After that ComboFix run, I got this log:
ComboFix 08-09-14.02 - Mariusz 2008-09-15 10:05:19.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1250.1.1045.18.930 [GMT 2:00]
Uruchomiony z: C:\Documents and Settings\Mariusz\Pulpit\Nowy folder\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mariusz\Pulpit\Nowy folder\CFScript.txt
* Utworzono nowy punkt przywracania
* Resident AV is active
UWAGA - TEN KOMPUTER NIE MA ZAINSTALOWANEJ KONSOLI ODZYSKIWANIA
.
((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\avi.dll
C:\WINDOWS\system32\dwwnw64r.exe
C:\WINDOWS\system32\ertqcadzqk.dll
C:\WINDOWS\system32\ff_liba52.dll
C:\WINDOWS\system32\ff_libdts.dll
C:\WINDOWS\system32\ff_libfaad2.dll
C:\WINDOWS\system32\ff_libmad.dll
C:\WINDOWS\system32\ff_realaac.dll
C:\WINDOWS\system32\ff_samplerate.dll
C:\WINDOWS\system32\ff_tremor.dll
C:\WINDOWS\system32\ff_unrar.dll
C:\WINDOWS\system32\ff_wmv9.dll
C:\WINDOWS\system32\gside.exe
C:\WINDOWS\system32\libavcodec.dll
C:\WINDOWS\system32\libFLAC.dll
C:\WINDOWS\system32\libmpeg2_ff.dll
C:\WINDOWS\system32\libmplayer.dll
C:\WINDOWS\system32\mkunicode.dll
C:\WINDOWS\system32\mkx.dll
C:\WINDOWS\system32\mkzlib.dll
C:\WINDOWS\system32\mmfinfo.dll
C:\WINDOWS\system32\mp4.dll
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\ogm.dll
C:\WINDOWS\system32\rmwnw64l.exe
C:\WINDOWS\system32\ts.dll
C:\WINDOWS\system32\winpfz33.sys
C:\WINDOWS\system32\zxdnt3d.cfg
.
((((((((((((((((((((((((( Pliki utworzone od 2008-08-15 do 2008-09-15 )))))))))))))))))))))))))))))))
.
2008-09-15 09:21 . 2008-09-15 09:21 250 --a------ C:\WINDOWS\gmer.ini
2008-09-11 14:16 . 2008-09-11 14:16
2008-09-11 14:15 . 2008-09-11 14:15
2008-09-11 11:14 . 2008-09-11 11:14
2008-09-11 11:14 . 2008-09-11 11:14
2008-09-11 11:14 . 2008-09-11 11:15 548,924 --a------ C:\WINDOWS\system32\pcntrtdl.exe
2008-09-11 11:14 . 2008-09-11 11:15 90,919 --a------ C:\WINDOWS\system32\ertqcadzqk.dll-uninst.exe
2008-09-11 11:13 . 2008-09-11 11:17
2008-09-07 10:55 . 2008-01-10 14:15 755,027 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-09-04 21:36 . 2008-09-04 21:36
2008-08-31 12:06 . 2008-09-10 22:41
2008-08-30 14:18 . 2008-08-30 14:18
2008-08-25 19:35 . 2008-08-25 19:37 118,784 --a------ C:\WINDOWS\system32\ac3acm.acm
2008-08-24 20:28 . 2008-08-30 14:38 604 --a------ C:\WINDOWS\Thps3.INI
2008-08-24 19:03 . 2008-08-24 19:06
2008-08-23 18:52 . 2008-08-23 18:52
2008-08-23 18:40 . 2008-08-23 18:40
2008-08-22 22:34 . 2008-08-22 22:34
2008-08-22 09:10 . 1999-05-07 00:00 140,288 --a------ C:\WINDOWS\system32\Comdlg32.ocx
2008-08-22 09:10 . 2000-03-20 23:55 118,784 --a------ C:\WINDOWS\system32\vbalNCSM6.dll
2008-08-22 09:10 . 1999-03-25 23:00 101,888 --a------ C:\WINDOWS\system32\Vb6stkit.dll
2008-08-22 09:10 . 2000-07-17 13:41 70,088 --a------ C:\WINDOWS\system32\Project2-1.ocx
2008-08-22 09:10 . 1999-02-19 07:54 40,960 --a------ C:\WINDOWS\system32\SSubTmr6.dll
2008-08-22 09:10 . 2000-03-21 15:37 1,760 --a------ C:\WINDOWS\system32\objsafe.tlb
2008-08-22 09:10 . 2000-04-06 14:58 1,453 --a------ C:\WINDOWS\system32\Project2.INF
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-15 08:05 --------- d-----w C:\Program Files\cFosSpeed
2008-09-15 07:15 --------- d-----w C:\Documents and Settings\Mariusz\Dane aplikacji\uTorrent
2008-09-15 07:10 --------- d-----w C:\Documents and Settings\Mariusz\Dane aplikacji\Hamachi
2008-09-14 18:23 --------- d-----w C:\Documents and Settings\Mariusz\Dane aplikacji\Skype
2008-09-14 12:07 --------- d-----w C:\Documents and Settings\Mariusz\Dane aplikacji\skypePM
2008-09-11 16:25 --------- d-----w C:\Program Files\Folder Guard Pro
2008-09-08 07:50 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-07 18:30 --------- d-----w C:\Documents and Settings\Mariusz\Dane aplikacji\Folder Guard
2008-08-26 18:21 --------- d-----w C:\Program Files\uTorrent
2008-08-25 17:38 892,928 ----a-w C:\WINDOWS\system32\iconv.dll
2008-08-25 17:35 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-08-24 17:03 25,280 ----a-w C:\WINDOWS\system32\drivers\hamachi.sys
2008-08-22 08:34 --------- d-----w C:\Documents and Settings\Mariusz\Dane aplikacji\Nokia
2008-08-11 17:08 --------- d-----w C:\Program Files\Lavalys
2008-08-01 16:08 --------- d-----w C:\Program Files\DVDVideoSoft
2008-08-01 16:08 --------- d-----w C:\Program Files\Common Files\DVDVideoSoft
2008-07-28 11:25 --------- d-----w C:\Documents and Settings\Mariusz\Dane aplikacji\PC Suite
2008-07-28 10:37 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\PC Suite
2008-07-28 10:31 --------- d-----w C:\Program Files\DIFX
2008-07-28 10:30 --------- d-----w C:\Program Files\PC Connectivity Solution
2008-07-28 10:30 --------- d-----w C:\Program Files\Nokia
2008-07-28 10:30 --------- d-----w C:\Program Files\Common Files\PCSuite
2008-07-28 10:30 --------- d-----w C:\Program Files\Common Files\Nokia
2008-07-28 10:27 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Installations
2008-07-25 08:34 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2008-07-25 08:34 683,520 ----a-w C:\WINDOWS\system32\divx.dll
2008-07-23 16:50 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-07-23 11:23 --------- d-----w C:\Documents and Settings\Mariusz\Dane aplikacji\vlc
2008-07-21 13:44 --------- d-----w C:\Program Files\Common Files\Adobe
2008-07-19 05:58 --------- d-----w C:\Program Files\Winamp
2008-07-19 05:49 --------- d-----w C:\Documents and Settings\Mariusz\Dane aplikacji\Winamp
2008-07-16 18:51 2,041,363 ----a-w C:\WINDOWS\system32\x264vfw.dll
2008-07-16 13:41 --------- d-----w C:\Program Files\Replay Media Catcher
2008-07-16 06:30 --------- d-----w C:\Documents and Settings\Mariusz\Dane aplikacji\Media Player Classic
2008-07-16 06:28 --------- d-----w C:\Program Files\PowerQuest
2008-07-15 18:38 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-07-15 13:02 --------- d-----w C:\Documents and Settings\Gość\Dane aplikacji\ESET
2008-07-15 13:01 --------- d-s---w C:\Documents and Settings\Gość\Dane aplikacji\Microsoft
2008-07-15 13:01 --------- d-----w C:\Documents and Settings\Gość\Dane aplikacji\Identities
2008-07-12 13:16 921,600 ----a-w C:\WINDOWS\system32\vorbisenc.dll
2008-07-12 13:16 237,568 ----a-w C:\WINDOWS\system32\OggDS.dll
2008-07-12 13:15 9,216 ----a-w C:\WINDOWS\system32\cpuinf32.dll
2008-07-12 13:15 45,056 ----a-w C:\WINDOWS\system32\ogg.dll
2008-07-12 13:15 391,168 ----a-w C:\WINDOWS\system32\i263_32.drv
2008-07-12 13:15 245,760 ----a-w C:\WINDOWS\system32\mplvpx.dll
2008-07-12 13:15 188,416 ----a-w C:\WINDOWS\system32\vorbis.dll
2008-07-12 12:23 306,432 ----a-w C:\WINDOWS\system32\TuneUpDefragService.exe
2008-06-25 08:33 290,008 ----a-w C:\WINDOWS\system32\cfosspeed.dll
2008-06-25 05:14 13,576 ----a-w C:\WINDOWS\system32\wnaspi32.dll
2008-06-16 14:34 446,464 ----a-w C:\WINDOWS\system32\NVUNINST.EXE
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{b8a5b62c-517f-42a5-85ae-29b5497fb15f}"= "C:\Program Files\Come2PlayK2P\tbCome.dll" [2008-08-20 1780248]
[HKEY_CLASSES_ROOT\clsid\{b8a5b62c-517f-42a5-85ae-29b5497fb15f}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b8a5b62c-517f-42a5-85ae-29b5497fb15f}]
2008-08-20 23:03 1780248 --a------ C:\Program Files\Come2PlayK2P\tbCome.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{b8a5b62c-517f-42a5-85ae-29b5497fb15f}"= "C:\Program Files\Come2PlayK2P\tbCome.dll" [2008-08-20 1780248]
[HKEY_CLASSES_ROOT\clsid\{b8a5b62c-517f-42a5-85ae-29b5497fb15f}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{B8A5B62C-517F-42A5-85AE-29B5497FB15F}"= "C:\Program Files\Come2PlayK2P\tbCome.dll" [2008-08-20 1780248]
[HKEY_CLASSES_ROOT\clsid\{b8a5b62c-517f-42a5-85ae-29b5497fb15f}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"eMuleAutoStart"="D:\eMule\emule.exe" [2007-05-13 5308416]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 77824]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-07-09 36352]
"WheelMouse"="C:\Program Files\A4Tech\Mouse\Amoumain.exe" [2007-02-11 241664]
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2008-02-20 1443072]
"cFosSpeed"="C:\Program Files\cFosSpeed\cFosSpeed.exe" [2008-06-25 867544]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-07-27 1388544]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-17 7630848]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-08-17 86016]
"nwiz"="nwiz.exe" [2006-08-17 C:\WINDOWS\system32\nwiz.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 15360]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 1744896]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i263_32.drv
"VIDC.ACDV"= ACDV.dll
"msacm.l3fhg"= mp3fhg.acm
"msacm.divxa32"= divxa32.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
"VIDC.YV12"= yv12vfw.dll
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
"CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Hotkey"=C:\Program Files\Internet keyboard driver\Hotkey.exe
"igfxpers"=C:\WINDOWS\system32\igfxpers.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe"=
"%windir%\system32\sessmgr.exe"=
"C:\Program Files\uTorrent\uTorrent.exe"=
"D:\eMule\emule.exe"=
"C:\Program Files\Skype\Phone\Skype.exe"=
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2008-04-14 14336]
S2 NOD32FiXTemDono;Eset Nod32 Boot;C:\WINDOWS\system32\regedt32.exe [2001-10-26 3584]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-07-12 306432]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Zawartość folderu 'Zaplanowane zadania'
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-15 10:07:23
Windows 5.1.2600 Dodatek Service Pack 3 NTFS
skanowanie ukrytych procesów ...
skanowanie ukrytych wpisów autostartu ...
skanowanie ukrytych plików ...
skanowanie pomyślnie ukończone
ukryte pliki: 0
**************************************************************************
.
Czas ukończenia: 2008-09-15 10:08:32
ComboFix-quarantined-files.txt 2008-09-15 08:08:29
Przed: 5,267,136,512 bajtów wolnych
Po: 5,293,391,872 bajtów wolnych
202
And this is the log from HijackThis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:13:51, on 2008-09-15
Platform: Windows XP Dodatek SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\cFosSpeed\cFosSpeed.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\cFosSpeed\spd.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Mariusz\Pulpit\Nowy folder\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Come2PlayK2P Toolbar - {b8a5b62c-517f-42a5-85ae-29b5497fb15f} - C:\Program Files\Come2PlayK2P\tbCome.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Come2PlayK2P Toolbar - {b8a5b62c-517f-42a5-85ae-29b5497fb15f} - C:\Program Files\Come2PlayK2P\tbCome.dll
O3 - Toolbar: Come2PlayK2P Toolbar - {b8a5b62c-517f-42a5-85ae-29b5497fb15f} - C:\Program Files\Come2PlayK2P\tbCome.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [WheelMouse] C:\Program Files\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [cFosSpeed] C:\Program Files\cFosSpeed\cFosSpeed.exe
O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [eMuleAutoStart] D:\eMule\emule.exe -AutoStart
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Eksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{276C73C7-208B-45CB-8072-AA6347F84B3A}: NameServer = 194.204.159.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: cFosSpeed System Service (cFosSpeedS) - cFos Software GmbH - C:\Program Files\cFosSpeed\spd.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
--
End of file - 4800 bytes