zagadkowa infekcja z nikad

[Thunderas]

Witam witam. Taki oto smieszny problem mam.
Wczoraj wieczorem zmieniła mi sie tapeta na taka

Było by to zrozumiałe przy explolerze, ale jako shell używam astona więc ot taka zmiana tapety systemowa nie ma wpływu na to.
Log z hijackthis wyglada tak:

Kod: Zaznacz wszystko

Logfile of HijackThis v1.99.1
Scan saved at 22:38:22, on 2008-02-29
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
D:\Aston\aston.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
D:\rapget136_(www.programosy.pl)\rapget136\rapget.exe
C:\WINNT\vsnpstd3.exe
D:\Tlen.pl\tlen.exe
D:\DAEMON Tools\daemon.exe
D:\Directory Opus\dopus.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\ASUS\WLAN Card Utilities\Center.exe
D:\Opera\Opera.exe
D:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Acrobat\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Tłumaczenie - {0D704FAD-66E9-4F0A-BFED-4F665770DDB3} - C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [Control Center] C:\Program Files\ASUS\WLAN Card Utilities\Center.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Rapget] D:\rapget136_(www.programosy.pl)\rapget136\rapget.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [snpstd3] C:\WINNT\vsnpstd3.exe
O4 - HKLM\..\Run: [hx] %windir%\system32\logoff.exe
O4 - HKLM\..\Run: [dwarf] %windir%\system32\logoff.exe
O4 - HKLM\..\Run: [perm_run] %windir%\system32\functions_perm.bat
O4 - HKLM\..\Run: [functions_perm] %windir%\system\functions_perm.bat
O4 - HKLM\..\Run: [functions_root] %windir%\functions_perm.bat
O4 - HKLM\..\Run: [perm_run2] %windir%\system32\functions_perm.bat
O4 - HKLM\..\Run: [functions_perm2] %windir%\system\functions_perm.bat
O4 - HKLM\..\Run: [functions_root2] %windir%\functions_perm.bat
O4 - HKLM\..\Run: [perm_run3] %windir%\system32\functions_perm.bat
O4 - HKLM\..\Run: [functions_perm3] %windir%\system\functions_perm.bat
O4 - HKLM\..\Run: [functions_root3] %windir%\functions_perm.bat
O4 - HKLM\..\Run: [centrum] %windir%\functions_perm.bat
O4 - HKLM\..\Run: [copier1] %windir%\system32\drivers\copier.bat
O4 - HKLM\..\Run: [copier2] %windir%\system32\copier.bat
O4 - HKLM\..\Run: [copier3] %windir%\system\copier.bat
O4 - HKLM\..\Run: [sysx_maker] %windir%\sysx_maker.bat
O4 - HKCU\..\Run: [Komunikator] D:\Tlen.pl\tlen.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "D:\DAEMON Tools\daemon.exe" -autorun
O4 - HKCU\..\Run: [DOpus] D:\Directory Opus\dopus.exe
O8 - Extra context menu item: Download with Rapget - D:\rapget136_(www.programosy.pl)\rapget136\rapget.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {B46B0919-62BA-4D99-A5C4-916B57A6805C} - C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll,-103 - {B46B0919-62BA-4D99-A5C4-916B57A6805C} - C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ASWLSVC - Unknown owner - C:\WINNT\system32\ASWLSVC.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: Usługa administracyjna Menedżera dysków logicznych (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe



Jak widac sa dziwne wpisy, tylko nie wiem z czego one sie wzieły.
otatnio nic nie instalowałem z programów tymbardziej z polskich serwisuw z lewym oprogramowaniem.
Antywirus nic nie wykrywa, a ad-aware "tylko" takie typowe wpisy.
[/code]

[wojtas]

fajna tapetka

Wykonaj to co jest podane w tym temacie

Zastosuj SDFix . Po pobraniu uruchom go a rozpakuje się do C:\SDFix. Uruchom komputer w trybie awaryjnym (F8 przy stracie systemu). Będąc w awaryjnym uruchom plik RunThis.bat z folderu SDFixa. Zatwierdź czyszczenie przez Y. Poczekaj aż ukończy i komputer zresetuje

Potem wejdz do folderu C:\SDFix wrzuc zawartość pliku Report.txt + log z combofixa oraz z hijacka

[Thunderas]

Zrobione wg tego co podałes oto logi.
Z combofix

Kod: Zaznacz wszystko

ComboFix 08-03-01.3 - Thunderas 2008-03-01 10:21:46.1 - NTFSx86
Microsoft Windows 2000 Professional  5.0.2195.4.1250.1.1045.18.687 [GMT 0:00]
Running from: D:\OPERA\profile\cache4\temporary_download\ComboFix.exe

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINNT\system32\cbeedbbcc8_d.dll
C:\WINNT\Web\default.htt

.
(((((((((((((((((((((((((   Files Created from 2008-02-01 to 2008-03-01  )))))))))))))))))))))))))))))))
.

2008-03-01 10:14 . 08-03-01 10:14    <DIR>   d--------   C:\WINNT\ERUNT
2008-03-01 10:03 . 08-03-01 10:19    <DIR>   d--------   C:\SDFix
2008-03-01 10:00 . 08-03-01 10:01    1,312,321   --a------   C:\SDFix.exe
2008-03-01 09:53 . 07-09-24 23:31    69,632   --a------   C:\WINNT\system32\javacpl.cpl
2008-02-29 09:24 . 08-02-29 09:24    2,359,350   --a------   C:\captemp.bmp
2008-02-28 19:35 . 08-02-28 19:35    3,120   --a------   C:\WINNT\system32\TGPK3FPF.ocx
2008-02-28 14:27 . 01-03-13 14:51    1,066,176   --a------   C:\WINNT\system32\Mscomctl.ocx
2008-02-28 14:27 . 00-11-11 21:12    675,840   --a------   C:\WINNT\system32\_ISource2.dll
2008-02-28 14:27 . 00-05-22 01:00    608,448   --a------   C:\WINNT\system32\Comctl32.ocx
2008-02-28 14:27 . 04-04-19 10:41    284,373   --a------   C:\WINNT\system32\InnovaAlert2.ocx
2008-02-28 14:27 . 04-03-09 00:00    224,016   --a------   C:\WINNT\system32\Tabctl32.ocx
2008-02-28 14:27 . 04-03-09 00:00    132,880   --a------   C:\WINNT\system32\Msinet.ocx
2008-02-28 14:27 . 04-03-09 17:45    124,688   --a------   C:\WINNT\system32\mswinsck.ocx
2008-02-28 14:27 . 98-06-24 01:00    103,744   --a------   C:\WINNT\system32\Mscomm32.ocx
2008-02-28 14:27 . 99-06-08 19:44    18,432   --a------   C:\WINNT\system32\cm17a.ocx
2008-02-28 10:12 . 08-02-28 10:12    <DIR>   d--------   C:\WINNT\Cache
2008-02-27 23:42 . 08-02-27 23:42    <DIR>   d---s----   C:\Documents and Settings\Thunderas\UserData
2008-02-27 23:28 . 08-02-27 23:46    <DIR>   d--------   C:\Documents and Settings\All Users\Dane aplikacji\Spybot - Search & Destroy
2008-02-27 23:26 . 08-02-27 23:26    <DIR>   d--------   C:\Documents and Settings\Thunderas\Dane aplikacji\Lavasoft
2008-02-27 23:22 . 08-02-27 23:24    48   --a------   C:\WINNT\iltwain.ini
2008-02-27 23:01 . 04-09-12 22:55    663,552   --a------   C:\WINNT\system32\videocapx.ocx
2008-02-27 23:01 . 01-12-14 08:00    434,176   --a------   C:\WINNT\system32\WebX.ocx
2008-02-27 23:01 . 00-11-11 22:01    389,120   --a------   C:\WINNT\system32\ImgX4.dll
2008-02-27 23:01 . 01-03-13 15:49    140,288   --a------   C:\WINNT\system32\Comdlg32.ocx
2008-02-27 23:01 . 02-01-01 11:45    92,672   --a------   C:\WINNT\system32\See32.dll
2008-02-27 23:01 . 03-01-21 08:00    69,632   --a------   C:\WINNT\system32\CM11A.ocx
2008-02-27 23:01 . 03-01-27 16:26    57,856   --a------   C:\WINNT\system32\Fce32.dll
2008-02-27 23:01 . 03-01-27 16:26    57,856   --a------   C:\WINNT\Fce32.dll
2008-02-27 23:01 . 04-10-04 14:14    45,056   --a------   C:\WINNT\system32\offer.exe
2008-02-27 22:55 . 00-02-21 21:07    413,760   --a------   C:\WINNT\system32\MPG4C32.DLL
2008-02-27 22:49 . 08-02-27 22:57    16,384   --a----t-   C:\WINNT\system32\Perflib_Perfdata_368.dat
2008-02-27 22:42 . 00-03-09 00:35    258,320   --a------   C:\WINNT\system32\msh263.drv
2008-02-27 22:42 . 03-06-19 12:05    52,496   --a------   C:\WINNT\system32\vfwwdm32.dll
2008-02-27 22:42 . 03-06-19 12:05    52,496   --a--c---   C:\WINNT\system32\dllcache\vfwwdm32.dll
2008-02-27 22:42 . 00-03-09 00:34    45,840   --a------   C:\WINNT\system32\iyuv_32.dll
2008-02-27 22:42 . 00-03-09 00:34    45,840   --a--c---   C:\WINNT\system32\dllcache\iyuv_32.dll
2008-02-27 22:42 . 00-03-09 00:34    12,560   --a------   C:\WINNT\system32\tsbyuv.dll
2008-02-27 22:42 . 00-03-09 00:34    12,560   --a--c---   C:\WINNT\system32\dllcache\tsbyuv.dll
2008-02-27 22:37 . 08-02-27 22:37    <DIR>   d--------   C:\Program Files\Common Files\snpstd3
2008-02-27 22:37 . 05-04-14 17:23    472,960   --a------   C:\WINNT\system32\drivers\snpstd3.sys
2008-02-27 22:37 . 05-01-14 11:00    339,968   --a------   C:\WINNT\vsnpstd3.exe
2008-02-27 22:37 . 04-08-09 17:43    94,208   --a------   C:\WINNT\amcap.exe
2008-02-27 22:37 . 04-02-16 13:59    61,440   --a------   C:\WINNT\system32\csnpstd3.dll
2008-02-27 22:37 . 05-02-01 13:45    57,344   --a------   C:\WINNT\system32\rsnpstd3.dll
2008-02-27 22:37 . 04-11-25 12:59    36,864   --a------   C:\WINNT\system32\vsnpstd3.dll
2008-02-27 22:37 . 05-04-14 17:31    36,864   --a------   C:\WINNT\system32\dsnpstd3.ax
2008-02-27 22:37 . 04-12-08 18:40    20,480   --a------   C:\WINNT\usnpstd3.exe
2008-02-27 22:37 . 04-02-27 17:36    15,498   --a------   C:\WINNT\snpstd3.ini
2008-02-27 22:37 . 04-02-27 17:36    13,023   --a------   C:\WINNT\snpstd3.src
2008-02-27 14:04 . 06-08-29 14:56    32,377   --a------   C:\WINNT\system32\drivers\prodigy.sys
2008-02-27 13:57 . 08-02-27 13:57    <DIR>   d--------   C:\Program Files\Nokia
2008-02-27 13:57 . 08-02-27 13:57    <DIR>   d--------   C:\Documents and Settings\All Users\Dane aplikacji\Nokia
2008-02-26 22:20 . 08-02-26 22:20    <DIR>   d--------   C:\Program Files\Techland
2008-02-26 22:14 . 08-02-26 22:15    <DIR>   d--h-----   C:\WINNT\msdownld.tmp
2008-02-26 19:45 . 08-02-26 19:45    145,408   --a------   C:\WINNT\system32\msconfig.exe
2008-02-26 15:44 . 99-09-25 03:17    18,704   --a------   C:\WINNT\system32\drivers\RTL8139.sys
2008-02-26 15:44 . 99-09-25 03:17    18,704   --a--c---   C:\WINNT\system32\dllcache\rtl8139.sys
2008-02-26 00:15 . 07-02-21 02:11    68,888   --a------   C:\WINNT\system32\xinput1_3.dll
2008-02-25 19:10 . 08-02-25 19:10    <DIR>   d--------   C:\Program Files\Common Files\PCSuite
2008-02-25 19:10 . 08-02-27 13:57    <DIR>   d--------   C:\Program Files\Common Files\Nokia
2008-02-25 19:10 . 08-02-29 09:33    <DIR>   d--------   C:\Documents and Settings\Thunderas\Dane aplikacji\Nokia
2008-02-25 19:09 . 08-02-25 19:09    <DIR>   d--------   C:\Program Files\PC Connectivity Solution
2008-02-25 19:08 . 07-02-22 11:15    137,216   --a------   C:\WINNT\system32\drivers\nmwcd.sys
2008-02-25 19:08 . 07-02-22 11:15    90,624   --a------   C:\WINNT\system32\nmwcdcls.dll
2008-02-25 19:08 . 07-02-22 11:15    65,536   --a------   C:\WINNT\system32\nmwcdcocls.dll
2008-02-25 19:08 . 07-02-22 11:15    12,288   --a------   C:\WINNT\system32\drivers\nmwcdcm.sys
2008-02-25 19:08 . 07-02-22 11:15    12,288   --a------   C:\WINNT\system32\drivers\nmwcdcj.sys
2008-02-25 19:08 . 07-02-22 11:15    8,320   --a------   C:\WINNT\system32\drivers\nmwcdc.sys
2008-02-25 19:07 . 08-02-25 19:07    <DIR>   d--------   C:\Documents and Settings\All Users\Dane aplikacji\Installations
2008-02-25 18:58 . 08-02-25 19:13    <DIR>   d--hs----   C:\Documents and Settings\Thunderas\Phone Browser
2008-02-25 10:04 . 04-05-24 18:23    311,296   --a------   C:\WINNT\system32\LEXBCES.EXE
2008-02-25 10:04 . 04-05-24 18:21    201,216   --a------   C:\WINNT\system32\LEXP2P32.DLL
2008-02-25 10:04 . 04-05-24 18:42    200,704   --a------   C:\WINNT\system32\lexlmpm.dll
2008-02-25 10:04 . 04-05-24 18:26    198,144   --a------   C:\WINNT\system32\LEX2KUSB.DLL
2008-02-25 10:04 . 04-05-24 18:22    174,592   --a------   C:\WINNT\system32\LEXPPS.EXE
2008-02-25 10:04 . 04-05-24 18:22    147,456   --a------   C:\WINNT\system32\LEXBCE.DLL
2008-02-25 10:04 . 06-03-28 10:29    73,728   --a------   C:\WINNT\system32\lxdapwr.dll
2008-02-25 10:04 . 08-02-28 10:10    252   --a------   C:\WINNT\LEXSTAT.INI
2008-02-25 10:03 . 08-02-25 10:03    <DIR>   d--------   C:\Program Files\Lexmark 640 Series
2008-02-25 10:03 . 97-04-18 11:52    298,496   --a------   C:\WINNT\unin0415.exe
2008-02-25 10:02 . 03-06-19 12:05    21,872   --a------   C:\WINNT\system32\drivers\usbprint.sys
2008-02-25 10:02 . 03-06-19 12:05    21,872   --a--c---   C:\WINNT\system32\dllcache\usbprint.sys
2008-02-24 15:55 . 08-02-24 17:50    <DIR>   d--------   C:\Documents and Settings\Thunderas\Dane aplikacji\GanymedeNet
2008-02-24 14:22 . 08-03-01 10:19    172   --a------   C:\ASWL2K.ini
2008-02-16 08:28 . 08-02-16 08:28    <DIR>   d--------   C:\Documents and Settings\Administrator\Phone Browser
2008-02-16 08:28 . 08-02-16 08:28    <DIR>   d--------   C:\Documents and Settings\Administrator\Dane aplikacji\PC Suite
2008-02-15 19:31 . 08-02-29 14:52    <DIR>   d--------   C:\Documents and Settings\Thunderas\Dane aplikacji\OpenOffice.org2
2008-02-15 14:49 . 08-02-28 10:14    <DIR>   d--------   C:\Program Files\Common Files\Adobe
2008-02-15 13:02 . 08-02-27 16:59    <DIR>   d--------   C:\Documents and Settings\Thunderas\Dane aplikacji\Nokia Multimedia Player
2008-02-15 12:58 . 08-02-15 12:58    <DIR>   d--------   C:\Program Files\DIFX
2008-02-15 12:55 . 08-02-15 13:03    <DIR>   d--------   C:\Documents and Settings\Thunderas\Dane aplikacji\PC Suite
2008-02-15 12:55 . 08-02-29 09:33    <DIR>   d--------   C:\Documents and Settings\All Users\Dane aplikacji\PC Suite
2008-02-15 12:54 . 08-02-25 19:09    <DIR>   d----c---   C:\WINNT\system32\DRVSTORE
2008-02-15 12:54 . 08-02-25 19:09    <DIR>   d--------   C:\Documents and Settings\All Users\Dane aplikacji\Downloaded Installations
2008-02-15 12:09 . 08-02-29 22:41    116   --a------   C:\WINNT\NeroDigital.ini
2008-02-15 12:06 . 08-02-15 12:06    <DIR>   d--------   C:\Program Files\Common Files\Adaptec Shared
2008-02-15 12:04 . 08-02-15 18:31    <DIR>   d--------   C:\Documents and Settings\Thunderas\Dane aplikacji\Any Video Converter
2008-02-15 11:23 . 08-02-15 11:23    66   --a------   C:\WINNT\Power Video Converter.INI
2008-02-15 07:50 . 08-02-15 07:50    <DIR>   d--h-----   C:\WINNT\PIF
2008-02-14 21:25 . 08-02-14 21:25    16,384   --a----t-   C:\WINNT\system32\Perflib_Perfdata_67c.dat

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-29 14:51   60,062   ----a-w   C:\WINNT\system32\drivers\oszukali.bmp
2008-02-29 14:51   358   ----a-w   C:\WINNT\system32\drivers\functions_perm.bat
2008-02-29 14:51   258   ----a-w   C:\WINNT\system32\drivers\copier_run.reg
2008-02-29 14:51   134   ----a-w   C:\WINNT\system32\drivers\NoChangeWallp.reg
2008-02-29 14:51   120   ----a-w   C:\WINNT\system32\drivers\logoff_run.reg
2008-02-29 14:51   117   ----a-w   C:\WINNT\system32\drivers\perm.reg
2008-02-29 14:51   117   ----a-w   C:\WINNT\system32\drivers\NoClose_current.reg
2008-02-29 14:51   111   ----a-w   C:\WINNT\system32\drivers\wallpaper_cur.reg
2008-02-29 14:51   1,661   ----a-w   C:\WINNT\system32\drivers\copier.bat
2008-02-15 12:06   58,000   ----a-w   C:\WINNT\system32\drivers\cdr4_2K.sys
2008-02-15 12:06   57,344   ----a-w   C:\WINNT\uneng.exe
2008-02-15 12:06   49,152   ----a-w   C:\WINNT\system32\cdrtc.dll
2008-02-15 12:06   45,056   ----a-w   C:\WINNT\system32\cdral.dll
2008-02-15 12:06   23,420   ----a-w   C:\WINNT\system32\drivers\cdralw2k.sys
2008-02-14 14:47   892,928   ----a-w   C:\WINNT\system32\iconv.dll
2008-02-14 14:46   921,600   ----a-w   C:\WINNT\system32\vorbisenc.dll
2008-02-14 14:46   9,216   ----a-w   C:\WINNT\system32\cpuinf32.dll
2008-02-14 14:46   524,288   ----a-w   C:\WINNT\system32\DivXsm.exe
2008-02-14 14:46   45,056   ----a-w   C:\WINNT\system32\ogg.dll
2008-02-14 14:46   245,760   ----a-w   C:\WINNT\system32\mplvpx.dll
2008-02-14 14:46   237,568   ----a-w   C:\WINNT\system32\OggDS.dll
2008-02-14 14:46   188,416   ----a-w   C:\WINNT\system32\vorbis.dll
2008-02-14 14:46   1,559,040   ----a-w   C:\WINNT\system32\xvidcore.dll
2008-02-14 14:46   1,415,680   ----a-w   C:\WINNT\system32\WMV9VCM.dll
2008-02-14 11:49   ---------   d-----w   C:\Program Files\microsoft frontpage
2008-02-14 11:48   271   ---h--w   C:\Program Files\desktop.ini
2008-02-14 11:48   22,039   ---h--w   C:\Program Files\folder.htt
2008-02-14 11:47   ---------   d-----w   C:\Program Files\Accessories
2000-03-20 23:00   32,528   ----a-w   C:\WINNT\inf\wbfirdma.sys
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Komunikator"="D:\Tlen.pl\tlen.exe" [07-09-27 11:43  6226432]
"DAEMON Tools Lite"="D:\DAEMON Tools\daemon.exe" [08-01-17 16:51  486856]
"DOpus"="D:\Directory Opus\dopus.exe" [06-06-26 05:46  5261232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="C:\WINNT\UpdReg.EXE" [00-05-11 01:00  90112]
"Control Center"="C:\Program Files\ASUS\WLAN Card Utilities\Center.exe" [06-08-15 15:48  1696256]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [07-09-25 01:11  132496]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [08-02-16 08:29  249896]
"Rapget"="D:\rapget136_(www.programosy.pl)\rapget136\rapget.exe" [07-10-07 18:51  171008]
"Synchronization Manager"="mobsync.exe" [03-06-19 10:05  111888 C:\WINNT\system32\mobsync.exe]
"snpstd3"="C:\WINNT\vsnpstd3.exe" [05-01-14 11:00  339968]
"hx"="%windir%\system32\logoff.exe" [ ]
"dwarf"="%windir%\system32\logoff.exe" [ ]
"perm_run"="%windir%\system32\functions_perm.bat" [ ]
"functions_perm"="%windir%\system\functions_perm.bat" [ ]
"functions_root"="%windir%\functions_perm.bat" [ ]
"perm_run2"="%windir%\system32\functions_perm.bat" [ ]
"functions_perm2"="%windir%\system\functions_perm.bat" [ ]
"functions_root2"="%windir%\functions_perm.bat" [ ]
"perm_run3"="%windir%\system32\functions_perm.bat" [ ]
"functions_perm3"="%windir%\system\functions_perm.bat" [ ]
"functions_root3"="%windir%\functions_perm.bat" [ ]
"centrum"="%windir%\functions_perm.bat" [ ]
"copier1"="%windir%\system32\drivers\copier.bat" [ ]
"copier2"="%windir%\system32\copier.bat" [ ]
"copier3"="%windir%\system\copier.bat" [ ]
"sysx_maker"="%windir%\sysx_maker.bat" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="D:\Nokia\Nokia PC Suite 6\PcSync2.exe" [07-06-19 10:17  1241088]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 10:05  188688]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{3CF9ECE0-1A9F-11D2-8C73-00C06C2005DE}"= D:\Directory Opus\dopuslib.dll [06-06-20 07:00  489400]

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon]
"shell"="D:\\Aston\\aston.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17Helper]
-ra------ 05-05-03 11:38  64512 C:\WINNT\system32\P17.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--------- 07-06-18 15:10  271360 D:\Nokia\Nokia PC Suite 6\LaunchApplication.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 05-03-24 19:20  77824 C:\WINNT\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Synchronization Manager]
--a------ 03-06-19 10:05  111888 C:\WINNT\system32\mobsync.exe

R0 avgntmgr;avgntmgr;C:\WINNT\system32\DRIVERS\avgntmgr.sys [07-07-18 14:21 ]
R1 avgntdd;avgntdd;C:\WINNT\system32\DRIVERS\avgntdd.sys [07-08-09 13:03 ]
R3 ASNDIS5;ASNDIS5 Protocol Driver;C:\WINNT\system32\ASNDIS5.SYS [02-09-09 19:54 ]
R3 usbhub20;Obsługa koncentratora USB;C:\WINNT\system32\DRIVERS\usbhub20.sys [03-06-19 11:05 ]
S3 viafilter;VIA USB Filter;C:\WINNT\system32\Drivers\viausb.sys [04-06-14 16:52 ]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-01 10:22:19
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-01 10:22:37
ComboFix-quarantined-files.txt  2008-03-01 10:22:35


Z SDFix'a

Kod: Zaznacz wszystko


[b]SDFix: Version 1.149 [/b]

Run by Thunderas on So 2008-03-01 at 10:15

Microsoft Windows 2000 [Wersja 5.00.2195]
Running From: C:\SDFix

[b]Checking Services [/b]:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


[b]Checking Files [/b]:

No Trojan Files Found






Removing Temp Files

[b]ADS Check [/b]:



                                 [b]Final Check [/b]:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-01 10:18:46
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

IPC error: 2 System nie może odnaleźć określonego pliku.
scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\Vid_0c45&Pid_60fe&Mi_01\6&1da22124&0&1\Device Parameters]
"HWRevision?U\x2039\x11b\x81\x11b\x11a?"="101"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="D:\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:ab,98,22,ef,25,95,aa,62,4f,25,dd,6e,4b,2a,9c,12,cb,f6,c4,a2,67,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,b4,3b,44,0e,35,df,83,63,d4,57,68,34,c8,65,e5,6c,5a,..
"khjeh"=hex:6a,18,71,3f,41,dd,75,aa,e6,f2,e6,6a,16,ca,56,61,bd,f6,e6,85,98,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:de,df,f8,3a,91,90,4a,5e,ab,10,5a,0d,2e,1d,9f,bc,da,70,00,67,1b,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\USB\Vid_0c45&Pid_60fe&Mi_01\6&1da22124&0&1\Device Parameters]
"HWRevision?U\x2039\x11b\x81\x11b\x11a?"="101"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="D:\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:ab,98,22,ef,25,95,aa,62,4f,25,dd,6e,4b,2a,9c,12,cb,f6,c4,a2,67,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,b4,3b,44,0e,35,df,83,63,d4,57,68,34,c8,65,e5,6c,5a,..
"khjeh"=hex:6a,18,71,3f,41,dd,75,aa,e6,f2,e6,6a,16,ca,56,61,bd,f6,e6,85,98,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:de,df,f8,3a,91,90,4a,5e,ab,10,5a,0d,2e,1d,9f,bc,da,70,00,67,1b,..

scanning hidden registry entries ...

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\A\1\5\1c]
"Order"=hex:08,00,00,00,02,00,00,00,fc,00,00,00,01,00,00,00,03,00,00,00,76,..

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


[b]Remaining Services [/b]:



[b]Remaining Files [/b]:



[b]Files with Hidden Attributes [/b]:

Thu 14 Feb 2008            23 A.SH. --- "C:\WINNT\system32\cbeedbbcc8_d.dll"
Tue 26 Feb 2008             0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\f7db876e78b88fd8276fd7d29cb7e4eb\BIT3.tmp"

[b]Finished![/b]



i z hijackthis

Kod: Zaznacz wszystko

Logfile of HijackThis v1.99.1
Scan saved at 10:24:38, on 2008-03-01
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
D:\Aston\aston.exe
C:\Program Files\ASUS\WLAN Card Utilities\Center.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
D:\rapget136_(www.programosy.pl)\rapget136\rapget.exe
C:\WINNT\vsnpstd3.exe
D:\Tlen.pl\tlen.exe
D:\DAEMON Tools\daemon.exe
D:\Directory Opus\dopus.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\notepad.exe
D:\Opera\Opera.exe
D:\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Acrobat\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Tłumaczenie - {0D704FAD-66E9-4F0A-BFED-4F665770DDB3} - C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [Control Center] C:\Program Files\ASUS\WLAN Card Utilities\Center.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Rapget] D:\rapget136_(www.programosy.pl)\rapget136\rapget.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [snpstd3] C:\WINNT\vsnpstd3.exe
O4 - HKLM\..\Run: [hx] %windir%\system32\logoff.exe
O4 - HKLM\..\Run: [dwarf] %windir%\system32\logoff.exe
O4 - HKLM\..\Run: [perm_run] %windir%\system32\functions_perm.bat
O4 - HKLM\..\Run: [functions_perm] %windir%\system\functions_perm.bat
O4 - HKLM\..\Run: [functions_root] %windir%\functions_perm.bat
O4 - HKLM\..\Run: [perm_run2] %windir%\system32\functions_perm.bat
O4 - HKLM\..\Run: [functions_perm2] %windir%\system\functions_perm.bat
O4 - HKLM\..\Run: [functions_root2] %windir%\functions_perm.bat
O4 - HKLM\..\Run: [perm_run3] %windir%\system32\functions_perm.bat
O4 - HKLM\..\Run: [functions_perm3] %windir%\system\functions_perm.bat
O4 - HKLM\..\Run: [functions_root3] %windir%\functions_perm.bat
O4 - HKLM\..\Run: [centrum] %windir%\functions_perm.bat
O4 - HKLM\..\Run: [copier1] %windir%\system32\drivers\copier.bat
O4 - HKLM\..\Run: [copier2] %windir%\system32\copier.bat
O4 - HKLM\..\Run: [copier3] %windir%\system\copier.bat
O4 - HKLM\..\Run: [sysx_maker] %windir%\sysx_maker.bat
O4 - HKCU\..\Run: [Komunikator] D:\Tlen.pl\tlen.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "D:\DAEMON Tools\daemon.exe" -autorun
O4 - HKCU\..\Run: [DOpus] D:\Directory Opus\dopus.exe
O8 - Extra context menu item: Download with Rapget - D:\rapget136_(www.programosy.pl)\rapget136\rapget.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {B46B0919-62BA-4D99-A5C4-916B57A6805C} - C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll,-103 - {B46B0919-62BA-4D99-A5C4-916B57A6805C} - C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ASWLSVC - Unknown owner - C:\WINNT\system32\ASWLSVC.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: Usługa administracyjna Menedżera dysków logicznych (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe



i jak to teraz wyglada?

[ Dodano: Dzisiaj o 10:31 ]
W hijackthis pozbyłem sie wpisów

Kod: Zaznacz wszystko

O4 - HKLM\..\Run: [snpstd3] C:\WINNT\vsnpstd3.exe
O4 - HKLM\..\Run: [hx] %windir%\system32\logoff.exe
O4 - HKLM\..\Run: [dwarf] %windir%\system32\logoff.exe
O4 - HKLM\..\Run: [perm_run] %windir%\system32\functions_perm.bat
O4 - HKLM\..\Run: [functions_perm] %windir%\system\functions_perm.bat
O4 - HKLM\..\Run: [functions_root] %windir%\functions_perm.bat
O4 - HKLM\..\Run: [perm_run2] %windir%\system32\functions_perm.bat
O4 - HKLM\..\Run: [functions_perm2] %windir%\system\functions_perm.bat
O4 - HKLM\..\Run: [functions_root2] %windir%\functions_perm.bat
O4 - HKLM\..\Run: [perm_run3] %windir%\system32\functions_perm.bat
O4 - HKLM\..\Run: [functions_perm3] %windir%\system\functions_perm.bat
O4 - HKLM\..\Run: [functions_root3] %windir%\functions_perm.bat
O4 - HKLM\..\Run: [centrum] %windir%\functions_perm.bat
O4 - HKLM\..\Run: [copier1] %windir%\system32\drivers\copier.bat
O4 - HKLM\..\Run: [copier2] %windir%\system32\copier.bat
O4 - HKLM\..\Run: [copier3] %windir%\system\copier.bat
O4 - HKLM\..\Run: [sysx_maker] %windir%\sysx_maker.bat

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm


te dwa ostatnie chyba dla zasady bo przewaznie wtym jest wykrywane ad-aware.

[wojtas]

przeskanuj te pliki;

C:\WINNT\system32\Fce32.dll
C:\WINNT\system32\TGPK3FPF.ocx
C:\WINNT\inf\wbfirdma.sys

tu:

http://virusscan.jotti.org/
http://www.virustotal.com/


to trzeba bylo zostawic:

O4 - HKLM\..\Run: [snpstd3] C:\WINNT\vsnpstd3.exe

Otworz notatnik i wklej w nim to:

File::
C:\WINNT\system32\drivers\oszukali.bmp
C:\WINNT\system32\drivers\functions_perm.bat
C:\WINNT\system32\drivers\copier_run.reg
C:\WINNT\system32\drivers\NoChangeWallp.reg
C:\WINNT\system32\drivers\logoff_run.reg
C:\WINNT\system32\drivers\perm.reg
C:\WINNT\system32\drivers\NoClose_current.reg
C:\WINNT\system32\drivers\wallpaper_cur.reg
C:\WINNT\system32\drivers\copier.bat

Plik >>> zapisz jako CFScript.txt .Plik przeciągnij i upuść na ikonę ComboFixa (tak jak tu ) . odczekaj az wygeneruje sie nowy log i go daj na forum + raporty z plikow

[Thunderas]

C:\WINNT\system32\Fce32.dll
C:\WINNT\system32\TGPK3FPF.ocx
C:\WINNT\inf\wbfirdma.sys

Pliki sa czyste

Kod: Zaznacz wszystko

O4 - HKLM\..\Run: [snpstd3] C:\WINNT\vsnpstd3.exe

wspis jednak jest to chyba dobrze

Kod: Zaznacz wszystko

ComboFix 08-03-01.3 - Thunderas 2008-03-01 19:03:50.2 - NTFSx86
Microsoft Windows 2000 Professional  5.0.2195.4.1250.1.1045.18.646 [GMT 0:00]
Running from: C:\ComboFix.exe
Command switches used :: C:\CFScript.txt

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]

FILE ::
C:\WINNT\system32\drivers\copier.bat
C:\WINNT\system32\drivers\copier_run.reg
C:\WINNT\system32\drivers\functions_perm.bat
C:\WINNT\system32\drivers\logoff_run.reg
C:\WINNT\system32\drivers\NoChangeWallp.reg
C:\WINNT\system32\drivers\NoClose_current.reg
C:\WINNT\system32\drivers\oszukali.bmp
C:\WINNT\system32\drivers\perm.reg
C:\WINNT\system32\drivers\wallpaper_cur.reg
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINNT\system32\drivers\copier_run.reg
C:\WINNT\system32\drivers\logoff_run.reg
C:\WINNT\system32\drivers\NoChangeWallp.reg
C:\WINNT\system32\drivers\NoClose_current.reg
C:\WINNT\system32\drivers\oszukali.bmp
C:\WINNT\system32\drivers\perm.reg
C:\WINNT\system32\drivers\wallpaper_cur.reg

.
(((((((((((((((((((((((((   Files Created from 2008-02-01 to 2008-03-01  )))))))))))))))))))))))))))))))
.

2008-03-01 19:03 . 08-03-01 19:03    1,579,712   --a------   C:\ComboFix.exe
2008-03-01 12:42 . 08-03-01 12:42    6,592   --a------   C:\WINNT\gwpreset.ini
2008-03-01 12:42 . 08-03-01 12:42    3,362   --a------   C:\WINNT\express.eqx
2008-03-01 12:42 . 08-03-01 12:45    514   --a------   C:\WINNT\goldwave.ini
2008-03-01 11:01 . 08-03-01 11:01    <DIR>   d--------   C:\WINNT\system32\Macromed
2008-03-01 10:14 . 08-03-01 10:14    <DIR>   d--------   C:\WINNT\ERUNT
2008-03-01 10:03 . 08-03-01 10:19    <DIR>   d--------   C:\SDFix
2008-03-01 10:00 . 08-03-01 10:01    1,312,321   --a------   C:\SDFix.exe
2008-03-01 09:53 . 07-09-24 23:31    69,632   --a------   C:\WINNT\system32\javacpl.cpl
2008-02-29 14:51 . 08-02-29 14:51    258   --a------   C:\WINNT\system32\copier_run.reg
2008-02-29 14:51 . 08-02-29 14:51    134   --a------   C:\WINNT\system\NoChangeWallp.reg
2008-02-29 14:51 . 08-02-29 14:51    117   --a------   C:\WINNT\system32\perm.reg
2008-02-29 14:51 . 08-02-29 14:51    117   --a------   C:\WINNT\system\NoClose_current.reg
2008-02-29 14:51 . 08-02-29 14:51    111   --a------   C:\WINNT\system\wallpaper_cur.reg
2008-02-29 09:24 . 08-02-29 09:24    2,359,350   --a------   C:\captemp.bmp
2008-02-28 19:35 . 08-02-28 19:35    3,120   --a------   C:\WINNT\system32\TGPK3FPF.ocx
2008-02-28 14:27 . 01-03-13 14:51    1,066,176   --a------   C:\WINNT\system32\Mscomctl.ocx
2008-02-28 14:27 . 00-11-11 21:12    675,840   --a------   C:\WINNT\system32\_ISource2.dll
2008-02-28 14:27 . 00-05-22 01:00    608,448   --a------   C:\WINNT\system32\Comctl32.ocx
2008-02-28 14:27 . 04-04-19 10:41    284,373   --a------   C:\WINNT\system32\InnovaAlert2.ocx
2008-02-28 14:27 . 04-03-09 00:00    224,016   --a------   C:\WINNT\system32\Tabctl32.ocx
2008-02-28 14:27 . 04-03-09 00:00    132,880   --a------   C:\WINNT\system32\Msinet.ocx
2008-02-28 14:27 . 04-03-09 17:45    124,688   --a------   C:\WINNT\system32\mswinsck.ocx
2008-02-28 14:27 . 98-06-24 01:00    103,744   --a------   C:\WINNT\system32\Mscomm32.ocx
2008-02-28 14:27 . 99-06-08 19:44    18,432   --a------   C:\WINNT\system32\cm17a.ocx
2008-02-28 10:12 . 08-02-28 10:12    <DIR>   d--------   C:\WINNT\Cache
2008-02-27 23:42 . 08-02-27 23:42    <DIR>   d---s----   C:\Documents and Settings\Thunderas\UserData
2008-02-27 23:28 . 08-02-27 23:46    <DIR>   d--------   C:\Documents and Settings\All Users\Dane aplikacji\Spybot - Search & Destroy
2008-02-27 23:26 . 08-02-27 23:26    <DIR>   d--------   C:\Documents and Settings\Thunderas\Dane aplikacji\Lavasoft
2008-02-27 23:22 . 08-02-27 23:24    48   --a------   C:\WINNT\iltwain.ini
2008-02-27 23:01 . 04-09-12 22:55    663,552   --a------   C:\WINNT\system32\videocapx.ocx
2008-02-27 23:01 . 01-12-14 08:00    434,176   --a------   C:\WINNT\system32\WebX.ocx
2008-02-27 23:01 . 00-11-11 22:01    389,120   --a------   C:\WINNT\system32\ImgX4.dll
2008-02-27 23:01 . 01-03-13 15:49    140,288   --a------   C:\WINNT\system32\Comdlg32.ocx
2008-02-27 23:01 . 02-01-01 11:45    92,672   --a------   C:\WINNT\system32\See32.dll
2008-02-27 23:01 . 03-01-21 08:00    69,632   --a------   C:\WINNT\system32\CM11A.ocx
2008-02-27 23:01 . 03-01-27 16:26    57,856   --a------   C:\WINNT\system32\Fce32.dll
2008-02-27 23:01 . 03-01-27 16:26    57,856   --a------   C:\WINNT\Fce32.dll
2008-02-27 23:01 . 04-10-04 14:14    45,056   --a------   C:\WINNT\system32\offer.exe
2008-02-27 22:55 . 00-02-21 21:07    413,760   --a------   C:\WINNT\system32\MPG4C32.DLL
2008-02-27 22:49 . 08-02-27 22:57    16,384   --a----t-   C:\WINNT\system32\Perflib_Perfdata_368.dat
2008-02-27 22:42 . 00-03-09 00:35    258,320   --a------   C:\WINNT\system32\msh263.drv
2008-02-27 22:42 . 03-06-19 12:05    52,496   --a------   C:\WINNT\system32\vfwwdm32.dll
2008-02-27 22:42 . 03-06-19 12:05    52,496   --a--c---   C:\WINNT\system32\dllcache\vfwwdm32.dll
2008-02-27 22:42 . 00-03-09 00:34    45,840   --a------   C:\WINNT\system32\iyuv_32.dll
2008-02-27 22:42 . 00-03-09 00:34    45,840   --a--c---   C:\WINNT\system32\dllcache\iyuv_32.dll
2008-02-27 22:42 . 00-03-09 00:34    12,560   --a------   C:\WINNT\system32\tsbyuv.dll
2008-02-27 22:42 . 00-03-09 00:34    12,560   --a--c---   C:\WINNT\system32\dllcache\tsbyuv.dll
2008-02-27 22:37 . 08-02-27 22:37    <DIR>   d--------   C:\Program Files\Common Files\snpstd3
2008-02-27 22:37 . 05-04-14 17:23    472,960   --a------   C:\WINNT\system32\drivers\snpstd3.sys
2008-02-27 22:37 . 05-01-14 11:00    339,968   --a------   C:\WINNT\vsnpstd3.exe
2008-02-27 22:37 . 04-08-09 17:43    94,208   --a------   C:\WINNT\amcap.exe
2008-02-27 22:37 . 04-02-16 13:59    61,440   --a------   C:\WINNT\system32\csnpstd3.dll
2008-02-27 22:37 . 05-02-01 13:45    57,344   --a------   C:\WINNT\system32\rsnpstd3.dll
2008-02-27 22:37 . 04-11-25 12:59    36,864   --a------   C:\WINNT\system32\vsnpstd3.dll
2008-02-27 22:37 . 05-04-14 17:31    36,864   --a------   C:\WINNT\system32\dsnpstd3.ax
2008-02-27 22:37 . 04-12-08 18:40    20,480   --a------   C:\WINNT\usnpstd3.exe
2008-02-27 22:37 . 04-02-27 17:36    15,498   --a------   C:\WINNT\snpstd3.ini
2008-02-27 22:37 . 04-02-27 17:36    13,023   --a------   C:\WINNT\snpstd3.src
2008-02-27 14:04 . 06-08-29 14:56    32,377   --a------   C:\WINNT\system32\drivers\prodigy.sys
2008-02-27 13:57 . 08-02-27 13:57    <DIR>   d--------   C:\Program Files\Nokia
2008-02-27 13:57 . 08-02-27 13:57    <DIR>   d--------   C:\Documents and Settings\All Users\Dane aplikacji\Nokia
2008-02-26 22:20 . 08-02-26 22:20    <DIR>   d--------   C:\Program Files\Techland
2008-02-26 22:14 . 08-02-26 22:15    <DIR>   d--h-----   C:\WINNT\msdownld.tmp
2008-02-26 19:45 . 08-02-26 19:45    145,408   --a------   C:\WINNT\system32\msconfig.exe
2008-02-26 15:44 . 99-09-25 03:17    18,704   --a------   C:\WINNT\system32\drivers\RTL8139.sys
2008-02-26 15:44 . 99-09-25 03:17    18,704   --a--c---   C:\WINNT\system32\dllcache\rtl8139.sys
2008-02-26 00:15 . 07-02-21 02:11    68,888   --a------   C:\WINNT\system32\xinput1_3.dll
2008-02-25 19:10 . 08-02-25 19:10    <DIR>   d--------   C:\Program Files\Common Files\PCSuite
2008-02-25 19:10 . 08-02-27 13:57    <DIR>   d--------   C:\Program Files\Common Files\Nokia
2008-02-25 19:10 . 08-03-01 12:49    <DIR>   d--------   C:\Documents and Settings\Thunderas\Dane aplikacji\Nokia
2008-02-25 19:09 . 08-02-25 19:09    <DIR>   d--------   C:\Program Files\PC Connectivity Solution
2008-02-25 19:08 . 07-02-22 11:15    137,216   --a------   C:\WINNT\system32\drivers\nmwcd.sys
2008-02-25 19:08 . 07-02-22 11:15    90,624   --a------   C:\WINNT\system32\nmwcdcls.dll
2008-02-25 19:08 . 07-02-22 11:15    65,536   --a------   C:\WINNT\system32\nmwcdcocls.dll
2008-02-25 19:08 . 07-02-22 11:15    12,288   --a------   C:\WINNT\system32\drivers\nmwcdcm.sys
2008-02-25 19:08 . 07-02-22 11:15    12,288   --a------   C:\WINNT\system32\drivers\nmwcdcj.sys
2008-02-25 19:08 . 07-02-22 11:15    8,320   --a------   C:\WINNT\system32\drivers\nmwcdc.sys
2008-02-25 19:07 . 08-02-25 19:07    <DIR>   d--------   C:\Documents and Settings\All Users\Dane aplikacji\Installations
2008-02-25 18:58 . 08-02-25 19:13    <DIR>   d--hs----   C:\Documents and Settings\Thunderas\Phone Browser
2008-02-25 10:04 . 04-05-24 18:23    311,296   --a------   C:\WINNT\system32\LEXBCES.EXE
2008-02-25 10:04 . 04-05-24 18:21    201,216   --a------   C:\WINNT\system32\LEXP2P32.DLL
2008-02-25 10:04 . 04-05-24 18:42    200,704   --a------   C:\WINNT\system32\lexlmpm.dll
2008-02-25 10:04 . 04-05-24 18:26    198,144   --a------   C:\WINNT\system32\LEX2KUSB.DLL
2008-02-25 10:04 . 04-05-24 18:22    174,592   --a------   C:\WINNT\system32\LEXPPS.EXE
2008-02-25 10:04 . 04-05-24 18:22    147,456   --a------   C:\WINNT\system32\LEXBCE.DLL
2008-02-25 10:04 . 06-03-28 10:29    73,728   --a------   C:\WINNT\system32\lxdapwr.dll
2008-02-25 10:04 . 08-02-28 10:10    252   --a------   C:\WINNT\LEXSTAT.INI
2008-02-25 10:03 . 08-02-25 10:03    <DIR>   d--------   C:\Program Files\Lexmark 640 Series
2008-02-25 10:03 . 97-04-18 11:52    298,496   --a------   C:\WINNT\unin0415.exe
2008-02-25 10:02 . 03-06-19 12:05    21,872   --a------   C:\WINNT\system32\drivers\usbprint.sys
2008-02-25 10:02 . 03-06-19 12:05    21,872   --a--c---   C:\WINNT\system32\dllcache\usbprint.sys
2008-02-24 15:55 . 08-02-24 17:50    <DIR>   d--------   C:\Documents and Settings\Thunderas\Dane aplikacji\GanymedeNet
2008-02-24 14:22 . 08-03-01 11:06    172   --a------   C:\ASWL2K.ini
2008-02-16 08:28 . 08-02-16 08:28    <DIR>   d--------   C:\Documents and Settings\Administrator\Phone Browser
2008-02-16 08:28 . 08-02-16 08:28    <DIR>   d--------   C:\Documents and Settings\Administrator\Dane aplikacji\PC Suite
2008-02-15 19:31 . 08-03-01 16:53    <DIR>   d--------   C:\Documents and Settings\Thunderas\Dane aplikacji\OpenOffice.org2
2008-02-15 14:49 . 08-02-28 10:14    <DIR>   d--------   C:\Program Files\Common Files\Adobe
2008-02-15 13:02 . 08-02-27 16:59    <DIR>   d--------   C:\Documents and Settings\Thunderas\Dane aplikacji\Nokia Multimedia Player
2008-02-15 12:58 . 08-02-15 12:58    <DIR>   d--------   C:\Program Files\DIFX

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-15 12:06   58,000   ----a-w   C:\WINNT\system32\drivers\cdr4_2K.sys
2008-02-15 12:06   57,344   ----a-w   C:\WINNT\uneng.exe
2008-02-15 12:06   49,152   ----a-w   C:\WINNT\system32\cdrtc.dll
2008-02-15 12:06   45,056   ----a-w   C:\WINNT\system32\cdral.dll
2008-02-15 12:06   23,420   ----a-w   C:\WINNT\system32\drivers\cdralw2k.sys
2008-02-14 14:47   892,928   ----a-w   C:\WINNT\system32\iconv.dll
2008-02-14 14:46   921,600   ----a-w   C:\WINNT\system32\vorbisenc.dll
2008-02-14 14:46   9,216   ----a-w   C:\WINNT\system32\cpuinf32.dll
2008-02-14 14:46   524,288   ----a-w   C:\WINNT\system32\DivXsm.exe
2008-02-14 14:46   45,056   ----a-w   C:\WINNT\system32\ogg.dll
2008-02-14 14:46   245,760   ----a-w   C:\WINNT\system32\mplvpx.dll
2008-02-14 14:46   237,568   ----a-w   C:\WINNT\system32\OggDS.dll
2008-02-14 14:46   188,416   ----a-w   C:\WINNT\system32\vorbis.dll
2008-02-14 14:46   1,559,040   ----a-w   C:\WINNT\system32\xvidcore.dll
2008-02-14 14:46   1,415,680   ----a-w   C:\WINNT\system32\WMV9VCM.dll
2008-02-14 11:49   ---------   d-----w   C:\Program Files\microsoft frontpage
2008-02-14 11:48   271   ---h--w   C:\Program Files\desktop.ini
2008-02-14 11:48   22,039   ---h--w   C:\Program Files\folder.htt
2008-02-14 11:47   ---------   d-----w   C:\Program Files\Accessories
2000-03-20 23:00   32,528   ----a-w   C:\WINNT\inf\wbfirdma.sys
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Komunikator"="D:\Tlen.pl\tlen.exe" [07-09-27 11:43  6226432]
"DAEMON Tools Lite"="D:\DAEMON Tools\daemon.exe" [08-01-17 16:51  486856]
"DOpus"="D:\Directory Opus\dopus.exe" [06-06-26 05:46  5261232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="C:\WINNT\UpdReg.EXE" [00-05-11 01:00  90112]
"Control Center"="C:\Program Files\ASUS\WLAN Card Utilities\Center.exe" [06-08-15 15:48  1696256]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [07-09-25 01:11  132496]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [08-02-16 08:29  249896]
"Rapget"="D:\rapget136_(www.programosy.pl)\rapget136\rapget.exe" [07-10-07 18:51  171008]
"Synchronization Manager"="mobsync.exe" [03-06-19 10:05  111888 C:\WINNT\system32\mobsync.exe]
"snpstd3"="C:\WINNT\vsnpstd3.exe" [05-01-14 11:00  339968]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="D:\Nokia\Nokia PC Suite 6\PcSync2.exe" [07-06-19 10:17  1241088]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 10:05  188688]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{3CF9ECE0-1A9F-11D2-8C73-00C06C2005DE}"= D:\Directory Opus\dopuslib.dll [06-06-20 07:00  489400]

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon]
"shell"="D:\\Aston\\aston.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17Helper]
-ra------ 05-05-03 11:38  64512 C:\WINNT\system32\P17.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--------- 07-06-18 15:10  271360 D:\Nokia\Nokia PC Suite 6\LaunchApplication.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 05-03-24 19:20  77824 C:\WINNT\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Synchronization Manager]
--a------ 03-06-19 10:05  111888 C:\WINNT\system32\mobsync.exe

R0 avgntmgr;avgntmgr;C:\WINNT\system32\DRIVERS\avgntmgr.sys [07-07-18 14:21 ]
R1 avgntdd;avgntdd;C:\WINNT\system32\DRIVERS\avgntdd.sys [07-08-09 13:03 ]
R3 ASNDIS5;ASNDIS5 Protocol Driver;C:\WINNT\system32\ASNDIS5.SYS [02-09-09 19:54 ]
R3 usbhub20;Obsługa koncentratora USB;C:\WINNT\system32\DRIVERS\usbhub20.sys [03-06-19 11:05 ]
S3 viafilter;VIA USB Filter;C:\WINNT\system32\Drivers\viausb.sys [04-06-14 16:52 ]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-01 19:04:28
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-01 19:04:46
ComboFix-quarantined-files.txt  2008-03-01 19:04:45
ComboFix2.txt  2008-03-01 10:22:37


i hijackthis

Kod: Zaznacz wszystko

Logfile of HijackThis v1.99.1
Scan saved at 19:16:19, on 2008-03-01
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
D:\Aston\aston.exe
C:\Program Files\ASUS\WLAN Card Utilities\Center.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
D:\rapget136_(www.programosy.pl)\rapget136\rapget.exe
C:\WINNT\vsnpstd3.exe
C:\WINNT\system32\lexpps.exe
D:\DAEMON Tools\daemon.exe
D:\Directory Opus\dopus.exe
C:\WINNT\system32\stisvc.exe
D:\Opera\Opera.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
D:\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Acrobat\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Tłumaczenie - {0D704FAD-66E9-4F0A-BFED-4F665770DDB3} - C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [Control Center] C:\Program Files\ASUS\WLAN Card Utilities\Center.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Rapget] D:\rapget136_(www.programosy.pl)\rapget136\rapget.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [snpstd3] C:\WINNT\vsnpstd3.exe
O4 - HKCU\..\Run: [Komunikator] D:\Tlen.pl\tlen.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "D:\DAEMON Tools\daemon.exe" -autorun
O4 - HKCU\..\Run: [DOpus] D:\Directory Opus\dopus.exe
O8 - Extra context menu item: Download with Rapget - D:\rapget136_(www.programosy.pl)\rapget136\rapget.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {B46B0919-62BA-4D99-A5C4-916B57A6805C} - C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll,-103 - {B46B0919-62BA-4D99-A5C4-916B57A6805C} - C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ASWLSVC - Unknown owner - C:\WINNT\system32\ASWLSVC.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: Usługa administracyjna Menedżera dysków logicznych (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe



I jak to teraz wygląda?

[wojtas]

C:\WINNT\system32\copier_run.reg
C:\WINNT\system\NoChangeWallp.reg
C:\WINNT\system32\perm.reg
C:\WINNT\system\NoClose_current.reg
C:\WINNT\system\wallpaper_cur.reg

skasuj te pliki i daj nowego loga

[Thunderas]

Pliki poszły w kosmos.
Log z hijackthis

Kod: Zaznacz wszystko

Logfile of HijackThis v1.99.1
Scan saved at 20:29:21, on 2008-03-01
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
D:\Aston\aston.exe
C:\Program Files\ASUS\WLAN Card Utilities\Center.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINNT\vsnpstd3.exe
C:\WINNT\system32\lexpps.exe
D:\DAEMON Tools\daemon.exe
D:\Directory Opus\dopus.exe
C:\WINNT\system32\stisvc.exe
D:\Opera\Opera.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
D:\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Acrobat\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Tłumaczenie - {0D704FAD-66E9-4F0A-BFED-4F665770DDB3} - C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [Control Center] C:\Program Files\ASUS\WLAN Card Utilities\Center.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Rapget] D:\rapget136_(www.programosy.pl)\rapget136\rapget.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [snpstd3] C:\WINNT\vsnpstd3.exe
O4 - HKCU\..\Run: [Komunikator] D:\Tlen.pl\tlen.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "D:\DAEMON Tools\daemon.exe" -autorun
O4 - HKCU\..\Run: [DOpus] D:\Directory Opus\dopus.exe
O8 - Extra context menu item: Download with Rapget - D:\rapget136_(www.programosy.pl)\rapget136\rapget.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {B46B0919-62BA-4D99-A5C4-916B57A6805C} - C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll,-103 - {B46B0919-62BA-4D99-A5C4-916B57A6805C} - C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ASWLSVC - Unknown owner - C:\WINNT\system32\ASWLSVC.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: Usługa administracyjna Menedżera dysków logicznych (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe



Kod: Zaznacz wszystko

ComboFix 08-03-01.3 - Thunderas 2008-03-01 20:30:31.3 - NTFSx86
Microsoft Windows 2000 Professional  5.0.2195.4.1250.1.1045.18.641 [GMT 0:00]
Running from: C:\ComboFix.exe

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.

(((((((((((((((((((((((((   Files Created from 2008-02-01 to 2008-03-01  )))))))))))))))))))))))))))))))
.

2008-03-01 19:03 . 08-03-01 19:03    1,579,712   --a------   C:\ComboFix.exe
2008-03-01 12:42 . 08-03-01 12:42    6,592   --a------   C:\WINNT\gwpreset.ini
2008-03-01 12:42 . 08-03-01 12:42    3,362   --a------   C:\WINNT\express.eqx
2008-03-01 12:42 . 08-03-01 12:45    514   --a------   C:\WINNT\goldwave.ini
2008-03-01 11:01 . 08-03-01 11:01    <DIR>   d--------   C:\WINNT\system32\Macromed
2008-03-01 10:14 . 08-03-01 10:14    <DIR>   d--------   C:\WINNT\ERUNT
2008-03-01 10:03 . 08-03-01 10:19    <DIR>   d--------   C:\SDFix
2008-03-01 10:00 . 08-03-01 10:01    1,312,321   --a------   C:\SDFix.exe
2008-03-01 09:53 . 07-09-24 23:31    69,632   --a------   C:\WINNT\system32\javacpl.cpl
2008-02-29 09:24 . 08-02-29 09:24    2,359,350   --a------   C:\captemp.bmp
2008-02-28 19:35 . 08-02-28 19:35    3,120   --a------   C:\WINNT\system32\TGPK3FPF.ocx
2008-02-28 14:27 . 01-03-13 14:51    1,066,176   --a------   C:\WINNT\system32\Mscomctl.ocx
2008-02-28 14:27 . 00-11-11 21:12    675,840   --a------   C:\WINNT\system32\_ISource2.dll
2008-02-28 14:27 . 00-05-22 01:00    608,448   --a------   C:\WINNT\system32\Comctl32.ocx
2008-02-28 14:27 . 04-04-19 10:41    284,373   --a------   C:\WINNT\system32\InnovaAlert2.ocx
2008-02-28 14:27 . 04-03-09 00:00    224,016   --a------   C:\WINNT\system32\Tabctl32.ocx
2008-02-28 14:27 . 04-03-09 00:00    132,880   --a------   C:\WINNT\system32\Msinet.ocx
2008-02-28 14:27 . 04-03-09 17:45    124,688   --a------   C:\WINNT\system32\mswinsck.ocx
2008-02-28 14:27 . 98-06-24 01:00    103,744   --a------   C:\WINNT\system32\Mscomm32.ocx
2008-02-28 14:27 . 99-06-08 19:44    18,432   --a------   C:\WINNT\system32\cm17a.ocx
2008-02-28 10:12 . 08-02-28 10:12    <DIR>   d--------   C:\WINNT\Cache
2008-02-27 23:42 . 08-02-27 23:42    <DIR>   d---s----   C:\Documents and Settings\Thunderas\UserData
2008-02-27 23:28 . 08-02-27 23:46    <DIR>   d--------   C:\Documents and Settings\All Users\Dane aplikacji\Spybot - Search & Destroy
2008-02-27 23:26 . 08-02-27 23:26    <DIR>   d--------   C:\Documents and Settings\Thunderas\Dane aplikacji\Lavasoft
2008-02-27 23:22 . 08-02-27 23:24    48   --a------   C:\WINNT\iltwain.ini
2008-02-27 23:01 . 04-09-12 22:55    663,552   --a------   C:\WINNT\system32\videocapx.ocx
2008-02-27 23:01 . 01-12-14 08:00    434,176   --a------   C:\WINNT\system32\WebX.ocx
2008-02-27 23:01 . 00-11-11 22:01    389,120   --a------   C:\WINNT\system32\ImgX4.dll
2008-02-27 23:01 . 01-03-13 15:49    140,288   --a------   C:\WINNT\system32\Comdlg32.ocx
2008-02-27 23:01 . 02-01-01 11:45    92,672   --a------   C:\WINNT\system32\See32.dll
2008-02-27 23:01 . 03-01-21 08:00    69,632   --a------   C:\WINNT\system32\CM11A.ocx
2008-02-27 23:01 . 03-01-27 16:26    57,856   --a------   C:\WINNT\system32\Fce32.dll
2008-02-27 23:01 . 03-01-27 16:26    57,856   --a------   C:\WINNT\Fce32.dll
2008-02-27 23:01 . 04-10-04 14:14    45,056   --a------   C:\WINNT\system32\offer.exe
2008-02-27 22:55 . 00-02-21 21:07    413,760   --a------   C:\WINNT\system32\MPG4C32.DLL
2008-02-27 22:49 . 08-02-27 22:57    16,384   --a----t-   C:\WINNT\system32\Perflib_Perfdata_368.dat
2008-02-27 22:42 . 00-03-09 00:35    258,320   --a------   C:\WINNT\system32\msh263.drv
2008-02-27 22:42 . 03-06-19 12:05    52,496   --a------   C:\WINNT\system32\vfwwdm32.dll
2008-02-27 22:42 . 03-06-19 12:05    52,496   --a--c---   C:\WINNT\system32\dllcache\vfwwdm32.dll
2008-02-27 22:42 . 00-03-09 00:34    45,840   --a------   C:\WINNT\system32\iyuv_32.dll
2008-02-27 22:42 . 00-03-09 00:34    45,840   --a--c---   C:\WINNT\system32\dllcache\iyuv_32.dll
2008-02-27 22:42 . 00-03-09 00:34    12,560   --a------   C:\WINNT\system32\tsbyuv.dll
2008-02-27 22:42 . 00-03-09 00:34    12,560   --a--c---   C:\WINNT\system32\dllcache\tsbyuv.dll
2008-02-27 22:37 . 08-02-27 22:37    <DIR>   d--------   C:\Program Files\Common Files\snpstd3
2008-02-27 22:37 . 05-04-14 17:23    472,960   --a------   C:\WINNT\system32\drivers\snpstd3.sys
2008-02-27 22:37 . 05-01-14 11:00    339,968   --a------   C:\WINNT\vsnpstd3.exe
2008-02-27 22:37 . 04-08-09 17:43    94,208   --a------   C:\WINNT\amcap.exe
2008-02-27 22:37 . 04-02-16 13:59    61,440   --a------   C:\WINNT\system32\csnpstd3.dll
2008-02-27 22:37 . 05-02-01 13:45    57,344   --a------   C:\WINNT\system32\rsnpstd3.dll
2008-02-27 22:37 . 04-11-25 12:59    36,864   --a------   C:\WINNT\system32\vsnpstd3.dll
2008-02-27 22:37 . 05-04-14 17:31    36,864   --a------   C:\WINNT\system32\dsnpstd3.ax
2008-02-27 22:37 . 04-12-08 18:40    20,480   --a------   C:\WINNT\usnpstd3.exe
2008-02-27 22:37 . 04-02-27 17:36    15,498   --a------   C:\WINNT\snpstd3.ini
2008-02-27 22:37 . 04-02-27 17:36    13,023   --a------   C:\WINNT\snpstd3.src
2008-02-27 14:04 . 06-08-29 14:56    32,377   --a------   C:\WINNT\system32\drivers\prodigy.sys
2008-02-27 13:57 . 08-02-27 13:57    <DIR>   d--------   C:\Program Files\Nokia
2008-02-27 13:57 . 08-02-27 13:57    <DIR>   d--------   C:\Documents and Settings\All Users\Dane aplikacji\Nokia
2008-02-26 22:20 . 08-02-26 22:20    <DIR>   d--------   C:\Program Files\Techland
2008-02-26 22:14 . 08-02-26 22:15    <DIR>   d--h-----   C:\WINNT\msdownld.tmp
2008-02-26 19:45 . 08-02-26 19:45    145,408   --a------   C:\WINNT\system32\msconfig.exe
2008-02-26 15:44 . 99-09-25 03:17    18,704   --a------   C:\WINNT\system32\drivers\RTL8139.sys
2008-02-26 15:44 . 99-09-25 03:17    18,704   --a--c---   C:\WINNT\system32\dllcache\rtl8139.sys
2008-02-26 00:15 . 07-02-21 02:11    68,888   --a------   C:\WINNT\system32\xinput1_3.dll
2008-02-25 19:10 . 08-02-25 19:10    <DIR>   d--------   C:\Program Files\Common Files\PCSuite
2008-02-25 19:10 . 08-02-27 13:57    <DIR>   d--------   C:\Program Files\Common Files\Nokia
2008-02-25 19:10 . 08-03-01 12:49    <DIR>   d--------   C:\Documents and Settings\Thunderas\Dane aplikacji\Nokia
2008-02-25 19:09 . 08-02-25 19:09    <DIR>   d--------   C:\Program Files\PC Connectivity Solution
2008-02-25 19:08 . 07-02-22 11:15    137,216   --a------   C:\WINNT\system32\drivers\nmwcd.sys
2008-02-25 19:08 . 07-02-22 11:15    90,624   --a------   C:\WINNT\system32\nmwcdcls.dll
2008-02-25 19:08 . 07-02-22 11:15    65,536   --a------   C:\WINNT\system32\nmwcdcocls.dll
2008-02-25 19:08 . 07-02-22 11:15    12,288   --a------   C:\WINNT\system32\drivers\nmwcdcm.sys
2008-02-25 19:08 . 07-02-22 11:15    12,288   --a------   C:\WINNT\system32\drivers\nmwcdcj.sys
2008-02-25 19:08 . 07-02-22 11:15    8,320   --a------   C:\WINNT\system32\drivers\nmwcdc.sys
2008-02-25 19:07 . 08-02-25 19:07    <DIR>   d--------   C:\Documents and Settings\All Users\Dane aplikacji\Installations
2008-02-25 18:58 . 08-02-25 19:13    <DIR>   d--hs----   C:\Documents and Settings\Thunderas\Phone Browser
2008-02-25 10:04 . 04-05-24 18:23    311,296   --a------   C:\WINNT\system32\LEXBCES.EXE
2008-02-25 10:04 . 04-05-24 18:21    201,216   --a------   C:\WINNT\system32\LEXP2P32.DLL
2008-02-25 10:04 . 04-05-24 18:42    200,704   --a------   C:\WINNT\system32\lexlmpm.dll
2008-02-25 10:04 . 04-05-24 18:26    198,144   --a------   C:\WINNT\system32\LEX2KUSB.DLL
2008-02-25 10:04 . 04-05-24 18:22    174,592   --a------   C:\WINNT\system32\LEXPPS.EXE
2008-02-25 10:04 . 04-05-24 18:22    147,456   --a------   C:\WINNT\system32\LEXBCE.DLL
2008-02-25 10:04 . 06-03-28 10:29    73,728   --a------   C:\WINNT\system32\lxdapwr.dll
2008-02-25 10:04 . 08-02-28 10:10    252   --a------   C:\WINNT\LEXSTAT.INI
2008-02-25 10:03 . 08-02-25 10:03    <DIR>   d--------   C:\Program Files\Lexmark 640 Series
2008-02-25 10:03 . 97-04-18 11:52    298,496   --a------   C:\WINNT\unin0415.exe
2008-02-25 10:02 . 03-06-19 12:05    21,872   --a------   C:\WINNT\system32\drivers\usbprint.sys
2008-02-25 10:02 . 03-06-19 12:05    21,872   --a--c---   C:\WINNT\system32\dllcache\usbprint.sys
2008-02-24 15:55 . 08-02-24 17:50    <DIR>   d--------   C:\Documents and Settings\Thunderas\Dane aplikacji\GanymedeNet
2008-02-24 14:22 . 08-03-01 11:06    172   --a------   C:\ASWL2K.ini
2008-02-16 08:28 . 08-02-16 08:28    <DIR>   d--------   C:\Documents and Settings\Administrator\Phone Browser
2008-02-16 08:28 . 08-02-16 08:28    <DIR>   d--------   C:\Documents and Settings\Administrator\Dane aplikacji\PC Suite
2008-02-15 19:31 . 08-03-01 16:53    <DIR>   d--------   C:\Documents and Settings\Thunderas\Dane aplikacji\OpenOffice.org2
2008-02-15 14:49 . 08-02-28 10:14    <DIR>   d--------   C:\Program Files\Common Files\Adobe
2008-02-15 13:02 . 08-02-27 16:59    <DIR>   d--------   C:\Documents and Settings\Thunderas\Dane aplikacji\Nokia Multimedia Player
2008-02-15 12:58 . 08-02-15 12:58    <DIR>   d--------   C:\Program Files\DIFX
2008-02-15 12:55 . 08-02-15 13:03    <DIR>   d--------   C:\Documents and Settings\Thunderas\Dane aplikacji\PC Suite
2008-02-15 12:55 . 08-02-29 09:33    <DIR>   d--------   C:\Documents and Settings\All Users\Dane aplikacji\PC Suite
2008-02-15 12:54 . 08-02-25 19:09    <DIR>   d----c---   C:\WINNT\system32\DRVSTORE
2008-02-15 12:54 . 08-02-25 19:09    <DIR>   d--------   C:\Documents and Settings\All Users\Dane aplikacji\Downloaded Installations
2008-02-15 12:09 . 08-03-01 16:14    116   --a------   C:\WINNT\NeroDigital.ini

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-15 12:06   58,000   ----a-w   C:\WINNT\system32\drivers\cdr4_2K.sys
2008-02-15 12:06   57,344   ----a-w   C:\WINNT\uneng.exe
2008-02-15 12:06   49,152   ----a-w   C:\WINNT\system32\cdrtc.dll
2008-02-15 12:06   45,056   ----a-w   C:\WINNT\system32\cdral.dll
2008-02-15 12:06   23,420   ----a-w   C:\WINNT\system32\drivers\cdralw2k.sys
2008-02-14 14:47   892,928   ----a-w   C:\WINNT\system32\iconv.dll
2008-02-14 14:46   921,600   ----a-w   C:\WINNT\system32\vorbisenc.dll
2008-02-14 14:46   9,216   ----a-w   C:\WINNT\system32\cpuinf32.dll
2008-02-14 14:46   524,288   ----a-w   C:\WINNT\system32\DivXsm.exe
2008-02-14 14:46   45,056   ----a-w   C:\WINNT\system32\ogg.dll
2008-02-14 14:46   245,760   ----a-w   C:\WINNT\system32\mplvpx.dll
2008-02-14 14:46   237,568   ----a-w   C:\WINNT\system32\OggDS.dll
2008-02-14 14:46   188,416   ----a-w   C:\WINNT\system32\vorbis.dll
2008-02-14 14:46   1,559,040   ----a-w   C:\WINNT\system32\xvidcore.dll
2008-02-14 14:46   1,415,680   ----a-w   C:\WINNT\system32\WMV9VCM.dll
2008-02-14 11:49   ---------   d-----w   C:\Program Files\microsoft frontpage
2008-02-14 11:48   271   ---h--w   C:\Program Files\desktop.ini
2008-02-14 11:48   22,039   ---h--w   C:\Program Files\folder.htt
2008-02-14 11:47   ---------   d-----w   C:\Program Files\Accessories
2000-03-20 23:00   32,528   ----a-w   C:\WINNT\inf\wbfirdma.sys
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Komunikator"="D:\Tlen.pl\tlen.exe" [07-09-27 11:43  6226432]
"DAEMON Tools Lite"="D:\DAEMON Tools\daemon.exe" [08-01-17 16:51  486856]
"DOpus"="D:\Directory Opus\dopus.exe" [06-06-26 05:46  5261232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="C:\WINNT\UpdReg.EXE" [00-05-11 01:00  90112]
"Control Center"="C:\Program Files\ASUS\WLAN Card Utilities\Center.exe" [06-08-15 15:48  1696256]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [07-09-25 01:11  132496]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [08-02-16 08:29  249896]
"Rapget"="D:\rapget136_(www.programosy.pl)\rapget136\rapget.exe" [07-10-07 18:51  171008]
"Synchronization Manager"="mobsync.exe" [03-06-19 10:05  111888 C:\WINNT\system32\mobsync.exe]
"snpstd3"="C:\WINNT\vsnpstd3.exe" [05-01-14 11:00  339968]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="D:\Nokia\Nokia PC Suite 6\PcSync2.exe" [07-06-19 10:17  1241088]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 10:05  188688]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{3CF9ECE0-1A9F-11D2-8C73-00C06C2005DE}"= D:\Directory Opus\dopuslib.dll [06-06-20 07:00  489400]

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon]
"shell"="D:\\Aston\\aston.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17Helper]
-ra------ 05-05-03 11:38  64512 C:\WINNT\system32\P17.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--------- 07-06-18 15:10  271360 D:\Nokia\Nokia PC Suite 6\LaunchApplication.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 05-03-24 19:20  77824 C:\WINNT\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Synchronization Manager]
--a------ 03-06-19 10:05  111888 C:\WINNT\system32\mobsync.exe

R0 avgntmgr;avgntmgr;C:\WINNT\system32\DRIVERS\avgntmgr.sys [07-07-18 14:21 ]
R1 avgntdd;avgntdd;C:\WINNT\system32\DRIVERS\avgntdd.sys [07-08-09 13:03 ]
R3 ASNDIS5;ASNDIS5 Protocol Driver;C:\WINNT\system32\ASNDIS5.SYS [02-09-09 19:54 ]
R3 usbhub20;Obsługa koncentratora USB;C:\WINNT\system32\DRIVERS\usbhub20.sys [03-06-19 11:05 ]
S3 viafilter;VIA USB Filter;C:\WINNT\system32\Drivers\viausb.sys [04-06-14 16:52 ]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-01 20:30:58
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-01 20:31:15
ComboFix-quarantined-files.txt  2008-03-01 20:31:14
ComboFix2.txt  2008-03-01 19:04:47
ComboFix3.txt  2008-03-01 10:22:37


[wojtas]

przeskanuj ten plik"

C:\WINNT\system32\offer.exe

jak sytuacja z kompem?

[Thunderas]

Plik przeskanowany.
jednak cos siedzi tam skasować go, czy odzyskac z płyty systemowej?
cześć raportu

Kod: Zaznacz wszystko

Avast - - -
BitDefender - - -
CAT-QuickHeal - - (Suspicious) - DNAScan
ClamAV - - -
DrWeb - - -


Sytuacja z kompem spoko bez jakis dziwnych efektów i innych objawów.

[wojtas]

wg. tej strony:

http://www.spywaredata.com/spyware/malware/see32.dll.php

2008-02-27 23:01 . 04-09-12 22:55 663,552 --a------ C:\WINNT\system32\videocapx.ocx
2008-02-27 23:01 . 01-12-14 08:00 434,176 --a------ C:\WINNT\system32\WebX.ocx
2008-02-27 23:01 . 00-11-11 22:01 389,120 --a------ C:\WINNT\system32\ImgX4.dll
2008-02-27 23:01 . 01-03-13 15:49 140,288 --a------ C:\WINNT\system32\Comdlg32.ocx
2008-02-27 23:01 . 02-01-01 11:45 92,672 --a------ C:\WINNT\system32\See32.dll
2008-02-27 23:01 . 03-01-21 08:00 69,632 --a------ C:\WINNT\system32\CM11A.ocx
2008-02-27 23:01 . 03-01-27 16:26 57,856 --a------ C:\WINNT\system32\Fce32.dll
2008-02-27 23:01 . 03-01-27 16:26 57,856 --a------ C:\WINNT\Fce32.dll
2008-02-27 23:01 . 04-10-04 14:14 45,056 --a------ C:\WINNT\system32\offer.exe

pogrubiony plik jest syfem i te pliki powstały wraz z nim o tej samej godzinie ... i nie wiem własnie co to jest

[Dzi@dek]

The see32.dll file is installed and used by iOpusEmailLogger

Zapodaj sobie skana on-line

http://skaner.mks.com.pl/skaner.html
http://www.kaspersky.pl/virusscanner.html
http://www.drweb32.pl/

Najlepiej na IE ( tak sobie życzą )

[Thunderas]

Oki więc tak, system przeskanowany tymi on-line
Raporty wyglądadaja tak:
http://skaner.mks.com.pl/skaner.html wykazał, że czysto
http://www.kaspersky.pl/virusscanner.html wykopał kilka "śmieci" oto log

Kod: Zaznacz wszystko

KASPERSKY ONLINE SCANNER REPORTKASPERSKY ONLINE SCANNER REPORT
      2 marzec 2008 12:08:23
      System operacyjny: Microsoft Windows 2000 Professional, Service Pack 4
      (Build 2195)
      Kaspersky Online Scanner wersja: 5.0.98.0
      Ostatnia aktualizacja Kaspersky Anti-Virus 2/03/2008
      Liczba wpisów w bazie danych Kaspersky Anti-Virus593485


      Ustawienia skanowania
      Skanowanie przy użyciu następujących baz danychrozszerzone
      Skanuj archiwatak
      Skanuj pocztowe bazy danychtak

      Obszar skanowaniaMój komputer
      C:\
      D:\
      E:\
      F:\
      G:\
      H:\
      I:\
      J:\
      K:\
      N:\
      X:\
      Y:\
      Z:\

      Statystyki skanowania
      Liczba skanowanych obiektów70393
      Liczba wykrytych wirusów2
      Liczba zainfekowanych obiektów5
      Liczba podejrzanych obiektów0
      Czas trwania skanowania01:08:05

      Nazwa zainfekowanego obiektuNazwa wirusaOstatnie działanie
      C:\Documents and Settings\Thunderas\Cookies\index.dat Object is locked
      pominięty

      C:\Documents and Settings\Thunderas\Dane
      aplikacji\Tlen.pl\Profiles\thunderas\DataBase\chats.dat Object is locked
      pominięty

      C:\Documents and Settings\Thunderas\Dane
      aplikacji\Tlen.pl\Profiles\thunderas\DataBase\chats.idx Object is locked
      pominięty

      C:\Documents and Settings\Thunderas\NTUSER.DAT Object is locked pominięty

      C:\Documents and Settings\Thunderas\NTUSER.dat.LOG Object is locked
      pominięty

      C:\Documents and Settings\Thunderas\Ustawienia lokalne\Dane
      aplikacji\Microsoft\Windows\UsrClass.dat Object is locked pominięty

      C:\Documents and Settings\Thunderas\Ustawienia lokalne\Dane
      aplikacji\Microsoft\Windows\UsrClass.dat.LOG Object is locked pominięty

      C:\Documents and Settings\Thunderas\Ustawienia
      lokalne\Historia\History.IE5\index.dat Object is locked pominięty

      C:\Documents and Settings\Thunderas\Ustawienia
      lokalne\Temp\hsperfdata_Thunderas\664 Object is locked pominięty

      C:\Documents and Settings\Thunderas\Ustawienia lokalne\Temporary Internet
      Files\Content.IE5\index.dat Object is locked pominięty

      C:\mksbasel.cpp.log Object is locked pominięty

      C:\WINNT\CSC\00000001 Object is locked pominięty

      C:\WINNT\Debug\ipsecpa.log Object is locked pominięty

      C:\WINNT\Debug\oakley.log Object is locked pominięty

      C:\WINNT\Debug\PASSWD.LOG Object is locked pominięty

      C:\WINNT\security\logs\scepol.log Object is locked pominięty

      C:\WINNT\SoftwareDistribution\DataStore\DataStore.edb Object is locked
      pominięty

      C:\WINNT\SoftwareDistribution\DataStore\Logs\edb.log Object is locked
      pominięty

      C:\WINNT\SoftwareDistribution\DataStore\Logs\tmp.edb Object is locked
      pominięty

      C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked
      pominięty

      C:\WINNT\Sti_Trace.log Object is locked pominięty

      C:\WINNT\system32\CatRoot\SYSMAST.cbd Object is locked pominięty

      C:\WINNT\system32\CatRoot\SYSMAST.cbk Object is locked pominięty

      C:\WINNT\system32\CatRoot\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\CATMAST.cbd
      Object is locked pominięty

      C:\WINNT\system32\CatRoot\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\CATMAST.cbk
      Object is locked pominięty

      C:\WINNT\system32\config\AppEvent.Evt Object is locked pominięty

      C:\WINNT\system32\config\default Object is locked pominięty

      C:\WINNT\system32\config\default.LOG Object is locked pominięty

      C:\WINNT\system32\config\SAM Object is locked pominięty

      C:\WINNT\system32\config\SAM.LOG Object is locked pominięty

      C:\WINNT\system32\config\SecEvent.Evt Object is locked pominięty

      C:\WINNT\system32\config\SECURITY Object is locked pominięty

      C:\WINNT\system32\config\SECURITY.LOG Object is locked pominięty

      C:\WINNT\system32\config\software Object is locked pominięty

      C:\WINNT\system32\config\software.LOG Object is locked pominięty

      C:\WINNT\system32\config\SysEvent.Evt Object is locked pominięty

      C:\WINNT\system32\config\system Object is locked pominięty

      C:\WINNT\system32\config\SYSTEM.ALT Object is locked pominięty

      C:\WINNT\system32\drivers\sptd.sys Object is locked pominięty

      C:\WINNT\WindowsUpdate.log Object is locked pominięty

      D:\Opera\mail\indexer\indexer.dat Object is locked pominięty

      D:\Opera\mail\lexicon\lexicon.dat Object is locked pominięty

      D:\Opera\mail\mailbase.dat Object is locked pominięty

      E:\Nokia n95\Aplikacje\ultramp3keygen.zip/keygen.exe/9 Zainfekowanych:
      Trojan-Spy.Win32.Delf.bcn pominięty

      E:\Nokia n95\Aplikacje\ultramp3keygen.zip/keygen.exe Zainfekowanych:
      Trojan-Spy.Win32.Delf.bcn pominięty

      E:\Nokia n95\Aplikacje\ultramp3keygen.zip ZIP: zainfekowany - 2 pominięty

      F:\vdownloader.zip/VDownloader.exe Zainfekowanych:
      not-a-virus:Downloader.Win32.VDown.a pominięty

      F:\vdownloader.zip ZIP: zainfekowany - 1 pominięty

      Skanowanie zostało przerwane przez użytkownika


http://www.drweb32.pl/ Plik see32.dll jest czysty.
To co z tamtymi zrobić? To poza partycja c: oczywiście wykasować a reszta na systemowej?

[wojtas]

tylko jakies keygeny wygrywa jako wirusy. zostaw tamte pliki

Autor postu otrzymał pochwałę

[Thunderas]

Oki dzieki to tamte pliki ida w kosnow a reszte zostawiam
Dzięki za pomoc

[Dzi@dek]

Wyłącz i włącz przywracanie systemu jeśli masz włączone.

[Thunderas]

Wyłącz i włącz przywracanie systemu

Takiej usługi nie ma w win2k i bardzo dobrze
Takze spokojnie moge sobie juz kompa dalej męczyć ale jednak trzeba sie pilnować.