Strict Standards: Non-static method utf_normalizer::nfkc() should not be called statically in /home/mati/domains/forum.programosy.pl/public_html/includes/utf/utf_tools.php on line 1663

Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/mati/domains/forum.programosy.pl/public_html/includes/bbcode.php on line 483

Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/mati/domains/forum.programosy.pl/public_html/includes/bbcode.php on line 112

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 27

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 28

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 29

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 30

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 31

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 32

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 33

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 35

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 36

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 37

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 38

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 39

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 40

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 41

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 42

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 43

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 44

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 45

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 47

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 48

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 49

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 50

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 51

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 52

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 53

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 54

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 55

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 56

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 80

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 81

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 82

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 83

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 84

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 85

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 86

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 87

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 88

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 89

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 90

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 91

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 92

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 93

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 94

Strict Standards: Non-static method utf_normalizer::nfkc() should not be called statically in /home/mati/domains/forum.programosy.pl/public_html/includes/utf/utf_tools.php on line 1663

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 27

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 28

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 29

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 30

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 31

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 32

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 33

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 35

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 36

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 37

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 38

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 39

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 40

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 41

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 42

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 43

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 44

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 45

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 47

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 48

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 49

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 50

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 51

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 52

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 53

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 54

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 55

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 56

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 80

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 81

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 82

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 83

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 84

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 85

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 86

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 87

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 88

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 89

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 90

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 91

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 92

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 93

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 94

Strict Standards: Non-static method utf_normalizer::nfkc() should not be called statically in /home/mati/domains/forum.programosy.pl/public_html/includes/utf/utf_tools.php on line 1663

Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/mati/domains/forum.programosy.pl/public_html/includes/bbcode.php on line 112

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 27

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 28

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 29

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 30

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 31

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 32

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 33

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 35

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 36

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 37

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 38

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 39

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 40

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 41

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 42

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 43

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 44

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 45

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 47

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 48

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 49

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 50

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 51

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 52

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 53

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 54

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 55

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 56

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 80

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 81

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 82

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 83

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 84

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 85

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 86

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 87

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 88

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 89

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 90

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 91

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 92

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 93

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 94

Strict Standards: Non-static method utf_normalizer::nfkc() should not be called statically in /home/mati/domains/forum.programosy.pl/public_html/includes/utf/utf_tools.php on line 1663

Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/mati/domains/forum.programosy.pl/public_html/includes/bbcode.php on line 112

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 27

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 28

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 29

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 30

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 31

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 32

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 33

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 35

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 36

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 37

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 38

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 39

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 40

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 41

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 42

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 43

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 44

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 45

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 47

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 48

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 49

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 50

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 51

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 52

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 53

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 54

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 55

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 56

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 80

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 81

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 82

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 83

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 84

Deprecated: Function eregi() is deprecated in /home/mati/domains/forum.programosy.pl/public_html/includes/functions_gfxua.php on line 85

trojan.win32.zapchast.gc • programosy.pl


System security, virus removal, choosing antivirus software. Mandatory logs in this section: three from FRST + Gmer.

Trojan.Win32.Zapchast.gc

Post by pasta271, 07 Jun 2008, 14:34

Hello!
After I (accidentally) ran a small file, is153723.exe, the taskbar and the desktop icons disappeared (the effect was the same after restarting the system).

The only thing that worked was Alt+Ctrl+Delete.

The file is153723.exe had been scanned with AVG Anti-Spyware 7.5.1.43-3339 and Eset NOD32 v3.0.657 (both with up-to-date databases); neither detected anything.

I managed to run ComboFix.exe, and apparently it found and removed something, because everything went back to normal.

After scanning the file is153723.exe at http://virusscan.jotti.org/ and http://www.virustotal.com/pl/, it turned out that it is most likely Trojan.Win32.Zapchast.gc

Jotti's malware scan 2.99-TRANSITION_TO_3.00-R1:
Scanner results
Scan taken on 07 Jun 2008 11:50:53 (GMT)
A-Squared    Found nothing
AntiVir    Found TR/Dropper.Gen
ArcaVir    Found Heur.W32
Avast    Found Win32:Zapchast-FM
AVG Antivirus    Found Vundo
BitDefender    Found nothing
ClamAV    Found nothing
CPsecure    Found Troj.W32.Zapchast.gb
Dr.Web    Found nothing
F-Prot Antivirus    Found nothing
F-Secure Anti-Virus    Found Trojan.Win32.Zapchast.gc
Fortinet    Found Virtum.3!tr
Ikarus    Found nothing
Kaspersky Anti-Virus    Found Trojan.Win32.Zapchast.gc
NOD32    Found nothing
Norman Virus Control    Found W32/Srizbi.U
Panda Antivirus    Found nothing
Sophos Antivirus    Found Troj/Virtum-Gen
VirusBuster    Found nothing
VBA32    Found Trojan.Win32.Zapchast.gc


Virustotal:
http://www.virustotal.com/pl/analisis/b48ad73ea591fbe806a6dc4e296d3c13

Please check the logs to see whether anything is still left on my system:
ComboFix:
ComboFix 08-06-06.6 - usr 2008-06-07 13:28:43.11 - NTFSx86
Running from: C:\Documents and Settings\usr\Pulpit\ComboFix.exe
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\usr\Ustawienia lokalne\Temporary Internet Files\CSC2.5U-EN-750-F.sbr.sgn
C:\WINDOWS\system32\gwgqxvcu.ini
C:\WINDOWS\system32\ljJCuUnL.dll
C:\WINDOWS\system32\otjyahkk.ini
C:\WINDOWS\system32\ougakldt.ini
C:\WINDOWS\system32\pmnNfEtU.dll
C:\WINDOWS\system32\UtEfNnmp.ini
C:\WINDOWS\system32\UtEfNnmp.ini2
C:\WINDOWS\system32\vlgkvgam.ini
C:\WINDOWS\system32\wvUoLddd.dll
C:\WINDOWS\system32\yrrwysgs.ini

.
((((((((((((((((((((((((( Files Created from 2008-05-07 to 2008-06-07 )))))))))))))))))))))))))))))))
.

2008-06-06 16:45 . 2008-06-06 16:47 <DIR> d-------- C:\Program Files\ESET
2008-06-01 16:38 . 2008-06-01 16:38 <DIR> d-------- C:\WINDOWS\system32\AGEIA
2008-06-01 16:38 . 2008-06-01 16:38 <DIR> d-------- C:\Program Files\AGEIA Technologies
2008-06-01 16:37 . 2008-06-01 16:37 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-31 19:14 . 2004-07-09 04:26 1,230,336 --a--c--- C:\WINDOWS\system32\dllcache\msvidctl.dll
2008-05-31 19:14 . 2004-07-09 04:26 354,816 --a------ C:\WINDOWS\system32\psisdecd.dll
2008-05-31 19:14 . 2004-07-09 04:26 52,224 --a------ C:\WINDOWS\system32\msdvbnp.ax
2008-05-31 19:14 . 2004-07-09 04:26 52,096 --a------ C:\WINDOWS\system32\drivers\msdv.sys
2008-05-31 19:14 . 2004-07-09 04:26 47,104 --a--c--- C:\WINDOWS\system32\dllcache\wstdecod.dll
2008-05-31 19:14 . 2004-07-09 04:26 30,208 --a------ C:\WINDOWS\system32\psisrndr.ax
2008-05-31 19:14 . 2004-07-09 04:26 16,896 --a------ C:\WINDOWS\system32\bdaplgin.ax
2008-05-31 19:14 . 2004-07-09 04:26 15,104 --a------ C:\WINDOWS\system32\drivers\mpe.sys
2008-05-31 19:14 . 2002-12-12 00:14 12,288 --a------ C:\WINDOWS\system32\ksolay.ax
2008-05-31 19:14 . 2004-07-09 04:26 11,392 --a------ C:\WINDOWS\system32\drivers\bdasup.sys
2008-05-31 15:27 . 2008-05-31 15:27 <DIR> d-------- C:\Program Files\GameShadow
2008-05-31 15:18 . 2008-01-08 22:00 799,424 -ra------ C:\WINDOWS\system32\tmp895.tmp
2008-05-31 15:18 . 2008-01-08 22:00 799,424 -ra------ C:\WINDOWS\system32\tmp894.tmp
2008-05-25 03:52 . 2008-05-25 03:52 <DIR> d-------- C:\Documents and Settings\usr\.unizeto
2008-05-24 23:26 . 2008-05-24 23:26 <DIR> d-------- C:\Program Files\Quicksys
2008-05-22 10:37 . 2008-05-22 15:24 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-22 10:37 . 2008-05-22 10:37 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-22 00:51 . 2008-05-22 00:51 135 --a------ C:\WINDOWS\huffyuv.ini
2008-05-22 00:45 . 2008-05-22 00:45 <DIR> d-------- C:\WINDOWS\system32\QuickTime
2008-05-18 10:02 . 2008-06-01 07:49 278,984 --a------ C:\WINDOWS\system32\drivers\atksgt.sys
2008-05-18 10:02 . 2008-05-18 10:02 25,416 --a------ C:\WINDOWS\system32\drivers\lirsgt.sys
2008-05-17 17:53 . 2008-05-17 17:53 <DIR> d-------- C:\Documents and Settings\usr\Dane aplikacji\mojosoft
2008-05-11 00:18 . 2008-05-11 00:28 <DIR> d-------- C:\Documents and Settings\usr\Dane aplikacji\ImgBurn
2008-05-11 00:03 . 2008-05-11 00:04 <DIR> d-------- C:\Program Files\ImgBurn
2008-05-07 23:13 . 2008-05-07 23:13 <DIR> d-------- C:\WINDOWS\system32\pl
2008-05-07 23:13 . 2008-05-07 23:13 <DIR> d-------- C:\WINDOWS\system32\bits
2008-05-07 23:13 . 2008-05-07 23:13 <DIR> d-------- C:\WINDOWS\l2schemas
2008-05-07 23:11 . 2008-05-07 23:11 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-05-07 23:08 . 2008-05-07 23:14 <DIR> d-------- C:\WINDOWS\EHome
2008-05-07 23:02 . 2008-04-14 19:20 346,112 --------- C:\WINDOWS\system32\windowscodecsext.dll
2008-05-07 23:02 . 2008-04-14 19:20 276,992 --------- C:\WINDOWS\system32\wmphoto.dll
2008-05-07 23:02 . 2008-04-14 19:20 69,120 --------- C:\WINDOWS\system32\wlanapi.dll
2008-05-07 23:00 . 2008-04-14 19:20 870,784 --------- C:\WINDOWS\system32\ati3d1ag.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-07 11:01 --------- d-----w C:\Documents and Settings\usr\Dane aplikacji\Azureus
2008-06-07 10:22 --------- d-----w C:\Documents and Settings\usr\Dane aplikacji\foobar2000
2008-06-03 19:32 --------- d-----w C:\Program Files\foobar2000
2008-06-02 18:53 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-02 14:42 --------- d-----w C:\Program Files\FlashGet
2008-05-31 13:18 --------- d-----w C:\Program Files\OpenAL
2008-05-30 15:32 --------- d-----w C:\Program Files\SpeedFan
2008-05-23 19:20 --------- d-----w C:\Documents and Settings\usr\Dane aplikacji\Skype
2008-05-23 19:12 --------- d-----w C:\Documents and Settings\usr\Dane aplikacji\skypePM
2008-05-22 16:39 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-22 14:12 --------- d-----w C:\Program Files\The Bat!
2008-05-21 23:57 --------- d-----w C:\Program Files\Xvid
2008-05-14 16:07 --------- d-----w C:\Documents and Settings\usr\Dane aplikacji\YNWA
2008-05-11 17:00 --------- d-----w C:\Documents and Settings\usr\Dane aplikacji\Codemasters
2008-05-07 20:48 --------- d-----w C:\Program Files\HD Tune Pro
2008-04-30 20:47 --------- d-----w C:\Documents and Settings\usr\Dane aplikacji\Hamachi
2008-04-30 19:32 --------- d-----w C:\Program Files\DivX
2008-04-30 18:33 --------- d-----w C:\Program Files\Common Files\Skype
2008-04-30 16:57 --------- d-----w C:\Program Files\RivaTuner v2.08
2008-04-29 18:34 --------- d-----w C:\Program Files\Real Alternative
2008-04-28 19:54 --------- d-----w C:\Documents and Settings\usr\Dane aplikacji\Eltima Software
2008-04-28 16:13 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\ESET
2008-04-25 18:44 --------- d-----w C:\Program Files\totalcmd
2008-04-25 18:25 --------- d-----w C:\Program Files\Zards software
2008-04-25 16:55 --------- d-----w C:\Program Files\ffdshow
2008-04-24 16:11 --------- d-----w C:\Program Files\SeaTools Enterprise
2008-04-23 13:00 33,800 ----a-w C:\WINDOWS\system32\drivers\epfwtdir.sys
2008-04-23 12:53 29,704 ----a-w C:\WINDOWS\system32\drivers\easdrv.sys
2008-04-23 12:52 40,456 ----a-w C:\WINDOWS\system32\drivers\eamon.sys
2008-04-22 16:36 --------- d-----w C:\Documents and Settings\usr\Dane aplikacji\DeskSoft
2008-04-21 15:34 --------- d-----w C:\Program Files\Foxit Software
2008-04-19 21:58 --------- d-----w C:\Documents and Settings\usr\Dane aplikacji\Zoom Player
2008-04-19 21:32 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Ashampoo
2008-04-19 21:26 --------- d-----w C:\Program Files\CoreCodec
2008-04-19 05:55 --------- d-----w C:\Program Files\AdiIRC
2008-04-18 19:26 --------- d-----w C:\Documents and Settings\usr\Dane aplikacji\ChemTable Software
2008-04-17 14:33 --------- d-----w C:\Program Files\Azureus
2008-04-14 17:22 40,840 ----a-w C:\WINDOWS\system32\drivers\termdd.sys
2008-04-14 17:22 21,896 ----a-w C:\WINDOWS\system32\drivers\tdtcp.sys
2008-04-14 17:22 139,656 ----a-w C:\WINDOWS\system32\drivers\rdpwd.sys
2008-04-14 17:22 12,040 ----a-w C:\WINDOWS\system32\drivers\tdpipe.sys
2008-04-14 17:21 32,866 ------w C:\WINDOWS\slrundll.exe
2008-04-14 17:21 285,696 ----a-w C:\WINDOWS\winhlp32.exe
2008-04-14 17:21 149,504 ----a-w C:\WINDOWS\regedit.exe
2008-04-14 17:21 10,752 ----a-w C:\WINDOWS\hh.exe
2008-04-14 17:21 1,035,264 ----a-w C:\WINDOWS\explorer.exe
2008-04-14 17:20 50,688 ----a-w C:\WINDOWS\twain_32.dll
2008-04-14 17:20 3,901 ------w C:\WINDOWS\system32\drivers\siint5.dll
2008-04-14 17:20 25,471 ------w C:\WINDOWS\system32\drivers\atv04nt5.dll
2008-04-14 17:20 21,183 ------w C:\WINDOWS\system32\drivers\atv01nt5.dll
2008-04-14 17:20 17,279 ------w C:\WINDOWS\system32\drivers\atv10nt5.dll
2008-04-14 17:20 15,423 ------w C:\WINDOWS\system32\drivers\ch7xxnt5.dll
2008-04-14 17:20 14,143 ------w C:\WINDOWS\system32\drivers\atv06nt5.dll
2008-04-14 17:20 11,359 ------w C:\WINDOWS\system32\drivers\atv02nt5.dll
2008-04-14 17:20 11,325 ------w C:\WINDOWS\system32\drivers\vchnt5.dll
2008-04-14 16:34 73,472 ----a-w C:\WINDOWS\system32\drivers\sr.sys
2008-04-14 16:33 80,256 ----a-w C:\WINDOWS\system32\drivers\parport.sys
2008-04-14 16:33 68,608 ----a-w C:\WINDOWS\system32\drivers\pci.sys
2008-04-14 16:33 120,320 ----a-w C:\WINDOWS\system32\drivers\pcmcia.sys
2008-04-14 16:32 46,848 ----a-w C:\WINDOWS\system32\drivers\p3.sys
2008-04-14 16:22 800,000 ----a-w C:\WINDOWS\system32\drivers\dmboot.sys
2008-04-14 16:22 153,856 ----a-w C:\WINDOWS\system32\drivers\dmio.sys
2008-04-14 16:20 24,960 ----a-w C:\WINDOWS\system32\drivers\kbdclass.sys
2008-04-14 16:18 37,632 ----a-w C:\WINDOWS\system32\drivers\isapnp.sys
2008-04-14 16:17 40,832 ----a-w C:\WINDOWS\system32\drivers\crusoe.sys
2008-04-14 16:16 40,448 ----a-w C:\WINDOWS\system32\drivers\intelppm.sys
2008-04-14 16:11 65,280 ----a-w C:\WINDOWS\system32\drivers\serial.sys
2008-04-14 16:11 53,248 ----a-w C:\WINDOWS\system32\drivers\i8042prt.sys
2008-04-14 16:09 25,728 ------w C:\WINDOWS\system32\drivers\hidbth.sys
2008-04-14 16:05 58,880 ----a-w C:\WINDOWS\system32\drivers\redbook.sys
2008-04-14 16:05 273,920 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-04-14 16:03 44,672 ----a-w C:\WINDOWS\system32\drivers\fips.sys
2008-04-14 16:01 52,864 ----a-w C:\WINDOWS\system32\drivers\volsnap.sys
2008-04-14 16:00 39,936 ----a-w C:\WINDOWS\system32\drivers\processr.sys
2008-04-14 15:58 41,856 ----a-w C:\WINDOWS\system32\drivers\amdk7.sys
2008-04-14 15:58 41,472 ----a-w C:\WINDOWS\system32\drivers\amdk6.sys
2008-04-14 15:55 23,296 ----a-w C:\WINDOWS\system32\drivers\mouclass.sys
2008-04-14 15:54 30,208 ----a-w C:\WINDOWS\system32\drivers\modem.sys
2008-04-14 15:54 188,544 ----a-w C:\WINDOWS\system32\drivers\acpi.sys
2008-04-13 19:28 175,744 ----a-w C:\WINDOWS\system32\drivers\rdbss.sys
2008-04-13 19:21 162,816 ----a-w C:\WINDOWS\system32\drivers\netbt.sys
2008-04-13 19:20 91,520 ----a-w C:\WINDOWS\system32\drivers\ndiswan.sys
2008-04-13 19:20 361,344 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-04-13 19:20 182,656 ----a-w C:\WINDOWS\system32\drivers\ndis.sys
2008-04-13 19:19 75,264 ----a-w C:\WINDOWS\system32\drivers\ipsec.sys
2008-04-13 19:19 51,328 ----a-w C:\WINDOWS\system32\drivers\rasl2tp.sys
2008-04-13 19:19 48,384 ----a-w C:\WINDOWS\system32\drivers\raspptp.sys
2008-04-13 19:19 146,048 ----a-w C:\WINDOWS\system32\drivers\portcls.sys
2008-04-13 19:19 138,112 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-04-13 19:17 83,072 ----a-w C:\WINDOWS\system32\drivers\wdmaud.sys
2008-04-13 19:17 456,576 ----a-w C:\WINDOWS\system32\drivers\mrxsmb.sys
2008-04-13 19:17 105,344 ----a-w C:\WINDOWS\system32\drivers\mup.sys
2008-04-13 19:16 49,536 ----a-w C:\WINDOWS\system32\drivers\classpnp.sys
2008-04-13 19:16 141,056 ----a-w C:\WINDOWS\system32\drivers\ks.sys
2008-04-13 19:15 60,800 ----a-w C:\WINDOWS\system32\drivers\sysaudio.sys
2008-04-13 19:15 574,976 ----a-w C:\WINDOWS\system32\drivers\ntfs.sys
2008-04-13 19:15 334,848 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-04-13 19:14 63,744 ----a-w C:\WINDOWS\system32\drivers\cdfs.sys
2008-04-13 19:14 143,744 ----a-w C:\WINDOWS\system32\drivers\fastfat.sys
2008-04-13 19:00 225,664 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSysVol"="C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-02-15 16:10 57344]
"P17Helper"="P17.dll" [2005-05-03 19:38 64512 C:\WINDOWS\system32\P17.dll]
"WheelMouse"="C:\Program Files\A4Tech\Mouse\Amoumain.exe" [2007-02-10 23:07 241664]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-09-11 23:28 8491008]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-09-11 23:28 81920]
"NodLogin"="C:\Program Files\ESET\ESET NOD32 Antivirus\nodlogin.exe" [ ]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-04-23 14:57 1443072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 19:21 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide3"="cmd.exe" [2008-04-14 19:21 396288 C:\WINDOWS\system32\cmd.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableStatusMessages"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDesktopCleanupWizard"= 1 (0x1)
"NoChangeAnimation"= 0 (0x0)
"NoStrCmpLogical"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"MemCheckBoxInRunDlg"= 0 (0x0)
"NoStrCmpLogical"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll
"VIDC.ACDV"= ACDV.dll
"msacm.ac3filter"= ac3filter.acm
"VIDC.MLCY"= mlc.dll
"vidc.yv12"= yv12vfw.dll
"VIDC.HFYU"= huffyuv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"F:\\StrongDC++\\StrongDC.exe"=
"C:\\Program Files\\Cerberus\\Cerberus.exe"=
"C:\\Program Files\\Hamachi\\hamachi.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"G:\\Program Files\\KONAMI\\Pro Evolution Soccer 2008\\PES2008.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3478:UDP"= 3478:UDP:stun
"3479:UDP"= 3479:UDP:stun 2
"6112:UDP"= 6112:UDP:stun 3
"5730:UDP"= 5730:UDP:game
"5739:UDP"= 5739:UDP:game 1
"9001:TCP"= 9001:TCP:game 2
"11881:TCP"= 11881:TCP:game 3
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R0 si3112r;Silicon Image SiI 3112 SATARaid Controller;C:\WINDOWS\system32\drivers\si3112r.sys [2007-08-29 03:04]
R0 SiWinAcc;SiWinAcc;C:\WINDOWS\system32\drivers\SiWinAcc.sys [2007-08-29 03:04]
R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-04-23 15:00]
R2 nxsIO32;NextSensor Kernel I/O Driver;C:\WINDOWS\System32\DRIVERS\nxsIO32.sys [2006-10-25 20:27]
R3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 20:45]
S3 k510bus;Sony Ericsson K510 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\k510bus.sys [2006-02-17 21:34]
S3 KS-959;MA-620 USB Infrared Adapter;C:\WINDOWS\system32\DRIVERS\KS-959.sys [2005-10-22 10:06]
S3 p17filt;p17filt;C:\WINDOWS\system32\drivers\p17filt.sys [2006-03-20 18:34]
S3 PortTalk;PortTalk;C:\WINDOWS\system32\Drivers\PortTalk.sys [2002-01-12 17:30]
S3 s125bus;Sony Ericsson Device 125 driver (WDM);C:\WINDOWS\system32\DRIVERS\s125bus.sys [2007-04-24 11:33]
S3 s125mdfl;Sony Ericsson Device 125 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\s125mdfl.sys [2007-04-24 11:33]
S3 s125mdm;Sony Ericsson Device 125 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\s125mdm.sys [2007-04-24 11:33]
S3 s125mgmt;Sony Ericsson Device 125 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\s125mgmt.sys [2007-04-24 11:33]
S3 s125obex;Sony Ericsson Device 125 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\s125obex.sys [2007-04-24 11:33]
S3 TPP200;USB Storage Adapter V2 (TPP);C:\WINDOWS\system32\DRIVERS\TPP200.SYS [2001-10-05 05:54]
S3 usb2vcom;USB to Serial Bridge Controller;C:\WINDOWS\system32\Drivers\usb2vcom.sys [2005-05-25 12:24]
S3 usbscan;Sterownik skanera USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 20:45]
S3 WFIOCTL;WFIOCTL;C:\Program Files\WinFast\WFTVFM\WFIOCTL.SYS [2005-01-06 17:55]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-07 13:33:08
Windows 5.1.2600 Dodatek Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-06-07 13:35:57 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-07 11:35:47
ComboFix2.txt 2008-03-06 15:35:44

Pre-Run: 599,232,512 bajtów wolnych
Post-Run: 1,171,075,072 bajtów wolnych

270


Trend Micro HijackThis v2.0.2
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:30, on 2008-06-07
Platform: Windows XP Dodatek SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\A4Tech\Mouse\Amoumain.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\totalcmd\TOTALCMD.EXE
C:\Program Files\foobar2000\foobar2000.exe
E:\_program no install\HijackThis v2.0.2\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [WheelMouse] C:\Program Files\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NodLogin] "C:\Program Files\ESET\ESET NOD32 Antivirus\nodlogin.exe" /o
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide3] cmd.exe /C rundll32 advpack.dll,LaunchINFSection nLite.inf,C (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide3] cmd.exe /C rundll32 advpack.dll,LaunchINFSection nLite.inf,C (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide3] cmd.exe /C rundll32 advpack.dll,LaunchINFSection nLite.inf,C (User 'Default user')
O8 - Extra context menu item: &Ściągnij przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &Ściągnij wszystko przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_all.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Utwórz Ulubione dla urządzenia przenośnego... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15030/CTSUEng.cab
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://test.catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1190829263421
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1200521077953
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1207326445968
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15034/CTPID.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Indexing Service (cisvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 7086 bytes


PS. I'm a bit disappointed with NOD32 for not detecting anything; maybe someone can recommend what else to use (I currently use NOD32 and occasionally scan the system with AVG Anti-Spyware).
pasta271
~user
 
Posts: 43
Joined: 13 Nov 2007, 18:49



Post by wojtas, 07 Jun 2008, 14:41

Do what is described in this topic.

Use SDFix. After downloading, run it and it will unpack itself to C:\SDFix. Start the computer in safe mode (F8 at system startup). While in safe mode, run the RunThis.bat file from the SDFix folder. Confirm the cleanup with Y. Wait until it finishes and the computer restarts.

Then go to the C:\SDFix folder and post the contents of Report.txt plus the ComboFix log, and also post a HijackThis log.
wojtas
*mod
 
Posts: 18165
Joined: 13 Jan 2006, 16:00
Location: Krzeszyce
Commendations: 1656



Post by pasta271, 07 Jun 2008, 19:48

SDFix v1.189:
SDFix: Version 1.189
Run by usr on 2008-06-07 at 18:51

Microsoft Windows XP [Wersja 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\keygen.exe - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-07 18:55:31
Windows 5.1.2600 Dodatek Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...


scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\System]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{FB02DF3C-E167-6C6B-4815-C03532086983}]
"nagenjighbecdeohfahcaeikbpip"=hex:69,61,6c,6b,6c,6a,6d,65,6f,67,64,65,65,63,6c,62,65,6d,00,00
"kaodhahfkokiknmccgbjam"=hex:62,61,6b,6b,00,00
"pamdbbffjimenabhlfdknladleengpjj"=hex:69,61,63,6c,6d,64,6c,61,68,6f,66,65,69,68,6c,6e,67,6b,00,00
"oagenjighbecdeohfahcaeallanobp"=hex:69,61,63,6c,6d,64,6c,61,68,6f,66,65,69,68,6c,6e,67,6b,00,00
"pamdbbffjimenabhlfdknladlednldej"=hex:69,61,63,6c,6d,64,6c,61,68,6f,66,65,69,68,6c,6e,67,6b,00,00
"oagenjighbecdeohfahcaealmakoga"=hex:69,61,63,6c,6d,64,6c,61,68,6f,66,65,69,68,6c,6e,67,6b,00,00

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"F:\\StrongDC++\\StrongDC.exe"="F:\\StrongDC++\\StrongDC.exe:*:Enabled:StrongDC++"
"C:\\Program Files\\Cerberus\\Cerberus.exe"="C:\\Program Files\\Cerberus\\Cerberus.exe:*:Enabled:Cerberus FTP Server"
"C:\\Program Files\\Hamachi\\hamachi.exe"="C:\\Program Files\\Hamachi\\hamachi.exe:*:Enabled:Hamachi Client"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"G:\\Program Files\\KONAMI\\Pro Evolution Soccer 2008\\PES2008.exe"="G:\\Program Files\\KONAMI\\Pro Evolution Soccer 2008\\PES2008.exe:*:Enabled:Pro Evolution Soccer 2008"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Thu 27 Mar 2008 433 A..H. --- "C:\WINDOWS\Fix.reg"
Mon 3 Mar 2008 5,702 A..H. --- "C:\WINDOWS\nod32restoretemdono.reg"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Mon 19 May 2008 2,724 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Sat 7 Jun 2008 8 ..SHR --- "C:\Documents and Settings\All Users\Dane aplikacji\0752030127.sys"
Sat 7 Jun 2008 2,828 A.SH. --- "C:\Documents and Settings\All Users\Dane aplikacji\KGyGaAvL.sys"
Sat 31 May 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Sun 25 May 2008 1,332 ...HR --- "C:\Documents and Settings\usr\Dane aplikacji\SecuROM\UserData\securom_v7_01.bak"

Finished!



ComboFix:
ComboFix 08-06-06.6 - usr 2008-06-07 19:11:43.12 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1250.1.1045.18.639 [GMT 2:00]
Running from: C:\Documents and Settings\usr\Pulpit\ComboFix.exe
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-05-07 to 2008-06-07 )))))))))))))))))))))))))))))))
.

2008-06-07 18:35 . 2008-06-07 18:57 <DIR> d-------- C:\SDFix
2008-06-07 15:55 . 2008-06-07 16:53 2,828 --ahs---- C:\Documents and Settings\All Users\Dane aplikacji\KGyGaAvL.sys
2008-06-07 15:55 . 2008-06-07 15:55 8 -r-hs---- C:\Documents and Settings\All Users\Dane aplikacji\0752030127.sys
2008-06-07 15:53 . 2008-06-07 15:53 <DIR> d-------- C:\Program Files\Common Files\Protexis
2008-06-07 15:53 . 2008-06-07 15:53 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Corel
2008-06-07 15:51 . 2008-06-07 15:51 <DIR> d-------- C:\Program Files\Common Files\Corel
2008-06-07 14:44 . 2008-06-07 14:44 <DIR> d-------- C:\Program Files\PrevxCSI
2008-06-07 14:44 . 2008-06-07 14:44 17,408 --a------ C:\WINDOWS\system32\drivers\pxark.sys
2008-06-07 14:42 . 2008-06-07 19:00 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\PrevxCSI
2008-06-06 16:45 . 2008-06-06 16:47 <DIR> d-------- C:\Program Files\ESET
2008-06-01 16:38 . 2008-06-01 16:38 <DIR> d-------- C:\WINDOWS\system32\AGEIA
2008-06-01 16:38 . 2008-06-01 16:38 <DIR> d-------- C:\Program Files\AGEIA Technologies
2008-06-01 16:37 . 2008-06-01 16:37 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-31 19:14 . 2004-07-09 04:26 1,230,336 --a--c--- C:\WINDOWS\system32\dllcache\msvidctl.dll
2008-05-31 19:14 . 2004-07-09 04:26 354,816 --a------ C:\WINDOWS\system32\psisdecd.dll
2008-05-31 19:14 . 2004-07-09 04:26 52,224 --a------ C:\WINDOWS\system32\msdvbnp.ax
2008-05-31 19:14 . 2004-07-09 04:26 52,096 --a------ C:\WINDOWS\system32\drivers\msdv.sys
2008-05-31 19:14 . 2004-07-09 04:26 47,104 --a--c--- C:\WINDOWS\system32\dllcache\wstdecod.dll
2008-05-31 19:14 . 2004-07-09 04:26 30,208 --a------ C:\WINDOWS\system32\psisrndr.ax
2008-05-31 19:14 . 2004-07-09 04:26 16,896 --a------ C:\WINDOWS\system32\bdaplgin.ax
2008-05-31 19:14 . 2004-07-09 04:26 15,104 --a------ C:\WINDOWS\system32\drivers\mpe.sys
2008-05-31 19:14 . 2002-12-12 00:14 12,288 --a------ C:\WINDOWS\system32\ksolay.ax
2008-05-31 19:14 . 2004-07-09 04:26 11,392 --a------ C:\WINDOWS\system32\drivers\bdasup.sys
2008-05-31 15:27 . 2008-05-31 15:27 <DIR> d-------- C:\Program Files\GameShadow
2008-05-31 15:18 . 2008-01-08 22:00 799,424 -ra------ C:\WINDOWS\system32\tmp895.tmp
2008-05-31 15:18 . 2008-01-08 22:00 799,424 -ra------ C:\WINDOWS\system32\tmp894.tmp
2008-05-25 03:52 . 2008-05-25 03:52 <DIR> d-------- C:\Documents and Settings\usr\.unizeto
2008-05-24 23:26 . 2008-05-24 23:26 <DIR> d-------- C:\Program Files\Quicksys
2008-05-22 10:37 . 2008-05-22 15:24 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-22 10:37 . 2008-05-22 10:37 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-22 00:51 . 2008-05-22 00:51 135 --a------ C:\WINDOWS\huffyuv.ini
2008-05-22 00:45 . 2008-05-22 00:45 <DIR> d-------- C:\WINDOWS\system32\QuickTime
2008-05-18 10:02 . 2008-06-01 07:49 278,984 --a------ C:\WINDOWS\system32\drivers\atksgt.sys
2008-05-18 10:02 . 2008-05-18 10:02 25,416 --a------ C:\WINDOWS\system32\drivers\lirsgt.sys
2008-05-17 17:53 . 2008-05-17 17:53 <DIR> d-------- C:\Documents and Settings\usr\Dane aplikacji\mojosoft
2008-05-11 00:18 . 2008-05-11 00:28 <DIR> d-------- C:\Documents and Settings\usr\Dane aplikacji\ImgBurn
2008-05-11 00:03 . 2008-05-11 00:04 <DIR> d-------- C:\Program Files\ImgBurn
2008-05-07 23:13 . 2008-05-07 23:13 <DIR> d-------- C:\WINDOWS\system32\pl
2008-05-07 23:13 . 2008-05-07 23:13 <DIR> d-------- C:\WINDOWS\system32\bits
2008-05-07 23:13 . 2008-05-07 23:13 <DIR> d-------- C:\WINDOWS\l2schemas
2008-05-07 23:11 . 2008-05-07 23:11 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-05-07 23:08 . 2008-05-07 23:14 <DIR> d-------- C:\WINDOWS\EHome
2008-05-07 23:02 . 2008-04-14 19:20 346,112 --------- C:\WINDOWS\system32\windowscodecsext.dll
2008-05-07 23:02 . 2008-04-14 19:20 276,992 --------- C:\WINDOWS\system32\wmphoto.dll
2008-05-07 23:02 . 2008-04-14 19:20 69,120 --------- C:\WINDOWS\system32\wlanapi.dll
2008-05-07 23:00 . 2008-04-14 19:20 870,784 --------- C:\WINDOWS\system32\ati3d1ag.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-07 16:35 --------- d-----w C:\Program Files\SpeedFan
2008-06-07 14:55 --------- d-----w C:\Documents and Settings\usr\Dane aplikacji\Azureus
2008-06-07 12:34 --------- d-----w C:\Documents and Settings\usr\Dane aplikacji\foobar2000
2008-06-03 19:32 --------- d-----w C:\Program Files\foobar2000
2008-06-02 18:53 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-02 14:42 --------- d-----w C:\Program Files\FlashGet
2008-05-31 13:29 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-05-31 13:18 418,480 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2008-05-31 13:18 115,432 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2008-05-31 13:18 --------- d-----w C:\Program Files\OpenAL
2008-05-23 19:20 --------- d-----w C:\Documents and Settings\usr\Dane aplikacji\Skype
2008-05-23 19:12 --------- d-----w C:\Documents and Settings\usr\Dane aplikacji\skypePM
2008-05-22 16:39 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-22 14:12 --------- d-----w C:\Program Files\The Bat!
2008-05-21 23:57 --------- d-----w C:\Program Files\Xvid
2008-05-19 16:05 2,724 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-05-14 16:07 --------- d-----w C:\Documents and Settings\usr\Dane aplikacji\YNWA
2008-05-11 17:00 --------- d-----w C:\Documents and Settings\usr\Dane aplikacji\Codemasters
2008-05-07 20:48 --------- d-----w C:\Program Files\HD Tune Pro
2008-04-30 20:47 --------- d-----w C:\Documents and Settings\usr\Dane aplikacji\Hamachi
2008-04-30 19:32 --------- d-----w C:\Program Files\DivX
2008-04-30 18:33 --------- d-----w C:\Program Files\Common Files\Skype
2008-04-30 16:57 --------- d-----w C:\Program Files\RivaTuner v2.08
2008-04-29 18:34 --------- d-----w C:\Program Files\Real Alternative
2008-04-28 19:54 --------- d-----w C:\Documents and Settings\usr\Dane aplikacji\Eltima Software
2008-04-28 16:13 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\ESET
2008-04-27 08:35 180,224 ----a-w C:\WINDOWS\system32\xvidvfw.dll
2008-04-27 08:33 765,952 ----a-w C:\WINDOWS\system32\xvidcore.dll
2008-04-25 18:44 --------- d-----w C:\Program Files\totalcmd
2008-04-25 18:25 --------- d-----w C:\Program Files\Zards software
2008-04-25 16:55 --------- d-----w C:\Program Files\ffdshow
2008-04-24 16:11 --------- d-----w C:\Program Files\SeaTools Enterprise
2008-04-23 13:00 33,800 ----a-w C:\WINDOWS\system32\drivers\epfwtdir.sys
2008-04-23 12:53 29,704 ----a-w C:\WINDOWS\system32\drivers\easdrv.sys
2008-04-23 12:52 40,456 ----a-w C:\WINDOWS\system32\drivers\eamon.sys
2008-04-22 16:36 --------- d-----w C:\Documents and Settings\usr\Dane aplikacji\DeskSoft
2008-04-21 15:34 --------- d-----w C:\Program Files\Foxit Software
2008-04-21 13:00 7,680 ----a-w C:\WINDOWS\system32\ff_vfw.dll
2008-04-21 13:00 60,273 ----a-w C:\WINDOWS\system32\pthreadGC2.dll
2008-04-19 21:58 --------- d-----w C:\Documents and Settings\usr\Dane aplikacji\Zoom Player
2008-04-19 21:32 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Ashampoo
2008-04-19 21:26 --------- d-----w C:\Program Files\CoreCodec
2008-04-19 05:55 --------- d-----w C:\Program Files\AdiIRC
2008-04-18 19:26 --------- d-----w C:\Documents and Settings\usr\Dane aplikacji\ChemTable Software
2008-04-17 14:33 --------- d-----w C:\Program Files\Azureus
2008-04-14 20:51 11,264 ------w C:\WINDOWS\system32\spnpinst.exe
2008-04-14 20:50 997,888 ----a-w C:\WINDOWS\system32\setupapi.dll
2008-04-14 20:50 424,960 ----a-w C:\WINDOWS\system32\licdll.dll
2008-04-14 17:46 1,804 ----a-w C:\WINDOWS\system32\dcache.bin
2008-04-14 17:26 332,288 ----a-w C:\WINDOWS\system32\netsetup.exe
2008-04-14 17:22 92,424 ----a-w C:\WINDOWS\system32\rdpdd.dll
2008-04-14 17:22 87,176 ----a-w C:\WINDOWS\system32\rdpwsx.dll
2008-04-14 17:22 40,840 ----a-w C:\WINDOWS\system32\drivers\termdd.sys
2008-04-14 17:22 21,896 ----a-w C:\WINDOWS\system32\drivers\tdtcp.sys
2008-04-14 17:22 139,656 ----a-w C:\WINDOWS\system32\drivers\rdpwd.sys
2008-04-14 17:22 12,168 ----a-w C:\WINDOWS\system32\tsddd.dll
2008-04-14 17:22 12,040 ----a-w C:\WINDOWS\system32\drivers\tdpipe.sys
2008-04-14 17:20 999,936 ----a-w C:\WINDOWS\system32\syssetup.dll
2008-04-14 17:19 98,304 ----a-w C:\WINDOWS\system32\actxprxy.dll
2008-04-14 17:18 5,632 ----a-w C:\WINDOWS\system32\wmi.dll
2008-04-14 17:18 1,449,472 ----a-w C:\WINDOWS\system32\winntbbu.dll
2008-04-14 17:17 57,375 ----a-w C:\WINDOWS\system32\odbcji32.dll
2008-04-14 17:17 103,424 ----a-w C:\WINDOWS\system32\dpcdll.dll
2008-04-14 17:13 4,126 ----a-w C:\WINDOWS\system32\msdxmlc.dll
2008-04-14 17:12 3,584 ----a-w C:\WINDOWS\system32\msafd.dll
2008-04-14 17:06 3,584 ----a-w C:\WINDOWS\system32\icmp.dll
2008-04-14 17:05 9,344 ----a-w C:\WINDOWS\system32\framebuf.dll
2008-04-14 17:05 569,856 ----a-w C:\WINDOWS\system32\gpedit.dll
2008-04-14 17:03 3,072 ----a-w C:\WINDOWS\system32\dpnlobby.dll
2008-04-14 17:03 3,072 ----a-w C:\WINDOWS\system32\dpnaddr.dll
2008-04-14 17:03 24,064 ----a-w C:\WINDOWS\system32\pidgen.dll
2008-04-14 17:01 16,896 ----a-w C:\WINDOWS\system32\cfgmgr32.dll
2008-04-14 17:00 285,696 ----a-w C:\WINDOWS\system32\atmfd.dll
2008-04-14 16:34 73,472 ----a-w C:\WINDOWS\system32\drivers\sr.sys
2008-04-14 16:33 80,256 ----a-w C:\WINDOWS\system32\drivers\parport.sys
2008-04-14 16:33 68,608 ----a-w C:\WINDOWS\system32\drivers\pci.sys
2008-04-14 16:33 120,320 ----a-w C:\WINDOWS\system32\drivers\pcmcia.sys
2008-04-14 16:32 46,848 ----a-w C:\WINDOWS\system32\drivers\p3.sys
2008-04-14 16:30 2,190,336 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-04-14 16:29 2,067,200 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2008-04-14 16:25 4,096 ----a-w C:\WINDOWS\system32\dsprpres.dll
2008-04-14 16:22 89,600 ----a-w C:\WINDOWS\system32\msxml6r.dll
2008-04-14 16:22 800,000 ----a-w C:\WINDOWS\system32\drivers\dmboot.sys
2008-04-14 16:22 153,856 ----a-w C:\WINDOWS\system32\drivers\dmio.sys
2008-04-14 16:20 80,896 ------w C:\WINDOWS\system32\msshavmsg.dll
2008-04-14 16:20 24,960 ----a-w C:\WINDOWS\system32\drivers\kbdclass.sys
2008-04-14 16:18 37,632 ----a-w C:\WINDOWS\system32\drivers\isapnp.sys
2008-04-14 16:17 40,832 ----a-w C:\WINDOWS\system32\drivers\crusoe.sys
2008-04-14 16:16 40,448 ----a-w C:\WINDOWS\system32\drivers\intelppm.sys
2008-04-14 16:15 49,664 ----a-w C:\WINDOWS\system32\inetres.dll
2008-04-14 16:13 563,200 ----a-w C:\WINDOWS\system32\shdoclc.dll
2008-04-14 16:11 65,280 ----a-w C:\WINDOWS\system32\drivers\serial.sys
2008-04-14 16:11 53,248 ----a-w C:\WINDOWS\system32\drivers\i8042prt.sys
2008-04-14 16:09 25,728 ------w C:\WINDOWS\system32\drivers\hidbth.sys
2008-04-14 16:07 10,240 ----a-w C:\WINDOWS\system32\gpkrsrc.dll
2008-04-14 16:05 67,584 ----a-w C:\WINDOWS\system32\browselc.dll
2008-04-14 16:05 58,880 ----a-w C:\WINDOWS\system32\drivers\redbook.sys
2008-04-14 16:05 273,920 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-04-14 16:05 1,845,888 ----a-w C:\WINDOWS\system32\win32k.sys
2008-04-14 16:03 44,672 ----a-w C:\WINDOWS\system32\drivers\fips.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSysVol"="C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-02-15 16:10 57344]
"P17Helper"="P17.dll" [2005-05-03 19:38 64512 C:\WINDOWS\system32\P17.dll]
"WheelMouse"="C:\Program Files\A4Tech\Mouse\Amoumain.exe" [2007-02-10 23:07 241664]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-09-11 23:28 8491008]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-09-11 23:28 81920]
"NodLogin"="C:\Program Files\ESET\ESET NOD32 Antivirus\nodlogin.exe" [ ]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-04-23 14:57 1443072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 19:21 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide3"="cmd.exe" [2008-04-14 19:21 396288 C:\WINDOWS\system32\cmd.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableStatusMessages"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDesktopCleanupWizard"= 1 (0x1)
"NoChangeAnimation"= 0 (0x0)
"NoStrCmpLogical"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"MemCheckBoxInRunDlg"= 0 (0x0)
"NoStrCmpLogical"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll
"VIDC.ACDV"= ACDV.dll
"msacm.ac3filter"= ac3filter.acm
"VIDC.MLCY"= mlc.dll
"vidc.yv12"= yv12vfw.dll
"VIDC.HFYU"= huffyuv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"F:\\StrongDC++\\StrongDC.exe"=
"C:\\Program Files\\Cerberus\\Cerberus.exe"=
"C:\\Program Files\\Hamachi\\hamachi.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"G:\\Program Files\\KONAMI\\Pro Evolution Soccer 2008\\PES2008.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3478:UDP"= 3478:UDP:stun
"3479:UDP"= 3479:UDP:stun 2
"6112:UDP"= 6112:UDP:stun 3
"5730:UDP"= 5730:UDP:game
"5739:UDP"= 5739:UDP:game 1
"9001:TCP"= 9001:TCP:game 2
"11881:TCP"= 11881:TCP:game 3
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R0 pxark;pxark;C:\WINDOWS\system32\drivers\pxark.sys [2008-06-07 14:44]
R0 si3112r;Silicon Image SiI 3112 SATARaid Controller;C:\WINDOWS\system32\drivers\si3112r.sys [2007-08-29 03:04]
R0 SiWinAcc;SiWinAcc;C:\WINDOWS\system32\drivers\SiWinAcc.sys [2007-08-29 03:04]
R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-04-23 15:00]
R2 CSIScanner;CSIScanner;"C:\Program Files\PrevxCSI\prevxcsi.exe" /service []
R2 nxsIO32;NextSensor Kernel I/O Driver;C:\WINDOWS\System32\DRIVERS\nxsIO32.sys [2006-10-25 20:27]
R2 PSI_SVC_2;Protexis Licensing V2;"C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe" [2007-07-24 11:15]
S3 k510bus;Sony Ericsson K510 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\k510bus.sys [2006-02-17 21:34]
S3 KS-959;MA-620 USB Infrared Adapter;C:\WINDOWS\system32\DRIVERS\KS-959.sys [2005-10-22 10:06]
S3 p17filt;p17filt;C:\WINDOWS\system32\drivers\p17filt.sys [2006-03-20 18:34]
S3 PortTalk;PortTalk;C:\WINDOWS\system32\Drivers\PortTalk.sys [2002-01-12 17:30]
S3 s125bus;Sony Ericsson Device 125 driver (WDM);C:\WINDOWS\system32\DRIVERS\s125bus.sys [2007-04-24 11:33]
S3 s125mdfl;Sony Ericsson Device 125 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\s125mdfl.sys [2007-04-24 11:33]
S3 s125mdm;Sony Ericsson Device 125 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\s125mdm.sys [2007-04-24 11:33]
S3 s125mgmt;Sony Ericsson Device 125 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\s125mgmt.sys [2007-04-24 11:33]
S3 s125obex;Sony Ericsson Device 125 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\s125obex.sys [2007-04-24 11:33]
S3 TPP200;USB Storage Adapter V2 (TPP);C:\WINDOWS\system32\DRIVERS\TPP200.SYS [2001-10-05 05:54]
S3 usb2vcom;USB to Serial Bridge Controller;C:\WINDOWS\system32\Drivers\usb2vcom.sys [2005-05-25 12:24]
S3 usbscan;Sterownik skanera USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 20:45]
S3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 20:45]
S3 WFIOCTL;WFIOCTL;C:\Program Files\WinFast\WFTVFM\WFIOCTL.SYS [2005-01-06 17:55]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-07 19:13:10
Windows 5.1.2600 Dodatek Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-07 19:14:17
ComboFix-quarantined-files.txt 2008-06-07 17:14:05

Pre-Run: 1,103,802,368 bajtów wolnych
Post-Run: 1,088,430,080 bajtów wolnych

256


Trend Micro HijackThis v2.0.2:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:26, on 2008-06-07
Platform: Windows XP Dodatek SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\A4Tech\Mouse\Amoumain.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
E:\_program no install\HijackThis v2.0.2\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [WheelMouse] C:\Program Files\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NodLogin] "C:\Program Files\ESET\ESET NOD32 Antivirus\nodlogin.exe" /o
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide3] cmd.exe /C rundll32 advpack.dll,LaunchINFSection nLite.inf,C (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide3] cmd.exe /C rundll32 advpack.dll,LaunchINFSection nLite.inf,C (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide3] cmd.exe /C rundll32 advpack.dll,LaunchINFSection nLite.inf,C (User 'Default user')
O8 - Extra context menu item: &Ściągnij przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &Ściągnij wszystko przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_all.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Utwórz Ulubione dla urządzenia przenośnego... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15030/CTSUEng.cab
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://test.catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1190829263421
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1200521077953
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1207326445968
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15034/CTPID.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Indexing Service (cisvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: CSIScanner - Prevx - C:\Program Files\PrevxCSI\prevxcsi.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe

--
End of file - 7325 bytes
pasta271
~user
 
Posts: 43
Joined: 13 Nov 2007, 18:49



Post by wojtas 08 Jun 2008, 11:50

This file / these files:

C:\Documents and Settings\All Users\Dane aplikacji\0752030127.sys

scan it here

http://virusscan.jotti.org/
http://www.virustotal.com/

and post the scan reports
wojtas
*mod
 
Posts: 18165
Joined: 13 Jan 2006, 16:00
Location: Krzeszyce
Praises: 1656



Post by pasta271 08 Jun 2008, 22:54

pasta271
~user

Posts: 43
Joined: 13 Nov 2007, 18:49



Post by wojtas 08 Jun 2008, 23:21

1. Download OTMoveIt, start it and run its CleanUp option :)
2. Run a Windows optimization
3. Download ATF_Cleaner
select
Windows Temp
All users Temp
Temporary internet files
Recycle Bin
and press EMPTY SELECTED
4. Turn off System Restore (My Computer properties - System Restore tab - turn off System Restore on all drives). After a moment, turn it back on.
wojtas
*mod
 
Posts: 18165
Joined: 13 Jan 2006, 16:00
Location: Krzeszyce
Praises: 1656



