
ComboFix
ComboFix 08-06-16.2 - Łukasz 2008-06-17 15:02:33.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1045.18.1078 [GMT 2:00]
Running from: C:\Documents and Settings\Łukasz\Pulpit\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-05-17 to 2008-06-17 )))))))))))))))))))))))))))))))
.
2008-06-17 14:49 . 2008-06-17 14:49 <DIR> d-------- C:\WINDOWS\ERUNT
2008-06-17 14:36 . 2008-06-17 14:59 <DIR> d-------- C:\SDFix
2008-06-17 13:42 . 2008-06-17 13:42 <DIR> d-------- C:\Program Files\Java
2008-06-16 14:44 . 2008-06-16 15:22 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-06-15 19:41 . 2008-06-15 19:41 <DIR> d-------- C:\Documents and Settings\Łukasz\Dane aplikacji\CyberLink
2008-06-15 19:41 . 2008-06-15 19:41 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\CyberLink
2008-06-15 19:34 . 2008-06-15 19:34 <DIR> d-------- C:\Program Files\CyberLink
2008-06-15 19:34 . 2008-06-15 19:34 <DIR> d-------- C:\Program Files\Common Files\CyberLink
2008-06-15 18:50 . 2008-06-15 18:50 <DIR> d-------- C:\Program Files\Codec Pack - All In 1
2008-06-15 18:50 . 2008-06-15 18:50 737,280 --a------ C:\WINDOWS\iun6002.exe
2008-06-15 18:42 . 2008-06-15 18:42 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\AVS4YOU
2008-06-15 18:40 . 2008-06-15 18:58 <DIR> d-------- C:\Program Files\Common Files\AVSMedia
2008-06-15 18:40 . 2003-05-22 00:50 82,944 --a------ C:\WINDOWS\system32\vct3216.acm
2008-06-15 18:40 . 2004-02-04 22:11 81,920 --a------ C:\WINDOWS\system32\AC3ACM.acm
2008-06-15 18:40 . 2003-05-22 00:50 38,912 --a------ C:\WINDOWS\system32\alf2cd.acm
2008-06-15 18:40 . 2000-03-14 21:55 13,239 --a------ C:\WINDOWS\system32\Scg726.acm
2008-06-15 18:39 . 2008-06-15 18:58 <DIR> d-------- C:\Program Files\AVS4YOU
2008-06-14 19:16 . 2008-06-14 19:16 <DIR> d-------- C:\Program Files\MarBit
2008-06-14 19:12 . 2008-03-28 19:40 6,144 --a------ C:\WINDOWS\system32\ff_acm.acm
2008-06-14 19:12 . 2007-07-10 18:10 547 --a------ C:\WINDOWS\system32\ff_vfw.dll.manifest
2008-06-14 19:11 . 2008-06-14 19:12 <DIR> d-------- C:\Program Files\ffdshow
2008-06-14 19:11 . 2007-04-24 17:30 60,273 --a------ C:\WINDOWS\system32\pthreadGC2.dll
2008-06-14 19:11 . 2008-03-28 19:41 7,680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2008-06-12 07:46 . 2008-06-12 07:48 <DIR> d-------- C:\09acf77be70bb5fd6e8f
2008-06-11 09:04 . 2008-04-14 17:53 273,024 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-09 17:38 . 2008-06-09 17:44 <DIR> d-------- C:\Documents and Settings\Adrian\Dane aplikacji\DeepBurner
2008-06-09 17:37 . 2008-06-09 17:37 <DIR> d-------- C:\Program Files\Astonsoft
2008-06-07 00:03 . 2003-02-28 18:26 139,536 --a------ C:\WINDOWS\system32\javaee.dll
2008-06-07 00:03 . 2003-02-28 18:26 46,352 --a------ C:\WINDOWS\setdebug.exe
2008-06-07 00:03 . 2003-02-28 16:54 7,315 --a------ C:\WINDOWS\system32\javasup.vxd
2008-06-07 00:03 . 2003-02-28 16:35 6,550 --a------ C:\WINDOWS\jautoexp.dat
2008-06-07 00:02 . 2003-02-28 16:38 113 --a------ C:\WINDOWS\system32\zonedon.reg
2008-06-07 00:02 . 2003-02-28 16:38 113 --a------ C:\WINDOWS\system32\zonedoff.reg
2008-06-06 13:08 . 2008-06-07 11:47 <DIR> d-------- C:\Program Files\TibiaCam TV Lite
2008-06-03 19:16 . 2008-06-03 19:16 <DIR> d-------- C:\Documents and Settings\Łukasz\Dane aplikacji\Ventrilo
2008-06-03 19:15 . 2008-06-03 19:15 <DIR> d-------- C:\Program Files\Ventrilo
2008-06-03 17:30 . 2008-03-03 14:25 5,702 --ah----- C:\WINDOWS\nod32restoretemdono.reg
2008-06-03 17:30 . 2008-03-03 18:21 568 --ah----- C:\WINDOWS\nod32fixtemdono.reg
2008-06-03 17:28 . 2008-06-03 17:28 <DIR> d-------- C:\Program Files\ESET
2008-06-03 17:28 . 2008-06-03 17:28 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\ESET
2008-06-03 08:28 . 2008-06-03 08:28 <DIR> d---s---- C:\Documents and Settings\Mama\UserData
2008-06-03 08:18 . 2008-06-12 07:54 <DIR> d-------- C:\Documents and Settings\Mama\Dane aplikacji\VMware
2008-06-03 08:18 . 2008-06-03 08:18 <DIR> d-------- C:\Documents and Settings\Mama\Dane aplikacji\Comodo
2008-06-03 08:16 . 2008-06-17 15:03 <DIR> d--h----- C:\Documents and Settings\Mama\Ustawienia lokalne
2008-06-03 08:16 . 2008-06-04 15:40 <DIR> dr------- C:\Documents and Settings\Mama\Ulubione
2008-06-03 08:16 . 2008-05-31 17:54 <DIR> d--h----- C:\Documents and Settings\Mama\Szablony
2008-06-03 08:16 . 2008-06-08 21:35 <DIR> d-------- C:\Documents and Settings\Mama\Pulpit
2008-06-03 08:16 . 2008-06-04 16:05 <DIR> dr------- C:\Documents and Settings\Mama\Moje dokumenty
2008-06-03 08:16 . 2008-05-31 18:48 <DIR> dr------- C:\Documents and Settings\Mama\Menu Start
2008-06-03 08:16 . 2008-06-04 15:38 <DIR> dr-h----- C:\Documents and Settings\Mama\Dane aplikacji
2008-06-03 08:16 . 2008-06-03 08:28 <DIR> d-------- C:\Documents and Settings\Mama
2008-06-02 16:48 . 2008-06-02 21:34 <DIR> d-------- C:\Program Files\PhotoScape
2008-06-01 21:09 . 2004-08-04 09:44 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-06-01 21:09 . 2004-08-04 07:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-06-01 21:09 . 2001-10-26 17:29 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-06-01 16:47 . 2005-03-22 14:48 77,824 -ra------ C:\WINDOWS\system32\hpzids01.dll
2008-06-01 16:47 . 2005-10-14 22:42 46,592 --a------ C:\WINDOWS\system32\hpzll43a.dll
2008-06-01 16:41 . 2004-08-04 08:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-06-01 16:40 . 2004-08-04 08:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-06-01 15:57 . 2007-05-01 22:51 30,768 -ra------ C:\WINDOWS\system32\drivers\vmusb.sys
2008-06-01 11:59 . 2008-06-01 11:59 <DIR> d-------- C:\Program Files\Blackd Tools
2008-06-01 11:36 . 2007-03-08 01:51 43,528 --------- C:\WINDOWS\system32\drivers\PxHelp20.sys
2008-06-01 11:36 . 2007-03-08 01:51 9,464 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-06-01 11:36 . 2007-03-08 01:51 9,336 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-06-01 11:35 . 2007-03-08 01:51 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2008-06-01 08:55 . 2008-06-01 21:27 <DIR> d-------- C:\Program Files\Winamp
2008-06-01 08:31 . 2008-06-01 08:32 <DIR> d-------- C:\Documents and Settings\Łukasz\Dane aplikacji\Tibia
2008-06-01 00:22 . 2008-06-15 13:31 <DIR> d-------- C:\Program Files\ewido anti-spyware 4.0
2008-05-31 23:31 . 2008-05-31 23:31 <DIR> d---s---- C:\Documents and Settings\Adrian\UserData
2008-05-31 22:39 . 2007-07-09 15:11 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-05-31 22:31 . 2008-05-31 22:32 <DIR> d-------- C:\Documents and Settings\Adrian\Gadu-Gadu
2008-05-31 22:31 . 2008-06-17 09:12 <DIR> d-------- C:\Documents and Settings\Adrian\Dane aplikacji\VMware
2008-05-31 22:31 . 2008-05-31 22:31 <DIR> d-------- C:\Documents and Settings\Adrian\Dane aplikacji\Comodo
2008-05-31 22:21 . 2008-05-31 22:22 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-31 22:21 . 2008-05-31 22:27 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Spybot - Search & Destroy
2008-05-31 22:16 . 2008-06-01 11:32 <DIR> d-------- C:\Documents and Settings\Łukasz\Gadu-Gadu
2008-05-31 22:16 . 2008-06-01 11:32 <DIR> d-------- C:\Documents and Settings\Łukasz\Gadu-Gadu
2008-05-31 22:15 . 2008-05-31 22:16 <DIR> d-------- C:\Program Files\Gadu-Gadu
2008-05-31 21:40 . 2008-05-31 21:40 <DIR> d-------- C:\Program Files\AskSBar
2008-05-31 21:39 . 2008-05-31 21:40 <DIR> d-------- C:\Program Files\COMODO
2008-05-31 21:39 . 2008-05-31 21:39 <DIR> d-------- C:\Documents and Settings\Łukasz\Dane aplikacji\Comodo
2008-05-31 21:39 . 2008-05-31 21:47 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\comodo
2008-05-31 21:39 . 2008-05-31 21:39 143,104 --a------ C:\WINDOWS\system32\guard32.dll
2008-05-31 21:39 . 2008-05-31 21:39 87,056 --a------ C:\WINDOWS\system32\drivers\cmdguard.sys
2008-05-31 21:39 . 2008-05-31 21:39 24,208 --a------ C:\WINDOWS\system32\drivers\cmdhlp.sys
2008-05-31 21:37 . 2008-05-31 21:37 <DIR> d-------- C:\Documents and Settings\LocalService\Menu Start
2008-05-31 21:33 . 2003-06-05 18:30 316,640 --a------ C:\WINDOWS\WMSysPr9.prx
2008-05-31 21:32 . 2008-05-31 21:32 <DIR> d-------- C:\WINDOWS\provisioning
2008-05-31 21:32 . 2008-05-31 21:32 <DIR> d-------- C:\WINDOWS\peernet
2008-05-31 21:31 . 2008-05-31 21:31 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-05-31 21:28 . 2008-05-31 21:28 <DIR> d-------- C:\WINDOWS\EHome
2008-05-31 21:25 . 2002-04-15 21:11 67,866 --------- C:\WINDOWS\system32\drivers\netwlan5.img
2008-05-31 21:25 . 2004-08-04 00:44 11,776 --------- C:\WINDOWS\system32\spnpinst.exe
2008-05-31 21:25 . 2004-08-02 14:20 7,208 --------- C:\WINDOWS\system32\secupd.sig
2008-05-31 21:25 . 2004-08-02 14:20 4,569 --------- C:\WINDOWS\system32\secupd.dat
2008-05-31 20:19 . 2008-06-17 14:59 <DIR> d-------- C:\Documents and Settings\Łukasz\Dane aplikacji\VMware
2008-05-31 20:19 . 2008-06-17 14:57 <DIR> d-------- C:\Documents and Settings\LocalService\Dane aplikacji\VMware
2008-05-31 20:12 . 2008-05-31 20:12 <DIR> d-------- C:\Documents and Settings\NetworkService\Dane aplikacji\VMware
2008-05-31 20:12 . 2007-05-01 22:51 17,712 -ra------ C:\WINDOWS\system32\drivers\vmnet.sys
2008-05-31 20:12 . 2007-05-01 22:51 16,816 -ra------ C:\WINDOWS\system32\drivers\vmnetadapter.sys
2008-05-31 20:12 . 2007-05-01 22:51 13,104 -ra------ C:\WINDOWS\system32\vnetinst.dll
2008-05-31 20:11 . 2008-06-17 14:57 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\VMware
2008-05-31 20:11 . 2007-05-01 22:51 437,040 --a------ C:\WINDOWS\system32\vnetlib.dll
2008-05-31 20:11 . 2007-05-01 22:52 150,320 --a------ C:\WINDOWS\system32\vmnat.exe
2008-05-31 20:11 . 2007-05-01 22:51 121,648 --a------ C:\WINDOWS\system32\vmnetdhcp.exe
2008-05-31 20:11 . 2007-05-01 22:51 50,992 -ra------ C:\WINDOWS\system32\vmnetbridge.dll
2008-05-31 20:11 . 2007-05-01 22:51 28,592 -ra------ C:\WINDOWS\system32\drivers\vmnetbridge.sys
2008-05-31 20:11 . 2007-05-01 22:52 25,264 --a------ C:\WINDOWS\system32\drivers\vmnetuserif.sys
2008-05-31 20:11 . 2007-05-01 22:52 21,040 --a------ C:\WINDOWS\system32\drivers\VMkbd.sys
2008-05-31 20:11 . 2008-05-31 20:11 1,024 --a------ C:\.rnd
2008-05-31 20:10 . 2008-05-31 20:11 <DIR> d-------- C:\VMware
2008-05-31 20:10 . 2008-05-31 20:10 <DIR> d-------- C:\Program Files\VMware
2008-05-31 20:10 . 2008-05-31 20:10 <DIR> d-------- C:\Program Files\Common Files\VMware
2008-05-31 18:59 . 2005-10-21 00:30 1,092,608 --a------ C:\WINDOWS\system32\SET48D.tmp
2008-05-31 18:50 . 2004-08-04 09:44 77,312 --a------ C:\WINDOWS\system32\usbui.dll
2008-05-31 18:50 . 2004-08-04 09:35 58,624 --a------ C:\WINDOWS\system32\drivers\redbook.sys
2008-05-31 18:50 . 2001-10-26 17:57 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-05-31 18:50 . 2004-08-04 08:08 10,624 --a------ C:\WINDOWS\system32\drivers\gameenum.sys
2008-05-31 18:50 . 2001-08-17 23:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-05-31 18:50 . 2001-08-17 22:59 3,072 --a------ C:\WINDOWS\system32\drivers\audstub.sys
2008-05-31 18:49 . 2008-06-03 19:15 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-31 18:48 . 2008-06-17 14:46 <DIR> d-------- C:\WINDOWS\system32\CatRoot2
2008-05-31 18:48 . 2008-05-31 18:48 <DIR> dr-h----- C:\Documents and Settings\Default User\Ustawienia lokalne
2008-05-31 18:48 . 2008-05-31 18:48 <DIR> d-------- C:\Documents and Settings\Default User\Ulubione
2008-05-31 18:48 . 2008-05-31 17:54 <DIR> d--h----- C:\Documents and Settings\Default User\Szablony
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-31 17:10 --------- d-----w C:\Program Files\MoorHunt
2008-05-31 15:58 --------- d-----w C:\Program Files\microsoft frontpage
2008-05-31 15:57 558,142 ----a-w C:\WINDOWS\java\Packages\VHVZ1BT3.ZIP
2008-05-31 15:57 155,995 ----a-w C:\WINDOWS\java\Packages\JHN75JXB.ZIP
2008-05-31 15:54 --------- d-----w C:\Program Files\Usługi online
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:16 1,291,264 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-21 07:03 662,016 ----a-w C:\WINDOWS\system32\wininet.dll
2008-03-25 04:52 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll
2008-03-25 04:52 178,976 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-20 08:09 1,845,504 ----a-w C:\WINDOWS\system32\win32k.sys
2001-11-23 04:08 712,704 ----a-r C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
.
------- Sigcheck -------
2002-09-23 14:00 12800 b3c95bfeef6781a82a1c429f466a3a11 C:\WINDOWS\$NtServicePackUninstall$\svchost.exe
2004-08-04 09:44 14336 ba98327e90022dbd6ee76490e0622e2e C:\WINDOWS\ServicePackFiles\i386\svchost.exe
2004-08-04 09:44 14336 ba98327e90022dbd6ee76490e0622e2e C:\WINDOWS\system32\svchost.exe
2005-03-02 20:21 578560 6a93565be9b8422eb7538c66ac732d76 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
2007-03-08 17:51 579584 11abdecc02efc1d2b6a6a0fa46c26594 C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll
2002-09-23 14:00 561664 3a4892a57cfe05d61e4bbc3ec3e24a63 C:\WINDOWS\$NtServicePackUninstall$\user32.dll
2004-08-04 09:44 578560 0c81764f50f32d376e6e4b9e9f4b01a0 C:\WINDOWS\$NtUninstallKB890859$\user32.dll
2005-03-02 20:18 578560 b7eeb1a1af740306049241ddf61f21ff C:\WINDOWS\$NtUninstallKB925902$\user32.dll
2004-08-04 09:44 578560 0c81764f50f32d376e6e4b9e9f4b01a0 C:\WINDOWS\ServicePackFiles\i386\user32.dll
2005-03-02 20:22 562688 d37cc072267311e7a5d3629f1d06c0b0 C:\WINDOWS\SoftwareDistribution\Download\c2a23d563d78a05c2a24aaa1cbe8c4fb\sp1qfe\user32.dll
2007-03-08 17:38 579072 a37a4637f84f8dd771274eaf8d17fa65 C:\WINDOWS\system32\user32.dll
2007-03-08 17:38 579072 a37a4637f84f8dd771274eaf8d17fa65 C:\WINDOWS\system32\dllcache\user32.dll
2002-09-23 14:00 75264 9b7d1c56cc12d806314b853bf52ecb4c C:\WINDOWS\$NtServicePackUninstall$\ws2_32.dll
2004-08-04 09:44 82944 ab82237486b727dd7dab36a76f38a3a2 C:\WINDOWS\ServicePackFiles\i386\ws2_32.dll
2004-08-04 09:44 82944 ab82237486b727dd7dab36a76f38a3a2 C:\WINDOWS\system32\ws2_32.dll
2002-09-23 14:00 519168 8b6e6bb5d451f8bbc0621203b687d993 C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
2004-08-04 09:44 504832 0344407089b08548d4feba62bb0f32d0 C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
2004-08-04 09:44 504832 0344407089b08548d4feba62bb0f32d0 C:\WINDOWS\system32\winlogon.exe
2002-09-23 14:00 167552 3b350e5a2a5e951453f3993275a4523a C:\WINDOWS\$NtServicePackUninstall$\ndis.sys
2004-08-04 08:14 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\ServicePackFiles\i386\ndis.sys
2004-08-04 08:14 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\system32\drivers\ndis.sys
2004-08-04 08:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\ServicePackFiles\i386\ip6fw.sys
2004-08-04 08:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\drivers\ip6fw.sys
2002-09-23 14:00 101888 bf4cbefdce42a699389791647cb95ca2 C:\WINDOWS\$NtServicePackUninstall$\services.exe
2004-08-04 09:44 108544 3da8d964d2cc12ef8e8c342471a37917 C:\WINDOWS\ServicePackFiles\i386\services.exe
2004-08-04 09:44 108544 3da8d964d2cc12ef8e8c342471a37917 C:\WINDOWS\system32\services.exe
2002-09-23 14:00 11776 fa2c871f57352339f0a1802bb9aea6e7 C:\WINDOWS\$NtServicePackUninstall$\lsass.exe
2004-08-04 09:44 13312 f485fefc8cc4fd29243d800be5d275d1 C:\WINDOWS\ServicePackFiles\i386\lsass.exe
2004-08-04 09:44 13312 f485fefc8cc4fd29243d800be5d275d1 C:\WINDOWS\system32\lsass.exe
2002-09-23 14:00 13312 0c4c012b0a8960f48a666c240a7baa3d C:\WINDOWS\$NtServicePackUninstall$\ctfmon.exe
2004-08-04 09:44 15360 cbfa30492d70ce3938d8a7783d0c0436 C:\WINDOWS\ServicePackFiles\i386\ctfmon.exe
2004-08-04 09:44 15360 cbfa30492d70ce3938d8a7783d0c0436 C:\WINDOWS\system32\ctfmon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= "C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL" [2008-05-31 21:40 262144]
[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:44 15360]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2005-03-31 11:18 790528]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-03 21:10 339968]
"NVRaidService"="C:\WINDOWS\System32\nvraidservice.exe" [2004-06-11 12:15 83968]
"C-Media Speaker Configuration"="E:\Setup.exe" [ ]
"Cmaudio"="cmicnfg.cpl" []
"vmware-tray"="C:\VMware\vmware-tray.exe" [2007-05-01 22:52 68400]
"VMware hqtray"="C:\VMware\hqtray.exe" [2007-05-01 22:52 56112]
"css"="C:\Program Files\Comodo\Css\cssurf.exe" [2008-05-22 16:16 188160]
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [2008-05-31 22:04 1655552]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-03-13 16:48 1443072]
"RemoteControl8"="C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe" [2008-03-20 20:23 83240]
"PDVD8LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe" [2007-12-14 11:36 50472]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 09:44 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= C:\WINDOWS\system32\guard32.dll C:\PROGRA~1\Comodo\Css\cssdll32.dll
"LoadAppInit_DLLs"=1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.avis"= ff_acm.acm
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\CyberLink\\PowerDVD8\\PowerDVD8.exe"=
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-05-31 21:39]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-05-31 21:39]
R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-03-13 16:52]
S2 NOD32FiXTemDono;Eset Nod32 Boot;C:\WINDOWS\system32\regedt32.exe [2002-09-23 14:00]
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-17 15:03:51
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll
.
Completion time: 2008-06-17 15:04:30
ComboFix-quarantined-files.txt 2008-06-17 13:04:27
ComboFix2.txt 2008-06-17 12:46:44
Pre-Run: 40,164,921,344 bajtów wolnych
Post-Run: 40,154,894,336 bajtów wolnych
243 --- E O F --- 2008-06-12 05:48:13
HijackThis
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:05:41, on 2008-06-17
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\VMware\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\System32\vmnat.exe
C:\WINDOWS\System32\vmnetdhcp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\nvraidservice.exe
C:\VMware\vmware-tray.exe
C:\VMware\hqtray.exe
C:\Program Files\Comodo\Css\cssurf.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe
C:\WINDOWS\System32\wbem\unsecapp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Łukasz\Pulpit\HiJackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\System32\nvraidservice.exe
O4 - HKLM\..\Run: [C-Media Speaker Configuration] E:\Setup.exe /SPEAKER
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [vmware-tray] C:\VMware\vmware-tray.exe
O4 - HKLM\..\Run: [VMware hqtray] "C:\VMware\hqtray.exe"
O4 - HKLM\..\Run: [css] C:\Program Files\Comodo\Css\cssurf.exe /s
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [RemoteControl8] "C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe"
O4 - HKLM\..\Run: [PDVD8LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1E53EA77-34F2-474E-9046-B2B0C86F1821} (OggX Control) - http://www.eska.pl/streamplayers/OggX.ocx
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1212251483453
O17 - HKLM\System\CCS\Services\Tcpip\..\{9237204F-25E4-4366-B824-376400B963E4}: NameServer = 208.67.222.222,208.67.220.220
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll C:\PROGRA~1\Comodo\Css\cssdll32.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\VMware\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\VMware\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\System32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\System32\vmnat.exe
--
End of file - 6357 bytes
SDFix
SDFix: Version 1.194
Run by Łukasz on 2008-06-17 at 14:55
Microsoft Windows XP [Wersja 5.1.2600]
Running From: C:\SDFix
Checking Services :
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting
Checking Files :
No Trojan Files Found
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-17 14:58:27
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DocFolderPaths]
"A\1u?k?a?s?z?"="C:\Documents and Settings\Aukasz\Moje dokumenty"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=" C:\WINDOWS\system32\guard32.dll C:\PROGRA~1\Comodo\Css\cssdll32.dll"
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"LoadAppInit_DLLs"=dword:00000001
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\CyberLink\\PowerDVD8\\PowerDVD8.exe"="C:\\Program Files\\CyberLink\\PowerDVD8\\PowerDVD8.exe:*:Enabled:CyberLink PowerDVD 8.0"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\CyberLink\\PowerDVD8\\PowerDVD8.exe"="C:\\Program Files\\CyberLink\\PowerDVD8\\PowerDVD8.exe:*:Enabled:CyberLink PowerDVD 8.0"
Remaining Files :
Files with Hidden Attributes :
Mon 3 Mar 2008 568 A..H. --- "C:\WINDOWS\nod32fixtemdono.reg"
Mon 3 Mar 2008 5,702 A..H. --- "C:\WINDOWS\nod32restoretemdono.reg"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Sun 1 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\f7db876e78b88fd8276fd7d29cb7e4eb\BIT8.tmp"
Finished!
I'll also post the logs from the second computer later, because I don't know which one has this junk on it, but that will probably go in a new thread.