"Your computer was infected by dangerous trojan
It's dangerous for tour system ( critical files can be lost)!
Click OK to dowload the antispyware program to clean your system! (Recommended)"
I have already read a bit about this online and, if I'm not mistaken, it's a scam: it's (probably) not a trojan but something meant to force me to buy a license for an antispyware-type program that I'm also supposed to download, though I'm not sure about this theory. I have also read several threads on this subject on other sites and forums; they usually asked for a system log from ComboFix and/or HijackThis, which is black magic to me. So I made a log with ComboFix and got this:
ComboFix 08-04-11.8 - xxx 2008-04-12 17:55:59.2 - NTFSx86
Running from: C:\Documents and Settings\xxx\Pulpit\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_ntio256
((((((((((((((((((((((((( Files Created from 2008-03-12 to 2008-04-12 )))))))))))))))))))))))))))))))
.
2008-04-12 16:55 . 2008-04-12 17:21 <DIR> d-a------ C:\Documents and Settings\All Users\Dane aplikacji\TEMP
2008-04-12 15:27 . 2008-04-12 15:50 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-04-12 15:15 . 2008-04-12 15:15 <DIR> d-------- C:\Program Files\MSECache
2008-04-12 15:14 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-04-12 15:14 . 2007-07-30 19:18 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-04-12 15:12 . 2007-07-30 19:19 38,232 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-04-12 15:12 . 2007-07-30 19:20 30,040 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-04-12 15:12 . 2007-07-30 19:20 30,040 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-04-12 15:12 . 2007-07-30 19:18 21,336 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-04-11 20:08 . 2008-04-11 20:09 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-04-10 17:18 . 2008-04-10 17:19 <DIR> d-------- C:\WINDOWS\DED53B0BB67C4244AE6AD6FD3C28D1EF.TMP
2008-04-09 16:04 . 2008-04-09 16:04 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-09 16:04 . 2008-04-09 16:04 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Lavasoft
2008-04-09 15:57 . 2008-04-09 15:57 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-09 15:44 . 2008-04-09 15:48 <DIR> d-------- C:\Program Files\Anti Trojan Elite
2008-04-09 15:33 . 2008-01-08 18:51 225,280 --a------ C:\Program Files\Uninstall My Global Search Bar.dll
2008-04-09 15:17 . 2008-04-09 15:17 216,064 --a------ C:\WINDOWS\cndr32a.dll
2008-04-09 15:17 . 2008-04-09 15:17 47 --a------ C:\smp.bat
2008-04-03 13:21 . 2008-04-03 13:21 <DIR> d-------- C:\Program Files\XericDesign
2008-03-29 15:06 . 2008-03-29 15:06 <DIR> d-------- C:\Documents and Settings\xxx\Dane aplikacji\QPrinter
2008-03-29 15:00 . 2008-03-29 15:03 <DIR> d-------- C:\Program Files\WordToPDF
2008-03-20 16:27 . 2008-03-20 20:17 635 --a------ C:\WINDOWS\rtcwgoty.INI
2008-03-20 09:17 . 2008-03-21 18:31 <DIR> d-------- C:\Program Files\KurczakiArmageddon Demo
2008-03-16 10:21 . 2008-03-24 11:16 <DIR> d-------- C:\Program Files\VSD Software
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-02 17:26 --------- d-----w C:\Documents and Settings\xxx\Dane aplikacji\Skype
2008-04-02 17:21 --------- d-----w C:\Documents and Settings\xxx\Dane aplikacji\skypePM
2008-03-24 09:23 --------- d-----w C:\Documents and Settings\xxx\Dane aplikacji\XnView
2008-03-20 15:14 --------- d-----w C:\Program Files\MarBit
2008-03-20 15:14 --------- d-----w C:\Program Files\DivX
2008-03-19 15:47 --------- d-----w C:\Documents and Settings\xxx\Dane aplikacji\FrostWire
2008-03-17 15:38 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\nView_Profiles
2008-03-07 16:59 --------- d-----w C:\Documents and Settings\xxx\Dane aplikacji\Orbit
2008-03-02 16:11 --------- d-----w C:\Documents and Settings\xxx\Dane aplikacji\IrfanView
2008-02-25 13:12 --------- d-----w C:\Program Files\Media Player Classic
2008-02-23 16:04 --------- d-----w C:\Program Files\InstallShield Installation Information
2008-02-22 18:48 12,464 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2008-02-22 17:38 --------- d-----w C:\Documents and Settings\xxx\Dane aplikacji\Uniblue
2008-02-22 17:18 --------- d-----w C:\Program Files\Firefly Studios
2008-02-22 13:27 72,234 ----a-w C:\WINDOWS\BricoPackUninst.cmd
2008-02-22 13:27 5,656 ----a-w C:\WINDOWS\BricoPackFoldersDelete.cmd
2008-02-19 18:32 --------- d-----w C:\Program Files\MathType
2008-02-19 18:32 --------- d-----w C:\Documents and Settings\xxx\Dane aplikacji\Design Science
2008-02-17 19:25 --------- d-----w C:\Program Files\Valve
2008-02-15 14:53 --------- d-----w C:\Documents and Settings\xxx\Dane aplikacji\Winamp
2007-12-29 18:59 32 ----a-w C:\Documents and Settings\All Users\Dane aplikacji\ezsid.dat
2004-08-03 22:44 93,184 --sha-w C:\WINDOWS\BricoPacks\SysFiles\79_iexplore.exe
.
------- Sigcheck -------
2007-02-19 17:05 695808 121fa5a9175c5b2732807ca98008cd8c C:\WINDOWS\ServicePackFiles\i386\wininet.dll
2007-02-19 17:05 661504 7e74aedaac9627358c3533b0837a6f36 C:\WINDOWS\SoftwareDistribution\Download\c4d240c7b2d9e29538862d61e6863bb0\SP2GDR\wininet.dll
2007-02-19 17:23 668160 f3d9666793b8c21ef3101d367de29519 C:\WINDOWS\SoftwareDistribution\Download\c4d240c7b2d9e29538862d61e6863bb0\SP2QFE\wininet.dll
2008-02-16 11:05 662016 37c7b292d6fcd9636d42c738cd288db8 C:\WINDOWS\SoftwareDistribution\Download\d60395829b8e75e863df2a5e0b559a5e\sp2gdr\wininet.dll
2008-02-16 11:32 668672 193f94d811881d00867aeb1d6780f44f C:\WINDOWS\SoftwareDistribution\Download\d60395829b8e75e863df2a5e0b559a5e\sp2qfe\wininet.dll
2007-02-19 17:05 695808 121fa5a9175c5b2732807ca98008cd8c C:\WINDOWS\system32\wininet.dll
2007-02-19 17:05 695808 121fa5a9175c5b2732807ca98008cd8c C:\WINDOWS\system32\dllcache\wininet.dll
2004-08-04 00:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\ServicePackFiles\i386\tcpip.sys
2007-10-30 19:20 360064 90caff4b094573449a0872a0f919b178 C:\WINDOWS\SoftwareDistribution\Download\85df038b1f331d3835256425c1b567cb\sp2gdr\tcpip.sys
2007-10-30 18:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\SoftwareDistribution\Download\85df038b1f331d3835256425c1b567cb\sp2qfe\tcpip.sys
2006-04-20 13:51 359808 1dbf125862891817f374f407626967f4 C:\WINDOWS\system32\dllcache\tcpip.sys
2006-04-20 13:51 359808 45265cbad25c6254afafc7bdd88bdb4b C:\WINDOWS\system32\drivers\tcpip.sys
2004-08-04 00:44 975872 196c130d31317fe53de984220b5e13b9 C:\WINDOWS\explorer.exe
2004-08-04 00:44 975872 196c130d31317fe53de984220b5e13b9 C:\WINDOWS\ServicePackFiles\i386\explorer.exe
2007-06-13 15:23 1034752 029a562e81bbee088c61d418bf408f44 C:\WINDOWS\SoftwareDistribution\Download\8d454b309577cd5649a81b0f39c2c9c7\sp2gdr\explorer.exe
2007-06-13 15:12 1034752 8db0650b211425b9cdb7d1c4a8f6b482 C:\WINDOWS\SoftwareDistribution\Download\8d454b309577cd5649a81b0f39c2c9c7\sp2qfe\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8D820860-2FA8-49A8-8809-B450ED80D3BB}]
2008-04-09 15:17 216064 --a------ C:\WINDOWS\cndr32a.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2008-01-30 15:51 267592 --a------ C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{0D045BAA-4BD3-4C94-BE8B-21536BD6BD9F}"= "C:\Program Files\Video ActiveX Object\iesplugin.dll" [ ]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= "C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL" [2008-01-30 15:51 267592]
[HKEY_CLASSES_ROOT\clsid\{0d045baa-4bd3-4c94-be8b-21536bd6bd9f}]
[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{0D045BAA-4BD3-4C94-BE8B-21536BD6BD9F}"= C:\Program Files\Video ActiveX Object\iesplugin.dll [ ]
[HKEY_CLASSES_ROOT\clsid\{0d045baa-4bd3-4c94-be8b-21536bd6bd9f}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadu-Gadu"="D:\Program Files\Gadu-Gadu\gg.exe" [2007-04-19 17:43 2101248]
"LClock"="C:\Program Files\LClock\lclock.exe" [2004-09-19 20:27 65536]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44 15360]
"Steam"="c:\program files\valve\steam\steam.exe" [2008-03-28 15:20 1271032]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-10-04 14:12 90112 C:\WINDOWS\soundman.exe]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2006-10-19 02:46 921600]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-10-17 04:31 7307264]
"nwiz"="nwiz.exe" [2005-10-17 04:31 1519616 C:\WINDOWS\system32\nwiz.exe]
"Anti Trojan Elite"="C:\Program Files\Anti Trojan Elite\TJEnder.exe" [ ]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoStrCmpLogical"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMBalloonTip"= 1 (0x1)
"MemCheckBoxInRunDlg"= 0 (0x0)
"NoAutoTrayNotify"= 0 (0x0)
"NoResolveTrack"= 0 (0x0)
"NoResolveSearch"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
"NoDesktopCleanupWizard"= 1 (0x1)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"VStorage"= {0986121E-C8FB-4BD4-8052-8647F8A9C555} - swmclip.dll [ ]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\BitSpirit\\BitSpirit.exe"=
"D:\\Program Files\\Gadu-Gadu\\gg.exe"=
"C:\\Program Files\\Valve\\Steam\\SteamApps\\gen16\\counter-strike\\hl.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"25219:TCP"= 25219:TCP:BitComet 25219 TCP
"25219:UDP"= 25219:UDP:BitComet 25219 UDP
"14288:TCP"= 14288:TCP:BitComet 14288 TCP
"14288:UDP"= 14288:UDP:BitComet 14288 UDP
R0 tffsport;M-Systems DiskOnChip 2000;C:\WINDOWS\system32\DRIVERS\tffsport.sys [2004-08-04 00:00]
S3 ATE_PROCMON;ATE_PROCMON;C:\Program Files\Anti Trojan Elite\ATEPMon.sys []
S3 usbscan;Sterownik skanera USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 22:58]
S3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 23:08]
S3 w200bus;Sony Ericsson W200 driver (WDM);C:\WINDOWS\system32\DRIVERS\w200bus.sys [2006-11-07 10:42]
S3 w200mdfl;Sony Ericsson W200 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\w200mdfl.sys [2006-11-07 10:42]
S3 w200mdm;Sony Ericsson W200 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\w200mdm.sys [2006-11-07 10:42]
S3 w200mgmt;Sony Ericsson W200 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\w200mgmt.sys [2006-11-07 10:42]
S3 w200obex;Sony Ericsson W200 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\w200obex.sys [2006-11-07 10:42]
.
**************************************************************************
catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-12 18:01:08
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\LClock\LC.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-04-12 18:05:10 - machine was rebooted [xxx]
ComboFix-quarantined-files.txt 2008-04-12 16:04:56
Pre-Run: 8,585,408,512 bajtów wolnych
Post-Run: 8,572,727,296 bajtów wolnych
Now the question is: what should I do next? How do I get rid of this pop-up message? Or have I made a mistake somewhere in my reasoning? I'm waiting for quick help!