Trojan Amvo

[delgard]

Lokalizacja to:
F:\WINDOWS\system32\amvo0.dll
F:\oufddh.exe
F:\WINDOWS\system32\amvo.exe
F:\WINDOWS\system32\aqpndsvq.dll.vir

Wklejam log z Combofixa.

ComboFix 08-05-01.1 - Artur i Dorotka 2008-05-02 15:06:32.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.596 [GMT 2:00]
Running from: F:\Documents and Settings\Artur i Dorotka\Pulpit\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
D:\Autorun.inf
F:\Autorun.inf
F:\WINDOWS\system32\amvo.exe
F:\WINDOWS\system32\amvo0.dll
F:\WINDOWS\system32\eaauwksf.ini
F:\WINDOWS\system32\howrtsku.ini
F:\WINDOWS\system32\ihdqbyvu.ini
F:\WINDOWS\system32\mcrh.tmp
F:\WINDOWS\system32\nldudmkx.ini
F:\WINDOWS\system32\pmqmnwqg.ini
F:\WINDOWS\system32\qblruibe.ini
F:\WINDOWS\system32\qfrsvigq.ini
F:\WINDOWS\system32\rrwfrleu.ini
G:\Autorun.inf
H:\Autorun.inf
I:\Autorun.inf
J:\Autorun.inf

((((((((((((((((((((((((( Files Created from 2008-04-02 to 2008-05-02 )))))))))))))))))))))))))))))))
.

2008-05-02 14:45 . 2008-05-02 14:45 <DIR> d-------- F:\Program Files\PrevxCSI
2008-05-02 14:45 . 2008-05-02 14:45 <DIR> d-------- F:\Documents and Settings\All Users\Dane aplikacji\PrevxCSI
2008-05-02 14:45 . 2008-05-02 14:45 10,880 --a------ F:\WINDOWS\system32\drivers\pxark.sys
2008-04-29 14:28 . 2008-02-23 18:19 109,413 -r-hs---- F:\oufddh.exe
2008-04-24 19:29 . 2007-07-19 18:14 3,727,720 --a------ F:\WINDOWS\system32\d3dx9_35.dll
2008-04-24 19:29 . 2007-07-19 18:14 1,358,192 --a------ F:\WINDOWS\system32\D3DCompiler_35.dll
2008-04-24 19:29 . 2007-07-19 18:14 444,776 --a------ F:\WINDOWS\system32\d3dx10_35.dll
2008-04-13 14:42 . 2008-04-14 08:04 <DIR> d-------- F:\WINDOWS\SxsCaPendDel
2008-04-12 17:12 . 2008-04-12 17:12 <DIR> d-------- F:\Documents and Settings\Artur i Dorotka\Dane aplikacji\Gadu-Gadu
2008-04-11 09:35 . 2008-04-12 17:03 <DIR> d-------- F:\Documents and Settings\Artur i Dorotka\Gadu-Gadu

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-02 13:10 176,310,304 --sha-w F:\WINDOWS\system32\drivers\fidbox.dat
2008-05-02 12:23 --------- d-----w F:\Program Files\XoftSpySE
2008-05-02 10:27 --------- d-----w F:\Documents and Settings\Artur i Dorotka\Dane aplikacji\foobar2000
2008-05-02 06:35 2,079,116 --sha-w F:\WINDOWS\system32\drivers\fidbox.idx
2008-04-24 19:35 --------- d-----w F:\Documents and Settings\Artur i Dorotka\Dane aplikacji\InstallShield Installation Information
2008-04-09 15:44 278,984 ----a-w F:\WINDOWS\system32\drivers\atksgt.sys
2008-03-17 20:26 --------- d-----w F:\Program Files\SkanerOnline
2008-03-15 16:30 3,286,016 ----a-w F:\WINDOWS\Internet Logs\xDB24.tmp
2008-03-09 21:28 --------- d-----w F:\Documents and Settings\All Users\Dane aplikacji\Skype
2008-03-09 15:05 --------- d-----w F:\Documents and Settings\Artur i Dorotka\Dane aplikacji\skypePM
2008-03-08 11:07 32 ----a-w F:\Documents and Settings\All Users\Dane aplikacji\ezsid.dat
2008-02-15 17:29 3,426,304 ----a-w F:\WINDOWS\Internet Logs\xDB22.tmp
2008-02-15 17:29 1,782,784 ----a-w F:\WINDOWS\Internet Logs\xDB23.tmp
2008-02-09 08:43 4,166,534 ----a-w F:\WINDOWS\Internet Logs\tvDebug.zip
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="F:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:44 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X IDE Setup"="F:\WINDOWS\JM\JMInsIDE.exe" [2006-10-30 14:44 36864]
"NvCplDaemon"="F:\WINDOWS\system32\NvCpl.dll" [2007-05-11 00:03 8429568]
"nwiz"="nwiz.exe" [2007-05-11 00:03 1626112 F:\WINDOWS\system32\nwiz.exe]
"ZoneAlarm Client"="J:\Programy\Zone Labs\ZoneAlarm\zlclient.exe" [2007-06-21 21:54 919016]
"WinampAgent"="J:\Programy\Winamp\winampa.exe" [2007-05-15 00:22 35328]
"NvMediaCenter"="F:\WINDOWS\system32\NvMcTray.dll" [2007-05-11 00:03 81920]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-12 11:33 16132608 F:\WINDOWS\RTHDCPL.exe]
"DAEMON Tools-1033"="J:\Programy\Daemon\daemon.exe" [2004-08-22 18:05 81920]
"MSConfig"="F:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 01:44 159744]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="F:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 01:44 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifghgd]
iifghgd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winpdc32]
winpdc32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKLM\~\startupfolder\F:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Gamma Loader.lnk]
path=F:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Gamma Loader.lnk
backup=F:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\F:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]
path=F:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk
backup=F:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\F:^Documents and Settings^All Users^Menu Start^Programy^Autostart^HP Digital Imaging Monitor.lnk]
path=F:\Documents and Settings\All Users\Menu Start\Programy\Autostart\HP Digital Imaging Monitor.lnk
backup=F:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\F:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Microsoft Office.lnk]
path=F:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Microsoft Office.lnk
backup=F:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\F:^Documents and Settings^Artur i Dorotka^Menu Start^Programy^Autostart^GIGABYTE VGA Utility.lnk]
path=F:\Documents and Settings\Artur i Dorotka\Menu Start\Programy\Autostart\GIGABYTE VGA Utility.lnk
backup=F:\WINDOWS\pss\GIGABYTE VGA Utility.lnkStartup

[HKLM\~\startupfolder\F:^Documents and Settings^Artur i Dorotka^Menu Start^Programy^Autostart^Last.fm Helper.lnk]
path=F:\Documents and Settings\Artur i Dorotka\Menu Start\Programy\Autostart\Last.fm Helper.lnk
backup=F:\WINDOWS\pss\Last.fm Helper.lnkStartup

[HKLM\~\startupfolder\F:^Documents and Settings^Artur i Dorotka^Menu Start^Programy^Autostart^Registration Heroes of Might & Magic 5 - Tribes of the East.LNK]
path=F:\Documents and Settings\Artur i Dorotka\Menu Start\Programy\Autostart\Registration Heroes of Might & Magic 5 - Tribes of the East.LNK
backup=F:\WINDOWS\pss\Registration Heroes of Might & Magic 5 - Tribes of the East.LNKStartup

[HKLM\~\startupfolder\F:^Documents and Settings^Artur i Dorotka^Menu Start^Programy^Autostart^Registration Heroes of Might & Magic 5.LNK]
path=F:\Documents and Settings\Artur i Dorotka\Menu Start\Programy\Autostart\Registration Heroes of Might & Magic 5.LNK
backup=F:\WINDOWS\pss\Registration Heroes of Might & Magic 5.LNKStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\3c96147d]
F:\WINDOWS\system32\ldlflfxo.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\a89c1a66]
F:\WINDOWS\system32\ihyfvqro.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
--a------ 2007-12-04 15:00 79224 J:\avast\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
J:\Programy\Daemon\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gadu-Gadu]
--a------ 2008-03-20 12:04 2127296 J:\Programy\Gadu-Gadu\gg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2006-12-10 22:52 49152 F:\Program Files\hp\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-08-11 10:30 249856 F:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-08-11 10:30 81920 F:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-08-04 00:55 1667584 F:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 F:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
-ra------ 2005-10-26 17:17 159744 J:\Programy\Sony Ericsson\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WheelMouse]
--a------ 2005-09-21 19:23 159744 F:\PROGRA~1\A4Tech\Mouse\Amoumain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"avast! Web Scanner"=3 (0x3)
"avast! Mail Scanner"=3 (0x3)
"avast! Antivirus"=2 (0x2)
"aswUpdSv"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"H:\\World in Conflict\\wic.exe"=
"H:\\World in Conflict\\wic_online.exe"=
"H:\\World in Conflict\\wic_ds.exe"=
"%windir%\\system32\\sessmgr.exe"=
"H:\\Call of Duty 4\\iw3mp.exe"=
"D:\\Perseus\\FEARXP2.exe"=

R0 pxark;pxark;F:\WINDOWS\system32\drivers\pxark.sys [2008-05-02 14:45]
R2 CA_LIC_CLNT;CA License Client;"F:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe" [2004-08-31 16:21]
R2 CSIScanner;CSIScanner;"F:\Program Files\PrevxCSI\\PrevxCSI.exe" /service []
R2 LogWatch;Event Log Watch;"F:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe" [2004-07-23 17:06]
S3 Amps2prt;A4Tech PS/2 Port Mouse Driver;F:\WINDOWS\system32\DRIVERS\Amps2prt.sys [2005-09-21 16:27]
S3 gdrv;gdrv;F:\WINDOWS\gdrv.sys [2007-09-05 18:38]
S3 k510bus;Sony Ericsson K510 Driver driver (WDM);F:\WINDOWS\system32\DRIVERS\k510bus.sys [2008-01-25 20:02]
S3 k510mdfl;Sony Ericsson K510 USB WMC Modem Filter;F:\WINDOWS\system32\DRIVERS\k510mdfl.sys [2008-01-25 20:02]
S3 k510mdm;Sony Ericsson K510 USB WMC Modem Driver;F:\WINDOWS\system32\DRIVERS\k510mdm.sys [2008-01-25 20:02]
S3 k510mgmt;Sony Ericsson K510 USB WMC Device Management Drivers (WDM);F:\WINDOWS\system32\DRIVERS\k510mgmt.sys [2008-01-25 20:02]
S3 k510obex;Sony Ericsson K510 USB WMC OBEX Interface;F:\WINDOWS\system32\DRIVERS\k510obex.sys [2008-01-25 20:02]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

*Newly Created Service* - CSISCANNER
*Newly Created Service* - PXARK
.
Contents of the 'Scheduled Tasks' folder
"2008-05-02 08:05:09 F:\WINDOWS\Tasks\XoftSpySE 2.job"
- F:\Program Files\XoftSpySE\XoftSpy.exe
"2008-04-12 01:00:00 F:\WINDOWS\Tasks\XoftSpySE.job"
- F:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-02 15:09:59
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-02 15:10:33
ComboFix-quarantined-files.txt 2008-05-02 13:10:31

Pre-Run: 38,619,410,432 bajtów wolnych
Post-Run: 39,309,484,032 bajtów wolnych

187

Czy mam coś z tym dalej robić? Pomóżcie

[pp3088]

Wklej do notatnika:

Kod: Zaznacz wszystko

File::
F:\oufddh.exe
F:\WINDOWS\Internet Logs\xDB24.tmp
F:\WINDOWS\Internet Logs\xDB22.tmp
F:\WINDOWS\Internet Logs\xDB23.tmp
F:\WINDOWS\Tasks\XoftSpySE 2.job
F:\WINDOWS\Tasks\XoftSpySE.job
F:\oufddh.exe
F:\WINDOWS\system32\aqpndsvq.dll.vir

Folder::
F:\Program Files\XoftSpySE\XoftSpy.ex


Plik zapisz jako CFScript.txt (najwygodniej będzie, jeśli zapiszesz w takiej lokalizacji, by ikonka CFScript.txt znalazła się obok ikonki ComboFix.exe)
Przeciągnij i upuść ikonkę CFScript.txt na ikonkę ComboFix.exe tak jak tu

Powinno się rozpocząć usuwanie i powstanie log, daj ten log na forum.
Jeśli wszystko pójdzie dobrze, to po restarcie usuń ręcznie folder C: \Qoobox

Użyj ATF Cleanera.

Zrób Scan Vundofixem:
LINK

[delgard]

Vundofix nic nie znalazl.

To drugi log z Combofixa.

ComboFix 08-05-01.1 - Artur i Dorotka 2008-05-02 15:41:07.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.596 [GMT 2:00]
Running from: F:\Documents and Settings\Artur i Dorotka\Pulpit\ComboFix.exe
Command switches used :: F:\Documents and Settings\Artur i Dorotka\Pulpit\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
F:\oufddh.exe
F:\WINDOWS\Internet Logs\xDB22.tmp
F:\WINDOWS\Internet Logs\xDB23.tmp
F:\WINDOWS\Internet Logs\xDB24.tmp
F:\WINDOWS\system32\aqpndsvq.dll.vir
F:\WINDOWS\Tasks\XoftSpySE 2.job
F:\WINDOWS\Tasks\XoftSpySE.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

F:\oufddh.exe
F:\Program Files\XoftSpySE\XoftSpy.exe\
F:\WINDOWS\Internet Logs\xDB22.tmp
F:\WINDOWS\Internet Logs\xDB23.tmp
F:\WINDOWS\Internet Logs\xDB24.tmp
F:\WINDOWS\Tasks\XoftSpySE 2.job
F:\WINDOWS\Tasks\XoftSpySE.job

.
((((((((((((((((((((((((( Files Created from 2008-04-02 to 2008-05-02 )))))))))))))))))))))))))))))))
.

2008-05-02 14:45 . 2008-05-02 14:45 <DIR> d-------- F:\Program Files\PrevxCSI
2008-05-02 14:45 . 2008-05-02 15:20 <DIR> d-------- F:\Documents and Settings\All Users\Dane aplikacji\PrevxCSI
2008-05-02 14:45 . 2008-05-02 15:20 10,880 --a------ F:\WINDOWS\system32\drivers\pxark.sys
2008-04-24 19:29 . 2007-07-19 18:14 3,727,720 --a------ F:\WINDOWS\system32\d3dx9_35.dll
2008-04-24 19:29 . 2007-07-19 18:14 1,358,192 --a------ F:\WINDOWS\system32\D3DCompiler_35.dll
2008-04-24 19:29 . 2007-07-19 18:14 444,776 --a------ F:\WINDOWS\system32\d3dx10_35.dll
2008-04-13 14:42 . 2008-04-14 08:04 <DIR> d-------- F:\WINDOWS\SxsCaPendDel
2008-04-12 17:12 . 2008-04-12 17:12 <DIR> d-------- F:\Documents and Settings\Artur i Dorotka\Dane aplikacji\Gadu-Gadu
2008-04-11 09:35 . 2008-04-12 17:03 <DIR> d-------- F:\Documents and Settings\Artur i Dorotka\Gadu-Gadu

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-02 13:42 176,367,648 --sha-w F:\WINDOWS\system32\drivers\fidbox.dat
2008-05-02 12:23 --------- d-----w F:\Program Files\XoftSpySE
2008-05-02 10:27 --------- d-----w F:\Documents and Settings\Artur i Dorotka\Dane aplikacji\foobar2000
2008-05-02 06:35 2,079,116 --sha-w F:\WINDOWS\system32\drivers\fidbox.idx
2008-04-24 19:35 --------- d-----w F:\Documents and Settings\Artur i Dorotka\Dane aplikacji\InstallShield Installation Information
2008-04-09 15:44 278,984 ----a-w F:\WINDOWS\system32\drivers\atksgt.sys
2008-03-17 20:26 --------- d-----w F:\Program Files\SkanerOnline
2008-03-09 21:28 --------- d-----w F:\Documents and Settings\All Users\Dane aplikacji\Skype
2008-03-09 15:05 --------- d-----w F:\Documents and Settings\Artur i Dorotka\Dane aplikacji\skypePM
2008-03-08 11:07 32 ----a-w F:\Documents and Settings\All Users\Dane aplikacji\ezsid.dat
2008-02-09 08:43 4,166,534 ----a-w F:\WINDOWS\Internet Logs\tvDebug.zip
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="F:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:44 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X IDE Setup"="F:\WINDOWS\JM\JMInsIDE.exe" [2006-10-30 14:44 36864]
"NvCplDaemon"="F:\WINDOWS\system32\NvCpl.dll" [2007-05-11 00:03 8429568]
"nwiz"="nwiz.exe" [2007-05-11 00:03 1626112 F:\WINDOWS\system32\nwiz.exe]
"ZoneAlarm Client"="J:\Programy\Zone Labs\ZoneAlarm\zlclient.exe" [2007-06-21 21:54 919016]
"WinampAgent"="J:\Programy\Winamp\winampa.exe" [2007-05-15 00:22 35328]
"NvMediaCenter"="F:\WINDOWS\system32\NvMcTray.dll" [2007-05-11 00:03 81920]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-12 11:33 16132608 F:\WINDOWS\RTHDCPL.exe]
"DAEMON Tools-1033"="J:\Programy\Daemon\daemon.exe" [2004-08-22 18:05 81920]
"MSConfig"="F:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 01:44 159744]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="F:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 01:44 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifghgd]
iifghgd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winpdc32]
winpdc32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKLM\~\startupfolder\F:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Gamma Loader.lnk]
path=F:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Gamma Loader.lnk
backup=F:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\F:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]
path=F:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk
backup=F:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\F:^Documents and Settings^All Users^Menu Start^Programy^Autostart^HP Digital Imaging Monitor.lnk]
path=F:\Documents and Settings\All Users\Menu Start\Programy\Autostart\HP Digital Imaging Monitor.lnk
backup=F:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\F:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Microsoft Office.lnk]
path=F:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Microsoft Office.lnk
backup=F:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\F:^Documents and Settings^Artur i Dorotka^Menu Start^Programy^Autostart^GIGABYTE VGA Utility.lnk]
path=F:\Documents and Settings\Artur i Dorotka\Menu Start\Programy\Autostart\GIGABYTE VGA Utility.lnk
backup=F:\WINDOWS\pss\GIGABYTE VGA Utility.lnkStartup

[HKLM\~\startupfolder\F:^Documents and Settings^Artur i Dorotka^Menu Start^Programy^Autostart^Last.fm Helper.lnk]
path=F:\Documents and Settings\Artur i Dorotka\Menu Start\Programy\Autostart\Last.fm Helper.lnk
backup=F:\WINDOWS\pss\Last.fm Helper.lnkStartup

[HKLM\~\startupfolder\F:^Documents and Settings^Artur i Dorotka^Menu Start^Programy^Autostart^Registration Heroes of Might & Magic 5 - Tribes of the East.LNK]
path=F:\Documents and Settings\Artur i Dorotka\Menu Start\Programy\Autostart\Registration Heroes of Might & Magic 5 - Tribes of the East.LNK
backup=F:\WINDOWS\pss\Registration Heroes of Might & Magic 5 - Tribes of the East.LNKStartup

[HKLM\~\startupfolder\F:^Documents and Settings^Artur i Dorotka^Menu Start^Programy^Autostart^Registration Heroes of Might & Magic 5.LNK]
path=F:\Documents and Settings\Artur i Dorotka\Menu Start\Programy\Autostart\Registration Heroes of Might & Magic 5.LNK
backup=F:\WINDOWS\pss\Registration Heroes of Might & Magic 5.LNKStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\3c96147d]
F:\WINDOWS\system32\ldlflfxo.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\a89c1a66]
F:\WINDOWS\system32\ihyfvqro.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
--a------ 2007-12-04 15:00 79224 J:\avast\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
J:\Programy\Daemon\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gadu-Gadu]
--a------ 2008-03-20 12:04 2127296 J:\Programy\Gadu-Gadu\gg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2006-12-10 22:52 49152 F:\Program Files\hp\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-08-11 10:30 249856 F:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-08-11 10:30 81920 F:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-08-04 00:55 1667584 F:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 F:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
-ra------ 2005-10-26 17:17 159744 J:\Programy\Sony Ericsson\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WheelMouse]
--a------ 2005-09-21 19:23 159744 F:\PROGRA~1\A4Tech\Mouse\Amoumain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"avast! Web Scanner"=3 (0x3)
"avast! Mail Scanner"=3 (0x3)
"avast! Antivirus"=2 (0x2)
"aswUpdSv"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"H:\\World in Conflict\\wic.exe"=
"H:\\World in Conflict\\wic_online.exe"=
"H:\\World in Conflict\\wic_ds.exe"=
"%windir%\\system32\\sessmgr.exe"=
"H:\\Call of Duty 4\\iw3mp.exe"=
"D:\\Perseus\\FEARXP2.exe"=

R0 pxark;pxark;F:\WINDOWS\system32\drivers\pxark.sys [2008-05-02 15:20]
R2 CA_LIC_CLNT;CA License Client;"F:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe" [2004-08-31 16:21]
R2 CSIScanner;CSIScanner;"F:\Program Files\PrevxCSI\\PrevxCSI.exe" /service []
R2 LogWatch;Event Log Watch;"F:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe" [2004-07-23 17:06]
S3 Amps2prt;A4Tech PS/2 Port Mouse Driver;F:\WINDOWS\system32\DRIVERS\Amps2prt.sys [2005-09-21 16:27]
S3 gdrv;gdrv;F:\WINDOWS\gdrv.sys [2007-09-05 18:38]
S3 k510bus;Sony Ericsson K510 Driver driver (WDM);F:\WINDOWS\system32\DRIVERS\k510bus.sys [2008-01-25 20:02]
S3 k510mdfl;Sony Ericsson K510 USB WMC Modem Filter;F:\WINDOWS\system32\DRIVERS\k510mdfl.sys [2008-01-25 20:02]
S3 k510mdm;Sony Ericsson K510 USB WMC Modem Driver;F:\WINDOWS\system32\DRIVERS\k510mdm.sys [2008-01-25 20:02]
S3 k510mgmt;Sony Ericsson K510 USB WMC Device Management Drivers (WDM);F:\WINDOWS\system32\DRIVERS\k510mgmt.sys [2008-01-25 20:02]
S3 k510obex;Sony Ericsson K510 USB WMC OBEX Interface;F:\WINDOWS\system32\DRIVERS\k510obex.sys [2008-01-25 20:02]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

*Newly Created Service* - CATCHME
*Newly Created Service* - CSISCANNER
*Newly Created Service* - PXARK
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-02 15:42:04
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-02 15:42:39
ComboFix-quarantined-files.txt 2008-05-02 13:42:35
ComboFix2.txt 2008-05-02 13:10:34

Pre-Run: 39,290,015,744 bajtów wolnych
Post-Run: 39,280,082,944 bajtów wolnych

177

[huber2t]

otwórz notatnik i wklej

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\3c96147d]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\a89c1a66]

Z menu Notatnika Plik Zapisz jako Zmień rozszerzenie z .txt na wszystkie pliki zapisz pod nazwą Fix.reg

Uruchom ten plik, uruchom ponownie komputer

[delgard]

Wyskoczył komunikat:

Nie można zaimportować F:\Documents and Settings\Artur i Dorotka\Pulpit\fix.reg: Określony plik nie jest skryptem rejestru.
Można importować tylko binarne pliki rejestru z wewnątrz Edytora rejestru.

[huber2t]

Pobierz ComboFix, ale nie uruchamiaj
Wklej do notatnika:

Kod: Zaznacz wszystko

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\3c96147d]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\a89c1a66]


Plik zapisz jako CFScript.txt (najwygodniej będzie, jeśli zapiszesz w takiej lokalizacji, by ikonka CFScript.txt znalazła się obok ikonki ComboFix.exe)
Przeciągnij i upuść ikonkę CFScript.txt na ikonkę ComboFix.exe tak jak tu

Powinno się rozpocząć usuwanie i powstanie log, daj ten log na forum.

[delgard]

To ten log:

ComboFix 08-05-01.1 - Artur i Dorotka 2008-05-02 17:08:39.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.670 [GMT 2:00]
Running from: I:\Fix do wirusów\ComboFix.exe
Command switches used :: I:\Fix do wirusów\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-04-02 to 2008-05-02 )))))))))))))))))))))))))))))))
.

2008-05-02 14:45 . 2008-05-02 14:45 <DIR> d-------- F:\Program Files\PrevxCSI
2008-05-02 14:45 . 2008-05-02 15:20 <DIR> d-------- F:\Documents and Settings\All Users\Dane aplikacji\PrevxCSI
2008-05-02 14:45 . 2008-05-02 15:20 10,880 --a------ F:\WINDOWS\system32\drivers\pxark.sys
2008-04-24 19:29 . 2007-07-19 18:14 3,727,720 --a------ F:\WINDOWS\system32\d3dx9_35.dll
2008-04-24 19:29 . 2007-07-19 18:14 1,358,192 --a------ F:\WINDOWS\system32\D3DCompiler_35.dll
2008-04-24 19:29 . 2007-07-19 18:14 444,776 --a------ F:\WINDOWS\system32\d3dx10_35.dll
2008-04-13 14:42 . 2008-04-14 08:04 <DIR> d-------- F:\WINDOWS\SxsCaPendDel
2008-04-12 17:12 . 2008-04-12 17:12 <DIR> d-------- F:\Documents and Settings\Artur i Dorotka\Dane aplikacji\Gadu-Gadu
2008-04-11 09:35 . 2008-04-12 17:03 <DIR> d-------- F:\Documents and Settings\Artur i Dorotka\Gadu-Gadu

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-02 15:09 176,443,424 --sha-w F:\WINDOWS\system32\drivers\fidbox.dat
2008-05-02 13:46 6,246,544 ----a-w F:\WINDOWS\Internet Logs\tvDebug.zip
2008-05-02 13:46 105,316 ----a-w F:\WINDOWS\Internet Logs\vsmon_2nd_2008_05_02_11_53_34_small.dmp.zip
2008-05-02 13:45 2,082,668 --sha-w F:\WINDOWS\system32\drivers\fidbox.idx
2008-05-02 12:23 --------- d-----w F:\Program Files\XoftSpySE
2008-05-02 10:27 --------- d-----w F:\Documents and Settings\Artur i Dorotka\Dane aplikacji\foobar2000
2008-04-24 19:35 --------- d-----w F:\Documents and Settings\Artur i Dorotka\Dane aplikacji\InstallShield Installation Information
2008-04-09 15:44 278,984 ----a-w F:\WINDOWS\system32\drivers\atksgt.sys
2008-03-17 20:26 --------- d-----w F:\Program Files\SkanerOnline
2008-03-09 21:28 --------- d-----w F:\Documents and Settings\All Users\Dane aplikacji\Skype
2008-03-09 15:05 --------- d-----w F:\Documents and Settings\Artur i Dorotka\Dane aplikacji\skypePM
2008-03-08 11:07 32 ----a-w F:\Documents and Settings\All Users\Dane aplikacji\ezsid.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="F:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:44 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X IDE Setup"="F:\WINDOWS\JM\JMInsIDE.exe" [2006-10-30 14:44 36864]
"NvCplDaemon"="F:\WINDOWS\system32\NvCpl.dll" [2007-05-11 00:03 8429568]
"nwiz"="nwiz.exe" [2007-05-11 00:03 1626112 F:\WINDOWS\system32\nwiz.exe]
"ZoneAlarm Client"="J:\Programy\Zone Labs\ZoneAlarm\zlclient.exe" [2007-06-21 21:54 919016]
"WinampAgent"="J:\Programy\Winamp\winampa.exe" [2007-05-15 00:22 35328]
"NvMediaCenter"="F:\WINDOWS\system32\NvMcTray.dll" [2007-05-11 00:03 81920]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-12 11:33 16132608 F:\WINDOWS\RTHDCPL.exe]
"DAEMON Tools-1033"="J:\Programy\Daemon\daemon.exe" [2004-08-22 18:05 81920]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="F:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 01:44 15360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifghgd]
iifghgd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winpdc32]
winpdc32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKLM\~\startupfolder\F:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Gamma Loader.lnk]
path=F:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Gamma Loader.lnk
backup=F:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\F:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]
path=F:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk
backup=F:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\F:^Documents and Settings^All Users^Menu Start^Programy^Autostart^HP Digital Imaging Monitor.lnk]
path=F:\Documents and Settings\All Users\Menu Start\Programy\Autostart\HP Digital Imaging Monitor.lnk
backup=F:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\F:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Microsoft Office.lnk]
path=F:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Microsoft Office.lnk
backup=F:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\F:^Documents and Settings^Artur i Dorotka^Menu Start^Programy^Autostart^GIGABYTE VGA Utility.lnk]
path=F:\Documents and Settings\Artur i Dorotka\Menu Start\Programy\Autostart\GIGABYTE VGA Utility.lnk
backup=F:\WINDOWS\pss\GIGABYTE VGA Utility.lnkStartup

[HKLM\~\startupfolder\F:^Documents and Settings^Artur i Dorotka^Menu Start^Programy^Autostart^Last.fm Helper.lnk]
path=F:\Documents and Settings\Artur i Dorotka\Menu Start\Programy\Autostart\Last.fm Helper.lnk
backup=F:\WINDOWS\pss\Last.fm Helper.lnkStartup

[HKLM\~\startupfolder\F:^Documents and Settings^Artur i Dorotka^Menu Start^Programy^Autostart^Registration Heroes of Might & Magic 5 - Tribes of the East.LNK]
path=F:\Documents and Settings\Artur i Dorotka\Menu Start\Programy\Autostart\Registration Heroes of Might & Magic 5 - Tribes of the East.LNK
backup=F:\WINDOWS\pss\Registration Heroes of Might & Magic 5 - Tribes of the East.LNKStartup

[HKLM\~\startupfolder\F:^Documents and Settings^Artur i Dorotka^Menu Start^Programy^Autostart^Registration Heroes of Might & Magic 5.LNK]
path=F:\Documents and Settings\Artur i Dorotka\Menu Start\Programy\Autostart\Registration Heroes of Might & Magic 5.LNK
backup=F:\WINDOWS\pss\Registration Heroes of Might & Magic 5.LNKStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
--a------ 2007-12-04 15:00 79224 J:\avast\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
J:\Programy\Daemon\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gadu-Gadu]
--a------ 2008-03-20 12:04 2127296 J:\Programy\Gadu-Gadu\gg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2006-12-10 22:52 49152 F:\Program Files\hp\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-08-11 10:30 249856 F:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-08-11 10:30 81920 F:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-08-04 00:55 1667584 F:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 F:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
-ra------ 2005-10-26 17:17 159744 J:\Programy\Sony Ericsson\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WheelMouse]
--a------ 2005-09-21 19:23 159744 F:\PROGRA~1\A4Tech\Mouse\Amoumain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"avast! Web Scanner"=3 (0x3)
"avast! Mail Scanner"=3 (0x3)
"avast! Antivirus"=2 (0x2)
"aswUpdSv"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"H:\\World in Conflict\\wic.exe"=
"H:\\World in Conflict\\wic_online.exe"=
"H:\\World in Conflict\\wic_ds.exe"=
"%windir%\\system32\\sessmgr.exe"=
"H:\\Call of Duty 4\\iw3mp.exe"=
"D:\\Perseus\\FEARXP2.exe"=

R0 pxark;pxark;F:\WINDOWS\system32\drivers\pxark.sys [2008-05-02 15:20]
R2 CA_LIC_CLNT;CA License Client;"F:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe" [2004-08-31 16:21]
R2 CSIScanner;CSIScanner;"F:\Program Files\PrevxCSI\\PrevxCSI.exe" /service []
R2 LogWatch;Event Log Watch;"F:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe" [2004-07-23 17:06]
S3 Amps2prt;A4Tech PS/2 Port Mouse Driver;F:\WINDOWS\system32\DRIVERS\Amps2prt.sys [2005-09-21 16:27]
S3 gdrv;gdrv;F:\WINDOWS\gdrv.sys [2007-09-05 18:38]
S3 k510bus;Sony Ericsson K510 Driver driver (WDM);F:\WINDOWS\system32\DRIVERS\k510bus.sys [2008-01-25 20:02]
S3 k510mdfl;Sony Ericsson K510 USB WMC Modem Filter;F:\WINDOWS\system32\DRIVERS\k510mdfl.sys [2008-01-25 20:02]
S3 k510mdm;Sony Ericsson K510 USB WMC Modem Driver;F:\WINDOWS\system32\DRIVERS\k510mdm.sys [2008-01-25 20:02]
S3 k510mgmt;Sony Ericsson K510 USB WMC Device Management Drivers (WDM);F:\WINDOWS\system32\DRIVERS\k510mgmt.sys [2008-01-25 20:02]
S3 k510obex;Sony Ericsson K510 USB WMC OBEX Interface;F:\WINDOWS\system32\DRIVERS\k510obex.sys [2008-01-25 20:02]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-02 17:09:46
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-02 17:10:17
ComboFix-quarantined-files.txt 2008-05-02 15:10:15

Pre-Run: 39,305,293,824 bajtów wolnych
Post-Run: 39,284,490,240 bajtów wolnych

154

[huber2t]

Pobierz ComboFix, ale nie uruchamiaj
Wklej do notatnika:

Kod: Zaznacz wszystko

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifghgd]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winpdc32]


Plik zapisz jako CFScript.txt (najwygodniej będzie, jeśli zapiszesz w takiej lokalizacji, by ikonka CFScript.txt znalazła się obok ikonki ComboFix.exe)
Przeciągnij i upuść ikonkę CFScript.txt na ikonkę ComboFix.exe tak jak tu

Powinno się rozpocząć usuwanie i powstanie log, daj ten log na forum.

[delgard]

Gotowe, tutaj log:

ComboFix 08-05-01.1 - Artur i Dorotka 2008-05-02 17:22:18.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.654 [GMT 2:00]
Running from: I:\Fix do wirusów\ComboFix.exe
Command switches used :: I:\Fix do wirusów\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-04-02 to 2008-05-02 )))))))))))))))))))))))))))))))
.

2008-05-02 14:45 . 2008-05-02 14:45 <DIR> d-------- F:\Program Files\PrevxCSI
2008-05-02 14:45 . 2008-05-02 15:20 <DIR> d-------- F:\Documents and Settings\All Users\Dane aplikacji\PrevxCSI
2008-05-02 14:45 . 2008-05-02 15:20 10,880 --a------ F:\WINDOWS\system32\drivers\pxark.sys
2008-04-24 19:29 . 2007-07-19 18:14 3,727,720 --a------ F:\WINDOWS\system32\d3dx9_35.dll
2008-04-24 19:29 . 2007-07-19 18:14 1,358,192 --a------ F:\WINDOWS\system32\D3DCompiler_35.dll
2008-04-24 19:29 . 2007-07-19 18:14 444,776 --a------ F:\WINDOWS\system32\d3dx10_35.dll
2008-04-13 14:42 . 2008-04-14 08:04 <DIR> d-------- F:\WINDOWS\SxsCaPendDel
2008-04-12 17:12 . 2008-04-12 17:12 <DIR> d-------- F:\Documents and Settings\Artur i Dorotka\Dane aplikacji\Gadu-Gadu
2008-04-11 09:35 . 2008-04-12 17:03 <DIR> d-------- F:\Documents and Settings\Artur i Dorotka\Gadu-Gadu

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-02 15:23 176,490,528 --sha-w F:\WINDOWS\system32\drivers\fidbox.dat
2008-05-02 13:46 6,246,544 ----a-w F:\WINDOWS\Internet Logs\tvDebug.zip
2008-05-02 13:46 105,316 ----a-w F:\WINDOWS\Internet Logs\vsmon_2nd_2008_05_02_11_53_34_small.dmp.zip
2008-05-02 13:45 2,082,668 --sha-w F:\WINDOWS\system32\drivers\fidbox.idx
2008-05-02 12:23 --------- d-----w F:\Program Files\XoftSpySE
2008-05-02 10:27 --------- d-----w F:\Documents and Settings\Artur i Dorotka\Dane aplikacji\foobar2000
2008-04-24 19:35 --------- d-----w F:\Documents and Settings\Artur i Dorotka\Dane aplikacji\InstallShield Installation Information
2008-04-09 15:44 278,984 ----a-w F:\WINDOWS\system32\drivers\atksgt.sys
2008-03-17 20:26 --------- d-----w F:\Program Files\SkanerOnline
2008-03-09 21:28 --------- d-----w F:\Documents and Settings\All Users\Dane aplikacji\Skype
2008-03-09 15:05 --------- d-----w F:\Documents and Settings\Artur i Dorotka\Dane aplikacji\skypePM
2008-03-08 11:07 32 ----a-w F:\Documents and Settings\All Users\Dane aplikacji\ezsid.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="F:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:44 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X IDE Setup"="F:\WINDOWS\JM\JMInsIDE.exe" [2006-10-30 14:44 36864]
"NvCplDaemon"="F:\WINDOWS\system32\NvCpl.dll" [2007-05-11 00:03 8429568]
"nwiz"="nwiz.exe" [2007-05-11 00:03 1626112 F:\WINDOWS\system32\nwiz.exe]
"ZoneAlarm Client"="J:\Programy\Zone Labs\ZoneAlarm\zlclient.exe" [2007-06-21 21:54 919016]
"WinampAgent"="J:\Programy\Winamp\winampa.exe" [2007-05-15 00:22 35328]
"NvMediaCenter"="F:\WINDOWS\system32\NvMcTray.dll" [2007-05-11 00:03 81920]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-12 11:33 16132608 F:\WINDOWS\RTHDCPL.exe]
"DAEMON Tools-1033"="J:\Programy\Daemon\daemon.exe" [2004-08-22 18:05 81920]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="F:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 01:44 15360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKLM\~\startupfolder\F:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Gamma Loader.lnk]
path=F:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Gamma Loader.lnk
backup=F:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\F:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]
path=F:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk
backup=F:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\F:^Documents and Settings^All Users^Menu Start^Programy^Autostart^HP Digital Imaging Monitor.lnk]
path=F:\Documents and Settings\All Users\Menu Start\Programy\Autostart\HP Digital Imaging Monitor.lnk
backup=F:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\F:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Microsoft Office.lnk]
path=F:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Microsoft Office.lnk
backup=F:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\F:^Documents and Settings^Artur i Dorotka^Menu Start^Programy^Autostart^GIGABYTE VGA Utility.lnk]
path=F:\Documents and Settings\Artur i Dorotka\Menu Start\Programy\Autostart\GIGABYTE VGA Utility.lnk
backup=F:\WINDOWS\pss\GIGABYTE VGA Utility.lnkStartup

[HKLM\~\startupfolder\F:^Documents and Settings^Artur i Dorotka^Menu Start^Programy^Autostart^Last.fm Helper.lnk]
path=F:\Documents and Settings\Artur i Dorotka\Menu Start\Programy\Autostart\Last.fm Helper.lnk
backup=F:\WINDOWS\pss\Last.fm Helper.lnkStartup

[HKLM\~\startupfolder\F:^Documents and Settings^Artur i Dorotka^Menu Start^Programy^Autostart^Registration Heroes of Might & Magic 5 - Tribes of the East.LNK]
path=F:\Documents and Settings\Artur i Dorotka\Menu Start\Programy\Autostart\Registration Heroes of Might & Magic 5 - Tribes of the East.LNK
backup=F:\WINDOWS\pss\Registration Heroes of Might & Magic 5 - Tribes of the East.LNKStartup

[HKLM\~\startupfolder\F:^Documents and Settings^Artur i Dorotka^Menu Start^Programy^Autostart^Registration Heroes of Might & Magic 5.LNK]
path=F:\Documents and Settings\Artur i Dorotka\Menu Start\Programy\Autostart\Registration Heroes of Might & Magic 5.LNK
backup=F:\WINDOWS\pss\Registration Heroes of Might & Magic 5.LNKStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
--a------ 2007-12-04 15:00 79224 J:\avast\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
J:\Programy\Daemon\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gadu-Gadu]
--a------ 2008-03-20 12:04 2127296 J:\Programy\Gadu-Gadu\gg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2006-12-10 22:52 49152 F:\Program Files\hp\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-08-11 10:30 249856 F:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-08-11 10:30 81920 F:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-08-04 00:55 1667584 F:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 F:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
-ra------ 2005-10-26 17:17 159744 J:\Programy\Sony Ericsson\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WheelMouse]
--a------ 2005-09-21 19:23 159744 F:\PROGRA~1\A4Tech\Mouse\Amoumain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"avast! Web Scanner"=3 (0x3)
"avast! Mail Scanner"=3 (0x3)
"avast! Antivirus"=2 (0x2)
"aswUpdSv"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"H:\\World in Conflict\\wic.exe"=
"H:\\World in Conflict\\wic_online.exe"=
"H:\\World in Conflict\\wic_ds.exe"=
"%windir%\\system32\\sessmgr.exe"=
"H:\\Call of Duty 4\\iw3mp.exe"=
"D:\\Perseus\\FEARXP2.exe"=

R0 pxark;pxark;F:\WINDOWS\system32\drivers\pxark.sys [2008-05-02 15:20]
R2 CA_LIC_CLNT;CA License Client;"F:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe" [2004-08-31 16:21]
R2 CSIScanner;CSIScanner;"F:\Program Files\PrevxCSI\\PrevxCSI.exe" /service []
R2 LogWatch;Event Log Watch;"F:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe" [2004-07-23 17:06]
S3 Amps2prt;A4Tech PS/2 Port Mouse Driver;F:\WINDOWS\system32\DRIVERS\Amps2prt.sys [2005-09-21 16:27]
S3 gdrv;gdrv;F:\WINDOWS\gdrv.sys [2007-09-05 18:38]
S3 k510bus;Sony Ericsson K510 Driver driver (WDM);F:\WINDOWS\system32\DRIVERS\k510bus.sys [2008-01-25 20:02]
S3 k510mdfl;Sony Ericsson K510 USB WMC Modem Filter;F:\WINDOWS\system32\DRIVERS\k510mdfl.sys [2008-01-25 20:02]
S3 k510mdm;Sony Ericsson K510 USB WMC Modem Driver;F:\WINDOWS\system32\DRIVERS\k510mdm.sys [2008-01-25 20:02]
S3 k510mgmt;Sony Ericsson K510 USB WMC Device Management Drivers (WDM);F:\WINDOWS\system32\DRIVERS\k510mgmt.sys [2008-01-25 20:02]
S3 k510obex;Sony Ericsson K510 USB WMC OBEX Interface;F:\WINDOWS\system32\DRIVERS\k510obex.sys [2008-01-25 20:02]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-02 17:23:10
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-02 17:23:44
ComboFix-quarantined-files.txt 2008-05-02 15:23:42
ComboFix2.txt 2008-05-02 15:10:18

Pre-Run: 39,264,235,520 bajtów wolnych
Post-Run: 39,245,377,536 bajtów wolnych

151

[huber2t]

Log wyglada na czysty

Przeskanuj komputer tym (uruchom przez IE) http://www.kaspersky.pl/virusscanner.html Daj raport z niego na forum

[delgard]

Log z Kaspersky'ego

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
2 maj 2008 20:07:26
System operacyjny: Microsoft Windows XP Professional, Dodatek Service Pack 2 (Build 2600)
Kaspersky Online Scanner wersja: 5.0.98.0
Ostatnia aktualizacja Kaspersky Anti-Virus 2/05/2008
Liczba wpisów w bazie danych Kaspersky Anti-Virus735468
-------------------------------------------------------------------------------

Ustawienia skanowania:
Skanowanie przy użyciu następujących baz danych: rozszerzone
Skanuj archiwa: tak
Skanuj pocztowe bazy danych: nie

Obszar skanowania - Mój komputer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\
L:\
M:\
N:\

Statystyki skanowania:
Liczba skanowanych obiektów: 121328
Liczba wykrytych wirusów: 3
Liczba zainfekowanych obiektów: 91
Liczba podejrzanych obiektów: 0
Czas trwania skanowania: 02:08:35

Nazwa zainfekowanego obiektu / Nazwa wirusa / Ostatnie działanie
C:\oufddh.exe Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rry pominięty
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked pominięty
C:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP113\A0046172.exe Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rry pominięty
C:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP113\A0046173.inf Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rry pominięty
C:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP114\A0046191.exe Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rry pominięty
C:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP114\A0046192.inf Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rry pominięty
C:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP114\A0046419.exe Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rry pominięty
C:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP114\A0046420.inf Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rry pominięty
C:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP114\A0046455.exe Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rry pominięty
C:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP114\A0046456.inf Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rry pominięty
C:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP114\A0046475.exe Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rry pominięty
C:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP114\A0046476.inf Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rry pominięty
C:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP115\A0046587.inf Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rry pominięty
C:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP118\change.log Object is locked pominięty
D:\oufddh.exe Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rry pominięty
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked pominięty
D:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP113\A0046174.exe Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rry pominięty
D:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP113\A0046175.inf Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rry pominięty
D:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP114\A0046193.exe Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rry pominięty
D:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP114\A0046194.inf Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rry pominięty
D:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP114\A0046421.exe Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rry pominięty
D:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP114\A0046422.inf Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rry pominięty
D:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP114\A0046457.exe Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rry pominięty
D:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP114\A0046458.inf Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rry pominięty
D:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP114\A0046477.exe Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rry pominięty
D:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP114\A0046478.inf Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rry pominięty
D:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP115\A0046588.inf Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rry pominięty
D:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP118\change.log Object is locked pominięty
F:\Documents and Settings\Artur i Dorotka\Cookies\index.dat Object is locked pominięty
F:\Documents and Settings\Artur i Dorotka\Dane aplikacji\Mozilla\Firefox\Profiles\dlbtc590.default\cert8.db Object is locked pominięty
F:\Documents and Settings\Artur i Dorotka\Dane aplikacji\Mozilla\Firefox\Profiles\dlbtc590.default\formhistory.dat Object is locked pominięty
F:\Documents and Settings\Artur i Dorotka\Dane aplikacji\Mozilla\Firefox\Profiles\dlbtc590.default\history.dat Object is locked pominięty
F:\Documents and Settings\Artur i Dorotka\Dane aplikacji\Mozilla\Firefox\Profiles\dlbtc590.default\key3.db Object is locked pominięty
F:\Documents and Settings\Artur i Dorotka\Dane aplikacji\Mozilla\Firefox\Profiles\dlbtc590.default\parent.lock Object is locked pominięty
F:\Documents and Settings\Artur i Dorotka\Dane aplikacji\Mozilla\Firefox\Profiles\dlbtc590.default\search.sqlite Object is locked pominięty
F:\Documents and Settings\Artur i Dorotka\Dane aplikacji\Mozilla\Firefox\Profiles\dlbtc590.default\urlclassifier2.sqlite Object is locked pominięty
F:\Documents and Settings\Artur i Dorotka\Moje dokumenty\mIRC\mirc.exe Zainfekowanych: not-a-virus:Client-IRC.Win32.mIRC.631 pominięty
F:\Documents and Settings\Artur i Dorotka\ntuser.dat Object is locked pominięty
F:\Documents and Settings\Artur i Dorotka\ntuser.dat.LOG Object is locked pominięty
F:\Documents and Settings\Artur i Dorotka\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows\UsrClass.dat Object is locked pominięty
F:\Documents and Settings\Artur i Dorotka\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows\UsrClass.dat.LOG Object is locked pominięty
F:\Documents and Settings\Artur i Dorotka\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\dlbtc590.default\Cache\_CACHE_001_ Object is locked pominięty
F:\Documents and Settings\Artur i Dorotka\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\dlbtc590.default\Cache\_CACHE_002_ Object is locked pominięty
F:\Documents and Settings\Artur i Dorotka\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\dlbtc590.default\Cache\_CACHE_003_ Object is locked pominięty
F:\Documents and Settings\Artur i Dorotka\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\dlbtc590.default\Cache\_CACHE_MAP_ Object is locked pominięty
F:\Documents and Settings\Artur i Dorotka\Ustawienia lokalne\Historia\History.IE5\index.dat Object is locked pominięty
F:\Documents and Settings\Artur i Dorotka\Ustawienia lokalne\Temporary Internet Files\Content.IE5\index.dat Object is locked pominięty
F:\Documents and Settings\LocalService\Cookies\index.dat Object is locked pominięty
F:\Documents and Settings\LocalService\ntuser.dat Object is locked pominięty
F:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked pominięty
F:\Documents and Settings\LocalService\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows\UsrClass.dat Object is locked pominięty
F:\Documents and Settings\LocalService\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows\UsrClass.dat.LOG Object is locked pominięty
F:\Documents and Settings\LocalService\Ustawienia lokalne\Historia\History.IE5\index.dat Object is locked pominięty
F:\Documents and Settings\LocalService\Ustawienia lokalne\Temp\Cookies\index.dat Object is locked pominięty
F:\Documents and Settings\LocalService\Ustawienia lokalne\Temp\Historia\History.IE5\index.dat Object is locked pominięty
F:\Documents and Settings\LocalService\Ustawienia lokalne\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked pominięty
F:\Documents and Settings\LocalService\Ustawienia lokalne\Temporary Internet Files\Content.IE5\index.dat Object is locked pominięty
F:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked pominięty
F:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked pominięty
F:\Documents and Settings\NetworkService\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows\UsrClass.dat Object is locked pominięty
F:\Documents and Settings\NetworkService\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows\UsrClass.dat.LOG Object is locked pominięty
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked pominięty
F:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP113\A0046171.dll Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rrx pominięty
F:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP113\A0046176.exe Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rry pominięty
F:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP113\A0046177.inf Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rry pominięty
F:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP114\A0046195.exe Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rry pominięty
F:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP114\A0046196.inf Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rry pominięty
F:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP114\A0046417.dll Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rrx pominięty
F:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP114\A0046423.exe Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rry pominięty
F:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP114\A0046424.inf Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rry pominięty
F:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP114\A0046454.dll Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rrx pominięty
F:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP114\A0046459.exe Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rry pominięty
F:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP114\A0046460.inf Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rry pominięty
F:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP114\A0046474.dll Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rrx pominięty
F:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP114\A0046479.exe Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rry pominięty
F:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP114\A0046480.inf Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rry pominięty
F:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP115\A0046584.exe Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rry pominięty
F:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP115\A0046585.dll Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rrx pominięty
F:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP115\A0046586.inf Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rry pominięty
F:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP116\A0046650.exe Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rry pominięty
F:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP118\change.log Object is locked pominięty
F:\WINDOWS\Debug\PASSWD.LOG Object is locked pominięty
F:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked pominięty
F:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked pominięty
F:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked pominięty
F:\WINDOWS\Internet Logs\MY.ldb Object is locked pominięty
F:\WINDOWS\Internet Logs\tvDebug.log Object is locked pominięty
F:\WINDOWS\SchedLgU.Txt Object is locked pominięty
F:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked pominięty
F:\WINDOWS\Sti_Trace.log Object is locked pominięty
F:\WINDOWS\system32\CatRoot2\edb.log Object is locked pominięty
F:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked pominięty
F:\WINDOWS\system32\config\Antivirus.Evt Object is locked pominięty
F:\WINDOWS\system32\config\AppEvent.Evt Object is locked pominięty
F:\WINDOWS\system32\config\default Object is locked pominięty
F:\WINDOWS\system32\config\default.LOG Object is locked pominięty
F:\WINDOWS\system32\config\SAM Object is locked pominięty
F:\WINDOWS\system32\config\SAM.LOG Object is locked pominięty
F:\WINDOWS\system32\config\SecEvent.Evt Object is locked pominięty
F:\WINDOWS\system32\config\SECURITY Object is locked pominięty
F:\WINDOWS\system32\config\SECURITY.LOG Object is locked pominięty
F:\WINDOWS\system32\config\software Object is locked pominięty
F:\WINDOWS\system32\config\software.LOG Object is locked pominięty
F:\WINDOWS\system32\config\SysEvent.Evt Object is locked pominięty
F:\WINDOWS\system32\config\system Object is locked pominięty
F:\WINDOWS\system32\config\system.LOG Object is locked pominięty
F:\WINDOWS\system32\drivers\fidbox.dat Object is locked pominięty
F:\WINDOWS\system32\drivers\fidbox.idx Object is locked pominięty
F:\WINDOWS\system32\drivers\sptd.sys Object is locked pominięty
F:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked pominięty
F:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked pominięty
F:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked pominięty
F:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked pominięty
F:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked pominięty
F:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked pominięty
F:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked pominięty
F:\WINDOWS\Temp\ZLT01126.TMP Object is locked pominięty
F:\WINDOWS\Temp\ZLT02cd8.TMP Object is locked pominięty
F:\WINDOWS\wiadebug.log Object is locked pominięty
F:\WINDOWS\wiaservc.log Object is locked pominięty
F:\WINDOWS\WindowsUpdate.log Object is locked pominięty
G:\oufddh.exe Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rry pominięty
G:\System Volume Information\MountPointManagerRemoteDatabase Object is locked pominięty
G:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP113\A0046178.exe Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rry pominięty
G:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP113\A0046179.inf Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rry pominięty
G:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP114\A0046197.exe Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rry pominięty
G:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP114\A0046198.inf Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rry pominięty
G:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP114\A0046425.exe Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rry pominięty
G:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP114\A0046426.inf Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rry pominięty
G:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP114\A0046461.exe Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rry pominięty
G:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP114\A0046462.inf Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rry pominięty
G:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP114\A0046481.exe Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rry pominięty
G:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP114\A0046482.inf Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rry pominięty
G:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP115\A0046589.inf Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rry pominięty
G:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP118\change.log Object is locked pominięty
H:\oufddh.exe Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rry pominięty
H:\System Volume Information\MountPointManagerRemoteDatabase Object is locked pominięty
H:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP113\A0046180.exe Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rry pominięty
H:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP113\A0046181.inf Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rry pominięty
H:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP114\A0046199.exe Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rry pominięty
H:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP114\A0046200.inf Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rry pominięty
H:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP114\A0046427.exe Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rry pominięty
H:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP114\A0046428.inf Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rry pominięty
H:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP114\A0046463.exe Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rry pominięty
H:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP114\A0046464.inf Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rry pominięty
H:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP114\A0046483.exe Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rry pominięty
H:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP114\A0046484.inf Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rry pominięty
H:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP115\A0046590.inf Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rry pominięty
H:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP118\change.log Object is locked pominięty
I:\oufddh.exe Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rry pominięty
I:\System Volume Information\MountPointManagerRemoteDatabase Object is locked pominięty
I:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP113\A0046182.exe Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rry pominięty
I:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP113\A0046183.inf Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rry pominięty
I:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP114\A0046201.exe Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rry pominięty
I:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP114\A0046202.inf Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rry pominięty
I:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP114\A0046429.exe Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rry pominięty
I:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP114\A0046430.inf Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rry pominięty
I:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP114\A0046465.exe Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rry pominięty
I:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP114\A0046466.inf Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rry pominięty
I:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP114\A0046485.exe Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rry pominięty
I:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP114\A0046486.inf Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rry pominięty
I:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP115\A0046591.inf Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rry pominięty
I:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP118\change.log Object is locked pominięty
J:\oufddh.exe Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rry pominięty
J:\System Volume Information\MountPointManagerRemoteDatabase Object is locked pominięty
J:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP113\A0046184.exe Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rry pominięty
J:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP113\A0046185.inf Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rry pominięty
J:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP114\A0046203.exe Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rry pominięty
J:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP114\A0046204.inf Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rry pominięty
J:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP114\A0046431.exe Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rry pominięty
J:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP114\A0046432.inf Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rry pominięty
J:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP114\A0046467.exe Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rry pominięty
J:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP114\A0046468.inf Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rry pominięty
J:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP114\A0046487.exe Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rry pominięty
J:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP114\A0046488.inf Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rry pominięty
J:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP115\A0046592.inf Zainfekowanych: Trojan-PSW.Win32.OnLineGames.rry pominięty
J:\System Volume Information\_restore{37B9C8DA-D197-47FF-A400-14D1D8F48202}\RP118\change.log Object is locked pominięty

Proces skanowania został zakończony.

[huber2t]

Pobierz Avenger

wklej do niego ten tekst:

Kod: Zaznacz wszystko

Files to delete:
C:\oufddh.exe
D:\oufddh.exe
G:\oufddh.exe
H:\oufddh.exe
J:\oufddh.exe


kopiuj to i klikasz na Paste Script from Clipboard wybierasz Execute oraz Potwierdzasz i zgadzasz się na restart klikając OK.
Kasujesz ręcznie z dysku plik: C:\Avenger\backup.zip i wklejasz na forum raport: C:\avenger.txt

Wyłącz i włącz przywracanie systemu na wszystkich dyskach. Instrukcja

[delgard]

Log z Avengera


Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at F:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\oufddh.exe" deleted successfully.
File "D:\oufddh.exe" deleted successfully.
File "G:\oufddh.exe" deleted successfully.
File "H:\oufddh.exe" deleted successfully.
File "J:\oufddh.exe" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

[huber2t]

Dla pewności przeskanuj jeszcze raz Kasperskim, ale już powinno być wszystko dobrze

[delgard]

Wielkie dzięki za pomoc