Virus problem, please help

Post by KAMILOSSS, 24 Feb 2008, 13:01

So my problem is that when I open a folder, almost every time a message pops up saying:
"System Error!
Your computer was infected by unknown trojan.
Click OK to download the antispyware program to clean your system! (Reccommended)"

I'm posting the log below, please help.


Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:53:42, on 2008-02-24
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\PROGRAMY\avast\aswUpdSv.exe
D:\PROGRAMY\avast\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
F:\gry\pro street\PB\PnkBstrA.exe
D:\PROGRAMY\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\UAService7.exe
D:\PROGRAMY\avast\ashMaiSv.exe
D:\PROGRAMY\avast\ashWebSv.exe
C:\WINDOWS\RTHDCPL.EXE
D:\PROGRAMY\POWER DVD\PDVDServ.exe
D:\PROGRAMY\daemon.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
D:\PROGRAMY\avast\ashDisp.exe
D:\PROGRAMY\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
D:\PROGRAMY\3D\Common\IconMgr.exe
d:\programy\3D\E-Color Indicator\TICIcon.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\iPod\bin\iPodService.exe
D:\PROGRAMY\iTunes.exe
D:\PROGRAMY\Gadu-Gadu\gg.exe
D:\PROGRAMY\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Użytkownik\Pulpit\hijackthis.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wp.pl/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://bar.baidu.com/sobar/defaultsearch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://bar.baidu.com/sobar/defaultsearch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\PROGRAMY\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: BandIE Class - {77FEF28E-EB96-44FF-B511-3185DEA48697} - C:\PROGRA~1\baidu\bar\baidubar.dll
O2 - BHO: MS Video Control 1.0 - {EEBA7DF1-A821-469A-BD31-206AD73CFA9B} - C:\WINDOWS\msvidc32.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: °Ů¶Čł¬Ľ¶ËŃ°Ô - {B580CF65-E151-49C3-B73F-70B13FCA8E86} - C:\PROGRA~1\baidu\bar\baidubar.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "D:\PROGRAMY\POWER DVD\PDVDServ.exe"
O4 - HKLM\..\Run: [pbmini] "C:\Program Files\pcast\PodcastbarMini\PodcastBarMiniStater.exe" -hide
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\PROGRAMY\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] D:\PROGRAMY\avast\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\PROGRAMY\QuickTime Alternative\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\PROGRAMY\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Gadu-Gadu] "D:\PROGRAMY\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [AlcoholAutomount] "D:\PROGRAMY\Alcohol 120\axcmd.exe" /automount
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: E-Color.lnk = D:\PROGRAMY\3D\Common\IconMgr.exe
O4 - Global Startup: Microsoft Office.lnk = D:\PROGRAMY\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\PROGRAMY\avast\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\PROGRAMY\avast\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\PROGRAMY\avast\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\PROGRAMY\avast\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Usługa iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PunkBuster (PnkBstrA) - Unknown owner - F:\gry\pro street\PB\PnkBstrA.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - D:\PROGRAMY\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

--
End of file - 6454 bytes
Post by wojtas, 24 Feb 2008, 13:23

Do what is described in this topic

Use:

SmitFraudFix, option 2
(download -> run -> press any key -> type 2 in the program and press Enter, then wait a moment -> when the program asks "Do you want to clean the registry ?", type the letter Y and press Enter again, then wait for the report to pop up (a sign that the scan has finished))


Use SDFix. After downloading, run it and it will unpack to C:\SDFix. Start the computer in Safe Mode (F8 at system startup). While in Safe Mode, run the RunThis.bat file from the SDFix folder. Confirm the cleaning with Y. Wait until it finishes and the computer restarts.

Then go to the C:\SDFix folder and post the contents of Report.txt, plus the logs from ComboFix and HijackThis.


Post by KAMILOSSS, 24 Feb 2008, 15:21

Thanks a lot, it's fine now.


Post by Dzi@dek, 24 Feb 2008, 15:38

wojtas wrote: Then go to the C:\SDFix folder and post the contents of Report.txt, plus the logs from ComboFix and HijackThis.


Thanks a lot, it's fine now.


Don't cut corners - post them, and we'll judge whether it's fine.


Post by KAMILOSSS, 24 Feb 2008, 16:04

Report.txt

Code:
[b]SDFix: Version 1.146 [/b]

Run by Uľytkownik on 2008-02-24 at 13:53

Microsoft Windows XP [Wersja 5.1.2600]
Running From: C:\SDFix

[b]Checking Services [/b]:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


[b]Checking Files [/b]:

Trojan Files Found:

C:\cenzura!.EXE - Deleted





Removing Temp Files

[b]ADS Check [/b]:



                                 [b]Final Check [/b]:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-24 13:56:49
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40]
"khjeh"=hex:20,02,00,00,72,7a,2f,bd,24,97,25,c7,b7,16,f2,76,1e,a2,20,f4,a9,..
"hj34z0"=hex:f7,30,e9,da,a2,69,fa,cc,58,6e,3f,a7,61,ca,19,fb,37,b4,1b,82,83,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf41]
"khjeh"=hex:20,02,00,00,be,57,ca,88,98,80,80,73,5b,2b,e1,38,52,19,cc,48,5d,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="D:\PROGRAMY\Alcohol 120\"
"h0"=dword:00000000
"ujdew"=hex:fa,9b,a7,f9,ce,40,4f,4e,ce,5f,9d,15,4e,8d,77,5d,15,c4,e5,70,e9,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="D:\PROGRAMY\Alcohol 120\"
"h0"=dword:00000000
"ujdew"=hex:fa,9b,a7,f9,ce,40,4f,4e,ce,5f,9d,15,4e,8d,77,5d,15,c4,e5,70,e9,..

scanning hidden registry entries ...

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\A\1\5\1c]
"Order"=hex:08,00,00,00,02,00,00,00,b8,01,00,00,01,00,00,00,04,00,00,00,8c,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Eidos\Championship Manager 5\A\1\5\1c]
"Order"=hex:08,00,00,00,02,00,00,00,98,01,00,00,01,00,00,00,03,00,00,00,92,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\B\1\xac]
"Order"=hex:08,00,00,00,02,00,00,00,f4,00,00,00,01,00,00,00,02,00,00,00,70,..

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


[b]Remaining Services [/b]:



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\PROGRA~1\\pcast\\PODCAS~1\\PODCAS~2.EXE"="C:\\PROGRA~1\\pcast\\PODCAS~1\\PODCAS~2.EXE:*:Enabled:Share Streaming"
"C:\\Program Files\\pcast\\PodcastbarMini\\PodcastBarMini.exe"="C:\\Program Files\\pcast\\PodcastbarMini\\PodcastBarMini.exe:*:Enabled:Share Streaming"
"D:\\PROGRAMY\\PPLive\\PPLive.exe"="D:\\PROGRAMY\\PPLive\\PPLive.exe:*:Enabled:PPLive"
"D:\\PROGRAMY\\torrent\\utorrent.exe"="D:\\PROGRAMY\\torrent\\utorrent.exe:*:Enabled:uTorrent"
"D:\\PROGRAMY\\PPStream\\PPStream.exe"="D:\\PROGRAMY\\PPStream\\PPStream.exe:*:Enabled:PPSÖý¶‡u‡¨ŕ"
"D:\\PROGRAMY\\iTunes.exe"="D:\\PROGRAMY\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Joost\\xulrunner\\tvprunner.exe"="C:\\Program Files\\Joost\\xulrunner\\tvprunner.exe:*:Enabled:tvprunner"
"D:\\PROGRAMY\\PPMate\\ppmate.exe"="D:\\PROGRAMY\\PPMate\\ppmate.exe:*:Enabled:PPMate"
"D:\\PROGRAMY\\PPMate\\ppamnet.exe"="D:\\PROGRAMY\\PPMate\\ppamnet.exe:*:Enabled:PPMate"
"D:\\PROGRAMY\\PPStream\\PPSAP.exe"="D:\\PROGRAMY\\PPStream\\PPSAP.exe:*:Enabled:PPStream Öý¶‡•ŕÓŢŹö"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[b]Remaining Files [/b]:


File Backups: - C:\SDFix\backups\backups.zip

[b]Files with Hidden Attributes [/b]:

Sat  3 Feb 2007         4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"

[b]Finished![/b]





hijack

Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:01:39, on 2008-02-24
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\PROGRAMY\avast\aswUpdSv.exe
D:\PROGRAMY\avast\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
F:\gry\pro street\PB\PnkBstrA.exe
D:\PROGRAMY\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\UAService7.exe
D:\PROGRAMY\POWER DVD\PDVDServ.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
D:\PROGRAMY\avast\ashDisp.exe
D:\PROGRAMY\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
D:\PROGRAMY\Gadu-Gadu\gg.exe
D:\PROGRAMY\3D\Common\IconMgr.exe
D:\PROGRAMY\avast\ashMaiSv.exe
D:\PROGRAMY\avast\ashWebSv.exe
d:\programy\3D\E-Color Indicator\TICIcon.exe
C:\Program Files\iPod\bin\iPodService.exe
D:\PROGRAMY\Mozilla Firefox\firefox.exe
D:\PROGRAMY\iTunes.exe
C:\WINDOWS\system32\wscntfy.exe
D:\PROGRAMY\hijackthis.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\PROGRAMY\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: BandIE Class - {77FEF28E-EB96-44FF-B511-3185DEA48697} - C:\PROGRA~1\baidu\bar\baidubar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: °Ů¶Čł¬Ľ¶ËŃ°Ô - {B580CF65-E151-49C3-B73F-70B13FCA8E86} - C:\PROGRA~1\baidu\bar\baidubar.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "D:\PROGRAMY\POWER DVD\PDVDServ.exe"
O4 - HKLM\..\Run: [pbmini] "C:\Program Files\pcast\PodcastbarMini\PodcastBarMiniStater.exe" -hide
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\PROGRAMY\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] D:\PROGRAMY\avast\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\PROGRAMY\QuickTime Alternative\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\PROGRAMY\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Gadu-Gadu] "D:\PROGRAMY\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [AlcoholAutomount] "D:\PROGRAMY\Alcohol 120\axcmd.exe" /automount
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: E-Color.lnk = D:\PROGRAMY\3D\Common\IconMgr.exe
O4 - Global Startup: Microsoft Office.lnk = D:\PROGRAMY\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\PROGRAMY\avast\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\PROGRAMY\avast\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\PROGRAMY\avast\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\PROGRAMY\avast\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Usługa iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PunkBuster (PnkBstrA) - Unknown owner - F:\gry\pro street\PB\PnkBstrA.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - D:\PROGRAMY\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

--
End of file - 5880 bytes


Post by wojtas, 24 Feb 2008, 18:40

O3 - Toolbar: °Ů¶Čł¬Ľ¶ËŃ°Ô - {B580CF65-E151-49C3-B73F-70B13FCA8E86} - C:\PROGRA~1\baidu\bar\baidubar.dll
O2 - BHO: BandIE Class - {77FEF28E-EB96-44FF-B511-3185DEA48697} - C:\PROGRA~1\baidu\bar\baidubar.dll
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE


Delete these entries in HijackThis, move the bolded folder to the Recycle Bin, and post the ComboFix log.
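
The check the helpers keep asking for (post a fresh log so the fix can be verified) can be done mechanically by diffing two HijackThis logs. This is an added example, not part of the original post or of any tool used in the thread; the function names are hypothetical, the sample lines are short excerpts copied from the logs posted in this thread, and the diff generalizes to any two HijackThis logs.

```python
import re
from collections import Counter

# HijackThis result lines start with a section code (R0-R3, F0-F3, N1-N4,
# O1-O24), then " - ", then the entry text. Header lines and the
# "Running processes" list do not match and are ignored.
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+)$")


def parse_entries(log_text):
    """Return (section, body) tuples for every result line in a log."""
    entries = []
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append((match.group(1), match.group(2).strip()))
    return entries


def diff_logs(before, after):
    """Return (removed, added) entry lists between an earlier and a later scan."""
    old, new = Counter(parse_entries(before)), Counter(parse_entries(after))
    removed = sorted((old - new).elements())
    added = sorted((new - old).elements())
    return removed, added


def unresolved(after, markers):
    """Return the markers that still occur in any entry of the later log."""
    bodies = [body.lower() for _, body in parse_entries(after)]
    return [m for m in markers if any(m.lower() in b for b in bodies)]


# Excerpt of the log saved at 15:01:39 on 2008-02-24 (before the manual fix).
BEFORE = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:01:39, on 2008-02-24
Running processes:
C:\WINDOWS\system32\svchost.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: BandIE Class - {77FEF28E-EB96-44FF-B511-3185DEA48697} - C:\PROGRA~1\baidu\bar\baidubar.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [avast!] D:\PROGRAMY\avast\ashDisp.exe
"""

# Excerpt of the log saved at 16:41:35 on 2008-02-26 (after the fix).
AFTER = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:41:35, on 2008-02-26
Running processes:
C:\WINDOWS\system32\svchost.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [avast!] D:\PROGRAMY\avast\ashDisp.exe
"""

# Substrings identifying the entries the helper asked to delete.
MARKERS = ["baidubar.dll", "[Alcmtr]"]

if __name__ == "__main__":
    removed, added = diff_logs(BEFORE, AFTER)
    for section, body in removed:
        print(f"removed  {section} - {body}")
    for section, body in added:
        print(f"ADDED    {section} - {body}")
    print("still present:", unresolved(AFTER, MARKERS) or "none")
```

An entry that shows up under ADDED after a cleanup, or a marker that is still present, is what the reviewer needs to look at first.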



Post by KAMILOSSS, 25 Feb 2008, 00:10

Done, here is the ComboFix log:

Code:
ComboFix 08-02-25 - Użytkownik 2008-02-24 23:06:53.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1250.1.1045.18.565 [GMT 1:00]
Running from: C:\Documents and Settings\Użytkownik\Pulpit\ComboFix.exe
* Created a new restore point

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Użytkownik\Ustawienia lokalne\Dane aplikacji\baidu
C:\Program Files\baidu
C:\Program Files\baidu\bar\baidubar.dat
C:\Program Files\baidu\bar\BaiduBar.dll
C:\Program Files\baidu\bar\bang.ini
C:\Program Files\baidu\bar\BDBar_tmp\baidubar.dll
C:\Program Files\baidu\bar\img\imglist.bmp
C:\Program Files\baidu\bar\img\logo.bmp
C:\Program Files\baidu\bar\loadmovie.swf
C:\WINDOWS\system32\iexp_log.txt

.
(((((((((((((((((((((((((   Files Created from 2008-01-25 to 2008-02-25  )))))))))))))))))))))))))))))))
.

2008-02-24 20:50 . 2008-02-24 20:50   <DIR>   d--------   C:\WINDOWS\LastGood
2008-02-24 20:05 . 2008-02-24 23:04   <DIR>   d--h-----   C:\WINDOWS\$hf_mig$
2008-02-24 14:27 . 2004-08-03 23:44   221,184   --a------   C:\WINDOWS\system32\wmpns.dll
2008-02-24 14:26 . 2007-01-03 20:43   <DIR>   d--h-----   C:\Documents and Settings\Administrator\Ustawienia lokalne
2008-02-24 14:26 . 2008-02-24 14:27   <DIR>   dr-------   C:\Documents and Settings\Administrator\Ulubione
2008-02-24 14:26 . 2007-01-03 19:48   <DIR>   d--h-----   C:\Documents and Settings\Administrator\Szablony
2008-02-24 14:26 . 2007-01-03 20:43   <DIR>   d--------   C:\Documents and Settings\Administrator\Pulpit
2008-02-24 14:26 . 2008-02-24 14:27   <DIR>   dr-------   C:\Documents and Settings\Administrator\Moje dokumenty
2008-02-24 14:26 . 2007-01-03 20:43   <DIR>   dr-------   C:\Documents and Settings\Administrator\Menu Start
2008-02-24 14:26 . 2008-02-24 14:27   <DIR>   dr-h-----   C:\Documents and Settings\Administrator\Dane aplikacji
2008-02-24 13:51 . 2008-02-24 13:51   <DIR>   d--------   C:\WINDOWS\ERUNT
2008-02-24 13:41 . 2008-02-24 15:01   <DIR>   d--------   C:\SDFix
2008-02-24 13:37 . 2007-09-05 23:22   289,144   --a------   C:\WINDOWS\system32\VCCLSID.exe
2008-02-24 13:37 . 2006-04-27 16:49   288,417   --a------   C:\WINDOWS\system32\SrchSTS.exe
2008-02-24 13:37 . 2008-02-22 18:44   86,016   --a------   C:\WINDOWS\system32\VACFix.exe
2008-02-24 13:37 . 2008-02-08 10:37   82,432   --a------   C:\WINDOWS\system32\IEDFix.exe
2008-02-24 13:37 . 2003-06-05 20:13   53,248   --a------   C:\WINDOWS\system32\Process.exe
2008-02-24 13:37 . 2004-07-31 17:50   51,200   --a------   C:\WINDOWS\system32\dumphive.exe
2008-02-24 13:37 . 2007-10-03 23:36   25,600   --a------   C:\WINDOWS\system32\WS2Fix.exe
2008-02-24 13:37 . 2008-02-24 13:37   2,308   --a------   C:\WINDOWS\system32\tmp.reg
2008-02-19 10:10 . 2008-02-19 10:10   50   --a------   C:\tmp.bat
2008-02-19 10:09 . 2008-02-19 10:09   4,096   --a------   C:\info.exe
2008-02-17 13:45 . 2004-08-03 23:08   31,616   --a------   C:\WINDOWS\system32\drivers\usbccgp.sys
2008-02-17 13:45 . 2004-08-03 23:08   31,616   --a--c---   C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-02-05 22:41 . 2008-02-05 22:41   427   --a------   C:\WINDOWS\ODBC.INI
2008-02-05 22:39 . 2008-02-05 22:39   <DIR>   d--------   C:\WINDOWS\ShellNew
2008-02-05 22:37 . 2008-02-05 22:37   <DIR>   d--------   C:\Documents and Settings\Użytkownik\Dane aplikacji\Microsoft Web Folders
2008-02-04 23:33 . 2008-02-04 23:33   156,910   --a------   C:\WINDOWS\WMSysPr8.prx
2008-02-04 22:40 . 2008-02-04 22:40   <DIR>   d--------   C:\Documents and Settings\Użytkownik\Dane aplikacji\Sonic Foundry
2008-02-04 22:40 . 2008-02-04 22:40   <DIR>   d--------   C:\Documents and Settings\Użytkownik\Dane aplikacji\Publish Providers
2008-02-04 22:40 . 2008-02-04 22:40   <DIR>   d--------   C:\Documents and Settings\Użytkownik\Dane aplikacji\NetMedia Providers
2008-02-04 22:39 . 2001-10-19 14:40   1,683,792   --a------   C:\WINDOWS\system32\wmvcore2.dll
2008-02-04 22:39 . 2001-10-19 14:40   665,424   --a------   C:\WINDOWS\system32\wmv8dmoe.dll
2008-02-04 22:39 . 2001-10-19 14:39   572,752   --a------   C:\WINDOWS\system32\wmvdmoe.dll
2008-02-04 22:39 . 2001-10-19 02:05   285,184   --a------   C:\WINDOWS\system32\wmidx2.ocx

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-24 20:06   ---------   d-----w   C:\Documents and Settings\Użytkownik\Dane aplikacji\Skype
2008-02-06 16:12   ---------   d-----w   C:\Documents and Settings\Użytkownik\Dane aplikacji\Hamachi
2008-02-06 16:09   26,056   ----a-w   C:\WINDOWS\system32\drivers\hamachi.sys
2008-02-05 21:37   ---------   d-----w   C:\Program Files\microsoft frontpage
2008-02-05 16:44   ---------   d-----w   C:\Documents and Settings\Użytkownik\Dane aplikacji\uTorrent
2008-01-24 14:54   ---------   d---a-w   C:\Documents and Settings\All Users\Dane aplikacji\TEMP
2008-01-12 14:24   ---------   d-----w   C:\Program Files\Java
2007-12-04 13:04   837,496   ----a-w   C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54   95,608   ----a-w   C:\WINDOWS\system32\AvastSS.scr
2007-12-03 21:26   107,888   -c--a-w   C:\WINDOWS\system32\CmdLineExt.dll
.

------- Sigcheck -------

c1783498edb152656303b5d5bcabd86c  C:\WINDOWS\system32\drivers\tcpip.sys
-c--a-w           359,040 2007-04-21 21:02:46  C:\WINDOWS\system32\dllcache\TCPIP.SYS
----a-w           359,040 2007-04-21 21:02:46  C:\WINDOWS\system32\drivers\TCPIP.SYS
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:44 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 00:55 1667584]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-02-22 23:31 25388584]
"Gadu-Gadu"="D:\PROGRAMY\Gadu-Gadu\gg.exe" [2007-05-10 15:36 2111176]
"AlcoholAutomount"="D:\PROGRAMY\Alcohol 120\axcmd.exe" [2007-07-02 11:27 219520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SkyTel"="SkyTel.EXE" [2006-05-16 11:04 2879488 C:\WINDOWS\SkyTel.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-28 07:54 16248320 C:\WINDOWS\RTHDCPL.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2006-01-12 16:40 155648]
"RemoteControl"="D:\PROGRAMY\POWER DVD\PDVDServ.exe" [2003-10-31 19:42 32768]
"pbmini"="C:\Program Files\pcast\PodcastbarMini\PodcastBarMiniStater.exe" [ ]
"DAEMON Tools-1033"="D:\PROGRAMY\daemon.exe" [2004-08-22 16:05 81920]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"avast!"="D:\PROGRAMY\avast\ashDisp.exe" [2007-12-04 14:00 79224]
"QuickTime Task"="D:\PROGRAMY\QuickTime Alternative\QTTask.exe" [2007-06-29 05:24 286720]
"iTunesHelper"="D:\PROGRAMY\iTunesHelper.exe" [2007-09-14 09:00 267064]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 23:44 15360]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
E-Color.lnk - D:\PROGRAMY\3D\Common\IconMgr.exe [2007-01-06 20:02:37 61440]
Microsoft Office.lnk - D:\PROGRAMY\Office\OSA9.EXE [1999-02-17 21:05:56 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="LogonUI.EXE"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\PROGRAMY\\torrent\\utorrent.exe"=
"D:\\PROGRAMY\\PPStream\\PPStream.exe"=
"D:\\PROGRAMY\\iTunes.exe"=
"C:\\Program Files\\Joost\\xulrunner\\tvprunner.exe"=
"D:\\PROGRAMY\\PPStream\\PPSAP.exe"=
"D:\\PROGRAMY\\SopCast\\adv\\SopAdver.exe"=
"D:\\PROGRAMY\\SopCast\\SopCast.exe"=
"D:\\PROGRAMY\\Gadu-Gadu\\gg.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"D:\\PROGRAMY\\TVUPlayer\\TVUPlayer.exe"=

R3 SNCT511;PC Camera (6005 CIF);C:\WINDOWS\system32\DRIVERS\snct511.sys [2003-04-22 11:04]
S3 AvFlt;Antivirus Filter Driver;C:\WINDOWS\system32\drivers\av5flt.sys []
S3 ddsxeiservice;ddsxeiservice;F:\gry\Counter-Strike 1.6\sXe Injected\ddsxei.sys [2007-10-29 06:24]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a080eea8-9d8f-11db-83d0-00138fe33e52}]
\Shell\AutoRun\command - H:\Autorun.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-02-09 18:35:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-25 23:08:34
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\SETE5.tmp 8192 bytes executable
C:\WINDOWS\system32\SETE6.tmp 148480 bytes executable

scan completed successfully
hidden files: 2

**************************************************************************
.
Completion time: 2008-02-25 23:09:04
ComboFix-quarantined-files.txt  2008-02-25 22:09:01
.
2008-02-24 19:06:27   --- E O F --- 


Post by Dzi@dek, 25 Feb 2008, 00:29

Open Notepad and paste:

File::
C:\WINDOWS\system32\VCCLSID.exe
C:\WINDOWS\system32\SrchSTS.exe
C:\WINDOWS\system32\VACFix.exe
C:\WINDOWS\system32\IEDFix.exe
C:\WINDOWS\system32\Process.exe
C:\WINDOWS\system32\dumphive.exe
C:\WINDOWS\system32\WS2Fix.exe
C:\WINDOWS\system32\tmp.reg
C:\tmp.bat
C:\info.exe



File -> Save as... -> CFScript - ideally save it in a location where the CFScript.txt icon ends up next to the ComboFix.exe icon.
Drag and drop the CFScript.txt file onto ComboFix.exe.
Confirm -> the computer will restart.

If the question "1 or 2" appears, type 1 and press ENTER. The removal process will begin.

Post new logs from ComboFix and HijackThis.


Post by KAMILOSSS, 25 Feb 2008, 17:44

hijackthis

Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:41:35, on 2008-02-26
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\PROGRAMY\avast\aswUpdSv.exe
D:\PROGRAMY\avast\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\RTHDCPL.EXE
D:\PROGRAMY\POWER DVD\PDVDServ.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
D:\PROGRAMY\avast\ashDisp.exe
D:\PROGRAMY\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
D:\PROGRAMY\3D\Common\IconMgr.exe
d:\programy\3D\E-Color Indicator\TICIcon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
F:\gry\pro street\PB\PnkBstrA.exe
D:\PROGRAMY\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
D:\PROGRAMY\avast\ashMaiSv.exe
D:\PROGRAMY\avast\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
D:\PROGRAMY\Gadu-Gadu\gg.exe
C:\WINDOWS\explorer.exe
D:\PROGRAMY\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
D:\PROGRAMY\Hijackthis\hijackthis.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\PROGRAMY\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "D:\PROGRAMY\POWER DVD\PDVDServ.exe"
O4 - HKLM\..\Run: [pbmini] "C:\Program Files\pcast\PodcastbarMini\PodcastBarMiniStater.exe" -hide
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\PROGRAMY\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] D:\PROGRAMY\avast\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\PROGRAMY\QuickTime Alternative\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\PROGRAMY\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Gadu-Gadu] "D:\PROGRAMY\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [AlcoholAutomount] "D:\PROGRAMY\Alcohol 120\axcmd.exe" /automount
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: E-Color.lnk = D:\PROGRAMY\3D\Common\IconMgr.exe
O4 - Global Startup: Microsoft Office.lnk = D:\PROGRAMY\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\PROGRAMY\avast\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\PROGRAMY\avast\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\PROGRAMY\avast\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\PROGRAMY\avast\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Usługa iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PunkBuster (PnkBstrA) - Unknown owner - F:\gry\pro street\PB\PnkBstrA.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - D:\PROGRAMY\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

--
End of file - 5620 bytes



combofix

Code:
ComboFix 08-02-25 - Użytkownik 2008-02-26 16:42:11.3 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1250.1.1045.18.587 [GMT 1:00]
Running from: D:\PROGRAMY\Combofix\ComboFix.exe

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.

(((((((((((((((((((((((((   Files Created from 2008-01-26 to 2008-02-26  )))))))))))))))))))))))))))))))
.

2008-02-24 20:05 . 2008-02-26 11:19   <DIR>   d--h-----   C:\WINDOWS\$hf_mig$
2008-02-24 14:27 . 2004-08-03 23:44   221,184   --a------   C:\WINDOWS\system32\wmpns.dll
2008-02-24 14:26 . 2008-02-26 16:39   <DIR>   d--h-----   C:\Documents and Settings\Administrator\Ustawienia lokalne
2008-02-24 14:26 . 2008-02-24 14:27   <DIR>   dr-------   C:\Documents and Settings\Administrator\Ulubione
2008-02-24 14:26 . 2007-01-03 19:48   <DIR>   d--h-----   C:\Documents and Settings\Administrator\Szablony
2008-02-24 14:26 . 2007-01-03 20:43   <DIR>   d--------   C:\Documents and Settings\Administrator\Pulpit
2008-02-24 14:26 . 2008-02-24 14:27   <DIR>   dr-------   C:\Documents and Settings\Administrator\Moje dokumenty
2008-02-24 14:26 . 2007-01-03 20:43   <DIR>   dr-------   C:\Documents and Settings\Administrator\Menu Start
2008-02-24 14:26 . 2008-02-24 14:27   <DIR>   dr-h-----   C:\Documents and Settings\Administrator\Dane aplikacji
2008-02-24 13:51 . 2008-02-24 13:51   <DIR>   d--------   C:\WINDOWS\ERUNT
2008-02-24 13:41 . 2008-02-24 15:01   <DIR>   d--------   C:\SDFix
2008-02-24 13:37 . 2007-09-05 23:22   289,144   --a------   C:\WINDOWS\system32\VCCLSID.exe
2008-02-24 13:37 . 2006-04-27 16:49   288,417   --a------   C:\WINDOWS\system32\SrchSTS.exe
2008-02-24 13:37 . 2008-02-22 18:44   86,016   --a------   C:\WINDOWS\system32\VACFix.exe
2008-02-24 13:37 . 2008-02-08 10:37   82,432   --a------   C:\WINDOWS\system32\IEDFix.exe
2008-02-24 13:37 . 2003-06-05 20:13   53,248   --a------   C:\WINDOWS\system32\Process.exe
2008-02-24 13:37 . 2004-07-31 17:50   51,200   --a------   C:\WINDOWS\system32\dumphive.exe
2008-02-24 13:37 . 2007-10-03 23:36   25,600   --a------   C:\WINDOWS\system32\WS2Fix.exe
2008-02-24 13:37 . 2008-02-24 13:37   2,308   --a------   C:\WINDOWS\system32\tmp.reg
2008-02-19 10:10 . 2008-02-19 10:10   50   --a------   C:\tmp.bat
2008-02-19 10:09 . 2008-02-19 10:09   4,096   --a------   C:\info.exe
2008-02-17 13:45 . 2004-08-03 23:08   31,616   --a------   C:\WINDOWS\system32\drivers\usbccgp.sys
2008-02-17 13:45 . 2004-08-03 23:08   31,616   --a--c---   C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-02-05 22:41 . 2008-02-05 22:41   427   --a------   C:\WINDOWS\ODBC.INI
2008-02-05 22:39 . 2008-02-05 22:39   <DIR>   d--------   C:\WINDOWS\ShellNew
2008-02-05 22:37 . 2008-02-05 22:37   <DIR>   d--------   C:\Documents and Settings\Użytkownik\Dane aplikacji\Microsoft Web Folders
2008-02-04 23:33 . 2008-02-04 23:33   156,910   --a------   C:\WINDOWS\WMSysPr8.prx
2008-02-04 22:40 . 2008-02-04 22:40   <DIR>   d--------   C:\Documents and Settings\Użytkownik\Dane aplikacji\Sonic Foundry
2008-02-04 22:40 . 2008-02-04 22:40   <DIR>   d--------   C:\Documents and Settings\Użytkownik\Dane aplikacji\Publish Providers
2008-02-04 22:40 . 2008-02-04 22:40   <DIR>   d--------   C:\Documents and Settings\Użytkownik\Dane aplikacji\NetMedia Providers
2008-02-04 22:39 . 2001-10-19 14:40   1,683,792   --a------   C:\WINDOWS\system32\wmvcore2.dll
2008-02-04 22:39 . 2001-10-19 14:40   665,424   --a------   C:\WINDOWS\system32\wmv8dmoe.dll
2008-02-04 22:39 . 2001-10-19 14:39   572,752   --a------   C:\WINDOWS\system32\wmvdmoe.dll
2008-02-04 22:39 . 2001-10-19 02:05   285,184   --a------   C:\WINDOWS\system32\wmidx2.ocx

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-26 14:09   ---------   d-----w   C:\Documents and Settings\Użytkownik\Dane aplikacji\Skype
2008-02-06 16:12   ---------   d-----w   C:\Documents and Settings\Użytkownik\Dane aplikacji\Hamachi
2008-02-06 16:09   26,056   ----a-w   C:\WINDOWS\system32\drivers\hamachi.sys
2008-02-05 21:37   ---------   d-----w   C:\Program Files\microsoft frontpage
2008-02-05 16:44   ---------   d-----w   C:\Documents and Settings\Użytkownik\Dane aplikacji\uTorrent
2008-01-24 14:54   ---------   d---a-w   C:\Documents and Settings\All Users\Dane aplikacji\TEMP
2008-01-12 14:24   ---------   d-----w   C:\Program Files\Java
2007-12-07 01:08   662,016   ----a-w   C:\WINDOWS\system32\wininet.dll
2007-12-04 18:42   550,912   ------w   C:\WINDOWS\system32\oleaut32.dll
2007-12-04 13:04   837,496   ----a-w   C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54   95,608   ----a-w   C:\WINDOWS\system32\AvastSS.scr
2007-12-03 21:26   107,888   -c--a-w   C:\WINDOWS\system32\CmdLineExt.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:44 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24 1694208]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-02-22 23:31 25388584]
"Gadu-Gadu"="D:\PROGRAMY\Gadu-Gadu\gg.exe" [2007-05-10 15:36 2111176]
"AlcoholAutomount"="D:\PROGRAMY\Alcohol 120\axcmd.exe" [2007-07-02 11:27 219520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SkyTel"="SkyTel.EXE" [2006-05-16 11:04 2879488 C:\WINDOWS\SkyTel.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-28 07:54 16248320 C:\WINDOWS\RTHDCPL.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2006-01-12 16:40 155648]
"RemoteControl"="D:\PROGRAMY\POWER DVD\PDVDServ.exe" [2003-10-31 19:42 32768]
"pbmini"="C:\Program Files\pcast\PodcastbarMini\PodcastBarMiniStater.exe" [ ]
"DAEMON Tools-1033"="D:\PROGRAMY\daemon.exe" [2004-08-22 16:05 81920]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"avast!"="D:\PROGRAMY\avast\ashDisp.exe" [2007-12-04 14:00 79224]
"QuickTime Task"="D:\PROGRAMY\QuickTime Alternative\QTTask.exe" [2007-06-29 05:24 286720]
"iTunesHelper"="D:\PROGRAMY\iTunesHelper.exe" [2007-09-14 09:00 267064]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 23:44 15360]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
E-Color.lnk - D:\PROGRAMY\3D\Common\IconMgr.exe [2007-01-06 20:02:37 61440]
Microsoft Office.lnk - D:\PROGRAMY\Office\OSA9.EXE [1999-02-17 21:05:56 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="LogonUI.EXE"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\PROGRAMY\\torrent\\utorrent.exe"=
"D:\\PROGRAMY\\PPStream\\PPStream.exe"=
"D:\\PROGRAMY\\iTunes.exe"=
"C:\\Program Files\\Joost\\xulrunner\\tvprunner.exe"=
"D:\\PROGRAMY\\PPStream\\PPSAP.exe"=
"D:\\PROGRAMY\\SopCast\\adv\\SopAdver.exe"=
"D:\\PROGRAMY\\SopCast\\SopCast.exe"=
"D:\\PROGRAMY\\Gadu-Gadu\\gg.exe"=
"D:\\PROGRAMY\\TVUPlayer\\TVUPlayer.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R3 SNCT511;PC Camera (6005 CIF);C:\WINDOWS\system32\DRIVERS\snct511.sys [2003-04-22 11:04]
S3 AvFlt;Antivirus Filter Driver;C:\WINDOWS\system32\drivers\av5flt.sys []
S3 ddsxeiservice;ddsxeiservice;F:\gry\Counter-Strike 1.6\sXe Injected\ddsxei.sys [2007-10-29 06:24]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a080eea8-9d8f-11db-83d0-00138fe33e52}]
\Shell\AutoRun\command - H:\Autorun.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-02-09 18:35:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-26 16:42:49
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-26 16:43:11
ComboFix-quarantined-files.txt  2008-02-26 15:43:09
ComboFix2.txt  2008-02-26 15:39:30
ComboFix3.txt  2008-02-25 22:09:04
.
2008-02-26 10:19:53   --- E O F --- 
KAMILOSSS
~user

Posts: 29
Joined: 04 Dec 2007, 00:20


Post by Dzi@dek, 25 Feb 2008, 17:47

It looks like you didn't apply something, because the files are still there.

Use SDFix. After downloading it, run it; it will unpack to C:\SDFix.
Start the computer in Safe Mode (F8 at system startup). While in Safe Mode, run the file RunThis.bat from the SDFix folder. Confirm the cleanup with Y. Wait until it finishes and the computer restarts.

Afterwards, go to the C:\SDFix folder and post the contents of the Report.txt file plus the ComboFix log.

Dzi@dek
^distinguished

Posts: 3854
Joined: 11 Dec 2006, 20:18
Location: Warszawa
Commendations: 210



Post by KAMILOSSS, 25 Feb 2008, 18:56

report.txt

Code:
[b]SDFix: Version 1.146 [/b]

Run by Użytkownik on 2008-02-26 at 17:45

Microsoft Windows XP [Wersja 5.1.2600]
Running From: C:\SDFix

[b]Checking Services [/b]:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


[b]Checking Files [/b]:

No Trojan Files Found






Removing Temp Files

[b]ADS Check [/b]:



                                 [b]Final Check [/b]:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-26 17:49:26
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40]
"khjeh"=hex:20,02,00,00,72,7a,2f,bd,24,97,25,c7,b7,16,f2,76,1e,a2,20,f4,a9,..
"hj34z0"=hex:f7,30,e9,da,a2,69,fa,cc,58,6e,3f,a7,61,ca,19,fb,37,b4,1b,82,83,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf41]
"khjeh"=hex:20,02,00,00,be,57,ca,88,98,80,80,73,5b,2b,e1,38,52,19,cc,48,5d,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="D:\PROGRAMY\Alcohol 120\"
"h0"=dword:00000000
"ujdew"=hex:fa,9b,a7,f9,ce,40,4f,4e,ce,5f,9d,15,4e,8d,77,5d,15,c4,e5,70,e9,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="D:\PROGRAMY\Alcohol 120\"
"h0"=dword:00000000
"ujdew"=hex:fa,9b,a7,f9,ce,40,4f,4e,ce,5f,9d,15,4e,8d,77,5d,15,c4,e5,70,e9,..

scanning hidden registry entries ...

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\A\1\5\1c]
"Order"=hex:08,00,00,00,02,00,00,00,b8,01,00,00,01,00,00,00,04,00,00,00,8c,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Eidos\Championship Manager 5\A\1\5\1c]
"Order"=hex:08,00,00,00,02,00,00,00,98,01,00,00,01,00,00,00,03,00,00,00,92,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\B\1\xac]
"Order"=hex:08,00,00,00,02,00,00,00,f4,00,00,00,01,00,00,00,02,00,00,00,70,..

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


[b]Remaining Services [/b]:



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"D:\\PROGRAMY\\torrent\\utorrent.exe"="D:\\PROGRAMY\\torrent\\utorrent.exe:*:Enabled:µTorrent"
"D:\\PROGRAMY\\PPStream\\PPStream.exe"="D:\\PROGRAMY\\PPStream\\PPStream.exe:*:Enabled:PPSÍřÂçµçĘÓ"
"D:\\PROGRAMY\\iTunes.exe"="D:\\PROGRAMY\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Joost\\xulrunner\\tvprunner.exe"="C:\\Program Files\\Joost\\xulrunner\\tvprunner.exe:*:Enabled:tvprunner"
"D:\\PROGRAMY\\PPStream\\PPSAP.exe"="D:\\PROGRAMY\\PPStream\\PPSAP.exe:*:Enabled:PPStream ÍřÂçĽÓËŮĆ÷"
"D:\\PROGRAMY\\SopCast\\adv\\SopAdver.exe"="D:\\PROGRAMY\\SopCast\\adv\\SopAdver.exe:*:Enabled:SopCast Adver"
"D:\\PROGRAMY\\SopCast\\SopCast.exe"="D:\\PROGRAMY\\SopCast\\SopCast.exe:*:Enabled:SopCast Main Application"
"D:\\PROGRAMY\\Gadu-Gadu\\gg.exe"="D:\\PROGRAMY\\Gadu-Gadu\\gg.exe:*:Enabled:Gadu-Gadu - program główny"
"D:\\PROGRAMY\\TVUPlayer\\TVUPlayer.exe"="D:\\PROGRAMY\\TVUPlayer\\TVUPlayer.exe:*:Enabled:TVUPlayer Component"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[b]Remaining Files [/b]:



[b]Files with Hidden Attributes [/b]:

Sat  3 Feb 2007         4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Tue 26 Feb 2008             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\1738c621b33e51e95e7a1d6339d42049\BIT3.tmp"
Sun 24 Feb 2008       343,784 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\2c7c094c07d8ab1c6d2c7df6e96d2df0\BIT59.tmp"
Tue 26 Feb 2008             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\2f97292aaf86a275f40e749965d19378\BIT2.tmp"

[b]Finished![/b]




combofix

Code:
ComboFix 08-02-25 - Użytkownik 2008-02-26 17:53:19.4 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1250.1.1045.18.610 [GMT 1:00]
Running from: D:\PROGRAMY\Combofix\ComboFix.exe

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.

(((((((((((((((((((((((((   Files Created from 2008-01-26 to 2008-02-26  )))))))))))))))))))))))))))))))
.

2008-02-24 20:05 . 2008-02-26 11:19   <DIR>   d--h-----   C:\WINDOWS\$hf_mig$
2008-02-24 14:27 . 2004-08-03 23:44   221,184   --a------   C:\WINDOWS\system32\wmpns.dll
2008-02-24 14:26 . 2008-02-26 16:43   <DIR>   d--h-----   C:\Documents and Settings\Administrator\Ustawienia lokalne
2008-02-24 14:26 . 2008-02-24 14:27   <DIR>   dr-------   C:\Documents and Settings\Administrator\Ulubione
2008-02-24 14:26 . 2007-01-03 19:48   <DIR>   d--h-----   C:\Documents and Settings\Administrator\Szablony
2008-02-24 14:26 . 2007-01-03 20:43   <DIR>   d--------   C:\Documents and Settings\Administrator\Pulpit
2008-02-24 14:26 . 2008-02-24 14:27   <DIR>   dr-------   C:\Documents and Settings\Administrator\Moje dokumenty
2008-02-24 14:26 . 2007-01-03 20:43   <DIR>   dr-------   C:\Documents and Settings\Administrator\Menu Start
2008-02-24 14:26 . 2008-02-24 14:27   <DIR>   dr-h-----   C:\Documents and Settings\Administrator\Dane aplikacji
2008-02-24 13:51 . 2008-02-24 13:51   <DIR>   d--------   C:\WINDOWS\ERUNT
2008-02-24 13:41 . 2008-02-26 17:51   <DIR>   d--------   C:\SDFix
2008-02-24 13:37 . 2007-09-05 23:22   289,144   --a------   C:\WINDOWS\system32\VCCLSID.exe
2008-02-24 13:37 . 2006-04-27 16:49   288,417   --a------   C:\WINDOWS\system32\SrchSTS.exe
2008-02-24 13:37 . 2008-02-22 18:44   86,016   --a------   C:\WINDOWS\system32\VACFix.exe
2008-02-24 13:37 . 2008-02-08 10:37   82,432   --a------   C:\WINDOWS\system32\IEDFix.exe
2008-02-24 13:37 . 2003-06-05 20:13   53,248   --a------   C:\WINDOWS\system32\Process.exe
2008-02-24 13:37 . 2004-07-31 17:50   51,200   --a------   C:\WINDOWS\system32\dumphive.exe
2008-02-24 13:37 . 2007-10-03 23:36   25,600   --a------   C:\WINDOWS\system32\WS2Fix.exe
2008-02-24 13:37 . 2008-02-24 13:37   2,308   --a------   C:\WINDOWS\system32\tmp.reg
2008-02-19 10:10 . 2008-02-19 10:10   50   --a------   C:\tmp.bat
2008-02-19 10:09 . 2008-02-19 10:09   4,096   --a------   C:\info.exe
2008-02-17 13:45 . 2004-08-03 23:08   31,616   --a------   C:\WINDOWS\system32\drivers\usbccgp.sys
2008-02-17 13:45 . 2004-08-03 23:08   31,616   --a--c---   C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-02-05 22:41 . 2008-02-05 22:41   427   --a------   C:\WINDOWS\ODBC.INI
2008-02-05 22:39 . 2008-02-05 22:39   <DIR>   d--------   C:\WINDOWS\ShellNew
2008-02-05 22:37 . 2008-02-05 22:37   <DIR>   d--------   C:\Documents and Settings\Użytkownik\Dane aplikacji\Microsoft Web Folders
2008-02-04 23:33 . 2008-02-04 23:33   156,910   --a------   C:\WINDOWS\WMSysPr8.prx
2008-02-04 22:40 . 2008-02-04 22:40   <DIR>   d--------   C:\Documents and Settings\Użytkownik\Dane aplikacji\Sonic Foundry
2008-02-04 22:40 . 2008-02-04 22:40   <DIR>   d--------   C:\Documents and Settings\Użytkownik\Dane aplikacji\Publish Providers
2008-02-04 22:40 . 2008-02-04 22:40   <DIR>   d--------   C:\Documents and Settings\Użytkownik\Dane aplikacji\NetMedia Providers
2008-02-04 22:39 . 2001-10-19 14:40   1,683,792   --a------   C:\WINDOWS\system32\wmvcore2.dll
2008-02-04 22:39 . 2001-10-19 14:40   665,424   --a------   C:\WINDOWS\system32\wmv8dmoe.dll
2008-02-04 22:39 . 2001-10-19 14:39   572,752   --a------   C:\WINDOWS\system32\wmvdmoe.dll
2008-02-04 22:39 . 2001-10-19 02:05   285,184   --a------   C:\WINDOWS\system32\wmidx2.ocx

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-26 16:53   ---------   d-----w   C:\Documents and Settings\Użytkownik\Dane aplikacji\Skype
2008-02-06 16:12   ---------   d-----w   C:\Documents and Settings\Użytkownik\Dane aplikacji\Hamachi
2008-02-06 16:09   26,056   ----a-w   C:\WINDOWS\system32\drivers\hamachi.sys
2008-02-05 21:37   ---------   d-----w   C:\Program Files\microsoft frontpage
2008-02-05 16:44   ---------   d-----w   C:\Documents and Settings\Użytkownik\Dane aplikacji\uTorrent
2008-01-24 14:54   ---------   d---a-w   C:\Documents and Settings\All Users\Dane aplikacji\TEMP
2008-01-12 14:24   ---------   d-----w   C:\Program Files\Java
2007-12-07 01:08   662,016   ----a-w   C:\WINDOWS\system32\wininet.dll
2007-12-04 18:42   550,912   ------w   C:\WINDOWS\system32\oleaut32.dll
2007-12-04 13:04   837,496   ----a-w   C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54   95,608   ----a-w   C:\WINDOWS\system32\AvastSS.scr
2007-12-03 21:26   107,888   -c--a-w   C:\WINDOWS\system32\CmdLineExt.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:44 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24 1694208]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-02-22 23:31 25388584]
"Gadu-Gadu"="D:\PROGRAMY\Gadu-Gadu\gg.exe" [2007-05-10 15:36 2111176]
"AlcoholAutomount"="D:\PROGRAMY\Alcohol 120\axcmd.exe" [2007-07-02 11:27 219520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SkyTel"="SkyTel.EXE" [2006-05-16 11:04 2879488 C:\WINDOWS\SkyTel.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-28 07:54 16248320 C:\WINDOWS\RTHDCPL.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2006-01-12 16:40 155648]
"RemoteControl"="D:\PROGRAMY\POWER DVD\PDVDServ.exe" [2003-10-31 19:42 32768]
"pbmini"="C:\Program Files\pcast\PodcastbarMini\PodcastBarMiniStater.exe" [ ]
"DAEMON Tools-1033"="D:\PROGRAMY\daemon.exe" [2004-08-22 16:05 81920]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"avast!"="D:\PROGRAMY\avast\ashDisp.exe" [2007-12-04 14:00 79224]
"QuickTime Task"="D:\PROGRAMY\QuickTime Alternative\QTTask.exe" [2007-06-29 05:24 286720]
"iTunesHelper"="D:\PROGRAMY\iTunesHelper.exe" [2007-09-14 09:00 267064]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 23:44 15360]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
E-Color.lnk - D:\PROGRAMY\3D\Common\IconMgr.exe [2007-01-06 20:02:37 61440]
Microsoft Office.lnk - D:\PROGRAMY\Office\OSA9.EXE [1999-02-17 21:05:56 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="LogonUI.EXE"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\PROGRAMY\\torrent\\utorrent.exe"=
"D:\\PROGRAMY\\PPStream\\PPStream.exe"=
"D:\\PROGRAMY\\iTunes.exe"=
"C:\\Program Files\\Joost\\xulrunner\\tvprunner.exe"=
"D:\\PROGRAMY\\PPStream\\PPSAP.exe"=
"D:\\PROGRAMY\\SopCast\\adv\\SopAdver.exe"=
"D:\\PROGRAMY\\SopCast\\SopCast.exe"=
"D:\\PROGRAMY\\Gadu-Gadu\\gg.exe"=
"D:\\PROGRAMY\\TVUPlayer\\TVUPlayer.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R3 SNCT511;PC Camera (6005 CIF);C:\WINDOWS\system32\DRIVERS\snct511.sys [2003-04-22 11:04]
S3 AvFlt;Antivirus Filter Driver;C:\WINDOWS\system32\drivers\av5flt.sys []
S3 ddsxeiservice;ddsxeiservice;F:\gry\Counter-Strike 1.6\sXe Injected\ddsxei.sys [2007-10-29 06:24]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a080eea8-9d8f-11db-83d0-00138fe33e52}]
\Shell\AutoRun\command - H:\Autorun.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-02-09 18:35:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-26 17:54:04
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-26 17:54:30
ComboFix-quarantined-files.txt  2008-02-26 16:54:28
ComboFix2.txt  2008-02-26 15:43:12
ComboFix3.txt  2008-02-26 15:39:30
ComboFix4.txt  2008-02-25 22:09:04
.
2008-02-26 10:19:53   --- E O F --- 
KAMILOSSS
~user

Posts: 29
Joined: 04 Dec 2007, 00:20



Post by wojtas, 25 Feb 2008, 19:12

Download OTMoveIt. In the box on the left, "Paste List of Files/Folders to be Moved", paste:

C:\tmp.bat
C:\info.exe


Then press MoveIt!. The files have been moved. The result of the operation will be shown in the Results window on the right.
After the whole operation, restart the computer.

wojtas
*mod

Posts: 18165
Joined: 13 Jan 2006, 16:00
Location: Krzeszyce
Commendations: 1656



Post by KAMILOSSS, 25 Feb 2008, 19:45

The operation completed successfully. Is everything OK now?

KAMILOSSS
~user

Posts: 29
Joined: 04 Dec 2007, 00:20



Post by wojtas, 25 Feb 2008, 19:51

To be sure, post a log from ComboFix.

wojtas
*mod

Posts: 18165
Joined: 13 Jan 2006, 16:00
Location: Krzeszyce
Commendations: 1656



Post by KAMILOSSS, 25 Feb 2008, 21:03

Here it is:

Code:
ComboFix 08-02-25 - Użytkownik 2008-02-26 20:01:03.5 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1250.1.1045.18.636 [GMT 1:00]
Running from: D:\PROGRAMY\Combofix\ComboFix.exe

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.

(((((((((((((((((((((((((   Files Created from 2008-01-26 to 2008-02-26  )))))))))))))))))))))))))))))))
.

2008-02-26 18:43 . 2008-02-26 18:43   <DIR>   d--------   C:\_OTMoveIt
2008-02-24 20:05 . 2008-02-26 11:19   <DIR>   d--h-----   C:\WINDOWS\$hf_mig$
2008-02-24 14:27 . 2004-08-03 23:44   221,184   --a------   C:\WINDOWS\system32\wmpns.dll
2008-02-24 14:26 . 2008-02-26 17:54   <DIR>   d--h-----   C:\Documents and Settings\Administrator\Ustawienia lokalne
2008-02-24 14:26 . 2008-02-24 14:27   <DIR>   dr-------   C:\Documents and Settings\Administrator\Ulubione
2008-02-24 14:26 . 2007-01-03 19:48   <DIR>   d--h-----   C:\Documents and Settings\Administrator\Szablony
2008-02-24 14:26 . 2007-01-03 20:43   <DIR>   d--------   C:\Documents and Settings\Administrator\Pulpit
2008-02-24 14:26 . 2008-02-24 14:27   <DIR>   dr-------   C:\Documents and Settings\Administrator\Moje dokumenty
2008-02-24 14:26 . 2007-01-03 20:43   <DIR>   dr-------   C:\Documents and Settings\Administrator\Menu Start
2008-02-24 14:26 . 2008-02-24 14:27   <DIR>   dr-h-----   C:\Documents and Settings\Administrator\Dane aplikacji
2008-02-24 13:51 . 2008-02-24 13:51   <DIR>   d--------   C:\WINDOWS\ERUNT
2008-02-24 13:41 . 2008-02-26 17:51   <DIR>   d--------   C:\SDFix
2008-02-24 13:37 . 2007-09-05 23:22   289,144   --a------   C:\WINDOWS\system32\VCCLSID.exe
2008-02-24 13:37 . 2006-04-27 16:49   288,417   --a------   C:\WINDOWS\system32\SrchSTS.exe
2008-02-24 13:37 . 2008-02-22 18:44   86,016   --a------   C:\WINDOWS\system32\VACFix.exe
2008-02-24 13:37 . 2008-02-08 10:37   82,432   --a------   C:\WINDOWS\system32\IEDFix.exe
2008-02-24 13:37 . 2003-06-05 20:13   53,248   --a------   C:\WINDOWS\system32\Process.exe
2008-02-24 13:37 . 2004-07-31 17:50   51,200   --a------   C:\WINDOWS\system32\dumphive.exe
2008-02-24 13:37 . 2007-10-03 23:36   25,600   --a------   C:\WINDOWS\system32\WS2Fix.exe
2008-02-24 13:37 . 2008-02-24 13:37   2,308   --a------   C:\WINDOWS\system32\tmp.reg
2008-02-17 13:45 . 2004-08-03 23:08   31,616   --a------   C:\WINDOWS\system32\drivers\usbccgp.sys
2008-02-17 13:45 . 2004-08-03 23:08   31,616   --a--c---   C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-02-05 22:41 . 2008-02-05 22:41   427   --a------   C:\WINDOWS\ODBC.INI
2008-02-05 22:39 . 2008-02-05 22:39   <DIR>   d--------   C:\WINDOWS\ShellNew
2008-02-05 22:37 . 2008-02-05 22:37   <DIR>   d--------   C:\Documents and Settings\Użytkownik\Dane aplikacji\Microsoft Web Folders
2008-02-04 23:33 . 2008-02-04 23:33   156,910   --a------   C:\WINDOWS\WMSysPr8.prx
2008-02-04 22:40 . 2008-02-04 22:40   <DIR>   d--------   C:\Documents and Settings\Użytkownik\Dane aplikacji\Sonic Foundry
2008-02-04 22:40 . 2008-02-04 22:40   <DIR>   d--------   C:\Documents and Settings\Użytkownik\Dane aplikacji\Publish Providers
2008-02-04 22:40 . 2008-02-04 22:40   <DIR>   d--------   C:\Documents and Settings\Użytkownik\Dane aplikacji\NetMedia Providers
2008-02-04 22:39 . 2001-10-19 14:40   1,683,792   --a------   C:\WINDOWS\system32\wmvcore2.dll
2008-02-04 22:39 . 2001-10-19 14:40   665,424   --a------   C:\WINDOWS\system32\wmv8dmoe.dll
2008-02-04 22:39 . 2001-10-19 14:39   572,752   --a------   C:\WINDOWS\system32\wmvdmoe.dll
2008-02-04 22:39 . 2001-10-19 02:05   285,184   --a------   C:\WINDOWS\system32\wmidx2.ocx

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-26 18:59   ---------   d-----w   C:\Documents and Settings\Użytkownik\Dane aplikacji\Skype
2008-02-06 16:12   ---------   d-----w   C:\Documents and Settings\Użytkownik\Dane aplikacji\Hamachi
2008-02-06 16:09   26,056   ----a-w   C:\WINDOWS\system32\drivers\hamachi.sys
2008-02-05 21:37   ---------   d-----w   C:\Program Files\microsoft frontpage
2008-02-05 16:44   ---------   d-----w   C:\Documents and Settings\Użytkownik\Dane aplikacji\uTorrent
2008-01-24 14:54   ---------   d---a-w   C:\Documents and Settings\All Users\Dane aplikacji\TEMP
2008-01-12 14:24   ---------   d-----w   C:\Program Files\Java
2007-12-07 01:08   662,016   ----a-w   C:\WINDOWS\system32\wininet.dll
2007-12-04 18:42   550,912   ------w   C:\WINDOWS\system32\oleaut32.dll
2007-12-04 13:04   837,496   ----a-w   C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54   95,608   ----a-w   C:\WINDOWS\system32\AvastSS.scr
2007-12-03 21:26   107,888   -c--a-w   C:\WINDOWS\system32\CmdLineExt.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:44 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24 1694208]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-02-22 23:31 25388584]
"Gadu-Gadu"="D:\PROGRAMY\Gadu-Gadu\gg.exe" [2007-05-10 15:36 2111176]
"AlcoholAutomount"="D:\PROGRAMY\Alcohol 120\axcmd.exe" [2007-07-02 11:27 219520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SkyTel"="SkyTel.EXE" [2006-05-16 11:04 2879488 C:\WINDOWS\SkyTel.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-28 07:54 16248320 C:\WINDOWS\RTHDCPL.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2006-01-12 16:40 155648]
"RemoteControl"="D:\PROGRAMY\POWER DVD\PDVDServ.exe" [2003-10-31 19:42 32768]
"pbmini"="C:\Program Files\pcast\PodcastbarMini\PodcastBarMiniStater.exe" [ ]
"DAEMON Tools-1033"="D:\PROGRAMY\daemon.exe" [2004-08-22 16:05 81920]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"avast!"="D:\PROGRAMY\avast\ashDisp.exe" [2007-12-04 14:00 79224]
"QuickTime Task"="D:\PROGRAMY\QuickTime Alternative\QTTask.exe" [2007-06-29 05:24 286720]
"iTunesHelper"="D:\PROGRAMY\iTunesHelper.exe" [2007-09-14 09:00 267064]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 23:44 15360]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
E-Color.lnk - D:\PROGRAMY\3D\Common\IconMgr.exe [2007-01-06 20:02:37 61440]
Microsoft Office.lnk - D:\PROGRAMY\Office\OSA9.EXE [1999-02-17 21:05:56 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="LogonUI.EXE"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\PROGRAMY\\torrent\\utorrent.exe"=
"D:\\PROGRAMY\\PPStream\\PPStream.exe"=
"D:\\PROGRAMY\\iTunes.exe"=
"C:\\Program Files\\Joost\\xulrunner\\tvprunner.exe"=
"D:\\PROGRAMY\\PPStream\\PPSAP.exe"=
"D:\\PROGRAMY\\SopCast\\adv\\SopAdver.exe"=
"D:\\PROGRAMY\\SopCast\\SopCast.exe"=
"D:\\PROGRAMY\\Gadu-Gadu\\gg.exe"=
"D:\\PROGRAMY\\TVUPlayer\\TVUPlayer.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R3 SNCT511;PC Camera (6005 CIF);C:\WINDOWS\system32\DRIVERS\snct511.sys [2003-04-22 11:04]
S3 AvFlt;Antivirus Filter Driver;C:\WINDOWS\system32\drivers\av5flt.sys []
S3 ddsxeiservice;ddsxeiservice;F:\gry\Counter-Strike 1.6\sXe Injected\ddsxei.sys [2007-10-29 06:24]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a080eea8-9d8f-11db-83d0-00138fe33e52}]
\Shell\AutoRun\command - H:\Autorun.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-02-09 18:35:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-26 20:02:19
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> D:\PROGRAMY\winrar\rarext.dll
.
Completion time: 2008-02-26 20:02:44
ComboFix-quarantined-files.txt  2008-02-26 19:02:42
ComboFix2.txt  2008-02-26 16:54:31
ComboFix3.txt  2008-02-26 15:43:12
ComboFix4.txt  2008-02-26 15:39:30
ComboFix5.txt  2008-02-25 22:09:04
.
2008-02-26 10:19:53   --- E O F --- 
KAMILOSSS
~user
 
Posts: 29
Joined: 04 Dec 2007, 00:20



Post by wojtas, 25 Feb 2008, 21:10

Also launch OTMoveIt and run it with the CleanUp option :)
wojtas
*mod
 
Posts: 18165
Joined: 13 Jan 2006, 16:00
Location: Krzeszyce
Commendations: 1656



Post by KAMILOSSS, 25 Feb 2008, 21:20

Done!

I see, wojtas, that you're a Real fan too :D HALA MADRID!!!
KAMILOSSS
~user
 
Posts: 29
Joined: 04 Dec 2007, 00:20



Post by wojtas, 25 Feb 2008, 21:22

Then it'll be fine now :D Hala Madrid :)
wojtas
*mod
 
Posts: 18165
Joined: 13 Jan 2006, 16:00
Location: Krzeszyce
Commendations: 1656



