
ComboFix 09-11-04.05 - Administrator 2009-11-05 17:29.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.48.1045.18.2047.1330 [GMT 1:00]
Run from: E:\ComboFix.exe
AV: avast! antivirus 4.8.1356 [VPS 091105-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
((((((((((((((((((((((((((((((((((((((( Deleted )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Administrator\Dane aplikacji\EurekaLog
c:\documents and settings\Administrator\Dane aplikacji\EurekaLog\EurekaLog.ini
c:\program files\INSTALL.LOG
c:\windows\system32\ieuinit.inf
.
((((((((((((((((((((((((( Files Created from 2009-10-05 to 2009-11-05 )))))))))))))))))))))))))))))))
.
2009-11-05 12:08 . 2009-11-05 12:08 -------- d-----w- c:\windows\system32\wbem\Repository
2009-11-05 12:07 . 2009-11-05 12:07 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2009-11-05 12:07 . 2009-11-05 12:07 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\nView_Profiles
2009-11-05 12:07 . 2009-11-05 12:07 -------- d-----w- c:\documents and settings\Administrator\Dane aplikacji\NCH Swift Sound
2009-11-04 21:46 . 2009-11-05 12:06 -------- d-----w- c:\program files\Karaluch
2009-11-02 23:02 . 2009-11-02 23:02 -------- d-----w- c:\program files\Recuva
2009-11-02 20:48 . 2009-09-23 07:07 59664 ----a-w- c:\windows\system32\drivers\TfSysMon.sys
2009-11-02 20:48 . 2009-09-23 07:07 51984 ----a-w- c:\windows\system32\drivers\TfFsMon.sys
2009-11-02 20:48 . 2009-09-23 07:07 33552 ----a-w- c:\windows\system32\drivers\TfNetMon.sys
2009-11-02 20:48 . 2009-11-02 20:48 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\PC Tools
2009-11-02 20:42 . 2009-11-02 20:42 180224 ----a-w- c:\windows\system32\pausep.exe
2009-11-02 19:45 . 2009-09-15 11:54 52368 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-11-02 19:45 . 2009-09-15 11:54 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-11-02 19:45 . 2009-09-15 11:53 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-11-02 19:45 . 2009-09-15 11:56 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-11-02 19:45 . 2009-09-15 11:56 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-11-02 19:45 . 2009-09-15 11:55 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-11-02 19:45 . 2009-09-15 11:55 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-11-02 19:45 . 2009-09-15 11:53 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-11-02 19:45 . 2009-09-15 11:59 1279968 ----a-w- c:\windows\system32\aswBoot.exe
2009-11-02 19:45 . 2009-11-02 19:45 -------- d-----w- c:\program files\Alwil Software
2009-10-30 20:19 . 2009-10-30 20:19 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\IM
2009-10-30 20:18 . 2009-10-30 20:20 -------- d-----w- c:\documents and settings\Administrator\Ustawienia lokalne\Dane aplikacji\IM
2009-10-30 17:04 . 2009-10-30 17:04 -------- d-----w- c:\documents and settings\NetworkService\Ustawienia lokalne\Dane aplikacji\Apple
2009-10-25 18:50 . 2009-10-25 18:50 -------- d-----w- c:\documents and settings\Administrator\Ustawienia lokalne\Dane aplikacji\Opera
2009-10-25 18:50 . 2009-10-30 19:49 -------- d-----w- c:\program files\Opera
2009-10-25 18:35 . 2009-10-25 18:35 -------- d-----w- c:\documents and settings\Administrator\Ustawienia lokalne\Dane aplikacji\Apple Computer
2009-10-23 20:29 . 2009-10-23 20:30 -------- d-----w- c:\program files\direct x nie usuwac
2009-10-23 20:02 . 2009-03-09 13:27 4178264 ----a-w- c:\windows\system32\D3DX9_41.dll
2009-10-22 16:51 . 2001-05-11 11:18 420240 ----a-w- c:\windows\system32\mpg4c32.dll
2009-10-15 18:54 . 2009-10-15 18:54 14 ----a-w- c:\windows\system32\getfile.dat
2009-10-15 18:26 . 2009-10-15 18:26 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-10-15 18:26 . 2009-10-15 18:26 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-10-15 18:26 . 2009-10-15 18:26 -------- d-----w- c:\program files\Windows Sidebar
2009-10-14 20:50 . 2009-10-14 20:50 -------- d-----w- c:\windows\system32\config\systemprofile\Dane aplikacji\ArcaBit
2009-10-14 20:47 . 2009-10-15 16:15 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-12 19:49 . 2008-03-11 13:14 941784 ----a-w- c:\windows\system32\drivers\CAMTHWDM.sys
2009-10-11 20:54 . 2009-10-11 20:54 -------- d-----w- c:\documents and settings\Administrator\Dane aplikacji\ooVoo Details
2009-10-11 20:54 . 2009-10-28 12:03 -------- d-----w- c:\program files\ooVoo
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-04 21:11 . 2009-10-01 19:53 -------- d-----w- c:\program files\WapSter
2009-11-04 17:50 . 2009-05-15 16:18 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-11-03 22:50 . 2009-06-22 19:00 1 ----a-w- c:\documents and settings\Administrator\Dane aplikacji\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-11-03 19:48 . 2008-04-26 12:21 -------- d-----w- c:\documents and settings\Administrator\Dane aplikacji\Skype
2009-11-03 19:07 . 2009-08-14 20:22 -------- d-----w- c:\program files\ChomikBox
2009-11-02 23:34 . 2001-10-26 16:15 85982 ----a-w- c:\windows\system32\perfc015.dat
2009-11-02 23:34 . 2001-10-26 16:15 494318 ----a-w- c:\windows\system32\perfh015.dat
2009-11-02 21:48 . 2009-09-19 18:38 -------- d-----w- c:\documents and settings\Administrator\Dane aplikacji\RaimaRadio
2009-11-02 11:41 . 2009-08-06 16:48 -------- d-----w- c:\program files\The KMPlayer
2009-10-25 18:35 . 2009-06-14 21:16 22084 -c-ha-w- c:\windows\system32\mlfcache.dat
2009-10-23 15:03 . 2009-09-18 18:23 81984 ----a-w- c:\windows\system32\bdod.bin
2009-10-20 18:51 . 2008-12-04 17:24 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-15 18:26 . 2009-10-15 18:26 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-10-15 18:26 . 2009-10-15 18:26 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-10-14 21:05 . 2009-08-28 15:56 -------- d-----w- c:\program files\Odkurzacz
2009-10-11 20:54 . 2006-09-30 16:56 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-01 17:11 . 2008-06-12 18:55 28176 -c--a-w- c:\documents and settings\Administrator\Ustawienia lokalne\Dane aplikacji\GDIPFONTCACHEV1.DAT
2009-10-01 17:04 . 2009-10-01 17:04 -------- d-----w- c:\program files\JRE
2009-10-01 17:04 . 2009-06-22 18:56 -------- d-----w- c:\program files\OpenOffice.org 3
2009-09-17 20:53 . 2009-09-17 20:53 -------- d-----w- c:\program files\Nowe Gadu-Gadu
2009-09-17 20:53 . 2009-09-17 20:52 -------- d-----w- c:\program files\Nowe Gadu-Gadu(3)
2009-09-14 20:43 . 2009-09-14 20:42 -------- d-----w- c:\documents and settings\Administrator\Dane aplikacji\KomaMail
2009-08-17 14:38 . 2009-08-17 14:38 2560 -c--a-w- c:\windows\_MSRSTRT.EXE
2008-04-23 15:21 . 2008-04-15 20:23 56 -csh--r- c:\windows\system32\448FE413EB.sys
2008-04-22 17:16 . 2008-04-16 18:09 88 -csh--r- c:\windows\system32\EB13E48F44.sys
2008-04-23 15:21 . 2008-04-15 20:06 7518 -csha-w- c:\windows\system32\KGyGaAvL.sys
.
------- Sigcheck -------
[-] 2008-06-20 . 01D5EAAFF224415A7FF513E4C882BE30 . 360320 . . [5.1.2600.3394] . . c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries and legitimate default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"AQQ"="c:\progra~1\WapSter\WapSter AQQ\AQQ.exe" [2009-09-29 6585856]
"oovoo.exe"="c:\program files\ooVoo\ooVoo.exe" [2009-10-12 17507000]
"Core Temp"="e:\coretemp\CoreTemp\CoreTemp32\Core Temp.exe" [2009-10-22 378384]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HControl"="c:\windows\ATK0100\HControl.exe" [2006-04-17 110592]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-09-06 7585792]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-01 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-01 696320]
"Ashampoo FireWall"="c:\program files\Ashampoo\Ashampoo FireWall\FireWall.exe" [2007-04-05 3251800]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"avast!"="c:\program files\Alwil Software\Avast4\ashDisp.exe" [2009-09-15 81000]
"ThreatFire"="d:\threatfire\TFTray.exe" [2009-09-23 382224]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2008-10-09 17021440]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-09-06 1617920]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"50001:TCP"= 50001:TCP:ArcaVir CommunicationPort (S)
"50000:TCP"= 50000:TCP:ArcaVir CommunicationPort (A)
"12562:TCP"= 12562:TCP:BitComet 12562 TCP
"12562:UDP"= 12562:UDP:BitComet 12562 UDP
"443:UDP"= 443:UDP:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:ooVoo UDP port 37675
"443:TCP"= 443:TCP:ooVoo TCP port 443
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
R0 hotcore3;hotcore3;c:\windows\system32\drivers\hotcore3.sys [2009-02-28 39472]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2009-11-02 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2009-11-02 59664]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-11-02 114768]
R1 Start1Driver;Start1Driver;c:\windows\system32\drivers\Start1Driver.SYS [2009-06-05 5120]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-11-02 20560]
R2 ThreatFire;ThreatFire;d:\threatfire\TFService.exe service --> d:\threatfire\TFService.exe service [?]
R3 ABndisMP;ABndisMP;c:\windows\system32\drivers\abndis.sys [2009-02-12 33288]
R3 ALSysIO;ALSysIO;\??\c:\docume~1\Administrator\Ustawienia lokalne\Temp\ALSysIO.sys --> c:\docume~1\Administrator\Ustawienia lokalne\Temp\ALSysIO.sys [?]
R3 SynMini;ASUS WebCam, 1.3M, USB2.0, FF;c:\windows\system32\drivers\SynMini.sys [2006-09-30 841110]
R3 SynScan;ASUS WebCam Still Image;c:\windows\system32\drivers\SynScan.sys [2006-09-30 8278]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2009-11-02 33552]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S1 ntiomin;ntiomin; [x]
S2 AVTasks2;ArcaBit Tasks Service;c:\progra~1\ArcaBit\Common\ArcaTasksService.exe --> c:\progra~1\ArcaBit\Common\ArcaTasksService.exe [?]
S3 ABndis;ABndis Service;c:\windows\system32\drivers\abndis.sys [2009-02-12 33288]
S3 EuMusDesignVirtualAudioCableWdm_lcs;Breakaway Pipeline (WDM);c:\windows\system32\DRIVERS\vaclcskd.sys --> c:\windows\system32\DRIVERS\vaclcskd.sys [?]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys --> c:\windows\system32\drivers\nmwcdnsu.sys [?]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys --> c:\windows\system32\drivers\nmwcdnsuc.sys [?]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2009-03-24 7808]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - ALSYSIO
*NewlyCreated* - MBR
*NewlyCreated* - PROCEXP113
*Deregistered* - mbr
*Deregistered* - PROCEXP113
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.mystart.com?pr=oovoo2_0
IE: {{40525A66-DB98-480D-BCF9-7AF88C1AF438} - {40525A66-DB98-480D-BCF9-7AF88C1AF438} -
LSP: c:\program files\Ashampoo\Ashampoo FireWall\spi.dll
FF - ProfilePath - c:\documents and settings\Administrator\Dane aplikacji\Mozilla\Firefox\Profiles\pqncc581.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - http://www.wp.pl
FF - prefs.js: keyword.URL - hxxp://mystart.incredimail.com/?loc=ff_address_bar_fs&search=
FF - prefs.js: network.proxy.type - 2
FF - plugin: c:\documents and settings\Administrator\Dane aplikacji\Nowe Gadu-Gadu\_userdata\npgg.1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPBILLARD8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npcnmozillainterface.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
---- FIREFOX POLICIES ----
FF - user.js: network.dns.disableIPv6 - true
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: content.notify.backoffcount - 5
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: browser.cache.memory.capacity - 65536
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
.
- - - - ORPHANS REMOVED - - - -
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
ShellExecuteHooks-{4F07DA45-8170-4859-9B5F-037EF2970034} - (no file)
AddRemove-Nokia PC Suite - c:\documents and settings\All Users\Dane aplikacji\Installations\{9C05FA75-0337-4523-AA57-9D3511018887}\Nokia_PC_Suite_rel_6_86_9_3_pol_web.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-05 17:40
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys >>UNKNOWN [0x8A7BD398]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> 0x8a7bd398
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ASFWHide]
"ImagePath"="\??\c:\docume~1\Administrator\Ustawienia lokalne\Temp\ASFWHide"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ThreatFire]
"AlternateImagePath"=""
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-606747145-1078145449-725345543-500\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C5EA8230-1C88-3BE9-1C6E-019EFA41F7EB}*]
"habpapiblbnnamlb"=hex:6a,61,70,62,66,66,70,62,68,63,6b,6a,70,65,69,6f,62,70,
6b,6c,00,00
"ialogfflmeenflipko"=hex:6a,61,70,62,66,66,70,62,68,63,6b,6a,70,65,69,6f,62,70,
6b,6c,00,2f
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BA015FE1-B7C7-2A43-D9C8-0BD192BB7083}\InProcServer32*]
"jampcbdepmhphnaeecpd"=hex:69,61,64,6b,6c,62,67,6b,68,62,6b,6e,67,66,66,6a,6d,
70,00,00
"iampadjledlhcaange"=hex:69,61,64,6b,6c,62,67,6b,68,62,6b,6e,67,66,66,6a,6d,70,
00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1052)
c:\windows\system32\cscui.dll
d:\threatfire\TFWAH.dll
d:\threatfire\TFNI.dll
d:\threatfire\TFMon.dll
d:\threatfire\TFRK.dll
- - - - - - - > 'lsass.exe'(1112)
d:\threatfire\TFWAH.dll
.
Completion time: 2009-11-05 17:45
ComboFix-quarantined-files.txt 2009-11-05 16:45
Pre-Run: 12 643 840 000 bytes free
Post-Run: 12 666 572 800 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-PLK.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
Added Today, 23:51:
To the moderator:
Close the thread, it is a waste of server space, and there is no reply anyway.
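An added example, not part of the post above and not ComboFix's or GMER's own code: a small Python triage script for a ComboFix log in the layout shown in this thread. It pulls out the entries an analyst would look at first in this particular log: files with both the system and hidden attributes under system32 (448FE413EB.sys, EB13E48F44.sys, KGyGaAvL.sys), a driver loaded from the user's Temp directory (ALSysIO), services whose file could not be verified ([?]) or is missing ([x]), the Sigcheck failure on tcpip.sys, the MBR detector's hook warning, and the REG_BINARY values under the locked keys decoded to text. The sample input is an excerpt of the posted log; the regular expressions are written for the layout seen there and are assumptions about ComboFix's output format, not a published specification.

```python
"""Triage of a ComboFix-style log: extract the lines an analyst checks first.

Added example; not code from the forum post, ComboFix or GMER. The regexes
below are assumptions about the log layout shown in the thread.
"""
import re
from typing import Dict, List

# "Files Created" / Find3M entry:  <mtime> . <ctime> <size|--------> <8 attr flags> <path>
FILE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(\S+) ([-a-z]{8}) (.+)$"
)
# Service/driver entry:  <R0..S4> <name>;<display name>;<image path ...> [date size] | [?] | [x]
SVC_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.*)$")
# Sigcheck failure:  [-] <date> . <md5> . <size> . . [<version>] . . <path>
SIG_RE = re.compile(r"^\[-\] .* \. (\S+)$")
# REG_BINARY value:  "name"=hex:6a,61,...   (may continue on following lines)
HEX_RE = re.compile(r'^"([^"]+)"=hex:(.*)$')
CONT_RE = re.compile(r"^[0-9a-f]{2},")
TEMP_MARKER = re.compile(r"\\temp\\", re.IGNORECASE)

# Excerpt of the log posted above (constructed sample input for this script).
SAMPLE_LOG = r"""
2009-11-02 20:48 . 2009-09-23 07:07 59664 ----a-w- c:\windows\system32\drivers\TfSysMon.sys
2008-04-23 15:21 . 2008-04-15 20:23 56 -csh--r- c:\windows\system32\448FE413EB.sys
2008-04-23 15:21 . 2008-04-15 20:06 7518 -csha-w- c:\windows\system32\KGyGaAvL.sys
2009-10-11 20:54 . 2006-09-30 16:56 -------- d--h--w- c:\program files\InstallShield Installation Information
[-] 2008-06-20 . 01D5EAAFF224415A7FF513E4C882BE30 . 360320 . . [5.1.2600.3394] . . c:\windows\system32\drivers\tcpip.sys
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2009-11-02 59664]
R3 ALSysIO;ALSysIO;\??\c:\docume~1\Administrator\Ustawienia lokalne\Temp\ALSysIO.sys --> c:\docume~1\Administrator\Ustawienia lokalne\Temp\ALSysIO.sys [?]
S1 ntiomin;ntiomin; [x]
S2 AVTasks2;ArcaBit Tasks Service;c:\progra~1\ArcaBit\Common\ArcaTasksService.exe --> c:\progra~1\ArcaBit\Common\ArcaTasksService.exe [?]
detected MBR rootkit hooks:
\Driver\Disk -> 0x8a7bd398
Warning: possible MBR rootkit infection !
user & kernel MBR OK
"habpapiblbnnamlb"=hex:6a,61,70,62,66,66,70,62,68,63,6b,6a,70,65,69,6f,62,70,
6b,6c,00,00
"""


def triage(log: str) -> Dict[str, List[str]]:
    """Return the suspicious or unverifiable entries of a ComboFix log, grouped by kind."""
    out: Dict[str, List[str]] = {
        "hidden_system_files": [],
        "drivers_from_temp": [],
        "unverified_or_missing_services": [],
        "sigcheck_failures": [],
        "mbr_warnings": [],
        "decoded_hex_values": [],
    }
    lines = log.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        m = FILE_RE.match(line)
        if m:
            size, attrs, path = m.group(3), m.group(4), m.group(5)
            # A plain file under system32 carrying both 's' and 'h' is worth a look.
            # Caveat: licensing/DRM software (e.g. Macrovision SafeCast) drops files with
            # exactly this shape, so this is a lead to verify by hash/signer, not a verdict.
            if "s" in attrs and "h" in attrs and size != "--------" \
                    and "\\system32\\" in path.lower():
                out["hidden_system_files"].append(path)
        m = SVC_RE.match(line)
        if m:
            start, name, rest = m.group(1), m.group(2), m.group(4)
            if TEMP_MARKER.search(rest):           # kernel driver loaded from a Temp directory
                out["drivers_from_temp"].append(f"{start} {name}")
            if rest.endswith(("[?]", "[x]")):      # ComboFix could not verify / could not find the file
                out["unverified_or_missing_services"].append(f"{start} {name} {rest[-3:]}")
        m = SIG_RE.match(line)
        if m:                                      # system file failed the signature check
            out["sigcheck_failures"].append(m.group(1))
        if line.startswith(("\\Driver\\", "Warning: possible MBR", "user & kernel MBR")):
            # Keep the "MBR OK" line too: it tells whether the sectors or only a hook is in question.
            out["mbr_warnings"].append(line)
        m = HEX_RE.match(line)
        if m:
            name, data = m.group(1), m.group(2)
            while i + 1 < len(lines) and CONT_RE.match(lines[i + 1].strip()):
                i += 1
                data += lines[i].strip()
            raw = bytes(int(b, 16) for b in data.strip(",").split(",") if b)
            text = raw.split(b"\x00", 1)[0].decode("ascii", "replace")
            out["decoded_hex_values"].append(f"{name} -> {text!r}")
        i += 1
    return out


if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_LOG).items():
        for hit in hits:
            print(f"{kind}: {hit}")
```

Two caveats the output makes visible. The MBR detector in the posted log reports a hook on \Driver\Disk by an unknown module (with catchme.sys, the scanner's own driver, among the called modules) but also prints "user & kernel MBR OK", so the warning is about an unidentified disk-driver hook, not a confirmed rewritten boot sector, and the "fixmbr" advice should not be followed on that line alone. The decoded REG_BINARY values are random-looking lowercase strings, which is a pattern worth checking but not an identification of any particular family.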