ComboFix:
- Kod: Zaznacz wszystko
ComboFix 08-10-26.01 - Agnieszka 2008-10-27 16:41:59.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.762 [GMT 1:00]
* Utworzono nowy punkt przywracania
.
((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\autorun.inf
C:\WINDOWS\system32\ckvo.exe
C:\WINDOWS\system32\ckvo0.dll
C:\WINDOWS\system32\ckvo1.dll
C:\WINDOWS\system32\Desktop_.ini
C:\windows\system32\explorer.exe
C:\xih9.cmd
D:\Autorun.inf
D:\xih9.cmd
.
((((((((((((((((((((((((( Pliki utworzone od 2008-09-27 do 2008-10-27 )))))))))))))))))))))))))))))))
.
2008-10-23 13:22 . 2008-10-23 13:22 <DIR> d-------- C:\Program Files\Winamp
2008-10-23 13:22 . 2004-12-20 19:37 20,016 --------- C:\WINDOWS\system32\drivers\pxhelp20.sys
2008-10-23 13:22 . 2008-10-26 12:48 192 --a------ C:\WINDOWS\winamp.ini
2008-10-23 11:31 . 2008-10-23 11:31 <DIR> d-------- C:\Program Files\Gadu-Gadu
2008-10-23 11:31 . 2008-10-23 16:34 <DIR> d-------- C:\Documents and Settings\Agnieszka\Gadu-Gadu
2008-10-23 11:31 . 2008-10-23 11:31 <DIR> d-------- C:\Documents and Settings\Agnieszka\Dane aplikacji\Gadu-Gadu
2008-10-22 20:38 . 2008-10-22 20:38 <DIR> d-------- C:\Documents and Settings\Agnieszka\Dane aplikacji\Media Player Classic
2008-10-22 15:19 . 2008-10-22 15:19 <DIR> d-------- C:\Documents and Settings\Agnieszka\Dane aplikacji\InstallShield
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-22 19:41 --------- d-----w C:\Program Files\NAPI-PROJEKT
2008-10-22 19:41 --------- d-----w C:\Program Files\ALLPlayer
2008-10-22 19:38 --------- d-----w C:\Program Files\K-Lite Codec Pack
2008-10-22 19:27 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Microsoft Help
2008-10-22 19:26 --------- d-----w C:\Program Files\MSBuild
2008-10-22 19:26 --------- d-----w C:\Program Files\Microsoft Works
2008-10-22 19:15 --------- d-----w C:\Program Files\Alcohol Soft
2008-10-22 19:11 716,272 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-10-22 16:28 --------- d-----w C:\Program Files\Common Files\Adobe
2008-10-22 16:00 --------- d-----w C:\Program Files\Opera
2008-10-22 14:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-10-22 14:19 --------- d-----w C:\Program Files\Broadcom
2008-10-22 14:19 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Broadcom
2008-10-22 13:59 --------- d-----w C:\WINDOWS\system32\config\systemprofile\Dane aplikacji\Intel
2008-10-22 13:56 --------- d-----w C:\Program Files\Realtek
2008-10-22 13:55 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-10-22 13:55 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-10-22 13:45 --------- d-----w C:\Program Files\microsoft frontpage
2008-10-22 13:44 --------- d-----w C:\Program Files\Usługi online
2008-09-19 07:11 920,088 ----a-w C:\WINDOWS\system32\igxpun.exe
2008-09-15 15:40 1,846,272 ----a-w C:\WINDOWS\system32\win32k.sys
2008-09-11 09:00 147,456 ----a-w C:\WINDOWS\system32\igfxCoIn_v4990.dll
2008-09-11 08:53 3,401,216 ----a-w C:\WINDOWS\system32\igxpdx32.dll
2008-09-11 08:52 6,047,904 ----a-w C:\WINDOWS\system32\drivers\igxpmp32.sys
2008-09-11 08:52 2,352,128 ----a-w C:\WINDOWS\system32\igxpdv32.dll
2008-09-11 08:52 181,760 ----a-w C:\WINDOWS\system32\igxpgd32.dll
2008-09-11 08:52 1,481,884 ----a-w C:\WINDOWS\system32\igkrng400.bin
2008-09-11 08:51 57,344 ----a-w C:\WINDOWS\system32\igxprd32.dll
2008-09-11 08:34 2,277,376 ----a-w C:\WINDOWS\system32\ig4dev32.dll
2008-09-11 08:27 3,862,528 ----a-w C:\WINDOWS\system32\ig4icd32.dll
2008-09-11 08:18 651,264 ----a-w C:\WINDOWS\system32\igfxcfg.exe
2008-09-11 08:17 172,032 ----a-w C:\WINDOWS\system32\hkcmd.exe
2008-09-11 08:17 143,360 ----a-w C:\WINDOWS\system32\igfxtray.exe
2008-09-11 08:16 52,224 ----a-w C:\WINDOWS\system32\igfxsrvc.dll
2008-09-11 08:16 249,856 ----a-w C:\WINDOWS\system32\igfxsrvc.exe
2008-09-11 08:16 24,576 ----a-w C:\WINDOWS\system32\igfxexps.dll
2008-09-11 08:16 212,992 ----a-w C:\WINDOWS\system32\igfxpph.dll
2008-09-11 08:16 172,032 ----a-w C:\WINDOWS\system32\igfxext.exe
2008-09-11 08:16 143,360 ----a-w C:\WINDOWS\system32\igfxpers.exe
2008-09-11 08:16 135,168 ----a-w C:\WINDOWS\system32\igfxdo.dll
2008-09-11 08:16 106,496 ----a-w C:\WINDOWS\system32\hccutils.dll
2008-09-11 08:15 5,672,960 ----a-w C:\WINDOWS\system32\igfxress.dll
2008-09-11 08:15 217,088 ----a-w C:\WINDOWS\system32\igfxdev.dll
2008-08-28 10:04 333,056 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-08-20 05:38 662,016 ----a-w C:\WINDOWS\system32\wininet.dll
2008-08-14 13:46 2,181,632 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-08-14 13:46 2,059,008 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 15360]
"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 52\axcmd.exe" [2008-03-20 216520]
"EXPLORER.EXE"="EXPLORER.EXE" [2004-08-03 C:\WINDOWS\explorer.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2008-09-11 143360]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2008-09-11 172032]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2008-09-11 143360]
"AzMixerSel"="C:\Program Files\Realtek\Audio\InstallShield\AzMixerSel.exe" [2006-07-17 53248]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2004-12-20 33792]
"RTHDCPL"="RTHDCPL.EXE" [2008-04-18 C:\WINDOWS\RTHDCPL.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 15360]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d540536c-a06d-11dd-85f6-001eec5398bd}]
\Shell\AutoRun\command - F:\xih9.cmd
\Shell\explore\Command - F:\xih9.cmd
\Shell\open\Command - F:\xih9.cmd
*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
- - - - USUNIĘTO PUSTE WPISY - - - -
HKCU-Run-kamsoft - C:\WINDOWS\system32\ckvo.exe
HKCU-Run-wsctf.exe - wsctf.exe
.
------- Skan uzupełniający -------
.
O8 -: E&ksportuj do programu Microsoft Excel - C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-27 16:45:52
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
skanowanie ukrytych procesów ...
skanowanie ukrytych wpisów autostartu ...
skanowanie ukrytych plików ...
skanowanie pomyślnie ukończone
ukryte pliki: 0
**************************************************************************
.
Czas ukończenia: 2008-10-27 16:46:36
ComboFix-quarantined-files.txt 2008-10-27 15:46:32
Przed: 15,265,406,976 bajtów wolnych
Po: 15,267,282,944 bajtów wolnych
WindowsXP-KB310994-SP2-Pro-BootDisk-PLK.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
138 --- E O F --- 2008-10-22 21:38:29
hijackthis:
- Kod: Zaznacz wszystko
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:27:12, on 2008-10-27
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\Audio\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 52\axcmd.exe" /automount
O4 - HKCU\..\Run: [EXPLORER.EXE] EXPLORER.EXE
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Wyślij do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Wyślij &do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
--
End of file - 4253 bytes
