
On this forum I read about a program called HijackThis, but I don't really know how to use it.
Please help; this concerns a company laptop and I have to resolve it by Monday.
DARLOS wrote: On this forum I read about a program called HijackThis, but I don't really know how to use it.
Logfile of HijackThis v1.99.1
Scan saved at 17:25:19, on 2007-09-01
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fujitsu Siemens Computers\Odyssey Client for Fujitsu Siemens Computers\odClientService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Video ActiveX Access\iesmn.exe
C:\Program Files\Video ActiveX Access\imsmain.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Video ActiveX Access\imsmn.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Video ActiveX Access\iesmin.exe
C:\Program Files\Fujitsu Siemens Computers\Odyssey Client for Fujitsu Siemens Computers\OdTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\irPC\irPC.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Gadu-Gadu\gg.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\totalcmd\totalcmd\TOTALCMD.EXE
C:\DOCUME~1\DLOSIN~1.UNI\USTAWI~1\Temp\_tc\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.pcworld.pl
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Program Microsoft Internet Explorer dostarczony przez UNIBIT
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Suchspur - {5D945E9A-DC10-4670-83EB-99DAA616628A} - C:\WINDOWS\system32\Suchspur.dll (file missing)
O2 - BHO: (no name) - {5DDE5591-A8AB-4897-93EF-1E4E943F85A7} - C:\Program Files\Video ActiveX Access\iesplg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: Protection Bar - {F06E2ABE-3A50-4079-BE25-FC100D9EAA25} - C:\Program Files\Video ActiveX Access\iesbpl.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Windows Services] "C:\Program Files\svchosts.exe"
O4 - HKLM\..\Run: [OdTray.exe] "C:\Program Files\Fujitsu Siemens Computers\Odyssey Client for Fujitsu Siemens Computers\OdTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - Startup: irPC.lnk = C:\Program Files\irPC\irPC.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Suchen - res://C:\WINDOWS\system32\Suchspur.dll/Suchspur.HTM
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.pcworld.pl
O15 - Trusted Zone: http://mks.com.pl
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MainControl Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = unibit.local
O17 - HKLM\Software\..\Telephony: DomainName = unibit.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = unibit.local
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OdysseyClient - C:\WINDOWS\SYSTEM32\odyEvent.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Odyssey Client for Fujitsu Siemens Computers (odClientService) - Funk Software, Inc. - C:\Program Files\Fujitsu Siemens Computers\Odyssey Client for Fujitsu Siemens Computers\odClientService.exe
SmitFraudFix v2.219
Scan done at 17:46:58,89, 2007-09-01
Run from D:\bzdury\bzdury\SmitfraudFix
OS: Microsoft Windows XP [Wersja 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» hosts
127.0.0.1 localhost
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
Problem while deleting C:\Program Files\Video ActiveX Access\
»»»»»»»»»»»»»»»»»»»»»»»» DNS
Description: Realtek RTL8169/8110 Family Gigabit Ethernet NIC - Sterownik miniport Harmonogramu pakietów
DNS Server Search Order: 192.168.1.100
Description: Broadcom 802.11g sieciowy adapter - Sterownik miniport Harmonogramu pakietów
DNS Server Search Order: 62.179.1.60
DNS Server Search Order: 192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{6D799E3D-FF15-4BED-8F28-21DA7A21B4CF}: DhcpNameServer=192.168.1.100
HKLM\SYSTEM\CCS\Services\Tcpip\..\{6FFDE969-9811-4EF4-AE8F-C25F7FA40F1E}: DhcpNameServer=62.179.1.60 192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{6D799E3D-FF15-4BED-8F28-21DA7A21B4CF}: DhcpNameServer=192.168.1.100
HKLM\SYSTEM\CS1\Services\Tcpip\..\{6FFDE969-9811-4EF4-AE8F-C25F7FA40F1E}: DhcpNameServer=62.179.1.60 192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{6D799E3D-FF15-4BED-8F28-21DA7A21B4CF}: DhcpNameServer=192.168.1.100
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=62.179.1.60 192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=62.179.1.60 192.168.0.1
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Reboot
C:\Program Files\Video ActiveX Access Deleted
»»»»»»»»»»»»»»»»»»»»»»»» End
Logfile of HijackThis v1.99.1
Scan saved at 18:36, on 2007-09-01
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fujitsu Siemens Computers\Odyssey Client for Fujitsu Siemens Computers\odClientService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Fujitsu Siemens Computers\Odyssey Client for Fujitsu Siemens Computers\OdTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\irPC\irPC.exe
C:\Program Files\totalcmd\totalcmd\TOTALCMD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\DOCUME~1\DLOSIN~1.UNI\USTAWI~1\Temp\_tc\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [OdTray.exe] "C:\Program Files\Fujitsu Siemens Computers\Odyssey Client for Fujitsu Siemens Computers\OdTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - Startup: irPC.lnk = C:\Program Files\irPC\irPC.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Suchen - res://C:\WINDOWS\system32\Suchspur.dll/Suchspur.HTM
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.pcworld.pl
O15 - Trusted Zone: http://mks.com.pl
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MainControl Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = unibit.local
O17 - HKLM\Software\..\Telephony: DomainName = unibit.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = unibit.local
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OdysseyClient - C:\WINDOWS\SYSTEM32\odyEvent.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Odyssey Client for Fujitsu Siemens Computers (odClientService) - Funk Software, Inc. - C:\Program Files\Fujitsu Siemens Computers\Odyssey Client for Fujitsu Siemens Computers\odClientService.exe
--- E O F ---
ComboFix 07-08-30.3 - "d.losinszek" 2007-09-01 18:31:36.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.170 [GMT 2:00]
* Created a new restore point
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
D:\Autorun.inf
((((((((((((((((((((((((( Files Created from 2007-08-01 to 2007-09-01 )))))))))))))))))))))))))))))))
2007-09-01 18:30 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-09-01 18:01 <DIR> d-------- C:\VundoFix Backups
2007-09-01 17:46 2,936 --a------ C:\WINDOWS\system32\tmp.reg
2007-09-01 17:45 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-09-01 17:45 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-09-01 17:45 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-09-01 15:46 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\DANEAP~1\TEMP
2007-08-17 13:52 73,216 --a------ C:\WINDOWS\ST6UNST.EXE
2007-08-17 13:52 249,856 --------- C:\WINDOWS\Setup1.exe
2007-08-02 22:16 <DIR> d-------- C:\Program Files\AnvSoft Mobile Video Converter
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-09-01 16:23 --------- d-------- C:\Program Files\Xilisoft
2007-09-01 16:23 --------- d-------- C:\Program Files\Warcraft III
2007-09-01 16:20 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-09-01 16:20 --------- d-------- C:\Program Files\JoWood
2007-08-31 23:14 --------- d-------- C:\Program Files\eMule
2007-08-28 10:11 --------- d-------- C:\Program Files\DYMO Label
2007-08-24 14:18 --------- d-------- C:\DOCUME~1\DLOSIN~1.UNI\DANEAP~1\OpenOffice.ux.pl2
2007-08-20 13:49 --------- d-------- C:\Program Files\English Translator 3
2007-08-02 22:13 --------- d-------- C:\DOCUME~1\DLOSIN~1.UNI\DANEAP~1\ConvertTemp
2007-08-02 21:20 --------- d-------- C:\DOCUME~1\DLOSIN~1.UNI\DANEAP~1\Temporary
2007-08-02 20:23 --------- d-------- C:\DOCUME~1\DLOSIN~1.UNI\DANEAP~1\TransRender
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\dllcache\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\dllcache\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\dllcache\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\dllcache\wups.dll
2007-07-18 13:06 --------- d-------- C:\DOCUME~1\ALLUSE~1\DANEAP~1\LightScribe
2007-07-16 20:56 --------- d-------- C:\DOCUME~1\DLOSIN~1.UNI\DANEAP~1\Samsung
2007-07-16 20:52 --------- d-------- C:\Program Files\Samsung
2007-07-16 08:15 --------- d-------- C:\Program Files\Gadu-Gadu
2007-07-14 21:21 --------- d-------- C:\DOCUME~1\DLOSIN~1.UNI\DANEAP~1\Gadu-Gadu
2007-07-13 15:22 --------- d-------- C:\Program Files\Common Files\LightScribe
2007-07-03 22:24 --------- d-------- C:\Program Files\GameSpy Arcade
2007-07-03 22:03 --------- d-------- C:\Program Files\Aspyr
2007-07-03 15:53 532558 --a------ C:\WINDOWS\system32\odGinaLibrary.dll
2007-07-03 15:53 139330 --a------ C:\WINDOWS\system32\odyGina.dll
2007-07-03 15:53 106496 --a------ C:\WINDOWS\system32\odyEvent.dll
2007-07-03 15:53 --------- d-------- C:\Program Files\Fujitsu Siemens Computers
2007-07-03 15:53 --------- d-------- C:\Program Files\Common Files\Funk Software
2007-06-26 16:53 668160 --a------ C:\WINDOWS\system32\dllcache\wininet.dll
2007-06-26 15:57 851968 --a------ C:\WINDOWS\system32\dllcache\vgx.dll
2007-06-26 08:10 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-26 08:10 1104896 --a------ C:\WINDOWS\system32\dllcache\msxml3.dll
2007-06-24 19:54 98304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-06-19 15:32 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-19 15:32 282112 --a------ C:\WINDOWS\system32\dllcache\gdi32.dll
2007-06-19 08:42 298104 --a------ C:\WINDOWS\system32\imon.dll
2007-06-15 10:14 96768 --a------ C:\WINDOWS\system32\dllcache\inseng.dll
2007-06-15 10:14 617984 --a------ C:\WINDOWS\system32\dllcache\urlmon.dll
2007-06-15 10:14 55808 --a------ C:\WINDOWS\system32\dllcache\extmgr.dll
2007-06-15 10:14 532480 --a------ C:\WINDOWS\system32\dllcache\mstime.dll
2007-06-15 10:14 474112 --a------ C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-06-15 10:14 449024 --a------ C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-06-15 10:14 39424 --a------ C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-06-15 10:14 357888 --a------ C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-06-15 10:14 3085312 --a------ C:\WINDOWS\system32\dllcache\mshtml.dll
2007-06-15 10:14 251904 --a------ C:\WINDOWS\system32\dllcache\iepeers.dll
2007-06-15 10:14 205824 --a------ C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-06-15 10:14 16384 --a------ C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-06-15 10:14 151552 --a------ C:\WINDOWS\system32\dllcache\cdfview.dll
2007-06-15 10:14 1498112 --a------ C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-06-15 10:14 146432 --a------ C:\WINDOWS\system32\dllcache\msrating.dll
2007-06-15 10:14 1055744 --a------ C:\WINDOWS\system32\dllcache\danim.dll
2007-06-15 10:14 1022976 --a------ C:\WINDOWS\system32\dllcache\browseui.dll
2007-06-14 12:32 18432 --a------ C:\WINDOWS\system32\dllcache\iedw.exe
2007-06-13 15:23 1034752 --a------ C:\WINDOWS\system32\dllcache\explorer.exe
2007-06-13 15:23 1034752 --a------ C:\WINDOWS\explorer.exe
2006-10-07 22:54 390023 -rahs---- C:\Program Files\wunauclt.zip
2006-10-07 22:54 390023 -rahs---- C:\Program Files\wunauclt.tbe
2006-09-16 20:26 81920 --a------ C:\DOCUME~1\DLOSIN~1.UNI\DANEAP~1\ezpinst.exe
2006-09-16 20:26 47360 --a------ C:\DOCUME~1\DLOSIN~1.UNI\DANEAP~1\pcouffin.sys
2006-08-27 17:38 1015973 -rahs---- C:\Program Files\serial.tde
2006-08-27 17:19 56239 --a------ C:\Program Files\svchosts.tbe
2006-06-27 18:28:30 56 --sh--r C:\WINDOWS\system32\A06207FCC9.sys
2007-03-16 06:32:23 12,106 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-02-08 10:36]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-02-08 10:32]
"GhostStartTrayApp"="C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe" [2002-08-14 15:21]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-10 10:58]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-10 10:58]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-06-19 08:42]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 14:00 C:\WINDOWS\system32\bthprops.cpl]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 19:42]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 17:40]
"NWEReboot"="" []
"OdTray.exe"="C:\Program Files\Fujitsu Siemens Computers\Odyssey Client for Fujitsu Siemens Computers\OdTray.exe" [2005-05-18 15:14]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24]
"LightScribe Control Panel"="C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-06-20 12:49]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-07-09 09:39]
C:\DOCUME~1\DLOSIN~1.UNI\MENUST~1\Programy\AUTOST~1\
irPC.lnk - C:\Program Files\irPC\irPC.exe [2005-12-30 09:15:02]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OdysseyClient]
odyEvent.dll 2007-07-03 15:53 106496 C:\WINDOWS\system32\odyEvent.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwprovau
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\I downloaded pirated Software from P2P]
Star Wars Empire at War Forces of Corruption
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SvcManager]
secures6.exe
R1 GhPciScan;GhostPciScanner;\??\C:\Program Files\Symantec\Norton Ghost 2003\ghpciscan.sys
R3 odysseyIM4;Odyssey Network Agent Miniport;C:\WINDOWS\system32\DRIVERS\odysseyIM4.sys
S0 ElbyVCD;ElbyVCD;C:\WINDOWS\system32\DRIVERS\ElbyVCD.sys
S1 eusk2par;EUTRON SmartKey Parallel Driver;\??\C:\WINDOWS\system32\Drivers\eusk2par.sys
S3 ewdmaudn;ewdmaudn;\??\C:\DOCUME~1\DLOSIN~1.UNI\USTAWI~1\Temp\ewdmaudn.sys
S3 k510bus;Sony Ericsson K510 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\k510bus.sys
S3 sscdbus;SAMSUNG USB Composite Device driver (WDM);C:\WINDOWS\system32\DRIVERS\sscdbus.sys
S3 sscdmdfl;SAMSUNG CDMA Modem Filter;C:\WINDOWS\system32\DRIVERS\sscdmdfl.sys
S3 sscdmdm;SAMSUNG CDMA Modem Drivers;C:\WINDOWS\system32\DRIVERS\sscdmdm.sys
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c7e52302-ce18-11db-9ba6-001636070c1d}]
AutoRun\command- F:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f820229a-2bd5-11dc-9cb3-001636070c1d}]
AutoRun\command- F:\setupSNK.exe
*Newly Created Service* - CATCHME
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-01 18:34:02
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
scanning hidden processes ...
C:\WINDOWS\system32\cmd.exe [2364] 0x817EB020
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-09-01 18:34:59
C:\ComboFix-quarantined-files.txt ... 2007-09-01 18:34
O8 - Extra context menu item: &Suchen - res://C:\WINDOWS\system32\Suchspur.dll/Suchspur.HTM
C:\VundoFix Backups