Hidden C drive and virus alert

Hi, I have a problem with my WinXP. I caught a lot of viruses and my C drive disappeared, along with a few other Windows functions. I'm posting a log, maybe someone can help me. Thanks in advance.

Logfile of HijackThis v1.99.1

Scan saved at 21:06: VIRUS ALERT!, on 2008-06-06

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\studnet\studnet.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\user\Pulpit\HijackThis.exe

C:\Program Files\Gadu-Gadu\gg.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O1 - Hosts: 92.63.97.167 www.postbank.de

O1 - Hosts: 92.63.97.167 postbank.de

O1 - Hosts: 92.63.97.167 direkt.postbank.de

O1 - Hosts: 92.63.97.167 www.smile.co.uk

O1 - Hosts: 92.63.97.167 smile.co.uk

O1 - Hosts: 92.63.97.167 cahoot.com

O1 - Hosts: 92.63.97.167 www.cahoot.com

O1 - Hosts: 92.63.97.167 www.cahoot.co.uk

O1 - Hosts: 92.63.97.167 cahoot.co.uk

O1 - Hosts: 92.63.97.167 www.co-operativebank.co.uk

O1 - Hosts: 92.63.97.167 co-operativebank.co.uk

O1 - Hosts: 92.63.97.167 www.co-operativebank.com

O1 - Hosts: 92.63.97.167 co-operativebank.com

O1 - Hosts: 92.63.97.167 personal.barclays.co.uk

O1 - Hosts: 92.63.97.167 barclays.co.uk

O1 - Hosts: 92.63.97.167 www.barclays.co.uk

O1 - Hosts: 92.63.97.167 barclays.touchclarity.com

O1 - Hosts: 92.63.97.167 hsbc.co.uk

O1 - Hosts: 92.63.97.167 www.hsbc.co.uk

O1 - Hosts: 92.63.97.167 hsbc.touchclarity.com

O1 - Hosts: 92.63.97.167 www1.member-hsbc-group.com

O1 - Hosts: 92.63.97.167 lloydstsb.co.uk

O1 - Hosts: 92.63.97.167 www.lloydstsb.co.uk

O1 - Hosts: 92.63.97.167 lloydstsb.com

O1 - Hosts: 92.63.97.167 www.lloydstsb.com

O1 - Hosts: 92.63.97.167 mi.lloydstsb.com

O1 - Hosts: 92.63.97.167 www.woolwich.co.uk

O1 - Hosts: 92.63.97.167 woolwich.co.uk

O1 - Hosts: 92.63.97.167 www.deutsche-bank.de

O1 - Hosts: 92.63.97.167 deutsche-bank.de

O1 - Hosts: 92.63.97.167 www.anbusiness.com

O1 - Hosts: 92.63.97.167 anbusiness.com

O1 - Hosts: 92.63.97.167 www.abbeyinternational.com

O1 - Hosts: 92.63.97.167 www.barclays.com

O1 - Hosts: 92.63.97.167 barclays.com

O1 - Hosts: 92.63.97.167 ibank.internationalbanking.barclays.com

O1 - Hosts: 92.63.97.167 offshore.hsbc.com

O1 - Hosts: 92.63.97.167 www.lloydstsb-offshore.com

O1 - Hosts: 92.63.97.167 lloydstsb-offshore.com

O1 - Hosts: 92.63.97.167 citibank.de

O1 - Hosts: 92.63.97.167 www.citibank.de

O1 - Hosts: 92.63.97.167 www.natwest.com

O1 - Hosts: 92.63.97.167 natwest.com

O1 - Hosts: 92.63.97.167 nwolb.com

O1 - Hosts: 92.63.97.167 rbs.co.uk

O1 - Hosts: 92.63.97.167 www.rbs.co.uk

O1 - Hosts: 92.63.97.167 rbsdigital.com

O1 - Hosts: 92.63.97.167 www.ybonline.co.uk

O1 - Hosts: 92.63.97.167 ybonline.co.uk

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll

O3 - Toolbar: Alcohol Soft - Alcohol 120% Toolbar - {1CE4EE89-2D5C-4361-AF3B-D902AB545381} - C:\Program Files\Alcohol Soft\Alcohol 120% Toolbar\a120_tb.dll (file missing)

O3 - Toolbar: Zango - {E1BACF55-35E1-4E47-9247-2D48660E5545} - C:\Program Files\Zango\bin\10.1.181.0\HostIE.dll (file missing)

O3 - Toolbar: nmwegbsf - {F675F06A-0375-4B3E-8F88-62E0FC9C706A} - C:\WINDOWS\nmwegbsf.dll

O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"

O4 - HKLM\..\Run: [40ccc01e] rundll32.exe "C:\WINDOWS\system32\qjcqckqo.dll",b

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm

O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm

O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm

O9 - Extra button: Statystyki dla ochrony WWW - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll

O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll

O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne … nicode.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{714E189E-5F49-4187-993A-467016881E7F}: NameServer = 139.18.25.3

O21 - SSODL: erpobmsw - {ED614A2E-409C-4B97-B890-C518DFECDD12} - C:\WINDOWS\erpobmsw.dll (file missing)

O21 - SSODL: adgpfoxs - {B7DD0E1A-030A-4C65-808A-0F2BDB2B6102} - C:\WINDOWS\adgpfoxs.dll (file missing)

O21 - SSODL: MonCheck - {20001b99-1220-42c4-a609-4e879a5a5cea} - C:\WINDOWS\Resources\MonCheck.dll (file missing)

O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" -r (file missing)

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: Harmonogram automatycznej usługi LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
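The security-relevant finding in the log above is the block of O1 lines: dozens of online-banking hostnames (Postbank, Barclays, HSBC, Lloyds TSB, Deutsche Bank, Citibank, NatWest, RBS and others) are all pinned in the hosts file to one routable address, 92.63.97.167, so typing the bank's genuine URL delivers the victim to whatever that server serves (hosts-file pharming by a banker trojan). The O6 IE restrictions and the O7 DisableRegedit=1 policy show the same infection locking the user out of recovery tools. The script below is an added triage example for this thread, not code from the forum or from HijackThis. It parses HJT-format lines, groups O1 redirects by target address, lists the O6/O7 lockdowns, and separates out one known false positive: HijackThis 1.99.1 reports "(file missing)" for O23 services whose ImagePath is a quoted executable followed by arguments, which is why the AVP service line looks broken even though avp.exe appears in the running-process list. The sample lines are copied from the posted log; the three-hostname threshold and the O23 regular expression are my assumptions.

```python
"""Triage helper for HijackThis-format log lines.

Added example for this thread, not code from the forum or from HijackThis.
The sample lines are copied from the log posted above; the three-hostname
threshold and the O23 heuristic are assumptions made for illustration.
"""
import re
from collections import defaultdict

# Constructed sample: a handful of lines lifted from the posted HJT log.
SAMPLE_LOG = """\
O1 - Hosts: 92.63.97.167 www.postbank.de
O1 - Hosts: 92.63.97.167 postbank.de
O1 - Hosts: 92.63.97.167 www.barclays.co.uk
O1 - Hosts: 92.63.97.167 hsbc.co.uk
O1 - Hosts: 92.63.97.167 www.deutsche-bank.de
O4 - HKLM\\..\\Run: [40ccc01e] rundll32.exe "C:\\WINDOWS\\system32\\qjcqckqo.dll",b
O6 - HKCU\\Software\\Policies\\Microsoft\\Internet Explorer\\Restrictions present
O7 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System, DisableRegedit=1
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Unknown owner - C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe" -r (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\\PROGRA~1\\Symantec\\LIVEUP~1\\LUCOMS~1.EXE
"""

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
# Addresses a clean hosts file legitimately maps names to.
LOCAL_TARGETS = {"127.0.0.1", "0.0.0.0", "::1"}


def hosts_redirects(log: str) -> dict:
    """Group O1 hosts entries by target address: {ip: set(hostnames)}."""
    by_ip = defaultdict(set)
    for line in log.splitlines():
        m = O1_RE.match(line)
        if m:
            ip, host = m.groups()
            by_ip[ip].add(host.lower())
    return dict(by_ip)


def pharming_suspects(log: str, min_hosts: int = 3) -> list:
    """Routable addresses that several hostnames are pinned to.

    Nothing legitimate maps dozens of unrelated bank domains to one IP; a
    banker trojan does exactly that so the real URL lands on a fake site.
    Returns [(ip, [hostname, ...]), ...] sorted for stable output.
    """
    return sorted(
        (ip, sorted(hosts))
        for ip, hosts in hosts_redirects(log).items()
        if ip not in LOCAL_TARGETS and len(hosts) >= min_hosts
    )


def policy_lockdowns(log: str) -> list:
    """O6/O7 lines: IE restriction policies and DisableRegedit-style locks."""
    return [l for l in log.splitlines() if l.startswith(("O6 - ", "O7 - "))]


# HijackThis 1.99.1 cannot parse a service ImagePath of the form
# "C:\path\prog.exe" -args : it keeps the closing quote, appends the switch
# and reports "(file missing)" even though the executable exists.
O23_ARTIFACT_RE = re.compile(r'^O23 - Service: .*\.exe"\s+\S.*\(file missing\)$',
                             re.IGNORECASE)


def o23_parser_artifact(line: str) -> bool:
    """True when an O23 '(file missing)' is this known HJT quoting bug."""
    return bool(O23_ARTIFACT_RE.match(line))


def triage(log: str) -> dict:
    """Summarise one log: suspects, lockdowns, and O23 lines safe to ignore."""
    return {
        "pharming": pharming_suspects(log),
        "lockdowns": policy_lockdowns(log),
        "o23_false_positives": [l for l in log.splitlines() if o23_parser_artifact(l)],
    }


if __name__ == "__main__":
    for key, items in triage(SAMPLE_LOG).items():
        print(f"== {key} ({len(items)})")
        for item in items:
            print("  ", item)
```

Feed a whole saved log to `triage()` in place of `SAMPLE_LOG`. The grouping deliberately ignores loopback and 0.0.0.0 targets, which ad-blocking hosts files use by the thousand; anything else receiving many names is worth a look, and the count of distinct hostnames per address is a better signal than any list of bank names.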

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O1 - Hosts: 92.63.97.167 www.postbank.de

O1 - Hosts: 92.63.97.167 postbank.de

O1 - Hosts: 92.63.97.167 direkt.postbank.de

O1 - Hosts: 92.63.97.167 www.smile.co.uk

O1 - Hosts: 92.63.97.167 smile.co.uk

O1 - Hosts: 92.63.97.167 cahoot.com

O1 - Hosts: 92.63.97.167 www.cahoot.com

O1 - Hosts: 92.63.97.167 www.cahoot.co.uk

O1 - Hosts: 92.63.97.167 cahoot.co.uk

O1 - Hosts: 92.63.97.167 www.co-operativebank.co.uk

O1 - Hosts: 92.63.97.167 co-operativebank.co.uk

O1 - Hosts: 92.63.97.167 www.co-operativebank.com

O1 - Hosts: 92.63.97.167 co-operativebank.com

O1 - Hosts: 92.63.97.167 personal.barclays.co.uk

O1 - Hosts: 92.63.97.167 barclays.co.uk

O1 - Hosts: 92.63.97.167 www.barclays.co.uk

O1 - Hosts: 92.63.97.167 barclays.touchclarity.com

O1 - Hosts: 92.63.97.167 hsbc.co.uk

O1 - Hosts: 92.63.97.167 www.hsbc.co.uk

O1 - Hosts: 92.63.97.167 hsbc.touchclarity.com

O1 - Hosts: 92.63.97.167 www1.member-hsbc-group.com

O1 - Hosts: 92.63.97.167 lloydstsb.co.uk

O1 - Hosts: 92.63.97.167 www.lloydstsb.co.uk

O1 - Hosts: 92.63.97.167 lloydstsb.com

O1 - Hosts: 92.63.97.167 www.lloydstsb.com

O1 - Hosts: 92.63.97.167 mi.lloydstsb.com

O1 - Hosts: 92.63.97.167 www.woolwich.co.uk

O1 - Hosts: 92.63.97.167 woolwich.co.uk

O1 - Hosts: 92.63.97.167 www.deutsche-bank.de

O1 - Hosts: 92.63.97.167 deutsche-bank.de

O1 - Hosts: 92.63.97.167 www.anbusiness.com

O1 - Hosts: 92.63.97.167 anbusiness.com

O1 - Hosts: 92.63.97.167 www.abbeyinternational.com

O1 - Hosts: 92.63.97.167 www.barclays.com

O1 - Hosts: 92.63.97.167 barclays.com

O1 - Hosts: 92.63.97.167 ibank.internationalbanking.barclays.com

O1 - Hosts: 92.63.97.167 offshore.hsbc.com

O1 - Hosts: 92.63.97.167 www.lloydstsb-offshore.com

O1 - Hosts: 92.63.97.167 lloydstsb-offshore.com

O1 - Hosts: 92.63.97.167 citibank.de

O1 - Hosts: 92.63.97.167 www.citibank.de

O1 - Hosts: 92.63.97.167 www.natwest.com

O1 - Hosts: 92.63.97.167 natwest.com

O1 - Hosts: 92.63.97.167 nwolb.com

O1 - Hosts: 92.63.97.167 rbs.co.uk

O1 - Hosts: 92.63.97.167 www.rbs.co.uk

O1 - Hosts: 92.63.97.167 rbsdigital.com

O1 - Hosts: 92.63.97.167 www.ybonline.co.uk

O1 - Hosts: 92.63.97.167 ybonline.co.uk

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll

O3 - Toolbar: Alcohol Soft - Alcohol 120% Toolbar - {1CE4EE89-2D5C-4361-AF3B-D902AB545381} - C:\Program Files\Alcohol Soft\Alcohol 120% Toolbar\a120_tb.dll (file missing)

O3 - Toolbar: Zango - {E1BACF55-35E1-4E47-9247-2D48660E5545} - C:\Program Files\Zango\bin\10.1.181.0\HostIE.dll (file missing)

O3 - Toolbar: nmwegbsf - {F675F06A-0375-4B3E-8F88-62E0FC9C706A} - C:\WINDOWS\nmwegbsf.dll

O4 - HKLM\..\Run: [40ccc01e] rundll32.exe "C:\WINDOWS\system32\qjcqckqo.dll",b

O21 - SSODL: erpobmsw - {ED614A2E-409C-4B97-B890-C518DFECDD12} - C:\WINDOWS\erpobmsw.dll (file missing)

O21 - SSODL: adgpfoxs - {B7DD0E1A-030A-4C65-808A-0F2BDB2B6102} - C:\WINDOWS\adgpfoxs.dll (file missing)

O21 - SSODL: MonCheck - {20001b99-1220-42c4-a609-4e879a5a5cea} - C:\WINDOWS\Resources\MonCheck.dll (file missing)

O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" -r (file missing)

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

Fix in HJ :P

On 06.06.2008 at 21:25 the following was appended to the post by Łukasz14

PS. I doubt you added that many links to "Łącza" (Links) yourself :)

The latest log looks like this

Logfile of HijackThis v1.99.1

Scan saved at 21:35: VIRUS ALERT!, on 2008-06-06

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\studnet\studnet.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Gadu-Gadu\gg.exe

C:\Documents and Settings\user\Pulpit\HijackThis.exe

O3 - Toolbar: nmwegbsf - {F675F06A-0375-4B3E-8F88-62E0FC9C706A} - C:\WINDOWS\nmwegbsf.dll

O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm

O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm

O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm

O9 - Extra button: Statystyki dla ochrony WWW - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll

O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne … nicode.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{714E189E-5F49-4187-993A-467016881E7F}: NameServer = 139.18.25.3

O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" -r (file missing)

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: Harmonogram automatycznej usługi LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O3 - Toolbar: nmwegbsf - {F675F06A-0375-4B3E-8F88-62E0FC9C706A} - C:\WINDOWS\nmwegbsf.dll

This one too :P

Łukasz, O23 entries don't get removed that way, and rightly so, because they are legitimate

The entries

should also be removed with HijackThis >> Fix checked

Download Combofix http://www.searchengines.pl/index.php?s … ntry395642 but don't run it

Open Notepad and paste

save it as CFScript.txt (save it so that the CFScript.txt icon sits next to the ComboFix.exe icon) >> Drag and drop the CFScript.txt icon onto the ComboFix.exe icon

http://img.wklej.org/images/88953CFScri … iemoes.gif

Removal should start

Then post the Combofix removal log

:)

Hello again. Many thanks for the useful info. I'm rushing to post the combofix log

ComboFix 08-06-05.3 - user 2008-06-06 22:11:57.1 - NTFSx86

Running from: C:\Documents and Settings\user\Pulpit\ComboFix.exe

Command switches used :: C:\Documents and Settings\user\Pulpit\CFScript.txt

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED!!

FILE ::

C:\WINDOWS\nmwegbsf.dll

C:\WINDOWS\system32\qjcqckqo.dll

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Documents and Settings\All Users\Dane aplikacji\Microsoft\Network\Downloader\qmgr0.dat

C:\Documents and Settings\All Users\Dane aplikacji\Microsoft\Network\Downloader\qmgr1.dat

C:\Documents and Settings\user\Pulpit\Privacy Protector.url

C:\WINDOWS\nmwegbsf.dll

C:\WINDOWS\system32\1.htm

C:\WINDOWS\system32\905757\905757.dll

C:\WINDOWS\system32\dqdztmoc.dll

C:\WINDOWS\system32\gqrru.exe

C:\WINDOWS\system32\iifeeCRH.dll

C:\WINDOWS\system32\jkkKcDTl.dll

C:\WINDOWS\system32\lTDcKkkj.ini

C:\WINDOWS\system32\lTDcKkkj.ini2

C:\WINDOWS\system32\mcrh.tmp

C:\WINDOWS\system32\mdm.exe

C:\WINDOWS\system32\oqkcqcjq.ini

C:\WINDOWS\system32\prsgrc.dll

C:\WINDOWS\system32\w3naeld.dll

C:\WINDOWS\system32\xGfMlUtv.ini

C:\WINDOWS\system32\xGfMlUtv.ini2

C:\WINDOWS\system32\ycogxxti.ini

----- BITS: Possible infected sites -----

hxxp://139.18.143.201

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_MSUPDATE

((((((((((((((((((((((((( Files Created from 2008-05-06 to 2008-06-06 )))))))))))))))))))))))))))))))

.

2008-06-06 20:15 . 2008-06-06 20:15 117,640 --a------ C:\test.htm

2008-06-06 15:20 . 2008-06-06 15:20 92,032 --a------ C:\WINDOWS\system32\itxxgocy.dll

2008-06-06 09:35 . 2008-06-06 19:52

2008-06-06 09:35 . 2008-06-06 19:54

2008-06-05 13:12 . 2008-06-05 13:12

2008-06-05 12:37 . 2008-06-05 12:37

2008-06-05 11:58 . 2008-06-05 11:54 294 --ahs---- C:\WINDOWS\system32\ugkvppjv.ini

2008-06-05 11:45 . 2008-06-05 11:45 1,273,594 ---hs---- C:\WINDOWS\system32\ugkvppjv.tmp

2008-06-05 11:24 . 2008-06-05 11:48 96,966 --a------ C:\WINDOWS\system32\drivers\klin.dat

2008-06-05 11:24 . 2008-06-05 11:48 88,774 --a------ C:\WINDOWS\system32\drivers\klick.dat

2008-06-05 11:21 . 2008-06-06 19:55

2008-06-05 11:21 . 2008-06-06 23:22 1,698,848 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat

2008-06-05 11:21 . 2008-06-06 23:20 23,780 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx

2008-06-05 11:21 . 2008-06-06 23:22 22,304 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat

2008-06-05 11:21 . 2008-06-06 23:20 3,092 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx

2008-06-05 10:42 . 2008-06-05 10:42

2008-06-05 10:34 . 2008-06-05 10:34

2008-06-05 10:34 . 2008-06-05 10:34

2008-06-05 10:33 . 2008-06-05 10:33

2008-06-05 10:32 . 2008-06-05 10:32 324,352 --------- C:\WINDOWS\system32\vtUlMfGx.dll_old

2008-06-05 10:17 . 2008-06-05 10:17

2008-06-05 10:00 . 2008-06-05 10:00

2008-06-05 09:52 . 2008-06-05 09:52 16 --a------ C:\WINDOWS\system32\coh.cache

2008-06-05 09:51 . 2008-06-05 09:51

2008-06-05 09:49 . 2008-06-05 09:49

2008-06-05 09:49 . 2008-06-05 09:49

2008-06-05 09:49 . 2008-06-05 09:49

2008-06-05 09:43 . 2008-06-05 09:43

2008-06-05 09:43 . 2008-06-05 09:43

2008-06-05 09:37 . 2008-06-05 09:37

2008-06-05 09:32 . 2008-06-05 09:32

2008-06-05 09:31 . 2008-06-05 11:31

2008-06-05 09:27 . 2008-06-06 23:06

2008-06-05 09:27 . 2008-06-05 09:27

2008-06-05 09:27 . 2008-06-05 09:27

2008-06-05 09:27 . 2008-06-05 09:27

2008-06-05 09:27 . 2008-06-05 09:27

2008-06-05 09:27 . 2008-06-05 09:27

2008-06-05 09:27 . 2008-06-05 09:27

2008-06-05 09:27 . 2008-06-05 09:27

2008-06-05 09:27 . 2008-06-05 09:27

2008-06-05 01:46 . 2008-06-05 00:17 245,760 --a------ C:\WINDOWS\nogxfvblawt.dll

2008-06-05 01:46 . 2008-06-05 00:17 229,376 --------- C:\WINDOWS\erpobmsw.dll_old

2008-06-05 01:46 . 2008-06-05 09:27 160,256 --a------ C:\WINDOWS\system32\blackster.scr

2008-06-05 01:46 . 2008-06-05 00:17 94,208 --a------ C:\WINDOWS\exmk.exe

2008-06-05 01:46 . 2008-06-05 00:17 81,920 --a------ C:\WINDOWS\xbqmfsed.exe

2008-06-05 00:48 . 2008-06-05 00:48

2008-06-05 00:12 . 2008-06-05 11:17

2008-06-05 00:00 . 2008-06-05 00:00

2008-06-04 23:53 . 2008-06-04 23:53 0 --a------ C:\WINDOWS\nsreg.dat

2008-06-04 23:41 . 2008-06-04 23:41

2008-06-04 23:41 . 2005-11-28 14:12 683,488 --a------ C:\WINDOWS\studsavinfo.exe

2008-06-04 10:36 . 2008-06-04 10:36

2008-06-03 23:59 . 2008-06-03 23:59 552 --a------ C:\WINDOWS\system32\d3d8caps.dat

2008-06-02 09:02 . 2004-08-04 00:43 716,288 --a------ C:\WINDOWS\system32\ntlib.dll

2008-06-02 09:01 . 2008-06-02 09:01 0 --a------ C:\WINDOWS\system32\zakaz1.clk

2008-06-01 23:13 . 2008-06-01 23:44 724,992 --a------ C:\WINDOWS\iun6002.exe

2008-06-01 23:11 . 2008-06-04 00:25

2008-06-01 22:08 . 2004-08-04 00:43 716,288 --a------ C:\WINDOWS\system32\hlxb.dll

2008-05-29 16:53 . 2008-05-17 13:23 4,090,320 --a------ C:\WINDOWS\system32\ssartworkz_pc.dll

2008-05-29 16:53 . 2007-09-28 17:11 338,384 --a------ C:\WINDOWS\system32\JS32CE_pc.dll

2008-05-29 16:53 . 2008-05-16 15:57 258,352 --a------ C:\WINDOWS\system32\unicows.dll

2008-05-29 16:53 . 2007-09-28 17:11 186,832 --a------ C:\WINDOWS\system32\Archimedes_pc.dll

2008-05-29 16:53 . 2008-05-17 13:23 88,528 --a------ C:\WINDOWS\system32\sszlib_pc.dll

2008-05-14 22:28 . 2008-05-14 22:28 29,165 --a------ C:\WINDOWS\system32\nfjjrgmshsi

2008-05-14 22:28 . 2008-06-05 13:00 8,242 --a------ C:\Documents and Settings\user\mpr2.dat

2008-05-14 22:28 . 2008-06-05 13:00 8,242 --a------ C:\Documents and Settings\user\mpr.dat

2008-05-06 21:39 . 2008-05-22 21:29 0 --a------ C:\IAX_OUT.DAT

2008-05-06 21:39 . 2008-05-22 21:29 0 --a------ C:\IAX_IN.DAT

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2060-08-18 17:02 1,496,064 ------w C:\WINDOWS\system32\CC3250MT.DLL

2060-08-18 16:40 909,824 ------w C:\WINDOWS\system32\CP3245MT.DLL

2060-08-18 16:40 24,064 ------w C:\WINDOWS\system32\BORLNDMM.DLL

2008-06-06 21:17 --------- d-----w C:\Documents and Settings\user\Dane aplikacji\Skype

2008-06-05 09:52 112,144 ----a-w C:\WINDOWS\system32\drivers\kl1.sys

2008-06-05 09:31 --------- d-----w C:\Program Files\Common Files\Symantec Shared

2008-06-05 09:21 --------- d-----w C:\Program Files\Kaspersky Lab

2008-06-05 09:16 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Symantec

2008-06-05 08:53 --------- d-----w C:\Program Files\BitComet

2008-06-03 22:41 --------- d-----w C:\Program Files\MarBit

2008-06-03 22:25 --------- d-----w C:\Program Files\Common Files\Teleca Shared

2008-06-03 21:25 --------- d-----w C:\Program Files\onlineTV 2

2008-06-03 21:22 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-06-03 21:20 --------- d-----w C:\Program Files\Winamp

2008-06-01 21:45 --------- d-----w C:\Program Files\GK3neu

2008-05-06 06:06 --------- d-----w C:\Program Files\AskPBar

2008-04-29 19:59 --------- d-----w C:\Program Files\TerraSipPhonerLite

2008-04-26 22:09 --------- d-----w C:\Program Files\Elaborate Bytes

2008-04-21 21:15 --------- d-----w C:\Documents and Settings\user\Dane aplikacji\IrfanView

2008-04-15 22:47 --------- d-----w C:\Program Files\NiemPol

2008-04-14 18:35 --------- d-----w C:\Program Files\PDFCreator PL

2008-04-14 18:35 --------- d-----w C:\Documents and Settings\user\Dane aplikacji\PDFCreator

2006-07-26 16:48 6,770,772 ----a-w C:\Program Files\realalt149.exe

2006-07-26 16:46 735,883 ----a-w C:\Program Files\ac3filter_1_02a_test8.exe

2006-07-17 22:26 4,272,232 ----a-w C:\Program Files\subedit+codecpack_pl.exe

2006-07-17 22:18 8,282,187 ----a-w C:\Program Files\vlc-0.8.5-win32.exe

2001-02-23 17:22 299,008 ----a-w C:\Program Files\bestplayer1.0.exe

1999-05-17 10:58 99,840 ----a-w C:\Program Files\Common Files\IRAABOUT.DLL

1998-12-08 23:53 70,144 ----a-w C:\Program Files\Common Files\IRAMDMTR.DLL

1998-12-08 23:53 48,640 ----a-w C:\Program Files\Common Files\IRALPTTR.DLL

1998-12-08 23:53 31,744 ----a-w C:\Program Files\Common Files\IRAWEBTR.DLL

1998-12-08 23:53 186,368 ----a-w C:\Program Files\Common Files\IRAREG.DLL

1998-12-08 23:53 17,920 ----a-w C:\Program Files\Common Files\IRASRIAL.DLL

2007-08-28 19:29 80 --sh--r C:\WINDOWS\system32\7148505F44.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{945328DB-7667-4043-9D75-CE942CC333C0}]

C:\WINDOWS\system32\vtUlMfGx.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E06E98B2-A901-4064-A05E-0F56D55DD86D}]

2008-06-05 00:17 245760 --a------ C:\WINDOWS\nogxfvblawt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E1BACF55-35E1-4E47-9247-2D48660E5545}]

C:\Program Files\Zango\bin\10.1.181.0\HostIE.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]

"{E1BACF55-35E1-4E47-9247-2D48660E5545}"= C:\Program Files\Zango\bin\10.1.181.0\HostIE.dll []

[HKEY_CLASSES_ROOT\clsid\{e1bacf55-35e1-4e47-9247-2d48660e5545}]

[HKEY_CLASSES_ROOT\HostIE.Bho.1]

[HKEY_CLASSES_ROOT\TypeLib\{087C4054-0A2B-4F35-B0DB-BED3E21650F4}]

[HKEY_CLASSES_ROOT\HostIE.Bho]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44 15360]

"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2005-09-15 15:43 1712128]

"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2007-12-18 00:43 227856]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:44 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"msacm.l3acm"= l3codecp.acm

"vidc.3iv2"= 3ivxVfWCodec.dll

"msacm.divxa32"= divxa32.acm

"VIDC.HFYU"= huffyuv.dll

"VIDC.VP31"= vp31vfw.dll

"msacm.l3codecp"= l3codecp.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winch62.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winnr60.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wintx47.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winuy37.sys]

@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Gamma Loader.lnk]

path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Gamma Loader.lnk

backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Microsoft Office.lnk]

path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Microsoft Office.lnk

backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Symantec Fax Starter Edition Port.lnk]

path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Symantec Fax Starter Edition Port.lnk

backup=C:\WINDOWS\pss\Symantec Fax Starter Edition Port.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^user^Menu Start^Programy^Autostart^UltimateZip Quick Start.lnk]

path=C:\Documents and Settings\user\Menu Start\Programy\Autostart\UltimateZip Quick Start.lnk

backup=C:\WINDOWS\pss\UltimateZip Quick Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]

--a------ 2003-04-18 11:20 88363 C:\WINDOWS\agrsmmsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]

--a------ 2003-10-30 16:46 192512 C:\Program Files\Apoint2K\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\callfromweb]

C:\Program Files\CallFromWeb\CallFromWeb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]

--a------ 2007-04-04 00:29 165784 C:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DrWebScheduler]

C:\Program Files\DrWeb\DRWEBSCD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eFON]

C:\Program Files\eFON\efon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eyeBeam SIP Client]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gadu-Gadu]

--a------ 2005-09-15 15:43 1712128 C:\Program Files\Gadu-Gadu\gg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]

--a------ 2004-01-26 19:03 118784 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]

--a------ 2004-01-26 19:03 155648 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Komunikator]

C:\Program Files\Tlen.pl\tlen.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LtMoh]

--a------ 2003-01-02 16:16 172032 C:\Program Files\ltmoh\Ltmoh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

--------- 2004-10-13 18:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OneMoreKey]

C:\Program Files\XP Antivirus\xpa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PoivY]

C:\Program Files\PoivY.com\PoivY\PoivY.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]

--a------ 2007-04-09 14:23 200704 C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]

--a------ 2004-11-02 20:24 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmaTel StacMon]

--a------ 2003-08-03 16:01 86073 C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

--a------ 2006-11-24 18:16 20058152 C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SparVoip]

C:\Program Files\SparVoip\SparVoip.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\studNET-Autologin]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

--a------ 2007-07-14 21:38 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

--a------ 2005-10-12 00:38 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPSMain]

--a------ 2004-03-03 12:57 278528 C:\WINDOWS\system32\TPSMain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoipBuster]

C:\Program Files\VoipBuster.com\VoipBuster\VoipBuster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoipCheapCom]

C:\Program Files\VoipCheapCom\VoipCheapCom.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoipDiscount]

C:\Program Files\VoipDiscount.com\VoipDiscount\VoipDiscount.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoipStunt]

C:\Program Files\VoipStunt.com\VoipStunt\VoipStunt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WeatherDPA]

C:\Program Files\Zango\bin\10.1.181.0\Weather.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]

--a------ 2007-05-15 00:22 35328 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"gusvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe"=

"C:\Program Files\Gadu-Gadu\gg.exe"=

"C:\Program Files\Gadu-Gadu\ggphone\ggphone.exe"=

"C:\Program Files\PeerCast\PeerCast.exe"=

"C:\Program Files\Winamp\winamp.exe"=

"C:\Program Files\BitComet\BitComet.exe"=

"C:\Program Files\SJLabs\SJphone\SJphone.exe"=

"C:\Program Files\Skype\Phone\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"14483:TCP"= 14483:TCP:BitComet 14483 TCP

"14483:UDP"= 14483:UDP:BitComet 14483 UDP

R1 SSHDRV82;SSHDRV82;C:\WINDOWS\system32\drivers\SSHDRV82.sys [2005-11-08 22:23]

R2 Harmonogram automatycznej usługi LiveUpdate;Harmonogram automatycznej usługi LiveUpdate;“C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe” [2006-09-13 15:54]

R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]

S0 Winch62;Winch62;C:\WINDOWS\system32\Drivers\Winch62.sys []

S0 Winuy37;Winuy37;C:\WINDOWS\system32\Drivers\Winuy37.sys []

S3 wlags48d;Agere Wireless PCCard Service;C:\WINDOWS\system32\DRIVERS\wlags48d.sys [2003-07-24 09:13]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{ae49b400-980d-11db-ae7a-000e7b87cb13}]

\Shell\AutoRun\command - G:\LaunchU3.exe

.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-06-06 23:22:43

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully

hidden files: 0

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

C:\WINDOWS\system32\wdfmgr.exe

.

**************************************************************************

.

Completion time: 2008-06-06 23:33:38 - machine was rebooted

ComboFix-quarantined-files.txt 2008-06-06 21:33:24

Pre-Run: 6,789,693,440 bytes free

Post-Run: 7,088,533,504 bytes free

313 --- E O F --- 2008-02-26 18:40:34

Open Notepad and paste

Save it as CFScript.txt (save it so that the CFScript.txt icon sits next to the ComboFix.exe icon) >> drag and drop the CFScript.txt icon onto the ComboFix.exe icon

http://img.wklej.org/images/88953CFScri … iemoes.gif

The removal should start.

Then post the ComboFix removal log.
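The part of the ComboFix log that the helper reads before writing a CFScript is the "Reg Loading Points" section together with the R/S driver lines: Security Center monitoring switched off for every installed product, two S0 drivers (Winch62, Winuy37) whose file ComboFix could not stamp, random-looking driver names registered under SafeBoot\Minimal so they survive Safe Mode, a removable-media AutoRun command, and firewall ports opened to the world. As an added example (not code from the original post and not part of ComboFix), here is a small Python triage script over a constructed excerpt modelled on those lines. The `Win??NN.sys` naming heuristic is an assumption derived from the names in this particular log (Winch62, Winuy37, Winnr60, Wintx47), not a general rule, and `vga.sys` is included only to show that a legitimate SafeBoot entry does not trip it.

```python
"""Triage of ComboFix 'Reg Loading Points' and driver/service lines.

Added example for this thread; it is not part of the original post and not
ComboFix's own code.  SAMPLE_LOG is a constructed excerpt modelled on the
log lines quoted above.
"""
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    kind: str
    detail: str


# Constructed sample: same line formats as the ComboFix log in the thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winnr60.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys]
@="Driver"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"14483:TCP"= 14483:TCP:BitComet 14483 TCP
"14483:UDP"= 14483:UDP:BitComet 14483 UDP
R1 SSHDRV82;SSHDRV82;C:\WINDOWS\system32\drivers\SSHDRV82.sys [2005-11-08 22:23]
S0 Winch62;Winch62;C:\WINDOWS\system32\Drivers\Winch62.sys []
S0 Winuy37;Winuy37;C:\WINDOWS\system32\Drivers\Winuy37.sys []
S3 wlags48d;Agere Wireless PCCard Service;C:\WINDOWS\system32\DRIVERS\wlags48d.sys [2003-07-24 09:13]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ae49b400-980d-11db-ae7a-000e7b87cb13}]
\Shell\AutoRun\command - G:\LaunchU3.exe
"""

RE_KEY = re.compile(r"^\[(.+)\]$")
# "R1 name;display;path [timestamp]" -- an empty [] means ComboFix found no file to stamp.
RE_DRIVER = re.compile(r"^([RS]\d)\s+([^;]+);[^;]*;(.*?)\s*\[(.*)\]\s*$")
# Heuristic taken from the names in this log (Winch62, Winuy37, Winnr60, Wintx47):
# 'Win' + two letters + two digits.  Legitimate SafeBoot entries such as vga.sys do not match.
RE_RANDOM_SYS = re.compile(r"^Win[a-z]{2}\d{2}\.sys$", re.IGNORECASE)
RE_PORT = re.compile(r'^"(\d+):(TCP|UDP)"=')


def triage(log_text: str) -> List[Finding]:
    """Walk the log once, tracking the current registry key, and collect findings."""
    findings: List[Finding] = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RE_KEY.match(line)
        if m:
            current_key = m.group(1)
            leaf = current_key.rsplit("\\", 1)[-1]
            # A driver registered for Safe Mode keeps loading when the user boots minimal.
            if "\\safeboot\\minimal\\" in current_key.lower() and RE_RANDOM_SYS.match(leaf):
                findings.append(Finding("safeboot_driver", leaf))
            continue
        key_lc = current_key.lower()
        # Security Center told not to monitor the product under this sub-key.
        if (line.lower().startswith('"disablemonitoring"=dword:00000001')
                and "security center\\monitoring" in key_lc):
            findings.append(Finding("security_center_disabled", current_key.rsplit("\\", 1)[-1]))
            continue
        m = RE_DRIVER.match(line)
        if m:
            start, name, path, stamp = m.groups()
            if not stamp.strip():
                findings.append(Finding("driver_no_file_info", f"{start} {name} {path}"))
            continue
        # MountPoints2 AutoRun command: executed when the removable drive is opened.
        if "\\shell\\autorun\\command" in line.lower() and "mountpoints2" in key_lc:
            target = line.split(" - ", 1)[1] if " - " in line else line
            findings.append(Finding("removable_autorun", target))
            continue
        m = RE_PORT.match(line)
        if m and "globallyopenports" in key_lc:
            findings.append(Finding("open_inbound_port", f"{m.group(1)}/{m.group(2)}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:26} {f.detail}")
```

Run against the excerpt it reports eight findings; the two `driver_no_file_info` hits are exactly the drivers the helper's CFScript removes in the next log, and the `security_center_disabled` hits explain why the user saw the "VIRUS ALERT!" clock text without the Security Center complaining.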

Hello again, I'm sending the second ComboFix log.

ComboFix 08-06-05.3 - user 2008-06-07 7:23:41.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1250.48.1045.18.185 [GMT 2:00]

Running from: C:\Documents and Settings\user\Pulpit\ComboFix.exe

Command switches used :: C:\Documents and Settings\user\Pulpit\CFScript.txt

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED!!

FILE ::

C:\test.htm

C:\WINDOWS\erpobmsw.dll_old

C:\WINDOWS\exmk.exe

C:\WINDOWS\nogxfvblawt.dll

C:\WINDOWS\system32\7148505F44.dll

C:\WINDOWS\system32\blackster.scr

C:\WINDOWS\system32\hlxb.dll

C:\WINDOWS\system32\itxxgocy.dll

C:\WINDOWS\system32\nfjjrgmshsi

C:\WINDOWS\system32\ugkvppjv.ini

C:\WINDOWS\system32\ugkvppjv.tmp

C:\WINDOWS\system32\vtUlMfGx.dll_old

C:\WINDOWS\system32\zakaz1.clk

C:\WINDOWS\xbqmfsed.exe

C:\Documents and Settings\ShoppingReport :#:

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Documents and Settings\user\ShoppingReport

C:\ShoppingReport

C:\test.htm

C:\WINDOWS\erpobmsw.dll_old

C:\WINDOWS\exmk.exe

C:\WINDOWS\system32\7148505F44.dll

C:\WINDOWS\system32\blackster.scr

C:\WINDOWS\system32\hlxb.dll

C:\WINDOWS\system32\itxxgocy.dll

C:\WINDOWS\system32\nfjjrgmshsi

C:\WINDOWS\system32\ugkvppjv.ini

C:\WINDOWS\system32\ugkvppjv.tmp

C:\WINDOWS\system32\vtUlMfGx.dll_old

C:\WINDOWS\system32\zakaz1.clk

C:\WINDOWS\xbqmfsed.exe

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_WINCH62

-------\Legacy_WINUY37

-------\Service_gusvc

-------\Service_Winch62

-------\Service_Winuy37

((((((((((((((((((((((((( Files Created from 2008-05-07 to 2008-06-07 )))))))))))))))))))))))))))))))

.

2008-06-07 01:11 . 2008-06-07 01:11

2008-06-07 00:29 . 2008-06-07 00:29

2008-06-07 00:29 . 2008-06-07 00:29

2008-06-06 23:33 . 2008-06-06 23:33

2008-06-06 23:33 .

2008-06-06 23:33 .

2008-06-06 09:35 . 2008-06-06 19:52

2008-06-06 09:35 . 2008-06-06 19:54

2008-06-05 12:37 . 2008-06-05 12:37

2008-06-05 10:42 . 2008-06-05 10:42

2008-06-05 10:34 . 2008-06-05 10:34

2008-06-05 10:34 . 2008-06-05 10:34

2008-06-05 10:33 . 2008-06-05 10:33

2008-06-05 10:17 . 2008-06-05 10:17

2008-06-05 10:00 . 2008-06-05 10:00

2008-06-05 09:52 . 2008-06-05 09:52 16 --a------ C:\WINDOWS\system32\coh.cache

2008-06-05 09:51 . 2008-06-05 09:51

2008-06-05 09:49 . 2008-06-05 09:49

2008-06-05 09:49 . 2008-06-05 09:49

2008-06-05 09:49 . 2008-06-05 09:49

2008-06-05 09:43 . 2008-06-05 09:43

2008-06-05 09:43 . 2008-06-05 09:43

2008-06-05 09:37 . 2008-06-05 09:37

2008-06-05 09:32 . 2008-06-05 09:32

2008-06-05 09:31 . 2008-06-05 11:31

2008-06-05 09:27 . 2008-06-06 23:06

2008-06-05 09:27 . 2008-06-05 09:27

2008-06-05 09:27 . 2008-06-05 09:27

2008-06-05 09:27 . 2008-06-05 09:27

2008-06-05 09:27 . 2008-06-05 09:27

2008-06-05 09:27 . 2008-06-05 09:27

2008-06-05 09:27 . 2008-06-05 09:27

2008-06-05 00:48 . 2008-06-05 00:48

2008-06-05 00:12 . 2008-06-05 11:17

2008-06-05 00:00 . 2008-06-05 00:00

2008-06-04 23:53 . 2008-06-04 23:53 0 --a------ C:\WINDOWS\nsreg.dat

2008-06-04 23:41 . 2008-06-04 23:41

2008-06-04 23:41 . 2005-11-28 14:12 683,488 --a------ C:\WINDOWS\studsavinfo.exe

2008-06-04 10:36 . 2008-06-04 10:36

2008-06-03 23:59 . 2008-06-03 23:59 552 --a------ C:\WINDOWS\system32\d3d8caps.dat

2008-06-02 09:02 . 2004-08-04 00:43 716,288 --a------ C:\WINDOWS\system32\ntlib.dll

2008-06-01 23:13 . 2008-06-01 23:44 724,992 --a------ C:\WINDOWS\iun6002.exe

2008-06-01 23:11 . 2008-06-04 00:25

2008-05-29 16:53 . 2008-05-17 13:23 4,090,320 --a------ C:\WINDOWS\system32\ssartworkz_pc.dll

2008-05-29 16:53 . 2007-09-28 17:11 338,384 --a------ C:\WINDOWS\system32\JS32CE_pc.dll

2008-05-29 16:53 . 2008-05-16 15:57 258,352 --a------ C:\WINDOWS\system32\unicows.dll

2008-05-29 16:53 . 2007-09-28 17:11 186,832 --a------ C:\WINDOWS\system32\Archimedes_pc.dll

2008-05-29 16:53 . 2008-05-17 13:23 88,528 --a------ C:\WINDOWS\system32\sszlib_pc.dll

2008-05-14 22:28 . 2008-06-05 13:00 8,242 --a------ C:\Documents and Settings\user\mpr2.dat

2008-05-14 22:28 . 2008-06-05 13:00 8,242 --a------ C:\Documents and Settings\user\mpr.dat

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-06-06 21:17 --------- d-----w C:\Documents and Settings\user\Dane aplikacji\Skype

2008-06-05 09:31 --------- d-----w C:\Program Files\Common Files\Symantec Shared

2008-06-05 09:21 --------- d-----w C:\Program Files\Kaspersky Lab

2008-06-05 09:16 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Symantec

2008-06-05 08:53 --------- d-----w C:\Program Files\BitComet

2008-06-03 22:41 --------- d-----w C:\Program Files\MarBit

2008-06-03 22:25 --------- d-----w C:\Program Files\Common Files\Teleca Shared

2008-06-03 21:25 --------- d-----w C:\Program Files\onlineTV 2

2008-06-03 21:22 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-06-03 21:20 --------- d-----w C:\Program Files\Winamp

2008-06-01 21:45 --------- d-----w C:\Program Files\GK3neu

2008-05-22 19:29 0 ----a-w C:\IAX_OUT.DAT

2008-05-22 19:29 0 ----a-w C:\IAX_IN.DAT

2008-05-06 06:06 --------- d-----w C:\Program Files\AskPBar

2008-04-29 19:59 --------- d-----w C:\Program Files\TerraSipPhonerLite

2008-04-26 22:09 --------- d-----w C:\Program Files\Elaborate Bytes

2008-04-21 21:15 --------- d-----w C:\Documents and Settings\user\Dane aplikacji\IrfanView

2008-04-15 22:47 --------- d-----w C:\Program Files\NiemPol

2008-04-14 18:35 --------- d-----w C:\Program Files\PDFCreator PL

2008-04-14 18:35 --------- d-----w C:\Documents and Settings\user\Dane aplikacji\PDFCreator

2006-07-26 16:48 6,770,772 ----a-w C:\Program Files\realalt149.exe

2006-07-26 16:46 735,883 ----a-w C:\Program Files\ac3filter_1_02a_test8.exe

2006-07-17 22:26 4,272,232 ----a-w C:\Program Files\subedit+codecpack_pl.exe

2006-07-17 22:18 8,282,187 ----a-w C:\Program Files\vlc-0.8.5-win32.exe

2001-02-23 17:22 299,008 ----a-w C:\Program Files\bestplayer1.0.exe

1999-05-17 10:58 99,840 ----a-w C:\Program Files\Common Files\IRAABOUT.DLL

1998-12-08 23:53 70,144 ----a-w C:\Program Files\Common Files\IRAMDMTR.DLL

1998-12-08 23:53 48,640 ----a-w C:\Program Files\Common Files\IRALPTTR.DLL

1998-12-08 23:53 31,744 ----a-w C:\Program Files\Common Files\IRAWEBTR.DLL

1998-12-08 23:53 186,368 ----a-w C:\Program Files\Common Files\IRAREG.DLL

1998-12-08 23:53 17,920 ----a-w C:\Program Files\Common Files\IRASRIAL.DLL

.

((((((((((((((((((((((((((((( snapshot@2008-06-06_23.29.56.32 )))))))))))))))))))))))))))))))))))))))))

.

- 2008-06-06 21:21:21 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-07 05:28:02 2,048 --s-a-w C:\WINDOWS\bootstat.dat

+ 2008-01-21 16:12:56 41,792 ----a-w C:\WINDOWS\system32\drivers\avgntdd.sys

+ 2008-01-21 16:11:28 22,336 ----a-w C:\WINDOWS\system32\drivers\avgntmgr.sys

+ 2008-03-04 11:28:53 79,424 ----a-w C:\WINDOWS\system32\drivers\avipbb.sys

+ 2007-03-01 08:34:22 28,352 ----a-w C:\WINDOWS\system32\drivers\ssmdrv.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44 15360]

"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2005-09-15 15:43 1712128]

"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

"studNET-Autologin"="C:\WINDOWS\system32\studnet\studnet.exe" [2007-09-26 18:15 245760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:44 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"msacm.l3acm"= l3codecp.acm

"vidc.3iv2"= 3ivxVfWCodec.dll

"msacm.divxa32"= divxa32.acm

"VIDC.HFYU"= huffyuv.dll

"VIDC.VP31"= vp31vfw.dll

"msacm.l3codecp"= l3codecp.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winnr60.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wintx47.sys]

@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Gamma Loader.lnk]

path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Gamma Loader.lnk

backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Microsoft Office.lnk]

path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Microsoft Office.lnk

backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Symantec Fax Starter Edition Port.lnk]

path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Symantec Fax Starter Edition Port.lnk

backup=C:\WINDOWS\pss\Symantec Fax Starter Edition Port.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^user^Menu Start^Programy^Autostart^UltimateZip Quick Start.lnk]

path=C:\Documents and Settings\user\Menu Start\Programy\Autostart\UltimateZip Quick Start.lnk

backup=C:\WINDOWS\pss\UltimateZip Quick Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]

--a------ 2003-04-18 11:20 88363 C:\WINDOWS\agrsmmsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]

--a------ 2003-10-30 16:46 192512 C:\Program Files\Apoint2K\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]

--a------ 2007-04-04 00:29 165784 C:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gadu-Gadu]

--a------ 2005-09-15 15:43 1712128 C:\Program Files\Gadu-Gadu\gg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]

--a------ 2004-01-26 19:03 118784 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]

--a------ 2004-01-26 19:03 155648 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LtMoh]

--a------ 2003-01-02 16:16 172032 C:\Program Files\ltmoh\Ltmoh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

--------- 2004-10-13 18:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]

--a------ 2007-04-09 14:23 200704 C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]

--a------ 2004-11-02 20:24 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmaTel StacMon]

--a------ 2003-08-03 16:01 86073 C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

--a------ 2006-11-24 18:16 20058152 C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

--a------ 2007-07-14 21:38 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

--a------ 2005-10-12 00:38 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPSMain]

--a------ 2004-03-03 12:57 278528 C:\WINDOWS\system32\TPSMain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]

--a------ 2007-05-15 00:22 35328 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe"=

"C:\Program Files\Gadu-Gadu\gg.exe"=

"C:\Program Files\Gadu-Gadu\ggphone\ggphone.exe"=

"C:\Program Files\PeerCast\PeerCast.exe"=

"C:\Program Files\Winamp\winamp.exe"=

"C:\Program Files\BitComet\BitComet.exe"=

"C:\Program Files\SJLabs\SJphone\SJphone.exe"=

"C:\Program Files\Skype\Phone\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"14483:TCP"= 14483:TCP:BitComet 14483 TCP

"14483:UDP"= 14483:UDP:BitComet 14483 UDP

R1 SSHDRV82;SSHDRV82;C:\WINDOWS\system32\drivers\SSHDRV82.sys [2005-11-08 22:23]

R2 Harmonogram automatycznej usługi LiveUpdate;Harmonogram automatycznej usługi LiveUpdate;"C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe" [2006-09-13 15:54]

S3 wlags48d;Agere Wireless PCCard Service;C:\WINDOWS\system32\DRIVERS\wlags48d.sys [2003-07-24 09:13]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3c71cc73-0f6a-11dc-af9b-000e7b87cb13}]

\Shell\AutoRun\command - I:\

\Shell\open\Command - .\autorun.exe explore

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ae49b400-980d-11db-ae7a-000e7b87cb13}]

\Shell\AutoRun\command - G:\LaunchU3.exe

.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-06-07 07:29:19

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully

hidden files: 0

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

C:\WINDOWS\system32\wdfmgr.exe

.

**************************************************************************

.

Completion time: 2008-06-07 7:33:26 - machine was rebooted

ComboFix-quarantined-files.txt 2008-06-07 05:33:21

ComboFix2.txt 2008-06-06 21:33:49

Pre-Run: 7,102,836,736 bytes free

Post-Run: 7,092,776,960 bytes free

269 --- E O F --- 2008-02-26 18:40:34

Many thanks, I've got drive C back and the computer runs much better. I don't know whether anything else still needs fixing. I'm also sending a HijackThis log.

Logfile of HijackThis v1.99.1

Scan saved at 07:40, on 2008-06-07

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Gadu-Gadu\gg.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\WINDOWS\system32\studnet\studnet.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

C:\Documents and Settings\user\Pulpit\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [studNET-Autologin] C:\WINDOWS\system32\studnet\studnet.exe /auto

O8 - Extra context menu item: Download with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm

O8 - Extra context menu item: Download all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm

O8 - Extra context menu item: Download all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm

O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{714E189E-5F49-4187-993A-467016881E7F}: NameServer = 139.18.25.3

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: Harmonogram automatycznej usługi LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Delete these folders

Manually delete the folder C:\Qoobox and delete the ComboFix installer from the disk.

Turn System Restore off and back on for all drives: http://support.microsoft.com/kb/310405/pl

Scan the "My Computer" area with http://www.kaspersky.pl/virusscanner.html and post the report; open the page in IE.

Hello again, thank you for the help so far. I followed Leon$'s instructions. The scan report looks like this:


KASPERSKY ONLINE SCANNER REPORT

8 June 2008 00:41

Operating system: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)

Kaspersky Online Scanner version: 5.0.98.0

Kaspersky Anti-Virus last update: 7/06/2008

Number of entries in the Kaspersky Anti-Virus database: 837687


Scan settings:

Scan using the following databases: extended

Scan archives: yes

Scan mail databases: yes

Scan area - My Computer:

C:\

D:\

E:\

F:\

Scan statistics:

Number of objects scanned: 54566

Number of viruses found: 1

Number of infected objects: 1

Number of suspicious objects: 0

Scan duration: 01:47:12

Infected object name / Virus name / Last action

C:\Documents and Settings\All Users\Dane aplikacji\Symantec\LiveUpdate\2008-06-07_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped

C:\Documents and Settings\All Users\Dane aplikacji\Symantec\LiveUpdate\Log.LiveUpdate Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Ustawienia lokalne\Historia\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Ustawienia lokalne\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\user\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\user\Dane aplikacji\Mozilla\Firefox\Profiles\ejsrtki1.default\cert8.db Object is locked skipped

C:\Documents and Settings\user\Dane aplikacji\Mozilla\Firefox\Profiles\ejsrtki1.default\history.dat Object is locked skipped

C:\Documents and Settings\user\Dane aplikacji\Mozilla\Firefox\Profiles\ejsrtki1.default\key3.db Object is locked skipped

C:\Documents and Settings\user\Dane aplikacji\Mozilla\Firefox\Profiles\ejsrtki1.default\parent.lock Object is locked skipped

C:\Documents and Settings\user\Dane aplikacji\Mozilla\Firefox\Profiles\ejsrtki1.default\search.sqlite Object is locked skipped

C:\Documents and Settings\user\Dane aplikacji\Mozilla\Firefox\Profiles\ejsrtki1.default\urlclassifier2.sqlite Object is locked skipped

C:\Documents and Settings\user\Dane aplikacji\Skype\skuballa24\call256.dbb Object is locked skipped

C:\Documents and Settings\user\Dane aplikacji\Skype\skuballa24\callmember256.dbb Object is locked skipped

C:\Documents and Settings\user\Dane aplikacji\Skype\skuballa24\chat256.dbb Object is locked skipped

C:\Documents and Settings\user\Dane aplikacji\Skype\skuballa24\chat512.dbb Object is locked skipped

C:\Documents and Settings\user\Dane aplikacji\Skype\skuballa24\chatmsg1024.dbb Object is locked skipped

C:\Documents and Settings\user\Dane aplikacji\Skype\skuballa24\chatmsg2048.dbb Object is locked skipped

C:\Documents and Settings\user\Dane aplikacji\Skype\skuballa24\chatmsg256.dbb Object is locked skipped

C:\Documents and Settings\user\Dane aplikacji\Skype\skuballa24\chatmsg4096.dbb Object is locked skipped

C:\Documents and Settings\user\Dane aplikacji\Skype\skuballa24\chatmsg512.dbb Object is locked skipped

C:\Documents and Settings\user\Dane aplikacji\Skype\skuballa24\contactgroup256.dbb Object is locked skipped

C:\Documents and Settings\user\Dane aplikacji\Skype\skuballa24\index2.dat Object is locked skipped

C:\Documents and Settings\user\Dane aplikacji\Skype\skuballa24\profile256.dbb Object is locked skipped

C:\Documents and Settings\user\Dane aplikacji\Skype\skuballa24\transfer256.dbb Object is locked skipped

C:\Documents and Settings\user\Dane aplikacji\Skype\skuballa24\transfer512.dbb Object is locked skipped

C:\Documents and Settings\user\Dane aplikacji\Skype\skuballa24\user1024.dbb Object is locked skipped

C:\Documents and Settings\user\Dane aplikacji\Skype\skuballa24\user4096.dbb Object is locked skipped

C:\Documents and Settings\user\Dane aplikacji\Skype\skuballa24\voicemail256.dbb Object is locked skipped

C:\Documents and Settings\user\ntuser.dat Object is locked skipped

C:\Documents and Settings\user\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\user\Pulpit\backups\backup-20080607-001519-261.dll Infected: Trojan.Win32.Vapsup.geq skipped

C:\Documents and Settings\user\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\user\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\user\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\ejsrtki1.default\Cache\_CACHE_001_ Object is locked skipped

C:\Documents and Settings\user\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\ejsrtki1.default\Cache\_CACHE_002_ Object is locked skipped

C:\Documents and Settings\user\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\ejsrtki1.default\Cache\_CACHE_003_ Object is locked skipped

C:\Documents and Settings\user\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\ejsrtki1.default\Cache\_CACHE_MAP_ Object is locked skipped

C:\Documents and Settings\user\Ustawienia lokalne\Historia\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\user\Ustawienia lokalne\Temp\~DF6782.tmp Object is locked skipped

C:\Documents and Settings\user\Ustawienia lokalne\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\logs\starwind.2008-06-07.22-27-38.log Object is locked skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{CEDBF221-C2F2-4399-8281-6CB4839D1D42}\RP1\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped

C:\WINDOWS\system32\drivers\vaxscsi.sys Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Regards, and I'd welcome suggestions.
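The report above is dozens of "Object is locked" lines (registry hives, event logs, browser and Skype databases held open by running processes, which an on-demand scanner cannot read and which are not findings) and exactly one real detection, and that detection sits in the `backups` folder next to HijackThis.exe on the desktop, i.e. in a copy a cleanup tool kept rather than in a live file. As an added example (not code from the original post and not Kaspersky's tooling), the Python script below parses report lines in either the Polish or the English column wording, separates the locked-file noise from detections, and marks detections inside a cleanup tool's own backup area. The sample lines are constructed; the assumption that `\backups\`, `C:\Qoobox` and `C:\Avenger` hold backups made by HijackThis, ComboFix and The Avenger respectively is mine, not stated on the page.

```python
"""Classify a Kaspersky Online Scanner report like the one pasted above.

Added example for this thread; not part of the original post and not
Kaspersky's own tooling.  SAMPLE_REPORT is a constructed excerpt modelled
on the report lines in the thread; real reports separate the three columns
with tabs, which the forum collapsed to spaces, so both are accepted.
"""
import re
from typing import Dict, List, NamedTuple


class Hit(NamedTuple):
    path: str
    status: str     # "locked", "infected" or "quarantine_backup"
    malware: str


# Assumption: these folders hold copies kept by cleanup tools rather than
# live files (HijackThis 'backups' next to HijackThis.exe, ComboFix's
# C:\Qoobox, The Avenger's C:\Avenger).  A detection inside them is a
# leftover to delete, not an active infection.
BACKUP_DIRS = ("\\backups\\", "\\qoobox\\", "\\avenger\\")

# Polish and English verdict/action columns are both accepted.
RE_LINE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?:Object is locked|(?:Infected|Zainfekowanych): (?P<malware>\S+))"
    r"\s+(?:skipped|pominięty)\s*$"
)

# Constructed sample (tab-separated like the real report).
SAMPLE_REPORT = (
    "Infected object name / Virus name / Last action\n"
    "C:\\Documents and Settings\\user\\ntuser.dat\tObject is locked\tpominięty\n"
    "C:\\WINDOWS\\system32\\config\\SAM\tObject is locked\tskipped\n"
    "C:\\Documents and Settings\\user\\Pulpit\\backups\\backup-20080607-001519-261.dll"
    "\tZainfekowanych: Trojan.Win32.Vapsup.geq\tpominięty\n"
    "C:\\Qoobox\\Quarantine\\C\\WINDOWS\\exmk.exe.vir\tInfected: Trojan.Win32.Vapsup.geq\tskipped\n"
    "C:\\WINDOWS\\system32\\hlxb.dll\tInfected: Trojan.Win32.Vapsup.geq\tskipped\n"
    "Scan process completed.\n"
)


def parse_report(text: str) -> List[Hit]:
    """Turn each result line into a Hit; header, statistics and footer lines are ignored."""
    hits: List[Hit] = []
    for line in text.splitlines():
        m = RE_LINE.match(line.strip())
        if not m:
            continue
        path, malware = m.group("path"), m.group("malware")
        if malware is None:
            hits.append(Hit(path, "locked", ""))          # in-use file, not a finding
        elif any(d in path.lower() for d in BACKUP_DIRS):
            hits.append(Hit(path, "quarantine_backup", malware))
        else:
            hits.append(Hit(path, "infected", malware))
    return hits


def summarize(hits: List[Hit]) -> Dict[str, int]:
    """Count hits per status, e.g. {'locked': 2, 'quarantine_backup': 2, 'infected': 1}."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h.status] = counts.get(h.status, 0) + 1
    return counts


def live_infections(hits: List[Hit]) -> List[Hit]:
    """Only the detections that still need attention on the running system."""
    return [h for h in hits if h.status == "infected"]


if __name__ == "__main__":
    hits = parse_report(SAMPLE_REPORT)
    print(summarize(hits))
    for h in live_infections(hits):
        print("ACTIVE:", h.path, h.malware)
```

On the real report this yields no live infection: the single Vapsup hit is classified as a quarantine backup, which matches the helper's next step of simply deleting the file rather than running another disinfection.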

Download and run the tool The Avenger. Select the text given for removal on the forum,

copy >> click Paste Script from Clipboard >> Execute >> confirm and agree to the restart by clicking OK.

Manually delete the file C:\Avenger\backup.zip from the disk and paste the report C:\avenger.txt on the forum.

After the removal the system will be free of viruses and should be OK.

Change to the rules for posting logs on the forum - viewtopic.php?f=16&t=213350