proszę o sprawdzenie loga

[katani]

Proszę o sprawdzenie loga. Podejrzany jest reklamiarz not-a-virus:Downloader.Win32.WinFixer.au
Niby wszystko usunąłem ale jeszcze coś zostało. Coś próbuje uruchamiać plik explorer.exe który chce łączyć się z witryną www.thanetwork.com.com [81.29.248.50]
jak to usunąć?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:39:09, on 2007-10-31
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\smc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\PROGRA~1\Avast4\ashDisp.exe
C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
C:\Program Files\Virtual CD v9\System\VC9Play.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Virtual CD v9\System\VC9Tray.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virtual CD v9\System\vc9secs.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: MSVPS System - {93205C3F-1221-43F4-847F-007C6A4CE9A5} - C:\WINDOWS\advrepgpd.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: The sdrmod - {BA79EE59-166F-4E9E-90A6-56489C45B48A} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\smc.exe -startgui
O4 - HKLM\..\Run: [VC9Player] C:\Program Files\Virtual CD v9\System\VC9Play.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.pl/resources/virusscanner/kavwebscan_unicode.cab
O21 - SSODL: hupsrv - {E2F9427A-AF93-4F8F-BBD3-44B9012DC4E8} - C:\WINDOWS\hupsrv.dll
O21 - SSODL: bindmod - {A524554D-F38E-4322-9FC4-FD93BCB43F22} - (no file)
O21 - SSODL: msmhost - {33783296-6BBC-4272-AE83-C285497709AF} - C:\WINDOWS\msmhost.dll (file missing)
O21 - SSODL: msmdev - {00555310-C58B-4D9A-8565-CD4E7A7D4CCE} - (no file)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast4\ashWebSv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\smc.exe
O23 - Service: Virtual CD v9 Management Service (VC9SecS) - H+H Software GmbH - C:\Program Files\Virtual CD v9\System\vc9secs.exe

--
End of file - 4720 bytes

[Kuba1]

Ściągnij OTMoveIt
Po uruchomieniu aplikacji do lewego okna - Paste List of Files/Folders to be Moved wklej:

C:\WINDOWS\advrepgpd.dll
C:\WINDOWS\hupsrv.dll
C:\WINDOWS\msmhost.dll

Następnie naciskamy - MoveIt!. Pliki zostały przeniesione. Wynik operacji zobaczymy w prawym oknie Results.
Log po pracy programu zobaczymy w lokalizacji - C:\_OTMoveIt\MovedFiles
Po całej operacji należy zresetować komputer.

Uruchamiasz Hijackthis>>Do a system scan>> Zaznaczasz poniższe wpisy i wciskasz Fix Checked

O21 - SSODL: msmdev - {00555310-C58B-4D9A-8565-CD4E7A7D4CCE} - (no file)
O21 - SSODL: msmhost - {33783296-6BBC-4272-AE83-C285497709AF} - C:\WINDOWS\msmhost.dll (file missing)
O21 - SSODL: bindmod - {A524554D-F38E-4322-9FC4-FD93BCB43F22} - (no file)
O21 - SSODL: hupsrv - {E2F9427A-AF93-4F8F-BBD3-44B9012DC4E8} - C:\WINDOWS\hupsrv.dll
O3 - Toolbar: The sdrmod - {BA79EE59-166F-4E9E-90A6-56489C45B48A} - (no file)
O2 - BHO: MSVPS System - {93205C3F-1221-43F4-847F-007C6A4CE9A5} - C:\WINDOWS\advrepgpd.dll

Następnie:

Pobierz narzędzie SDFix


*Klikamy 2 krotknie na ikonę SDFix.exe,program wypakuje się domyślnie do lokalizacji C:\SDFix

*Wchodzimy do trybu awaryjnego z obsługą sieci:
>>>>>>Jak wejść do trybu awaryjnego z obsługą sieci?

*F8 podczas bootowania systemu.
*Używamy narzędzia BootSafe.exe zaznaczamy opcje Safe Mode- Networking i klikamy reboot

*Gdy już jesteśmy w trybie awaryjnym,wchodzimy do folderu SDFix i uruchamiamy narzędzie klikająć
2-krotnie na plik RunThis.bat lewym przyciskiem myszy.

*Wciskamy Y co uruchomi proces usuwania

*Kiedy proces usuwania się zakończy wciskamy dowolny klawisz>>nastąpi restart.

*Po restarcie SDFix dokończy proces usuwania,kiedy w oknie narzędzia SDFix pojawi się napis Finished
klikamy dowolny klawisz,narzędzie zakończy swoją pracę,na pulpicie załadują się ikony.

*Wchodzimy do folderu SDFix i kopiujemy zawartość pliku tekstowego Report.txt i wklejamy go na forum


Następnie zastosuj ComboFix i daj z niego loga.

Następnie zastosuj SmitFraudFix z opcji nr 2 wtrybie awaryjnym.

Podsumowując dajesz raporty z OTMoveIt,SmitFraudFix i SDFix oraz logi z ComboFix, Hijackthis i Silentrunners.

[katani]

ComboFix 07-10-29.1 - Kathanx 2007-10-31 21:25:04.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.0.1250.1.1045.18.1150 [GMT 1:00]
Running from: C:\Documents and Settings\Kathanx\Pulpit\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\nvrssk.dll
C:\WINDOWS\system32\nvrssl.dll

.
((((((((((((((((((((((((( Files Created from 2007-09-28 to 2007-10-31 )))))))))))))))))))))))))))))))
.

2007-10-31 21:24 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-31 21:13 <DIR> d-------- C:\WINDOWS\ERUNT
2007-10-31 17:50 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-31 16:43 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-10-31 16:43 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab
2007-10-31 14:19 <DIR> d-------- C:\gry
2007-10-31 14:18 306,688 --a------ C:\WINDOWS\IsUninst.exe
2007-10-31 14:15 106,496 --a------ C:\WINDOWS\system32\drivers\vdrv9000.sys
2007-10-31 14:15 11,392 --a------ C:\WINDOWS\system32\drivers\HH9Help.sys
2007-10-31 14:14 <DIR> d-------- C:\Program Files\Virtual CD v9
2007-10-31 14:14 1,843,200 --a------ C:\WINDOWS\system32\NCTAudioFile2.dll
2007-10-31 14:14 1,097,728 --a------ C:\WINDOWS\system32\NMSDVDX.dll
2007-10-31 14:14 1,044,480 --------- C:\WINDOWS\system32\ROBOEX32.DLL
2007-10-31 14:14 315,392 --a------ C:\WINDOWS\system32\NCTAudioPlayer2.dll
2007-10-31 14:13 <DIR> d-------- C:\Documents and Settings\Kathanx\Dane aplikacji\InstallShield
2007-10-01 12:03 <DIR> d-------- C:\desp1pl
2007-09-22 16:01 <DIR> d-------- C:\Program Files\ALLPlayer
2007-09-19 19:17 <DIR> d-------- C:\Program Files\Sygate
2007-09-19 19:17 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2007-09-19 19:17 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2007-09-19 19:17 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2007-09-19 19:17 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2007-09-19 19:17 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2007-09-19 19:17 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2007-09-19 19:17 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2007-09-19 19:05 <DIR> d-------- C:\WINDOWS\pss
2007-09-13 16:04 <DIR> d-------- C:\Program Files\Canon
2007-09-13 16:01 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
2007-09-13 16:00 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-09-13 15:59 <DIR> d-------- C:\Program Files\Microsoft Works
2007-09-13 15:58 <DIR> d-------- C:\WINDOWS\SHELLNEW
2007-09-13 15:56 <DIR> dr-h----- C:\MSOCache
2007-09-09 12:13 <DIR> d-------- C:\WINDOWS\Sun
2007-09-09 12:11 <DIR> d-------- C:\Program Files\Java
2007-09-09 12:10 <DIR> d-------- C:\Program Files\Common Files\Java
2007-09-03 10:20 146,944 --a------ C:\WINDOWS\system32\ptpusd.dll
2007-09-03 10:20 13,824 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-09-03 10:20 13,824 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2007-09-03 10:20 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-31 17:51 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2007-10-31 13:28 29,392 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-31 13:14 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-31 10:15 --------- d-----w C:\Program Files\Diablo II
2007-10-10 16:18 --------- d-----w C:\Documents and Settings\Kathanx\Dane aplikacji\teamspeak2
2007-10-02 09:52 --------- d-----w C:\Documents and Settings\Kathanx\Dane aplikacji\Ahead
2007-09-19 15:02 --------- d-----w C:\Program Files\Winamp
2007-09-13 15:11 --------- d-----w C:\Program Files\Avast4
2007-09-13 15:03 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-09-06 10:09 801,144 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-09-06 10:05 94,416 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-09-06 10:05 92,848 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-09-06 10:03 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-09-06 10:02 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-09-06 10:00 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
2007-09-06 10:00 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-08-19 12:36 21,840 ----a-w C:\WINDOWS\system32\SIntfNT.dll
2007-08-19 12:36 17,212 ----a-w C:\WINDOWS\system32\SIntf32.dll
2007-08-19 12:36 12,067 ----a-w C:\WINDOWS\system32\SIntf16.dll
2007-08-19 12:29 106,496 ----a-w C:\WINDOWS\DIIUnin.exe
2007-07-05 00:33 892,928 ----a-w C:\WINDOWS\system32\iconv.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\Avast4\ashDisp.exe" [2007-09-06 11:06]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2004-10-29 15:50]
"WheelMouse"="C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe" [2005-09-21 18:23]
"NWEReboot"="" []
"SmcService"="C:\PROGRA~1\Sygate\smc.exe" [2004-10-15 18:40]
"VC9Player"="C:\Program Files\Virtual CD v9\System\VC9Play.exe" [2007-09-20 13:23]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2001-10-26 17:29]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-07-09 08:39]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"


.
**************************************************************************

catchme 0.3.1239 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-31 21:28:14
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-31 21:29:09 - machine was rebooted
.
--- E O F ---

SmitFraudFix v2.246

Scan done at 21:35:55,78, 2007-10-31
Run from C:\Documents and Settings\Kathanx\Pulpit\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Wersja 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: 3Com 3C920B-EMB Integrated Fast Ethernet Controller - Sterownik miniport Harmonogramu pakietów
DNS Server Search Order: 81.219.231.42
DNS Server Search Order: 81.219.231.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{F0EEAD1F-1980-46CA-80AB-357783D1169A}: DhcpNameServer=81.219.231.42 81.219.231.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{F0EEAD1F-1980-46CA-80AB-357783D1169A}: DhcpNameServer=81.219.231.42 81.219.231.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{F0EEAD1F-1980-46CA-80AB-357783D1169A}: DhcpNameServer=81.219.231.42 81.219.231.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=81.219.231.42 81.219.231.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=81.219.231.42 81.219.231.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=81.219.231.42 81.219.231.1


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

catchme 0.3.1253 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-31 21:17:17
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vdrv9000]
"ServiceBinary"="C:\WINDOWS\System32\drivers\VDRV9000.SYS"
"Group"="SCSI Miniport"
"ImagePath"=str(2):"System32\DRIVERS\vdrv9000.sys"
"ErrorControl"=dword:00000001
"Start"=dword:00000001
"Type"=dword:00000001
"Tag"=dword:00000022

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vdrv9000\Enum]
"0"="ROOT\SCSIADAPTER\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
"INITSTARTFAILED"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vdrv9000\parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vdrv9000\security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\vdrv9000]
"ServiceBinary"="C:\WINDOWS\System32\drivers\VDRV9000.SYS"
"Group"="SCSI Miniport"
"ImagePath"=str(2):"System32\DRIVERS\vdrv9000.sys"
"ErrorControl"=dword:00000001
"Start"=dword:00000001
"Type"=dword:00000001
"Tag"=dword:00000022

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\vdrv9000\Enum]
"0"="ROOT\SCSIADAPTER\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
"INITSTARTFAILED"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\vdrv9000\parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\vdrv9000\security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,..

scanning hidden registry entries ...

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\A\1\5\1c]
"Order"=hex:08,00,00,00,02,00,00,00,b8,01,00,00,01,00,00,00,04,00,00,00,8c,..

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

SDFix: Version 1.113

Run by Kathanx on 2007-10-31 at 21:14

Microsoft Windows XP [Wersja 5.1.2600]

Running From: C:\sdfix\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default HomePage Value
Restoring Default Desktop Components Value

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\privacy_danger\index.htm - Deleted
C:\WINDOWS\privacy_danger\images\capt.gif - Deleted
C:\WINDOWS\privacy_danger\images\danger.jpg - Deleted
C:\WINDOWS\privacy_danger\images\down.gif - Deleted
C:\WINDOWS\privacy_danger\images\spacer.gif - Deleted
C:\Program Files\VideoAccessCodec\install.ico - Deleted
C:\Program Files\VideoAccessCodec\Uninstall.exe - Deleted
C:\Program Files\VideoAccessCodec\VideoAccessCodec.ocx - Deleted
C:\WINDOWS\dat.txt - Deleted
C:\WINDOWS\rs.txt - Deleted
C:\WINDOWS\sdrmod.dll - Deleted
C:\WINDOWS\search_res.txt - Deleted
C:\WINDOWS\wtopmod.exe - Deleted


Folder C:\Program Files\VideoAccessCodec - Removed
Folder C:\WINDOWS\privacy_danger - Removed

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1253 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-31 21:17:17
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vdrv9000]
"ServiceBinary"="C:\WINDOWS\System32\drivers\VDRV9000.SYS"
"Group"="SCSI Miniport"
"ImagePath"=str(2):"System32\DRIVERS\vdrv9000.sys"
"ErrorControl"=dword:00000001
"Start"=dword:00000001
"Type"=dword:00000001
"Tag"=dword:00000022

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vdrv9000\Enum]
"0"="ROOT\SCSIADAPTER\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
"INITSTARTFAILED"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vdrv9000\parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vdrv9000\security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\vdrv9000]
"ServiceBinary"="C:\WINDOWS\System32\drivers\VDRV9000.SYS"
"Group"="SCSI Miniport"
"ImagePath"=str(2):"System32\DRIVERS\vdrv9000.sys"
"ErrorControl"=dword:00000001
"Start"=dword:00000001
"Type"=dword:00000001
"Tag"=dword:00000022

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\vdrv9000\Enum]
"0"="ROOT\SCSIADAPTER\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
"INITSTARTFAILED"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\vdrv9000\parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\vdrv9000\security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,..

scanning hidden registry entries ...

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\A\1\5\1c]
"Order"=hex:08,00,00,00,02,00,00,00,b8,01,00,00,01,00,00,00,04,00,00,00,8c,..

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

Remaining Files:
---------------

File Backups: - C:\sdfix\SDFix\backups\backups.zip

Files with Hidden Attributes:


Finished!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:42:53, on 2007-10-31
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\smc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\PROGRA~1\Avast4\ashDisp.exe
C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
C:\Program Files\Virtual CD v9\System\VC9Play.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Virtual CD v9\System\VC9Tray.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virtual CD v9\System\vc9secs.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\smc.exe -startgui
O4 - HKLM\..\Run: [VC9Player] C:\Program Files\Virtual CD v9\System\VC9Play.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.pl/resources/virusscanner/kavwebscan_unicode.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast4\ashWebSv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\smc.exe
O23 - Service: Virtual CD v9 Management Service (VC9SecS) - H+H Software GmbH - C:\Program Files\Virtual CD v9\System\vc9secs.exe

--
End of file - 4104 bytes

Wszystkie negatywne zjawiska znikły. czy teraz już jest czysto?

[wojtas]

skasuj:

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

C:\WINDOWS\system32\nvrssk.dll
C:\WINDOWS\system32\nvrssl.dll

te dwa pliki przywroc z C:\qoobox\Quarantine do C:\WINDOWS\system32\ combofix sie pomylil i uznal je jako wirusy...tylko one będą mialy nazwy C:\WINDOWS\system32\nvrssk.dll.vir wtedy edytuj nazwe (kasując .vir) i wklej tam gdzie prosilem

[katani]

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:03:29, on 2007-10-31
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\smc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\PROGRA~1\Avast4\ashDisp.exe
C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
C:\Program Files\Virtual CD v9\System\VC9Play.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Virtual CD v9\System\VC9Tray.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virtual CD v9\System\vc9secs.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\smc.exe -startgui
O4 - HKLM\..\Run: [VC9Player] C:\Program Files\Virtual CD v9\System\VC9Play.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.pl/resources/virusscanner/kavwebscan_unicode.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast4\ashWebSv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\smc.exe
O23 - Service: Virtual CD v9 Management Service (VC9SecS) - H+H Software GmbH - C:\Program Files\Virtual CD v9\System\vc9secs.exe

--
End of file - 3886 bytes

pliki przywróciłem

[wojtas]

czysto

[katani]

Dzięki za pomoc