During a boot-time scan, Avast found a virus in this file for me. Kaspersky online confirmed it. I did what I had read in similar threads.
SDFix report
SDFix: Version 1.240
Run by Administrator on 2009-01-07 at 12:40
Microsoft Windows XP [Wersja 5.1.2600]
Running From: C:\SDFix
Checking Services :
Infected user32.dll Found!
user32.dll File Locations:
"C:\WINDOWS\system32\user32.DLL" 578560 2008-12-03 14:11
"C:\WINDOWS\system32\dllcache\user32.dll" 578560 2008-12-03 14:11
[C] 64BD96FE003E0A1B82086B6DDA1D5FE4
[C] 64BD96FE003E0A1B82086B6DDA1D5FE4
[C] 0C81764F50F32D376E6E4B9E9F4B01A0
Note: SDFix does not repair this file!
Restoring Default Security Values
Restoring Default Hosts File
Rebooting
Checking Files :
No Trojan Files Found
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-07 13:01:18
Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI
scanning hidden processes …
scanning hidden services …
scanning hidden autostart entries …
scanning hidden files …
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\Gadu-Gadu\gg.exe"="C:\Program Files\Gadu-Gadu\gg.exe:*:Enabled:Gadu-Gadu - program glowny"
"C:\Program Files\DC++\DCPlusPlus.exe"="C:\Program Files\DC++\DCPlusPlus.exe:*:Enabled:DC++"
"C:\Program Files\Tlen.pl\tlen.exe"="C:\Program Files\Tlen.pl\tlen.exe:*:Enabled:Komunikator Tlen.pl"
"C:\WINDOWS\system32\sessmgr.exe"="C:\WINDOWS\system32\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\totalcmd\TOTALCMD.EXE"="C:\totalcmd\TOTALCMD.EXE:*:Enabled:Total Commander 32 bit international version, file manager replacement for Windows"
"E:\SoF\sof3.exe"="E:\SoF\sof3.exe:*:Enabled:sof3"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype. Take a deep breath "
"C:\Program Files\BearShare\BearShare.exe"="C:\Program Files\BearShare\BearShare.exe:*:Enabled:BearShare"
"C:\Program Files\FlashGet Network\FlashGet universal\FlashGet.exe"="C:\Program Files\FlashGet Network\FlashGet universal\FlashGet.exe:*:Enabled:Flashget2"
"C:\Program Files\FlashGet Network\FlashGet universal\LiveUpdate.exe"="C:\Program Files\FlashGet Network\FlashGet universal\LiveUpdate.exe:*:Enabled:FGLiveUpdate"
"C:\Program Files\FlashGet Network\FlashGet universal\LiveUpdateEx.exe"="C:\Program Files\FlashGet Network\FlashGet universal\LiveUpdateEx.exe:*:Enabled:FGLiveUpdateEx"
"D:\SOF2 MPtest\SoF2MP-Test.exe"="D:\SOF2 MPtest\SoF2MP-Test.exe:*:Enabled:SoF2MP-Test"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
Remaining Files :
Files with Hidden Attributes :
Wed 14 May 2008 2,098 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Thu 1 May 2008 56 …SHR --- "C:\WINDOWS\system32\478FC01CCE.sys"
Sun 4 Jan 2009 85,504 …SHR --- "C:\WINDOWS\system32\gasretyw0.dll"
Wed 4 Aug 2004 93,184 A.SH. --- "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
Thu 14 Aug 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Wed 30 Jul 2008 4,891,984 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Tue 16 Sep 2008 1,833,296 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Mon 15 Sep 2008 1,562,960 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll"
Wed 3 Dec 2008 131,072 A…H. --- "C:\Program Files\Mozilla Firefox\a.exe"
Thu 1 May 2008 19,968 …H. --- "C:\Documents and Settings\Mago\Pulpit~WRL0671.tmp"
Thu 1 May 2008 229,888 …H. --- "C:\Documents and Settings\Mago\Pulpit~WRL3906.tmp"
Sun 27 Apr 2008 574,976 …H. --- "C:\Documents and Settings\Mago\Pulpit~WRL0002.tmp"
Thu 1 May 2008 20,992 …H. --- "C:\Documents and Settings\Mago\Pulpit~WRL1354.tmp"
Thu 1 May 2008 427,520 …H. --- "C:\Documents and Settings\Mago\Pulpit~WRL3081.tmp"
Thu 1 May 2008 20,992 …H. --- "C:\Documents and Settings\Mago\Pulpit~WRL0133.tmp"
Thu 1 May 2008 21,504 …H. --- "C:\Documents and Settings\Mago\Pulpit~WRL1187.tmp"
Thu 1 May 2008 21,504 …H. --- "C:\Documents and Settings\Mago\Pulpit~WRL3705.tmp"
Thu 1 May 2008 21,504 …H. --- "C:\Documents and Settings\Mago\Pulpit~WRL1739.tmp"
Thu 1 May 2008 22,016 …H. --- "C:\Documents and Settings\Mago\Pulpit~WRL0261.tmp"
Thu 1 May 2008 22,016 …H. --- "C:\Documents and Settings\Mago\Pulpit~WRL2829.tmp"
Thu 1 May 2008 22,016 …H. --- "C:\Documents and Settings\Mago\Pulpit~WRL0241.tmp"
Thu 1 May 2008 22,016 …H. --- "C:\Documents and Settings\Mago\Pulpit~WRL0766.tmp"
Thu 1 May 2008 22,016 …H. --- "C:\Documents and Settings\Mago\Pulpit~WRL1951.tmp"
Thu 1 May 2008 22,016 …H. --- "C:\Documents and Settings\Mago\Pulpit~WRL1368.tmp"
Thu 1 May 2008 22,528 …H. --- "C:\Documents and Settings\Mago\Pulpit~WRL2379.tmp"
Thu 1 May 2008 22,528 …H. --- "C:\Documents and Settings\Mago\Pulpit~WRL1116.tmp"
Thu 1 May 2008 24,576 …H. --- "C:\Documents and Settings\Mago\Pulpit~WRL1237.tmp"
Thu 1 May 2008 25,600 …H. --- "C:\Documents and Settings\Mago\Pulpit~WRL4077.tmp"
Thu 1 May 2008 26,112 …H. --- "C:\Documents and Settings\Mago\Pulpit~WRL1543.tmp"
Thu 23 Jan 2003 65,952 …SHR --- "C:\Program Files\Autodesk\Autodesk Express Viewer\Setup.exe"
Fri 22 Feb 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Sat 25 Oct 2008 1,301 …HR --- "C:\Documents and Settings\Esper & Vher\Dane aplikacji\SecuROM\UserData\securom_v7_01.bak"
Thu 7 Dec 2006 3,096,576 A…H. --- "C:\Documents and Settings\Esper & Vher\Dane aplikacji\U3\temp\Launchpad Removal.exe"
Finished!
And the ComboFix log: http://wklej.org/id/36062/
What next?