Skanując sobie dziś dysk natrafiłem na takie cudo.

Oto log z Combofixa:

ComboFix 08-04-28.2 - jaszczur 2008-04-29 14:14:25.1 - FAT32 x86

Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.78 [GMT 2:00]

Running from: I:\ComboFix.exe

Command switches used :: I:\CFScript.txt

* Created a new restore point

* Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED

FILE ::

f:\dwvo.cmd

f:\mug0sd.cmd

f:\tym8a.exe

f:\uqhqx1.cmd

f:\WINDOWS\S3A0A6B41.tmp

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

F:\autorun.inf

f:\mug0sd.cmd

f:\tym8a.exe

F:\WINDOWS\system32_000110_.tmp.dll

F:\WINDOWS\system32\amvo.exe

F:\WINDOWS\system32\amvo0.dll

F:\WINDOWS\system32\amvo1.dll

.

((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-29 )))))))))))))))))))))))))))))))

.

2008-04-28 12:46 . 2008-04-28 12:46 104,269 -r-hs---- F:\jfvkcsy.bat

2008-04-28 09:45 . 2008-04-28 09:45 105,128 -r-hs---- F:\oq.cmd

2008-04-26 12:42 . 2008-04-26 12:42 103,457 -r-hs---- F:\0n.bat

2008-04-25 17:44 . 2008-04-25 17:43 104,161 -r-hs---- F:\1dg.exe

2008-04-25 09:05 . 2008-04-25 09:05 102,822 -r-hs---- F:\lkxcqdb.bat

2008-04-24 13:21 . 2008-04-24 13:21

2008-04-23 00:29 . 2008-04-23 00:29 41,296 --a------ F:\WINDOWS\system32\xfcodec.dll

2008-04-22 13:54 . 2008-04-22 13:54

2008-04-19 17:52 . 2008-04-19 17:52

2008-04-14 16:21 . 2008-04-14 16:21

2008-04-12 18:40 . 2008-04-12 18:40

2008-04-12 18:40 . 2008-04-12 18:40

2008-04-06 09:58 . 2008-04-06 09:58

2008-04-06 09:24 . 2008-04-06 09:24

2008-04-05 16:03 . 2008-04-29 11:20 107,832 --a------ F:\WINDOWS\system32\PnkBstrB.exe

2008-04-05 16:03 . 2008-04-05 16:03 66,872 --a------ F:\WINDOWS\system32\PnkBstrA.exe

2008-04-05 15:56 . 2008-04-05 16:03 674,600 --a------ F:\WINDOWS\system32\pbsvc.exe

2008-04-01 18:40 . 2008-04-01 18:40

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-04-29 09:21 22,328 ----a-w F:\WINDOWS\system32\drivers\PnkBstrK.sys

2008-04-05 14:03 22,328 ----a-w F:\Documents and Settings\jaszczur\Dane aplikacji\PnkBstrK.sys

2008-03-24 13:56 --------- d-----w F:\Program Files\Windows Media Connect 2

2008-03-24 13:27 --------- d-----w F:\Program Files\Xilisoft

2008-03-20 08:09 1,845,504 ----a-w F:\WINDOWS\system32\win32k.sys

2008-03-20 08:09 1,845,504 ----a-w F:\WINDOWS\system32\dllcache\win32k.sys

2008-03-17 15:31 --------- d-----w F:\Documents and Settings\jaszczur\Dane aplikacji\Hamachi

2008-03-17 15:30 25,544 ----a-w F:\WINDOWS\system32\drivers\hamachi.sys

2008-03-17 15:30 --------- d-----w F:\Program Files\Hamachi

2008-03-16 19:02 --------- d-----w F:\Program Files\totalcmd

2008-03-12 11:58 --------- d-----w F:\Program Files\SpeedFan

2008-03-11 11:01 --------- d-----w F:\Documents and Settings\jaszczur\Dane aplikacji\vlc

2008-03-11 11:00 --------- d-----w F:\Program Files\VideoLAN

2008-03-07 17:17 --------- d-----w F:\Program Files\Ventrilo

2008-02-20 06:51 282,624 ----a-w F:\WINDOWS\system32\gdi32.dll

2008-02-20 06:51 282,624 ----a-w F:\WINDOWS\system32\dllcache\gdi32.dll

2008-02-20 05:38 45,568 ----a-w F:\WINDOWS\system32\dnsrslvr.dll

2008-02-20 05:38 45,568 ----a-w F:\WINDOWS\system32\dllcache\dnsrslvr.dll

2008-02-20 05:38 148,992 ----a-w F:\WINDOWS\system32\dllcache\dnsapi.dll

2008-02-16 22:35 3,080,704 ----a-w F:\WINDOWS\system32\dllcache\mshtml.dll

2008-02-15 09:23 18,432 ----a-w F:\WINDOWS\system32\dllcache\iedw.exe

2008-02-13 14:11 1,218,732 ----a-w F:\WINDOWS\D.B. World Uninstaller.exe

2007-12-24 16:55 32 ----a-w F:\Documents and Settings\All Users\Dane aplikacji\ezsid.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{25CEE8EC-5730-41bc-8B58-22DDC8AB8C20}]

2007-12-13 17:49 1185120 --a------ F:\Program Files\Winamp Toolbar\winamptb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

“{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}”= “F:\Program Files\Winamp Toolbar\winamptb.dll” [2007-12-13 17:49 1185120]

[HKEY_CLASSES_ROOT\clsid{ebf2ba02-9094-4c5a-858b-bb198f3d8de2}]

[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]

[HKEY_CLASSES_ROOT\TypeLib{538CD77C-BFDD-49b0-9562-77419CAB89D1}]

[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]

“{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}”= F:\Program Files\Winamp Toolbar\winamptb.dll [2007-12-13 17:49 1185120]

[HKEY_CLASSES_ROOT\clsid{ebf2ba02-9094-4c5a-858b-bb198f3d8de2}]

[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]

[HKEY_CLASSES_ROOT\TypeLib{538CD77C-BFDD-49b0-9562-77419CAB89D1}]

[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“ctfmon.exe”=“F:\WINDOWS\system32\ctfmon.exe” [2004-08-03 22:44 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“nod32kui”=“F:\Program Files\Eset\nod32kui.exe” [2007-12-24 13:40 949376]

“Diamondback”=“F:\Program Files\Razer\Diamondback 3G\razerhid.exe” [2007-06-29 16:30 147456]

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

“CTFMON.EXE”=“F:\WINDOWS\system32\CTFMON.EXE” [2004-08-03 22:44 15360]

F:\Documents and Settings\jaszczur\Menu Start\Programy\Autostart\

Xfire.lnk - I:\Program Files\Xfire\xfire.exe [2008-04-23 00:29:52 2998608]

hamachi.lnk - F:\Program Files\Hamachi\hamachi.exe [2008-03-17 17:30:33 619048]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

“vidc.yv12”= yv12vfw.dll

“VIDC.XFR1”= xfcodec.dll

[HKLM~\startupfolder\F:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Gamma Loader.lnk]

path=F:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Gamma Loader.lnk

backup=F:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM~\startupfolder\F:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Oprogramowanie Kodak EasyShare.lnk]

path=F:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Oprogramowanie Kodak EasyShare.lnk

backup=F:\WINDOWS\pss\Oprogramowanie Kodak EasyShare.lnkCommon Startup

[HKLM~\startupfolder\F:^Documents and Settings^jaszczur^Menu Start^Programy^Autostart^Deer Hunter 2005 Registration.lnk]

path=F:\Documents and Settings\jaszczur\Menu Start\Programy\Autostart\Deer Hunter 2005 Registration.lnk

backup=F:\WINDOWS\pss\Deer Hunter 2005 Registration.lnkStartup

[HKLM~\startupfolder\F:^Documents and Settings^jaszczur^Menu Start^Programy^Autostart^Rejestrowanie produktów Corela.lnk]

path=F:\Documents and Settings\jaszczur\Menu Start\Programy\Autostart\Rejestrowanie produktów Corela.lnk

backup=F:\WINDOWS\pss\Rejestrowanie produktów Corela.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AudioDeck]

–a------ 2006-07-26 13:19 540672 F:\Program Files\VIAudioi\SBADeck\ADeck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]

–a------ 2006-10-09 11:28 139264 F:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

–a------ 2004-08-03 22:44 15360 F:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]

–a------ 2004-03-12 22:43 81920 F:\Program Files\D-Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gadu-Gadu]

–a------ 2007-11-14 12:54 2131392 G:\Program Files\Gadu-Gadu\gg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ]

–a------ 2007-11-21 02:47 172280 I:\Program Files\ICQ6\ICQ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

–a------ 2006-01-12 16:40 155648 F:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Omnipage]

–a------ 2002-06-03 11:38 49152 F:\Program Files\ScanSoft\OmniPageSE\opware32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Orb]

–a------ 2007-12-18 02:02 471040 F:\Program Files\Winamp Remote\bin\OrbTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]

-ra------ 2005-10-26 16:17 159744 F:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]

–a------ 2006-11-10 12:35 90112 F:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

–a------ 2008-03-28 18:31 1271032 I:\Program Files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

–a------ 2007-09-25 01:11 132496 F:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

“I:\Program Files\Orbitdownloader\orbitdm.exe”=

“I:\Program Files\Orbitdownloader\orbitnet.exe”=

“I:\Program Files\Activision\Call of Duty 2\CoD2MP_s.exe”=

“I:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe”=

“G:\Program Files\Gadu-Gadu\gg.exe”=

“I:\Program Files\Xfire\xfire.exe”=

“I:\Program Files\mIRC\mirc.exe”=

“F:\Program Files\uTorrent\uTorrent.exe”=

“I:\Program Files\DC++\DCPlusPlus.exe”=

“G:\Program Files\Teamspeak2_RC2\server_windows.exe”=

“G:\Program Files\Valve\hl.exe”=

“I:\Program Files\Steam\steamapps\billy722\counter-strike\hl.exe”=

“I:\Program Files\Games-Masters.com\CABAL Online (Europe)\launcher\update\ESTdnheadless.exe”=

“I:\Program Files\Steam\steamapps\billy722\condition zero\hl.exe”=

“I:\Program Files\DC++ 0.401\DCplusplus.exe”=

“G:\Program Files\Steam\steamapps\billy722\counter-strike\hl.exe”=

“F:\Program Files\totalcmd\TOTALCMD.EXE”=

“F:\Program Files\Hamachi\hamachi.exe”=

“I:\Program Files\GTactix\GTactix.exe”=

“G:\Program Files\TibiaTek Bot DevTeam\TibiaTek Bot\TibiaTekBot.exe”=

“I:\Program Files\Mozilla Firefox\firefox.exe”=

“F:\Program Files\Nero\Nero 7\Nero Home\NeroHome.exe”=

“I:\Program Files\Steam\steamapps\billy722\day of defeat\hl.exe”=

“F:\WINDOWS\System32\PnkBstrA.exe”=

“F:\WINDOWS\System32\PnkBstrB.exe”=

“G:\Program Files\EA Sports\FIFA 08\FIFA08.exe”=

“I:\Program Files\Teamspeak2_RC2\server_windows.exe”=

“I:\Program Files\Steam\steamapps\connor732\counter-strike source\hl2.exe”=

“I:\Program Files\TmNationsForever\TmForever.exe”=

“F:\Program Files\Skype\Phone\Skype.exe”=

“F:\Program Files\EA SPORTS\FIFA 07\fifa07.exe”=

R0 d346bus;d346bus;F:\WINDOWS\system32\DRIVERS\d346bus.sys [2004-03-12 22:41]

R0 d346prt;d346prt;F:\WINDOWS\system32\Drivers\d346prt.sys [2004-03-12 22:41]

S3 ddsxeiservice;ddsxeiservice2;G:\Program Files\sXe Injected\ddsxei.sys []

.

**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-04-29 14:16:43

Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2008-04-29 14:17:17

ComboFix-quarantined-files.txt 2008-04-29 12:17:14

Pre-Run: 1,920,843,776 bajtów wolnych

Post-Run: 6,309,969,920 bajtów wolnych

192 — E O F — 2008-04-11 10:27:30

W dniu 29.04.2008 , o godzinie 14:28 został dopisany post przez xjaszczurx

PS. Ta Tibia to nie moja tylko mojego Brata

Wklej do Notatnika :

File::

F:\jfvkcsy.bat

F:\oq.cmd

F:\0n.bat

F:\1dg.exe

F:\lkxcqdb.bat

X:\jfvkcsy.bat

X:\oq.cmd

X:\0n.bat

X:\1dg.exe

X:\lkxcqdb.bat

Zamiast “X” wpisz literę innej partycji, jaką masz na dysku. (jeśli nie masz innej partycji, to wstaw “F”).

>>Plik>>Zapisz jako… >>> CFScript

Przeciągnij i upuść plik CFScript.txt na plik ComboFix.exe

–>

Ma się rozpocząć usuwanie. (i powstanie log). Daj ten log, który powstanie w trakcie usuwania.

Jeśli pójdzie dobrze, to: Po restarcie usuń ręcznie folder C:** Qoobox**.

jessi

No ok zrobię tak ale jak teraz skanuje Nod’em to mi się na każdej partycji mam te pliki.

W dniu 29.04.2008 , o godzinie 15:13 został dopisany post przez xjaszczurx

Aha jeszcze jedno skanując Nodem natrafiam na folder o nazwie “MountPointManagerRemoteDatabase” i go nie można usunąc

W dniu 29.04.2008 , o godzinie 15:22 został dopisany post przez xjaszczurx

Oto nowy log:

ComboFix 08-04-28.2 - jaszczur 2008-04-29 15:17:45.2 - FAT32 x86

Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.61 [GMT 2:00]

Running from: I:\ComboFix.exe

Command switches used :: I:\CFScript.txt

* Created a new restore point

* Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED

FILE ::

c:\0n.bat

c:\1dg.exe

c:\jfvkcsy.bat

c:\lkxcqdb.bat

c:\oq.cmd

F:\0n.bat

F:\1dg.exe

F:\jfvkcsy.bat

F:\lkxcqdb.bat

F:\oq.cmd

g:\0n.bat

g:\1dg.exe

g:\jfvkcsy.bat

g:\lkxcqdb.bat

g:\oq.cmd

h:\0n.bat

h:\1dg.exe

h:\jfvkcsy.bat

h:\lkxcqdb.bat

h:\oq.cmd

i:\0n.bat

i:\1dg.exe

i:\jfvkcsy.bat

i:\lkxcqdb.bat

i:\oq.cmd

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\0n.bat

C:\Autorun.inf

c:\jfvkcsy.bat

c:\lkxcqdb.bat

F:\0n.bat

F:\jfvkcsy.bat

F:\lkxcqdb.bat

g:\0n.bat

G:\Autorun.inf

g:\jfvkcsy.bat

g:\lkxcqdb.bat

h:\0n.bat

H:\Autorun.inf

h:\jfvkcsy.bat

h:\lkxcqdb.bat

i:\0n.bat

I:\Autorun.inf

i:\jfvkcsy.bat

i:\lkxcqdb.bat

.

((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-29 )))))))))))))))))))))))))))))))

.

2008-04-24 13:21 . 2008-04-24 13:21

2008-04-23 00:29 . 2008-04-23 00:29 41,296 --a------ F:\WINDOWS\system32\xfcodec.dll

2008-04-22 13:54 . 2008-04-22 13:54

2008-04-19 17:52 . 2008-04-19 17:52

2008-04-14 16:21 . 2008-04-14 16:21

2008-04-12 18:40 . 2008-04-12 18:40

2008-04-12 18:40 . 2008-04-12 18:40

2008-04-06 09:58 . 2008-04-06 09:58

2008-04-06 09:24 . 2008-04-06 09:24

2008-04-05 16:03 . 2008-04-29 11:20 107,832 --a------ F:\WINDOWS\system32\PnkBstrB.exe

2008-04-05 16:03 . 2008-04-05 16:03 66,872 --a------ F:\WINDOWS\system32\PnkBstrA.exe

2008-04-05 15:56 . 2008-04-05 16:03 674,600 --a------ F:\WINDOWS\system32\pbsvc.exe

2008-04-01 18:40 . 2008-04-01 18:40

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-04-29 09:21 22,328 ----a-w F:\WINDOWS\system32\drivers\PnkBstrK.sys

2008-04-05 14:03 22,328 ----a-w F:\Documents and Settings\jaszczur\Dane aplikacji\PnkBstrK.sys

2008-03-24 13:56 --------- d-----w F:\Program Files\Windows Media Connect 2

2008-03-24 13:27 --------- d-----w F:\Program Files\Xilisoft

2008-03-20 08:09 1,845,504 ----a-w F:\WINDOWS\system32\win32k.sys

2008-03-20 08:09 1,845,504 ----a-w F:\WINDOWS\system32\dllcache\win32k.sys

2008-03-17 15:31 --------- d-----w F:\Documents and Settings\jaszczur\Dane aplikacji\Hamachi

2008-03-17 15:30 25,544 ----a-w F:\WINDOWS\system32\drivers\hamachi.sys

2008-03-17 15:30 --------- d-----w F:\Program Files\Hamachi

2008-03-16 19:02 --------- d-----w F:\Program Files\totalcmd

2008-03-12 11:58 --------- d-----w F:\Program Files\SpeedFan

2008-03-11 11:01 --------- d-----w F:\Documents and Settings\jaszczur\Dane aplikacji\vlc

2008-03-11 11:00 --------- d-----w F:\Program Files\VideoLAN

2008-03-07 17:17 --------- d-----w F:\Program Files\Ventrilo

2008-02-20 06:51 282,624 ----a-w F:\WINDOWS\system32\gdi32.dll

2008-02-20 06:51 282,624 ----a-w F:\WINDOWS\system32\dllcache\gdi32.dll

2008-02-20 05:38 45,568 ----a-w F:\WINDOWS\system32\dnsrslvr.dll

2008-02-20 05:38 45,568 ----a-w F:\WINDOWS\system32\dllcache\dnsrslvr.dll

2008-02-20 05:38 148,992 ----a-w F:\WINDOWS\system32\dllcache\dnsapi.dll

2008-02-16 22:35 3,080,704 ----a-w F:\WINDOWS\system32\dllcache\mshtml.dll

2008-02-15 09:23 18,432 ----a-w F:\WINDOWS\system32\dllcache\iedw.exe

2008-02-13 14:11 1,218,732 ----a-w F:\WINDOWS\D.B. World Uninstaller.exe

2007-12-24 16:55 32 ----a-w F:\Documents and Settings\All Users\Dane aplikacji\ezsid.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{25CEE8EC-5730-41bc-8B58-22DDC8AB8C20}]

2007-12-13 17:49 1185120 --a------ F:\Program Files\Winamp Toolbar\winamptb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

“{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}”= “F:\Program Files\Winamp Toolbar\winamptb.dll” [2007-12-13 17:49 1185120]

[HKEY_CLASSES_ROOT\clsid{ebf2ba02-9094-4c5a-858b-bb198f3d8de2}]

[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]

[HKEY_CLASSES_ROOT\TypeLib{538CD77C-BFDD-49b0-9562-77419CAB89D1}]

[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]

“{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}”= F:\Program Files\Winamp Toolbar\winamptb.dll [2007-12-13 17:49 1185120]

[HKEY_CLASSES_ROOT\clsid{ebf2ba02-9094-4c5a-858b-bb198f3d8de2}]

[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]

[HKEY_CLASSES_ROOT\TypeLib{538CD77C-BFDD-49b0-9562-77419CAB89D1}]

[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“ctfmon.exe”=“F:\WINDOWS\system32\ctfmon.exe” [2004-08-03 22:44 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“nod32kui”=“F:\Program Files\Eset\nod32kui.exe” [2007-12-24 13:40 949376]

“Diamondback”=“F:\Program Files\Razer\Diamondback 3G\razerhid.exe” [2007-06-29 16:30 147456]

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

“CTFMON.EXE”=“F:\WINDOWS\system32\CTFMON.EXE” [2004-08-03 22:44 15360]

F:\Documents and Settings\jaszczur\Menu Start\Programy\Autostart\

Xfire.lnk - I:\Program Files\Xfire\xfire.exe [2008-04-23 00:29:52 2998608]

hamachi.lnk - F:\Program Files\Hamachi\hamachi.exe [2008-03-17 17:30:33 619048]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

“vidc.yv12”= yv12vfw.dll

“VIDC.XFR1”= xfcodec.dll

[HKLM~\startupfolder\F:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Gamma Loader.lnk]

path=F:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Gamma Loader.lnk

backup=F:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM~\startupfolder\F:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Oprogramowanie Kodak EasyShare.lnk]

path=F:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Oprogramowanie Kodak EasyShare.lnk

backup=F:\WINDOWS\pss\Oprogramowanie Kodak EasyShare.lnkCommon Startup

[HKLM~\startupfolder\F:^Documents and Settings^jaszczur^Menu Start^Programy^Autostart^Deer Hunter 2005 Registration.lnk]

path=F:\Documents and Settings\jaszczur\Menu Start\Programy\Autostart\Deer Hunter 2005 Registration.lnk

backup=F:\WINDOWS\pss\Deer Hunter 2005 Registration.lnkStartup

[HKLM~\startupfolder\F:^Documents and Settings^jaszczur^Menu Start^Programy^Autostart^Rejestrowanie produktów Corela.lnk]

path=F:\Documents and Settings\jaszczur\Menu Start\Programy\Autostart\Rejestrowanie produktów Corela.lnk

backup=F:\WINDOWS\pss\Rejestrowanie produktów Corela.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AudioDeck]

–a------ 2006-07-26 13:19 540672 F:\Program Files\VIAudioi\SBADeck\ADeck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]

–a------ 2006-10-09 11:28 139264 F:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

–a------ 2004-08-03 22:44 15360 F:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]

–a------ 2004-03-12 22:43 81920 F:\Program Files\D-Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gadu-Gadu]

–a------ 2007-11-14 12:54 2131392 G:\Program Files\Gadu-Gadu\gg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ]

–a------ 2007-11-21 02:47 172280 I:\Program Files\ICQ6\ICQ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

–a------ 2006-01-12 16:40 155648 F:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Omnipage]

–a------ 2002-06-03 11:38 49152 F:\Program Files\ScanSoft\OmniPageSE\opware32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Orb]

–a------ 2007-12-18 02:02 471040 F:\Program Files\Winamp Remote\bin\OrbTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]

-ra------ 2005-10-26 16:17 159744 F:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]

–a------ 2006-11-10 12:35 90112 F:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

–a------ 2008-03-28 18:31 1271032 I:\Program Files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

–a------ 2007-09-25 01:11 132496 F:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

“I:\Program Files\Orbitdownloader\orbitdm.exe”=

“I:\Program Files\Orbitdownloader\orbitnet.exe”=

“I:\Program Files\Activision\Call of Duty 2\CoD2MP_s.exe”=

“I:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe”=

“G:\Program Files\Gadu-Gadu\gg.exe”=

“I:\Program Files\Xfire\xfire.exe”=

“I:\Program Files\mIRC\mirc.exe”=

“F:\Program Files\uTorrent\uTorrent.exe”=

“I:\Program Files\DC++\DCPlusPlus.exe”=

“G:\Program Files\Teamspeak2_RC2\server_windows.exe”=

“G:\Program Files\Valve\hl.exe”=

“I:\Program Files\Steam\steamapps\billy722\counter-strike\hl.exe”=

“I:\Program Files\Games-Masters.com\CABAL Online (Europe)\launcher\update\ESTdnheadless.exe”=

“I:\Program Files\Steam\steamapps\billy722\condition zero\hl.exe”=

“I:\Program Files\DC++ 0.401\DCplusplus.exe”=

“G:\Program Files\Steam\steamapps\billy722\counter-strike\hl.exe”=

“F:\Program Files\totalcmd\TOTALCMD.EXE”=

“F:\Program Files\Hamachi\hamachi.exe”=

“I:\Program Files\GTactix\GTactix.exe”=

“G:\Program Files\TibiaTek Bot DevTeam\TibiaTek Bot\TibiaTekBot.exe”=

“I:\Program Files\Mozilla Firefox\firefox.exe”=

“F:\Program Files\Nero\Nero 7\Nero Home\NeroHome.exe”=

“I:\Program Files\Steam\steamapps\billy722\day of defeat\hl.exe”=

“F:\WINDOWS\System32\PnkBstrA.exe”=

“F:\WINDOWS\System32\PnkBstrB.exe”=

“G:\Program Files\EA Sports\FIFA 08\FIFA08.exe”=

“I:\Program Files\Teamspeak2_RC2\server_windows.exe”=

“I:\Program Files\Steam\steamapps\connor732\counter-strike source\hl2.exe”=

“I:\Program Files\TmNationsForever\TmForever.exe”=

“F:\Program Files\Skype\Phone\Skype.exe”=

“F:\Program Files\EA SPORTS\FIFA 07\fifa07.exe”=

R0 d346bus;d346bus;F:\WINDOWS\system32\DRIVERS\d346bus.sys [2004-03-12 22:41]

R0 d346prt;d346prt;F:\WINDOWS\system32\Drivers\d346prt.sys [2004-03-12 22:41]

S3 ddsxeiservice;ddsxeiservice2;G:\Program Files\sXe Injected\ddsxei.sys []

*Newly Created Service* - CATCHME

.

**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-04-29 15:20:09

Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2008-04-29 15:20:42

ComboFix2.txt 2008-04-29 12:17:18

ComboFix-quarantined-files.txt 2008-04-29 13:20:40

Pre-Run: 6,319,210,496 bajtów wolnych

Post-Run: 6,308,872,192 bajtów wolnych

221 — E O F — 2008-04-11 10:27:30

Log jest czysty.

Możesz usunąć te zbędne foldery (ręcznie).

EDIT:

“MountPointManagerRemoteDatabase” - czy nie jest przypadkiem w “System Volume Information”?

Jeśli tak, to można go usunąć poprzez chwilowe wyłączenie “Przywracania Systemu”:

>>Panel Sterowania>>System>>Przywracanie Systemu>>zaznacz w okienku przy “Wyłącz przywracanie na wszystkich dyskach”>Zastosuj>>OK.

Potem możesz powrócić do poprzedniego ustawienia - czyli usunąć zaznaczenie z okienka.

jessi

Pobierz ComboFix, ale nie uruchamiaj

Wklej do notatnika:

Folder::

F:\FOUND.005

Plik -> zapisz jako -> CFScript.txt (najwygodniej będzie, jeśli zapiszesz w takiej lokalizacji, by ikonka CFScript.txt znalazła się obok ikonki ComboFix.exe)

Przeciągnij i upuść ikonkę CFScript.txt na ikonkę ComboFix.exe tak jak tu ->

Powinno się rozpocząć usuwanie i powstanie log, daj ten log na forum.

Dzięki

Daj log z usuwania z Combofix