Witam! Mam ten sam problem. Kombinowałem troche na wlasna rękę, ale nic nie wyszlo. Poniżej moje logi z tych dwoch programow:
Hijackthis:
Logfile of HijackThis v1.99.1
Scan saved at 03:09:30, on 2008-01-15
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
G:\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dumprep.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Dupa\Pulpit\hijackthis\HijackThis.exe
C:\WINDOWS\System32\svchost.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM…\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM…\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM…\Run: [sunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe”
O4 - HKLM…\Run: [DAEMON Tools] “g:\DAEMON Tools\daemon.exe” -lang 1033
O4 - HKLM…\Run: [nwiz] nwiz.exe /install
O4 - HKLM…\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM…\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with Scansoft PDF Converter 3.0 - res://C:\Program Files\ScanSoft\PDF Professional 3.0\IEShellExt.dll /100
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
Combofix:
ComboFix 08-01-15.3 - Dupa 2008-01-15 2:59:23.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.610 [GMT 1:00]
Running from: C:\Documents and Settings\Dupa\Pulpit\ComboFix.exe
Command switches used :: C:\Documents and Settings\Dupa\Pulpit\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED
FILE
C:\WINDOWS\system32\Drivers\smtpdrv.sys
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\6_exception.nls
C:\WINDOWS\system32\Drivers\smtpdrv.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\smtpdrv
((((((((((((((((((((((((( Files Created from 2007-12-15 to 2008-01-15 )))))))))))))))))))))))))))))))
.
2008-01-15 01:41 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-10 23:03 . 2008-01-15 03:02 24,832 --a------ C:\WINDOWS\system32\drivers\Cjp42.sys
2008-01-04 14:41 . 2008-01-04 17:04
2008-01-04 14:41 . 2007-12-17 13:53 159,458 --a------ C:\WINDOWS\system32\nvapps.nvb
2008-01-04 14:40 . 2008-01-04 14:40
2008-01-04 00:29 . 2008-01-04 00:29
2008-01-03 15:58 . 2008-01-03 15:58
2008-01-03 15:58 . 2008-01-03 15:58
2008-01-03 15:58 . 2008-01-03 15:58
2008-01-02 15:33 . 2008-01-10 19:48 21,760 --a------ C:\WINDOWS\Ouc63.sys
2008-01-02 14:23 . 2008-01-02 14:23 21,760 --a------ C:\WINDOWS\system32\drivers\Ouc63.sys
2007-12-25 16:16 . 2007-12-25 16:16
2007-12-25 14:19 . 2007-12-25 14:19
2007-12-25 00:55 . 2006-11-29 13:06 3,426,072 --a------ C:\WINDOWS\system32\d3dx9_32.dll
2007-12-25 00:55 . 2006-09-28 16:05 2,414,360 --a------ C:\WINDOWS\system32\d3dx9_31.dll
2007-12-25 00:55 . 2007-01-24 15:27 255,848 --a------ C:\WINDOWS\system32\xactengine2_6.dll
2007-12-25 00:55 . 2006-12-08 12:02 251,672 --a------ C:\WINDOWS\system32\xactengine2_5.dll
2007-12-25 00:55 . 2006-09-28 16:05 237,848 --a------ C:\WINDOWS\system32\xactengine2_4.dll
2007-12-25 00:55 . 2006-07-28 09:30 236,824 --a------ C:\WINDOWS\system32\xactengine2_3.dll
2007-12-25 00:55 . 2007-04-04 18:53 81,768 --a------ C:\WINDOWS\system32\xinput1_3.dll
2007-12-25 00:55 . 2006-07-28 09:30 62,744 --a------ C:\WINDOWS\system32\xinput1_2.dll
2007-12-25 00:55 . 2007-01-08 15:30 15,128 --a------ C:\WINDOWS\system32\x3daudio1_1.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-12 18:25 --------- d-----w C:\Program Files\eMule
2008-01-10 18:33 --------- d-----w C:\Documents and Settings\Dupa\Dane aplikacji\Skype
2008-01-06 16:11 --------- d-----w C:\Program Files\Diablo II
2008-01-05 12:21 --------- d–h--w C:\Program Files\InstallShield Installation Information
2007-12-25 15:18 --------- d-----w C:\Program Files\Cool2000
2007-12-24 23:49 223,128 ----a-w C:\WINDOWS\system32\drivers\dtscsi.sys
2007-12-05 01:53 356,352 ----a-w C:\WINDOWS\system32\NVUNINST.EXE
2007-12-05 00:41 81,920 ----a-w C:\WINDOWS\system32\nvwddi.dll
2007-12-05 00:41 81,920 ----a-w C:\WINDOWS\system32\nvmctray.dll
2007-12-05 00:41 8,523,776 ----a-w C:\WINDOWS\system32\nvcpl.dll
2007-12-05 00:41 753,664 ----a-w C:\WINDOWS\system32\nvcplui.exe
2007-12-05 00:41 7,435,392 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys
2007-12-05 00:41 6,901,760 ----a-w C:\WINDOWS\system32\nvoglnt.dll
2007-12-05 00:41 6,549,504 ----a-w C:\WINDOWS\system32\nvdisps.dll
2007-12-05 00:41 5,773,568 ----a-w C:\WINDOWS\system32\nv4_disp.dll
2007-12-05 00:41 466,944 ----a-w C:\WINDOWS\system32\nvshell.dll
2007-12-05 00:41 45,056 ----a-w C:\WINDOWS\system32\nvmccsrs.dll
2007-12-05 00:41 442,368 ----a-w C:\WINDOWS\system32\nvappbar.exe
2007-12-05 00:41 425,984 ----a-w C:\WINDOWS\system32\keystone.exe
2007-12-05 00:41 385,024 ----a-w C:\WINDOWS\system32\nvapi.dll
2007-12-05 00:41 356,352 ----a-w C:\WINDOWS\system32\nvudisp.exe
2007-12-05 00:41 35,328 ----a-w C:\WINDOWS\system32\nvcodins.dll
2007-12-05 00:41 35,328 ----a-w C:\WINDOWS\system32\nvcod.dll
2007-12-05 00:41 307,200 ----a-w C:\WINDOWS\system32\nvexpbar.dll
2007-12-05 00:41 3,710,976 ----a-w C:\WINDOWS\system32\nvvitvs.dll
2007-12-05 00:41 3,420,160 ----a-w C:\WINDOWS\system32\nvgames.dll
2007-12-05 00:41 286,720 ----a-w C:\WINDOWS\system32\nvnt4cpl.dll
2007-12-05 00:41 229,376 ----a-w C:\WINDOWS\system32\nvmccs.dll
2007-12-05 00:41 2,498,560 ----a-w C:\WINDOWS\system32\nvwss.dll
2007-12-05 00:41 188,416 ----a-w C:\WINDOWS\system32\nvmccss.dll
2007-12-05 00:41 155,716 ----a-w C:\WINDOWS\system32\nvsvc32.exe
2007-12-05 00:41 147,456 ----a-w C:\WINDOWS\system32\nvcolor.exe
2007-12-05 00:41 1,703,936 ----a-w C:\WINDOWS\system32\nvwdmcpl.dll
2007-12-05 00:41 1,626,112 ----a-w C:\WINDOWS\system32\nwiz.exe
2007-12-05 00:41 1,474,560 ----a-w C:\WINDOWS\system32\nview.dll
2007-12-05 00:41 1,339,392 ----a-w C:\WINDOWS\system32\nvdspsch.exe
2007-12-05 00:41 1,228,800 ----a-w C:\WINDOWS\system32\nvmobls.dll
2007-12-05 00:41 1,089,536 ----a-w C:\WINDOWS\system32\nvcuda.dll
2007-12-05 00:41 1,019,904 ----a-w C:\WINDOWS\system32\nvwimg.dll
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-10-24 20:54 23,008 ----a-w C:\Documents and Settings\Dupa\Dane aplikacji\GDIPFONTCACHEV1.DAT
.
((((((((((((((((((((((((((((( snapshot@2008-01-15_ 1.50.48.46 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-15 00:43:41 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-15 01:59:15 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-15 00:43:41 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-15 01:59:15 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-15 00:43:41 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-15 01:59:15 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-15 00:43:41 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-15 01:59:15 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-15 00:43:41 7,503,872 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-15 01:59:15 7,503,872 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-15 00:43:42 163,840 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
-
2008-01-15 01:59:16 163,840 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
-
2008-01-15 02:03:48 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_684.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“CTFMON.EXE”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-03 23:44 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“RTHDCPL”=“RTHDCPL.EXE” [2006-05-27 03:47 16208384 C:\WINDOWS\RTHDCPL.exe]
“NvCplDaemon”=“C:\WINDOWS\system32\NvCpl.dll” [2007-12-05 01:41 8523776]
“avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [2007-12-04 14:00 79224]
“NeroFilterCheck”=“C:\WINDOWS\system32\NeroCheck.exe” [2001-07-09 09:50 155648]
“SunJavaUpdateSched”=“C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe” [2007-09-25 01:11 132496]
“DAEMON Tools”=“g:\DAEMON Tools\daemon.exe” [2005-11-08 23:00 128920]
“nwiz”=“nwiz.exe” [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
“NvMediaCenter”=“C:\WINDOWS\system32\NvMcTray.dll” [2007-12-05 01:41 81920]
“UserFaultCheck”=“C:\WINDOWS\system32\dumprep 0 -u” []
[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
“CTFMON.EXE”=“C:\WINDOWS\system32\CTFMON.EXE” [2004-08-03 23:44 15360]
C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 09:01:04]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Cjp42.sys]
@=“Driver”
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ouc63.sys]
@=“Driver”
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
-r------- 2005-05-03 11:43 69632 C:\WINDOWS\Alcmtr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DriveCleaner 2006]
–a------ 2006-07-21 12:34 1058816 C:\Program Files\DriveCleaner 2006\DC2006.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iPlusAgent2]
–a------ 2006-04-21 02:27 241664 C:\Program Files\iriver\iriver plus 2\iAgent2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-08-03 23:55 1667584 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
–a------ 2007-12-05 01:41 81920 C:\WINDOWS\system32\nvmctray.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
–a------ 2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDF3 Registry Controller]
–a------ 2005-04-29 01:58 106496 C:\Program Files\ScanSoft\PDF Professional 3.0\RegistryController.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
-r------- 2006-05-16 11:04 2879488 C:\WINDOWS\SkyTel.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
-ra------ 2003-09-29 23:14 155648 C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe
R0 Cjp42;Cjp42;C:\WINDOWS\system32\Drivers\Cjp42.sys [2008-01-15 03:02]
R0 Ouc63;Ouc63;C:\WINDOWS\system32\Drivers\Ouc63.sys [2008-01-02 14:23]
R2 nvcap;nVidia WDM Video Capture (universal);C:\WINDOWS\system32\DRIVERS\nvcap.sys [2005-01-31 09:30]
R2 NVXBAR;nVidia WDM A/V Crossbar;C:\WINDOWS\system32\DRIVERS\NVxbar.sys [2005-01-31 09:30]
S1 AmdPPM;Sterownik procesora AMD HwPState;C:\WINDOWS\system32\DRIVERS\AmdPPM.sys []
S3 gdrv;gdrv;C:\WINDOWS\gdrv.sys [2007-04-25 20:15]
S3 GVCplDrv;GVCplDrv;C:\WINDOWS\system32\drivers\GVCplDrv.sys [2004-05-02 09:47]
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-15 03:04:11
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
scanning hidden processes …
scanning hidden autostart entries …
scanning hidden files …
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-01-15 3:05:19 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-15 02:05:11
ComboFix2.txt 2008-01-15 01:09:59
ComboFix3.txt 2008-01-15 00:51:14
Z góry dziekuje za ewentualna pomoc i serdecznie pozdrawiam,
Tobiasz