Problem z spyware guard 2008

[bartekbc1]

Mam problem z Spyware Guard 2008 (j*****y syf) Oto log z Combofixa:

Kod: Zaznacz wszystko

ComboFix 08-12-18.03 - ghg 2008-12-20 16:59:28.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1250.1.1045.18.1023.739 [GMT 1:00]
Uruchomiony z: c:\documents and settings\ghg\Pulpit\ComboFix.exe

[COLOR=RED][B]UWAGA - TEN KOMPUTER NIE MA ZAINSTALOWANEJ KONSOLI ODZYSKIWANIA !![/B][/COLOR]
.

(((((((((((((((((((((((((((((((((((((((   Usunięto   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Dane aplikacji\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Dane aplikacji\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\ghg\Pulpit\C23C9F08566C52F0\
c:\documents and settings\ghg\Pulpit\C23C9F08566C52F0\\C23C9F08566C52F0.x86
c:\documents and settings\ghg\Pulpit\C23C9F08566C52F0\C23C9F08566C52F0
c:\program files\Spyware Guard 2008
c:\program files\Spyware Guard 2008\conf.cfg
c:\program files\Spyware Guard 2008\mbase.vdb
c:\program files\Spyware Guard 2008\quarantine.vdb
c:\program files\Spyware Guard 2008\queue.vdb
c:\program files\Spyware Guard 2008\spywareguard.exe
c:\program files\Spyware Guard 2008\uninstall.exe
c:\program files\Spyware Guard 2008\vbase.vdb
c:\windows\reged.exe
c:\windows\spoolsystem.exe
c:\windows\syscert.exe
c:\windows\sysexplorer.exe
c:\windows\system32\drivers\msqpdxpqltoiqh.sys
c:\windows\system32\drivers\msqpdxserv.sys
c:\windows\system32\fmbbxjvf.ini
c:\windows\system32\fnkcse.dll
c:\windows\system32\iempnapq.dll
c:\windows\system32\iwrnsyxe.ini
c:\windows\system32\jekhdoad.dll
c:\windows\system32\jrjvcbxb.dll
c:\windows\system32\lydhnkgq.dll
c:\windows\system32\mlJBUNGy.dll
c:\windows\system32\msgusv.dll
c:\windows\system32\msqpdxosvdbrsr.dll
c:\windows\system32\NCTAudioFile2.dll
c:\windows\system32\NCTAudioPlayer2.dll
c:\windows\system32\NCTAudioRecord2.dll
c:\windows\system32\pfyflooo.ini
c:\windows\system32\rhrfsqkx.ini
c:\windows\system32\rxryzh.dll
c:\windows\system32\smeapf.dll
c:\windows\system32\szenvu.dll
c:\windows\system32\winscenter.exe
c:\windows\system32\ygptprfm.dll
c:\windows\Tasks\xmihoibb.job
D:\Autorun.inf
D:\resycled
d:\resycled\boot.com

----- BITS: Możliwe zainfekowane strony -----

hxxp://childhe.com
.
(((((((((((((((((((((((((((((((((((((((   Sterowniki/Usługi   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_MSQPDXSERV.SYS
-------\Legacy_MSQPDXSERV.SYS


(((((((((((((((((((((((((   Pliki utworzone od 2008-11-20 do 2008-12-20  )))))))))))))))))))))))))))))))
.

2008-12-20 16:20 . 2008-12-20 16:20   <DIR>   d--------   c:\windows\ERUNT
2008-12-20 16:11 . 2008-12-20 16:30   <DIR>   d--------   C:\SDFix
2008-12-20 15:44 . 2008-12-20 15:44   <DIR>   d--h-----   c:\windows\PIF
2008-12-20 15:40 . 2008-12-20 17:00   <DIR>   d--h-----   c:\documents and settings\Administrator\Ustawienia lokalne
2008-12-20 15:40 . 2008-09-23 00:43   <DIR>   d--------   c:\documents and settings\Administrator\Ulubione
2008-12-20 15:40 . 2008-09-22 22:48   <DIR>   d--h-----   c:\documents and settings\Administrator\Szablony
2008-12-20 15:40 . 2008-09-23 00:43   <DIR>   d--------   c:\documents and settings\Administrator\Pulpit
2008-12-20 15:40 . 2008-09-23 00:43   <DIR>   d--------   c:\documents and settings\Administrator\Moje dokumenty
2008-12-20 15:40 . 2008-09-23 00:43   <DIR>   dr-------   c:\documents and settings\Administrator\Menu Start
2008-12-20 15:40 . 2008-12-20 15:41   <DIR>   dr-h-----   c:\documents and settings\Administrator\Dane aplikacji
2008-12-20 15:40 . 2008-12-20 15:40   <DIR>   d--------   c:\documents and settings\Administrator
2008-12-20 14:21 . 2008-12-20 14:21   <DIR>   d--------   c:\documents and settings\ghg\Dane aplikacji\Malwarebytes
2008-12-20 14:20 . 2008-12-20 14:21   <DIR>   d--------   c:\program files\Malwarebytes' Anti-Malware
2008-12-20 14:20 . 2008-12-20 14:20   <DIR>   d--------   c:\documents and settings\All Users\Dane aplikacji\Malwarebytes
2008-12-20 14:20 . 2008-08-17 15:05   38,472   --a------   c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-20 14:20 . 2008-08-17 15:05   17,144   --a------   c:\windows\system32\drivers\mbam.sys
2008-12-20 13:56 . 2008-12-20 13:56   <DIR>   d--------   c:\program files\AVG
2008-12-20 13:56 . 2008-12-20 13:56   <DIR>   d--------   c:\documents and settings\ghg\Dane aplikacji\AVGTOOLBAR
2008-12-20 13:54 . 2008-12-20 13:54   185,360   --a------   c:\windows\93F052818150775EEA9A47BDB86D4EF3.exe
2008-12-20 13:43 . 2008-12-20 13:43   160   --a------   C:\log.udt
2008-12-19 20:59 . 2008-12-19 20:59   <DIR>   d--------   C:\Games
2008-12-15 14:59 . 2008-12-15 14:59   <DIR>   d--------   c:\documents and settings\ghg\Dane aplikacji\Activision
2008-12-15 14:56 . 2008-12-15 14:56   286   --a------   c:\windows\game.ini
2008-12-12 11:19 . 2008-12-12 11:32   <DIR>   d--------   c:\program files\eMule
2008-12-12 10:57 . 2008-12-12 11:03   <DIR>   d--------   c:\program files\BitComet
2008-12-12 10:57 . 2008-12-12 10:57   <DIR>   d--------   C:\Downloads
2008-12-11 21:56 . 2008-12-11 21:56   <DIR>   d--------   c:\documents and settings\ghg\Dane aplikacji\HTML Executable
2008-12-11 21:56 . 2008-12-13 14:38   <DIR>   d--------   c:\documents and settings\ghg\Dane aplikacji\Desktopicon
2008-12-11 21:48 . 2008-12-11 21:49   <DIR>   d--------   c:\documents and settings\ghg\Dane aplikacji\concept design
2008-12-11 21:48 . 2006-05-21 15:15   966,144   --a------   c:\windows\system32\NCTAudioInformation2.dll
2008-12-11 21:48 . 2006-05-21 15:15   634,880   --a------   c:\windows\system32\NCTAudioEditor2.dll
2008-12-11 21:48 . 2006-05-21 15:15   522,752   --a------   c:\windows\system32\NCTAudioTransform2.dll
2008-12-11 21:48 . 2006-05-21 15:15   237,568   --a------   c:\windows\system32\lame_enc.dll
2008-12-07 13:47 . 2008-12-07 13:47   <DIR>   d--------   c:\program files\sgs
2008-12-07 11:01 . 2008-12-07 11:01   <DIR>   d--------   c:\program files\DAEMON Tools Pro
2008-12-07 10:52 . 2008-12-07 10:52   <DIR>   d--------   c:\program files\Alcohol Soft
2008-12-07 10:52 . 2004-04-30 09:37   160,640   --a------   c:\windows\system32\drivers\a347bus.sys
2008-12-07 10:52 . 2004-04-30 09:33   5,248   --a------   c:\windows\system32\drivers\a347scsi.sys
2008-12-01 20:38 . 2008-12-18 16:54   <DIR>   d--------   C:\My Downloads
2008-11-30 19:27 . 2008-11-30 19:27   <DIR>   d--------   c:\documents and settings\All Users\Dane aplikacji\Trymedia
2008-11-30 19:10 . 2008-11-30 19:10   <DIR>   d--------   c:\program files\Eidos
2008-11-29 20:50 . 2008-11-29 20:51   <DIR>   d--------   c:\documents and settings\ghg\Dane aplikacji\DAEMON Tools Pro
2008-11-29 15:25 . 2008-11-29 15:25   278,984   --a------   c:\windows\system32\drivers\atksgt.sys
2008-11-29 15:25 . 2008-11-29 15:25   25,416   --a------   c:\windows\system32\drivers\lirsgt.sys
2008-11-27 16:31 . 2008-11-27 16:31   604,432   --a------   c:\windows\system32\comctl32.ocx
2008-11-27 16:30 . 2008-12-12 18:58   <DIR>   d--------   c:\program files\TransEsp
2008-11-27 15:53 . 1998-09-02 09:02   194,320   --a------   c:\windows\system32\qcut.dll
2008-11-27 15:53 . 1998-08-27 05:51   182,032   --a------   c:\windows\system32\dxtmsft3.dll
2008-11-27 15:53 . 1998-08-20 12:02   140,800   --a------   c:\windows\system32\tm20dec.ax
2008-11-27 15:53 . 1998-09-02 09:28   63,488   --a------   c:\windows\system32\unam4ie.exe
2008-11-27 15:53 . 1998-09-02 09:28   38,160   --a------   c:\windows\system32\LMRTREND.dll
2008-11-27 15:53 . 1998-08-17 10:21   11,776   --a------   c:\windows\system32\mciqtz.drv
2008-11-27 15:53 . 1998-08-17 10:21   10,240   --a------   c:\windows\system32\vidx16.dll
2008-11-27 15:53 . 1998-08-17 10:21   5,672   --a------   c:\windows\system32\quartz.vxd
2008-11-27 15:53 . 2008-11-27 15:53   4,608   --a------   c:\windows\system32\w95inf32.dll
2008-11-27 15:53 . 2008-11-27 15:53   2,272   --a------   c:\windows\system32\w95inf16.dll
2008-11-27 15:52 . 2008-11-27 15:52   <DIR>   d--------   c:\program files\Auralog
2008-11-27 15:52 . 2008-11-27 16:11   11   --a------   C:\trace.ini
2008-11-24 19:46 . 2008-11-24 20:03   <DIR>   d--------   c:\program files\Gothic III
2008-11-23 19:05 . 2008-11-23 19:05   183,112   --a------   c:\windows\system32\PnkBstrB.exe
2008-11-23 19:05 . 2008-11-23 19:05   138,184   --a------   c:\windows\system32\drivers\PnkBstrK.sys
2008-11-23 19:05 . 2008-11-23 19:05   66,872   --a------   c:\windows\system32\PnkBstrA.exe
2008-11-22 14:10 . 2008-12-02 20:34   <DIR>   d--------   C:\Pro.Evolution.Soccer.2009.Full-Rip.Skullptura

.
((((((((((((((((((((((((((((((((((((((((   Sekcja Find3M   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-20 15:30   ---------   d-----w   c:\program files\AutoConnect
2008-12-20 14:52   ---------   d-----w   c:\documents and settings\All Users\Dane aplikacji\avg8
2008-12-20 13:01   ---------   d-----w   c:\documents and settings\ghg\Dane aplikacji\OpenOffice.ux.pl2
2008-12-20 12:40   ---------   d-----w   c:\program files\Google
2008-12-16 09:18   ---------   d-----w   c:\program files\Gadu-Gadu
2008-12-15 13:56   ---------   d--h--w   c:\program files\InstallShield Installation Information
2008-11-28 19:53   ---------   d-----w   c:\program files\NAPI-PROJEKT
2008-11-28 19:53   ---------   d-----w   c:\program files\ALLPlayer
2008-11-22 12:59   ---------   d-----w   c:\program files\bwin
2008-11-19 19:52   ---------   d-----w   c:\program files\Common Files\InstallShield
2008-11-19 19:52   ---------   d-----w   c:\documents and settings\ghg\Dane aplikacji\Leadertech
2008-11-16 22:35   ---------   d-----w   c:\program files\Reference Assemblies
2008-11-16 22:35   ---------   d-----w   c:\program files\MSBuild
2008-11-16 22:30   ---------   d-----w   c:\program files\MSXML 6.0
2008-11-10 14:21   ---------   d-----w   c:\documents and settings\ghg\Dane aplikacji\temp
2008-11-08 23:08   ---------   d-----w   c:\program files\DAEMON Tools Lite
2008-11-08 22:55   ---------   d-----w   c:\program files\DAEMON Tools Toolbar
2008-11-08 12:18   ---------   d-----w   c:\program files\Common Files\xing shared
2008-11-08 12:18   ---------   d-----w   c:\program files\Common Files\Real
2008-11-08 12:17   348,160   ----a-w   c:\windows\system32\msvcr71.dll
2008-11-08 12:17   ---------   d-----w   c:\program files\Real
2008-11-08 06:20   ---------   d-----w   c:\documents and settings\ghg\Dane aplikacji\Lingoes
2008-11-03 18:34   43,520   ----a-w   c:\windows\system32\CmdLineExt03.dll
2008-11-02 13:18   ---------   d-----w   c:\program files\Common Files\Wise Installation Wizard
2008-11-02 11:54   ---------   d-----w   c:\documents and settings\ghg\Dane aplikacji\Sports Interactive
2008-11-02 11:54   ---------   d-----w   c:\documents and settings\All Users\Dane aplikacji\Sports Interactive
2008-11-02 11:53   ---------   d--h--w   c:\program files\Zero G Registry
2008-10-30 04:04   ---------   d-----w   c:\program files\City Interactive
2008-10-27 09:04   70,992   ----a-w   c:\windows\system32\XAPOFX1_2.dll
2008-10-27 09:04   514,384   ----a-w   c:\windows\system32\XAudio2_3.dll
2008-10-27 09:04   235,856   ----a-w   c:\windows\system32\xactengine3_3.dll
2008-10-27 09:04   23,376   ----a-w   c:\windows\system32\X3DAudio1_5.dll
2008-10-27 07:58   22,328   ----a-w   c:\documents and settings\ghg\Dane aplikacji\PnkBstrK.sys
2008-10-27 07:50   ---------   d-----w   c:\program files\Ubisoft
2008-10-24 18:42   ---------   d-----w   c:\documents and settings\ghg\Dane aplikacji\Ahead
2008-10-24 11:10   453,632   ----a-w   c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 13:01   283,648   ----a-w   c:\windows\system32\gdi32.dll
2008-10-21 06:10   107,888   ----a-w   c:\windows\system32\CmdLineExt.dll
2008-10-20 11:03   ---------   d-----w   c:\documents and settings\ghg\Dane aplikacji\Mount&Blade
2008-10-20 06:37   ---------   d-----w   c:\program files\AGEIA Technologies
2008-10-16 20:33   826,368   ----a-w   c:\windows\system32\wininet.dll
2008-10-16 13:13   202,776   ----a-w   c:\windows\system32\wuweb.dll
2008-10-16 13:13   1,809,944   ----a-w   c:\windows\system32\wuaueng.dll
2008-10-16 13:12   561,688   ----a-w   c:\windows\system32\wuapi.dll
2008-10-16 13:12   323,608   ----a-w   c:\windows\system32\wucltui.dll
2008-10-16 13:09   92,696   ----a-w   c:\windows\system32\cdm.dll
2008-10-16 13:09   51,224   ----a-w   c:\windows\system32\wuauclt.exe
2008-10-16 13:09   43,544   ----a-w   c:\windows\system32\wups2.dll
2008-10-16 13:08   34,328   ----a-w   c:\windows\system32\wups.dll
2008-10-11 07:08   24,936   ----a-w   c:\documents and settings\ghg\Dane aplikacji\GDIPFONTCACHEV1.DAT
2008-10-10 03:52   452,440   ----a-w   c:\windows\system32\d3dx10_40.dll
2008-10-10 03:52   4,379,984   ----a-w   c:\windows\system32\D3DX9_40.dll
2008-10-10 03:52   2,036,576   ----a-w   c:\windows\system32\D3DCompiler_40.dll
2008-10-03 10:17   247,326   ----a-w   c:\windows\system32\strmdll.dll
2008-09-30 15:43   1,286,152   ----a-w   c:\windows\system32\msxml4.dll
2008-09-23 18:22   16,608   ----a-w   c:\windows\gdrv.sys
2008-09-23 18:02   315,392   ----a-w   c:\windows\HideWin.exe
.

(((((((((((((((((((((((((((((((((((((   Wpisy startowe rejestru   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ADA8C222-95D2-47B5-950B-AEBC0A508839}]
2001-09-12 13:20   52754   --a------   c:\windows\system32\spria.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{32099AAC-C132-4136-9E9A-4E364A424E17}"= "c:\program files\DAEMON Tools Toolbar\DTToolbar.dll" [2008-10-14 863688]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{32099AAC-C132-4136-9E9A-4E364A424E17}"= "c:\program files\DAEMON Tools Toolbar\DTToolbar.dll" [2008-10-14 863688]

[HKEY_CLASSES_ROOT\clsid\{32099aac-c132-4136-9e9a-4e364a424e17}]
[HKEY_CLASSES_ROOT\DTToolbar.ToolBandObj.1]
[HKEY_CLASSES_ROOT\TypeLib\{3E288F79-03E4-4983-A48E-0D879B51FF19}]
[HKEY_CLASSES_ROOT\DTToolbar.ToolBandObj]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"AutoConnect"="c:\program files\AutoConnect\AutoConnect.exe" [2006-12-03 310784]
"Gadu-Gadu"="c:\program files\Gadu-Gadu\gg.exe" [2008-03-20 2127296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpeedTouch USB Diagnostics"="c:\program files\Thomson\SpeedTouch USB\Dragdiag.exe" [2003-09-05 878080]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]

c:\documents and settings\All Users\Menu Start\Programy\Autostart\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-28 241664]
HP Image Zone - szybkie uruchamianie.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-05-28 53248]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cffafbdbca]
2001-09-12 13:20 313873 c:\windows\system32\cffafbdbca.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=nvwcux.dllavgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders   msapsspc.dll schannel.dll digest.dll msnsspc.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\Bit Lord 1.1\\BitLord.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\BearShare\\BearShare.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FarCry2.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Launcher.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Editor.exe"=
"d:\\Gry\\FIM Speedway GP 3\\sgp3.exe"=
"c:\\Pro.Evolution.Soccer.2009.Full-Rip.Skullptura\\PES 2009\\pes2009.exe"=
"c:\\Program Files\\Gadu-Gadu\\gg.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8461:TCP"= 8461:TCP:GoD High Port
"8462:TCP"= 8462:TCP:GoD Low Port
"8956:TCP"= 8956:TCP:BitComet 8956 TCP
"8956:UDP"= 8956:UDP:BitComet 8956 UDP

R0 pe3aq6eb;FIM Speedway GP3 Environment Driver (pe3aq6eb);c:\windows\system32\drivers\pe3aq6eb.sys [2008-04-03 69248]
R0 ps7aq6eb;FIM Speedway GP3 Synchronization Driver (ps7aq6eb);c:\windows\system32\drivers\ps7aq6eb.sys [2008-04-03 68744]
R0 sfdrv01a;StarForce Protection Environment Driver (version 1.x.a);c:\windows\system32\drivers\sfdrv01a.sys [2006-07-05 63352]
S0 6b60e6867f278aade01dd2abd2db9adf;6b60e6867f278aade01dd2abd2db9adf;c:\windows\system32\6b60e6867f278aade01dd2abd2db9adf.sys []
S2 pr2aq6eb;FIM Speedway GP3 Drivers Auto Removal (pr2aq6eb);c:\windows\system32\pr2aq6eb.exe svc []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\boot.com c:
\Shell\Open\command - C:\

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\boot.com d:
\Shell\Open\command - d:\resycled\boot.com d:

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b56763ac-96dc-11dd-8218-000e5087cc53}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(&0)\command - Recycled\ctfmon.exe

*Newly Created Service* - PROCEXP90
.
- - - - USUNIĘTO PUSTE WPISY - - - -

HKLM-Run-spywareguard - c:\program files\Spyware Guard 2008\spywareguard.exe


.
------- Skan uzupełniający -------
.
uStart Page = hxxp://google.bearshare.com/pl
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&ksport do programu Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-20 17:01:04
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

skanowanie ukrytych procesów ...

skanowanie ukrytych wpisów autostartu ...

skanowanie ukrytych plików ...

skanowanie pomyślnie ukończone
ukryte pliki: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\msqpdxserv.sys]
"imagepath"="\systemroot\system32\drivers\msqpdxpqltoiqh.sys"
.
--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------

- - - - - - - > 'winlogon.exe'(772)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\cffafbdbca.dll
.
Czas ukończenia: 2008-12-20 17:01:51
ComboFix-quarantined-files.txt  2008-12-20 16:01:40

Przed: 7,862,673,408 bajtów wolnych
Po: 7,839,219,712 bajtów wolnych

294   --- E O F ---   2008-12-11 11:59:02

[wojtas]

zmień nazwe tematu oraz prosze objąć log w tagi daj tez loga z combofixa i hijacka

[bartekbc1]

Hijack coś mi nie działa ale mam loga z SDFixa:

Kod: Zaznacz wszystko

[b]SDFix: Version 1.240 [/b]
Run by ghg on 2008-12-20 at 16:23

Microsoft Windows XP [Wersja 5.1.2600]
Running From: C:\SDFix

[b]Checking Services [/b]:


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


[b]Checking Files [/b]:

Trojan Files Found:

C:\autorun.inf - Deleted
C:\resycled\boot.com - Deleted
C:\DOCUME~1\ghg\USTAWI~1\Temp\TMP12.tmp - Deleted
C:\DOCUME~1\ghg\USTAWI~1\Temp\TMP13.tmp - Deleted
C:\DOCUME~1\ghg\USTAWI~1\Temp\TMP18.tmp - Deleted
C:\DOCUME~1\ghg\USTAWI~1\Temp\TMP1D.tmp - Deleted
C:\DOCUME~1\ghg\USTAWI~1\Temp\TMP2C.tmp - Deleted
C:\DOCUME~1\ghg\USTAWI~1\Temp\TMP2D.tmp - Deleted
C:\DOCUME~1\ghg\USTAWI~1\Temp\tmp3.tmp - Deleted
C:\DOCUME~1\ghg\USTAWI~1\Temp\tmp4.tmp - Deleted
C:\DOCUME~1\ghg\USTAWI~1\Temp\TMP4A.tmp - Deleted
C:\DOCUME~1\ghg\USTAWI~1\Temp\TMP4B.tmp - Deleted
C:\DOCUME~1\ghg\USTAWI~1\Temp\TMP4C.tmp - Deleted
C:\DOCUME~1\ghg\USTAWI~1\Temp\TMP4D.tmp - Deleted
C:\DOCUME~1\ghg\USTAWI~1\Temp\TMP52.tmp - Deleted
C:\DOCUME~1\ghg\USTAWI~1\Temp\TMP54.tmp - Deleted
C:\DOCUME~1\ghg\USTAWI~1\Temp\TMP57.tmp - Deleted
C:\DOCUME~1\ghg\USTAWI~1\Temp\TMP58.tmp - Deleted
C:\DOCUME~1\ghg\USTAWI~1\Temp\TMP5A.tmp - Deleted
C:\DOCUME~1\ghg\USTAWI~1\Temp\TMP5B.tmp - Deleted
C:\DOCUME~1\ghg\USTAWI~1\Temp\TMP5C.tmp - Deleted
C:\DOCUME~1\ghg\USTAWI~1\Temp\TMP5D.tmp - Deleted
C:\DOCUME~1\ghg\USTAWI~1\Temp\TMP60.tmp - Deleted
C:\DOCUME~1\ghg\USTAWI~1\Temp\TMP61.tmp - Deleted
C:\DOCUME~1\ghg\USTAWI~1\Temp\TMP65.tmp - Deleted
C:\DOCUME~1\ghg\USTAWI~1\Temp\TMP66.tmp - Deleted
C:\DOCUME~1\ghg\USTAWI~1\Temp\TMP6C.tmp - Deleted
C:\DOCUME~1\ghg\USTAWI~1\Temp\TMP6D.tmp - Deleted
C:\DOCUME~1\ghg\USTAWI~1\Temp\TMP6F.tmp - Deleted
C:\DOCUME~1\ghg\USTAWI~1\Temp\TMP70.tmp - Deleted
C:\DOCUME~1\ghg\USTAWI~1\Temp\TMP72.tmp - Deleted
C:\DOCUME~1\ghg\USTAWI~1\Temp\TMP74.tmp - Deleted
C:\DOCUME~1\ghg\USTAWI~1\Temp\TMP76.tmp - Deleted
C:\DOCUME~1\ghg\USTAWI~1\Temp\TMP79.tmp - Deleted
C:\DOCUME~1\ghg\USTAWI~1\Temp\TMP7A.tmp - Deleted
C:\DOCUME~1\ghg\USTAWI~1\Temp\TMP7B.tmp - Deleted
C:\DOCUME~1\ghg\USTAWI~1\Temp\TMP7E.tmp - Deleted
C:\DOCUME~1\ghg\USTAWI~1\Temp\TMP80.tmp - Deleted
C:\DOCUME~1\ghg\USTAWI~1\Temp\TMP81.tmp - Deleted
C:\DOCUME~1\ghg\USTAWI~1\Temp\TMP83.tmp - Deleted
C:\DOCUME~1\ghg\USTAWI~1\Temp\TMP88.tmp - Deleted
C:\DOCUME~1\ghg\USTAWI~1\Temp\TMP96.tmp - Deleted
C:\DOCUME~1\ghg\USTAWI~1\Temp\TMP9C.tmp - Deleted
C:\DOCUME~1\ghg\USTAWI~1\Temp\TMP9D.tmp - Deleted
C:\DOCUME~1\ghg\USTAWI~1\Temp\TMPAF.tmp - Deleted
C:\DOCUME~1\ghg\USTAWI~1\Temp\TMPB3.tmp - Deleted
C:\DOCUME~1\ghg\USTAWI~1\Temp\TMPB4.tmp - Deleted
C:\DOCUME~1\ghg\USTAWI~1\Temp\TMPB7.tmp - Deleted
C:\DOCUME~1\ghg\USTAWI~1\Temp\TMPC.tmp - Deleted
C:\DOCUME~1\ghg\USTAWI~1\Temp\TMPCF.tmp - Deleted
C:\DOCUME~1\ghg\USTAWI~1\Temp\TMPD.tmp - Deleted



Folder C:\resycled - Removed


Removing Temp Files

[b]ADS Check [/b]:



                                 [b]Final Check [/b]:

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-20 16:30:19
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

disk error: C:\WINDOWS\system32\config\system, 0
scanning hidden registry entries ...

disk error: C:\WINDOWS\system32\config\software, 0
disk error: C:\Documents and Settings\ghg\ntuser.dat, 0
scanning hidden files ...

disk error: C:\WINDOWS\

please note that you need administrator rights to perform deep scan

[b]Remaining Services [/b]:




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"="C:\\Program Files\\Winamp Remote\\bin\\Orb.exe:*:Enabled:Orb"
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"="C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe:*:Enabled:OrbTray"
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"="C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe:*:Enabled:Orb Stream Client"
"C:\\Program Files\\Bit Lord 1.1\\BitLord.exe"="C:\\Program Files\\Bit Lord 1.1\\BitLord.exe:*:Enabled:BitLord"
"C:\\Program Files\\Opera\\opera.exe"="C:\\Program Files\\Opera\\opera.exe:*:Enabled:Opera Internet Browser"
"D:\\Gry\\Counter Strike 1.6\\Counter-Strike 1.6 + Half-Life\\hl.exe"="D:\\Gry\\Counter Strike 1.6\\Counter-Strike 1.6 + Half-Life\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Documents and Settings\\ghg\\Pulpit\\Programy\\Nowe Gadu-Gadu\\gg.exe"="C:\\Documents and Settings\\ghg\\Pulpit\\Programy\\Nowe Gadu-Gadu\\gg.exe:*:Enabled:Nowe Gadu-Gadu beta"
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"="C:\\Program Files\\SopCast\\adv\\SopAdver.exe:*:Enabled:SopCast Adver"
"C:\\Program Files\\SopCast\\SopCast.exe"="C:\\Program Files\\SopCast\\SopCast.exe:*:Enabled:SopCast Main Application"
"C:\\Program Files\\BearShare\\BearShare.exe"="C:\\Program Files\\BearShare\\BearShare.exe:*:Enabled:BearShare"
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"="C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe:*:Enabled:BlueSoleil"
"C:\\Program Files\\iMesh Applications\\iMesh\\iMesh.exe"="C:\\Program Files\\iMesh Applications\\iMesh\\iMesh.exe:*:Enabled:iMesh"
"D:\\Gry\\Earned\\System\\EiB.exe"="D:\\Gry\\Earned\\System\\EiB.exe:*:Enabled:Brothers In Arms Earned In Blood"
"C:\\Program Files\\Cyanide\\GameCenter\\GameCenter.exe"="C:\\Program Files\\Cyanide\\GameCenter\\GameCenter.exe:*:Enabled:GameCenter"
"D:\\Gry\\Pro Cycling Manager - Season 2008\\PCM.exe"="D:\\Gry\\Pro Cycling Manager - Season 2008\\PCM.exe:*:Enabled:Pro Cycling Manager - Season 2008"
"D:\\Gry\\Pro Cycling Manager - Season 2008\\Autorun\\Exe\\Autorun.exe"="D:\\Gry\\Pro Cycling Manager - Season 2008\\Autorun\\Exe\\Autorun.exe:*:Enabled:Pro Cycling Manager - Season 2008 - AutoRun"
"C:\\Program Files\\Bit Lord 1.1\\Downloads\\PC_Brothers In Arms - Hells Highway (eng)-.direct.play.-ToeD\\Ubisoft\\Gearbox Software\\Brothers in Arms - Hell's Highway\\Binaries\\biahh.exe"="C:\\Program Files\\Bit Lord 1.1\\Downloads\\PC_Brothers In Arms - Hells Highway (eng)-.direct.play.-ToeD\\Ubisoft\\Gearbox Software\\Brothers in Arms - Hell's Highway\\Binaries\\biahh.exe:*:Enabled:biahh"
"C:\\WINDOWS\\system32\\PnkBstrA.exe"="C:\\WINDOWS\\system32\\PnkBstrA.exe:*:Enabled:PnkBstrA"
"C:\\WINDOWS\\system32\\PnkBstrB.exe"="C:\\WINDOWS\\system32\\PnkBstrB.exe:*:Enabled:PnkBstrB"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FarCry2.exe"="C:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FarCry2.exe:*:Enabled:Far Cry 2"
"C:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Launcher.exe"="C:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Launcher.exe:*:Enabled:Far Cry 2 Updater"
"C:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Editor.exe"="C:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Editor.exe:*:Enabled:Editor"
"C:\\Program Files\\TVAnts\\Tvants.exe"="C:\\Program Files\\TVAnts\\Tvants.exe:*:Enabled:TVAnts"
"D:\\Gry\\FM09 Demo\\fm.exe"="D:\\Gry\\FM09 Demo\\fm.exe:*:Disabled:Football Manager 2009 Demo"
"D:\\Gry\\FIM Speedway GP 3\\sgp3.exe"="D:\\Gry\\FIM Speedway GP 3\\sgp3.exe:*:Enabled:Speedway Grand Prix 3"
"D:\\SpiderMan Web of Shadows\\image\\pc\\Spider-Man Web of Shadows.exe"="D:\\SpiderMan Web of Shadows\\image\\pc\\Spider-Man Web of Shadows.exe:*:Enabled:Spider-Man(R) - Web of Shadows(TM) "
"C:\\Program Files\\Bit Lord 1.1\\Downloads\\Iron Man\\IronMan.exe"="C:\\Program Files\\Bit Lord 1.1\\Downloads\\Iron Man\\IronMan.exe:*:Enabled:A2M Game Engine"
"C:\\Program Files\\Electronic Arts\\EADM\\Core.exe"="C:\\Program Files\\Electronic Arts\\EADM\\Core.exe:*:Enabled:EA Download Manager"
"C:\\Pro.Evolution.Soccer.2009.Full-Rip.Skullptura\\PES 2009\\pes2009.exe"="C:\\Pro.Evolution.Soccer.2009.Full-Rip.Skullptura\\PES 2009\\pes2009.exe:*:Enabled:Pro Evolution Soccer 2009"
"C:\\Program Files\\Gadu-Gadu\\gg.exe"="C:\\Program Files\\Gadu-Gadu\\gg.exe:*:Enabled:Gadu-Gadu - program gˆ˘wny"
"C:\\Program Files\\concept design\\onlineTV 4\\onlineTV.exe"="C:\\Program Files\\concept design\\onlineTV 4\\onlineTV.exe:*:Enabled:onlineTV"
"C:\\Program Files\\BitComet\\BitComet.exe"="C:\\Program Files\\BitComet\\BitComet.exe:*:Disabled:BitComet - a BitTorrent Client"
"C:\\Program Files\\eMule\\emule.exe"="C:\\Program Files\\eMule\\emule.exe:*:Enabled:eMule"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\concept design\\onlineTV 4\\onlineTV.exe"="C:\\Program Files\\concept design\\onlineTV 4\\onlineTV.exe:*:Enabled:onlineTV"

[b]Remaining Files [/b]:


File Backups: - C:\SDFix\backups\backups.zip

[b]Files with Hidden Attributes [/b]:

Wed  1 Oct 2008         4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 11 Oct 2008     1,781,804 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\cd67b86ac8b08c5fe3944945be9234e1\BIT641.tmp"
Sat 13 Dec 2008         2,661 ...HR --- "C:\Documents and Settings\ghg\Dane aplikacji\SecuROM\UserData\securom_v7_01.bak"
Wed  1 Oct 2008         4,348 ...H. --- "C:\Documents and Settings\ghg\Moje dokumenty\Moja muzyka\Kopia zapasowa licencji\drmv1key.bak"
Wed  1 Oct 2008            20 A..H. --- "C:\Documents and Settings\ghg\Moje dokumenty\Moja muzyka\Kopia zapasowa licencji\drmv1lic.bak"
Thu 25 Sep 2008           312 A.SH. --- "C:\Documents and Settings\ghg\Moje dokumenty\Moja muzyka\Kopia zapasowa licencji\drmv2key.bak"

[b]Finished![/b]


[wojtas]

daj loga z combofixa

[bartekbc1]

Jest w pierwszym poście.

[djarta]

Sprawdze Ci te logi z nudów...
Bardzo dziwny ten log z ComboFixa, dużo dla mnie jest rzeczy "nieznanych".

Wklej do Notatnika:

Kod: Zaznacz wszystko

File::
c:\windows\93F052818150775EEA9A47BDB86D4EF3.exe
C:\log.udt
c:\windows\system32\spria.dll
c:\windows\system32\6b60e6867f278aade01dd2abd2db9adf.sys
c:\windows\system32\cffafbdbca.dll

Folder::
C:\DOCUME~1\ghg\USTAWI~1\Temp
c:\program files\DAEMON Tools Toolbar

Driver::
6b60e6867f278aade01dd2abd2db9adf
msqpdxserv

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ADA8C222-95D2-47B5-950B-AEBC0A508839}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{32099AAC-C132-4136-9E9A-4E364A424E17}"=-
[-HKEY_CLASSES_ROOT\clsid\{32099aac-c132-4136-9e9a-4e364a424e17}]
[-HKEY_CLASSES_ROOT\DTToolbar.ToolBandObj.1]
[-HKEY_CLASSES_ROOT\TypeLib\{3E288F79-03E4-4983-A48E-0D879B51FF19}]
[-HKEY_CLASSES_ROOT\DTToolbar.ToolBandObj]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cffafbdbca]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=-
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=" msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b56763ac-96dc-11dd-8218-000e5087cc53}]
[-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\msqpdxserv.sys]


>>Plik>>Zapisz jako... >>> CFScript
Przeciągnij i upuść plik CFScript.txt na plik ComboFix.exe
-->
Ma się rozpocząć usuwanie. (i powstanie log).Daj ten log, który powstanie w trakcie usuwania.
Jeśli pójdzie dobrze, to: Po restarcie usuń ręcznie folder C:\Qoobox.



====================
K.

[bartekbc1]

THNX. Już wszystko gra.

[djarta]

No ale daj log po operacji.!



===========
K.