
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:47:30, on 2009-01-04
Platform: Windows XP Dodatek SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\A4Tech\Mouse\Amoumain.exe
C:\Program Files\ESET\egui.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\ESET\ekrn.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O1 - Hosts: Set Realmlist 91.121.91.134
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {F880A4A8-C436-4AC4-AFD1-AA0BDC9552DD} - (no file)
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [Dl] C:\Program Files\svehost.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Pobierz z &BitSpirit - C:\Program Files\BitSpirit\bsurl.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ekrn.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe (file missing)
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
--
End of file - 4460 bytes
ComboFix 09-01-02.01 - Fargo 2009-01-04 16:06:02.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1250.1.1045.18.3071.2499 [GMT 1:00]
Uruchomiony z: c:\documents and settings\Fargo\Pulpit\ComboFix.exe
* Utworzono nowy punkt przywracania
* Resident AV is active
.
((((((((((((((((((((((((( Pliki utworzone od 2008-12-04 do 2009-01-04 )))))))))))))))))))))))))))))))
.
2009-01-04 15:02 . 2009-01-04 15:02 <DIR> d-------- c:\program files\Ashampoo
2009-01-04 14:34 . 2009-01-04 14:42 <DIR> d-------- c:\windows\SxsCaPendDel
2009-01-03 14:10 . 2009-01-03 14:10 <DIR> d-------- c:\documents and settings\Fargo\.ssh
2009-01-03 14:08 . 2009-01-04 11:31 <DIR> d-------- c:\documents and settings\Fargo\.nx
2008-12-30 22:06 . 2008-07-11 01:28 79,896 --a------ c:\windows\system32\perf-MSSQL$SQLEXPRESS-sqlctr10.0.1600.22.dll
2008-12-30 22:06 . 2008-07-11 01:28 50,200 --a------ c:\windows\system32\perf-SQLAgent$SQLEXPRESS-sqlagtctr10.0.1600.22.dll
2008-12-30 22:05 . 2008-12-30 22:05 <DIR> d-------- c:\windows\system32\RsFx
2008-12-30 22:00 . 2009-01-04 14:47 <DIR> d-------- c:\program files\Microsoft.NET
2008-12-30 22:00 . 2009-01-04 14:47 <DIR> d-------- c:\program files\Microsoft Visual Studio 9.0
2008-12-30 22:00 . 2009-01-04 14:47 <DIR> d-------- c:\documents and settings\All Users\Dane aplikacji\Microsoft Help
2008-12-30 21:58 . 2008-12-30 21:58 <DIR> d-------- c:\windows\system32\XPSViewer
2008-12-30 21:58 . 2008-12-30 21:58 <DIR> d-------- c:\program files\Reference Assemblies
2008-12-30 21:58 . 2008-12-30 21:58 <DIR> d-------- c:\program files\MSBuild
2008-12-30 21:57 . 2008-07-06 13:06 1,676,288 --------- c:\windows\system32\xpssvcs.dll
2008-12-30 21:57 . 2008-07-06 13:06 1,676,288 -----c--- c:\windows\system32\dllcache\xpssvcs.dll
2008-12-30 21:57 . 2008-07-06 11:50 597,504 -----c--- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2008-12-30 21:57 . 2008-07-06 13:06 575,488 --------- c:\windows\system32\xpsshhdr.dll
2008-12-30 21:57 . 2008-07-06 13:06 575,488 -----c--- c:\windows\system32\dllcache\xpsshhdr.dll
2008-12-30 21:57 . 2008-07-06 13:06 117,760 --------- c:\windows\system32\prntvpt.dll
2008-12-30 21:57 . 2008-07-06 13:06 89,088 -----c--- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2008-12-30 21:00 . 2009-01-04 11:07 <DIR> d-------- c:\documents and settings\Fargo\Dane aplikacji\gtk-2.0
2008-12-30 20:59 . 2008-12-30 20:59 <DIR> d-------- c:\documents and settings\Fargo\.tortoisehg
2008-12-30 20:27 . 2008-12-30 20:27 <DIR> d-------- c:\program files\MySQL
2008-12-30 20:11 . 2006-04-13 11:30 1,073,152 --a------ c:\windows\system32\libmysql_c.dll
2008-12-23 20:19 . 2008-12-29 01:21 <DIR> d-------- c:\program files\nLite
2008-12-23 16:36 . 2008-12-23 16:36 <DIR> d-------- c:\documents and settings\All Users\Dane aplikacji\Ubisoft
2008-12-22 02:31 . 2008-12-22 02:31 <DIR> dr-h----- c:\documents and settings\Fargo\Dane aplikacji\SecuROM
2008-12-18 23:34 . 2008-12-20 22:29 <DIR> d-------- c:\program files\sXe Injected
2008-12-13 14:14 . 2008-12-13 14:15 <DIR> d-------- c:\documents and settings\Fargo\Dane aplikacji\PE Explorer
2008-12-12 18:46 . 2008-12-12 18:46 <DIR> d-------- c:\documents and settings\All Users\Dane aplikacji\Saitek
2008-12-12 18:27 . 2004-01-12 00:00 348,160 --a------ c:\windows\system32\msvcr71.dll
2008-12-12 13:21 . 2008-12-12 13:21 266 --a------ c:\windows\game.ini
2008-12-12 13:15 . 2008-12-12 13:15 <DIR> d--hs---- c:\windows\ftpcache
2008-12-12 12:46 . 2008-12-12 12:46 <DIR> d-------- c:\program files\Trend Micro
2008-12-12 12:12 . 2008-12-12 12:12 107,888 --a------ c:\windows\system32\CmdLineExt.dll
2008-12-12 12:11 . 2008-12-12 12:11 <DIR> d-------- c:\documents and settings\Fargo\Dane aplikacji\Leadertech
2008-12-12 12:06 . 2008-03-05 15:56 3,786,760 --a------ c:\windows\system32\D3DX9_37.dll
2008-12-12 12:06 . 2007-07-19 18:14 3,727,720 --a------ c:\windows\system32\d3dx9_35.dll
2008-12-12 12:06 . 2007-05-16 16:45 3,497,832 --a------ c:\windows\system32\d3dx9_34.dll
2008-12-12 12:06 . 2007-03-12 16:42 3,495,784 --a------ c:\windows\system32\d3dx9_33.dll
2008-12-12 12:06 . 2006-11-29 13:06 3,426,072 --a------ c:\windows\system32\d3dx9_32.dll
2008-12-12 12:06 . 2005-05-26 15:34 2,297,552 --a------ c:\windows\system32\d3dx9_26.dll
2008-12-12 12:06 . 2007-04-04 18:53 81,768 --a------ c:\windows\system32\xinput1_3.dll
2008-12-11 16:34 . 2008-12-11 16:34 427 --a------ c:\windows\ODBC.INI
2008-12-11 16:33 . 2008-12-11 16:33 <DIR> d-------- c:\windows\ShellNew
2008-12-10 00:04 . 2008-10-03 11:04 247,326 -----c--- c:\windows\system32\dllcache\strmdll.dll
2008-12-09 12:27 . 2008-12-09 12:32 <DIR> d-a------ c:\documents and settings\All Users\Dane aplikacji\TEMP
2008-12-09 12:27 . 2006-09-28 16:05 2,414,360 --a------ c:\windows\system32\d3dx9_31.dll
2008-12-07 15:56 . 2008-12-07 15:56 <DIR> d-------- c:\program files\Ventrilo
2008-12-07 15:56 . 2008-12-07 15:56 262 --a------ c:\windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
2008-12-07 14:31 . 2008-12-07 14:31 <DIR> d--h----- c:\windows\PIF
2008-12-07 14:00 . 2008-12-12 13:08 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-04 14:47 --------- d-----w c:\program files\Firefox
2009-01-04 13:47 --------- d-----w c:\program files\VentriloMIX
2009-01-03 14:57 --------- d-----w c:\program files\DC++
2009-01-02 20:13 --------- d-----w c:\documents and settings\Fargo\Dane aplikacji\foobar2000
2008-12-24 18:29 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-21 23:56 --------- d-----w c:\documents and settings\Fargo\Dane aplikacji\Hamachi
2008-12-21 22:30 16,224 ----a-w c:\windows\system32\drivers\hamachi.sys
2008-12-18 17:33 --------- d-----w c:\program files\ALLPlayer
2008-12-13 20:06 --------- d-----w c:\documents and settings\Fargo\Dane aplikacji\mIRC
2008-12-12 12:07 --------- d-----w c:\program files\CursorXP
2008-12-07 14:57 --------- d-----w c:\documents and settings\Fargo\Dane aplikacji\Ventrilo
2008-12-06 18:07 --------- d-----w c:\documents and settings\Fargo\Dane aplikacji\OpenOffice.ux.pl2
2008-12-05 11:26 --------- d-----w c:\documents and settings\All Users\Dane aplikacji\SWiSHMax2WorkFolder
2008-12-04 10:44 --------- d-----w c:\documents and settings\Fargo\Dane aplikacji\Hermetic Systems
2008-12-03 13:52 --------- d-----w c:\program files\notepad2
2008-12-03 11:02 --------- d-----w c:\documents and settings\Fargo\Dane aplikacji\Logitech
2008-12-01 23:38 --------- d-----w c:\program files\BitSpirit
2008-12-01 16:15 --------- d-----w c:\documents and settings\Fargo\Dane aplikacji\TC PowerPack
2008-11-30 21:49 --------- d-----w c:\program files\Common Files\InstallShield
2008-11-30 15:13 --------- d-----w c:\program files\Lavalys
2008-11-29 16:32 --------- d-----w c:\documents and settings\Fargo\Dane aplikacji\Nero
2008-11-29 16:31 --------- d-----w c:\program files\Common Files\Nero
2008-11-29 16:30 --------- d-----w c:\program files\Nero
2008-11-29 16:30 --------- d-----w c:\documents and settings\All Users\Dane aplikacji\Nero
2008-11-29 16:25 --------- d-----w c:\program files\Ahead
2008-11-20 13:15 --------- d-----w c:\program files\SWiSH Max2
2008-11-20 11:44 --------- d-----w c:\program files\microsoft frontpage
2008-11-19 19:25 --------- d-----w c:\program files\Common Files\SWiSHzone.com
2008-11-18 22:13 --------- d-----w c:\program files\Macromedia
2008-11-17 19:39 --------- d-----w c:\program files\foobar2000
2008-11-17 19:15 --------- d-----w c:\program files\Common Files\Adobe
2008-11-17 19:01 --------- d-----w c:\documents and settings\Fargo\Dane aplikacji\FindeXer
2008-11-17 19:00 --------- d-----w c:\program files\DAEMON Tools Lite
2008-11-17 18:58 717,296 ----a-w c:\windows\system32\drivers\sptd.sys
2008-11-17 18:58 --------- d-----w c:\documents and settings\Fargo\Dane aplikacji\DAEMON Tools
2008-11-17 16:40 8,182 ----a-w c:\windows\BricoPackFoldersDelete.cmd
2008-11-17 16:40 126,912 ----a-w c:\windows\BricoPackUninst.cmd
2008-11-17 16:39 --------- d-----w c:\program files\RK Launcher
2008-11-17 16:21 --------- d-----w c:\program files\TC PowerPack
2008-11-17 16:11 --------- d-----w c:\program files\Teamspeak2
2008-11-17 16:11 --------- d-----w c:\documents and settings\Fargo\Dane aplikacji\teamspeak2
2008-11-17 16:02 --------- d-----w c:\program files\Realtek
2008-11-17 15:35 319,488 ----a-w c:\windows\HideWin.exe
2008-11-17 15:20 --------- d-----w c:\program files\Konnekt
2008-11-17 15:18 --------- d-----w c:\program files\ESET
2008-11-17 14:55 --------- d-----w c:\program files\Screamer Radio
2008-11-17 14:41 --------- d-----w c:\program files\Java
2008-11-17 14:40 --------- d-----w c:\program files\Common Files\Java
2008-11-17 14:10 --------- d-----w c:\program files\A4Tech
2008-11-17 14:09 --------- d-----w c:\documents and settings\Fargo\Dane aplikacji\InterTrust
2008-11-17 14:08 --------- d-----w c:\program files\Brownie
2008-11-17 14:07 --------- d-----w c:\program files\Brother
2008-11-17 14:00 737,280 ----a-w c:\windows\iun6002.exe
2008-11-17 14:00 --------- d-----w c:\program files\Codec Pack - All In 1
2008-11-17 13:57 --------- d-----w c:\documents and settings\Fargo\Dane aplikacji\ESET
2008-11-17 13:56 77,177 ----a-w c:\program files\svehost.exe
2008-11-17 13:56 --------- d-----w c:\documents and settings\All Users\Dane aplikacji\ESET
2008-11-17 13:51 --------- d-----w c:\documents and settings\Fargo\Dane aplikacji\ATI
2008-11-17 13:51 --------- d-----w c:\documents and settings\All Users\Dane aplikacji\ATI
2008-11-17 13:49 --------- d-----w c:\program files\ATI Technologies
2008-11-17 13:47 --------- d-----w c:\program files\Common Files\ATI Technologies
2008-11-17 13:42 --------- d-----w c:\program files\GIGABYTE
2008-11-17 13:42 --------- d-----w c:\documents and settings\All Users\Dane aplikacji\InstallShield
2008-11-17 13:38 15,600 ----a-w c:\windows\gdrv.sys
2008-11-17 13:35 --------- d-----w c:\program files\DIFX
2008-11-17 13:33 --------- d-----w c:\documents and settings\Fargo\Dane aplikacji\InstallShield
2008-11-17 12:41 --------- d-----w c:\program files\Usługi online
2008-10-23 12:42 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:33 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 13:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 13:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 13:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 13:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 13:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 13:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 13:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 13:08 34,328 ----a-w c:\windows\system32\wups.dll
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"Dl"="c:\program files\svehost.exe" [2008-11-17 77177]
"egui"="c:\program files\ESET\egui.exe" [2008-06-10 1447168]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-14 171520]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-23 c:\windows\RTHDCPL.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\All Users\Menu Start\Programy\Autostart\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-11-17 113664]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Menu Start\Programy\Autostart\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Fargo^Menu Start^Programy^Autostart^GIGABYTE VGA Utility.lnk]
path=c:\documents and settings\Fargo\Menu Start\Programy\Autostart\GIGABYTE VGA Utility.lnk
backup=c:\windows\pss\GIGABYTE VGA Utility.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-09-20 15:35 202024 c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-07-24 16:02 490952 c:\program files\DAEMON Tools Lite\daemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WheelMouse]
--a------ 2006-02-17 10:14 163840 c:\program files\A4Tech\Mouse\Amoumain.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\BitSpirit\\BitSpirit.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-06-10 34312]
R4 atidgllk;atidgllk;c:\program files\GIGABYTE\VGA Utility\atidgllk.sys [2006-07-19 12048]
R4 ekrn;Eset Service;c:\program files\ESET\ekrn.exe [2008-06-10 468224]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;c:\program files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt [2008-11-30 23152]
S3 SaiH0486;SaiH0486;c:\windows\system32\drivers\SaiH0486.sys [2007-05-01 132232]
S3 w89c940;Sterownik karty Winbond W89C940 PCI Ethernet Adapter;c:\windows\system32\drivers\w940nd.sys [2008-11-17 16925]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;"c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE" --> c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [?]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [2008-07-10 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);"c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE" -i SQLEXPRESS --> c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [?]
*Newly Created Service* - PROCEXP90
.
.
------- Skan uzupełniający -------
.
uStart Page = about:blank
IE: E&ksport do programu Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Pobierz z &BitSpirit - c:\program files\BitSpirit\bsurl.htm
IE: ÓñČĚŘľ«ÁéĎÂÔŘ(&B)
FF - ProfilePath - c:\documents and settings\Fargo\Dane aplikacji\Mozilla\Firefox\Profiles\3v8dla0b.default\
FF - prefs.js: browser.startup.homepage - hxxp://google.pl/
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-04 16:06:38
Windows 5.1.2600 Dodatek Service Pack 3 NTFS
skanowanie ukrytych procesów ...
skanowanie ukrytych wpisów autostartu ...
skanowanie ukrytych plików ...
skanowanie pomyślnie ukończone
ukryte pliki: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\EverestDriver]
"ImagePath"="\??\c:\program files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt"
.
--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------
- - - - - - - > 'winlogon.exe'(796)
c:\windows\system32\Ati2evxx.dll
.
Czas ukończenia: 2009-01-04 16:07:07
ComboFix-quarantined-files.txt 2009-01-04 15:06:58
Przed: 21 562 806 272 bajtów wolnych
Po: 21,570,613,248 bajtów wolnych
WindowsXP-KB310994-SP2-Pro-BootDisk-PLK.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer
231 --- E O F --- 2008-12-19 01:28:56
I found somewhere here in the threads that a file named svehost.exe may be infected. For that reason, I would like to ask you to check this log. I have the ESET NOD32 3.0.667.0 antivirus installed; at the moment I do not have a firewall, though it is not ruled out that I will install one. Recently the system seems to have started running more slowly; sporadically but regularly it has stutters that are getting longer and longer.