Wirus win32/heur w różnych plikach

[grzesiek811]

Chyba jakieś wirusy wlazły mi na kompa. AVG 8 Free daje komunikat o wirusie Win32/Heur i to w różnych plikach. Mam dysk 500GB podzielony na 3 partycje i prawie w całości zapełniony. Całkowity format wszystkich partycji raczej nie wchodzi w grę. Mam trochę plików PDF, DOC, RAR, które muszę zostawić. Ostatnio nie działa mi też wyświetlanie ukrytych plików w opcjach folderów, a od wczoraj zmienił mi się ekran logowania (nie miałem ekranu logowania) i program Yahoo widget nie wyświetla wszystkich widgetów.

Log HijackThis:

Kod: Zaznacz wszystko

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:10:54, on 2009-05-17
Platform: Windows XP Dodatek SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\TEMP\BN1.tmp
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\dhcp\svchost.exe
C:\Program Files\IONA63\asp\6.3\bin\itconfig_rep.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\UGS\I-DEAS\Resource Locking\lmgrd.exe
C:\Program Files\UGS\I-DEAS\Resource Locking\lmgrd.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\UGS\I-DEAS\Resource Locking\ideasrl.exe
C:\WINDOWS\system32\svchost.exe
C:\UGS\UGSLicensing\lmgrd.exe
C:\UGS\UGSLicensing\lmgrd.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\UGS\UGSLicensing\ugslmd.exe
C:\Program Files\IONA63\asp\6.3\bin\itlocator.exe
C:\Program Files\IONA63\asp\6.3\bin\itnaming.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\IONA63\asp\6.3\bin\itnode_daemon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\FixCamera.exe
C:\WINDOWS\tsnp325.exe
C:\WINDOWS\vsnp325.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\System32\reader_s.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Grzesiek\reader_s.exe
E:\Grzesiek\Programy\visualtooltip22\VisualToolTip.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.onet.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Program Windows Internet Explorer dostarczony przez Grupę Onet.pl S.A.
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [FixCamera] C:\WINDOWS\FixCamera.exe
O4 - HKLM\..\Run: [tsnp325] C:\WINDOWS\tsnp325.exe
O4 - HKLM\..\Run: [snp325] C:\WINDOWS\vsnp325.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [RemoteControl9] "C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe"
O4 - HKLM\..\Run: [PDVD9LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD9\Language\Language.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 52\axcmd.exe" /automount
O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\Grzesiek\reader_s.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: VisualToolTip.lnk = E:\Grzesiek\Programy\visualtooltip22\VisualToolTip.exe
O4 - Startup: Yahoo! Widgets.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
O4 - Global Startup: Szybkie uruchamianie programu Microsoft Office OneNote 2003.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Pobierz plik wideo we Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Pobierz w Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Pobierz wszystkie pliki w Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Pobierz zaznaczone w Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://ccfiles.creative.com/Web/softwareupdate/su2/ocx/15107/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C7420507-8E07-48E3-9FE6-B927EEE6DDD3}: NameServer = 83.238.255.76,213.241.79.37
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Dhcp server (DhcpSrv) - Unknown owner - C:\WINDOWS\dhcp\svchost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Input Service (InputService) - and-81 - C:\Program Files\IR Server Suite\Input Service\Input Service.exe
O23 - Service: IT iona_services.config_rep.grzesiek-pc cfr-NX_IDEAS_5 - IONA Technologies - C:\Program Files\IONA63\asp\6.3\bin\itconfig_rep.exe
O23 - Service: IT iona_services.locator.grzesiek-pc NX_IDEAS_5 - IONA Technologies - C:\Program Files\IONA63\asp\6.3\bin\itlocator.exe
O23 - Service: IT iona_services.naming.grzesiek-pc NX_IDEAS_5 - IONA Technologies - C:\Program Files\IONA63\asp\6.3\bin\itnaming.exe
O23 - Service: IT iona_services.node_daemon.grzesiek-pc NX_IDEAS_5 - IONA Technologies - C:\Program Files\IONA63\asp\6.3\bin\itnode_daemon.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: NX I-DEAS Resource Locking Service - Macrovision Corporation - C:\Program Files\UGS\I-DEAS\Resource Locking\lmgrd.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
O23 - Service: TVService - Team MediaPortal - C:\Program Files\Team MediaPortal\MediaPortal TV Server\TVService.exe
O23 - Service: UGS License Server (ugslmd) - Macrovision Corporation - C:\UGS\UGSLicensing\lmgrd.exe

--
End of file - 10914 bytes


[wojtas]

zastosuj sie do tego ; masz Viruta
http://www.searchengines.pl/Infekcje-plikow-wykonywalnych-exe-dll-scr-t122692.html
daj loga z
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

[grzesiek811]

Log z ComboFix:

Kod: Zaznacz wszystko

ComboFix 09-05-16.05 - Grzesiek 2009-05-17 21:34.1 - NTFSx86 MINIMAL
Microsoft Windows XP Professional  5.1.2600.3.1250.48.1045.18.3071.2760 [GMT 2:00]
Uruchomiony z: C:\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

UWAGA - TEN KOMPUTER NIE MA ZAINSTALOWANEJ KONSOLI ODZYSKIWANIA !!
.

(((((((((((((((((((((((((((((((((((((((   Usunięto   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Grzesiek\reader_s.exe
c:\windows\dhcp\svchost.exe
c:\windows\system32\comsa32.sys
c:\windows\system32\dumphive.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\reader_s.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\tmp81.tmp
c:\windows\system32\tmp82.tmp
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe
f:\$recycle.bin\S-1-5-21-4068751278-3946003106-518262499-1001\$IAY8859.srt

.
(((((((((((((((((((((((((((((((((((((((   Sterowniki/Usługi   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DHCPSRV
-------\Service_restore


(((((((((((((((((((((((((   Pliki utworzone od 2009-04-17 do 2009-05-17  )))))))))))))))))))))))))))))))
.

2009-05-17 19:21 . 2009-04-27 18:39   100944   ----a-w   c:\windows\system32\drivers\VBoxDrv.sys
2009-05-17 19:21 . 2009-04-27 18:39   79888   ----a-w   c:\windows\system32\drivers\VBoxNetAdp.sys
2009-05-17 19:20 . 2009-05-17 19:20   --------   d-----w   c:\program files\Sun
2009-05-17 17:48 . 2009-05-17 17:48   47   ----a-w   c:\documents and settings\Grzesiek\exec448.bat
2009-05-17 17:48 . 2009-05-17 17:48   126   ----a-w   c:\documents and settings\Grzesiek\.STOP_PRC448.CMD
2009-05-17 17:48 . 2009-05-17 17:48   651   ----a-w   c:\documents and settings\Grzesiek\STOP_SDRC448.CMD
2009-05-17 17:23 . 2009-05-17 17:24   2988937   ----a-r   C:\ComboFix.exe
2009-05-17 16:52 . 2009-05-17 16:56   --------   d-----w   c:\documents and settings\Grzesiek\DoctorWeb
2009-05-17 16:40 . 2009-05-17 16:40   724952   ----a-w   C:\avenger.zip
2009-05-17 16:39 . 2009-05-17 16:39   2986872   ----a-w   C:\FixVirut.com
2009-05-17 13:06 . 2009-05-17 15:03   331552   --sha-w   c:\windows\system32\drivers\fidbox.dat
2009-05-17 13:06 . 2009-05-17 15:03   37664   --sha-w   c:\windows\system32\drivers\fidbox2.dat
2009-05-17 12:54 . 2009-05-17 12:54   --------   d-----w   c:\documents and settings\All Users\Dane aplikacji\ParetoLogic Anti-Virus PLUS
2009-05-17 12:54 . 2009-05-17 13:25   --------   d-----w   c:\program files\Common Files\ParetoLogic
2009-05-17 12:54 . 2009-05-17 13:25   --------   d-----w   c:\documents and settings\All Users\Dane aplikacji\ParetoLogic
2009-05-17 12:54 . 2009-05-17 12:54   --------   d-----w   c:\documents and settings\Grzesiek\Ustawienia lokalne\Dane aplikacji\Downloaded Installations
2009-05-17 11:36 . 2009-05-17 11:36   --------   d-sh--w   c:\windows\system32\config\systemprofile\PrivacIE
2009-05-17 11:35 . 2009-05-17 11:35   --------   d-sh--w   c:\windows\system32\config\systemprofile\IETldCache
2009-05-16 19:04 . 2009-05-16 19:04   --------   d-----r   c:\documents and settings\LocalService\Ulubione
2009-05-16 19:01 . 2009-05-17 19:07   --------   d-----w   c:\windows\system32\3361
2009-05-16 19:01 . 2009-05-16 19:01   --------   d-sh--w   c:\documents and settings\LocalService\IETldCache
2009-05-16 19:01 . 2009-05-17 19:34   --------   d-----w   c:\windows\dhcp
2009-05-15 14:49 . 2009-05-15 14:49   --------   d-----w   c:\documents and settings\Grzesiek\Dane aplikacji\HP
2009-05-07 16:24 . 2009-05-07 16:24   --------   d-----w   c:\program files\xp-AntiSpy
2009-05-05 20:11 . 2009-05-05 20:11   47   ----a-w   c:\documents and settings\Grzesiek\exec1384.bat
2009-05-05 20:02 . 2009-05-05 20:12   125   ----a-w   c:\documents and settings\Grzesiek\.STOP_PRC1384.CMD
2009-05-05 20:02 . 2009-05-05 20:02   663   ----a-w   c:\documents and settings\Grzesiek\STOP_SDRC1384.CMD
2009-05-05 15:13 . 2009-05-05 15:13   47   ----a-w   c:\documents and settings\Grzesiek\exec2084.bat
2009-05-05 15:13 . 2009-05-05 15:13   126   ----a-w   c:\documents and settings\Grzesiek\.STOP_PRC2084.CMD
2009-05-05 15:13 . 2009-05-05 15:13   663   ----a-w   c:\documents and settings\Grzesiek\STOP_SDRC2084.CMD
2009-05-02 21:32 . 2009-05-02 21:32   --------   d-----w   c:\documents and settings\Grzesiek\Ustawienia lokalne\Dane aplikacji\PCHealth
2009-05-02 14:28 . 2009-05-02 14:28   --------   d-----w   c:\documents and settings\Grzesiek\Dane aplikacji\OpenOffice.org
2009-05-02 14:28 . 2009-05-02 14:31   --------   d-----w   c:\program files\Webmajster
2009-05-02 14:24 . 2009-05-02 14:24   --------   d-----w   c:\program files\OpenOffice.org 3
2009-04-30 20:07 . 2009-04-30 20:07   --------   d-----w   c:\program files\Microsoft Works
2009-04-30 17:32 . 2009-04-30 17:32   --------   d-----w   c:\documents and settings\NetworkService\Ustawienia lokalne\Dane aplikacji\PCHealth
2009-04-30 17:15 . 2009-04-30 17:15   47   ----a-w   c:\documents and settings\Grzesiek\exec2304.bat
2009-04-30 17:15 . 2009-04-30 17:15   124   ----a-w   c:\documents and settings\Grzesiek\.STOP_PRC2304.CMD
2009-04-30 17:15 . 2009-04-30 17:15   663   ----a-w   c:\documents and settings\Grzesiek\STOP_SDRC2304.CMD
2009-04-27 21:33 . 2009-05-09 16:16   --------   d-----w   c:\documents and settings\Grzesiek\Dane aplikacji\gtk-2.0
2009-04-27 21:29 . 2009-04-27 21:29   --------   d-----w   c:\documents and settings\Grzesiek\.thumbnails
2009-04-27 21:28 . 2009-05-14 22:19   --------   d-----w   c:\documents and settings\Grzesiek\.gimp-2.6
2009-04-27 21:28 . 2009-04-27 21:28   --------   d-----w   c:\documents and settings\Grzesiek\.gegl-0.0
2009-04-27 20:06 . 2009-05-03 16:51   --------   d-----w   c:\documents and settings\Grzesiek\Dane aplikacji\FileZilla
2009-04-27 20:06 . 2009-04-27 20:06   --------   d-----w   c:\program files\FileZilla FTP Client
2009-04-27 19:57 . 2009-04-27 19:57   --------   d-----w   c:\documents and settings\Grzesiek\.crossftp
2009-04-24 23:38 . 2009-04-24 23:38   --------   d-----w   c:\program files\7-Zip
2009-04-19 16:55 . 2009-04-19 16:55   47   ----a-w   c:\documents and settings\Grzesiek\exec5604.bat
2009-04-19 16:54 . 2009-04-19 16:55   91   ----a-w   c:\documents and settings\Grzesiek\.STOP_PRC5604.CMD
2009-04-19 16:54 . 2009-04-19 16:54   663   ----a-w   c:\documents and settings\Grzesiek\STOP_SDRC5604.CMD
2009-04-19 16:54 . 2009-04-19 16:54   --------   d-----w   C:\Team
2009-04-19 16:46 . 2009-04-19 17:35   --------   d-----w   C:\UGS
2009-04-19 16:02 . 2009-04-19 16:02   --------   d-----w   c:\program files\Recover My Files
2009-04-19 14:11 . 2009-04-19 14:11   --------   d-----w   c:\program files\UGS
2009-04-19 09:56 . 2009-04-19 09:56   60   ----a-w   c:\documents and settings\Grzesiek\.STOP_PRC3196.CMD
2009-04-19 09:56 . 2009-04-19 09:56   663   ----a-w   c:\documents and settings\Grzesiek\STOP_SDRC3196.CMD
2009-04-19 09:38 . 2009-04-19 16:42   --------   d-----w   c:\program files\IONA63

.
((((((((((((((((((((((((((((((((((((((((   Sekcja Find3M   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-17 19:41 . 2009-05-17 19:41   44   ----a-w   c:\windows\system32\6.tmp
2009-05-17 19:29 . 2009-05-17 19:29   44   ----a-w   c:\windows\system32\5.tmp
2009-05-17 19:27 . 2009-02-03 22:48   --------   d-----w   c:\program files\Live_TV
2009-05-17 19:16 . 2009-05-17 19:16   44   ----a-w   c:\windows\system32\13B5.tmp
2009-05-17 16:05 . 2009-01-15 21:46   --------   d-----w   c:\program files\Mozilla Thunderbird
2009-05-17 15:03 . 2009-05-17 13:06   7736   --sha-w   c:\windows\system32\drivers\fidbox2.idx
2009-05-17 15:03 . 2009-05-17 13:06   10736   --sha-w   c:\windows\system32\drivers\fidbox.idx
2009-05-17 14:12 . 2009-05-17 13:12   12921   ----a-w   c:\windows\system32\3.tmp
2009-05-17 13:12 . 2008-04-14 20:51   285696   ----a-w   c:\windows\winhlp32.exe
2009-05-17 13:12 . 2009-05-17 13:11   44   ----a-w   c:\windows\system32\2.tmp
2009-05-17 11:36 . 2008-04-13 22:50   212224   ----a-w   c:\windows\system32\drivers\ndis.sys
2009-05-17 11:36 . 2009-05-17 11:36   0   ----a-w   c:\windows\system32\7.tmp
2009-05-17 11:35 . 2009-05-17 11:35   44   ----a-w   c:\windows\system32\4.tmp
2009-05-09 10:15 . 2009-01-25 18:51   --------   d-----w   c:\program files\CoreCodec
2009-05-02 14:29 . 2009-01-15 21:16   31560   ----a-w   c:\documents and settings\Grzesiek\Ustawienia lokalne\Dane aplikacji\GDIPFONTCACHEV1.DAT
2009-04-30 20:07 . 2009-02-09 17:06   --------   d-----w   c:\program files\Microsoft.NET
2009-04-27 18:39 . 2009-03-31 20:17   133648   ----a-w   c:\windows\system32\VBoxNetFltNotify.dll
2009-04-27 18:39 . 2009-03-31 20:17   87696   ----a-w   c:\windows\system32\drivers\VBoxNetFlt.sys
2009-04-27 18:39 . 2009-01-26 19:21   41424   ----a-w   c:\windows\system32\drivers\VBoxUSBMon.sys
2009-04-25 15:09 . 2001-10-26 18:15   536992   ----a-w   c:\windows\system32\perfh015.dat
2009-04-25 15:09 . 2001-10-26 18:15   101302   ----a-w   c:\windows\system32\perfc015.dat
2009-04-24 20:07 . 2009-02-10 20:46   --------   d-----w   c:\program files\Nowe Gadu-Gadu
2009-04-19 16:13 . 2009-04-06 18:55   --------   d-----w   c:\program files\Common Files\Intel
2009-04-19 11:31 . 2009-04-04 14:31   --------   d-----w   c:\program files\IONA
2009-04-19 09:37 . 2009-04-04 14:31   --------   d-----w   c:\program files\JavaSoft
2009-04-17 16:25 . 2009-04-17 16:09   --------   d-----w   c:\program files\PFConfig
2009-04-13 19:37 . 2009-01-15 21:37   --------   d-----w   c:\program files\Common Files\Wise Installation Wizard
2009-04-13 19:36 . 2009-01-15 21:37   --------   d-----w   c:\program files\AGEIA Technologies
2009-04-13 13:21 . 2009-04-13 13:21   --------   d-----w   c:\program files\Rainbow Technologies
2009-04-13 09:11 . 2009-04-12 13:14   1407   ----a-w   c:\windows\system32\setacl.bat
2009-04-12 14:06 . 2009-01-26 16:03   --------   d-----w   c:\program files\Winamp
2009-04-12 13:23 . 2009-01-15 21:25   --------   d--h--w   c:\program files\InstallShield Installation Information
2009-04-12 13:03 . 2009-04-12 13:03   235   ----a-w   c:\windows\system32\check_ping.bat
2009-04-11 21:31 . 2009-04-11 21:29   --------   d-----w   c:\program files\Unlocker
2009-04-10 14:31 . 2009-04-10 14:29   330080   ----a-w   c:\documents and settings\Grzesiek\Plyta_5x500x300.dat
2009-04-10 14:19 . 2009-04-10 14:18   2052   ----a-w   c:\documents and settings\Grzesiek\none.dat
2009-04-07 01:30 . 2009-04-13 19:34   9986048   ----a-w   c:\windows\system32\nvoglnt.dll
2009-04-07 01:30 . 2009-04-13 19:34   802816   ----a-w   c:\windows\system32\nvapi.dll
2009-04-07 01:30 . 2009-04-13 19:34   659456   ----a-w   c:\windows\system32\nvcuvid.dll
2009-04-07 01:30 . 2009-04-13 19:34   1720320   ----a-w   c:\windows\system32\nvcuda.dll
2009-04-07 01:30 . 2009-04-13 19:34   1502234   ----a-w   c:\windows\system32\nvdata.bin
2009-04-07 01:30 . 2009-04-13 19:34   139264   ----a-w   c:\windows\system32\nvcodins.dll
2009-04-07 01:30 . 2009-04-13 19:34   139264   ----a-w   c:\windows\system32\nvcod.dll
2009-04-07 01:30 . 2009-04-13 19:34   1310720   ----a-w   c:\windows\system32\nvcuvenc.dll
2009-04-07 01:30 . 2009-01-15 21:37   453152   ----a-w   c:\windows\system32\nvudisp.exe
2009-04-07 01:30 . 2008-12-25 23:08   8030624   ----a-w   c:\windows\system32\drivers\nv4_mini.sys
2009-04-07 01:30 . 2008-12-25 23:08   5882496   ----a-w   c:\windows\system32\nv4_disp.dll
2009-04-05 15:09 . 2009-01-16 23:36   --------   d-----w   c:\program files\Common Files\Adobe
2009-04-05 12:49 . 2009-04-05 12:49   --------   d-----w   c:\program files\Yahoo!
2009-04-05 08:28 . 2009-04-02 21:15   --------   d-----w   c:\program files\Google
2009-04-04 16:44 . 2009-04-04 16:44   146   ----a-w   c:\documents and settings\Grzesiek\.STOP_PRC648.CMD
2009-04-04 16:44 . 2009-04-04 16:44   47   ----a-w   c:\documents and settings\Grzesiek\exec648.bat
2009-04-04 16:44 . 2009-04-04 16:44   651   ----a-w   c:\documents and settings\Grzesiek\STOP_SDRC648.CMD
2009-04-04 14:31 . 2009-04-04 14:31   --------   d-----w   c:\program files\Common Files\Java
2009-04-03 20:26 . 2009-04-03 20:26   --------   d-----w   c:\program files\Common Files\CyberLink
2009-04-03 20:26 . 2009-04-03 20:26   --------   d-----w   c:\program files\CyberLink
2009-04-03 20:24 . 2009-04-03 20:25   29480   ----a-w   c:\windows\system32\msxml3a.dll
2009-04-03 20:24 . 2009-01-15 21:34   505128   ----a-w   c:\windows\system32\msvcp71.dll
2009-04-03 20:24 . 2009-01-15 21:34   353576   ----a-w   c:\windows\system32\msvcr71.dll
2009-04-02 21:46 . 2009-04-02 21:46   --------   d-----w   c:\program files\WinAmp Control
2009-04-01 21:42 . 2009-04-01 21:42   --------   d-----w   c:\program files\CWK
2009-03-31 21:36 . 2009-03-31 21:36   --------   d-----r   c:\program files\Skype
2009-03-31 20:27 . 2009-01-20 19:41   --------   d-----w   c:\program files\Java
2009-03-27 06:14 . 2009-01-15 21:18   453152   ----a-w   c:\windows\system32\NVUNINST.EXE
2009-03-22 14:14 . 2009-03-22 14:14   --------   d-----w   c:\program files\Common Files\DirectX
2009-03-09 03:19 . 2009-01-20 19:41   410984   ----a-w   c:\windows\system32\deploytk.dll
2009-03-08 02:34 . 2008-04-14 20:50   914944   ----a-w   c:\windows\system32\wininet.dll
2009-03-08 02:34 . 2008-04-14 20:50   43008   ----a-w   c:\windows\system32\licmgr10.dll
2009-03-08 02:33 . 2008-04-14 20:50   18944   ----a-w   c:\windows\system32\corpol.dll
2009-03-08 02:33 . 2008-04-14 20:50   420352   ----a-w   c:\windows\system32\vbscript.dll
2009-03-08 02:32 . 2008-04-14 20:49   72704   ----a-w   c:\windows\system32\admparse.dll
2009-03-08 02:32 . 2008-04-14 20:50   71680   ----a-w   c:\windows\system32\iesetup.dll
2009-03-08 02:31 . 2008-04-14 20:50   34816   ----a-w   c:\windows\system32\imgutil.dll
2009-03-08 02:31 . 2008-04-14 19:32   48128   ----a-w   c:\windows\system32\mshtmler.dll
2009-03-08 02:31 . 2008-04-14 20:51   45568   ----a-w   c:\windows\system32\mshta.exe
2009-03-08 02:22 . 2001-10-26 19:26   156160   ----a-w   c:\windows\system32\msls31.dll
2009-03-06 14:22 . 2008-04-14 20:50   285696   ----a-w   c:\windows\system32\pdh.dll
.

------- Sigcheck -------

[-] 2009-05-17 11:36   212224   !MD5: COULD NOT OPEN FILE !   c:\windows\system32\dllcache\ndis.sys
[-] 2009-05-17 11:36   212224   36385691398D7FB1C5BD260C9776A387   c:\windows\system32\drivers\ndis.sys

[-] 2008-04-14 20:51   1055744   7FB1CBB64E8C4A09A580DED6C7856B10   c:\windows\explorer.exe
[-] 2008-04-14 20:51   1035264   50ECC52955A3CE85F7628F056E6223A1   c:\windows\system32\dllcache\explorer.exe

[-] 2008-04-14 20:51   35840   6CD7AB35273433A4338C72A3DC17E6B2   c:\windows\system32\ctfmon.exe
[-] 2008-04-14 20:51   15360   2C5FC82024C6DB116CAA1FA4F2BC6220   c:\windows\system32\dllcache\ctfmon.exe

[-] 2008-04-14 20:51   47104   16323EAE1536CCF6FD960D99721E2EE5   c:\windows\system32\userinit.exe
[-] 2008-04-14 20:51   26624   865ECA58E1010D46EEFCED1B5A7224D1   c:\windows\system32\dllcache\userinit.exe
.
(((((((((((((((((((((((((((((((((((((   Wpisy startowe rejestru   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 35840]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 52\axcmd.exe" [2008-11-23 203208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FixCamera"="c:\windows\FixCamera.exe" [2007-02-12 40960]
"tsnp325"="c:\windows\tsnp325.exe" [2007-04-21 290816]
"snp325"="c:\windows\vsnp325.exe" [2007-04-25 856064]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 77824]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 110592]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-31 1601304]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"RemoteControl9"="c:\program files\CyberLink\PowerDVD9\PDVD9Serv.exe" [2009-02-16 87336]
"PDVD9LanguageShortcut"="c:\program files\CyberLink\PowerDVD9\Language\Language.exe" [2008-10-13 50472]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-04-06 13750272]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-04-06 86016]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]
"P17Helper"="P17.dll" - c:\windows\system32\P17.dll [2005-05-03 64512]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-04-06 1657376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 35840]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\Grzesiek\Menu Start\Programy\Autostart\
VisualToolTip.lnk - e:\grzesiek\Programy\visualtooltip22\VisualToolTip.exe [2009-1-20 1009152]
Yahoo! Widgets.lnk - c:\program files\Yahoo!\Widgets\YahooWidgets.exe [2008-3-19 4762664]

c:\documents and settings\All Users\Menu Start\Programy\Autostart\
Szybkie uruchamianie programu Microsoft Office OneNote 2003.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2003-8-6 51776]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-01-31 14:46   10520   ----a-w   c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Menu Start\Programy\Autostart\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Grzesiek^Menu Start^Programy^Autostart^MagicDisc.lnk]
path=c:\documents and settings\Grzesiek\Menu Start\Programy\Autostart\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"f:\\GRY\\GRID\\GRID.exe"=
"c:\\Program Files\\Java\\jre6\\launch4j-tmp\\JDownloader.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"e:\\CAD\\CATIA\\B17\\intel_a\\code\\bin\\CNEXT.exe"=
"e:\\CAD\\Pro Engineer\\Wildfire 4\\i486_nt\\nms\\nmsd.exe"=
"e:\\CAD\\Pro Engineer\\Wildfire 4\\i486_nt\\obj\\pro_comm_msg.exe"=
"e:\\CAD\\Pro Engineer\\Wildfire 4\\i486_nt\\obj\\xtop.exe"=
"f:\\GRY\\Assassin's Creed\\AssassinsCreed_Dx9.exe"=
"f:\\GRY\\Assassin's Creed\\AssassinsCreed_Dx10.exe"=
"f:\\GRY\\Assassin's Creed\\AssassinsCreed_Launcher.exe"=
"f:\\GRY\\Rockstar Games\\Rockstar Games Social Club\\RGSCLauncher.exe"=
"f:\\GRY\\Rockstar Games\\Grand Theft Auto IV\\LaunchGTAIV.exe"=
"f:\\GRY\\Burnout Paradise The Ultimate Box\\BurnoutLauncher.exe"=
"f:\\GRY\\Burnout Paradise The Ultimate Box\\BurnoutConfigTool.exe"=
"f:\\GRY\\Burnout Paradise The Ultimate Box\\BurnoutParadise.exe"=
"e:\\Do filmów\\Narzędzia\\QNapi\\qnapi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:0\\CAD\\UGS\\IDEAS12\\ideas\\ideas.exe"=
"C:0\\CAD\\UGS\\IDEAS12\\oarun\\dpsmgr.exe"=
"C:0\\CAD\\UGS\\IDEAS12\\gif\\pcm.exe"=
"C:0\\CAD\\UGS\\IDEAS12\\stb\\suptab.exe"=
"C:0\\CAD\\UGS\\IDEAS12\\tda\\tdas.exe"=
"C:0\\CAD\\UGS\\IDEAS12\\tmg\\exe\\flow.exe"=
"C:0\\CAD\\UGS\\IDEAS12\\iges3d\\iges3dexoi.exe"=
"C:0\\CAD\\UGS\\IDEAS12\\iges3d\\iges3dimoi.exe"=
"C:0\\CAD\\UGS\\IDEAS12\\gif\\ideas2nut.exe"=
"C:0\\CAD\\UGS\\IDEAS12\\gif\\nut2ideas.exe"=
"C:0\\CAD\\UGS\\IDEAS12\\step\\stepoi.exe"=
"C:0\\CAD\\UGS\\IDEAS12\\geo\\geomod.exe"=
"C:0\\CAD\\UGS\\IDEAS12\\ideas\\ideast.exe"=
"e:\\Grzesiek\\Programy\\Do Torrentów\\uTorrent\\utorrent.exe"=
"e:\\Grzesiek\\Programy\\eMule Mody\\eMule - MorphXT\\emule.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\UGS\\I-DEAS\\Resource Locking\\lmgrd.exe"=
"C:0\\CAD\\UGS\\NXI5\\ideas\\ideas.exe"=
"C:0\\CAD\\UGS\\NXI5\\oarun\\dpsmgr.exe"=
"C:0\\CAD\\UGS\\NXI5\\gif\\pcm.exe"=
"C:0\\CAD\\UGS\\NXI5\\stb\\suptab.exe"=
"C:0\\CAD\\UGS\\NXI5\\tda\\tdas.exe"=
"C:0\\CAD\\UGS\\NXI5\\tmg\\exe\\flow.exe"=
"C:0\\CAD\\UGS\\NXI5\\iges3d\\iges3dexoi.exe"=
"C:0\\CAD\\UGS\\NXI5\\iges3d\\iges3dimoi.exe"=
"C:0\\CAD\\UGS\\NXI5\\step\\stepoi.exe"=
"C:0\\CAD\\UGS\\NXI5\\geo\\geomod.exe"=
"C:0\\CAD\\UGS\\NXI5\\ideas\\ideast.exe"=
"c:\\Program Files\\IONA63\\asp\\6.3\\bin\\itconfig_rep.exe"=
"c:\\Program Files\\IONA63\\asp\\6.3\\bin\\itlocator.exe"=
"c:\\Program Files\\IONA63\\asp\\6.3\\bin\\itnaming.exe"=
"c:\\Program Files\\IONA63\\asp\\6.3\\bin\\itnode_daemon.exe"=
"c:\\Program Files\\IONA63\\asp\\6.3\\bin\\itadmin.exe"=
"c:\\UGS\\NXI5\\ideas\\ideas.exe"=
"c:\\UGS\\NXI5\\oarun\\dpsmgr.exe"=
"c:\\UGS\\NXI5\\gif\\pcm.exe"=
"c:\\UGS\\NXI5\\stb\\suptab.exe"=
"c:\\UGS\\NXI5\\tda\\tdas.exe"=
"c:\\UGS\\NXI5\\tmg\\exe\\flow.exe"=
"c:\\UGS\\NXI5\\iges3d\\iges3dexoi.exe"=
"c:\\UGS\\NXI5\\iges3d\\iges3dimoi.exe"=
"c:\\UGS\\NXI5\\step\\stepoi.exe"=
"c:\\UGS\\NXI5\\geo\\geomod.exe"=
"c:\\UGS\\NXI5\\ideas\\ideast.exe"=
"C:0\\GRY\\Rockstar Games\\Grand Theft Auto IV\\GTAIV.exe"=
"c:\\Program Files\\Nowe Gadu-Gadu\\gg.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"e:\\Grzesiek\\Internet TV\\TVAnts\\Tvants.exe"=
"e:\\Grzesiek\\Internet TV\\SopCast\\SopCast.exe"=
"e:\\Grzesiek\\Internet TV\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2185:TCP"= 2185:TCP:I-DEAS
"28000:TCP"= 28000:TCP:I-DEAS

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-19 325128]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-01-19 107272]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-01-19 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-19 298264]
R2 IT iona_services.config_rep.grzesiek-pc cfr-NX_IDEAS_5;IT iona_services.config_rep.grzesiek-pc cfr-NX_IDEAS_5;c:\program files\IONA63\asp\6.3\bin\itconfig_rep.exe [2007-02-26 151606]
R2 IT iona_services.locator.grzesiek-pc NX_IDEAS_5;IT iona_services.locator.grzesiek-pc NX_IDEAS_5;c:\program files\IONA63\asp\6.3\bin\itlocator.exe [2007-02-26 151606]
R2 IT iona_services.naming.grzesiek-pc NX_IDEAS_5;IT iona_services.naming.grzesiek-pc NX_IDEAS_5;c:\program files\IONA63\asp\6.3\bin\itnaming.exe [2007-02-26 151606]
R2 NX I-DEAS Resource Locking Service;NX I-DEAS Resource Locking Service;c:\program files\UGS\I-DEAS\Resource Locking\lmgrd.exe [2007-02-02 1347584]
R2 UGS License Server (ugslmd);UGS License Server (ugslmd);c:\ugs\UGSLicensing\lmgrd.exe [2007-02-03 1347584]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
R3 SNP325;USB PC Camera (SNPSTD325);c:\windows\system32\drivers\snp325.sys [2009-01-15 10343168]
RUnknown IT iona_services.node_daemon.grzesiek-pc NX_IDEAS_5;IT iona_services.node_daemon.grzesiek-pc NX_IDEAS_5; [x]
S2 aunclutkk;Time Shell;c:\windows\system32\svchost.exe -k netsvcs [2008-04-14 14336]
S2 bgtofcjhg;Driver Task;c:\windows\system32\svchost.exe -k netsvcs [2008-04-14 14336]
S2 blpweshjq;System Time;c:\windows\system32\svchost.exe -k netsvcs [2008-04-14 14336]
S2 dctif;Image Boot;c:\windows\system32\svchost.exe -k netsvcs [2008-04-14 14336]
S2 dxaqctki;Server Center;c:\windows\system32\svchost.exe -k netsvcs [2008-04-14 14336]
S2 ecrcn;Shell Driver;c:\windows\system32\svchost.exe -k netsvcs [2008-04-14 14336]
S2 eogevyfi;gbvnzryh;c:\windows\system32\svchost.exe -k netsvcs [2008-04-14 14336]
S2 hwgyif;Installer Windows;c:\windows\system32\svchost.exe -k netsvcs [2008-04-14 14336]
S2 InputService;Input Service;c:\program files\IR Server Suite\Input Service\Input Service.exe [2007-12-17 61440]
S2 ixqfrdebi;Monitor Config;c:\windows\system32\svchost.exe -k netsvcs [2008-04-14 14336]
S2 jlbdtf;Installer Update;c:\windows\system32\svchost.exe -k netsvcs [2008-04-14 14336]
S2 jsdozekjc;Server Helper;c:\windows\system32\svchost.exe -k netsvcs [2008-04-14 14336]
S2 rqucrot;Image Microsoft;c:\windows\system32\svchost.exe -k netsvcs [2008-04-14 14336]
S2 TVService;TVService;c:\program files\Team MediaPortal\MediaPortal TV Server\TvService.exe [2008-12-21 208896]
S2 xrofstqaz;Support Windows;c:\windows\system32\svchost.exe -k netsvcs [2008-04-14 14336]
S2 zgvkv;Microsoft Universal;c:\windows\system32\svchost.exe -k netsvcs [2008-04-14 14336]
S3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\VBoxNetFlt.sys [2009-03-31 87696]
S3 VBoxUSB;VirtualBox USB;c:\windows\system32\drivers\VBoxUSB.sys [2009-01-26 31824]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
eogevyfi
hwgyif
jsdozekjc
aunclutkk
rqucrot
dctif
ecrcn
dxaqctki
zgvkv
ixqfrdebi
bgtofcjhg
jlbdtf
xrofstqaz
blpweshjq
.
Zawartość folderu 'Zaplanowane zadania'

2009-05-17 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]

2009-05-17 c:\windows\Tasks\User_Feed_Synchronization-{9D9E3A82-DCAF-430B-97F4-FA940A13B14F}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 02:31]
.
- - - - USUNIĘTO PUSTE WPISY - - - -

HKCU-Run-reader_s - c:\documents and settings\Grzesiek\reader_s.exe
HKLM-Run-reader_s - c:\windows\System32\reader_s.exe
HKU-Default-Run-reader_s - c:\documents and settings\Grzesiek\reader_s.exe


.
------- Skan uzupełniający -------
.
uStart Page = hxxp://www.onet.pl/
uInternet Settings,ProxyOverride = <local>
IE: E&ksport do programu Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Pobierz plik wideo we Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Pobierz w Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: Pobierz wszystkie pliki w Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Pobierz zaznaczone w Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
TCP: {C7420507-8E07-48E3-9FE6-B927EEE6DDD3} = 83.238.255.76,213.241.79.37
FF - ProfilePath - c:\documents and settings\Grzesiek\Dane aplikacji\Mozilla\Firefox\Profiles\vox6uwz5.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (pl)
FF - prefs.js: browser.startup.homepage - www.google.pl/firefox
FF - component: c:\documents and settings\Grzesiek\Dane aplikacji\Mozilla\Firefox\Profiles\vox6uwz5.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\Grzesiek\Dane aplikacji\Mozilla\Firefox\Profiles\vox6uwz5.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\extensions\activex-plugin@ff-activex-host.code.google.com\plugins\npffax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdjvu.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-17 21:42
Windows 5.1.2600 Dodatek Service Pack 3 NTFS

detected NTDLL code modification:
ZwOpenFile

skanowanie ukrytych procesów ... 

skanowanie ukrytych wpisów autostartu ...

skanowanie ukrytych plików ... 

skanowanie pomyślnie ukończone
ukryte pliki: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\aunclutkk]
"ServiceDll"="c:\windows\system32\tiddi.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\bgtofcjhg]
"ServiceDll"="c:\windows\system32\tiddi.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\blpweshjq]
"ServiceDll"="c:\windows\system32\tiddi.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dctif]
"ServiceDll"="c:\windows\system32\tiddi.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dxaqctki]
"ServiceDll"="c:\program files\Internet Explorer\tiddi.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ecrcn]
"ServiceDll"="c:\windows\system32\tiddi.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\eogevyfi]
"ServiceDll"="c:\windows\system32\tiddi.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hwgyif]
"ServiceDll"="c:\windows\system32\tiddi.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ixqfrdebi]
"ServiceDll"="c:\program files\Movie Maker\tiddi.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\jlbdtf]
"ServiceDll"="c:\program files\Internet Explorer\tiddi.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\jsdozekjc]
"ServiceDll"="c:\program files\Movie Maker\tiddi.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\rqucrot]
"ServiceDll"="c:\windows\system32\tiddi.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\xrofstqaz]
"ServiceDll"="c:\program files\Movie Maker\tiddi.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\zgvkv]
"ServiceDll"="c:\windows\system32\tiddi.dll"
.
--------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,30,29,42,57,09,12,d4,43,b7,14,53,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,30,29,42,57,09,12,d4,43,b7,14,53,\

[HKEY_USERS\S-1-5-21-343818398-1844237615-1417001333-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{FD923CCD-6387-F466-0537-EE295F53158E}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"abedadekjcgeopnckaelikbfjipkhkjfbk"=hex:61,62,6f,64,65,66,69,62,70,6b,64,64,
   63,61,6c,6c,6a,6a,68,6f,67,6d,6f,6e,6b,65,6c,64,67,6d,6f,64,6e,69,00,77
"bbedadekjcgeopnckalkbljdabpmckljjjip"=hex:61,62,62,65,69,70,6b,6d,6c,63,6d,63,
   70,63,6f,6c,6a,62,69,6c,62,67,6d,67,6a,63,63,6c,63,61,6d,64,64,70,00,77

[HKEY_USERS\S-1-5-21-343818398-1844237615-1417001333-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:d1,6c,26,a7,cb,02,08,bf,51,65,db,fc,79,a5,aa,2c,b5,9a,25,da,68,7e,4f,
   5c,81,f2,82,6d,28,3c,76,a7,18,ec,13,2d,45,a8,81,dc,6c,d8,e5,98,53,d7,4e,9b,\
"??"=hex:59,e5,97,70,47,08,a5,1e,f6,13,83,cc,52,0d,a6,6c

[HKEY_USERS\S-1-5-21-343818398-1844237615-1417001333-1003\Software\SecuROM\License information*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"datasecu"=hex:c0,e2,a5,82,60,eb,bd,3e,a5,1a,c5,37,7c,fd,23,9d,40,d4,3e,8e,9a,
   ce,7f,38,b8,95,5c,b8,62,95,50,7f,6d,b1,82,43,1b,ae,58,24,85,4f,f1,fc,b2,19,\
"rkeysecu"=hex:2f,0f,d5,3e,02,2b,06,63,b1,0b,dd,b6,71,e2,54,98
.
--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------

- - - - - - - > 'explorer.exe'(54548)
e:\grzesiek\Programy\visualtooltip22\VisualTooltip.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Pozostałe uruchomione procesy ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\UGS\I-DEAS\Resource Locking\ideasrl.exe
c:\ugs\UGSLicensing\ugslmd.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\IONA63\asp\6.3\bin\itnode_daemon.exe
c:\qoobox\Quarantine\C\WINDOWS\system32\reader_s.exe.vir
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\qoobox\Quarantine\C\WINDOWS\system32\reader_s.exe.vir
c:\program files\Skype\Phone\Skype.exe
c:\program files\Mozilla Thunderbird\thunderbird.exe
c:\program files\Mozilla Firefox\firefox.exe
.
**************************************************************************
.
Czas ukończenia: 2009-05-17 21:51 - komputer został uruchomiony ponownie
ComboFix-quarantined-files.txt  2009-05-17 19:51

Przed: 17 483 218 944 bajtów wolnych
Po: 18 031 136 768 bajtów wolnych

504   --- E O F ---   2009-05-14 19:20


[wojtas]

wykonujesz skan:
http://www.programosy.pl/program,malwarebytes-anti-malware.html
kasujesz wszystko co znajdzie potem Wykonaj skan Dr. Web CureIt

Otworz notatnik i wklej w nim to:

File::
c:\program files\Movie Maker\tiddi.dll
c:\windows\system32\tiddi.dll
c:\windows\system32\6.tmp
c:\windows\system32\5.tmp
c:\windows\system32\13B5.tmp
c:\windows\system32\3.tmp
c:\windows\system32\7.tmp
c:\windows\system32\4.tmp
c:\windows\system32\2.tmp

Folder::
c:\windows\system32\3361

Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\aunclutkk]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\bgtofcjhg]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\blpweshjq]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dctif]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dxaqctki]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ecrcn]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\eogevyfi]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hwgyif]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ixqfrdebi]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\jlbdtf]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\jsdozekjc]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\rqucrot]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\xrofstqaz]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\zgvkv]

>>Plik>>Zapisz jako... >>> CFScript
Przeciągnij i upuść plik CFScript.txt na plik ComboFix.exe
-->
Ma się rozpocząć usuwanie. (i powstanie log).Daj ten log, który powstanie w trakcie usuwania.

[grzesiek811]

Chyba nic z tego nie będzie, przygotowuję się do formata.
Gdy przenoszę CFScript.txt na plik ComboFix.exe to wyskakuje informacja, że combofix jest zainfekowany i tak się dzieje cały czas, nawet jak ściągnę nową wersję.
Wirus włącza mi przeglądarkę ze stroną porno albo reklamą viagry.
Dawno nie miałem formata, wiec oczyszczę komputer totalnie i sformatuje wszystkie dyski.
Nie widzę szansy na uratowanie tego. Systemu.