Win32:Rootkit-gen [Rtk] - avast wykrywa mi coś takiego

witam,mam problem z rootkit-gen.

Przeskanowalem w sdfix i mam taki o to raport;co robic?

b]SDFix: Version 1.240

Run by pawcio on 2009-03-21 at 12:04

Microsoft Windows XP [Wersja 5.1.2600]

Running From: C:\SDFix

Checking Services :

Restoring Default Security Values

Restoring Default Hosts File

Rebooting

Checking Files :

Trojan Files Found:

C:\autorun.inf - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP77.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP1C.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP10.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP1E.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP20.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMPE.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMPC.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP8.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP22.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP14.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP9.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP19.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP1A.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMPD.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMPF.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP13.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP12.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP11.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMPA.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMPB.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP15.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP16.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP1B.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP17.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP3D.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP18.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP1F.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMPD5.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP24.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP21.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP37.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP28.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP23.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMPD7.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP27.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP25.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP26.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP1D.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMPD4.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP2A.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP31.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMPCC.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMPCE.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP34.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP2B.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP2D.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP29.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMPDD.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMPD3.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP2C.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMPD6.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMPD9.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP2F.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP30.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP46.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP5A.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP33.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP32.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP35.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP57.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP2E.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP36.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP7A.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP7C.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMPE2.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP39.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP3A.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP38.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMPC8.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP3F.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP3B.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP54.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP55.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP3C.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP3E.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP5D.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP41.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP42.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP40.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP43.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP45.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP59.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP44.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP49.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP47.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP68.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP9F.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP4B.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP51.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP48.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP4A.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP4E.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP4D.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP4C.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP50.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP52.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP4F.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP56.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP5B.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP53.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP5C.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP5E.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP60.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP58.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP63.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP66.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP61.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP5F.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP9B.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP65.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP6F.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP75.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP64.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP62.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP67.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP8B.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP7D.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP6A.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP69.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP6B.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP6E.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP8D.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP6D.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP70.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP71.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP72.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP73.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP8E.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP90.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP74.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP98.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP9A.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMPA1.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP7F.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP76.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP6C.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP78.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP84.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP86.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP80.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP81.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP7B.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMPA0.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP7E.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMPA3.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP82.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP89.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP83.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP87.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP85.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP88.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP8C.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP8A.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP94.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP91.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP8F.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP97.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP92.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP93.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP95.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP96.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP99.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP9C.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP9D.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP9E.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMPA9.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMPA7.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMPA2.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMPA4.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMPA5.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP79.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMPAA.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMPA8.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMPAC.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMPA6.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMPAD.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMPAE.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMPDC.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMPAF.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMP7.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMPAB.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMPB0.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMPDF.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMPDA.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMPB1.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMPB2.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMPB7.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMPB4.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMPB5.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMPB6.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMPB8.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMPB3.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMPBB.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMPBA.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMPB9.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMPCF.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMPBD.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMPBC.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMPBE.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMPBF.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMPC0.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMPC1.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMPC2.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMPC5.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMPC4.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMPDB.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMPE1.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMPE3.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMPC7.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMPC6.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMPDE.tmp - Deleted

C:\DOCUME~1\pawcio\USTAWI~1\Temp\TMPC3.tmp - Deleted

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-03-21 12:08:56

Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI

scanning hidden processes …

scanning hidden services …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully

hidden processes: 0

hidden services: 0

hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

“%windir%\system32\sessmgr.exe”="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

“C:\Program Files\Gadu-Gadu\gg.exe”=“C:\Program Files\Gadu-Gadu\gg.exe:*:Enabled:Gadu-Gadu - program g˘wny”

“C:\Program Files\Tlen.pl\tlen.exe”=“C:\Program Files\Tlen.pl\tlen.exe:*:Enabled:Komunikator Tlen.pl”

“C:\PROGRA~1\RINGZS~1\STORMC~1\Stormser.exe”=“C:\PROGRA~1\RINGZS~1\STORMC~1\Stormser.exe:*:Enabled:@xpsp2res.dll,-22008”

“C:\Program Files\IncrediMail\bin\ImApp.exe”=“C:\Program Files\IncrediMail\bin\ImApp.exe:*:Enabled:IncrediMail”

“C:\Program Files\IncrediMail\bin\IncMail.exe”=“C:\Program Files\IncrediMail\bin\IncMail.exe:*:Enabled:IncrediMail”

“C:\Program Files\IncrediMail\bin\ImpCnt.exe”=“C:\Program Files\IncrediMail\bin\ImpCnt.exe:*:Enabled:IncrediMail”

“C:\Program Files\Skype\Phone\Skype.exe”="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype. Take a deep breath "

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

“%windir%\system32\sessmgr.exe”="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sat 21 Mar 2009 100,864 …SHR — “C:\WINDOWS\system32\nmdfgds0.dll”

Fri 20 Mar 2009 100,864 …SHR — “C:\WINDOWS\system32\nmdfgds1.dll”

Fri 20 Mar 2009 110,776 …SHR — “C:\WINDOWS\system32\olhrwef.exe”

Mon 9 Feb 2009 9,934,392 A…H. — “C:\Program Files\Google\Picasa3\setup.exe”

Mon 27 Oct 2008 6,108,728 A…H. — “C:\System Volume Information_restore{F67BB49C-E621-4AF0-878C-35BB9CEFF5F7}\RP110\A0076395.exe”

Finished!

zaleskoszalin , na przyszłość nie podpinaj się pod istniejące tematy - jeżeli masz problem, załóż własny temat.

Wydzielono.

Wylecz pendriva lub kartę pamięci http://www.softpedia.com/get/Security/S … Tool.shtml

Flash Disinfector http://www.searchengines.pl/index.php?s … ntry369724

lub format

zastosuj ATF Cleaner http://cybertrash.pl/images/tata/ATF/ATF.html

Wyłącz przywracanie systemu na wszystkich dyskach.http://support.microsoft.com/kb/310405/pl

Pobierz Combofix http://www.searchengines.pl/index.php?s … ntry395642 ale nie włączaj

Podczas pobierania i skanu Combofixem proszę wyłączyć wszelkie zapory i antywirusy

Otwórz notatnik i wklej

zapisz jako CFScript.txt (zapisz by ikonka CFScript.txt była obok ikonki ComboFix.exe) >> Przeciągnij i upuść ikonkę CFScript.txt na ikonkę ComboFix.exe

Powinno rozpocząć się usuwanie

Potem log z usuwania Combofix

:slight_smile:

oto log z Combofix

ComboFix 09-03-19.02 - pawcio 2009-03-21 14:48:15.2 - FAT32 x86

Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.511.275 [GMT 0:00]

Uruchomiony z: c:\documents and settings\pawcio\Pulpit\ComboFix.exe

Użyto następujących komend :: c:\documents and settings\pawcio\Pulpit\CFScript.txt

AV: avast! antivirus 4.8.1335 [VPS 090320-0] *On-access scanning disabled* (Updated)

* Utworzono nowy punkt przywracania

.

((((((((((((((((((((((((( Pliki utworzone od 2009-02-21 do 2009-03-21 )))))))))))))))))))))))))))))))

.

2009-03-21 12:02 . 2009-03-21 12:02

2009-03-21 11:58 . 2008-11-06 02:03

2009-03-20 17:41 . 2009-03-20 17:41 54,156 --ah----- c:\windows\QTFont.qfn

2009-03-20 17:41 . 2009-03-20 17:41 1,409 --a------ c:\windows\QTFont.for

2009-03-20 11:50 . 2009-03-20 11:50

2009-03-20 11:49 . 2009-03-20 11:49

2009-03-17 22:37 . 2009-03-17 22:37

2009-03-17 17:05 . 2009-03-17 17:05

2009-03-17 17:05 . 2003-03-18 20:20 1,060,864 --a------ c:\windows\system32\MFC71.dll

2009-03-15 13:26 . 2009-03-15 13:26

2009-03-15 12:26 . 2008-09-23 22:19

2009-03-15 12:26 . 2009-03-15 12:26

2009-03-15 12:26 . 2008-09-23 22:19

2009-03-15 12:26 . 2008-09-23 22:19

2009-03-15 12:26 . 2009-03-15 12:26

2009-03-15 12:26 . 2008-09-23 22:19

2009-03-15 12:26 . 2009-03-15 12:26

2009-03-15 12:26 . 2008-09-23 22:19

2009-03-15 12:26 . 2009-03-15 12:26

2009-03-15 12:26 . 2004-08-04 00:44 221,184 --a------ c:\windows\system32\wmpns.dll

2009-03-15 12:26 . 2009-03-15 12:26 118 --a------ c:\windows\wininit.ini

2009-02-25 10:31 . 2009-02-25 10:31

2009-02-24 09:28 . 2009-02-24 09:28

2009-02-22 11:15 . 2009-02-22 11:15

.

(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-02-17 22:59 --------- d-----w c:\program files\Nowe Gadu-Gadu

2009-02-17 22:59 --------- d-----w c:\documents and settings\pawcio\Dane aplikacji\Nowe Gadu-Gadu

2009-02-08 14:55 --------- d-----w c:\program files\CC-CAM

2009-02-07 21:12 --------- d-----w c:\program files\IrfanView

2009-01-31 15:14 --------- d-----w c:\documents and settings\pawcio\Dane aplikacji\BESTplayer

2009-01-30 12:13 --------- d-----w c:\program files\Mobile Partner

2009-01-21 00:22 --------- d-----w c:\documents and settings\pawcio\Dane aplikacji\Ashampoo

2009-01-21 00:21 --------- d-----w c:\documents and settings\All Users\Dane aplikacji\ashampoo

2009-01-21 00:20 --------- d-----w c:\program files\Ashampoo

2009-01-05 22:33 3,751,995 ----a-w c:\windows\system32\GPhotos.scr

2008-11-17 01:05 31,256 —ha-w c:\program files\Plant09.hgp

2008-11-17 01:05 31,256 —ha-w c:\program files\Plant08.hgp

2008-11-17 01:05 31,256 —ha-w c:\program files\Plant07.hgp

2008-11-17 01:05 31,256 —ha-w c:\program files\Plant03.hgp

2008-11-17 01:05 31,256 —ha-w c:\program files\Plant02.hgp

2008-11-17 01:05 31,256 —ha-w c:\program files\Plant01.hgp

2008-11-17 00:10 3,960 ----a-w c:\program files\GrowRoom.hgg

2008-11-16 23:29 75,387 ----a-w c:\program files\Uninstal.exe

2008-09-26 19:03 32 ----a-w c:\documents and settings\All Users\Dane aplikacji\ezsid.dat

2008-08-11 00:08 978,396 ----a-w c:\program files\BDAXP.cab

2005-07-28 19:19 2,238 ----a-w c:\program files\hg.ico

Dodane 21.03.2009 (So) 15:55

z gory przepraszam za podpiecie sie pod istniejacy temat i dziekuje za odp =D>

Log obcięty

Otwórz notatnik i wklej

zapisz jako CFScript.txt (zapisz by ikonka CFScript.txt była obok ikonki ComboFix.exe) >> Przeciągnij i upuść ikonkę CFScript.txt na ikonkę ComboFix.exe

Powinno rozpocząć się usuwanie

Potem log z usuwania Combofix

:slight_smile:

ComboFix 09-03-19.02 - pawcio 2009-03-21 15:19:58.3 - FAT32 x86

Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.511.297 [GMT 0:00]

Uruchomiony z: c:\documents and settings\pawcio\Pulpit\ComboFix.exe

Użyto następujących komend :: c:\documents and settings\pawcio\Pulpit\CFScript.txt

AV: avast! antivirus 4.8.1335 [VPS 090320-0] *On-access scanning disabled* (Updated)

* Utworzono nowy punkt przywracania

.

((((((((((((((((((((((((( Pliki utworzone od 2009-02-21 do 2009-03-21 )))))))))))))))))))))))))))))))

.

2009-03-21 12:02 . 2009-03-21 12:02

2009-03-21 11:58 . 2008-11-06 02:03

2009-03-20 17:41 . 2009-03-20 17:41 54,156 --ah----- c:\windows\QTFont.qfn

2009-03-20 17:41 . 2009-03-20 17:41 1,409 --a------ c:\windows\QTFont.for

2009-03-20 11:50 . 2009-03-20 11:50

2009-03-20 11:49 . 2009-03-20 11:49

2009-03-17 22:37 . 2009-03-17 22:37

2009-03-17 17:05 . 2009-03-17 17:05

2009-03-17 17:05 . 2003-03-18 20:20 1,060,864 --a------ c:\windows\system32\MFC71.dll

2009-03-15 13:26 . 2009-03-15 13:26

2009-03-15 12:26 . 2008-09-23 22:19

2009-03-15 12:26 . 2009-03-15 12:26

2009-03-15 12:26 . 2008-09-23 22:19

2009-03-15 12:26 . 2008-09-23 22:19

2009-03-15 12:26 . 2009-03-15 12:26

2009-03-15 12:26 . 2008-09-23 22:19

2009-03-15 12:26 . 2009-03-15 12:26

2009-03-15 12:26 . 2008-09-23 22:19

2009-03-15 12:26 . 2009-03-15 12:26

2009-03-15 12:26 . 2004-08-04 00:44 221,184 --a------ c:\windows\system32\wmpns.dll

2009-03-15 12:26 . 2009-03-15 12:26 118 --a------ c:\windows\wininit.ini

2009-02-25 10:31 . 2009-02-25 10:31

2009-02-24 09:28 . 2009-02-24 09:28

2009-02-22 11:15 . 2009-02-22 11:15

.

(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-02-17 22:59 --------- d-----w c:\program files\Nowe Gadu-Gadu

2009-02-17 22:59 --------- d-----w c:\documents and settings\pawcio\Dane aplikacji\Nowe Gadu-Gadu

2009-02-08 14:55 --------- d-----w c:\program files\CC-CAM

2009-02-07 21:12 --------- d-----w c:\program files\IrfanView

2009-01-31 15:14 --------- d-----w c:\documents and settings\pawcio\Dane aplikacji\BESTplayer

2009-01-30 12:13 --------- d-----w c:\program files\Mobile Partner

2009-01-21 00:22 --------- d-----w c:\documents and settings\pawcio\Dane aplikacji\Ashampoo

2009-01-21 00:21 --------- d-----w c:\documents and settings\All Users\Dane aplikacji\ashampoo

2009-01-21 00:20 --------- d-----w c:\program files\Ashampoo

2009-01-05 22:33 3,751,995 ----a-w c:\windows\system32\GPhotos.scr

2008-11-17 01:05 31,256 —ha-w c:\program files\Plant09.hgp

2008-11-17 01:05 31,256 —ha-w c:\program files\Plant08.hgp

2008-11-17 01:05 31,256 —ha-w c:\program files\Plant07.hgp

2008-11-17 01:05 31,256 —ha-w c:\program files\Plant03.hgp

2008-11-17 01:05 31,256 —ha-w c:\program files\Plant02.hgp

2008-11-17 01:05 31,256 —ha-w c:\program files\Plant01.hgp

2008-11-17 00:10 3,960 ----a-w c:\program files\GrowRoom.hgg

2008-11-16 23:29 75,387 ----a-w c:\program files\Uninstal.exe

2008-09-26 19:03 32 ----a-w c:\documents and settings\All Users\Dane aplikacji\ezsid.dat

2008-08-11 00:08 978,396 ----a-w c:\program files\BDAXP.cab

2005-07-28 19:19 2,238 ----a-w c:\program files\hg.ico

2005-07-28 17:00 82,321 ----a-w c:\program files\Antique Attic.hgb

2005-07-28 16:41 136,276 ----a-w c:\program files\Virtual Beach.hgb

2005-04-19 14:26 1,769,472 ----a-w c:\program files\HighGrow.exe

2005-04-02 11:44 252,362 ----a-w c:\program files\HighGrow.chm

2005-02-19 11:18 20,480 ----a-w c:\program files\Comments.dll

2002-03-01 19:27 231,936 ----a-w c:\program files\Robbie.dll

1998-07-27 13:57 228,968 ----a-w c:\program files\BigLeaf.dat

1998-07-04 22:16 2,848 ----a-w c:\program files\Harvest.dat

.

((((((((((((((((((((((((((((( SnapShot@2009-03-21_14.30.46,11 )))))))))))))))))))))))))))))))))))))))))

.

  • 2009-03-21 13:45:04 2,234 ----a-w c:\windows\bthservsdp.dat
  • 2009-03-21 15:12:14 2,234 ----a-w c:\windows\bthservsdp.dat
  • 2009-03-21 13:46:14 31,968 ----a-w c:\windows\system32\nvModes.dat
  • 2009-03-21 15:13:24 31,968 ----a-w c:\windows\system32\nvModes.dat

  • 2009-03-21 15:13:12 16,384 ----a-w c:\windows\Temp\Perflib_Perfdata_460.dat

  • 2009-03-21 15:13:24 16,384 ----a-w c:\windows\Temp\Perflib_Perfdata_7ac.dat

.

((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

“{57BCA5FA-5DBB-45a2-B558-1755C3F6253B}”= “c:\program files\Winamp Toolbar\winamptb.dll” [2008-07-16 1266992]

[HKEY_CLASSES_ROOT\clsid{57bca5fa-5dbb-45a2-b558-1755c3f6253b}]

[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch.1]

[HKEY_CLASSES_ROOT\TypeLib{538CD77C-BFDD-49b0-9562-77419CAB89D1}]

[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“Google Update”=“c:\documents and settings\pawcio\Ustawienia lokalne\Dane aplikacji\Google\Update\GoogleUpdate.exe” [2008-09-24 133104]

“swg”=“c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe” [2008-11-07 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“c:\windows\system32\V0420Ext.ax”=“c:\windows\system32\V0420Ext.ax” [X]

“NvCplDaemon”=“c:\windows\system32\NvCpl.dll” [2004-04-13 3309568]

“StormCodec_Helper”=“c:\program files\Ringz Studio\Storm Codec\StormSet.exe” [2006-11-26 97357]

“WinampAgent”=“c:\program files\Winamp\winampa.exe” [2008-09-12 36352]

“Adobe Reader Speed Launcher”=“c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe” [2008-06-12 34672]

“SunJavaUpdateSched”=“c:\program files\Java\jre6\bin\jusched.exe” [2008-11-10 136600]

“V0420Mon.exe”=“c:\windows\V0420Mon.exe” [2007-04-30 32768]

“NeroCheck”=“c:\windows\system32\NeroCheck.exe” [2001-07-09 155648]

“avast!”=“c:\progra~1\ALWILS~1\Avast4\ashDisp.exe” [2009-02-05 81000]

“BluetoothAuthenticationAgent”=“bthprops.cpl” [2004-08-03 c:\windows\system32\bthprops.cpl]

“nwiz”=“nwiz.exe” [2004-04-13 c:\windows\system32\nwiz.exe]

“NvMediaCenter”=“NvMCTray.dll” [2004-04-13 c:\windows\system32\nvmctray.dll]

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

“CTFMON.EXE”=“c:\windows\system32\CTFMON.EXE” [2004-08-03 15360]

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

“EnableFirewall”= 0 (0x0)

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

“%windir%\system32\sessmgr.exe”=

“c:\Program Files\Gadu-Gadu\gg.exe”=

“c:\Program Files\Tlen.pl\tlen.exe”=

“c:\Program Files\Skype\Phone\Skype.exe”=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-03-17 114768]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-03-17 20560]

R2 Autorun CDROM Monitor;Autorun CDROM Monitor;c:\windows\system32\TDSupportApp\cdrom_mon.exe [2008-09-23 81920]

S3 V0420VID;Live! Cam Vista IM (VF0420);c:\windows\system32\drivers\V0420Vid.sys [2008-12-19 99648]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]

\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{c455c361-eeca-11dd-af9e-0010c6294c8d}]

\Shell\AutoRun\command - F:\AutoRun.exe

.

Zawartość folderu ‘Zaplanowane zadania’

2009-03-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-299502267-1606980848-1060284298-1003.job

  • c:\documents and settings\pawcio\Ustawienia lokalne\Dane aplikacji\Google\Update\GoogleUpdate.exe [2008-09-24 00:13]

.

.

------- Skan uzupełniający -------

.

uStart Page = hxxp://mystart.incredimail.com/

uSearch Page = hxxp://www.google.com

uDefault_Search_URL = hxxp://www.google.com/ie

uSearch Bar = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: &Winamp Search - c:\documents and settings\All Users\Dane aplikacji\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-03-21 15:22:01

Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI

skanowanie ukrytych procesów …

skanowanie ukrytych wpisów autostartu …

skanowanie ukrytych plików …

skanowanie pomyślnie ukończone

ukryte pliki: 0

**************************************************************************

.

Czas ukończenia: 2009-03-21 15:23:50

ComboFix-quarantined-files.txt 2009-03-21 15:23:50

ComboFix3.txt 2009-03-21 14:32:08

ComboFix2.txt 2009-03-21 14:52:14

Przed: 2 696 658 944 bajtów wolnych

Po: 2,692,349,952 bajtów wolnych

152

te foldery usuń ręcznie

Otwórz notatnik i wklej

zapisz jako plik.reg >> wszystkie pliki

b57f17008275c957m.jpg

powstanie plik o takiej ikonie

062aec4c9b51c033m.jpg

w który dwa razy klikniesz potwierdzisz chęć dodania do rejestru potem restart

Pobierz CCleaner http://www.filehippo.com/download_ccleaner/

przeskanuj nim i wyczyść rejestr.

zrób optymalizacje uruchamiania

http://cybertrash.netarteria.pl/cyber/i … 378.0.html

usuń ręcznie folder C: \Qoobox usuń instalkę Combofix z dysku.

Wyłącz I włącz przywracanie systemu na wszystkich dyskach.http://support.microsoft.com/kb/310405/pl

przeskanuj obszar Mój komputer http://www.kaspersky.pl/virusscanner.html gdy będą wirusy pokaż raport

:slight_smile: