16 16:00 1077277]
"NvMediaCenter"="C:\WINDOWS\System32\NVMCTRAY.DLL" [2003-10-06 13:16 49152]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2008-01-16 16:00 2396160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="cmicnfg.cpl" []
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-10-06 13:16 5058560]
"nwiz"="nwiz.exe" [2003-10-06 13:16 741376 C:\WINDOWS\system32\nwiz.exe]
"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2008-01-16 16:00 888832]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-01-16 16:00 33792]
"Device Detector"="C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe" [2003-11-26 18:54 217088]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2001-10-26 18:29 13312]

C:\Documents and Settings\piotrek\Menu Start\Programy\Autostart\
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2008-01-18 21:37:13]

R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2003-07-11 22:20]
S3 GVCplDrv;GVCplDrv;C:\WINDOWS\System32\drivers\GVCplDrv.sys [2003-09-30 06:25]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-19 19:30:28
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-19 19:30:52
ComboFix-quarantined-files.txt 2008-01-19 18:30:38
ComboFix2.txt 2008-01-17 08:46:32
ComboFix3.txt 2008-01-16 15:07:46

Logfile of HijackThis v1.99.1
Scan saved at 19:32:25, on 2008-01-19
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\piotrek\USTAWI~1\Temp\Rar$EX00.641\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Device Detector] "C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe" -autorun
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{33003CF2-917F-4503-8D05-684F6E635342}: NameServer = 80.244.140.241 80.244.128.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{33003CF2-917F-4503-8D05-684F6E635342}: NameServer = 80.244.140.241 80.244.128.1
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

[wojtas]

czysto