Kłopoty z ekplorer.exe

[mirekg1963]

Witam moich dobroczyńców, całuję po nóżkach i pytam na razie grzecznie ! Mam kilka domowych kompów połączonych w sieci ( taki malutki warsztacik) i co ja tu ostatni widzę? Ano przy starcie windowsa pojawia się komunikat że nastąpiły problemy z aplikacją eksplorer.EXE i zostanie on zamknięta i niby mnie przeprasza.Po czym kiedy komunikat zamykam następuję chwilowe zaniknięcie ikon po czym również chwilowe pojawienie się okienka ustawienia spersonalizowane i wszystko wraca do normy. Mam to już na wszystkich kompach . Powyłączałem co trzeba w msconfig (tak mi się wydaje), przeskanowałem itp. Mój system to xp! Proszę koleżeństwa a może tak jakaś trafna bądź celna rada na to co się dzieje w moim kompie! Helpik, pleasik

[wojtas]

Wykonaj to co jest podane w tym temacie

Zastosuj SDFix . Po pobraniu uruchom go a rozpakuje się do C:\SDFix. Uruchom komputer w trybie awaryjnym (F8 przy stracie systemu). Będąc w awaryjnym uruchom plik RunThis.bat z folderu SDFixa. Zatwierdź czyszczenie przez Y. Poczekaj aż ukończy i komputer zresetuje

Potem wejdz do folderu C:\SDFix wrzuc zawartość pliku Report.txt + log z combofixa oraz daj loga z hijacka

[mirekg1963]

Witam ! Idąc za radą szanownego kolegi robię co następuje
...z SDFix- a

Kod: Zaznacz wszystko

[b]SDFix: Version 1.240 [/b]
Run by admin on 2009-04-03 at 09:43

Microsoft Windows XP [Wersja 5.1.2600]
Running From: C:\SDFix

[b]Checking Services [/b]:


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


[b]Checking Files [/b]:

Trojan Files Found:

C:\autorun.inf - Deleted
C:\Documents and Settings\admin.XPN19\Ustawienia lokalne\Temp\nsb4.tmp.exe - Deleted
C:\Documents and Settings\admin.XPN19\Ustawienia lokalne\Temp\nsl62.tmp.exe - Deleted



Folder C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013 - Removed


Removing Temp Files

[b]ADS Check [/b]:



                                 [b]Final Check [/b]:

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-03 09:56:15
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


[b]Remaining Services [/b]:




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\Metin2_PL\\metin2.bin"="C:\\Program Files\\Metin2_PL\\metin2.bin:*:Enabled:metin2"
"C:\\Program Files\\Nowe Gadu-Gadu\\gg.exe"="C:\\Program Files\\Nowe Gadu-Gadu\\gg.exe:*:Enabled:Nowe Gadu-Gadu"
"C:\\Program Files\\Valve\\hl.exe"="C:\\Program Files\\Valve\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Program Files\\MTA San Andreas\\server\\MTA Server.exe"="C:\\Program Files\\MTA San Andreas\\server\\MTA Server.exe:*:Enabled:MTA Server"
"C:\\Documents and Settings\\TEMP.XPN19\\Pulpit\\newlongju\\metin2.bin"="C:\\Documents and Settings\\TEMP.XPN19\\Pulpit\\newlongju\\metin2.bin:*:Enabled:metin2"
"C:\\Program Files\\BearShare Applications\\BearShare\\BearShare.exe"="C:\\Program Files\\BearShare Applications\\BearShare\\BearShare.exe:*:Enabled:BearShare"
"D:\\Program Files\\Metin2_PL\\metin_2009longju.exe"="D:\\Program Files\\Metin2_PL\\metin_2009longju.exe:*:Enabled:metin_2009longju"
"C:\\Program Files\\BearShare\\BearShare.exe"="C:\\Program Files\\BearShare\\BearShare.exe:*:Enabled:BearShare"
"D:\\Program Files\\Metin2_PL\\metin2.bin"="D:\\Program Files\\Metin2_PL\\metin2.bin:*:Enabled:metin2"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[b]Remaining Files [/b]:


File Backups: - C:\SDFix\backups\backups.zip

[b]Files with Hidden Attributes [/b]:

Tue 10 Feb 2009       109,006 ..SHR --- "C:\2aaxaiy.exe"
Tue  3 Feb 2009       108,836 ..SHR --- "C:\a2h2.com"
Wed 11 Mar 2009       107,190 ..SHR --- "C:\cb.exe"
Fri 30 Jan 2009       109,127 ..SHR --- "C:\hl80c6b1.com"
Tue 17 Feb 2009       107,564 ..SHR --- "C:\hyetn1i.exe"
Tue 10 Feb 2009       109,724 ..SHR --- "C:\opgde.exe"
Tue  3 Feb 2009       108,836 ..SHR --- "C:\pook.com"
Mon 16 Feb 2009       106,803 ..SHR --- "C:\qphdin.com"
Fri 13 Feb 2009       107,823 ..SHR --- "C:\ur0.com"
Sat 21 Feb 2009       107,796 ..SHR --- "C:\w2.com"
Thu 22 Jan 2009       107,882 ..SHR --- "C:\w98.com"
Thu 12 Mar 2009       108,968 ..SHR --- "C:\xdw.com"
Sun  2 Nov 2008       118,784 A.SHR --- "C:\SYSTEM\S-1-5-21-1482476501-1644491937-682003330-1013\system32.exe"
Fri 13 Mar 2009        84,992 ..SHR --- "C:\WINDOWS\system32\gasretyw0.dll"
Fri 13 Mar 2009        94,720 ..SHR --- "C:\WINDOWS\system32\nmdfgds0.dll"
Thu 12 Mar 2009        94,720 ..SHR --- "C:\WINDOWS\system32\nmdfgds1.dll"
Fri 27 Feb 2009   311,684,381 A..H. --- "C:\SDFix\backups\movedfile.vir\Pulpit\Tutorial7.zip"
Tue 23 Oct 2007     3,350,528 A..H. --- "C:\Documents and Settings\admin.XPN19\Dane aplikacji\U3\temp\Launchpad Removal.exe"
Tue 23 Oct 2007     3,350,528 A..H. --- "C:\SDFix\backups\movedfile.vir\Dane aplikacji\U3\temp\Launchpad Removal.exe"
Sun 11 Jan 2009       107,548 A.SH. --- "C:\SDFix\backups\movedfile.vir\Menu Start\Programy\Autostart\lsass.exe"

[b]Finished![/b]



....z ComboFix

Kod: Zaznacz wszystko

ComboFix 09-04-01.01 - admin 2009-04-03 10:10:22.1 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1250.1.1045.18.447.113 [GMT 2:00]
Uruchomiony z: c:\documents and settings\admin.XPN19\Pulpit\ComboFix.exe
* Utworzono nowy punkt przywracania
.

(((((((((((((((((((((((((((((((((((((((   Usunięto   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\1utbfd.bat
C:\2aaxaiy.exe
C:\2fiy.bat
C:\autorun.inf
C:\m0vnonh.bat
C:\MS32DLL.dll.vbs
C:\pook.com
c:\system\S-1-5-21-1482476501-1644491937-682003330-1013
c:\system\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini
c:\system\S-1-5-21-1482476501-1644491937-682003330-1013\system32.exe
C:\uvsqfgwd.cmd
c:\windows\MS32DLL.dll.vbs
c:\windows\system32\_000036_.tmp.dll
c:\windows\system32\gasretyw0.dll
c:\windows\system32\nmdfgds0.dll
c:\windows\system32\nmdfgds1.dll
D:\[u]0[/u]u.cmd
D:\[u]0[/u]w.com
D:\1gk8ha.bat
D:\1u0o8bnq.cmd
D:\1utbfd.bat
D:\2aaxaiy.exe
D:\2fiy.bat
D:\2u.com
D:\3rl3lqbq.bat
D:\68.exe
D:\9.cmd
D:\9yqusig.bat
D:\a1.bat
D:\abk.bat
D:\Autorun.inf
D:\b.exe
D:\b0j6j16.bat
D:\cv22.cmd
D:\e.cmd
D:\ev60a2.cmd
D:\fe.bat
D:\h3.bat
D:\ij.bat
D:\iky.bat
D:\iqe68o.bat
D:\lky.exe
D:\m0vnonh.bat
D:\m2nl.bat
D:\MS32DLL.dll.vbs
D:\ncyrf.bat
D:\nfdmg.com
D:\nq0cq.cmd
D:\p1y2.cmd
D:\pnt.com
D:\pook.com
D:\rcukd.cmd
D:\sq.com
D:\uvsqfgwd.cmd
D:\vxl.exe
D:\wjlfhtfm.cmd
D:\xih9.cmd
D:\xk2n.bat
D:\yannh.cmd

.
(((((((((((((((((((((((((   Pliki utworzone od 2009-03-03 do 2009-04-03  )))))))))))))))))))))))))))))))
.

2009-04-03 09:41 . 2009-04-03 09:41   <DIR>   d--------   c:\windows\ERUNT
2009-04-03 09:31 . 2009-04-03 09:57   <DIR>   d--------   C:\SDFix
2009-04-02 19:17 . 2009-04-03 10:09   3,478   -rahs----   C:\pagefile.sys.vbs
2009-03-31 18:10 . 2009-03-31 18:51   <DIR>   d--------   c:\program files\BearShare
2009-03-31 18:10 . 2009-03-31 18:12   <DIR>   d--------   C:\My Downloads
2009-03-31 16:32 . 2009-04-03 10:10   <DIR>   dr-hs----   C:\SYSTEM
2009-03-27 20:10 . 2009-03-30 10:05   <DIR>   d--------   c:\documents and settings\admin.XPN19\.gstreamer-0.10
2009-03-25 15:43 . 2009-04-01 13:25   <DIR>   d--------   c:\documents and settings\admin.XPN19\Dane aplikacji\Winamp
2009-03-25 15:40 . 2009-03-25 15:40   <DIR>   d--------   c:\documents and settings\admin.XPN19\Dane aplikacji\Media Player Classic
2009-03-25 15:40 . 2009-03-25 15:40   <DIR>   d--------   c:\documents and settings\admin.XPN19\Dane aplikacji\DivX
2009-03-25 15:09 . 2005-05-26 16:34   2,297,552   --a------   c:\windows\system32\d3dx9_26.dll
2009-03-25 15:04 . 2009-03-25 15:06   <DIR>   d--------   C:\NFSMWDemo
2009-03-23 19:21 . 2009-03-23 19:21   <DIR>   d--------   c:\program files\ChomikBox
2009-03-23 10:41 . 2009-03-23 10:41   <DIR>   d--------   c:\program files\Defraggler
2009-03-19 21:47 . 2009-03-19 21:47   <DIR>   d---s----   c:\documents and settings\admin.XPN19\UserData
2009-03-17 20:54 . 2009-03-18 15:05   <DIR>   d--------   c:\program files\BearShare Applications
2009-03-17 20:54 . 2009-03-17 20:54   <DIR>   d--------   c:\documents and settings\All Users\Dane aplikacji\29213
2009-03-17 14:05 . 2009-03-30 16:43   <DIR>   d--------   c:\documents and settings\admin.XPN19\Dane aplikacji\GanymedeNet
2009-03-17 14:05 . 2009-03-17 14:05   4   --a------   c:\windows\system32\proc1395793746.bin
2009-03-17 10:24 . 2009-03-17 10:16   15,688   --a------   c:\windows\system32\lsdelete.exe
2009-03-17 10:19 . 2009-03-17 10:19   <DIR>   d--------   c:\documents and settings\LocalService\Pulpit
2009-03-17 10:16 . 2009-03-17 10:16   64,160   --a------   c:\windows\system32\drivers\Lbd.sys
2009-03-17 10:14 . 2009-03-17 10:14   <DIR>   d--------   c:\program files\Lavasoft
2009-03-17 10:14 . 2009-03-17 10:14   <DIR>   d--h-c---   c:\documents and settings\All Users\Dane aplikacji\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-03-12 18:14 . 2009-03-12 18:14   108,968   -r-hs----   C:\xdw.com
2009-03-11 21:48 . 2009-03-11 22:01   <DIR>   d--------   c:\documents and settings\admin.XPN19\Dane aplikacji\Tibia
2009-03-11 19:58 . 2009-03-11 19:58   <DIR>   d--------   c:\documents and settings\admin.XPN19\Dane aplikacji\OpenOffice.org
2009-03-11 18:32 . 2009-03-11 18:32   107,190   -r-hs----   C:\cb.exe
2009-03-11 18:04 . 2009-04-01 18:35   <DIR>   d--------   c:\documents and settings\admin.XPN19\Dane aplikacji\Nowe Gadu-Gadu
2009-03-11 13:39 . 2009-03-31 16:31   <DIR>   d--------   c:\documents and settings\admin.XPN19\Dane aplikacji\U3
2009-03-11 13:20 . 2004-08-04 00:08   31,616   --a------   c:\windows\system32\drivers\usbccgp.sys
2009-03-11 13:20 . 2004-08-04 00:08   31,616   --a--c---   c:\windows\system32\dllcache\usbccgp.sys
2009-03-11 12:15 . 2009-03-11 12:15   <DIR>   d--------   c:\documents and settings\All Users\Dane aplikacji\101E4
2009-03-11 12:14 . 2008-09-25 15:20   483,328   --a------   c:\windows\system32\actskn45.ocx
2009-03-10 19:47 . 2009-03-10 19:47   <DIR>   d--------   c:\documents and settings\admin.XPN19\Dane aplikacji\.clamwin
2009-03-10 19:46 . 2009-01-02 17:14   <DIR>   d--h-----   c:\documents and settings\admin.XPN19\Ustawienia lokalne
2009-03-10 19:46 . 2009-03-10 19:47   <DIR>   dr-------   c:\documents and settings\admin.XPN19\Ulubione
2009-03-10 19:46 . 2009-01-02 16:26   <DIR>   d--h-----   c:\documents and settings\admin.XPN19\Szablony
2009-03-10 19:46 . 2009-04-03 10:02   <DIR>   d--------   c:\documents and settings\admin.XPN19\Pulpit
2009-03-10 19:46 . 2009-03-31 17:59   <DIR>   dr-------   c:\documents and settings\admin.XPN19\Moje dokumenty
2009-03-10 19:46 . 2009-01-02 17:14   <DIR>   dr-------   c:\documents and settings\admin.XPN19\Menu Start
2009-03-10 19:46 . 2009-04-03 09:49   <DIR>   dr-h-----   c:\documents and settings\admin.XPN19\Dane aplikacji
2009-03-10 19:46 . 2009-03-27 20:10   <DIR>   d--------   c:\documents and settings\admin.XPN19
2009-03-10 18:41 . 2009-03-10 18:41   <DIR>   d--------   c:\documents and settings\TEMP.XPN19
2009-03-09 13:17 . 2008-09-19 14:54   1,081,616   --a------   c:\windows\system32\MSCOMCTL.OCX
2009-03-06 21:18 . 2009-03-06 21:18   <DIR>   d--------   c:\windows\WinAVI Video Converter 9.0
2009-03-06 12:29 . 2009-03-06 15:01   <DIR>   d--------   c:\program files\MTA San Andreas
2009-03-06 12:28 . 1998-06-18 01:00   89,360   --a------   c:\windows\system32\VB5DB.DLL
2009-03-06 12:02 . 2003-02-07 00:40   195,188   --a------   c:\windows\system32\GDIplus.tlb
2009-03-06 11:41 . 2009-03-06 15:00   <DIR>   d--------   c:\program files\Empire Interactive
2009-03-04 22:26 . 2009-03-04 22:26   <DIR>   d--------   c:\program files\Nowe Gadu-Gadu
2009-03-04 15:49 . 2009-01-02 17:14   <DIR>   d--h-----   c:\documents and settings\TEMP\Ustawienia lokalne
2009-03-04 15:49 . 2009-01-02 17:14   <DIR>   d--------   c:\documents and settings\TEMP\Ulubione
2009-03-04 15:49 . 2009-01-02 16:26   <DIR>   d--h-----   c:\documents and settings\TEMP\Szablony
2009-03-04 15:49 . 2009-01-02 17:14   <DIR>   d--------   c:\documents and settings\TEMP\Pulpit
2009-03-04 15:49 . 2009-03-04 15:49   <DIR>   dr-------   c:\documents and settings\TEMP\Moje dokumenty
2009-03-04 15:49 . 2009-01-02 17:14   <DIR>   dr-------   c:\documents and settings\TEMP\Menu Start
2009-03-04 15:49 . 2009-01-02 17:14   <DIR>   dr-h-----   c:\documents and settings\TEMP\Dane aplikacji
2009-03-04 15:49 . 2009-03-04 15:49   <DIR>   d--------   c:\documents and settings\TEMP
2009-03-03 21:18 . 2009-03-03 21:18   <DIR>   d--------   c:\program files\K-Lite Codec Pack

.
((((((((((((((((((((((((((((((((((((((((   Sekcja Find3M   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-03 08:09   3,478   --sha-r   c:\windows\pagefile.sys.vbs
2009-03-25 13:44   ---------   d-----w   c:\program files\winamp
2009-03-25 12:22   ---------   d-----w   c:\program files\Valve
2009-03-25 09:35   ---------   d-----w   c:\program files\Metin2_PL
2009-03-23 13:22   ---------   d-----w   c:\program files\Ganymede
2009-03-06 13:01   ---------   d--h--w   c:\program files\InstallShield Installation Information
2009-03-06 13:00   ---------   d-----w   c:\program files\Common Files\InstallShield
2009-03-03 09:11   ---------   d-----w   c:\program files\WarRock
2009-03-03 09:10   ---------   d-----w   c:\program files\D.B. World
2009-02-24 14:21   ---------   d-----w   c:\program files\Ganz
2009-02-23 09:33   ---------   d-----w   c:\program files\Windows Media Connect 2
2009-02-21 09:21   25,280   ----a-w   c:\windows\system32\drivers\hamachi.sys
2009-02-21 08:13   ---------   d-----w   c:\program files\Tibia
2009-02-21 08:03   107,796   --sh--r   C:\w2.com
2009-02-19 17:54   ---------   d-----w   c:\program files\Apple Software Update
2009-02-19 17:54   ---------   d-----w   c:\documents and settings\All Users\Dane aplikacji\Apple
2009-02-17 09:03   107,564   --sh--r   C:\hyetn1i.exe
2009-02-16 08:29   106,803   --sh--r   C:\qphdin.com
2009-02-13 19:12   107,823   --sh--r   C:\ur0.com
2009-02-13 14:24   ---------   d-----w   c:\documents and settings\All Users\Dane aplikacji\Trymedia
2009-02-10 16:16   109,724   --sh--r   C:\opgde.exe
2009-02-09 14:19   1,846,528   ----a-w   c:\windows\system32\win32k.sys
2009-02-07 09:13   ---------   d-----w   c:\program files\Odkurzacz
2009-02-04 13:07   254,206,888   ----a-w   c:\program files\SyrenkaRacer.rar
2009-02-03 15:27   108,836   --sh--r   C:\a2h2.com
2009-01-30 17:01   109,127   --sh--r   C:\hl80c6b1.com
2009-01-22 19:01   107,882   --sh--r   C:\w98.com
2009-01-15 11:22   410,984   ----a-w   c:\windows\system32\deploytk.dll
.

(((((((((((((((((((((((((((((((((((((   Wpisy startowe rejestru   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Odkurzacz-MCD"="c:\program files\Odkurzacz\odk_mcd.exe" [2008-08-16 264704]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-31 7634944]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-31 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-15 136600]
"ClamWin"="c:\program files\ClamWin\bin\ClamTray.exe" [2008-11-09 86016]
"MSRegInfo"="c:\windows\pagefile.sys.vbs" [2009-04-03 3478]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-17 515416]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-03-09 37888]
"nwiz"="nwiz.exe" [2006-10-31 c:\windows\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-01-30 c:\windows\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2006-03-02 15360]

c:\documents and settings\admin.XPN19\Menu Start\Programy\Autostart\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-09-12 384000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Taskman"="c:\recycler\S-1-5-21-4333671949-2011856151-261119530-3745\isl.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^svchost.exe]
path=c:\documents and settings\All Users\Menu Start\Programy\Autostart\svchost.exe
backup=c:\windows\pss\svchost.exeCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2006-03-02 14:00 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSRegInfo]
-rahs---- 2009-04-03 10:09 3478 c:\windows\pagefile.sys.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
-r------- 2006-05-16 12:04 2879488 c:\windows\SkyTel.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Metin2_PL\\metin2.bin"=
"c:\\Program Files\\Nowe Gadu-Gadu\\gg.exe"=
"c:\\Program Files\\Valve\\hl.exe"=
"d:\\Program Files\\Metin2_PL\\metin_2009longju.exe"=
"d:\\Program Files\\Metin2_PL\\metin2.bin"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8461:TCP"= 8461:TCP:GoD High Port
"8462:TCP"= 8462:TCP:GoD Low Port

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-03-17 64160]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 951632]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{951b5bc8-1e00-11de-8746-001a4d7a076b}]
\Shell\AutoRun\command - e:\system\S-1-5-21-1482476501-1644491937-682003330-1013\system32.exe
\Shell\open\command - e:\system\S-1-5-21-1482476501-1644491937-682003330-1013\system32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{951b5bc9-1e00-11de-8746-001a4d7a076b}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{99816816-e244-11dd-8621-001a4d7a076b}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ae9e635c-0e2e-11de-86f6-001a4d7a076b}]
\Shell\AutoRun\command - E:\m9ma.exe
\Shell\explore\Command - E:\m9ma.exe
\Shell\open\Command - E:\m9ma.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c89277bc-17ce-11de-8729-001a4d7a076b}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{28ABC5C0-4FCB-11CF-AAX5-21CX1C643131}]
c:\system\S-1-5-21-1482476501-1644491937-682003330-1013\system32.exe
.
Zawartość folderu 'Zaplanowane zadania'

2009-03-17 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-17 10:15]

2009-02-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-06-03 14:42]
.
- - - - USUNIĘTO PUSTE WPISY - - - -

HKLM-Run-BearShare - c:\program files\BearShare\BearShare.exe
MSConfigStartUp-lsass - c:\windows\lsass.exe
MSConfigStartUp-MSHost - c:\windows\system32\mshost.exe
MSConfigStartUp-shell - c:\windows\system32\services32.exe
MSConfigStartUp-Tibia - c:\windows\system32\Tibia.exe
MSConfigStartUp-Windows - c:\windows\services.exe


.
------- Skan uzupełniający -------
.
uStart Page = hxxp://search.bearshare.com/pl/
mStart Page = hxxp://www.yahoo.com
uInternet Connection Wizard,ShellNext = hxxp://www.yahoo.com/
DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C5} - hxxp://cached.gamedesire.com/g_bin/pl/snooker_2_0_0_35.cab
FF - ProfilePath - c:\documents and settings\admin.XPN19\Dane aplikacji\Mozilla\Firefox\Profiles\as0k3bd3.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.pl/
FF - plugin: c:\program files\Mozilla Firefox\plugins\npganymedenet.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-03 10:11:46
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

skanowanie ukrytych procesów ... 

skanowanie ukrytych wpisów autostartu ...

skanowanie ukrytych plików ... 

skanowanie pomyślnie ukończone
ukryte pliki: 0

**************************************************************************
.
Czas ukończenia: 2009-04-03 10:13:01
ComboFix-quarantined-files.txt  2009-04-03 08:12:52

Przed: 24 608 456 704 bajtów wolnych
Po: 24,729,862,144 bajtów wolnych

WindowsXP-KB310994-SP2-Home-BootDisk-PLK.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /usepmtimer

271   --- E O F ---   2009-03-23 12:59:33


...z HJackthis

Kod: Zaznacz wszystko

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:15:01, on 2009-04-03
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.bearshare.com/pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {37B85A29-692B-4205-9CAD-2626E4993404} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [MSRegInfo] C:\WINDOWS\pagefile.sys.vbs
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKCU\..\Run: [Odkurzacz-MCD] C:\Program Files\Odkurzacz\odk_mcd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C5} (GameDesire Snooker) - http://cached.gamedesire.com/g_bin/pl/snooker_2_0_0_35.cab
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4237 bytes