Log z combo fix

[monikasylwia]

Witam,
mam problem z powracającymi trojanami. Polecono mi zainstalowanie combofix'a , co tez uczyniłam. Zamieszczam ponizej log i bardzo prosze o pomoc.



ComboFix 09-01-21.02 - MONIKA CHARYTONIUK 2009-01-22 10:10:37.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1250.48.1045.18.1918.1457 [GMT 0:00]
Uruchomiony z: c:\documents and settings\MONIKA CHARYTONIUK\Pulpit\ComboFix.exe
AV: avast! antivirus 4.8.1296 [VPS 090121-0] *On-access scanning disabled* (Updated)
AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Outdated)
* Utworzono nowy punkt przywracania
.

((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
c:\documents and settings\MONIKA CHARYTONIUK\Ulubione\Translator.url
c:\system\S-1-5-21-1482476501-1644491937-682003330-1013
c:\system\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini

.
((((((((((((((((((((((((( Pliki utworzone od 2008-12-22 do 2009-01-22 )))))))))))))))))))))))))))))))
.

2009-01-22 10:06 . 2009-01-22 10:07 <DIR> d-------- c:\windows\LastGood
2009-01-22 09:58 . 2009-01-22 09:58 95,744 -r-hs---- c:\windows\system32\nmdfgds1.dll
2009-01-21 14:40 . 2009-01-21 18:27 95,744 --------- c:\windows\system32\nmdfgds0.dll
2009-01-20 09:39 . 2009-01-20 14:50 108,869 -r-hs---- C:\gy.exe
2009-01-19 19:44 . 2006-03-02 12:00 70,144 --a------ c:\windows\AhnRpta.exe
2009-01-19 19:36 . 2009-01-20 14:50 108,869 -r-hs---- c:\windows\system32\olhrwef.exe
2009-01-14 17:24 . 2009-01-14 17:24 <DIR> d-------- c:\program files\Common Files\xing shared
2009-01-12 16:56 . 2009-01-12 17:54 <DIR> d-------- c:\documents and settings\MONIKA CHARYTONIUK\Dane aplikacji\U3
2009-01-12 16:43 . 2009-01-22 10:10 <DIR> dr-hs---- C:\SYSTEM
2009-01-06 16:35 . 2009-01-06 16:35 <DIR> d-------- c:\program files\Two Pilots
2009-01-06 16:34 . 2009-01-06 16:35 <DIR> d-------- c:\program files\MakeUp Pilot
2009-01-06 16:11 . 2009-01-06 16:11 <DIR> d-------- c:\program files\Imagenomic
2009-01-06 16:01 . 2009-01-06 16:01 <DIR> d-------- c:\program files\Reallusion
2009-01-06 16:01 . 2009-01-06 16:01 <DIR> d-------- c:\documents and settings\MONIKA CHARYTONIUK\Dane aplikacji\Reallusion
2009-01-06 16:01 . 2009-01-06 16:31 42 --a------ c:\windows\FFS20ChtReg.ini

.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-22 10:07 --------- d-----w c:\program files\ESET
2009-01-22 09:58 --------- d-----w c:\documents and settings\MONIKA CHARYTONIUK\Dane aplikacji\skypePM
2009-01-21 18:27 --------- d-----w c:\documents and settings\MONIKA CHARYTONIUK\Dane aplikacji\Skype
2009-01-14 17:24 499,712 ----a-w c:\windows\system32\msvcp71.dll
2009-01-14 17:24 348,160 ----a-w c:\windows\system32\msvcr71.dll
2009-01-14 17:24 --------- d-----w c:\program files\Real
2009-01-14 17:24 --------- d-----w c:\program files\Common Files\Real
2009-01-06 16:01 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-20 16:06 --------- d-----w c:\program files\Zylom Games
2008-12-15 08:30 724,992 ----a-w c:\windows\iun6002.exe
2008-12-15 08:30 --------- d-----w c:\program files\SpeedItUpFree
2008-12-14 17:35 --------- d-----w c:\program files\aod
2008-12-14 12:44 --------- d-----w c:\documents and settings\MONIKA CHARYTONIUK\Dane aplikacji\Uniblue
2008-12-14 12:44 --------- d-----w c:\documents and settings\All Users\Dane aplikacji\WinZip
2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys
2008-11-26 14:23 --------- d-----w c:\program files\Alwil Software
2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll
2008-04-16 08:24 32 ----a-w c:\documents and settings\All Users\Dane aplikacji\ezsid.dat
.

((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2006-03-02 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 143360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-02-06 21898024]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-05 68856]
"Gadu-Gadu"="c:\program files\Gadu-Gadu\gg.exe" [2008-03-20 2127296]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2008-02-26 443968]
"Creative WebCam Tray"="c:\program files\Creative\Shared Files\CamTray.exe" [2005-10-27 299008]
"cdoosoft"="c:\windows\system32\olhrwef.exe" [2009-01-20 108869]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2007-01-19 634880]
"HDAudDeck"="c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe" [2007-08-24 790528]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-08-18 102400]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 56928]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 54832]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-28 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"Lexmark 1200 Series"="c:\program files\Lexmark 1200 Series\lxczbmgr.exe" [2006-07-13 57344]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-09-12 36352]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-01-14 185872]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"VTTimer"="VTTimer.exe" [2006-09-22 c:\windows\system32\VTTimer.exe]
"S3Trayp"="S3trayp.exe" [2007-08-07 c:\windows\system32\S3Trayp.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2006-03-02 15360]

c:\documents and settings\MONIKA CHARYTONIUK\Menu Start\Programy\Autostart\
Tworzenie wycink˘w ekranu i uruchamianie programu OneNote 2007.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

c:\documents and settings\All Users\Menu Start\Programy\Autostart\
HotKeyDriver.lnk - c:\program files\HotKey_Driver\HotKeyDriver.exe [2008-03-19 3461120]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2008-09-10 525664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Gadu-Gadu\\gg.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-01-20 111184]
R3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [2008-03-19 180480]
R3 S3GIGP;S3GIGP;c:\windows\system32\drivers\S3gIGPm.sys [2008-03-19 607232]
R4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-01-20 20560]
R4 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys --> c:\windows\system32\DRIVERS\epfwtdir.sys [?]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\MAGIX\Common\Database\bin\fbserver.exe [2008-03-31 1527900]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-08-02 32512]
S3 V0260VID;Live! Cam Vista IM;c:\windows\system32\drivers\V0260Vid.sys [2008-08-02 178913]
S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2008-03-19 201216]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{30a72380-9164-11dd-ada0-0015af739e33}]
\Shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4054ef80-e0c6-11dd-ae7d-0015af739e33}]
\Shell\AutoRun\command - e:\system\S-1-5-21-1482476501-1644491937-682003330-1013\system32.exe
\Shell\open\command - e:\system\S-1-5-21-1482476501-1644491937-682003330-1013\system32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4054ef82-e0c6-11dd-ae7d-0015af739e33}]
\Shell\AutoRun\command - f:\system\S-1-5-21-1482476501-1644491937-682003330-1013\system32.exe
\Shell\open\command - f:\system\S-1-5-21-1482476501-1644491937-682003330-1013\system32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4cfc54d6-c924-11dd-ae1e-0015af739e33}]
\Shell\AutoRun\command - e:\system\S-1-5-21-1482476501-1644491937-682003330-1013\system32.exe
\Shell\open\command - e:\system\S-1-5-21-1482476501-1644491937-682003330-1013\system32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5cd77d84-915e-11dd-ad9d-0015af739e33}]
\Shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6dbc6ba1-b58e-11dd-adec-0015af739e33}]
\Shell\AutoRun\command - E:\abk.bat
\Shell\explore\Command - E:\abk.bat
\Shell\open\Command - E:\abk.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{868b7c76-9162-11dd-ad9f-0015af739e33}]
\Shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f2f3f86a-0a3b-11dd-abe0-0015af739e33}]
\Shell\AutoRun\command - E:\08dgu.com
\Shell\explore\Command - E:\08dgu.com
\Shell\open\Command - E:\08dgu.com

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{28ABC5C0-4FCB-11CF-AAX5-21CX1C643131}]
c:\system\S-1-5-21-1482476501-1644491937-682003330-1013\system32.exe
.
Zawartość folderu 'Zaplanowane zadania'

2009-01-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2009-01-22 c:\windows\Tasks\User_Feed_Synchronization-{E1EB12D6-2B41-48FA-903C-3ACE10ED1A77}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 17:36]
.
- - - - USUNIĘTO PUSTE WPISY - - - -

HKCU-Run-Uniblue RegistryBooster 2 - c:\program files\Uniblue\RegistryBooster 2\RegistryBooster.exe


.
------- Skan uzupełniający -------
.
uStart Page = hxxp://www.google.pl/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&ksportuj do programu Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {F6F1764E-AB50-4C5D-B5A1-11F89C4B5BBC} = 212.2.96.51 212.2.96.52
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game10.zylom.com/activex/zylomgamesplayer.cab
FF - ProfilePath - c:\documents and settings\MONIKA CHARYTONIUK\Dane aplikacji\Mozilla\Firefox\Profiles\pa9k11cv.default\
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\documents and settings\All Users\Dane aplikacji\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npzylomgamesplayer.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-22 10:11:54
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

skanowanie ukrytych procesów ...

skanowanie ukrytych wpisów autostartu ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HDAudDeck = c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe 1????????????????????????????????????????????????

skanowanie ukrytych plików ...


c:\docume~1\MONIKA~1\USTAWI~1\Temp\lucene-f33a813be231d59ffa13e613119771e2-commit.lock 0 bytes

skanowanie pomyślnie ukończone
ukryte pliki: 1

**************************************************************************
.
Czas ukończenia: 2009-01-22 10:13:26
ComboFix-quarantined-files.txt 2009-01-22 10:13:14

Przed: 120 825 352 192 bajtów wolnych
Po: 120,980,676,608 bajtów wolnych

WindowsXP-KB310994-SP2-Home-BootDisk-PLK.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

189 --- E O F --- 2009-01-15 09:58:25

[Okocza]

monikasylwia, popraw nazwę tematu, wstaw log w tagi code i opisz swój problem