I did a format and here are the logs from HJT and ComboFix
HJT:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:20:58, on 2008-06-04
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox 3 Beta 5\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
--
End of file - 2499 bytes
Combofix:
ComboFix 08-06-03.4 - Admin - Łukasz 2008-06-04 22:17:52.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.56 [GMT 2:00]
Running from: C:\Documents and Settings\Admin - Łukasz\Pulpit\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-05-04 to 2008-06-04 )))))))))))))))))))))))))))))))
.
2008-06-22 19:36 . 2008-06-22 19:36 0 --a------ C:\WINDOWS\nsreg.dat
2008-06-22 19:34 . 2008-06-22 19:34 <DIR> d-------- C:\Program Files\Mozilla Firefox 3 Beta 5
2008-06-22 19:13 . 2008-06-22 19:13 <DIR> d-------- C:\Program Files\Winamp
2008-06-22 19:12 . 2008-06-22 19:12 152 --a------ C:\WINDOWS\CoolPlay.ini
2008-06-22 19:09 . 2008-06-22 19:09 <DIR> d-------- C:\Program Files\Gadu-Gadu
2008-06-22 19:09 . 2008-06-22 19:09 <DIR> d-------- C:\Documents and Settings\Admin - Łukasz\Gadu-Gadu
2008-06-22 19:09 . 2008-06-22 19:09 <DIR> d-------- C:\Documents and Settings\Admin - Łukasz\Gadu-Gadu
2008-06-22 19:05 . 2008-06-22 18:03 <DIR> d--h----- C:\Documents and Settings\Dominik\Ustawienia lokalne
2008-06-22 19:05 . 2008-06-22 19:06 <DIR> dr------- C:\Documents and Settings\Dominik\Ulubione
2008-06-22 19:05 . 2008-06-22 18:03 <DIR> d--h----- C:\Documents and Settings\Dominik\Szablony
2008-06-22 19:05 . 2008-06-22 18:03 <DIR> d-------- C:\Documents and Settings\Dominik\Pulpit
2008-06-22 19:05 . 2008-06-22 19:06 <DIR> dr------- C:\Documents and Settings\Dominik\Moje dokumenty
2008-06-22 19:05 . 2008-06-22 18:03 <DIR> dr------- C:\Documents and Settings\Dominik\Menu Start
2008-06-22 19:05 . 2008-06-22 18:03 <DIR> dr-h----- C:\Documents and Settings\Dominik\Dane aplikacji
2008-06-22 19:05 . 2008-06-22 19:05 <DIR> d-------- C:\Documents and Settings\Dominik
2008-06-22 19:04 . 2008-06-04 21:13 64,900 --a------ C:\WINDOWS\system32\DVCState-{00000000-00000000-00000009-00001102-00000005-00211102}.rfx
2008-06-22 19:04 . 2008-06-04 21:13 55,452 --a------ C:\WINDOWS\system32\BMXStateBkp-{00000000-00000000-00000009-00001102-00000005-00211102}.rfx
2008-06-22 19:04 . 2008-06-04 21:13 55,452 --a------ C:\WINDOWS\system32\BMXState-{00000000-00000000-00000009-00001102-00000005-00211102}.rfx
2008-06-22 19:04 . 2008-06-04 21:13 1,080 --a------ C:\WINDOWS\system32\settingsbkup.sfm
2008-06-22 19:04 . 2008-06-04 21:13 1,080 --a------ C:\WINDOWS\system32\settings.sfm
2008-06-22 19:03 . 2000-05-22 10:58 647,872 --------- C:\WINDOWS\system32\Mscomct2.ocx
2008-06-22 19:03 . 2000-05-11 01:00 90,112 --------- C:\WINDOWS\Updreg.EXE
2008-06-22 19:03 . 1999-10-10 19:00 41,984 --------- C:\WINDOWS\Ctregrun.exe
2008-06-22 19:02 . 2005-02-07 11:45 3,128 -ra------ C:\WINDOWS\system32\XFi.bmp
2008-06-22 19:02 . 2005-02-07 11:45 766 -ra------ C:\WINDOWS\system32\SBXFi.ico
2008-06-22 19:01 . 2008-06-22 19:01 <DIR> d-------- C:\WINDOWS\system32\Data
2008-06-22 19:01 . 2008-06-22 19:01 <DIR> d-------- C:\Documents and Settings\Admin - Łukasz\Dane aplikacji\Creative
2008-06-22 19:01 . 2008-06-22 19:01 409,600 --a------ C:\WINDOWS\system32\wrap_oal.dll
2008-06-22 19:01 . 2006-05-24 07:47 86,445 -ra------ C:\WINDOWS\system32\instwdm.ini
2008-06-22 19:01 . 2008-06-22 19:01 86,016 --a------ C:\WINDOWS\system32\OpenAL32.dll
2008-06-22 19:01 . 2006-05-24 06:55 11,776 --a------ C:\WINDOWS\INRES.DLL
2008-06-22 19:01 . 2006-05-24 06:20 10,240 --a------ C:\WINDOWS\CTDCRES.DLL
2008-06-22 19:01 . 2006-05-24 06:20 3,072 --a------ C:\WINDOWS\CTXFIRES.DLL
2008-06-22 19:01 . 2006-05-24 05:15 191 -ra------ C:\WINDOWS\system32\ctzapxx.ini
2008-06-22 19:00 . 2000-12-13 12:21 7,572,224 --------- C:\WINDOWS\system32\CT8MGM.SF2
2008-06-22 19:00 . 2000-12-05 03:11 4,174,814 --------- C:\WINDOWS\system32\CT4MGM.SF2
2008-06-22 19:00 . 1999-09-22 17:18 2,167,684 --------- C:\WINDOWS\system32\CT2MGM.SF2
2008-06-04 22:14 . 2008-06-04 22:14 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-04 22:12 . 2008-06-04 22:12 <DIR> d--hs---- C:\FOUND.000
2008-06-04 21:02 . 2008-06-04 21:02 <DIR> d-------- C:\Program Files\VirtualDJ
2008-06-04 20:31 . 2008-06-04 20:31 <DIR> d-------- C:\Program Files\Native Instruments
2008-06-04 14:32 . 2008-06-04 14:32 <DIR> d--hs---- C:\Recycled
2008-06-03 21:26 . 2008-06-03 21:26 <DIR> d-------- C:\Documents and Settings\Admin - Łukasz\Dane aplikacji\vlc
2008-06-03 21:25 . 2008-06-03 21:25 <DIR> d-------- C:\Program Files\VideoLAN
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-22 16:59 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Creative
2008-06-22 16:56 --------- d-----w C:\Program Files\Creative
2008-06-22 16:55 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-22 16:55 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-06-22 16:16 --------- d-----w C:\Program Files\microsoft frontpage
2008-06-22 16:11 --------- d-----w C:\Program Files\Usługi online
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 00:44 1667584]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-01-30 16:58 1716224]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VolPanel"="C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2006-04-05 18:19 122880]
"CTHelper"="CTHELPER.EXE" [2006-05-24 06:20 17920 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-05-24 06:20 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2006-11-21 19:38 35328]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:44 15360]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Gadu-Gadu\\gg.exe"=
R3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys [2006-05-24 05:40]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a75d7542-4084-11dd-a474-806d6172696f}]
\Shell\AutoRun\command - G:\SETUP.EXE
*Newly Created Service* - CATCHME
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-04 22:19:07
Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI
scanning hidden processes ...
C:\WINDOWS\Explorer.EXE [1448] 0x81944828
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-06-04 22:19:42
ComboFix-quarantined-files.txt 2008-06-04 20:19:40
Pre-Run: 5,515,206,656 bajtów wolnych
Post-Run: 5,677,735,936 bajtów wolnych
CPU usage fluctuates between 30% and 75%. Sorry for the unnecessary posts.
