Win 32/statik

[koma]

Od wczoraj NOD32 podaje informacje dokładnie co 15 min o zagrożeniu podczas uzyskiwania dostępu do internetu.

Ochrona protokołu HTTP plik http: //banksguard.com/picxxx/file.php?del - prawdopodobnie odmiana wirusa Win32/Statik aplikacja - połączenie zostało zakończone - poddany kwarantannie - Wykryto zagrożenie podczas uzyskiwania dostępu do stron internetowych przez aplikację: C:\WINDOWS\system32\svchost.exe.
Co zrobić, żeby komputer nie łączył się z tą stroną? Nie wiem, czy to prawidłowy sposób podania problemu...

Kod: Zaznacz wszystko

ComboFix 09-02-17.02 - offer 2009-02-18 18:28:15.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1250.1.1033.18.1279.983 [GMT 1:00]
Uruchomiony z: f:\instalki, sterowniki, programy, system\Programy\ComboFix.exe
* Utworzono nowy punkt przywracania
* Resident AV is active


UWAGA - TEN KOMPUTER NIE MA ZAINSTALOWANEJ KONSOLI ODZYSKIWANIA !!
.

(((((((((((((((((((((((((((((((((((((((   Usunięto   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\offer\Application Data\EurekaLog
c:\documents and settings\offer\Application Data\EurekaLog\EurekaLog.ini
c:\windows\system32\twain32
c:\windows\system32\twain32\local.ds
c:\windows\system32\twain32\user.ds
c:\windows\system32\twex.exe

----- BITS: Możliwe zainfekowane strony -----

hxxp://banksguard.com
.
(((((((((((((((((((((((((   Pliki utworzone od 2009-01-18 do 2009-02-18  )))))))))))))))))))))))))))))))
.

2009-02-18 18:32 . 2009-02-18 18:32   <DIR>   d--hs----   c:\windows\system32\twain32
2009-02-18 13:43 . 2009-02-18 14:37   <DIR>   d--------   c:\program files\Malwarebytes' Anti-Malware
2009-02-18 13:43 . 2009-02-18 13:43   <DIR>   d--------   c:\documents and settings\offer\Application Data\Malwarebytes
2009-02-18 13:43 . 2009-02-18 13:43   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-18 13:43 . 2009-02-11 10:19   38,496   --a------   c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-18 13:43 . 2009-02-11 10:19   15,504   --a------   c:\windows\system32\drivers\mbam.sys
2009-02-17 11:07 . 2008-04-14 04:42   26,112   --a------   c:\windows\system32\stu2.exe
2009-02-04 07:57 . 2009-02-04 07:57   <DIR>   d--------   c:\program files\iTunes
2009-02-04 07:57 . 2009-02-04 07:57   <DIR>   d--------   c:\program files\iPod
2009-02-04 07:57 . 2009-02-04 07:57   <DIR>   d--------   c:\program files\Bonjour
2009-02-04 07:57 . 2009-02-04 07:57   <DIR>   d--------   c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-02-04 07:57 . 2008-04-17 13:12   107,368   --a------   c:\windows\system32\GEARAspi.dll
2009-02-04 07:57 . 2008-04-17 13:12   15,464   --a------   c:\windows\system32\drivers\GEARAspiWDM.sys
2009-02-04 07:56 . 2009-02-04 07:56   <DIR>   d--------   c:\program files\QuickTime
2009-02-04 07:56 . 2009-02-04 07:56   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Apple Computer
2009-02-04 07:55 . 2009-02-04 07:57   <DIR>   d----c---   c:\windows\system32\DRVSTORE
2009-02-04 07:55 . 2009-02-04 07:55   <DIR>   d--------   c:\program files\Common Files\Apple
2009-02-02 13:16 . 2009-02-11 11:58   <DIR>   d--------   c:\windows\system32\IOSUBSYS
2009-01-24 23:20 . 2009-01-24 23:20   <DIR>   d--------   c:\program files\UnH Solutions
2009-01-22 18:19 . 2009-01-24 23:06   <DIR>   d--------   C:\TEMP
2009-01-21 20:19 . 2009-01-21 20:19   <DIR>   d--------   c:\documents and settings\offer\Application Data\VSRevoGroup

.
((((((((((((((((((((((((((((((((((((((((   Sekcja Find3M   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-18 17:27   81,920   ----a-w   c:\windows\DUMP3c20.tmp
2009-02-17 18:58   ---------   d---a-w   c:\documents and settings\All Users\Application Data\TEMP
2009-02-17 10:06   8,704   ----a-w   c:\windows\system32\userinit.exe
2009-02-12 15:26   ---------   d-----r   c:\program files\Aston
2009-02-04 20:58   ---------   d-----w   c:\program files\Google
2009-02-04 06:57   ---------   d-----w   c:\documents and settings\offer\Application Data\Apple Computer
2009-02-02 12:16   ---------   d-----w   c:\program files\Programy
2009-01-29 21:57   ---------   d-----w   c:\documents and settings\offer\Application Data\Skype
2009-01-29 21:17   ---------   d-----w   c:\documents and settings\offer\Application Data\skypePM
2009-01-16 20:35   3,594,752   ------w   c:\windows\system32\dllcache\mshtml.dll
2009-01-16 13:01   410,984   ----a-w   c:\windows\system32\deploytk.dll
2009-01-16 13:01   ---------   d-----w   c:\program files\Java
2009-01-16 00:53   ---------   d-----w   c:\documents and settings\All Users\Application Data\SpeedBit
2009-01-11 01:28   ---------   d-----w   c:\program files\AskSBar
2009-01-11 01:26   ---------   d-----w   c:\program files\DAP
2009-01-11 01:21   50,688   ----a-w   c:\windows\system32\wbhelp2.dll
2009-01-07 02:02   ---------   d-----w   c:\program files\Gadu-Gadu
2009-01-05 22:33   3,751,995   ----a-w   c:\windows\system32\GPhotos.scr
2009-01-03 22:54   ---------   d--h--w   c:\program files\InstallShield Installation Information
2009-01-03 22:54   ---------   d-----w   c:\program files\LizardTech
2008-12-25 00:37   ---------   d-----w   c:\documents and settings\offer\Application Data\AdobeUM
2008-12-23 00:18   22,776   ----a-w   c:\documents and settings\offer\Application Data\GDIPFONTCACHEV1.DAT
2008-12-19 09:10   70,656   ------w   c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 09:10   13,824   ------w   c:\windows\system32\dllcache\ieudinit.exe
2008-12-19 05:25   634,024   ------w   c:\windows\system32\dllcache\iexplore.exe
2008-12-19 05:23   161,792   ------w   c:\windows\system32\dllcache\ieakui.dll
2008-12-11 10:57   333,952   ------w   c:\windows\system32\dllcache\srv.sys
2005-03-31 20:17   40,960   ----a-w   c:\program files\Uninstall_CDS.exe
.

------- Sigcheck -------

2009-02-17 11:06  8704  8d82c411cb3748dfefcbd4277db7fbfd   c:\windows\system32\userinit.exe
.
(((((((((((((((((((((((((((((((((((((   Wpisy startowe rejestru   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane 
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{E312764E-7706-43F1-8DAB-FCDD2B1E416D}"= "c:\program files\Search Settings\kb127\SearchSettings.dll" [2008-06-12 1111904]

[HKEY_CLASSES_ROOT\clsid\{e312764e-7706-43f1-8dab-fcdd2b1e416d}]
[HKEY_CLASSES_ROOT\SearchSettings.BHO.1]
[HKEY_CLASSES_ROOT\TypeLib\{CD082CCA-086F-4FD8-8FD7-247A0DBBD1CC}]
[HKEY_CLASSES_ROOT\SearchSettings.BHO]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E312764E-7706-43F1-8DAB-FCDD2B1E416D}]
2008-06-12 15:57   1111904   --a------   c:\program files\Search Settings\kb127\SearchSettings.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"EVEREST AutoStart"="c:\program files\Programy\Everest Ultimate Edition 2007\everest.exe" [2007-04-04 2141544]
"Gadu-Gadu"="c:\program files\Gadu-Gadu\gg.exe" [2008-12-27 2127296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\Programy\ESET NOD32 Antivirus\egui.exe" [2008-03-13 1443072]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-03-24 3309568]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2004-03-24 46080]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-16 136600]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2008-12-21 c:\windows\system32\advpack.dll]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon]
"shell"="c:\progra~1\Aston\aston.exe ,svchost.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,c:\windows\system32\twex.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerBar]
--------- 2004-04-21 09:26 86016 c:\program files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2003-12-08 16:35 32768 c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\WapSter\\WapSter AQQ\\AQQ.exe"=
"c:\\Program Files\\Programy\\eMule\\emule.exe"=
"c:\\Program Files\\Gadu-Gadu\\gg.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-03-13 33800]
R2 ekrn;Eset Service;c:\program files\Programy\ESET NOD32 Antivirus\ekrn.exe [2008-03-13 472320]
R3 EverestDriver;Lavalys EVEREST Kernel Driver;c:\program files\Programy\Everest Ultimate Edition 2007\kerneld.wnt [2008-08-13 20856]
S2 NOD32FiXTemDono;Eset Nod32 Boot;c:\windows\system32\regedt32.exe [2001-08-23 3584]

--- Inne Usługi/Sterowniki w Pamięci ---

*NewlyCreated* - HELPSVC
.
Zawartość folderu 'Zaplanowane zadania'

2009-02-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-01-31 c:\windows\Tasks\ErrorKiller Scheduled Scan.job
- c:\program files\Programy\ErrorKiller\ErrorKiller.exe []

2009-01-31 c:\windows\Tasks\ErrorKiller Scheduled Scan.job
- c:\program files\Programy\ErrorKiller []
.
.
------- Skan uzupełniający -------
.
uStart Page = hxxp://search.speedbit.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Clean Traces - c:\program files\DAP\Privacy Package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\DAP\dapextie.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Compare Prices with &Dealio - c:\documents and settings\offer\Application Data\Dealio\kb127\res\DealioSearch.html
IE: Download &all with DAP - c:\program files\DAP\dapextie2.htm
IE: E&ksport do programu Microsoft Excel - c:\progra~1\Programy\MICROS~1\Office10\EXCEL.EXE/3000
Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
Name-Space Handler: http\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
FF - ProfilePath - c:\documents and settings\offer\Application Data\Mozilla\Firefox\Profiles\v3siseyh.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?source=gama&hl=pl
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?btnI=I%27m+Feeling+Lucky&ie=UTF-8&oe=UTF-8&q=
FF - plugin: c:\program files\Microsoft Silverlight\npctrl.1.0.20816.0.dll
FF - plugin: c:\program files\Programy\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF - plugin: c:\program files\Programy\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Programy\Mozilla Firefox\plugins\npdjvu.dll
FF - plugin: c:\program files\Programy\Mozilla Firefox\plugins\NPMyrMus.dll
FF - plugin: c:\program files\Programy\Opera\program\plugins\npdjvu.dll
FF - plugin: c:\program files\Programy\Opera\program\plugins\npdsplay.dll
FF - plugin: c:\program files\Programy\Opera\program\plugins\npqtplugin.dll
FF - plugin: c:\program files\Programy\Opera\program\plugins\npqtplugin2.dll
FF - plugin: c:\program files\Programy\Opera\program\plugins\npqtplugin3.dll
FF - plugin: c:\program files\Programy\Opera\program\plugins\npqtplugin4.dll
FF - plugin: c:\program files\Programy\Opera\program\plugins\npqtplugin5.dll
FF - plugin: c:\program files\Programy\Opera\program\plugins\npqtplugin6.dll
FF - plugin: c:\program files\Programy\Opera\program\plugins\npqtplugin7.dll
FF - plugin: c:\program files\Programy\Opera\program\plugins\npwmsdrm.dll

---- FIREFOX - SPOSÓB POSTĘPOWANIA ----
pref(dom.disable_open_during_load, false);
FF - user.js: capability.policy.policynames - allowclipboard
FF - user.js: capability.policy.allowclipboard.sites - hxxp://www.chomikuj.pl
FF - user.js: capability.policy.allowclipboard.Clipboard.cutcopy - allAccess
FF - user.js: capability.policy.allowclipboard.Clipboard.paste - allAccess.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-18 18:32:12
Windows 5.1.2600 Service Pack 3 NTFS

skanowanie ukrytych procesów ... 

skanowanie ukrytych wpisów autostartu ...

skanowanie ukrytych plików ... 

skanowanie pomyślnie ukończone
ukryte pliki: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EverestDriver]
"ImagePath"="\??\c:\program files\Programy\Everest Ultimate Edition 2007\kerneld.wnt"
.
------------------------ Pozostałe uruchomione procesy ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Programy\FolderSize\FolderSizeSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\Aston\Aston.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\devldr32.exe
.
**************************************************************************
.
Czas ukończenia: 2009-02-18 18:37:06 - komputer został uruchomiony ponownie
ComboFix-quarantined-files.txt  2009-02-18 17:37:03

Przed: 6,228,918,272 bytes free
Po: 6,425,591,808 bytes free

219   --- E O F ---   2009-02-11 17:38:06


jeszcze ten..

Kod: Zaznacz wszystko

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:23:37, on 2009-02-18
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Programy\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Programy\FolderSize\FolderSizeSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Aston\aston.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Programy\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Programy\Everest Ultimate Edition 2007\everest.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Programy\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
F:\Instalki, Sterowniki, Programy, System\Programy\do logów\Hijackthis\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.speedbit.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb127\SearchSettings.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twex.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Programy\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb127\SearchSettings.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - (no file)
O4 - HKLM\..\Run: [egui] "C:\Program Files\Programy\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EVEREST AutoStart] C:\Program Files\Programy\Everest Ultimate Edition 2007\everest.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Compare Prices with &Dealio - C:\Documents and Settings\offer\Application Data\Dealio\kb127\res\DealioSearch.html
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\Programy\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\WINDOWS\system32\shdocvw.dll
O12 - Plugin for .mu3: C:\Program Files\Internet Explorer\Plugins\NPMyrMus.dll
O12 - Plugin for .mus: C:\Program Files\Internet Explorer\Plugins\NPMyrMus.dll
O12 - Plugin for .mxl: C:\Program Files\Internet Explorer\Plugins\NPMyrMus.dll
O12 - Plugin for .mya: C:\Program Files\Internet Explorer\Plugins\NPMyrMus.dll
O12 - Plugin for .myr: C:\Program Files\Internet Explorer\Plugins\NPMyrMus.dll
O12 - Plugin for .myt: C:\Program Files\Internet Explorer\Plugins\NPMyrMus.dll
O12 - Plugin for .xmz: C:\Program Files\Internet Explorer\Plugins\NPMyrMus.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CiSvc - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\Programy\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\Programy\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\Programy\FolderSize\FolderSizeSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Usługa iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: UPS - Unknown owner - C:\WINDOWS\System32\ups.exe (file missing)

--
End of file - 7390 bytes


Hmm...

[djarta]

ComboFix usunął już tą stronkę którą wykrywał NOD.

1) Zamknij robaczywe porty przy pomocy --> Windows Worms Doors Cleaner (niżej na stronie linku)..
Ustaw znaczki na zielono, Netbios może być na żółto.
Po użyciu narzędzia wymagany jest restart.

2) Wklej do Notatnika:

Kod: Zaznacz wszystko

File::
c:\windows\system32\stu2.exe
c:\windows\DUMP3c20.tmp

Folder::
c:\windows\system32\twain32
c:\program files\AskSBar
c:\program files\DAP
c:\program files\Search Settings

Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{E312764E-7706-43F1-8DAB-FCDD2B1E416D}"=-
[-HKEY_CLASSES_ROOT\clsid\{e312764e-7706-43f1-8dab-fcdd2b1e416d}]
[-HKEY_CLASSES_ROOT\SearchSettings.BHO.1]
[-HKEY_CLASSES_ROOT\TypeLib\{CD082CCA-086F-4FD8-8FD7-247A0DBBD1CC}]
[-HKEY_CLASSES_ROOT\SearchSettings.BHO]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E312764E-7706-43F1-8DAB-FCDD2B1E416D}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"=-
"NvMediaCenter"=-
"SunJavaUpdateSched"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00



>>Plik>>Zapisz jako... >>> CFScript
Przeciągnij i upuść plik CFScript.txt na plik ComboFix.exe
-->
Ma się rozpocząć usuwanie. (i powstanie log).Daj ten log, który powstanie w trakcie usuwania.
Jeśli pójdzie dobrze, to: Po restarcie usuń ręcznie folder C:\Qoobox.

3) Coś jest 'nieteges' z Twoim plikiem "userinit.exe", widzę jego świeżą modyfikację, czyżby coś się pod niego podczepiło.?

Do tego to:

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon]
"shell"="c:\progra~1\Aston\aston.exe ,svchost.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,c:\windows\system32\twex.exe,"

Hmm, boję się tego. Daje jak coś to do usuwania. Mam nadzieję, że to pomoże. Ten plik "userinit.exe":

Sprawdź go na ---> VIRUSSCAN
Albo na --> VIRUSTOTAL
Lub na --> VIRSCAN

4)

O9 - Extra button: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\WINDOWS\system32\shdocvw.dll
O3 - Toolbar: (no name) - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - (no file)

Kosmetycznie fiksujesz te wpisy.
>>Hijack>>scan(Do a system scan only)>>zaznacz je >>Fix checked.



====================================
K.

[koma]

Dzięki bardzo... zabieram się za studiowanie odpowiedzi...

Dodano Dzisiaj, 22:06:
To mój nowy log po restarcie... niestety z przygodami... Windows nie chciał się uruchomić (nakładka Aston)...

Jeśli pójdzie dobrze, to: Po restarcie usuń ręcznie folder C:\Qoobox.

nie poszło dobrze chyba..? to usuwać?

Kod: Zaznacz wszystko

ComboFix 09-02-17.02 - offer 2009-02-18 20:17:08.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1250.1.1033.18.1279.985 [GMT 1:00]
Uruchomiony z: f:\instalki, sterowniki, programy, system\Programy\ComboFix.exe
Użyto następujących komend :: f:\instalki, sterowniki, programy, system\Programy\CFScript.txt
* Utworzono nowy punkt przywracania
* Resident AV is active


UWAGA - TEN KOMPUTER NIE MA ZAINSTALOWANEJ KONSOLI ODZYSKIWANIA !!

FILE ::
c:\windows\DUMP3c20.tmp
c:\windows\system32\stu2.exe
.

(((((((((((((((((((((((((((((((((((((((   Usunięto   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\AskSBar
c:\program files\DAP
c:\program files\DAP\cabex.dll
c:\program files\DAP\Cancel.gif
c:\program files\DAP\comtest.gif
c:\program files\DAP\DAP.exe
c:\program files\DAP\dap_premium.gif
c:\program files\DAP\DAPConf.exe
c:\program files\DAP\dapextie.htm
c:\program files\DAP\dapextie2.htm
c:\program files\DAP\DAPFireFox\chrome.manifest
c:\program files\DAP\DAPFireFox\chrome\dapff.jar
c:\program files\DAP\DAPFireFox\components\.autoreg
c:\program files\DAP\DAPFireFox\components\DAPFireFox.dll
c:\program files\DAP\DAPFireFox\components\dapservice.js
c:\program files\DAP\DAPFireFox\components\IDAPComponent.xpt
c:\program files\DAP\DAPFireFox\install.rdf
c:\program files\DAP\DAPFireFox\install.xpi
c:\program files\DAP\dapie.dll
c:\program files\DAP\DAPIEEngine.dll
c:\program files\DAP\DAPIEMonitor.dll
c:\program files\DAP\dapm_Context_search.dll
c:\program files\DAP\dapm_ftp.dll
c:\program files\DAP\dapmm.dll
c:\program files\DAP\dapop.dll
c:\program files\DAP\DapRemove.exe
c:\program files\DAP\dapres.dll
c:\program files\DAP\dapres32.dll
c:\program files\DAP\dapupd.exe
c:\program files\DAP\dapxrpt.exe
c:\program files\DAP\dapxrpt.ini
c:\program files\DAP\dbghelp.dll
c:\program files\DAP\delete_animation.gif
c:\program files\DAP\dexthlp.dll
c:\program files\DAP\download_ani.gif
c:\program files\DAP\Install.log
c:\program files\DAP\license.txt
c:\program files\DAP\Locales\DAPCHS.lng
c:\program files\DAP\Locales\DAPCHT.lng
c:\program files\DAP\Locales\DAPDEU.lng
c:\program files\DAP\Locales\DAPENU.lng
c:\program files\DAP\Locales\DAPESP.lng
c:\program files\DAP\Locales\DAPFRA.lng
c:\program files\DAP\Locales\DAPITA.lng
c:\program files\DAP\Locales\DAPJPN.lng
c:\program files\DAP\Locales\DAPM_FTPCHT.lng
c:\program files\DAP\Locales\DAPM_FTPDEU.lng
c:\program files\DAP\Locales\DAPM_FTPENU.lng
c:\program files\DAP\Locales\DAPM_FTPESP.lng
c:\program files\DAP\Locales\DAPM_FTPFRA.lng
c:\program files\DAP\Locales\DAPM_FTPITA.lng
c:\program files\DAP\Locales\DAPM_FTPJPN.lng
c:\program files\DAP\Locales\DAPM_FTPNLD.lng
c:\program files\DAP\Locales\DAPM_FTPPTB.lng
c:\program files\DAP\Locales\DAPM_FTPRUS.lng
c:\program files\DAP\Locales\DAPNLD.lng
c:\program files\DAP\Locales\DAPPOL.lng
c:\program files\DAP\Locales\DAPPTB.lng
c:\program files\DAP\Locales\DAPRUS.lng
c:\program files\DAP\MCMgr.dll
c:\program files\DAP\mfc42.dll
c:\program files\DAP\msvcrt.dll
c:\program files\DAP\OK.gif
c:\program files\DAP\Privacy Package\CleanerIEMenu.dll
c:\program files\DAP\Privacy Package\dapcleanerie.htm
c:\program files\DAP\Privacy Package\DAPCtxMenuShell.dll
c:\program files\DAP\Privacy Package\DAPShred.exe
c:\program files\DAP\Privacy Package\DAPTraceCleaner.exe
c:\program files\DAP\Privacy Package\shred_animation4.gif
c:\program files\DAP\Privacy Package\trace_ani.gif
c:\program files\DAP\privacy.txt
c:\program files\DAP\progbar.gif
c:\program files\DAP\RestartApp.exe
c:\program files\DAP\SBSearch.dll
c:\program files\DAP\security_ani.gif
c:\program files\DAP\Skins\dap\arrows.bmp
c:\program files\DAP\Skins\dap\bms.bmp
c:\program files\DAP\Skins\dap\bmstool.bmp
c:\program files\DAP\Skins\dap\C-Close.bmp
c:\program files\DAP\Skins\dap\C-end.bmp
c:\program files\DAP\Skins\dap\C-Max.bmp
c:\program files\DAP\Skins\dap\C-Min.bmp
c:\program files\DAP\Skins\dap\C-Restore.bmp
c:\program files\DAP\Skins\dap\checkbox.bmp
c:\program files\DAP\Skins\dap\ComboButton.bmp
c:\program files\DAP\Skins\dap\combobuttonextra.bmp
c:\program files\DAP\Skins\dap\DAP.uis
c:\program files\DAP\Skins\dap\Dialog.bmp
c:\program files\DAP\Skins\dap\Explorer.bmp
c:\program files\DAP\Skins\dap\F-Bottom.bmp
c:\program files\DAP\Skins\dap\F-Left.bmp
c:\program files\DAP\Skins\dap\F-Right.bmp
c:\program files\DAP\Skins\dap\F-Top.bmp
c:\program files\DAP\Skins\dap\grip.bmp
c:\program files\DAP\Skins\dap\GroupBox.bmp
c:\program files\DAP\Skins\dap\GroupBoxTitle.bmp
c:\program files\DAP\Skins\dap\Header.bmp
c:\program files\DAP\Skins\dap\hscroll.bmp
c:\program files\DAP\Skins\dap\hscroll2.bmp
c:\program files\DAP\Skins\dap\mdi-button.bmp
c:\program files\DAP\Skins\dap\Mdi.bmp
c:\program files\DAP\Skins\dap\Menu-Border.bmp
c:\program files\DAP\Skins\dap\MenuBar.bmp
c:\program files\DAP\Skins\dap\menuborder.bmp
c:\program files\DAP\Skins\dap\menutool.bmp
c:\program files\DAP\Skins\dap\ProgressBar.bmp
c:\program files\DAP\Skins\dap\radiobutton.bmp
c:\program files\DAP\Skins\dap\shade.bmp
c:\program files\DAP\Skins\dap\Status.bmp
c:\program files\DAP\Skins\dap\SunkenEdge.bmp
c:\program files\DAP\Skins\dap\tabborders.bmp
c:\program files\DAP\Skins\dap\tabs.bmp
c:\program files\DAP\Skins\dap\vscroll.bmp
c:\program files\DAP\Skins\dap\vscroll2.bmp
c:\program files\DAP\Skins\skins.url
c:\program files\DAP\unelevate.exe
c:\program files\DAP\UNWISE.EXE
c:\program files\DAP\website.url
c:\program files\DAP\zlib.dll
c:\program files\Search Settings
c:\program files\Search Settings\kb127\SearchSettings.dll
c:\program files\Search Settings\kb127\SearchSettingsRes409.dll
c:\program files\Search Settings\SearchSettings.exe
c:\windows\DUMP3c20.tmp
c:\windows\system32\stu2.exe
c:\windows\system32\twain32\user.ds.lll
c:\windows\system32\twain32 . . . . nie udało się usunąć
c:\windows\system32\twain32\local.ds . . . . nie udało się usunąć
c:\windows\system32\twain32\user.ds . . . . nie udało się usunąć
c:\windows\system32\twex.exe . . . . nie udało się usunąć

.
(((((((((((((((((((((((((   Pliki utworzone od 2009-01-18 do 2009-02-18  )))))))))))))))))))))))))))))))
.

2009-02-18 18:32 . 2009-02-18 21:26   <DIR>   d--hs----   c:\windows\system32\twain32
2009-02-18 13:43 . 2009-02-18 14:37   <DIR>   d--------   c:\program files\Malwarebytes' Anti-Malware
2009-02-18 13:43 . 2009-02-18 13:43   <DIR>   d--------   c:\documents and settings\offer\Application Data\Malwarebytes
2009-02-18 13:43 . 2009-02-18 13:43   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-18 13:43 . 2009-02-11 10:19   38,496   --a------   c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-18 13:43 . 2009-02-11 10:19   15,504   --a------   c:\windows\system32\drivers\mbam.sys
2009-02-04 07:57 . 2009-02-04 07:57   <DIR>   d--------   c:\program files\iTunes
2009-02-04 07:57 . 2009-02-04 07:57   <DIR>   d--------   c:\program files\iPod
2009-02-04 07:57 . 2009-02-04 07:57   <DIR>   d--------   c:\program files\Bonjour
2009-02-04 07:57 . 2009-02-04 07:57   <DIR>   d--------   c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-02-04 07:57 . 2008-04-17 13:12   107,368   --a------   c:\windows\system32\GEARAspi.dll
2009-02-04 07:57 . 2008-04-17 13:12   15,464   --a------   c:\windows\system32\drivers\GEARAspiWDM.sys
2009-02-04 07:56 . 2009-02-04 07:56   <DIR>   d--------   c:\program files\QuickTime
2009-02-04 07:56 . 2009-02-04 07:56   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Apple Computer
2009-02-04 07:55 . 2009-02-04 07:57   <DIR>   d----c---   c:\windows\system32\DRVSTORE
2009-02-04 07:55 . 2009-02-04 07:55   <DIR>   d--------   c:\program files\Common Files\Apple
2009-02-02 13:16 . 2009-02-11 11:58   <DIR>   d--------   c:\windows\system32\IOSUBSYS
2009-01-24 23:20 . 2009-01-24 23:20   <DIR>   d--------   c:\program files\UnH Solutions
2009-01-22 18:19 . 2009-01-24 23:06   <DIR>   d--------   C:\TEMP
2009-01-21 20:19 . 2009-01-21 20:19   <DIR>   d--------   c:\documents and settings\offer\Application Data\VSRevoGroup

.
((((((((((((((((((((((((((((((((((((((((   Sekcja Find3M   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-18 20:47   ---------   d-----r   c:\program files\Aston
2009-02-17 18:58   ---------   d---a-w   c:\documents and settings\All Users\Application Data\TEMP
2009-02-04 20:58   ---------   d-----w   c:\program files\Google
2009-02-04 06:57   ---------   d-----w   c:\documents and settings\offer\Application Data\Apple Computer
2009-02-02 12:16   ---------   d-----w   c:\program files\Programy
2009-01-29 21:57   ---------   d-----w   c:\documents and settings\offer\Application Data\Skype
2009-01-29 21:17   ---------   d-----w   c:\documents and settings\offer\Application Data\skypePM
2009-01-16 13:01   ---------   d-----w   c:\program files\Java
2009-01-16 00:53   ---------   d-----w   c:\documents and settings\All Users\Application Data\SpeedBit
2009-01-07 02:02   ---------   d-----w   c:\program files\Gadu-Gadu
2009-01-03 22:54   ---------   d--h--w   c:\program files\InstallShield Installation Information
2009-01-03 22:54   ---------   d-----w   c:\program files\LizardTech
2008-12-25 00:37   ---------   d-----w   c:\documents and settings\offer\Application Data\AdobeUM
2008-12-23 00:18   22,776   ----a-w   c:\documents and settings\offer\Application Data\GDIPFONTCACHEV1.DAT
2005-03-31 20:17   40,960   ----a-w   c:\program files\Uninstall_CDS.exe
.

------- Sigcheck -------

2009-02-17 11:06  8704  8d82c411cb3748dfefcbd4277db7fbfd   c:\windows\system32\userinit.exe
.
(((((((((((((((((((((((((((((   SnapShot@2009-02-18_18.36.08.83   )))))))))))))))))))))))))))))))))))))))))
.
- 2009-02-18 17:32:02   16,384   ----a-w   c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-02-18 20:26:00   16,384   ----a-w   c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-02-18 17:32:02   32,768   ----a-w   c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-02-18 20:26:00   32,768   ----a-w   c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-02-18 17:32:02   32,768   ----a-w   c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-02-18 20:26:00   32,768   ----a-w   c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-04-14 03:41:26   283,648   ------w   c:\windows\system32\twex.exe
+ 2009-02-18 20:47:42   332,800   ----a-w   c:\windows\system32\twex.exe
+ 2009-02-18 20:24:14   16,384   ----atw   c:\windows\Temp\Perflib_Perfdata_554.dat
.
(((((((((((((((((((((((((((((((((((((   Wpisy startowe rejestru   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"EVEREST AutoStart"="c:\program files\Programy\Everest Ultimate Edition 2007\everest.exe" [2007-04-04 2141544]
"Gadu-Gadu"="c:\program files\Gadu-Gadu\gg.exe" [2008-12-27 2127296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\Programy\ESET NOD32 Antivirus\egui.exe" [2008-03-13 1443072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2008-12-21 c:\windows\system32\advpack.dll]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon]
"shell"="c:\progra~1\Aston\aston.exe ,svchost.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,c:\windows\system32\twex.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerBar]
--------- 2004-04-21 09:26 86016 c:\program files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2003-12-08 16:35 32768 c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\WapSter\\WapSter AQQ\\AQQ.exe"=
"c:\\Program Files\\Programy\\eMule\\emule.exe"=
"c:\\Program Files\\Gadu-Gadu\\gg.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-03-13 33800]
R2 ekrn;Eset Service;c:\program files\Programy\ESET NOD32 Antivirus\ekrn.exe [2008-03-13 472320]
R3 EverestDriver;Lavalys EVEREST Kernel Driver;c:\program files\Programy\Everest Ultimate Edition 2007\kerneld.wnt [2008-08-13 20856]
S2 NOD32FiXTemDono;Eset Nod32 Boot;c:\windows\system32\regedt32.exe [2001-08-23 3584]
.
Zawartość folderu 'Zaplanowane zadania'

2009-02-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-01-31 c:\windows\Tasks\ErrorKiller Scheduled Scan.job
- c:\program files\Programy\ErrorKiller\ErrorKiller.exe []

2009-01-31 c:\windows\Tasks\ErrorKiller Scheduled Scan.job
- c:\program files\Programy\ErrorKiller []
.
.
------- Skan uzupełniający -------
.
uStart Page = hxxp://search.speedbit.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Clean Traces - c:\program files\DAP\Privacy Package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\DAP\dapextie.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Compare Prices with &Dealio - c:\documents and settings\offer\Application Data\Dealio\kb127\res\DealioSearch.html
IE: Download &all with DAP - c:\program files\DAP\dapextie2.htm
IE: E&ksport do programu Microsoft Excel - c:\progra~1\Programy\MICROS~1\Office10\EXCEL.EXE/3000
Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} -
Name-Space Handler: http\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} -
FF - ProfilePath - c:\documents and settings\offer\Application Data\Mozilla\Firefox\Profiles\v3siseyh.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?source=gama&hl=pl
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?btnI=I%27m+Feeling+Lucky&ie=UTF-8&oe=UTF-8&q=
FF - plugin: c:\program files\Microsoft Silverlight\npctrl.1.0.20816.0.dll
FF - plugin: c:\program files\Programy\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF - plugin: c:\program files\Programy\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Programy\Mozilla Firefox\plugins\npdjvu.dll
FF - plugin: c:\program files\Programy\Mozilla Firefox\plugins\NPMyrMus.dll
FF - plugin: c:\program files\Programy\Opera\program\plugins\npdjvu.dll
FF - plugin: c:\program files\Programy\Opera\program\plugins\npdsplay.dll
FF - plugin: c:\program files\Programy\Opera\program\plugins\npqtplugin.dll
FF - plugin: c:\program files\Programy\Opera\program\plugins\npqtplugin2.dll
FF - plugin: c:\program files\Programy\Opera\program\plugins\npqtplugin3.dll
FF - plugin: c:\program files\Programy\Opera\program\plugins\npqtplugin4.dll
FF - plugin: c:\program files\Programy\Opera\program\plugins\npqtplugin5.dll
FF - plugin: c:\program files\Programy\Opera\program\plugins\npqtplugin6.dll
FF - plugin: c:\program files\Programy\Opera\program\plugins\npqtplugin7.dll
FF - plugin: c:\program files\Programy\Opera\program\plugins\npwmsdrm.dll

---- FIREFOX - SPOSÓB POSTĘPOWANIA ----
pref(dom.disable_open_during_load, false);
FF - user.js: capability.policy.policynames - allowclipboard
FF - user.js: capability.policy.allowclipboard.sites - hxxp://www.chomikuj.pl
FF - user.js: capability.policy.allowclipboard.Clipboard.cutcopy - allAccess
FF - user.js: capability.policy.allowclipboard.Clipboard.paste - allAccess.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-18 21:47:47
Windows 5.1.2600 Service Pack 3 NTFS

skanowanie ukrytych procesów ... 

skanowanie ukrytych wpisów autostartu ...

skanowanie ukrytych plików ... 

skanowanie pomyślnie ukończone
ukryte pliki: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EverestDriver]
"ImagePath"="\??\c:\program files\Programy\Everest Ultimate Edition 2007\kerneld.wnt"
.
------------------------ Pozostałe uruchomione procesy ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Programy\FolderSize\FolderSizeSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\devldr32.exe
c:\program files\Aston\Aston.exe
c:\program files\Aston\XP\internat.exe
.
**************************************************************************
.
Czas ukończenia: 2009-02-18 21:51:23 - komputer został uruchomiony ponownie
ComboFix-quarantined-files.txt  2009-02-18 20:51:09
ComboFix2.txt  2009-02-18 17:37:07

Przed: 6,428,753,920 bytes free
Po: 6,404,382,720 bytes free

329   --- E O F ---   2009-02-11 17:38:06


userinit.exe przeskanowałam - status OK nic nie ma.

A komunikat Noda 32 nadal się pojawia...

---------------

[wojtas]

Pobierz i uruchom narzędzie
The Avenger
w bialym polu wklej tekst:

Files to delete:

c:\windows\system32\twain32\local.ds
c:\windows\system32\twain32\user.ds
c:\windows\system32\twex.exe

Folders to delete:

c:\windows\system32\twain32

Kopiujesz - Klikasz na Paste Script from Clipboard - Execute - Potwierdzasz i zgadzasz się na restart klikając OK.
Po wykonaniu skasuj z dysku plik: C:\Avenger\backup.zip i wklej raport na forum C:\avenger.txt
oraz nowy log z combofixa

[koma]

Kopiujesz - Klikasz na Paste Script from Clipboard - Execute - Potwierdzasz i zgadzasz się na restart klikając OK.

I to było ostatnie OK.
Coś narozrabiałam po drodze. Po wcześniejszych kłopotach z uruchomieniem windowsa (przypisałam to nakładce Aston), wróciłam do explorela. Po kolejnym wymuszonym restarcie dotarłam do okna logowania i koniec. Wylogowuje mnie automatycznie. W trybie awaryjnym jest taka sama sytuacja.
Jak mogę usunąć, względnie ominąć okno logowania? Ale to pewnie w innym wątku.
Po pokonaniu tej przeszkody wrócę do rozprawiania się z trojanem. Aha - w międzyczasie zmieniła się treść informacji dotycząca ataku. Teraz jej nie mogę podać z przyczyn podanych wyżej.

Dzięki:)

[djarta]

Daj najswieży log z ComboFixa.

Autologowanie:

http://support.microsoft.com/kb/315231/pl

W rejestrze dodatkowo:
W kluczu HKEY_LOCAL_MACHINE\Software\Microsoft Windows NT\CurrentVersion\Winlogon
Dodać nową wartość REG_SZ o nazwie DontDisplayLastUserName i dać jej parametr 0.

W menu start->uruchom wpisz: control userpasswords2
i tam odznaczyć pole "Aby używać tego komputera, użytkownik musi wprowadzić nazwę użytkownika i hasło.


==============
K.

Autor postu otrzymał pochwałę

[koma]

Dziękuję...
Jednak, aby wprowadzić te zmiany, najpierw trzeba dotrzeć do menu start, a tego nie potrafię. Windows tylko dochodzi do okna logowania i koniec.

[wojtas]

włóż płytkę windowsa - zbootuj ją. wejdź do konsoli odzyskiwania i w niej wpisz

chkdsk x: /r

gdzie x to litera partycji systemowej. i sprobuj dac logi

Autor postu otrzymał pochwałę

[koma]

Odzyskiwanie nic nie dało i po prostu zrobiłam format. Jest ładnie, czysto...
Dziękuję bardzo za pomoc