
And the logs:
Combofix:
ComboFix 09-03-19.02 - Konrad 2009-03-21 15:55:35.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.511.240 [GMT 1:00]
Uruchomiony z: d:\documents and settings\Konrad\Pulpit\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.
d:\windows\system32\1\
.
((((((((((((((((((((((((( Pliki utworzone od 2009-02-21 do 2009-03-21 )))))))))))))))))))))))))))))))
.
2009-03-20 18:10 . 2009-03-20 18:10 <DIR> d-------- d:\program files\podatki.pl
2009-03-20 14:50 . 2009-03-20 14:50 <DIR> d-------- d:\program files\Common Files\Wise Installation Wizard
2009-03-19 22:07 . 2009-03-21 15:57 <DIR> d--h----- d:\documents and settings\postgress\Ustawienia lokalne
2009-03-19 22:07 . 2007-05-02 21:51 <DIR> d-------- d:\documents and settings\postgress\Ulubione
2009-03-19 22:07 . 2007-05-02 20:59 <DIR> d--h----- d:\documents and settings\postgress\Szablony
2009-03-19 22:07 . 2007-05-02 21:51 <DIR> d-------- d:\documents and settings\postgress\Pulpit
2009-03-19 22:07 . 2007-05-02 21:51 <DIR> d-------- d:\documents and settings\postgress\Moje dokumenty
2009-03-19 22:07 . 2007-05-02 21:51 <DIR> dr------- d:\documents and settings\postgress\Menu Start
2009-03-19 22:07 . 2007-05-02 21:51 <DIR> dr-h----- d:\documents and settings\postgress\Dane aplikacji
2009-03-19 22:07 . 2009-03-19 22:07 <DIR> d-------- d:\documents and settings\postgress
2009-03-19 22:06 . 2009-03-19 22:06 <DIR> d-------- d:\program files\PostgreSQL
2009-03-17 16:01 . 2009-03-17 16:01 106,496 -rahs---- d:\windows\system32\noxtlmth.dll
2009-03-14 13:43 . 2009-03-14 13:43 <DIR> d-------- d:\program files\PokerStrategy
2009-03-02 17:29 . 2009-03-15 11:16 <DIR> d-------- d:\documents and settings\Konrad\Dane aplikacji\U3
2009-02-27 22:29 . 2009-03-20 22:59 <DIR> d-------- d:\program files\Garena
2009-02-27 22:28 . 2009-02-27 22:28 <DIR> d-------- d:\documents and settings\Konrad\Dane aplikacji\InstallShield
2009-02-27 22:14 . 2009-02-27 22:32 139,264 --a------ d:\windows\War3Unin.exe
2009-02-27 22:14 . 2009-03-20 22:57 104,306 --a------ d:\windows\War3Unin.dat
2009-02-27 22:14 . 2009-02-27 22:32 2,829 --a------ d:\windows\War3Unin.pif
2009-02-23 18:53 . 2009-02-23 18:53 <DIR> d-------- d:\documents and settings\Konrad\Dane aplikacji\postgresql
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-20 22:23 --------- d-----w d:\program files\Warcraft III
2009-03-20 15:16 --------- d-----w d:\documents and settings\All Users\Dane aplikacji\f-secure
2009-03-20 13:51 --------- d-----w d:\program files\Lavasoft
2009-03-19 21:33 --------- d-----w d:\documents and settings\Konrad\Dane aplikacji\OpenOffice.org2
2009-03-19 19:43 --------- d-----w d:\documents and settings\Konrad\Dane aplikacji\uTorrent
2009-03-18 16:57 --------- d-----w d:\program files\PokerStars
2009-03-14 12:20 --------- d-----w d:\program files\EA GAMES
2009-03-10 17:48 --------- d-----w d:\program files\Full Tilt Poker
2009-03-10 16:58 --------- d-----w d:\program files\PartyGaming
2009-03-05 11:26 --------- d-----w d:\program files\Nowe Gadu-Gadu
2009-02-28 19:55 --------- d-----w d:\program files\Warkeys
2009-02-27 21:29 --------- d--h--w d:\program files\InstallShield Installation Information
2009-02-20 12:01 --------- d-----w d:\documents and settings\All Users\Dane aplikacji\Winamp Toolbar
2009-02-12 18:24 --------- d-----w d:\program files\Asseco Poland SA
2009-02-02 18:31 --------- d-----w d:\documents and settings\Konrad\Dane aplikacji\F-Secure
2009-02-02 17:10 --------- d-----w d:\documents and settings\All Users\Dane aplikacji\fssg
2008-10-03 17:37 4 ----a-w d:\program files\is.dat
2008-09-27 10:32 16,384 ----a-w d:\program files\uik.dat
2008-01-04 16:30 32 ----a-w d:\documents and settings\All Users\Dane aplikacji\ezsid.dat
.
((((((((((((((((((((((((((((( SnapShot@2009-03-20_17.04.46.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-21 14:40:26 16,384 ----atw d:\windows\Temp\Perflib_Perfdata_e4.dat
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Nowe Gadu-Gadu"="d:\program files\Nowe Gadu-Gadu\gg.exe" [2009-02-27 9339496]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="d:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="d:\windows\System32\CTFMON.EXE" [2004-08-03 15360]
d:\documents and settings\Konrad\Menu Start\Programy\Autostart\
My_AutoWarkey_Script.lnk - d:\program files\Warkeys\AutoWarkey\AutoHotkey\AutoHotkey.exe [2008-03-09 240640]
Secunia PSI (RC3).lnk - d:\program files\Secunia\PSI (RC3)\psi.exe [2008-06-16 663552]
Warkeys Update.lnk - d:\program files\Warkeys\AutoWarkey\AutoHotkey\AutoHotkey.exe [2008-03-09 240640]
d:\documents and settings\All Users\Menu Start\Programy\Autostart\
Adobe Gamma Loader.lnk - d:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-07-02 113664]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoStartMenuSubFolders"= 1 (0x1)
"NoFavoritesMenu"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.sl_anet"= d:\progra~1\ACEMEG~1\SystemS\sl_anet.acm
"vidc.yv12"= d:\progra~1\ACEMEG~1\SystemS\ATI\atiyuv12.DLL
"vidc.iyuv"= d:\progra~1\ACEMEG~1\SystemS\Intel\iyuv_32.dll
"vidc.yvu9"= d:\progra~1\ACEMEG~1\SystemS\Intel\Iyvu9_32.dll
"vidc.uyvy"= d:\progra~1\ACEMEG~1\SystemS\MICROS~1\msyuv.dll
"vidc.yuy2"= d:\progra~1\ACEMEG~1\SystemS\MICROS~1\msyuv.dll
"vidc.yvyu"= d:\progra~1\ACEMEG~1\SystemS\MICROS~1\msyuv.dll
"msacm.msaudio1"= d:\progra~1\ACEMEG~1\SystemS\MICROS~1\msaud32.acm
"msacm.ac3filter"= ac3filter.acm
[HKLM\~\startupfolder\D:^Documents and Settings^Konrad^Menu Start^Programy^Autostart^Cyber-shot Viewer Media Check Tool.lnk]
path=d:\documents and settings\Konrad\Menu Start\Programy\Autostart\Cyber-shot Viewer Media Check Tool.lnk
backup=d:\windows\pss\Cyber-shot Viewer Media Check Tool.lnkStartup
[HKLM\~\startupfolder\D:^Documents and Settings^Konrad^Menu Start^Programy^Autostart^OpenOffice.org 2.2.lnk]
path=d:\documents and settings\Konrad\Menu Start\Programy\Autostart\OpenOffice.org 2.2.lnk
backup=d:\windows\pss\OpenOffice.org 2.2.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 21:16 39792 d:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-08-03 23:44 1667584 d:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-10-22 11:22 7700480 d:\windows\system32\nvcpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a------ 2006-06-15 12:36 229376 d:\progra~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
--a------ 2006-06-19 15:59 1449984 d:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-12-06 09:56 136600 d:\program files\Java\jre6\bin\jusched.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"d:\\Program Files\\NAPI-PROJEKT\\napisy.exe"=
"d:\\WINDOWS\\system32\\dpvsetup.exe"=
"d:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"d:\\Program Files\\Ocean Technology\\GG E-Sports Platform\\Garena.exe"=
"d:\\Program Files\\uTorrent\\uTorrent.exe"=
"d:\\Program Files\\Garena\\Garena.exe"=
"d:\\Program Files\\Nowe Gadu-Gadu\\gg.exe"=
"d:\\Program Files\\PokerStrategy\\PokerStrategy Elephant\\PokerStrategy Elephant.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"46389:UDP"= 46389:UDP:PolicyVideo PagesMobile
"33084:TCP"= 33084:TCP:PolicyVideo ModemSecurity
"42946:TCP"= 42946:TCP:PolicyVideo PLAWeb
"50652:UDP"= 50652:UDP:PolicyVideo PatchPatch
R2 pgsql-8.3;PostgreSQL Database Server 8.3;d:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [2008-02-01 65536]
R3 PSI;PSI;d:\windows\system32\drivers\psi_mf.sys [2008-06-16 7808]
S2 Irsrv;Update Security;d:\windows\system32\svchost.exe -k netsvcs [2007-05-02 14336]
S3 cdiskdun;cdiskdun;\??\d:\docume~1\Konrad\USTAWI~1\Temp\cdiskdun.sys --> d:\docume~1\Konrad\USTAWI~1\Temp\cdiskdun.sys [?]
S3 GarenaPEngine;GarenaPEngine;\??\d:\docume~1\Konrad\USTAWI~1\Temp\HBM173.tmp --> d:\docume~1\Konrad\USTAWI~1\Temp\HBM173.tmp [?]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Irsrv
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6ec4f36a-0739-11de-807b-00304f318351}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a
.
.
------- Skan uzupełniający -------
.
uStart Page = hxxp://www.google.pl/
TCP: {02F7145B-8A62-4C61-8D26-F7853120BEC7} = 213.241.79.37 83.238.255.76
DPF: DirectAnimation Java Classes - file://d:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://d:\windows\Java\classes\xmldso.cab
FF - ProfilePath - d:\documents and settings\Konrad\Dane aplikacji\Mozilla\Firefox\Profiles\eil9yvew.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: d:\documents and settings\Konrad\Dane aplikacji\Mozilla\Firefox\Profiles\eil9yvew.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\components\WinampTBPlayer.dll
FF - plugin: d:\program files\Mozilla Firefox\plugins\np-mswmp.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-21 15:57:26
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
skanowanie ukrytych procesów ...
skanowanie ukrytych wpisów autostartu ...
skanowanie ukrytych plików ...
skanowanie pomyślnie ukończone
ukryte pliki: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GarenaPEngine]
"ImagePath"="\??\d:\docume~1\Konrad\USTAWI~1\Temp\HBM173.tmp"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Irsrv]
"ServiceDll"="d:\windows\system32\noxtlmth.dll"
.
Czas ukończenia: 2009-03-21 15:59:13
ComboFix-quarantined-files.txt 2009-03-21 14:59:11
Przed: 6 623 027 200 bajtów wolnych
Po: 6,617,657,344 bajtów wolnych
Hijack:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:05:28, on 2009-03-21
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
D:\Program Files\Warkeys\AutoWarkey\AutoHotkey\AutoHotkey.exe
D:\Program Files\Secunia\PSI (RC3)\psi.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\Program Files\Nowe Gadu-Gadu\gg.exe
D:\Program Files\Nowe Gadu-Gadu\spellchecker_gg.exe
D:\WINDOWS\explorer.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Nowe Gadu-Gadu] "D:\Program Files\Nowe Gadu-Gadu\gg.exe"
O4 - HKUS\S-1-5-21-2025429265-1336601894-682003330-1006\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'postgress')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: My_AutoWarkey_Script.lnk = D:\Program Files\Warkeys\AutoWarkey\AutoHotkey\AutoHotkey.exe
O4 - Startup: Secunia PSI (RC3).lnk = D:\Program Files\Secunia\PSI (RC3)\psi.exe
O4 - Startup: Warkeys Update.lnk = D:\Program Files\Warkeys\AutoWarkey\AutoHotkey\AutoHotkey.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O12 - Plugin for .mpeg: D:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{02F7145B-8A62-4C61-8D26-F7853120BEC7}: NameServer = 213.241.79.37 83.238.255.76
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PostgreSQL Database Server 8.3 (pgsql-8.3) - PostgreSQL Global Development Group - D:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe
--
End of file - 3625 bytes