Hello,
I had a virus on one of my disks that was deleting mp3 files... I ran a scan, but after a while I noticed that the antivirus was quarantining and deleting those mp3s :/ so I stopped the scan. Then I used ComboFix and CCleaner. The virus seems to be gone, because now when I play the mp3s it doesn't delete them, but unfortunately they are now distorted... but never mind that. Now when I go into Ustawienia lokalne/Dane aplikacji/eset nod/quarantine I have over 8000 files with names like: 0AAE0C85AD5900BCEBC68A0A47A566B02C26F250.NDF, and they take up as much as 16GB! What should I do with this, can I delete it? Please help
ComboFix
Code:
* Utworzono nowy punkt przywracania
* Resident AV is active
UWAGA - TEN KOMPUTER NIE MA ZAINSTALOWANEJ KONSOLI ODZYSKIWANIA !!
.
((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\mp3codec32win.dll
.
((((((((((((((((((((((((( Pliki utworzone od 2008-09-11 do 2008-10-11 )))))))))))))))))))))))))))))))
.
2008-10-03 17:06 . 2008-10-03 17:06 <DIR> d-------- C:\WINDOWS\system32\xircom
2008-10-03 17:06 . 2008-10-03 17:06 <DIR> d-------- C:\WINDOWS\srchasst
2008-10-03 17:06 . 2008-10-03 17:06 <DIR> d-------- C:\WINDOWS\msagent
2008-10-03 17:06 . 2008-10-03 17:06 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-10-03 13:51 . 2008-10-03 13:51 <DIR> d-------- C:\Program Files\CCleaner
2008-10-03 13:46 . 2008-10-03 13:50 <DIR> d-------- C:\Program Files\Mp3Doctor
2008-10-03 13:46 . 2001-12-08 12:23 1,089,536 --a------ C:\WINDOWS\system32\Mp3Doctor1.dll
2008-10-03 13:46 . 2003-01-22 14:20 299,008 --a------ C:\WINDOWS\system32\winwmbcay.dll
2008-10-03 13:46 . 2001-11-25 17:00 266,240 --a------ C:\WINDOWS\system32\Mp3Doctor2.dll
2008-10-03 13:46 . 2001-08-01 09:50 90,112 --a------ C:\WINDOWS\system32\ID3v23xBase.DLL
2008-10-03 13:46 . 2003-04-11 12:48 18,432 --a------ C:\WINDOWS\system32\winint.dll
2008-10-01 11:23 . 2008-10-01 11:23 <DIR> d-------- C:\Documents and Settings\jerry\Dane aplikacji\Leadertech
2008-09-30 16:23 . 2008-09-30 16:23 <DIR> d-------- C:\Program Files\USB Vibration Joystick
2008-09-30 16:22 . 2008-09-30 16:22 <DIR> d-------- C:\WINDOWS\USB Vibration
2008-09-30 16:22 . 2008-09-30 16:22 <DIR> d-------- C:\Program Files\USB Vibration
2008-09-30 16:00 . 2008-09-30 16:23 <DIR> d-------- C:\Program Files\VID_0E8F&PID_0012
2008-09-30 16:00 . 2008-09-30 16:23 <DIR> d-------- C:\Program Files\Common Files\VID_0E8F&PID_0012
2008-09-30 16:00 . 2007-08-16 09:58 11,136 --a------ C:\WINDOWS\system32\drivers\GF0012.SYS
2008-09-30 15:57 . 2008-04-13 22:15 10,368 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-09-28 16:02 . 2008-09-28 16:02 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-09-26 20:27 . 2008-09-26 20:27 <DIR> d-------- C:\Program Files\MyPhoneExplorer
2008-09-26 20:26 . 2008-09-27 13:36 <DIR> d-------- C:\Documents and Settings\jerry\Dane aplikacji\MyPhoneExplorer
2008-09-25 17:26 . 2008-09-27 17:42 <DIR> d--hs---- C:\Documents and Settings\jerry\Phone Browser
2008-09-25 17:02 . 2008-09-25 17:17 <DIR> d-------- C:\Documents and Settings\jerry\Dane aplikacji\Nokia Multimedia Player
2008-09-25 16:33 . 2008-09-25 16:33 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-09-25 16:30 . 2008-09-25 16:30 <DIR> d-------- C:\Program Files\DIFX
2008-09-25 16:30 . 2008-09-25 16:30 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2008-09-25 16:30 . 2008-09-25 16:30 <DIR> d-------- C:\Program Files\Common Files\Nokia
2008-09-25 16:30 . 2008-09-25 16:41 <DIR> d-------- C:\Documents and Settings\jerry\Dane aplikacji\PC Suite
2008-09-25 16:30 . 2008-09-25 16:43 <DIR> d-------- C:\Documents and Settings\jerry\Dane aplikacji\Nokia
2008-09-25 16:30 . 2008-09-25 16:32 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\PC Suite
2008-09-25 16:29 . 2008-09-25 16:30 <DIR> d-------- C:\Program Files\PC Connectivity Solution
2008-09-25 16:29 . 2008-09-25 16:30 <DIR> d-------- C:\Program Files\Nokia
2008-09-25 16:29 . 2007-02-22 10:15 137,216 --a------ C:\WINDOWS\system32\drivers\nmwcd.sys
2008-09-25 16:29 . 2007-02-22 10:15 90,624 --a------ C:\WINDOWS\system32\nmwcdcls.dll
2008-09-25 16:29 . 2007-02-22 10:15 65,536 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
2008-09-25 16:29 . 2007-02-22 10:15 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcm.sys
2008-09-25 16:29 . 2007-02-22 10:15 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcj.sys
2008-09-25 16:29 . 2007-02-22 10:15 8,320 --a------ C:\WINDOWS\system32\drivers\nmwcdc.sys
2008-09-25 16:28 . 2008-09-25 16:29 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Installations
2008-09-21 23:02 . 2008-09-21 23:02 <DIR> d-------- C:\Program Files\MKVTOAVI
2008-09-18 15:01 . 2008-04-13 22:15 60,032 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys
2008-09-14 13:00 . 2008-09-14 13:00 <DIR> d-------- C:\Program Files\Combined Community Codec Pack
2008-09-13 15:34 . 2008-09-13 15:34 <DIR> d-------- C:\Program Files\7-Zip
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-11 21:46 --------- d-----w C:\Documents and Settings\jerry\Dane aplikacji\uTorrent
2008-10-06 11:05 --------- d-----w C:\Documents and Settings\jerry\Dane aplikacji\U3
2008-09-30 14:26 --------- d-----w C:\Documents and Settings\jerry\Dane aplikacji\Bioshock
2008-09-30 14:23 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-14 14:27 --------- d---a-w C:\Documents and Settings\All Users\Dane aplikacji\TEMP
2008-09-05 18:03 --------- d-----w C:\Documents and Settings\jerry\Dane aplikacji\Apple Computer
2008-09-03 13:00 --------- d-----w C:\Documents and Settings\jerry\Dane aplikacji\SPORE
2008-09-02 07:35 --------- d-----w C:\Program Files\Common Files\SWF Studio
2008-09-01 09:04 --------- d-----w C:\Documents and Settings\jerry\Dane aplikacji\Ahead
2008-08-28 12:18 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\DVD Shrink
2008-08-27 18:30 47,360 ----a-w C:\Documents and Settings\jerry\Dane aplikacji\pcouffin.sys
2008-08-27 18:30 --------- d-----w C:\Documents and Settings\jerry\Dane aplikacji\Vso
2008-08-27 17:02 --------- d-----w C:\Program Files\Opera9.27
2008-08-27 15:53 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys
2008-08-27 12:08 --------- d-----w C:\Program Files\AutoGK
2008-08-27 12:07 43,698 ----a-w C:\WINDOWS\system32\xvid-uninstall.exe
2008-08-27 12:07 --------- d-----w C:\Program Files\AviSynth 2.5
2008-08-27 12:04 --------- d-----w C:\Program Files\Gabest
2008-08-23 11:25 --------- d-----w C:\Program Files\Sun
2008-08-23 11:25 --------- d-----w C:\Program Files\Java
2008-08-23 10:57 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\FLEXnet
2008-08-21 11:41 --------- d-----w C:\Program Files\Sony Ericsson
2008-08-21 11:32 --------- d-----w C:\Program Files\Disc2Phone
2008-08-20 14:05 --------- d-----w C:\Program Files\AVIcodec
2008-08-20 13:20 --------- d-----w C:\Program Files\ESET
2008-08-20 13:20 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\ESET
2008-08-20 13:18 --------- d-----w C:\Program Files\Google
2008-08-20 13:18 --------- d-----w C:\Program Files\AbiSuite2
2008-08-19 07:41 --------- d-----w C:\Program Files\WMV9_VCM
2008-08-19 07:41 --------- d-----w C:\Program Files\Winfor
2008-08-16 13:26 --------- d-----w C:\Program Files\NAPI-PROJEKT
2008-08-15 19:20 --------- d-----w C:\Program Files\Common Files\Adobe
2008-08-15 19:20 --------- d-----w C:\Program Files\Bonjour
2008-08-15 19:15 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-08-14 18:06 --------- d-----w C:\Program Files\Microsoft.NET
2008-08-03 12:44 444,952 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2008-08-03 12:44 109,080 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2008-08-03 11:46 319,488 ----a-w C:\WINDOWS\HideWin.exe
2008-08-03 11:38 4,501 ----a-w C:\WINDOWS\gdrv.sys
2008-08-01 13:51 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-07-23 14:51 16,804,864 ----a-w C:\WINDOWS\RTHDCPL.exe
2008-07-18 20:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 20:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 20:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 20:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 20:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 20:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 20:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 20:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-15 11:58 524,288 ----a-w C:\WINDOWS\RtlExUpd.dll
2008-07-15 11:47 1,196,032 ----a-w C:\WINDOWS\RtlUpd.exe
.
------- Sigcheck -------
2008-05-17 14:44 487424 5f1ccdf37f28a88d0473b0c9ea1e0d58 C:\WINDOWS\system32\user32.dll
2008-05-17 14:40 2146304 262abab004204800fc107194ca7a7b35 C:\WINDOWS\system32\ntoskrnl.exe
2008-05-17 14:36 1503232 67eacb65fbb0997dd3be8e4f1a5fe069 C:\WINDOWS\explorer.exe
2008-05-17 14:35 40448 0277e1a3e8b337555a45943808451981 C:\WINDOWS\system32\ctfmon.exe
.
((((((((((((((((((((((((((((( snapshot@2008-10-03_10.30.55.21 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-08-16 06:58:48 1,477,336 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-10-03 15:06:23 1,477,112 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-05-17 40448]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-16 13529088]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-16 86016]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-07-01 1447168]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-23 C:\WINDOWS\RTHDCPL.exe]
"SoundMan"="SOUNDMAN.EXE" [2008-06-18 C:\WINDOWS\SoundMan.exe]
"AlcWzrd"="ALCWZRD.EXE" [2008-06-19 C:\WINDOWS\alcwzrd.exe]
"nwiz"="nwiz.exe" [2008-05-16 C:\WINDOWS\system32\nwiz.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 1294336]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]
"nltide_3"="advpack.dll" [2008-06-23 C:\WINDOWS\system32\advpack.dll]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoInstrumentation"= 1 (0x1)
"NoStartMenuMFUprogramsList"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoInstrumentation"= 1 (0x1)
"NoStartMenuMFUprogramsList"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.FFDS"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2008-06-24 16:06 1840424 C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
--a------ 2008-06-08 09:31 2221352 C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2008-06-19 09:53 570664 C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
--a------ 2007-12-10 10:12 695808 C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\NAPI-PROJEKT\\napisy.exe"=
"D:\\GRID\\GRID.exe"=
"D:\\BearShare\\BearShare\\BearShare.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"D:\\BearShare\\BearShare.exe"=
"C:\\Program Files\\Opera9.27\\Opera.exe"=
"D:\\Beijing\\Beijing.exe"=
"C:\\Program Files\\SopCast\\SopCast.exe"=
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"C:\\Program Files\\Gadu-Gadu\\gg.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Java\\jre1.6.0_07\\bin\\javaw.exe"=
"C:\\Program Files\\Java\\jre1.6.0_07\\bin\\java.exe"=
"C:\\Program Files\\Java\\jre1.6.0_07\\launch4j-tmp\\JDownloader.exe"=
"C:\\WINDOWS\\system32\\java.exe"=
"F:\\mIRC\\mirc.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57986:TCP"= 57986:TCP:57986
R0 nvgts;nvgts;C:\WINDOWS\system32\DRIVERS\nvgts.sys [2007-08-09 102400]
R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-07-01 34312]
R2 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B};C:\Program Files\CyberLink\PowerDVD\000.fcl [2007-11-03 00:12 41456]
R2 Nokia Network Bridge;Nokia Network Bridge;C:\WINDOWS\system32\nbridge.exe [2005-11-09 18944]
R3 Nokia Network Bridge Driver;Nokia Network Bridge Driver;C:\WINDOWS\system32\Drivers\nbridge.sys [2005-11-09 19456]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{08c08568-5f38-11dd-be12-806d6172696f}]
\Shell\AutoRun\command - G:\Run.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5c7806e0-6154-11dd-b450-001a4d746d51}]
\Shell\AutoRun\command - J:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c0259ec8-75d6-11dd-b493-001a4d746d51}]
\Shell\AutoRun\command - J:\LaunchU3.exe -a
.
.
------- Skan uzupełniający -------
.
R0 -: HKCU-Main,Start Page = hxxp://wyborcza.pl/0,0.html?p=005
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
R1 -: HKCU-Internet Connection Wizard,ShellNext = hxxp://www.ursoftware.com/order.php?pid=
R1 -: HKCU-Internet Settings,ProxyOverride = *.local
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/keyword/%s
O8 -: E&ksport do programu Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
.
------- Skojarzenia plików -------
.
inffile=C:\WINDOWS\system32\Notepad2.exe %1
inifile=C:\WINDOWS\system32\Notepad2.exe %1
txtfile=C:\WINDOWS\system32\Notepad2.exe %1
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-11 23:51:09
Windows 5.1.2600 Dodatek Service Pack 3 NTFS
skanowanie ukrytych procesów ...
skanowanie ukrytych wpisów autostartu ...
skanowanie ukrytych plików ...
skanowanie pomyślnie ukończone
ukryte pliki: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]
"ImagePath"="\??\C:\Program Files\CyberLink\PowerDVD\000.fcl"
.
Czas ukończenia: 2008-10-11 23:51:44
ComboFix-quarantined-files.txt 2008-10-11 21:51:40
ComboFix2.txt 2008-10-03 08:31:17
Przed: 8*752*820*224 bajtów wolnych
Po: 8,750,489,600 bajtów wolnych
245 --- E O F --- 2008-09-10 11:19:54
Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:54:44, on 2008-10-11
Platform: Windows XP Dodatek SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nbridge.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Opera9.27\opera.exe
F:\Nowy folder (2)\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wyborcza.pl/0,0.html?p=005
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.ursoftware.com/order.php?pid=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-20\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-20\..\Run: [VisualTaskTips] C:\Program Files\Utilities\VisualTaskTips\VisualTaskTips.exe (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-20\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-20\..\Run: [Komunikator] C:\Program Files\Tlen.pl\tlen.exe (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Nokia Network Bridge - Nokia - C:\WINDOWS\system32\nbridge.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
--
End of file - 5691 bytes
These in HijackThis:
Code:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wyborcza.pl/0,0.html?p=005
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
I copied this into Notepad, saved it as CFScript.txt and dragged it onto ComboFix. Was that the right way to do it? :P
And what about those quarantine files? Can I delete them? Here are the logs
Code:
ComboFix 08-10-11.01 - jerry 2008-10-12 0:50:16.3 - NTFSx86
Uruchomiony z: C:\Documents and Settings\jerry\Pulpit\ComboFix.exe
Użyto następujących komend :: C:\Documents and Settings\jerry\Pulpit\CFScript.txt
* Utworzono nowy punkt przywracania
* Resident AV is active
UWAGA - TEN KOMPUTER NIE MA ZAINSTALOWANEJ KONSOLI ODZYSKIWANIA !!
.
((((((((((((((((((((((((( Pliki utworzone od 2008-09-11 do 2008-10-11 )))))))))))))))))))))))))))))))
.
2008-10-03 17:06 . 2008-10-03 17:06 <DIR> d-------- C:\WINDOWS\system32\xircom
2008-10-03 17:06 . 2008-10-03 17:06 <DIR> d-------- C:\WINDOWS\srchasst
2008-10-03 17:06 . 2008-10-03 17:06 <DIR> d-------- C:\WINDOWS\msagent
2008-10-03 17:06 . 2008-10-03 17:06 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-10-03 13:51 . 2008-10-03 13:51 <DIR> d-------- C:\Program Files\CCleaner
2008-10-03 13:46 . 2008-10-03 13:50 <DIR> d-------- C:\Program Files\Mp3Doctor
2008-10-03 13:46 . 2001-12-08 12:23 1,089,536 --a------ C:\WINDOWS\system32\Mp3Doctor1.dll
2008-10-03 13:46 . 2003-01-22 14:20 299,008 --a------ C:\WINDOWS\system32\winwmbcay.dll
2008-10-03 13:46 . 2001-11-25 17:00 266,240 --a------ C:\WINDOWS\system32\Mp3Doctor2.dll
2008-10-03 13:46 . 2001-08-01 09:50 90,112 --a------ C:\WINDOWS\system32\ID3v23xBase.DLL
2008-10-03 13:46 . 2003-04-11 12:48 18,432 --a------ C:\WINDOWS\system32\winint.dll
2008-10-01 11:23 . 2008-10-01 11:23 <DIR> d-------- C:\Documents and Settings\jerry\Dane aplikacji\Leadertech
2008-09-30 16:23 . 2008-09-30 16:23 <DIR> d-------- C:\Program Files\USB Vibration Joystick
2008-09-30 16:22 . 2008-09-30 16:22 <DIR> d-------- C:\WINDOWS\USB Vibration
2008-09-30 16:22 . 2008-09-30 16:22 <DIR> d-------- C:\Program Files\USB Vibration
2008-09-30 16:00 . 2008-09-30 16:23 <DIR> d-------- C:\Program Files\VID_0E8F&PID_0012
2008-09-30 16:00 . 2008-09-30 16:23 <DIR> d-------- C:\Program Files\Common Files\VID_0E8F&PID_0012
2008-09-30 16:00 . 2007-08-16 09:58 11,136 --a------ C:\WINDOWS\system32\drivers\GF0012.SYS
2008-09-30 15:57 . 2008-04-13 22:15 10,368 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-09-28 16:02 . 2008-09-28 16:02 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-09-26 20:27 . 2008-09-26 20:27 <DIR> d-------- C:\Program Files\MyPhoneExplorer
2008-09-26 20:26 . 2008-09-27 13:36 <DIR> d-------- C:\Documents and Settings\jerry\Dane aplikacji\MyPhoneExplorer
2008-09-25 17:26 . 2008-09-27 17:42 <DIR> d--hs---- C:\Documents and Settings\jerry\Phone Browser
2008-09-25 17:02 . 2008-09-25 17:17 <DIR> d-------- C:\Documents and Settings\jerry\Dane aplikacji\Nokia Multimedia Player
2008-09-25 16:33 . 2008-09-25 16:33 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-09-25 16:30 . 2008-09-25 16:30 <DIR> d-------- C:\Program Files\DIFX
2008-09-25 16:30 . 2008-09-25 16:30 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2008-09-25 16:30 . 2008-09-25 16:30 <DIR> d-------- C:\Program Files\Common Files\Nokia
2008-09-25 16:30 . 2008-09-25 16:41 <DIR> d-------- C:\Documents and Settings\jerry\Dane aplikacji\PC Suite
2008-09-25 16:30 . 2008-09-25 16:43 <DIR> d-------- C:\Documents and Settings\jerry\Dane aplikacji\Nokia
2008-09-25 16:30 . 2008-09-25 16:32 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\PC Suite
2008-09-25 16:29 . 2008-09-25 16:30 <DIR> d-------- C:\Program Files\PC Connectivity Solution
2008-09-25 16:29 . 2008-09-25 16:30 <DIR> d-------- C:\Program Files\Nokia
2008-09-25 16:29 . 2007-02-22 10:15 137,216 --a------ C:\WINDOWS\system32\drivers\nmwcd.sys
2008-09-25 16:29 . 2007-02-22 10:15 90,624 --a------ C:\WINDOWS\system32\nmwcdcls.dll
2008-09-25 16:29 . 2007-02-22 10:15 65,536 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
2008-09-25 16:29 . 2007-02-22 10:15 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcm.sys
2008-09-25 16:29 . 2007-02-22 10:15 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcj.sys
2008-09-25 16:29 . 2007-02-22 10:15 8,320 --a------ C:\WINDOWS\system32\drivers\nmwcdc.sys
2008-09-25 16:28 . 2008-09-25 16:29 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Installations
2008-09-21 23:02 . 2008-09-21 23:02 <DIR> d-------- C:\Program Files\MKVTOAVI
2008-09-18 15:01 . 2008-04-13 22:15 60,032 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys
2008-09-14 13:00 . 2008-09-14 13:00 <DIR> d-------- C:\Program Files\Combined Community Codec Pack
2008-09-13 15:34 . 2008-09-13 15:34 <DIR> d-------- C:\Program Files\7-Zip
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-11 22:49 --------- d-----w C:\Documents and Settings\jerry\Dane aplikacji\uTorrent
2008-10-06 11:05 --------- d-----w C:\Documents and Settings\jerry\Dane aplikacji\U3
2008-09-30 14:26 --------- d-----w C:\Documents and Settings\jerry\Dane aplikacji\Bioshock
2008-09-30 14:23 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-14 14:27 --------- d---a-w C:\Documents and Settings\All Users\Dane aplikacji\TEMP
2008-09-05 18:03 --------- d-----w C:\Documents and Settings\jerry\Dane aplikacji\Apple Computer
2008-09-03 13:00 --------- d-----w C:\Documents and Settings\jerry\Dane aplikacji\SPORE
2008-09-02 07:35 --------- d-----w C:\Program Files\Common Files\SWF Studio
2008-09-01 09:04 --------- d-----w C:\Documents and Settings\jerry\Dane aplikacji\Ahead
2008-08-28 12:18 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\DVD Shrink
2008-08-27 18:30 47,360 ----a-w C:\Documents and Settings\jerry\Dane aplikacji\pcouffin.sys
2008-08-27 18:30 --------- d-----w C:\Documents and Settings\jerry\Dane aplikacji\Vso
2008-08-27 17:02 --------- d-----w C:\Program Files\Opera9.27
2008-08-27 15:53 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys
2008-08-27 12:08 --------- d-----w C:\Program Files\AutoGK
2008-08-27 12:07 43,698 ----a-w C:\WINDOWS\system32\xvid-uninstall.exe
2008-08-27 12:07 --------- d-----w C:\Program Files\AviSynth 2.5
2008-08-27 12:04 --------- d-----w C:\Program Files\Gabest
2008-08-23 11:25 --------- d-----w C:\Program Files\Sun
2008-08-23 11:25 --------- d-----w C:\Program Files\Java
2008-08-23 10:57 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\FLEXnet
2008-08-21 11:41 --------- d-----w C:\Program Files\Sony Ericsson
2008-08-21 11:32 --------- d-----w C:\Program Files\Disc2Phone
2008-08-20 14:05 --------- d-----w C:\Program Files\AVIcodec
2008-08-20 13:20 --------- d-----w C:\Program Files\ESET
2008-08-20 13:20 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\ESET
2008-08-20 13:18 --------- d-----w C:\Program Files\Google
2008-08-20 13:18 --------- d-----w C:\Program Files\AbiSuite2
2008-08-19 07:41 --------- d-----w C:\Program Files\WMV9_VCM
2008-08-19 07:41 --------- d-----w C:\Program Files\Winfor
2008-08-16 13:26 --------- d-----w C:\Program Files\NAPI-PROJEKT
2008-08-15 19:20 --------- d-----w C:\Program Files\Common Files\Adobe
2008-08-15 19:20 --------- d-----w C:\Program Files\Bonjour
2008-08-15 19:15 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-08-14 18:06 --------- d-----w C:\Program Files\Microsoft.NET
2008-08-03 12:44 444,952 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2008-08-03 12:44 109,080 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2008-08-03 11:46 319,488 ----a-w C:\WINDOWS\HideWin.exe
2008-08-03 11:38 4,501 ----a-w C:\WINDOWS\gdrv.sys
2008-08-01 13:51 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-07-23 14:51 16,804,864 ----a-w C:\WINDOWS\RTHDCPL.exe
2008-07-18 20:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 20:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 20:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 20:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 20:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 20:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 20:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 20:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-15 11:58 524,288 ----a-w C:\WINDOWS\RtlExUpd.dll
2008-07-15 11:47 1,196,032 ----a-w C:\WINDOWS\RtlUpd.exe
.
------- Sigcheck -------
2008-05-17 14:44 487424 5f1ccdf37f28a88d0473b0c9ea1e0d58 C:\WINDOWS\system32\user32.dll
2008-05-17 14:40 2146304 262abab004204800fc107194ca7a7b35 C:\WINDOWS\system32\ntoskrnl.exe
2008-05-17 14:36 1503232 67eacb65fbb0997dd3be8e4f1a5fe069 C:\WINDOWS\explorer.exe
2008-05-17 14:35 40448 0277e1a3e8b337555a45943808451981 C:\WINDOWS\system32\ctfmon.exe
.
((((((((((((((((((((((((((((( snapshot@2008-10-03_10.30.55.21 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-08-16 06:58:48 1,477,336 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-10-03 15:06:23 1,477,112 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-05-17 40448]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-16 13529088]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-16 86016]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-07-01 1447168]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-23 C:\WINDOWS\RTHDCPL.exe]
"SoundMan"="SOUNDMAN.EXE" [2008-06-18 C:\WINDOWS\SoundMan.exe]
"AlcWzrd"="ALCWZRD.EXE" [2008-06-19 C:\WINDOWS\alcwzrd.exe]
"nwiz"="nwiz.exe" [2008-05-16 C:\WINDOWS\system32\nwiz.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 1294336]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]
"nltide_3"="advpack.dll" [2008-06-23 C:\WINDOWS\system32\advpack.dll]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoInstrumentation"= 1 (0x1)
"NoStartMenuMFUprogramsList"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoInstrumentation"= 1 (0x1)
"NoStartMenuMFUprogramsList"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.FFDS"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2008-06-24 16:06 1840424 C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
--a------ 2008-06-08 09:31 2221352 C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2008-06-19 09:53 570664 C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
--a------ 2007-12-10 10:12 695808 C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\NAPI-PROJEKT\\napisy.exe"=
"D:\\GRID\\GRID.exe"=
"D:\\BearShare\\BearShare\\BearShare.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"D:\\BearShare\\BearShare.exe"=
"C:\\Program Files\\Opera9.27\\Opera.exe"=
"D:\\Beijing\\Beijing.exe"=
"C:\\Program Files\\SopCast\\SopCast.exe"=
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"C:\\Program Files\\Gadu-Gadu\\gg.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Java\\jre1.6.0_07\\bin\\javaw.exe"=
"C:\\Program Files\\Java\\jre1.6.0_07\\bin\\java.exe"=
"C:\\Program Files\\Java\\jre1.6.0_07\\launch4j-tmp\\JDownloader.exe"=
"C:\\WINDOWS\\system32\\java.exe"=
"F:\\mIRC\\mirc.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57986:TCP"= 57986:TCP:57986
R0 nvgts;nvgts;C:\WINDOWS\system32\DRIVERS\nvgts.sys [2007-08-09 102400]
R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-07-01 34312]
R2 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B};C:\Program Files\CyberLink\PowerDVD\000.fcl [2007-11-03 00:12 41456]
R2 Nokia Network Bridge;Nokia Network Bridge;C:\WINDOWS\system32\nbridge.exe [2005-11-09 18944]
R3 Nokia Network Bridge Driver;Nokia Network Bridge Driver;C:\WINDOWS\system32\Drivers\nbridge.sys [2005-11-09 19456]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{08c08568-5f38-11dd-be12-806d6172696f}]
\Shell\AutoRun\command - G:\Run.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5c7806e0-6154-11dd-b450-001a4d746d51}]
\Shell\AutoRun\command - J:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c0259ec8-75d6-11dd-b493-001a4d746d51}]
\Shell\AutoRun\command - J:\LaunchU3.exe -a
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-12 00:50:54
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]
"ImagePath"="\??\C:\Program Files\CyberLink\PowerDVD\000.fcl"
.
Completion time: 2008-10-12 0:51:20
ComboFix-quarantined-files.txt 2008-10-11 22:51:18
ComboFix2.txt 2008-10-03 08:31:17
Before: 10,725,040,128 bytes free
After: 10,716,286,976 bytes free
225 --- E O F --- 2008-09-10 11:19:54
Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:52:22, on 2008-10-12
Platform: Windows XP Service Pack 3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nbridge.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
F:\Nowy folder (2)\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wyborcza.pl/0,0.html?p=005
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.ursoftware.com/order.php?pid=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-20\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [VisualTaskTips] C:\Program Files\Utilities\VisualTaskTips\VisualTaskTips.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Komunikator] C:\Program Files\Tlen.pl\tlen.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Nokia Network Bridge - Nokia - C:\WINDOWS\system32\nbridge.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
--
End of file - 5653 bytes
Before running the script, connect your USB storage devices (pen drive, mp3 player, etc.).
Code:
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{08c08568-5f38-11dd-be12-806d6172696f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5c7806e0-6154-11dd-b450-001a4d746d51}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c0259ec8-75d6-11dd-b493-001a4d746d51}]
Drag and drop the CFScript.txt file onto ComboFix.exe. The scan will start. Post the new log here.
In addition, scan with this tool: http://cybertrash.pl/Tata/MBAM/Malwa...i-Malware.html (the latest version can be downloaded from http://www.malwarebytes.org/mbam.php). Update the tool before scanning. Delete whatever it finds. Post its log here, along with the new ComboFix log.
____
You can delete the NOD quarantine files.
__________________
I handle the impossible on the spot; miracles take me a little longer...
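The `Registry::` block above works because ComboFix prints, under each per-device `MountPoints2\{GUID}` key, the autorun.inf command Explorer has cached for that device, and a leading `-` on a key line tells ComboFix to delete the key. The following script is an added example for this thread (not ComboFix's own code, and not posted by anyone in the thread): it parses that part of a ComboFix log and emits exactly the kind of `Registry::` section used here, so the keys can be reviewed together with the commands they would have launched before anything is deleted. The embedded log excerpt is constructed from the three MountPoints2 lines in the log above.

```python
r"""Turn the MountPoints2 AutoRun entries that ComboFix reports into the
Registry:: block of a CFScript that deletes those keys.

Added example, not ComboFix's own code. The log excerpt below is
constructed from the MountPoints2 lines posted in this thread and follows
ComboFix's layout: a bracketed key line followed by the cached
"\Shell\AutoRun\command" line for that device GUID.
"""
import re

# Constructed sample in ComboFix's "Registry startup entries" layout.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{08c08568-5f38-11dd-be12-806d6172696f}]
\Shell\AutoRun\command - G:\Run.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5c7806e0-6154-11dd-b450-001a4d746d51}]
\Shell\AutoRun\command - J:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c0259ec8-75d6-11dd-b493-001a4d746d51}]
\Shell\AutoRun\command - J:\LaunchU3.exe -a
"""

# A MountPoints2 key line: the GUID subkey Explorer creates per removable device.
KEY_RE = re.compile(
    r"^\[(HKEY_CURRENT_USER\\.+?\\mountpoints2\\\{[0-9a-f-]+\})\]$", re.I
)
# The cached autorun.inf handler that ComboFix prints under that key.
CMD_RE = re.compile(r"^\\Shell\\AutoRun\\command\s*-\s*(.+?)$", re.I)


def find_autorun_mountpoints(log_text):
    """Return [(key, command), ...] for every MountPoints2 key in the log
    that carries a cached AutoRun command."""
    entries = []
    current_key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        cmd_match = CMD_RE.match(line)
        if cmd_match and current_key is not None:
            entries.append((current_key, cmd_match.group(1)))
            current_key = None  # one command per key; never pair it twice
        elif line.startswith("["):
            current_key = None  # some other key started: stop pairing
    return entries


def build_cfscript(entries):
    """Emit a CFScript Registry:: section; the leading '-' on a key line
    tells ComboFix to delete that key (the syntax used in this thread)."""
    lines = ["Registry::"]
    for key, _command in entries:
        lines.append(f"[-{key}]")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = find_autorun_mountpoints(SAMPLE_LOG)
    for key, command in found:
        # Show what each key would have launched, so it can be reviewed
        # before the keys are deleted.
        guid = key.rsplit("\\", 1)[-1]
        print(f"{guid} -> {command}")
    print(build_cfscript(found))
```

Two caveats a practitioner would want: the MountPoints2 keys are only Explorer's per-device cache of what autorun.inf on that device asked to run, so deleting them removes the cached handler but not the executable sitting on the removable media, and they are recreated the next time a device with an autorun.inf is plugged in. That is why the helper asks for the USB devices to be connected before the script runs, so ComboFix can scan them in the same pass.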
Code:
Run from: C:\Documents and Settings\jerry\Pulpit\ComboFix.exe
Command switches used :: C:\Documents and Settings\jerry\Pulpit\CFScript.txt
* Created a new restore point
* Resident AV is active
WARNING - THIS COMPUTER DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files created from 2008-09-14 to 2008-10-14 )))))))))))))))))))))))))))))))
.
2008-10-14 04:04 . 2008-10-14 04:04 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-14 04:04 . 2008-10-14 04:04 <DIR> d-------- C:\Documents and Settings\jerry\Dane aplikacji\Malwarebytes
2008-10-14 04:04 . 2008-10-14 04:04 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Malwarebytes
2008-10-14 04:04 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-14 04:04 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-10-13 18:25 . 2008-10-13 18:28 <DIR> d-------- C:\Documents and Settings\jerry\Dane aplikacji\dp3d
2008-10-13 18:22 . 2008-10-13 18:22 <DIR> d-------- C:\Program Files\Dream Pinball 3D
2008-10-13 10:36 . 2008-10-13 10:36 <DIR> d-------- C:\Documents and Settings\jerry\Dane aplikacji\HEXelon
2008-10-12 18:15 . 2008-10-12 18:49 <DIR> d-------- C:\Documents and Settings\jerry\Dane aplikacji\Microsoft Games
2008-10-12 15:53 . 2008-10-12 15:53 <DIR> d--h----- C:\WINDOWS\PIF
2008-10-03 17:06 . 2008-10-03 17:06 <DIR> d-------- C:\WINDOWS\system32\xircom
2008-10-03 17:06 . 2008-10-03 17:06 <DIR> d-------- C:\WINDOWS\srchasst
2008-10-03 17:06 . 2008-10-03 17:06 <DIR> d-------- C:\WINDOWS\msagent
2008-10-03 17:06 . 2008-10-03 17:06 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-10-03 13:51 . 2008-10-03 13:51 <DIR> d-------- C:\Program Files\CCleaner
2008-10-03 13:46 . 2008-10-03 13:50 <DIR> d-------- C:\Program Files\Mp3Doctor
2008-10-03 13:46 . 2001-12-08 12:23 1,089,536 --a------ C:\WINDOWS\system32\Mp3Doctor1.dll
2008-10-03 13:46 . 2003-01-22 14:20 299,008 --a------ C:\WINDOWS\system32\winwmbcay.dll
2008-10-03 13:46 . 2001-11-25 17:00 266,240 --a------ C:\WINDOWS\system32\Mp3Doctor2.dll
2008-10-03 13:46 . 2001-08-01 09:50 90,112 --a------ C:\WINDOWS\system32\ID3v23xBase.DLL
2008-10-03 13:46 . 2003-04-11 12:48 18,432 --a------ C:\WINDOWS\system32\winint.dll
2008-10-01 11:23 . 2008-10-01 11:23 <DIR> d-------- C:\Documents and Settings\jerry\Dane aplikacji\Leadertech
2008-09-30 16:23 . 2008-09-30 16:23 <DIR> d-------- C:\Program Files\USB Vibration Joystick
2008-09-30 16:22 . 2008-09-30 16:22 <DIR> d-------- C:\WINDOWS\USB Vibration
2008-09-30 16:22 . 2008-09-30 16:22 <DIR> d-------- C:\Program Files\USB Vibration
2008-09-30 16:00 . 2008-09-30 16:23 <DIR> d-------- C:\Program Files\VID_0E8F&PID_0012
2008-09-30 16:00 . 2008-09-30 16:23 <DIR> d-------- C:\Program Files\Common Files\VID_0E8F&PID_0012
2008-09-30 16:00 . 2007-08-16 09:58 11,136 --a------ C:\WINDOWS\system32\drivers\GF0012.SYS
2008-09-30 15:57 . 2008-04-13 22:15 10,368 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-09-28 16:02 . 2008-09-28 16:02 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-09-26 20:27 . 2008-09-26 20:27 <DIR> d-------- C:\Program Files\MyPhoneExplorer
2008-09-26 20:26 . 2008-09-27 13:36 <DIR> d-------- C:\Documents and Settings\jerry\Dane aplikacji\MyPhoneExplorer
2008-09-25 17:26 . 2008-09-27 17:42 <DIR> d--hs---- C:\Documents and Settings\jerry\Phone Browser
2008-09-25 17:02 . 2008-09-25 17:17 <DIR> d-------- C:\Documents and Settings\jerry\Dane aplikacji\Nokia Multimedia Player
2008-09-25 16:33 . 2008-09-25 16:33 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-09-25 16:30 . 2008-09-25 16:30 <DIR> d-------- C:\Program Files\DIFX
2008-09-25 16:30 . 2008-09-25 16:30 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2008-09-25 16:30 . 2008-09-25 16:30 <DIR> d-------- C:\Program Files\Common Files\Nokia
2008-09-25 16:30 . 2008-09-25 16:41 <DIR> d-------- C:\Documents and Settings\jerry\Dane aplikacji\PC Suite
2008-09-25 16:30 . 2008-09-25 16:43 <DIR> d-------- C:\Documents and Settings\jerry\Dane aplikacji\Nokia
2008-09-25 16:30 . 2008-09-25 16:32 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\PC Suite
2008-09-25 16:29 . 2008-09-25 16:30 <DIR> d-------- C:\Program Files\PC Connectivity Solution
2008-09-25 16:29 . 2008-09-25 16:30 <DIR> d-------- C:\Program Files\Nokia
2008-09-25 16:29 . 2007-02-22 10:15 137,216 --a------ C:\WINDOWS\system32\drivers\nmwcd.sys
2008-09-25 16:29 . 2007-02-22 10:15 90,624 --a------ C:\WINDOWS\system32\nmwcdcls.dll
2008-09-25 16:29 . 2007-02-22 10:15 65,536 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
2008-09-25 16:29 . 2007-02-22 10:15 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcm.sys
2008-09-25 16:29 . 2007-02-22 10:15 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcj.sys
2008-09-25 16:29 . 2007-02-22 10:15 8,320 --a------ C:\WINDOWS\system32\drivers\nmwcdc.sys
2008-09-25 16:28 . 2008-09-25 16:29 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Installations
2008-09-21 23:02 . 2008-09-21 23:02 <DIR> d-------- C:\Program Files\MKVTOAVI
2008-09-18 15:01 . 2008-04-13 22:15 60,032 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys
2008-09-14 13:00 . 2008-09-14 13:00 <DIR> d-------- C:\Program Files\Combined Community Codec Pack
.
(((((((((((((((((((((((((((((((((((((((( Find3M section ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-14 01:56 --------- d-----w C:\Documents and Settings\jerry\Dane aplikacji\uTorrent
2008-10-13 18:06 --------- d-----w C:\Documents and Settings\jerry\Dane aplikacji\U3
2008-09-30 14:26 --------- d-----w C:\Documents and Settings\jerry\Dane aplikacji\Bioshock
2008-09-30 14:23 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-14 14:27 --------- d---a-w C:\Documents and Settings\All Users\Dane aplikacji\TEMP
2008-09-13 13:34 --------- d-----w C:\Program Files\7-Zip
2008-09-05 18:03 --------- d-----w C:\Documents and Settings\jerry\Dane aplikacji\Apple Computer
2008-09-03 13:00 --------- d-----w C:\Documents and Settings\jerry\Dane aplikacji\SPORE
2008-09-02 07:35 --------- d-----w C:\Program Files\Common Files\SWF Studio
2008-09-01 09:04 --------- d-----w C:\Documents and Settings\jerry\Dane aplikacji\Ahead
2008-08-28 12:18 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\DVD Shrink
2008-08-27 18:30 47,360 ----a-w C:\Documents and Settings\jerry\Dane aplikacji\pcouffin.sys
2008-08-27 18:30 --------- d-----w C:\Documents and Settings\jerry\Dane aplikacji\Vso
2008-08-27 17:02 --------- d-----w C:\Program Files\Opera9.27
2008-08-27 15:53 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys
2008-08-27 12:08 --------- d-----w C:\Program Files\AutoGK
2008-08-27 12:07 43,698 ----a-w C:\WINDOWS\system32\xvid-uninstall.exe
2008-08-27 12:07 --------- d-----w C:\Program Files\AviSynth 2.5
2008-08-27 12:04 --------- d-----w C:\Program Files\Gabest
2008-08-23 11:25 --------- d-----w C:\Program Files\Sun
2008-08-23 11:25 --------- d-----w C:\Program Files\Java
2008-08-23 10:57 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\FLEXnet
2008-08-21 11:41 --------- d-----w C:\Program Files\Sony Ericsson
2008-08-21 11:32 --------- d-----w C:\Program Files\Disc2Phone
2008-08-20 14:05 --------- d-----w C:\Program Files\AVIcodec
2008-08-20 13:20 --------- d-----w C:\Program Files\ESET
2008-08-20 13:20 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\ESET
2008-08-20 13:18 --------- d-----w C:\Program Files\Google
2008-08-20 13:18 --------- d-----w C:\Program Files\AbiSuite2
2008-08-19 07:41 --------- d-----w C:\Program Files\WMV9_VCM
2008-08-19 07:41 --------- d-----w C:\Program Files\Winfor
2008-08-16 13:26 --------- d-----w C:\Program Files\NAPI-PROJEKT
2008-08-15 19:20 --------- d-----w C:\Program Files\Common Files\Adobe
2008-08-15 19:20 --------- d-----w C:\Program Files\Bonjour
2008-08-15 19:15 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-08-14 18:06 --------- d-----w C:\Program Files\Microsoft.NET
2008-08-03 12:44 444,952 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2008-08-03 12:44 109,080 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2008-08-03 11:46 319,488 ----a-w C:\WINDOWS\HideWin.exe
2008-08-03 11:38 4,501 ----a-w C:\WINDOWS\gdrv.sys
2008-08-01 13:51 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-07-23 14:51 16,804,864 ----a-w C:\WINDOWS\RTHDCPL.exe
2008-07-18 20:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 20:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 20:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 20:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 20:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 20:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 20:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 20:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-15 11:58 524,288 ----a-w C:\WINDOWS\RtlExUpd.dll
2008-07-15 11:47 1,196,032 ----a-w C:\WINDOWS\RtlUpd.exe
.
------- Sigcheck -------
2008-05-17 14:44 487424 5f1ccdf37f28a88d0473b0c9ea1e0d58 C:\WINDOWS\system32\user32.dll
2008-05-17 14:40 2146304 262abab004204800fc107194ca7a7b35 C:\WINDOWS\system32\ntoskrnl.exe
2008-05-17 14:36 1503232 67eacb65fbb0997dd3be8e4f1a5fe069 C:\WINDOWS\explorer.exe
2008-05-17 14:35 40448 0277e1a3e8b337555a45943808451981 C:\WINDOWS\system32\ctfmon.exe
.
((((((((((((((((((((((((((((( snapshot@2008-10-03_10.30.55.21 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-10-12 15:18:27 454,656 ----a-r C:\WINDOWS\Installer\{1170D24F-42B7-40CF-AA1B-6395CE562354}\ARPPRODUCTICON.exe
- 2006-06-18 21:51:32 43,520 ----a-w C:\WINDOWS\system32\drivers\AmdK8.sys
+ 2006-07-01 21:32:26 43,520 ----a-w C:\WINDOWS\system32\drivers\AmdK8.sys
+ 2006-07-01 21:32:26 43,520 -c--a-w C:\WINDOWS\system32\DRVSTORE\amdk8_642960B49F5985230DB9B953682A9431120601FA\AmdK8.sys
- 2008-08-16 06:58:48 1,477,336 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-10-03 15:06:23 1,477,112 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2007-04-30 14:50:50 903,072 ----a-w C:\WINDOWS\system32\msidcrl40.dll
- 2008-08-03 11:34:28 70,174 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-10-12 16:43:23 70,174 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-08-03 11:34:28 87,572 ----a-w C:\WINDOWS\system32\perfc015.dat
+ 2008-10-12 16:43:23 87,572 ----a-w C:\WINDOWS\system32\perfc015.dat
- 2008-08-03 11:34:28 439,250 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-10-12 16:43:23 439,250 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2008-08-03 11:34:28 498,110 ----a-w C:\WINDOWS\system32\perfh015.dat
+ 2008-10-12 16:43:23 498,110 ----a-w C:\WINDOWS\system32\perfh015.dat
+ 2006-06-18 21:51:32 43,520 ----a-w C:\WINDOWS\system32\ReinstallBackups\0005\DriverFiles\AmdK8.sys
+ 2006-07-01 21:32:26 43,520 ----a-w C:\WINDOWS\system32\ReinstallBackups\0011\DriverFiles\AmdK8.sys
+ 2006-07-01 21:32:26 43,520 ----a-w C:\WINDOWS\system32\ReinstallBackups\0012\DriverFiles\AmdK8.sys
+ 2007-08-07 17:22:14 8,607,552 ----a-w C:\WINDOWS\system32\xlive.dll
+ 2007-08-07 17:22:16 13,653,824 ----a-w C:\WINDOWS\system32\xlivefnt.dll
.
((((((((((((((((((((((((((((((((((((( Registry startup entries ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries and default, legitimate entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-05-17 40448]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-16 13529088]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-16 86016]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-07-01 1447168]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-23 C:\WINDOWS\RTHDCPL.exe]
"SoundMan"="SOUNDMAN.EXE" [2008-06-18 C:\WINDOWS\SoundMan.exe]
"AlcWzrd"="ALCWZRD.EXE" [2008-06-19 C:\WINDOWS\alcwzrd.exe]
"nwiz"="nwiz.exe" [2008-05-16 C:\WINDOWS\system32\nwiz.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 1294336]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]
"nltide_3"="advpack.dll" [2008-06-23 C:\WINDOWS\system32\advpack.dll]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoInstrumentation"= 1 (0x1)
"NoStartMenuMFUprogramsList"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoInstrumentation"= 1 (0x1)
"NoStartMenuMFUprogramsList"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.FFDS"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2008-06-24 16:06 1840424 C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
--a------ 2008-06-08 09:31 2221352 C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2008-06-19 09:53 570664 C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
--a------ 2007-12-10 10:12 695808 C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\NAPI-PROJEKT\\napisy.exe"=
"D:\\GRID\\GRID.exe"=
"D:\\BearShare\\BearShare\\BearShare.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"D:\\BearShare\\BearShare.exe"=
"C:\\Program Files\\Opera9.27\\Opera.exe"=
"D:\\Beijing\\Beijing.exe"=
"C:\\Program Files\\SopCast\\SopCast.exe"=
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"C:\\Program Files\\Gadu-Gadu\\gg.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Java\\jre1.6.0_07\\bin\\javaw.exe"=
"C:\\Program Files\\Java\\jre1.6.0_07\\bin\\java.exe"=
"C:\\Program Files\\Java\\jre1.6.0_07\\launch4j-tmp\\JDownloader.exe"=
"C:\\WINDOWS\\system32\\java.exe"=
"F:\\mIRC\\mirc.exe"=
"D:\\GoW\\Binaries\\WarGame-G4WLive.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57986:TCP"= 57986:TCP:57986
R0 nvgts;nvgts;C:\WINDOWS\system32\DRIVERS\nvgts.sys [2007-08-09 102400]
R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-07-01 34312]
R2 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B};C:\Program Files\CyberLink\PowerDVD\000.fcl [2007-11-03 00:12 41456]
R2 Nokia Network Bridge;Nokia Network Bridge;C:\WINDOWS\system32\nbridge.exe [2005-11-09 18944]
R3 Nokia Network Bridge Driver;Nokia Network Bridge Driver;C:\WINDOWS\system32\Drivers\nbridge.sys [2005-11-09 19456]
.
- - - - EMPTY ENTRIES REMOVED - - - -
HKCU-Run-HEXelon MAX - C:\Documents and Settings\jerry\Pulpit\HEXelonMAX6\hexelon.exe
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-14 04:10:18
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]
"ImagePath"="\??\C:\Program Files\CyberLink\PowerDVD\000.fcl"
.
Completion time: 2008-10-14 4:10:53
ComboFix-quarantined-files.txt 2008-10-14 02:10:46
ComboFix2.txt 2008-10-12 16:48:34
ComboFix3.txt 2008-10-03 08:31:17
Before: 10,369,134,592 bytes free
After: 10,362,839,040 bytes free
251 --- E O F --- 2008-09-10 11:19:54
Code:
Malwarebytes' Anti-Malware 1.28
Database version: 1267
Windows 5.1.2600 Service Pack 3
2008-10-14 04:16:32
mbam-log-2008-10-14 (04-16-32).txt
Scan type: Quick Scan
Objects scanned: 45442
Time elapsed: 2 minute(s), 5 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{37b85a2c-692b-4205-9cad-2626e4993404} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)