Log - w kazdym folderze plik *.eml, wyskakującepowiadomienia

[Wojtaz]

Witam.
Próbowałem kilka razy Combofixem i nic...
Logi:
Combofix

Kod: Zaznacz wszystko

ComboFix 09-04-14.09 - Krzysiek 2009-04-14 16:07.10 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1250.48.1045.18.255.74 [GMT 2:00]
Uruchomiony z: c:\documents and settings\Krzysiek\Pulpit\ComboFix.exe

UWAGA - TEN KOMPUTER NIE MA ZAINSTALOWANEJ KONSOLI ODZYSKIWANIA !!
.

(((((((((((((((((((((((((((((((((((((((   Usunięto   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Common Files\System\ado\readme.eml
c:\program files\NetMeeting\readme.eml
c:\windows\system32\runouce.exe

.
(((((((((((((((((((((((((   Pliki utworzone od 2009-03-14 do 2009-04-14  )))))))))))))))))))))))))))))))
.

2009-04-14 09:55 . 2009-04-14 10:09   --------   d-----w   c:\documents and settings\Halina\Ustawienia lokalne\Dane aplikacji\Identities
2009-04-13 07:35 . 2009-04-13 07:35   0   ----a-w   C:\38965
2009-04-11 17:06 . 2009-04-14 13:42   14882   ----a-w   C:\KRZYCHU.eml
2009-04-11 17:06 . 2009-04-14 13:42   14882   ----a-w   c:\documents and settings\KRZYCHU.eml
2009-04-11 07:02 . 2009-04-11 07:02   85728   ----a-w   c:\windows\system32\[u]0[/u]2bd4f9a-600c-561d-1268-87d43cf3d841.exe
2009-04-11 07:02 . 2009-04-11 07:02   60018   ----a-w   c:\windows\system32\utesewqgtqbsge.dll-uninst.exe

.
((((((((((((((((((((((((((((((((((((((((   Sekcja Find3M   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-14 13:14 . 2009-04-11 20:03   14882   ----a-w   c:\program files\Common Files\KRZYCHU.eml
2009-04-14 13:14 . 2009-04-11 20:03   14882   ----a-w   c:\program files\KRZYCHU.eml
2009-04-14 09:59 . 2008-10-23 17:32   --------   d-----w   c:\program files\MyPlayCity
2009-04-12 15:07 . 2009-04-12 14:35   --------   d-----w   c:\program files\Counter-Strike
2009-04-11 20:05 . 2009-03-09 18:46   --------   d-----w   c:\program files\Winamp Toolbar
2009-04-11 20:05 . 2008-12-31 15:46   --------   d-----w   c:\program files\Realtek Sound Manager
2009-04-11 20:05 . 2008-08-19 15:04   --------   d-----w   c:\program files\Winamp
2009-04-11 20:05 . 2008-08-17 19:37   --------   d-----w   c:\program files\WinAce
2009-04-11 20:05 . 2008-06-17 16:43   --------   d-----w   c:\program files\Skype
2009-04-11 20:05 . 2008-06-17 15:35   --------   d-----w   c:\program files\Usługi online
2009-04-11 20:05 . 2008-12-31 15:46   --------   d-----w   c:\program files\Realtek AC97
2009-04-11 20:04 . 2008-06-17 21:26   --------   d-----w   c:\program files\Philips
2009-04-11 20:04 . 2008-06-18 17:37   --------   d-----w   c:\program files\NVIDIA Corporation
2009-04-11 20:04 . 2008-06-17 15:49   --------   d-----w   c:\program files\Opera
2009-04-11 20:04 . 2009-02-04 18:03   --------   d-----w   c:\program files\NAPI-PROJEKT
2009-04-11 20:04 . 2008-10-23 17:32   --------   d-----w   c:\program files\MyPlayCity.com
2009-04-11 20:04 . 2008-09-03 13:31   --------   d-----w   c:\program files\Microsoft.NET
2009-04-11 20:04 . 2008-06-17 15:38   --------   d-----w   c:\program files\microsoft frontpage
2009-04-11 20:04 . 2008-08-26 21:41   --------   d-----w   c:\program files\Java
2009-04-11 20:04 . 2008-06-17 16:46   --------   d--h--w   c:\program files\InstallShield Installation Information
2009-04-11 20:04 . 2008-07-21 13:47   --------   d-----w   c:\program files\ICQToolbar
2009-04-11 17:08 . 2009-03-09 18:40   --------   d-----w   c:\documents and settings\Krzysiek\Dane aplikacji\Winamp
2009-04-11 17:08 . 2008-06-18 16:16   --------   d-----w   c:\documents and settings\Krzysiek\Dane aplikacji\ViStart
2009-04-11 17:08 . 2008-06-18 16:16   --------   d-----w   c:\documents and settings\Krzysiek\Dane aplikacji\Tibia
2009-04-11 17:08 . 2008-06-18 16:16   --------   d-----w   c:\documents and settings\Krzysiek\Dane aplikacji\Thinstall
2009-04-11 17:08 . 2008-06-17 16:43   --------   d-----w   c:\documents and settings\Krzysiek\Dane aplikacji\Skype
2009-04-11 17:08 . 2008-11-02 19:53   --------   d-----w   c:\documents and settings\Krzysiek\Dane aplikacji\Notepad++
2009-04-11 17:08 . 2008-10-11 21:27   --------   d-----w   c:\documents and settings\Krzysiek\Dane aplikacji\Nowe Gadu-Gadu
2009-04-11 17:08 . 2008-07-18 20:26   --------   d-----w   c:\documents and settings\Krzysiek\Dane aplikacji\Media Player Classic
2009-04-11 17:08 . 2008-08-08 18:47   --------   d-----w   c:\documents and settings\Krzysiek\Dane aplikacji\GetRightToGo
2009-04-11 17:08 . 2008-07-21 22:20   --------   d-----w   c:\documents and settings\Krzysiek\Dane aplikacji\ICQ Toolbar
2009-04-11 17:08 . 2008-07-15 14:27   --------   d-----w   c:\documents and settings\Krzysiek\Dane aplikacji\InstallShield
2009-04-11 17:07 . 2009-01-01 18:15   --------   d-----w   c:\documents and settings\Krzysiek\Dane aplikacji\BESTplayer
2009-04-11 17:07 . 2008-10-09 18:18   --------   d-----w   c:\documents and settings\Krzysiek\Dane aplikacji\DMCache
2009-04-11 17:07 . 2008-10-01 11:08   --------   d-----w   c:\documents and settings\Krzysiek\Dane aplikacji\fltk.org
2009-04-11 17:07 . 2008-09-10 19:03   --------   d-----w   c:\documents and settings\Krzysiek\Dane aplikacji\DAEMON Tools
2009-04-11 17:07 . 2008-06-18 16:13   --------   d-----w   c:\documents and settings\Krzysiek\Dane aplikacji\Gadu-Gadu
2009-04-11 17:07 . 2008-08-20 06:44   --------   d-----w   c:\documents and settings\Krzysiek\Dane aplikacji\alot
2009-04-11 17:07 . 2008-06-21 15:27   --------   d-----w   c:\documents and settings\Halina\Dane aplikacji\Skype
2009-04-11 17:07 . 2008-08-12 18:14   --------   d-----w   c:\documents and settings\Halina\Dane aplikacji\ICQ Toolbar
2009-04-11 17:06 . 2008-09-30 18:58   --------   d-----w   c:\documents and settings\Halina\Dane aplikacji\DivX
2009-04-11 17:06 . 2009-02-28 18:00   --------   d-----w   c:\documents and settings\All Users\Dane aplikacji\Wru
2009-04-11 17:06 . 2008-12-31 14:56   --------   d-----w   c:\documents and settings\All Users\Dane aplikacji\{148D8B8A-8F96-4822-81EC-D510B626B7D5}
2009-04-11 17:06 . 2009-03-09 18:46   --------   d-----w   c:\documents and settings\All Users\Dane aplikacji\Winamp Toolbar
2009-04-11 17:06 . 2008-06-18 21:57   --------   d-----w   c:\documents and settings\All Users\Dane aplikacji\nView_Profiles
2009-04-11 17:06 . 2008-06-18 21:33   --------   d-----w   c:\documents and settings\All Users\Dane aplikacji\NVIDIA
2009-04-11 17:06 . 2008-06-17 16:42   --------   d-----w   c:\documents and settings\All Users\Dane aplikacji\Skype
2009-04-11 17:06 . 2008-08-31 17:53   --------   d-----w   c:\documents and settings\All Users\Dane aplikacji\Kaspersky Lab Setup Files
2009-04-11 17:06 . 2008-12-21 17:17   --------   d-----w   c:\documents and settings\All Users\Dane aplikacji\Bluetooth
2009-04-11 17:06 . 2008-08-20 06:44   --------   d-----w   c:\documents and settings\All Users\Dane aplikacji\DFX
2009-03-31 17:05 . 2001-10-26 17:15   68554   ----a-w   c:\windows\system32\perfc015.dat
2009-03-31 17:05 . 2001-10-26 17:15   439538   ----a-w   c:\windows\system32\perfh015.dat
2009-03-09 03:19 . 2009-01-11 12:43   410984   ----a-w   c:\windows\system32\deploytk.dll
2009-02-10 23:52 . 2008-04-14 20:51   21590528   ----a-w   c:\windows\system32\logonuiX.exe
2009-02-04 21:18 . 2009-02-04 21:18   98304   ----a-w   c:\windows\system32\CmdLineExt.dll
2009-01-31 18:38 . 2008-06-17 15:37   1248   --sha-w   C:\zlwmvefv.sys
2009-01-29 20:36 . 2009-01-26 23:12   90   ----a-w   C:\m.txt
2008-11-10 13:47 . 2008-11-10 13:47   133   ----a-w   c:\documents and settings\Krzysiek\Ustawienia lokalne\Dane aplikacji\fusioncache.dat
2008-10-28 21:35 . 2008-06-18 21:33   42560   ----a-w   c:\documents and settings\Krzysiek\Ustawienia lokalne\Dane aplikacji\GDIPFONTCACHEV1.DAT
.

(((((((((((((((((((((((((((((   SnapShot@2009-04-14_13.51.14   )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-14 14:01 . 2009-04-14 14:01   16384              c:\windows\temp\Perflib_Perfdata_538.dat
+ 2007-05-22 12:52 . 2007-05-22 12:53   450560              c:\windows\system32\activexdebugger32.exe
+ 2008-06-17 16:46 . 2006-08-03 04:12   647168              c:\windows\soundman.exe
.
(((((((((((((((((((((((((((((((((((((   Wpisy startowe rejestru   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane 
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{57BCA5FA-5DBB-45a2-B558-1755C3F6253B}"= "c:\program files\Winamp Toolbar\winamptb.dll" [2009-02-19 1262888]

[HKEY_CLASSES_ROOT\clsid\{57bca5fa-5dbb-45a2-b558-1755c3f6253b}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="d:\program files\DAEMON Tools Lite\daemon.exe" [2007-12-29 486856]
"ares"="d:\program files\Ares\Ares.exe" [2007-05-04 967676]
"Gadu-Gadu"="d:\program files\Gadu-Gadu\gg.exe" [2007-07-09 2125756]
"ALLUpdate"="d:\program files\ALLPlayer\ALLUpdate.exe" [2008-11-24 876540]
"Nowe Gadu-Gadu"="d:\program files\Nowe Gadu-Gadu\gg.exe" [2009-02-16 9383012]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BigDogPath"="c:\windows\VM_STI.EXE" [2004-06-09 40960]
"DrvIcon"="d:\program files\Vista Drive Icon\DrvIcon.exe" [2008-04-13 49152]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-18 7606272]
"Adobe Reader Speed Launcher"="d:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 222572]
"WinampAgent"="d:\program files\Winamp\winampa.exe" [2009-02-25 37888]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2006-08-03 647168]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Halina\Menu Start\Programy\Autostart\
KRZYCHU.eml [2009-4-14 14882]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\logonuiX.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
2008-04-14 20:51   15360   ----a-w   c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogonStudio]
2002-09-03 16:38   1075759   ----a-w   d:\program files\WinCustomize\LogonStudio\LogonStudio.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 20:51   1786364   ------w   c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2006-05-18 21:35   7606272   ----a-w   c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-08-24 18:57   258556   ----a-w   c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2009-02-25 21:26   37888   ----a-w   d:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2006-05-18 21:35   86016   ----a-w   c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2006-05-18 21:35   1519616   ----a-w   c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2006-08-03 04:12   647168   ----a-w   c:\windows\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\Gadu-Gadu\\gg.exe"=
"c:\\Program Files\\Ahead\\SIPPS\\SIPPS.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"d:\\Program Files\\Aspyr Media, Inc\\THAW\\Game\\THAW.exe"=
"c:\\Documents and Settings\\All Users\\Dane aplikacji\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 2009\\Polish\\setup.exe"=
"d:\\Program Files\\Nowe Gadu-Gadu\\gg.exe"=
"d:\\Program Files\\Ares\\Ares.exe"=
"d:\\Program Files\\Skype\\Phone\\Skype.exe"=
"d:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"d:\\Program Files\\UltraVNC\\vncviewer.exe"=
"d:\\Program Files\\Wru\\Wru.exe"=
"d:\\Program Files\\Valve\\hl.exe"=
"d:\\cs\\cs 1 6 patch full v29.exe"=
"c:\\WINDOWS\\System32\\PAC.EXE"=
"d:\\Program Files\\DAEMON Tools Lite\\daemon.exe"=
"d:\\Program Files\\Vista Drive Icon\\DrvIcon.exe"=
"c:\\WINDOWS\\System32\\netsh.exe"=
"c:\\WINDOWS\\system32\\activexdebugger32.exe"=
"c:\\WINDOWS\\system32\\userinit.exe"=
"c:\\Program Files\\Outlook Express\\msimn.exe"=
"d:\\Program Files\\Trend Micro\\HijackThis\\HijackThis.exe"=
"c:\\Documents and Settings\\Krzysiek\\Pulpit\\ComboFix.exe"=
"c:\\WINDOWS\\VM_STI.EXE"=
"c:\\DOCUME~1\\Krzysiek\\USTAWI~1\\Temp\\vikdyq.exe"=
"c:\\DOCUME~1\\Krzysiek\\USTAWI~1\\Temp\\winmysov.exe"=
"c:\\DOCUME~1\\Krzysiek\\USTAWI~1\\Temp\\winufsxc.exe"=
"c:\\DOCUME~1\\Krzysiek\\USTAWI~1\\Temp\\winyoudyd.exe"=
"c:\\DOCUME~1\\Krzysiek\\USTAWI~1\\Temp\\dvouqd.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5900:TCP"= 5900:TCP:vnc5900
"5800:TCP"= 5800:TCP:vnc5800

R3 Start BT in service;Start BT in service;d:\program files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe [2007-04-21 141820]
S3 abp470n5;abp470n5; [x]
S3 PhTVTune;LifeView FlyVideo WDM TV Tuner;c:\windows\system32\DRIVERS\PhTVTune.sys [2002-07-16 19616]


--- Inne Usługi/Sterowniki w Pamięci ---

*Deregistered* - BootScreen

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{76a522b3-429f-11dd-8749-00001cd8ba0c}]
\Shell\Auto\command - J:\activexdebugger32.exe f
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL activexdebugger32.exe f
\Shell\explore\Command - J:\activexdebugger32.exe f
\Shell\open\Command - J:\activexdebugger32.exe f

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f5f43132-4934-11dd-875a-00001cd8ba0c}]
\Shell\Auto\command - I:\activexdebugger32.exe f
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL activexdebugger32.exe f
\Shell\explore\Command - I:\activexdebugger32.exe f
\Shell\open\Command - I:\activexdebugger32.exe f
.
- - - - USUNIĘTO PUSTE WPISY - - - -

WebBrowser-{4724C5D8-DFA7-417A-A2F5-1EABFEE9B4AC} - (no file)


.
------- Skan uzupełniający -------
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT1392740
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Winamp Search - c:\documents and settings\All Users\Dane aplikacji\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-14 16:10
Windows 5.1.2600 Dodatek Service Pack 3 NTFS

skanowanie ukrytych procesów ... 

skanowanie ukrytych wpisów autostartu ...

skanowanie ukrytych plików ... 

skanowanie pomyślnie ukończone
ukryte pliki: 0

**************************************************************************
.
--------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{13472eeb-4938-49a4-a9de-c1f0b27ea514}]
@Denied: (Full) (Everyone)
"Model"=dword:00000137
"Therad"=dword:0000001e
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
   38,95,44,85,b1,12,f9,90,dd,23,a1,49,8c,bf,1a,9d,fe,41,71,cb,3f,46,a4,7c,ab,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):49,0d,9f,28,9b,89,98,09,7b,88,c7,63,a9,c6,e3,87,db,52,dc,0e,a3,
   34,ff,e7,a9,ca,7c,45,73,cb,2f,d9,d6,b7,85,44,13,2e,8d,48,00,00,00,00,00,00,\
.
Czas ukończenia: ~,10time:~,-3
ComboFix-quarantined-files.txt  2009-04-14 14:12
ComboFix2.txt  2009-04-14 13:54
ComboFix3.txt  2008-10-07 15:30

Przed: 6 971 707 392 bajtów wolnych
Po: 6 954 426 368 bajtów wolnych

244


Kod: Zaznacz wszystko

ComboFix 08-08-18.04 - Krzysiek 2008-10-07 17:27:32.8 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1250.1.1045.18.89 [GMT 2:00]
Running from: C:\Documents and Settings\Krzysiek\Pulpit\ComboFix.exe

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.
- REDUCED FUNCTIONALITY MODE -
.

(((((((((((((((((((((((((   Files Created from 2008-09-07 to 2008-10-07  )))))))))))))))))))))))))))))))
.

2008-10-01 13:08 . 2008-10-01 13:08   <DIR>   d--------   C:\Documents and Settings\Krzysiek\Dane aplikacji\fltk.org
2008-09-30 20:58 . 2008-09-30 20:58   <DIR>   d--------   C:\Documents and Settings\Halina\Dane aplikacji\DivX
2008-09-10 21:03 . 2008-09-10 21:03   <DIR>   d--------   C:\Documents and Settings\Krzysiek\Dane aplikacji\DAEMON Tools
2008-09-10 21:01 . 2008-09-10 21:01   715,248   --a------   C:\WINDOWS\system32\drivers\sptd.sys

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-30 18:50   ---------   d-----w   C:\Documents and Settings\Halina\Dane aplikacji\Skype
2008-09-28 15:51   ---------   d-----w   C:\Documents and Settings\Krzysiek\Dane aplikacji\Skype
2008-09-03 13:31   ---------   d-----w   C:\Program Files\Microsoft.NET
2008-08-31 20:41   ---------   d-----w   C:\Program Files\Common Files\Adobe
2008-08-31 17:53   ---------   d-----w   C:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab Setup Files
2008-08-31 17:48   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
2008-08-26 21:57   ---------   d-----w   C:\Program Files\Sun
2008-08-26 21:57   ---------   d-----w   C:\Program Files\Java
2008-08-26 21:44   ---------   d-----w   C:\Documents and Settings\Krzysiek\Dane aplikacji\alot
2008-08-26 21:36   ---------   d-----w   C:\Program Files\Common Files\Java
2008-08-26 21:35   ---------   d-----w   C:\Program Files\ICQToolbar
2008-08-24 18:57   ---------   d-----w   C:\Program Files\Google
2008-08-22 17:25   ---------   d-----w   C:\Program Files\DFX
2008-08-20 20:53   ---------   d-----w   C:\Program Files\Opera
2008-08-20 06:44   ---------   d-----w   C:\Program Files\Common Files\DFX
2008-08-20 06:44   ---------   d-----w   C:\Program Files\alot
2008-08-20 06:44   ---------   d-----w   C:\Documents and Settings\All Users\Dane aplikacji\DFX
2008-08-19 15:04   ---------   d-----w   C:\Program Files\Winamp
2008-08-18 11:07   ---------   d-----w   C:\Program Files\WinAce
2008-08-17 19:34   162,432   ----a-w   C:\WINDOWS\system32\drivers\vidstub.sys
2008-08-17 19:15   21,590,528   ----a-w   C:\WINDOWS\system32\logonuiX.exe
2008-08-17 18:53   ---------   d-----w   C:\Program Files\Common Files\Stardock
2008-08-12 18:14   ---------   d-----w   C:\Documents and Settings\Halina\Dane aplikacji\ICQ Toolbar
2008-08-08 18:54   ---------   d-----w   C:\Documents and Settings\Krzysiek\Dane aplikacji\GetRightToGo
2008-08-06 13:27   499,712   ----a-w   C:\WINDOWS\system32\msvcp71.dll
2007-05-22 12:53   376,832   --sh--w   C:\WINDOWS\system32\activexdebugger32.exe
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadu-Gadu"="D:\Program Files\Gadu-Gadu\gg.exe" [2007-07-09 09:39 2119104]
"DAEMON Tools Lite"="D:\Program Files\DAEMON Tools Lite\daemon.exe" [2007-12-29 14:05 486856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BigDogPath"="C:\WINDOWS\VM_STI.EXE" [2004-06-09 15:37 40960]
"DrvIcon"="D:\Program Files\Vista Drive Icon\DrvIcon.exe" [2008-04-13 14:39 49152]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-05-18 23:35 7606272]
"Adobe Reader Speed Launcher"="D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 22:51 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="C:\\WINDOWS\\system32\\logonuiX.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2008-04-14 22:51 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogonStudio]
--a------ 2002-09-03 18:38 987187 D:\Program Files\WinCustomize\LogonStudio\LogonStudio.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-14 22:51 1695232 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-05-18 23:35 7606272 C:\WINDOWS\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-08-24 20:57 171448 C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2007-05-15 00:22 35328 D:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2006-05-18 23:35 86016 C:\WINDOWS\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-05-18 23:35 1519616 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
-ra------ 2002-09-11 04:57 46592 C:\WINDOWS\SOUNDMAN.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"D:\\Program Files\\Gadu-Gadu\\gg.exe"=
"C:\\Program Files\\Ahead\\SIPPS\\SIPPS.exe"=
"D:\\ \\mp#\\fovnfs01\\fovnfsu2\\speed2.exe"=
"C:\\Program Files\\Opera\\opera.exe"=
"D:\\Program Files\\Aspyr Media, Inc\\THAW\\Game\\THAW.exe"=
"C:\\Documents and Settings\\All Users\\Dane aplikacji\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 2009\\Polish\\setup.exe"=
"D:\\Program Files\\Skype\\Phone\\Skype.exe"=

R3 usbstor;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 00:15]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{611211b4-8d73-11dd-880c-00001cd8ba0c}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe
.
.
------- Supplementary Scan -------
.
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-07 17:28:14
Windows 5.1.2600 Dodatek Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-10-07 17:30:47
ComboFix-quarantined-files.txt  2008-10-07 15:30:26
ComboFix2.txt  2008-09-07 16:45:33
ComboFix3.txt  2008-09-07 16:40:12
ComboFix4.txt  2008-08-31 17:39:55
ComboFix5.txt  2008-10-05 11:34:05

Pre-Run: 12,087,164,928 bajtów wolnych
Post-Run: 12,113,829,888 bajtów wolnych

119


Kod: Zaznacz wszystko

ComboFix 09-04-14.09 - Krzysiek 2009-04-14 15:47.9 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1250.48.1045.18.255.70 [GMT 2:00]
Uruchomiony z: c:\documents and settings\Krzysiek\Pulpit\ComboFix.exe
* Utworzono nowy punkt przywracania

UWAGA - TEN KOMPUTER NIE MA ZAINSTALOWANEJ KONSOLI ODZYSKIWANIA !!
.

(((((((((((((((((((((((((((((((((((((((   Usunięto   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Halina\Cookies\KRZYCHU.eml
c:\documents and settings\Halina\Ustawienia lokalne\Temporary Internet Files\KRZYCHU.eml
c:\documents and settings\Krzysiek\Cookies\KRZYCHU.eml
c:\documents and settings\Krzysiek\Ustawienia lokalne\Temporary Internet Files\KRZYCHU.eml
c:\documents and settings\LocalService\Cookies\KRZYCHU.eml
c:\documents and settings\LocalService\Ustawienia lokalne\Temporary Internet Files\KRZYCHU.eml
c:\documents and settings\NetworkService\Cookies\KRZYCHU.eml
c:\documents and settings\NetworkService\Ustawienia lokalne\Temporary Internet Files\KRZYCHU.eml
c:\program files\Common Files\System\ado\readme.eml
c:\program files\NetMeeting\readme.eml
c:\recycler\KRZYCHU.eml
c:\windows\system32\runouce.exe
d:\recycler\KRZYCHU.eml

.
(((((((((((((((((((((((((   Pliki utworzone od 2009-03-14 do 2009-04-14  )))))))))))))))))))))))))))))))
.

2009-04-14 13:45 . 2006-03-02 22:42   73728   ----a-w   C:\pv.exe
2009-04-14 13:45 . 2009-04-14 13:46   --------   d-----w   C:\32788R22FWJFW
2009-04-14 09:55 . 2009-04-14 10:09   --------   d-----w   c:\documents and settings\Halina\Ustawienia lokalne\Dane aplikacji\Identities
2009-04-13 07:35 . 2009-04-13 07:35   0   ----a-w   C:\38965
2009-04-11 17:06 . 2009-04-14 13:42   14882   ----a-w   C:\KRZYCHU.eml
2009-04-11 17:06 . 2009-04-14 13:42   14882   ----a-w   c:\documents and settings\KRZYCHU.eml
2009-04-11 07:02 . 2009-04-11 07:02   85728   ----a-w   c:\windows\system32\[u]0[/u]2bd4f9a-600c-561d-1268-87d43cf3d841.exe
2009-04-11 07:02 . 2009-04-11 07:02   60018   ----a-w   c:\windows\system32\utesewqgtqbsge.dll-uninst.exe
2009-03-23 09:57 . 2009-03-23 09:57   646144   ----a-w   c:\windows\system32\nsc5A.dll
2009-03-23 09:06 . 2009-03-23 09:06   629760   ----a-w   c:\windows\system32\utesewqgtqbsge.dll

.
((((((((((((((((((((((((((((((((((((((((   Sekcja Find3M   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-14 13:14 . 2009-04-11 20:03   14882   ----a-w   c:\program files\Common Files\KRZYCHU.eml
2009-04-14 13:14 . 2009-04-11 20:03   14882   ----a-w   c:\program files\KRZYCHU.eml
2009-04-14 09:59 . 2008-10-23 17:32   --------   d-----w   c:\program files\MyPlayCity
2009-04-12 15:07 . 2009-04-12 14:35   --------   d-----w   c:\program files\Counter-Strike
2009-04-11 20:05 . 2009-03-09 18:46   --------   d-----w   c:\program files\Winamp Toolbar
2009-04-11 20:05 . 2008-12-31 15:46   --------   d-----w   c:\program files\Realtek Sound Manager
2009-04-11 20:05 . 2008-08-19 15:04   --------   d-----w   c:\program files\Winamp
2009-04-11 20:05 . 2008-08-17 19:37   --------   d-----w   c:\program files\WinAce
2009-04-11 20:05 . 2008-06-17 16:43   --------   d-----w   c:\program files\Skype
2009-04-11 20:05 . 2008-06-17 15:35   --------   d-----w   c:\program files\Usługi online
2009-04-11 20:05 . 2008-12-31 15:46   --------   d-----w   c:\program files\Realtek AC97
2009-04-11 20:04 . 2008-06-17 21:26   --------   d-----w   c:\program files\Philips
2009-04-11 20:04 . 2008-06-18 17:37   --------   d-----w   c:\program files\NVIDIA Corporation
2009-04-11 20:04 . 2008-06-17 15:49   --------   d-----w   c:\program files\Opera
2009-04-11 20:04 . 2009-02-04 18:03   --------   d-----w   c:\program files\NAPI-PROJEKT
2009-04-11 20:04 . 2008-10-23 17:32   --------   d-----w   c:\program files\MyPlayCity.com
2009-04-11 20:04 . 2008-09-03 13:31   --------   d-----w   c:\program files\Microsoft.NET
2009-04-11 20:04 . 2008-06-17 15:38   --------   d-----w   c:\program files\microsoft frontpage
2009-04-11 20:04 . 2008-08-26 21:41   --------   d-----w   c:\program files\Java
2009-04-11 20:04 . 2008-06-17 16:46   --------   d--h--w   c:\program files\InstallShield Installation Information
2009-04-11 20:04 . 2008-07-21 13:47   --------   d-----w   c:\program files\ICQToolbar
2009-04-11 17:08 . 2009-03-09 18:40   --------   d-----w   c:\documents and settings\Krzysiek\Dane aplikacji\Winamp
2009-04-11 17:08 . 2008-06-18 16:16   --------   d-----w   c:\documents and settings\Krzysiek\Dane aplikacji\ViStart
2009-04-11 17:08 . 2008-06-18 16:16   --------   d-----w   c:\documents and settings\Krzysiek\Dane aplikacji\Tibia
2009-04-11 17:08 . 2008-06-18 16:16   --------   d-----w   c:\documents and settings\Krzysiek\Dane aplikacji\Thinstall
2009-04-11 17:08 . 2008-06-17 16:43   --------   d-----w   c:\documents and settings\Krzysiek\Dane aplikacji\Skype
2009-04-11 17:08 . 2008-11-02 19:53   --------   d-----w   c:\documents and settings\Krzysiek\Dane aplikacji\Notepad++
2009-04-11 17:08 . 2008-10-11 21:27   --------   d-----w   c:\documents and settings\Krzysiek\Dane aplikacji\Nowe Gadu-Gadu
2009-04-11 17:08 . 2008-07-18 20:26   --------   d-----w   c:\documents and settings\Krzysiek\Dane aplikacji\Media Player Classic
2009-04-11 17:08 . 2008-08-08 18:47   --------   d-----w   c:\documents and settings\Krzysiek\Dane aplikacji\GetRightToGo
2009-04-11 17:08 . 2008-07-21 22:20   --------   d-----w   c:\documents and settings\Krzysiek\Dane aplikacji\ICQ Toolbar
2009-04-11 17:08 . 2008-07-15 14:27   --------   d-----w   c:\documents and settings\Krzysiek\Dane aplikacji\InstallShield
2009-04-11 17:07 . 2009-01-01 18:15   --------   d-----w   c:\documents and settings\Krzysiek\Dane aplikacji\BESTplayer
2009-04-11 17:07 . 2008-10-09 18:18   --------   d-----w   c:\documents and settings\Krzysiek\Dane aplikacji\DMCache
2009-04-11 17:07 . 2008-10-01 11:08   --------   d-----w   c:\documents and settings\Krzysiek\Dane aplikacji\fltk.org
2009-04-11 17:07 . 2008-09-10 19:03   --------   d-----w   c:\documents and settings\Krzysiek\Dane aplikacji\DAEMON Tools
2009-04-11 17:07 . 2008-06-18 16:13   --------   d-----w   c:\documents and settings\Krzysiek\Dane aplikacji\Gadu-Gadu
2009-04-11 17:07 . 2008-08-20 06:44   --------   d-----w   c:\documents and settings\Krzysiek\Dane aplikacji\alot
2009-04-11 17:07 . 2008-06-21 15:27   --------   d-----w   c:\documents and settings\Halina\Dane aplikacji\Skype
2009-04-11 17:07 . 2008-08-12 18:14   --------   d-----w   c:\documents and settings\Halina\Dane aplikacji\ICQ Toolbar
2009-04-11 17:06 . 2008-09-30 18:58   --------   d-----w   c:\documents and settings\Halina\Dane aplikacji\DivX
2009-04-11 17:06 . 2009-02-28 18:00   --------   d-----w   c:\documents and settings\All Users\Dane aplikacji\Wru
2009-04-11 17:06 . 2008-12-31 14:56   --------   d-----w   c:\documents and settings\All Users\Dane aplikacji\{148D8B8A-8F96-4822-81EC-D510B626B7D5}
2009-04-11 17:06 . 2009-03-09 18:46   --------   d-----w   c:\documents and settings\All Users\Dane aplikacji\Winamp Toolbar
2009-04-11 17:06 . 2008-06-18 21:57   --------   d-----w   c:\documents and settings\All Users\Dane aplikacji\nView_Profiles
2009-04-11 17:06 . 2008-06-18 21:33   --------   d-----w   c:\documents and settings\All Users\Dane aplikacji\NVIDIA
2009-04-11 17:06 . 2008-06-17 16:42   --------   d-----w   c:\documents and settings\All Users\Dane aplikacji\Skype
2009-04-11 17:06 . 2008-08-31 17:53   --------   d-----w   c:\documents and settings\All Users\Dane aplikacji\Kaspersky Lab Setup Files
2009-04-11 17:06 . 2008-12-21 17:17   --------   d-----w   c:\documents and settings\All Users\Dane aplikacji\Bluetooth
2009-04-11 17:06 . 2008-08-20 06:44   --------   d-----w   c:\documents and settings\All Users\Dane aplikacji\DFX
2009-03-31 17:05 . 2001-10-26 17:15   68554   ----a-w   c:\windows\system32\perfc015.dat
2009-03-31 17:05 . 2001-10-26 17:15   439538   ----a-w   c:\windows\system32\perfh015.dat
2009-03-09 03:19 . 2009-01-11 12:43   410984   ----a-w   c:\windows\system32\deploytk.dll
2009-02-10 23:52 . 2008-04-14 20:51   21590528   ----a-w   c:\windows\system32\logonuiX.exe
2009-02-04 21:18 . 2009-02-04 21:18   98304   ----a-w   c:\windows\system32\CmdLineExt.dll
2009-01-31 18:38 . 2008-06-17 15:37   1248   --sha-w   C:\zlwmvefv.sys
2009-01-29 20:36 . 2009-01-26 23:12   90   ----a-w   C:\m.txt
2008-11-10 13:47 . 2008-11-10 13:47   133   ----a-w   c:\documents and settings\Krzysiek\Ustawienia lokalne\Dane aplikacji\fusioncache.dat
2008-10-28 21:35 . 2008-06-18 21:33   42560   ----a-w   c:\documents and settings\Krzysiek\Ustawienia lokalne\Dane aplikacji\GDIPFONTCACHEV1.DAT
.

(((((((((((((((((((((((((((((((((((((   Wpisy startowe rejestru   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane 
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{57BCA5FA-5DBB-45a2-B558-1755C3F6253B}"= "c:\program files\Winamp Toolbar\winamptb.dll" [2009-02-19 1262888]
"{4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac}"= "c:\program files\MyPlayCity\tbMyP1.dll" [2009-04-14 1883672]

[HKEY_CLASSES_ROOT\clsid\{57bca5fa-5dbb-45a2-b558-1755c3f6253b}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch]

[HKEY_CLASSES_ROOT\clsid\{4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0466644f-f7ae-d26a-824c-6434f98b9d48}]
2009-03-23 09:57   646144   ----a-w   c:\windows\system32\nsc5A.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac}]
2009-04-14 09:59   1883672   ----a-w   c:\program files\MyPlayCity\tbMyP1.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C86DA915-6A1B-E032-96ED-C551A4E38D26}]
2009-03-23 09:06   629760   ----a-w   c:\windows\system32\utesewqgtqbsge.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac}"= "c:\program files\MyPlayCity\tbMyP1.dll" [2009-04-14 1883672]

[HKEY_CLASSES_ROOT\clsid\{4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{4724C5D8-DFA7-417A-A2F5-1EABFEE9B4AC}"= "c:\program files\MyPlayCity\tbMyP1.dll" [2009-04-14 1883672]

[HKEY_CLASSES_ROOT\clsid\{4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="d:\program files\DAEMON Tools Lite\daemon.exe" [2007-12-29 486856]
"ares"="d:\program files\Ares\Ares.exe" [2007-05-04 967676]
"Gadu-Gadu"="d:\program files\Gadu-Gadu\gg.exe" [2007-07-09 2125756]
"ALLUpdate"="d:\program files\ALLPlayer\ALLUpdate.exe" [2008-11-24 876540]
"Nowe Gadu-Gadu"="d:\program files\Nowe Gadu-Gadu\gg.exe" [2009-02-16 9383012]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BigDogPath"="c:\windows\VM_STI.EXE" [2004-06-09 40960]
"DrvIcon"="d:\program files\Vista Drive Icon\DrvIcon.exe" [2008-04-13 49152]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-18 7606272]
"Adobe Reader Speed Launcher"="d:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 222572]
"RecSche"="d:\lifeview flyvideo\RecSche.exe" [2002-12-11 249856]
"WinampAgent"="d:\program files\Winamp\winampa.exe" [2009-02-25 37888]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2006-08-03 577536]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Halina\Menu Start\Programy\Autostart\
KRZYCHU.eml [2009-4-14 14882]

c:\documents and settings\Krzysiek\Menu Start\Programy\Autostart\
KRZYCHU.eml [2009-4-14 14882]

c:\documents and settings\All Users\Menu Start\Programy\Autostart\
KRZYCHU.eml [2009-4-14 14882]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\logonuiX.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
2008-04-14 20:51   15360   ----a-w   c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogonStudio]
2002-09-03 16:38   1075759   ----a-w   d:\program files\WinCustomize\LogonStudio\LogonStudio.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 20:51   1786364   ------w   c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2006-05-18 21:35   7606272   ----a-w   c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-08-24 18:57   258556   ----a-w   c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2009-02-25 21:26   37888   ----a-w   d:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2006-05-18 21:35   86016   ----a-w   c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2006-05-18 21:35   1519616   ----a-w   c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2006-08-03 04:12   577536   ----a-w   c:\windows\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\Gadu-Gadu\\gg.exe"=
"c:\\Program Files\\Ahead\\SIPPS\\SIPPS.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"d:\\Program Files\\Aspyr Media, Inc\\THAW\\Game\\THAW.exe"=
"c:\\Documents and Settings\\All Users\\Dane aplikacji\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 2009\\Polish\\setup.exe"=
"d:\\Program Files\\Nowe Gadu-Gadu\\gg.exe"=
"d:\\Program Files\\Ares\\Ares.exe"=
"d:\\Program Files\\Skype\\Phone\\Skype.exe"=
"d:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"d:\\Program Files\\UltraVNC\\vncviewer.exe"=
"d:\\Program Files\\Wru\\Wru.exe"=
"d:\\Program Files\\Valve\\hl.exe"=
"d:\\cs\\cs 1 6 patch full v29.exe"=
"c:\\WINDOWS\\System32\\PAC.EXE"=
"d:\\Program Files\\DAEMON Tools Lite\\daemon.exe"=
"d:\\Program Files\\Vista Drive Icon\\DrvIcon.exe"=
"c:\\WINDOWS\\System32\\netsh.exe"=
"c:\\WINDOWS\\system32\\activexdebugger32.exe"=
"c:\\WINDOWS\\system32\\userinit.exe"=
"c:\\Program Files\\Outlook Express\\msimn.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5900:TCP"= 5900:TCP:vnc5900
"5800:TCP"= 5800:TCP:vnc5800

R3 Start BT in service;Start BT in service;d:\program files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe [2007-04-21 141820]
S3 abp470n5;abp470n5; [x]
S3 PhTVTune;LifeView FlyVideo WDM TV Tuner;c:\windows\system32\DRIVERS\PhTVTune.sys [2002-07-16 19616]


--- Inne Usługi/Sterowniki w Pamięci ---

*Deregistered* - BootScreen

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{76a522b3-429f-11dd-8749-00001cd8ba0c}]
\Shell\Auto\command - J:\activexdebugger32.exe f
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL activexdebugger32.exe f
\Shell\explore\Command - J:\activexdebugger32.exe f
\Shell\open\Command - J:\activexdebugger32.exe f

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f5f43132-4934-11dd-875a-00001cd8ba0c}]
\Shell\Auto\command - I:\activexdebugger32.exe f
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL activexdebugger32.exe f
\Shell\explore\Command - I:\activexdebugger32.exe f
\Shell\open\Command - I:\activexdebugger32.exe f
.
- - - - USUNIĘTO PUSTE WPISY - - - -

HKLM-Run-Runonce - c:\windows\system32\runouce.exe


.
------- Skan uzupełniający -------
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT1392740
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Winamp Search - c:\documents and settings\All Users\Dane aplikacji\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-14 15:51
Windows 5.1.2600 Dodatek Service Pack 3 NTFS

skanowanie ukrytych procesów ... 

skanowanie ukrytych wpisów autostartu ...

skanowanie ukrytych plików ... 

skanowanie pomyślnie ukończone
ukryte pliki: 0

**************************************************************************
.
--------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{13472eeb-4938-49a4-a9de-c1f0b27ea514}]
@Denied: (Full) (Everyone)
"Model"=dword:00000137
"Therad"=dword:0000001e
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
   38,95,44,85,b1,12,f9,90,dd,23,a1,49,8c,bf,1a,9d,fe,41,71,cb,3f,46,a4,7c,ab,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):49,0d,9f,28,9b,89,98,09,7b,88,c7,63,a9,c6,e3,87,db,52,dc,0e,a3,
   34,ff,e7,a9,ca,7c,45,73,cb,2f,d9,d6,b7,85,44,13,2e,8d,48,00,00,00,00,00,00,\
.
Czas ukończenia: ~,10time:~,-3
ComboFix-quarantined-files.txt  2009-04-14 13:53
ComboFix2.txt  2008-10-07 15:30

Przed: 5 961 773 056 bajtów wolnych
Po: 6 976 512 000 bajtów wolnych

263


Kod: Zaznacz wszystko

2009-04-14 14:11:44 . 2009-04-14 14:11:44              171 ----a-w  C:\Qoobox\Quarantine\Registry_backups\WebBrowser-{4724C5D8-DFA7-417A-A2F5-1EABFEE9B4AC}.reg.dat
2009-04-14 13:56:52 . 2009-04-14 13:56:52           14,882 ----a-w  C:\Qoobox\Quarantine\C\Program Files\NetMeeting\readme.eml.vir
2009-04-14 13:56:09 . 2009-04-14 13:56:09           14,882 ----a-w  C:\Qoobox\Quarantine\C\Program Files\Common Files\System\ado\readme.eml.vir
2009-04-14 13:54:44 . 2009-04-14 13:59:48           10,748 ----a-w  C:\Qoobox\Quarantine\C\WINDOWS\system32\runouce.exe.vir
2009-04-14 13:52:23 . 2009-04-14 13:52:23              128 ----a-w  C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-Runonce.reg.dat
2009-04-14 13:51:13 . 2009-04-14 13:41:39           14,882 ----a-w  C:\Qoobox\Quarantine\D\RECYCLER\KRZYCHU.eml.vir
2009-04-14 13:50:02 . 2009-04-14 14:10:06           10,511 ----a-w  C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2009-04-11 20:05:03 . 2009-04-14 13:15:55           14,882 ----a-w  C:\Qoobox\Quarantine\C\RECYCLER\KRZYCHU.eml.vir
2009-04-11 20:05:02 . 2009-04-14 13:15:55           14,882 ----a-w  C:\Qoobox\Quarantine\Registry_backups\KRZYCHU.eml
2009-04-11 20:05:02 . 2009-04-14 13:15:55           14,882 ----a-w  C:\Qoobox\Quarantine\E\KRZYCHU.eml
2009-04-11 20:05:02 . 2009-04-14 13:15:55           14,882 ----a-w  C:\Qoobox\Quarantine\C\Documents and Settings\Krzysiek\UserData\KRZYCHU.eml
2009-04-11 20:05:02 . 2009-04-14 13:15:55           14,882 ----a-w  C:\Qoobox\Quarantine\C\Documents and Settings\Krzysiek\KRZYCHU.eml
2009-04-11 20:05:02 . 2009-04-14 13:15:55           14,882 ----a-w  C:\Qoobox\Quarantine\C\Documents and Settings\KRZYCHU.eml
2009-04-11 20:05:02 . 2009-04-14 13:15:55           14,882 ----a-w  C:\Qoobox\Quarantine\C\KRZYCHU.eml
2009-04-11 20:05:02 . 2009-04-14 13:15:54           14,882 ----a-w  C:\Qoobox\Quarantine\KRZYCHU.eml
2009-04-11 20:03:07 . 2009-04-14 13:14:20           14,882 ----a-w  C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Ustawienia lokalne\Temporary Internet Files\KRZYCHU.eml.vir
2009-04-11 20:03:07 . 2009-04-14 13:14:20           14,882 ----a-w  C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Cookies\KRZYCHU.eml.vir
2009-04-11 20:03:07 . 2009-04-14 13:14:19           14,882 ----a-w  C:\Qoobox\Quarantine\C\Documents and Settings\LocalService\Ustawienia lokalne\Temporary Internet Files\KRZYCHU.eml.vir
2009-04-11 20:03:06 . 2009-04-14 13:14:19           14,882 ----a-w  C:\Qoobox\Quarantine\C\Documents and Settings\LocalService\Cookies\KRZYCHU.eml.vir
2009-04-11 20:02:46 . 2009-04-14 13:14:11           14,882 ----a-w  C:\Qoobox\Quarantine\C\Documents and Settings\Krzysiek\Ustawienia lokalne\Temporary Internet Files\KRZYCHU.eml.vir
2009-04-11 17:07:55 . 2009-04-14 13:42:38           14,882 ----a-w  C:\Qoobox\Quarantine\C\Documents and Settings\Krzysiek\Cookies\KRZYCHU.eml.vir
2009-04-11 17:07:11 . 2009-04-14 13:42:28           14,882 ----a-w  C:\Qoobox\Quarantine\C\Documents and Settings\Halina\Ustawienia lokalne\Temporary Internet Files\KRZYCHU.eml.vir
2009-04-11 17:06:53 . 2009-04-14 13:42:14           14,882 ----a-w  C:\Qoobox\Quarantine\C\Documents and Settings\Halina\Cookies\KRZYCHU.eml.vir
2008-08-31 17:39:19 . 2008-08-31 17:39:19              130 ----a-w  C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-ares.reg.dat
2008-08-31 17:39:19 . 2008-08-31 17:39:19              124 ----a-w  C:\Qoobox\Quarantine\Registry_backups\Toolbar-{5AA2BA46-9913-4dc7-9620-69AB0FA17AE7}.reg.dat
2008-08-19 14:54:38 . 2008-08-19 14:53:14              296 ----a-w  C:\Qoobox\Quarantine\E\AUTORUN.INF.vir
2008-08-19 13:58:56 . 2009-04-14 14:07:03              270 ----a-w  C:\Qoobox\Quarantine\catchme.log
2008-06-18 16:17:25 . 2008-04-02 06:38:15           16,384 ----a-w  C:\Qoobox\Quarantine\C\Documents and Settings\Krzysiek\UserData\index.dat.vir
2007-05-22 12:52:59 . 2007-05-22 12:53:02          376,832 ----a-w  C:\Qoobox\Quarantine\C\WINDOWS\system32\activexdebugger32.exe.vir


Kod: Zaznacz wszystko

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:24:02, on 2009-04-14
Platform: Windows XP Dodatek SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\VM_STI.EXE
D:\Program Files\Vista Drive Icon\DrvIcon.exe
C:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\runouce.exe
D:\Program Files\DAEMON Tools Lite\daemon.exe
D:\Program Files\Ares\Ares.exe
C:\Program Files\Opera\opera.exe
C:\DOCUME~1\Krzysiek\USTAWI~1\Temp\winocxtxe.exe
C:\DOCUME~1\Krzysiek\USTAWI~1\Temp\hcagh.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com?SearchSource=10&ctid=CT1392740
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Winamp Search Class - {57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - D:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE Philips SPC 200NC PC Camera
O4 - HKLM\..\Run: [DrvIcon] D:\Program Files\Vista Drive Icon\DrvIcon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [WinampAgent] "D:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Runonce] C:\WINDOWS\system32\runouce.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "D:\Program Files\DAEMON Tools Lite\daemon.exe"
O4 - HKCU\..\Run: [ares] "D:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [Gadu-Gadu] "D:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [ALLUpdate] "d:\Program Files\ALLPlayer\ALLUpdate.exe" "sleep"
O4 - HKCU\..\Run: [Nowe Gadu-Gadu] "D:\Program Files\Nowe Gadu-Gadu\gg.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - .DEFAULT User Startup: KRZYCHU.eml (User 'Default user')
O4 - Startup: KRZYCHU.eml
O4 - Global Startup: KRZYCHU.eml
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Dane aplikacji\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - D:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - D:\Program Files\Ares\chatServer.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Start BT in service - Unknown owner - D:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe

--
End of file - 4864 bytes


SDfix nie działa, pod awaryjnym też...
Dodatkowo dyski są udostępnione...

[wojtas]

Otworz notatnik i wklej w nim to:

File::
C:\38965
C:\KRZYCHU.eml
c:\documents and settings\KRZYCHU.eml
c:\windows\system32\02bd4f9a-600c-561d-1268-87d43cf3d841.exe
c:\windows\system32\utesewqgtqbsge.dll-uninst.exe
c:\program files\Common Files\KRZYCHU.eml
c:\program files\KRZYCHU.eml
C:\zlwmvefv.sys
c:\windows\system32\activexdebugger32.exe
c:\documents and settings\Halina\Menu Start\Programy\Autostart\KRZYCHU.eml

Folder::
c:\DOCUME~1\Krzysiek\USTAWI~1\Temp

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{76a522b3-429f-11dd-8749-00001cd8ba0c}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f5f43132-4934-11dd-875a-00001cd8ba0c}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{611211b4-8d73-11dd-880c-00001cd8ba0c}]

>>Plik>>Zapisz jako... >>> CFScript
Przeciągnij i upuść plik CFScript.txt na plik ComboFix.exe
-->
Ma się rozpocząć usuwanie. (i powstanie log).Daj ten log, który powstanie w trakcie usuwania.

[Wojtaz]

Kod: Zaznacz wszystko

ComboFix 08-08-18.04 - Krzysiek 2008-10-07 17:27:32.8 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1250.1.1045.18.89 [GMT 2:00]
Running from: C:\Documents and Settings\Krzysiek\Pulpit\ComboFix.exe

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.
- REDUCED FUNCTIONALITY MODE -
.

(((((((((((((((((((((((((   Files Created from 2008-09-07 to 2008-10-07  )))))))))))))))))))))))))))))))
.

2008-10-01 13:08 . 2008-10-01 13:08   <DIR>   d--------   C:\Documents and Settings\Krzysiek\Dane aplikacji\fltk.org
2008-09-30 20:58 . 2008-09-30 20:58   <DIR>   d--------   C:\Documents and Settings\Halina\Dane aplikacji\DivX
2008-09-10 21:03 . 2008-09-10 21:03   <DIR>   d--------   C:\Documents and Settings\Krzysiek\Dane aplikacji\DAEMON Tools
2008-09-10 21:01 . 2008-09-10 21:01   715,248   --a------   C:\WINDOWS\system32\drivers\sptd.sys

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-30 18:50   ---------   d-----w   C:\Documents and Settings\Halina\Dane aplikacji\Skype
2008-09-28 15:51   ---------   d-----w   C:\Documents and Settings\Krzysiek\Dane aplikacji\Skype
2008-09-03 13:31   ---------   d-----w   C:\Program Files\Microsoft.NET
2008-08-31 20:41   ---------   d-----w   C:\Program Files\Common Files\Adobe
2008-08-31 17:53   ---------   d-----w   C:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab Setup Files
2008-08-31 17:48   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
2008-08-26 21:57   ---------   d-----w   C:\Program Files\Sun
2008-08-26 21:57   ---------   d-----w   C:\Program Files\Java
2008-08-26 21:44   ---------   d-----w   C:\Documents and Settings\Krzysiek\Dane aplikacji\alot
2008-08-26 21:36   ---------   d-----w   C:\Program Files\Common Files\Java
2008-08-26 21:35   ---------   d-----w   C:\Program Files\ICQToolbar
2008-08-24 18:57   ---------   d-----w   C:\Program Files\Google
2008-08-22 17:25   ---------   d-----w   C:\Program Files\DFX
2008-08-20 20:53   ---------   d-----w   C:\Program Files\Opera
2008-08-20 06:44   ---------   d-----w   C:\Program Files\Common Files\DFX
2008-08-20 06:44   ---------   d-----w   C:\Program Files\alot
2008-08-20 06:44   ---------   d-----w   C:\Documents and Settings\All Users\Dane aplikacji\DFX
2008-08-19 15:04   ---------   d-----w   C:\Program Files\Winamp
2008-08-18 11:07   ---------   d-----w   C:\Program Files\WinAce
2008-08-17 19:34   162,432   ----a-w   C:\WINDOWS\system32\drivers\vidstub.sys
2008-08-17 19:15   21,590,528   ----a-w   C:\WINDOWS\system32\logonuiX.exe
2008-08-17 18:53   ---------   d-----w   C:\Program Files\Common Files\Stardock
2008-08-12 18:14   ---------   d-----w   C:\Documents and Settings\Halina\Dane aplikacji\ICQ Toolbar
2008-08-08 18:54   ---------   d-----w   C:\Documents and Settings\Krzysiek\Dane aplikacji\GetRightToGo
2008-08-06 13:27   499,712   ----a-w   C:\WINDOWS\system32\msvcp71.dll
2007-05-22 12:53   376,832   --sh--w   C:\WINDOWS\system32\activexdebugger32.exe
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadu-Gadu"="D:\Program Files\Gadu-Gadu\gg.exe" [2007-07-09 09:39 2119104]
"DAEMON Tools Lite"="D:\Program Files\DAEMON Tools Lite\daemon.exe" [2007-12-29 14:05 486856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BigDogPath"="C:\WINDOWS\VM_STI.EXE" [2004-06-09 15:37 40960]
"DrvIcon"="D:\Program Files\Vista Drive Icon\DrvIcon.exe" [2008-04-13 14:39 49152]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-05-18 23:35 7606272]
"Adobe Reader Speed Launcher"="D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 22:51 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="C:\\WINDOWS\\system32\\logonuiX.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2008-04-14 22:51 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogonStudio]
--a------ 2002-09-03 18:38 987187 D:\Program Files\WinCustomize\LogonStudio\LogonStudio.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-14 22:51 1695232 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-05-18 23:35 7606272 C:\WINDOWS\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-08-24 20:57 171448 C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2007-05-15 00:22 35328 D:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2006-05-18 23:35 86016 C:\WINDOWS\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-05-18 23:35 1519616 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
-ra------ 2002-09-11 04:57 46592 C:\WINDOWS\SOUNDMAN.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"D:\\Program Files\\Gadu-Gadu\\gg.exe"=
"C:\\Program Files\\Ahead\\SIPPS\\SIPPS.exe"=
"D:\\ \\mp#\\fovnfs01\\fovnfsu2\\speed2.exe"=
"C:\\Program Files\\Opera\\opera.exe"=
"D:\\Program Files\\Aspyr Media, Inc\\THAW\\Game\\THAW.exe"=
"C:\\Documents and Settings\\All Users\\Dane aplikacji\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 2009\\Polish\\setup.exe"=
"D:\\Program Files\\Skype\\Phone\\Skype.exe"=

R3 usbstor;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 00:15]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{611211b4-8d73-11dd-880c-00001cd8ba0c}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe
.
.
------- Supplementary Scan -------
.
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-07 17:28:14
Windows 5.1.2600 Dodatek Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-10-07 17:30:47
ComboFix-quarantined-files.txt  2008-10-07 15:30:26
ComboFix2.txt  2008-09-07 16:45:33
ComboFix3.txt  2008-09-07 16:40:12
ComboFix4.txt  2008-08-31 17:39:55
ComboFix5.txt  2008-10-05 11:34:05

Pre-Run: 12,087,164,928 bajtów wolnych
Post-Run: 12,113,829,888 bajtów wolnych

119


[wojtas]

wywal combofixa swojego.. pobierz stad:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

i jeszcze raz przeciagnij i nowy log daj

[Wojtaz]

Kod: Zaznacz wszystko

ComboFix 09-04-14.09 - Krzysiek 2009-04-14 18:18.13 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1250.48.1045.18.255.70 [GMT 2:00]
Uruchomiony z: c:\documents and settings\Krzysiek\Pulpit\ComboFix.exe

UWAGA - TEN KOMPUTER NIE MA ZAINSTALOWANEJ KONSOLI ODZYSKIWANIA !!
.

(((((((((((((((((((((((((   Pliki utworzone od 2009-03-14 do 2009-04-14  )))))))))))))))))))))))))))))))
.

2009-04-14 09:55 . 2009-04-14 10:09   --------   d-----w   c:\documents and settings\Halina\Ustawienia lokalne\Dane aplikacji\Identities

.
((((((((((((((((((((((((((((((((((((((((   Sekcja Find3M   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-14 09:59 . 2008-10-23 17:32   --------   d-----w   c:\program files\MyPlayCity
2009-04-12 15:07 . 2009-04-12 14:35   --------   d-----w   c:\program files\Counter-Strike
2009-04-11 20:05 . 2009-03-09 18:46   --------   d-----w   c:\program files\Winamp Toolbar
2009-04-11 20:05 . 2008-12-31 15:46   --------   d-----w   c:\program files\Realtek Sound Manager
2009-04-11 20:05 . 2008-08-19 15:04   --------   d-----w   c:\program files\Winamp
2009-04-11 20:05 . 2008-08-17 19:37   --------   d-----w   c:\program files\WinAce
2009-04-11 20:05 . 2008-06-17 16:43   --------   d-----w   c:\program files\Skype
2009-04-11 20:05 . 2008-06-17 15:35   --------   d-----w   c:\program files\Usługi online
2009-04-11 20:05 . 2008-12-31 15:46   --------   d-----w   c:\program files\Realtek AC97
2009-04-11 20:04 . 2008-06-17 21:26   --------   d-----w   c:\program files\Philips
2009-04-11 20:04 . 2008-06-18 17:37   --------   d-----w   c:\program files\NVIDIA Corporation
2009-04-11 20:04 . 2008-06-17 15:49   --------   d-----w   c:\program files\Opera
2009-04-11 20:04 . 2009-02-04 18:03   --------   d-----w   c:\program files\NAPI-PROJEKT
2009-04-11 20:04 . 2008-10-23 17:32   --------   d-----w   c:\program files\MyPlayCity.com
2009-04-11 20:04 . 2008-09-03 13:31   --------   d-----w   c:\program files\Microsoft.NET
2009-04-11 20:04 . 2008-06-17 15:38   --------   d-----w   c:\program files\microsoft frontpage
2009-04-11 20:04 . 2008-08-26 21:41   --------   d-----w   c:\program files\Java
2009-04-11 20:04 . 2008-06-17 16:46   --------   d--h--w   c:\program files\InstallShield Installation Information
2009-04-11 20:04 . 2008-07-21 13:47   --------   d-----w   c:\program files\ICQToolbar
2009-04-11 17:08 . 2009-03-09 18:40   --------   d-----w   c:\documents and settings\Krzysiek\Dane aplikacji\Winamp
2009-04-11 17:08 . 2008-06-18 16:16   --------   d-----w   c:\documents and settings\Krzysiek\Dane aplikacji\ViStart
2009-04-11 17:08 . 2008-06-18 16:16   --------   d-----w   c:\documents and settings\Krzysiek\Dane aplikacji\Tibia
2009-04-11 17:08 . 2008-06-18 16:16   --------   d-----w   c:\documents and settings\Krzysiek\Dane aplikacji\Thinstall
2009-04-11 17:08 . 2008-06-17 16:43   --------   d-----w   c:\documents and settings\Krzysiek\Dane aplikacji\Skype
2009-04-11 17:08 . 2008-11-02 19:53   --------   d-----w   c:\documents and settings\Krzysiek\Dane aplikacji\Notepad++
2009-04-11 17:08 . 2008-10-11 21:27   --------   d-----w   c:\documents and settings\Krzysiek\Dane aplikacji\Nowe Gadu-Gadu
2009-04-11 17:08 . 2008-07-18 20:26   --------   d-----w   c:\documents and settings\Krzysiek\Dane aplikacji\Media Player Classic
2009-04-11 17:08 . 2008-08-08 18:47   --------   d-----w   c:\documents and settings\Krzysiek\Dane aplikacji\GetRightToGo
2009-04-11 17:08 . 2008-07-21 22:20   --------   d-----w   c:\documents and settings\Krzysiek\Dane aplikacji\ICQ Toolbar
2009-04-11 17:08 . 2008-07-15 14:27   --------   d-----w   c:\documents and settings\Krzysiek\Dane aplikacji\InstallShield
2009-04-11 17:07 . 2009-01-01 18:15   --------   d-----w   c:\documents and settings\Krzysiek\Dane aplikacji\BESTplayer
2009-04-11 17:07 . 2008-10-09 18:18   --------   d-----w   c:\documents and settings\Krzysiek\Dane aplikacji\DMCache
2009-04-11 17:07 . 2008-10-01 11:08   --------   d-----w   c:\documents and settings\Krzysiek\Dane aplikacji\fltk.org
2009-04-11 17:07 . 2008-09-10 19:03   --------   d-----w   c:\documents and settings\Krzysiek\Dane aplikacji\DAEMON Tools
2009-04-11 17:07 . 2008-06-18 16:13   --------   d-----w   c:\documents and settings\Krzysiek\Dane aplikacji\Gadu-Gadu
2009-04-11 17:07 . 2008-08-20 06:44   --------   d-----w   c:\documents and settings\Krzysiek\Dane aplikacji\alot
2009-04-11 17:07 . 2008-06-21 15:27   --------   d-----w   c:\documents and settings\Halina\Dane aplikacji\Skype
2009-04-11 17:07 . 2008-08-12 18:14   --------   d-----w   c:\documents and settings\Halina\Dane aplikacji\ICQ Toolbar
2009-04-11 17:06 . 2008-09-30 18:58   --------   d-----w   c:\documents and settings\Halina\Dane aplikacji\DivX
2009-04-11 17:06 . 2009-02-28 18:00   --------   d-----w   c:\documents and settings\All Users\Dane aplikacji\Wru
2009-04-11 17:06 . 2008-12-31 14:56   --------   d-----w   c:\documents and settings\All Users\Dane aplikacji\{148D8B8A-8F96-4822-81EC-D510B626B7D5}
2009-04-11 17:06 . 2009-03-09 18:46   --------   d-----w   c:\documents and settings\All Users\Dane aplikacji\Winamp Toolbar
2009-04-11 17:06 . 2008-06-18 21:57   --------   d-----w   c:\documents and settings\All Users\Dane aplikacji\nView_Profiles
2009-04-11 17:06 . 2008-06-18 21:33   --------   d-----w   c:\documents and settings\All Users\Dane aplikacji\NVIDIA
2009-04-11 17:06 . 2008-06-17 16:42   --------   d-----w   c:\documents and settings\All Users\Dane aplikacji\Skype
2009-04-11 17:06 . 2008-08-31 17:53   --------   d-----w   c:\documents and settings\All Users\Dane aplikacji\Kaspersky Lab Setup Files
2009-04-11 17:06 . 2008-12-21 17:17   --------   d-----w   c:\documents and settings\All Users\Dane aplikacji\Bluetooth
2009-04-11 17:06 . 2008-08-20 06:44   --------   d-----w   c:\documents and settings\All Users\Dane aplikacji\DFX
2009-03-31 17:05 . 2001-10-26 17:15   68554   ----a-w   c:\windows\system32\perfc015.dat
2009-03-31 17:05 . 2001-10-26 17:15   439538   ----a-w   c:\windows\system32\perfh015.dat
2009-03-09 03:19 . 2009-01-11 12:43   410984   ----a-w   c:\windows\system32\deploytk.dll
2009-02-10 23:52 . 2008-04-14 20:51   21590528   ----a-w   c:\windows\system32\logonuiX.exe
2009-02-04 21:18 . 2009-02-04 21:18   98304   ----a-w   c:\windows\system32\CmdLineExt.dll
2009-01-29 20:36 . 2009-01-26 23:12   90   ----a-w   C:\m.txt
2008-11-10 13:47 . 2008-11-10 13:47   133   ----a-w   c:\documents and settings\Krzysiek\Ustawienia lokalne\Dane aplikacji\fusioncache.dat
2008-10-28 21:35 . 2008-06-18 21:33   42560   ----a-w   c:\documents and settings\Krzysiek\Ustawienia lokalne\Dane aplikacji\GDIPFONTCACHEV1.DAT
.

(((((((((((((((((((((((((((((   SnapShot@2009-04-14_13.51.14   )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-14 14:20 . 2009-04-14 14:20   16384              c:\windows\temp\Perflib_Perfdata_544.dat
+ 2008-06-17 16:46 . 2006-08-03 04:12   647168              c:\windows\soundman.exe
.
(((((((((((((((((((((((((((((((((((((   Wpisy startowe rejestru   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane 
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{57BCA5FA-5DBB-45a2-B558-1755C3F6253B}"= "c:\program files\Winamp Toolbar\winamptb.dll" [2009-02-19 1262888]

[HKEY_CLASSES_ROOT\clsid\{57bca5fa-5dbb-45a2-b558-1755c3f6253b}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="d:\program files\DAEMON Tools Lite\daemon.exe" [2007-12-29 486856]
"ares"="d:\program files\Ares\Ares.exe" [2007-05-04 967676]
"Gadu-Gadu"="d:\program files\Gadu-Gadu\gg.exe" [2007-07-09 2125756]
"ALLUpdate"="d:\program files\ALLPlayer\ALLUpdate.exe" [2008-11-24 876540]
"Nowe Gadu-Gadu"="d:\program files\Nowe Gadu-Gadu\gg.exe" [2009-02-16 9383012]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BigDogPath"="c:\windows\VM_STI.EXE" [2004-06-09 40960]
"DrvIcon"="d:\program files\Vista Drive Icon\DrvIcon.exe" [2008-04-13 49152]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-18 7606272]
"Adobe Reader Speed Launcher"="d:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 222572]
"WinampAgent"="d:\program files\Winamp\winampa.exe" [2009-02-25 37888]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"Runonce"="c:\windows\system32\runouce.exe" [BU]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2006-08-03 647168]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Krzysiek\Menu Start\Programy\Autostart\
KRZYCHU.eml [2009-4-14 14882]

c:\documents and settings\All Users\Menu Start\Programy\Autostart\
KRZYCHU.eml [2009-4-14 14882]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\logonuiX.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
2008-04-14 20:51   15360   ----a-w   c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogonStudio]
2002-09-03 16:38   1075759   ----a-w   d:\program files\WinCustomize\LogonStudio\LogonStudio.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 20:51   1786364   ------w   c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2006-05-18 21:35   7606272   ----a-w   c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-08-24 18:57   258556   ----a-w   c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2009-02-25 21:26   37888   ----a-w   d:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2006-05-18 21:35   86016   ----a-w   c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2006-05-18 21:35   1519616   ----a-w   c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2006-08-03 04:12   647168   ----a-w   c:\windows\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\Gadu-Gadu\\gg.exe"=
"c:\\Program Files\\Ahead\\SIPPS\\SIPPS.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"d:\\Program Files\\Aspyr Media, Inc\\THAW\\Game\\THAW.exe"=
"c:\\Documents and Settings\\All Users\\Dane aplikacji\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 2009\\Polish\\setup.exe"=
"d:\\Program Files\\Nowe Gadu-Gadu\\gg.exe"=
"d:\\Program Files\\Ares\\Ares.exe"=
"d:\\Program Files\\Skype\\Phone\\Skype.exe"=
"d:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"d:\\Program Files\\UltraVNC\\vncviewer.exe"=
"d:\\Program Files\\Wru\\Wru.exe"=
"d:\\Program Files\\Valve\\hl.exe"=
"d:\\cs\\cs 1 6 patch full v29.exe"=
"c:\\WINDOWS\\System32\\PAC.EXE"=
"d:\\Program Files\\DAEMON Tools Lite\\daemon.exe"=
"d:\\Program Files\\Vista Drive Icon\\DrvIcon.exe"=
"c:\\WINDOWS\\System32\\netsh.exe"=
"c:\\WINDOWS\\system32\\userinit.exe"=
"c:\\Program Files\\Outlook Express\\msimn.exe"=
"d:\\Program Files\\Trend Micro\\HijackThis\\HijackThis.exe"=
"c:\\Documents and Settings\\Krzysiek\\Pulpit\\ComboFix.exe"=
"c:\\WINDOWS\\VM_STI.EXE"=
"c:\\WINDOWS\\SOUNDMAN.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5900:TCP"= 5900:TCP:vnc5900
"5800:TCP"= 5800:TCP:vnc5800

R3 Start BT in service;Start BT in service;d:\program files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe [2007-04-21 141820]
S3 abp470n5;abp470n5; [x]
S3 PhTVTune;LifeView FlyVideo WDM TV Tuner;c:\windows\system32\DRIVERS\PhTVTune.sys [2002-07-16 19616]


--- Inne Usługi/Sterowniki w Pamięci ---

*Deregistered* - BootScreen
.
.
------- Skan uzupełniający -------
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT1392740
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Winamp Search - c:\documents and settings\All Users\Dane aplikacji\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-14 18:21
Windows 5.1.2600 Dodatek Service Pack 3 NTFS

skanowanie ukrytych procesów ... 

skanowanie ukrytych wpisów autostartu ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  Runonce = c:\windows\system32\runouce.exe?^??|x???????0??|????????????????????\??|?x?|????<???@??|???|??9~??;~O?9~????0u??????0??|?????P?????????????????????????|l$?|!???x???????0??|D???????????????????????????????????????????????????????????????????`???d???????ZZ@

skanowanie ukrytych plików ... 


**************************************************************************
.
--------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{13472eeb-4938-49a4-a9de-c1f0b27ea514}]
@Denied: (Full) (Everyone)
"Model"=dword:00000137
"Therad"=dword:0000001e
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
   38,95,44,85,b1,12,f9,90,dd,23,a1,49,8c,bf,1a,9d,fe,41,71,cb,3f,46,a4,7c,ab,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):49,0d,9f,28,9b,89,98,09,7b,88,c7,63,a9,c6,e3,87,db,52,dc,0e,a3,
   34,ff,e7,a9,ca,7c,45,73,cb,2f,d9,d6,b7,85,44,13,2e,8d,48,00,00,00,00,00,00,\
.
--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------

- - - - - - - > 'explorer.exe'(2616)
c:\docume~1\Krzysiek\USTAWI~1\Temp\catchme.dll
.
Czas ukończenia: ~,10time:~,-3
ComboFix-quarantined-files.txt  2009-04-14 16:22
ComboFix2.txt  2009-04-14 14:13
ComboFix3.txt  2009-04-14 13:54
ComboFix4.txt  2008-10-07 15:30

Przed: 8 158 900 224 bajtów wolnych
Po: 8 151 261 184 bajtów wolnych

221


[wojtas]

1. Ściągnij OTMoveIt i go włacz i odpal go z opcji CleanUp oraz skasuj folder C:\Qoobox
2. wykonaj optymalizację windowsa
3.sciagnij ATF_Cleaner
zaznacz
Windows Temp
All users Temp
Temporary internet files
Recycle Bin
i wcisnij EMPTY SELECTED
4.Wyłącz przywracanie systemu ( właściwości mój komputer-zakładka przywracanie - wyłącz przywracanie na wszystkich dyskach). Po chwili włącz je powrotem
5. Wykonaj skan Dr. Web CureIt
6. Przeskanuj obszar mojego komputera http://www.kaspersky.pl/virusscanner.html (uruchom przez IE) Daj raport z niego na forum.

i tym:

FixIEDef.

[Wojtaz]

wojtas,

Kod: Zaznacz wszystko

********************************************************************************
*                                                                              *
*                                 FixIEDef Log                                 *
*                              Version 1.7.22.7514                             *
*                                                                              *
********************************************************************************

Created at 17:45:24 on Wednesday, April 15, 2009

Time Zone            :

Logged On User       : Krzysiek

Operating System     : Microsoft Windows XP Professional Dodatek Service Pack 3
OS Architecture      : X86
System Langauge      : Polish
Keyboard Layout      : Polish
Processor            : X86 AMD Athlon(tm) XP 2000+

System Drive         : C:\
Windows Directory    : C:\WINDOWS
System Directory     : C:\WINDOWS\system32

System Drive Type    : Fixed
System Drive Status  : READY
System Drive Label   :
System Drive Size    : 16.31 GB
System Drive Free    : 6.54 GB

Total Physical Memory: 255 MB
Free Physical Memory : 77 MB
Total Page File      : 255 MB
Free Page File       : 400 MB
Total Virtual Memory : 2048 MB
Free Virtual Memory  : 1956 MB

Boot State           : Normal boot

--------------------------------------------------------------------------------

!!! userinit.exe is Clean !!!

--------------------------------------------------------------------------------

!!! Files that have been deleted !!!

No malicious files found

--------------------------------------------------------------------------------

!!! Directories that have been removed !!!

No malicious directories to be removed

--------------------------------------------------------------------------------

!!! Registry entries that have been removed !!!

No malicious Registry entries found

================================================================================

All Done :)

ShadowPuterDude

Safe Surfing!!!

DR! Web Cuit nie ściąga mi się, a strona Kasperskiego się nei wczytuje

[wojtas]

jakies problemy jeszcze ? daj loga z combofixa jak by co

[Wojtaz]

Rejestr nie działa, menadżer zadań też nie, wszędzie są pliki EML...

Kod: Zaznacz wszystko

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:18:33, on 2009-04-16
Platform: Windows XP Dodatek SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\VM_STI.EXE
D:\Program Files\Vista Drive Icon\DrvIcon.exe
D:\Program Files\Vista Drive Icon\DrvIcon.exe
C:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre6\bin\jusched.exe
D:\Program Files\DAEMON Tools Lite\daemon.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\DOCUME~1\Krzysiek\USTAWI~1\Temp\winnugbm.exe
C:\DOCUME~1\Krzysiek\USTAWI~1\Temp\winsyomho.exe
C:\Program Files\Opera\opera.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com?SearchSource=10&ctid=CT1392740
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Winamp Search Class - {57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - D:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE Philips SPC 200NC PC Camera
O4 - HKLM\..\Run: [DrvIcon] D:\Program Files\Vista Drive Icon\DrvIcon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [WinampAgent] "D:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Runonce] C:\WINDOWS\system32\runouce.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "D:\Program Files\DAEMON Tools Lite\daemon.exe"
O4 - HKCU\..\Run: [ares] "D:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [Gadu-Gadu] "D:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [ALLUpdate] "d:\Program Files\ALLPlayer\ALLUpdate.exe" "sleep"
O4 - HKCU\..\Run: [Nowe Gadu-Gadu] "D:\Program Files\Nowe Gadu-Gadu\gg.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - .DEFAULT User Startup: KRZYCHU.eml (User 'Default user')
O4 - Startup: KRZYCHU.eml
O4 - Global Startup: KRZYCHU.eml
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Dane aplikacji\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - D:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - D:\Program Files\Ares\chatServer.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Start BT in service - Unknown owner - D:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe

--
End of file - 4849 bytes


[wojtas]

skasuj to:

O4 - .DEFAULT User Startup: KRZYCHU.eml (User 'Default user')
O4 - Startup: KRZYCHU.eml
O4 - Global Startup: KRZYCHU.eml
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

oproznij ten folder;

C:\DOCUME~1\Krzysiek\USTAWI~1\Temp

daj loga z combofixa

Autor postu otrzymał pochwałę

[Wojtaz]

wojtas,

O4 - .DEFAULT User Startup: KRZYCHU.eml (User 'Default user')
O4 - Startup: KRZYCHU.eml
O4 - Global Startup: KRZYCHU.eml
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

fixowałem to kilka razy i nic właśnie...

Dobra, ale zrobiłem mu format C:\, narazie GG działa, regedit i ctrl+alt+delete też..
Tylko na D ma wszędzie pliki EML, może usunie je wszystkie.

temat do zamknięcia i dzięki za pomoc