Windows XP - explorer.exe hangs after startup and taskbar problems

OK, I'm pasting the HJT and ComboFix logs the correct way. As for the post above, I didn't have System Restore enabled, so that won't work :) I put everything in one package because I had trouble attaching files. Please help, and regards :)


Attachment: cf+hjt.rar
  • hijackthis.log
  • ComboFix.txt


cf+hjt.rar > ComboFix.txt

ComboFix 09-06-09.05 - User 2010-03-03 10:28.1 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.2.1250.48.1045.18.1023.820 [GMT 1:00]
Uruchomiony z: c:\documents and settings\User\Pulpit\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 100227-1] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

UWAGA - TEN KOMPUTER NIE MA ZAINSTALOWANEJ KONSOLI ODZYSKIWANIA !!
.
- TRYB ZREDUKOWANEJ FUNKCJONALNOŚCI -
.

((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
c:\program files\Mozilla Firefox\plugins\NPMyGlSh.dll
c:\program files\myglobalsearch
c:\program files\myglobalsearch\bar\1.bin\M9FFXTBR.JAR
c:\program files\myglobalsearch\bar\1.bin\M9FFXTBR.MANIFEST
c:\program files\myglobalsearch\bar\1.bin\M9NTSTBR.JAR
c:\program files\myglobalsearch\bar\1.bin\M9NTSTBR.MANIFEST
c:\program files\myglobalsearch\bar\1.bin\M9PLUGIN.DLL
c:\program files\myglobalsearch\bar\1.bin\MGSBAR.DLL
c:\program files\myglobalsearch\bar\1.bin\NPMYGLSH.DLL
c:\program files\myglobalsearch\bar\Cache\00027565
c:\program files\myglobalsearch\bar\Cache\0009CF4A
c:\program files\myglobalsearch\bar\Cache\000B07E9.bin
c:\program files\myglobalsearch\bar\Cache\000B0B74.bin
c:\program files\myglobalsearch\bar\Cache\000B0D68.bin
c:\program files\myglobalsearch\bar\Cache\files.ini
c:\program files\myglobalsearch\bar\History\search
c:\program files\myglobalsearch\bar\Settings\prevcfg.htm
c:\windows\IE4 Error Log.txt
c:\windows\msa.exe
c:\windows\system32\system
D:\Autorun.inf

.
((((((((((((((((((((((((( Pliki utworzone od 2010-02-03 do 2010-03-03 )))))))))))))))))))))))))))))))
.

2010-03-03 09:45 . 2006-03-02 13:00 1033728 ----a-w- c:\windows\nokia.exe
2010-02-27 12:07 . 2010-02-26 18:52 156672 ----a-w- c:\windows\msc.exe
2010-02-26 20:38 . 2010-02-26 20:38 -------- d-----w- c:\documents and settings\User\Ustawienia lokalne\Dane aplikacji\Help
2010-02-26 18:52 . 2010-02-26 18:52 12192 ----a-w- c:\windows\system32\drivers\adiusbawr.sys
2010-02-26 18:52 . 2010-02-26 18:52 12192 ----a-w- c:\windows\system32\drivers\adiusbawq.sys
2010-02-26 18:52 . 2010-02-26 15:27 150528 ----a-w- c:\windows\msb.exe

.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-03 09:18 . 2009-12-20 20:27 -------- d-----w- c:\documents and settings\User\Dane aplikacji\OpenOffice.org2
2010-03-03 09:15 . 2009-12-19 11:22 0 ----a-w- c:\windows\system32\drivers\pgulxj.sys
2010-03-03 08:59 . 2009-02-19 22:00 -------- d-----w- c:\documents and settings\User\Dane aplikacji\Nowe Gadu-Gadu
2010-02-28 15:29 . 2009-02-26 18:19 -------- d-----w- c:\documents and settings\User\Dane aplikacji\Skype
2010-02-28 15:08 . 2009-02-26 18:21 -------- d-----w- c:\documents and settings\User\Dane aplikacji\skypePM
2010-02-28 14:35 . 2009-12-20 20:29 1 ----a-w- c:\documents and settings\User\Dane aplikacji\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2010-02-26 20:39 . 2004-02-25 15:18 -------- d-----w- c:\program files\microsoft frontpage
2010-02-26 15:29 . 2010-02-26 15:29 8 ----a-w- c:\documents and settings\LocalService\Dane aplikacji\pdytbs.dat
2010-02-26 15:29 . 2009-12-19 11:21 8 ----a-w- c:\documents and settings\User\Dane aplikacji\avdrn.dat
2010-02-22 20:58 . 2007-08-12 09:37 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-02-19 18:55 . 2009-01-16 13:18 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-01-27 19:33 . 2004-09-29 16:04 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-24 15:14 . 2009-01-16 11:35 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\avg8
2010-01-24 14:28 . 1979-12-31 22:00 89562 ----a-w- c:\windows\system32\perfc015.dat
2010-01-24 14:28 . 1979-12-31 22:00 501692 ----a-w- c:\windows\system32\perfh015.dat
2010-01-24 14:27 . 2010-01-24 14:27 -------- d-----w- c:\program files\MSBuild
2010-01-24 14:26 . 2010-01-24 14:26 -------- d-----w- c:\program files\Reference Assemblies
2010-01-24 14:21 . 2010-01-24 14:21 -------- d-----w- c:\program files\MSXML 6.0
2010-01-24 14:03 . 2010-01-24 14:03 129 ----a-w- c:\documents and settings\User\Ustawienia lokalne\Dane aplikacji\fusioncache.dat
2010-01-24 13:06 . 2009-02-15 12:06 117288 ----a-w- c:\documents and settings\User\Ustawienia lokalne\Dane aplikacji\GDIPFONTCACHEV1.DAT
2009-12-22 05:43 . 2007-08-03 09:50 664576 ----a-w- c:\windows\system32\wininet.dll
2009-12-22 05:43 . 2007-08-03 12:33 81920 ------w- c:\windows\system32\ieencode.dll
2009-12-19 21:09 . 2009-12-01 17:24 1 ----a-w- c:\documents and settings\User\Dane aplikacji\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-12-19 11:22 . 2009-12-19 11:22 16 ----a-w- c:\documents and settings\LocalService\Dane aplikacji\fvgqad.dat
.

((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-12-11 1611480]
"Nowe Gadu-Gadu"="c:\program files\Nowe Gadu-Gadu\gg.exe" [2009-02-16 9302632]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-02-04 23975720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-04-18 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-04-18 610304]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-01-07 3051520]
"LManager"="c:\program files\Launch Manager\QtDTAcer.EXE" [2003-11-28 335872]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-08-28 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-08-28 118784]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-06-09 180269]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2003-12-19 65024]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2004-01-07 753664]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-03 15360]

c:\documents and settings\User\Menu Start\Programy\Autostart\
OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-1-21 393216]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 PzWDM;PzWDM;c:\windows\system32\drivers\PzWDM.sys [2007-07-13 15172]
S0 pgulxj;pgulxj;c:\windows\system32\drivers\pgulxj.sys [2009-12-19 0]
S1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2010-01-24 114768]
S2 adiusbawq;adiusbawq;c:\windows\system32\drivers\adiusbawq.sys [2010-02-26 12192]
S2 adiusbawr;adiusbawr;c:\windows\system32\drivers\adiusbawr.sys [2010-02-26 12192]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-01-24 20560]
S2 DLPortIO;DLPORT I/O driver;c:\windows\system32\drivers\DLPortIO.sys [2004-09-29 3584]
S2 port_nt;port_nt;c:\windows\system32\drivers\port_nt.sys [2004-10-05 3608]
S2 SG_Service;SoftGuard Service;c:\program files\Common Files\RbtProt\sgsrv.exe [2007-04-04 180224]
S3 {5C8B2B62-A385-11d5-A78B-00104B672758};AIM 3.0 Part 01 Codec Driver CH-7017-A;c:\windows\system32\drivers\a311.sys [2004-02-26 33335]
S3 {5C8B2B65-A385-11d5-A78B-00104B672758};AIM 3.0 Part 01 Codec Driver CH-7017-B;c:\windows\system32\drivers\a310.sys [2004-02-26 33335]
S3 CH341SER;CH341SER;c:\windows\system32\drivers\CH341SER.SYS [2007-09-18 35824]
S3 PhTVTune;Cap7134 TVTuner;c:\windows\system32\DRIVERS\PhTVTune.sys --> c:\windows\system32\DRIVERS\PhTVTune.sys [?]
S3 ZDCndis5;ZDCndis5 Protocol Driver; [x]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
SSHNAS

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
\Shell\AutoRun\command - ycvvj.exe
\Shell\open\Command - ycvvj.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - ycvvj.exe
\Shell\open\Command - ycvvj.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - e:\hbcd\wintools\autorun.exe
\Shell\Option1\Command - e:\hbcd\wintools\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0f1a2404-8ce2-11de-aa7d-00c09f431add}]
\Shell\AutoRun\command - H:\m1eqos3.exe
\Shell\open\Command - H:\m1eqos3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{229bb422-45e1-11de-a9fb-00c09f431add}]
\Shell\AutoRun\command - jm3cx96.bat
\Shell\open\Command - jm3cx96.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{332ade30-6edd-11de-aa62-00c09f431add}]
\Shell\AutoRun\command - H:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{332ade32-6edd-11de-aa62-00c09f431add}]
\Shell\AutoRun\command - H:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{920262ff-216c-11df-aba7-00c09f431add}]
\Shell\AutoRun\command - H:\NEVIDLJIVA///dokja.exe
\Shell\open\command - H:\NEVIDLJIVA///dokja.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{95ec9f36-e4f6-11de-ab31-00c09f431add}]
\Shell\AutoRun\command - H:\ctu8r.exe
\Shell\open\Command - H:\ctu8r.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d52b5040-f48b-11dd-a93f-000b6b4b73a5}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d52b5054-f48b-11dd-a93f-000b6b4b73a5}]
\Shell\AutoRun\command - H:\m1eqos3.exe
\Shell\open\Command - H:\m1eqos3.exe
.
Zawartość folderu 'Zaplanowane zadania'

2010-03-02 c:\windows\Tasks\{2CCF288E-A334-4773-BEC8-CEB4B7B3AFDA}_KOMPUTER_7_Artur.job
- c:\windows\system32\mobsync.exe [2007-08-03 22:44]

2008-12-30 c:\windows\Tasks\{76D511AD-6D22-45B1-9EF1-FA66F0D99C3C}_KOMPUTER_7_Artur.job
- c:\windows\system32\mobsync.exe [2007-08-03 22:44]

2009-12-11 c:\windows\Tasks\{A1FA0644-6497-4DBF-A06B-67A8D6AA19B5}_KOMPUTER_7_Artur.job
- c:\windows\system32\mobsync.exe [2007-08-03 22:44]
.
- - - - USUNIĘTO PUSTE WPISY - - - -

HKCU-Run-ares - c:\program files\Ares\Ares.exe
HKCU-Run-TOY5KNQ8OC - c:\docume~1\User\USTAWI~1\Temp\Oxr.exe
HKLM-Run-BearShare - c:\program files\BearShare\BearShare.exe
HKU-Default-Run-ALUAlert - c:\program files\Symantec\LiveUpdate\ALUNotify.exe


.
------- Skan uzupełniający -------
.
uStart Page = hxxp://search.bearshare.com/pl/
uInternet Connection Wizard,ShellNext = hxxp://www.avg.com/pl.special-enhance-protection-appf8
FF - ProfilePath - c:\documents and settings\User\Dane aplikacji\Mozilla\Firefox\Profiles\7xsx8x0a.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll

---- FIREFOX - SPOSÓB POSTĘPOWANIA ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-03 10:29
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

skanowanie ukrytych procesów ...

skanowanie ukrytych wpisów autostartu ...

skanowanie ukrytych plików ...

skanowanie pomyślnie ukończone
ukryte pliki: 0

**************************************************************************
.
Czas ukończenia: 2010-03-03 10:33
ComboFix-quarantined-files.txt 2010-03-03 09:33

Przed: 62 633 619 456 bajtów wolnych
Po: 62 983 258 112 bajtów wolnych

241 --- E O F --- 2010-01-24 14:30