
the msdmx application...
the 0x57 application (or something like that; in any case it's a worm, I think it's spelled "boster")
Additionally, a message pops up about the need to shut down the system immediately, with the standard countdown from 59 seconds (I know this can be turned off by typing something into the Run option, but I'd like to get rid of it). The computer was unprotected for a long time. It has had an internet connection only recently. It picked up so much junk that when I checked the processes in Ctrl+Alt+Del there were about 55 strange things. First I started installing security updates for Windows (Win XP SP1 is installed), then I had to clean the registry because things had been partially uninstalled with Delete and it was clogged. Then I installed Avast and a few trojans went away. But that didn't help. Next I used SDFix and ComboFix. After SDFix and ComboFix something still remains, because those strange messages keep appearing (the ones where I then get the options Send / Don't send and I think also Debug????). After SDFix and ComboFix there are also strange messages that some application is being closed because something is missing, but when it closes (this is already a Windows message with the red error icon) nothing really happens. I spent a good 4 hours on this fight. Please help me finish it.
I'm pasting the logs from:
SDFIX:
SDFix: Version 1.124
Run by ppp on 2008-01-05 at 14:13
Microsoft Windows XP [Wersja 5.1.2600]
Running From: D:\DOCUME~1\ppp\Pulpit\NOWYFO~2\SDFix
Safe Mode:
Checking Services:
Name:
FCI
kprof
MSN RAV
ntosnh.sys
ntoss.sys
poof
runtime
Path:
C:\WINDOWS\System32\svchost.exe:ext.exe
\??\C:\WINDOWS\System32\kprof
"C:\WINDOWS\system\msnrav.exe"
\??\C:\WINDOWS\system32\drivers\ntosnh.sys
\??\C:\WINDOWS\system32\drivers\ntoss.sys
\??\C:\WINDOWS\System32\poof
\??\C:\WINDOWS\System32\drivers\runtime.sys
FCI - Deleted
kprof - Deleted
MSN RAV - Deleted
ntosnh.sys - Deleted
ntoss.sys - Deleted
poof - Deleted
runtime - Deleted
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting...
Service asc3550o - Deleted after Reboot
Service xpdx - Deleted after Reboot
Normal Mode:
Checking Files:
Trojan Files Found:
C:\WINDOWS\system32\.exe - Deleted
C:\WINDOWS\SYSTEM32\FTPUPD.EXE - Deleted
C:\29.TMP - Deleted
C:\2A.TMP - Deleted
C:\2B.TMP - Deleted
C:\2C.TMP - Deleted
C:\2D.TMP - Deleted
C:\2E.TMP - Deleted
C:\2F.TMP - Deleted
C:\30.TMP - Deleted
C:\31.TMP - Deleted
C:\32.TMP - Deleted
C:\33.TMP - Deleted
C:\34.TMP - Deleted
C:\35.TMP - Deleted
C:\36.TMP - Deleted
C:\37.TMP - Deleted
C:\38.TMP - Deleted
C:\141723~1 - Deleted
C:\WINDOWS\SYSTEM32\MDM.EXE - Deleted
C:\WINDOWS\SYSTEM32\WIN32JVE.DLL - Deleted
C:\Program Files\Helper\superfinderusa.dll - Deleted
C:\Program Files\Helper\superfindout.dll - Deleted
C:\WINDOWS\ntfyapp.config - Deleted
C:\WINDOWS\rundll32.exe - Deleted
C:\WINDOWS\system\msnrav.exe - Deleted
C:\WINDOWS\system32\.exe - Deleted
C:\WINDOWS\system32\0_exception.nls - Deleted
C:\WINDOWS\system32\a.exe - Deleted
C:\WINDOWS\system32\dload.exe - Deleted
C:\WINDOWS\system32\i - Deleted
C:\WINDOWS\system32\igfxsrvc32.exe - Deleted
C:\WINDOWS\system32\koos.exe - Deleted
C:\WINDOWS\system32\kprof - Deleted
C:\WINDOWS\system32\mmdmm.exe - Deleted
C:\WINDOWS\system32\msmsgs.exe - Deleted
C:\WINDOWS\system32\Offlce.exe - Deleted
C:\WINDOWS\system32\poof - Deleted
C:\WINDOWS\system32\svcp.csv - Deleted
C:\WINDOWS\system32\winsub.xml - Deleted
C:\WINDOWS\system32\xpdx.sys - Deleted
C:\WINDOWS\system32\wsnpoem\audio.dll - Deleted
C:\WINDOWS\system32\wsnpoem\video.dll - Deleted
Folder C:\Program Files\Helper - Removed
Folder C:\WINDOWS\system32\wsnpoem - Removed
Removing Temp Files...
ADS Check:
C:\WINDOWS
No streams found.
C:\WINDOWS\system32
No streams found.
C:\WINDOWS\system32\svchost.exe
: ADS Found!
svchost.exe: deleted 26112 bytes in 1 streams.
Checking for remaining Streams
C:\WINDOWS\system32\svchost.exe
No streams found.
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.
Final Check:
catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-05 14:21:08
Windows 5.1.2600 Dodatek Service Pack. 1 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\A\1\5\1c]
"Order"=hex:08,00,00,00,02,00,00,00,b8,01,00,00,01,00,00,00,04,00,00,00,8c,..
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services:
------------------
Authorized Application Key Export:
Remaining Files:
---------------
File Backups: - D:\DOCUME~1\ppp\Pulpit\NOWYFO~2\SDFix\backups\backups.zip
Files with Hidden Attributes:
Mon 24 Dec 2007 57,856 ..SH. --- "C:\lo.exe"
Thu 13 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\18f04ce5208bf85f21aa56793fc206ed\BIT4.tmp"
Finished!
COMBOFIX:
ComboFix 08-01-04.1 - ppp 2008-01-05 14:28:14.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1250.1.1045.18.50 [GMT 1:00]
Running from: D:\Documents and Settings\ppp\Pulpit\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\auto.exe
C:\WINDOWS\system32\cftmon.exe
C:\WINDOWS\system32\w32sys3.exe
C:\WINDOWS\system32\w32sys6.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_NTOSNH.SYS
-------\LEGACY_POOF
-------\LEGACY_RUNTIME
-------\LEGACY_XPDX
((((((((((((((((((((((((( Files Created from 2007-12-05 to 2008-01-05 )))))))))))))))))))))))))))))))
.
2008-01-05 14:27 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-05 14:12 . 2008-01-05 14:12 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-05 14:09 . 2002-09-28 23:00 137,216 --a------ D:\Documents and Settings\ppp\regedit.exe
2008-01-05 14:09 . 2002-09-28 23:00 26,112 --a------ D:\Documents and Settings\ppp\findstr.exe
2008-01-05 14:09 . 2002-09-28 23:00 11,264 --a------ D:\Documents and Settings\ppp\attrib.exe
2008-01-05 14:09 . 2002-09-28 23:00 9,216 --a------ D:\Documents and Settings\ppp\find.exe
2008-01-05 13:48 . 2008-01-05 13:48 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-01-05 13:10 . 2008-01-05 13:11 41,984 --a------ C:\xfmb.exe
2008-01-05 13:09 . 2008-01-05 13:10 58,368 --a------ C:\einmia.exe
2008-01-05 13:07 . 2008-01-05 13:07 <DIR> d-------- C:\Documents and Settings
2008-01-05 12:52 . 2008-01-05 12:52 <DIR> d-------- C:\Program Files\Alwil Software
2008-01-05 12:52 . 2007-12-04 14:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-01-05 12:52 . 2004-01-09 10:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-01-05 12:52 . 2007-12-04 13:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-01-05 12:52 . 2007-12-04 15:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-01-05 12:52 . 2007-12-04 15:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-01-05 12:52 . 2007-12-04 15:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-01-05 12:52 . 2007-12-04 15:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-01-05 12:52 . 2007-12-04 15:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-01-05 12:21 . 2008-01-05 13:19 <DIR> d-------- D:\Documents and Settings\All Users\Dane aplikacji\SecTaskMan
2008-01-05 12:18 . 2008-01-05 12:18 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-05 12:12 . 2008-01-05 12:14 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-01-05 12:12 . 2005-04-28 20:35 1,190,400 --a------ C:\WINDOWS\system32\ole32.dll
2008-01-05 12:12 . 2005-04-28 20:35 1,190,400 --a--c--- C:\WINDOWS\system32\dllcache\ole32.dll
2008-01-05 12:12 . 2004-03-06 03:21 535,552 --a------ C:\WINDOWS\system32\rpcrt4.dll
2008-01-05 12:12 . 2004-03-06 03:21 535,552 --a--c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-01-05 12:12 . 2005-04-28 20:35 275,456 --a------ C:\WINDOWS\system32\rpcss.dll
2008-01-05 12:12 . 2005-04-28 20:35 275,456 --a--c--- C:\WINDOWS\system32\dllcache\rpcss.dll
2008-01-05 12:12 . 2005-04-28 20:35 69,120 --a------ C:\WINDOWS\system32\olecli32.dll
2008-01-05 12:07 . 2008-01-05 12:07 <DIR> d-------- C:\Program Files\TweakNow RegCleaner Pro
2008-01-04 17:49 . 2008-01-04 17:52 125,952 --a------ C:\WINDOWS\system32\scr32.exe
2008-01-04 15:07 . 2008-01-05 13:08 1,608 --a------ C:\WINDOWS\accnts.exe
2008-01-03 18:06 . 2008-01-03 18:10 58,368 --a------ C:\WINDOWS\binz.exe
2008-01-01 15:51 . 2008-01-01 15:59 321,994 --a------ C:\WINDOWS\system32\WindowsUpdater.exe
2008-01-01 15:50 . 2008-01-03 17:15 385,024 --a------ C:\WINDOWS\system32\winamp32.exe
2007-12-31 14:08 . 2007-12-31 14:13 78,441 --a------ C:\WINDOWS\system32\avg.exe
2007-12-27 16:04 . 2007-12-27 16:04 <DIR> d-------- D:\Documents and Settings\ppp\Dane aplikacji\Creative
2007-12-27 15:57 . 2007-12-27 16:04 <DIR> d-------- D:\Documents and Settings\All Users\Dane aplikacji\Creative
2007-12-27 15:53 . 2003-06-12 23:25 7,062 --a------ C:\WINDOWS\system32\audiopid.vxd
2007-12-27 15:52 . 2000-05-22 09:58 647,872 --------- C:\WINDOWS\system32\Mscomct2.ocx
2007-12-27 15:52 . 2006-10-06 07:17 53,248 --------- C:\WINDOWS\Ctregrun.exe
2007-12-27 15:51 . 2007-12-27 15:52 <DIR> d-------- C:\Program Files\Audible
2007-12-27 15:51 . 2003-03-18 21:20 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2007-12-27 15:51 . 2003-03-18 20:14 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-12-27 15:51 . 2007-12-27 15:51 417,792 --a------ C:\WINDOWS\system32\awrdscdc.ax
2007-12-27 15:51 . 2003-02-21 04:42 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-12-27 15:51 . 2005-02-24 12:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-12-27 15:48 . 2007-12-27 15:50 <DIR> d--h----- C:\Program Files\Creative Installation Information
2007-12-27 15:48 . 2007-12-27 15:52 <DIR> d-------- C:\Program Files\Creative
2007-12-27 15:48 . 2007-12-27 15:48 <DIR> d-------- C:\Program Files\Common Files\Creative
2007-12-27 15:48 . 1999-12-13 02:01 44,032 --------- C:\WINDOWS\system32\CTSVCCDA.EXE
2007-12-27 15:48 . 1999-11-18 02:00 25,088 --------- C:\WINDOWS\system32\CTSVCCTL.EXE
2007-12-27 15:46 . 2007-12-27 15:46 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
2007-12-27 15:46 . 2007-12-27 15:46 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb
2007-12-26 15:00 . 2008-01-05 13:12 80,533 --a------ C:\WINDOWS\system32\msv.exe
2007-12-24 11:54 . 2007-12-24 11:54 57,856 ---hs---- C:\lo.exe
2007-12-21 13:22 . 2007-12-21 13:22 <DIR> d-------- D:\Documents and Settings\ppp\WINDOWS
2007-12-21 13:22 . 2007-12-21 13:22 <DIR> d--h----- D:\Documents and Settings\ppp\Ustawienia lokalne
2007-12-21 13:22 . 2007-12-21 13:22 <DIR> d---s---- D:\Documents and Settings\ppp\UserData
2007-12-21 13:22 . 2008-01-05 14:04 <DIR> dr------- D:\Documents and Settings\ppp\Ulubione
2007-12-21 13:22 . 2007-12-21 13:22 <DIR> d-------- D:\Documents and Settings\ppp\Szablony
2007-12-21 13:21 . 2008-01-05 14:33 <DIR> d-------- D:\Documents and Settings\ppp\Pulpit
2007-12-21 13:20 . 2008-01-04 19:37 <DIR> dr------- D:\Documents and Settings\ppp\Moje dokumenty
2007-12-21 13:20 . 2007-12-21 13:20 <DIR> dr------- D:\Documents and Settings\ppp\Menu Start
2007-12-21 13:20 . 2007-12-21 13:20 <DIR> dr------- D:\Documents and Settings\ppp\Dane aplikacji\SecuROM
2007-12-21 13:20 . 2007-12-21 13:20 <DIR> d-------- D:\Documents and Settings\ppp\Dane aplikacji\Nero
2007-12-21 13:20 . 2008-01-01 16:49 <DIR> d-------- D:\Documents and Settings\ppp\Dane aplikacji\Microsoft Games
2007-12-21 13:20 . 2007-12-21 13:20 <DIR> d-------- D:\Documents and Settings\ppp\Dane aplikacji\LEGO Company
2007-12-21 13:20 . 2007-12-21 13:20 <DIR> d-------- D:\Documents and Settings\ppp\Dane aplikacji\InterTrust
2007-12-21 13:20 . 2007-12-21 13:20 <DIR> d-------- D:\Documents and Settings\ppp\Dane aplikacji\InstallShield
2007-12-21 13:20 . 2007-12-21 13:20 <DIR> d-------- D:\Documents and Settings\ppp\Dane aplikacji\Hewlett-Packard
2007-12-21 13:20 . 2007-12-21 13:20 <DIR> dr------- D:\Documents and Settings\ppp\Dane aplikacji\CrystalSpace
2007-12-21 13:20 . 2007-12-21 13:20 <DIR> d-------- D:\Documents and Settings\ppp\Dane aplikacji\Ahead
2007-12-21 13:20 . 2007-12-27 16:04 <DIR> dr------- D:\Documents and Settings\ppp\Dane aplikacji
2007-12-21 13:20 . 2007-12-21 13:20 <DIR> d-------- D:\Documents and Settings\ppp\.jpi_cache
2007-12-21 13:20 . 2007-12-21 13:20 <DIR> d-------- D:\Documents and Settings\ppp\.java
2007-12-21 13:20 . 2007-12-21 13:20 <DIR> d--h----- D:\Documents and Settings\NetworkService\Ustawienia lokalne
2007-12-21 13:20 . 2007-12-21 13:20 <DIR> d-------- D:\Documents and Settings\NetworkService\Dane aplikacji
2007-12-21 13:20 . 2007-12-21 13:20 <DIR> d--h----- D:\Documents and Settings\LocalService\Ustawienia lokalne
2007-12-21 13:20 . 2007-12-21 13:20 <DIR> d-------- D:\Documents and Settings\LocalService\Dane aplikacji
2007-12-21 13:20 . 2007-12-21 13:20 <DIR> dr------- D:\Documents and Settings\Default User\Ustawienia lokalne
2007-12-21 13:20 . 2007-12-21 13:20 <DIR> d-------- D:\Documents and Settings\Default User\Ulubione
2007-12-21 13:20 . 2007-12-21 13:20 <DIR> d-------- D:\Documents and Settings\Default User\Szablony
2007-12-21 13:20 . 2007-12-21 13:20 <DIR> d-------- D:\Documents and Settings\Default User\Pulpit
2007-12-21 13:20 . 2007-12-21 13:20 <DIR> d-------- D:\Documents and Settings\Default User\Moje dokumenty
2007-12-21 13:20 . 2007-12-21 13:20 <DIR> dr------- D:\Documents and Settings\Default User\Menu Start
2007-12-21 13:20 . 2007-12-21 13:20 <DIR> dr------- D:\Documents and Settings\Default User\Dane aplikacji
2007-12-21 13:20 . 2007-12-21 13:20 <DIR> d-------- D:\Documents and Settings\All Users\Ulubione
2007-12-21 13:20 . 2007-12-21 13:20 <DIR> d-------- D:\Documents and Settings\All Users\Szablony
2007-12-21 13:20 . 2008-01-05 13:52 <DIR> d-------- D:\Documents and Settings\All Users\Pulpit
2007-12-21 13:20 . 2008-01-05 13:52 <DIR> dr------- D:\Documents and Settings\All Users\Menu Start
2007-12-21 13:20 . 2007-12-21 13:20 <DIR> d---s---- D:\Documents and Settings\All Users\DRM
2007-12-21 13:19 . 2007-12-27 15:51 <DIR> dr------- D:\Documents and Settings\All Users\Dokumenty
2007-12-21 13:19 . 2007-12-21 13:19 <DIR> d-------- D:\Documents and Settings\All Users\Dane aplikacji\Vivendi Universal Games
2007-12-21 13:19 . 2007-12-21 13:19 <DIR> d-------- D:\Documents and Settings\All Users\Dane aplikacji\The Learning Company
2007-12-21 13:19 . 2007-12-21 13:19 <DIR> d-------- D:\Documents and Settings\All Users\Dane aplikacji\QuickTime
2007-12-21 13:19 . 2007-12-21 13:19 <DIR> d-------- D:\Documents and Settings\All Users\Dane aplikacji\nView_Profiles
2007-12-21 13:19 . 2008-01-01 16:49 <DIR> d-------- D:\Documents and Settings\All Users\Dane aplikacji\Microsoft Games
2007-12-21 13:19 . 2007-12-21 13:19 <DIR> d-------- D:\Documents and Settings\All Users\Dane aplikacji\Disney Interactive
2007-12-21 13:19 . 2008-01-05 12:21 <DIR> dr------- D:\Documents and Settings\All Users\Dane aplikacji
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-05 13:33 --------- d-----w C:\Program Files\neostrada tp
2008-01-05 11:58 --------- d-----w C:\Program Files\Bankrut
2008-01-05 10:57 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-04 16:40 --------- d-----w C:\Program Files\MarBit
2008-01-04 16:38 --------- d-----w C:\Program Files\Electronic Arts
2008-01-03 16:21 --------- d-----w C:\Program Files\Dracula Twins
2007-12-07 16:32 8,749 ----a-w C:\Program Files\INSTALL.LOG
2007-11-30 16:35 --------- d-----w C:\Program Files\Maxis
1998-04-30 13:56 129,024 ----a-w C:\Program Files\UNWISE.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2006-03-01 18:43 90112]
"CTFMON.EXE"="C:\WINDOWS\System32\cftmon.exe" [ ]
"Microsoft Oftice"="C:\WINDOWS\System32\msmsgs.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2003-06-10 12:12 55296 C:\WINDOWS\SOUNDMAN.EXE]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-10-28 08:57 5058560]
"nwiz"="nwiz.exe" [2003-10-28 08:57 741376 C:\WINDOWS\system32\nwiz.exe]
"CloneCDElbyCDFL"="C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" [2002-11-02 07:33 45056]
"WinampAgent"="C:\Program Files\Winamp\Winampa.exe" [2002-03-20 08:15 10752]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2002-12-17 11:40 49152]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe" [2003-03-26 08:19 172032]
"DeviceDiscovery"="C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2002-12-02 20:56 40960]
"NeroCheck"="C:\WINDOWS\System32\NeroCheck.exe" [2001-07-09 10:50 155648]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 14:40 155648]
"CMRONLINE"="C:\Program Files\Game Times Online\CMR_ONLINE.EXE" [2003-10-08 14:28 307200]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-07 07:34 98304]
"AdslTaskBar"="stmctrl.dll" [2006-06-02 12:01 151552 C:\WINDOWS\system32\stmctrl.dll]
"WOOWATCH"="C:\PROGRA~1\NEOSTR~1\Watch.exe" [2004-08-23 13:49 20480]
"WOOTASKBARICON"="C:\PROGRA~1\NEOSTR~1\GestMaj.exe" [2004-10-14 15:55 32768]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-09-28 23:00 13312]
"Microsoft Windows Driver"="C:\WINDOWS\rundll32.exe" [ ]
"OfficeWord Monitors"="C:\WINDOWS\System32\Offlce.exe" [ ]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\WINDOWS\System32\tmp_4ml.dll
R2 athsgt;athsgt;C:\WINDOWS\System32\DRIVERS\athsgt.sys [2007-10-14 12:15]
R2 limsgt;limsgt;C:\WINDOWS\System32\DRIVERS\limsgt.sys [2007-10-14 12:15]
R3 Stmatm;ATM/ADSL miniport;C:\WINDOWS\System32\DRIVERS\stmatm.sys [2003-08-12 15:51]
R3 TaurusUsb;ADSL Modem USB Service;C:\WINDOWS\System32\DRIVERS\torususb.sys [2006-05-25 16:28]
S0 Hmq83;Hmq83;C:\WINDOWS\System32\drivers\Hmq83.sys []
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-05 14:33:11
Windows 5.1.2600 Dodatek Service Pack. 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-01-05 14:36:08 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-05 13:36:04
HIJACKTHIS:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:37:47, on 2008-01-05
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\FTRTSVC.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Game Times Online\CMR_ONLINE.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\PROGRA~1\NEOSTR~1\TaskBarIcon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [CMRONLINE] C:\Program Files\Game Times Online\CMR_ONLINE.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\GestMaj.exe TaskBarIcon.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\cftmon.exe
O4 - HKCU\..\Run: [Microsoft Oftice] C:\WINDOWS\System32\msmsgs.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O20 - AppInit_DLLs: C:\WINDOWS\System32\tmp_4ml.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: France Telecom Routing Table Service (FTRTSVC) - France Telecom - C:\WINDOWS\System32\FTRTSVC.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O24 - Desktop Component 0: (no name) - http://www.naruto.wbijam.pl/tapety/45.jpg
O24 - Desktop Component 1: (no name) - http://www.naruto.wbijam.pl/tapety/43.jpg
O24 - Desktop Component 2: (no name) - http://www.animeresimleri.com/data/media/1/naruto_team.jpg
--
End of file - 5610 bytes
Oh, and right after SDFix finished running, a compressed folder named CATCH ME (:P) appeared on my desktop, together with a text file of the same name. Also an additional Internet Explorer icon appeared, whereas earlier (before I started fighting all this) there was already an IE icon, but that one was a shortcut. After ComboFix, the compressed CATCHME folder disappeared, but the text file and the IE icon remained.
Thanks in advance for your interest.
Cheers