
Yesterday I scanned my computer with the ESET NOD32 online scanner and it detected 11 infected files; then I ran a scan with my own AV, also ESET NOD32, and it detected nothing, so how is that possible? (For the record, my own NOD32 is cracked.)
Then I ran a ComboFix scan, so I'm posting two logs.
HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:25:38, on 2009-01-30
Platform: Windows XP Dodatek SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\AhnRpta.exe
D:\WINDOWS\system32\VTTimer.exe
D:\WINDOWS\system32\VTtrayp.exe
D:\Program Files\Winamp\winampa.exe
D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Gadu-Gadu\gg.exe
D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
D:\WINDOWS\system32\wscntfy.exe
D:\Documents and Settings\Royal\Pulpit\HiJackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [WinampAgent] "D:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [egui] "D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [NodLogin] D:\Program Files\ESET\ESET NOD32 Antivirus\nodlogin.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "D:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [cdoosoft] D:\WINDOWS\system32\olhrwef.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.pl/resources/virusscanner/kavwebscan_unicode.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - D:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
--
End of file - 3317 bytes
ComboFix log:
ComboFix 09-01-21.04 - Royal 2009-01-30 1:54:16.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1250.1.1045.18.478.239 [GMT 1:00]
Run from: d:\documents and settings\Royal\Pulpit\ComboFix.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated)
WARNING - THIS COMPUTER DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
- REDUCED FUNCTIONALITY MODE -
.
((((((((((((((((((((((((((((((((((((((( Deleted )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Autorun.inf
D:\Autorun.inf
.
((((((((((((((((((((((((( Files created from 2008-12-28 to 2009-01-30 )))))))))))))))))))))))))))))))
.
2009-12-22 23:35 . 2009-12-22 23:35 <DIR> d-------- d:\program files\Hamachi
2009-12-22 23:32 . 2009-01-29 22:03 <DIR> d-------- d:\documents and settings\Royal\Dane aplikacji\Hamachi
2009-12-22 23:32 . 2009-12-22 23:35 15,440 --a------ d:\windows\system32\drivers\hamachi.sys
2009-01-29 21:05 . 2009-01-29 21:05 108,861 -r-hs---- D:\8.bat
2009-01-29 19:53 . 2009-01-29 20:12 <DIR> d-------- d:\program files\EsetOnlineScanner
2009-01-29 19:50 . 2009-01-29 19:50 <DIR> d-------- d:\windows\system32\Kaspersky Lab
2009-01-29 19:50 . 2009-01-29 19:50 <DIR> d-------- d:\documents and settings\All Users\Dane aplikacji\Kaspersky Lab
2009-01-28 13:32 . 2009-01-28 13:32 <DIR> d-------- d:\program files\Total Video Converter
2009-01-28 13:32 . 2000-05-22 22:58 608,448 --a------ d:\windows\system32\comctl32.ocx
2009-01-28 13:08 . 2009-01-28 13:08 <DIR> d-------- d:\program files\You Ripper
2009-01-21 20:34 . 2009-01-23 14:53 107,882 -r-hs---- D:\w98.com
2009-01-20 09:20 . 2009-01-21 10:09 108,869 -r-hs---- D:\gy.exe
2009-01-16 10:06 . 2009-01-17 12:44 110,003 -r-hs---- D:\x2csvg.exe
2009-01-14 19:42 . 2009-01-15 15:43 110,883 -r-hs---- D:\ve.exe
2009-01-14 01:12 . 2009-01-29 21:05 95,744 -r-hs---- d:\windows\system32\nmdfgds1.dll
2009-01-14 01:03 . 2009-01-29 21:05 108,861 -r-hs---- d:\windows\system32\olhrwef.exe
2009-01-14 01:03 . 2009-01-30 01:50 95,744 -r-hs---- d:\windows\system32\nmdfgds0.dll
2009-01-13 09:35 . 2009-01-13 12:30 107,692 -r-hs---- D:\bd3q0qix.exe
2009-01-12 23:23 . 2009-01-12 23:23 <DIR> d-------- d:\program files\MMTNO
2009-01-12 16:20 . 2008-04-15 13:00 70,144 --a------ d:\windows\AhnRpta.exe
2009-01-10 21:47 . 2009-01-10 21:47 <DIR> d-------- d:\program files\CCleaner
2009-01-09 14:42 . 2009-01-09 14:41 120,952 -r-hs---- D:\xn9uu8.exe
2009-01-08 12:03 . 2009-01-13 12:22 90,112 -r-hs---- d:\windows\system32\ciuytr1.dll
2009-01-08 11:15 . 2009-01-08 11:15 <DIR> d-------- d:\documents and settings\Royal\Dane aplikacji\Thinstall
2009-01-05 13:29 . 2009-01-05 13:29 <DIR> d-------- d:\program files\Common Files\Adobe
2009-01-05 13:27 . 2009-01-05 13:27 <DIR> d-------- d:\windows\Cache
2009-01-04 13:17 . 2009-01-09 23:43 <DIR> d-------- d:\program files\K-Lite Codec Pack
2009-01-04 13:17 . 2007-09-04 17:56 164,352 --a------ d:\windows\system32\unrar.dll
2009-01-04 07:03 . 2009-01-04 07:03 <DIR> d-------- d:\program files\ESET
2009-01-04 07:03 . 2009-01-04 07:03 <DIR> d-------- d:\documents and settings\All Users\Dane aplikacji\ESET
2008-12-31 15:31 . 2001-08-18 06:36 8,704 --a------ d:\windows\system32\kbdjpn.dll
2008-12-31 15:31 . 2001-08-18 06:36 8,704 --a--c--- d:\windows\system32\dllcache\kbdjpn.dll
2008-12-31 15:31 . 2001-08-18 06:36 8,192 --a------ d:\windows\system32\kbdkor.dll
2008-12-31 15:31 . 2001-08-18 06:36 8,192 --a--c--- d:\windows\system32\dllcache\kbdkor.dll
2008-12-31 15:31 . 2008-04-14 22:39 6,144 --a------ d:\windows\system32\kbd106.dll
2008-12-31 15:31 . 2001-08-17 22:55 6,144 --a------ d:\windows\system32\kbd101c.dll
2008-12-31 15:31 . 2001-08-17 22:55 6,144 --a------ d:\windows\system32\kbd101b.dll
2008-12-31 15:31 . 2008-04-14 22:39 6,144 --a--c--- d:\windows\system32\dllcache\kbd106.dll
2008-12-31 15:31 . 2001-08-17 22:55 6,144 --a--c--- d:\windows\system32\dllcache\kbd101c.dll
2008-12-31 15:31 . 2001-08-17 22:55 6,144 --a--c--- d:\windows\system32\dllcache\kbd101b.dll
2008-12-31 15:31 . 2001-08-17 22:55 5,632 --a------ d:\windows\system32\kbd103.dll
2008-12-31 15:31 . 2001-08-17 22:55 5,632 --a--c--- d:\windows\system32\dllcache\kbd103.dll
2008-12-28 16:13 . 2008-12-28 16:14 <DIR> d-------- d:\program files\Winamp
2008-12-28 16:13 . 2008-12-28 22:02 <DIR> d-------- d:\documents and settings\Royal\Dane aplikacji\Winamp
2008-12-26 11:16 . 2008-12-26 11:16 <DIR> d-------- d:\documents and settings\Royal\Dane aplikacji\Gadu-Gadu
2008-12-22 22:34 . 2008-12-22 22:34 <DIR> d-------- d:\program files\Realtek Sound Manager
2008-12-22 22:34 . 2008-12-22 22:34 <DIR> d-------- d:\program files\AvRack
2008-12-22 22:34 . 2004-08-02 00:00 7,546,880 --a------ d:\windows\system32\RTLCPL.EXE
2008-12-22 21:39 . 2008-12-22 21:39 <DIR> d-------- d:\program files\S3
2008-12-22 21:39 . 2006-11-23 16:52 3,523,072 --a------ d:\windows\system32\vtdisp.dll
2008-12-22 21:35 . 2008-12-22 21:35 <DIR> d-------- d:\windows\system32\Lang
2008-12-22 21:30 . 2008-12-22 22:34 <DIR> d--h----- d:\program files\InstallShield Installation Information
2008-12-22 21:30 . 2008-12-22 22:33 <DIR> d-------- d:\program files\Common Files\InstallShield
2008-12-22 21:30 . 2006-12-16 04:29 499,712 -r------- d:\windows\RtlExUpd.dll
2008-12-22 21:15 . 2008-12-22 21:15 0 --a------ d:\windows\nsreg.dat
2008-12-22 21:08 . 2008-12-22 21:08 <DIR> d-------- d:\documents and settings\Royal\Dane aplikacji\iPlus
2008-12-22 21:00 . 2008-12-22 21:00 4,444 --a------ d:\windows\system32\pid.PNF
.
(((((((((((((((((((((((((((((((((((((((( Find3M section ))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-28 13:46 --------- d-----w d:\program files\Gadu-Gadu
2008-12-22 19:11 --------- d-----w d:\program files\microsoft frontpage
2008-12-22 19:09 --------- d-----w d:\program files\Usługi online
2008-04-15 12:00 171,376 --sha-r d:\windows\system32\khelo.dll
.
((((((((((((((((((((((((((((((((((((( Registry startup entries ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries and legitimate default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="d:\windows\system32\ctfmon.exe" [2008-04-15 15360]
"Gadu-Gadu"="d:\program files\Gadu-Gadu\gg.exe" [2008-03-20 2127296]
"cdoosoft"="d:\windows\system32\olhrwef.exe" [2009-01-29 108861]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinampAgent"="d:\program files\Winamp\winampa.exe" [2008-08-04 36352]
"egui"="d:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-02-20 1443072]
"NodLogin"="d:\program files\ESET\ESET NOD32 Antivirus\nodlogin.exe" [2008-02-07 299238]
"VTTimer"="VTTimer.exe" [2006-09-21 d:\windows\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [2006-09-28 d:\windows\system32\VTTrayp.exe]
"SoundMan"="SOUNDMAN.EXE" [2004-08-02 d:\windows\SOUNDMAN.EXE]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="d:\windows\system32\CTFMON.EXE" [2008-04-15 15360]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{BB4C402F-882A-4526-8C08-51278EA437C1}"= "d:\windows\system32\afmain1.dll" [2008-04-15 78848]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\Hamachi\\hamachi.exe"=
"c:\\Gry\\Heroes of Might and Magic III - Zlota Edycja\\Heroes33.exe"=
"d:\\WINDOWS\\system32\\dplaysvr.exe"=
"d:\\Program Files\\Gadu-Gadu\\gg.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3066:TCP"= 3066:TCP:qwoobydl
R1 epfwtdir;epfwtdir;d:\windows\system32\drivers\epfwtdir.sys [2008-02-20 33800]
R4 ekrn;Eset Service;d:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2008-02-20 472320]
S4 rwfsxij;Server Boot;d:\windows\system32\svchost.exe -k netsvcs [2008-04-15 14336]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
rwfsxij
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eebbe3d3-dd69-11dd-8461-0040cacf5a42}]
\Shell\AutoRun\command - F:\xcisvxl.com
\Shell\open\Command - F:\xcisvxl.com
.
.
------- Supplementary scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
FF - ProfilePath - d:\documents and settings\Royal\Dane aplikacji\Mozilla\Firefox\Profiles\t02vf86c.default\
FF - prefs.js: browser.startup.homepage - google.pl
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-30 01:54:28
Windows 5.1.2600 Dodatek Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\rwfsxij]
"ServiceDll"="d:\windows\system32\khelo.dll"
.
Completion time: 2009-01-30 1:55:46
ComboFix-quarantined-files.txt 2009-01-30 00:55:39
ComboFix2.txt 2009-01-29 19:44:20
Before: 4,839,276,544 bytes free
After: 4,832,935,936 bytes free
Added 30.01.2009 19:39:14:
yesterday's ComboFix log:
ComboFix 09-01-21.04 - Royal 2009-01-29 20:41:52.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1250.1.1045.18.478.162 [GMT 1:00]
Run from: d:\documents and settings\Royal\Pulpit\ComboFix.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated)
* Created a new restore point
WARNING - THIS COMPUTER DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Deleted )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\8.bat
C:\Autorun.inf
C:\gfqgq.cmd
C:\iq.bat
C:\j60osk9.cmd
C:\qoes.bat
C:\uvsqfgwd.cmd
C:\x2tpc.cmd
C:\xcisvxl.com
D:\8.bat
D:\Autorun.inf
D:\gfqgq.cmd
D:\iq.bat
D:\j60osk9.cmd
D:\qoes.bat
D:\uvsqfgwd.cmd
d:\windows\expiorer.exe
d:\windows\system32\ciuytr0.dll
d:\windows\system32\vamsoft.exe
D:\x2tpc.cmd
D:\xcisvxl.com
.
((((((((((((((((((((((((( Files created from 2008-12-28 to 2009-01-29 )))))))))))))))))))))))))))))))
.
2009-12-22 23:35 . 2009-12-22 23:35 <DIR> d-------- d:\program files\Hamachi
2009-12-22 23:32 . 2009-01-29 00:52 <DIR> d-------- d:\documents and settings\Royal\Dane aplikacji\Hamachi
2009-01-29 19:53 . 2009-01-29 20:12 <DIR> d-------- d:\program files\EsetOnlineScanner
2009-01-29 19:50 . 2009-01-29 19:50 <DIR> d-------- d:\windows\system32\Kaspersky Lab
2009-01-29 19:50 . 2009-01-29 19:50 <DIR> d-------- d:\windows\LastGood
2009-01-29 19:50 . 2009-01-29 19:50 <DIR> d-------- d:\documents and settings\All Users\Dane aplikacji\Kaspersky Lab
2009-01-28 13:32 . 2009-01-28 13:32 <DIR> d-------- d:\program files\Total Video Converter
2009-01-28 13:32 . 2000-05-22 22:58 608,448 --a------ d:\windows\system32\comctl32.ocx
2009-01-28 13:08 . 2009-01-28 13:08 <DIR> d-------- d:\program files\You Ripper
2009-01-21 20:34 . 2009-01-23 14:53 107,882 -r-hs---- D:\w98.com
2009-01-20 09:20 . 2009-01-21 10:09 108,869 -r-hs---- D:\gy.exe
2009-01-16 10:06 . 2009-01-17 12:44 110,003 -r-hs---- D:\x2csvg.exe
2009-01-14 19:42 . 2009-01-15 15:43 110,883 -r-hs---- D:\ve.exe
2009-01-14 01:12 . 2009-01-28 16:03 95,744 -r-hs---- d:\windows\system32\nmdfgds1.dll
2009-01-14 01:03 . 2009-01-29 19:51 108,861 -r-hs---- d:\windows\system32\olhrwef.exe
2009-01-14 01:03 . 2009-01-29 19:51 95,744 -r-hs---- d:\windows\system32\nmdfgds0.dll
2009-01-13 09:35 . 2009-01-13 12:30 107,692 -r-hs---- D:\bd3q0qix.exe
2009-01-12 23:23 . 2009-01-12 23:23 <DIR> d-------- d:\program files\MMTNO
2009-01-12 16:20 . 2008-04-15 13:00 70,144 --a------ d:\windows\AhnRpta.exe
2009-01-10 21:47 . 2009-01-10 21:47 <DIR> d-------- d:\program files\CCleaner
2009-01-09 14:42 . 2009-01-09 14:41 120,952 -r-hs---- D:\xn9uu8.exe
2009-01-08 12:03 . 2009-01-13 12:22 90,112 -r-hs---- d:\windows\system32\ciuytr1.dll
2009-01-08 11:15 . 2009-01-08 11:15 <DIR> d-------- d:\documents and settings\Royal\Dane aplikacji\Thinstall
2009-01-05 13:29 . 2009-01-05 13:29 <DIR> d-------- d:\program files\Common Files\Adobe
2009-01-05 13:27 . 2009-01-05 13:27 <DIR> d-------- d:\windows\Cache
2009-01-04 13:17 . 2009-01-09 23:43 <DIR> d-------- d:\program files\K-Lite Codec Pack
2009-01-04 13:17 . 2007-09-04 17:56 164,352 --a------ d:\windows\system32\unrar.dll
2009-01-04 07:03 . 2009-01-04 07:03 <DIR> d-------- d:\program files\ESET
2009-01-04 07:03 . 2009-01-04 07:03 <DIR> d-------- d:\documents and settings\All Users\Dane aplikacji\ESET
2008-12-31 15:31 . 2001-08-18 06:36 8,704 --a------ d:\windows\system32\kbdjpn.dll
2008-12-31 15:31 . 2001-08-18 06:36 8,704 --a--c--- d:\windows\system32\dllcache\kbdjpn.dll
2008-12-31 15:31 . 2001-08-18 06:36 8,192 --a------ d:\windows\system32\kbdkor.dll
2008-12-31 15:31 . 2001-08-18 06:36 8,192 --a--c--- d:\windows\system32\dllcache\kbdkor.dll
2008-12-31 15:31 . 2008-04-14 22:39 6,144 --a------ d:\windows\system32\kbd106.dll
2008-12-31 15:31 . 2001-08-17 22:55 6,144 --a------ d:\windows\system32\kbd101c.dll
2008-12-31 15:31 . 2001-08-17 22:55 6,144 --a------ d:\windows\system32\kbd101b.dll
2008-12-31 15:31 . 2008-04-14 22:39 6,144 --a--c--- d:\windows\system32\dllcache\kbd106.dll
2008-12-31 15:31 . 2001-08-17 22:55 6,144 --a--c--- d:\windows\system32\dllcache\kbd101c.dll
2008-12-31 15:31 . 2001-08-17 22:55 6,144 --a--c--- d:\windows\system32\dllcache\kbd101b.dll
2008-12-31 15:31 . 2001-08-17 22:55 5,632 --a------ d:\windows\system32\kbd103.dll
2008-12-31 15:31 . 2001-08-17 22:55 5,632 --a--c--- d:\windows\system32\dllcache\kbd103.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M section ))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-22 22:35 15,440 ----a-w d:\windows\system32\drivers\hamachi.sys
2008-12-28 21:02 --------- d-----w d:\documents and settings\Royal\Dane aplikacji\Winamp
2008-12-28 15:14 --------- d-----w d:\program files\Winamp
2008-12-28 13:46 --------- d-----w d:\program files\Gadu-Gadu
2008-12-26 10:16 --------- d-----w d:\documents and settings\Royal\Dane aplikacji\Gadu-Gadu
2008-12-22 21:34 --------- d--h--w d:\program files\InstallShield Installation Information
2008-12-22 21:34 --------- d-----w d:\program files\Realtek Sound Manager
2008-12-22 21:34 --------- d-----w d:\program files\AvRack
2008-12-22 21:33 --------- d-----w d:\program files\Common Files\InstallShield
2008-12-22 20:39 --------- d-----w d:\program files\S3
2008-12-22 20:08 --------- d-----w d:\documents and settings\Royal\Dane aplikacji\iPlus
2008-12-22 19:11 --------- d-----w d:\program files\microsoft frontpage
2008-12-22 19:09 --------- d-----w d:\program files\Usługi online
.
((((((((((((((((((((((((((((((((((((( Registry startup entries ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries and legitimate default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="d:\windows\system32\ctfmon.exe" [2008-04-15 15360]
"Gadu-Gadu"="d:\program files\Gadu-Gadu\gg.exe" [2008-03-20 2127296]
"cdoosoft"="d:\windows\system32\olhrwef.exe" [2009-01-29 108861]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinampAgent"="d:\program files\Winamp\winampa.exe" [2008-08-04 36352]
"egui"="d:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-02-20 1443072]
"NodLogin"="d:\program files\ESET\ESET NOD32 Antivirus\nodlogin.exe" [2008-02-07 299238]
"VTTimer"="VTTimer.exe" [2006-09-21 d:\windows\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [2006-09-28 d:\windows\system32\VTTrayp.exe]
"SoundMan"="SOUNDMAN.EXE" [2004-08-02 d:\windows\SOUNDMAN.EXE]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="d:\windows\system32\CTFMON.EXE" [2008-04-15 15360]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{BB4C402F-882A-4526-8C08-51278EA437C1}"= "d:\windows\system32\afmain1.dll" [2008-04-15 78848]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\Hamachi\\hamachi.exe"=
"c:\\Gry\\Heroes of Might and Magic III - Zlota Edycja\\Heroes33.exe"=
"d:\\WINDOWS\\system32\\dplaysvr.exe"=
"d:\\Program Files\\Gadu-Gadu\\gg.exe"=
R1 epfwtdir;epfwtdir;d:\windows\system32\drivers\epfwtdir.sys [2008-02-20 33800]
R4 ekrn;Eset Service;d:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2008-02-20 472320]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eebbe3d3-dd69-11dd-8461-0040cacf5a42}]
\Shell\AutoRun\command - F:\xcisvxl.com
\Shell\open\Command - F:\xcisvxl.com
.
- - - - REMOVED EMPTY ENTRIES - - - -
HKCU-Run-vamsoft - d:\windows\system32\vamsoft.exe
.
------- Supplementary scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
FF - ProfilePath - d:\documents and settings\Royal\Dane aplikacji\Mozilla\Firefox\Profiles\t02vf86c.default\
FF - prefs.js: browser.startup.homepage - google.pl
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-29 20:42:59
Windows 5.1.2600 Dodatek Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2009-01-29 20:44:18
ComboFix-quarantined-files.txt 2009-01-29 19:44:03
Before: 4,034,445,312 bytes free
After: 4,086,296,576 bytes free
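Added example (not part of the post, and not code from ComboFix, ESET or HijackThis): a small Python triage script that reads lines in the shape of the ComboFix output above and flags the indicator types that are visible in it: read-only+hidden+system files at a drive root or in system32, Run keys that point at one of those files, `EnableFirewall` set to 0, globally opened firewall ports, an svchost-hosted service whose `ServiceDll` is one of those files, and `mountpoints2` AutoRun commands. The sample lines are constructed from entries on this page; the regexes and the indicator names are this example's own assumptions about the log layout, not a documented ComboFix grammar.

```python
"""Triage helper for ComboFix-style log lines (added example; see lead-in)."""
import re
from typing import List, Optional, Tuple

# Constructed sample: lines copied in the shape of the ComboFix output in the
# post above (a handful of entries, not the whole log).
SAMPLE_LOG = r"""
2009-01-29 21:05 . 2009-01-29 21:05 108,861 -r-hs---- D:\8.bat
2009-01-14 01:03 . 2009-01-29 21:05 108,861 -r-hs---- d:\windows\system32\olhrwef.exe
2009-01-14 01:03 . 2009-01-30 01:50 95,744 -r-hs---- d:\windows\system32\nmdfgds0.dll
2009-01-04 13:17 . 2007-09-04 17:56 164,352 --a------ d:\windows\system32\unrar.dll
2009-12-22 23:35 . 2009-12-22 23:35 <DIR> d-------- d:\program files\Hamachi
2008-04-15 12:00 171,376 --sha-r d:\windows\system32\khelo.dll
"cdoosoft"="d:\windows\system32\olhrwef.exe" [2009-01-29 108861]
"egui"="d:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-02-20 1443072]
"EnableFirewall"= 0 (0x0)
"3066:TCP"= 3066:TCP:qwoobydl
R4 ekrn;Eset Service;d:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2008-02-20 472320]
S4 rwfsxij;Server Boot;d:\windows\system32\svchost.exe -k netsvcs [2008-04-15 14336]
\Shell\AutoRun\command - F:\xcisvxl.com
\Shell\open\Command - F:\xcisvxl.com
"ServiceDll"="d:\windows\system32\khelo.dll"
"""

# "Files created" lines: two timestamps, size or <DIR>, 9 attribute flags, path.
CREATED_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d\s+"
    r"(?:<DIR>|[\d,]+)\s+(?P<attrs>[-a-z]{9})\s+(?P<path>.+)$"
)
# Find3M lines: one timestamp, size or dashes, 7 attribute flags, path.
FIND3M_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d\s+(?:[\d,]+|-+)\s+(?P<attrs>[-a-z]{7})\s+(?P<path>.+)$"
)
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s+\[')
SERVICEDLL_RE = re.compile(r'^"ServiceDll"="(?P<path>[^"]+)"')
SVC_RE = re.compile(r"^[RS]\d (?P<name>[^;]+);[^;]*;(?P<image>.+?)\s+\[")
PORT_RE = re.compile(r'^"(?P<port>\d+:(?:TCP|UDP))"=\s*\S+:(?P<label>\S+)$')
MOUNT_RE = re.compile(r"^\\Shell\\(?:AutoRun|open)\\[Cc]ommand - (?P<path>.+)$")
DRIVE_ROOT_RE = re.compile(r"^[A-Za-z]:\\[^\\]+$")


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (indicator, detail) pairs for the suspicious patterns in log_text.

    Relies on ComboFix's section order: file listings come before the registry
    dump, so hidden-file basenames are known by the time Run/ServiceDll lines appear.
    """
    findings: List[Tuple[str, str]] = []
    hidden_files = set()                      # basenames of hidden+system files
    last_svchost_service: Optional[str] = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = CREATED_RE.match(line) or FIND3M_RE.match(line)
        if m:
            attrs, path = m.group("attrs"), m.group("path")
            # Read-only+hidden+system on a non-directory is how these droppers
            # hide; only drive roots and system32 are of interest here.
            if "h" in attrs and "s" in attrs and "d" not in attrs:
                if DRIVE_ROOT_RE.match(path) or "\\system32\\" in path.lower():
                    hidden_files.add(_basename(path))
                    findings.append(("hidden_system_file", path))
            continue
        m = RUN_RE.match(line)
        if m and _basename(m.group("path")) in hidden_files:
            findings.append(("run_key_to_hidden_file", f"{m.group('name')} -> {m.group('path')}"))
            continue
        if line.startswith('"EnableFirewall"=') and line.endswith(" 0 (0x0)"):
            findings.append(("firewall_disabled", line))
            continue
        m = PORT_RE.match(line)
        if m:
            findings.append(("globally_open_port", f"{m.group('port')} ({m.group('label')})"))
            continue
        m = SVC_RE.match(line)
        if m:
            # Remember the last svchost-hosted service so a later ServiceDll
            # line can be tied back to it.
            if "svchost.exe -k" in m.group("image").lower():
                last_svchost_service = m.group("name")
            continue
        m = SERVICEDLL_RE.match(line)
        if m and _basename(m.group("path")) in hidden_files:
            findings.append(("svchost_service_dll_to_hidden_file",
                             f"{last_svchost_service or '?'} -> {m.group('path')}"))
            continue
        m = MOUNT_RE.match(line)
        if m:
            findings.append(("autorun_mountpoint", m.group("path")))
    return findings


if __name__ == "__main__":
    for indicator, detail in triage(SAMPLE_LOG):
        print(f"{indicator:38} {detail}")
```

The script deliberately keys the registry checks on basenames collected from the file listings rather than on a fixed name list, so it would flag the same pattern under different random names; the cost is that it must see the file sections first, which is the order ComboFix writes them in. On the sample it reports ten findings, including the `rwfsxij` service whose `ServiceDll` is the hidden `khelo.dll` and the `cdoosoft` Run entry for `olhrwef.exe`.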