
xp19.com. I downloaded sdfix and combofix. Please check the combofix and hijackthis logs to see whether there is still some virus there; I am also attaching the sdfix report. To me this is black magic.

sdfix report:
SDFix: Version 1.170
Run by Renia on 2008-04-13 at 17:52
Microsoft Windows XP [Wersja 5.1.2600]
Running From: C:\SDFix
Checking Services :
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting
Checking Files :
Trojan Files Found:
C:\autorun.inf - Deleted
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1351.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-13 17:58:36
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
detected NTDLL code modification:
ZwEnumerateKey, ZwClose, ZwEnumerateValueKey, ZwQueryValueKey, ZwOpenFile
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:0000007a
"TracesSuccessful"=dword:00000070
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"="C:\\Program Files\\Winamp Remote\\bin\\Orb.exe:*:Enabled:Orb"
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"="C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe:*:Enabled:OrbTray"
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"="C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe:*:Enabled:Orb Stream Client"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
Remaining Files :
File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes :
Sun 16 Mar 2008 101,295 ..SHR --- "C:\xp19.com"
Sun 16 Mar 2008 101,295 ..SHR --- "C:\WINDOWS\system32\amvo.exe"
Sun 13 Apr 2008 72,192 ..SHR --- "C:\WINDOWS\system32\amvo0.dll"
Sun 11 Nov 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sun 20 Jan 2008 318,976 ...H. --- "C:\Documents and Settings\Renia\Pulpit\~WRL0002.tmp"
Thu 24 Jan 2008 530,944 ...H. --- "C:\Documents and Settings\Renia\Pulpit\~WRL0003.tmp"
Tue 22 Jan 2008 105,984 ...H. --- "C:\Documents and Settings\Renia\Pulpit\~WRL0136.tmp"
Mon 21 Jan 2008 48,640 ...H. --- "C:\Documents and Settings\Renia\Pulpit\~WRL0213.tmp"
Tue 22 Jan 2008 140,800 ...H. --- "C:\Documents and Settings\Renia\Pulpit\~WRL0425.tmp"
Mon 21 Jan 2008 44,032 ...H. --- "C:\Documents and Settings\Renia\Pulpit\~WRL0651.tmp"
Tue 22 Jan 2008 138,240 ...H. --- "C:\Documents and Settings\Renia\Pulpit\~WRL0866.tmp"
Tue 22 Jan 2008 118,272 ...H. --- "C:\Documents and Settings\Renia\Pulpit\~WRL1027.tmp"
Tue 22 Jan 2008 103,936 ...H. --- "C:\Documents and Settings\Renia\Pulpit\~WRL1207.tmp"
Mon 21 Jan 2008 320,512 ...H. --- "C:\Documents and Settings\Renia\Pulpit\~WRL1210.tmp"
Mon 21 Jan 2008 68,608 ...H. --- "C:\Documents and Settings\Renia\Pulpit\~WRL1229.tmp"
Tue 22 Jan 2008 121,856 ...H. --- "C:\Documents and Settings\Renia\Pulpit\~WRL1348.tmp"
Mon 21 Jan 2008 347,648 ...H. --- "C:\Documents and Settings\Renia\Pulpit\~WRL1409.tmp"
Mon 21 Jan 2008 77,824 ...H. --- "C:\Documents and Settings\Renia\Pulpit\~WRL1656.tmp"
Mon 21 Jan 2008 72,704 ...H. --- "C:\Documents and Settings\Renia\Pulpit\~WRL1954.tmp"
Mon 21 Jan 2008 65,024 ...H. --- "C:\Documents and Settings\Renia\Pulpit\~WRL2105.tmp"
Tue 22 Jan 2008 121,856 ...H. --- "C:\Documents and Settings\Renia\Pulpit\~WRL2142.tmp"
Tue 22 Jan 2008 124,928 ...H. --- "C:\Documents and Settings\Renia\Pulpit\~WRL2400.tmp"
Tue 22 Jan 2008 131,584 ...H. --- "C:\Documents and Settings\Renia\Pulpit\~WRL2475.tmp"
Tue 22 Jan 2008 130,048 ...H. --- "C:\Documents and Settings\Renia\Pulpit\~WRL2583.tmp"
Tue 22 Jan 2008 108,544 ...H. --- "C:\Documents and Settings\Renia\Pulpit\~WRL2605.tmp"
Mon 21 Jan 2008 47,104 ...H. --- "C:\Documents and Settings\Renia\Pulpit\~WRL2783.tmp"
Sun 20 Jan 2008 162,304 ...H. --- "C:\Documents and Settings\Renia\Pulpit\~WRL3062.tmp"
Tue 22 Jan 2008 121,856 ...H. --- "C:\Documents and Settings\Renia\Pulpit\~WRL3343.tmp"
Mon 21 Jan 2008 347,648 ...H. --- "C:\Documents and Settings\Renia\Pulpit\~WRL3555.tmp"
Tue 22 Jan 2008 96,768 ...H. --- "C:\Documents and Settings\Renia\Pulpit\~WRL3714.tmp"
Tue 22 Jan 2008 107,520 ...H. --- "C:\Documents and Settings\Renia\Pulpit\~WRL3761.tmp"
Tue 22 Jan 2008 138,240 ...H. --- "C:\Documents and Settings\Renia\Pulpit\~WRL3771.tmp"
Mon 21 Jan 2008 92,672 ...H. --- "C:\Documents and Settings\Renia\Pulpit\~WRL3860.tmp"
Tue 22 Jan 2008 108,544 ...H. --- "C:\Documents and Settings\Renia\Pulpit\~WRL4001.tmp"
Sun 20 Jan 2008 259,584 ...H. --- "C:\Documents and Settings\Renia\Pulpit\~WRL4072.tmp"
Wed 22 Dec 2004 76,568 ..SHR --- "C:\Program Files\Autodesk\Autodesk DWF Viewer\Setup.exe"
Thu 13 Jan 2005 11,360 A.SHR --- "C:\Program Files\Autodesk\Autodesk DWF Viewer\_Setupx.dll"
Finished!
hijackthis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:16:10, on 2008-04-14
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\TPSrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\PsCtrls.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\pavsrv51.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\AntiSpam\pskmssvc.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\AVENGINE.EXE
c:\program files\panda security\panda internet security 2008\firewall\PSHOST.EXE
C:\Program Files\Panda Security\Panda Internet Security 2008\PsImSvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Panda Security\Panda Internet Security 2008\APVXDWIN.EXE
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\SRVLOAD.EXE
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\WebProxy.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\PavBckPT.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: ReGet Bar - {17939A30-18E2-471E-9D3A-56DD725F1215} - C:\Program Files\ReGetDx\iebar.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Internet Security 2008\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Security\Panda Internet Security 2008\Inicio.exe"
O4 - HKLM\..\Run: [Resume copy] copyfstq.exe /startup
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Zegarynka] G:\Zegarynka\Zegarynka.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Przyspieszenie uruchomienia programu AutoCAD.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O8 - Extra context menu item: &Pobierz przez ReGet Deluxe - C:\Program Files\Common Files\ReGet Shared\CC_Link.htm
O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Dane aplikacji\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Pobierz &wszystko przez ReGet Deluxe - C:\Program Files\Common Files\ReGet Shared\CC_All.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6934DD53-510F-4F85-AAD4-8CDA6EF29EA0}: NameServer = 194.204.159.1,195.116.24.195
O17 - HKLM\System\CS1\Services\Tcpip\..\{6934DD53-510F-4F85-AAD4-8CDA6EF29EA0}: NameServer = 194.204.159.1,195.116.24.195
O17 - HKLM\System\CS2\Services\Tcpip\..\{6934DD53-510F-4F85-AAD4-8CDA6EF29EA0}: NameServer = 194.204.159.1,195.116.24.195
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\PsCtrls.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\pavsrv51.exe
O23 - Service: Panda Antispam Engine (pmshellsrv) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\AntiSpam\pskmssvc.exe
O23 - Service: Panda Host Service (PSHost) - Panda Software International - c:\program files\panda security\panda internet security 2008\firewall\PSHOST.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\PsImSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\TPSrv.exe
--
End of file - 7702 bytes
and combofix:
ComboFix 08-04-13.1 - Renia 2008-04-13 21:55:44.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.181 [GMT 2:00]
Running from: C:\Documents and Settings\Renia\Pulpit\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Autorun.inf
C:\WINDOWS\system32\amvo.exe
C:\WINDOWS\system32\amvo0.dll
C:\WINDOWS\system32\Cfx32.lic
C:\WINDOWS\system32\cfx32.ocx
D:\Autorun.inf
F:\Autorun.inf
I:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2008-03-13 to 2008-04-13 )))))))))))))))))))))))))))))))
.
2008-04-13 20:45 . 2008-04-13 20:46 754 --a------ C:\WINDOWS\WORDPAD.INI
2008-04-13 19:18 . 2008-04-13 19:43 <DIR> d-------- C:\Program Files\SkanerOnline
2008-04-13 19:16 . 2008-04-13 19:16 <DIR> d---s---- C:\Documents and Settings\Renia\UserData
2008-04-13 17:49 . 2008-04-13 17:49 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-13 17:39 . 2008-04-13 21:36 <DIR> d-------- C:\SDFix
2008-04-11 19:53 . 2008-03-16 20:12 101,295 -r-hs---- C:\xp19.com
2008-04-03 18:01 . 2008-04-03 18:01 63 --a------ C:\WINDOWS\WINHELP.BMK
2008-03-16 16:43 . 2008-04-10 18:41 <DIR> d-------- C:\Documents and Settings\Renia\Dane aplikacji\skypePM
2008-03-16 16:43 . 2008-03-16 16:43 32 --a------ C:\Documents and Settings\All Users\Dane aplikacji\ezsid.dat
2008-03-16 16:32 . 2008-04-10 20:51 <DIR> d-------- C:\Documents and Settings\Renia\Dane aplikacji\Skype
2008-03-16 16:31 . 2008-03-16 16:31 <DIR> d-------- C:\Program Files\Skype
2008-03-16 16:31 . 2008-03-16 16:31 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-03-16 16:31 . 2008-03-16 16:31 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Skype
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-13 18:09 --------- d-----w C:\Program Files\ReGetDx
2008-04-13 16:36 260,156 ----a-w C:\WINDOWS\system32\drivers\APPFCONT.DAT.bck
2008-04-13 16:36 260,156 ----a-w C:\WINDOWS\system32\drivers\APPFCONT.DAT
2008-04-13 16:36 1,204 ----a-w C:\WINDOWS\system32\drivers\APPFLTR.CFG.bck
2008-04-13 16:36 1,204 ----a-w C:\WINDOWS\system32\drivers\APPFLTR.CFG
2008-04-01 21:04 --------- d-----w C:\Documents and Settings\Renia\Dane aplikacji\U3
2008-03-07 06:53 --------- d-----w C:\Documents and Settings\Renia\Dane aplikacji\Autodesk
2008-03-07 06:50 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Autodesk
2008-03-07 06:42 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2008-03-07 06:42 --------- d-----w C:\Program Files\AnswerWorks 4.0
2008-03-07 06:33 --------- d-----w C:\Program Files\Autodesk
2008-03-06 09:14 --------- d-----w C:\Documents and Settings\Renia\Dane aplikacji\Ahead
2008-02-28 13:06 --------- d-----w C:\Program Files\Gadu-Gadu
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25CEE8EC-5730-41bc-8B58-22DDC8AB8C20}]
2007-10-04 22:06 1135968 --a------ C:\Program Files\Winamp Toolbar\winamptb.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"= "C:\Program Files\Winamp Toolbar\winamptb.dll" [2007-10-04 22:06 1135968]
[HKEY_CLASSES_ROOT\clsid\{ebf2ba02-9094-4c5a-858b-bb198f3d8de2}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"= C:\Program Files\Winamp Toolbar\winamptb.dll [2007-10-04 22:06 1135968]
[HKEY_CLASSES_ROOT\clsid\{ebf2ba02-9094-4c5a-858b-bb198f3d8de2}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44 15360]
"Zegarynka"="G:\Zegarynka\Zegarynka.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"APVXDWIN"="C:\Program Files\Panda Security\Panda Internet Security 2008\APVXDWIN.exe" [2007-07-23 19:30 406832]
"SCANINICIO"="C:\Program Files\Panda Security\Panda Internet Security 2008\Inicio.exe" [2007-07-11 16:17 27952]
"Resume copy"="copyfstq.exe" [2007-11-10 17:43 73728 C:\WINDOWS\copyfstq.exe]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 09:57 143360]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-10-10 07:28 36352]
"NWEReboot"="" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:44 15360]
C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 03:48:00 40048]
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 02:01:00 734872]
Przyspieszenie uruchomienia programu AutoCAD.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart16.exe [2005-03-05 17:18:22 10872]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
avldr.dll 2007-02-15 21:02 50736 C:\WINDOWS\system32\avldr.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
R1 APPFLT;App Filter Plugin;C:\WINDOWS\system32\Drivers\APPFLT.SYS [2007-05-11 10:33]
R1 DSAFLT;DSA Filter Plugin;C:\WINDOWS\system32\Drivers\DSAFLT.SYS [2007-05-11 10:33]
R1 FNETMON;NetMon Filter Plugin;C:\WINDOWS\system32\Drivers\fnetmon.SYS [2007-05-11 10:33]
R1 IDSFLT;Ids Filter Plugin;C:\WINDOWS\system32\Drivers\IDSFLT.SYS [2007-07-11 12:39]
R1 NETFLTDI;Panda Net Driver [TDI Layer];C:\WINDOWS\system32\Drivers\NETFLTDI.SYS [2007-05-11 10:33]
R1 ShldDrv;Panda File Shield Driver;C:\WINDOWS\system32\DRIVERS\ShlDrv51.sys [2007-05-23 16:40]
R1 SMSFLT;SMS Filter Plugin;C:\WINDOWS\system32\Drivers\SMSFLT.SYS [2007-05-11 10:33]
R1 WNMFLT;Wifi Monitor Filter Plugin;C:\WINDOWS\system32\Drivers\WNMFLT.SYS [2007-05-11 10:33]
R2 cpoint;Panda CPoint Driver;C:\WINDOWS\system32\Drivers\cpoint.sys [2007-06-08 09:44]
R2 PavProc;Panda Process Protection Driver;C:\WINDOWS\system32\DRIVERS\PavProc.sys [2007-07-12 14:49]
R3 AvFlt;Antivirus Filter Driver;C:\WINDOWS\system32\drivers\av5flt.sys []
R3 NETIMFLT;PANDA NDIS IM Filter Miniport;C:\WINDOWS\system32\DRIVERS\netimflt.sys [2007-04-24 16:43]
R3 PavSRK.sys;PavSRK.sys;C:\WINDOWS\system32\PavSRK.sys []
R3 PavTPK.sys;PavTPK.sys;C:\WINDOWS\system32\PavTPK.sys []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
\Shell\AutoRun\command - C:\xp19.com
\Shell\explore\Command - C:\xp19.com
\Shell\open\Command - C:\xp19.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\xp19.com
\Shell\explore\Command - D:\xp19.com
\Shell\open\Command - D:\xp19.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\xp19.com
\Shell\explore\Command - F:\xp19.com
\Shell\open\Command - F:\xp19.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - I:\xp19.com
\Shell\explore\Command - I:\xp19.com
\Shell\open\Command - I:\xp19.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{27eca4f4-000f-11dd-8035-000c6e9c5804}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4ddc430e-8f9f-11dc-9158-000c6e9c5804}]
\Shell\AutoRun\command - J:\USBNB.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{57f05776-90f3-11dc-9162-000c6e9c5804}]
\Shell\AutoRun\command - K:\xp19.com
\Shell\explore\Command - K:\xp19.com
\Shell\open\Command - K:\xp19.com
.
**************************************************************************
catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-13 22:01:05
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
detected NTDLL code modification:
ZwEnumerateKey, ZwClose, ZwEnumerateValueKey, ZwQueryValueKey, ZwOpenFile
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-04-13 22:02:28
ComboFix-quarantined-files.txt 2008-04-13 20:02:16
Pre-Run: 22,670,295,040 bajtów wolnych
Post-Run: 22,660,247,552 bajtów wolnych
[ Added: Today at 20:16 ]
I forgot to add that I pasted something into Notepad and dragged and dropped it onto the ComboFix icon; should I add that combofix log too?
