
Screenshot from NOD32:
http://i41.tinypic.com/295tnir.gif
I closed the ports with Windows Worms Doors Cleaner and dumped the logs, which look like this:
ComboFix 09-03-04.01 - User 2009-03-07 12:09:57.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1250.1.1045.18.3007.2512 [GMT 1:00]
Uruchomiony z: C:\ComboFix.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated)
UWAGA - TEN KOMPUTER NIE MA ZAINSTALOWANEJ KONSOLI ODZYSKIWANIA !!
.
((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Dane aplikacji\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Dane aplikacji\Microsoft\Network\Downloader\qmgr1.dat
----- BITS: Możliwe zainfekowane strony -----
hxxp://banksguard.com
.
((((((((((((((((((((((((( Pliki utworzone od 2009-02-07 do 2009-03-07 )))))))))))))))))))))))))))))))
.
2009-03-07 10:52 . 2009-03-07 10:52 51,232 --a------ C:\wwdc.exe
2009-03-05 21:05 . 2009-03-05 21:02 102,664 --a------ c:\windows\system32\drivers\tmcomm.sys
2009-03-05 21:02 . 2009-03-05 21:10 <DIR> d-------- c:\documents and settings\User\.housecall6.6
2009-03-05 20:56 . 2009-03-05 20:56 <DIR> d-------- c:\program files\Trend Micro
2009-03-05 20:56 . 2009-03-05 20:56 812,344 --a------ C:\HJTInstall.exe
2009-03-05 20:55 . 2009-03-05 20:55 2,932,444 -ra------ C:\ComboFix.exe
2009-03-05 18:18 . 2009-03-07 12:12 <DIR> d--h----- c:\documents and settings\Administrator.HOME.000\Ustawienia lokalne
2009-03-05 18:18 . 2008-06-03 20:37 <DIR> d-------- c:\documents and settings\Administrator.HOME.000\Ulubione
2009-03-05 18:18 . 2008-06-03 18:46 <DIR> d--h----- c:\documents and settings\Administrator.HOME.000\Szablony
2009-03-05 18:18 . 2008-07-02 19:46 <DIR> d-------- c:\documents and settings\Administrator.HOME.000\Pulpit
2009-03-05 18:18 . 2008-06-03 20:37 <DIR> d-------- c:\documents and settings\Administrator.HOME.000\Moje dokumenty
2009-03-05 18:18 . 2008-06-03 20:37 <DIR> dr------- c:\documents and settings\Administrator.HOME.000\Menu Start
2009-03-05 18:18 . 2008-06-03 20:37 <DIR> dr-h----- c:\documents and settings\Administrator.HOME.000\Dane aplikacji
2009-03-05 18:18 . 2009-03-05 18:18 <DIR> d-------- c:\documents and settings\Administrator.HOME.000
2009-03-05 07:53 . 2008-06-03 20:37 <DIR> d--h----- c:\documents and settings\Administrator.HOME\Ustawienia lokalne
2009-03-05 07:53 . 2008-06-03 20:37 <DIR> d-------- c:\documents and settings\Administrator.HOME\Ulubione
2009-03-05 07:53 . 2008-06-03 18:46 <DIR> d--h----- c:\documents and settings\Administrator.HOME\Szablony
2009-03-05 07:53 . 2008-07-02 19:46 <DIR> d-------- c:\documents and settings\Administrator.HOME\Pulpit
2009-03-05 07:53 . 2008-06-03 20:37 <DIR> d-------- c:\documents and settings\Administrator.HOME\Moje dokumenty
2009-03-05 07:53 . 2008-06-03 20:37 <DIR> dr------- c:\documents and settings\Administrator.HOME\Menu Start
2009-03-05 07:53 . 2008-06-03 20:37 <DIR> dr-h----- c:\documents and settings\Administrator.HOME\Dane aplikacji
2009-03-05 07:53 . 2009-03-05 07:53 <DIR> d-------- c:\documents and settings\Administrator.HOME
2009-03-05 07:52 . 2008-06-03 20:37 <DIR> d--h----- c:\documents and settings\Administrator\Ustawienia lokalne
2009-03-05 07:52 . 2008-06-03 20:37 <DIR> d-------- c:\documents and settings\Administrator\Ulubione
2009-03-05 07:52 . 2008-06-03 18:46 <DIR> d--h----- c:\documents and settings\Administrator\Szablony
2009-03-05 07:52 . 2008-07-02 19:46 <DIR> d-------- c:\documents and settings\Administrator\Pulpit
2009-03-05 07:52 . 2008-06-03 20:37 <DIR> d-------- c:\documents and settings\Administrator\Moje dokumenty
2009-03-05 07:52 . 2008-06-03 20:37 <DIR> dr------- c:\documents and settings\Administrator\Menu Start
2009-03-05 07:52 . 2008-06-03 20:37 <DIR> dr-h----- c:\documents and settings\Administrator\Dane aplikacji
2009-03-05 07:52 . 2009-03-05 07:52 <DIR> d-------- c:\documents and settings\Administrator
2009-03-04 01:45 . 2009-03-05 07:49 <DIR> d-a------ c:\documents and settings\All Users\Dane aplikacji\TEMP
2009-03-04 01:45 . 2008-08-25 12:36 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys
2009-03-04 01:45 . 2008-08-25 12:36 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys
2009-03-04 01:45 . 2008-08-25 12:36 40,840 --a------ c:\windows\system32\drivers\ikfilesec.sys
2009-03-04 01:45 . 2008-06-02 16:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys
2009-03-04 01:44 . 2009-03-04 19:56 <DIR> d-------- c:\program files\Spyware Doctor
2009-03-04 01:44 . 2009-03-04 01:44 <DIR> d-------- c:\documents and settings\User\Dane aplikacji\PC Tools
2009-03-04 01:34 . 2009-03-04 01:35 <DIR> d-------- c:\program files\Windows Live Safety Center
2009-03-04 01:30 . 2009-03-04 01:33 18,381,352 --a------ C:\sdstart.exe
2009-03-04 01:29 . 2009-03-04 01:29 712 --a------ C:\fix.reg
2009-03-03 19:56 . 2008-04-14 21:51 26,624 --a------ c:\windows\system32\stu2.exe
2009-03-02 18:10 . 2009-03-06 04:36 <DIR> d-------- c:\program files\FreeCommander
2009-03-02 18:10 . 2009-03-02 18:10 <DIR> d-------- c:\documents and settings\User\Dane aplikacji\AD ON Multimedia
2009-03-02 18:09 . 2009-03-02 18:09 <DIR> d-------- C:\fc_setup_
2009-03-02 18:08 . 2009-03-02 18:08 2,444,718 --a------ C:\fc_setup_.zip
2009-03-02 02:02 . 2009-03-02 02:01 5,724 --a------ c:\windows\wtfpsa.rar
2009-03-01 20:38 . 2008-03-03 14:25 5,702 --ah----- c:\windows\nod32restoretemdono.reg
2009-03-01 20:38 . 2008-03-03 18:21 568 --ah----- c:\windows\nod32fixtemdono.reg
2009-03-01 20:32 . 2009-03-01 20:32 11,396 --a------ C:\raport_kaspersky_2.html
2009-03-01 20:06 . 2009-03-01 20:57 <DIR> d-------- C:\Unreal Commander
2009-03-01 19:55 . 2009-03-01 19:55 2,247,184 --a------ C:\uncomsetup0.95(build717).exe
2009-03-01 15:18 . 2009-03-01 15:18 4,298 --a------ C:\raport_kaspersky_1.html
2009-03-01 13:34 . 2009-03-01 13:34 410,984 --a------ c:\windows\system32\deploytk.dll
2009-03-01 13:32 . 2009-03-01 13:32 607,640 --a------ C:\jxpiinstall-6u12-fcs-bin-b04-windows-i586-17_jan_2009.exe
2009-03-01 11:45 . 2009-03-01 11:45 24,736 --a------ C:\wyciag_090301.html
2009-02-25 01:23 . 2009-02-25 02:36 <DIR> d-------- C:\BRUSHES technical
2009-02-21 13:09 . 2009-02-22 02:40 <DIR> d-------- c:\documents and settings\User\Dane aplikacji\FileZilla
2009-02-21 13:09 . 2009-02-21 13:10 3,866,419 --a------ C:\FileZilla_3.2.2_win32-setup.exe
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-07 11:04 --------- d-----w c:\documents and settings\User\Dane aplikacji\OpenOffice.org2
2009-03-07 10:59 --------- d-----w c:\program files\PhotomatixPro3
2009-03-07 10:59 --------- d-----w c:\program files\CheckScreen
2009-03-07 10:09 --------- d-----w c:\program files\PCRegistryCleaner
2009-03-07 10:08 --------- d-----w c:\program files\Jalbum8.1
2009-03-04 19:50 16,384 ----a-w c:\windows\system32\userinit.exe
2009-03-01 23:04 --------- d-----w c:\program files\Web Data Extractor 6.1
2009-03-01 19:37 --------- d-----w c:\program files\ESET
2009-03-01 12:34 --------- d-----w c:\program files\Java
2009-02-26 18:51 --------- d-----w c:\program files\Microsoft Silverlight
2009-02-22 09:23 20 ---h--w c:\documents and settings\All Users\Dane aplikacji\PKP_DLdu.DAT
2009-02-09 18:34 20 ---h--w c:\documents and settings\All Users\Dane aplikacji\PKP_DLdw.DAT
2008-12-20 23:03 826,368 ----a-w c:\windows\system32\wininet.dll
2008-12-19 00:32 2,828 --sha-w c:\windows\system32\KGyGaAvL.sys
2008-07-01 18:38 20 ---h--w c:\documents and settings\All Users\Dane aplikacji\PKP_DLbz.DAT
2006-06-23 06:48 32,768 ------w c:\windows\inf\UpdateUSB.exe
.
------- Sigcheck -------
2006-03-02 13:00 25088 bd768099b4c44aa631728cb74eb54396 c:\windows\$NtServicePackUninstall$\userinit.exe
2008-04-14 21:51 26624 2a5b37d520508be6570a3ea79695f5b5 c:\windows\ServicePackFiles\i386\userinit.exe
2009-03-04 20:50 16384 1e61929b9d68047c3cadca0234a5c321 c:\windows\system32\userinit.exe
.
((((((((((((((((((((((((((((( SnapShot@2009-03-07_11.38.27.62 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-07 11:03:56 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_7c0.dat
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 152872]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-04-01 36352]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-01 148888]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-10-24 1451264]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\User\Menu Start\Programy\Autostart\
Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2007-06-14 479232]
OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-01-21 393216]
c:\documents and settings\All Users\Menu Start\Programy\Autostart\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-06-26 113664]
Program sieciowy dla SAGEM Wi-Fi 11g USB adapter.lnk - c:\program files\SAGEM WiFi manager\WLANUTL.exe [2008-06-20 925696]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-05-28 11:32 87352 c:\windows\system32\LMIinit.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_06\bin\jusched.exe"
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-10-24 34824]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2008-10-24 468224]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-06-04 45848]
R3 SG762_XP;SAGEM 802.11g XG762 1211B Driver;c:\windows\system32\drivers\WlanBZXP.sys [2008-06-20 402432]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]
S2 NOD32FiXTemDono;Eset Nod32 Boot;c:\windows\system32\regedt32.exe [2006-03-02 3584]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-03-04 356920]
S3 ZDCndis5;ZDCndis5 Protocol Driver;\??\c:\windows\system32\ZDCndis5.SYS --> c:\windows\system32\ZDCndis5.SYS [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
Zawartość folderu 'Zaplanowane zadania'
2009-02-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Skan uzupełniający -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = 127.0.0.1
uInternet Settings,ProxyServer = socks=
IE: + Offline &Explorer: Download the link - file://c:\program files\Offline Explorer Enterprise\Add_UrlO.htm
IE: + Offline E&xplorer: Download the current page - file://c:\program files\Offline Explorer Enterprise\Add_AllO.htm
IE: E&ksport do programu Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
FF - ProfilePath - c:\documents and settings\User\Dane aplikacji\Mozilla\Firefox\Profiles\uloq4wwk.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
---- FIREFOX - SPOSÓB POSTĘPOWANIA ----
FF - user.js: network.proxy.http -
FF - user.js: network.proxy.http_port - 0
FF - user.js: network.proxy.ssl -
FF - user.js: network.proxy.ssl_port - 0
FF - user.js: network.proxy.ftp -
FF - user.js: network.proxy.ftp_port - 0
FF - user.js: network.proxy.gopher -
FF - user.js: network.proxy.gopher_port - 0
FF - user.js: network.proxy.socks_version - 5
FF - user.js: network.proxy.socks -
FF - user.js: network.proxy.socks_port - 0
FF - user.js: network.proxy.type - 0
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-07 12:12:20
Windows 5.1.2600 Dodatek Service Pack 3 NTFS
skanowanie ukrytych procesów ...
skanowanie ukrytych wpisów autostartu ...
skanowanie ukrytych plików ...
**************************************************************************
.
--------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------
[HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\HID\Vid_045e&Pid_0714&Col02\8&1cedcfc3&0&0001\LogConf]
@DACL=(02 0000)
.
--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------
- - - - - - - > 'winlogon.exe'(872)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
Czas ukończenia: 2009-03-07 12:15:48
ComboFix-quarantined-files.txt 2009-03-07 11:14:31
ComboFix2.txt 2009-03-07 10:38:56
Przed: 4 257 271 808 bajtów wolnych
Po: 4,244,856,832 bajtów wolnych
204 --- E O F --- 2009-03-02 16:33:23
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:07:37, on 2009-03-07
Platform: Windows XP Dodatek SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\SAGEM WiFi manager\WLANUTL.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = socks=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
*.local;*.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Nikon Monitor.lnk = C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Program sieciowy dla SAGEM Wi-Fi 11g USB adapter.lnk = ?
O8 - Extra context menu item: + Offline &Explorer: Download the link - file://C:\Program Files\Offline Explorer Enterprise\Add_UrlO.htm
O8 - Extra context menu item: + Offline E&xplorer: Download the current page - file://C:\Program Files\Offline Explorer Enterprise\Add_AllO.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1212517495687
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\bin\apache\apache2.2.8\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\bin\mysql\mysql5.0.51b\bin\mysqld-nt.exe
--
End of file - 7613 bytes
How can I get rid of this worm?