ComboFix log:
ComboFix 08-06-06.6 - erwin32 2008-06-07 11:45:31.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.648 [GMT 2:00]
Running from: E:\Documents and Settings\erwin32\Pulpit\ComboFix.exe
[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
E:\DOCUME~1\erwin32\USTAWI~1\Temp\E_4
E:\DOCUME~1\erwin32\USTAWI~1\Temp\E_4\eWinSock.fne
E:\DOCUME~1\erwin32\USTAWI~1\Temp\E_4\krnln.fnr
E:\WINDOWS\g32.txt
E:\WINDOWS\index.html
E:\WINDOWS\s32.txt
E:\WINDOWS\system32\aspimgr.exe
E:\WINDOWS\system32\sft.res
E:\WINDOWS\system32\sockins32.dll
E:\WINDOWS\ws386.ini
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_ASPIMGR
-------\Service_aspimgr
-------\Service_Binary file SvcDump matches
((((((((((((((((((((((((( Files Created from 2008-05-07 to 2008-06-07 )))))))))))))))))))))))))))))))
.
2008-05-19 20:34 . 2008-05-19 20:34 20,480 --a------ E:\WINDOWS\system32\msscntr32.exe
2008-05-12 23:51 . 2008-05-12 23:51 <DIR> d-------- E:\Program Files\PDFCreator
2008-05-12 23:51 . 2004-03-09 01:00 662,288 --a------ E:\WINDOWS\system32\MSCOMCT2.OCX
2008-05-12 23:51 . 1998-06-24 01:00 137,000 --a------ E:\WINDOWS\system32\MSMAPI32.OCX
2008-05-12 23:51 . 2001-10-28 17:42 116,224 --a------ E:\WINDOWS\system32\pdfcmnnt.dll
2008-05-12 23:51 . 1998-07-06 01:00 23,552 --a------ E:\WINDOWS\system32\MSMPIDE.DLL
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-07 09:49 --------- d-----w E:\Documents and Settings\erwin32\Dane aplikacji\Skype
2008-06-07 09:35 --------- d-----w E:\Documents and Settings\erwin32\Dane aplikacji\skypePM
2008-05-26 10:11 --------- d-----w E:\Program Files\Norton SystemWorks
2008-05-24 04:32 --------- d-----w E:\Program Files\Common Files\Symantec Shared
2008-05-06 20:47 --------- d-----w E:\Documents and Settings\erwin32\Dane aplikacji\Azureus
2008-05-06 18:55 --------- d-----w E:\Program Files\Foxit Software
2008-05-01 06:34 --------- d-----w E:\Program Files\Azureus
2008-04-30 12:36 --------- d-----w E:\Documents and Settings\erwin32\Dane aplikacji\Talkback
2008-04-21 16:13 --------- d-----w E:\Documents and Settings\All Users\Dane aplikacji\Symantec
2008-04-21 16:09 --------- d--h--w E:\Program Files\InstallShield Installation Information
2008-04-14 20:13 --------- d-----w E:\Program Files\PITy2007
2008-03-21 17:54 32 ----a-w E:\Documents and Settings\All Users\Dane aplikacji\ezsid.dat
.
------- Sigcheck -------
2006-08-09 19:28 360576 0fb6743e937c7bb248b2530a5a77abc6 E:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="E:\Program Files\Skype\Phone\Skype.exe" [2008-02-01 18:22 21898024]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-08-03 06:12 577536 E:\WINDOWS\soundman.exe]
"NvCplDaemon"="E:\WINDOWS\system32\NvCpl.dll" [2006-10-22 13:22 7700480]
"ccApp"="E:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-03-30 17:50 58992]
"NeroFilterCheck"="E:\WINDOWS\system32\NeroCheck.exe" [2005-09-25 19:11 155648]
E:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
Przyspieszenie uruchomienia programu AutoCAD.lnk - E:\Program Files\Common Files\Autodesk Shared\acstart17.exe [2006-03-05 15:43:54 11000]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableStatusMessages"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDesktopCleanupWizard"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoInstrumentation"= 1 (0x1)
"NoStartMenuMFUprogramsList"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoInstrumentation"= 1 (0x1)
"NoStartMenuMFUprogramsList"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
[HKLM\~\startupfolder\E:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Action Manager 32.lnk]
path=E:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Action Manager 32.lnk
backup=E:\WINDOWS\pss\Action Manager 32.lnkCommon Startup
[HKLM\~\startupfolder\E:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Service Manager.lnk]
path=E:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Service Manager.lnk
backup=E:\WINDOWS\pss\Service Manager.lnkCommon Startup
[HKLM\~\startupfolder\E:^Documents and Settings^All Users^Menu Start^Programy^Autostart^TV713X Remote Control.lnk]
path=E:\Documents and Settings\All Users\Menu Start\Programy\Autostart\TV713X Remote Control.lnk
backup=E:\WINDOWS\pss\TV713X Remote Control.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2005-09-25 19:11 94208 E:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 00:44 15360 E:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton SystemWorks]
--a------ 2004-09-24 11:31 132208 E:\Program Files\Norton SystemWorks\cfgwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-10-22 13:22 7700480 E:\WINDOWS\system32\NvCpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2006-10-22 13:22 86016 E:\WINDOWS\system32\NvMcTray.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-10-22 13:22 1622016 E:\WINDOWS\system32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-05-16 18:29 98304 E:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Start WingMan Profiler]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2006-09-26 16:49 35328 c:\Program Files\Winamp\winampa.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{0228e555-4f9c-4e35-a3ec-b109a192b4c2}]
c:\Program Files\Google\Gmail Notifier\gnotify.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ose"=3 (0x3)
"MDM"=2 (0x2)
"WZCSVC"=2 (0x2)
"UPS"=3 (0x3)
"SQLSERVERAGENT"=2 (0x2)
"lanmanworkstation"=2 (0x2)
"MSSQLServerADHelper"=3 (0x3)
"MSSQLSERVER"=2 (0x2)
"D2GS"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\eMule\\emule.exe"=
"C:\\Gry\\RedFaction\\rf.exe"=
"E:\\Program Files\\Skype\\Phone\\Skype.exe"=
R1 oreans32;oreans32;E:\WINDOWS\system32\drivers\oreans32.sys [2007-04-29 09:48]
R2 Harmonogram automatycznej usługi LiveUpdate;Harmonogram automatycznej usługi LiveUpdate;"E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe" [2006-08-03 18:40]
R2 msscenter;Microsoft Security Center Extension;E:\WINDOWS\system32\msscntr32.exe [2008-05-19 20:34]
R2 r_server;Remote Administrator Service;"E:\WINDOWS\system32\r_server.exe" /service []
R3 Cap7134;Cap7134 Capture;E:\WINDOWS\system32\DRIVERS\Cap7134.sys [2003-09-16 15:56]
R3 PhTVTune;V-Stream WDM TVTuner;E:\WINDOWS\system32\DRIVERS\PhTVTune.sys [2003-09-13 09:32]
S2 d2cs;d2cs service;E:\Diablo2LoD\pvpgn\d2csConsole.exe []
S2 d2dbs;d2dbs service;E:\Diablo2LoD\pvpgn\d2dbsConsole.exe []
S2 pvpgn;PvPGN service;E:\Diablo2LoD\pvpgn\PvPGNConsole.exe []
S3 NTProcDrv;Process creation detector for NT.;E:\Documents and Settings\erwin32\Pulpit\isrobot\NtProcDrv.sys []
S3 usbscan;Sterownik skanera USB;E:\WINDOWS\system32\DRIVERS\usbscan.sys [2006-08-09 19:48]
S3 USBSTOR;Sterownik magazynu masowego USB;E:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2006-08-09 18:48]
S4 D2GS;Diablo II Close Game Server;C:\Gry\Diablo II\D2GSSVC.exe [2003-12-24 01:17]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ddfcf8dc-a823-11dc-baa9-00c1260ffab6}]
\Shell\AutoRun\command - M:\USBNB.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-05-26 10:11:13 E:\WINDOWS\Tasks\Funkcja One Button Checkup pakietu Norton SystemWorks.job"
- E:\Program Files\Norton SystemWorks\OBC.exe
"2008-06-04 22:00:00 E:\WINDOWS\Tasks\Symantec Drmc.job"
- E:\Program Files\Common Files\Symantec Shared\SymDrmc.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-07 11:49:03
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
E:\Program Files\Common Files\Symantec Shared\CCSETMGR.EXE
E:\Program Files\Common Files\Symantec Shared\CCEVTMGR.EXE
E:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
E:\WINDOWS\system32\nvsvc32.exe
E:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.exe
E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
E:\WINDOWS\system32\UTSCSI.EXE
E:\Program Files\Canon\CAL\CALMAIN.exe
E:\Program Files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2008-06-07 11:51:47 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-07 09:51:44
Pre-Run: 1,350,565,888 bajtów wolnych
Post-Run: 1,668,694,016 bajtów wolnych
HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 12:02:07, on 2008-06-07
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
E:\WINDOWS\system32\msscntr32.exe
E:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\system32\r_server.exe
E:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
E:\WINDOWS\system32\UTSCSI.EXE
E:\Program Files\Canon\CAL\CALMAIN.exe
E:\WINDOWS\SOUNDMAN.EXE
E:\Program Files\Common Files\Symantec Shared\ccApp.exe
E:\Program Files\Skype\Phone\Skype.exe
E:\Program Files\Skype\Plugin Manager\skypePM.exe
E:\WINDOWS\explorer.exe
J:\D\Nowy folder\Pulpit\hijackthis_199\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = file://c:/windows/homepage.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "E:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [Skype] "E:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Przyspieszenie uruchomienia programu AutoCAD.lnk = E:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O8 - Extra context menu item: Download All by FlashGet - D:\Program Files\FLASHGET 1.50\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - D:\Program Files\FLASHGET 1.50\jc_link.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{0688793E-972C-41FD-B386-F16D4CC52BA0}: NameServer = 195.177.64.66,195.177.64.69
O17 - HKLM\System\CS1\Services\Tcpip\..\{0688793E-972C-41FD-B386-F16D4CC52BA0}: NameServer = 195.177.64.66,195.177.64.69
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - E:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Autodesk Licensing Service - Autodesk - E:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - E:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - E:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: d2cs service (d2cs) - Unknown owner - E:\Diablo2LoD\pvpgn\d2csConsole.exe (file missing)
O23 - Service: d2dbs service (d2dbs) - Unknown owner - E:\Diablo2LoD\pvpgn\d2dbsConsole.exe (file missing)
O23 - Service: Harmonogram automatycznej usługi LiveUpdate - Symantec Corporation - E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - E:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Microsoft Security Center Extension (msscenter) - Unknown owner - E:\WINDOWS\system32\msscntr32.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - E:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PvPGN service (pvpgn) - Unknown owner - E:\Diablo2LoD\pvpgn\PvPGNConsole.exe (file missing)
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - E:\WINDOWS\system32\r_server.exe" /service (file missing)
O23 - Service: Speed Disk service - Symantec Corporation - E:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: CLCV0 (UTSCSI) - Unknown owner - E:\WINDOWS\system32\UTSCSI.EXE
Thanks in advance for any help.
Regards, Andrew_wojownik