TR/Crypt.XPACK.Gen infection, removal attempt
#1
Hello, this is my first post on this forum. I hope I'm doing everything right by starting this thread ;)

As the title says, my computer is infected with something that Avira AntiVir (free version, up to date) detects as TR/Crypt.XPACK.Gen. The program is unable to quarantine or delete it, and the trojan sits in the file C:\WINDOWS\system32\ntbios.dll. I tried to delete it both in normal mode and in safe mode; it didn't help, a window pops up saying "access denied". Avira goes crazy as soon as it looks at the system32 folder.

HijackThis log:
Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:36:39, on 2008-07-22
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\ScreenshotCaptor\ScreenshotCaptor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WapSter\WapSter AQQ\AQQ.exe
C:\WINDOWS\explorer.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Dex\Pulpit\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comodo.com/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [Screenshot Captor] "C:\Program Files\ScreenshotCaptor\ScreenshotCaptor.exe" /autorun
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AQQ] C:\PROGRA~1\WapSter\WAPSTE~1\AQQ.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Ściągnij przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &Ściągnij wszystko przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6044 bytes


Silent Runners log:
Code:
"Silent Runners.vbs", revision 58, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Screenshot Captor" = ""C:\Program Files\ScreenshotCaptor\ScreenshotCaptor.exe" /autorun" ["DonationCoder"]
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"AQQ" = "C:\PROGRA~1\WapSter\WAPSTE~1\AQQ.exe" [empty string]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"COMODO Firewall Pro" = ""C:\Program Files\COMODO\Firewall\cfp.exe" -h" ["COMODO"]
"avgnt" = ""C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min" ["Avira GmbH"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Ask Search Assistant BHO"
     \InProcServer32\(Default) = "C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL" ["Ask.com"]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
     \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}\(Default) = "flashget urlcatch"
  -> {HKLM...CLSID} = "FGCatchUrl"
     \InProcServer32\(Default) = "C:\Program Files\FlashGet\jccatch.dll" ["www.flashget.com"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "SSVHelper Class"
     \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll" ["Sun Microsystems, Inc."]
{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Ask Toolbar BHO"
     \InProcServer32\(Default) = "C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL" ["Ask.com"]
{F156768E-81EF-470C-9057-481BA8380DBA}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "FlashGet GetFlash Class"
     \InProcServer32\(Default) = "C:\Program Files\FlashGet\getflash.dll" ["www.flashget.com"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
     \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
     \InProcServer32\(Default) = "C:\Program Files\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
"{10677009-C23C-4FC2-A62C-29323A2201F0}" = "AQQ File Transfer Shell Extension"
  -> {HKLM...CLSID} = "AQQ File Transfer Shell Extension"
     \InProcServer32\(Default) = "C:\PROGRA~1\WapSter\WAPSTE~1\System\AQQSHE~1.DLL" [null data]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
  -> {HKLM...CLSID} = "DesktopContext Class"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
  -> {HKLM...CLSID} = "NVIDIA CPL Extension"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
  -> {HKLM...CLSID} = "Desktop Explorer"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
  -> {HKLM...CLSID} = "nView Desktop Context Menu"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"IconPackager Repair" = "{1799460C-0BC8-4865-B9DF-4A36CD703FF0}"
  -> {HKLM...CLSID} = "IPShellInstantiator Class"
     \InProcServer32\(Default) = "C:\Program Files\Stardock\Object Desktop\IconPackager\iprepair.dll" ["Stardock.net, Inc"]

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "autocheck autochk *"|"lsdelete" [null data]

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
  -> {HKLM...CLSID} = "PDF Shell Extension"
     \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
AQQFileTransfer\(Default) = "{10677009-C23C-4FC2-A62C-29323A2201F0}"
  -> {HKLM...CLSID} = "AQQ File Transfer Shell Extension"
     \InProcServer32\(Default) = "C:\PROGRA~1\WapSter\WAPSTE~1\System\AQQSHE~1.DLL" [null data]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
     \InProcServer32\(Default) = "C:\Program Files\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
     \InProcServer32\(Default) = "C:\Program Files\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoDrives" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoDrives" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideLogoffScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"RunLogonScriptSync" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"RunStartupScriptSync" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideStartupScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"disableregistrytools" = (REG_DWORD) dword:0x00000000
{User Configuration|Administrative Templates|System|
Prevent access to registry editing tools}

HKCU\Software\Policies\Microsoft\Windows\System\

"DisableCMD" = (REG_DWORD) dword:0x00000000
{User Configuration|Administrative Templates|System|
Disable the command prompt}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

"DisableRegistryTools" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideLogoffScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"RunLogonScriptSync" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"RunStartupScriptSync" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideStartupScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Dex\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\logon.scr" [MS]


Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

ASHAshampoo_Burning_Studio_6_FREEBURNONARRIVAL\
"Provider" = "Ashampoo Burning Studio 6 FREE"
"InvokeProgID" = "Ashampoo.BurningStudio6FREE"
"InvokeVerb" = "autoplay-burn"
HKLM\SOFTWARE\Classes\Ashampoo.BurningStudio6FREE\shell\autoplay-burn\Command\(Default) = ""C:\Program Files\Ashampoo\Ashampoo Burning Studio 6\burningstudio.exe" -autoplay -selectdrive "%l"" ["ashampoo Technology GmbH & Co. KG"]

ASHAshampoo_Burning_Studio_6_FREECOPYONARRIVAL\
"Provider" = "Ashampoo Burning Studio 6 FREE"
"InvokeProgID" = "Ashampoo.BurningStudio6FREE"
"InvokeVerb" = "autoplay-copy"
HKLM\SOFTWARE\Classes\Ashampoo.BurningStudio6FREE\shell\autoplay-copy\Command\(Default) = "C:\Program Files\Ashampoo\Ashampoo Burning Studio 6\burningstudio.exe" -autoplay -selectdrive "%l" -copy" [file not found]

ASHAshampoo_Burning_Studio_6_FREERIPONARRIVAL\
"Provider" = "Ashampoo Burning Studio 6 FREE"
"InvokeProgID" = "Ashampoo.BurningStudio6FREE"
"InvokeVerb" = "autoplay-rip"
HKLM\SOFTWARE\Classes\Ashampoo.BurningStudio6FREE\shell\autoplay-rip\Command\(Default) = ""C:\Program Files\Ashampoo\Ashampoo Burning Studio 6\burningstudio.exe" -autoplay -selectdrive "%l" -rip" ["ashampoo Technology GmbH & Co. KG"]

Picasa2ImportPicturesOnArrival\
"Provider" = "Picasa2"
"InvokeProgID" = "picasa2.autoplay"
"InvokeVerb" = "import"
HKLM\SOFTWARE\Classes\picasa2.autoplay\shell\import\command\(Default) = "C:\Program Files\Picasa2\Picasa2.exe "%1"" ["Google Inc."]

WinampMTPHandler\
"Provider" = "Winamp"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = "C:\Program Files\Winamp\winamp.exe"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
  -> {HKLM...CLSID} = "ShellExecute HW Event Handler"
     \LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

WinampPlayMediaOnArrival\
"Provider" = "Winamp"
"InvokeProgID" = "Winamp.File"
"InvokeVerb" = "Play"
HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\command\(Default) = ""C:\Program Files\Winamp\winamp.exe" "%1"" ["Nullsoft"]
HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\DropTarget\CLSID = "{46986115-84D6-459c-8F95-52DD653E532E}"
  -> {HKLM...CLSID} = (no title provided)
     \LocalServer32\(Default) = ""C:\Program Files\Winamp\winamp.exe"" ["Nullsoft"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"
  -> {HKLM...CLSID} = "Ask Toolbar"
     \InProcServer32\(Default) = "C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL" ["Ask.com"]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}" = (no title provided)
  -> {HKLM...CLSID} = "Ask Toolbar"
     \InProcServer32\(Default) = "C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL" ["Ask.com"]

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Badanie"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
  \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC}"
  -> {HKCU...CLSID} = "Java Plug-in 1.6.0_07"
     \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll" ["Sun Microsystems, Inc."]
  -> {HKLM...CLSID} = "Java Plug-in 1.6.0_07"
     \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll" ["Sun Microsystems, Inc."]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Badanie"

{D6E814A0-E0C5-11D4-8D29-0050BA6940E3}\
"ButtonText" = "FlashGet"
"MenuText" = "FlashGet"
"Exec" = "C:\Program Files\FlashGet\FlashGet.exe" ["FlashGet.com"]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
<<H>> "{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2}" = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL" ["Ask.com"]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Avira AntiVir Personal – Free Antivirus Guard, AntiVirService, ""C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe"" ["Avira GmbH"]
Avira AntiVir Personal – Free Antivirus Scheduler, AntiVirScheduler, ""C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe"" ["Avira GmbH"]
COMODO Firewall Pro Helper Service, cmdAgent, ""C:\Program Files\COMODO\Firewall\cmdagent.exe"" ["COMODO"]
Lavasoft Ad-Aware Service, aawservice, ""C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe"" ["Lavasoft"]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
hpzsnt09\Driver = "hpzsnt09.dll" ["HP"]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]


---------- (launch time: 2008-07-22 16:33:32)
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 210 seconds.
---------- (total run time: 373 seconds)


I also tried to delete this file with ComboFix, by dragging onto its icon a text file with the following contents:
Code:
File ::
C:\WINDOWS\system32\ntbios.dll


ComboFix does not recognise this file.

PS: I'll post the ComboFix log in a moment.

edit: I added the report as an attachment
#2
Quote: R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL


Delete these entries in HijackThis. Afterwards, post fresh HijackThis and ComboFix logs. Just don't post them as attachments.
"I am not a consumer who fits the standard
I am not a species doomed to extinction
I am not the object of media noise
I am an illegal killer of time"
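An added example, not code from the thread, from HijackThis, or from either poster: a small Python parser for HijackThis lines of the shapes quoted in post #1, applying the triage the reply in post #2 performs by hand (everything under the AskSBar directory goes, and so does the URLSearchHook whose DLL is "(no file)"). The sample log is constructed from entries quoted in the thread; the REMOVE_PATTERNS list and the "Unknown owner" review rule are assumptions of this example, not rules either poster stated. Note that ntbios.dll itself never appears in a HijackThis log: HijackThis lists launch points, not every loaded DLL, so a file that is not registered at one of those points does not show up there.

```python
"""Triage helper for HijackThis log lines (added example, not code from the thread).

HijackThis prints one launch point per line: "<section> - <details>".  The
regexes below cover the line shapes quoted in the thread (R3/O2/O3 COM
entries, O4 Run values, O23 services); other sections fall back to a raw
entry so nothing is silently dropped.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field


@dataclass
class Entry:
    kind: str            # HijackThis section, e.g. "R3", "O2", "O23"
    name: str            # display name, Run value name, or service short name
    path: str            # file, command line, or "(no file)"
    clsid: str = ""      # CLSID for COM-based entries
    owner: str = ""      # O23 "owner" column (vendor string or "Unknown owner")
    raw: str = field(default="", repr=False)


_LINE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<rest>.+)$")
# R3/O2/O3/O9: "<Type>: <name> - {CLSID} - <path>"
_COM = re.compile(r"^[^:]+: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
# O4: "HKLM\..\Run: [<name>] <command>" (also HKUS\<SID>\..\Run)
_RUN = re.compile(r"^HK[A-Z]+(?:\\[^\\]+)?\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<path>.+)$")
# O23: "Service: <display> (<short>) - <owner> - <path>"
_SVC = re.compile(r"^Service: .+? \((?P<short>[^)]+)\) - (?P<owner>.+?) - (?P<path>.+)$")

# Assumed rules, mirroring the reply in the thread: everything under the
# AskSBar directory goes, and a hook whose DLL is missing is dead weight.
REMOVE_PATTERNS = (r"\\AskSBar\\", r"^\(no file\)$")


def parse_line(line: str) -> Entry | None:
    """Return an Entry for a HijackThis line, or None for non-entry text."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    kind, rest = m["kind"], m["rest"]
    if (c := _COM.match(rest)):
        return Entry(kind, c["name"], c["path"], clsid=c["clsid"], raw=line)
    if (r := _RUN.match(rest)):
        return Entry(kind, r["name"], r["path"], raw=line)
    if (s := _SVC.match(rest)):
        return Entry(kind, s["short"], s["path"], owner=s["owner"], raw=line)
    return Entry(kind, "", rest, raw=line)


def triage(log_text: str) -> dict[str, list[Entry]]:
    """Split parsed entries into 'remove' (matches a removal pattern) and
    'review' (a service with no vendor string; not necessarily malicious,
    cmdagent.exe in the sample is COMODO's own)."""
    verdicts: dict[str, list[Entry]] = {"remove": [], "review": []}
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        if any(re.search(p, e.path) for p in REMOVE_PATTERNS):
            verdicts["remove"].append(e)
        elif e.kind == "O23" and e.owner == "Unknown owner":
            verdicts["review"].append(e)
    return verdicts


# Constructed sample: the five lines the reply quoted, plus three benign
# lines from the same log so the filter has something to leave alone.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
"""

if __name__ == "__main__":
    for verdict, entries in triage(SAMPLE_LOG).items():
        for e in entries:
            print(f"{verdict:6} {e.kind:3} {e.name!r:30} {e.path}")
```

Running the file prints five "remove" lines (the four Ask entries and the orphaned Yahoo! hook) and one "review" line for cmdAgent; the Adobe BHO and the avgnt Run value pass untouched. Matching on the path rather than the display name matters: the first R3 line has no name at all, and only its DLL location ties it to the Ask bundle.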
#3
First of all, thanks for the reply :)

I deleted the entries you listed; here is the HijackThis log:

Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:05:27, on 2008-07-23
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\COMODO\Firewall\cfp.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\ScreenshotCaptor\ScreenshotCaptor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\WapSter\WAPSTE~1\AQQ.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comodo.com/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Screenshot Captor] "C:\Program Files\ScreenshotCaptor\ScreenshotCaptor.exe" /autorun
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AQQ] C:\PROGRA~1\WapSter\WAPSTE~1\AQQ.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Ściągnij przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &Ściągnij wszystko przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5530 bytes


Unfortunately, I can't get a ComboFix log :(. When I try to open the program, this window pops up:

[link visible only to registered users]


I tried downloading it from 3 different sources (including the one that worked yesterday), and turning off the firewall and the antivirus. No luck.

edit: I managed to get a ComboFix log using a copy from a friend:
Code:
ComboFix 08-07-21.2 - Dex 2008-07-23 11:15:27.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.697 [GMT 2:00]
Running from: D:\Dokumenty\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-06-23 to 2008-07-23)))))))))))))))))))))))))))))))
.

2008-07-23 10:01 . 2008-07-23 10:01    <DIR>    d--------    C:\Program Files\Trend Micro
2008-07-22 11:11 . 2004-08-03 23:08    25,600    --a------    C:\WINDOWS\system32\drivers\usbser.sys
2008-07-22 11:11 . 2004-08-03 23:08    25,600    --a--c---    C:\WINDOWS\system32\dllcache\usbser.sys
2008-07-22 11:10 . 2008-07-22 11:10    <DIR>    d--------    C:\Documents and Settings\All Users\Dane aplikacji\Nokia
2008-07-22 10:59 . 2008-05-07 07:39    1,419,232    --a------    C:\WINDOWS\system32\wdfcoinstaller01005.dll
2008-07-22 10:59 . 2008-05-07 07:38    659,968    --a------    C:\WINDOWS\system32\nmwcdcocls.dll
2008-07-22 10:59 . 2008-05-07 07:38    20,864    --a------    C:\WINDOWS\system32\drivers\ccdcmbo.sys
2008-07-22 10:59 . 2008-05-07 07:38    17,536    --a------    C:\WINDOWS\system32\drivers\ccdcmb.sys
2008-07-22 10:59 . 2008-05-07 07:38    8,064    --a------    C:\WINDOWS\system32\drivers\usbser_lowerfltj.sys
2008-07-22 10:59 . 2008-06-06 09:24    8,064    --a------    C:\WINDOWS\system32\drivers\usbser_lowerflt.sys
2008-07-22 10:57 . 2008-07-22 10:57    <DIR>    d--------    C:\Program Files\MSXML 6.0
2008-07-22 10:55 . 2008-07-22 10:58    <DIR>    d--------    C:\Program Files\Nokia
2008-07-22 10:55 . 2008-07-22 10:55    <DIR>    d--------    C:\Program Files\Common Files\Nokia
2008-07-22 10:53 . 2008-07-22 10:53    <DIR>    d--------    C:\Documents and Settings\All Users\Dane aplikacji\Installations
2008-07-22 10:52 . 2008-07-22 10:52    0    --ah-----    C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-07-22 10:52 . 2008-07-22 10:52    0    --ah-----    C:\WINDOWS\system32\drivers\Msft_Kernel_ccdcmb_01005.Wdf
2008-07-22 10:32 . 2008-07-22 10:32    <DIR>    d--------    C:\Program Files\Lavasoft
2008-07-22 10:32 . 2008-07-22 10:34    <DIR>    d--------    C:\Documents and Settings\All Users\Dane aplikacji\Lavasoft
2008-07-22 09:19 . 2008-07-22 09:20    <DIR>    d--------    C:\Program Files\WinAVI Video Converter
2008-07-20 23:20 . 2008-07-22 09:15    67    --a------    C:\WINDOWS\#1 Video Converter.INI
2008-07-20 23:19 . 2008-07-20 23:19    <DIR>    d--------    C:\Program Files\NO1 Video Converter
2008-07-20 11:06 . 2008-07-20 11:06    <DIR>    d--------    C:\Documents and Settings\LocalService\Dane aplikacji\Thunderbird
2008-07-19 09:25 . 2008-07-19 09:25    <DIR>    d--------    C:\Program Files\JC - U912V vibration game pad driver
2008-07-18 11:37 . 2008-07-18 11:37    <DIR>    d--------    C:\Program Files\Avira
2008-07-17 18:18 . 2008-07-17 18:18    <DIR>    d--------    C:\Program Files\DNA
2008-07-17 18:18 . 2008-07-22 18:59    <DIR>    d--------    C:\Documents and Settings\Dex\Dane aplikacji\DNA
2008-07-17 18:17 . 2008-07-22 18:12    <DIR>    d--------    C:\Program Files\BitTorrent
2008-07-14 22:47 . 2008-07-14 22:47    <DIR>    d--------    C:\WINDOWS\Applian FLV Player
2008-07-14 22:47 . 2008-07-14 22:47    <DIR>    d--------    C:\Program Files\FLV Player
2008-07-14 22:46 . 2008-07-14 22:46    <DIR>    d--------    C:\Documents and Settings\Dex\dwhelper
2008-07-14 20:23 . 2008-07-14 20:23    <DIR>    d--------    C:\Documents and Settings\All Users\Dane aplikacji\TomTom
2008-07-14 20:21 . 2008-07-14 20:21    <DIR>    d--------    C:\Documents and Settings\Dex\Dane aplikacji\TomTom
2008-07-14 20:19 . 2008-07-14 20:19    <DIR>    d--------    C:\Program Files\TomTom DesktopSuite
2008-07-07 20:25 . 2008-07-07 20:25    45    --a------    C:\WINDOWS\system32\initdebug.nfo
2008-07-04 19:03 . 2008-07-04 19:03    34    --a------    C:\WINDOWS\cdplayer.ini
2008-07-03 21:07 . 2008-07-03 21:07    <DIR>    d--------    C:\Documents and Settings\All Users\Dane aplikacji\nView_Profiles
2008-07-02 17:00 . 2008-07-02 17:00    <DIR>    d--------    C:\Documents and Settings\Dex\Dane aplikacji\Ashampoo
2008-07-02 16:59 . 2008-07-02 16:59    <DIR>    d--------    C:\Program Files\Ashampoo
2008-07-02 16:59 . 2008-07-02 16:59    <DIR>    d--------    C:\Documents and Settings\All Users\Dane aplikacji\ashampoo
2008-07-01 18:52 . 2008-07-22 23:02    <DIR>    d--------    C:\Documents and Settings\Dex\Dane aplikacji\Hamachi
2008-07-01 18:50 . 2008-07-01 18:50    25,280    --a------    C:\WINDOWS\system32\drivers\hamachi.sys
2008-07-01 18:49 . 2008-07-05 17:48    <DIR>    d--------    C:\Program Files\Hamachi
2008-06-30 22:05 . 2008-06-30 22:38    4,259,840    --a------    C:\Documents and Settings\Dex\it.dat
2008-06-30 22:04 . 1995-09-23 01:10    106,496    --a------    C:\Documents and Settings\Dex\SUPER_PI.EXE
2008-06-30 15:42 . 1999-10-21 11:12    20,400    --a------    C:WINDOWSsystem32driversentech.sys
2008-06-30 15:41 . 2008-06-30 16:20    <DIR>    d--------    C:Program FilesAquaMark3
2008-06-30 15:25 . 2008-06-30 15:25    <DIR>    d--------    C:BurnInTest test files
2008-06-30 11:13 . 2007-03-12 16:42    3,495,784    --a------    C:WINDOWSsystem32d3dx9_33.dll
2008-06-30 11:13 . 2006-11-29 13:06    3,426,072    --a------    C:WINDOWSsystem32d3dx9_32.dll
2008-06-30 11:13 . 2006-09-28 16:05    2,414,360    --a------    C:WINDOWSsystem32d3dx9_31.dll
2008-06-30 11:13 . 2007-01-24 15:27    255,848    --a------    C:WINDOWSsystem32xactengine2_6.dll
2008-06-30 11:13 . 2006-12-08 12:02    251,672    --a------    C:WINDOWSsystem32xactengine2_5.dll
2008-06-30 11:13 . 2006-09-28 16:05    237,848    --a------    C:WINDOWSsystem32xactengine2_4.dll
2008-06-30 11:13 . 2006-07-28 09:30    236,824    --a------    C:WINDOWSsystem32xactengine2_3.dll
2008-06-30 11:13 . 2006-07-28 09:30    62,744    --a------    C:WINDOWSsystem32xinput1_2.dll
2008-06-30 11:13 . 2007-03-05 12:42    15,128    --a------    C:WINDOWSsystem32x3daudio1_1.dll
2008-06-30 11:12 . 2008-07-22 10:59    <DIR>    d----c---    C:WINDOWSsystem32DRVSTORE
2008-06-30 11:12 . 2008-06-30 11:12    <DIR>    d--------    C:WINDOWSsystem32AGEIA
2008-06-30 11:12 . 2008-06-30 11:12    <DIR>    d--------    C:Program FilesAGEIA Technologies
2008-06-30 11:11 . 2008-07-22 10:31    <DIR>    d--------    C:Program FilesCommon FilesWise Installation Wizard
2008-06-29 23:03 . 2008-07-14 17:48    <DIR>    d--------    C:Program FilesCPUMon
2008-06-29 16:57 . 2008-06-29 16:57    <DIR>    d--------    C:WINDOWSnview
2008-06-29 16:57 . 2008-05-16 11:48    446,464    --a------    C:WINDOWSsystem32NVUNINST.EXE
2008-06-29 16:57 . 2008-05-16 14:01    446,464    --a------    C:WINDOWSsystem32nvudisp.exe
2008-06-29 16:57 . 2008-05-16 14:01    18,070    --a------    C:WINDOWSsystem32nvdisp.nvu
2008-06-29 16:57 . 2008-07-23 10:13    917    --a------    C:WINDOWSsystem32nvapps.xml
2008-06-29 16:48 . 2008-06-29 16:49    <DIR>    d--------    C:Program FilesSystemRequirementsLab
2008-06-29 16:48 . 2008-06-29 16:48    <DIR>    d--------    C:Documents and SettingsDexSystemRequirementsLab
2008-06-29 14:58 . 2008-07-03 17:58    <DIR>    d--------    C:Program FilesSpybot - Search & Destroy
2008-06-29 14:58 . 2008-07-23 10:20    <DIR>    d--------    C:Documents and SettingsAll UsersDane aplikacjiSpybot - Search & Destroy
2008-06-29 14:02 . 2008-07-14 17:45    <DIR>    d--------    C:Program FilesWorldGatea
2008-06-29 11:10 . 2008-06-29 13:16    <DIR>    d--------    C:Program FilesWorldGate
2008-06-28 22:22 . 2008-07-14 17:45    <DIR>    d--------    C:Program FilesYahoo!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-23 08:14    ---------    d-----w    C:\Program Files\ScreenshotCaptor
2008-07-23 07:54    ---------    d-----w    C:\Program Files\Mozilla Thunderbird
2008-07-22 16:59    ---------    d-----w    C:\Program Files\FlashGet
2008-07-18 19:57    ---------    d--h--w    C:\Program Files\InstallShield Installation Information
2008-07-18 09:37    ---------    d-----w    C:\Documents and Settings\All Users\Dane aplikacji\Avira
2008-07-18 06:26    ---------    d-----w    C:\Program Files\Common Files\InstallShield
2008-07-15 08:23    ---------    d-----w    C:\Program Files\Winamp
2008-07-15 08:21    ---------    d-----w    C:\Documents and Settings\Dex\Dane aplikacji\Winamp
2008-07-11 10:23    ---------    d-----w    C:\Program Files\Java
2008-07-03 18:59    ---------    d-----w    C:\Program Files\Odkurzacz
2008-06-30 13:40    ---------    d---a-w    C:\Documents and Settings\All Users\Dane aplikacji\TEMP
2008-06-30 11:25    ---------    d-----w    C:\Program Files\COMODO
2008-06-21 13:20    108,208    ----a-w    C:\WINDOWS\Neverwinter Nights Fan Site Kit Uninstaller.exe
2008-06-21 12:45    ---------    d-----w    C:\Documents and Settings\Dex\Dane aplikacji\DonationCoder
2008-06-21 12:44    ---------    d-----w    C:\Documents and Settings\All Users\Dane aplikacji\DonationCoder
2008-06-21 12:03    ---------    dc-h--w    C:\Documents and Settings\All Users\Dane aplikacji\{8CC5CF4A-124E-41BA-B58C-A41F05BE09CC}
2008-06-21 12:02    ---------    d-----w    C:\Program Files\Stardock
2008-06-21 10:55    ---------    d-----w    C:\Program Files\GameSpy Arcade
2008-06-20 19:13    ---------    d-----w    C:\Program Files\Defraggler
2008-06-20 11:51    499,712    ----a-w    C:\WINDOWS\system32\msvcp71.dll
2008-06-20 11:51    434,252    ----a-w    C:\WINDOWS\system32\MSVCRTD.DLL
2008-06-20 11:51    348,160    ----a-w    C:\WINDOWS\system32\msvcr71.dll
2008-06-20 11:51    216,576    ----a-w    C:\WINDOWS\system32\monln.dll
2008-06-20 11:51    1,060,864    ----a-w    C:\WINDOWS\system32\MFC71.dll
2008-06-20 11:51    ---------    d-----w    C:\Documents and Settings\All Users\Dane aplikacji\comodo
2008-06-19 09:39    107,888    ----a-w    C:\WINDOWS\system32\CmdLineExt.dll
2008-06-18 16:42    ---------    d-----w    C:\Documents and Settings\All Users\Dane aplikacji\ABBYY
2008-06-18 16:41    ---------    d-----w    C:\Documents and Settings\Dex\Dane aplikacji\ABBYY
2008-06-18 15:18    ---------    d-----w    C:\Program Files\7-Zip
2008-06-18 08:20    ---------    d-----w    C:\Program Files\Microsoft.NET
2008-06-18 07:44    ---------    d-----w    C:\Program Files\Common Files\Blizzard Entertainment
2008-06-17 17:43    ---------    d-----w    C:\Program Files\Common Files\BinarySense
2008-06-17 12:09    ---------    d-----w    C:\Documents and Settings\Dex\Dane aplikacji\Gadu-Gadu
2008-06-15 08:41    ---------    d-----w    C:\Program Files\Picasa2
2008-06-15 08:41    ---------    d-----w    C:\Program Files\Google
2008-06-15 08:35    ---------    d-----w    C:\Program Files\Temp
2008-06-14 18:01    273,024    ------w    C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 19:18    ---------    d-----w    C:\Program Files\MSXML 4.0
2008-06-13 14:57    ---------    d-----w    C:\Documents and Settings\Dex\Dane aplikacji\BinarySense
2008-06-13 14:09    ---------    d-----w    C:\Program Files\HP
2008-06-13 14:09    ---------    d-----w    C:\Program Files\Hewlett-Packard
2008-06-12 20:31    ---------    d-----w    C:\Program Files\KotOR2-PL
2008-06-12 19:35    ---------    d-----w    C:\Program Files\DAEMON Tools Lite
2008-06-12 19:28    717,296    ----a-w    C:\WINDOWS\system32\drivers\sptd.sys
2008-06-12 19:28    ---------    d-----w    C:\Documents and Settings\Dex\Dane aplikacji\DAEMON Tools
2008-06-12 16:18    ---------    d--h--r    C:\Documents and Settings\Dex\Dane aplikacji\SecuROM
2008-06-12 13:38    ---------    d-----w    C:\Program Files\Cobian Backup 9
2008-06-11 20:27    87,056    ----a-w    C:\WINDOWS\system32\drivers\cmdguard.sys
2008-06-11 20:27    249,592    ----a-w    C:\WINDOWS\system32\cssdll32.dll
2008-06-11 20:27    24,208    ----a-w    C:\WINDOWS\system32\drivers\cmdhlp.sys
2008-06-11 20:27    143,104    ----a-w    C:\WINDOWS\system32\guard32.dll
2008-06-11 20:27    ---------    d-----w    C:\Program Files\AskSBar
2008-06-11 20:27    ---------    d-----w    C:\Documents and Settings\Dex\Dane aplikacji\Comodo
2008-06-11 20:06    ---------    d-----w    C:\Program Files\Common Files\Adobe
2008-06-11 19:02    ---------    d-----w    C:\Documents and Settings\Dex\Dane aplikacji\InstallShield
2008-06-11 17:54    ---------    d-----w    C:\Program Files\CCleaner
2008-06-11 17:53    ---------    d-----w    C:\Documents and Settings\Dex\Dane aplikacji\Thunderbird
2008-06-11 17:45    ---------    d-----w    C:\Program Files\WapSter
2008-06-11 17:35    ---------    d-----w    C:\Program Files\Common Files\Java
2008-06-11 17:30    4,261    ----a-w    C:\WINDOWS\system32\drivers\rtport.sys
2008-06-11 17:23    ---------    d-----w    C:\Program Files\microsoft frontpage
2008-06-11 17:21    ---------    d-----w    C:\Program Files\Usługi online
2008-05-16 09:58    12,632    ----a-w    C:\WINDOWS\system32\lsdelete.exe
2008-05-07 05:38    90,624    ----a-w    C:\WINDOWS\system32\nmwcdcls.dll
2008-05-07 05:16    1,291,264    ----a-w    C:\WINDOWS\system32\quartz.dll
2008-05-02 08:58    148,992    ----a-w    C:\WINDOWS\system32\nsesetup.dll
2008-04-23 07:20    826,368    ----a-w    C:\WINDOWS\system32\wininet.dll
.

------- Sigcheck -------

2005-03-02 20:14    2058240    35d11fdc381536ab95e3005489131f44    C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
2007-02-28 18:09    2060672    2f4a36b1b03d64fb176cb0f3eb597118    C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
2004-08-04 00:54    2058112    44d1bc1b05e0c7c82e81687b79c653c7    C:\WINDOWS\$NtUninstallKB890859$\ntkrnlpa.exe
2005-03-02 20:08    2058112    0f6990820c6ce0a7a911fae5937ef1f6    C:\WINDOWS\$NtUninstallKB931784$\ntkrnlpa.exe
2007-02-28 18:04    2058880    2bdc1a6cefe320e9c39fabf1961ebb9d    C:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe
2007-02-28 18:04    2058880    0c44c4d6850bd92d78f2620a14dedd6e    C:\WINDOWS\system32\ntkrnlpa.exe
2007-02-28 18:04    2058880    2bdc1a6cefe320e9c39fabf1961ebb9d    C:\WINDOWS\system32\dllcache\ntkrnlpa.exe

2005-03-02 20:14    2180864    dba3e4215279c8012b37d2135b531258    C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
2007-02-28 18:09    2183424    c450518ef9acc02a2d799698021e31a8    C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe
2004-08-04 00:39    2182272    dcf53422b7edded3b7431fbae4a7ee3f    C:\WINDOWS\$NtUninstallKB890859$\ntoskrnl.exe
2005-03-02 20:09    2180608    3f3612846d67352468d2286fc23fb0c2    C:\WINDOWS\$NtUninstallKB931784$\ntoskrnl.exe
2007-02-28 18:04    2181632    c378be3a1edc5e4421d428655ac4a48c    C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe
2007-02-28 18:04    2181632    751b15e98160ecb81f92405fce680548    C:\WINDOWS\system32\ntoskrnl.exe
2007-02-28 18:04    2181632    c378be3a1edc5e4421d428655ac4a48c    C:\WINDOWS\system32\dllcache\ntoskrnl.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Screenshot Captor"="C:\Program Files\ScreenshotCaptor\ScreenshotCaptor.exe" [2007-10-07 21:38 6422016]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44 15360]
"AQQ"="C:\PROGRA~1\WapSter\WAPSTE~1\AQQ.exe" [2008-07-10 11:11 1597936]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-16 14:01 86016]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-16 14:01 13529088]
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [2008-06-11 22:27 1655552]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-21 11:53 266497]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:44 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2008-05-16 14:01 1630208 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplicationsList]
"%windir%\system32\sessmgr.exe"=
"C:\Program Files\WapSter\WapSter AQQ\AQQ.exe"=
"C:\Program Files\FlashGet\flashget.exe"=
"D:\Neverwinter Nights\nwmain.exe"=
"D:\NWN2\nwn2main.exe"=
"D:\NWN2\nwn2main_amdxp.exe"=
"D:\NWN2\nwupdate.exe"=
"D:\NWN2\nwn2server.exe"=
"C:\totalcmd\TOTALCMD.EXE"=
"C:\Program Files\DNA\btdna.exe"=

R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-06-11 22:27]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-06-11 22:27]
S3 S6U12BScanner;MUSTEK 1200 UB Still Image Device Service;C:\WINDOWS\system32\drivers\usbscan.sys [2004-08-03 22:58]
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.comodo.com/search/
R0 -: HKCU-Main,Default_Search_URL = hxxp://www.google.com/ie
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
O8 -: &Ściągnij przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_link.htm
O8 -: &Ściągnij wszystko przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_all.htm
O8 -: E&ksport do programu Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-23 11:18:13
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-23 11:19:33
ComboFix-quarantined-files.txt    2008-07-23 09:19:23
ComboFix2.txt    2008-07-22 15:49:01

Pre-Run: 8,652,333,056 bytes free
Post-Run: 8,644,247,552 bytes free

231    --- E O F ---    2008-06-20 11:45:05


Actually, I already managed to get rid of this trojan yesterday - it could be removed with ComboFix after all, and then it was enough to turn System Restore off and back on. But if you say something in the logs is still wrong, I'm waiting for further advice.
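Added example, not part of the original thread and not ComboFix's own code: the Sigcheck block in the log above lists seven copies each of ntkrnlpa.exe and ntoskrnl.exe. The check a helper does by eye is to compare the live C:\WINDOWS\system32\ copy with the dllcache and Driver Cache copies that carry the same date, time and size. Windows File Protection keeps those reference copies in step with any authorised update, so a hash mismatch between same-version copies needs explaining, whereas the $hf_mig$ and $NtUninstall* copies are different builds and hash differently anyway. The script below performs that comparison over the log's own Sigcheck lines, embedded as constructed input with the backslashes restored (the 32-hex-digit field is the MD5 as ComboFix prints it). All function and variable names are the example's own.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample input: the Sigcheck entries from the ComboFix log above,
# with the backslashes the forum software stripped put back.  Each line is
# "date time size md5 path", the layout 2008-era ComboFix printed.
SIGCHECK_SAMPLE = r"""
2005-03-02 20:14  2058240  35d11fdc381536ab95e3005489131f44  C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
2007-02-28 18:09  2060672  2f4a36b1b03d64fb176cb0f3eb597118  C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
2004-08-04 00:54  2058112  44d1bc1b05e0c7c82e81687b79c653c7  C:\WINDOWS\$NtUninstallKB890859$\ntkrnlpa.exe
2005-03-02 20:08  2058112  0f6990820c6ce0a7a911fae5937ef1f6  C:\WINDOWS\$NtUninstallKB931784$\ntkrnlpa.exe
2007-02-28 18:04  2058880  2bdc1a6cefe320e9c39fabf1961ebb9d  C:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe
2007-02-28 18:04  2058880  0c44c4d6850bd92d78f2620a14dedd6e  C:\WINDOWS\system32\ntkrnlpa.exe
2007-02-28 18:04  2058880  2bdc1a6cefe320e9c39fabf1961ebb9d  C:\WINDOWS\system32\dllcache\ntkrnlpa.exe

2005-03-02 20:14  2180864  dba3e4215279c8012b37d2135b531258  C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
2007-02-28 18:09  2183424  c450518ef9acc02a2d799698021e31a8  C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe
2004-08-04 00:39  2182272  dcf53422b7edded3b7431fbae4a7ee3f  C:\WINDOWS\$NtUninstallKB890859$\ntoskrnl.exe
2005-03-02 20:09  2180608  3f3612846d67352468d2286fc23fb0c2  C:\WINDOWS\$NtUninstallKB931784$\ntoskrnl.exe
2007-02-28 18:04  2181632  c378be3a1edc5e4421d428655ac4a48c  C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe
2007-02-28 18:04  2181632  751b15e98160ecb81f92405fce680548  C:\WINDOWS\system32\ntoskrnl.exe
2007-02-28 18:04  2181632  c378be3a1edc5e4421d428655ac4a48c  C:\WINDOWS\system32\dllcache\ntoskrnl.exe
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2})\s+"
    r"(?P<size>\d+)\s+(?P<md5>[0-9a-fA-F]{32})\s+(?P<path>.+?)\s*$"
)


def classify(path):
    """Label a copy by where it lives; only 'live' and 'cache' are compared."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    if "dllcache" in parts or "driver cache" in parts:
        return "cache"            # Windows File Protection's reference copies
    if any(p == "$hf_mig$" or p.startswith("$ntuninstall") for p in parts):
        return "hotfix-archive"   # other builds kept for hotfix rollback
    if len(parts) >= 2 and parts[-2] == "system32":
        return "live"             # the image that is actually loaded
    return "other"


def parse_sigcheck(text):
    """Turn Sigcheck lines into dicts; blank or unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["size"] = int(rec["size"])
        rec["md5"] = rec["md5"].lower()
        rec["name"] = PureWindowsPath(rec["path"]).name.lower()
        rec["role"] = classify(rec["path"])
        records.append(rec)
    return records


def find_patched_copies(records):
    """One finding per live file whose MD5 differs from a cache copy with the
    SAME size, date and time.  Copies of a different version hash differently
    for legitimate reasons, so only same-version disagreements are reported."""
    by_name = defaultdict(list)
    for rec in records:
        by_name[rec["name"]].append(rec)
    findings = []
    for name, copies in sorted(by_name.items()):
        for live in (c for c in copies if c["role"] == "live"):
            refs = [c for c in copies if c["role"] == "cache"
                    and (c["size"], c["date"], c["time"])
                    == (live["size"], live["date"], live["time"])
                    and c["md5"] != live["md5"]]
            if refs:
                findings.append({
                    "name": name, "live": live["path"], "live_md5": live["md5"],
                    "references": [c["path"] for c in refs],
                    "reference_md5": refs[0]["md5"],
                })
    return findings


if __name__ == "__main__":
    for f in find_patched_copies(parse_sigcheck(SIGCHECK_SAMPLE)):
        print(f"{f['name']}: {f['live']} md5={f['live_md5']} differs from "
              f"{', '.join(f['references'])} md5={f['reference_md5']}")
```

Run as-is, it reports the two system32 kernel images from this log, each differing from both of its same-version cache copies. To use it on another ComboFix log, pass the text of its Sigcheck section to parse_sigcheck(). A reported mismatch is a reason to look at the file on the machine (compare it byte-for-byte with the dllcache copy using fc /b, check its Authenticode signature), not a verdict by itself.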
#4
Quote: O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k


Delete this entry in HijackThis.

Quote: C:\Program Files\AskSBar


Remove this folder from the disk by hand.