
I carried out almost all the instructions from my other thread, but I created a new one so as not to mix up the logs [that one is the desktop, this is the laptop].
However, I still have problems with strange entries in ComboFix and I don't know how to remove them.
Log:
ComboFix 09-01-31.02 - DaGts 2009-02-01 14:08:05.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1250.1.1045.18.447.58 [GMT 1:00]
Uruchomiony z: c:\documents and settings\DaGts\Pulpit\ComboFix.exe
* Utworzono nowy punkt przywracania
.
((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\uvsqfgwd.cmd
D:\Autorun.inf
D:\uvsqfgwd.cmd
.
((((((((((((((((((((((((( Pliki utworzone od 2009-01-01 do 2009-02-01 )))))))))))))))))))))))))))))))
.
2009-02-01 14:00 . 2009-02-01 14:00 <DIR> d-------- c:\documents and settings\DaGts\DoctorWeb
2009-02-01 13:57 . 2009-02-01 13:57 <DIR> d-------- C:\!KillBox
2009-02-01 13:55 . 2009-02-01 13:55 <DIR> d-------- C:\ERDNT
2009-02-01 13:55 . 2009-02-01 13:55 <DIR> d-------- C:\!FixIEDef
2009-01-31 21:35 . 2009-02-01 13:55 <DIR> d-------- c:\windows\ERUNT
2009-01-31 20:56 . 2009-01-31 21:30 109,930 -r-hs---- C:\a2h2.com
2009-01-31 20:55 . 2009-01-31 21:30 95,744 -r-hs---- c:\windows\system32\nmdfgds1.dll
2009-01-30 02:49 . 2009-01-31 19:28 <DIR> d-------- c:\program files\CzasoWyłącznik
2009-01-29 14:46 . 2009-01-29 21:28 <DIR> d-------- c:\program files\Rapid Express
2009-01-28 19:09 . 2009-01-28 19:09 <DIR> d-------- c:\program files\xp-AntiSpy
2009-01-25 00:34 . 2009-02-01 13:49 95,744 -r-hs---- c:\windows\system32\nmdfgds0.dll
2009-01-13 22:05 . 2009-01-13 22:06 <DIR> d-------- c:\program files\QuickTime
2009-01-13 22:05 . 2009-01-13 22:05 <DIR> d-------- c:\program files\Common Files\Apple
2009-01-13 22:04 . 2009-01-13 22:04 <DIR> d-------- c:\program files\Apple Software Update
2009-01-13 22:04 . 2009-01-13 22:04 <DIR> d-------- c:\documents and settings\All Users\Dane aplikacji\Apple Computer
2009-01-13 22:04 . 2009-01-13 22:04 <DIR> d-------- c:\documents and settings\All Users\Dane aplikacji\Apple
2009-01-11 17:35 . 2009-01-11 17:35 <DIR> d-------- c:\documents and settings\DaGts\Dane aplikacji\DAEMON Tools Pro
2009-01-11 17:35 . 2009-01-11 17:35 <DIR> d-------- c:\documents and settings\DaGts\Dane aplikacji\DAEMON Tools
2009-01-11 17:34 . 2009-01-11 17:34 <DIR> d-------- c:\program files\DAEMON Tools Lite
2009-01-11 17:34 . 2009-01-11 17:34 <DIR> d-------- c:\documents and settings\All Users\Dane aplikacji\DAEMON Tools Lite
2009-01-11 17:27 . 2009-01-11 17:36 <DIR> d-------- c:\documents and settings\DaGts\Dane aplikacji\DAEMON Tools Lite
2009-01-11 17:27 . 2009-01-11 17:27 717,296 --a------ c:\windows\system32\drivers\sptd.sys
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-23 21:42 --------- d-----w c:\program files\NAPI-PROJEKT
2009-01-21 18:14 --------- d-----w c:\program files\ALLPlayer
2009-01-09 23:49 --------- d-----w c:\program files\sXe Injected
2008-12-10 00:36 --------- d-----w c:\documents and settings\All Users\Dane aplikacji\Microsoft Help
2008-12-10 00:29 --------- d-----w c:\program files\MSBuild
2008-12-10 00:29 --------- d-----w c:\program files\Microsoft Works
2008-12-06 17:53 --------- d-----w c:\program files\THQ
2008-12-06 07:07 --------- d-----w c:\program files\Winamp
2008-11-23 21:20 921,600 ----a-w c:\windows\system32\vorbisenc.dll
2008-11-23 21:20 892,928 ----a-w c:\windows\system32\iconv.dll
2008-11-23 21:20 237,568 ----a-w c:\windows\system32\OggDS.dll
2008-11-23 21:19 9,216 ----a-w c:\windows\system32\cpuinf32.dll
2008-11-23 21:19 45,056 ----a-w c:\windows\system32\ogg.dll
2008-11-23 21:19 245,760 ----a-w c:\windows\system32\mplvpx.dll
2008-11-23 21:19 188,416 ----a-w c:\windows\system32\vorbis.dll
2008-11-23 21:19 1,415,680 ----a-w c:\windows\system32\WMV9VCM.dll
2008-11-13 00:08 410,976 ----a-w c:\windows\system32\deploytk.dll
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dzieńdobry!"="c:\program files\VSD Software\Dzieńdobry!\dziendobry.exe" [2007-04-04 753664]
"TV Watcher"="c:\program files\TV Watcher\TV Watcher.exe" [2007-10-14 1210368]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-12-29 687560]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"HControl"="c:\windows\ATK0100\HControl.exe" [2006-10-14 110592]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-13 136600]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"RTHDCPL"="RTHDCPL.EXE" [2006-10-30 c:\windows\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"d:\\Counter-Strike\\hl.exe"=
"d:\\Counter-Strike\\hlds.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
R3 ASNDIS5;ASNDIS5 Protocol Driver;c:\windows\ATK0100\ASNDIS5.sys [2004-05-28 16269]
--- Inne Usługi/Sterowniki w Pamięci ---
*Deregistered* - DwShield00002702
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{806851ee-b338-11dd-b84b-0015af1e5220}]
\Shell\AutoRun\command - F:\e.cmd
\Shell\explore\Command - F:\e.cmd
\Shell\open\Command - F:\e.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c92b7adc-baf1-11dd-b865-0015af1e5220}]
\Shell\AutoRun\command - F:\abk.bat
\Shell\explore\Command - F:\abk.bat
\Shell\open\Command - F:\abk.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d7db6b56-aaab-11dd-b836-001a92ea4fce}]
\Shell\AutoRun\command - F:\e.cmd
\Shell\explore\Command - F:\e.cmd
\Shell\open\Command - F:\e.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f608e31a-bef1-11dd-9953-806d6172696f}]
\Shell\AutoRun\command - F:\e.cmd
\Shell\explore\Command - F:\e.cmd
\Shell\open\Command - F:\e.cmd
.
Zawartość folderu 'Zaplanowane zadania'
2008-11-12 c:\windows\Tasks\Pain - Shut Your Mouth.job
- d:\rock mp3\Pain - Shut Your Mouth.mpg [2007-06-30 07:49]
.
- - - - USUNIĘTO PUSTE WPISY - - - -
HKCU-Run-cdoosoft - c:\windows\system32\olhrwef.exe
.
------- Skan uzupełniający -------
.
uStart Page = hxxp://www.google.pl/
uInternet Connection Wizard,ShellNext = iexplore
IE: E&ksportuj do programu Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\DaGts\Dane aplikacji\Mozilla\Firefox\Profiles\9aatto36.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampie7&query=
FF - prefs.js: browser.search.selectedEngine - Winamp Search
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampab&query=
FF - component: c:\documents and settings\DaGts\Dane aplikacji\Mozilla\Firefox\Profiles\9aatto36.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\components\WinampTBPlayer.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-01 14:09:12
Windows 5.1.2600 Dodatek Service Pack 3 NTFS
skanowanie ukrytych procesów ...
skanowanie ukrytych wpisów autostartu ...
skanowanie ukrytych plików ...
skanowanie pomyślnie ukończone
ukryte pliki: 0
**************************************************************************
.
--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------
- - - - - - - > 'winlogon.exe'(624)
c:\windows\system32\Ati2evxx.dll
.
Czas ukończenia: 2009-02-01 14:10:11
ComboFix-quarantined-files.txt 2009-02-01 13:10:08
Przed: 11 999 264 768 bajtów wolnych
Po: 12,047,138,816 bajtów wolnych
143
HJ log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:17:28, on 2009-02-01
Platform: Windows XP Dodatek SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\DaGts\Pulpit\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [Dzieńdobry!] C:\Program Files\VSD Software\Dzieńdobry!\dziendobry.exe /auto
O4 - HKCU\..\Run: [TV Watcher] "C:\Program Files\TV Watcher\TV Watcher.exe" /a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Wyślij do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Wyślij &do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
--
End of file - 4576 bytes