Zainfekowany komputer

[raiylo]

No panowie wyglada na to, ze pierwszy raz od dluzszego czasu cos mi wlazlo do PC i niezle nabroilo. Sciagnalem film torrentem, avast wywalil monit o zagrozeniu wiec przerwalem dzialanie i wyszedlem z domu, z koniecznosci. Dzisiaj po uruchomieniu systemu juz mam niesamowite problemy ze stabilnoscia systemu.

Programy dzialaja tragicznie, zamykaja sie i otwieraja nieoczekiwanie. Avast wykryl i wywalil kilkanascie zainfekowanych plikow, to jednak nie na wiele sie zdalo, zadnych widocznych rezultatow. ComboFix wykryl zainfekowanie typu rootkit. Pomozcie w miare mozliwosci ;p

ComboFix:

Kod: Zaznacz wszystko

ComboFix 08-12-14.04 - Tomek Ostrowski 2008-12-15 14:57:50.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1250.1.1045.18.1023.724 [GMT 1:00]
Uruchomiony z: c:\documents and settings\Tomek Ostrowski\Pulpit\ComboFix.exe

[COLOR=RED][B]UWAGA - TEN KOMPUTER NIE MA ZAINSTALOWANEJ KONSOLI ODZYSKIWANIA !![/B][/COLOR]
.

(((((((((((((((((((((((((((((((((((((((   Usunięto   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
c:\program files\Mozilla Firefox\components\iamfamous.dll
C:\resycled
c:\windows\system32\drivers\msqpdxmqltoixh.sys
c:\windows\system32\h@tkeysh@@k.dll
c:\windows\system32\msqpdxosvdbrsr.dll
D:\Autorun.inf
D:\resycled

.
(((((((((((((((((((((((((((((((((((((((   Sterowniki/Usługi   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_MSQPDXSERV.SYS
-------\Legacy_MSQPDXSERV.SYS
-------\Legacy_icf


(((((((((((((((((((((((((   Pliki utworzone od 2008-11-15 do 2008-12-15  )))))))))))))))))))))))))))))))
.

2008-12-15 09:05 . 2008-12-15 09:05   160   --a------   C:\log.udt
2008-12-15 08:58 . 2008-12-15 08:58   188,416   --a------   c:\windows\system32\hackhound.exe
2008-12-15 08:58 . 2008-12-15 15:00   93,420   --a------   c:\windows\system32\drivers\8619261b.sys
2008-12-14 22:28 . 2008-12-14 22:33   <DIR>   d--------   c:\program files\uTorrent
2008-12-14 22:28 . 2008-12-15 09:02   <DIR>   d--------   c:\documents and settings\Tomek Ostrowski\Dane aplikacji\uTorrent
2008-12-14 20:26 . 2008-12-14 20:26   <DIR>   d--------   c:\program files\Nuclear Coffee
2008-12-14 12:50 . 2008-12-14 12:50   <DIR>   d--------   c:\windows\system32\Adobe
2008-12-13 22:34 . 2008-12-13 22:34   <DIR>   d--------   c:\program files\SopCast
2008-12-13 22:24 . 2008-12-13 22:24   <DIR>   d--------   c:\program files\SopFilter
2008-12-13 13:15 . 2008-12-13 13:15   <DIR>   d--------   c:\program files\FileZilla FTP Client
2008-12-12 21:02 . 2008-12-12 21:02   <DIR>   d--------   c:\program files\MSXML 4.0
2008-12-11 18:26 . 2008-12-11 18:26   <DIR>   d--------   c:\program files\NewSoft
2008-12-11 18:26 . 2008-12-11 18:26   <DIR>   d--------   c:\program files\Common Files\NewSoft
2008-12-11 18:26 . 2008-12-11 18:26   <DIR>   d--------   c:\documents and settings\Tomek Ostrowski\Dane aplikacji\ScanSoft
2008-12-11 18:26 . 2008-12-11 18:26   <DIR>   d--------   c:\documents and settings\All Users\Dane aplikacji\Newsoft
2008-12-11 18:26 . 2008-12-11 18:26   1,846   --a------   c:\windows\if42le.ini
2008-12-11 18:26 . 2008-12-11 18:26   308   --a------   c:\windows\Pexplore.ini
2008-12-11 18:18 . 2008-04-13 19:47   25,856   --a------   c:\windows\system32\drivers\usbprint.sys
2008-12-11 18:18 . 2008-04-13 19:47   25,856   --a--c---   c:\windows\system32\dllcache\usbprint.sys
2008-12-11 18:18 . 2008-12-11 18:18   404   --a------   c:\windows\BRWMARK.INI
2008-12-11 18:18 . 2008-12-11 18:18   27   --a------   c:\windows\BRPP2KA.INI
2008-12-11 18:10 . 2008-12-11 18:10   <DIR>   d--------   c:\program files\Brother
2008-12-11 18:09 . 2008-12-11 18:09   <DIR>   d--------   c:\program files\Nuance
2008-12-11 18:09 . 2008-12-11 18:09   <DIR>   d--------   c:\documents and settings\Tomek Ostrowski\Dane aplikacji\InstallShield
2008-12-11 18:08 . 2008-12-11 18:08   <DIR>   d--------   c:\program files\ScanSoft
2008-12-11 18:08 . 2008-12-11 18:08   <DIR>   d--------   c:\program files\Common Files\ScanSoft Shared
2008-12-11 18:08 . 2008-12-11 18:08   <DIR>   d--------   c:\documents and settings\All Users\Dane aplikacji\ScanSoft
2008-12-11 18:08 . 2008-12-11 18:08   <DIR>   d--------   c:\documents and settings\All Users\Dane aplikacji\InstallShield
2008-12-11 18:08 . 2006-10-24 15:34   31,567   --a------   c:\windows\maxlink.ini
2008-12-11 18:07 . 2008-12-11 18:07   <DIR>   d--------   c:\documents and settings\All Users\Dane aplikacji\Brother
2008-12-08 19:29 . 2008-12-10 21:35   <DIR>   d--------   c:\program files\Spybot - Search & Destroy
2008-12-08 19:29 . 2008-12-15 09:00   <DIR>   d--------   c:\documents and settings\All Users\Dane aplikacji\Spybot - Search & Destroy
2008-12-07 20:58 . 2008-04-13 19:45   32,128   --a------   c:\windows\system32\drivers\usbccgp.sys
2008-12-07 20:58 . 2008-04-13 19:45   32,128   --a--c---   c:\windows\system32\dllcache\usbccgp.sys
2008-12-07 20:58 . 2008-04-13 19:45   26,368   --a--c---   c:\windows\system32\dllcache\usbstor.sys
2008-12-05 09:51 . 2008-12-05 09:51   427   --a------   c:\windows\ODBC.INI
2008-12-05 09:48 . 2008-12-05 09:48   <DIR>   d--------   c:\windows\ShellNew
2008-12-05 09:46 . 2008-12-05 09:46   <DIR>   d--------   c:\documents and settings\Tomek Ostrowski\Dane aplikacji\Microsoft Web Folders
2008-12-03 15:57 . 2008-12-03 15:57   <DIR>   d--------   c:\program files\Net Equities
2008-12-03 15:57 . 2008-12-03 15:57   720   --a------   c:\windows\Nteqeefp32.dll
2008-12-03 15:37 . 2008-12-08 19:23   <DIR>   d--------   c:\program files\eMule
2008-12-02 12:56 . 2008-12-02 12:56   <DIR>   d--------   c:\program files\CCleaner
2008-11-30 18:30 . 2007-12-26 17:30   1,970,176   --a------   c:\windows\system32\d3dx9.dll
2008-11-30 18:30 . 2007-12-26 17:30   679,936   --a------   c:\windows\system32\D3DX81ab.dll
2008-11-30 18:29 . 2008-12-08 19:23   <DIR>   d--------   c:\program files\Cheat Engine
2008-11-29 21:17 . 2008-11-29 21:29   <DIR>   d--------   c:\program files\Ygoow
2008-11-28 18:54 . 2008-11-28 18:54   <DIR>   d--------   c:\program files\IrfanView
2008-11-28 16:39 . 2008-11-28 16:39   <DIR>   d--------   c:\documents and settings\Tomek Ostrowski\Dane aplikacji\Sports Interactive
2008-11-28 16:36 . 2008-11-28 16:36   <DIR>   d--------   c:\documents and settings\All Users\Dane aplikacji\Sports Interactive
2008-11-28 16:33 . 2008-12-08 19:22   <DIR>   d--------   c:\program files\Football Manager 2009
2008-11-28 16:20 . 2008-11-28 16:20   <DIR>   d--h-----   c:\program files\Zero G Registry
2008-11-28 16:20 . 2008-11-28 16:20   <DIR>   d--------   c:\program files\Sports Interactive
2008-11-28 16:20 . 2008-11-28 16:20   <DIR>   d--h-----   c:\documents and settings\Tomek Ostrowski\InstallAnywhere
2008-11-28 16:19 . 2008-11-28 16:19   <DIR>   d--------   c:\program files\DAEMON Tools Lite
2008-11-28 16:17 . 2008-11-28 16:17   <DIR>   d--------   c:\documents and settings\Tomek Ostrowski\Dane aplikacji\DAEMON Tools
2008-11-28 16:17 . 2008-11-28 16:17   717,296   --a------   c:\windows\system32\drivers\sptd.sys
2008-11-27 22:55 . 2008-11-27 22:56   <DIR>   d--------   c:\documents and settings\Tomek Ostrowski\Dane aplikacji\gtk-2.0
2008-11-27 22:55 . 2008-11-27 22:55   <DIR>   d--------   c:\documents and settings\Tomek Ostrowski\.thumbnails
2008-11-27 22:54 . 2008-11-27 22:54   <DIR>   d--------   c:\program files\GIMP-2.0
2008-11-27 22:54 . 2008-12-12 14:08   <DIR>   d--------   c:\documents and settings\Tomek Ostrowski\.gimp-2.6
2008-11-27 22:54 . 2008-11-27 22:54   <DIR>   d--------   c:\documents and settings\Tomek Ostrowski\.gegl-0.0
2008-11-27 21:54 . 2008-11-27 21:54   <DIR>   d--------   c:\program files\Apple Software Update
2008-11-27 21:54 . 2008-11-27 21:54   <DIR>   d--------   c:\documents and settings\All Users\Dane aplikacji\Apple
2008-11-27 21:51 . 2008-11-27 21:51   <DIR>   d--------   c:\program files\Common Files\Apple
2008-11-27 21:51 . 2008-11-27 21:51   <DIR>   d--------   c:\documents and settings\All Users\Dane aplikacji\Apple Computer
2008-11-26 22:55 . 2008-11-26 22:55   <DIR>   d--------   c:\program files\VS Revo Group
2008-11-26 19:15 . 2008-12-13 22:29   69   --a------   c:\windows\NeroDigital.ini
2008-11-26 19:10 . 2008-11-26 19:11   <DIR>   d--------   C:\xampp
2008-11-26 18:05 . 2008-11-26 18:05   <DIR>   d--------   c:\program files\Foxit Software
2008-11-26 18:05 . 2008-11-26 18:05   <DIR>   d--------   c:\documents and settings\Tomek Ostrowski\Dane aplikacji\Foxit
2008-11-25 20:31 . 2008-11-25 20:31   <DIR>   d--------   c:\documents and settings\Tomek Ostrowski\Dane aplikacji\Apple Computer
2008-11-25 20:14 . 2008-11-27 21:52   <DIR>   d--------   c:\program files\QuickTime
2008-11-24 22:02 . 2008-12-14 20:30   <DIR>   d--------   c:\program files\MoorHunt
2008-11-22 23:17 . 2008-11-22 23:17   249,856   ---------   c:\windows\Setup1.exe
2008-11-22 23:17 . 2008-11-22 23:17   73,216   --a------   c:\windows\ST6UNST.EXE
2008-11-22 20:44 . 2008-12-14 22:31   <DIR>   d--------   c:\documents and settings\Tomek Ostrowski\Dane aplikacji\X-Chat 2
2008-11-22 20:43 . 2008-12-08 19:22   <DIR>   d--------   c:\program files\xchat
2008-11-22 16:57 . 2008-11-22 16:57   <DIR>   d--------   c:\program files\Hamachi
2008-11-22 13:19 . 2008-11-22 13:19   <DIR>   d--------   c:\windows\ERUNT
2008-11-22 12:59 . 2008-12-07 11:19   <DIR>   d--------   c:\documents and settings\Tomek Ostrowski\Dane aplikacji\Hamachi
2008-11-22 12:59 . 2008-11-22 16:57   25,280   --a------   c:\windows\system32\drivers\hamachi.sys
2008-11-22 10:51 . 2008-11-22 10:51   <DIR>   d--h-----   c:\windows\system32\GroupPolicy
2008-11-21 21:17 . 2008-11-21 21:17   <DIR>   d--------   c:\program files\Alwil Software
2008-11-21 21:17 . 2003-03-18 20:14   499,712   --a------   c:\windows\system32\MSVCP71.dll
2008-11-21 21:16 . 2008-11-21 21:16   <DIR>   d--------   c:\program files\Microsoft Application Compatibility Toolkit 5
2008-11-21 20:32 . 2008-04-14 18:20   219,648   --a------   c:\windows\system32\uxtheme.uxtender
2008-11-21 20:24 . 2008-11-21 20:24   <DIR>   d--------   c:\windows\system32\pl
2008-11-21 20:24 . 2008-11-21 20:24   <DIR>   d--------   c:\windows\system32\bits
2008-11-21 20:24 . 2008-11-21 20:24   <DIR>   d--------   c:\windows\l2schemas
2008-11-21 20:23 . 2008-11-21 20:23   <DIR>   d--------   c:\windows\ServicePackFiles
2008-11-21 20:19 . 2008-12-14 23:53   <DIR>   d--------   c:\program files\Championship Manager 01-02
2008-11-21 20:18 . 1998-10-29 16:45   306,688   --a------   c:\windows\IsUninst.exe
2008-11-21 20:16 . 2008-11-21 20:17   <DIR>   d--------   c:\program files\Winamp
2008-11-21 20:16 . 2008-11-28 18:44   <DIR>   d--------   c:\documents and settings\Tomek Ostrowski\Dane aplikacji\Winamp
2008-11-21 20:15 . 2008-11-21 20:15   <DIR>   d--------   c:\program files\ToniArts
2008-11-21 20:02 . 2004-08-03 22:41   1,309,184   ---------   c:\windows\system32\drivers\mtlstrm.sys
2008-11-21 20:01 . 2004-08-04 00:35   701,440   ---------   c:\windows\system32\drivers\ati2mtag.sys

.
((((((((((((((((((((((((((((((((((((((((   Sekcja Find3M   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-15 13:21   ---------   d-----w   c:\program files\Mozilla Thunderbird
2008-12-11 17:26   ---------   d--h--w   c:\program files\InstallShield Installation Information
2008-12-11 17:08   ---------   d-----w   c:\program files\Common Files\InstallShield
2008-12-05 08:46   ---------   d-----w   c:\program files\microsoft frontpage
2008-11-21 18:44   ---------   d-----w   c:\program files\TechSmith
2008-11-21 18:44   ---------   d-----w   c:\program files\Common Files\TechSmith Shared
2008-11-21 18:44   ---------   d-----w   c:\documents and settings\All Users\Dane aplikacji\TechSmith
2008-11-21 18:37   ---------   d-----w   c:\documents and settings\Tomek Ostrowski\Dane aplikacji\Talkback
2008-11-21 18:36   ---------   d-----w   c:\documents and settings\Tomek Ostrowski\Dane aplikacji\Thunderbird
2008-11-21 18:30   ---------   d-----w   c:\documents and settings\Tomek Ostrowski\Dane aplikacji\Gadu-Gadu
2008-11-21 18:29   ---------   d-----w   c:\program files\Gadu-Gadu
2008-11-21 18:26   ---------   d-----w   c:\documents and settings\Tomek Ostrowski\Dane aplikacji\Teeworlds
2008-11-21 18:25   ---------   d-----w   c:\program files\Teeworlds
2008-11-21 17:52   ---------   d-----w   c:\program files\Common Files\Ahead
2008-11-21 17:52   ---------   d-----w   c:\program files\Ahead
2008-11-21 17:51   ---------   d-----w   c:\program files\CyberLink DVD Solution
2008-11-21 17:42   ---------   d-----w   c:\program files\Analog Devices
2008-11-21 17:32   ---------   d-----w   c:\program files\Usługi online
2008-10-24 11:21   455,296   ----a-w   c:\windows\system32\drivers\mrxsmb.sys
2004-10-01 14:00   40,960   ----a-w   c:\program files\Uninstall_CDS.exe
2008-12-15 08:05   66,576   ----a-w   c:\program files\mozilla firefox\components\febccdcf.dll
.

(((((((((((((((((((((((((((((((((((((   Wpisy startowe rejestru   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ada8c222-95d2-47b5-950b-aebc0a508839}]
2006-04-08 13:15   52752   --a------   c:\windows\system32\spria.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadu-Gadu"="c:\program files\Gadu-Gadu\gg.exe" [2008-11-21 2127296]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-11 7630848]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-11 86016]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-01-29 30248]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-01-29 46632]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-02-01 255528]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-03-12 663552]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-01-26 65536]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2004-10-27 c:\windows\system32\HdAShCut.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\xchat\\xchat.exe"=
"c:\\Program Files\\Football Manager 2009\\fm.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:ut
"6112:UDP"= 6112:UDP:ut

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-11-21 111184]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-11-21 20560]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\E:\NTGLM7X.sys []
.
Zawartość folderu 'Zaplanowane zadania'

2008-11-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Skan uzupełniający -------
.
IE: {{88CFA58B-A63F-4A94-9C54-0C7A58E3333E} - {17A84966-F1E9-4645-AA9E-5E771EE1C859} - c:\progra~1\NUCLEA~1\VideoGet\Plugins\VIDEOG~1.DLL
FF - ProfilePath - c:\documents and settings\Tomek Ostrowski\Dane aplikacji\Mozilla\Firefox\Profiles\pj9k26nu.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.pl
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-15 15:00:47
Windows 5.1.2600 Dodatek Service Pack 3 NTFS

skanowanie ukrytych procesów ...

skanowanie ukrytych wpisów autostartu ...

skanowanie ukrytych plików ...


c:\windows\system32\18353d1d88ab58afd14f876aba64d12e.sys 36864 bytes executable
c:\windows\system32\_18353d1d88ab58afd14f876aba64d12e.sys_.vir 36864 bytes executable

skanowanie pomyślnie ukończone
ukryte pliki: 2

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\18353d1d88ab58afd14f876aba64d12e]
"ImagePath"="system32\18353d1d88ab58afd14f876aba64d12e.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\8619261b]
"ImagePath"="\SystemRoot\System32\drivers\8619261b.sys"
.
------------------------ Pozostałe uruchomione procesy ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Brother\ControlCenter3\BrccMCtl.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Brother\Brmfcmon\BrMfcMon.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Czas ukończenia: 2008-12-15 15:02:38 - komputer został uruchomiony ponownie
ComboFix-quarantined-files.txt  2008-12-15 14:02:35

Przed: 20,719,357,952 bajtów wolnych
Po: 20,664,758,272 bajtów wolnych

232   --- E O F ---   2008-12-12 20:02:43


HijackThis:

Kod: Zaznacz wszystko

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:03:20, on 2008-12-15
Platform: Windows XP Dodatek SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: ORBta - {ada8c222-95d2-47b5-950b-aebc0a508839} - C:\WINDOWS\system32\spria.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Dane aplikacji\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Add to VideoGet - {88CFA58B-A63F-4A94-9C54-0C7A58E3333E} - C:\PROGRA~1\NUCLEA~1\VideoGet\Plugins\VIDEOG~1.DLL
O9 - Extra 'Tools' menuitem: Add to &VideoGet - {88CFA58B-A63F-4A94-9C54-0C7A58E3333E} - C:\PROGRA~1\NUCLEA~1\VideoGet\Plugins\VIDEOG~1.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4428 bytes


[wojtas]

Wykonaj to co jest podane w tym temacie

Zastosuj SDFix . Po pobraniu uruchom go a rozpakuje się do C:\SDFix. Uruchom komputer w trybie awaryjnym (F8 przy stracie systemu). Będąc w awaryjnym uruchom plik RunThis.bat z folderu SDFixa. Zatwierdź czyszczenie przez Y. Poczekaj aż ukończy i komputer zresetuje

Potem wejdz do folderu C:\SDFix wrzuc zawartość pliku Report.txt + log z combofixa oraz daj loga z hijacka

[raiylo]

Zastosowalem sie podanego przez Ciebie tematu, wszystko przebieglo wporzadku. Ponadto logi:

SDFix:

Kod: Zaznacz wszystko

[b]SDFix: Version 1.240 [/b]
Run by Administrator on 2008-12-15 at 17:24

Microsoft Windows XP [Wersja 5.1.2600]
Running From: C:\SDFix

[b]Checking Services [/b]:


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


[b]Checking Files [/b]:

No Trojan Files Found






Removing Temp Files

[b]ADS Check [/b]:


[b]Checking Files [/b]:

No Trojan Files Found






Removing Temp Files

[b]ADS Check [/b]:



                                 [b]Final Check [/b]:

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-15 17:34:52
Windows 5.1.2600 Dodatek Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000000
"khjeh"=hex:ec,39,ca,9d,da,83,ed,8b,78,52,2e,92,e4,c9,fc,ff,7c,ee,0c,98,32,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,9e,83,9f,53,56,b4,c4,04,82,c0,fb,42,5e,0e,e2,1a,d0,..
"khjeh"=hex:00,21,94,fa,e4,32,11,9b,d2,a0,b5,d7,42,9a,3c,71,a8,b0,97,28,48,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:cb,34,40,d7,a2,a4,e9,e8,76,05,9c,c7,06,42,df,c3,75,23,cf,1d,52,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000000
"khjeh"=hex:ec,39,ca,9d,da,83,ed,8b,78,52,2e,92,e4,c9,fc,ff,7c,ee,0c,98,32,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,9e,83,9f,53,56,b4,c4,04,82,c0,fb,42,5e,0e,e2,1a,d0,..
"khjeh"=hex:00,21,94,fa,e4,32,11,9b,d2,a0,b5,d7,42,9a,3c,71,a8,b0,97,28,48,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:cb,34,40,d7,a2,a4,e9,e8,76,05,9c,c7,06,42,df,c3,75,23,cf,1d,52,..

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


[b]Remaining Services [/b]:




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\xchat\\xchat.exe"="C:\\Program Files\\xchat\\xchat.exe:*:Enabled:XChat IRC Client"
"C:\\Program Files\\Football Manager 2009\\fm.exe"="C:\\Program Files\\Football Manager 2009\\fm.exe:*:Enabled:Football Manager 2009"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:uTorrent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[b]Remaining Files [/b]:


File Backups: - C:\SDFix\backups\backups.zip

[b]Files with Hidden Attributes [/b]:

Wed 22 Oct 2008       949,072 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\advcheck.dll"
Mon 15 Sep 2008     1,562,960 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll"
Mon  7 Jul 2008     1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon  7 Jul 2008     4,891,472 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Tue 16 Sep 2008     1,833,296 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Wed 22 Oct 2008       962,896 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\Tools.dll"

[b]Finished![/b]



ComboFix:

Kod: Zaznacz wszystko

ComboFix 08-12-14.05 - Tomek Ostrowski 2008-12-15 17:50:43.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1250.1.1045.18.1023.640 [GMT 1:00]
Uruchomiony z: c:\program files\ComboFix\ComboFix.exe
* Utworzono nowy punkt przywracania
.

(((((((((((((((((((((((((   Pliki utworzone od 2008-11-15 do 2008-12-15  )))))))))))))))))))))))))))))))
.

2008-12-15 17:40 . 2008-12-15 17:41   <DIR>   d--------   c:\program files\ComboFix
2008-12-15 17:23 . 2008-12-15 17:23   580,096   --a--c---   c:\windows\system32\dllcache\user32.dll
2008-12-15 17:22 . 2008-12-15 17:51   <DIR>   d--h-----   c:\documents and settings\Administrator\Ustawienia lokalne
2008-12-15 17:22 . 2008-11-21 19:22   <DIR>   d--------   c:\documents and settings\Administrator\Ulubione
2008-12-15 17:22 . 2008-11-21 18:30   <DIR>   d--h-----   c:\documents and settings\Administrator\Szablony
2008-12-15 17:22 . 2008-12-15 17:35   <DIR>   d--------   c:\documents and settings\Administrator\Pulpit
2008-12-15 17:22 . 2008-11-21 19:22   <DIR>   d--------   c:\documents and settings\Administrator\Moje dokumenty
2008-12-15 17:22 . 2008-11-21 19:22   <DIR>   dr-------   c:\documents and settings\Administrator\Menu Start
2008-12-15 17:22 . 2008-12-15 17:34   <DIR>   dr-h-----   c:\documents and settings\Administrator\Dane aplikacji
2008-12-15 17:22 . 2008-12-15 17:22   <DIR>   d--------   c:\documents and settings\Administrator
2008-12-15 17:18 . 2008-12-15 17:35   <DIR>   d--------   C:\SDFix
2008-12-15 15:03 . 2008-12-15 15:03   <DIR>   d--------   c:\program files\Trend Micro
2008-12-15 14:58 . 2008-12-15 14:58   36,864   --a------   c:\windows\system32\_18353d1d88ab58afd14f876aba64d12e.sys_.vir
2008-12-15 09:05 . 2008-12-15 09:05   160   --a------   C:\log.udt
2008-12-15 08:58 . 2008-12-15 08:58   188,416   --a------   c:\windows\system32\hackhound.exe
2008-12-15 08:58 . 2008-12-15 17:51   93,420   --a------   c:\windows\system32\drivers\8619261b.sys
2008-12-14 22:28 . 2008-12-14 22:33   <DIR>   d--------   c:\program files\uTorrent
2008-12-14 22:28 . 2008-12-15 09:02   <DIR>   d--------   c:\documents and settings\Tomek Ostrowski\Dane aplikacji\uTorrent
2008-12-14 20:26 . 2008-12-14 20:26   <DIR>   d--------   c:\program files\Nuclear Coffee
2008-12-14 12:50 . 2008-12-14 12:50   <DIR>   d--------   c:\windows\system32\Adobe
2008-12-13 22:34 . 2008-12-13 22:34   <DIR>   d--------   c:\program files\SopCast
2008-12-13 22:24 . 2008-12-13 22:24   <DIR>   d--------   c:\program files\SopFilter
2008-12-13 13:15 . 2008-12-13 13:15   <DIR>   d--------   c:\program files\FileZilla FTP Client
2008-12-12 21:02 . 2008-12-12 21:02   <DIR>   d--------   c:\program files\MSXML 4.0
2008-12-11 18:26 . 2008-12-11 18:26   <DIR>   d--------   c:\program files\NewSoft
2008-12-11 18:26 . 2008-12-11 18:26   <DIR>   d--------   c:\program files\Common Files\NewSoft
2008-12-11 18:26 . 2008-12-11 18:26   <DIR>   d--------   c:\documents and settings\Tomek Ostrowski\Dane aplikacji\ScanSoft
2008-12-11 18:26 . 2008-12-11 18:26   <DIR>   d--------   c:\documents and settings\All Users\Dane aplikacji\Newsoft
2008-12-11 18:26 . 2008-12-11 18:26   1,846   --a------   c:\windows\if42le.ini
2008-12-11 18:26 . 2008-12-11 18:26   308   --a------   c:\windows\Pexplore.ini
2008-12-11 18:18 . 2008-04-13 19:47   25,856   --a------   c:\windows\system32\drivers\usbprint.sys
2008-12-11 18:18 . 2008-04-13 19:47   25,856   --a--c---   c:\windows\system32\dllcache\usbprint.sys
2008-12-11 18:18 . 2008-12-11 18:18   404   --a------   c:\windows\BRWMARK.INI
2008-12-11 18:18 . 2008-12-11 18:18   27   --a------   c:\windows\BRPP2KA.INI
2008-12-11 18:10 . 2008-12-11 18:10   <DIR>   d--------   c:\program files\Brother
2008-12-11 18:09 . 2008-12-11 18:09   <DIR>   d--------   c:\program files\Nuance
2008-12-11 18:09 . 2008-12-11 18:09   <DIR>   d--------   c:\documents and settings\Tomek Ostrowski\Dane aplikacji\InstallShield
2008-12-11 18:08 . 2008-12-11 18:08   <DIR>   d--------   c:\program files\ScanSoft
2008-12-11 18:08 . 2008-12-11 18:08   <DIR>   d--------   c:\program files\Common Files\ScanSoft Shared
2008-12-11 18:08 . 2008-12-11 18:08   <DIR>   d--------   c:\documents and settings\All Users\Dane aplikacji\ScanSoft
2008-12-11 18:08 . 2008-12-11 18:08   <DIR>   d--------   c:\documents and settings\All Users\Dane aplikacji\InstallShield
2008-12-11 18:08 . 2006-10-24 15:34   31,567   --a------   c:\windows\maxlink.ini
2008-12-11 18:07 . 2008-12-11 18:07   <DIR>   d--------   c:\documents and settings\All Users\Dane aplikacji\Brother
2008-12-08 19:29 . 2008-12-10 21:35   <DIR>   d--------   c:\program files\Spybot - Search & Destroy
2008-12-08 19:29 . 2008-12-15 15:21   <DIR>   d--------   c:\documents and settings\All Users\Dane aplikacji\Spybot - Search & Destroy
2008-12-07 20:58 . 2008-04-13 19:45   32,128   --a------   c:\windows\system32\drivers\usbccgp.sys
2008-12-07 20:58 . 2008-04-13 19:45   32,128   --a--c---   c:\windows\system32\dllcache\usbccgp.sys
2008-12-07 20:58 . 2008-04-13 19:45   26,368   --a--c---   c:\windows\system32\dllcache\usbstor.sys
2008-12-05 09:51 . 2008-12-05 09:51   427   --a------   c:\windows\ODBC.INI
2008-12-05 09:48 . 2008-12-05 09:48   <DIR>   d--------   c:\windows\ShellNew
2008-12-05 09:46 . 2008-12-05 09:46   <DIR>   d--------   c:\documents and settings\Tomek Ostrowski\Dane aplikacji\Microsoft Web Folders
2008-12-03 15:57 . 2008-12-03 15:57   <DIR>   d--------   c:\program files\Net Equities
2008-12-03 15:57 . 2008-12-03 15:57   720   --a------   c:\windows\Nteqeefp32.dll
2008-12-03 15:37 . 2008-12-08 19:23   <DIR>   d--------   c:\program files\eMule
2008-12-02 12:56 . 2008-12-02 12:56   <DIR>   d--------   c:\program files\CCleaner
2008-11-30 18:30 . 2007-12-26 17:30   1,970,176   --a------   c:\windows\system32\d3dx9.dll
2008-11-30 18:30 . 2007-12-26 17:30   679,936   --a------   c:\windows\system32\D3DX81ab.dll
2008-11-30 18:29 . 2008-12-08 19:23   <DIR>   d--------   c:\program files\Cheat Engine
2008-11-29 21:17 . 2008-11-29 21:29   <DIR>   d--------   c:\program files\Ygoow
2008-11-28 18:54 . 2008-11-28 18:54   <DIR>   d--------   c:\program files\IrfanView
2008-11-28 16:39 . 2008-11-28 16:39   <DIR>   d--------   c:\documents and settings\Tomek Ostrowski\Dane aplikacji\Sports Interactive
2008-11-28 16:36 . 2008-11-28 16:36   <DIR>   d--------   c:\documents and settings\All Users\Dane aplikacji\Sports Interactive
2008-11-28 16:33 . 2008-12-08 19:22   <DIR>   d--------   c:\program files\Football Manager 2009
2008-11-28 16:20 . 2008-11-28 16:20   <DIR>   d--h-----   c:\program files\Zero G Registry
2008-11-28 16:20 . 2008-11-28 16:20   <DIR>   d--------   c:\program files\Sports Interactive
2008-11-28 16:20 . 2008-11-28 16:20   <DIR>   d--h-----   c:\documents and settings\Tomek Ostrowski\InstallAnywhere
2008-11-28 16:19 . 2008-11-28 16:19   <DIR>   d--------   c:\program files\DAEMON Tools Lite
2008-11-28 16:17 . 2008-11-28 16:17   <DIR>   d--------   c:\documents and settings\Tomek Ostrowski\Dane aplikacji\DAEMON Tools
2008-11-28 16:17 . 2008-11-28 16:17   717,296   --a------   c:\windows\system32\drivers\sptd.sys
2008-11-27 22:55 . 2008-11-27 22:56   <DIR>   d--------   c:\documents and settings\Tomek Ostrowski\Dane aplikacji\gtk-2.0
2008-11-27 22:55 . 2008-11-27 22:55   <DIR>   d--------   c:\documents and settings\Tomek Ostrowski\.thumbnails
2008-11-27 22:54 . 2008-11-27 22:54   <DIR>   d--------   c:\program files\GIMP-2.0
2008-11-27 22:54 . 2008-12-12 14:08   <DIR>   d--------   c:\documents and settings\Tomek Ostrowski\.gimp-2.6
2008-11-27 22:54 . 2008-11-27 22:54   <DIR>   d--------   c:\documents and settings\Tomek Ostrowski\.gegl-0.0
2008-11-27 21:54 . 2008-11-27 21:54   <DIR>   d--------   c:\program files\Apple Software Update
2008-11-27 21:54 . 2008-11-27 21:54   <DIR>   d--------   c:\documents and settings\All Users\Dane aplikacji\Apple
2008-11-27 21:51 . 2008-11-27 21:51   <DIR>   d--------   c:\program files\Common Files\Apple
2008-11-27 21:51 . 2008-11-27 21:51   <DIR>   d--------   c:\documents and settings\All Users\Dane aplikacji\Apple Computer
2008-11-26 22:55 . 2008-11-26 22:55   <DIR>   d--------   c:\program files\VS Revo Group
2008-11-26 19:15 . 2008-12-13 22:29   69   --a------   c:\windows\NeroDigital.ini
2008-11-26 19:10 . 2008-11-26 19:11   <DIR>   d--------   C:\xampp
2008-11-26 18:05 . 2008-11-26 18:05   <DIR>   d--------   c:\program files\Foxit Software
2008-11-26 18:05 . 2008-11-26 18:05   <DIR>   d--------   c:\documents and settings\Tomek Ostrowski\Dane aplikacji\Foxit
2008-11-25 20:31 . 2008-11-25 20:31   <DIR>   d--------   c:\documents and settings\Tomek Ostrowski\Dane aplikacji\Apple Computer
2008-11-25 20:14 . 2008-11-27 21:52   <DIR>   d--------   c:\program files\QuickTime
2008-11-24 22:02 . 2008-12-14 20:30   <DIR>   d--------   c:\program files\MoorHunt
2008-11-22 23:17 . 2008-11-22 23:17   249,856   ---------   c:\windows\Setup1.exe
2008-11-22 23:17 . 2008-11-22 23:17   73,216   --a------   c:\windows\ST6UNST.EXE
2008-11-22 20:44 . 2008-12-14 22:31   <DIR>   d--------   c:\documents and settings\Tomek Ostrowski\Dane aplikacji\X-Chat 2
2008-11-22 20:43 . 2008-12-08 19:22   <DIR>   d--------   c:\program files\xchat
2008-11-22 16:57 . 2008-11-22 16:57   <DIR>   d--------   c:\program files\Hamachi
2008-11-22 13:19 . 2008-12-15 17:22   <DIR>   d--------   c:\windows\ERUNT
2008-11-22 12:59 . 2008-12-07 11:19   <DIR>   d--------   c:\documents and settings\Tomek Ostrowski\Dane aplikacji\Hamachi
2008-11-22 12:59 . 2008-11-22 16:57   25,280   --a------   c:\windows\system32\drivers\hamachi.sys
2008-11-22 10:51 . 2008-11-22 10:51   <DIR>   d--h-----   c:\windows\system32\GroupPolicy
2008-11-21 21:17 . 2008-11-21 21:17   <DIR>   d--------   c:\program files\Alwil Software
2008-11-21 21:17 . 2003-03-18 20:14   499,712   --a------   c:\windows\system32\MSVCP71.dll
2008-11-21 21:16 . 2008-11-21 21:16   <DIR>   d--------   c:\program files\Microsoft Application Compatibility Toolkit 5
2008-11-21 20:32 . 2008-04-14 18:20   219,648   --a------   c:\windows\system32\uxtheme.uxtender
2008-11-21 20:24 . 2008-11-21 20:24   <DIR>   d--------   c:\windows\system32\pl
2008-11-21 20:24 . 2008-11-21 20:24   <DIR>   d--------   c:\windows\system32\bits
2008-11-21 20:24 . 2008-11-21 20:24   <DIR>   d--------   c:\windows\l2schemas
2008-11-21 20:23 . 2008-11-21 20:23   <DIR>   d--------   c:\windows\ServicePackFiles
2008-11-21 20:19 . 2008-12-15 16:47   <DIR>   d--------   c:\program files\Championship Manager 01-02
2008-11-21 20:18 . 1998-10-29 16:45   306,688   --a------   c:\windows\IsUninst.exe
2008-11-21 20:16 . 2008-11-21 20:17   <DIR>   d--------   c:\program files\Winamp
2008-11-21 20:16 . 2008-11-28 18:44   <DIR>   d--------   c:\documents and settings\Tomek Ostrowski\Dane aplikacji\Winamp
2008-11-21 20:15 . 2008-11-21 20:15   <DIR>   d--------   c:\program files\ToniArts
2008-11-21 20:02 . 2004-08-03 22:41   1,309,184   ---------   c:\windows\system32\drivers\mtlstrm.sys
2008-11-21 20:01 . 2004-08-04 00:35   701,440   ---------   c:\windows\system32\drivers\ati2mtag.sys

.
((((((((((((((((((((((((((((((((((((((((   Sekcja Find3M   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-15 15:14   ---------   d-----w   c:\program files\Mozilla Thunderbird
2008-12-15 07:59   14,336   ----a-w   c:\windows\system32\svchost.exe
2008-12-11 17:26   ---------   d--h--w   c:\program files\InstallShield Installation Information
2008-12-11 17:08   ---------   d-----w   c:\program files\Common Files\InstallShield
2008-12-05 08:46   ---------   d-----w   c:\program files\microsoft frontpage
2008-11-21 19:32   219,648   ----a-w   c:\windows\system32\uxtheme.dll
2008-11-21 18:44   ---------   d-----w   c:\program files\TechSmith
2008-11-21 18:44   ---------   d-----w   c:\program files\Common Files\TechSmith Shared
2008-11-21 18:44   ---------   d-----w   c:\documents and settings\All Users\Dane aplikacji\TechSmith
2008-11-21 18:37   ---------   d-----w   c:\documents and settings\Tomek Ostrowski\Dane aplikacji\Talkback
2008-11-21 18:36   ---------   d-----w   c:\documents and settings\Tomek Ostrowski\Dane aplikacji\Thunderbird
2008-11-21 18:30   ---------   d-----w   c:\documents and settings\Tomek Ostrowski\Dane aplikacji\Gadu-Gadu
2008-11-21 18:29   ---------   d-----w   c:\program files\Gadu-Gadu
2008-11-21 18:26   ---------   d-----w   c:\documents and settings\Tomek Ostrowski\Dane aplikacji\Teeworlds
2008-11-21 18:25   ---------   d-----w   c:\program files\Teeworlds
2008-11-21 17:52   ---------   d-----w   c:\program files\Common Files\Ahead
2008-11-21 17:52   ---------   d-----w   c:\program files\Ahead
2008-11-21 17:51   ---------   d-----w   c:\program files\CyberLink DVD Solution
2008-11-21 17:42   ---------   d-----w   c:\program files\Analog Devices
2008-11-21 17:32   ---------   d-----w   c:\program files\Usługi online
2008-10-24 11:21   455,296   ----a-w   c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 12:42   286,720   ----a-w   c:\windows\system32\gdi32.dll
2008-10-16 20:33   826,368   ----a-w   c:\windows\system32\wininet.dll
2008-10-16 13:13   202,776   ----a-w   c:\windows\system32\wuweb.dll
2008-10-16 13:13   1,809,944   ----a-w   c:\windows\system32\wuaueng.dll
2008-10-16 13:12   561,688   ----a-w   c:\windows\system32\wuapi.dll
2008-10-16 13:12   323,608   ----a-w   c:\windows\system32\wucltui.dll
2008-10-16 13:09   92,696   ----a-w   c:\windows\system32\cdm.dll
2008-10-16 13:09   51,224   ----a-w   c:\windows\system32\wuauclt.exe
2008-10-16 13:09   43,544   ----a-w   c:\windows\system32\wups2.dll
2008-10-16 13:08   34,328   ----a-w   c:\windows\system32\wups.dll
2008-10-03 10:04   247,326   ----a-w   c:\windows\system32\strmdll.dll
2008-09-30 15:43   1,286,152   ----a-w   c:\windows\system32\msxml4.dll
2008-09-15 15:27   1,846,656   ----a-w   c:\windows\system32\win32k.sys
2004-10-01 14:00   40,960   ----a-w   c:\program files\Uninstall_CDS.exe
2008-12-15 08:05   66,576   ----a-w   c:\program files\mozilla firefox\components\febccdcf.dll
.

(((((((((((((((((((((((((((((((((((((   Wpisy startowe rejestru   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ada8c222-95d2-47b5-950b-aebc0a508839}]
2006-04-08 13:15   52752   --a------   c:\windows\system32\spria.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadu-Gadu"="c:\program files\Gadu-Gadu\gg.exe" [2008-11-21 2127296]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-11 7630848]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-11 86016]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-01-29 30248]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-01-29 46632]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-02-01 255528]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-03-12 663552]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-01-26 65536]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2004-10-27 c:\windows\system32\HdAShCut.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\xchat\\xchat.exe"=
"c:\\Program Files\\Football Manager 2009\\fm.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:ut
"6112:UDP"= 6112:UDP:ut

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-11-21 111184]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-11-21 20560]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\E:\NTGLM7X.sys []
.
Zawartość folderu 'Zaplanowane zadania'

2008-11-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Skan uzupełniający -------
.
IE: {{88CFA58B-A63F-4A94-9C54-0C7A58E3333E} - {17A84966-F1E9-4645-AA9E-5E771EE1C859} - c:\progra~1\NUCLEA~1\VideoGet\Plugins\VIDEOG~1.DLL
FF - ProfilePath - c:\documents and settings\Tomek Ostrowski\Dane aplikacji\Mozilla\Firefox\Profiles\pj9k26nu.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.pl
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-15 17:51:39
Windows 5.1.2600 Dodatek Service Pack 3 NTFS

skanowanie ukrytych procesów ...

skanowanie ukrytych wpisów autostartu ...

skanowanie ukrytych plików ...

skanowanie pomyślnie ukończone
ukryte pliki: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\8619261b]
"ImagePath"="\SystemRoot\System32\drivers\8619261b.sys"
.
Czas ukończenia: 2008-12-15 17:52:13
ComboFix-quarantined-files.txt  2008-12-15 16:52:07

Przed: 20 499 091 456 bajtów wolnych
Po: 20,489,674,752 bajtów wolnych

WindowsXP-KB310994-SP2-Pro-BootDisk-PLK.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

234   --- E O F ---   2008-12-12 20:02:43


HijackThis:

Kod: Zaznacz wszystko

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:54:28, on 2008-12-15
Platform: Windows XP Dodatek SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: ORBta - {ada8c222-95d2-47b5-950b-aebc0a508839} - C:\WINDOWS\system32\spria.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Dane aplikacji\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Add to VideoGet - {88CFA58B-A63F-4A94-9C54-0C7A58E3333E} - C:\PROGRA~1\NUCLEA~1\VideoGet\Plugins\VIDEOG~1.DLL
O9 - Extra 'Tools' menuitem: Add to &VideoGet - {88CFA58B-A63F-4A94-9C54-0C7A58E3333E} - C:\PROGRA~1\NUCLEA~1\VideoGet\Plugins\VIDEOG~1.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4395 bytes


[wojtas]

wklej do notatnika

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ada8c222-95d2-47b5-950b-aebc0a508839}]

[-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\8619261b]

w notatniku u góry>>>plik zapisz jako>>>Zmien rozszerzenie z TXT na Wszystkie pliki *.* >>> Zapisz pod nazwą FIX.REG

Klikasz dwa razy na powstały plik fix i dodajesz go do rejestru....


Pobierz i uruchom narzędzie
The Avenger
w bialym polu wklej tekst:

Files to delete:

c:\windows\system32\_18353d1d88ab58afd14f876aba64d12e.sys_.vir
c:\windows\system32\hackhound.exe
c:\windows\system32\drivers\8619261b.sys
c:\windows\if42le.ini
c:\windows\Pexplore.ini

Kopiujesz - Klikasz na Paste Script from Clipboard - Execute - Potwierdzasz i zgadzasz się na restart klikając OK.
Po wykonaniu skasuj z dysku plik: C:\Avenger\backup.zip i wklej raport na forum C:\avenger.txt oraz nowy log z combofixa

[raiylo]

Wykonałem to, co kazałeś Na marginesie zaznaczam, że imponujesz mi wiedzą na temat zagrożenia w sieci, bardzo przydatne rzeczy. Logi:

The Avenger:

Kod: Zaznacz wszystko

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "c:\windows\system32\_18353d1d88ab58afd14f876aba64d12e.sys_.vir" deleted successfully.
File "c:\windows\system32\hackhound.exe" deleted successfully.
File "c:\windows\system32\drivers\8619261b.sys" deleted successfully.
File "c:\windows\if42le.ini" deleted successfully.
File "c:\windows\Pexplore.ini" deleted successfully.

Completed script processing.

*******************

Finished!  Terminate.


ComboFix:

Kod: Zaznacz wszystko

ComboFix 08-12-14.05 - Tomek Ostrowski 2008-12-15 21:14:44.3 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1250.1.1045.18.1023.605 [GMT 1:00]
Uruchomiony z: c:\program files\ComboFix\ComboFix.exe
.

(((((((((((((((((((((((((   Pliki utworzone od 2008-11-15 do 2008-12-15  )))))))))))))))))))))))))))))))
.

2008-12-15 20:49 . 2008-12-15 20:49   <DIR>   d--------   c:\program files\JkDefrag
2008-12-15 18:06 . 2008-12-15 21:15   <DIR>   d--------   c:\documents and settings\Tomek Ostrowski\Dane aplikacji\Gajim
2008-12-15 18:05 . 2008-12-15 18:05   <DIR>   d--------   c:\program files\Gajim
2008-12-15 17:40 . 2008-12-15 17:41   <DIR>   d--------   c:\program files\ComboFix
2008-12-15 17:23 . 2008-12-15 17:23   580,096   --a--c---   c:\windows\system32\dllcache\user32.dll
2008-12-15 17:22 . 2008-12-15 21:15   <DIR>   d--h-----   c:\documents and settings\Administrator\Ustawienia lokalne
2008-12-15 17:22 . 2008-11-21 19:22   <DIR>   d--------   c:\documents and settings\Administrator\Ulubione
2008-12-15 17:22 . 2008-11-21 18:30   <DIR>   d--h-----   c:\documents and settings\Administrator\Szablony
2008-12-15 17:22 . 2008-12-15 17:35   <DIR>   d--------   c:\documents and settings\Administrator\Pulpit
2008-12-15 17:22 . 2008-11-21 19:22   <DIR>   d--------   c:\documents and settings\Administrator\Moje dokumenty
2008-12-15 17:22 . 2008-11-21 19:22   <DIR>   dr-------   c:\documents and settings\Administrator\Menu Start
2008-12-15 17:22 . 2008-12-15 17:34   <DIR>   dr-h-----   c:\documents and settings\Administrator\Dane aplikacji
2008-12-15 17:22 . 2008-12-15 17:22   <DIR>   d--------   c:\documents and settings\Administrator
2008-12-15 15:03 . 2008-12-15 15:03   <DIR>   d--------   c:\program files\Trend Micro
2008-12-15 09:05 . 2008-12-15 09:05   160   --a------   C:\log.udt
2008-12-14 22:28 . 2008-12-14 22:33   <DIR>   d--------   c:\program files\uTorrent
2008-12-14 22:28 . 2008-12-15 09:02   <DIR>   d--------   c:\documents and settings\Tomek Ostrowski\Dane aplikacji\uTorrent
2008-12-14 20:26 . 2008-12-14 20:26   <DIR>   d--------   c:\program files\Nuclear Coffee
2008-12-14 12:50 . 2008-12-14 12:50   <DIR>   d--------   c:\windows\system32\Adobe
2008-12-13 22:34 . 2008-12-13 22:34   <DIR>   d--------   c:\program files\SopCast
2008-12-13 22:24 . 2008-12-13 22:24   <DIR>   d--------   c:\program files\SopFilter
2008-12-13 13:15 . 2008-12-13 13:15   <DIR>   d--------   c:\program files\FileZilla FTP Client
2008-12-12 21:02 . 2008-12-12 21:02   <DIR>   d--------   c:\program files\MSXML 4.0
2008-12-11 18:26 . 2008-12-11 18:26   <DIR>   d--------   c:\program files\NewSoft
2008-12-11 18:26 . 2008-12-11 18:26   <DIR>   d--------   c:\program files\Common Files\NewSoft
2008-12-11 18:26 . 2008-12-11 18:26   <DIR>   d--------   c:\documents and settings\Tomek Ostrowski\Dane aplikacji\ScanSoft
2008-12-11 18:26 . 2008-12-11 18:26   <DIR>   d--------   c:\documents and settings\All Users\Dane aplikacji\Newsoft
2008-12-11 18:18 . 2008-04-13 19:47   25,856   --a------   c:\windows\system32\drivers\usbprint.sys
2008-12-11 18:18 . 2008-04-13 19:47   25,856   --a--c---   c:\windows\system32\dllcache\usbprint.sys
2008-12-11 18:18 . 2008-12-11 18:18   404   --a------   c:\windows\BRWMARK.INI
2008-12-11 18:18 . 2008-12-11 18:18   27   --a------   c:\windows\BRPP2KA.INI
2008-12-11 18:10 . 2008-12-11 18:10   <DIR>   d--------   c:\program files\Brother
2008-12-11 18:09 . 2008-12-11 18:09   <DIR>   d--------   c:\program files\Nuance
2008-12-11 18:09 . 2008-12-11 18:09   <DIR>   d--------   c:\documents and settings\Tomek Ostrowski\Dane aplikacji\InstallShield
2008-12-11 18:08 . 2008-12-11 18:08   <DIR>   d--------   c:\program files\ScanSoft
2008-12-11 18:08 . 2008-12-11 18:08   <DIR>   d--------   c:\program files\Common Files\ScanSoft Shared
2008-12-11 18:08 . 2008-12-11 18:08   <DIR>   d--------   c:\documents and settings\All Users\Dane aplikacji\ScanSoft
2008-12-11 18:08 . 2008-12-11 18:08   <DIR>   d--------   c:\documents and settings\All Users\Dane aplikacji\InstallShield
2008-12-11 18:08 . 2006-10-24 15:34   31,567   --a------   c:\windows\maxlink.ini
2008-12-11 18:07 . 2008-12-11 18:07   <DIR>   d--------   c:\documents and settings\All Users\Dane aplikacji\Brother
2008-12-08 19:29 . 2008-12-10 21:35   <DIR>   d--------   c:\program files\Spybot - Search & Destroy
2008-12-08 19:29 . 2008-12-15 15:21   <DIR>   d--------   c:\documents and settings\All Users\Dane aplikacji\Spybot - Search & Destroy
2008-12-07 20:58 . 2008-04-13 19:45   32,128   --a------   c:\windows\system32\drivers\usbccgp.sys
2008-12-07 20:58 . 2008-04-13 19:45   32,128   --a--c---   c:\windows\system32\dllcache\usbccgp.sys
2008-12-07 20:58 . 2008-04-13 19:45   26,368   --a--c---   c:\windows\system32\dllcache\usbstor.sys
2008-12-05 09:51 . 2008-12-05 09:51   427   --a------   c:\windows\ODBC.INI
2008-12-05 09:48 . 2008-12-05 09:48   <DIR>   d--------   c:\windows\ShellNew
2008-12-05 09:46 . 2008-12-05 09:46   <DIR>   d--------   c:\documents and settings\Tomek Ostrowski\Dane aplikacji\Microsoft Web Folders
2008-12-03 15:57 . 2008-12-03 15:57   <DIR>   d--------   c:\program files\Net Equities
2008-12-03 15:57 . 2008-12-03 15:57   720   --a------   c:\windows\Nteqeefp32.dll
2008-12-03 15:37 . 2008-12-08 19:23   <DIR>   d--------   c:\program files\eMule
2008-12-02 12:56 . 2008-12-02 12:56   <DIR>   d--------   c:\program files\CCleaner
2008-11-30 18:30 . 2007-12-26 17:30   1,970,176   --a------   c:\windows\system32\d3dx9.dll
2008-11-30 18:30 . 2007-12-26 17:30   679,936   --a------   c:\windows\system32\D3DX81ab.dll
2008-11-30 18:29 . 2008-12-08 19:23   <DIR>   d--------   c:\program files\Cheat Engine
2008-11-29 21:17 . 2008-11-29 21:29   <DIR>   d--------   c:\program files\Ygoow
2008-11-28 18:54 . 2008-11-28 18:54   <DIR>   d--------   c:\program files\IrfanView
2008-11-28 16:39 . 2008-11-28 16:39   <DIR>   d--------   c:\documents and settings\Tomek Ostrowski\Dane aplikacji\Sports Interactive
2008-11-28 16:36 . 2008-11-28 16:36   <DIR>   d--------   c:\documents and settings\All Users\Dane aplikacji\Sports Interactive
2008-11-28 16:33 . 2008-12-08 19:22   <DIR>   d--------   c:\program files\Football Manager 2009
2008-11-28 16:20 . 2008-11-28 16:20   <DIR>   d--h-----   c:\program files\Zero G Registry
2008-11-28 16:20 . 2008-11-28 16:20   <DIR>   d--------   c:\program files\Sports Interactive
2008-11-28 16:20 . 2008-11-28 16:20   <DIR>   d--h-----   c:\documents and settings\Tomek Ostrowski\InstallAnywhere
2008-11-28 16:19 . 2008-11-28 16:19   <DIR>   d--------   c:\program files\DAEMON Tools Lite
2008-11-28 16:17 . 2008-11-28 16:17   <DIR>   d--------   c:\documents and settings\Tomek Ostrowski\Dane aplikacji\DAEMON Tools
2008-11-28 16:17 . 2008-11-28 16:17   717,296   --a------   c:\windows\system32\drivers\sptd.sys
2008-11-27 22:55 . 2008-11-27 22:56   <DIR>   d--------   c:\documents and settings\Tomek Ostrowski\Dane aplikacji\gtk-2.0
2008-11-27 22:55 . 2008-11-27 22:55   <DIR>   d--------   c:\documents and settings\Tomek Ostrowski\.thumbnails
2008-11-27 22:54 . 2008-11-27 22:54   <DIR>   d--------   c:\program files\GIMP-2.0
2008-11-27 22:54 . 2008-12-12 14:08   <DIR>   d--------   c:\documents and settings\Tomek Ostrowski\.gimp-2.6
2008-11-27 22:54 . 2008-11-27 22:54   <DIR>   d--------   c:\documents and settings\Tomek Ostrowski\.gegl-0.0
2008-11-27 21:54 . 2008-11-27 21:54   <DIR>   d--------   c:\program files\Apple Software Update
2008-11-27 21:54 . 2008-11-27 21:54   <DIR>   d--------   c:\documents and settings\All Users\Dane aplikacji\Apple
2008-11-27 21:51 . 2008-11-27 21:51   <DIR>   d--------   c:\program files\Common Files\Apple
2008-11-27 21:51 . 2008-11-27 21:51   <DIR>   d--------   c:\documents and settings\All Users\Dane aplikacji\Apple Computer
2008-11-26 22:55 . 2008-11-26 22:55   <DIR>   d--------   c:\program files\VS Revo Group
2008-11-26 19:15 . 2008-12-13 22:29   69   --a------   c:\windows\NeroDigital.ini
2008-11-26 19:10 . 2008-11-26 19:11   <DIR>   d--------   C:\xampp
2008-11-26 18:05 . 2008-11-26 18:05   <DIR>   d--------   c:\program files\Foxit Software
2008-11-26 18:05 . 2008-11-26 18:05   <DIR>   d--------   c:\documents and settings\Tomek Ostrowski\Dane aplikacji\Foxit
2008-11-25 20:31 . 2008-11-25 20:31   <DIR>   d--------   c:\documents and settings\Tomek Ostrowski\Dane aplikacji\Apple Computer
2008-11-25 20:14 . 2008-11-27 21:52   <DIR>   d--------   c:\program files\QuickTime
2008-11-24 22:02 . 2008-12-14 20:30   <DIR>   d--------   c:\program files\MoorHunt
2008-11-22 23:17 . 2008-11-22 23:17   249,856   ---------   c:\windows\Setup1.exe
2008-11-22 23:17 . 2008-11-22 23:17   73,216   --a------   c:\windows\ST6UNST.EXE
2008-11-22 20:44 . 2008-12-15 19:05   <DIR>   d--------   c:\documents and settings\Tomek Ostrowski\Dane aplikacji\X-Chat 2
2008-11-22 20:43 . 2008-12-08 19:22   <DIR>   d--------   c:\program files\xchat
2008-11-22 16:57 . 2008-11-22 16:57   <DIR>   d--------   c:\program files\Hamachi
2008-11-22 13:19 . 2008-12-15 17:22   <DIR>   d--------   c:\windows\ERUNT
2008-11-22 12:59 . 2008-12-07 11:19   <DIR>   d--------   c:\documents and settings\Tomek Ostrowski\Dane aplikacji\Hamachi
2008-11-22 12:59 . 2008-11-22 16:57   25,280   --a------   c:\windows\system32\drivers\hamachi.sys
2008-11-22 10:51 . 2008-11-22 10:51   <DIR>   d--h-----   c:\windows\system32\GroupPolicy
2008-11-21 21:17 . 2008-11-21 21:17   <DIR>   d--------   c:\program files\Alwil Software
2008-11-21 21:17 . 2003-03-18 20:14   499,712   --a------   c:\windows\system32\MSVCP71.dll
2008-11-21 21:16 . 2008-11-21 21:16   <DIR>   d--------   c:\program files\Microsoft Application Compatibility Toolkit 5
2008-11-21 20:32 . 2008-04-14 18:20   219,648   --a------   c:\windows\system32\uxtheme.uxtender
2008-11-21 20:24 . 2008-11-21 20:24   <DIR>   d--------   c:\windows\system32\pl
2008-11-21 20:24 . 2008-11-21 20:24   <DIR>   d--------   c:\windows\system32\bits
2008-11-21 20:24 . 2008-11-21 20:24   <DIR>   d--------   c:\windows\l2schemas
2008-11-21 20:23 . 2008-11-21 20:23   <DIR>   d--------   c:\windows\ServicePackFiles
2008-11-21 20:19 . 2008-12-15 16:47   <DIR>   d--------   c:\program files\Championship Manager 01-02
2008-11-21 20:18 . 1998-10-29 16:45   306,688   --a------   c:\windows\IsUninst.exe
2008-11-21 20:16 . 2008-11-21 20:17   <DIR>   d--------   c:\program files\Winamp
2008-11-21 20:16 . 2008-11-28 18:44   <DIR>   d--------   c:\documents and settings\Tomek Ostrowski\Dane aplikacji\Winamp
2008-11-21 20:15 . 2008-11-21 20:15   <DIR>   d--------   c:\program files\ToniArts
2008-11-21 20:02 . 2004-08-03 22:41   1,309,184   ---------   c:\windows\system32\drivers\mtlstrm.sys
2008-11-21 20:01 . 2004-08-04 00:35   701,440   ---------   c:\windows\system32\drivers\ati2mtag.sys

.
((((((((((((((((((((((((((((((((((((((((   Sekcja Find3M   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-15 19:37   ---------   d-----w   c:\program files\Mozilla Thunderbird
2008-12-15 07:59   14,336   ----a-w   c:\windows\system32\svchost.exe
2008-12-11 17:26   ---------   d--h--w   c:\program files\InstallShield Installation Information
2008-12-11 17:08   ---------   d-----w   c:\program files\Common Files\InstallShield
2008-12-05 08:46   ---------   d-----w   c:\program files\microsoft frontpage
2008-11-21 19:32   219,648   ----a-w   c:\windows\system32\uxtheme.dll
2008-11-21 18:44   ---------   d-----w   c:\program files\TechSmith
2008-11-21 18:44   ---------   d-----w   c:\program files\Common Files\TechSmith Shared
2008-11-21 18:44   ---------   d-----w   c:\documents and settings\All Users\Dane aplikacji\TechSmith
2008-11-21 18:37   ---------   d-----w   c:\documents and settings\Tomek Ostrowski\Dane aplikacji\Talkback
2008-11-21 18:36   ---------   d-----w   c:\documents and settings\Tomek Ostrowski\Dane aplikacji\Thunderbird
2008-11-21 18:30   ---------   d-----w   c:\documents and settings\Tomek Ostrowski\Dane aplikacji\Gadu-Gadu
2008-11-21 18:29   ---------   d-----w   c:\program files\Gadu-Gadu
2008-11-21 18:26   ---------   d-----w   c:\documents and settings\Tomek Ostrowski\Dane aplikacji\Teeworlds
2008-11-21 18:25   ---------   d-----w   c:\program files\Teeworlds
2008-11-21 17:52   ---------   d-----w   c:\program files\Common Files\Ahead
2008-11-21 17:52   ---------   d-----w   c:\program files\Ahead
2008-11-21 17:51   ---------   d-----w   c:\program files\CyberLink DVD Solution
2008-11-21 17:42   ---------   d-----w   c:\program files\Analog Devices
2008-11-21 17:32   ---------   d-----w   c:\program files\Usługi online
2008-10-24 11:21   455,296   ----a-w   c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 12:42   286,720   ----a-w   c:\windows\system32\gdi32.dll
2008-10-16 20:33   826,368   ----a-w   c:\windows\system32\wininet.dll
2008-10-16 13:13   202,776   ----a-w   c:\windows\system32\wuweb.dll
2008-10-16 13:13   1,809,944   ----a-w   c:\windows\system32\wuaueng.dll
2008-10-16 13:12   561,688   ----a-w   c:\windows\system32\wuapi.dll
2008-10-16 13:12   323,608   ----a-w   c:\windows\system32\wucltui.dll
2008-10-16 13:09   92,696   ----a-w   c:\windows\system32\cdm.dll
2008-10-16 13:09   51,224   ----a-w   c:\windows\system32\wuauclt.exe
2008-10-16 13:09   43,544   ----a-w   c:\windows\system32\wups2.dll
2008-10-16 13:08   34,328   ----a-w   c:\windows\system32\wups.dll
2008-10-03 10:04   247,326   ----a-w   c:\windows\system32\strmdll.dll
2008-09-30 15:43   1,286,152   ----a-w   c:\windows\system32\msxml4.dll
2008-09-15 15:27   1,846,656   ----a-w   c:\windows\system32\win32k.sys
2004-10-01 14:00   40,960   ----a-w   c:\program files\Uninstall_CDS.exe
2008-12-15 08:05   66,576   ----a-w   c:\program files\mozilla firefox\components\febccdcf.dll
.

(((((((((((((((((((((((((((((((((((((   Wpisy startowe rejestru   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ada8c222-95d2-47b5-950b-aebc0a508839}]
2006-04-08 13:15   52752   --a------   c:\windows\system32\spria.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadu-Gadu"="c:\program files\Gadu-Gadu\gg.exe" [2008-11-21 2127296]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-11 7630848]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-11 86016]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-01-29 30248]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-01-29 46632]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-02-01 255528]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-03-12 663552]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-01-26 65536]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2004-10-27 c:\windows\system32\HdAShCut.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Tomek Ostrowski\Menu Start\Programy\Autostart\
gajim.lnk - c:\program files\Gajim\src\gajim.exe [2008-12-15 89600]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\xchat\\xchat.exe"=
"c:\\Program Files\\Football Manager 2009\\fm.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:ut
"6112:UDP"= 6112:UDP:ut

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-11-21 111184]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-11-21 20560]
S1 8619261b;8619261b;c:\windows\system32\drivers\8619261b.sys []
S3 SetupNTGLM7X;SetupNTGLM7X;\??\E:\NTGLM7X.sys []
.
Zawartość folderu 'Zaplanowane zadania'

2008-11-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Skan uzupełniający -------
.
IE: {{88CFA58B-A63F-4A94-9C54-0C7A58E3333E} - {17A84966-F1E9-4645-AA9E-5E771EE1C859} - c:\progra~1\NUCLEA~1\VideoGet\Plugins\VIDEOG~1.DLL
FF - ProfilePath - c:\documents and settings\Tomek Ostrowski\Dane aplikacji\Mozilla\Firefox\Profiles\pj9k26nu.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.pl
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-15 21:15:50
Windows 5.1.2600 Dodatek Service Pack 3 NTFS

skanowanie ukrytych procesów ...

skanowanie ukrytych wpisów autostartu ...

skanowanie ukrytych plików ...

skanowanie pomyślnie ukończone
ukryte pliki: 0

**************************************************************************
.
Czas ukończenia: 2008-12-15 21:16:28
ComboFix-quarantined-files.txt  2008-12-15 20:16:17

Przed: 20 243 017 728 bajtów wolnych
Po: 20,234,498,048 bajtów wolnych

224   --- E O F ---   2008-12-12 20:02:43


[wojtas]

uruchom narzędzie
The Avenger
w bialym polu wklej tekst:

Files to delete:

c:\windows\system32\spria.dll

Registry keys to delete:

HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ada8c222-95d2-47b5-950b-aebc0a508839}

Kopiujesz - Klikasz na Paste Script from Clipboard - Execute - Potwierdzasz i zgadzasz się na restart klikając OK.
Po wykonaniu skasuj z dysku plik: C:\Avenger\backup.zip i wklej raport na forum C:\avenger.txt


1. Ściągnij OTMoveIt i go włacz i odpal go z opcji CleanUp oraz skasuj folder C:\Qoobox
2. wykonaj optymalizację windowsa
3.sciagnij ATF_Cleaner
zaznacz
Windows Temp
All users Temp
Temporary internet files
Recycle Bin
i wcisnij EMPTY SELECTED
4.Wyłącz przywracanie systemu ( właściwości mój komputer-zakładka przywracanie - wyłącz przywracanie na wszystkich dyskach). Po chwili włącz je powrotem
5.Przeskanuj obszar mojego komputera http://www.kaspersky.pl/virusscanner.html (uruchom przez IE) Daj raport z niego na forum.

i tym:

FixIEDef.

[raiylo]

Skaner online nic nie wykrył, to znaczy jest czysto, nie ma zainfekowanych plików.

FixIEDef:

Kod: Zaznacz wszystko

********************************************************************************
*                                                                              *
*                                 FixIEDef Log                                 *
*                              Version 1.7.20.6874                             *
*                                                                              *
********************************************************************************

Created at 00:05:03 on Tuesday, December 16, 2008

Time Zone            :

Logged On User       : Tomek Ostrowski

Operating System     : Microsoft Windows XP Professional Dodatek Service Pack 3
OS Version           : 5.1.2600
System Langauge      : Polish
Keyboard Layout      : Polish
Processor            : X86 AMD Athlon(tm) 64 X2 Dual Core Processor 3600+

System Drive         : C:\
Windows Directory    : C:\WINDOWS
System Directory     : C:\WINDOWS\system32

System Drive Type    : Fixed
System Drive Status  : READY
System Drive Label   :
System Drive Size    : 28.47 GB
System Drive Free    : 20.84 GB

Total Physical Memory: 1023 MB
Free Physical Memory : 554 MB
Total Page File      : 1023 MB
Free Page File       : 2114 MB
Total Virtual Memory : 2048 MB
Free Virtual Memory  : 1971 MB

Boot State           : Normal boot

--------------------------------------------------------------------------------

!!! userinit.exe is Clean !!!

--------------------------------------------------------------------------------

!!! Files that have been deleted !!!

No malicious files found

--------------------------------------------------------------------------------

!!! Directories that have been removed !!!

No malicious directories to be removed

--------------------------------------------------------------------------------

!!! Registry entries that have been removed !!!

No malicious Registry entries found

================================================================================

All Done :)

ShadowPuterDude

Safe Surfing!!!

The Avenger:

Kod: Zaznacz wszystko

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error:  file "c:\windows\system32\spria.dll" not found!
Deletion of file "c:\windows\system32\spria.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  registry key "HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ada8c222-95d2-47b5-950b-aebc0a508839}" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ada8c222-95d2-47b5-950b-aebc0a508839}" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Completed script processing.

*******************

Finished!  Terminate.


[Okocza]

jaki, jest ok

[raiylo]

Ok dziekuje serdecznie, rzeczywiscie wyglada na to ze juz wszystko ze soba ladnie wspolgra Szybka i konkretna pomoc, na was zawsze mozna liczyc ;] jeszcze raz dziekuje i pozdrawiam