Mam problem z programem Malware Doctor. Poniżej zamieszczam logi z ComboFixa:
ComboFix 09-05-28.07 - Kuba 2009-05-29 11:09.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1250.48.1045.18.2047.1508 [GMT 2:00]
Uruchomiony z: d:\moje dokumenty\Maszyny\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
.
((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.
f:\documents and settings\Kuba.KUBA-NW\Dane aplikacji\wiaserva.log
f:\documents and settings\LocalService\Dane aplikacji\691447002.exe
f:\windows\system\mmtaskclean.log
f:\windows\system32\avast!Antivirus.exe
f:\windows\system32\drivers\zexdvsw.sys
f:\windows\system32\sft.res
.
((((((((((((((((((((((((((((((((((((((( Sterowniki/Usługi )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_avast!antivirus
-------\Service_avast!antivirus
((((((((((((((((((((((((( Pliki utworzone od 2009-04-28 do 2009-05-29 )))))))))))))))))))))))))))))))
.
2009-05-29 08:28 . 2009-05-29 08:28 -------- d-----w f:\documents and settings\Kuba.KUBA-NW\Dane aplikacji\Malwarebytes
2009-05-29 08:28 . 2009-05-26 11:20 40160 ----a-w f:\windows\system32\drivers\mbamswissarmy.sys
2009-05-29 08:28 . 2009-05-29 08:28 -------- d-----w f:\documents and settings\All Users\Dane aplikacji\Malwarebytes
2009-05-29 08:28 . 2009-05-26 11:19 19096 ----a-w f:\windows\system32\drivers\mbam.sys
2009-05-29 08:17 . 2009-05-29 08:17 32768 ----a-w f:\windows\system32\avast!Antivirus(3).exe
2009-05-03 22:50 . 2009-05-03 22:50 -------- d-----w f:\documents and settings\KUBA~1~KUB\USTAWI~1
2009-05-03 22:50 . 2009-05-03 22:50 -------- d-----w f:\documents and settings\KUBA~1~KUB
2009-05-03 21:58 . 2009-05-03 21:58 -------- d-----w f:\program files\Common Files\Wise Installation Wizard
2009-05-03 21:21 . 2009-05-03 21:48 -------- d-----w f:\program files\AGEIA Technologies
2009-05-03 21:21 . 2009-05-03 21:21 -------- d-----w f:\windows\system32\AGEIA
2009-05-02 08:51 . 2009-05-02 08:51 -------- d-----w f:\documents and settings\Kuba.KUBA-NW\Dane aplikacji\New Technology Studio
2009-04-29 22:18 . 2009-04-29 22:18 -------- d-----w F:\t
2009-04-29 22:05 . 2009-04-29 22:05 -------- d-----w F:\d
2009-04-29 21:53 . 2007-07-24 13:58 95616 ----a-w F:\junction.exe
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-29 09:13 . 2009-04-05 08:53 83294 ----a-w f:\windows\system32\drivers\45ec582f.sys
2009-05-29 09:13 . 2008-11-27 15:25 -------- d-----w f:\documents and settings\Kuba.KUBA-NW\Dane aplikacji\Orbit
2009-05-29 09:10 . 2008-12-03 17:56 814312 ----a-w f:\documents and settings\LocalService\Ustawienia lokalne\Dane aplikacji\FontCache3.0.0.0.dat
2009-05-29 08:52 . 2008-03-31 07:42 -------- d-----w f:\program files\Kalendarz XP
2009-05-29 08:13 . 2009-05-03 21:44 4904 ----a-w f:\windows\system32\PerfStringBackup.TMP
2009-05-29 08:13 . 2004-08-04 12:00 90632 ----a-w f:\windows\system32\perfc015.dat
2009-05-29 08:13 . 2004-08-04 12:00 503918 ----a-w f:\windows\system32\perfh015.dat
2009-05-28 20:28 . 2008-03-29 10:21 -------- d-----w f:\program files\Mozilla Thunderbird
2009-05-20 22:10 . 2008-04-20 16:02 -------- d-----w f:\documents and settings\Kuba.KUBA-NW\Dane aplikacji\Skype
2009-05-20 06:00 . 2008-04-20 16:13 -------- d-----w f:\documents and settings\Kuba.KUBA-NW\Dane aplikacji\skypePM
2009-05-03 22:50 . 2008-02-28 21:38 -------- d-----w f:\program files\Realtek
2009-05-03 21:08 . 2008-09-15 16:20 -------- d-----w f:\documents and settings\Kuba.KUBA-NW\Dane aplikacji\GetRightToGo
2009-04-29 22:33 . 2008-03-29 10:14 -------- d-----w f:\program files\Microsoft Office backup
2009-04-28 22:58 . 2009-04-28 22:58 221252 ----a-w f:\windows\system32\maskDll.dll
2009-04-28 22:58 . 2009-04-28 22:58 200776 ----a-w f:\windows\system32\unMaskDLL.dll
2009-04-27 16:33 . 2008-02-28 21:25 78800 ----a-w f:\documents and settings\Kuba.KUBA-NW\Ustawienia lokalne\Dane aplikacji\GDIPFONTCACHEV1.DAT
2009-04-26 23:46 . 2008-02-28 21:35 -------- d--h--w f:\program files\InstallShield Installation Information
2009-04-19 19:21 . 2009-04-19 19:20 -------- d-----w f:\program files\DOSBox-0.72
2009-04-15 11:24 . 2009-04-15 11:24 29184 ----a-w f:\windows\system32\smstf.dll
2009-04-11 17:16 . 2008-11-27 15:25 -------- d-----w f:\program files\Orbitdownloader
2009-04-07 18:19 . 2008-03-29 10:49 -------- d-----w f:\program files\Gadu-Gadu
2009-03-30 20:57 . 2008-05-12 10:18 -------- d-----w f:\program files\NAPI-PROJEKT
2009-03-27 06:14 . 2008-03-10 17:50 453152 ----a-w f:\windows\system32\NVUNINST.EXE
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f30b5e7e-cfbb-44fb-a947-226e5a7a4290}]
2009-05-29 09:13 29184 ----a-w f:\windows\system32\jhxm32.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="f:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"SkinClock"="f:\program files\Desktop Tray Clock\DTClock.exe" [2006-08-18 1712128]
"DAEMON Tools"="f:\program files\DAEMON Tools\daemon.exe" [2007-09-18 171464]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="f:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-02-28 1828136]
"AdobeUpdater"="f:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 2321600]
"RGSC"="e:\gta4\Rockstar Games Social Club\RGSCLauncher.exe" [2008-12-13 306088]
"Malware Doctor"="f:\documents and settings\LocalService\Dane aplikacji\691447002.exe" [2009-05-29 96768]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="f:\windows\system32\NvCpl.dll" [2009-03-27 13684736]
"Adobe Reader Speed Launcher"="f:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"WinampAgent"="f:\program files\winamp\winampa.exe" [2008-01-15 37376]
"avgnt"="f:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 262401]
"NeroFilterCheck"="f:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-04-28 570664]
"NBKeyScan"="e:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 2221352]
"SunJavaUpdateSched"="f:\program files\Java\jre6\bin\jusched.exe" [2008-12-01 136600]
"NvMediaCenter"="f:\windows\system32\NvMcTray.dll" [2009-03-27 86016]
"Malware Doctor"="f:\documents and settings\LocalService\Dane aplikacji\691447002.exe" [2009-05-29 96768]
"RTHDCPL"="RTHDCPL.EXE" - f:\windows\RTHDCPL.exe [2007-03-21 16126464]
"nwiz"="nwiz.exe" - f:\windows\system32\nwiz.exe [2009-03-27 1657376]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="f:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
f:\documents and settings\Kuba.KUBA-NW\Menu Start\Programy\Autostart\
kalendarz.lnk - f:\program files\Kalendarz XP\Start.exe [2008-3-31 30208]
f:\documents and settings\All Users\Menu Start\Programy\Autostart\
Orbit.lnk - f:\program files\Orbitdownloader\orbitdm.exe [2008-11-27 1690824]
Przyspieszenie uruchomienia programu AutoCAD.lnk - f:\program files\Common Files\Autodesk Shared\acstart17.exe [2006-3-5 11000]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Test drive\\TestDriveUnlimited.exe"=
"f:\\Program Files\\Gadu-Gadu\\gg.exe"=
"f:\\Program Files\\mIRC\\mirc.exe"=
"d:\\Alien Shooter 2\\AlienShooter.exe"=
"d:\\Program Files\\WapSter\\AQQ\\AQQ.exe"=
"d:\\PROGRA~1\\WapSter\\AQQ\\AQQ.exe"=
"d:\\Program Files\\Gadu-Gadu\\gg.exe"=
"d:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XII.SP2c\\RpcAgentSrv.exe"=
"d:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XII.SP2c\\WNt500x86\\RpcSandraSrv.exe"=
"d:\\Program Files\\eMule\\emule.exe"=
"e:\\Sid Meier's Civilization 4 Complete\\Civilization4.exe"=
"e:\\Sid Meier's Civilization 4 Complete\\Warlords\\Civ4Warlords.exe"=
"e:\\Sid Meier's Civilization 4 Complete\\Beyond the Sword\\Civ4BeyondSword.exe"=
"e:\\Sid Meier's Civilization 4 Complete\\Warlords\\Civ4Warlords_PitBoss.exe"=
"e:\\Sid Meier's Civilization 4 Complete\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"g:\\HEROES3\\Death\\Heroes3.exe"=
"d:\\Herosi\\Heroes3.exe"=
"f:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"f:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"e:\\GTA 4\\Grand Theft Auto IV\\LaunchGTAIV.exe"=
"e:\\GTA 4\\Grand Theft Auto IV\\GTAIV.exe"=
"e:\\GTA4\\Rockstar Games Social Club\\RGSCLauncher.exe"=
"f:\\Program Files\\Skype\\Phone\\Skype.exe"=
"d:\\Supreme Commander\\Supreme Commander - Forged Alliance\\bin\\ForgedAlliance.exe"=
"d:\\Supreme Commander\\Supreme Commander\\bin\\SupremeCommander.exe"=
"d:\\Supreme Commander\\GPGNet\\GPG.Multiplayer.Client.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"444:UDP"= 444:UDP:444
"444:TCP"= 444:TCP:444
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
R2 ABBYY.Licensing.FineReader.Professional.9.0;ABBYY FineReader 9.0 PE Licensing Service;f:\program files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe [2007-12-06 660768]
R2 avast!Antivirus;avast!Antivirus;f:\windows\System32\avast!Antivirus.exe -k netsvcs --> f:\windows\System32\avast!Antivirus.exe -k netsvcs [?]
R2 SandraAgentSrv;SiSoftware Deployment Agent Service;d:\program files\SiSoftware\SiSoftware Sandra Lite XII.SP2c\RpcAgentSrv.exe [2008-07-13 98488]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;f:\windows\system32\drivers\atl01_xp.sys [2008-02-28 38656]
R3 DDCCI;DDC/CI monitor;f:\windows\system32\drivers\Moni2c.sys [2008-03-27 6494]
S0 bvli;bvli;f:\windows\system32\drivers\zexdvsw.sys --> f:\windows\system32\drivers\zexdvsw.sys [?]
S3 NDSPCIIO;NDSPCIIO;\??\f:\windows\system32\DRIVERS\NDSPCIIO.SYS --> f:\windows\system32\DRIVERS\NDSPCIIO.SYS [?]
--- Inne Usługi/Sterowniki w Pamięci ---
*NewlyCreated* - avast!antivirus
.
- - - - USUNIĘTO PUSTE WPISY - - - -
HKCU-Run-wsctf.exe - wsctf.exe
Notify-WgaLogon - (no file)
SafeBoot-procexp90.sys
.
------- Skan uzupełniający -------
.
uStart Page = hxxp://search.orbitdownloader.com/
IE: &Download by Orbit - f:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - f:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Add to Google Photos Screensa&ver - f:\windows\system32\GPhotos.scr/200
IE: Do&wnload selected by Orbit - f:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - f:\program files\Orbitdownloader\orbitmxt.dll/202
IE: E&ksport do programu Microsoft Excel - f:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - f:\documents and settings\Kuba.KUBA-NW\Dane aplikacji\Mozilla\Firefox\Profiles\d0gqwv3v.default\
FF - prefs.js: browser.startup.homepage - www.onet.pl
FF - plugin: d:\opera\program\plugins\npdsplay.dll
FF - plugin: d:\opera\program\plugins\npwmsdrm.dll
FF - plugin: f:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: f:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: f:\program files\Mozilla Firefox\plugins\npOggX.dll
---- FIREFOX - SPOSÓB POSTĘPOWANIA ----
FF - user.js: security.checkloaduri - false
FF - user.js: capability.policy.default.checkloaduri.enabled - allAccess.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-29 11:13
Windows 5.1.2600 Dodatek Service Pack 3 NTFS
skanowanie ukrytych procesów ...
skanowanie ukrytych wpisów autostartu ...
skanowanie ukrytych plików ...
f:\windows\system32\jhxm32.dll
skanowanie pomyślnie ukończone
ukryte pliki: 1
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\45ec582f]
"ImagePath"="\SystemRoot\System32\drivers\45ec582f.sys"
.
--------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------
[HKEY_USERS\s-1-5-21-436374069-1060284298-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:c2,f8,76,21,3f,ba,cb,dc,db,5a,01,5d,88,f1,d9,d2,bc,9e,27,dc,a5,da,35,
19,14,4d,ab,35,3a,d6,19,05,19,64,b2,27,f9,5c,f4,8d,64,2e,3c,e0,31,aa,21,29,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50
[HKEY_USERS\s-1-5-21-436374069-1060284298-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:d8,60,ff,89,e6,f2,7c,f6,a6,e0,c6,52,85,09,f2,67,a4,70,ea,f0,ba,
e7,03,7f,b2,9c,08,8e,ab,e8,ee,83,0f,66,eb,ed,29,bc,7c,5b,1e,d5,eb,19,13,f3,\
"rkeysecu"=hex:2f,0f,d5,3e,02,2b,06,63,b1,0b,dd,b6,71,e2,54,98
.
--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------
- - - - - - - > 'explorer.exe'(1732)
f:\program files\Desktop Tray Clock\Clock.dll
f:\windows\system32\WPDShServiceObj.dll
f:\windows\system32\PortableDeviceTypes.dll
f:\windows\system32\PortableDeviceApi.dll
f:\windows\system32\browselc.dll
f:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
f:\windows\system32\jhxm32.dll
f:\program files\Microsoft Office\OFFICE11\msohev.dll
f:\program files\Common Files\Nero\Lib\NeroDigitalExt.dll
f:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
.
------------------------ Pozostałe uruchomione procesy ------------------------
.
f:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
d:\program files junction\Adobe\Reader 8.0\Reader\reader_sl.exe
f:\windows\system32\rundll32.exe
f:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
f:\program files\Java\jre6\bin\jqs.exe
f:\program files\Orbitdownloader\orbitnet.exe
e:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
f:\program files\Kalendarz XP\Kalendarz.exe
f:\windows\system32\nvsvc32.exe
f:\windows\system32\IoctlSvc.exe
f:\windows\system32\wscntfy.exe
f:\program files\Common Files\Nero\Lib\NMIndexingService.exe
f:\windows\system32\wbem\wmiapsrv.exe
f:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
f:\windows\system32\avast!Antivirus.exe
f:\windows\system32\notepad.exe
.
**************************************************************************
.
Czas ukończenia: 2009-05-29 11:14 - komputer został uruchomiony ponownie
ComboFix-quarantined-files.txt 2009-05-29 09:14
Przed: 1 818 087 424 bajtów wolnych
Po: 2 388 976 128 bajtów wolnych
WindowsXP-KB310994-SP2-Pro-BootDisk-PLK.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
234 --- E O F --- 2009-03-12 02:01
Co z tym fantem zrobić?