logi:
- Kod: Zaznacz wszystko
ComboFix 08-06-30.2 - Właściciel 2008-07-02 8:11:09.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1045.18.162 [GMT 2:00]
Running from: C:\Documents and Settings\Właściciel\Pulpit\ComboFix.exe
* Created a new restore point
* Resident AV is active
[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\autorun.inf
C:\WINDOWS\system32\kavo.exe
C:\WINDOWS\system32\kavo0.dll
C:\WINDOWS\system32\kavo1.dll
D:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2008-06-02 to 2008-07-02 )))))))))))))))))))))))))))))))
.
2008-07-02 08:08 . 2008-07-02 08:09 <DIR> d-------- C:\327882R2FWJFW
2008-07-01 07:29 . 2008-07-01 07:28 125,990 -r-hs---- C:\vmhr.bat
2008-06-25 07:05 . 2008-06-25 07:04 125,264 -r-hs---- C:\br1e.com
2008-06-23 07:02 . 2008-06-24 07:00 123,013 -r-hs---- C:\uwlmj.com
2008-06-20 07:06 . 2008-06-20 07:05 123,769 -r-hs---- C:\s2vgyp.exe
2008-06-19 07:57 . 2008-06-19 07:01 128,288 -r-hs---- C:\n.com
2008-06-16 06:55 . 2008-06-16 06:55 131,584 -r-hs---- C:\WINDOWS\system32\kavo2.dll
2008-06-11 07:12 . 2008-06-14 20:01 273,024 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 07:12 . 2008-06-14 20:01 273,024 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-04 06:58 . 2008-06-04 06:57 122,870 -r-hs---- C:\90imhpnc.exe
2008-06-04 06:57 . 2008-06-03 07:06 123,260 -r-hs---- C:\p1t.bat
2008-06-02 07:05 . 2008-06-02 07:05 119,727 -r-hs---- C:\p0sc9t.cmd
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-01 11:24 --------- d-----w C:\Program Files\Screamer Radio
2008-06-11 08:04 --------- d-----w C:\Program Files\Winamp
2008-05-30 05:11 122,875 --sh--r C:\yp.bat
2008-05-28 05:06 119,463 --sh--r C:\sdc.bat
2008-05-27 05:06 119,816 --sh--r C:\2.cmd
2008-05-26 05:11 121,998 --sh--r C:\9mf.exe
2008-05-19 05:07 117,655 --sh--r C:\lgnaqil.exe
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:16 1,291,264 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-21 07:03 662,016 ----a-w C:\WINDOWS\system32\wininet.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24 1694208]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2003-10-02 14:37 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2003-10-02 14:19 118784]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 08:57 143360]
"ArcaCheck"="C:\Program Files\ArcaBit\ArcaVir\ArcaCheck.exe" [2008-03-11 13:43 454656]
"AVMenu"="C:\Program Files\ArcaBit\ArcaVir\AVMenu.exe" [2008-03-10 11:36 561152]
"abregmon"="C:\Program Files\ArcaBit\ArcaVir\ABregmon.exe" [2006-02-22 12:09 307200]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2004-12-20 20:41 33792]
"LANChatPro"="C:\Program Files\LANChat Pro\LANChat.exe" [2001-04-23 21:01 163840]
"AWMON"="C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe" [2004-08-12 19:43 537088]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 14:00 15360]
C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Corel Family and Friends Reminders.LNK - C:\Program Files\Corel\Print House Magic\cffrem.exe [2008-01-07 09:22:47 666112]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 18:23:32 74308]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TS_LogonListener]
2006-09-01 11:41 139264 C:\WINDOWS\system32\ts_logonlistener.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\LANChat Pro\\LANChat.exe"=
"C:\\Program Files\\VULCAN\\Sekretariat Optivum\\sekretariat.exe"=
R1 ABTDI;ABTDI;C:\Program Files\ArcaBit\ArcaVir\ABTDI.sys [2005-12-22 12:05]
R2 ArcaBit.TaskScheduler;ArcaBit.TaskScheduler;C:\Program Files\ArcaBit\Common\TaskScheduler.exe [2006-10-04 06:55]
R2 ArcaVirMonitor;ArcaVir Antivirus Monitor Service;C:\Program Files\ArcaBit\ArcaVir\AvMon.exe [2008-04-11 12:05]
R3 ArcaBit.Core.Configurator;ArcaBit.Core.Configurator;"C:\Program Files\ArcaBit\Common\ArcaBit.Core.Configurator2.exe" [2007-06-05 10:37]
R3 ArcaBit.Core.LoggingService;ArcaBit.Core.LoggingService;"C:\Program Files\ArcaBit\Common\ArcaBit.Core.LoggingService.exe" [2007-06-05 10:37]
R3 arcaen;ArcaVir Monitor Kernel Engine Driver;C:\Program Files\ArcaBit\ArcaVir\arcaen.sys [2006-05-22 14:12]
R3 arcaev;ArcaVir Monitor Kernel Events Driver;C:\Program Files\ArcaBit\ArcaVir\arcaev.sys [2006-10-09 12:18]
R3 arcafd;ArcaVir Monitor Kernel Filter Driver;C:\Program Files\ArcaBit\ArcaVir\arcafd.sys [2004-10-11 11:51]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{97141964-9af6-11db-856f-0030053c136d}]
\Shell\AutoRun\command - E:\vmhr.bat
\Shell\explore\Command - E:\vmhr.bat
\Shell\open\Command - E:\vmhr.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b19da051-2331-11dd-8711-0030053c136d}]
\Shell\AutoRun\command - E:\w2qagd.com
\Shell\explore\Command - E:\w2qagd.com
\Shell\open\Command - E:\w2qagd.com
*Newly Created Service* - CATCHME
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-Adobe Photo Downloader - C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-02 08:15:36
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-07-02 8:17:44
ComboFix-quarantined-files.txt 2008-07-02 06:17:35
Pre-Run: 23,661,764,608 bajtów wolnych
Post-Run: 23,706,169,344 bajtów wolnych
109 --- E O F --- 2008-06-20 12:49:14
- Kod: Zaznacz wszystko
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:20:09, on 2008-07-02
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ArcaBit\ArcaVir\NetMonSV.exe
C:\Program Files\ArcaBit\Common\ArcaBit.Core.Configurator2.exe
C:\Program Files\ArcaBit\ArcaVir\AvMon.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\ArcaBit\Common\TaskScheduler.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\ArcaBit\ArcaVir\AVMenu.exe
C:\Program Files\ArcaBit\ArcaVir\ABregmon.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\ArcaBit\Common\ArcaBit.Core.LoggingService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Właściciel\Pulpit\hijackthis.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.microsoft.com/r/hlidOfficeUpdateFromClient?CTT=6&Origin=EC010227221045
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = w3cache.tpsa.pl:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [ArcaCheck] C:\Program Files\ArcaBit\ArcaVir\ArcaCheck.exe /startup
O4 - HKLM\..\Run: [AVMenu] C:\Program Files\ArcaBit\ArcaVir\AVMenu.exe
O4 - HKLM\..\Run: [abregmon] C:\Program Files\ArcaBit\ArcaVir\ABregmon.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [LANChatPro] C:\Program Files\LANChat Pro\LANChat.exe /q
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Corel Family and Friends Reminders.LNK = C:\Program Files\Corel\Print House Magic\cffrem.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{4DF91EA1-E22D-4997-874C-3D473B17533F}: NameServer = 194.204.152.34,194.204.159.1
O20 - Winlogon Notify: TS_LogonListener - C:\WINDOWS\SYSTEM32\TS_LogonListener.dll
O23 - Service: ArcaBit NetMonitor (ABNetMon) - ArcaBit - C:\Program Files\ArcaBit\ArcaVir\NetMonSV.exe
O23 - Service: ArcaBit.Core.Configurator - ArcaBit - C:\Program Files\ArcaBit\Common\ArcaBit.Core.Configurator2.exe
O23 - Service: ArcaBit.Core.LoggingService - ArcaBit - C:\Program Files\ArcaBit\Common\ArcaBit.Core.LoggingService.exe
O23 - Service: ArcaBit.TaskScheduler - ArcaBit sp. z o.o. - C:\Program Files\ArcaBit\Common\TaskScheduler.exe
O23 - Service: ArcaVir Antivirus Monitor Service (ArcaVirMonitor) - ArcaBit - C:\Program Files\ArcaBit\ArcaVir\AvMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
--
End of file - 5441 bytes
