Amvo.exe - prośba

[Szamano]

Witam. Mam problem z plikiem amvo.exe. Użyłem programu ComboFix (poniżej log), ale nie wiem co dalej z tym zrobić. Niestety jestem zielony w tych sprawach, więc proszę o pomoc . Z góry dziękuję .

ComboFix 08-12-26.03 - Monika Wachowska 2008-12-28 14:17:18.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1250.1.1045.18.503.216 [GMT 1:00]
Uruchomiony z: c:\documents and settings\Monika Wachowska\Pulpit\ComboFix.exe
AV: avast! antivirus 4.8.1201 [VPS 081218-0] *On-access scanning disabled* (Outdated)
* Utworzono nowy punkt przywracania

UWAGA - TEN KOMPUTER NIE MA ZAINSTALOWANEJ KONSOLI ODZYSKIWANIA !!
.

((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
c:\program files\Mozilla Firefox\plugins\NPMyGlSh.dll
c:\program files\myglobalsearch
c:\program files\myglobalsearch\bar\1.bin\M9FFXTBR.JAR
c:\program files\myglobalsearch\bar\1.bin\M9FFXTBR.MANIFEST
c:\program files\myglobalsearch\bar\1.bin\M9NTSTBR.JAR
c:\program files\myglobalsearch\bar\1.bin\M9NTSTBR.MANIFEST
c:\program files\myglobalsearch\bar\1.bin\M9PLUGIN.DLL
c:\program files\myglobalsearch\bar\1.bin\MGSBAR.DLL
c:\program files\myglobalsearch\bar\1.bin\NPMYGLSH.DLL
c:\program files\myglobalsearch\bar\Cache\000238AA
c:\program files\myglobalsearch\bar\Cache\002E036B.bin
c:\program files\myglobalsearch\bar\Cache\002E056E.bin
c:\program files\myglobalsearch\bar\Cache\002E0697.bin
c:\program files\myglobalsearch\bar\Cache\00E70878
c:\program files\myglobalsearch\bar\Cache\0109A9A4
c:\program files\myglobalsearch\bar\Cache\files.ini
c:\program files\myglobalsearch\bar\History\search
c:\program files\myglobalsearch\bar\Settings\prevcfg.htm
c:\windows\IE4 Error Log.txt
c:\windows\system32\amvo.exe
D:\Autorun.inf
E:\Autorun.inf
G:\autorun.inf

.
((((((((((((((((((((((((( Pliki utworzone od 2008-11-28 do 2008-12-28 )))))))))))))))))))))))))))))))
.

2008-12-25 12:34 . 2008-12-21 02:40 116,977 -r-hs---- C:\2vk6wn.exe
2008-12-25 12:33 . 2008-12-28 12:13 84,992 -r-hs---- c:\windows\system32\kav320.dll
2008-12-18 09:17 . 2008-12-18 09:17 54,156 --ah----- c:\windows\QTFont.qfn
2008-12-18 09:17 . 2008-12-18 09:17 1,409 --a------ c:\windows\QTFont.for
2008-12-06 03:42 . 2008-12-06 03:42 580,096 --a--c--- c:\windows\system32\dllcache\user32.dll
2008-12-06 03:41 . 2008-12-06 03:41 147,456 --ah----- c:\windows\system32\aston.mt

.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-06 02:42 580,096 ----a-w c:\windows\system32\user32.DLL
2008-11-22 18:22 --------- d-----w c:\program files\InterActual
2008-11-21 13:47 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-21 13:47 --------- d-----w c:\program files\Codemasters
2008-11-21 13:46 --------- d-----w c:\documents and settings\Monika Wachowska\Dane aplikacji\InstallShield
2008-11-18 18:35 --------- d-----w c:\documents and settings\Monika Wachowska\Dane aplikacji\ACD Systems
2008-11-18 18:34 --------- d-----w c:\program files\Common Files\ACD Systems
2008-11-18 18:34 --------- d-----w c:\program files\ACD Systems
2008-11-18 18:34 --------- d-----w c:\documents and settings\All Users\Dane aplikacji\ACD Systems
2008-11-05 08:02 --------- d-----w c:\documents and settings\Monika Wachowska\Dane aplikacji\Tlen.pl
2008-10-23 12:42 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-18 23:05 9,895 ----a-w c:\windows\system32\ fsmgmt.dll
2008-10-16 20:33 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 13:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 13:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 13:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 13:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 13:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 13:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 13:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 13:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-03 10:04 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-09-30 15:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-11-13 22:24 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-11-13 22:24 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-11-13 22:24 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-11-13 22:24 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-11-13 22:24 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.
c:\windows\system32\user32.dll ... jest zarażony !!
578,560 2005-03-02 18:21:08 c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
579,584 2007-03-08 15:51:57 c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
579,072 2007-03-08 15:38:47 c:\windows\$NtServicePackUninstall$\user32.dll
578,560 2006-03-02 12:00:00 c:\windows\$NtUninstallKB890859$\user32.dll
578,560 2005-03-02 18:18:38 c:\windows\$NtUninstallKB925902$\user32.dll
578,560 2005-03-02 18:18:38 c:\windows\$NtUninstallKB925902$\user32.dll.000
580,096 2008-04-14 17:20:56 c:\windows\ServicePackFiles\i386\user32.dll
580,096 2008-12-06 02:42:17 c:\windows\system32\user32.DLL
580,096 2008-12-06 02:42:17 c:\windows\system32\dllcache\user32.dll


((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-19 94208]
"Gadu-Gadu"="c:\program files\Gadu-Gadu\gg.exe" [2007-07-09 2119104]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"EXPLORER.EXE"="EXPLORER.EXE" [2008-04-14 c:\windows\explorer.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-02-08 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-02-08 126976]
"WheelMouse"="c:\program files\A4Tech\Mouse\Amoumain.exe" [2006-02-17 163840]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-01-15 37376]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2006-11-24 487424]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-16 79224]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 c:\windows\system32\HdAShCut.exe]
"RTHDCPL"="RTHDCPL.EXE" [2005-08-09 c:\windows\RTHDCPL.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BearShare\\BearShare.exe"=
"c:\\Program Files\\Gadu-Gadu\\gg.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\Tlen.pl\\tlen.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Real Alternative\\Media Player Classic\\mplayerc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8461:TCP"= 8461:TCP:GoD High Port
"8462:TCP"= 8462:TCP:GoD Low Port

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-05-05 78416]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-05-05 20560]
S3 {DEF85C80-216A-43ab-AF70-1665EDBE2780};{DEF85C80-216A-43ab-AF70-1665EDBE2780};\??\c:\windows\TEMP\61.tmp []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2ba9feae-086e-11dd-b2a7-0013d37e36b7}]
\Shell\AutoRun\command - setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6c4e6593-035a-11dd-b297-0040d09a0655}]
\Shell\AutoRun\command - G:\xpbkh.com
\Shell\explore\Command - G:\xpbkh.com
\Shell\open\Command - G:\xpbkh.com

*Newly Created Service* - PROCEXP90
.
- - - - USUNIĘTO PUSTE WPISY - - - -

HKCU-Run-wsctf.exe - wsctf.exe
HKLM-Run-NWEReboot - (no file)


.
------- Skan uzupełniający -------
.
uStart Page = hxxp://www.google.pl/
uInternet Connection Wizard,ShellNext = hxxp://google.bearshare.com/pl/
IE: E&ksport do programu Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Monika Wachowska\Dane aplikacji\Mozilla\Firefox\Profiles\zwfh050a.default\
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-28 14:20:00
Windows 5.1.2600 Dodatek Service Pack 3 NTFS

skanowanie ukrytych procesów ...

skanowanie ukrytych wpisów autostartu ...

skanowanie ukrytych plików ...

skanowanie pomyślnie ukończone
ukryte pliki: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{DEF85C80-216A-43ab-AF70-1665EDBE2780}]
"ImagePath"="\??\c:\windows\TEMP\61.tmp"
.
--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------

- - - - - - - > 'winlogon.exe'(580)
c:\windows\system32\igfxsrvc.dll
c:\windows\system32\hccutils.DLL
.
Czas ukończenia: 2008-12-28 14:21:06
ComboFix-quarantined-files.txt 2008-12-28 13:20:37

Przed: 2˙999˙361˙536 bajt˘w wolnych
Po: 4,431,740,928 bajt˘w wolnych

167 --- E O F --- 2008-12-18 02:02:01

[Okocza]

Szamano, wstaw log w tagi 'code'

[Szamano]

Kod: Zaznacz wszystko

ComboFix 08-12-26.03 - Monika Wachowska 2008-12-28 14:17:18.1 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.3.1250.1.1045.18.503.216 [GMT 1:00]
Uruchomiony z: c:\documents and settings\Monika Wachowska\Pulpit\ComboFix.exe
AV: avast! antivirus 4.8.1201 [VPS 081218-0] *On-access scanning disabled* (Outdated)
* Utworzono nowy punkt przywracania

[COLOR=RED][B]UWAGA - TEN KOMPUTER NIE MA ZAINSTALOWANEJ KONSOLI ODZYSKIWANIA !![/B][/COLOR]
.

(((((((((((((((((((((((((((((((((((((((   Usunięto   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
c:\program files\Mozilla Firefox\plugins\NPMyGlSh.dll
c:\program files\myglobalsearch
c:\program files\myglobalsearch\bar\1.bin\M9FFXTBR.JAR
c:\program files\myglobalsearch\bar\1.bin\M9FFXTBR.MANIFEST
c:\program files\myglobalsearch\bar\1.bin\M9NTSTBR.JAR
c:\program files\myglobalsearch\bar\1.bin\M9NTSTBR.MANIFEST
c:\program files\myglobalsearch\bar\1.bin\M9PLUGIN.DLL
c:\program files\myglobalsearch\bar\1.bin\MGSBAR.DLL
c:\program files\myglobalsearch\bar\1.bin\NPMYGLSH.DLL
c:\program files\myglobalsearch\bar\Cache\[u]0[/u]00238AA
c:\program files\myglobalsearch\bar\Cache\[u]0[/u]02E036B.bin
c:\program files\myglobalsearch\bar\Cache\[u]0[/u]02E056E.bin
c:\program files\myglobalsearch\bar\Cache\[u]0[/u]02E0697.bin
c:\program files\myglobalsearch\bar\Cache\[u]0[/u]0E70878
c:\program files\myglobalsearch\bar\Cache\[u]0[/u]109A9A4
c:\program files\myglobalsearch\bar\Cache\files.ini
c:\program files\myglobalsearch\bar\History\search
c:\program files\myglobalsearch\bar\Settings\prevcfg.htm
c:\windows\IE4 Error Log.txt
c:\windows\system32\amvo.exe
D:\Autorun.inf
E:\Autorun.inf
G:\autorun.inf

.
(((((((((((((((((((((((((   Pliki utworzone od 2008-11-28 do 2008-12-28  )))))))))))))))))))))))))))))))
.

2008-12-25 12:34 . 2008-12-21 02:40   116,977   -r-hs----   C:\2vk6wn.exe
2008-12-25 12:33 . 2008-12-28 12:13   84,992   -r-hs----   c:\windows\system32\kav320.dll
2008-12-18 09:17 . 2008-12-18 09:17   54,156   --ah-----   c:\windows\QTFont.qfn
2008-12-18 09:17 . 2008-12-18 09:17   1,409   --a------   c:\windows\QTFont.for
2008-12-06 03:42 . 2008-12-06 03:42   580,096   --a--c---   c:\windows\system32\dllcache\user32.dll
2008-12-06 03:41 . 2008-12-06 03:41   147,456   --ah-----   c:\windows\system32\aston.mt

.
((((((((((((((((((((((((((((((((((((((((   Sekcja Find3M   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-06 02:42   580,096   ----a-w   c:\windows\system32\user32.DLL
2008-11-22 18:22   ---------   d-----w   c:\program files\InterActual
2008-11-21 13:47   ---------   d--h--w   c:\program files\InstallShield Installation Information
2008-11-21 13:47   ---------   d-----w   c:\program files\Codemasters
2008-11-21 13:46   ---------   d-----w   c:\documents and settings\Monika Wachowska\Dane aplikacji\InstallShield
2008-11-18 18:35   ---------   d-----w   c:\documents and settings\Monika Wachowska\Dane aplikacji\ACD Systems
2008-11-18 18:34   ---------   d-----w   c:\program files\Common Files\ACD Systems
2008-11-18 18:34   ---------   d-----w   c:\program files\ACD Systems
2008-11-18 18:34   ---------   d-----w   c:\documents and settings\All Users\Dane aplikacji\ACD Systems
2008-11-05 08:02   ---------   d-----w   c:\documents and settings\Monika Wachowska\Dane aplikacji\Tlen.pl
2008-10-23 12:42   286,720   ----a-w   c:\windows\system32\gdi32.dll
2008-10-18 23:05   9,895   ----a-w   c:\windows\system32\ fsmgmt.dll
2008-10-16 20:33   826,368   ----a-w   c:\windows\system32\wininet.dll
2008-10-16 13:13   202,776   ----a-w   c:\windows\system32\wuweb.dll
2008-10-16 13:13   1,809,944   ----a-w   c:\windows\system32\wuaueng.dll
2008-10-16 13:12   561,688   ----a-w   c:\windows\system32\wuapi.dll
2008-10-16 13:12   323,608   ----a-w   c:\windows\system32\wucltui.dll
2008-10-16 13:09   92,696   ----a-w   c:\windows\system32\cdm.dll
2008-10-16 13:09   51,224   ----a-w   c:\windows\system32\wuauclt.exe
2008-10-16 13:09   43,544   ----a-w   c:\windows\system32\wups2.dll
2008-10-16 13:08   34,328   ----a-w   c:\windows\system32\wups.dll
2008-10-03 10:04   247,326   ----a-w   c:\windows\system32\strmdll.dll
2008-09-30 15:43   1,286,152   ----a-w   c:\windows\system32\msxml4.dll
2008-11-13 22:24   67,696   ----a-w   c:\program files\mozilla firefox\components\jar50.dll
2008-11-13 22:24   54,376   ----a-w   c:\program files\mozilla firefox\components\jsd3250.dll
2008-11-13 22:24   34,952   ----a-w   c:\program files\mozilla firefox\components\myspell.dll
2008-11-13 22:24   46,720   ----a-w   c:\program files\mozilla firefox\components\spellchk.dll
2008-11-13 22:24   172,144   ----a-w   c:\program files\mozilla firefox\components\xpinstal.dll
.
[color=red] c:\windows\system32\user32.dll ... jest zarażony !! [/color]
578,560 2005-03-02 18:21:08  c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
579,584 2007-03-08 15:51:57  c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
579,072 2007-03-08 15:38:47  c:\windows\$NtServicePackUninstall$\user32.dll
578,560 2006-03-02 12:00:00  c:\windows\$NtUninstallKB890859$\user32.dll
578,560 2005-03-02 18:18:38  c:\windows\$NtUninstallKB925902$\user32.dll
578,560 2005-03-02 18:18:38  c:\windows\$NtUninstallKB925902$\user32.dll.000
580,096 2008-04-14 17:20:56  c:\windows\ServicePackFiles\i386\user32.dll
580,096 2008-12-06 02:42:17  c:\windows\system32\user32.DLL
580,096 2008-12-06 02:42:17  c:\windows\system32\dllcache\user32.dll


(((((((((((((((((((((((((((((((((((((   Wpisy startowe rejestru   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-19 94208]
"Gadu-Gadu"="c:\program files\Gadu-Gadu\gg.exe" [2007-07-09 2119104]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"EXPLORER.EXE"="EXPLORER.EXE" [2008-04-14 c:\windows\explorer.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-02-08 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-02-08 126976]
"WheelMouse"="c:\program files\A4Tech\Mouse\Amoumain.exe" [2006-02-17 163840]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-01-15 37376]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2006-11-24 487424]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-16 79224]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 c:\windows\system32\HdAShCut.exe]
"RTHDCPL"="RTHDCPL.EXE" [2005-08-09 c:\windows\RTHDCPL.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BearShare\\BearShare.exe"=
"c:\\Program Files\\Gadu-Gadu\\gg.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\Tlen.pl\\tlen.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Real Alternative\\Media Player Classic\\mplayerc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8461:TCP"= 8461:TCP:GoD High Port
"8462:TCP"= 8462:TCP:GoD Low Port

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-05-05 78416]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-05-05 20560]
S3 {DEF85C80-216A-43ab-AF70-1665EDBE2780};{DEF85C80-216A-43ab-AF70-1665EDBE2780};\??\c:\windows\TEMP\61.tmp []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2ba9feae-086e-11dd-b2a7-0013d37e36b7}]
\Shell\AutoRun\command - setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6c4e6593-035a-11dd-b297-0040d09a0655}]
\Shell\AutoRun\command - G:\xpbkh.com
\Shell\explore\Command - G:\xpbkh.com
\Shell\open\Command - G:\xpbkh.com

*Newly Created Service* - PROCEXP90
.
- - - - USUNIĘTO PUSTE WPISY - - - -

HKCU-Run-wsctf.exe - wsctf.exe
HKLM-Run-NWEReboot - (no file)


.
------- Skan uzupełniający -------
.
uStart Page = hxxp://www.google.pl/
uInternet Connection Wizard,ShellNext = hxxp://google.bearshare.com/pl/
IE: E&ksport do programu Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Monika Wachowska\Dane aplikacji\Mozilla\Firefox\Profiles\zwfh050a.default\
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-28 14:20:00
Windows 5.1.2600 Dodatek Service Pack 3 NTFS

skanowanie ukrytych procesów ...

skanowanie ukrytych wpisów autostartu ...

skanowanie ukrytych plików ...

skanowanie pomyślnie ukończone
ukryte pliki: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{DEF85C80-216A-43ab-AF70-1665EDBE2780}]
"ImagePath"="\??\c:\windows\TEMP\61.tmp"
.
--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------

- - - - - - - > 'winlogon.exe'(580)
c:\windows\system32\igfxsrvc.dll
c:\windows\system32\hccutils.DLL
.
Czas ukończenia: 2008-12-28 14:21:06
ComboFix-quarantined-files.txt  2008-12-28 13:20:37

Przed: 2˙999˙361˙536 bajt˘w wolnych
Po: 4,431,740,928 bajt˘w wolnych

167   --- E O F ---   2008-12-18 02:02:01


[Okocza]

Wykonaj to co jest podane w tym temacie

Zastosuj SDFix . Po pobraniu uruchom go a rozpakuje się do C:\SDFix. Uruchom komputer w trybie awaryjnym (F8 przy stracie systemu). Będąc w awaryjnym uruchom plik RunThis.bat z folderu SDFixa. Zatwierdź czyszczenie przez Y. Poczekaj aż ukończy i komputer zresetuje

Potem wejdz do folderu C:\SDFix wrzuc zawartość pliku Report.txt + log z combofixa oraz daj loga z hijacka

[Szamano]

Kod: Zaznacz wszystko

[b]SDFix: Version 1.240 [/b]
Run by Administrator on 2008-12-28 at 15:21

Microsoft Windows XP [Wersja 5.1.2600]
Running From: C:\SDFix

[b]Checking Services [/b]:

[b]Name [/b]:
{DEF85C80-216A-43ab-AF70-1665EDBE2780}

[b]Path [/b]:
\??\C:\WINDOWS\TEMP\61.tmp

{DEF85C80-216A-43ab-AF70-1665EDBE2780} - Deleted



[b]Infected user32.dll Found![/b]

user32.dll File Locations:

"C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll" 578560 2005-03-02 19:21
"C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll" 579584 2007-03-08 16:51
"C:\WINDOWS\$NtServicePackUninstall$\user32.dll" 579072 2007-03-08 16:38
"C:\WINDOWS\$NtUninstallKB890859$\user32.dll" 578560 2006-03-02 13:00
"C:\WINDOWS\$NtUninstallKB925902$\user32.dll" 578560 2005-03-02 19:18
"C:\WINDOWS\ServicePackFiles\i386\user32.dll" 580096 2008-04-14 18:20
"C:\WINDOWS\system32\user32.DLL" 580096 2008-12-06 03:42
"C:\WINDOWS\system32\dllcache\user32.dll" 580096 2008-12-06 03:42

[C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll] 6A93565BE9B8422EB7538C66AC732D76
[C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll] 11ABDECC02EFC1D2B6A6A0FA46C26594
[C:\WINDOWS\$NtServicePackUninstall$\user32.dll] A37A4637F84F8DD771274EAF8D17FA65
[C:\WINDOWS\$NtUninstallKB890859$\user32.dll] 0C81764F50F32D376E6E4B9E9F4B01A0
[C:\WINDOWS\$NtUninstallKB925902$\user32.dll] B7EEB1A1AF740306049241DDF61F21FF
[C:\WINDOWS\ServicePackFiles\i386\user32.dll] A435C5C069AFD901751AC323AD238793
[C:\WINDOWS\system32\user32.DLL] 8D68750C11A366E84E390F2AF3D4D9E4
[C:\WINDOWS\system32\dllcache\user32.dll] 8D68750C11A366E84E390F2AF3D4D9E4


[C:\WINDOWS\System32\ugucby] A435C5C069AFD901751AC323AD238793


Note: SDFix does not repair this file!



Restoring Default Security Values
Restoring Default Hosts File

Rebooting


[b]Checking Files [/b]:

No Trojan Files Found


[color=red]Note - Files associated with the MBR Rootkit have been found on this system, to check the PC use the [url=http://www2.gmer.net/mbr/]MBR Rootkit Detector[/url] by Gmer[/color]




Removing Temp Files

[b]ADS Check [/b]:



                                 [b]Final Check [/b]:

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-28 15:31:20
Windows 5.1.2600 Dodatek Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:6b,bb,2b,dc,1e,b4,57,74,c6,5a,e8,1c,1d,ca,62,0b,7b,db,38,4d,c7,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,58,52,92,16,d9,93,b8,1d,10,61,ce,68,dc,67,35,ef,7e,..
"khjeh"=hex:75,d1,79,51,1c,d5,5c,dd,ee,30,b8,b2,7d,e2,1d,28,39,3f,75,da,4b,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:5b,21,d7,9d,62,df,f7,c2,52,ef,21,77,d8,cf,44,fd,ba,c5,85,ca,59,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:6b,bb,2b,dc,1e,b4,57,74,c6,5a,e8,1c,1d,ca,62,0b,7b,db,38,4d,c7,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,58,52,92,16,d9,93,b8,1d,10,61,ce,68,dc,67,35,ef,7e,..
"khjeh"=hex:75,d1,79,51,1c,d5,5c,dd,ee,30,b8,b2,7d,e2,1d,28,39,3f,75,da,4b,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:5b,21,d7,9d,62,df,f7,c2,52,ef,21,77,d8,cf,44,fd,ba,c5,85,ca,59,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:6b,bb,2b,dc,1e,b4,57,74,c6,5a,e8,1c,1d,ca,62,0b,7b,db,38,4d,c7,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,58,52,92,16,d9,93,b8,1d,10,61,ce,68,dc,67,35,ef,7e,..
"khjeh"=hex:75,d1,79,51,1c,d5,5c,dd,ee,30,b8,b2,7d,e2,1d,28,39,3f,75,da,4b,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:5b,21,d7,9d,62,df,f7,c2,52,ef,21,77,d8,cf,44,fd,ba,c5,85,ca,59,..

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:000000af

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


[b]Remaining Services [/b]:




Kod: Zaznacz wszystko

ComboFix 08-12-26.03 - Monika Wachowska 2008-12-28 15:40:11.2 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.3.1250.1.1045.18.503.218 [GMT 1:00]
Uruchomiony z: c:\documents and settings\Monika Wachowska\Pulpit\ComboFix.exe
AV: avast! antivirus 4.8.1201 [VPS 081218-0] *On-access scanning disabled* (Outdated)

[COLOR=RED][B]UWAGA - TEN KOMPUTER NIE MA ZAINSTALOWANEJ KONSOLI ODZYSKIWANIA !![/B][/COLOR]
.

(((((((((((((((((((((((((   Pliki utworzone od 2008-11-28 do 2008-12-28  )))))))))))))))))))))))))))))))
.

2008-12-28 15:18 . 2008-12-28 15:19   <DIR>   d--------   c:\windows\ERUNT
2008-12-28 15:17 . 2008-12-28 15:18   <DIR>   d--------   c:\documents and settings\Administrator
2008-12-28 15:16 . 2008-12-28 15:32   <DIR>   d--------   C:\SDFix
2008-12-25 12:34 . 2008-12-21 02:40   116,977   -r-hs----   C:\2vk6wn.exe
2008-12-25 12:33 . 2008-12-28 12:13   84,992   -r-hs----   c:\windows\system32\kav320.dll
2008-12-18 09:17 . 2008-12-18 09:17   54,156   --ah-----   c:\windows\QTFont.qfn
2008-12-18 09:17 . 2008-12-18 09:17   1,409   --a------   c:\windows\QTFont.for
2008-12-06 03:42 . 2008-12-06 03:42   580,096   --a--c---   c:\windows\system32\dllcache\user32.dll
2008-12-06 03:41 . 2008-12-06 03:41   147,456   --ah-----   c:\windows\system32\aston.mt

.
((((((((((((((((((((((((((((((((((((((((   Sekcja Find3M   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-06 02:42   580,096   ----a-w   c:\windows\system32\user32.DLL
2008-11-22 18:22   ---------   d-----w   c:\program files\InterActual
2008-11-21 13:47   ---------   d--h--w   c:\program files\InstallShield Installation Information
2008-11-21 13:47   ---------   d-----w   c:\program files\Codemasters
2008-11-21 13:46   ---------   d-----w   c:\documents and settings\Monika Wachowska\Dane aplikacji\InstallShield
2008-11-18 18:35   ---------   d-----w   c:\documents and settings\Monika Wachowska\Dane aplikacji\ACD Systems
2008-11-18 18:34   ---------   d-----w   c:\program files\Common Files\ACD Systems
2008-11-18 18:34   ---------   d-----w   c:\program files\ACD Systems
2008-11-18 18:34   ---------   d-----w   c:\documents and settings\All Users\Dane aplikacji\ACD Systems
2008-11-05 08:02   ---------   d-----w   c:\documents and settings\Monika Wachowska\Dane aplikacji\Tlen.pl
2008-10-23 12:42   286,720   ----a-w   c:\windows\system32\gdi32.dll
2008-10-18 23:05   9,895   ----a-w   c:\windows\system32\ fsmgmt.dll
2008-10-16 20:33   826,368   ----a-w   c:\windows\system32\wininet.dll
2008-10-16 13:13   202,776   ----a-w   c:\windows\system32\wuweb.dll
2008-10-16 13:13   1,809,944   ----a-w   c:\windows\system32\wuaueng.dll
2008-10-16 13:12   561,688   ----a-w   c:\windows\system32\wuapi.dll
2008-10-16 13:12   323,608   ----a-w   c:\windows\system32\wucltui.dll
2008-10-16 13:09   92,696   ----a-w   c:\windows\system32\cdm.dll
2008-10-16 13:09   51,224   ----a-w   c:\windows\system32\wuauclt.exe
2008-10-16 13:09   43,544   ----a-w   c:\windows\system32\wups2.dll
2008-10-16 13:08   34,328   ----a-w   c:\windows\system32\wups.dll
2008-10-03 10:04   247,326   ----a-w   c:\windows\system32\strmdll.dll
2008-09-30 15:43   1,286,152   ----a-w   c:\windows\system32\msxml4.dll
2008-11-13 22:24   67,696   ----a-w   c:\program files\mozilla firefox\components\jar50.dll
2008-11-13 22:24   54,376   ----a-w   c:\program files\mozilla firefox\components\jsd3250.dll
2008-11-13 22:24   34,952   ----a-w   c:\program files\mozilla firefox\components\myspell.dll
2008-11-13 22:24   46,720   ----a-w   c:\program files\mozilla firefox\components\spellchk.dll
2008-11-13 22:24   172,144   ----a-w   c:\program files\mozilla firefox\components\xpinstal.dll
.
[color=red] c:\windows\system32\user32.dll ... jest zarażony !! [/color]
578,560 2005-03-02 18:21:08  c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
579,584 2007-03-08 15:51:57  c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
579,072 2007-03-08 15:38:47  c:\windows\$NtServicePackUninstall$\user32.dll
578,560 2006-03-02 12:00:00  c:\windows\$NtUninstallKB890859$\user32.dll
578,560 2005-03-02 18:18:38  c:\windows\$NtUninstallKB925902$\user32.dll
578,560 2005-03-02 18:18:38  c:\windows\$NtUninstallKB925902$\user32.dll.000
580,096 2008-04-14 17:20:56  c:\windows\ServicePackFiles\i386\user32.dll
580,096 2008-12-06 02:42:17  c:\windows\system32\user32.DLL
580,096 2008-12-06 02:42:17  c:\windows\system32\dllcache\user32.dll


(((((((((((((((((((((((((((((   snapshot@2008-12-28_14.20.14,28   )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-07 14:27:04   163,328   ----a-w   c:\windows\ERUNT\SDFIX\ERDNT.EXE
+ 2008-12-28 14:19:24   397,312   ----a-w   c:\windows\ERUNT\SDFIX\Users\[u]0[/u]0000001\NTUSER.DAT
+ 2008-12-28 14:19:24   8,192   ----a-w   c:\windows\ERUNT\SDFIX\Users\[u]0[/u]0000002\UsrClass.dat
+ 2008-08-07 14:27:04   163,328   ----a-w   c:\windows\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-12-28 14:19:08   397,312   ----a-w   c:\windows\ERUNT\SDFIX_First_Run\Users\[u]0[/u]0000001\NTUSER.DAT
+ 2008-12-28 14:19:08   8,192   ----a-w   c:\windows\ERUNT\SDFIX_First_Run\Users\[u]0[/u]0000002\UsrClass.dat
+ 2008-12-28 14:29:07   16,384   ----atw   c:\windows\Temp\Perflib_Perfdata_448.dat
.
(((((((((((((((((((((((((((((((((((((   Wpisy startowe rejestru   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-19 94208]
"Gadu-Gadu"="c:\program files\Gadu-Gadu\gg.exe" [2007-07-09 2119104]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"EXPLORER.EXE"="EXPLORER.EXE" [2008-04-14 c:\windows\explorer.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-02-08 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-02-08 126976]
"WheelMouse"="c:\program files\A4Tech\Mouse\Amoumain.exe" [2006-02-17 163840]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-01-15 37376]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2006-11-24 487424]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-16 79224]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 c:\windows\system32\HdAShCut.exe]
"RTHDCPL"="RTHDCPL.EXE" [2005-08-09 c:\windows\RTHDCPL.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BearShare\\BearShare.exe"=
"c:\\Program Files\\Gadu-Gadu\\gg.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\Tlen.pl\\tlen.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Real Alternative\\Media Player Classic\\mplayerc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8461:TCP"= 8461:TCP:GoD High Port
"8462:TCP"= 8462:TCP:GoD Low Port

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-05-05 78416]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-05-05 20560]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2ba9feae-086e-11dd-b2a7-0013d37e36b7}]
\Shell\AutoRun\command - setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6c4e6593-035a-11dd-b297-0040d09a0655}]
\Shell\AutoRun\command - G:\xpbkh.com
\Shell\explore\Command - G:\xpbkh.com
\Shell\open\Command - G:\xpbkh.com
.
.
------- Skan uzupełniający -------
.
uStart Page = hxxp://www.google.pl/
uInternet Connection Wizard,ShellNext = hxxp://google.bearshare.com/pl/
IE: E&ksport do programu Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Monika Wachowska\Dane aplikacji\Mozilla\Firefox\Profiles\zwfh050a.default\
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-28 15:41:40
Windows 5.1.2600 Dodatek Service Pack 3 NTFS

skanowanie ukrytych procesów ...

skanowanie ukrytych wpisów autostartu ...

skanowanie ukrytych plików ...

skanowanie pomyślnie ukończone
ukryte pliki: 0

**************************************************************************
.
Czas ukończenia: 2008-12-28 15:42:40
ComboFix-quarantined-files.txt  2008-12-28 14:42:20
ComboFix2.txt  2008-12-28 13:21:07

Przed: 4 359 884 800 bajtów wolnych
Po: 4,347,510,784 bajtów wolnych

141   --- E O F ---   2008-12-18 02:02:01


Powyżej logi z SDFix i Combofix. Musisz mi jeszcze napisać, jak mam zrobić ten log z hijacka (i co to w ogóle jest).

[wojtas]

Otworz notatnik i wklej w nim to:

File::
C:\2vk6wn.exe
c:\windows\system32\kav320.dl
c:\windows\system32\aston.mt

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6c4e6593-035a-11dd-b297-0040d09a0655}]

>>Plik>>Zapisz jako... >>> CFScript
Przeciągnij i upuść plik CFScript.txt na plik ComboFix.exe
-->
Ma się rozpocząć usuwanie. (i powstanie log).Daj ten log, który powstanie w trakcie usuwania.

podmien plik user32.dll jak jest opisane tu:

problem-z-nvaux32-dll-vt104500s0.html

potem 1. Wykonaj skan Dr. Web CureIt
2. Robisz loga z mbr.exe , nowy log z combofixa

[Szamano]

wojtas, dla ciebie log z Combofixa po "zabiegu" z CFScript:

Kod: Zaznacz wszystko

ComboFix 08-12-26.03 - Monika Wachowska 2008-12-28 16:07:25.3 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.3.1250.1.1045.18.503.212 [GMT 1:00]
Uruchomiony z: c:\documents and settings\Monika Wachowska\Pulpit\Grześ - naprawa kompa\ComboFix.exe
Użyto następujących komend :: G:\CFScript.txt
AV: avast! antivirus 4.8.1201 [VPS 081218-0] *On-access scanning disabled* (Outdated)
* Utworzono nowy punkt przywracania

[COLOR=RED][B]UWAGA - TEN KOMPUTER NIE MA ZAINSTALOWANEJ KONSOLI ODZYSKIWANIA !![/B][/COLOR]

FILE ::
C:\2vk6wn.exe
c:\windows\system32\aston.mt
c:\windows\system32\kav320.dl
.

(((((((((((((((((((((((((((((((((((((((   Usunięto   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\2vk6wn.exe
c:\windows\system32\aston.mt

.
(((((((((((((((((((((((((   Pliki utworzone od 2008-11-28 do 2008-12-28  )))))))))))))))))))))))))))))))
.

2008-12-28 15:18 . 2008-12-28 15:19   <DIR>   d--------   c:\windows\ERUNT
2008-12-28 15:17 . 2008-12-28 15:18   <DIR>   d--------   c:\documents and settings\Administrator
2008-12-28 15:16 . 2008-12-28 15:59   <DIR>   d--------   C:\SDFix
2008-12-25 12:33 . 2008-12-28 12:13   84,992   -r-hs----   c:\windows\system32\kav320.dll
2008-12-18 09:17 . 2008-12-18 09:17   54,156   --ah-----   c:\windows\QTFont.qfn
2008-12-18 09:17 . 2008-12-18 09:17   1,409   --a------   c:\windows\QTFont.for
2008-12-06 03:42 . 2008-12-06 03:42   580,096   --a--c---   c:\windows\system32\dllcache\user32.dll

.
((((((((((((((((((((((((((((((((((((((((   Sekcja Find3M   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-06 02:42   580,096   ----a-w   c:\windows\system32\user32.DLL
2008-11-22 18:22   ---------   d-----w   c:\program files\InterActual
2008-11-21 13:47   ---------   d--h--w   c:\program files\InstallShield Installation Information
2008-11-21 13:47   ---------   d-----w   c:\program files\Codemasters
2008-11-21 13:46   ---------   d-----w   c:\documents and settings\Monika Wachowska\Dane aplikacji\InstallShield
2008-11-18 18:35   ---------   d-----w   c:\documents and settings\Monika Wachowska\Dane aplikacji\ACD Systems
2008-11-18 18:34   ---------   d-----w   c:\program files\Common Files\ACD Systems
2008-11-18 18:34   ---------   d-----w   c:\program files\ACD Systems
2008-11-18 18:34   ---------   d-----w   c:\documents and settings\All Users\Dane aplikacji\ACD Systems
2008-11-05 08:02   ---------   d-----w   c:\documents and settings\Monika Wachowska\Dane aplikacji\Tlen.pl
2008-10-23 12:42   286,720   ----a-w   c:\windows\system32\gdi32.dll
2008-10-18 23:05   9,895   ----a-w   c:\windows\system32\ fsmgmt.dll
2008-10-16 20:33   826,368   ----a-w   c:\windows\system32\wininet.dll
2008-10-16 13:13   202,776   ----a-w   c:\windows\system32\wuweb.dll
2008-10-16 13:13   1,809,944   ----a-w   c:\windows\system32\wuaueng.dll
2008-10-16 13:12   561,688   ----a-w   c:\windows\system32\wuapi.dll
2008-10-16 13:12   323,608   ----a-w   c:\windows\system32\wucltui.dll
2008-10-16 13:09   92,696   ----a-w   c:\windows\system32\cdm.dll
2008-10-16 13:09   51,224   ----a-w   c:\windows\system32\wuauclt.exe
2008-10-16 13:09   43,544   ----a-w   c:\windows\system32\wups2.dll
2008-10-16 13:08   34,328   ----a-w   c:\windows\system32\wups.dll
2008-10-03 10:04   247,326   ----a-w   c:\windows\system32\strmdll.dll
2008-09-30 15:43   1,286,152   ----a-w   c:\windows\system32\msxml4.dll
2008-11-13 22:24   67,696   ----a-w   c:\program files\mozilla firefox\components\jar50.dll
2008-11-13 22:24   54,376   ----a-w   c:\program files\mozilla firefox\components\jsd3250.dll
2008-11-13 22:24   34,952   ----a-w   c:\program files\mozilla firefox\components\myspell.dll
2008-11-13 22:24   46,720   ----a-w   c:\program files\mozilla firefox\components\spellchk.dll
2008-11-13 22:24   172,144   ----a-w   c:\program files\mozilla firefox\components\xpinstal.dll
.
[color=red] c:\windows\system32\user32.dll ... jest zarażony !! [/color]
578,560 2005-03-02 18:21:08  c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
579,584 2007-03-08 15:51:57  c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
579,072 2007-03-08 15:38:47  c:\windows\$NtServicePackUninstall$\user32.dll
578,560 2006-03-02 12:00:00  c:\windows\$NtUninstallKB890859$\user32.dll
578,560 2005-03-02 18:18:38  c:\windows\$NtUninstallKB925902$\user32.dll
578,560 2005-03-02 18:18:38  c:\windows\$NtUninstallKB925902$\user32.dll.000
580,096 2008-04-14 17:20:56  c:\windows\ServicePackFiles\i386\user32.dll
580,096 2008-12-06 02:42:17  c:\windows\system32\user32.DLL
580,096 2008-12-06 02:42:17  c:\windows\system32\dllcache\user32.dll


(((((((((((((((((((((((((((((   snapshot@2008-12-28_14.20.14,28   )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-07 14:27:04   163,328   ----a-w   c:\windows\ERUNT\SDFIX\ERDNT.EXE
+ 2008-12-28 14:49:53   397,312   ----a-w   c:\windows\ERUNT\SDFIX\Users\[u]0[/u]0000001\NTUSER.DAT
+ 2008-12-28 14:49:53   8,192   ----a-w   c:\windows\ERUNT\SDFIX\Users\[u]0[/u]0000002\UsrClass.dat
+ 2008-08-07 14:27:04   163,328   ----a-w   c:\windows\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-12-28 14:19:08   397,312   ----a-w   c:\windows\ERUNT\SDFIX_First_Run\Users\[u]0[/u]0000001\NTUSER.DAT
+ 2008-12-28 14:19:08   8,192   ----a-w   c:\windows\ERUNT\SDFIX_First_Run\Users\[u]0[/u]0000002\UsrClass.dat
+ 2008-12-28 14:56:01   16,384   ----atw   c:\windows\Temp\Perflib_Perfdata_444.dat
.
(((((((((((((((((((((((((((((((((((((   Wpisy startowe rejestru   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-19 94208]
"Gadu-Gadu"="c:\program files\Gadu-Gadu\gg.exe" [2007-07-09 2119104]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"EXPLORER.EXE"="EXPLORER.EXE" [2008-04-14 c:\windows\explorer.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-02-08 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-02-08 126976]
"WheelMouse"="c:\program files\A4Tech\Mouse\Amoumain.exe" [2006-02-17 163840]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-01-15 37376]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2006-11-24 487424]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-16 79224]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 c:\windows\system32\HdAShCut.exe]
"RTHDCPL"="RTHDCPL.EXE" [2005-08-09 c:\windows\RTHDCPL.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BearShare\\BearShare.exe"=
"c:\\Program Files\\Gadu-Gadu\\gg.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\Tlen.pl\\tlen.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Real Alternative\\Media Player Classic\\mplayerc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8461:TCP"= 8461:TCP:GoD High Port
"8462:TCP"= 8462:TCP:GoD Low Port

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-05-05 78416]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-05-05 20560]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2ba9feae-086e-11dd-b2a7-0013d37e36b7}]
\Shell\AutoRun\command - setup.exe
.
.
------- Skan uzupełniający -------
.
uStart Page = hxxp://www.google.pl/
uInternet Connection Wizard,ShellNext = hxxp://google.bearshare.com/pl/
IE: E&ksport do programu Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Monika Wachowska\Dane aplikacji\Mozilla\Firefox\Profiles\zwfh050a.default\
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-28 16:08:37
Windows 5.1.2600 Dodatek Service Pack 3 NTFS

skanowanie ukrytych procesów ...

skanowanie ukrytych wpisów autostartu ...

skanowanie ukrytych plików ...

skanowanie pomyślnie ukończone
ukryte pliki: 0

**************************************************************************
.
Czas ukończenia: 2008-12-28 16:09:38
ComboFix-quarantined-files.txt  2008-12-28 15:09:15
ComboFix2.txt  2008-12-28 14:42:42
ComboFix3.txt  2008-12-28 13:21:07

Przed: 4 332 998 656 bajtów wolnych
Po: 4,320,804,864 bajtów wolnych

145   --- E O F ---   2008-12-18 02:02:01


Kurde, zapomniałem o zmianie rejestru . Log z całości dam później .

Dodano Dzisiaj, 16:30:
wojtas, cały log z pliku CFScript.txt:

Kod: Zaznacz wszystko

ComboFix 08-12-26.03 - Monika Wachowska 2008-12-28 16:24:31.4 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.3.1250.1.1045.18.503.195 [GMT 1:00]
Uruchomiony z: c:\documents and settings\Monika Wachowska\Pulpit\Grześ - naprawa kompa\ComboFix.exe
Użyto następujących komend :: G:\CFScript.txt.txt
AV: avast! antivirus 4.8.1201 [VPS 081218-0] *On-access scanning disabled* (Outdated)
* Utworzono nowy punkt przywracania

[COLOR=RED][B]UWAGA - TEN KOMPUTER NIE MA ZAINSTALOWANEJ KONSOLI ODZYSKIWANIA !![/B][/COLOR]

FILE ::
C:\2vk6wn.exe
c:\windows\system32\aston.mt
c:\windows\system32\kav320.dl
.

(((((((((((((((((((((((((   Pliki utworzone od 2008-11-28 do 2008-12-28  )))))))))))))))))))))))))))))))
.

2008-12-28 15:18 . 2008-12-28 15:19   <DIR>   d--------   c:\windows\ERUNT
2008-12-28 15:17 . 2008-12-28 15:18   <DIR>   d--------   c:\documents and settings\Administrator
2008-12-28 15:16 . 2008-12-28 15:59   <DIR>   d--------   C:\SDFix
2008-12-18 09:17 . 2008-12-18 09:17   54,156   --ah-----   c:\windows\QTFont.qfn
2008-12-18 09:17 . 2008-12-18 09:17   1,409   --a------   c:\windows\QTFont.for
2008-12-06 03:42 . 2008-12-06 03:42   580,096   --a--c---   c:\windows\system32\dllcache\user32.dll

.
((((((((((((((((((((((((((((((((((((((((   Sekcja Find3M   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-06 02:42   580,096   ----a-w   c:\windows\system32\user32.DLL
2008-11-22 18:22   ---------   d-----w   c:\program files\InterActual
2008-11-21 13:47   ---------   d--h--w   c:\program files\InstallShield Installation Information
2008-11-21 13:47   ---------   d-----w   c:\program files\Codemasters
2008-11-21 13:46   ---------   d-----w   c:\documents and settings\Monika Wachowska\Dane aplikacji\InstallShield
2008-11-18 18:35   ---------   d-----w   c:\documents and settings\Monika Wachowska\Dane aplikacji\ACD Systems
2008-11-18 18:34   ---------   d-----w   c:\program files\Common Files\ACD Systems
2008-11-18 18:34   ---------   d-----w   c:\program files\ACD Systems
2008-11-18 18:34   ---------   d-----w   c:\documents and settings\All Users\Dane aplikacji\ACD Systems
2008-11-05 08:02   ---------   d-----w   c:\documents and settings\Monika Wachowska\Dane aplikacji\Tlen.pl
2008-10-23 12:42   286,720   ----a-w   c:\windows\system32\gdi32.dll
2008-10-18 23:05   9,895   ----a-w   c:\windows\system32\ fsmgmt.dll
2008-10-16 20:33   826,368   ----a-w   c:\windows\system32\wininet.dll
2008-10-16 13:13   202,776   ----a-w   c:\windows\system32\wuweb.dll
2008-10-16 13:13   1,809,944   ----a-w   c:\windows\system32\wuaueng.dll
2008-10-16 13:12   561,688   ----a-w   c:\windows\system32\wuapi.dll
2008-10-16 13:12   323,608   ----a-w   c:\windows\system32\wucltui.dll
2008-10-16 13:09   92,696   ----a-w   c:\windows\system32\cdm.dll
2008-10-16 13:09   51,224   ----a-w   c:\windows\system32\wuauclt.exe
2008-10-16 13:09   43,544   ----a-w   c:\windows\system32\wups2.dll
2008-10-16 13:08   34,328   ----a-w   c:\windows\system32\wups.dll
2008-10-03 10:04   247,326   ----a-w   c:\windows\system32\strmdll.dll
2008-09-30 15:43   1,286,152   ----a-w   c:\windows\system32\msxml4.dll
2008-11-13 22:24   67,696   ----a-w   c:\program files\mozilla firefox\components\jar50.dll
2008-11-13 22:24   54,376   ----a-w   c:\program files\mozilla firefox\components\jsd3250.dll
2008-11-13 22:24   34,952   ----a-w   c:\program files\mozilla firefox\components\myspell.dll
2008-11-13 22:24   46,720   ----a-w   c:\program files\mozilla firefox\components\spellchk.dll
2008-11-13 22:24   172,144   ----a-w   c:\program files\mozilla firefox\components\xpinstal.dll
.
[color=red] c:\windows\system32\user32.dll ... jest zarażony !! [/color]
578,560 2005-03-02 18:21:08  c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
579,584 2007-03-08 15:51:57  c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
579,072 2007-03-08 15:38:47  c:\windows\$NtServicePackUninstall$\user32.dll
578,560 2006-03-02 12:00:00  c:\windows\$NtUninstallKB890859$\user32.dll
578,560 2005-03-02 18:18:38  c:\windows\$NtUninstallKB925902$\user32.dll
578,560 2005-03-02 18:18:38  c:\windows\$NtUninstallKB925902$\user32.dll.000
580,096 2008-04-14 17:20:56  c:\windows\ServicePackFiles\i386\user32.dll
580,096 2008-12-06 02:42:17  c:\windows\system32\user32.DLL
580,096 2008-12-06 02:42:17  c:\windows\system32\dllcache\user32.dll


(((((((((((((((((((((((((((((   snapshot@2008-12-28_14.20.14,28   )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-07 14:27:04   163,328   ----a-w   c:\windows\ERUNT\SDFIX\ERDNT.EXE
+ 2008-12-28 14:49:53   397,312   ----a-w   c:\windows\ERUNT\SDFIX\Users\[u]0[/u]0000001\NTUSER.DAT
+ 2008-12-28 14:49:53   8,192   ----a-w   c:\windows\ERUNT\SDFIX\Users\[u]0[/u]0000002\UsrClass.dat
+ 2008-08-07 14:27:04   163,328   ----a-w   c:\windows\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-12-28 14:19:08   397,312   ----a-w   c:\windows\ERUNT\SDFIX_First_Run\Users\[u]0[/u]0000001\NTUSER.DAT
+ 2008-12-28 14:19:08   8,192   ----a-w   c:\windows\ERUNT\SDFIX_First_Run\Users\[u]0[/u]0000002\UsrClass.dat
+ 2008-12-28 15:18:36   16,384   ----atw   c:\windows\Temp\Perflib_Perfdata_438.dat
.
(((((((((((((((((((((((((((((((((((((   Wpisy startowe rejestru   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-19 94208]
"Gadu-Gadu"="c:\program files\Gadu-Gadu\gg.exe" [2007-07-09 2119104]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"EXPLORER.EXE"="EXPLORER.EXE" [2008-04-14 c:\windows\explorer.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-02-08 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-02-08 126976]
"WheelMouse"="c:\program files\A4Tech\Mouse\Amoumain.exe" [2006-02-17 163840]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-01-15 37376]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2006-11-24 487424]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-16 79224]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 c:\windows\system32\HdAShCut.exe]
"RTHDCPL"="RTHDCPL.EXE" [2005-08-09 c:\windows\RTHDCPL.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BearShare\\BearShare.exe"=
"c:\\Program Files\\Gadu-Gadu\\gg.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\Tlen.pl\\tlen.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Real Alternative\\Media Player Classic\\mplayerc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8461:TCP"= 8461:TCP:GoD High Port
"8462:TCP"= 8462:TCP:GoD Low Port

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-05-05 78416]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-05-05 20560]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2ba9feae-086e-11dd-b2a7-0013d37e36b7}]
\Shell\AutoRun\command - setup.exe
.
.
------- Skan uzupełniający -------
.
uStart Page = hxxp://www.google.pl/
uInternet Connection Wizard,ShellNext = hxxp://google.bearshare.com/pl/
IE: E&ksport do programu Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Monika Wachowska\Dane aplikacji\Mozilla\Firefox\Profiles\zwfh050a.default\
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-28 16:26:08
Windows 5.1.2600 Dodatek Service Pack 3 NTFS

skanowanie ukrytych procesów ...

skanowanie ukrytych wpisów autostartu ...

skanowanie ukrytych plików ...

skanowanie pomyślnie ukończone
ukryte pliki: 0

**************************************************************************
.
Czas ukończenia: 2008-12-28 16:27:10
ComboFix-quarantined-files.txt  2008-12-28 15:26:49
ComboFix2.txt  2008-12-28 15:09:39
ComboFix3.txt  2008-12-28 14:42:42
ComboFix4.txt  2008-12-28 13:21:07

Przed: 4 307 218 432 bajtów wolnych
Po: 4,294,864,896 bajtów wolnych

142   --- E O F ---   2008-12-18 02:02:01


[Okocza]

Szamano, przeskanuj na www.virustotal.com

Kod: Zaznacz wszystko

c:\windows\system32\user32.dll

i daj raporty

[wojtas]

c:\windows\system32\kav320.dll

skasuj ten plik...

[Szamano]

Skan z tej strony virustotal pliku user32.dll pokazał wynik 0/38.
Usunąłem również plik kav320.dll.

[wojtas]

daj nowy log z combofixa i mbr.exe

[Szamano]

chwilowo jest to niemożliwe, ponieważ lapek, którego sprawdzałem jest w toruniu, a ja w bydgoszczy. postaram się przesłać loga najszybciej jak się da.