
The day before yesterday something odd was happening with my computer. For example, I clicked once on a text file icon and it suddenly opened eighty-something times.


ComboFix 08-07-24.1 - Administrator 2008-07-25 11:05:29.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.241 [GMT 2:00]
Running from: C:\Documents and Settings\Administrator\Pulpit\ComboFix.exe
* Created a new restore point
* Resident AV is active
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-06-25 to 2008-07-25 )))))))))))))))))))))))))))))))
.
2008-07-24 13:02 . 2008-07-24 13:02 <DIR> d-------- C:\Program Files\Gadu-Gadu
2008-07-24 12:31 . 2008-07-24 12:31 <DIR> d-------- C:\Program Files\Pcsx2_0.9.4
2008-07-23 10:36 . 2008-07-23 10:36 <DIR> d-------- C:\WINDOWS\system32\xircom
2008-07-23 10:36 . 2008-07-23 10:36 <DIR> d-------- C:\WINDOWS\system32\oobe
2008-07-23 10:36 . 2008-07-23 10:36 <DIR> d-------- C:\WINDOWS\srchasst
2008-07-23 10:36 . 2008-07-23 10:36 <DIR> d-------- C:\WINDOWS\msagent
2008-07-23 10:36 . 2008-07-23 10:36 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-07-22 16:53 . 2008-07-22 16:53 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-07-22 16:53 . 2008-07-22 16:53 <DIR> d-------- C:\Program Files\Deamon-Tools
2008-07-22 16:53 . 2004-08-22 16:31 155,136 --a------ C:\WINDOWS\system32\drivers\d347bus.sys
2008-07-22 16:53 . 2004-08-22 16:31 5,248 --a------ C:\WINDOWS\system32\drivers\d347prt.sys
2008-07-21 22:32 . 2008-07-22 08:59 <DIR> d-------- C:\Documents and Settings\Administrator\Dane aplikacji\IDM
2008-07-21 22:24 . 2008-07-22 08:54 <DIR> d-------- C:\Program Files\Internet Download Manager
2008-07-21 22:24 . 2008-07-25 11:02 <DIR> d-------- C:\Documents and Settings\Administrator\Dane aplikacji\DMCache
2008-07-20 12:08 . 2008-07-20 12:08 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Azureus
2008-07-20 12:08 . 2008-07-20 12:10 <DIR> d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Azureus
2008-07-18 11:18 . 2008-07-18 11:18 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-07-10 22:34 . 2008-07-11 15:33 136 --a------ C:\WINDOWS\kaillera.ini
2008-07-09 12:02 . 2008-07-24 13:01 <DIR> d-a------ C:\Documents and Settings\All Users\Dane aplikacji\TEMP
2008-07-05 11:17 . 2008-07-05 11:17 <DIR> d-------- C:\Program Files\Audacity
2008-07-01 10:11 . 2008-07-01 10:11 <DIR> d-------- C:\Program Files\MarBit
2008-06-29 11:09 . 2008-06-29 11:09 <DIR> d-------- C:\Documents and Settings\Administrator\Dane aplikacji\ESET
2008-06-25 14:25 . 2008-03-03 14:25 5,702 --ah----- C:\WINDOWS\nod32restoretemdono.reg
2008-06-25 14:25 . 2008-03-03 18:21 568 --ah----- C:\WINDOWS\nod32fixtemdono.reg
2008-06-25 14:24 . 2008-06-25 14:24 <DIR> d-------- C:\Program Files\ESET
2008-06-25 14:24 . 2008-06-25 14:24 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\ESET
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-25 09:03 --------- d-----w C:\Program Files\AutoConnect
2008-07-10 13:37 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-07-09 10:08 --------- d-----w C:\Program Files\Czasowy Wyłacznik Kompa
2008-07-05 11:23 --------- d-----w C:\Documents and Settings\Administrator\Dane aplikacji\Nowe Gadu-Gadu
2008-06-26 12:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-09 16:34 --------- d-----w C:\Documents and Settings\Administrator\Dane aplikacji\AVI ReComp
2008-06-07 19:56 --------- d-----w C:\Documents and Settings\Administrator\Dane aplikacji\GetRightToGo
2008-06-07 19:43 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Ulead Systems
2008-06-07 18:52 --------- d-----w C:\Documents and Settings\Administrator\Dane aplikacji\Ulead Systems
2008-06-07 18:38 --------- d-----w C:\Program Files\Windows Media Components
2008-06-07 18:38 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\InstallShield
2008-06-06 17:06 60,416 ----a-w C:\WINDOWS\ALCFDRTM.EXE
2008-05-30 16:38 --------- d-----w C:\Program Files\K-Lite Codec Pack
2008-05-30 16:38 --------- d-----w C:\Documents and Settings\Administrator\Dane aplikacji\Media Player Classic
2008-05-30 16:31 --------- d-----w C:\Documents and Settings\Administrator\Dane aplikacji\Gadu-Gadu
2008-05-30 16:22 33 ----a-w C:\WINDOWS\system32\drivers\adidsl.cfg
2008-05-30 16:22 --------- d-----w C:\Program Files\SAGEM
2008-05-30 16:18 --------- d-----w C:\Program Files\AvRack
2008-05-30 16:01 --------- d-----w C:\Program Files\Java
2008-05-30 16:01 --------- d-----w C:\Program Files\Common Files\Java
2008-05-30 15:56 --------- d-----w C:\Program Files\Windows Media Connect 2
.
------- Sigcheck -------
2007-07-10 15:06 642560 ce594e18fe0d0af804f1f3694921ce62 C:\WINDOWS\system32\user32.dll
2007-07-14 00:56 814592 ce7193c5f7c01b19768e066087c1c919 C:\WINDOWS\system32\wininet.dll
2007-07-28 03:15 360576 0fb6743e937c7bb248b2530a5a77abc6 C:\WINDOWS\system32\drivers\tcpip.sys
2007-07-26 19:30 2067584 5362d54a6925afdcbbba53b43ee65774 C:\WINDOWS\system32\ntkrnlpa.exe
2007-07-26 19:31 2190464 9899bb89856e3bd4ef13e11ccee49b71 C:\WINDOWS\system32\ntoskrnl.exe
2007-07-14 00:42 974848 32f67215c57df2c401bf93b7ee65987f C:\WINDOWS\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:44 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2008-02-20 11:06 1443072]
"SoundMan"="SOUNDMAN.EXE" [2003-08-15 09:34 57344 C:\WINDOWS\SOUNDMAN.EXE]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 02:44 15360]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]
C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
DSLMON.lnk - C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2008-05-30 18:22:55 839680]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableStatusMessages"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
--a------ 2004-08-22 17:05 81920 C:\Program Files\Deamon-Tools\daemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Gadu-Gadu\\gg.exe"=
R3 e4usbaw;USB ADSL2 WAN Adapter;C:\WINDOWS\system32\DRIVERS\e4usbaw.sys [2006-09-19 11:03]
S2 IKANLOADER2;General Purpose USB Driver (e4ldr.sys);C:\WINDOWS\system32\Drivers\e4ldr.sys [2006-09-15 11:07]
S3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 23:08]
*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.neostrada.pl
O8 -: Ściągnij przez IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 -: Ściągnij wszystkie linki przez IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 -: Ściągnij zawartość wideo FLV przez IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-25 11:06:28
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-07-25 11:07:32
ComboFix-quarantined-files.txt 2008-07-25 09:07:26
Pre-Run: 13,497,028,608 bajtów wolnych
Post-Run: 13,682,954,240 bajtów wolnych
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:08:17, on 2008-07-25
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20583)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Administrator\Pulpit\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O8 - Extra context menu item: Ściągnij przez IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: Ściągnij wszystkie linki przez IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Ściągnij zawartość wideo FLV przez IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
--
End of file - 3876 bytes