Instead of the clock on the taskbar, the message "Antivirus Alert!" is displayed, and often a balloon: Your computer may be at risk. Click ...... And my wife clicked it, and then it all started...... Please analyze the log and advise.
Log from ComboFix:
ComboFix 08-07-08.7 - Administrator 2008-07-09 17:48:14.1 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.146 [GMT 2:00]
Running from: G:\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
ADS - svchost.exe: deleted 28674 bytes in 1 streams.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Kasia i Piotr.X-760408C724564\Dane aplikacji\Microsoft\Internet Explorer\Quick Launch\Antivirus-2008pro.lnk
C:\Documents and Settings\Kasia i Piotr.X-760408C724564\Menu Start\Programy\IE AntiVirus 3.3.lnk
C:\Program Files\IEAntiVirus
C:\Program Files\IEAntiVirus\antivir.exe
C:\Program Files\IEAntiVirus\ieav.db2
C:\Program Files\IEAntiVirus\ieav.db3
C:\Program Files\IEAntiVirus\ieav.db6
C:\Program Files\IEAntiVirus\uninst.exe
C:\Program Files\PCHealthCenter
C:\Program Files\PCHealthCenter\0.exe
C:\Program Files\PCHealthCenter\0.gif
C:\Program Files\PCHealthCenter\1.exe
C:\Program Files\PCHealthCenter\1.gif
C:\Program Files\PCHealthCenter\2.exe
C:\Program Files\PCHealthCenter\2.gif
C:\Program Files\PCHealthCenter\3.exe
C:\Program Files\PCHealthCenter\3.gif
C:\Program Files\PCHealthCenter\4.exe
C:\Program Files\PCHealthCenter\5.exe
C:\Program Files\PCHealthCenter\sex1.ico
C:\Program Files\PCHealthCenter\sex2.ico
C:\WINDOWS\enwa.exe
C:\WINDOWS\kgqfweltgbn.dll
C:\WINDOWS\mrvtdpqe.exe
C:\WINDOWS\Sys13.exe
C:\WINDOWS\Sys14.exe
C:\WINDOWS\Sys15.exe
C:\WINDOWS\Sys16.exe
C:\WINDOWS\system32\cpymvssq.dll
C:\WINDOWS\system32\ddiwkits.dll
C:\WINDOWS\system32\drivers\protect.sys
C:\WINDOWS\system32\efOnmUvw.ini
C:\WINDOWS\system32\efOnmUvw.ini2
C:\WINDOWS\system32\Ehjkmnmp.ini
C:\WINDOWS\system32\Ehjkmnmp.ini2
C:\WINDOWS\system32\geBroOgg.dll
C:\WINDOWS\system32\ggOorBeg.ini
C:\WINDOWS\system32\ggOorBeg.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\ojvffhvv.ini
C:\WINDOWS\system32\oxdqbcms.ini
C:\WINDOWS\system32\qssvmypc.ini
C:\WINDOWS\system32\stikwidd.ini
C:\WINDOWS\system32\vav.cpl
C:\WINDOWS\system32\vvhffvjo.dll
C:\WINDOWS\Temp\1320015136.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_FCI
-------\Legacy_PROTECT
-------\Legacy_SYSLIBRARY
-------\Service_FCI
-------\Service_protect
((((((((((((((((((((((((( Files Created from 2008-06-09 to 2008-07-09 )))))))))))))))))))))))))))))))
.
2008-07-09 17:45 . 2008-07-09 17:51 <DIR> d--h----- C:\Documents and Settings\Administrator\Ustawienia lokalne
2008-07-09 17:45 . 2008-02-13 21:32 <DIR> d-------- C:\Documents and Settings\Administrator\Ulubione
2008-07-09 17:45 . 2008-02-13 20:42 <DIR> d--h----- C:\Documents and Settings\Administrator\Szablony
2008-07-09 17:45 . 2008-02-13 21:32 <DIR> d-------- C:\Documents and Settings\Administrator\Pulpit
2008-07-09 17:45 . 2008-02-13 21:32 <DIR> d-------- C:\Documents and Settings\Administrator\Moje dokumenty
2008-07-09 17:45 . 2008-02-13 21:32 <DIR> dr------- C:\Documents and Settings\Administrator\Menu Start
2008-07-09 17:45 . 2008-02-13 21:32 <DIR> dr-h----- C:\Documents and Settings\Administrator\Dane aplikacji
2008-07-09 17:45 . 2008-07-09 17:45 <DIR> d-------- C:\Documents and Settings\Administrator
2008-07-04 22:01 . 2008-07-04 22:02 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-04 22:01 . 2008-07-04 23:05 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Dane aplikacji\Spybot - Search & Destroy
2008-07-04 21:30 . 2008-07-04 21:31 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-07-03 20:35 . 2008-07-03 20:35 30,672 --a------ C:\a
2008-07-03 20:24 . 2008-07-03 20:24 28,800 --a------ C:\WINDOWS\system32\hgGxWmkj.dll
2008-07-03 20:23 . 2008-07-03 20:23 28,800 --a------ C:\WINDOWS\system32\ssqNGXQI.dll
2008-07-03 20:21 . 2008-07-03 20:21 26,624 --a------ C:\WINDOWS\system32\wdol_bho.dll
2008-07-03 20:20 . 2008-07-03 20:20 26,624 --a------ C:\WINDOWS\system32\agino32.dll
2008-07-03 20:19 . 2008-07-03 20:19 26,624 --a------ C:\WINDOWS\system32\snop_bho.dll
2008-07-03 20:19 . 2008-07-03 20:19 26,624 --a------ C:\WINDOWS\system32\agin_bho.dll
2008-06-25 19:33 . 2008-06-25 19:34 <DIR> d-------- C:\Program Files\Common Files\AVSMedia
2008-06-25 19:33 . 2008-06-25 19:34 <DIR> d-------- C:\Program Files\AVSMedia
2008-06-16 17:25 . 2008-06-16 17:25 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Dane aplikacji\Zylom
2008-06-12 16:55 . 2008-06-12 16:55 <DIR> d-------- C:\Program Files\phenomedia
2008-06-12 16:55 . 2008-06-12 16:55 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Dane aplikacji\phenomedia
2008-06-12 16:53 . 2005-05-26 15:34 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2008-06-10 20:41 . 2008-06-14 20:01 273,024 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-10 20:41 . 2008-06-14 20:01 273,024 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-09 15:54 262,144 ---ha-w C:\Documents and Settings\NetworkService.ZARZąDZANIE NT\NTUSER.DAT
2008-07-09 15:54 262,144 ---ha-w C:\Documents and Settings\NetworkService.ZARZąDZANIE NT\NTUSER.DAT
2008-07-09 15:43 262,144 ---ha-w C:\Documents and Settings\LocalService.ZARZąDZANIE NT\NTUSER.DAT
2008-07-09 15:43 262,144 ---ha-w C:\Documents and Settings\LocalService.ZARZąDZANIE NT\NTUSER.DAT
2008-07-07 20:37 --------- d-----w C:\Program Files\Google
2008-07-04 18:48 --------- d-s---w C:\Documents and Settings\LocalService.ZARZąDZANIE NT\Dane aplikacji\Microsoft
2008-07-04 18:48 --------- d-----w C:\Program Files\UltiDev
2008-07-02 18:10 --------- d-----w C:\Documents and Settings\Kasia i Piotr.X-760408C724564\Dane aplikacji\BearShare
2008-06-24 17:23 --------- d-----w C:\Program Files\WinX DVD Player 3.0
2008-06-12 14:55 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-27 16:28 --------- d-----w C:\Program Files\SnT
2008-05-27 16:27 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Dane aplikacji\UltiDev
2008-05-13 18:13 --------- d-----w C:\Documents and Settings\Martusia\Dane aplikacji\BearShare
2008-05-07 05:16 1,291,264 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-21 07:03 662,016 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-13 20:44 32 ----a-w C:\Documents and Settings\All Users.WINDOWS\Dane aplikacji\ezsid.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5D72C2A4-9AC6-4727-A705-CEA1F0220B78}]
2008-07-03 20:23 28800 --a------ C:\WINDOWS\system32\ssqNGXQI.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{74322BF9-DF26-493f-B0DA-6D2FC5E6429E}]
2007-12-02 16:13 394680 --a------ C:\Program Files\BearShare Applications\BearShare MediaBar\BearShareIEHelper.dll
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:44 15360]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5D72C2A4-9AC6-4727-A705-CEA1F0220B78}"= "C:\WINDOWS\system32\ssqNGXQI.dll" [2008-07-03 20:23 28800]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqNGXQI]
2008-07-03 20:23 28800 C:\WINDOWS\system32\ssqNGXQI.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Menu Start^Programy^Autostart^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Menu Start\Programy\Autostart\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 20:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2004-08-04 00:44 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Disc Detector]
--------- 1999-08-30 02:55 189952 C:\Program Files\Creative\ShareDLL\CTNotify.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gadu-Gadu]
--a------ 2007-11-14 12:54 2131392 C:\Program Files\Internet Explorer\Gadu-Gadu\gg.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2001-07-09 12:50 155648 C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NewsUpd]
--a------ 2000-08-04 03:50 44032 C:\Program Files\Creative\News\NewsUpd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2008-02-06 19:24 21898024 C:\Program Files\Skype\Phone\Skype.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 11:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--a------ 2000-05-11 02:00 90112 C:\WINDOWS\Updreg.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinFast_2K]
--a------ 2001-06-26 17:55 2142208 C:\WINDOWS\system32\Wf2k.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinFast2KLoadDefault]
--a------ 2001-05-31 16:06 637440 C:\WINDOWS\system32\WF2KCPL.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Gadu-Gadu\\gg.exe"=
"C:\\WINDOWS\\system32\\svchost.exe"=
"C:\\Program Files\\BearShare Applications\\BearShare\\BearShare.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"C:\\Program Files\\Internet Explorer\\Gadu-Gadu\\gg.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
R3 WFsys;WinFox Control I/O Driver;C:\WINDOWS\system32\DRIVERS\wfsys.sys [2001-05-23 11:01]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f0df99de-e227-11dc-bb24-003084750c9f}]
\Shell\AutoRun\command - EXPLORER.EXE
\Shell\explore\Command - EXPLORER.EXE
\Shell\open\Command - EXPLORER.EXE
.
- - - - ORPHANS REMOVED - - - -
BHO-{66C56BB1-38FA-4AF6-A7AD-9D18F0E74B1C} - C:\WINDOWS\system32\pmnmkjhE.dll
BHO-{A6FD9F49-CCB1-4873-9A51-216D638896DC} - C:\WINDOWS\system32\wvUmnOfe.dll
HKCU-Run-antivirus-2008pro.exe - C:\Program Files\Antivirus 2008 PRO\antivirus-2008pro.exe
HKLM-Run-48c93143 - C:\WINDOWS\system32\cpymvssq.dll
Notify-WgaLogon - (no file)
MSConfigStartUp-48c93143 - C:\WINDOWS\system32\vvhffvjo.dll
MSConfigStartUp-antispy - C:\Program Files\IEAntiVirus\ANTIVIR.exe
MSConfigStartUp-Antivirus - C:\Program Files\VAV\vav.exe
MSConfigStartUp-AudioHQ - C:\Program Files\Creative\SBLive2k\AudioHQ\AHQTB.EXE
MSConfigStartUp-Creative Launcher - C:\Program Files\Creative\SBLive2k\Launcher\CTLauncher.exe
MSConfigStartUp-SpyShredder - C:\Program Files\SpyShredder\SpyShredder.exe
MSConfigStartUp-swg - C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
MSConfigStartUp-Windows update loader - C:\Windows\xpupdate.exe
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-09 17:56:04
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
antivirus-2008pro.exe = C:\Program Files\Antivirus 2008 PRO\antivirus-2008pro.exe
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\ssqNGXQI.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-07-09 17:58:49 - machine was rebooted [Kasia i Piotr]
ComboFix-quarantined-files.txt 2008-07-09 15:58:42
Pre-Run: 2,679,021,568 bajtów wolnych
Post-Run: 4,326,694,912 bajtów wolnych
212 --- E O F --- 2008-06-20 07:58:32