When I turn on the computer, a temp1 error pops up and it shows up as a process. It spreads via pen drive.
Here is the HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:40:55, on 2008-04-10
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\FTRTSVC.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\explorer.exe
C:\Program Files\OrangeBs\TaskBarIcon.exe
C:\Program Files\OrangeBs\BusinessEverywhere.exe
C:\Program Files\OrangeBs\ComComp.exe
C:\Program Files\OrangeBs\Watch.exe
C:\WINDOWS\System32\FTCOMM~1\FTCOMM~1.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Documents and Settings\Administrator\Ustawienia lokalne\Temp\Katalog tymczasowy 2 dla HiJackThis.zip\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [OBSWATCH] C:\PROGRA~1\OrangeBs\Watch.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "D:\Nowy folder\gg\Gadu-Gadu\gg.exe" /tray
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O17 - HKLM\System\CCS\Services\Tcpip\..\{86D0ADE5-26C2-4B14-8DBC-86EECBCA6391}: NameServer = 217.116.100.66 217.116.100.65
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: France Telecom Routing Table Service (FTRTSVC) - France Telecom - C:\WINDOWS\System32\FTRTSVC.exe
--
End of file - 3980 bytes
and the ComboFix log (you can see those temp files here...)
ComboFix 08-04-09.9 - Administrator 2008-04-10 18:52:42.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1250.1.1045.18.112 [GMT 2:00]
Running from: C:\Documents and Settings\Administrator\Pulpit\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Autorun.inf
C:\copy.exe
C:\host.exe
C:\WINDOWS\autorun.inf
C:\WINDOWS\svchost.exe
C:\WINDOWS\system32\temp1.exe
C:\WINDOWS\system32\temp2.exe
C:\WINDOWS\xcopy.exe
D:\Autorun.inf
D:\copy.exe
D:\host.exe
E:\Autorun.inf
E:\copy.exe
E:\host.exe
F:\Autorun.inf
F:\copy.exe
F:\host.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_POWERMANAGER
-------\Service_PowerManager
((((((((((((((((((((((((( Files Created from 2008-03-10 to 2008-04-10 )))))))))))))))))))))))))))))))
.
2008-04-10 18:28 . 2008-04-10 18:28 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
2008-04-10 18:05 . 2008-04-10 18:05 <DIR> d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Lavasoft
2008-04-10 18:04 . 2008-04-10 18:04 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-10 15:47 . 2008-04-10 16:58 1,051 --a------ C:\WINDOWS\GTA-SA_Trn_Settings.ini
2008-04-09 19:44 . 2008-04-09 19:44 <DIR> d-------- C:\Documents and Settings\dziewczyny\Dane aplikacji\Thinstall
2008-04-07 22:21 . 2008-04-10 18:46 <DIR> d-------- C:\Documents and Settings\Administrator\Gadu-Gadu
2008-04-06 22:27 . 2008-04-06 22:27 <DIR> d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Teleca
2008-04-06 22:26 . 2008-03-29 19:20 <DIR> d--h----- C:\Documents and Settings\Administrator\Ustawienia lokalne
2008-04-06 22:26 . 2008-04-10 18:41 <DIR> dr------- C:\Documents and Settings\Administrator\Ulubione
2008-04-06 22:26 . 2008-03-29 19:43 <DIR> d--h----- C:\Documents and Settings\Administrator\Szablony
2008-04-06 22:26 . 2008-04-10 18:51 <DIR> d-------- C:\Documents and Settings\Administrator\Pulpit
2008-04-06 22:26 . 2008-04-06 22:43 <DIR> dr------- C:\Documents and Settings\Administrator\Moje dokumenty
2008-04-06 22:26 . 2008-03-29 19:20 <DIR> dr------- C:\Documents and Settings\Administrator\Menu Start
2008-04-06 22:26 . 2008-04-10 18:05 <DIR> dr-h----- C:\Documents and Settings\Administrator\Dane aplikacji
2008-04-03 00:18 . 2006-04-28 17:26 88,688 -ra------ C:\WINDOWS\system32\drivers\SE27mgmt.sys
2008-04-03 00:18 . 2006-04-28 17:27 86,560 -ra------ C:\WINDOWS\system32\drivers\SE27obex.sys
2008-04-03 00:18 . 2006-04-28 17:27 6,240 -ra------ C:\WINDOWS\system32\drivers\SE27cmnt.sys
2008-04-03 00:18 . 2006-04-28 17:27 6,240 -ra------ C:\WINDOWS\system32\drivers\SE27cm.sys
2008-04-03 00:09 . 2006-04-28 17:25 97,184 -ra------ C:\WINDOWS\system32\drivers\SE27mdm.sys
2008-04-03 00:09 . 2006-04-28 17:25 9,360 -ra------ C:\WINDOWS\system32\drivers\SE27mdfl.sys
2008-04-03 00:08 . 2003-08-25 18:06 182,880 --a------ C:\WINDOWS\system32\iuengine.dll
2008-04-03 00:08 . 2003-08-25 18:06 182,880 --a--c--- C:\WINDOWS\system32\dllcache\iuengine.dll
2008-04-02 18:28 . 2008-04-03 00:18 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2008-04-02 18:28 . 2008-04-02 18:28 <DIR> d-------- C:\Program Files\D-Tools
2008-04-02 18:28 . 2004-08-22 16:31 155,136 --a------ C:\WINDOWS\system32\drivers\d347bus.sys
2008-04-02 18:28 . 2004-08-22 16:31 5,248 --a------ C:\WINDOWS\system32\drivers\d347prt.sys
2008-04-02 18:09 . 2008-04-02 18:09 <DIR> d-------- C:\Program Files\PBP Unpacker
2008-04-02 18:09 . 2005-05-24 21:24 169,534 --a------ C:\WINDOWS\SFO.ICO
2008-04-02 17:49 . 2008-04-02 17:49 <DIR> d-------- C:\Program Files\Runtime Software
2008-04-02 16:34 . 2008-04-02 16:34 <DIR> d---s---- C:\Documents and Settings\dziewczyny\UserData
2008-03-30 22:42 . 2006-04-28 17:24 61,600 -ra------ C:\WINDOWS\system32\drivers\SE27bus.sys
2008-03-30 22:42 . 2002-08-29 01:32 21,760 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-03-30 22:42 . 2006-04-28 17:24 5,872 -ra------ C:\WINDOWS\system32\drivers\SE27whnt.sys
2008-03-30 22:42 . 2006-04-28 17:24 5,872 -ra------ C:\WINDOWS\system32\drivers\SE27wh.sys
2008-03-30 22:40 . 2008-03-30 22:41 <DIR> d-------- C:\Documents and Settings\dziewczyny\Dane aplikacji\Teleca
2008-03-30 22:39 . 2008-03-30 22:39 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-03-30 22:38 . 2008-03-30 22:38 <DIR> d-------- C:\Program Files\Sony Ericsson
2008-03-30 22:38 . 2008-03-30 22:38 <DIR> d-------- C:\Program Files\Common Files\Teleca Shared
2008-03-30 22:38 . 2008-03-30 22:38 <DIR> d-------- C:\Documents and Settings\All Users\Documents
2008-03-30 22:38 . 2008-03-30 22:38 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Teleca
2008-03-30 22:38 . 2008-03-30 22:38 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Sony Ericsson
2008-03-30 22:37 . 2008-04-02 18:27 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-03-30 16:21 . 2002-09-20 18:03 20,480 --a------ C:\WINDOWS\system32\hidserv.dll
2008-03-30 16:21 . 2001-10-26 16:48 14,080 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-03-30 16:21 . 2001-10-26 16:57 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-03-30 16:21 . 2001-08-17 22:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-03-30 16:21 . 2001-08-17 22:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2008-03-30 11:29 . 2008-04-09 18:07 <DIR> d-------- C:\Documents and Settings\dziewczyny\Gadu-Gadu
2008-03-30 01:24 . 2008-03-30 01:24 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2008-03-30 01:17 . 2005-09-08 21:12 <DIR> dr------- C:\Sakson's save 100%
2008-03-30 01:02 . 2008-03-30 01:02 303 --a------ C:\WINDOWS\ST6UNST.001
2008-03-30 00:57 . 2008-03-30 00:57 303 --a------ C:\WINDOWS\ST6UNST.000
2008-03-30 00:56 . 2008-04-10 16:24 <DIR> d-------- C:\Program Files\GTASA-Ultimate Editor
2008-03-30 00:56 . 2008-04-09 18:54 249,856 --------- C:\WINDOWS\Setup1.exe
2008-03-30 00:56 . 2008-04-09 18:54 73,216 --a------ C:\WINDOWS\ST6UNST.EXE
2008-03-30 00:52 . 2008-03-30 00:52 <DIR> d-------- C:\WINDOWS\San Andreas Mod Installer
2008-03-30 00:52 . 2008-03-30 01:33 <DIR> d-------- C:\Program Files\San Andreas Mod Installer
2008-03-30 00:52 . 2008-03-30 00:52 <DIR> d-------- C:\Program Files\7-Zip
2008-03-30 00:26 . 2008-03-30 00:26 <DIR> d-------- C:\Program Files\option
2008-03-30 00:25 . 2002-08-29 02:32 28,160 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-03-30 00:25 . 2002-08-29 02:32 28,160 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-03-30 00:21 . 2008-04-10 18:26 <DIR> d-------- C:\WINDOWS\system32\FTCOMModule
2008-03-30 00:21 . 2008-03-30 00:21 <DIR> d-------- C:\Program Files\FranceTelecomUninstall
2008-03-30 00:21 . 2008-03-31 21:50 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-03-30 00:21 . 2003-08-04 15:22 94,208 --a------ C:\WINDOWS\system32\W32n50.dll
2008-03-30 00:21 . 2004-06-10 17:20 40,960 --a------ C:\WINDOWS\system32\FTRTSVC.exe
2008-03-30 00:21 . 2005-10-06 16:27 36,864 --a------ C:\WINDOWS\system32\IfHelper.dll
2008-03-30 00:21 . 2003-08-04 15:22 16,128 --------- C:\WINDOWS\system32\PCANDIS5.SYS
2008-03-30 00:16 . 2006-05-29 11:52 112,000 --a------ C:\WINDOWS\system32\drivers\Gtm51Irp.sys
2008-03-30 00:16 . 2006-05-29 11:52 25,344 --a------ C:\WINDOWS\system32\drivers\gtmmdmusb.sys
2008-03-30 00:16 . 2006-05-29 11:52 21,760 --a------ C:\WINDOWS\system32\drivers\gtmserusb.sys
2008-03-30 00:16 . 2006-05-29 11:52 19,328 --a------ C:\WINDOWS\system32\drivers\gtscser.sys
2008-03-30 00:16 . 2006-05-29 11:52 16,128 --a------ C:\WINDOWS\system32\drivers\gtffbus.sys
2008-03-30 00:16 . 2006-05-29 11:52 8,064 --a------ C:\WINDOWS\system32\drivers\gtptser.sys
2008-03-30 00:16 . 2006-05-29 11:52 5,120 --a------ C:\WINDOWS\system32\drivers\GtVUsb.sys
2008-03-30 00:15 . 2008-04-10 18:55 <DIR> d-------- C:\Program Files\OrangeBs
2008-03-29 23:49 . 2008-04-10 18:04 <DIR> d-------- C:\Documents and Settings\dziewczyny\Dane aplikacji\Lavasoft
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-09 19:39 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\AntiVir PersonalEdition Classic
2008-03-31 22:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-29 18:58 --------- d-----w C:\Program Files\Common Files\EPSON
2008-03-29 18:57 --------- d-----w C:\Program Files\EPSON
2008-03-29 18:26 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-29 18:22 --------- d-----w C:\Program Files\C-Media Audio
2008-03-29 18:06 --------- d-----w C:\Program Files\C-Media
2008-03-29 17:47 --------- d-----w C:\Program Files\microsoft frontpage
2008-03-29 17:46 558,142 ----a-w C:\WINDOWS\java\Packages\SOJJVVNH.ZIP
2008-03-29 17:46 155,995 ----a-w C:\WINDOWS\java\Packages\FDBVJHJL.ZIP
2008-03-29 17:45 --------- d-----w C:\Program Files\Usługi online
2001-11-23 04:08 712,704 ----a-w C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2002-09-20 18:05 13312]
"Gadu-Gadu"="D:\Nowy folder\gg\Gadu-Gadu\gg.exe" [2006-09-14 17:49 1672904]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="cmicnfg.cpl" []
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2006-03-29 13:54 233512]
"EPSON Stylus C42 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.exe" [2002-02-19 05:03 74240]
"OBSWATCH"="C:\PROGRA~1\OrangeBs\Watch.exe" [2005-09-07 11:26 20480]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 17:17 159744]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 17:05 81920]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-09-20 18:05 13312]
C:\Documents and Settings\dziewczyny\Menu Start\Programy\Autostart\
Reboot.exe [2002-03-21 06:40:42 382464]
R0 avgntmgr;avgntmgr;C:\WINDOWS\System32\drivers\avgntmgr.sys [2005-07-04 13:58]
R1 avgntdd;avgntdd;C:\WINDOWS\System32\DRIVERS\avgntdd.sys [2006-02-23 19:17]
R3 GTFFBUS;GT FF BUS;C:\WINDOWS\System32\DRIVERS\gtffbus.sys [2006-05-29 11:52]
R3 GTMMDMUSB;GT M 3G+ USB MDM;C:\WINDOWS\System32\DRIVERS\gtmmdmusb.sys [2006-05-29 11:52]
R3 GTMNDISIRPXP;GT M 3G+ IRP NDIS;C:\WINDOWS\System32\DRIVERS\Gtm51Irp.sys [2006-05-29 11:52]
R3 GTMSERUSB;GT M 3G+ USB SER;C:\WINDOWS\System32\DRIVERS\gtmserusb.sys [2006-05-29 11:52]
R3 GTPTSER;GT PT SER;C:\WINDOWS\System32\DRIVERS\gtptser.sys [2006-05-29 11:52]
R3 GTSCSER;GT SC SER;C:\WINDOWS\System32\DRIVERS\gtscser.sys [2006-05-29 11:52]
S3 GtVUsb;GlobeTrotter 3G+ Viper Filter Service;C:\WINDOWS\System32\DRIVERS\GtVUsb.sys [2006-05-29 11:52]
S3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2002-08-29 01:32]
.
**************************************************************************
catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-10 18:56:00
Windows 5.1.2600 Dodatek Service Pack. 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\FTRTSVC.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
.
**************************************************************************
.
Completion time: 2008-04-10 18:57:12 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-10 16:56:54
Pre-Run: 12,368,965,632 bajtów wolnych
Post-Run: 12,328,759,296 bajtów wolnych