ComboFix 11-03-10.01 - Ami 2011-03-10 22:23:23.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1250.48.1045.18.1014.512 [GMT 1:00]
Running from: c:\documents and settings\Ami\Pulpit\ComboFix.exe
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
 * Created a new restore point
.
WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Dane aplikacji\xp
c:\documents and settings\Ami\Dane aplikacji\avdrn.dat
c:\documents and settings\Ami\Dane aplikacji\desktop.ini
.
c:\windows\regedit.exe . . . is infected!!
.
c:\windows\system32\midimap.dll . . . is infected!!
.
.
((((((((((((((((((((((((( Files Created from 2011-02-10 to 2011-03-10 )))))))))))))))))))))))))))))))
.
.
2011-03-08 18:14 . 2011-03-08 18:14 182656 ----a-w- c:\windows\system32\dllcache\ndis.sys
2011-02-27 19:41 . 2011-03-10 21:27 -------- d-----w- c:\documents and settings\Ami\Dane aplikacji\Skype
2011-02-27 19:39 . 2011-02-27 19:39 -------- d-----w- c:\program files\Common Files\Skype
2011-02-27 19:39 . 2011-02-27 19:40 -------- d-----r- c:\program files\Skype
2011-02-27 19:38 . 2011-02-27 19:39 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\Skype
2011-02-17 17:34 . 2011-02-27 13:07 -------- d-----w- c:\documents and settings\Ami\Dane aplikacji\x23eewslmqejiksnbaxynlz2rmzu1lyi2
2011-02-16 12:53 . 2011-02-16 12:53 40072 ----a-w- c:\windows\system32\eqrnovvaa.exe
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-21 14:44 . 2009-10-27 19:11 440832 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2008-04-14 22:30 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 14:02 . 2010-01-17 14:01 1864320 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:32 . 2010-01-17 14:01 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:52 . 2009-10-29 06:43 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:52 . 2008-04-25 14:08 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:52 . 2009-03-14 07:35 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-12-20 17:24 . 2010-01-17 14:01 732160 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2010-01-17 14:03 385024 ----a-w- c:\windows\system32\html.iec
.
.
------- Sigcheck -------
.
[7] 2011-03-08 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\ndis.sys
[7] 2008-04-14 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\ndis.sys
.
[-] 2010-01-17 14:27 . 4678172D19476FA7D539682FCA42C942 . 1420800 . . [2001.12.4414.700] . . c:\windows\system32\comres.dll
.
[-] 2010-01-17 . 335813EACD16E84F3047A3326F6E5473 . 549888 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
.
[-] 2009-06-26 . 946665FA0CC98F57E1023CD21F149D8B . 642560 . . [5.1.2600.3099] . . c:\windows\system32\user32.dll
.
[-] 2009-12-09 . A9BD5F368966EA709A4BFF992F583F07 . 1705984 . . [6.00.2900.5512] . . c:\windows\explorer.exe
.
[-] 2008-04-25 . C8BDAD4065118558B3DC360FC96D81DB . 1571840 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
.
[-] 2010-01-17 . 572B0A653990AFE6B71D38D7DD2F202D . 370688 . . [5.1.2600.5512] . . c:\windows\system32\hnetcfg.dll
.
c:\windows\System32\drivers\ndis.sys ... - is missing !!
c:\windows\System32\drivers\tcpip.sys ... - is missing !!
c:\windows\System32\ctfmon.exe ... - is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0974BA1E-64EC-11DE-B2A5-E43756D89593}]
2009-12-20 09:51 87480 ----a-w- c:\progra~1\BEARSH~1\MediaBar\ToolBar\BearshareMediabarDx.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{74322BF9-DF26-493f-B0DA-6D2FC5E6429E}]
2010-10-19 12:53 585136 ----a-w- c:\progra~1\BEARSH~1\MediaBar\Datamngr\IEBHO.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{0974BA1E-64EC-11DE-B2A5-E43756D89593}"= "c:\progra~1\BEARSH~1\MediaBar\ToolBar\BearshareMediabarDx.dll" [2009-12-20 87480]
.
[HKEY_CLASSES_ROOT\clsid\{0974ba1e-64ec-11de-b2a5-e43756d89593}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-05-13 26192168]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DrvIcon"="c:\program files\Vista Drive Icon\DrvIcon.exe" [2008-04-13 49152]
"TCtryIOHook"="TCtrlIOHook.exe" [2007-06-30 28672]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-07-26 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-07-26 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-07-26 138008]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-03-06 819200]
"RTHDCPL"="RTHDCPL.EXE" [2007-08-10 16384000]
"CeEKEY"="c:\program files\TOSHIBA\E-KEY\CeEKey.exe" [2006-04-12 638976]
"HWSetup"="c:\program files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [2004-05-01 28672]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2010-01-13 37888]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"SecurDisc"="c:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2007-05-15 1628208]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]
"_nltide_3"="advpack.dll" [2009-03-08 128512]
.
c:\documents and settings\Default User\Menu Start\Programy\Autostart\
Styler.lnk - c:\documents and settings\Ami\Dane aplikacji\Microsoft\Installer\{E9ECF354-2422-4FDB-9ABF-D8ADAC0EF941}\_585b207a.exe [2010-3-22 15086]
.
c:\documents and settings\Administrator\Menu Start\Programy\Autostart\
Styler.lnk - c:\documents and settings\Ami\Dane aplikacji\Microsoft\Installer\{E9ECF354-2422-4FDB-9ABF-D8ADAC0EF941}\_585b207a.exe [2010-3-22 15086]
.
c:\documents and settings\Ami\Menu Start\Programy\Autostart\
Styler.lnk - c:\documents and settings\Ami\Dane aplikacji\Microsoft\Installer\{E9ECF354-2422-4FDB-9ABF-D8ADAC0EF941}\_585b207a.exe [2010-3-22 15086]
.
c:\documents and settings\All Users\Menu Start\Programy\Autostart\
Bluetooth Monitor.lnk - c:\program files\TOSHIBA\Bluetooth Monitor\BtMon2.exe [2010-3-22 69632]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Gadu-Gadu 10\\gg.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Documents and Settings\\Ami\\Dane aplikacji\\xcmwpz2caloc2bxvrxkp3cnehepjx3vv2\\svcnost.exe"=
"c:\\Documents and Settings\\Ami\\Dane aplikacji\\xd2r2tfjflvckzzc1rzoejsh2wclfm232\\svcnost.exe"=
"c:\\Documents and Settings\\Ami\\Dane aplikacji\\jrflcpyzaxdqcivn2rcqkmfgjasmcqo2\\csrss.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"22672:TCP"= 22672:TCP:BitComet 22672 TCP
"22672:UDP"= 22672:UDP:BitComet 22672 UDP
.
S1 aswSP;aswSP; [x]
S2 aswFsBlk;aswFsBlk; [x]
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-10 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2010-03-25 21:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.pl/
uInternet Settings,ProxyServer = http=127.0.0.1:51758
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-inetserv - c:\windows\system32\inetserv.exe
HKCU-Run-eqrnovvaa - c:\documents and settings\Ami\eqrnovvaa.exe
HKCU-Run-eqrnovvaZ - c:\documents and settings\Ami\eqrnovvaZ.exe
HKLM-Run-conhost - c:\documents and settings\Ami\Dane aplikacji\Microsoft\conhost.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-10 22:30
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(384)
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\cscui.dll
.
- - - - - - - > 'lsass.exe'(440)
c:\windows\system32\setupapi.dll
.
- - - - - - - > 'explorer.exe'(3076)
c:\windows\system32\SHDOCVW.dll
c:\windows\system32\WININET.dll
c:\windows\system32\COMRes.dll
c:\windows\System32\cscui.dll
c:\windows\system32\LINKINFO.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\NETSHELL.dll
c:\windows\system32\credui.dll
c:\windows\system32\MSVCP60.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
c:\program files\Common Files\Nero\SMC\NeroDigitalExt.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.POL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\SCardSvr.exe
c:\windows\system32\netdde.exe
c:\windows\system32\TCtrlIOHook.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\igfxsrvc.exe
c:\progra~1\BEARSH~1\MediaBar\Datamngr\DATAMN~1.EXE
c:\windows\system32\agrsmsvc.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Nero\Nero 7\InCD\InCDsrv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\wbem\wmiapsrv.exe
.
**************************************************************************
.
Completion time: 2011-03-10 22:33:47 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-10 21:33
ComboFix2.txt 2010-06-02 19:33
.
Pre-Run: 12 866 195 456 bytes free
Post-Run: 12 815 261 696 bytes free
.
- - End Of File - - 55DBAF543927A76AEC014FE036C9D063
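The items in this log that actually matter are scattered across it: the browser proxy forced through 127.0.0.1:51758 (a local process sitting between the browser and the network), Security Center told to ignore the state of the antivirus and firewall, the Windows Firewall switched off with exceptions for svcnost.exe and csrss.exe living in random-named folders under Dane aplikacji, Sigcheck rows marked [-], and core files ComboFix reports as infected or missing. The script below is an added example, not ComboFix's code and not posted by the log's author: it pulls those indicators out of log lines so a helper can see the priorities at a glance. The sample lines embedded in it are excerpted from this log; the category names, the "one character away from a system binary name" test and the "long lowercase alphanumeric folder name" heuristic are my own choices, and the regexes expect ComboFix's English strings (the Polish forms printed in the original are accepted as well).

```python
"""Triage a ComboFix log for the indicators seen in the log above.

Added example; not ComboFix's own code. Each Finding names a category and the
offending value. English ComboFix strings are matched; the Polish forms from the
original log are accepted too.
"""
import re
from dataclasses import dataclass

# Core binaries malware likes to impersonate; svcnost.exe is svchost.exe with
# one letter changed.
SYSTEM_NAMES = {"csrss.exe", "svchost.exe", "lsass.exe", "winlogon.exe",
                "conhost.exe", "explorer.exe", "services.exe", "smss.exe"}
PROFILE_DIRS = ("\\documents and settings\\", "\\users\\")

# Constructed sample: lines excerpted from the log above. ComboFix prints
# firewall exception paths with doubled backslashes.
SAMPLE_LOG = r'''
uInternet Settings,ProxyServer = http=127.0.0.1:51758
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"EnableFirewall"= 0 (0x0)
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Documents and Settings\\Ami\\Dane aplikacji\\xcmwpz2caloc2bxvrxkp3cnehepjx3vv2\\svcnost.exe"=
"c:\\Documents and Settings\\Ami\\Dane aplikacji\\jrflcpyzaxdqcivn2rcqkmfgjasmcqo2\\csrss.exe"=
[-] 2010-01-17 . 335813EACD16E84F3047A3326F6E5473 . 549888 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
[7] 2008-04-14 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\ndis.sys
c:\windows\regedit.exe . . . is infected!!
c:\windows\System32\drivers\tcpip.sys ... - is missing !!
'''


@dataclass(frozen=True)
class Finding:
    category: str
    detail: str


def near_system_name(exe):
    """True if exe is a core system binary name or one character away from one."""
    exe = exe.lower()
    if exe in SYSTEM_NAMES:
        return True
    return any(len(s) == len(exe) and sum(a != b for a, b in zip(s, exe)) == 1
               for s in SYSTEM_NAMES)


def random_looking(name):
    """Long lowercase alphanumeric name mixing letters and digits, like the
    Dane aplikacji folders in the log; vendor folders rarely look like this."""
    return (len(name) >= 16 and re.fullmatch(r"[a-z0-9]+", name) is not None
            and any(c.isdigit() for c in name) and any(c.isalpha() for c in name))


def triage(lines):
    findings = []
    for raw in lines:
        line = raw.strip().replace("\\\\", "\\")  # collapse escaped backslashes
        if not line:
            continue
        m = re.search(r"ProxyServer\s*=\s*(\S+)", line, re.I)
        if m and re.search(r"(127\.0\.0\.1|localhost):\d+", m.group(1)):
            findings.append(Finding("localhost_proxy", m.group(1)))
        m = re.match(r'"(AntiVirusOverride|FirewallOverride)"=dword:0*1$', line, re.I)
        if m:
            findings.append(Finding("security_center_override", m.group(1)))
        if re.match(r'"EnableFirewall"\s*=\s*0\b', line, re.I):
            findings.append(Finding("firewall_disabled", line))
        m = re.match(r'"([a-z%][^"]*\.exe)"=$', line, re.I)  # AuthorizedApplications row
        if m:
            path = m.group(1)
            if any(p in path.lower() for p in PROFILE_DIRS):
                findings.append(Finding("firewall_exception_in_profile", path))
            if near_system_name(path.rsplit("\\", 1)[-1]):
                findings.append(Finding("system_name_lookalike", path))
        if line.startswith("[-]"):  # Sigcheck: file does not match the known-good copy
            findings.append(Finding("sigcheck_mismatch", line.rsplit(" . . ", 1)[-1]))
        m = re.match(r"(.+?) \. \. \. (?:is infected|jest zainfekowany)!!$", line)
        if m:
            findings.append(Finding("infected", m.group(1)))
        m = re.match(r"(.+?) \.\.\. - (?:is missing|brak elementu) !!$", line)
        if m:
            findings.append(Finding("missing_system_file", m.group(1)))
        for comp in re.split(r"[\\/]", line.lower()):  # one random-looking dir per line
            comp = comp.strip('"= ')
            if random_looking(comp):
                findings.append(Finding("random_dir_name", comp))
                break
    return findings


def triage_sample():
    """Run the checks over the constructed sample above."""
    return triage(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for f in triage_sample():
        print(f"{f.category:32} {f.detail}")
```

Feed it a whole ComboFix.txt with `triage(open(path, encoding="cp1250", errors="replace"))` and the output is the short list to act on first: the proxy setting and the Security Center overrides are what a fake-AV or proxy-hijacking trojan leaves behind, and the [-] rows (winlogon.exe, user32.dll, explorer.exe, comres.dll, sfcfiles.dll, hnetcfg.dll here) plus the infected regedit.exe and midimap.dll mean the system binaries themselves need replacing from known-good copies, not just the dropped files.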