Heur.w32 wyłączony menadżer urządzeń

[Bury]

Mam poważny problem zawirusowane dwa komputery. Mks vir wykrył wirusy Heur.w32. Ctrl-alt-delete nie działa wyświetla się komunikat "menadżer urządzeń wyłączony przez administratora" dodatkowo cały czas próbuje łączyć mnie z netem i blokuje pliki .exe.

log combofix

Kod: Zaznacz wszystko

ComboFix 08-11-27.07 - Martucha 2008-11-28 19:40:30.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.127 [GMT 1:00]
Uruchomiony z: d:\instalacje\ComboFix.exe
* Utworzono nowy punkt przywracania
.

((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll
c:\windows\system32\gasretyw0.dll
c:\windows\system32\kamsoft.exe

.
((((((((((((((((((((((((( Pliki utworzone od 2008-10-28 do 2008-11-28 )))))))))))))))))))))))))))))))
.

2008-11-28 14:07 . 2008-11-28 14:35 <DIR> d-a------ c:\documents and settings\All Users\Dane aplikacji\TEMP
2008-11-28 13:07 . 2008-11-28 13:07 <DIR> d-------- c:\program files\SubEdit-Player
2008-11-28 12:09 . 2008-11-28 12:12 <DIR> d-------- c:\program files\ToniArts
2008-11-27 19:50 . 2004-08-23 13:50 32,768 --a------ c:\windows\system32\WooDial2000.dll
2008-11-27 19:47 . 2008-11-27 19:50 168 --a------ c:\windows\adidsl.ini
2008-11-27 19:47 . 2008-11-27 19:47 21 --a------ c:\windows\Fast800.ini
2008-11-27 19:46 . 2008-11-27 19:46 <DIR> d-------- c:\program files\SAGEM
2008-11-27 19:45 . 2008-11-27 19:45 <DIR> d-------- c:\program files\Java
2008-11-27 19:45 . 2003-08-04 13:22 94,208 --a------ c:\windows\system32\W32n50.dll
2008-11-27 19:45 . 2002-11-01 20:15 45,175 --------- c:\windows\system32\plugincpl140_03.cpl
2008-11-27 19:45 . 2002-11-01 20:15 41,068 --------- c:\windows\system32\ActPanel.dll
2008-11-27 19:45 . 2004-08-23 13:49 40,960 --a------ c:\windows\system32\FTRTSVC.exe
2008-11-27 19:45 . 2005-10-06 14:55 36,864 --a------ c:\windows\system32\IfHelper.dll
2008-11-27 19:45 . 2003-08-04 13:22 16,128 --------- c:\windows\system32\PCANDIS5.SYS
2008-11-27 19:43 . 2008-11-28 19:48 <DIR> d-------- c:\program files\neostrada tp
2008-11-27 19:42 . 2008-11-27 19:42 <DIR> d--hs---- c:\windows\ftpcache
2008-11-24 23:33 . 2008-11-24 23:33 <DIR> d-------- c:\windows\system32\Samsung_USB_Drivers
2008-11-24 23:33 . 2008-11-24 23:33 <DIR> d-------- c:\program files\Samsung
2008-11-24 23:33 . 2005-08-28 20:51 766 --a------ c:\windows\system32\Uninstall.ico
2008-11-23 11:22 . 2008-11-28 18:00 <DIR> d-------- c:\program files\Norton Security Scan
2008-11-23 11:22 . 2008-11-28 18:00 <DIR> d-------- c:\program files\Common Files\Symantec Shared
2008-11-23 00:27 . 2008-11-04 09:35 499,712 --a------ c:\windows\system32\msvcp71.dll
2008-11-23 00:26 . 2008-11-23 00:27 <DIR> d-------- c:\windows\system32\Adobe
2008-11-12 17:36 . 2008-10-24 12:10 453,632 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-31 14:18 . 2008-10-31 14:18 <DIR> d-------- c:\documents and settings\Martucha\Dane aplikacji\PlayFirst
2008-10-31 14:18 . 2008-10-31 14:18 <DIR> d-------- c:\documents and settings\All Users\Dane aplikacji\PlayFirst
2008-10-30 13:08 . 2008-10-30 13:08 <DIR> d-------- c:\documents and settings\All Users\Dane aplikacji\Zylom
2008-10-28 22:24 . 2008-10-28 22:24 <DIR> d-------- c:\documents and settings\Martucha\Dane aplikacji\GanymedeNet
2008-10-28 22:24 . 2008-10-28 22:24 4 --a------ c:\windows\system32\proc-507977554.bin

.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-28 11:23 --------- d-----w c:\program files\eMule
2008-11-28 11:12 --------- d-----w c:\program files\Winamp
2008-11-28 11:09 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-27 18:47 33 ----a-w c:\windows\system32\drivers\adidsl.cfg
2008-10-26 15:47 --------- d-----w c:\program files\BitComet
2008-10-24 19:27 --------- d-----w c:\documents and settings\Martucha\Dane aplikacji\BESTplayer
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-13 14:27 --------- d-----w c:\program files\Common Files\Adobe
2008-10-13 09:11 --------- d-----w c:\documents and settings\Martucha\Dane aplikacji\Winamp
2008-10-13 08:45 --------- d-----w c:\program files\microsoft frontpage
2008-10-13 08:45 --------- d-----w c:\documents and settings\Martucha\Dane aplikacji\Microsoft Web Folders
.

((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 163840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152]
"PTHOSTTR"="c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2007-01-09 145184]
"CognizanceTS"="c:\progra~1\HEWLET~1\IAM\Bin\ASTSVCC.dll" [2003-12-22 17920]
"IFXSPMGT"="c:\windows\system32\ifxspmgt.exe" [2007-02-15 677408]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-01-05 872448]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-05-07 159744]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-07 827392]
"MKSRegmon"="c:\program files\mks_vir_2007\bin\mksregmon.exe" [2007-05-24 303104]
"mks_mail"="c:\program files\mks_vir_2007\bin\mks_mail.exe" [2007-05-24 520192]
"mkstray"="c:\program files\mks_vir_2007\bin\mkstray.exe" [2007-08-13 663552]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-01-10 472776]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-09-12 36352]
"WOOWATCH"="c:\progra~1\NEOSTR~1\Watch.exe" [2004-08-23 20480]
"WOOTASKBARICON"="c:\progra~1\NEOSTR~1\GestMaj.exe" [2004-10-14 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\Martucha\Menu Start\Programy\Autostart\
CCC.lnk - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2006-09-29 49152]

c:\documents and settings\All Users\Menu Start\Programy\Autostart\
BTTray.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-02-06 561213]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 135220]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=APSHook.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ SbHpNp scecli ASWLNPkg

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MkS_Scan]
@="service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\CF8594.exe"=
"c:\\ComboFix\\NirCmd.cfexe"=
"c:\\Program Files\\Hewlett-Packard\\HP Quick Launch Buttons\\qlbPres.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"16981:TCP"= 16981:TCP:BitComet 16981 TCP
"16981:UDP"= 16981:UDP:BitComet 16981 UDP

R0 mksidsa;mksidsa;c:\windows\system32\mksidsa.sys [2007-05-24 6144]
R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [2007-04-26 100095]
R0 SbAlg;SbAlg;c:\windows\system32\drivers\SbAlg.sys [2006-10-09 44720]
R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [2007-03-29 13696]
R1 mksfwallf;mksfwallf;\??\c:\windows\system32\mksfwallf.sys [2007-05-24 13312]
R1 mksfwallt;mksfwallt;\??\c:\windows\system32\mksfwallt.sys [2007-05-24 15360]
R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [2007-01-23 39080]
R1 RsvLock;RsvLock;c:\windows\system32\drivers\RsvLock.sys [2007-04-26 5808]
R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [2004-08-04 14336]
R2 HpFkCryptService;Drive Encryption Service;"c:\program files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe" [2007-04-27 221184]
R2 MksFwall;MksFwall;"c:\program files\mks_vir_2007\bin\MksFwall.exe" [2007-05-24 270336]
R2 MksPC;MksPC;"c:\program files\mks_vir_2007\bin\MksPC.exe" [2007-05-24 253952]
R2 MksUpdate;MksUpdate;"c:\program files\mks_vir_2007\bin\mksupdate.exe" [2007-05-24 570880]
R2 SWIHPWMI;SWIHPWMI;c:\program files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe [2006-12-04 292384]
R3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\lpfpoe.sys []
R3 e4usbaw;USB ADSL2 WAN Adapter;c:\windows\system32\DRIVERS\e4usbaw.sys [2008-11-27 116992]
R3 IFXTPM;IFXTPM;c:\windows\system32\DRIVERS\IFXTPM.SYS [2007-01-23 36608]
R3 mksidsf;mksidsf;\??\c:\windows\system32\mksidsf.sys [2007-05-24 11776]
R3 MksMonEn;MksMonEn;\??\c:\program files\mks_vir_2007\bin\MksMonEn.sys [2007-08-13 385024]
R3 MksMonEv;MksMonEv;\??\c:\program files\mks_vir_2007\bin\MksMonEv.sys [2007-05-24 89600]
R3 MksMonFd;MksMonFd;\??\c:\program files\mks_vir_2007\bin\MksMonFd.sys [2007-05-24 26624]
S2 ASBroker;Logon Session Broker;c:\windows\System32\svchost.exe -k Cognizance [2004-08-04 14336]
S2 IKANLOADER2;General Purpose USB Driver (e4ldr.sys);c:\windows\system32\Drivers\e4ldr.sys [2008-11-27 64000]
S3 HP24X;HP PC Card Smart Card Reader;c:\windows\system32\DRIVERS\HP24X.sys [2008-09-23 33024]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance REG_MULTI_SZ ASBroker ASChannel

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{628527b6-bd3d-11dd-abfd-4d6564696130}]
\Shell\AutOPLAY\cOmmaNd - F:\oyicum.exe
\Shell\AutoRun\command - F:\oyicum.exe
\Shell\ExpLORe\ComMANd - F:\oyicum.exe
\Shell\opeN\commAnD - F:\oyicum.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
msiexec /fums {09258F12-48E7-B18E-C414-1F48C215685F} /qb
.
Zawartość folderu 'Zaplanowane zadania'

2008-11-28 c:\windows\Tasks\Norton Security Scan for Martucha.job
- c:\program files\Norton Security Scan\Nss.exe [2008-09-19 04:18]
.
- - - - USUNIĘTO PUSTE WPISY - - - -

HKCU-Run-BitComet - c:\program files\BitComet\BitComet.exe


.
------- Skan uzupełniający -------
.
FireFox -: Profile - c:\documents and settings\Martucha\Dane aplikacji\Mozilla\Firefox\Profiles\7sy42pdx.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampie7&query=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://google.pl/
FF -: plugin - c:\documents and settings\All Users\Dane aplikacji\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll
FF -: plugin - c:\program files\Adobe\Acrobat 6.0 CE\Reader\browser\nppdf32.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPBREAKOUT.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPMAHJONG.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPMARBLES.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npzylomgamesplayer.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-28 19:48:57
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

skanowanie ukrytych procesów ...

skanowanie ukrytych wpisów autostartu ...

skanowanie ukrytych plików ...

skanowanie pomyślnie ukończone
ukryte pliki: 0

**************************************************************************
.
--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------

- - - - - - - > 'winlogon.exe'(756)
c:\windows\system32\Ati2evxx.dll
c:\windows\SbHpNp.DLL

- - - - - - - > 'lsass.exe'(812)
c:\windows\SbHpNp.dll
c:\program files\mks_vir_2007\bin\mkslsp.dll
.
------------------------ Pozostałe uruchomione procesy ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\scardsvr.exe
c:\windows\system32\FTRTSVC.exe
c:\windows\system32\IFXTCS.exe
c:\program files\mks_vir_2007\bin\MksVirMonSvc.exe
c:\windows\system32\IfxPsdSv.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Hewlett-Packard\Shared\hpqWmiEx.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\progra~1\NEOSTR~1\TaskBarIcon.exe
c:\program files\Hewlett-Packard\Embedded Security Software\PSDrt.exe
.
**************************************************************************
.
Czas ukończenia: 2008-11-28 19:51:43 - komputer został uruchomiony ponownie
ComboFix-quarantined-files.txt 2008-11-28 18:51:34

Przed: 22 552 875 008 bajtów wolnych
Po: 22,492,598,272 bajtów wolnych

WindowsXP-KB310994-SP2-Pro-BootDisk-PLK.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer

222 --- E O F --- 2008-11-12 16:47:37

log hijackthis

Kod: Zaznacz wszystko

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:57:50, on 2008-11-28
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\FTRTSVC.exe
c:\WINDOWS\system32\ifxspmgt.exe
c:\WINDOWS\system32\ifxtcs.exe
C:\Program Files\mks_vir_2007\bin\MksFwall.exe
C:\Program Files\mks_vir_2007\bin\MksPC.exe
C:\Program Files\mks_vir_2007\bin\mksupdate.exe
C:\Program Files\mks_vir_2007\bin\mksvirmonsvc.exe
c:\WINDOWS\system32\IfxPsdSv.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\mks_vir_2007\bin\mksregmon.exe
C:\Program Files\mks_vir_2007\bin\mks_mail.exe
C:\Program Files\mks_vir_2007\bin\mkstray.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\PROGRA~1\NEOSTR~1\TaskBarIcon.exe
c:\Program Files\Hewlett-Packard\Embedded Security Software\PSDrt.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\Martucha\USTAWI~1\Temp\mknc.exe
C:\DOCUME~1\Martucha\USTAWI~1\Temp\gqyja.exe
C:\DOCUME~1\Martucha\USTAWI~1\Temp\nqxp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/embed/hpsu/survey
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Credential Manager for HP ProtectTools - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - c:\Program Files\Hewlett-Packard\IAM\Bin\ItIEAddIn.dll
O4 - HKLM\..\Run: [HP Software Update] c:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [PTHOSTTR] c:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe c:\PROGRA~1\HEWLET~1\IAM\Bin\ASTSVCC.dll,RegisterModule
O4 - HKLM\..\Run: [IFXSPMGT] c:\WINDOWS\system32\ifxspmgt.exe /NotifyLogon
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [MKSRegmon] C:\Program Files\mks_vir_2007\bin\mksregmon.exe
O4 - HKLM\..\Run: [mks_mail] C:\Program Files\mks_vir_2007\bin\mks_mail.exe
O4 - HKLM\..\Run: [mkstray] C:\Program Files\mks_vir_2007\bin\mkstray.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\GestMaj.exe TaskBarIcon.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: CCC.lnk = ?
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Wyślij do urządzenia &Bluetooth... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O10 - Unknown file in Winsock LSP: c:\program files\mks_vir_2007\bin\\mkslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\mks_vir_2007\bin\\mkslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\mks_vir_2007\bin\\mkslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\mks_vir_2007\bin\\mkslsp.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{C7856CA4-E1EA-4ACB-99C0-12D6DDC8349E}: NameServer = 194.204.159.1 217.98.63.164
O20 - AppInit_DLLs: APSHook.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: France Telecom Routing Table Service (FTRTSVC) - France Telecom - C:\WINDOWS\System32\FTRTSVC.exe
O23 - Service: Drive Encryption Service (HpFkCryptService) - SafeBoot International - c:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Security Platform Management Service (IFXSpMgtSrv) - Infineon Technologies AG - c:\WINDOWS\system32\ifxspmgt.exe
O23 - Service: Trusted Platform Core Service (IFXTCS) - Infineon Technologies AG - c:\WINDOWS\system32\ifxtcs.exe
O23 - Service: MksFwall - MKS Sp z o.o. - C:\Program Files\mks_vir_2007\bin\MksFwall.exe
O23 - Service: MksPC - Unknown owner - C:\Program Files\mks_vir_2007\bin\MksPC.exe
O23 - Service: MksUpdate - MKS Sp. z o. o. - C:\Program Files\mks_vir_2007\bin\mksupdate.exe
O23 - Service: mks_vir file monitor (MksVirMonSvc) - Unknown owner - C:\Program Files\mks_vir_2007\bin\mksvirmonsvc.exe
O23 - Service: MkS_Scan - Unknown owner - C:\Program Files\mks_vir_2007\bin\mks_scan.exe
O23 - Service: Personal Secure Drive service (PersonalSecureDriveService) - Infineon Technologies AG - c:\WINDOWS\system32\IfxPsdSv.exe
O23 - Service: SWIHPWMI - Sierra Wireless Inc. - C:\Program Files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe

--
End of file - 8169 bytes


[wojtas]

Wykonaj to co jest podane w tym temacie

Zastosuj SDFix . Po pobraniu uruchom go a rozpakuje się do C:\SDFix. Uruchom komputer w trybie awaryjnym (F8 przy stracie systemu). Będąc w awaryjnym uruchom plik RunThis.bat z folderu SDFixa. Zatwierdź czyszczenie przez Y. Poczekaj aż ukończy i komputer zresetuje

Potem wejdz do folderu C:\SDFix wrzuc zawartość pliku Report.txt + log z combofixa oraz daj loga z hijacka

[Bury]

log Hijackthis

Kod: Zaznacz wszystko

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:46:33, on 2008-11-29
Platform: Windows XP Dodatek SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\FTRTSVC.exe
C:\Program Files\mks_vir_2007\bin\MksFwall.exe
C:\Program Files\mks_vir_2007\bin\MksPC.exe
C:\Program Files\mks_vir_2007\bin\mksupdate.exe
C:\Program Files\mks_vir_2007\bin\mksvirmonsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe
C:\Program Files\mks_vir_2007\bin\mkstray.exe
C:\Program Files\Lexmark 2200 Series\lxbvbmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\NEOSTR~1\TaskBarIcon.exe
C:\Program Files\mks_vir_2007\bin\mks_scan.exe
C:\Program Files\mks_vir_2007\bin\mks_scan.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Lexmark 2200 Series] "C:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe"
O4 - HKLM\..\Run: [mkstray] C:\Program Files\mks_vir_2007\bin\mkstray.exe
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\GestMaj.exe TaskBarIcon.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\program files\mks_vir_2007\bin\\mkslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\mks_vir_2007\bin\\mkslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\mks_vir_2007\bin\\mkslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\mks_vir_2007\bin\\mkslsp.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1224782772406
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1224782761359
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: France Telecom Routing Table Service (FTRTSVC) - France Telecom - C:\WINDOWS\System32\FTRTSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MksFwall - MKS Sp z o.o. - C:\Program Files\mks_vir_2007\bin\MksFwall.exe
O23 - Service: MksPC - Unknown owner - C:\Program Files\mks_vir_2007\bin\MksPC.exe
O23 - Service: MksUpdate - MKS Sp. z o. o. - C:\Program Files\mks_vir_2007\bin\mksupdate.exe
O23 - Service: mks_vir file monitor (MksVirMonSvc) - Unknown owner - C:\Program Files\mks_vir_2007\bin\mksvirmonsvc.exe
O23 - Service: MkS_Scan - Unknown owner - C:\Program Files\mks_vir_2007\bin\mks_scan.exe
O23 - Service: Office Source Engine (ose) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (file missing)

--
End of file - 5025 bytes


log combofix

Kod: Zaznacz wszystko

ComboFix 08-11-28.03 - Burandt 2008-11-29 12:43:28.8 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1250.1.1045.18.342 [GMT 1:00]
Uruchomiony z: c:\documents and settings\Burandt\Pulpit\ComboFix.exe
.

(((((((((((((((((((((((((   Pliki utworzone od 2008-10-28 do 2008-11-29  )))))))))))))))))))))))))))))))
.

2008-11-29 00:57 . 2008-11-29 00:57   <DIR>   d--------   c:\windows\ERUNT
2008-11-29 00:57 . 2008-11-29 00:57   580,096   --a--c---   c:\windows\system32\dllcache\user32.dll
2008-11-29 00:56 . 2008-11-29 12:44   <DIR>   d--h-----   c:\documents and settings\Administrator\Ustawienia lokalne
2008-11-29 00:56 . 2008-10-23 16:51   <DIR>   d--------   c:\documents and settings\Administrator\Ulubione
2008-11-29 00:56 . 2008-10-23 15:57   <DIR>   d--h-----   c:\documents and settings\Administrator\Szablony
2008-11-29 00:56 . 2008-11-29 00:57   <DIR>   d--------   c:\documents and settings\Administrator\Pulpit
2008-11-29 00:56 . 2008-10-23 16:51   <DIR>   d--------   c:\documents and settings\Administrator\Moje dokumenty
2008-11-29 00:56 . 2008-10-23 16:51   <DIR>   dr-------   c:\documents and settings\Administrator\Menu Start
2008-11-29 00:56 . 2008-10-23 16:51   <DIR>   dr-h-----   c:\documents and settings\Administrator\Dane aplikacji
2008-11-29 00:56 . 2008-11-29 00:56   <DIR>   d--------   c:\documents and settings\Administrator
2008-11-29 00:51 . 2008-11-29 12:13   <DIR>   d--------   C:\SDFix
2008-11-28 23:10 . 2008-11-28 23:10   <DIR>   d--------   c:\windows\system32\AlertModule
2008-11-28 22:05 . 2008-11-28 23:07   <DIR>   d--------   c:\program files\Malwarebytes' Anti-Malware
2008-11-28 22:05 . 2008-11-28 22:05   <DIR>   d--------   c:\documents and settings\Burandt\Dane aplikacji\Malwarebytes
2008-11-28 22:05 . 2008-11-28 22:05   <DIR>   d--------   c:\documents and settings\All Users\Dane aplikacji\Malwarebytes
2008-11-28 18:41 . 2008-11-28 18:41   <DIR>   d--------   c:\program files\Trend Micro
2008-11-28 14:38 . 2008-11-28 14:43   <DIR>   d-a------   c:\documents and settings\All Users\Dane aplikacji\TEMP
2008-11-23 17:32 . 2008-11-23 17:33   <DIR>   d--------   c:\program files\SkanerOnline
2008-11-23 17:10 . 2008-11-29 12:14   <DIR>   d--------   c:\program files\neostrada tp
2008-11-23 14:36 . 2008-11-23 20:04   <DIR>   d--------   c:\program files\SubEdit-Player
2008-11-23 14:35 . 2008-11-23 14:38   <DIR>   d--------   c:\program files\ToniArts
2008-11-23 00:14 . 2008-11-23 02:34   <DIR>   d--------   c:\program files\Crystal Player
2008-11-22 22:52 . 2008-11-22 22:52   <DIR>   d--------   c:\documents and settings\All Users\Dane aplikacji\ABBYY
2008-11-22 19:46 . 2008-11-22 19:46   <DIR>   d--------   c:\documents and settings\Burandt\Dane aplikacji\ABBYY
2008-11-22 19:44 . 2008-11-23 10:40   <DIR>   d--------   c:\program files\ABBYY
2008-11-15 15:40 . 2008-10-24 12:21   455,296   -----c---   c:\windows\system32\dllcache\mrxsmb.sys
2008-11-15 15:39 . 2008-09-04 18:17   1,106,944   -----c---   c:\windows\system32\dllcache\msxml3.dll
2008-11-04 20:35 . 2008-11-04 20:35   <DIR>   d--------   c:\documents and settings\Burandt\Dane aplikacji\AdobeUM
2008-11-01 18:54 . 2007-04-09 13:23   28,040   --a------   c:\windows\system32\mdimon.dll
2008-11-01 18:53 . 2008-11-01 18:59   <DIR>   d--------   c:\windows\SHELLNEW
2008-11-01 12:23 . 2008-11-02 12:06   <DIR>   d--------   c:\documents and settings\Burandt\Dane aplikacji\Nowe Gadu-Gadu
2008-11-01 12:21 . 2008-11-23 15:34   <DIR>   d--------   c:\program files\Nowe Gadu-Gadu

.
((((((((((((((((((((((((((((((((((((((((   Sekcja Find3M   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-23 14:23   ---------   d-----w   c:\program files\mks_vir_2007
2008-11-23 13:35   ---------   d--h--w   c:\program files\InstallShield Installation Information
2008-11-23 13:35   ---------   d-----w   c:\program files\Common Files\InstallShield
2008-11-23 10:10   ---------   d-----w   c:\program files\Lexmark 2200 Series
2008-10-25 22:20   ---------   d-----w   c:\documents and settings\Burandt\Dane aplikacji\Crystal Player
2008-10-24 11:21   455,296   ----a-w   c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 11:06   ---------   d-----w   c:\program files\microsoft frontpage
2008-10-24 11:06   ---------   d-----w   c:\documents and settings\Burandt\Dane aplikacji\Microsoft Web Folders
2008-10-23 18:10   ---------   d-----w   c:\program files\Common Files\Adobe
2008-10-23 15:26   33   ----a-w   c:\windows\system32\drivers\adidsl.cfg
2008-10-23 15:26   ---------   d-----w   c:\program files\SAGEM
2008-10-23 15:25   ---------   d-----w   c:\program files\Java
2008-10-23 15:23   ---------   d-----w   c:\program files\Common Files\Ahead
2008-10-23 15:21   ---------   d-----w   c:\program files\Ahead
2008-10-23 15:12   ---------   d-----w   c:\program files\Realtek Sound Manager
2008-10-23 15:12   ---------   d-----w   c:\program files\AvRack
2008-10-23 15:11   ---------   d-----w   c:\program files\Gigabyte
2008-10-23 15:09   ---------   d-----w   c:\program files\Intel
2008-10-23 15:01   558,142   ----a-w   c:\windows\java\Packages\BLNPNBXR.ZIP
2008-10-23 15:01   155,995   ----a-w   c:\windows\java\Packages\O2AMYDZV.ZIP
2008-10-23 14:57   ---------   d-----w   c:\program files\Usługi online
2008-10-16 13:13   202,776   ----a-w   c:\windows\system32\wuweb.dll
2008-10-16 13:13   1,809,944   ----a-w   c:\windows\system32\wuaueng.dll
2008-10-16 13:12   561,688   ----a-w   c:\windows\system32\wuapi.dll
2008-10-16 13:12   323,608   ----a-w   c:\windows\system32\wucltui.dll
2008-10-16 13:09   92,696   ----a-w   c:\windows\system32\cdm.dll
2008-10-16 13:09   51,224   ----a-w   c:\windows\system32\wuauclt.exe
2008-10-16 13:09   43,544   ----a-w   c:\windows\system32\wups2.dll
2008-10-16 13:08   34,328   ----a-w   c:\windows\system32\wups.dll
2008-09-15 15:27   1,846,656   ----a-w   c:\windows\system32\win32k.sys
2008-09-10 01:15   1,307,648   ------w   c:\windows\system32\msxml6.dll
2008-09-04 17:17   1,106,944   ----a-w   c:\windows\system32\msxml3.dll
.

(((((((((((((((((((((((((((((   snapshot@2008-11-29_12.05.37,82   )))))))))))))))))))))))))))))))))))))))))
.
- 2008-11-28 23:57:03   380,928   ----a-w   c:\windows\ERUNT\SDFIX\Users\[u]0[/u]0000001\NTUSER.DAT
+ 2008-11-29 11:09:05   380,928   ----a-w   c:\windows\ERUNT\SDFIX\Users\[u]0[/u]0000001\NTUSER.DAT
- 2008-11-28 23:57:03   8,192   ----a-w   c:\windows\ERUNT\SDFIX\Users\[u]0[/u]0000002\UsrClass.dat
+ 2008-11-29 11:09:05   8,192   ----a-w   c:\windows\ERUNT\SDFIX\Users\[u]0[/u]0000002\UsrClass.dat
+ 2008-11-29 11:43:33   16,384   ----atw   c:\windows\temp\Perflib_Perfdata_e44.dat
.
(((((((((((((((((((((((((((((((((((((   Wpisy startowe rejestru   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-03-11 233472]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 225280]
"Lexmark 2200 Series"="c:\program files\Lexmark 2200 Series\lxbvbmgr.exe" [2004-02-13 57344]
"mkstray"="c:\program files\mks_vir_2007\bin\mkstray.exe" [2007-08-13 663552]
"WOOWATCH"="c:\progra~1\NEOSTR~1\Watch.exe" [2004-08-23 20480]
"WOOTASKBARICON"="c:\progra~1\NEOSTR~1\GestMaj.exe" [2004-10-14 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\System32\\igfxtray.exe"=
"c:\\WINDOWS\\system32\\userinit.exe"=
"c:\\Program Files\\Lexmark 2200 Series\\lxbvbmgr.exe"=
"c:\\Program Files\\mks_vir_2007\\bin\\mks2007.exe"=
"c:\\Program Files\\mks_vir_2007\\bin\\mks_mail.exe"=
"c:\\WINDOWS\\SOUNDMAN.EXE"=
"c:\\Program Files\\mks_vir_2007\\bin\\mksregmon.exe"=
"c:\\Program Files\\mks_vir_2007\\bin\\mkstray.exe"=
"c:\\PROGRA~1\\NEOSTR~1\\TaskBarIcon.exe"=
"c:\\PROGRA~1\\NEOSTR~1\\GestMaj.exe"=
"c:\\PROGRA~1\\NEOSTR~1\\Inactivity.exe"=
"c:\\ComboFix\\NirCmd.cfexe"=
"c:\\Program Files\\Trend Micro\\HijackThis\\HijackThis.exe"=
"c:\\Program Files\\neostrada tp\\neostradatp.exe"=
"c:\\WINDOWS\\system32\\netsh.exe"=
"c:\\Program Files\\mks_vir_2007\\bin\\mks_scan.exe"=

R0 mksidsa;mksidsa;c:\windows\system32\mksidsa.sys [2007-05-24 6144]
R1 mksfwallf;mksfwallf;\??\c:\windows\System32\mksfwallf.sys [2007-05-24 13312]
R1 mksfwallt;mksfwallt;\??\c:\windows\System32\mksfwallt.sys [2007-05-24 15360]
R2 MksFwall;MksFwall;"c:\program files\mks_vir_2007\bin\MksFwall.exe" [2007-05-24 270336]
R2 MksPC;MksPC;"c:\program files\mks_vir_2007\bin\MksPC.exe" [2007-05-24 253952]
R2 MksUpdate;MksUpdate;"c:\program files\mks_vir_2007\bin\mksupdate.exe" [2007-05-24 570880]
R3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\mohmik.sys []
R3 MksMonFd;MksMonFd;\??\c:\program files\mks_vir_2007\bin\MksMonFd.sys [2007-05-24 26624]
S2 IKANLOADER2;General Purpose USB Driver (e4ldr.sys);c:\windows\system32\Drivers\e4ldr.sys [2008-10-23 64000]
S3 e4usbaw;USB ADSL2 WAN Adapter;c:\windows\system32\DRIVERS\e4usbaw.sys [2008-10-23 116992]
S3 mksidsf;mksidsf;\??\c:\windows\System32\mksidsf.sys [2007-05-24 11776]
S3 MksMonEn;MksMonEn;\??\c:\program files\mks_vir_2007\bin\MksMonEn.sys [2007-08-13 385024]
S3 MksMonEv;MksMonEv;\??\c:\program files\mks_vir_2007\bin\MksMonEv.sys [2007-05-24 89600]
.
.
------- Skan uzupełniający -------
.
FireFox -: Profile - c:\documents and settings\Burandt\Dane aplikacji\Mozilla\Firefox\Profiles\cr7rlfbi.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.wp.pl/
FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\program files\Java\j2re1.4.0_03\bin\NPJava11.dll
FF -: plugin - c:\program files\Java\j2re1.4.0_03\bin\NPJava12.dll
FF -: plugin - c:\program files\Java\j2re1.4.0_03\bin\NPJava13.dll
FF -: plugin - c:\program files\Java\j2re1.4.0_03\bin\NPJava32.dll
FF -: plugin - c:\program files\Java\j2re1.4.0_03\bin\NPJPI140_03.dll
FF -: plugin - c:\program files\Java\j2re1.4.0_03\bin\NPOJI610.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-29 12:44:30
Windows 5.1.2600 Dodatek Service Pack 3 NTFS

skanowanie ukrytych procesów ...

skanowanie ukrytych wpisów autostartu ...

skanowanie ukrytych plików ...

skanowanie pomyślnie ukończone
ukryte pliki: 0

**************************************************************************
.
--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------

- - - - - - - > 'lsass.exe'(580)
c:\program files\mks_vir_2007\bin\mkslsp.dll
.
Czas ukończenia: 2008-11-29 12:45:28
ComboFix-quarantined-files.txt  2008-11-29 11:45:22
ComboFix2.txt  2008-11-29 11:06:33
ComboFix3.txt  2008-11-29 09:09:13

Przed: 29 860 659 200 bajtów wolnych
Po: 29,852,356,608 bajtów wolnych

183   --- E O F ---   2008-11-15 17:34:16


log sdfix

Kod: Zaznacz wszystko

[b]SDFix: Version 1.240 [/b]
Run by Administrator on 2008-11-29 at 12:10

Microsoft Windows XP [Wersja 5.1.2600]
Running From: C:\SDFix

[b]Checking Services [/b]:


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


[b]Checking Files [/b]:

No Trojan Files Found






Removing Temp Files

[b]ADS Check [/b]:



                                 [b]Final Check [/b]:

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-29 12:12:22
Windows 5.1.2600 Dodatek Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


[b]Remaining Services [/b]:




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\System32\\igfxtray.exe"="C:\\WINDOWS\\System32\\igfxtray.exe:*:Enabled:ipsec"
"C:\\WINDOWS\\system32\\userinit.exe"="C:\\WINDOWS\\system32\\userinit.exe:*:Enabled:ipsec"
"C:\\Program Files\\Lexmark 2200 Series\\lxbvbmgr.exe"="C:\\Program Files\\Lexmark 2200 Series\\lxbvbmgr.exe:*:Enabled:ipsec"
"C:\\Program Files\\mks_vir_2007\\bin\\mks2007.exe"="C:\\Program Files\\mks_vir_2007\\bin\\mks2007.exe:*:Enabled:ipsec"
"C:\\Program Files\\mks_vir_2007\\bin\\mks_mail.exe"="C:\\Program Files\\mks_vir_2007\\bin\\mks_mail.exe:*:Enabled:ipsec"
"C:\\WINDOWS\\SOUNDMAN.EXE"="C:\\WINDOWS\\SOUNDMAN.EXE:*:Enabled:ipsec"
"C:\\Program Files\\mks_vir_2007\\bin\\mksregmon.exe"="C:\\Program Files\\mks_vir_2007\\bin\\mksregmon.exe:*:Enabled:ipsec"
"C:\\Program Files\\mks_vir_2007\\bin\\mkstray.exe"="C:\\Program Files\\mks_vir_2007\\bin\\mkstray.exe:*:Enabled:ipsec"
"C:\\PROGRA~1\\NEOSTR~1\\TaskBarIcon.exe"="C:\\PROGRA~1\\NEOSTR~1\\TaskBarIcon.exe:*:Enabled:ipsec"
"C:\\PROGRA~1\\NEOSTR~1\\GestMaj.exe"="C:\\PROGRA~1\\NEOSTR~1\\GestMaj.exe:*:Enabled:ipsec"
"C:\\PROGRA~1\\NEOSTR~1\\Inactivity.exe"="C:\\PROGRA~1\\NEOSTR~1\\Inactivity.exe:*:Enabled:ipsec"
"C:\\ComboFix\\NirCmd.cfexe"="C:\\ComboFix\\NirCmd.cfexe:*:Enabled:ipsec"
"C:\\Program Files\\Trend Micro\\HijackThis\\HijackThis.exe"="C:\\Program Files\\Trend Micro\\HijackThis\\HijackThis.exe:*:Enabled:ipsec"
"C:\\Program Files\\neostrada tp\\neostradatp.exe"="C:\\Program Files\\neostrada tp\\neostradatp.exe:*:Enabled:ipsec"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[b]Remaining Files [/b]:



[b]Files with Hidden Attributes [/b]:

Wed  3 May 2006        25,600 A..H. --- "C:\Documents and Settings\Burandt\Moje dokumenty\KOCIA\~WRL0923.tmp"
Tue  1 May 2007     4,508,160 A..H. --- "C:\Documents and Settings\Burandt\Moje dokumenty\dok.- Waldek\studia - ochrona ˜rodowiska\~WRL0894.tmp"
Sat  4 Feb 2006   106,235,392 A..H. --- "C:\Documents and Settings\Burandt\Moje dokumenty\dok.- Waldek\studia - ochrona ˜rodowiska\Praca inľynierska\~WRL3139.tmp"
Sat  5 May 2007        45,056 A..H. --- "C:\Documents and Settings\Burandt\Moje dokumenty\dok.- Waldek\studia - ochrona ˜rodowiska\praca magisterska\opracowania wˆasne\~WRL0329.tmp"
Sat  5 May 2007        43,520 A..H. --- "C:\Documents and Settings\Burandt\Moje dokumenty\dok.- Waldek\studia - ochrona ˜rodowiska\praca magisterska\opracowania wˆasne\~WRL1742.tmp"
Sat  5 May 2007        51,712 A..H. --- "C:\Documents and Settings\Burandt\Moje dokumenty\dok.- Waldek\studia - ochrona ˜rodowiska\praca magisterska\opracowania wˆasne\~WRL2532.tmp"
Sat  5 May 2007        58,880 A..H. --- "C:\Documents and Settings\Burandt\Moje dokumenty\dok.- Waldek\studia - ochrona ˜rodowiska\praca magisterska\opracowania wˆasne\~WRL3454.tmp"

[b]Finished![/b]



[wojtas]

skasuj to w hijacku:

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

1. Ściągnij OTMoveIt i go włacz i odpal go z opcji CleanUp oraz skasuj folder C:\Qoobox
2. wykonaj optymalizację windowsa
3.sciagnij ATF_Cleaner
zaznacz
Windows Temp
All users Temp
Temporary internet files
Recycle Bin
i wcisnij EMPTY SELECTED
4.Wyłącz przywracanie systemu ( właściwości mój komputer-zakładka przywracanie - wyłącz przywracanie na wszystkich dyskach). Po chwili włącz je powrotem
5.Przeskanuj obszar mojego komputera http://www.kaspersky.pl/virusscanner.html (uruchom przez IE) Daj raport z niego na forum.

i tym:

FixIEDef.

[Bury]

Dzięki za pomoc ale nic z tego. Niestety wszelkie próby zawiodły, "menadżer zadań wyłączony przez administratora", "edytor rejestru wyłączony przez administratora" , tryb awaryjny nie odpala odnoszę wrażenie że to koniec format tylko mi pozostaje W ten sposób szybko to zakończę.