Heur + disabled taskmanager regedit itp

[bleetz]

witam

mam maly problem z heurem
do tego mialem zablokowane regedity taskmanagera itp co moze wskazywac na wirusa
prosze o sprawdzenie z gory dzieki

Kod: Zaznacz wszystko

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:08:56, on 2009-02-04
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\system32\MsiExec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [cdoosoft] C:\WINDOWS\system32\olhrwef.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: NVIDIA-OMEGA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe (file missing)

--
End of file - 4272 bytes


[wojtas]

Wykonaj to co jest podane w tym temacie

Zastosuj SDFix . Po pobraniu uruchom go a rozpakuje się do C:\SDFix. Uruchom komputer w trybie awaryjnym (F8 przy stracie systemu). Będąc w awaryjnym uruchom plik RunThis.bat z folderu SDFixa. Zatwierdź czyszczenie przez Y. Poczekaj aż ukończy i komputer zresetuje

Potem wejdz do folderu C:\SDFix wrzuc zawartość pliku Report.txt + log z combofixa oraz daj loga z hijacka

[bleetz]

problem w tym ze nie moge uruchomic awaryjnego bo mi wyskakuje blue screen

log z CF

Kod: Zaznacz wszystko

ComboFix 09-02-03.01 - marek 2009-02-04 18:59:20.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1250.1.1033.18.2046.1576 [GMT 1:00]
Uruchomiony z: c:\documents and settings\marek\Desktop\DOWNLOAD\ComboFix.exe
* Utworzono nowy punkt przywracania

UWAGA - TEN KOMPUTER NIE MA ZAINSTALOWANEJ KONSOLI ODZYSKIWANIA !!
.

(((((((((((((((((((((((((((((((((((((((   Usunięto   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
c:\windows\system32\nmdfgds0.dll
c:\windows\system32\nmdfgds1.dll
D:\Autorun.inf

.
(((((((((((((((((((((((((((((((((((((((   Sterowniki/Usługi   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ASC3360PR
-------\Service_asc3360pr


(((((((((((((((((((((((((   Pliki utworzone od 2009-01-04 do 2009-02-04  )))))))))))))))))))))))))))))))
.

2009-02-04 15:46 . 2009-02-04 15:46   <DIR>   d--------   c:\documents and settings\marek\Application Data\Thunderbird
2009-02-04 15:45 . 2009-02-04 18:54   <DIR>   d--------   c:\program files\Mozilla Thunderbird
2009-02-04 15:20 . 2009-02-04 15:20   <DIR>   dr-h-----   c:\documents and settings\marek\Application Data\SecuROM
2009-02-04 15:20 . 2009-02-04 15:20   107,888   --a------   c:\windows\system32\CmdLineExt.dll
2009-02-04 15:08 . 2009-02-04 15:08   <DIR>   d--------   c:\program files\Trend Micro
2009-02-04 14:37 . 2009-02-04 14:37   <DIR>   d--------   c:\documents and settings\marek\Application Data\DAEMON Tools Pro
2009-02-04 14:37 . 2009-02-04 14:37   <DIR>   d--------   c:\documents and settings\marek\Application Data\DAEMON Tools
2009-02-04 14:36 . 2009-02-04 14:36   <DIR>   d--------   c:\program files\DAEMON Tools Lite
2009-02-04 14:36 . 2009-02-04 14:36   <DIR>   d--------   c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2009-02-04 14:32 . 2009-02-04 14:32   <DIR>   d--------   c:\documents and settings\marek\Application Data\DAEMON Tools Lite
2009-02-04 14:32 . 2009-02-04 14:32   717,296   --a------   c:\windows\system32\drivers\sptd.sys
2009-02-04 14:30 . 2009-02-04 14:30   <DIR>   d--------   c:\program files\MSN Messenger
2009-02-04 14:29 . 2009-02-04 14:29   <DIR>   d--------   c:\windows\SxsCaPendDel
2009-02-04 14:20 . 2006-04-11 11:07   1,902   ---------   c:\windows\system32\SetupBD.din
2009-02-04 14:05 . 2009-02-04 14:05   <DIR>   d--------   c:\documents and settings\marek\Contacts
2009-02-04 14:04 . 2009-02-04 14:04   <DIR>   d--------   c:\program files\Skype
2009-02-04 14:04 . 2009-02-04 14:04   <DIR>   d--------   c:\program files\Common Files\Skype
2009-02-04 13:58 . 2009-02-04 16:30   <DIR>   d--------   c:\documents and settings\marek\Application Data\skypePM
2009-02-04 13:58 . 2009-02-04 13:58   56   --ah-----   c:\windows\system32\ezsidmv.dat
2009-02-04 13:57 . 2009-02-04 19:01   <DIR>   d--------   c:\documents and settings\marek\Application Data\Skype
2009-02-04 13:57 . 2009-02-04 14:04   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Skype
2009-02-04 13:45 . 2009-02-04 13:45   <DIR>   d--------   c:\program files\foobar2000
2009-02-04 13:45 . 2009-02-04 18:31   <DIR>   d--------   c:\documents and settings\marek\Application Data\foobar2000
2009-02-04 13:41 . 2009-02-04 13:41   <DIR>   d--------   c:\program files\Gadu-Gadu
2009-02-04 13:41 . 2009-02-04 13:42   <DIR>   d--------   c:\documents and settings\marek\Gadu-Gadu
2009-02-04 13:38 . 2009-02-04 13:46   <DIR>   d--------   c:\program files\SkanerOnline
2009-02-04 13:38 . 2009-02-04 18:33   108,705   -r-hs----   C:\pook.com
2009-02-04 13:34 . 2009-02-04 13:34   <DIR>   d--------   c:\program files\Nvidia Omega Drivers
2009-02-04 13:34 . 2007-12-05 06:41   8,523,776   --a------   c:\windows\system32\nvcpl.dll
2009-02-04 13:32 . 2005-11-01 18:08   308,992   --a------   c:\windows\system32\drivers\rixdptsk.sys
2009-02-04 13:31 . 2008-04-14 00:45   60,800   --a------   c:\windows\system32\drivers\sysaudio.sys
2009-02-04 13:31 . 2008-04-14 00:45   60,800   --a--c---   c:\windows\system32\dllcache\sysaudio.sys
2009-02-04 13:31 . 2008-04-14 00:09   7,552   --a------   c:\windows\system32\drivers\MSKSSRV.sys
2009-02-04 13:31 . 2008-04-14 00:09   7,552   --a--c---   c:\windows\system32\dllcache\mskssrv.sys
2009-02-04 13:31 . 2008-04-14 00:09   5,376   --a------   c:\windows\system32\drivers\MSPCLOCK.sys
2009-02-04 13:31 . 2008-04-14 00:09   5,376   --a--c---   c:\windows\system32\dllcache\mspclock.sys
2009-02-04 13:31 . 2008-04-14 00:09   4,992   --a------   c:\windows\system32\drivers\MSPQM.sys
2009-02-04 13:31 . 2008-04-14 00:09   4,992   --a--c---   c:\windows\system32\dllcache\mspqm.sys
2009-02-04 13:31 . 2008-04-14 00:15   2,944   --a------   c:\windows\system32\drivers\drmkaud.sys
2009-02-04 13:31 . 2008-04-14 00:15   2,944   --a--c---   c:\windows\system32\dllcache\drmkaud.sys
2009-02-04 13:30 . 2008-04-14 00:49   146,048   --a------   c:\windows\system32\drivers\portcls.sys
2009-02-04 13:30 . 2008-04-14 00:49   146,048   --a--c---   c:\windows\system32\dllcache\portcls.sys
2009-02-04 13:30 . 2008-04-14 05:42   129,536   --a------   c:\windows\system32\ksproxy.ax
2009-02-04 13:30 . 2008-04-14 05:42   129,536   --a--c---   c:\windows\system32\dllcache\ksproxy.ax
2009-02-04 13:30 . 2008-04-14 00:15   60,160   --a------   c:\windows\system32\drivers\drmk.sys
2009-02-04 13:30 . 2008-04-14 00:15   60,160   --a--c---   c:\windows\system32\dllcache\drmk.sys
2009-02-04 13:30 . 2008-04-14 05:41   4,096   --a------   c:\windows\system32\ksuser.dll
2009-02-04 13:30 . 2008-04-14 05:41   4,096   --a--c---   c:\windows\system32\dllcache\ksuser.dll
2009-02-04 13:29 . 2009-02-04 13:29   <DIR>   d--------   c:\program files\Hewlett-Packard
2009-02-04 13:21 . 2009-02-04 13:21   <DIR>   d--------   c:\program files\NetWaiting
2009-02-04 13:21 . 2009-02-04 15:41   <DIR>   d--h-----   c:\program files\InstallShield Installation Information
2009-02-04 13:21 . 2009-02-04 13:21   <DIR>   d--------   c:\program files\CONEXANT
2009-02-04 13:21 . 2009-02-04 13:29   <DIR>   d--------   c:\program files\Common Files\InstallShield
2009-02-04 13:17 . 2009-02-04 13:17   0   --a------   c:\windows\nsreg.dat
2009-02-04 13:14 . 2007-08-27 11:12   2,777,088   --a------   c:\windows\system32\NETw4r32.dll
2009-02-04 13:14 . 2007-09-26 06:01   2,236,032   --a------   c:\windows\system32\drivers\NETw4x32.sys
2009-02-04 13:14 . 2007-08-27 11:12   745,472   --a------   c:\windows\system32\NETw4c32.dll
2009-02-04 13:13 . 2009-02-04 14:29   <DIR>   d----c---   c:\windows\system32\DRVSTORE

.
((((((((((((((((((((((((((((((((((((((((   Sekcja Find3M   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-04 17:33   108,705   --sh--r   c:\windows\system32\olhrwef.exe
2009-02-04 12:34   472,576   ----a-w   c:\windows\Nvidia Omega Drivers v2.169.21 Uninstall.exe
2009-02-04 11:47   2,423   ----a-w   c:\windows\bcm6.tmp
2009-02-04 11:47   ---------   d-----w   c:\program files\Broadcom
2009-02-04 11:47   ---------   d-----w   c:\documents and settings\marek\Application Data\InstallShield
2009-02-04 11:41   ---------   d-----w   c:\program files\Intel
2009-02-04 10:28   ---------   d-----w   c:\program files\microsoft frontpage
2009-02-04 10:24   ---------   d-----w   c:\program files\Windows Media Connect 2
2009-02-01 03:38   109,930   --sh--r   C:\a2h2.com
2009-01-21 16:11   473,600   ----a-w   c:\windows\system32\SkanerOnline.dll
.

(((((((((((((((((((((((((((((((((((((   Wpisy startowe rejestru   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdoosoft"="c:\windows\system32\olhrwef.exe" [2009-02-04 108705]
"Gadu-Gadu"="c:\program files\Gadu-Gadu\gg.exe" [2005-03-31 790528]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-04-23 22058792]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-09-04 6856704]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-12-29 687560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-07-26 c:\windows\system32\CHDAudPropShortcut.exe]
"nwiz"="nwiz.exe" [2007-12-05 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"d:\\pes2008\\PES2008.exe"=

.
.
------- Skan uzupełniający -------
.
DPF: {68282C51-9459-467B-95BF-3C0E89627E55} - hxxp://www.mks.com.pl/skaner/SkanerOnline.cab
FF - ProfilePath - c:\documents and settings\marek\Application Data\Mozilla\Firefox\Profiles\rgd1jr7g.default\
FF - prefs.js: browser.startup.homepage - google.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-04 19:01:31
Windows 5.1.2600 Service Pack 3 NTFS

skanowanie ukrytych procesów ... 

skanowanie ukrytych wpisów autostartu ...

skanowanie ukrytych plików ... 

skanowanie pomyślnie ukończone
ukryte pliki: 0

**************************************************************************
.
------------------------ Pozostałe uruchomione procesy ------------------------
.
c:\windows\system32\rundll32.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wscntfy.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Czas ukończenia: 2009-02-04 19:02:38 - komputer został uruchomiony ponownie
ComboFix-quarantined-files.txt  2009-02-04 18:02:36

Przed: 16 176 873 472 bytes free
Po: 16,149,848,064 bytes free

150


log z HJT

Kod: Zaznacz wszystko

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:03:32, on 2009-02-04
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [cdoosoft] C:\WINDOWS\system32\olhrwef.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: NVIDIA-OMEGA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe (file missing)

--
End of file - 3756 bytes


EDIT
po przejechaniu CFem udalo sie uruchomic awaryjny

log z sdfixa

Kod: Zaznacz wszystko


[b]SDFix: Version 1.240 [/b]
Run by marek on 2009-02-04 at 19:09

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\Documents and Settings\marek\Desktop\DOWNLOAD\SDFix\SDFix

[b]Checking Services [/b]:


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


[b]Checking Files [/b]:

Trojan Files Found:

C:\autorun.inf - Deleted





Removing Temp Files

[b]ADS Check [/b]:



                                 [b]Final Check [/b]:

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-04 19:12:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000000
"khjeh"=hex:54,c0,e3,b5,9d,ee,88,af,42,44,5e,3a,b1,83,29,68,d7,7c,81,a7,81,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,f1,17,cd,35,de,9e,5f,63,99,f5,1d,49,2f,ad,70,cd,57,..
"khjeh"=hex:4a,d8,28,73,c8,5b,6b,ca,02,bb,46,a8,f3,5e,16,57,1f,15,74,c1,93,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:4f,69,2d,4a,3b,fe,91,53,78,01,a7,14,a2,cd,84,5a,5d,0e,4e,c0,ce,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000000
"khjeh"=hex:54,c0,e3,b5,9d,ee,88,af,42,44,5e,3a,b1,83,29,68,d7,7c,81,a7,81,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,f1,17,cd,35,de,9e,5f,63,99,f5,1d,49,2f,ad,70,cd,57,..
"khjeh"=hex:4a,d8,28,73,c8,5b,6b,ca,02,bb,46,a8,f3,5e,16,57,1f,15,74,c1,93,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:4f,69,2d,4a,3b,fe,91,53,78,01,a7,14,a2,cd,84,5a,5d,0e,4e,c0,ce,..

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


[b]Remaining Services [/b]:




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.0"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"D:\\pes2008\\PES2008.exe"="D:\\pes2008\\PES2008.exe:*:Enabled:Pro Evolution Soccer 2008"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.0"

[b]Remaining Files [/b]:


File Backups: - C:\DOCUME~1\marek\Desktop\DOWNLOAD\SDFix\SDFix\backups\backups.zip

[b]Files with Hidden Attributes [/b]:

Sun  1 Feb 2009       109,930 ..SHR --- "C:\a2h2.com"
Wed  4 Feb 2009       108,705 ..SHR --- "C:\pook.com"
Wed  4 Feb 2009        95,744 ..SHR --- "C:\WINDOWS\system32\nmdfgds0.dll"
Wed  4 Feb 2009       108,705 ..SHR --- "C:\WINDOWS\system32\olhrwef.exe"

[b]Finished![/b]



i log z hjt po sdfixie

Kod: Zaznacz wszystko

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:22:25, on 2009-02-04
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [cdoosoft] C:\WINDOWS\system32\olhrwef.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: NVIDIA-OMEGA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe (file missing)

--
End of file - 3669 bytes


[wojtas]

Otworz notatnik i wklej w nim to:

File::
C:\pook.com
C:\a2h2.com
d:\pook.com
d:\a2h2.com
e:\pook.com
e:\a2h2.com
c:\windows\bcm6.tmp

>>Plik>>Zapisz jako... >>> CFScript
Przeciągnij i upuść plik CFScript.txt na plik ComboFix.exe
-->
Ma się rozpocząć usuwanie. (i powstanie log).Daj ten log, który powstanie w trakcie usuwania.

[bleetz]

log z CF

Kod: Zaznacz wszystko

ComboFix 09-02-03.01 - marek 2009-02-04 19:25:20.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1250.1.1033.18.2046.1572 [GMT 1:00]
Uruchomiony z: c:\documents and settings\marek\Desktop\DOWNLOAD\ComboFix.exe
Użyto następujących komend :: c:\documents and settings\marek\Desktop\DOWNLOAD\CFScript.txt.txt
* Utworzono nowy punkt przywracania

UWAGA - TEN KOMPUTER NIE MA ZAINSTALOWANEJ KONSOLI ODZYSKIWANIA !!

FILE ::
C:\a2h2.com
C:\pook.com
c:\windows\bcm6.tmp
d:\a2h2.com
d:\pook.com
e:\a2h2.com
e:\pook.com
.

(((((((((((((((((((((((((((((((((((((((   Usunięto   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\a2h2.com
C:\autorun.inf
C:\pook.com
c:\windows\bcm6.tmp
c:\windows\system32\nmdfgds0.dll
c:\windows\system32\nmdfgds1.dll
d:\a2h2.com
D:\Autorun.inf
d:\pook.com

.
(((((((((((((((((((((((((   Pliki utworzone od 2009-01-04 do 2009-02-04  )))))))))))))))))))))))))))))))
.

2009-02-04 19:08 . 2009-02-04 19:08   <DIR>   d--------   c:\windows\ERUNT
2009-02-04 15:46 . 2009-02-04 15:46   <DIR>   d--------   c:\documents and settings\marek\Application Data\Thunderbird
2009-02-04 15:45 . 2009-02-04 19:02   <DIR>   d--------   c:\program files\Mozilla Thunderbird
2009-02-04 15:20 . 2009-02-04 15:20   <DIR>   dr-h-----   c:\documents and settings\marek\Application Data\SecuROM
2009-02-04 15:20 . 2009-02-04 15:20   107,888   --a------   c:\windows\system32\CmdLineExt.dll
2009-02-04 15:08 . 2009-02-04 15:08   <DIR>   d--------   c:\program files\Trend Micro
2009-02-04 14:37 . 2009-02-04 14:37   <DIR>   d--------   c:\documents and settings\marek\Application Data\DAEMON Tools Pro
2009-02-04 14:37 . 2009-02-04 14:37   <DIR>   d--------   c:\documents and settings\marek\Application Data\DAEMON Tools
2009-02-04 14:36 . 2009-02-04 14:36   <DIR>   d--------   c:\program files\DAEMON Tools Lite
2009-02-04 14:36 . 2009-02-04 14:36   <DIR>   d--------   c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2009-02-04 14:32 . 2009-02-04 14:32   <DIR>   d--------   c:\documents and settings\marek\Application Data\DAEMON Tools Lite
2009-02-04 14:32 . 2009-02-04 14:32   717,296   --a------   c:\windows\system32\drivers\sptd.sys
2009-02-04 14:30 . 2009-02-04 14:30   <DIR>   d--------   c:\program files\MSN Messenger
2009-02-04 14:29 . 2009-02-04 14:29   <DIR>   d--------   c:\windows\SxsCaPendDel
2009-02-04 14:20 . 2006-04-11 11:07   1,902   ---------   c:\windows\system32\SetupBD.din
2009-02-04 14:05 . 2009-02-04 14:05   <DIR>   d--------   c:\documents and settings\marek\Contacts
2009-02-04 14:04 . 2009-02-04 14:04   <DIR>   d--------   c:\program files\Skype
2009-02-04 14:04 . 2009-02-04 14:04   <DIR>   d--------   c:\program files\Common Files\Skype
2009-02-04 13:58 . 2009-02-04 16:30   <DIR>   d--------   c:\documents and settings\marek\Application Data\skypePM
2009-02-04 13:58 . 2009-02-04 13:58   56   --ah-----   c:\windows\system32\ezsidmv.dat
2009-02-04 13:57 . 2009-02-04 19:22   <DIR>   d--------   c:\documents and settings\marek\Application Data\Skype
2009-02-04 13:57 . 2009-02-04 14:04   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Skype
2009-02-04 13:45 . 2009-02-04 13:45   <DIR>   d--------   c:\program files\foobar2000
2009-02-04 13:45 . 2009-02-04 18:31   <DIR>   d--------   c:\documents and settings\marek\Application Data\foobar2000
2009-02-04 13:41 . 2009-02-04 13:41   <DIR>   d--------   c:\program files\Gadu-Gadu
2009-02-04 13:41 . 2009-02-04 13:42   <DIR>   d--------   c:\documents and settings\marek\Gadu-Gadu
2009-02-04 13:38 . 2009-02-04 13:46   <DIR>   d--------   c:\program files\SkanerOnline
2009-02-04 13:34 . 2009-02-04 13:34   <DIR>   d--------   c:\program files\Nvidia Omega Drivers
2009-02-04 13:34 . 2007-12-05 06:41   8,523,776   --a------   c:\windows\system32\nvcpl.dll
2009-02-04 13:32 . 2005-11-01 18:08   308,992   --a------   c:\windows\system32\drivers\rixdptsk.sys
2009-02-04 13:31 . 2008-04-14 00:45   60,800   --a------   c:\windows\system32\drivers\sysaudio.sys
2009-02-04 13:31 . 2008-04-14 00:45   60,800   --a--c---   c:\windows\system32\dllcache\sysaudio.sys
2009-02-04 13:31 . 2008-04-14 00:09   7,552   --a------   c:\windows\system32\drivers\MSKSSRV.sys
2009-02-04 13:31 . 2008-04-14 00:09   7,552   --a--c---   c:\windows\system32\dllcache\mskssrv.sys
2009-02-04 13:31 . 2008-04-14 00:09   5,376   --a------   c:\windows\system32\drivers\MSPCLOCK.sys
2009-02-04 13:31 . 2008-04-14 00:09   5,376   --a--c---   c:\windows\system32\dllcache\mspclock.sys
2009-02-04 13:31 . 2008-04-14 00:09   4,992   --a------   c:\windows\system32\drivers\MSPQM.sys
2009-02-04 13:31 . 2008-04-14 00:09   4,992   --a--c---   c:\windows\system32\dllcache\mspqm.sys
2009-02-04 13:31 . 2008-04-14 00:15   2,944   --a------   c:\windows\system32\drivers\drmkaud.sys
2009-02-04 13:31 . 2008-04-14 00:15   2,944   --a--c---   c:\windows\system32\dllcache\drmkaud.sys
2009-02-04 13:30 . 2008-04-14 00:49   146,048   --a------   c:\windows\system32\drivers\portcls.sys
2009-02-04 13:30 . 2008-04-14 00:49   146,048   --a--c---   c:\windows\system32\dllcache\portcls.sys
2009-02-04 13:30 . 2008-04-14 05:42   129,536   --a------   c:\windows\system32\ksproxy.ax
2009-02-04 13:30 . 2008-04-14 05:42   129,536   --a--c---   c:\windows\system32\dllcache\ksproxy.ax
2009-02-04 13:30 . 2008-04-14 00:15   60,160   --a------   c:\windows\system32\drivers\drmk.sys
2009-02-04 13:30 . 2008-04-14 00:15   60,160   --a--c---   c:\windows\system32\dllcache\drmk.sys
2009-02-04 13:30 . 2008-04-14 05:41   4,096   --a------   c:\windows\system32\ksuser.dll
2009-02-04 13:30 . 2008-04-14 05:41   4,096   --a--c---   c:\windows\system32\dllcache\ksuser.dll
2009-02-04 13:29 . 2009-02-04 13:29   <DIR>   d--------   c:\program files\Hewlett-Packard
2009-02-04 13:21 . 2009-02-04 13:21   <DIR>   d--------   c:\program files\NetWaiting
2009-02-04 13:21 . 2009-02-04 15:41   <DIR>   d--h-----   c:\program files\InstallShield Installation Information
2009-02-04 13:21 . 2009-02-04 13:21   <DIR>   d--------   c:\program files\CONEXANT
2009-02-04 13:21 . 2009-02-04 13:29   <DIR>   d--------   c:\program files\Common Files\InstallShield
2009-02-04 13:17 . 2009-02-04 13:17   0   --a------   c:\windows\nsreg.dat
2009-02-04 13:14 . 2007-08-27 11:12   2,777,088   --a------   c:\windows\system32\NETw4r32.dll
2009-02-04 13:14 . 2007-09-26 06:01   2,236,032   --a------   c:\windows\system32\drivers\NETw4x32.sys
2009-02-04 13:14 . 2007-08-27 11:12   745,472   --a------   c:\windows\system32\NETw4c32.dll
2009-02-04 13:13 . 2009-02-04 14:29   <DIR>   d----c---   c:\windows\system32\DRVSTORE

.
((((((((((((((((((((((((((((((((((((((((   Sekcja Find3M   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-04 18:21   108,705   --sh--r   c:\windows\system32\olhrwef.exe
2009-02-04 12:34   472,576   ----a-w   c:\windows\Nvidia Omega Drivers v2.169.21 Uninstall.exe
2009-02-04 11:47   ---------   d-----w   c:\program files\Broadcom
2009-02-04 11:47   ---------   d-----w   c:\documents and settings\marek\Application Data\InstallShield
2009-02-04 11:41   ---------   d-----w   c:\program files\Intel
2009-02-04 10:28   ---------   d-----w   c:\program files\microsoft frontpage
2009-02-04 10:24   ---------   d-----w   c:\program files\Windows Media Connect 2
2009-01-21 16:11   473,600   ----a-w   c:\windows\system32\SkanerOnline.dll
.

(((((((((((((((((((((((((((((   snapshot@2009-02-04_19.01.55.20   )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-07 14:27:04   163,328   ----a-w   c:\windows\ERUNT\SDFIX\ERDNT.EXE
+ 2009-02-04 18:08:35   1,212,416   ----a-w   c:\windows\ERUNT\SDFIX\Users\[u]0[/u]0000001\NTUSER.DAT
+ 2009-02-04 18:08:35   36,864   ----a-w   c:\windows\ERUNT\SDFIX\Users\[u]0[/u]0000002\UsrClass.dat
+ 2008-08-07 14:27:04   163,328   ----a-w   c:\windows\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2009-02-04 18:08:26   1,212,416   ----a-w   c:\windows\ERUNT\SDFIX_First_Run\Users\[u]0[/u]0000001\NTUSER.DAT
+ 2009-02-04 18:08:26   36,864   ----a-w   c:\windows\ERUNT\SDFIX_First_Run\Users\[u]0[/u]0000002\UsrClass.dat
- 2009-02-04 17:37:40   40,326   ----a-w   c:\windows\system32\perfc009.dat
+ 2009-02-04 18:22:15   40,190   ----a-w   c:\windows\system32\perfc009.dat
- 2009-02-04 17:37:40   311,938   ----a-w   c:\windows\system32\perfh009.dat
+ 2009-02-04 18:22:15   311,802   ----a-w   c:\windows\system32\perfh009.dat
.
(((((((((((((((((((((((((((((((((((((   Wpisy startowe rejestru   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdoosoft"="c:\windows\system32\olhrwef.exe" [2009-02-04 108705]
"Gadu-Gadu"="c:\program files\Gadu-Gadu\gg.exe" [2005-03-31 790528]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-04-23 22058792]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-09-04 6856704]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-12-29 687560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-07-26 c:\windows\system32\CHDAudPropShortcut.exe]
"nwiz"="nwiz.exe" [2007-12-05 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"d:\\pes2008\\PES2008.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

.
.
------- Skan uzupełniający -------
.
DPF: {68282C51-9459-467B-95BF-3C0E89627E55} - hxxp://www.mks.com.pl/skaner/SkanerOnline.cab
FF - ProfilePath - c:\documents and settings\marek\Application Data\Mozilla\Firefox\Profiles\rgd1jr7g.default\
FF - prefs.js: browser.startup.homepage - google.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-04 19:26:04
Windows 5.1.2600 Service Pack 3 NTFS

skanowanie ukrytych procesów ... 

skanowanie ukrytych wpisów autostartu ...

skanowanie ukrytych plików ... 

skanowanie pomyślnie ukończone
ukryte pliki: 0

**************************************************************************
.
Czas ukończenia: 2009-02-04 19:26:43
ComboFix-quarantined-files.txt  2009-02-04 18:26:41
ComboFix2.txt  2009-02-04 18:02:39

Przed: 16 096 915 456 bytes free
Po: 16,086,773,760 bytes free

163


[wojtas]

Wylecz pendriva lub kartę pamięci
Perlovga Removal Tool
Flash Disinfector
lub format



1. Ściągnij OTMoveIt i go włacz i odpal go z opcji CleanUp oraz skasuj folder C:\Qoobox
2. wykonaj optymalizację windowsa
3.sciagnij ATF_Cleaner
zaznacz
Windows Temp
All users Temp
Temporary internet files
Recycle Bin
i wcisnij EMPTY SELECTED
4.Wyłącz przywracanie systemu ( właściwości mój komputer-zakładka przywracanie - wyłącz przywracanie na wszystkich dyskach). Po chwili włącz je powrotem
5. Wykonaj skan Dr. Web CureIt
6. Przeskanuj obszar mojego komputera http://www.kaspersky.pl/virusscanner.html (uruchom przez IE) Daj raport z niego na forum.

i tym:

FixIEDef.

[bleetz]

log z kasperskiego

Kod: Zaznacz wszystko

--------------------------------------------------------------------------------
RAPORT KASPERSKY ONLINE SCANNER 7.0
czwartek, 5 luty 2009
System operacyjny: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Wersja Kaspersky Online Scanner: 7.0.26.12
Data ostatniej aktualizacji bazy danych: Wednesday, February 04, 2009 22:55:49
Liczba wpisów: 1752380
--------------------------------------------------------------------------------

Ustawienia skanowania:
   Typ bazy danych użytej do skanowania: rozszerzona
   Skanuj archiwa: tak
   Skanuj pocztowe bazy danych: tak

Obszar skanowania - Mój komputer:
   C:\
   D:\
   E:\
   F:\

Statystyki skanowania:
   Przeskanowanych plików: 34493
   Nazwa zagrożenia: 2
   Zainfekowanych obiektów: 9
   Podejrzanych obiektów: 0
   Czas skanowania: 00:27:42


Nazwa pliku / Nazwa zagrożenia / Liczba zagrożeń
D:\download\SDFix\SDFix\backups_old4\backups.zip   Zainfekowany: Worm.Win32.AutoRun.vnq   1
D:\lapek marka\sp32646.exe   Zainfekowany: Virus.Win32.Sality.aa   1
D:\lapek marka\sp34200.exe   Zainfekowany: Virus.Win32.Sality.aa   1
D:\lapek marka\sp34204.exe   Zainfekowany: Virus.Win32.Sality.aa   1
D:\Q3\Extras\cs\sysinfo.exe   Zainfekowany: Virus.Win32.Sality.aa   1
D:\steam\steamapps\pmok26@wp.pl\counter-strike\hl.exe   Zainfekowany: Virus.Win32.Sality.aa   1
D:\steam\steamapps\pmok26@wp.pl\counter-strike\hlds.exe   Zainfekowany: Virus.Win32.Sality.aa   1
D:\steam\WriteMiniDump.exe   Zainfekowany: Virus.Win32.Sality.aa   1
D:\wc3\BNUpdate.exe   Zainfekowany: Virus.Win32.Sality.aa   1

Wybrany obszar został przeskanowany.


i chyba czysty log z fixiedef

Kod: Zaznacz wszystko

********************************************************************************
*                                                                              *
*                                 FixIEDef Log                                 *
*                              Version 1.7.22.7368                             *
*                                                                              *
********************************************************************************

Created at 11:07:14 on Thursday, February 05, 2009

Time Zone            : (GMT+01:00) Sarajevo, Skopje, Warsaw, Zagreb

Logged On User       : marek

Operating System     : Microsoft Windows XP Professional Service Pack 3
OS Architecture      : X86
System Langauge      : English (United States)
Keyboard Layout      : English (United States)
Processor            : X64 Intel(R) Core(TM)2 CPU         T7200  @ 2.00GHz

System Drive         : C:\
Windows Directory    : C:\WINDOWS
System Directory     : C:\WINDOWS\system32

System Drive Type    : Fixed
System Drive Status  : READY
System Drive Label   :
System Drive Size    : 20.25 GB
System Drive Free    : 15.6 GB

Total Physical Memory: 2046 MB
Free Physical Memory : 1524 MB
Total Page File      : 2046 MB
Free Page File       : 3542 MB
Total Virtual Memory : 2048 MB
Free Virtual Memory  : 1960 MB

Boot State           : Normal boot

--------------------------------------------------------------------------------

!!! userinit.exe is Clean !!!

--------------------------------------------------------------------------------

!!! Files that have been deleted !!!

No malicious files found

--------------------------------------------------------------------------------

!!! Directories that have been removed !!!

No malicious directories to be removed

--------------------------------------------------------------------------------

!!! Registry entries that have been removed !!!

No malicious Registry entries found

================================================================================

All Done :)

ShadowPuterDude

Safe Surfing!!!


[Okocza]

D:\download\SDFix\SDFix\backups_old4\backups.zip Zainfekowany: Worm.Win32.AutoRun.vnq 1
D:\lapek marka\sp32646.exe Zainfekowany: Virus.Win32.Sality.aa 1
D:\lapek marka\sp34200.exe Zainfekowany: Virus.Win32.Sality.aa 1
D:\lapek marka\sp34204.exe Zainfekowany: Virus.Win32.Sality.aa 1
D:\Q3\Extras\cs\sysinfo.exe Zainfekowany: Virus.Win32.Sality.aa 1
D:\steam\steamapps\pmok26@wp.pl\counter-strike\hl.exe Zainfekowany: Virus.Win32.Sality.aa 1
D:\steam\steamapps\pmok26@wp.pl\counter-strike\hlds.exe Zainfekowany: Virus.Win32.Sality.aa 1
D:\steam\WriteMiniDump.exe Zainfekowany: Virus.Win32.Sality.aa 1
D:\wc3\BNUpdate.exe Zainfekowany: Virus.Win32.Sality.aa 1

usuń te wszystkie plik - potem przeinstaluj Counter Strike. Masz zarażone pliki wirusem Sality.