SDFix
SDFix: Version 1.131
Run by Rafał on 2008-01-27 at 12:54
Microsoft Windows XP [Wersja 5.1.2600]
Running From: C:\SDFix
Safe Mode:
Checking Services:
Name:
runtime
smtpdrv
Path:
\??\C:\WINDOWS.0\System32\drivers\runtime.sys
System32\DRIVERS\smtpdrv.sys
runtime - Deleted
smtpdrv - Deleted
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting...
Normal Mode:
Checking Files:
Trojan Files Found:
C:\DOCUME~1\RAFA~1.SEA\USTAWI~1\Temp\GLF295B.tmp.dll - Deleted
C:\Program Files\Helper\1201364044.dll - Deleted
C:\WINDOWS.0\system32\4_exception.nls - Deleted
C:\WINDOWS.0\system32\winxtx32.dll - Deleted
Folder C:\Program Files\Helper - Removed
Removing Temp Files...
ADS Check:
C:\WINDOWS.0
No streams found.
C:\WINDOWS.0\explorer.exe
No streams found.
C:\WINDOWS.0\system32
No streams found.
C:\WINDOWS.0\system32\svchost.exe
No streams found.
C:\WINDOWS.0\system32\ntoskrnl.exe
No streams found.
Final Check:
catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-27 12:59:06
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fak32]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000000
"ImagePath"=str(2):"\??\C:\WINDOWS.0\system32\drivers\fak32.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fak32\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000001
"ujdew"=hex:73,ed,65,ea,97,c0,14,a2,ba,c6,97,4d,21,83,78,ee,ff,cf,11,64,ee,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:40,79,3d,98,23,3f,ae,53,cc,8c,9e,be,01,65,c7,dc,23,60,29,fa,8d,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,63,5d,63,b6,a8,21,d4,2a,9f,f4,83,32,95,b6,24,c9,c5,..
"khjeh"=hex:ba,88,b4,a7,7a,5c,fd,59,b6,2e,a7,cb,94,21,87,bf,99,01,e9,00,f2,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:60,e1,5d,1e,72,39,70,89,65,c7,6f,61,94,c7,b0,60,a1,ef,40,f3,61,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\fak32]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000000
"ImagePath"=str(2):"\??\C:\WINDOWS.0\system32\drivers\fak32.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\fak32\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000001
"ujdew"=hex:73,ed,65,ea,97,c0,14,a2,ba,c6,97,4d,21,83,78,ee,ff,cf,11,64,ee,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:40,79,3d,98,23,3f,ae,53,cc,8c,9e,be,01,65,c7,dc,23,60,29,fa,8d,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,63,5d,63,b6,a8,21,d4,2a,9f,f4,83,32,95,b6,24,c9,c5,..
"khjeh"=hex:ba,88,b4,a7,7a,5c,fd,59,b6,2e,a7,cb,94,21,87,bf,99,01,e9,00,f2,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:60,e1,5d,1e,72,39,70,89,65,c7,6f,61,94,c7,b0,60,a1,ef,40,f3,61,..
scanning hidden registry entries ...
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:00000000
"LastTraceFailure"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\A\1\5\1c]
"Order"=hex:08,00,00,00,02,00,00,00,b8,01,00,00,01,00,00,00,04,00,00,00,8c,..
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services:
------------------
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"D:\\Program Files\\Gadu-Gadu\\gg.exe"="D:\\Program Files\\Gadu-Gadu\\gg.exe:*:Enabled:Gadu-Gadu - program główny"
"D:\\Program Files\\rFactor LIGNA\\rFactor\\rFactor Dedicated.exe"="D:\\Program Files\\rFactor LIGNA\\rFactor\\rFactor Dedicated.exe:*:Enabled:rFactor"
"D:\\Program Files\\rFactor LIGNA\\rFactorF1forum\\rFactor.exe"="D:\\Program Files\\rFactor LIGNA\\rFactorF1forum\\rFactor.exe:*:Enabled:rFactor"
"D:\\Program Files\\rFactor LIGNA\\rFactor\\rFactor.exe"="D:\\Program Files\\rFactor LIGNA\\rFactor\\rFactor.exe:*:Enabled:rFactor"
"D:\\Program Files\\BitComet\\BitComet.exe"="D:\\Program Files\\BitComet\\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client"
"F:\\Program Files\\BearShare Pro\\Bearshare.exe"="F:\\Program Files\\BearShare Pro\\Bearshare.exe:*:Enabled:BearShare"
"C:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"="C:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe:*:Enabled:Nokia Service Layer Host Process "
"C:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"="C:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe:*:Enabled:Nokia Software Updater"
"C:\\WINDOWS.0\\system32\\PnkBstrA.exe"="C:\\WINDOWS.0\\system32\\PnkBstrA.exe:*:Enabled:PnkBstrA"
"C:\\WINDOWS.0\\system32\\PnkBstrB.exe"="C:\\WINDOWS.0\\system32\\PnkBstrB.exe:*:Enabled:PnkBstrB"
"D:\\Program Files\\Atari\\Test Drive Unlimited\\TestDriveUnlimited.exe"="D:\\Program Files\\Atari\\Test Drive Unlimited\\TestDriveUnlimited.exe:*:Enabled:Test Drive Unlimited"
"D:\\Program Files\\Codemasters\\DiRT\\DiRT.exe"="D:\\Program Files\\Codemasters\\DiRT\\DiRT.exe:*:Enabled:DiRT Executable"
"D:\\Program Files\\Electronic Arts\\Need for Speed ProStreet\\ONLINE\\bombd.exe"="D:\\Program Files\\Electronic Arts\\Need for Speed ProStreet\\ONLINE\\bombd.exe:*:Enabled:bombd"
"C:\\Documents and Settings\\Rafał.SEAGATE-2INSTAL\\Pulpit\\xc\\WebCam360.exe"="C:\\Documents and Settings\\Rafał.SEAGATE-2INSTAL\\Pulpit\\xc\\WebCam360.exe:*:Enabled:WebCam360"
"C:\\Program Files\\Kuma Games\\KumaWar\\KumaWar.exe"="C:\\Program Files\\Kuma Games\\KumaWar\\KumaWar.exe:*:Enabled:KumaWar"
"D:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"="D:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe:*:Enabled:Call of Duty(R) 4 - Modern Warfare(TM) "
"D:\\Program Files\\rFactor\\rFactor.exe"="D:\\Program Files\\rFactor\\rFactor.exe:*:Enabled:rFactor"
"D:\\Program Files\\rFactor\\rFactor Dedicated.exe"="D:\\Program Files\\rFactor\\rFactor Dedicated.exe:*:Enabled:rFactor"
"D:\\Program Files\\Cyberlink\\PowerDirector\\PDR.exe"="D:\\Program Files\\Cyberlink\\PowerDirector\\PDR.exe:*:Enabled:CyberLink PowerDirector"
"C:\\Program Files\\Hamachi\\hamachi.exe"="C:\\Program Files\\Hamachi\\hamachi.exe:*:Enabled:Hamachi Client"
"D:\\Program Files\\rFactor LIGNA\\rFactorF1forum\\Support\\HostingTest.exe"="D:\\Program Files\\rFactor LIGNA\\rFactorF1forum\\Support\\HostingTest.exe:*:Enabled:Hosting Test"
"D:\\Program Files\\Teamspeak2_RC2\\server_windows.exe"="D:\\Program Files\\Teamspeak2_RC2\\server_windows.exe:*:Enabled:Server"
"C:\\WINDOWS.0\\system32\\dpvsetup.exe"="C:\\WINDOWS.0\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\\WINDOWS.0\\system32\\rundll32.exe"="C:\\WINDOWS.0\\system32\\rundll32.exe:*:Enabled:Uruchamia plik DLL jako aplikację"
"C:\\DOCUME~1\\RAFA~1.SEA\\USTAWI~1\\Temp\\win2726.exe"="C:\\DOCUME~1\\RAFA~1.SEA\\USTAWI~1\\Temp\\win2726.exe:*:Enabled:win2726"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
Remaining Files:
---------------
File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes:
Sun 6 Jan 2008 425 A.SH. --- "C:\BOOT.BAK"
Mon 10 Dec 2007 848 A.SH. --- "C:\WINDOWS.0\system32\KGyGaAvL.sys"
Wed 29 Aug 2007 4,348 ..SH. --- "C:\Documents and Settings\All Users.WINDOWS.0\DRM\DRMv1.bak"
Sun 8 Jul 2007 857 A..HR --- "C:\RECYCLER\S-1-5-21-776561741-963894560-839522115-1004\Df8\UserData\securom_v7_01.bak"
Wed 2 Jan 2008 1,745 ...HR --- "C:\Documents and Settings\Rafał.SEAGATE-2INSTAL\Dane aplikacji\SecuROM\UserData\securom_v7_01.bak"
Mon 9 Jul 2007 857 ...HR --- "C:\Documents and Settings\Rafał\Dane aplikacji\SecuROM\UserData\securom_v7_01.bak"
Sat 26 Jan 2008 0 A.SH. --- "C:\WINDOWS.0\system32\config\systemprofile\Ustawienia lokalne\Temp\1ab7po71.TMP"
Wed 21 Nov 2007 2,585,872 A..H. --- "C:\Documents and Settings\Rafał.SEAGATE-2INSTAL\Ustawienia lokalne\Temp\VSSETUP50727.42\1033\wcu\msi31\BIT39CB.tmp"
Finished!
ComboFIX
ComboFix 08-01-23.1C - Rafał 2008-01-27 13:03:00.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1045.18.564 [GMT 1:00]
Running from: C:\Documents and Settings\Rafał.SEAGATE-2INSTAL\Pulpit\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users.WINDOWS.0\Dane aplikacji\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users.WINDOWS.0\Dane aplikacji\Microsoft\Network\Downloader\qmgr1.dat
----- BITS: Possible infected sites -----
hxxp://go.microsoft.com
hxxp://www.microsoft.com
C:\DOCUME~1\RAFA~1.SEA\USTAWI~1\Temp\BIT381C.tmp
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\smtpdrv
((((((((((((((((((((((((( Files Created from 2007-12-27 to 2008-01-27 )))))))))))))))))))))))))))))))
.
2008-01-27 12:53 . 2008-01-27 12:53 <DIR> d-------- C:\WINDOWS.0\ERUNT
2008-01-27 12:24 . 2008-01-27 12:24 <DIR> d-------- C:\WINDOWS.0\LastGood.Tmp
2008-01-26 18:32 . 1994-12-06 00:00 12,800 --a------ C:\WINDOWS.0\system\WING32.DLL
2008-01-26 17:44 . 2008-01-26 17:44 54,156 --ah----- C:\WINDOWS.0\QTFont.qfn
2008-01-26 17:44 . 2008-01-26 17:44 1,409 --a------ C:\WINDOWS.0\QTFont.for
2008-01-26 17:30 . 2008-01-26 17:30 <DIR> d-------- C:\Program Files\WinAVI MP4 Converter
2008-01-26 17:14 . 2008-01-26 20:32 25,984 --a------ C:\WINDOWS.0\system32\drivers\Lqv27.sys
2008-01-26 17:14 . 2008-01-26 17:14 32 --a-s---- C:\WINDOWS.0\system32\3890668695.dat
2008-01-26 17:13 . 2008-01-26 17:13 54,764 --a------ C:\WINDOWS.0\system32\drivers\fak32.sys
2008-01-26 17:13 . 2008-01-26 17:13 16,384 --a------ C:\WINDOWS.0\system32\mmmsivyiv.dll
2008-01-26 16:13 . 2008-01-26 16:44 <DIR> d-------- C:\Program Files\123 AVI to GIF Converter
2008-01-22 11:48 . 2008-01-22 11:48 <DIR> d-------- C:\Program Files\Yahoo!
2008-01-21 19:49 . 2008-01-21 19:49 0 --ah----- C:\WINDOWS.0\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-01-21 19:49 . 2008-01-21 19:49 0 --ah----- C:\WINDOWS.0\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2008-01-21 19:48 . 2006-11-13 15:45 1,419,232 --a------ C:\WINDOWS.0\system32\wdfcoinstaller01005.dll
2008-01-21 19:48 . 2007-04-02 22:13 21,632 --a------ C:\WINDOWS.0\system32\drivers\motmodem.sys
2008-01-21 19:47 . 2008-01-21 19:47 <DIR> d-------- C:\Program Files\Common Files\Motorola Shared
2008-01-21 19:22 . 2004-08-03 23:08 25,600 --a------ C:\WINDOWS.0\system32\drivers\usbser.sys
2008-01-21 19:22 . 2004-08-03 23:08 25,600 --a--c--- C:\WINDOWS.0\system32\dllcache\usbser.sys
2008-01-16 20:25 . 1994-12-06 00:00 12,800 --a------ C:\WINDOWS.0\system32\WING32.DLL
2008-01-15 19:57 . 2008-01-15 19:57 34,064 --a------ C:\WINDOWS.0\system32\lhacm.acm
2008-01-13 18:34 . 2008-01-13 18:37 <DIR> d-------- C:\WINDOWS.0\speech
2008-01-13 16:28 . 2008-01-13 16:28 <DIR> d-------- C:\Program Files\Techland
2008-01-13 10:16 . 2001-08-17 22:02 8,576 --a------ C:\WINDOWS.0\system32\drivers\hidgame.sys
2008-01-13 10:16 . 2001-08-17 22:02 8,576 --a--c--- C:\WINDOWS.0\system32\dllcache\hidgame.sys
2008-01-06 14:01 . 2008-01-06 13:53 425 --ahs---- C:\BOOT.BAK
2008-01-03 14:14 . 2008-01-03 14:14 11 -ra------ C:\WINDOWS.0\amunres.lsl
2008-01-01 00:20 . 2008-01-01 00:20 <DIR> d-------- C:\Program Files\Hamachi
2008-01-01 00:20 . 2008-01-01 00:20 25,280 --a------ C:\WINDOWS.0\system32\drivers\hamachi.sys
2007-12-30 13:59 . 2007-12-30 13:59 <DIR> d-------- C:\Program Files\Edgard Multimedia
2007-12-28 19:37 . 2007-12-28 19:37 <DIR> d-------- C:\My Music
2007-12-28 19:36 . 2007-12-28 19:37 164 --a------ C:\WINDOWS.0\CDPLAYER.UNI
2007-12-28 17:16 . 2001-10-26 16:57 12,160 --a------ C:\WINDOWS.0\system32\drivers\mouhid.sys
2007-12-28 17:16 . 2001-10-26 16:57 12,160 --a--c--- C:\WINDOWS.0\system32\dllcache\mouhid.sys
2007-12-28 17:15 . 2004-08-04 00:38 14,848 --a------ C:\WINDOWS.0\system32\drivers\kbdhid.sys
2007-12-28 17:15 . 2004-08-04 00:38 14,848 --a--c--- C:\WINDOWS.0\system32\dllcache\kbdhid.sys
2007-12-28 17:14 . 2007-09-13 20:40 234,008 --a------ C:\WINDOWS.0\system32\WmJoyFrc.dll
2007-12-28 17:14 . 2007-09-13 20:41 51,608 --a------ C:\WINDOWS.0\system32\drivers\WmXlCore.sys
2007-12-28 17:14 . 2007-09-13 20:41 29,976 --a------ C:\WINDOWS.0\system32\drivers\WmFilter.sys
2007-12-28 17:14 . 2007-09-13 20:41 29,208 --a------ C:\WINDOWS.0\system32\drivers\WmHidLo.sys
2007-12-28 17:14 . 2007-09-13 20:40 19,352 --a------ C:\WINDOWS.0\system32\drivers\WmBEnum.sys
2007-12-28 17:14 . 2007-09-13 20:41 14,744 --a------ C:\WINDOWS.0\system32\drivers\WmVirHid.sys
2007-12-28 17:13 . 2008-01-03 21:24 <DIR> d-------- C:\Program Files\Logitech
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-27 12:05 --------- d-----w C:\Program Files\AutoConnect
2008-01-23 16:12 --------- d-----w C:\Program Files\USDownloader
2008-01-21 19:35 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-16 19:22 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-15 15:11 22,328 ----a-w C:\WINDOWS.0\system32\drivers\PnkBstrK.sys
2008-01-09 11:49 14,656 -c--a-w C:\WINDOWS.0\gdrv.sys
2007-12-26 10:38 23 ----a-w C:\WINDOWS.0\system32\drivers\adidsl.cfg
2007-12-26 10:31 --------- d-----w C:\Program Files\RegVac
2007-12-25 11:02 --------- d-----w C:\Program Files\Cyberlink
2007-12-23 16:20 --------- d-----w C:\Program Files\RADVideo
2007-12-19 17:54 --------- d-----w C:\Program Files\Kuma Games
2007-12-19 11:49 --------- d-----w C:\Program Files\DAEMON Tools
2007-12-13 16:11 --------- d-----w C:\Program Files\Realtek
2007-12-10 18:05 --------- d-----w C:\Program Files\7-Zip
2007-12-08 10:32 --------- d-----w C:\Program Files\HD Tune
2007-12-06 18:28 227,779 ----a-w C:\WINDOWS.0\rFactor Data Acquisition Plugin Uninstaller.exe
2007-12-03 20:35 --------- d-----w C:\Program Files\SEC
2007-12-01 14:25 --------- d-----w C:\Program Files\Samsung
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D7B211A-88EA-490c-BAB9-3600D8D7C503}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{92860A02-4D69-48c1-82D7-EF6B2C609502}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-04-03 23:29 165784]
"CTFMON.EXE"="C:\WINDOWS.0\system32\ctfmon.exe" [2004-08-03 23:44 15360]
"AutoConnect"="C:\Program Files\AutoConnect\AutoConnect.exe" [2004-08-28 19:27 295424]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-03 23:55 1667584]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS.0\system32\NvCpl.dll" [2006-10-22 11:22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 11:22 1622016 C:\WINDOWS.0\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2006-10-22 11:22 86016 C:\WINDOWS.0\system32\nvmctray.dll]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-08-12 10:31 949376]
"36X Raid Configurer"="C:\WINDOWS.0\system32\JMRaidSetup.exe" [2006-11-17 02:05 1953792]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS.0\system32\CTFMON.EXE" [2004-08-03 23:44 15360]
"Nokia.PCSync"="D:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 10:17 1241088]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide3"="cmd.exe" [2004-08-03 23:44 395776 C:\WINDOWS.0\system32\cmd.exe]
C:\Documents and Settings\All Users.WINDOWS.0\Menu Start\Programy\Autostart\
DSLMON.lnk - C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2007-12-26 11:32:48 962660]
NCProTray.lnk - C:\Program Files\SEC\Natural Color Pro\NCProTray.exe [2007-12-03 21:36:01 49220]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winxtx32]
winxtx32.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\WINDOWS.0\system32\mmmsivyiv.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lqv27.sys]
@="Driver"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS.0^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS.0\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS.0^Menu Start^Programy^Autostart^DSLMON.lnk]
path=C:\Documents and Settings\All Users.WINDOWS.0\Menu Start\Programy\Autostart\DSLMON.lnk
backup=C:\WINDOWS.0\pss\DSLMON.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Rafał.SEAGATE-2INSTAL^Menu Start^Programy^Autostart^Adobe Gamma.lnk]
backup=C:\WINDOWS.0\pss\Adobe Gamma.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
-r------- 2005-05-03 11:43 69632 C:\WINDOWS.0\Alcmtr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2006-11-16 18:04 139264 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DataLayer]
--a------ 2007-05-04 08:17 863744 C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyTuneV]
--a------ 2007-01-04 16:05 24576 C:\Program Files\Gigabyte\ET5\ETcall.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Flashget]
--a------ 2007-04-16 16:10 1699840 D:\Program Files\FlashGet\flashget.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InternetCalls]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-08-11 16:30 249856 c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-08-11 16:30 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMB36X IDE Setup]
-r---c--- 2006-10-31 05:44 36864 C:\WINDOWS.0\JM\JMInsIDE.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS.0\system32\dumprep 0 -k
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KMRemote]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Komunikator]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-08-03 23:55 1667584 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 14:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a------ 2007-06-18 15:10 271360 D:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
--a------ 2007-06-19 10:17 1241088 D:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
-r------- 2006-11-14 10:21 16270848 C:\WINDOWS.0\RTHDCPL.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
-r------- 2006-05-16 11:04 2879488 C:\WINDOWS.0\SkyTel.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\spyprodetector]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2007-03-14 02:43 83608 C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoipBuster]
R0 hotcore2;hotcore2;C:\WINDOWS.0\system32\drivers\hotcore2.sys [2006-10-02 09:39]
R0 Lqv27;Lqv27;C:\WINDOWS.0\system32\Drivers\Lqv27.sys [2008-01-26 20:32]
S2 NMSAccessU;NMSAccessU;D:\Program Files\CDBurnerXP\NMSAccessU.exe []
S2 RDSessMgrShellHWDetection;Menedżer sesji pomocy pulpitu zdalnego RDSessMgrShellHWDetection;C:\WINDOWS.0\system32\config\SYSTEM~1\USTAWI~1\Temp\C1B52D31.exe srv []
S3 cpuz128;cpuz128;C:\DOCUME~1\RAFA~1.SEA\USTAWI~1\Temp\cpuz_x32.sys []
S3 gdrv;gdrv;C:\WINDOWS.0\gdrv.sys [2008-01-09 12:49]
S3 MarkFun_NT;MarkFun_NT;C:\Program Files\Gigabyte\ET5\markfun.w32 [2007-01-12 17:34]
S3 motmodem;Motorola USB CDC ACM Driver;C:\WINDOWS.0\system32\DRIVERS\motmodem.sys [2007-04-02 22:13]
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-27 13:05:49
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-01-27 13:06:53 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-27 12:06:50
HiJackThis
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:08:13, on 2008-01-27
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS.0\System32\smss.exe
C:\WINDOWS.0\system32\winlogon.exe
C:\WINDOWS.0\system32\services.exe
C:\WINDOWS.0\system32\lsass.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\System32\svchost.exe
C:\WINDOWS.0\system32\spoolsv.exe
C:\WINDOWS.0\Explorer.EXE
D:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS.0\system32\nvsvc32.exe
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\system32\RunDLL32.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS.0\system32\ctfmon.exe
C:\Program Files\AutoConnect\AutoConnect.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS.0\system32\wscntfy.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\SEC\Natural Color Pro\NCProTray.exe
D:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\WINDOWS.0\system32\devldr32.exe
D:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
D:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\WINDOWS.0\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS.0\system32\dwwin.exe
C:\Documents and Settings\Rafał.SEAGATE-2INSTAL\Pulpit\Programy\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - D:\Program Files\FlashGet\jccatch.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
O2 - BHO: ConnectionServices module - {6D7B211A-88EA-490c-BAB9-3600D8D7C503} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: BitAccelerator module - {92860A02-4D69-48c1-82D7-EF6B2C609502} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: &Tłumaczenie - {0D704FAD-66E9-4F0A-BFED-4F665770DDB3} - C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS.0\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS.0\system32\JMRaidSetup.exe boot
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS.0\system32\ctfmon.exe
O4 - HKCU\..\Run: [AutoConnect] C:\Program Files\AutoConnect\AutoConnect.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS.0\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide3] cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS.0\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide3] cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS.0\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide3] cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS.0\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide3] cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: Yahoo! Widgets.lnk = D:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: NCProTray.lnk = ?
O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Ściągnij przy pomocy FlashGet'a - D:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &Ściągnij wszystko przy pomocy FlashGet'a - D:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - D:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {B46B0919-62BA-4D99-A5C4-916B57A6805C} - C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll,-103 - {B46B0919-62BA-4D99-A5C4-916B57A6805C} - C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{54B6EF1F-4F78-444C-A89C-CA9FFE022DB8}: NameServer = 217.8.168.244 157.25.5.18
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS.0\system32\mmmsivyiv.dll
O20 - Winlogon Notify: winxtx32 - winxtx32.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NMSAccessU - Unknown owner - D:\Program Files\CDBurnerXP\NMSAccessU.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS.0\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS.0\system32\PnkBstrA.exe (file missing)
O23 - Service: Menedżer sesji pomocy pulpitu zdalnego RDSessMgrShellHWDetection (RDSessMgrShellHWDetection) - Unknown owner - C:\WINDOWS.0\system32\config\SYSTEM~1\USTAWI~1\Temp\C1B52D31.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
--
End of file - 8117 bytes
PS. Every time Windows starts, NOD32 keeps throwing virus alerts about "...TEMP\BN194.tmp" and "...\system32\drivers\smtpdvr.sys"