amvo.exe itd

[maru666]

log z combofix

ComboFix 08-07-10.1 - Valued Customer 2008-07-19 11:04:42.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1033.18.1429 [GMT 2:00]
Running from: C:\Documents and Settings\Valued Customer\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-06-19 to 2008-07-19 )))))))))))))))))))))))))))))))
.

2008-07-18 21:59 . 2008-07-18 10:20 117,757 -r-hs---- C:\ybj8df.exe
2008-07-17 15:45 . 2008-07-18 10:20 117,757 -r-hs---- C:\ivcvknr.bat
2008-07-16 22:15 . 2008-07-16 11:40 116,492 -r-hs---- C:\p83gjy.exe
2008-07-16 11:40 . 2008-07-16 11:40 116,492 -r-hs---- C:\33gmhso.bat
2008-07-15 16:12 . 2008-07-15 09:44 118,512 -r-hs---- C:\k.com
2008-07-15 13:11 . 2008-07-15 13:11 43,131 --a------ C:\aeeeeeeeeeeeeeeeee.JPG
2008-07-15 12:21 . 2008-07-14 03:59 63,666 --a------ C:\ZmVhWkkkdVU4O1o0dSVddWVleEZ1c3R2Zzt7eWZfaFs=.jpg
2008-07-14 08:27 . 2008-07-15 09:44 118,512 -r-hs---- C:\fi.cmd
2008-07-12 09:17 . 2008-07-12 17:52 116,972 -r-hs---- C:\ffojc.com
2008-07-11 11:21 . 2008-07-11 11:21 <DIR> d-------- C:\Program Files\PrevxCSI
2008-07-11 11:21 . 2008-07-11 11:30 17,408 --a------ C:\WINDOWS\system32\drivers\pxark.sys
2008-07-11 09:29 . 2008-07-11 09:29 <DIR> d-------- C:\Program Files\Lavasoft
2008-07-10 23:25 . 2008-07-18 20:52 <DIR> d-------- C:\Documents and Settings\Valued Customer\Application Data\HLSW
2008-07-10 23:00 . 2008-07-10 23:00 52,696 --a------ C:\4.jpg
2008-07-10 23:00 . 2008-07-10 23:00 46,881 --a------ C:\3.jpg
2008-07-10 23:00 . 2008-07-10 23:00 46,558 --a------ C:\2.jpg
2008-07-10 22:40 . 2008-07-11 09:21 77,312 -r-hs---- C:\WINDOWS\system32\ckvo2.dll
2008-07-10 18:54 . 2008-07-11 11:51 117,053 -r-hs---- C:\0gjn3yw.exe
2008-07-10 09:45 . 2008-07-10 13:15 116,414 -r-hs---- C:\mp.cmd
2008-07-08 21:22 . 2008-07-18 21:58 77,312 -r-hs---- C:\WINDOWS\system32\ckvo1.dll
2008-07-08 21:21 . 2008-07-18 10:20 117,757 -r-hs---- C:\WINDOWS\system32\ckvo.exe
2008-07-08 21:21 . 2008-07-19 10:06 77,312 -r-hs---- C:\WINDOWS\system32\ckvo0.dll
2008-07-07 20:53 . 2008-07-07 20:53 8,723 --a------ C:\zagglada.jpg
2008-07-06 21:12 . 2008-07-05 19:01 113,028 -r-hs---- C:\qxbx9blb.com
2008-07-05 17:41 . 2008-07-05 18:06 <DIR> d-------- C:\XL
2008-07-04 20:27 . 2008-07-10 09:58 58,011 --a------ C:\s.jpg
2008-07-04 18:48 . 2008-07-09 16:18 118,734 -r-hs---- C:\00hoeav.com
2008-07-01 16:05 . 2008-07-01 16:05 <DIR> d-------- C:\New Folder (2)
2008-07-01 15:49 . 2008-07-01 15:49 <DIR> d-------- C:\New Folder
2008-06-29 09:53 . 2008-06-29 09:53 112,227 -r-hs---- C:\klp8j6i.com
2008-06-28 17:42 . 2008-06-28 17:42 <DIR> d--hs---- C:\found.000
2008-06-28 14:36 . 2008-07-16 20:05 <DIR> d-------- C:\auto
2008-06-25 23:31 . 2008-06-16 11:53 117,568 -r-hs---- C:\r.cmd
2008-06-25 17:52 . 2008-06-25 17:52 <DIR> dr-h----- C:\Documents and Settings\Valued Customer\Application Data\SecuROM
2008-06-25 14:42 . 2007-09-25 05:52 2,865,651,712 --a------ C:\flt-fif8.iso
2008-06-24 17:54 . 2008-06-24 18:16 <DIR> d-------- C:\cv
2008-06-20 19:41 . 2008-06-20 19:41 245,248 --------- C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 12:44 . 2008-06-20 12:44 138,368 --------- C:\WINDOWS\system32\dllcache\afd.sys
2008-06-19 17:57 . 2008-06-19 18:02 <DIR> d-------- C:\fb

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-19 09:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-07-19 08:22 --------- d-----w C:\Program Files\Mozilla Firefox 3 Beta 1
2008-07-18 21:45 --------- d-----w C:\Program Files\mIRC
2008-07-18 21:31 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-07-18 16:28 --------- d-----w C:\Documents and Settings\Valued Customer\Application Data\foobar2000
2008-07-11 14:17 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-07-11 14:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-07-11 14:16 --------- d-----w C:\Program Files\Symantec
2008-07-11 07:29 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-11 07:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-10 21:25 --------- d-s---w C:\Program Files\HLSW
2008-06-28 16:26 --------- d-----w C:\Program Files\XAC
2008-06-27 14:52 --------- d-----w C:\Documents and Settings\Valued Customer\Application Data\Skype
2008-06-25 15:52 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-06-25 12:52 --------- d-----w C:\Program Files\EA SPORTS
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-18 16:19 --------- d-----w C:\Documents and Settings\Valued Customer\Application Data\Hamachi
2008-06-18 16:03 25,280 ----a-w C:\WINDOWS\system32\drivers\hamachi.sys
2008-06-18 14:25 --------- d-----w C:\Program Files\Peer2Mail
2008-06-16 09:53 117,568 --sh--r C:\6x8be16.cmd
2008-06-14 07:04 --------- d-----w C:\Program Files\SkanerOnline
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\dllcache\bthport.sys
2008-05-25 14:41 --------- d-----w C:\Program Files\Ventrilo
2008-05-23 11:10 --------- d-----w C:\Program Files\Advance Split Machine
2008-05-16 09:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-08 12:28 202,752 ------w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-07 06:51 103,832 --sh--r C:\xlu8a8sy.exe
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:18 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2008-04-21 07:04 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2008-04-21 07:04 659,456 ------w C:\WINDOWS\system32\dllcache\wininet.dll
2008-04-21 07:04 615,936 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
2008-04-21 07:04 474,112 ------w C:\WINDOWS\system32\dllcache\shlwapi.dll
2008-04-21 07:04 1,494,528 ------w C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-10-05 10:31 934,761 ----a-w C:\Program Files\Messenger.rar
1980-01-01 07:00 1,559,435 ----a-w C:\Program Files\Common Files\slawek.jpg
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2005-03-31 11:18 790528]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-10-29 01:25 94208]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 21:54 5674352]
"kamsoft"="C:\WINDOWS\system32\ckvo.exe" [2008-07-18 10:20 117757]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 07:58 458752]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-07-20 07:58 7581696]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-07-20 07:58 86016]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 08:11 49152]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-12 01:30 81920]
"Cpqset"="C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-06-19 19:50 40960]
"RecGuard"="C:\Windows\SMINST\RecGuard.exe" [2005-10-11 19:23 1187840]
"FineReader7NewsReaderPro"="C:\Program Files\ABBYY FineReader 7.0 Professional Edition\AbbyyNewsReader.exe" [2003-12-10 01:19 278528]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-17 07:22 794713]
"nwiz"="nwiz.exe" [2006-07-20 07:58 1519616 C:\WINDOWS\system32\nwiz.exe]
"MsmqIntCert"="mqrt.dll" [2007-07-06 14:46 177152 C:\WINDOWS\system32\mqrt.dll]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-02 17:02 61952 C:\WINDOWS\system32\CHDAudPropShortcut.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Picasa3\PicasaMediaDetector.exe" [2007-10-23 23:18 443968]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^StartUp^Vongo Tray.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\StartUp\Vongo Tray.lnk
backup=C:\WINDOWS\pss\Vongo Tray.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=C:\WINDOWS\pss\Bluetooth.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Pavilion Webcam Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Pavilion Webcam Tray Icon.lnk
backup=C:\WINDOWS\pss\HP Pavilion Webcam Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=C:\WINDOWS\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Valued Customer^Start Menu^Programs^StartUp^Vongo Tray.lnk]
path=C:\Documents and Settings\Valued Customer\Start Menu\Programs\StartUp\Vongo Tray.lnk
backup=C:\WINDOWS\pss\Vongo Tray.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
--a------ 2007-02-06 00:52 849280 c:\Program Files\Microsoft IntelliPoint\ipoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-14 02:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
--a------ 2007-10-23 23:18 443968 C:\Picasa3\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]
--a------ 2006-06-19 20:33 163840 C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2007-08-06 21:43 23165736 C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a------ 2006-06-17 07:22 794713 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\mqsvc.exe"=
"C:\\Program Files\\Gadu-Gadu\\gg.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Steam\\SteamApps\\pmok26@wp.pl\\counter-strike\\hl.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"9595:TCP"= 9595:TCP:BitComet 9595 TCP
"9595:UDP"= 9595:UDP:BitComet 9595 UDP
"20233:TCP"= 20233:TCP:BitComet 20233 TCP
"20233:UDP"= 20233:UDP:BitComet 20233 UDP

R0 pxark;pxark;C:\WINDOWS\system32\drivers\pxark.sys [2008-07-11 11:30]
R2 CSIScanner;CSIScanner;C:\Program Files\PrevxCSI\prevxcsi.exe [2008-07-11 11:30]
R2 Harmonogram automatycznej usługi LiveUpdate;Harmonogram automatycznej usługi LiveUpdate;C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe [2006-09-09 18:48]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{42546310-2687-11dd-8585-001641c46acc}]
\Shell\AutoRun\command - r6r.exe
\Shell\explore\Command - r6r.exe
\Shell\open\Command - r6r.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{952f8dea-4d01-11dc-8264-001641c46acc}]
\Shell\Auto\command - activexdebugger32.exe f
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL activexdebugger32.exe f
\Shell\explore\Command - activexdebugger32.exe f
\Shell\open\Command - activexdebugger32.exe f

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{952f8df0-4d01-11dc-8264-001641c46acc}]
\Shell\Auto\command - bittorrent.exe e
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL bittorrent.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a6c216a4-8e14-11dc-8358-001641c46acc}]
\Shell\AutoRun\command - G:\klp8j6i.com
\Shell\explore\Command - G:\klp8j6i.com
\Shell\open\Command - G:\klp8j6i.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d31f84b7-c285-11dc-843d-001641c46acc}]
\Shell\AutoRun\command - G:\xlu8a8sy.exe
\Shell\explore\Command - G:\xlu8a8sy.exe
\Shell\open\Command - G:\xlu8a8sy.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ef9ffb34-b575-11dc-83f3-001641c46acc}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe pagefile.sys.vbs

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-19 11:06:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ????Y??????`?@?????L?@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-19 11:07:21
ComboFix-quarantined-files.txt 2008-07-19 09:07:18
ComboFix2.txt 2008-07-11 10:02:40

Pre-Run: 578,379,776 bytes free
Post-Run: 585,592,832 bytes free

225 --- E O F --- 2008-07-09 08:20:15

log z hijack

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:26:50, on 2008-07-19
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\CPUCooL\CooLSrv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox 3 Beta 1\firefox.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptsn.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [FineReader7NewsReaderPro] "C:\Program Files\ABBYY FineReader 7.0 Professional Edition\AbbyyNewsReader.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [kamsoft] C:\WINDOWS\system32\ckvo.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Picasa3\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Picasa3\PicasaMediaDetector.exe (User 'Default user')
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{79DF4097-ECBA-48F8-9EE1-89E1747D0486}: NameServer = 194.204.159.1,194.204.152.34
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: CPUCooLServer Service (CPUCooLServer) - Unknown owner - C:\CPUCooL\CooLSrv.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Harmonogram automatycznej usługi LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: McAfee HackerWatch Service - Unknown owner - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe (file missing)
O23 - Service: McAfee Network Agent (McNASvc) - Unknown owner - c:\program files\common files\mcafee\mna\mcnasvc.exe (file missing)
O23 - Service: McAfee Scanner (McODS) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe (file missing)
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 10373 bytes

dzieki z gory

[Magik]

wklej do notatnika

Kod: Zaznacz wszystko

Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{42546310-2687-11dd-8585-001641c46acc}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{952f8dea-4d01-11dc-8264-001641c46acc}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{952f8df0-4d01-11dc-8264-001641c46acc}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a6c216a4-8e14-11dc-8358-001641c46acc}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d31f84b7-c285-11dc-843d-001641c46acc}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ef9ffb34-b575-11dc-83f3-001641c46acc}]

zapisz jako fix.reg i odpal

W HJT na fix

Kod: Zaznacz wszystko

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptsn.dll (file missing)
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)


wklej do notatnika

Kod: Zaznacz wszystko

FILE::
C:\ybj8df.exe
C:\ivcvknr.bat
C:\p83gjy.exe
C:\33gmhso.bat
C:\k.com
C:\WINDOWS\system32\ckvo2.dll
C:\0gjn3yw.exe
C:\mp.cmd
C:\WINDOWS\system32\ckvo1.dll
C:\WINDOWS\system32\ckvo.exe
C:\WINDOWS\system32\ckvo0.dll

zapisz jako CFScript.txt, przeciągnij i upuść ikonkę CFScript.txt na ikonkę ComboFix.exe i wklej nowy log, ktory sie wygeneruje

Zastosuj SDFix . Po pobraniu uruchom go a rozpakuje się do C:\SDFix. Uruchom komputer w trybie awaryjnym (F8 przy stracie systemu). Będąc w awaryjnym uruchom plik RunThis.bat z folderu SDFixa. Zatwierdź czyszczenie przez Y. Poczekaj aż ukończy i komputer zresetuje

Potem wejdz do folderu C:\SDFix wrzuc zawartość pliku Report.txt

[maru666]

nowy log z combofix

ComboFix 08-07-10.1 - Valued Customer 2008-07-19 15:55:50.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1033.18.1412 [GMT 2:00]
Running from: C:\Documents and Settings\Valued Customer\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Valued Customer\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\0gjn3yw.exe
C:\33gmhso.bat
C:\ivcvknr.bat
C:\k.com
C:\mp.cmd
C:\p83gjy.exe
C:\WINDOWS\system32\ckvo.exe
C:\WINDOWS\system32\ckvo0.dll
C:\WINDOWS\system32\ckvo1.dll
C:\WINDOWS\system32\ckvo2.dll
C:\ybj8df.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\0gjn3yw.exe
C:\33gmhso.bat
C:\autorun.inf
C:\ivcvknr.bat
C:\k.com
C:\mp.cmd
C:\p83gjy.exe
C:\WINDOWS\system32\ckvo.exe
C:\WINDOWS\system32\ckvo0.dll
C:\WINDOWS\system32\ckvo1.dll
C:\WINDOWS\system32\ckvo2.dll
C:\ybj8df.exe
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-06-19 to 2008-07-19 )))))))))))))))))))))))))))))))
.

2008-07-19 15:48 . 2008-07-19 15:48 788 --a------ C:\fix.reg
2008-07-19 14:32 . 2006-07-14 00:09 161,768 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-07-19 14:32 . 2006-07-17 21:56 104,024 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-07-19 14:32 . 2006-07-08 15:46 84,744 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-07-19 14:32 . 2006-07-14 00:10 37,800 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-07-19 14:32 . 2006-07-14 00:09 33,896 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-07-19 14:32 . 2006-07-14 00:09 31,560 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2008-07-19 14:32 . 2006-07-27 17:12 1,808 --a------ C:\WINDOWS\system32\subst.inf
2008-07-19 13:45 . 2008-07-19 15:07 <DIR> d-------- C:\Program Files\McAfee
2008-07-19 13:45 . 2008-07-19 15:07 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-07-19 13:44 . 2008-07-19 15:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-07-19 13:43 . 2007-01-18 07:16 <DIR> d-------- C:\McAfee Total Protection 2007
2008-07-15 13:11 . 2008-07-15 13:11 43,131 --a------ C:\aeeeeeeeeeeeeeeeee.JPG
2008-07-15 12:21 . 2008-07-14 03:59 63,666 --a------ C:\ZmVhWkkkdVU4O1o0dSVddWVleEZ1c3R2Zzt7eWZfaFs=.jpg
2008-07-14 08:27 . 2008-07-15 09:44 118,512 -r-hs---- C:\fi.cmd
2008-07-12 09:17 . 2008-07-12 17:52 116,972 -r-hs---- C:\ffojc.com
2008-07-11 09:29 . 2008-07-11 09:29 <DIR> d-------- C:\Program Files\Lavasoft
2008-07-10 23:25 . 2008-07-18 20:52 <DIR> d-------- C:\Documents and Settings\Valued Customer\Application Data\HLSW
2008-07-10 23:00 . 2008-07-10 23:00 52,696 --a------ C:\4.jpg
2008-07-10 23:00 . 2008-07-10 23:00 46,881 --a------ C:\3.jpg
2008-07-10 23:00 . 2008-07-10 23:00 46,558 --a------ C:\2.jpg
2008-07-07 20:53 . 2008-07-07 20:53 8,723 --a------ C:\zagglada.jpg
2008-07-06 21:12 . 2008-07-05 19:01 113,028 -r-hs---- C:\qxbx9blb.com
2008-07-05 17:41 . 2008-07-05 18:06 <DIR> d-------- C:\XL
2008-07-04 20:27 . 2008-07-10 09:58 58,011 --a------ C:\s.jpg
2008-07-04 18:48 . 2008-07-09 16:18 118,734 -r-hs---- C:\00hoeav.com
2008-07-01 16:05 . 2008-07-01 16:05 <DIR> d-------- C:\New Folder (2)
2008-07-01 15:49 . 2008-07-01 15:49 <DIR> d-------- C:\New Folder
2008-06-29 09:53 . 2008-06-29 09:53 112,227 -r-hs---- C:\klp8j6i.com
2008-06-28 17:42 . 2008-06-28 17:42 <DIR> d--hs---- C:\found.000
2008-06-28 14:36 . 2008-07-16 20:05 <DIR> d-------- C:\auto
2008-06-25 23:31 . 2008-06-16 11:53 117,568 -r-hs---- C:\r.cmd
2008-06-25 17:52 . 2008-06-25 17:52 <DIR> dr-h----- C:\Documents and Settings\Valued Customer\Application Data\SecuROM
2008-06-25 14:42 . 2007-09-25 05:52 2,865,651,712 --a------ C:\flt-fif8.iso
2008-06-24 17:54 . 2008-06-24 18:16 <DIR> d-------- C:\cv
2008-06-20 19:41 . 2008-06-20 19:41 245,248 --------- C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 12:44 . 2008-06-20 12:44 138,368 --------- C:\WINDOWS\system32\dllcache\afd.sys
2008-06-19 17:57 . 2008-06-19 18:02 <DIR> d-------- C:\fb

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-19 13:34 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-07-19 13:33 --------- d-----w C:\Program Files\Mozilla Firefox 3 Beta 1
2008-07-19 13:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-07-19 12:00 --------- d-----w C:\Documents and Settings\Valued Customer\Application Data\foobar2000
2008-07-18 21:45 --------- d-----w C:\Program Files\mIRC
2008-07-11 14:17 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-07-11 14:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-07-11 14:16 --------- d-----w C:\Program Files\Symantec
2008-07-11 07:29 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-11 07:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-10 21:25 --------- d-s---w C:\Program Files\HLSW
2008-06-28 16:26 --------- d-----w C:\Program Files\XAC
2008-06-27 14:52 --------- d-----w C:\Documents and Settings\Valued Customer\Application Data\Skype
2008-06-25 12:52 --------- d-----w C:\Program Files\EA SPORTS
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-18 16:19 --------- d-----w C:\Documents and Settings\Valued Customer\Application Data\Hamachi
2008-06-18 16:03 25,280 ----a-w C:\WINDOWS\system32\drivers\hamachi.sys
2008-06-18 14:25 --------- d-----w C:\Program Files\Peer2Mail
2008-06-16 09:53 117,568 --sh--r C:\6x8be16.cmd
2008-06-14 07:04 --------- d-----w C:\Program Files\SkanerOnline
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-25 14:41 --------- d-----w C:\Program Files\Ventrilo
2008-05-23 11:10 --------- d-----w C:\Program Files\Advance Split Machine
2008-05-07 06:51 103,832 --sh--r C:\xlu8a8sy.exe
2007-10-05 10:31 934,761 ----a-w C:\Program Files\Messenger.rar
1980-01-01 07:00 1,559,435 ----a-w C:\Program Files\Common Files\slawek.jpg
.

((((((((((((((((((((((((((((( snapshot@2008-07-19_11.07.13,65 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-07-19 11:48:12 16,384 ----a-w C:\WINDOWS\assembly\GAC\Arbus.Interfacing.Library\1.0.0.0__2be3a081d8c94867\Arbus.Interfacing.Library.dll
+ 2008-07-19 11:48:12 16,384 ----a-w C:\WINDOWS\assembly\GAC\ArbusApplicationController\1.0.0.0__da57d5d39b1d6dd8\ArbusApplicationController.dll
- 2008-07-19 08:06:24 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-19 13:59:14 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2007-05-10 22:52:42 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-07-19 12:13:46 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2007-05-10 22:52:42 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-07-19 12:13:46 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-05-10 22:52:42 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-07-19 12:13:46 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-07-19 08:10:48 67,492 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-07-19 13:20:08 67,492 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-07-19 08:10:48 418,724 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-07-19 13:20:08 418,724 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2005-03-31 11:18 790528]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-10-29 01:25 94208]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 21:54 5674352]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 07:58 458752]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-07-20 07:58 7581696]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-07-20 07:58 86016]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 08:11 49152]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-12 01:30 81920]
"Cpqset"="C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-06-19 19:50 40960]
"RecGuard"="C:\Windows\SMINST\RecGuard.exe" [2005-10-11 19:23 1187840]
"FineReader7NewsReaderPro"="C:\Program Files\ABBYY FineReader 7.0 Professional Edition\AbbyyNewsReader.exe" [2003-12-10 01:19 278528]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-17 07:22 794713]
"nwiz"="nwiz.exe" [2006-07-20 07:58 1519616 C:\WINDOWS\system32\nwiz.exe]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-02 17:02 61952 C:\WINDOWS\system32\CHDAudPropShortcut.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Picasa3\PicasaMediaDetector.exe" [2007-10-23 23:18 443968]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^StartUp^Vongo Tray.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\StartUp\Vongo Tray.lnk
backup=C:\WINDOWS\pss\Vongo Tray.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=C:\WINDOWS\pss\Bluetooth.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Pavilion Webcam Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Pavilion Webcam Tray Icon.lnk
backup=C:\WINDOWS\pss\HP Pavilion Webcam Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=C:\WINDOWS\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Valued Customer^Start Menu^Programs^StartUp^Vongo Tray.lnk]
path=C:\Documents and Settings\Valued Customer\Start Menu\Programs\StartUp\Vongo Tray.lnk
backup=C:\WINDOWS\pss\Vongo Tray.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
--a------ 2007-02-06 00:52 849280 c:\Program Files\Microsoft IntelliPoint\ipoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-14 02:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
--a------ 2007-10-23 23:18 443968 C:\Picasa3\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]
--a------ 2006-06-19 20:33 163840 C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2007-08-06 21:43 23165736 C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a------ 2006-06-17 07:22 794713 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\mqsvc.exe"=
"C:\\Program Files\\Gadu-Gadu\\gg.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Steam\\SteamApps\\pmok26@wp.pl\\counter-strike\\hl.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"9595:TCP"= 9595:TCP:BitComet 9595 TCP
"9595:UDP"= 9595:UDP:BitComet 9595 UDP
"20233:TCP"= 20233:TCP:BitComet 20233 TCP
"20233:UDP"= 20233:UDP:BitComet 20233 UDP

R2 Harmonogram automatycznej usługi LiveUpdate;Harmonogram automatycznej usługi LiveUpdate;C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe [2006-09-09 18:48]

.
Contents of the 'Scheduled Tasks' folder
"2008-07-19 12:32:11 C:\WINDOWS\Tasks\McDefragTask.job"
- C:\WINDOWS\system32\defrag.exe
"2008-07-19 12:32:10 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-kamsoft - C:\WINDOWS\system32\ckvo.exe


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-19 15:59:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ????Y??????`?@?????L?@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\CPUCooL\CooLSRV.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\MSN Messenger\usnsvc.exe
.
**************************************************************************
.
Completion time: 2008-07-19 16:02:37 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-19 14:02:34
ComboFix2.txt 2008-07-19 09:07:22
ComboFix3.txt 2008-07-11 10:02:40

Pre-Run: 7,864,606,720 bytes free
Post-Run: 7,847,481,344 bytes free

250 --- E O F --- 2008-07-09 08:20:15

[Magik]

wklej dalej do notatnika

Kod: Zaznacz wszystko

FILE::
C:\qxbx9blb.com
C:\XL
C:\00hoeav.com
C:\klp8j6i.com
C:\found.000
C:\r.cmd
C:\xlu8a8sy.exe


zapisz jako CFScript.txt, przeciągnij i upuść ikonkę CFScript.txt na ikonkę ComboFix.exe i wklej nowy log, ktory sie wygeneruje

+

http://forum.programosy.pl/program-szukajacy-trojanow-i-malware-vt97108.html

i ten Sdfix poprosze

[maru666]

SDFIX

SDFix: Version 1.206
Run by Administrator on Sat 07/19/2008 at 04:11 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-19 16:16:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000001
"ujdew"=hex:71,77,d0,63,92,00,f9,5d,4a,59,49,52,03,78,88,92,e9,22,cf,31,65,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:90,71,f4,ed,50,9c,a3,8a,f4,55,92,c1,f0,f5,af,3e,b4,c7,25,df,1c,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,d0,d3,38,da,c1,63,82,19,48,fb,4e,92,84,f9,8f,9b,06,..
"khjeh"=hex:79,d7,c8,c8,29,04,87,85,0f,5f,4c,fb,90,12,a8,e3,90,76,b4,9b,76,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:87,cd,be,50,59,46,8a,b5,63,ac,63,c8,bc,5a,8c,5c,1b,c8,ef,55,5f,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:ee,f7,c2,8c,b4,f2,e7,d0,d0,b7,2a,63,f1,7c,12,b4,e6,04,25,50,e4,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42]
"khjeh"=hex:01,2a,ff,a6,00,7e,d7,91,ab,47,75,0c,e5,b4,35,5e,8e,eb,41,45,57,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000001
"ujdew"=hex:71,77,d0,63,92,00,f9,5d,4a,59,49,52,03,78,88,92,e9,22,cf,31,65,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:90,71,f4,ed,50,9c,a3,8a,f4,55,92,c1,f0,f5,af,3e,b4,c7,25,df,1c,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,d0,d3,38,da,c1,63,82,19,48,fb,4e,92,84,f9,8f,9b,06,..
"khjeh"=hex:79,d7,c8,c8,29,04,87,85,0f,5f,4c,fb,90,12,a8,e3,90,76,b4,9b,76,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:87,cd,be,50,59,46,8a,b5,63,ac,63,c8,bc,5a,8c,5c,1b,c8,ef,55,5f,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:ee,f7,c2,8c,b4,f2,e7,d0,d0,b7,2a,63,f1,7c,12,b4,e6,04,25,50,e4,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42]
"khjeh"=hex:01,2a,ff,a6,00,7e,d7,91,ab,47,75,0c,e5,b4,35,5e,8e,eb,41,45,57,..

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:00000061

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\mqsvc.exe"="C:\\WINDOWS\\system32\\mqsvc.exe:*:Enabled:Message Queuing"
"C:\\Program Files\\Gadu-Gadu\\gg.exe"="C:\\Program Files\\Gadu-Gadu\\gg.exe:*:Enabled:Gadu-Gadu - program glowny"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Steam\\SteamApps\\pmok26@wp.pl\\counter-strike\\hl.exe"="C:\\Steam\\SteamApps\\pmok26@wp.pl\\counter-strike\\hl.exe:*:Enabled:Half-Life Launcher"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\mqsvc.exe"="C:\\WINDOWS\\system32\\mqsvc.exe:*:Enabled:Message Queuing"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files :



Files with Hidden Attributes :

Wed 9 Jul 2008 118,734 ..SHR --- "C:\00hoeav.com"
Sat 12 Jul 2008 116,972 ..SHR --- "C:\ffojc.com"
Sun 29 Jun 2008 112,227 ..SHR --- "C:\klp8j6i.com"
Sat 5 Jul 2008 113,028 ..SHR --- "C:\qxbx9blb.com"
Wed 7 May 2008 103,832 ..SHR --- "C:\xlu8a8sy.exe"
Mon 20 Aug 2007 5,388,088 A..H. --- "C:\Picasa2\setup.exe"
Thu 8 Nov 2007 6,219,320 A..H. --- "C:\Picasa3\setup.exe"
Sat 10 May 2008 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 4 Feb 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Fri 25 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\69d36bfb88bb6252fc5b48610fdd4093\BIT12.tmp"
Tue 10 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b41c719149668a1b6ff66ea433b94344\BIT8.tmp"
Wed 7 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\BIT3.tmp"

Finished!

[Magik]

Łok

wklej na koniec log z combofix'a, HJT kontrolnie, bo nic juz groznego nie widac

Odpal

[maru666]

i log z combofixa

ComboFix 08-07-10.1 - Valued Customer 2008-07-19 16:20:46.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1033.18.1494 [GMT 2:00]
Running from: C:\Documents and Settings\Valued Customer\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Valued Customer\Desktop\CFscript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\00hoeav.com
C:\found.000
C:\klp8j6i.com
C:\qxbx9blb.com
C:\r.cmd
C:\XL
C:\xlu8a8sy.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\00hoeav.com
C:\klp8j6i.com
C:\qxbx9blb.com
C:\r.cmd
C:\xlu8a8sy.exe

.
((((((((((((((((((((((((( Files Created from 2008-06-19 to 2008-07-19 )))))))))))))))))))))))))))))))
.

2008-07-19 16:09 . 2008-07-19 16:09 <DIR> d-------- C:\WINDOWS\ERUNT
2008-07-19 16:06 . 2008-07-19 16:18 <DIR> d-------- C:\SDFix
2008-07-19 15:48 . 2008-07-19 15:48 788 --a------ C:\fix.reg
2008-07-19 14:32 . 2006-07-14 00:09 161,768 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-07-19 14:32 . 2006-07-17 21:56 104,024 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-07-19 14:32 . 2006-07-08 15:46 84,744 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-07-19 14:32 . 2006-07-14 00:10 37,800 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-07-19 14:32 . 2006-07-14 00:09 33,896 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-07-19 14:32 . 2006-07-14 00:09 31,560 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2008-07-19 14:32 . 2006-07-27 17:12 1,808 --a------ C:\WINDOWS\system32\subst.inf
2008-07-19 13:45 . 2008-07-19 15:07 <DIR> d-------- C:\Program Files\McAfee
2008-07-19 13:45 . 2008-07-19 15:07 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-07-19 13:44 . 2008-07-19 15:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-07-19 13:43 . 2007-01-18 07:16 <DIR> d-------- C:\McAfee Total Protection 2007
2008-07-15 13:11 . 2008-07-15 13:11 43,131 --a------ C:\aeeeeeeeeeeeeeeeee.JPG
2008-07-15 12:21 . 2008-07-14 03:59 63,666 --a------ C:\ZmVhWkkkdVU4O1o0dSVddWVleEZ1c3R2Zzt7eWZfaFs=.jpg
2008-07-14 08:27 . 2008-07-15 09:44 118,512 -r-hs---- C:\fi.cmd
2008-07-12 09:17 . 2008-07-12 17:52 116,972 -r-hs---- C:\ffojc.com
2008-07-11 09:29 . 2008-07-11 09:29 <DIR> d-------- C:\Program Files\Lavasoft
2008-07-10 23:25 . 2008-07-18 20:52 <DIR> d-------- C:\Documents and Settings\Valued Customer\Application Data\HLSW
2008-07-10 23:00 . 2008-07-10 23:00 52,696 --a------ C:\4.jpg
2008-07-10 23:00 . 2008-07-10 23:00 46,881 --a------ C:\3.jpg
2008-07-10 23:00 . 2008-07-10 23:00 46,558 --a------ C:\2.jpg
2008-07-07 20:53 . 2008-07-07 20:53 8,723 --a------ C:\zagglada.jpg
2008-07-05 17:41 . 2008-07-05 18:06 <DIR> d-------- C:\XL
2008-07-04 20:27 . 2008-07-10 09:58 58,011 --a------ C:\s.jpg
2008-07-01 16:05 . 2008-07-01 16:05 <DIR> d-------- C:\New Folder (2)
2008-07-01 15:49 . 2008-07-01 15:49 <DIR> d-------- C:\New Folder
2008-06-28 17:42 . 2008-06-28 17:42 <DIR> d--hs---- C:\found.000
2008-06-28 14:36 . 2008-07-16 20:05 <DIR> d-------- C:\auto
2008-06-25 17:52 . 2008-06-25 17:52 <DIR> dr-h----- C:\Documents and Settings\Valued Customer\Application Data\SecuROM
2008-06-25 14:42 . 2007-09-25 05:52 2,865,651,712 --a------ C:\flt-fif8.iso
2008-06-24 17:54 . 2008-06-24 18:16 <DIR> d-------- C:\cv
2008-06-20 19:41 . 2008-06-20 19:41 245,248 --------- C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 12:44 . 2008-06-20 12:44 138,368 --------- C:\WINDOWS\system32\dllcache\afd.sys
2008-06-19 17:57 . 2008-06-19 18:02 <DIR> d-------- C:\fb

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-19 14:18 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-07-19 14:18 --------- d-----w C:\Program Files\Mozilla Firefox 3 Beta 1
2008-07-19 13:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-07-19 12:00 --------- d-----w C:\Documents and Settings\Valued Customer\Application Data\foobar2000
2008-07-18 21:45 --------- d-----w C:\Program Files\mIRC
2008-07-11 14:17 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-07-11 14:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-07-11 14:16 --------- d-----w C:\Program Files\Symantec
2008-07-11 07:29 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-11 07:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-10 21:25 --------- d-s---w C:\Program Files\HLSW
2008-06-28 16:26 --------- d-----w C:\Program Files\XAC
2008-06-27 14:52 --------- d-----w C:\Documents and Settings\Valued Customer\Application Data\Skype
2008-06-25 15:52 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-06-25 12:52 --------- d-----w C:\Program Files\EA SPORTS
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-18 16:19 --------- d-----w C:\Documents and Settings\Valued Customer\Application Data\Hamachi
2008-06-18 16:03 25,280 ----a-w C:\WINDOWS\system32\drivers\hamachi.sys
2008-06-18 14:25 --------- d-----w C:\Program Files\Peer2Mail
2008-06-16 09:53 117,568 --sh--r C:\6x8be16.cmd
2008-06-14 07:04 --------- d-----w C:\Program Files\SkanerOnline
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\dllcache\bthport.sys
2008-05-25 14:41 --------- d-----w C:\Program Files\Ventrilo
2008-05-23 11:10 --------- d-----w C:\Program Files\Advance Split Machine
2008-05-16 09:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-08 12:28 202,752 ------w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:18 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2008-04-21 07:04 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2008-04-21 07:04 659,456 ------w C:\WINDOWS\system32\dllcache\wininet.dll
2008-04-21 07:04 615,936 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
2008-04-21 07:04 474,112 ------w C:\WINDOWS\system32\dllcache\shlwapi.dll
2008-04-21 07:04 1,494,528 ------w C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-10-05 10:31 934,761 ----a-w C:\Program Files\Messenger.rar
1980-01-01 07:00 1,559,435 ----a-w C:\Program Files\Common Files\slawek.jpg
.

((((((((((((((((((((((((((((( snapshot@2008-07-19_11.07.13,65 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-07-19 11:48:12 16,384 ----a-w C:\WINDOWS\assembly\GAC\Arbus.Interfacing.Library\1.0.0.0__2be3a081d8c94867\Arbus.Interfacing.Library.dll
+ 2008-07-19 11:48:12 16,384 ----a-w C:\WINDOWS\assembly\GAC\ArbusApplicationController\1.0.0.0__da57d5d39b1d6dd8\ArbusApplicationController.dll
- 2008-07-19 08:06:24 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-19 14:14:48 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-17 10:57:07 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-07-19 14:09:10 835,584 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-07-19 14:09:10 98,304 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-07-17 10:57:07 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-07-19 14:09:08 835,584 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-07-19 14:09:08 98,304 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
- 2007-05-10 22:52:42 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-07-19 12:13:46 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2007-05-10 22:52:42 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-07-19 12:13:46 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-05-10 22:52:42 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-07-19 12:13:46 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-07-19 08:10:48 67,492 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-07-19 14:19:25 67,492 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-07-19 08:10:48 418,724 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-07-19 14:19:25 418,724 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2005-03-31 11:18 790528]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-10-29 01:25 94208]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 21:54 5674352]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 07:58 458752]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-07-20 07:58 7581696]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-07-20 07:58 86016]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 08:11 49152]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-12 01:30 81920]
"Cpqset"="C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-06-19 19:50 40960]
"RecGuard"="C:\Windows\SMINST\RecGuard.exe" [2005-10-11 19:23 1187840]
"FineReader7NewsReaderPro"="C:\Program Files\ABBYY FineReader 7.0 Professional Edition\AbbyyNewsReader.exe" [2003-12-10 01:19 278528]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-17 07:22 794713]
"nwiz"="nwiz.exe" [2006-07-20 07:58 1519616 C:\WINDOWS\system32\nwiz.exe]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-02 17:02 61952 C:\WINDOWS\system32\CHDAudPropShortcut.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Picasa3\PicasaMediaDetector.exe" [2007-10-23 23:18 443968]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^StartUp^Vongo Tray.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\StartUp\Vongo Tray.lnk
backup=C:\WINDOWS\pss\Vongo Tray.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=C:\WINDOWS\pss\Bluetooth.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Pavilion Webcam Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Pavilion Webcam Tray Icon.lnk
backup=C:\WINDOWS\pss\HP Pavilion Webcam Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=C:\WINDOWS\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Valued Customer^Start Menu^Programs^StartUp^Vongo Tray.lnk]
path=C:\Documents and Settings\Valued Customer\Start Menu\Programs\StartUp\Vongo Tray.lnk
backup=C:\WINDOWS\pss\Vongo Tray.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
--a------ 2007-02-06 00:52 849280 c:\Program Files\Microsoft IntelliPoint\ipoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-14 02:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
--a------ 2007-10-23 23:18 443968 C:\Picasa3\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]
--a------ 2006-06-19 20:33 163840 C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2007-08-06 21:43 23165736 C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a------ 2006-06-17 07:22 794713 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\mqsvc.exe"=
"C:\\Program Files\\Gadu-Gadu\\gg.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Steam\\SteamApps\\pmok26@wp.pl\\counter-strike\\hl.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"9595:TCP"= 9595:TCP:BitComet 9595 TCP
"9595:UDP"= 9595:UDP:BitComet 9595 UDP
"20233:TCP"= 20233:TCP:BitComet 20233 TCP
"20233:UDP"= 20233:UDP:BitComet 20233 UDP

R2 Harmonogram automatycznej usługi LiveUpdate;Harmonogram automatycznej usługi LiveUpdate;C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe [2006-09-09 18:48]

.
Contents of the 'Scheduled Tasks' folder
"2008-07-19 12:32:11 C:\WINDOWS\Tasks\McDefragTask.job"
- C:\WINDOWS\system32\defrag.exe
"2008-07-19 12:32:10 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-19 16:21:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ????Y??????`?@?????L?@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-19 16:22:19
ComboFix-quarantined-files.txt 2008-07-19 14:22:13
ComboFix2.txt 2008-07-19 14:02:38
ComboFix3.txt 2008-07-19 09:07:22
ComboFix4.txt 2008-07-11 10:02:40

Pre-Run: 7,744,716,800 bytes free
Post-Run: 7,726,264,320 bytes free

235 --- E O F --- 2008-07-09 08:20:15

[Magik]

maru666 jesli odpaliles ten soft, do ktorego podalem Ci link i nic nie znalazl

to na koniec by Mario

1. Ściągnij OTMoveIt i go włacz i odpal go z opcji CleanUp
2.sciagnij ATF_Cleaner
zaznacz
Windows Temp
All users Temp
Temporary internet files
Recycle Bin
i wcisnij EMPTY SELECTED
3.Wyłącz przywracanie systemu ( właściwości mój komputer-zakładka przywracanie - wyłącz przywracanie na wszystkich dyskach). Po chwili włącz je powrotem


i to na tyle

[maru666]

FixIEDef nic nie znalazl
jeszcze odpale te 2 progsy i wrzuce na koniec log z HJT

wielkie dzieki dla ciebie !

[ Dodano: Dzisiaj o 16:34 ]
jeszcze dla pewnosci log z HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:32:54, on 2008-07-19
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\CPUCooL\CooLSrv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\MSN Messenger\usnsvc.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [FineReader7NewsReaderPro] "C:\Program Files\ABBYY FineReader 7.0 Professional Edition\AbbyyNewsReader.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Picasa3\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Picasa3\PicasaMediaDetector.exe (User 'Default user')
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{79DF4097-ECBA-48F8-9EE1-89E1747D0486}: NameServer = 194.204.159.1,194.204.152.34
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: CPUCooLServer Service (CPUCooLServer) - Unknown owner - C:\CPUCooL\CooLSrv.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Harmonogram automatycznej usługi LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: McAfee HackerWatch Service - Unknown owner - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe (file missing)
O23 - Service: McAfee Network Agent (McNASvc) - Unknown owner - c:\program files\common files\mcafee\mna\mcnasvc.exe (file missing)
O23 - Service: McAfee Scanner (McODS) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe (file missing)
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 9751 bytes

[Magik]

jeszcze dla pewnosci log z HJT

cóż mogę rzec

czyściutko miłego dnia

[maru666]

jeszcze raz dzieki

pozdro

[rogal7540]

Witam mam goraca prosbe o sprawdzenie loga z ComboFix-a bo nie moge sobieporadzic z ckvo.exe postawilem system odnowa a on wciaz jest wilka prosba o sprawdzenie i udzielenie pomocy. Generalnie to nie jestem zbyt biegly w tych sprawach poczytalem juz troszke w necie o tym przypadku!
Oto log:

ComboFix 08-08-29.02 - Rogal 2008-08-30 17:05:39.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.48.1045.18.572 [GMT 2:00]
Running from: C:\Documents and Settings\Rogal\Pulpit\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
C:\WINDOWS\system32\ckvo.exe
C:\WINDOWS\system32\ckvo0.dll
C:\WINDOWS\system32\wl.exe
D:\Autorun.inf
D:\bwpncb6.com
D:\krg62.cmd

.
((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-30 )))))))))))))))))))))))))))))))
.

2008-08-30 17:08 . 2001-08-17 23:59 3,072 --a------ C:\WINDOWS\system32\drivers\audstub.sys
2008-08-30 17:07 . 2004-08-04 02:35 58,624 --a------ C:\WINDOWS\system32\drivers\redbook.sys
2008-08-30 17:06 . 2004-08-04 00:44 77,312 --a------ C:\WINDOWS\system32\usbui.dll
2008-08-30 17:06 . 2004-08-04 00:44 77,312 --a--c--- C:\WINDOWS\system32\dllcache\usbui.dll
2008-08-30 17:06 . 2004-08-04 00:31 20,992 --a------ C:\WINDOWS\system32\drivers\RTL8139.sys
2008-08-30 17:06 . 2004-08-04 01:07 14,080 --a------ C:\WINDOWS\system32\drivers\CmBatt.sys
2008-08-30 17:06 . 2001-08-17 23:57 14,080 --a------ C:\WINDOWS\system32\drivers\battc.sys
2008-08-30 17:06 . 2001-08-17 23:58 9,344 --a------ C:\WINDOWS\system32\drivers\compbatt.sys
2008-08-30 17:06 . 2001-08-17 23:46 6,400 --a------ C:\WINDOWS\system32\drivers\enum1394.sys
2008-08-30 17:06 . 2004-08-04 02:37 5,504 --a------ C:\WINDOWS\system32\drivers\intelide.sys
2008-08-30 17:04 . 2008-08-30 16:47 <DIR> d-------- C:\WINDOWS\system32\CatRoot2
2008-08-30 17:04 . 2008-08-30 17:04 <DIR> dr-h----- C:\Documents and Settings\Default User\Ustawienia lokalne
2008-08-30 17:04 . 2008-08-30 17:04 <DIR> d-------- C:\Documents and Settings\Default User\Ulubione
2008-08-30 17:04 . 2008-08-30 15:13 <DIR> d--h----- C:\Documents and Settings\Default User\Szablony
2008-08-30 17:04 . 2008-08-30 17:04 <DIR> d-------- C:\Documents and Settings\Default User\Pulpit
2008-08-30 17:04 . 2008-08-30 17:04 <DIR> d-------- C:\Documents and Settings\Default User\Moje dokumenty
2008-08-30 17:04 . 2008-08-30 17:04 <DIR> dr------- C:\Documents and Settings\Default User\Menu Start
2008-08-30 17:04 . 2008-08-30 17:04 <DIR> dr-h----- C:\Documents and Settings\Default User\Dane aplikacji
2008-08-30 17:04 . 2008-08-30 17:04 <DIR> d-------- C:\Documents and Settings\All Users\Ulubione
2008-08-30 17:04 . 2008-08-30 17:04 <DIR> d--h----- C:\Documents and Settings\All Users\Szablony
2008-08-30 17:04 . 2008-08-30 16:15 <DIR> d-------- C:\Documents and Settings\All Users\Pulpit
2008-08-30 17:04 . 2008-08-30 15:18 <DIR> dr------- C:\Documents and Settings\All Users\Menu Start
2008-08-30 17:04 . 2008-08-30 15:14 <DIR> dr------- C:\Documents and Settings\All Users\Dokumenty
2008-08-30 17:04 . 2008-08-30 17:04 <DIR> dr-h----- C:\Documents and Settings\All Users\Dane aplikacji
2008-08-30 17:03 . 2008-08-30 15:18 <DIR> d--h----- C:\Documents and Settings\Default User
2008-08-30 17:03 . 2008-08-30 15:17 <DIR> d-------- C:\Documents and Settings\All Users
2008-08-30 17:03 . 2008-08-30 15:27 <DIR> d-------- C:\Documents and Settings
2008-08-30 17:02 . 2008-08-30 15:21 261 --a------ C:\WINDOWS\system32\$winnt$.inf

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-30 14:22 --------- d-----w C:\Program Files\Synaptics
2008-08-30 14:22 --------- d-----w C:\Program Files\Intel
2008-08-30 14:21 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-30 14:21 --------- d-----w C:\Program Files\CONEXANT
2008-08-30 14:20 --------- d-----w C:\Program Files\Analog Devices
2008-08-30 14:19 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-08-30 14:15 --------- d-----w C:\Program Files\MicroStar
2008-08-30 13:18 --------- d-----w C:\Program Files\microsoft frontpage
2008-08-30 13:16 --------- d-----w C:\Program Files\Usługi online
2008-08-29 05:40 89,828 --sh--r C:\ph.com
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-07-17 10:42 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-07-17 10:40 618496]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 14:00 15360]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^WlanUtility.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\WlanUtility.lnk
backup=C:\WINDOWS\pss\WlanUtility.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2003-07-09 22:13 114688 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2003-07-09 22:25 155648 C:\WINDOWS\system32\igfxtray.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=


*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-kamsoft - C:\WINDOWS\system32\ckvo.exe



**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-30 17:06:37
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-30 17:07:11
ComboFix-quarantined-files.txt 2008-08-30 15:07:09

Pre-Run: 8,161,447,936 bajtów wolnych
Post-Run: 8,165,900,288 bajtów wolnych

99 --- E O F --- 2008-08-30 15:04:33