Trojan? głosy z głośników

[mokkunia]

Witam,
niestety znowu mam problem, z którym sama sobie poradzić nie umiem.
Nagle zaczęły mi gadać głosy w głośnikach, a raczej brzmiało to jak ścieżka dźwiękowa z filmu porno.

Użyłam Combofixa:

Kod: Zaznacz wszystko

ComboFix 08-12-14.01 - Maciuś 2008-12-14 20:34:37.17 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1250.1.1045.18.1023.321 [GMT 1:00]
Running from: c:\documents and settings\Maciuś\Pulpit\ComboFix.exe
* Created a new restore point
* Resident AV is active

.

(((((((((((((((((((((((((   Files Created from 2008-11-14 to 2008-12-14  )))))))))))))))))))))))))))))))
.

2008-12-14 20:33 . 2008-12-14 20:33   <DIR>   d--------   C:\32788R22FWJFW
2008-12-14 10:00 . 2008-03-03 14:25   5,702   --ah-----   c:\windows\nod32restoretemdono.reg
2008-12-14 10:00 . 2008-03-03 18:21   568   --ah-----   c:\windows\nod32fixtemdono.reg
2008-12-14 09:59 . 2008-12-14 09:59   <DIR>   d--------   c:\program files\ESET
2008-12-14 09:35 . 2008-12-14 20:36   <DIR>   d--h-----   c:\documents and settings\Administrator\Ustawienia lokalne
2008-12-14 09:35 . 2008-02-29 18:01   <DIR>   d--------   c:\documents and settings\Administrator\Ulubione
2008-12-14 09:35 . 2008-02-29 17:07   <DIR>   d--h-----   c:\documents and settings\Administrator\Szablony
2008-12-14 09:35 . 2008-08-16 21:12   <DIR>   d--------   c:\documents and settings\Administrator\Pulpit
2008-12-14 09:35 . 2008-02-29 18:01   <DIR>   d--------   c:\documents and settings\Administrator\Moje dokumenty
2008-12-14 09:35 . 2008-02-29 18:01   <DIR>   dr-------   c:\documents and settings\Administrator\Menu Start
2008-12-14 09:35 . 2008-02-29 18:01   <DIR>   dr-h-----   c:\documents and settings\Administrator\Dane aplikacji
2008-12-14 09:35 . 2008-12-14 09:35   <DIR>   d--------   c:\documents and settings\Administrator
2008-12-14 09:32 . 2008-12-14 09:42   <DIR>   d--------   C:\SDFix
2008-12-12 20:49 . 2008-12-12 20:49   24   --a------   c:\windows\AM_D7.PRF
2008-12-12 20:48 . 2008-12-12 20:48   <DIR>   d--------   C:\ECG_ON_CDROM
2008-12-12 19:38 . 2008-12-14 10:02   3,373,917   --a------   c:\windows\{00000001-00000000-00000007-00001102-00000002-80271102}.BAK
2008-12-11 15:55 . 2008-12-11 15:55   233,984   --ahs----   c:\windows\odb.exe
2008-12-11 14:37 . 2008-12-12 20:48   54,156   --ah-----   c:\windows\QTFont.qfn
2008-12-11 14:37 . 2008-12-11 14:37   1,409   --a------   c:\windows\QTFont.for
2008-12-10 21:45 . 2008-12-11 15:57   162   --ahs----   c:\windows\system32\1424550033.dat
2008-11-21 21:11 . 2008-11-21 21:11   <DIR>   d--------   c:\program files\Avidemux 2.4
2008-11-21 21:11 . 2008-11-21 21:11   <DIR>   d--------   c:\documents and settings\Maciuś\Dane aplikacji\gtk-2.0
2008-11-21 21:11 . 2008-11-21 21:12   <DIR>   d--------   c:\documents and settings\Maciuś\Dane aplikacji\avidemux

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-14 17:43   ---------   d-----w   c:\program files\Mozilla Thunderbird
2008-12-14 11:34   ---------   d-----w   c:\documents and settings\All Users\Dane aplikacji\avg8
2008-12-14 09:34   ---------   d-----w   c:\program files\StreamDown v6.1
2008-12-14 08:07   ---------   d-----w   c:\program files\Odkurzacz
2008-12-11 16:08   ---------   d-----w   c:\program files\Lavasoft
2008-12-11 16:08   ---------   d-----w   c:\program files\Common Files\Wise Installation Wizard
2008-11-29 15:55   ---------   d-----w   c:\documents and settings\Maciuś\Dane aplikacji\Offline Explorer
2008-11-21 20:08   ---------   d-----w   c:\program files\Google Hacks
2008-11-01 13:35   ---------   d-----w   c:\documents and settings\Maciuś\Dane aplikacji\Gadu-Gadu
2008-10-31 10:54   456,272   ----a-w   c:\documents and settings\All Users\Dane aplikacji\pswi_preloaded.exe
2008-10-31 08:55   ---------   d-----w   c:\documents and settings\All Users\Dane aplikacji\WinZip
2008-10-27 20:41   ---------   d-----w   c:\documents and settings\Maciuś\Dane aplikacji\OnlineArmor
2008-10-26 10:20   ---------   d-----w   c:\program files\SiteThief
2008-10-26 09:29   97,928   ----a-w   c:\windows\system32\drivers\avgldx86.sys
2008-10-26 09:29   76,040   ----a-w   c:\windows\system32\drivers\avgtdix.sys
2008-10-26 09:29   10,520   ----a-w   c:\windows\system32\avgrsstx.dll
2008-10-26 08:42   ---------   d-----w   c:\program files\eMule
2008-10-19 19:33   ---------   d-----w   c:\program files\Norton Security Scan
2008-09-14 12:20   29   ----a-w   c:\windows\Fonts\AWVEXA.INI
2008-09-14 11:58   262,144   ----a-w   c:\windows\system32\gfkernel.dll
2008-08-20 10:44   47,360   ----a-w   c:\documents and settings\Maciuś\Dane aplikacji\pcouffin.sys
2008-02-29 18:36   32   ----a-w   c:\documents and settings\All Users\Dane aplikacji\ezsid.dat
2008-12-11 18:19   66,578   ----a-w   c:\program files\mozilla firefox\components\ecdfcacdd.dll
.

------- Sigcheck -------

2004-08-03 22:14  359040  1745b00fc1141404b28f4b94f69a8871   c:\windows\system32\dllcache\tcpip.sys
2004-08-03 22:14  359040  1745b00fc1141404b28f4b94f69a8871   c:\windows\system32\drivers\tcpip.sys
.
(((((((((((((((((((((((((((((   snapshot@2008-12-14_ 8.49.42,26   )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 19:02:28   163,328   ----a-w   c:\windows\erdnt\Hiv-backup\ERDNT.EXE
- 2008-04-18 07:43:22   163,328   ----a-w   c:\windows\ERUNT\SDFIX\ERDNT.EXE
+ 2008-08-07 14:27:04   163,328   ----a-w   c:\windows\ERUNT\SDFIX\ERDNT.EXE
- 2008-04-19 14:30:05   3,006,464   ----a-w   c:\windows\ERUNT\SDFIX\Users\[u]0[/u]0000001\NTUSER.DAT
+ 2008-12-14 08:36:09   376,832   ----a-w   c:\windows\ERUNT\SDFIX\Users\[u]0[/u]0000001\NTUSER.DAT
- 2008-04-19 14:30:05   167,936   ----a-w   c:\windows\ERUNT\SDFIX\Users\[u]0[/u]0000002\UsrClass.dat
+ 2008-12-14 08:36:09   8,192   ----a-w   c:\windows\ERUNT\SDFIX\Users\[u]0[/u]0000002\UsrClass.dat
+ 2008-12-14 09:00:10   10,134   ----a-r   c:\windows\Installer\{45BF5088-655E-4BDB-9F63-CDEF3BA74D40}\callmsi.exe
+ 2008-12-14 09:00:10   136,448   ----a-r   c:\windows\Installer\{45BF5088-655E-4BDB-9F63-CDEF3BA74D40}\egui.exe
+ 2008-03-13 15:43:42   40,456   ----a-w   c:\windows\system32\drivers\eamon.sys
+ 2008-03-13 15:44:36   29,704   ----a-w   c:\windows\system32\drivers\easdrv.sys
+ 2008-03-13 15:52:18   33,800   ----a-w   c:\windows\system32\drivers\epfwtdir.sys
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Maciuś\Ustawienia lokalne\Dane aplikacji\Google\Update\GoogleUpdate.exe" [2008-10-27 133104]
"Gadu-Gadu"="c:\program files\Gadu-Gadu\gg.exe" [2008-03-20 2127296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Jet Detection"="c:\program files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 28672]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2002-10-12 294912]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-28 413696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-08-16 185896]
"odb"="c:\windows\odb.exe" [2008-12-11 233984]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-03-13 1443072]
"WINDVDPatch"="CTHELPER.EXE" [2002-07-02 c:\windows\system32\CTHELPER.EXE]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 c:\windows\KHALMNPR.Exe]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 c:\windows\KHALMNPR.Exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 01:42 72208 c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Menu Start\Programy\Autostart\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 09:36 267048 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Odkurzacz-MCD]
--a------ 2008-03-03 13:44 266240 c:\program files\Odkurzacz\odk_mcd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 22:37 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-08-16 06:26 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\BitLord\\BitLord.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Xi\\NetXfer\\NetTransport.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57132:TCP"= 57132:TCP:Pando P2P TCP Listening Port
"57132:UDP"= 57132:UDP:Pando P2P UDP Listening Port
"57531:TCP"= 57531:TCP:Pando P2P TCP Listening Port
"57531:UDP"= 57531:UDP:Pando P2P UDP Listening Port
"56856:TCP"= 56856:TCP:Pando P2P TCP Listening Port
"56856:UDP"= 56856:UDP:Pando P2P UDP Listening Port

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-05-04 97928]
R1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys [2008-03-13 33800]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-10-26 875288]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-10-26 231704]
R2 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-05-04 76040]
R2 ekrn;Eset Service;"c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe" [2008-03-13 472320]
S2 NOD32FiXTemDono;Eset Nod32 Boot;c:\windows\system32\regedt32.exe /s c:\windows\nod32fixtemdono.reg [2001-10-26 3584]
S3 CachemanXPService;CachemanXP;c:\progra~1\CACHEM~1\CachemanXP.exe [2008-02-29 246784]
.
Contents of the 'Scheduled Tasks' folder

2008-04-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2008-11-20 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\Maciu[ []

2008-10-19 c:\windows\Tasks\Norton Security Scan.job
- c:\program files\Norton Security Scan\Nss.exe [2008-01-09 03:08]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.pl/
IE: &Save Flash In This Page by Flash Saver - c:\progra~1\FLASHS~1\save.htm
IE: + Offline &Explorer: Download the link - file://c:\program files\Offline Explorer Pro\Add_UrlO.htm
IE: + Offline E&xplorer: Download the current page - file://c:\program files\Offline Explorer Pro\Add_AllO.htm
IE: Download linked FLV with GetFLV - c:\program files\GetFLV\iemenu\DownloadLinkFLV.htm
IE: E&ksport do programu Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Pobierz przez NetXfer - c:\program files\Xi\NetXfer\NXAddLink.html
IE: Pobierz wszystko przez NetXfer - c:\program files\Xi\NetXfer\NXAddList.html

c:\windows\system32\SkanerOnlineUninstall.exe - c:\windows\system32\SkanerOnline.dll
O16 -: {68282C51-9459-467B-95BF-3C0E89627E55}
hxxp://www.mks.com.pl/skaner/SkanerOnline.cab
c:\windows\Downloaded Program Files\SkanerOnline.inf
FF - ProfilePath - c:\documents and settings\Maciuś\Dane aplikacji\Mozilla\Firefox\Profiles\nhfjp8ay.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.pl
FF - plugin: c:\documents and settings\MaciuĹ›\Ustawienia lokalne\Dane aplikacji\Google\Update\1.2.131.27\npGoogleOneClick6.dll
FF - plugin: c:\program files\iTunes\Mozilla Plugins\npitunes.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-14 20:36:39
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(672)
c:\windows\system32\avgrsstx.dll
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll

- - - - - - - > 'lsass.exe'(784)
c:\windows\system32\avgrsstx.dll

- - - - - - - > 'explorer.exe'(9840)
c:\program files\Gadu-Gadu\ggwhook.dll
.
Completion time: 2008-12-14 20:38:00
ComboFix-quarantined-files.txt  2008-12-14 19:37:54
ComboFix2.txt  2008-12-14 17:48:06
ComboFix3.txt  2008-12-14 08:04:01
ComboFix4.txt  2008-12-14 07:50:12

Pre-Run: 3 220 189 184 bajtów wolnych
Post-Run: 3,284,201,472 bajtów wolnych

198


i wklejam jeszcze log z HijackThis

Kod: Zaznacz wszystko

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:42:48, on 2008-12-14
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Documents and Settings\Maciuś\Ustawienia lokalne\Dane aplikacji\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\odb.exe
C:\WINDOWS\odb.exe
C:\WINDOWS\odb.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Maciuś\Pulpit\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: NetXfer - {83B80A9C-D91A-4F22-8DCF-EA7204039F79} - C:\Program Files\Xi\NetXfer\NXIEHelper.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: NetXfer - {C16CBAAC-A75C-4DB5-A0DD-CDF5CAFCDD3A} - C:\Program Files\Xi\NetXfer\NXToolBar.dll
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [odb] C:\WINDOWS\odb.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Maciuś\Ustawienia lokalne\Dane aplikacji\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Save Flash In This Page by Flash Saver - C:\PROGRA~1\FLASHS~1\save.htm
O8 - Extra context menu item: + Offline &Explorer: Download the link - file://C:\Program Files\Offline Explorer Pro\Add_UrlO.htm
O8 - Extra context menu item: + Offline E&xplorer: Download the current page - file://C:\Program Files\Offline Explorer Pro\Add_AllO.htm
O8 - Extra context menu item: Download linked FLV with GetFLV - C:\Program Files\GetFLV\iemenu\DownloadLinkFLV.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Pobierz przez NetXfer - C:\Program Files\Xi\NetXfer\NXAddLink.html
O8 - Extra context menu item: Pobierz wszystko przez NetXfer - C:\Program Files\Xi\NetXfer\NXAddList.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1204304760718
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} - http://www.mks.com.pl/skaner/SkanerOnline.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: CachemanXP (CachemanXPService) - Outertech - C:\PROGRA~1\CACHEM~1\CachemanXP.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Usługa iPod (ipod service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

--
End of file - 6934 bytes


Bardzo proszę o pomoc.

[Okocza]

otwórz notatnik i wklej:

Kod: Zaznacz wszystko

Folder::
C:\32788R22FWJFW

File::
c:\windows\{00000001-00000000-00000007-00001102-00000002-80271102}.BAK
c:\program files\mozilla firefox\components\ecdfcacdd.dll
c:\windows\odb.exe

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"odb"=-


zapisz jako CFScript.txt i przeciągnij na ikonkę combofix.exe

daj nowy log z combofixa

fix w hj

Kod: Zaznacz wszystko

O4 - HKLM\..\Run: [odb] C:\WINDOWS\odb.exe

przeskanuj na http://www.virustotal.com

Kod: Zaznacz wszystko

c:\windows\AM_D7.PRF
c:\windows\system32\1424550033.dat
c:\windows\Fonts\AWVEXA.INI

[mokkunia]

Kod: Zaznacz wszystko

ComboFix 08-12-14.01 - Maciuś 2008-12-14 20:58:34.18 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1250.1.1045.18.1023.343 [GMT 1:00]
Uruchomiony z: c:\documents and settings\Maciuś\Pulpit\ComboFix.exe
Użyto następujących komend :: c:\documents and settings\Maciuś\Pulpit\CFScript.txt
* Utworzono nowy punkt przywracania
* Resident AV is active


FILE ::
c:\program files\mozilla firefox\components\ecdfcacdd.dll
c:\windows\{00000001-00000000-00000007-00001102-00000002-80271102}.BAK
c:\windows\odb.exe
.

(((((((((((((((((((((((((((((((((((((((   Usunięto   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\mozilla firefox\components\ecdfcacdd.dll
c:\windows\{00000001-00000000-00000007-00001102-00000002-80271102}.BAK
c:\windows\odb.exe

.
(((((((((((((((((((((((((   Pliki utworzone od 2008-11-14 do 2008-12-14  )))))))))))))))))))))))))))))))
.

2008-12-14 10:00 . 2008-03-03 14:25   5,702   --ah-----   c:\windows\nod32restoretemdono.reg
2008-12-14 10:00 . 2008-03-03 18:21   568   --ah-----   c:\windows\nod32fixtemdono.reg
2008-12-14 09:59 . 2008-12-14 09:59   <DIR>   d--------   c:\program files\ESET
2008-12-14 09:35 . 2008-12-14 21:00   <DIR>   d--h-----   c:\documents and settings\Administrator\Ustawienia lokalne
2008-12-14 09:35 . 2008-02-29 18:01   <DIR>   d--------   c:\documents and settings\Administrator\Ulubione
2008-12-14 09:35 . 2008-02-29 17:07   <DIR>   d--h-----   c:\documents and settings\Administrator\Szablony
2008-12-14 09:35 . 2008-08-16 21:12   <DIR>   d--------   c:\documents and settings\Administrator\Pulpit
2008-12-14 09:35 . 2008-02-29 18:01   <DIR>   d--------   c:\documents and settings\Administrator\Moje dokumenty
2008-12-14 09:35 . 2008-02-29 18:01   <DIR>   dr-------   c:\documents and settings\Administrator\Menu Start
2008-12-14 09:35 . 2008-02-29 18:01   <DIR>   dr-h-----   c:\documents and settings\Administrator\Dane aplikacji
2008-12-14 09:35 . 2008-12-14 09:35   <DIR>   d--------   c:\documents and settings\Administrator
2008-12-14 09:32 . 2008-12-14 09:42   <DIR>   d--------   C:\SDFix
2008-12-12 20:49 . 2008-12-12 20:49   24   --a------   c:\windows\AM_D7.PRF
2008-12-12 20:48 . 2008-12-12 20:48   <DIR>   d--------   C:\ECG_ON_CDROM
2008-12-11 14:37 . 2008-12-12 20:48   54,156   --ah-----   c:\windows\QTFont.qfn
2008-12-11 14:37 . 2008-12-11 14:37   1,409   --a------   c:\windows\QTFont.for
2008-12-10 21:45 . 2008-12-11 15:57   162   --ahs----   c:\windows\system32\1424550033.dat
2008-11-21 21:11 . 2008-11-21 21:11   <DIR>   d--------   c:\program files\Avidemux 2.4
2008-11-21 21:11 . 2008-11-21 21:11   <DIR>   d--------   c:\documents and settings\Maciuś\Dane aplikacji\gtk-2.0
2008-11-21 21:11 . 2008-11-21 21:12   <DIR>   d--------   c:\documents and settings\Maciuś\Dane aplikacji\avidemux

.
((((((((((((((((((((((((((((((((((((((((   Sekcja Find3M   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-14 17:43   ---------   d-----w   c:\program files\Mozilla Thunderbird
2008-12-14 11:34   ---------   d-----w   c:\documents and settings\All Users\Dane aplikacji\avg8
2008-12-14 09:34   ---------   d-----w   c:\program files\StreamDown v6.1
2008-12-14 08:07   ---------   d-----w   c:\program files\Odkurzacz
2008-12-11 16:08   ---------   d-----w   c:\program files\Lavasoft
2008-12-11 16:08   ---------   d-----w   c:\program files\Common Files\Wise Installation Wizard
2008-11-29 15:55   ---------   d-----w   c:\documents and settings\Maciuś\Dane aplikacji\Offline Explorer
2008-11-21 20:08   ---------   d-----w   c:\program files\Google Hacks
2008-11-01 13:35   ---------   d-----w   c:\documents and settings\Maciuś\Dane aplikacji\Gadu-Gadu
2008-10-31 10:54   456,272   ----a-w   c:\documents and settings\All Users\Dane aplikacji\pswi_preloaded.exe
2008-10-31 08:55   ---------   d-----w   c:\documents and settings\All Users\Dane aplikacji\WinZip
2008-10-27 20:41   ---------   d-----w   c:\documents and settings\Maciuś\Dane aplikacji\OnlineArmor
2008-10-26 10:20   ---------   d-----w   c:\program files\SiteThief
2008-10-26 09:29   97,928   ----a-w   c:\windows\system32\drivers\avgldx86.sys
2008-10-26 09:29   76,040   ----a-w   c:\windows\system32\drivers\avgtdix.sys
2008-10-26 09:29   10,520   ----a-w   c:\windows\system32\avgrsstx.dll
2008-10-26 08:42   ---------   d-----w   c:\program files\eMule
2008-10-19 19:33   ---------   d-----w   c:\program files\Norton Security Scan
2008-09-14 12:20   29   ----a-w   c:\windows\Fonts\AWVEXA.INI
2008-09-14 11:58   262,144   ----a-w   c:\windows\system32\gfkernel.dll
2008-08-20 10:44   47,360   ----a-w   c:\documents and settings\Maciuś\Dane aplikacji\pcouffin.sys
2008-02-29 18:36   32   ----a-w   c:\documents and settings\All Users\Dane aplikacji\ezsid.dat
.

------- Sigcheck -------

2004-08-03 22:14  359040  1745b00fc1141404b28f4b94f69a8871   c:\windows\system32\dllcache\tcpip.sys
2004-08-03 22:14  359040  1745b00fc1141404b28f4b94f69a8871   c:\windows\system32\drivers\tcpip.sys
.
(((((((((((((((((((((((((((((   snapshot@2008-12-14_ 8.49.42,26   )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 19:02:28   163,328   ----a-w   c:\windows\erdnt\Hiv-backup\ERDNT.EXE
- 2008-04-18 07:43:22   163,328   ----a-w   c:\windows\ERUNT\SDFIX\ERDNT.EXE
+ 2008-08-07 14:27:04   163,328   ----a-w   c:\windows\ERUNT\SDFIX\ERDNT.EXE
- 2008-04-19 14:30:05   3,006,464   ----a-w   c:\windows\ERUNT\SDFIX\Users\[u]0[/u]0000001\NTUSER.DAT
+ 2008-12-14 08:36:09   376,832   ----a-w   c:\windows\ERUNT\SDFIX\Users\[u]0[/u]0000001\NTUSER.DAT
- 2008-04-19 14:30:05   167,936   ----a-w   c:\windows\ERUNT\SDFIX\Users\[u]0[/u]0000002\UsrClass.dat
+ 2008-12-14 08:36:09   8,192   ----a-w   c:\windows\ERUNT\SDFIX\Users\[u]0[/u]0000002\UsrClass.dat
+ 2008-12-14 09:00:10   10,134   ----a-r   c:\windows\Installer\{45BF5088-655E-4BDB-9F63-CDEF3BA74D40}\callmsi.exe
+ 2008-12-14 09:00:10   136,448   ----a-r   c:\windows\Installer\{45BF5088-655E-4BDB-9F63-CDEF3BA74D40}\egui.exe
+ 2008-03-13 15:43:42   40,456   ----a-w   c:\windows\system32\drivers\eamon.sys
+ 2008-03-13 15:44:36   29,704   ----a-w   c:\windows\system32\drivers\easdrv.sys
+ 2008-03-13 15:52:18   33,800   ----a-w   c:\windows\system32\drivers\epfwtdir.sys
.
(((((((((((((((((((((((((((((((((((((   Wpisy startowe rejestru   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Maciuś\Ustawienia lokalne\Dane aplikacji\Google\Update\GoogleUpdate.exe" [2008-10-27 133104]
"Gadu-Gadu"="c:\program files\Gadu-Gadu\gg.exe" [2008-03-20 2127296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Jet Detection"="c:\program files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 28672]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2002-10-12 294912]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-28 413696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-08-16 185896]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-03-13 1443072]
"WINDVDPatch"="CTHELPER.EXE" [2002-07-02 c:\windows\system32\CTHELPER.EXE]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 c:\windows\KHALMNPR.Exe]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 c:\windows\KHALMNPR.Exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 01:42 72208 c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Menu Start\Programy\Autostart\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 09:36 267048 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Odkurzacz-MCD]
--a------ 2008-03-03 13:44 266240 c:\program files\Odkurzacz\odk_mcd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 22:37 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-08-16 06:26 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\BitLord\\BitLord.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Xi\\NetXfer\\NetTransport.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57132:TCP"= 57132:TCP:Pando P2P TCP Listening Port
"57132:UDP"= 57132:UDP:Pando P2P UDP Listening Port
"57531:TCP"= 57531:TCP:Pando P2P TCP Listening Port
"57531:UDP"= 57531:UDP:Pando P2P UDP Listening Port
"56856:TCP"= 56856:TCP:Pando P2P TCP Listening Port
"56856:UDP"= 56856:UDP:Pando P2P UDP Listening Port

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-05-04 97928]
R1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys [2008-03-13 33800]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-10-26 875288]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-10-26 231704]
R2 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-05-04 76040]
R2 ekrn;Eset Service;"c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe" [2008-03-13 472320]
S2 NOD32FiXTemDono;Eset Nod32 Boot;c:\windows\system32\regedt32.exe /s c:\windows\nod32fixtemdono.reg [2001-10-26 3584]
S3 CachemanXPService;CachemanXP;c:\progra~1\CACHEM~1\CachemanXP.exe [2008-02-29 246784]
.
Zawartość folderu 'Zaplanowane zadania'

2008-04-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2008-11-20 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\Maciu[ []

2008-10-19 c:\windows\Tasks\Norton Security Scan.job
- c:\program files\Norton Security Scan\Nss.exe [2008-01-09 03:08]
.
.
------- Skan uzupełniający -------
.
uStart Page = hxxp://www.google.pl/
IE: &Save Flash In This Page by Flash Saver - c:\progra~1\FLASHS~1\save.htm
IE: + Offline &Explorer: Download the link - file://c:\program files\Offline Explorer Pro\Add_UrlO.htm
IE: + Offline E&xplorer: Download the current page - file://c:\program files\Offline Explorer Pro\Add_AllO.htm
IE: Download linked FLV with GetFLV - c:\program files\GetFLV\iemenu\DownloadLinkFLV.htm
IE: E&ksport do programu Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Pobierz przez NetXfer - c:\program files\Xi\NetXfer\NXAddLink.html
IE: Pobierz wszystko przez NetXfer - c:\program files\Xi\NetXfer\NXAddList.html

c:\windows\system32\SkanerOnlineUninstall.exe - c:\windows\system32\SkanerOnline.dll
O16 -: {68282C51-9459-467B-95BF-3C0E89627E55}
hxxp://www.mks.com.pl/skaner/SkanerOnline.cab
c:\windows\Downloaded Program Files\SkanerOnline.inf
FF - ProfilePath - c:\documents and settings\Maciuś\Dane aplikacji\Mozilla\Firefox\Profiles\nhfjp8ay.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.pl
FF - plugin: c:\documents and settings\MaciuĹ›\Ustawienia lokalne\Dane aplikacji\Google\Update\1.2.131.27\npGoogleOneClick6.dll
FF - plugin: c:\program files\iTunes\Mozilla Plugins\npitunes.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-14 21:00:08
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

skanowanie ukrytych procesów ...

skanowanie ukrytych wpisów autostartu ...

skanowanie ukrytych plików ...

skanowanie pomyślnie ukończone
ukryte pliki: 0

**************************************************************************
.
--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------

- - - - - - - > 'winlogon.exe'(672)
c:\windows\system32\avgrsstx.dll
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll

- - - - - - - > 'lsass.exe'(784)
c:\windows\system32\avgrsstx.dll
.
Czas ukończenia: 2008-12-14 21:01:13
ComboFix-quarantined-files.txt  2008-12-14 20:01:11
ComboFix2.txt  2008-12-14 19:38:05
ComboFix3.txt  2008-12-14 17:48:06
ComboFix4.txt  2008-12-14 08:04:01
ComboFix5.txt  2008-12-14 19:56:05

Przed: 3 249 917 952 bajtów wolnych
Po: 3,249,881,088 bajtów wolnych

203


W hj już nie było tego wpisu

Kod: Zaznacz wszystko

O4 - HKLM\..\Run: [odb] C:\WINDOWS\odb.exe

Te 3 pliki przeskanowałam na http://www.virustotal.com nic nie znaleziono.

[Okocza]

mokkunia, są jeszcze te 'głosy'

[mokkunia]

Ucichły Dzięki
Oby nie wróciły

[grek9292]

hej...ja tez mam taki problem i za nic nie wiem o co wam chodzi z tym ComboFix prosze pomuzcie mi cos z tym zrobic...

[Okocza]

grek9292, załóż swój temat i opisz swój problem.