Po pierwsze dziękuje bardzo za szybka odpowiedz i pomoc Ciuci
oto dane po skanie z combo fixa:
ComboFix 08-12-17.01 - Boban 2008-12-18 16:06:57.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.1023.699 [GMT 1:00]
Uruchomiony z: c:\documents and settings\Boban\Pulpit\ComboFix.exe
Użyto następujących komend :: c:\documents and settings\Boban\Pulpit\CFScript.txt
* Utworzono nowy punkt przywracania
UWAGA - TEN KOMPUTER NIE MA ZAINSTALOWANEJ KONSOLI ODZYSKIWANIA
FILE ::
c:\windows\system32\amvo.exe
c:\windows\system32\kamsoft.exe
c:\windows\system32\vamsoft.exe
.
((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\08dgu.com
C:\0w.com
C:\1u0o8bnq.cmd
C:\2u.com
C:\3rl3lqbq.bat
C:\68.exe
C:\abk.bat
C:\Autorun.inf
C:\b.com
C:\bo1dhu.bat
C:\cqdis.cmd
c:\docume~1\Boban\USTAWI~1\Temp\ovlx.dll
c:\docume~1\Boban\USTAWI~1\Temp\rlbaort.dll
c:\documents and settings\All Users\Dane aplikacji\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Dane aplikacji\Microsoft\Network\Downloader\qmgr1.dat
C:\e.cmd
C:\ev60a2.cmd
C:\gr06t.cmd
C:\h3.bat
C:\hgu.bat
C:\ij.bat
C:\itsduel.exe
C:\kk3.bat
C:\lky.exe
C:\m2nl.bat
C:\ncyrf.bat
C:\nfdmg.com
C:\njibyekk.com
C:\nq0cq.cmd
C:\otyh.cmd
C:\p1y2.cmd
C:\qwultj1.bat
C:\qxbx9blb.com
C:\r.cmd
C:\r1y1.bat
C:\rcukd.cmd
C:\rqq2v.bat
C:\t1ypkh.exe
C:\tbm9.bat
C:\tyktjfww.exe
C:\vxl.exe
c:\windows\system32\28463
c:\windows\system32\28463\AKV.exe
c:\windows\system32\28463\MMWP.001
c:\windows\system32\28463\MMWP.002
c:\windows\system32\28463\MMWP.005
c:\windows\system32\28463\MMWP.006
c:\windows\system32\28463\MMWP.007
c:\windows\system32\28463\MMWP.009
c:\windows\system32\28463\MMWP.exe
c:\windows\system32\alamxd.dll
c:\windows\system32\amvo.exe
c:\windows\system32\amvo0.dll
c:\windows\system32\amvo1.dll
c:\windows\system32\aqcnkqmu.ini
c:\windows\system32\Bitkv0.dll
c:\windows\system32\Bitkv1.dll
c:\windows\system32\brrsmm.dll
c:\windows\system32\brxbis.dll
c:\windows\system32\cbXRHxWp.dll
c:\windows\system32\ckvo.exe
c:\windows\system32\ckvo0.dll
c:\windows\system32\ckvo1.dll
c:\windows\system32\ckvo2.dll
c:\windows\system32\crmbfucl.ini
c:\windows\system32\gasretyw0.dll
c:\windows\system32\gasretyw1.dll
c:\windows\system32\geBspoPJ.dll
c:\windows\system32\gjqcfpop.dll
c:\windows\system32\ijujhyjq.dll
c:\windows\system32\JPopsBeg.ini
c:\windows\system32\JPopsBeg.ini2
c:\windows\system32\juevcmpq.dll
c:\windows\system32\kamsoft.exe
c:\windows\system32\lcufbmrc.dll
c:\windows\system32\popfcqjg.ini
c:\windows\system32\qcixacki.dll
c:\windows\system32\qpmcveuj.ini
c:\windows\system32\rmpsjofo.dll
c:\windows\system32\senfer.dll
c:\windows\system32\umqkncqa.dll
c:\windows\system32\vamsoft.exe
c:\windows\system32\xcqnbpyq.dll
c:\windows\Tasks\yfgtiffk.job
C:\x0.cmd
C:\xih9.cmd
C:\yew.bat
D:\08dgu.com
D:\0w.com
D:\1u0o8bnq.cmd
D:\2u.com
D:\3rl3lqbq.bat
D:\68.exe
D:\abk.bat
D:\Autorun.inf
D:\b.com
D:\bo1dhu.bat
D:\cqdis.cmd
D:\e.cmd
D:\ev60a2.cmd
D:\gr06t.cmd
D:\h3.bat
D:\hgu.bat
D:\ij.bat
D:\itsduel.exe
D:\kk3.bat
D:\lky.exe
D:\m2nl.bat
D:\ncyrf.bat
D:\nfdmg.com
D:\njibyekk.com
D:\nq0cq.cmd
D:\otyh.cmd
D:\p1y2.cmd
D:\qwultj1.bat
D:\qxbx9blb.com
D:\r.cmd
D:\r1y1.bat
D:\rcukd.cmd
D:\rqq2v.bat
D:\t1ypkh.exe
D:\tbm9.bat
D:\tyktjfww.exe
D:\vxl.exe
D:\x0.cmd
D:\xih9.cmd
D:\yew.bat
E:\08dgu.com
E:\0w.com
E:\1u0o8bnq.cmd
E:\2u.com
E:\3rl3lqbq.bat
E:\68.exe
E:\abk.bat
E:\Autorun.inf
E:\b.com
E:\bo1dhu.bat
E:\cqdis.cmd
E:\e.cmd
E:\ev60a2.cmd
E:\gr06t.cmd
E:\h3.bat
E:\hgu.bat
E:\ij.bat
E:\itsduel.exe
E:\kk3.bat
E:\lky.exe
E:\m2nl.bat
E:\ncyrf.bat
E:\nfdmg.com
E:\njibyekk.com
E:\nq0cq.cmd
E:\otyh.cmd
E:\p1y2.cmd
E:\qwultj1.bat
E:\qxbx9blb.com
E:\r.cmd
E:\r1y1.bat
E:\rcukd.cmd
E:\rqq2v.bat
E:\t1ypkh.exe
E:\tbm9.bat
E:\tyktjfww.exe
E:\vxl.exe
E:\x0.cmd
E:\xih9.cmd
E:\yew.bat
----- BITS: Możliwe zainfekowane strony -----
hxxp://childhe.com
.
((((((((((((((((((((((((( Pliki utworzone od 2008-11-18 do 2008-12-18 )))))))))))))))))))))))))))))))
.
2008-12-15 19:58 . 2008-12-15 19:58 70,144 --a------ c:\windows\system32\mlJCUMGw.dll
2008-12-14 20:37 . 2008-12-18 15:06 84,992 -r-hs---- c:\windows\system32\kav320.dll
2008-12-10 18:16 . 2008-12-10 18:16 85,504 -r-hs---- c:\windows\system32\vbsdfe2.dll
2008-12-10 16:14 . 2008-12-08 18:00 107,045 -r-hs---- C:\6fnlpetp.exe
2008-12-10 16:13 . 2008-12-18 15:07 85,504 -r-hs---- c:\windows\system32\vbsdfe1.dll
2008-12-09 16:30 . 2008-12-18 15:06 85,504 --------- c:\windows\system32\vbsdfe0.dll
2008-12-08 18:01 . 2008-12-08 18:00 107,045 -r-hs---- C:\m9ma.exe
2008-11-22 09:13 . 2008-11-22 09:13
2008-11-22 08:48 . 2008-11-22 08:48
2008-11-20 23:26 . 2008-11-20 23:26
2008-11-20 23:26 . 2006-11-30 10:55 9,011,200 --a------ c:\windows\system32\Christmas Eve 3D Screensaver.scr
2008-11-20 23:26 . 2006-06-29 15:46 528,384 --a------ c:\windows\system32\Astro Gemini Screensaver Manager.scr
2008-11-20 23:26 . 2006-11-30 10:55 3,253 --a------ c:\windows\system32\ChristmasEve3DScreensaver.html
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-18 15:10 --------- d-----w c:\program files\neostrada tp
2008-12-16 19:33 --------- d-----w c:\documents and settings\Boban\Dane aplikacji\Skype
2008-12-15 16:55 --------- d-----w c:\program files\Bit Che
2008-11-26 14:20 --------- d-----w c:\documents and settings\Boban\Dane aplikacji\Tlen.pl
2008-11-10 18:04 108,271 --sh–r C:\whi.com
2008-11-08 12:05 108,973 --sh–r C:\sq.com
2008-11-08 11:22 --------- d-----w c:\program files\KaraFun
2008-11-08 11:22 --------- d-----w c:\documents and settings\All Users\Dane aplikacji\Recisio
2008-11-03 20:48 --------- d-----w c:\program files\Karaoke
2008-11-01 11:19 103,744 --sh–r C:\vfjc8mxm.exe
2008-10-22 14:27 104,123 --sh–r C:\xlk9.com
2008-10-21 17:04 103,973 --sh–r C:\2fiji.com
2008-10-21 13:01 102,936 --sh–r C:\je26200.com
2007-11-29 16:29 21,528 ----a-w c:\documents and settings\Boban\Dane aplikacji\GDIPFONTCACHEV1.DAT
2001-11-23 04:08 712,704 ----a-r c:\windows\inf\OTHER\AUDIO3D.DLL
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“StatBar”=“c:\program files\Globe Software\StatBar\StatBar.exe” [2003-07-25 335872]
“ctfmon.exe”=“c:\windows\system32\ctfmon.exe” [2004-08-03 15360]
“BitComet”=“c:\program files\BitComet\BitComet.exe” [2005-01-26 2412544]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“NvCplDaemon”=“c:\windows\system32\NvCpl.dll” [2006-10-22 7700480]
“NeroFilterCheck”=“c:\windows\system32\NeroCheck.exe” [2001-07-09 155648]
“QuickTime Task”=“c:\program files\QuickTime\qttask.exe” [2007-04-27 282624]
“iTunesHelper”=“c:\program files\iTunes\iTunesHelper.exe” [2007-06-01 257088]
“NvMediaCenter”=“c:\windows\system32\NvMcTray.dll” [2006-10-22 86016]
“WOOWATCH”=“c:\progra~1\NEOSTR~1\Watch.exe” [2004-08-23 20480]
“WOOTASKBARICON”=“c:\progra~1\NEOSTR~1\GestMaj.exe” [2004-10-14 32768]
“PCSuiteTrayApplication”=“c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe” [2005-03-22 167936]
“DataLayer”=“c:\program files\Common Files\PCSuite\DataLayer\DataLayer.exe” [2005-03-31 1106944]
“CloneCDTray”=“c:\program files\SlySoft\CloneCD\CloneCDTray.exe” [2005-05-19 57344]
“SunJavaUpdateSched”=“c:\program files\Java\jre1.6.0_06\bin\jusched.exe” [2008-03-25 144784]
“nwiz”=“nwiz.exe” [2006-10-22 c:\windows\system32\nwiz.exe]
[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
“CTFMON.EXE”=“c:\windows\system32\CTFMON.EXE” [2004-08-03 15360]
c:\documents and settings\All Users\Menu Start\Programy\Autostart\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
“RunStartupScriptSync”= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
“RunStartupScriptSync”= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
“vidc.DIVF”= DivX412.dll
“vidc.vp31”= vp31vfw.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
“AntiVirusOverride”=dword:00000001
[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
“EnableFirewall”= 0 (0x0)
[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
“%windir%\system32\sessmgr.exe”=
“c:\Program Files\BitComet\BitComet.exe”=
“c:\Program Files\Tlen.pl\tlen.exe”=
“d:\Program Files\NAPI-PROJEKT\napisy.exe”=
“c:\Program Files\iTunes\iTunes.exe”=
“d:\Program Files\CALL\CoDMP.exe”=
“c:\Program Files\Gadu-Gadu\gg.exe”=
“c:\Program Files\Mozilla Firefox\firefox.exe”=
“c:\Program Files\Skype\Phone\Skype.exe”=
R3 e4usbaw;USB ADSL2 WAN Adapter;c:\windows\system32\DRIVERS\e4usbaw.sys [2007-07-01 116992]
S2 IKANLOADER2;General Purpose USB Driver (e4ldr.sys);c:\windows\system32\Drivers\e4ldr.sys [2007-07-01 64000]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{143af8f0-09ef-11dc-baac-806d6172696f}]
\Shell\AutoRun\command - F:\lkxcqdb.bat
\Shell\explore\Command - F:\lkxcqdb.bat
\Shell\open\Command - F:\lkxcqdb.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{230bf9fc-3954-11dd-89aa-4d6564696130}]
\Shell\AutoRun\command - J:\r.cmd
\Shell\explore\Command - J:\r.cmd
\Shell\open\Command - J:\r.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{367cb3be-b802-11dd-8ab9-4d6564696130}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{367cb3bf-b802-11dd-8ab9-4d6564696130}]
\Shell\AutoRun\command - J:\abk.bat
\Shell\explore\Command - J:\abk.bat
\Shell\open\Command - J:\abk.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{46dc6c15-4502-11dc-8780-4d6564696130}]
\Shell\AutoRun\command - F:\lkxcqdb.bat
\Shell\explore\Command - F:\lkxcqdb.bat
\Shell\open\Command - F:\lkxcqdb.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{50222270-cc45-11dd-8ae7-4d6564696130}]
\Shell\AutoRun\command - F:\m9ma.exe
\Shell\explore\Command - F:\m9ma.exe
\Shell\open\Command - F:\m9ma.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{db097b24-6b30-11dc-87d9-4d6564696130}]
\Shell\AutoRun\command - F:\r.cmd
\Shell\explore\Command - F:\r.cmd
\Shell\open\Command - F:\r.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{e069256f-4742-11dc-878d-4d6564696130}]
\Shell\AutoRun\command - F:\fppg1.exe
\Shell\explore\Command - F:\fppg1.exe
\Shell\open\Command - F:\fppg1.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{ed81d4f0-1b81-11dd-894f-4d6564696130}]
\Shell\AutoRun\command - F:\fppg1.exe
\Shell\explore\Command - F:\fppg1.exe
\Shell\open\Command - F:\fppg1.exe
.
Zawartość folderu ‘Zaplanowane zadania’
2008-12-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
2008-12-18 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2002-08-07 08:04]
.
-
-
-
- USUNIĘTO PUSTE WPISY - - - -
BHO-{0DEE1AEC-099A-4782-AC46-966025C73CE6} - c:\windows\system32\geBspoPJ.dll
BHO-{3fef25e4-eaf5-4fcc-a5e5-33ee0b80a435} - c:\windows\system32\brrsmm.dll
HKCU-Run-DrTweakXP.exe - c:\program files\Fic_Products\DoctorTweak XP\DrTweakXP.exe
HKLM-Run-MMWP Agent - c:\windows\system32\28463\MMWP.exe
HKLM-Run-Cmaudio - cmicnfg.cpl
.
------- Skan uzupełniający -------
.
uStart Page = hxxp://www.neostrada.pl/
IE: Eksport do programu Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: { - c:\program files\Messenger\msmsgs.exe
IE: {c:\program files\Messenger\msmsgs.exe - -
TCP: {38870256-65AF-46B9-912B-E554FC67AEAF} = 194.204.159.1 217.98.63.164
FF - ProfilePath - c:\documents and settings\Boban\Dane aplikacji\Mozilla\Firefox\Profiles\hiq0f9zw.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=ie=UTF-8oe=UTF-8q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\documents and settings\Boban\Dane aplikacji\Mozilla\Firefox\Profiles\hiq0f9zw.default\extensions{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
FF - component: c:\documents and settings\Boban\Dane aplikacji\Mozilla\Firefox\Profiles\hiq0f9zw.default\extensions{3112ca9c-de6d-4884-a869-9855de68056c}\components\metricsloader.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npitunes.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPJava11.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPJava12.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPJava13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPJava32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPJPI140_03.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPOJI610.dll
ATTENTION: FIREFOX POLICES IS IN FORCE
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref(“browser.rights.version”, 3);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref(“browser.rights.3.shown”, false);
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-18 16:10:47
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
skanowanie ukrytych procesów …
skanowanie ukrytych wpisów autostartu …
skanowanie ukrytych plików …
skanowanie pomyślnie ukończone
ukryte pliki: 0
**************************************************************************
.
------------------------ Pozostałe uruchomione procesy ------------------------
.
c:\windows\system32\FTRTSVC.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\NEOSTR~1\TaskBarIcon.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
.
**************************************************************************
.
Czas ukończenia: 2008-12-18 16:12:05 - komputer został uruchomiony ponownie
ComboFix-quarantined-files.txt 2008-12-18 15:12:01
ComboFix2.txt 2008-04-26 13:54:14
Przed: 11 244 793 856 bajtów wolnych
Po: 11,344,871,424 bajtów wolnych
366 — E O F — 2007-08-15 16:14:23