fake xp seciuritycenter

System security, virus removal, choosing antivirus software. Mandatory logs in this section: three from FRST + Gmer.


Posted by bobza, 20 Jun 2008, 09:24

Hi
It's been a long time since I was here, and I'm back with a problem.
A colleague at work intelligently installed XP SecurityCenter on his machine. It is 100% fake; the symptoms are classic:
changed Security Center icons, constant prompts with the message that 10372946 viruses were detected, and the information that the reliable cure for this situation will be buying the full version.
I can't launch HJ, neither the .exe nor the .com version.
The only thing that worked was Silent:
"Silent Runners.vbs", revision 58, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"VTTimer" = "VTTimer.exe" ["S3 Graphics, Inc."]
"VTTrayp" = "VTtrayp.exe" ["S3 Graphics Co., Ltd."]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"JobHisInit" = "C:\Program Files\RMClient\JobHisInit.exe" [empty string]
"MplSetUp" = "C:\Program Files\RMClient\MplSetUp.exe" ["RICOH CO.,LTD."]
"XP SecurityCenter" = ""C:\Program Files\XPSecurityCenter\xpsecuritycenter.exe" /hide" [file not found]
"braviax" = "braviax.exe" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
-> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{23170F69-40C1-278A-1000-000100020000}" = "7-Zip Shell Extension"
-> {HKLM...CLSID} = "7-Zip Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zipn.dll" ["Igor Pavlov"]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" = "OpenOffice.org Column Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.ux.pl 2.1.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{087B3AE3-E237-4467-B8DB-5A38AB959AC9}" = "OpenOffice.org Infotip Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.ux.pl 2.1.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice.org Property Sheet Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.ux.pl 2.1.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{3B092F0C-7696-40E3-A80F-68D74DA84210}" = "OpenOffice.org Thumbnail Viewer"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.ux.pl 2.1.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}\(Default) = "OpenOffice.org Column Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.ux.pl 2.1.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
-> {HKLM...CLSID} = "7-Zip Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zipn.dll" ["Igor Pavlov"]
PLTbMenu\(Default) = "{0923E181-20C7-4aed-ADF0-782ED052C930}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\RDS\PLTbMenu.dll" ["RICOH Company Ltd."]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
-> {HKLM...CLSID} = "7-Zip Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zipn.dll" ["Igor Pavlov"]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\web\wallpaper\Idylla.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\web\wallpaper\Idylla.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

WinampMTPHandler\
"Provider" = "Winamp"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = "C:\Program Files\Winamp\winamp.exe"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
-> {HKLM...CLSID} = "ShellExecute HW Event Handler"
\LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

WinampPlayMediaOnArrival\
"Provider" = "Winamp"
"InvokeProgID" = "Winamp.File"
"InvokeVerb" = "Play"
HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\command\(Default) = ""C:\Program Files\Winamp\winamp.exe" "%1"" ["Nullsoft"]
HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\DropTarget\CLSID = "{46986115-84D6-459c-8F95-52DD653E532E}"
-> {HKLM...CLSID} = (no title provided)
\LocalServer32\(Default) = ""C:\Program Files\Winamp\winamp.exe"" ["Nullsoft"]


Startup items in "Admin" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\Admin\Menu Start\Programy\Autostart
<<!>> "ctfmon.exe" [null data]


Enabled Scheduled Tasks:
------------------------

"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -Task" [file not found]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 18
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}" = "Winamp Toolbar"
-> {HKLM...CLSID} = "Winamp Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Winamp Toolbar\winamptb.dll" ["AOL LLC"]
"{3FE20A68-5F78-4CF1-A941-3AAA55DE4C9D}" = (no title provided)
-> {HKLM...CLSID} = "Getionary Toolbar"
\InProcServer32\(Default) = "C:\WINDOWS\Downloaded Program Files\CONFLICT.1\getionaryPL.dll" [empty string]

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Badanie"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_06"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Badanie"

{C5428486-50A0-4A02-9D20-520B59A9F9B2}\
"ButtonText" = "ShopperReports - Compare product prices"
"CLSIDExtension" = "{C9CCBB35-D123-4a31-AFFC-9B2933132116}"

{C5428486-50A0-4A02-9D20-520B59A9F9B3}\
"ButtonText" = "ShopperReports - Compare travel rates"
"CLSIDExtension" = "{A16AD1E9-F69A-45af-9462-B1C286708842}"

{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}\
"MenuText" = "Spybot - Search & Destroy Configuration"
"CLSIDExtension" = "{53707962-6F74-2D53-2644-206D7942484F}"
-> {HKLM...CLSID} = "Spybot-S&D IE Protection"
\InProcServer32\(Default) = "C:\SEBAFO~1\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


All Non-Disabled Services (Display Name, Service Name, Path {Service DLL}):
---------------------------------------------------------------------------

ASP.NET State Service, aspnet_state, "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe" [MS]
Google Updater Service, gusvc, ""C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"" ["Google"]
HASP Loader, HASP Loader, "C:\WINDOWS\system32\nhsrvice.exe -service" ["Aladdin Knowledge Systems"]
InstallDriver Table Manager, IDriverT, ""C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe"" ["Macrovision Corporation"]
Karta wydajności WMI, WmiApSrv, "C:\WINDOWS\system32\wbem\wmiapsrv.exe" [MS]
Microsoft ASPI Manager, aspimgr, "C:\WINDOWS\system32\aspimgr.exe" [null data]
Office Source Engine, ose, ""C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"" [MS]
Outpost Firewall Service, OutpostFirewall, "C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe /service" [file not found]
Usługa administracyjna Menedżera dysków logicznych, dmadmin, "C:\WINDOWS\System32\dmadmin.exe /com" ["Microsoft Corp., Veritas Software"]
Usługa numeru seryjnego multimediów przenośnych, WmdmPmSN, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\MsPMSNSv.dll" [MS]}
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]
Monitor języka PJL\Driver = "PJLMON.DLL" [MS]
NRG Language Monitor2\Driver = "rc4mon.dll" ["RICOH CO.,Ltd."]
SmartDeviceMonitor\Driver = "RPNV2MON.DLL" ["RICOH"]


---------- (launch time: 2008-06-20 09:13:42)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 76 seconds.
---------- (total run time: 127 seconds)


Please help.

Nemo surdior est quam is qui non audiet
bobza
~user
Posts: 1375
Joined: 04 Jan 2006, 15:14
Location: Wrocław
Commendations: 107
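As an added example (not part of this thread, and not code from Silent Runners or ComboFix): a small Python triage script that scans log text shaped like the one above for the indicators the responders in this thread key on. It reports autostart entries the scanner marked `<<!>>` or could not verify on disk (`[file not found]`, `[null data]`, `[empty string]`), minutes in which a burst of files was created (the dropper signature in the ComboFix "Files Created" section), AutoRun commands registered under `Explorer\MountPoints2` for drive letters, and copies of a Windows binary name (`ctfmon.exe`) sitting outside `\WINDOWS\system32`. The sample log embedded below is constructed from a handful of lines in the shape of the posted logs; the function names, the regexes and the list of borrowed binary names are assumptions of this example.

```python
"""Triage helper for Silent Runners / ComboFix style log text.

Hypothetical example written for this thread; it is not part of either tool.
"""
import re
from collections import defaultdict

# Constructed sample: a few lines of each kind found in the logs posted above.
SAMPLE_LOG = r"""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"XP SecurityCenter" = ""C:\Program Files\XPSecurityCenter\xpsecuritycenter.exe" /hide" [file not found]
"braviax" = "braviax.exe" [null data]
C:\Documents and Settings\Admin\Menu Start\Programy\Autostart
<<!>> "ctfmon.exe" [null data]
C:\Recycled\Recycled\ctfmon.exe
2008-06-20 11:46 . 2008-06-20 11:46 19,773 --a------ C:\Program Files\Common Files\niduqy.sys
2008-06-20 11:46 . 2008-06-20 11:46 16,741 --a------ C:\WINDOWS\azituj.db
2008-06-20 11:46 . 2008-06-20 11:46 16,194 --a------ C:\WINDOWS\gepi.dll
2008-06-20 08:46 . 2007-12-24 17:37 138,384 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\Recycled\ctfmon.exe
"""

# Tags Silent Runners appends to entries whose target it could not verify.
UNVERIFIED_TAGS = ("[file not found]", "[null data]", "[empty string]")

# ComboFix "Files Created" line: created stamp, modified stamp, size, attributes, path.
# Directory entries ("<DIR>") have no numeric size and are deliberately skipped.
CREATED_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+"
    r"[\d,]+\s+\S+\s+(.+?)\s*$"
)
# AutoRun command registered under Explorer\MountPoints2 for a drive letter.
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command - (.+?)\s*$", re.IGNORECASE)
# Any absolute Windows path inside a line (stops at quotes and brackets).
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"\[\]<>\r\n]+")
# Windows binary names the malware in this thread borrowed (constructed list).
SYSTEM_BINARY_NAMES = {"ctfmon.exe"}
SYSTEM32 = "\\windows\\system32\\"


def find_unverified_autostarts(text):
    """Autostart lines the scanner flagged (<<!>>) or could not verify on disk."""
    hits = []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("<<!>>"):
            hits.append((stripped, "<<!>>"))
            continue
        for tag in UNVERIFIED_TAGS:
            if stripped.endswith(tag):
                hits.append((stripped, tag))
                break
    return hits


def find_file_bursts(text, min_count=3):
    """Creation minutes in which at least min_count files appeared (dropper bursts)."""
    by_minute = defaultdict(list)
    for line in text.splitlines():
        m = CREATED_RE.match(line)
        if m:
            by_minute[m.group(1)].append(m.group(2))
    return {minute: paths for minute, paths in by_minute.items() if len(paths) >= min_count}


def find_autorun_commands(text):
    """Targets of AutoRun commands registered under MountPoints2 (unusual for fixed drives)."""
    targets = []
    for line in text.splitlines():
        m = AUTORUN_RE.match(line)
        if m:
            targets.append(m.group(1))
    return targets


def find_system_name_lookalikes(text):
    """Paths that reuse a Windows system binary name but live outside system32."""
    hits = []
    for path in PATH_RE.findall(text):
        path = path.rstrip()
        name = path.rsplit("\\", 1)[-1].lower()
        if name in SYSTEM_BINARY_NAMES and SYSTEM32 not in path.lower():
            hits.append(path)
    return hits


if __name__ == "__main__":
    for line, tag in find_unverified_autostarts(SAMPLE_LOG):
        print("unverified autostart", tag, "->", line)
    for minute, paths in find_file_bursts(SAMPLE_LOG).items():
        print("file burst at", minute, ":", len(paths), "files")
    for target in find_autorun_commands(SAMPLE_LOG):
        print("AutoRun command ->", target)
    for path in find_system_name_lookalikes(SAMPLE_LOG):
        print("system-name lookalike ->", path)
```

The path regex treats the whole tail of the AutoRun line as one path, so that copy of `ctfmon.exe` is reported by `find_autorun_commands` rather than by the lookalike check; the `C:\Recycled\Recycled\ctfmon.exe` deletion entry is what the lookalike check catches. The functions only read text, so the script can be run against a pasted log without touching the infected machine.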



Posted by wojtas, 20 Jun 2008, 12:21

Do what is given in this topic:

Use SDFix. After downloading, run it and it will unpack to C:\SDFix. Boot the computer into Safe Mode (F8 at system startup). In Safe Mode, run the RunThis.bat file from the SDFix folder. Confirm the cleaning with Y. Wait until it finishes and the computer restarts.

Then go into the C:\SDFix folder and paste the contents of the Report.txt file + a log from ComboFix or DSS.

wojtas
*mod
Posts: 18165
Joined: 13 Jan 2006, 16:00
Location: Krzeszyce
Commendations: 1656



Posted by bobza, 20 Jun 2008, 14:06

The SDFix log is too long :)

ComboFix 08-06-19.2 - Admin 2008-06-20 13:55:07.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.79 [GMT 2:00]
Running from: C:\Documents and Settings\Admin\Pulpit\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
C:\Documents and Settings\Admin\Menu Start\Programy\Autostart\ctfmon.exe
C:\Program Files\ShoppingReport
C:\Program Files\ShoppingReport\Uninst.exe
C:\Recycled\Recycled
C:\Recycled\Recycled\ctfmon.exe
C:\WINDOWS\Downloaded Program Files\cache
C:\WINDOWS\Downloaded Program Files\cache\0f12d16f910f10e4b2228229c3514768
C:\WINDOWS\g32.txt
C:\WINDOWS\system32\DelSelf.bat
C:\WINDOWS\system32\uninstall.exe

.
((((((((((((((((((((((((( Files Created from 2008-05-20 to 2008-06-20 )))))))))))))))))))))))))))))))
.

2008-06-20 13:32 . 2008-06-20 13:33 <DIR> d-------- C:\WINDOWS\ERUNT
2008-06-20 11:46 . 2008-06-20 11:46 19,773 --a------ C:\Program Files\Common Files\niduqy.sys
2008-06-20 11:46 . 2008-06-20 11:46 16,741 --a------ C:\WINDOWS\azituj.db
2008-06-20 11:46 . 2008-06-20 11:46 16,194 --a------ C:\WINDOWS\gepi.dll
2008-06-20 11:46 . 2008-06-20 11:46 16,081 --a------ C:\WINDOWS\yqaga._dl
2008-06-20 11:46 . 2008-06-20 11:46 15,599 --a------ C:\Program Files\Common Files\riruvefox.exe
2008-06-20 11:46 . 2008-06-20 11:46 15,363 --a------ C:\Documents and Settings\All Users\Dane aplikacji\umasu.vbs
2008-06-20 11:46 . 2008-06-20 11:46 13,120 --a------ C:\WINDOWS\ifisonuc.pif
2008-06-20 11:46 . 2008-06-20 11:46 12,908 --a------ C:\WINDOWS\system32\jynojiv.dll
2008-06-20 11:46 . 2008-06-20 11:46 12,074 --a------ C:\WINDOWS\edaxilyw.db
2008-06-20 11:46 . 2008-06-20 11:46 11,942 --a------ C:\WINDOWS\raxikyz.scr
2008-06-20 11:46 . 2008-06-20 11:46 11,762 --a------ C:\WINDOWS\system32\dadalu.sys
2008-06-20 11:44 . 2008-06-20 11:44 <DIR> d-------- C:\Program Files\XPSecurityCenter
2008-06-20 10:06 . 2008-06-20 10:06 18,997 --a------ C:\WINDOWS\uzoneqotoj._dl
2008-06-20 10:06 . 2008-06-20 10:06 18,619 --a------ C:\WINDOWS\system32\ewyqyf.dl
2008-06-20 10:06 . 2008-06-20 10:06 17,292 --a------ C:\Program Files\Common Files\ibimysugag.dll
2008-06-20 10:06 . 2008-06-20 10:06 16,670 --a------ C:\Program Files\Common Files\tacon.bin
2008-06-20 10:06 . 2008-06-20 10:06 15,488 --a------ C:\WINDOWS\system32\oxylohi.dll
2008-06-20 10:06 . 2008-06-20 10:06 14,910 --a------ C:\WINDOWS\humazop.exe
2008-06-20 10:06 . 2008-06-20 10:06 14,410 --a------ C:\WINDOWS\system32\cipy.db
2008-06-20 10:06 . 2008-06-20 10:06 13,899 --a------ C:\Documents and Settings\All Users\Dane aplikacji\omogoliqam.exe
2008-06-20 10:06 . 2008-06-20 10:06 12,934 --a------ C:\WINDOWS\dofu.scr
2008-06-20 10:06 . 2008-06-20 10:06 12,660 --a------ C:\WINDOWS\enofu.reg
2008-06-20 10:06 . 2008-06-20 10:06 10,428 --a------ C:\Documents and Settings\All Users\Dane aplikacji\savazynite.bat
2008-06-20 10:06 . 2008-06-20 10:06 10,401 --a------ C:\Program Files\Common Files\lize.scr
2008-06-20 10:06 . 2008-06-20 10:06 10,291 --a------ C:\WINDOWS\zemaf.ban
2008-06-20 08:46 . 2008-06-20 08:53 <DIR> d-------- C:\Documents and Settings\Admin\Dane aplikacji\HouseCall 6.6
2008-06-20 08:46 . 2007-12-24 17:37 138,384 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-06-20 08:22 . 2008-06-20 08:22 19,962 --a------ C:\WINDOWS\epoj.bat
2008-06-20 08:22 . 2008-06-20 08:22 17,111 --a------ C:\Program Files\Common Files\tisyvu.dat
2008-06-20 08:22 . 2008-06-20 08:22 16,290 --a------ C:\WINDOWS\gemi.dll
2008-06-20 08:22 . 2008-06-20 08:22 15,528 --a------ C:\Documents and Settings\Admin\Dane aplikacji\qiduvulu.dat
2008-06-20 08:22 . 2008-06-20 08:22 15,176 --a------ C:\WINDOWS\system32\izamu.ban
2008-06-20 08:22 . 2008-06-20 08:22 14,638 --a------ C:\WINDOWS\vekuka.sys
2008-06-20 08:22 . 2008-06-20 08:22 14,115 --a------ C:\WINDOWS\asaratowo.pif
2008-06-20 08:22 . 2008-06-20 08:22 10,411 --a------ C:\WINDOWS\fiducujov.exe
2008-06-20 08:17 . 2008-06-20 08:17 19,921 --a------ C:\Documents and Settings\All Users\Dane aplikacji\letiby.dll
2008-06-20 08:17 . 2008-06-20 08:17 16,594 --a------ C:\Program Files\Common Files\tyrik.dat
2008-06-20 08:17 . 2008-06-20 08:17 16,291 --a------ C:\WINDOWS\system32\xilinovi.vbs
2008-06-20 08:17 . 2008-06-20 08:17 15,557 --a------ C:\WINDOWS\rahi.pif
2008-06-20 08:17 . 2008-06-20 08:17 15,182 --a------ C:\WINDOWS\system32\ekob.com
2008-06-20 08:17 . 2008-06-20 08:17 14,410 --a------ C:\WINDOWS\cyvyf._dl
2008-06-20 08:17 . 2008-06-20 08:17 14,054 --a------ C:\WINDOWS\system32\vesawuke.vbs
2008-06-20 08:17 . 2008-06-20 08:17 12,264 --a------ C:\WINDOWS\ilys.db
2008-06-20 08:17 . 2008-06-20 08:17 11,244 --a------ C:\Program Files\Common Files\zuvidok.reg
2008-06-20 08:17 . 2008-06-20 08:17 11,036 --a------ C:\Program Files\Common Files\asonyjah.dll
2008-06-20 08:17 . 2008-06-20 08:17 10,625 --a------ C:\Program Files\Common Files\yduhod.pif
2008-06-20 08:17 . 2008-06-20 08:17 10,170 --a------ C:\WINDOWS\system32\fitaja.db
2008-06-19 11:18 . 2008-06-19 11:18 19,110 --a------ C:\WINDOWS\system32\arumo.reg
2008-06-19 11:18 . 2008-06-19 11:18 18,729 --a------ C:\Documents and Settings\All Users\Dane aplikacji\wyhy.pif
2008-06-19 11:18 . 2008-06-19 11:18 17,961 --a------ C:\WINDOWS\ikekuci.inf
2008-06-19 11:18 . 2008-06-19 11:18 17,785 --a------ C:\Program Files\Common Files\ysilewaw.vbs
2008-06-19 11:18 . 2008-06-19 11:18 17,729 --a------ C:\WINDOWS\system32\idowulavoz.dat
2008-06-19 11:18 . 2008-06-19 11:18 15,104 --a------ C:\WINDOWS\uvekuj.sys
2008-06-19 11:18 . 2008-06-19 11:18 15,032 --a------ C:\WINDOWS\ajubypanip.bat
2008-06-19 11:18 . 2008-06-19 11:18 13,066 --a------ C:\WINDOWS\system32\asubeqan.bin
2008-06-19 11:18 . 2008-06-19 11:18 12,587 --a------ C:\WINDOWS\system32\iqixiqus.reg
2008-06-19 11:18 . 2008-06-19 11:18 12,426 --a------ C:\Program Files\Common Files\ogilo.exe
2008-06-19 11:18 . 2008-06-19 11:18 11,416 --a------ C:\WINDOWS\system32\lutaxad.pif
2008-06-11 05:04 . 2008-04-14 17:53 273,024 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 05:04 . 2008-04-14 17:53 273,024 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-20 09:55 4,224 ----a-w C:\WINDOWS\system32\drivers\beep.sys
2008-06-20 08:06 15,665 ----a-w C:\Program Files\Common Files\ququc.ban
2008-06-20 06:22 10,322 ----a-w C:\Program Files\Common Files\xogelohecy.inf
2008-06-20 06:17 17,473 ----a-w C:\Program Files\Common Files\aketyp._dl
2008-06-19 09:18 16,127 ----a-w C:\Program Files\Common Files\faxafetuf.db
2008-06-19 09:18 14,868 ----a-w C:\Program Files\Common Files\osuk._dl
2008-06-03 13:14 --------- d-----w C:\Program Files\Kancelaris
2008-05-21 11:19 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Spybot - Search & Destroy
2008-05-16 10:45 --------- d-----w C:\Program Files\mcportal.pl
2008-05-16 10:41 --------- d-----w C:\Program Files\Trend Micro
2008-05-16 10:31 --------- d-----w C:\Program Files\Common Files\Softwin
2008-05-16 08:32 82,812,928 ------w C:\WINDOWS\Setup1.exe
2008-05-16 08:32 1,507,356 ----a-w C:\WINDOWS\msjet40.dll
2008-05-16 08:32 1,163,264 ----a-w C:\WINDOWS\system32\libmysql.dll
2008-05-16 08:31 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:16 1,291,264 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-23 07:20 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-03-25 04:52 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll
2008-03-25 04:52 178,976 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-20 08:09 1,845,504 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-20 07:29 35,840 ----a-w C:\WINDOWS\system32\zlib1.dll
2005-02-02 22:28 1,544 ----a-w C:\Program Files\Common Files\highlight.rew
.

------- Sigcheck -------

2006-05-09 08:22 504832 381221f69d1248864861889a64f100b6 C:\WINDOWS\system32\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"= "C:\Program Files\Winamp Toolbar\winamptb.dll" [2007-12-13 18:49 1185120]

[HKEY_CLASSES_ROOT\clsid\{ebf2ba02-9094-4c5a-858b-bb198f3d8de2}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2004-07-13 03:57 53248 C:\WINDOWS\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [2004-06-21 20:57 143360 C:\WINDOWS\system32\VTTrayp.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-01-20 14:04 77824 C:\WINDOWS\SOUNDMAN.EXE]
"JobHisInit"="C:\Program Files\RMClient\JobHisInit.exe" [2005-11-01 10:52 151552]
"MplSetUp"="C:\Program Files\RMClient\MplSetUp.exe" [2005-06-01 01:59 40960]
"XP SecurityCenter"="C:\Program Files\XPSecurityCenter\XPSecurityCenter.exe" [2008-06-18 21:13 524476]

[HKLM\~\startupfolder\C:^Documents and Settings^Admin^Menu Start^Programy^Autostart^ctfmon.exe]
path=C:\Documents and Settings\Admin\Menu Start\Programy\Autostart\ctfmon.exe
backup=C:\WINDOWS\pss\ctfmon.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Function Palette.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Function Palette.lnk
backup=C:\WINDOWS\pss\Function Palette.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Wm Pelnomocnik^Menu Start^Programy^Autostart^Last.fm Helper.lnk]
path=C:\Documents and Settings\Wm Pelnomocnik\Menu Start\Programy\Autostart\Last.fm Helper.lnk
backup=C:\WINDOWS\pss\Last.fm Helper.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Wm Pelnomocnik^Menu Start^Programy^Autostart^OpenOffice.org 2.0.2.lnk]
path=C:\Documents and Settings\Wm Pelnomocnik\Menu Start\Programy\Autostart\OpenOffice.org 2.0.2.lnk
backup=C:\WINDOWS\pss\OpenOffice.org 2.0.2.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Wm Pelnomocnik^Menu Start^Programy^Autostart^Reboot.exe]
path=C:\Documents and Settings\Wm Pelnomocnik\Menu Start\Programy\Autostart\Reboot.exe
backup=C:\WINDOWS\pss\Reboot.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ADS]
--a------ 2006-09-25 08:08 209408 C:\Windows\ADS.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDMCon]
C:\Program Files\Softwin\BitDefender8\bdmcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDNewsAgent]
C:\Program Files\Softwin\BitDefender8\bdnagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\braviax]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2004-08-04 14:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gadu-Gadu]
D:\Sprawy komputerowe\Programs\Gadu Gadu\Gadu-Gadu\gg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Orb]
--a------ 2007-10-08 02:18 360448 C:\Program Files\Winamp Remote\bin\OrbTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-11-10 13:03 36975 C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\wianmpa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XP SecurityCenter]
--a------ 2008-06-18 21:13 524476 C:\Program Files\XPSecurityCenter\xpsecuritycenter.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\RDS\\PLTBar.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 HASP Loader;HASP Loader;C:\WINDOWS\system32\nhsrvice.exe [2003-05-01 13:35]
S1 VFILT;Outpost Firewall Kernel Driver;C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\2000\FILTNT.SYS []
S3 ADBLOCK.DLL;Outpost Firewall PlugIn (ADBLOCK.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\ADBLOCK.DLL []
S3 CONTENT.DLL;Outpost Firewall PlugIn (CONTENT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\CONTENT.DLL []
S3 DNSCACHE.DLL;Outpost Firewall PlugIn (DNSCACHE.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\DNSCACHE.DLL []
S3 EverestDriver;Lavalys EVEREST Kernel Driver;C:\Program Files\Lavalys\EVEREST Home Edition\kerneld.wnt []
S3 FTPFILT.DLL;Outpost Firewall PlugIn (FTPFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\FTPFILT.DLL []
S3 HTMLFILT.DLL;Outpost Firewall PlugIn (HTMLFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\HTMLFILT.DLL []
S3 HTTPFILT.DLL;Outpost Firewall PlugIn (HTTPFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\HTTPFILT.DLL []
S3 IMAPFILT.DLL;Outpost Firewall PlugIn (IMAPFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\IMAPFILT.DLL []
S3 k510bus;Sony Ericsson K510 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\k510bus.sys [2006-09-12 08:31]
S3 k510mdfl;Sony Ericsson K510 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\k510mdfl.sys [2006-09-12 08:31]
S3 k510mdm;Sony Ericsson K510 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\k510mdm.sys [2006-09-12 08:31]
S3 k510mgmt;Sony Ericsson K510 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\k510mgmt.sys [2006-09-12 08:31]
S3 k510obex;Sony Ericsson K510 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\k510obex.sys [2006-09-12 08:31]
S3 MAILFILT.DLL;Outpost Firewall PlugIn (MAILFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\MAILFILT.DLL []
S3 NNTPFILT.DLL;Outpost Firewall PlugIn (NNTPFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\NNTPFILT.DLL []
S3 POP3FILT.DLL;Outpost Firewall PlugIn (POP3FILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\POP3FILT.DLL []
S3 PROTECT.DLL;Outpost Firewall PlugIn (PROTECT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\PROTECT.DLL []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\Recycled\ctfmon.exe
\Shell\Open(&O)\command - C:\Recycled\Recycled\ctfmon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(&0)\command - D:\Recycled\ctfmon.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-05-14 20:09:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-20 13:57:37
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\EverestDriver]
"ImagePath"="\??\C:\Program Files\Lavalys\EVEREST Home Edition\kerneld.wnt"
.
Completion time: 2008-06-20 13:59:28
ComboFix-quarantined-files.txt 2008-06-20 11:59:23

Pre-Run: 30,725,693,440 bajtów wolnych
Post-Run: 30,715,719,680 bajtów wolnych

240 --- E O F --- 2008-06-12 06:34:17
Last edited by bobza on 20 Jun 2008, 14:10, edited 1 time in total




Posted by Magik, 20 Jun 2008, 14:09

Paste the ComboFix log too, and do:

1. Download OTMoveIt, launch it and run it with the CleanUp option :)
2. Perform a Windows optimisation
3. Download ATF_Cleaner, tick:
Windows Temp
All users Temp
Temporary internet files
Recycle Bin
and press EMPTY SELECTED
4. Turn off System Restore (My Computer properties - System Restore tab - turn off System Restore on all drives). After a moment, turn it back on.




Post by bobza, 20 Jun 2008, 14:12

OK, I've posted the log; the symptoms (at least the visible ones) have gone away.




Post by wojtas, 20 Jun 2008, 14:31

Open Notepad and paste this into it:

File::
C:\Program Files\Common Files\niduqy.sys
C:\WINDOWS\azituj.db
C:\WINDOWS\gepi.dll
C:\WINDOWS\yqaga._dl
C:\Program Files\Common Files\riruvefox.exe
C:\Documents and Settings\All Users\Dane aplikacji\umasu.vbs
C:\WINDOWS\ifisonuc.pif
C:\WINDOWS\system32\jynojiv.dll
C:\WINDOWS\edaxilyw.db
C:\WINDOWS\raxikyz.scr
C:\WINDOWS\system32\dadalu.sys
C:\WINDOWS\uzoneqotoj._dl
C:\WINDOWS\system32\ewyqyf.dl
C:\Program Files\Common Files\ibimysugag.dll
C:\Program Files\Common Files\tacon.bin
C:\WINDOWS\system32\oxylohi.dll
C:\WINDOWS\humazop.exe
C:\WINDOWS\system32\cipy.db
C:\Documents and Settings\All Users\Dane aplikacji\omogoliqam.exe
C:\WINDOWS\dofu.scr
C:\WINDOWS\enofu.reg
C:\Documents and Settings\All Users\Dane aplikacji\savazynite.bat
C:\Program Files\Common Files\lize.scr
C:\WINDOWS\zemaf.ban
C:\WINDOWS\epoj.bat
C:\Program Files\Common Files\tisyvu.dat
C:\WINDOWS\gemi.dll
C:\Documents and Settings\Admin\Dane aplikacji\qiduvulu.dat
C:\WINDOWS\system32\izamu.ban
C:\WINDOWS\vekuka.sys
C:\WINDOWS\asaratowo.pif
C:\WINDOWS\fiducujov.exe
C:\Documents and Settings\All Users\Dane aplikacji\letiby.dll
C:\Program Files\Common Files\tyrik.dat
C:\WINDOWS\system32\xilinovi.vbs
C:\WINDOWS\rahi.pif
C:\WINDOWS\system32\ekob.com
C:\WINDOWS\cyvyf._dl
C:\WINDOWS\system32\vesawuke.vbs
C:\WINDOWS\ilys.db
C:\Program Files\Common Files\zuvidok.reg
C:\Program Files\Common Files\asonyjah.dll
C:\Program Files\Common Files\yduhod.pif
C:\WINDOWS\system32\fitaja.db
C:\WINDOWS\system32\arumo.reg
C:\Documents and Settings\All Users\Dane aplikacji\wyhy.pif
C:\WINDOWS\ikekuci.inf
C:\Program Files\Common Files\ysilewaw.vbs
C:\WINDOWS\system32\idowulavoz.dat
C:\WINDOWS\uvekuj.sys
C:\WINDOWS\ajubypanip.bat
C:\WINDOWS\system32\asubeqan.bin
C:\WINDOWS\system32\iqixiqus.reg
C:\Program Files\Common Files\ogilo.exe
C:\WINDOWS\system32\lutaxad.pif
C:\Program Files\Common Files\ququc.ban
C:\Program Files\Common Files\xogelohecy.inf
C:\Program Files\Common Files\aketyp._dl
C:\Program Files\Common Files\faxafetuf.db
C:\Program Files\Common Files\osuk._dl
C:\Program Files\Common Files\highlight.rew

Folder::
C:\Program Files\XPSecurityCenter

Registry::
[-HKEY_LOCAL_MACHINE\~\startupfolder\C:^Documents and Settings^Wm Pelnomocnik^Menu Start^Programy^Autostart^Reboot.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ADS]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\braviax]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]


File >>> Save as CFScript.txt. Drag and drop the file onto the ComboFix icon (like here). Wait until a new log is generated and post it on the forum.



Post by bobza, 20 Jun 2008, 14:46

ComboFix 08-06-19.2 - Admin 2008-06-20 14:40:16.2 - NTFSx86
Running from: C:\Documents and Settings\TEMP\Pulpit\ComboFix.exe
Command switches used :: C:\Documents and Settings\TEMP\Pulpit\CFScript.txt.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\Admin\Dane aplikacji\qiduvulu.dat
C:\Documents and Settings\All Users\Dane aplikacji\letiby.dll
C:\Documents and Settings\All Users\Dane aplikacji\omogoliqam.exe
C:\Documents and Settings\All Users\Dane aplikacji\savazynite.bat
C:\Documents and Settings\All Users\Dane aplikacji\umasu.vbs
C:\Documents and Settings\All Users\Dane aplikacji\wyhy.pif
C:\Program Files\Common Files\aketyp._dl
C:\Program Files\Common Files\asonyjah.dll
C:\Program Files\Common Files\faxafetuf.db
C:\Program Files\Common Files\highlight.rew
C:\Program Files\Common Files\ibimysugag.dll
C:\Program Files\Common Files\lize.scr
C:\Program Files\Common Files\niduqy.sys
C:\Program Files\Common Files\ogilo.exe
C:\Program Files\Common Files\osuk._dl
C:\Program Files\Common Files\ququc.ban
C:\Program Files\Common Files\riruvefox.exe
C:\Program Files\Common Files\tacon.bin
C:\Program Files\Common Files\tisyvu.dat
C:\Program Files\Common Files\tyrik.dat
C:\Program Files\Common Files\xogelohecy.inf
C:\Program Files\Common Files\yduhod.pif
C:\Program Files\Common Files\ysilewaw.vbs
C:\Program Files\Common Files\zuvidok.reg
C:\WINDOWS\ajubypanip.bat
C:\WINDOWS\asaratowo.pif
C:\WINDOWS\azituj.db
C:\WINDOWS\cyvyf._dl
C:\WINDOWS\dofu.scr
C:\WINDOWS\edaxilyw.db
C:\WINDOWS\enofu.reg
C:\WINDOWS\epoj.bat
C:\WINDOWS\fiducujov.exe
C:\WINDOWS\gemi.dll
C:\WINDOWS\gepi.dll
C:\WINDOWS\humazop.exe
C:\WINDOWS\ifisonuc.pif
C:\WINDOWS\ikekuci.inf
C:\WINDOWS\ilys.db
C:\WINDOWS\rahi.pif
C:\WINDOWS\raxikyz.scr
C:\WINDOWS\system32\arumo.reg
C:\WINDOWS\system32\asubeqan.bin
C:\WINDOWS\system32\cipy.db
C:\WINDOWS\system32\dadalu.sys
C:\WINDOWS\system32\ekob.com
C:\WINDOWS\system32\ewyqyf.dl
C:\WINDOWS\system32\fitaja.db
C:\WINDOWS\system32\idowulavoz.dat
C:\WINDOWS\system32\iqixiqus.reg
C:\WINDOWS\system32\izamu.ban
C:\WINDOWS\system32\jynojiv.dll
C:\WINDOWS\system32\lutaxad.pif
C:\WINDOWS\system32\oxylohi.dll
C:\WINDOWS\system32\vesawuke.vbs
C:\WINDOWS\system32\xilinovi.vbs
C:\WINDOWS\uvekuj.sys
C:\WINDOWS\uzoneqotoj._dl
C:\WINDOWS\vekuka.sys
C:\WINDOWS\yqaga._dl
C:\WINDOWS\zemaf.ban
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
C:\Documents and Settings\Admin\Dane aplikacji\qiduvulu.dat
C:\Documents and Settings\All Users\Dane aplikacji\letiby.dll
C:\Documents and Settings\All Users\Dane aplikacji\omogoliqam.exe
C:\Documents and Settings\All Users\Dane aplikacji\savazynite.bat
C:\Documents and Settings\All Users\Dane aplikacji\umasu.vbs
C:\Documents and Settings\All Users\Dane aplikacji\wyhy.pif
C:\Program Files\Common Files\aketyp._dl
C:\Program Files\Common Files\asonyjah.dll
C:\Program Files\Common Files\faxafetuf.db
C:\Program Files\Common Files\highlight.rew
C:\Program Files\Common Files\ibimysugag.dll
C:\Program Files\Common Files\lize.scr
C:\Program Files\Common Files\niduqy.sys
C:\Program Files\Common Files\ogilo.exe
C:\Program Files\Common Files\osuk._dl
C:\Program Files\Common Files\ququc.ban
C:\Program Files\Common Files\riruvefox.exe
C:\Program Files\Common Files\tacon.bin
C:\Program Files\Common Files\tisyvu.dat
C:\Program Files\Common Files\tyrik.dat
C:\Program Files\Common Files\xogelohecy.inf
C:\Program Files\Common Files\yduhod.pif
C:\Program Files\Common Files\ysilewaw.vbs
C:\Program Files\Common Files\zuvidok.reg
C:\Program Files\XPSecurityCenter
C:\Program Files\XPSecurityCenter\data\daily.cvd
C:\Program Files\XPSecurityCenter\htmlayout.dll
C:\Program Files\XPSecurityCenter\install.exe
C:\Program Files\XPSecurityCenter\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest
C:\Program Files\XPSecurityCenter\Microsoft.VC80.CRT\msvcm80.dll
C:\Program Files\XPSecurityCenter\Microsoft.VC80.CRT\msvcp80.dll
C:\Program Files\XPSecurityCenter\Microsoft.VC80.CRT\msvcr80.dll
C:\Program Files\XPSecurityCenter\pthreadVC2.dll
C:\Program Files\XPSecurityCenter\un.ico
C:\Program Files\XPSecurityCenter\unzip32.dll
C:\Program Files\XPSecurityCenter\XP_SecurityCenter.cfg
C:\Program Files\XPSecurityCenter\XPSecurityCenter.dll
C:\Program Files\XPSecurityCenter\XPSecurityCenter.exe
C:\Recycled\Recycled
C:\Recycled\Recycled\ctfmon.exe
C:\WINDOWS\ajubypanip.bat
C:\WINDOWS\asaratowo.pif
C:\WINDOWS\azituj.db
C:\WINDOWS\cyvyf._dl
C:\WINDOWS\dofu.scr
C:\WINDOWS\edaxilyw.db
C:\WINDOWS\enofu.reg
C:\WINDOWS\epoj.bat
C:\WINDOWS\fiducujov.exe
C:\WINDOWS\gemi.dll
C:\WINDOWS\gepi.dll
C:\WINDOWS\humazop.exe
C:\WINDOWS\ifisonuc.pif
C:\WINDOWS\ikekuci.inf
C:\WINDOWS\ilys.db
C:\WINDOWS\rahi.pif
C:\WINDOWS\raxikyz.scr
C:\WINDOWS\system32\arumo.reg
C:\WINDOWS\system32\asubeqan.bin
C:\WINDOWS\system32\cipy.db
C:\WINDOWS\system32\dadalu.sys
C:\WINDOWS\system32\ekob.com
C:\WINDOWS\system32\ewyqyf.dl
C:\WINDOWS\system32\fitaja.db
C:\WINDOWS\system32\idowulavoz.dat
C:\WINDOWS\system32\iqixiqus.reg
C:\WINDOWS\system32\izamu.ban
C:\WINDOWS\system32\jynojiv.dll
C:\WINDOWS\system32\lutaxad.pif
C:\WINDOWS\system32\oxylohi.dll
C:\WINDOWS\system32\vesawuke.vbs
C:\WINDOWS\system32\xilinovi.vbs
C:\WINDOWS\uvekuj.sys
C:\WINDOWS\uzoneqotoj._dl
C:\WINDOWS\vekuka.sys
C:\WINDOWS\yqaga._dl
C:\WINDOWS\zemaf.ban

.
((((((((((((((((((((((((( Files Created from 2008-05-20 to 2008-06-20 )))))))))))))))))))))))))))))))
.

2008-06-20 14:35 . 2008-06-20 14:42 <DIR> d--h----- C:\Documents and Settings\TEMP\Ustawienia lokalne
2008-06-20 14:35 . 2008-06-20 14:36 <DIR> dr------- C:\Documents and Settings\TEMP\Ulubione
2008-06-20 14:35 . 2006-05-08 09:57 <DIR> d--h----- C:\Documents and Settings\TEMP\Szablony
2008-06-20 14:35 . 2008-06-20 14:40 <DIR> d-------- C:\Documents and Settings\TEMP\Pulpit
2008-06-20 14:35 . 2008-06-20 14:36 <DIR> dr------- C:\Documents and Settings\TEMP\Moje dokumenty
2008-06-20 14:35 . 2006-05-08 11:46 <DIR> dr------- C:\Documents and Settings\TEMP\Menu Start
2008-06-20 14:35 . 2008-06-20 14:36 <DIR> dr-h----- C:\Documents and Settings\TEMP\Dane aplikacji
2008-06-20 14:35 . 2008-06-20 14:35 <DIR> d-------- C:\Documents and Settings\TEMP
2008-06-20 13:32 . 2008-06-20 13:33 <DIR> d-------- C:\WINDOWS\ERUNT
2008-06-20 08:46 . 2008-06-20 08:53 <DIR> d-------- C:\Documents and Settings\Admin\Dane aplikacji\HouseCall 6.6
2008-06-20 08:46 . 2007-12-24 17:37 138,384 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-06-11 05:04 . 2008-04-14 17:53 273,024 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 05:04 . 2008-04-14 17:53 273,024 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-20 09:55 4,224 ----a-w C:\WINDOWS\system32\drivers\beep.sys
2008-06-03 13:14 --------- d-----w C:\Program Files\Kancelaris
2008-05-21 11:19 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Spybot - Search & Destroy
2008-05-16 10:45 --------- d-----w C:\Program Files\mcportal.pl
2008-05-16 10:41 --------- d-----w C:\Program Files\Trend Micro
2008-05-16 10:31 --------- d-----w C:\Program Files\Common Files\Softwin
2008-05-16 08:32 82,812,928 ------w C:\WINDOWS\Setup1.exe
2008-05-16 08:32 1,507,356 ----a-w C:\WINDOWS\msjet40.dll
2008-05-16 08:32 1,163,264 ----a-w C:\WINDOWS\system32\libmysql.dll
2008-05-16 08:31 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:16 1,291,264 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-23 07:20 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-03-25 04:52 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll
2008-03-25 04:52 178,976 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-20 08:09 1,845,504 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-20 07:29 35,840 ----a-w C:\WINDOWS\system32\zlib1.dll
.

------- Sigcheck -------

2006-05-09 08:22 504832 381221f69d1248864861889a64f100b6 C:\WINDOWS\system32\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0D64B7D5-18E0-4D26-8279-EB345003FE3E}]
2007-01-26 16:45 868410 --a------ C:\WINDOWS\DOWNLO~1\CONFLICT.1\GETION~1.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25CEE8EC-5730-41bc-8B58-22DDC8AB8C20}]
2007-12-13 18:49 1185120 --a------ C:\Program Files\Winamp Toolbar\winamptb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"= "C:\Program Files\Winamp Toolbar\winamptb.dll" [2007-12-13 18:49 1185120]

[HKEY_CLASSES_ROOT\clsid\{ebf2ba02-9094-4c5a-858b-bb198f3d8de2}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2004-07-13 03:57 53248 C:\WINDOWS\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [2004-06-21 20:57 143360 C:\WINDOWS\system32\VTTrayp.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-01-20 14:04 77824 C:\WINDOWS\SOUNDMAN.EXE]
"JobHisInit"="C:\Program Files\RMClient\JobHisInit.exe" [2005-11-01 10:52 151552]
"MplSetUp"="C:\Program Files\RMClient\MplSetUp.exe" [2005-06-01 01:59 40960]
"XP SecurityCenter"="C:\Program Files\XPSecurityCenter\XPSecurityCenter.exe" [ ]

[HKLM\~\startupfolder\C:^Documents and Settings^Admin^Menu Start^Programy^Autostart^ctfmon.exe]
path=C:\Documents and Settings\Admin\Menu Start\Programy\Autostart\ctfmon.exe
backup=C:\WINDOWS\pss\ctfmon.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Function Palette.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Function Palette.lnk
backup=C:\WINDOWS\pss\Function Palette.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Wm Pelnomocnik^Menu Start^Programy^Autostart^Last.fm Helper.lnk]
path=C:\Documents and Settings\Wm Pelnomocnik\Menu Start\Programy\Autostart\Last.fm Helper.lnk
backup=C:\WINDOWS\pss\Last.fm Helper.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Wm Pelnomocnik^Menu Start^Programy^Autostart^OpenOffice.org 2.0.2.lnk]
path=C:\Documents and Settings\Wm Pelnomocnik\Menu Start\Programy\Autostart\OpenOffice.org 2.0.2.lnk
backup=C:\WINDOWS\pss\OpenOffice.org 2.0.2.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Wm Pelnomocnik^Menu Start^Programy^Autostart^Reboot.exe]
path=C:\Documents and Settings\Wm Pelnomocnik\Menu Start\Programy\Autostart\Reboot.exe
backup=C:\WINDOWS\pss\Reboot.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDMCon]
C:\Program Files\Softwin\BitDefender8\bdmcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDNewsAgent]
C:\Program Files\Softwin\BitDefender8\bdnagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2004-08-04 14:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gadu-Gadu]
D:\Sprawy komputerowe\Programs\Gadu Gadu\Gadu-Gadu\gg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Orb]
--a------ 2007-10-08 02:18 360448 C:\Program Files\Winamp Remote\bin\OrbTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-11-10 13:03 36975 C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\wianmpa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XP SecurityCenter]
C:\Program Files\XPSecurityCenter\xpsecuritycenter.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\RDS\\PLTBar.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 HASP Loader;HASP Loader;C:\WINDOWS\system32\nhsrvice.exe [2003-05-01 13:35]
S1 VFILT;Outpost Firewall Kernel Driver;C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\2000\FILTNT.SYS []
S3 ADBLOCK.DLL;Outpost Firewall PlugIn (ADBLOCK.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\ADBLOCK.DLL []
S3 CONTENT.DLL;Outpost Firewall PlugIn (CONTENT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\CONTENT.DLL []
S3 DNSCACHE.DLL;Outpost Firewall PlugIn (DNSCACHE.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\DNSCACHE.DLL []
S3 EverestDriver;Lavalys EVEREST Kernel Driver;C:\Program Files\Lavalys\EVEREST Home Edition\kerneld.wnt []
S3 FTPFILT.DLL;Outpost Firewall PlugIn (FTPFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\FTPFILT.DLL []
S3 HTMLFILT.DLL;Outpost Firewall PlugIn (HTMLFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\HTMLFILT.DLL []
S3 HTTPFILT.DLL;Outpost Firewall PlugIn (HTTPFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\HTTPFILT.DLL []
S3 IMAPFILT.DLL;Outpost Firewall PlugIn (IMAPFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\IMAPFILT.DLL []
S3 k510bus;Sony Ericsson K510 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\k510bus.sys [2006-09-12 08:31]
S3 k510mdfl;Sony Ericsson K510 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\k510mdfl.sys [2006-09-12 08:31]
S3 k510mdm;Sony Ericsson K510 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\k510mdm.sys [2006-09-12 08:31]
S3 k510mgmt;Sony Ericsson K510 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\k510mgmt.sys [2006-09-12 08:31]
S3 k510obex;Sony Ericsson K510 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\k510obex.sys [2006-09-12 08:31]
S3 MAILFILT.DLL;Outpost Firewall PlugIn (MAILFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\MAILFILT.DLL []
S3 NNTPFILT.DLL;Outpost Firewall PlugIn (NNTPFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\NNTPFILT.DLL []
S3 POP3FILT.DLL;Outpost Firewall PlugIn (POP3FILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\POP3FILT.DLL []
S3 PROTECT.DLL;Outpost Firewall PlugIn (PROTECT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\PROTECT.DLL []

.
Contents of the 'Scheduled Tasks' folder
"2008-05-14 20:09:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-20 14:42:47
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\EverestDriver]
"ImagePath"="\??\C:\Program Files\Lavalys\EVEREST Home Edition\kerneld.wnt"
.
Completion time: 2008-06-20 14:44:33
ComboFix-quarantined-files.txt 2008-06-20 12:44:29

Pre-Run: 31,093,436,416 bajtów wolnych
Post-Run: 31,078,985,728 bajtów wolnych

312 --- E O F --- 2008-06-12 06:34:17
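After running a CFScript the helper still has to compare what was asked for with what ComboFix reports under "Other Deletions": everything requested should appear there, and anything deleted beyond the request (here C:\autorun.inf, the Recycled\ctfmon.exe copy and the contents of the XPSecurityCenter folder) is worth noting because it shows what the script missed and ComboFix caught on its own. The Python script below is an added example serving both wojtas's CFScript post and the resulting log above; it is not part of the thread and not ComboFix's own code. It parses a constructed CFScript and a constructed log excerpt (both subsets of the lists above, with one made-up path, `C:\WINDOWS\never_there.tmp`, added to show a miss) and reports the two differences.

```python
from __future__ import annotations

# Constructed CFScript, a subset of the one posted above plus one path that
# does not exist on the machine, so the reconciliation has something to miss.
CFSCRIPT = r"""
File::
C:\WINDOWS\gepi.dll
C:\WINDOWS\system32\jynojiv.dll
C:\Program Files\Common Files\riruvefox.exe
C:\WINDOWS\never_there.tmp

Folder::
C:\Program Files\XPSecurityCenter

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
"""

# Constructed ComboFix log excerpt, shaped like the "Other Deletions" section above.
COMBOFIX_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
C:\Program Files\Common Files\riruvefox.exe
C:\Program Files\XPSecurityCenter
C:\Program Files\XPSecurityCenter\XPSecurityCenter.exe
C:\Recycled\Recycled\ctfmon.exe
C:\WINDOWS\gepi.dll
C:\WINDOWS\system32\jynojiv.dll

.
((((((((((((((((((((((((( Files Created from 2008-05-20 to 2008-06-20 )))))))))))))))))))))))))))))))
.
"""


def parse_cfscript(text: str) -> dict[str, list[str]]:
    """Split a CFScript into its sections ('File', 'Folder', 'Registry', ...)."""
    sections: dict[str, list[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):          # section header such as "File::"
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_deletions(log: str) -> list[str]:
    """Collect the paths listed under ComboFix's 'Other Deletions' banner."""
    paths, inside = [], False
    for raw in log.splitlines():
        line = raw.strip()
        if "Other Deletions" in line:
            inside = True
            continue
        if inside and line.startswith("(((("):   # the next banner ends the section
            break
        if inside and line and line != ".":
            paths.append(line)
    return paths


def reconcile(cfscript: str, log: str) -> dict[str, list[str]]:
    """Return the requested paths ComboFix did not delete and the deletions nobody requested."""
    sections = parse_cfscript(cfscript)
    files = sections.get("File", [])
    folders = [p.rstrip("\\") for p in sections.get("Folder", [])]
    deleted = parse_deletions(log)
    deleted_lower = {p.lower() for p in deleted}
    folders_lower = {f.lower() for f in folders}
    files_lower = {f.lower() for f in files}

    def covered(path: str) -> bool:
        # A deletion is explained if it was listed under File::, is a Folder::
        # entry itself, or sits inside a requested folder.
        low = path.lower()
        return (low in files_lower or low in folders_lower
                or any(low.startswith(f + "\\") for f in folders_lower))

    not_deleted = [p for p in files + folders if p.lower() not in deleted_lower]
    not_requested = [p for p in deleted if not covered(p)]
    return {"not_deleted": not_deleted, "not_requested": not_requested}


if __name__ == "__main__":
    result = reconcile(CFSCRIPT, COMBOFIX_LOG)
    print("Requested but not deleted:", *result["not_deleted"], sep="\n  ")
    print("Deleted but not requested:", *result["not_requested"], sep="\n  ")
```

Paths are compared case-insensitively because Windows paths are, and the Registry:: section is parsed but not reconciled, since ComboFix reports registry removals in a different part of the log.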




Post by Magik, 20 Jun 2008, 14:48

Okie :wink:

Manually delete CF's quarantine: C:\Qoobox
and, as after every scan with the above-mentioned program, go over the disk with the "vacuum cleaner" and that's it :D



Post by bobza, 20 Jun 2008, 14:50

Thank you, gentlemen
