
[virus] A tale from XP, a fight with a trojan, and what to do about it :)


  • Closed: this topic is closed
7 replies in this topic

#1 vodafone

    Beginner

  • 27 posts

Posted 05 04 2008 - 14:22

In the beginning there was Windows XP Professional. Everything was fine until strange things started happening with the internet.
I had the internet administrator on GG, so every day I wrote to him that I had a weak connection (my internet is 512 kb/s; download speed during the internet problem was 8-15 KB/s, normally 100-150 KB/s). Later it turned out they had some virus that was clogging up all the server's work. When they dealt with it and I had reinstalled the system 3 times, everything was OK, until a month ago the system started dying on me: I couldn't run any program or install an antivirus, because something had settled on a library. So I reinstalled the system again, but with new free programs (Sygate Personal Firewall, Ad-Aware and other legitimate ones). Ad-Aware detected a trojan, I don't remember the name exactly; I removed it 3 times before I got rid of it for good (so I think), but since then the system is slightly sluggish and every so often the firewall shows me a message that "the system kernel and winNT have been blocked from accessing the internet". Windows, meanwhile, asks whether to send an error report with the text "ftp.exe failed to start". Every time I reinstall the system, format the disk, delete the partitions and create new ones, I still have this trojan, and within 1 day the library dies while the system keeps working. What do you make of that???

  • 0

#2 makensis

    Editor-in-chief

  • 5,036 posts

Posted 08 04 2008 - 13:33

Install Windows XP with Service Pack 2 or update your version of Windows. During the system installation, unplug the LAN cable from the socket, and after the installation get on with installing an antivirus program and a firewall.

  • 0

#3 wncvirus

    Slacker!

  • 851 posts

Posted 08 04 2008 - 23:14

If you suspect you have some virus, I suggest you show me your logs from ComboFix.

  • 0

#4 vodafone

    Beginner

  • 27 posts

Posted 09 04 2008 - 16:29

Deckard's System Scanner v20071014.68
Run by Administrator on 2008-04-09 16:36:07
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
7: 2008-04-09 14:36:09 UTC - RP7 - Deckard's System Scanner Restore Point
6: 2008-03-30 11:33:16 UTC - RP6 - Zainstalowano: Adobe Reader 6.0.2 CE
5: 2008-03-30 10:33:04 UTC - RP5 - Installed Windows Media Format Runtime
4: 2008-03-30 10:19:01 UTC - RP4 - Installed Ad-Aware 2007
3: 2008-03-30 10:18:17 UTC - RP3 - Zainstalowano: Opera 9.26


-- First Restore Point --
1: 2008-03-29 20:32:56 UTC - RP1 - Punkt kontrolny systemu


Backed up registry hives.
Performed disk cleanup.



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-04-09 16:37:53
Platform: Windows XP (5.01.2600)
MSIE: Internet Explorer (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\system32\antiv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Opera\Opera.exe
C:\Documents and Settings\Administrator\Pulpit\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.bearshare.com/pl/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.microsoft.com/isapi/redir.dll?p...mp;plcid=0x0415
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WinDLL (redyLive.exe)] rundll32.exe C:\WINDOWS\System32\redyLive.exe,start
O4 - HKLM\..\Run: [Windows Defender] windowsdefender.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [Microsoft Anivirus Monitor Process] antiv.exe
O4 - HKLM\..\Run: [AutoInclude] C:\WINDOWS\TEMP\DIL6.tmp
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\RunServices: [Windows Defender] windowsdefender.exe
O4 - HKLM\..\RunServices: [Microsoft Anivirus Monitor Process] antiv.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Pokrewne - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\Web\related.htm
O9 - Extra 'Tools' menuitem: @shdoclc.dll,-864 - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\Web\related.htm
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} () - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB
O18 - Protocol: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\system32\msvidctl.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - Unknown owner - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\Smc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe


--
End of file - 4017 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 Teefer (Teefer for NT) - c:\windows\system32\drivers\teefer.sys <Not Verified; Sygate Technologies, Inc.; Sygate Teefer Driver>
R1 oreans32 - c:\windows\system32\drivers\oreans32.sys
R1 wpsdrvnt - c:\windows\system32\drivers\wpsdrvnt.sys <Not Verified; Sygate Technologies, Inc.; wpsdrvnt>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S2 NVSvc (NVIDIA Driver Helper Service) - c:\windows\system32\nvsvc32.exe (file missing)
S2 UMWdf (Windows User Mode Driver Framework) - c:\windows\system32\wdfmgr.exe (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Kontroler Uniwersalnej magistrali szeregowej (USB)
Device ID: PCI\VEN_1106&DEV_3104&SUBSYS_80A11043&REV_82\3&61AAA01&0&83
Manufacturer:
Name: Kontroler Uniwersalnej magistrali szeregowej (USB)
PNP Device ID: PCI\VEN_1106&DEV_3104&SUBSYS_80A11043&REV_82\3&61AAA01&0&83
Service:


-- Files created between 2008-03-09 and 2008-04-09 -----------------------------

2008-04-09 16:30:19 77824 --a------ C:\WINDOWS\zip.exe
2008-04-09 16:30:19 61440 --a------ C:\WINDOWS\VFind.exe
2008-04-09 16:30:19 222208 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-09 16:30:19 146432 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-09 16:30:19 171520 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-09 16:30:19 108544 --a------ C:\WINDOWS\sed.exe
2008-04-09 16:30:19 90140 --a------ C:\WINDOWS\grep.exe
2008-04-09 16:30:19 86016 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-03 19:41:12 0 d-------- C:\My Downloads
2008-04-03 19:41:10 0 d-------- C:\Program Files\BearShare
2008-03-30 20:34:49 0 d-------- C:\WINDOWS\System32\iDlo04
2008-03-30 20:34:49 0 d-------- C:\Temp
2008-03-30 17:39:49 73216 -ra------ C:\WINDOWS\System32\antiv.exe
2008-03-30 13:36:13 0 d-------- C:\Program Files\PITy
2008-03-30 13:33:24 0 d-------- C:\Program Files\Common Files\Adobe
2008-03-30 13:31:35 0 d-------- C:\WINDOWS\Cache
2008-03-30 13:10:48 0 d-------- C:\Program Files\Trend Micro
2008-03-30 12:33:05 0 d-------- C:\WINDOWS\RegisteredPackages
2008-03-30 12:31:55 0 d-------- C:\Program Files\Winamp
2008-03-30 12:19:12 0 d---s---- C:\WINDOWS\System32\Microsoft
2008-03-30 12:19:02 0 d-------- C:\Program Files\Lavasoft
2008-03-30 12:18:18 0 d-------- C:\Program Files\Opera
2008-03-30 12:17:54 21075 --a------ C:\WINDOWS\System32\drivers\wpsdrvnt.sys <Not Verified; Sygate Technologies, Inc.; wpsdrvnt>
2008-03-30 12:17:54 60496 --a------ C:\WINDOWS\System32\drivers\Teefer.sys <Not Verified; Sygate Technologies, Inc.; Sygate Teefer Driver>
2008-03-30 12:17:51 0 d-------- C:\Program Files\Sygate
2008-03-30 12:17:44 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-30 11:58:18 0 --a------ C:\adware.exe
2008-03-30 11:58:17 33952 --a------ C:\WINDOWS\System32\drivers\oreans32.sys
2008-03-30 11:56:03 0 d-------- C:\Program Files\Gadu-Gadu
2008-03-29 23:16:09 0 d-------- C:\WINDOWS
2008-03-29 23:16:09 0 d-------- C:\WINDOWS\WinSxS
2008-03-29 23:16:09 0 dr------- C:\WINDOWS\Web
2008-03-29 23:16:09 0 d-------- C:\WINDOWS\twain_32
2008-03-29 23:16:09 0 d-------- C:\WINDOWS\system32
2008-03-29 23:16:09 0 d-------- C:\WINDOWS\System32\wins
2008-03-29 23:16:09 0 d-------- C:\WINDOWS\System32\wbem
2008-03-29 23:16:09 0 d-------- C:\WINDOWS\System32\usmt
2008-03-29 23:16:09 0 d-------- C:\WINDOWS\System32\spool
2008-03-29 23:16:09 0 d-------- C:\WINDOWS\System32\ShellExt
2008-03-29 23:16:09 0 d-------- C:\WINDOWS\System32\Setup
2008-03-29 23:16:09 0 d-------- C:\WINDOWS\System32\ras
2008-03-29 23:16:09 0 d-------- C:\WINDOWS\System32\oobe
2008-03-29 23:16:09 0 d-------- C:\WINDOWS\System32\npp
2008-03-29 23:16:09 0 d-------- C:\WINDOWS\System32\mui
2008-03-29 23:16:09 0 d-------- C:\WINDOWS\System32\inetsrv
2008-03-29 23:16:09 0 d-------- C:\WINDOWS\System32\IME
2008-03-29 23:16:09 0 d-------- C:\WINDOWS\System32\icsxml
2008-03-29 23:16:09 0 d-------- C:\WINDOWS\System32\ias
2008-03-29 23:16:09 0 d-------- C:\WINDOWS\System32\export
2008-03-29 23:16:09 0 d-------- C:\WINDOWS\System32\drivers
2008-03-29 23:16:09 0 d-------- C:\WINDOWS\System32\drivers\etc
2008-03-29 23:16:09 0 d-------- C:\WINDOWS\System32\drivers\disdn
2008-03-29 23:16:09 0 dr-hs--c- C:\WINDOWS\System32\dllcache
2008-03-29 23:16:09 0 d-------- C:\WINDOWS\System32\dhcp
2008-03-29 23:16:09 0 d-------- C:\WINDOWS\System32\config
2008-03-29 23:16:09 0 d-------- C:\WINDOWS\System32\3com_dmi
2008-03-29 23:16:09 0 d-------- C:\WINDOWS\System32\3076
2008-03-29 23:16:09 0 d-------- C:\WINDOWS\System32\2052
2008-03-29 23:16:09 0 d-------- C:\WINDOWS\System32\1054
2008-03-29 23:16:09 0 d-------- C:\WINDOWS\System32\1045
2008-03-29 23:16:09 0 d-------- C:\WINDOWS\System32\1042
2008-03-29 23:16:09 0 d-------- C:\WINDOWS\System32\1041
2008-03-29 23:16:09 0 d-------- C:\WINDOWS\System32\1037
2008-03-29 23:16:09 0 d-------- C:\WINDOWS\System32\1033
2008-03-29 23:16:09 0 d-------- C:\WINDOWS\System32\1031
2008-03-29 23:16:09 0 d-------- C:\WINDOWS\System32\1028
2008-03-29 23:16:09 0 d-------- C:\WINDOWS\System32\1025
2008-03-29 23:16:09 0 d-------- C:\WINDOWS\system
2008-03-29 23:16:09 0 d-------- C:\WINDOWS\security
2008-03-29 23:16:09 0 d-------- C:\WINDOWS\Resources
2008-03-29 23:16:09 0 d-------- C:\WINDOWS\repair
2008-03-29 23:16:09 0 d-------- C:\WINDOWS\mui
2008-03-29 23:16:09 0 d-------- C:\WINDOWS\msapps
2008-03-29 23:16:09 0 d-------- C:\WINDOWS\msagent
2008-03-29 23:16:09 0 d-------- C:\WINDOWS\Media
2008-03-29 23:16:09 0 d-------- C:\WINDOWS\java
2008-03-29 23:16:09 0 d--h----- C:\WINDOWS\inf
2008-03-29 23:16:09 0 d-------- C:\WINDOWS\ime
2008-03-29 23:16:09 0 d-------- C:\WINDOWS\Help
2008-03-29 23:16:09 0 dr--s---- C:\WINDOWS\Fonts
2008-03-29 23:16:09 0 d-------- C:\WINDOWS\Driver Cache
2008-03-29 23:16:09 0 d-------- C:\WINDOWS\Debug
2008-03-29 23:16:09 0 d-------- C:\WINDOWS\Cursors
2008-03-29 23:16:09 0 d-------- C:\WINDOWS\Connection Wizard
2008-03-29 23:16:09 0 d-------- C:\WINDOWS\Config
2008-03-29 23:16:09 0 d-------- C:\WINDOWS\AppPatch
2008-03-29 23:16:09 0 d-------- C:\WINDOWS\addins
2008-03-29 22:43:43 0 d-------- C:\WINDOWS\System32\NtmsData
2008-03-29 22:42:59 0 -r------- C:\WINDOWS\System32\TFTP1964
2008-03-29 22:39:11 0 d-------- C:\WINDOWS\nview
2008-03-29 22:37:24 30208 -----n--- C:\WINDOWS\System32\wdmioctl.dll <Not Verified; Analog Devices Inc.; Analog Devices Inc. wdmioctl>
2008-03-29 22:37:23 1285632 -----n--- C:\WINDOWS\System32\SMMedia.dll <Not Verified; Analog Devices; SoundMAX Integrated Digital Audio>
2008-03-29 22:37:22 978944 -----n--- C:\WINDOWS\SynthCoreA.Dll <Not Verified; Analog Devices, Inc.; SoundMAX Wavetable>
2008-03-29 22:37:22 393216 -----n--- C:\WINDOWS\SynCor.exe <Not Verified; Analog Devices, Inc.; SynthCore>
2008-03-29 22:37:21 45056 -----n--- C:\WINDOWS\System32\SynthCore11Resources.dll <Not Verified; Analog Devices, Inc.; Analog Devices, Inc. SynthCore11Resources>
2008-03-29 22:37:21 40820 -----n--- C:\WINDOWS\System32\Syncor11.dll <Not Verified; SoundMAX; Staccato Systems SynthCore R2.0 Synthesizer>
2008-03-29 22:37:21 49152 -----n--- C:\WINDOWS\System32\S11thk32.dll <Not Verified; SoundMAX; Staccato Systems SynthCore R2.0 Synthesizer>
2008-03-29 22:37:19 0 d-------- C:\WINDOWS\VirtualEar
2008-03-29 22:37:19 765952 -----n--- C:\WINDOWS\system\crlds3d.dll <Not Verified; Sensaura Ltd; Sensaura 3DPA>
2008-03-29 22:37:17 57344 -----n--- C:\WINDOWS\System32\CleanUp.exe <Not Verified; adi; adi CleanUp>
2008-03-29 22:37:17 0 d-------- C:\Program Files\Analog Devices
2008-03-29 22:37:16 44 -----n--- C:\WINDOWS\System32\msssc.dll
2008-03-29 22:37:16 61440 -----n--- C:\WINDOWS\System32\DSndUp.exe <Not Verified; Analog Devices Inc.; adi DSndUp>
2008-03-29 22:37:16 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-29 22:37:07 0 d-------- C:\Program Files\Common Files\InstallShield
2008-03-29 22:36:55 0 d-------- C:\WINDOWS\System32\ReinstallBackups
2008-03-29 22:36:43 316416 -----n--- C:\WINDOWS\IsUninst.exe <Not Verified; InstallShield Software Corporation; InstallShield? unInstaller>
2008-03-29 22:36:28 5824 -----n--- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
2008-03-29 22:32:45 0 d--hs---- C:\WINDOWS\Installer
2008-03-29 22:30:58 0 d--hs---- C:\System Volume Information
2008-03-29 22:30:57 0 d-------- C:\WINDOWS\Prefetch
2008-03-29 22:27:59 0 d-------- C:\WINDOWS\System32\xircom
2008-03-29 22:27:59 0 d-------- C:\Program Files\microsoft frontpage
2008-03-29 22:27:40 0 -r-hs---- C:\MSDOS.SYS
2008-03-29 22:27:40 0 -r-hs---- C:\IO.SYS
2008-03-29 22:27:40 0 -----n--- C:\CONFIG.SYS
2008-03-29 22:27:40 0 -----n--- C:\AUTOEXEC.BAT
2008-03-29 22:26:46 0 dr------- C:\WINDOWS\Offline Web Pages
2008-03-29 22:26:46 0 d---s---- C:\WINDOWS\Downloaded Program Files
2008-03-29 22:26:28 0 d-------- C:\WINDOWS\srchasst
2008-03-29 22:26:23 0 d-------- C:\WINDOWS\System32\DirectX
2008-03-29 22:26:22 0 d-------- C:\WINDOWS\System32\Macromed
2008-03-29 22:26:13 0 d-------- C:\Program Files\Movie Maker
2008-03-29 22:25:53 0 d-------- C:\WINDOWS\System32\Restore
2008-03-29 22:25:51 45056 --a------ C:\WINDOWS\System32\mnmsrvc.exe <Not Verified; Microsoft Corporation; Windows? NetMeeting?>
2008-03-29 22:25:48 0 d-------- C:\WINDOWS\PCHEALTH
2008-03-29 22:25:44 0 d---s---- C:\WINDOWS\Tasks
2008-03-29 22:25:44 19456 --a------ C:\WINDOWS\System32\mstinit.exe <Not Verified; Microsoft Corporation; Microsoft? Windows? - Harmonogram zadań>
2008-03-29 22:25:42 0 d-------- C:\Program Files\Common Files\MSSoap
2008-03-29 22:25:16 21856 -----n--- C:\WINDOWS\System32\emptyregdb.dat
2008-03-29 22:25:04 0 d-------- C:\WINDOWS\Registration
2008-03-29 22:24:59 0 d--h----- C:\Program Files\WindowsUpdate
2008-03-29 22:24:59 0 d-------- C:\Program Files\Usługi online
2008-03-29 22:24:54 0 d-------- C:\Program Files\Messenger
2008-03-29 22:24:47 15360 --a------ C:\WINDOWS\System32\write.exe <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2008-03-29 22:24:47 0 d-------- C:\Program Files\MSN Gaming Zone
2008-03-29 22:24:40 148992 --a------ C:\WINDOWS\System32\sndvol32.exe <Not Verified; Microsoft Corporation; System operacyjny Microsoft? Windows?>
2008-03-29 22:24:40 135168 --a------ C:\WINDOWS\System32\sndrec32.exe <Not Verified; Microsoft Corporation; System operacyjny Microsoft? Windows?>
2008-03-29 22:24:40 128000 --a------ C:\WINDOWS\System32\mplay32.exe <Not Verified; Microsoft Corporation; System operacyjny Microsoft? Windows?>
2008-03-29 22:24:40 193024 --a------ C:\WINDOWS\System32\accwiz.exe <Not Verified; Microsoft Corporation; System operacyjny Microsoft? Windows?>
2008-03-29 22:24:39 0 d-------- C:\Program Files\Windows NT
2008-03-29 22:24:38 351744 --a------ C:\WINDOWS\System32\mspaint.exe <Not Verified; Microsoft Corporation; System operacyjny Microsoft? Windows?>
2008-03-29 22:24:35 109056 --a------ C:\WINDOWS\System32\clipbrd.exe <Not Verified; Microsoft Corporation; System operacyjny Microsoft? Windows?>
2008-03-29 22:24:34 129536 --a------ C:\WINDOWS\System32\winmine.exe <Not Verified; Microsoft Corporation; System operacyjny Microsoft? Windows?>
2008-03-29 22:24:34 543744 --a------ C:\WINDOWS\System32\spider.exe <Not Verified; Microsoft Corporation; System operacyjny Microsoft? Windows?>
2008-03-29 22:24:34 67072 --a------ C:\WINDOWS\System32\sol.exe <Not Verified; Microsoft Corporation; System operacyjny Microsoft? Windows?>
2008-03-29 22:24:34 90624 --a------ C:\WINDOWS\System32\charmap.exe <Not Verified; Microsoft Corporation; System operacyjny Microsoft? Windows?>
2008-03-29 22:24:34 124928 --a------ C:\WINDOWS\System32\calc.exe <Not Verified; Microsoft Corporation; System operacyjny Microsoft? Windows?>
2008-03-29 22:24:33 123392 --a------ C:\WINDOWS\System32\wuauclt.exe <Not Verified; Microsoft Corporation; System operacyjny Microsoft? Windows?>
2008-03-29 22:24:33 137728 --a------ C:\WINDOWS\System32\mshearts.exe <Not Verified; Microsoft Corporation; System operacyjny Microsoft? Windows?>
2008-03-29 22:24:33 65536 --a------ C:\WINDOWS\System32\freecell.exe <Not Verified; Microsoft Corporation; System operacyjny Microsoft? Windows?>
2008-03-29 22:24:32 27648 --a------ C:\WINDOWS\System32\tsshutdn.exe <Not Verified; Microsoft Corporation; System operacyjny Microsoft? Windows?>
2008-03-29 22:24:32 26112 --a------ C:\WINDOWS\System32\tskill.exe <Not Verified; Microsoft Corporation; System operacyjny Microsoft? Windows?>
2008-03-29 22:24:32 25088 --a------ C:\WINDOWS\System32\tsdiscon.exe <Not Verified; Microsoft Corporation; System operacyjny Microsoft? Windows?>
2008-03-29 22:24:32 50176 --a------ C:\WINDOWS\System32\tscupgrd.exe <Not Verified; Microsoft Corporation; System operacyjny Microsoft? Windows?>
2008-03-29 22:24:32 25088 --a------ C:\WINDOWS\System32\tscon.exe <Not Verified; Microsoft Corporation; System operacyjny Microsoft? Windows?>
2008-03-29 22:24:32 25088 --a------ C:\WINDOWS\System32\shadow.exe <Not Verified; Microsoft Corporation; System operacyjny Microsoft? Windows?>
2008-03-29 22:24:32 140800 --a------ C:\WINDOWS\System32\sessmgr.exe <Not Verified; Microsoft Corporation; System operacyjny Microsoft? Windows?>
2008-03-29 22:24:32 19456 --a------ C:\WINDOWS\System32\reset.exe <Not Verified; Microsoft Corporation; System operacyjny Microsoft? Windows?>
2008-03-29 22:24:32 71680 --a------ C:\WINDOWS\System32\rdshost.exe <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2008-03-29 22:24:32 22016 --a------ C:\WINDOWS\System32\rdsaddin.exe <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2008-03-29 22:24:32 396800 --a------ C:\WINDOWS\System32\mstsc.exe <Not Verified; Microsoft Corporation; System operacyjny Microsoft? Windows?>
2008-03-29 22:24:31 26112 --a------ C:\WINDOWS\System32\rwinsta.exe <Not Verified; Microsoft Corporation; System operacyjny Microsoft? Windows?>
2008-03-29 22:24:31 43520 --a------ C:\WINDOWS\System32\regini.exe <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2008-03-29 22:24:31 51712 --a------ C:\WINDOWS\System32\rdpclip.exe <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2008-03-29 22:24:31 32256 --a------ C:\WINDOWS\System32\qwinsta.exe <Not Verified; Microsoft Corporation; System operacyjny Microsoft? Windows?>
2008-03-29 22:24:31 29184 --a------ C:\WINDOWS\System32\qprocess.exe <Not Verified; Microsoft Corporation; System operacyjny Microsoft? Windows?>
2008-03-29 22:24:31 27136 --a------ C:\WINDOWS\System32\qappsrv.exe <Not Verified; Microsoft Corporation; System operacyjny Microsoft? Windows?>
2008-03-29 22:24:31 32256 --a------ C:\WINDOWS\System32\msg.exe <Not Verified; Microsoft Corporation; System operacyjny Microsoft? Windows?>
2008-03-29 22:24:31 0 d-------- C:\WINDOWS\System32\MsDtc
2008-03-29 22:24:31 25600 --a------ C:\WINDOWS\System32\logoff.exe <Not Verified; Microsoft Corporation; System operacyjny Microsoft? Windows?>
2008-03-29 22:24:30 15872 --a------ C:\WINDOWS\System32\msdtc.exe <Not Verified; Microsoft Corporation; Microsoft Distributed Transaction Coordinator>
2008-03-29 22:24:29 14848 --a------ C:\WINDOWS\System32\dcomcnfg.exe <Not Verified; Microsoft Corporation; COM Services>
2008-03-29 22:24:29 0 d-------- C:\WINDOWS\System32\Com
2008-03-29 22:20:01 0 d-------- C:\Program Files\Common Files\ODBC
2008-03-29 22:19:59 0 d-------- C:\Program Files\Common Files\SpeechEngines
2008-03-29 22:19:58 0 dr------- C:\Program Files
2008-03-29 22:19:58 0 d-------- C:\Program Files\Common Files
2008-03-29 22:19:47 25088 --a------ C:\WINDOWS\TASKMAN.EXE <Not Verified; Microsoft Corporation; System operacyjny Microsoft? Windows?>
2008-03-29 22:19:47 76800 --a------ C:\WINDOWS\NOTEPAD.EXE <Not Verified; Microsoft Corporation; System operacyjny Microsoft? Windows?>
2008-03-29 22:19:30 0 d-------- C:\WINDOWS\System32\CatRoot2
2008-03-29 22:19:30 0 d-------- C:\WINDOWS\System32\CatRoot
2008-03-29 22:19:11 0 d-------- C:\Documents and Settings


-- Find3M Report ---------------------------------------------------------------

2008-04-03 20:30:28 0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Gadu-Gadu
2008-03-30 17:35:54 0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Soldat
2008-03-30 17:02:44 0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Winamp
2008-03-30 13:33:41 0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Adobe
2008-03-30 13:14:54 0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Macromedia
2008-03-30 12:20:33 0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Opera
2008-03-30 11:53:28 355486 --a------ C:\WINDOWS\System32\perfh015.dat
2008-03-30 11:53:28 49492 --a------ C:\WINDOWS\System32\perfc015.dat
2008-03-29 22:52:48 0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Help
2008-03-29 22:32:43 0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Identities
2008-03-29 22:19:40 62 ---hs---- C:\Documents and Settings\Administrator\Dane aplikacji\desktop.ini


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 09:57]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-09-23 10:33]
"nwiz"="nwiz.exe" [2003-09-23 10:33 C:\WINDOWS\system32\nwiz.exe]
"WinDLL (redyLive.exe)"="C:\WINDOWS\System32\redyLive.exe" []
"Windows Defender"="windowsdefender.exe" []
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40]
"Microsoft Anivirus Monitor Process"="antiv.exe" [2008-03-30 17:40 C:\WINDOWS\system32\antiv.exe]
"AutoInclude"="C:\WINDOWS\TEMP\DIL6.tmp" []
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2001-10-26 19:29]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2001-08-02 08:14]
"NvMediaCenter"="C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit" []
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-11-14 12:54]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"Windows Defender"=windowsdefender.exe
"Microsoft Anivirus Monitor Process"=antiv.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"disableregistrytools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
@="Service"




-- Hosts -----------------------------------------------------------------------

127.0.0.1 dl2.teenpassage.com


-- End of Deckard's System Scanner: finished at 2008-04-09 16:38:42 ------------

Anyway, I know you unplug the net cable ;p I'm not convinced about updates. I can't install anything because I have the library error :)
  • 0
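The autostart (O4) and service (O23) lines in the log above carry most of the signal a helper looks for when triaging a thread like this. The following Python script is an added example, not part of this thread and not code from HijackThis, Deckard's System Scanner or any other tool named here; the sample lines are copied from the logs posted above (with one benign entry kept for contrast), and the rule set is my own defender-side heuristic, not any tool's logic. It parses HijackThis-format O4/O23 lines and flags the patterns worth explaining before an entry is left in place: a value that is a bare file name (resolved through the PATH search order, so its real location and vendor are unknown), a Microsoft- or security-branded entry name attached to such a bare file, rundll32 loading something that is not a DLL, an autostart under TEMP, the Windows 9x-era RunServices key, and a service whose binary is missing on disk.

```python
import re
from dataclasses import dataclass

# Constructed sample input: O4 and O23 lines copied from the HijackThis-style logs
# posted in this thread, plus one benign entry (MSMSGS) for contrast.
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [WinDLL (redyLive.exe)] rundll32.exe C:\WINDOWS\System32\redyLive.exe,start
O4 - HKLM\..\Run: [Windows Defender] windowsdefender.exe
O4 - HKLM\..\Run: [Microsoft Anivirus Monitor Process] antiv.exe
O4 - HKLM\..\Run: [AutoInclude] C:\WINDOWS\TEMP\DIL6.tmp
O4 - HKLM\..\RunServices: [Windows Defender] windowsdefender.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - Unknown owner - C:\WINDOWS\System32\nvsvc32.exe (file missing)
"""

# HijackThis line formats: "O4 - <hive>\..\<key>: [<name>] <command>" and
# "O23 - Service: <description> - <owner> - <path>".
O4_RE = re.compile(r'^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O23_RE = re.compile(r'^O23 - Service: (?P<desc>.+?) - (?P<owner>.+?) - (?P<path>.+)$')
# Either a quoted program path or an unquoted path up to its executable extension.
EXE_RE = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|com|bat|cmd|scr|dll|tmp))(?=[\s,]|$)', re.I)
# Entry names that borrow Microsoft/security-product branding (the typo "Anivirus" included).
BRAND_RE = re.compile(r'microsoft|windows|defender|an[ti]*virus', re.I)
# System host binaries that legitimate entries reference without a path (heuristic allow-list).
KNOWN_HOSTS = {"rundll32.exe"}


@dataclass(frozen=True)
class Finding:
    line: int      # 1-based line number in the log
    entry: str     # entry name (O4) or service description (O23)
    reason: str


def split_command(cmd: str) -> tuple[str, str]:
    """Return (program, remaining arguments) for an autostart command string."""
    m = EXE_RE.match(cmd)
    if m:
        return (m.group(1) or m.group(2)), cmd[m.end():].strip()
    parts = cmd.split(None, 1)
    return (parts[0] if parts else ""), (parts[1] if len(parts) > 1 else "")


def check_autorun(name: str, key: str, cmd: str) -> list[str]:
    """Heuristic checks for one O4 entry; returns the reasons it deserves a closer look."""
    exe, rest = split_command(cmd)
    reasons = []
    bare = "\\" not in exe and exe.lower() not in KNOWN_HOSTS
    if bare:
        reasons.append("unqualified file name: resolved via the PATH search order, "
                       "so its real location and vendor must be verified")
    if bare and BRAND_RE.search(name):
        reasons.append("entry name borrows Microsoft/security-product branding "
                       "but points at an unqualified file")
    if re.search(r"\\temp\\", exe, re.I) or exe.lower().endswith(".tmp"):
        reasons.append("autostart from a temporary location")
    if exe.lower().rsplit("\\", 1)[-1] == "rundll32.exe":
        target = rest.split(",")[0].strip().strip('"')
        if not target.lower().endswith(".dll"):
            reasons.append(f"rundll32 is loading a non-DLL file: {target}")
    if key.lower() == "runservices":
        reasons.append("RunServices is a Windows 9x-era key that XP does not process; "
                       "current software has no reason to write it")
    return reasons


def triage(log_text: str) -> list[Finding]:
    """Scan O4/O23 lines of a HijackThis-format log and collect findings."""
    findings: list[Finding] = []
    for no, line in enumerate(log_text.splitlines(), start=1):
        m = O4_RE.match(line)
        if m:
            for reason in check_autorun(m["name"], m["key"], m["cmd"]):
                findings.append(Finding(no, m["name"], reason))
            continue
        m = O23_RE.match(line)
        if m and ("(file missing)" in m["path"] or "[file not found]" in m["path"]):
            findings.append(Finding(no, m["desc"],
                                    "service binary missing on disk: stale entry or a "
                                    "component that removed itself; explain before leaving it"))
    return findings


def flagged_lines(log_text: str) -> set[int]:
    """Line numbers that produced at least one finding."""
    return {f.line for f in triage(log_text)}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line:2d}  [{f.entry}]  {f.reason}")
```

Run on the sample, the benign SoundMAX and Messenger entries produce nothing, while the six remaining lines are flagged for the reasons listed above; in a real triage each flagged file would then be checked for its signer, on-disk location and creation time, which is exactly what the "Files created" section of the Deckard log above provides for antiv.exe.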

#5 Maciej13

    SecurityMaster

  • 261 posts

Posted 09 04 2008 - 19:47

Close the vulnerable ports with the Windows Worms Doors Cleaner tool. All the indicators should be green! After using it, restart the computer.

Download SDFix.

1. Double-click the SDFix.exe file. The program will unpack itself onto the system drive: C:\SDFix
2. Restart the computer and enter Safe Mode (press F8 before Windows boots).
3. Go to the folder SDFix created and double-click the RunThis.bat file.
4. Press Y so the tool starts the removal process.
5. When removal finishes, the program will ask you to press any key on the keyboard (Any Key). After you press it, the computer will restart.
6. After the restart, the application will start again. When "Finished" appears in the window, press any key for the program to finish its work.
7. Finally, show the log from the program, located at C:\SDFix\Report.txt

Afterwards, show the logs from: HijackThis + Silent Runners + ComboFix + SDFix.

  • 0

#6 vodafone

    Beginner

  • 27 posts

Posted 10 04 2008 - 15:17

Logs from HijackThis
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:07:02, on 2008-04-10
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.bearshare.com/pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WinDLL (redyLive.exe)] rundll32.exe C:\WINDOWS\System32\redyLive.exe,start
O4 - HKLM\..\Run: [Windows Defender] windowsdefender.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [AutoInclude] C:\WINDOWS\TEMP\DIL6.tmp
O4 - HKLM\..\RunServices: [Windows Defender] windowsdefender.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - Unknown owner - C:\WINDOWS\System32\nvsvc32.exe (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)

--
End of file - 3400 bytes

Silent Runners
"Silent Runners.vbs", revision 56, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\System32\ctfmon.exe" [MS]
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit" [MS]
"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu S.A."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Smapp" = "C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" ["Analog Devices, Inc."]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"WinDLL (redyLive.exe)" = "rundll32.exe C:\WINDOWS\System32\redyLive.exe,start" [MS] <(this is where I get the error when the system starts)
"Windows Defender" = "windowsdefender.exe" [file not found]
"SmcService" = "C:\PROGRA~1\Sygate\SPF\smc.exe -startgui" ["Sygate Technologies, Inc."]
"AutoInclude" = "C:\WINDOWS\TEMP\DIL6.tmp" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
-> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Eksplorator pulpitów"
-> {HKLM...CLSID} = "Eksplorator pulpitów"
\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "autocheck autochk *"|"lsdelete" [null data]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Policies\Microsoft\Windows\System\

"disablecmd" = (REG_DWORD) dword:0x00000000
{User Configuration|Administrative Templates|System|
Disable the command prompt}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\web\wallpaper\Idylla.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\web\wallpaper\Idylla.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ad-Aware 2007 Service, aawservice, "C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe" ["Lavasoft"]
SoundMAX Agent Service, SoundMAX Agent Service (default), "C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe" ["Analog Devices, Inc."]
Sygate Personal Firewall, SmcService, "C:\Program Files\Sygate\SPF\smc.exe" ["Sygate Technologies, Inc."]


Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
Monitor 2 języka BJ\Driver = "CNBJMON2.DLL" [MS]


ComboFix

ComboFix 08-04-09.9 - Administrator 2008-04-10 15:26:07.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.0.1250.48.1045.18.274 [GMT 2:00]
Running from: C:\Documents and Settings\Administrator\Pulpit\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\sanR24
C:\WINDOWS\system32\msssc.dll

.
((((((((((((((((((((((((( Files Created from 2008-03-10 to 2008-04-10 )))))))))))))))))))))))))))))))
.

2008-04-10 15:17 . 2007-07-30 19:19 549,720 --a------ C:\WINDOWS\system32\wuapi.dll
2008-04-10 15:17 . 2007-07-30 19:19 325,976 --a------ C:\WINDOWS\system32\wucltui.dll
2008-04-10 15:17 . 2007-07-30 19:19 216,408 --a------ C:\WINDOWS\system32\wuaucpl.cpl
2008-04-10 15:17 . 2007-07-30 19:19 203,096 --a------ C:\WINDOWS\system32\wuweb.dll
2008-04-10 15:17 . 2004-08-03 14:04 187,160 --a------ C:\WINDOWS\system32\wuaueng1.dll
2008-04-10 15:17 . 2004-08-03 14:03 170,264 --a------ C:\WINDOWS\system32\wuauclt1.exe
2008-04-10 15:17 . 2004-08-03 14:02 168,728 --a------ C:\WINDOWS\system32\wuaucpl.cpl.wusetup.889859.bak
2008-04-10 15:17 . 2004-08-03 14:01 39,704 --a------ C:\WINDOWS\system32\wups.dll
2008-04-10 15:11 . 2008-04-10 15:19 <DIR> d-------- C:\WINDOWS\LastGood
2008-04-10 15:11 . 2002-05-23 09:34 310,272 --a------ C:\WINDOWS\system32\winhttp.dll
2008-04-10 08:11 . 2008-04-10 08:11 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-10 08:06 . 2008-04-10 08:18 <DIR> d-------- C:\SDFix
2008-04-03 20:30 . 2008-04-03 20:30 <DIR> d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Gadu-Gadu
2008-04-03 19:41 . 2008-04-04 15:36 <DIR> d-------- C:\Program Files\BearShare
2008-04-03 19:41 . 2008-04-03 19:41 <DIR> d-------- C:\My Downloads
2008-03-30 20:34 . 2008-03-30 20:34 <DIR> d-------- C:\WINDOWS\system32\iDlo04
2008-03-30 20:34 . 2008-04-10 15:26 <DIR> d-------- C:\Temp
2008-03-30 17:35 . 2008-03-30 17:35 <DIR> d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Soldat
2008-03-30 13:36 . 2008-03-30 13:36 <DIR> d-------- C:\Program Files\PITy
2008-03-30 13:33 . 2008-03-30 13:33 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-03-30 13:31 . 2008-03-30 13:31 <DIR> d-------- C:\WINDOWS\Cache
2008-03-30 13:10 . 2008-03-30 13:10 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-30 12:31 . 2008-03-30 12:33 <DIR> d-------- C:\Program Files\Winamp
2008-03-30 12:31 . 2008-03-30 17:02 <DIR> d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Winamp
2008-03-30 12:19 . 2008-03-30 12:19 <DIR> d---s---- C:\WINDOWS\system32\Microsoft
2008-03-30 12:19 . 2008-03-30 12:19 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-30 12:19 . 2008-03-30 12:19 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Lavasoft
2008-03-30 12:18 . 2008-03-30 12:18 <DIR> d-------- C:\Program Files\Opera
2008-03-30 12:17 . 2008-03-30 12:17 <DIR> d-------- C:\Program Files\Sygate
2008-03-30 12:17 . 2008-03-30 12:18 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-30 12:17 . 2004-10-15 18:32 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2008-03-30 12:17 . 2004-10-15 18:17 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2008-03-30 12:17 . 2004-10-15 18:18 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2008-03-30 12:17 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2008-03-30 12:17 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2008-03-30 12:17 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2008-03-30 12:17 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2008-03-30 11:58 . 2008-03-30 11:58 33,952 --a------ C:\WINDOWS\system32\drivers\oreans32.sys
2008-03-30 11:56 . 2008-03-30 11:56 <DIR> d-------- C:\Program Files\Gadu-Gadu
2008-03-30 11:56 . 2008-04-03 20:30 <DIR> d-------- C:\Documents and Settings\Administrator\Gadu-Gadu

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-29 20:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-29 20:37 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-29 20:37 --------- d-----w C:\Program Files\Analog Devices
2008-03-29 20:27 --------- d-----w C:\Program Files\microsoft frontpage
2008-03-29 20:26 --------- d-----w C:\Program Files\Usługi online
.

------- Sigcheck -------

2001-10-26 19:29 1012224 f36ef8aba6d8243ef037aaa39e6a9af6 C:\WINDOWS\explorer.exe
2001-10-26 19:29 1012224 a130ac0d88e071c86816c4f9a4989b3d C:\WINDOWS\system32\dllcache\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2001-10-26 19:29 23040]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2001-08-02 08:14 1089565]
"NvMediaCenter"="C:\WINDOWS\System32\NVMCTRAY.DLL" [2003-09-23 10:33 49152]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-11-14 12:54 2131392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 09:57 155648]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-09-23 10:33 4616192]
"nwiz"="nwiz.exe" [2003-09-23 10:33 335872 C:\WINDOWS\system32\nwiz.exe]
"WinDLL (redyLive.exe)"="C:\WINDOWS\System32\redyLive.exe" [ ]
"Windows Defender"="windowsdefender.exe" []
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40 2577632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Windows Defender"="windowsdefender.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2001-10-26 19:29 23040]

R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2008-03-30 11:58]

*Newly Created Service* - BITS
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-10 15:27:08
Windows 5.1.2600 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
Completion time: 2008-04-10 15:27:30
ComboFix-quarantined-files.txt 2008-04-10 13:27:20
Pre-Run: 5,778,735,104 bajtów wolnych
Post-Run: 6,344,712,192 bajtów wolnych




---------- (launch time: 2008-04-10 15:22:56)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 54 seconds, including 2 seconds for message boxes)

SDFix




SDFix: Version 1.168
Run by Administrator on 2008-04-10 at 08:13

Microsoft Windows XP [Wersja 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\ADWARE.EXE - Deleted
C:\WINDOWS\system32\TFTP1964 - Deleted
C:\adware.exe - Deleted
C:\WINDOWS\system32\antiv.exe - Deleted
C:\WINDOWS\system32\pac.txt - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1351.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-10 08:17:23
Windows 5.1.2600 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\WINDOWS\\System32\\windowsdefender.exe"="C:\\WINDOWS\\System32\\windowsdefender.exe:*:Enabled:Windows Defender"

Remaining Files :



Files with Hidden Attributes :


Finished!

#7 wncvirus

    Leń !

  • 851 posts

Posted 10 04 2008 - 21:00

Paste into Notepad:
File::
C:\WINDOWS\system32\drivers\oreans32.sys

Folder::
C:\WINDOWS\system32\iDlo04

Driver::
oreans32

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinDLL (redyLive.exe)"=-
"Windows Defender"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Windows Defender"=-
>>File>>Save as... >>> CFScript
Drag and drop the CFScript.txt file onto ComboFix.exe
The removal should start (and a log will be created).
Post the log that is produced during the removal.
If it goes well: after the reboot, delete the C:\Qoobox folder manually.

#8 vodafone

    Początkujący

  • 27 posts

Posted 10 04 2008 - 21:46

ComboFix 08-04-09.9 - Administrator 2008-04-10 21:49:59.4 - NTFSx86
Running from: C:\Documents and Settings\Administrator\Pulpit\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Pulpit\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED

FILE ::
C:\WINDOWS\system32\drivers\oreans32.sys
.
TimedOut: progfile.dat

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\oreans32.sys
C:\WINDOWS\system32\iDlo04
C:\WINDOWS\system32\iDlo04\iDlo041066.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_oreans32
-------\oreans32


((((((((((((((((((((((((( Files Created from 2008-03-10 to 2008-04-10 )))))))))))))))))))))))))))))))
.

2008-04-10 15:17 . 2007-07-30 19:19 549,720 --a------ C:\WINDOWS\system32\wuapi.dll
2008-04-10 15:17 . 2007-07-30 19:19 325,976 --a------ C:\WINDOWS\system32\wucltui.dll
2008-04-10 15:17 . 2007-07-30 19:19 216,408 --a------ C:\WINDOWS\system32\wuaucpl.cpl
2008-04-10 15:17 . 2007-07-30 19:19 203,096 --a------ C:\WINDOWS\system32\wuweb.dll
2008-04-10 15:17 . 2004-08-03 14:04 187,160 --a------ C:\WINDOWS\system32\wuaueng1.dll
2008-04-10 15:17 . 2004-08-03 14:03 170,264 --a------ C:\WINDOWS\system32\wuauclt1.exe
2008-04-10 15:17 . 2007-07-30 19:18 33,624 --a------ C:\WINDOWS\system32\wups.dll
2008-04-10 15:11 . 2002-05-23 09:34 310,272 --a------ C:\WINDOWS\system32\winhttp.dll
2008-04-10 08:11 . 2008-04-10 08:11 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-10 08:06 . 2008-04-10 08:18 <DIR> d-------- C:\SDFix
2008-04-03 20:30 . 2008-04-03 20:30 <DIR> d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Gadu-Gadu
2008-04-03 19:41 . 2008-04-04 15:36 <DIR> d-------- C:\Program Files\BearShare
2008-04-03 19:41 . 2008-04-03 19:41 <DIR> d-------- C:\My Downloads
2008-03-30 20:34 . 2008-04-10 15:26 <DIR> d-------- C:\Temp
2008-03-30 17:35 . 2008-03-30 17:35 <DIR> d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Soldat
2008-03-30 13:36 . 2008-03-30 13:36 <DIR> d-------- C:\Program Files\PITy
2008-03-30 13:33 . 2008-03-30 13:33 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-03-30 13:31 . 2008-03-30 13:31 <DIR> d-------- C:\WINDOWS\Cache
2008-03-30 13:10 . 2008-03-30 13:10 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-30 12:31 . 2008-03-30 12:33 <DIR> d-------- C:\Program Files\Winamp
2008-03-30 12:31 . 2008-03-30 17:02 <DIR> d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Winamp
2008-03-30 12:19 . 2008-03-30 12:19 <DIR> d---s---- C:\WINDOWS\system32\Microsoft
2008-03-30 12:19 . 2008-03-30 12:19 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-30 12:19 . 2008-03-30 12:19 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Lavasoft
2008-03-30 12:18 . 2008-03-30 12:18 <DIR> d-------- C:\Program Files\Opera
2008-03-30 12:17 . 2008-03-30 12:17 <DIR> d-------- C:\Program Files\Sygate
2008-03-30 12:17 . 2008-03-30 12:18 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-30 12:17 . 2004-10-15 18:32 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2008-03-30 12:17 . 2004-10-15 18:17 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2008-03-30 12:17 . 2004-10-15 18:18 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2008-03-30 12:17 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2008-03-30 12:17 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2008-03-30 12:17 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2008-03-30 12:17 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2008-03-30 11:56 . 2008-03-30 11:56 <DIR> d-------- C:\Program Files\Gadu-Gadu
2008-03-30 11:56 . 2008-04-03 20:30 <DIR> d-------- C:\Documents and Settings\Administrator\Gadu-Gadu

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-29 20:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-29 20:37 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-29 20:37 --------- d-----w C:\Program Files\Analog Devices
2008-03-29 20:27 --------- d-----w C:\Program Files\microsoft frontpage
2008-03-29 20:26 --------- d-----w C:\Program Files\Usługi online
.

------- Sigcheck -------

2001-10-26 19:29 1012224 f36ef8aba6d8243ef037aaa39e6a9af6 C:\WINDOWS\explorer.exe
2001-10-26 19:29 1012224 a130ac0d88e071c86816c4f9a4989b3d C:\WINDOWS\system32\dllcache\explorer.exe
.
((((((((((((((((((((((((((((( snapshot@2008-04-10_15.27.14,27 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-10-20 18:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\ERDNT.EXE
+ 2005-10-20 18:02:28 173,056 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\ERDNT.EXE
+ 2005-10-20 18:02:28 173,056 ----a-w C:\WINDOWS\ERDNT\subs\ERDNT.EXE
- 2008-04-10 13:27:04 65,536 ----a-w C:\WINDOWS\PSEXESVC.EXE
+ 2008-04-10 19:52:11 53,248 ----a-w C:\WINDOWS\PSEXESVC.EXE
- 2008-04-10 13:04:38 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-04-10 19:52:02 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-04-10 13:04:38 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Historia\History.IE5\index.dat
+ 2008-04-10 19:52:02 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Historia\History.IE5\index.dat
- 2008-04-10 13:04:38 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Temporary Internet Files\Content.IE5\index.dat
+ 2008-04-10 19:52:02 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2001-10-26 19:29 23040]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2001-08-02 08:14 1089565]
"NvMediaCenter"="C:\WINDOWS\System32\NVMCTRAY.DLL" [2003-09-23 10:33 49152]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-11-14 12:54 2131392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 09:57 155648]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-09-23 10:33 4616192]
"nwiz"="nwiz.exe" [2003-09-23 10:33 335872 C:\WINDOWS\system32\nwiz.exe]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40 2577632]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2001-10-26 19:29 23040]


.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-10 21:52:16
Windows 5.1.2600 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Sygate\SPF\Smc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\TEMP\DIL3.tmp
C:\WINDOWS\TEMP\DIL4.tmp
.
**************************************************************************
.
Completion time: 2008-04-10 21:52:55 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-10 19:52:43
ComboFix2.txt 2008-04-10 19:48:42
ComboFix3.txt 2008-04-10 19:45:58
ComboFix4.txt 2008-04-10 13:27:31
Pre-Run: 6,213,136,384 bajtów wolnych
Post-Run: 6,160,519,168 bajtów wolnych




