Sure, I know it. Online Armor is my firewall. Even when it was on, it did not help against the attack.
ComboFix 07-12-19.2 - Administrator 2007-12-19 16:38:46.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.176 [GMT 1:00]
Running from: C:\Documents and Settings\Administrator\Pulpit\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Kamil Tobiasz\Pulpit\Error Cleaner.url
C:\Documents and Settings\Kamil Tobiasz\Pulpit\Privacy Protector.url
C:\Documents and Settings\Kamil Tobiasz\Pulpit\Spyware&Malware Protection.url
C:\Documents and Settings\Kamil Tobiasz\Ulubione\Error Cleaner.url
C:\Documents and Settings\Kamil Tobiasz\Ulubione\Privacy Protector.url
C:\Documents and Settings\Kamil Tobiasz\Ulubione\Spyware&Malware Protection.url
.
((((((((((((((((((((((((( Files Created from 2007-11-19 to 2007-12-19 )))))))))))))))))))))))))))))))
.
2007-12-19 12:46 . 2007-12-19 12:46 <DIR> d--hs---- C:\FOUND.004
2007-12-19 11:52 . 2007-12-19 11:52 <DIR> d--hs---- C:\FOUND.003
2007-12-19 02:12 . 2007-12-19 02:12 <DIR> d-------- C:\Documents and Settings\Administrator\Dane aplikacji\OnlineArmor
2007-12-19 01:50 . 2007-12-19 01:50 <DIR> d-------- C:\Program Files\Tall Emu
2007-12-19 01:50 . 2007-12-19 01:50 <DIR> d-------- C:\OnlineArmor
2007-12-19 01:50 . 2007-12-19 01:50 <DIR> d-------- C:\Documents and Settings\Kamil Tobiasz\Dane aplikacji\OnlineArmor
2007-12-19 01:50 . 2007-12-19 01:50 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\OnlineArmor
2007-12-19 01:50 . 2007-11-08 06:37 68,608 --a------ C:\WINDOWS\system32\drivers\OADriver.sys
2007-12-19 01:50 . 2007-09-29 00:06 25,600 --a------ C:\WINDOWS\system32\drivers\OAmon.sys
2007-12-19 01:50 . 2007-09-29 00:06 18,944 --a------ C:\WINDOWS\system32\drivers\ndisrd.sys
2007-12-18 23:50 . 2007-12-18 23:50 <DIR> d-------- C:\Program Files\ubi.com
2007-12-18 23:50 . 2007-12-18 23:50 <DIR> d-------- C:\Program Files\Common Files\PocketSoft
2007-12-18 23:50 . 2007-12-18 23:50 <DIR> d-------- C:\Documents and Settings\Kamil Tobiasz\Dane aplikacji\ubi.com
2007-12-18 23:50 . 2001-07-30 18:03 185,344 --a------ C:\WINDOWS\patchw32.dll
2007-12-18 17:19 . 2007-12-18 17:19 <DIR> d-------- C:\Program Files\Cream Software
2007-12-18 17:19 . 2007-12-18 17:19 <DIR> d-------- C:\Documents and Settings\Kamil Tobiasz\Dane aplikacji\Cream Software
2007-12-18 16:51 . 2007-12-18 16:51 <DIR> d-------- C:\Documents and Settings\Kamil Tobiasz\Dane aplikacji\FTPRush
2007-12-18 16:50 . 2007-12-18 16:51 <DIR> d-------- C:\Program Files\FTPRush
2007-12-18 12:55 . 2007-12-18 12:55 <DIR> d-------- C:\Program Files\FileZilla Client
2007-12-18 12:55 . 2007-12-18 12:55 <DIR> d-------- C:\Documents and Settings\Kamil Tobiasz\Dane aplikacji\FileZilla
2007-12-18 12:20 . 2007-12-18 12:20 <DIR> d-------- C:\Program Files\Winamp Remote
2007-12-18 12:20 . 2007-12-18 12:20 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\OrbNetworks
2007-12-18 12:17 . 2007-12-18 12:17 <DIR> d-------- C:\Documents and Settings\Kamil Tobiasz\Dane aplikacji\Winamp
2007-12-18 00:06 . 2007-12-18 16:34 450 --a------ C:\WINDOWS\wcx_ftp.ini
2007-12-17 17:36 . 2007-12-17 17:36 <DIR> d-------- C:\Program Files\eMule
2007-12-17 02:44 . 2007-12-17 02:44 <DIR> d-------- C:\Program Files\Gadu-Gadu
2007-12-17 02:36 . 2007-12-17 02:36 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Avg7
2007-12-16 00:02 . 2007-12-16 00:02 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Grisoft
2007-12-15 23:58 . 2007-12-15 23:58 <DIR> d-------- C:\Program Files\COMODO
2007-12-15 23:58 . 2007-12-15 23:58 <DIR> d-------- C:\Documents and Settings\Kamil Tobiasz\Dane aplikacji\Comodo
2007-12-15 20:21 . 2007-12-15 20:21 <DIR> d-------- C:\WINDOWS\ERUNT
2007-12-15 20:01 . 2007-12-19 13:05 1,550 --a------ C:\WINDOWS\system32\tmp.reg
2007-12-15 19:37 . 2007-12-15 19:37 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-15 17:33 . 2007-12-15 17:33 <DIR> d--hs---- C:\FOUND.002
2007-12-15 15:37 . 2007-12-15 15:37 <DIR> d-------- C:\Program Files\Uniblue
2007-12-15 15:37 . 2007-12-15 15:37 <DIR> d-------- C:\Documents and Settings\Kamil Tobiasz\Dane aplikacji\Uniblue
2007-12-15 15:37 . 2007-12-15 15:37 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Uniblue
2007-12-15 14:27 . 2007-12-15 14:27 <DIR> d-------- C:\Program Files\Kaspersky Lab
2007-12-15 01:44 . 2007-12-15 01:44 <DIR> d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Winamp
2007-12-15 01:23 . 2007-12-15 01:23 <DIR> d-------- C:\Documents and Settings\Administrator\Dane aplikacji\FastStone
2007-12-15 01:22 . 2007-12-18 13:13 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-15 01:22 . 2007-12-15 01:22 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-15 01:21 . 2007-12-15 01:21 <DIR> d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Corel
2007-12-15 00:53 . 2007-12-15 00:53 <DIR> d-------- C:\Documents and Settings\Administrator\Dane aplikacji\ATI
2007-12-15 00:52 . 2005-12-07 04:22 <DIR> d--h----- C:\Documents and Settings\Administrator\Ustawienia lokalne
2007-12-15 00:52 . 2007-12-15 00:53 <DIR> dr------- C:\Documents and Settings\Administrator\Ulubione
2007-12-15 00:52 . 2005-12-07 04:22 <DIR> d--h----- C:\Documents and Settings\Administrator\Szablony
2007-12-15 00:52 . 2005-12-07 04:22 <DIR> d-------- C:\Documents and Settings\Administrator\Pulpit
2007-12-15 00:52 . 2007-12-15 00:53 <DIR> dr------- C:\Documents and Settings\Administrator\Moje dokumenty
2007-12-15 00:52 . 2005-12-07 04:22 <DIR> dr------- C:\Documents and Settings\Administrator\Menu Start
2007-12-15 00:52 . 2005-12-07 04:22 <DIR> dr-h----- C:\Documents and Settings\Administrator\Dane aplikacji
2007-12-14 23:13 . 2007-12-14 23:13 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab Setup Files
2007-12-14 22:51 . 2007-12-14 22:51 <DIR> d-------- C:\Program Files\SmartVideoCodec
2007-12-14 00:32 . 2007-12-14 00:32 <DIR> d-------- C:\Program Files\YouSendIt
2007-12-14 00:32 . 2007-12-14 00:32 <DIR> d-------- C:\Documents and Settings\Kamil Tobiasz\Dane aplikacji\YouSendIt
2007-12-13 11:36 . 2007-12-13 11:36 <DIR> d-------- C:\Program Files\Samsung ML-2010 Series
2007-12-13 11:36 . 2005-03-14 06:01 766 --------- C:\WINDOWS\Uninstall.ico
2007-12-13 11:35 . 2005-03-03 05:32 151,552 --a------ C:\WINDOWS\system32\SSCoInst.exe
2007-12-13 11:35 . 2005-03-03 11:09 57,344 --a------ C:\WINDOWS\system32\SSCoInst.dll
2007-12-13 11:35 . 2005-04-08 03:29 20,622 --a------ C:\WINDOWS\system32\SUGS2LMK.DLL
2007-12-13 11:35 . 2005-03-03 12:23 604 --a------ C:\WINDOWS\system32\SUGS2LMK.SMT
2007-12-13 11:34 . 2007-12-13 11:34 <DIR> d-------- C:\WINDOWS\Samsung
2007-12-13 11:34 . 2005-03-14 06:01 208,896 --------- C:\WINDOWS\system32\SSRemove.exe
2007-12-13 11:34 . 2005-03-14 06:01 41,984 --------- C:\WINDOWS\system32\drivers\DGIVECP.SYS
2007-12-13 11:34 . 2005-07-08 21:54 11,502 --------- C:\WINDOWS\system32\SP119.ICO
2007-12-13 11:31 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-12-13 11:31 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\dllcache\usbprint.sys
2007-12-12 22:58 . 2007-12-12 22:58 <DIR> d-------- C:\Program Files\WapSter
2007-12-12 22:58 . 2007-12-12 22:58 <DIR> d-------- C:\Documents and Settings\Kamil Tobiasz\WapSter
2007-12-12 19:34 . 2007-12-12 19:34 <DIR> d-------- C:\Program Files\CyTaT
2007-12-11 22:28 . 2007-12-11 22:28 <DIR> d-------- C:\Program Files\Apple Software Update
2007-12-11 22:27 . 2007-12-11 22:27 <DIR> d-------- C:\Program Files\InterVideo Information Service
2007-12-11 22:27 . 2007-12-11 22:27 <DIR> d-------- C:\Program Files\Common Files\Ulead
2007-12-11 22:27 . 2006-05-11 18:41 654 --------- C:\WINDOWS\remove.iss
2007-12-11 21:16 . 2004-08-03 22:43 97,280 --a------ C:\WINDOWS\system32\dpcdll.dll.wga
2007-12-11 21:16 . 2001-08-23 11:00 29,338 --a------ C:\WINDOWS\system32\EULA.TXT.wga
2007-12-11 21:16 . 2004-08-03 22:42 24,064 --a------ C:\WINDOWS\system32\pidgen.dll.wga
2007-12-11 21:16 . 2007-12-11 21:16 13,588 --a------ C:\WINDOWS\system32\wpa.bak
2007-12-11 20:58 . 2007-12-11 20:58 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-12-11 17:36 . 2007-12-11 17:36 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-12-11 16:26 . 2007-12-11 16:26 <DIR> d-------- C:\Documents and Settings\Kamil Tobiasz\Dane aplikacji\vlc
2007-12-11 15:47 . 2007-12-11 15:47 <DIR> d-------- C:\Program Files\Thoosje Sidebar V2.3
2007-12-11 14:28 . 2007-12-11 14:28 <DIR> d--hs---- C:\FOUND.001
2007-12-11 12:46 . 2007-12-11 12:46 <DIR> d-------- C:\WINDOWS\SWAT 4
2007-12-11 12:46 . 2007-12-11 12:46 <DIR> d-------- C:\Program Files\SWAT 4
2007-11-28 12:34 . 2007-11-28 12:34 <DIR> d-------- C:\Program Files\No-IP
2007-11-28 11:45 . 2007-11-28 12:00 38 --a------ C:\WINDOWS\avisplitter.INI
2007-11-27 19:19 . 2007-11-27 19:19 <DIR> d-------- C:\Program Files\Common Files\Skype
2007-11-27 19:19 . 2007-11-27 19:19 <DIR> d-------- C:\Documents and Settings\Kamil Tobiasz\Dane aplikacji\skypePM
2007-11-27 19:19 . 2007-11-27 19:19 32 --a------ C:\Documents and Settings\All Users\Dane aplikacji\ezsid.dat
2007-11-27 18:38 . 2007-11-27 18:38 <DIR> d-------- C:\Program Files\MSN Apps
2007-11-25 22:46 . 2007-11-25 22:47 <DIR> d-------- C:\Documents and Settings\Kamil Tobiasz\Contacts
2007-11-25 22:36 . 2007-11-25 23:12 595 --ah----- C:\WINDOWS\system32\ws783973.ocx
2007-11-25 22:36 . 2007-11-25 23:12 595 --ah----- C:\os582744.bin
2007-11-25 22:04 . 2007-11-25 22:04 <DIR> d-------- C:\Program Files\MSN Messenger
2007-11-25 21:14 . 2007-11-25 21:14 <DIR> d-------- C:\WINDOWS\Vbox
2007-11-25 10:32 . 2007-11-25 10:32 72 ---hs---- C:\desktop.ini
2007-11-24 12:12 . 2007-11-24 12:13 <DIR> d-------- C:\Program Files\The KMPlayer
2007-11-24 00:43 . 2007-11-24 00:43 <DIR> d-------- C:\Downloads
2007-11-24 00:14 . 2007-11-24 00:14 <DIR> d-------- C:\Program Files\Free Download Manager
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-13 17:33 27,904 ----a-w C:\Documents and Settings\Kamil Tobiasz\Dane aplikacji\GDIPFONTCACHEV1.DAT
2007-12-11 14:26 219,648 ----a-w C:\WINDOWS\system32\uxtheme.dll
2007-12-11 14:26 219,648 ----a-w C:\WINDOWS\system32\dllcache\uxtheme.dll
2007-11-16 23:18 --------- d-----w C:\Documents and Settings\Kamil Tobiasz\Dane aplikacji\Thunderbird
2007-11-16 14:52 --------- d-----w C:\Documents and Settings\Kamil Tobiasz\Dane aplikacji\Media Player Classic
2007-11-16 00:11 --------- d-----w C:\Documents and Settings\Kamil Tobiasz\Dane aplikacji\The Bat!
2007-11-14 23:39 --------- d-----w C:\Program Files\Realtek AC97
2007-11-14 22:26 --------- d-----w C:\Documents and Settings\Kamil Tobiasz\Dane aplikacji\DivX
2007-11-14 22:25 --------- d-----w C:\Program Files\AC3Filter
2007-11-14 22:23 --------- d-----w C:\Program Files\DivX
2007-11-14 21:49 --------- d-----w C:\Program Files\Realtek Sound Manager
2007-11-14 21:49 --------- d-----w C:\Program Files\AvRack
2007-11-14 21:15 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\PC Drivers HeadQuarters
2007-11-14 20:33 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\MailFrontier
2007-11-14 07:28 450,560 ----a-w C:\WINDOWS\system32\dllcache\jscript.dll
2007-11-13 19:30 8,464 ----a-w C:\WINDOWS\system32\sporder.dll
2007-11-13 13:14 --------- d-----w C:\Program Files\Common Files\Stardock
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-12 23:50 --------- d-----w C:\Documents and Settings\Kamil Tobiasz\Dane aplikacji\GanymedeNet
2007-11-11 15:10 --------- d-----w C:\Documents and Settings\Kamil Tobiasz\Dane aplikacji\Samsung
2007-11-09 22:37 --------- d-----w C:\Program Files\Ganymede
2007-11-06 21:00 --------- d-----w C:\Program Files\Incomplete
2007-10-31 08:40 --------- d-----w C:\Documents and Settings\Kamil Tobiasz\Dane aplikacji\Publish Providers
2007-10-31 08:30 --------- d-----w C:\Documents and Settings\Kamil Tobiasz\Dane aplikacji\Sony
2007-10-31 08:28 --------- d-----w C:\Program Files\Vstplugins
2007-10-30 10:35 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\fssg
2007-10-30 10:19 3,079,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-29 22:44 1,291,264 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:44 1,291,264 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-28 14:36 --------- d-----w C:\Program Files\iMesh Applications
2007-10-28 14:22 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2007-10-28 14:22 --------- d-----w C:\Program Files\Real
2007-10-28 14:22 --------- d-----w C:\Program Files\Common Files\xing shared
2007-10-28 14:22 --------- d-----w C:\Program Files\Common Files\Real
2007-10-28 13:58 --------- d-----w C:\Program Files\LimeWire
2007-10-28 13:58 --------- d-----w C:\Documents and Settings\Kamil Tobiasz\Dane aplikacji\LimeWire
2007-10-28 07:48 --------- d-----w C:\Documents and Settings\Kamil Tobiasz\Dane aplikacji\Corel
2007-10-28 07:45 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Corel
2007-10-28 07:44 --------- d-----w C:\Program Files\Corel
2007-10-28 07:44 --------- d-----w C:\Program Files\Common Files\Corel
2007-10-25 16:57 8,483,328 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-25 08:28 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-25 08:28 222,720 ----a-w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-20 18:33 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-10-20 18:33 139,264 ----a-w C:\WINDOWS\system32\UAService7.exe
2007-10-20 13:20 --------- d-----w C:\Program Files\D-Tools
2007-10-20 00:56 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-10-20 00:56 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-10-20 00:56 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-10-20 00:56 129,784 ------w C:\WINDOWS\system32\pxafs.dll
2007-10-20 00:56 120,056 ------w C:\WINDOWS\system32\pxcpyi64.exe
2007-10-20 00:56 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
2007-10-20 00:56 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-10-20 00:54 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-10-20 00:54 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-10-20 00:54 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-10-20 00:54 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-10-20 00:54 739,840 ----a-w C:\WINDOWS\system32\DivX.dll
2007-10-20 00:54 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-10-18 09:06 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-10-18 09:03 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-10-18 09:03 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-10-18 09:03 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-10-18 09:03 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-10-18 09:03 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-10-18 09:03 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-10-18 09:02 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-10-11 06:14 96,768 ----a-w C:\WINDOWS\system32\dllcache\inseng.dll
2007-10-11 06:14 662,016 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
2007-10-11 06:14 616,448 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-10-11 06:14 55,808 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-10-11 06:14 532,480 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
2007-10-11 06:14 474,112 ----a-w C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-10-11 06:14 449,024 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-10-11 06:14 39,424 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-10-11 06:14 357,888 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-10-11 06:14 251,392 ----a-w C:\WINDOWS\system32\dllcache\iepeers.dll
2007-10-11 06:14 205,312 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-10-11 06:14 16,384 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-10-11 06:14 151,552 ----a-w C:\WINDOWS\system32\dllcache\cdfview.dll
2007-10-11 06:14 146,432 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
2007-10-11 06:14 1,494,528 ----a-w C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-10-11 06:14 1,055,744 ----a-w C:\WINDOWS\system32\dllcache\danim.dll
2007-10-11 06:14 1,023,488 ----a-w C:\WINDOWS\system32\dllcache\browseui.dll
2007-10-10 11:16 18,432 ----a-w C:\WINDOWS\system32\dllcache\iedw.exe
2004-03-11 12:27 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
.
C:\WINDOWS\system32\user32.dll ... is infected !! (additional data below)
579,072 2007-03-08 16:38:48 C:\WINDOWS\system32\user32.dll
579,072 2007-03-08 16:38:48 C:\WINDOWS\system32\dllcache\user32.dll
578,560 2005-03-02 19:21:08 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
579,584 2007-03-08 16:51:58 C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll
578,560 2004-08-03 21:44:14 C:\WINDOWS\$NtUninstallKB890859$\user32.dll
578,560 2005-03-02 19:18:38 C:\WINDOWS\$NtUninstallKB925902$\user32.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-10-04 14:12 C:\WINDOWS\soundman.exe]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 17:34]
"OnlineArmor GUI"="C:\Program Files\Tall Emu\Online Armor\oaui.exe" [2007-11-16 07:51]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 22:44]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"= C:\PROGRA~1\TALLEM~1\ONLINE~1\oaevent.dll [2007-11-16 07:50 633344]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^ATI CATALYST – pasek zadań.lnk]
backup=C:\WINDOWS\pss\ATI CATALYST – pasek zadań.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^InterVideo WinCinema Manager.lnk]
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^NETGEAR WG111v2 Smart Wizard.lnk]
backup=C:\WINDOWS\pss\NETGEAR WG111v2 Smart Wizard.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^VIA RAID TOOL.lnk]
backup=C:\WINDOWS\pss\VIA RAID TOOL.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Kamil Tobiasz^Menu Start^Programy^Autostart^Stardock ObjectDock.lnk]
backup=C:\WINDOWS\pss\Stardock ObjectDock.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Kamil Tobiasz^Menu Start^Programy^Autostart^Thoosje Sidebar.lnk]
backup=C:\WINDOWS\pss\Thoosje Sidebar.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Kamil Tobiasz^Menu Start^Programy^Autostart^Thoosje Vista Sidebar.lnk]
backup=C:\WINDOWS\pss\Thoosje Vista Sidebar.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Kamil Tobiasz^Menu Start^Programy^Autostart^WordWeb.lnk]
backup=C:\WINDOWS\pss\WordWeb.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-10-10 19:51 39792 --a------ C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Anti-Blaxx Manager]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APVXDWIN]
C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE /s
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AQQ]
2007-02-28 13:18 2351864 --a------ C:\PROGRA~1\WapSter\AQQ\AQQ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe runtime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COMODO Firewall Pro]
C:\Program Files\COMODO\Firewall\cfp.exe -s
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
2004-08-03 22:44 15360 --a------ C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
C:\Program Files\D-Tools\daemon.exe -lang 1033
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DemonStarter]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiskeeperSystray]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DownloadAccelerator]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Free Download Manager]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Free Upload Manager]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Free Uploader Oe Integration]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gadu-Gadu]
C:\Program Files\Gadu-Gadu\gg.exe /tray
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IncrediMail]
C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe -scheduler
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe -start
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KAVPersonal50]
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Magentic]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnappau]
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\pl-pl\msnappau.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NI.UGA6P_0001_N122M2210]
C:\Documents and Settings\Kamil Tobiasz\Ustawienia lokalne\Temporary Internet Files\Content.IE5\8XLSH894\install_en[1].exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Orb]
C:\Program Files\Winamp Remote\bin\OrbTray.exe /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerDVD]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Samsung Common SM]
C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe /autorun
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SCANINICIO]
C:\Program Files\Panda Software\Panda Antivirus Platinum\Inicio.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SsAAD.exe]
2007-02-05 10:11 476728 --a------ C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-07-12 04:00 132496 --a------ C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue SpeedUpMyPC]
C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue SpyEraser]
C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe -m
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2007-10-10 06:28 36352 --a------ C:\Program Files\Winamp\winampa.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"kavsvc"=3 (0x3)
"iPodService"=3 (0x3)
"SSScsiSV"=3 (0x3)
"SPTISRV"=3 (0x3)
"PACSPTISVR"=3 (0x3)
"MSCSPTISRV"=3 (0x3)
"IDriverT"=3 (0x3)
"ATI Smart"=2 (0x2)
"TapiSrv"=3 (0x3)
"CLTNetCnService"=2 (0x2)
"SonicStage Back-End Service"=3 (0x3)
"helpsvc"=2 (0x2)
"LmHosts"=2 (0x2)
"sdCoreService"=3 (0x3)
"sdAuxService"=3 (0x3)
"SysmonLog"=3 (0x3)
"Eventlog"=2 (0x2)
"Diskeeper"=2 (0x2)
"BlueSoleil Hid Service"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"UserAccess7"=2 (0x2)
"ServiceLayer"=3 (0x3)
"usnjsvc"=3 (0x3)
"ProtexisLicensing"=2 (0x2)
"ose"=3 (0x3)
"IviRegMgr"=2 (0x2)
"cFosSpeedS"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"cmdAgent"=2 (0x2)
R0 viamraid;viamraid;C:\WINDOWS\system32\DRIVERS\viamraid.sys [2004-05-18 09:55]
R1 NDISRD;NDISRD;C:\WINDOWS\system32\drivers\NDISRD.sys [2007-09-29 00:06]
R1 OADevice;OADriver;C:\WINDOWS\system32\drivers\OADriver.sys [2007-11-08 06:37]
R1 OAmon;OAmon;C:\WINDOWS\system32\drivers\OAmon.sys [2007-09-29 00:06]
R2 ithsgt;ithsgt;C:\WINDOWS\system32\DRIVERS\ithsgt.sys [2006-03-29 20:28]
R2 lilsgt;lilsgt;C:\WINDOWS\system32\DRIVERS\lilsgt.sys [2006-03-29 20:28]
R2 SvcOnlineArmor;Online Armor;"C:\Program Files\Tall Emu\Online Armor\oasrv.exe" [2007-11-16 07:51]
S3 BTNetFilter;Bluetooth Network Filter;C:\WINDOWS\system32\drivers\BTNetFilter.sys [2004-12-16 16:32]
S3 naecd;naecd;C:\DOCUME~1\KAMILT~1\USTAWI~1\Temp\naecd.sys []
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\wg111v2.sys []
S3 sony_ssm.sys;sony_ssm.sys;C:\DOCUME~1\KAMILT~1\USTAWI~1\Temp\sony_ssm.sys []
.
Contents of the 'Scheduled Tasks' folder
"2007-12-11 21:28:56 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-15 15:07:32 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
"2007-12-15 15:58:08 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2007-12-15 15:58:08 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************
catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-19 16:45:06
Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-12-19 16:48:06
C:\ComboFix2.txt ... 2007-12-15 21:04
.
2007-12-11 20:48:06 --- E O F ---
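Added here as a worked example, not part of the original post and not ComboFix's own code: a small Python triage pass over a log in this format. It parses the file-creation lines, the R/S driver lines, the msconfig startupreg keys and the "is infected" block, and flags the patterns a responder reads first in a log like the one above: a driver or autostart whose image lives under Temp or Temporary Internet Files, a driver whose bracketed timestamp is empty, hidden files with identical size and timestamps under two different names, and the size list ComboFix prints beside a flagged system file. The rule names, the temp-path markers and the sample lines (constructed from entries in the log above) are this example's own assumptions.

```python
"""Added example (my own, not part of the original post or of ComboFix): a triage
pass over a ComboFix log. Flags loading points that resolve into temp or
browser-cache directories, drivers with no on-disk timestamp, hidden files
dropped as same-size twins, and the copies under the 'is infected' report.
Rule names and temp-path markers are my assumptions, not ComboFix conventions."""
import re
from collections import defaultdict

# Constructed sample: lines in the shapes the log above uses (paths copied from it).
SAMPLE_LOG = r"""
2007-11-25 22:36 . 2007-11-25 23:12 595 --ah----- C:\WINDOWS\system32\ws783973.ocx
2007-11-25 22:36 . 2007-11-25 23:12 595 --ah----- C:\os582744.bin
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OnlineArmor GUI"="C:\Program Files\Tall Emu\Online Armor\oaui.exe" [2007-11-16 07:51]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NI.UGA6P_0001_N122M2210]
C:\Documents and Settings\Kamil Tobiasz\Ustawienia lokalne\Temporary Internet Files\Content.IE5\8XLSH894\install_en[1].exe
R1 OAmon;OAmon;C:\WINDOWS\system32\drivers\OAmon.sys [2007-09-29 00:06]
S3 naecd;naecd;C:\DOCUME~1\KAMILT~1\USTAWI~1\Temp\naecd.sys []
S3 sony_ssm.sys;sony_ssm.sys;C:\DOCUME~1\KAMILT~1\USTAWI~1\Temp\sony_ssm.sys []
C:\WINDOWS\system32\user32.dll ... is infected !! (additional data below)
579,072 2007-03-08 16:38:48 C:\WINDOWS\system32\user32.dll
579,584 2007-03-08 16:51:58 C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll
578,560 2004-08-03 21:44:14 C:\WINDOWS\$NtUninstallKB890859$\user32.dll
"""

FILE_RE = re.compile(r"^(\S+ \S+) \. (\S+ \S+)\s+(<DIR>|[\d,]+)\s+(\S{9})\s+(.+)$")
DRIVER_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.+?) \[([^\]]*)\]$")
RUNVALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"')
COPY_RE = re.compile(r"^([\d,]+) (\S+ \S+) (.+)$")
TEMP_MARKERS = ("\\temp\\", "temporary internet files\\", "\\content.ie5\\")


def in_temp(path):
    """True when a path sits under a user temp directory or the IE cache."""
    return any(m in path.lower() for m in TEMP_MARKERS)


def parse_log(text):
    """Split a ComboFix log into file, driver, autostart and integrity records."""
    out = {"files": [], "drivers": [], "autostarts": [], "integrity": []}
    pending_key, in_integrity = None, False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if in_integrity:  # size / date / path lines that follow 'is infected'
            m = COPY_RE.match(line)
            if m:
                out["integrity"].append((int(m.group(1).replace(",", "")), m.group(3)))
                continue
            in_integrity = False
        if " ... is infected !!" in line:  # first tuple carries the live path
            out["integrity"].append((None, line.split(" ... ")[0]))
            in_integrity = True
            continue
        m = FILE_RE.match(line)
        if m:
            size = None if m.group(3) == "<DIR>" else int(m.group(3).replace(",", ""))
            out["files"].append({"created": m.group(1), "modified": m.group(2),
                                 "size": size, "attrs": m.group(4), "path": m.group(5)})
            continue
        m = DRIVER_RE.match(line)
        if m:
            out["drivers"].append({"name": m.group(2), "path": m.group(4).strip('"'),
                                   "stamp": m.group(5)})
            continue
        if line.startswith("["):  # registry key; its value or command follows
            pending_key = line.rsplit("\\", 1)[-1].rstrip("]")
            continue
        m = RUNVALUE_RE.match(line)
        if m:
            out["autostarts"].append({"name": m.group(1), "cmd": m.group(2)})
        elif pending_key:
            out["autostarts"].append({"name": pending_key, "cmd": line})
        pending_key = None
    return out


def triage(text):
    """Return (rule, detail) pairs that deserve a human look."""
    log, findings = parse_log(text), []
    for d in log["drivers"]:
        if in_temp(d["path"]):
            findings.append(("driver_in_temp", d["path"]))
        if not d["stamp"]:  # '[]' means ComboFix found no file to stamp
            findings.append(("driver_no_timestamp", d["path"]))
    for a in log["autostarts"]:
        if in_temp(a["cmd"]):
            findings.append(("autostart_in_temp", a["cmd"]))
    twins = defaultdict(list)  # hidden files sharing size and both timestamps
    for f in log["files"]:
        if f["size"] is not None and "h" in f["attrs"]:
            twins[(f["size"], f["created"], f["modified"])].append(f["path"])
    findings += [("hidden_twins", " | ".join(p)) for p in twins.values() if len(p) > 1]
    if log["integrity"]:
        live, copies = log["integrity"][0][1], log["integrity"][1:]
        live_size = next((s for s, p in copies if p.lower() == live.lower()), None)
        findings.append(("integrity_flagged", live))
        # Size deltas against $hf_mig$ / $NtUninstall copies are context only:
        # QFE and GDR builds of one hotfix legitimately differ in size.
        findings += [("integrity_size_mismatch", f"{p} ({s} vs live {live_size})")
                     for s, p in copies if s != live_size]
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"{rule:26} {detail}")
```

Run it as a script to print the findings for the built-in sample, or pass the full log text to `triage()`. On the sample it reports both Temp-resident drivers twice (location and missing timestamp), the `install_en[1].exe` autostart from the IE cache, the 595-byte hidden pair, and the user32.dll copies whose size differs from the live file. Treat that last group as context rather than a verdict: copies under $hf_mig$ and $NtUninstall* come from different hotfix branches, so the live file's hash or version should be compared with a known-good copy at the same patch level before it is replaced.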