ComboFix log
[code]
ComboFix 09-04-14.09 - Ja 2009-04-14 21:37.1 - [color=red][b]FAT32[/b][/color]x86
Microsoft Windows XP Professional 5.1.2600.3.1250.48.1045.18.511.333 [GMT 2:00]
Running from: c:\documents and settings\Ja\Pulpit\ComboFix.exe
* Created a new restore point
WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED
.
((((((((((((((((((((((((((((((((((((((( Deleted )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\autorun.inf
c:\documents and settings\All Users\Dane aplikacji\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Dane aplikacji\Microsoft\Network\Downloader\qmgr1.dat
C:\MS32DLL.dll.vbs
c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013
c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini
c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013\spoolsv.exe
c:\windows\dhcp\svchost.exe
c:\windows\MS32DLL.dll.vbs
c:\windows\system32\6to4v32.dll
c:\windows\system32\at1394.sys
c:\windows\system32\bversion.dll
c:\windows\system32\fhpatch.dll
c:\windows\system32\fiplock.dll
c:\windows\system32\IPHACTION.dll
c:\windows\system32\iphy.dll
c:\windows\system32\IpSvchostF.dll
c:\windows\system32\kr_done1
D:\Autorun.inf
D:\MS32DLL.dll.vbs
----- BITS: Possible infected sites -----
hxxp://www.hhdsoftware.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_6TO4
-------\Legacy_AT1394
-------\Legacy_DHCPSRV
-------\Service_6to4
-------\Service_at1394
-------\Service_DhcpSrv
((((((((((((((((((((((((( Files created from 2009-03-14 to 2009-04-14 )))))))))))))))))))))))))))))))
.
2009-04-14 19:40 . 2009-04-14 19:40 0 ------w c:\windows\system32\IpSvchostF.dll
2009-04-14 18:20 . 2008-06-25 22:26 335104 ----a-w c:\windows\system32\drivers\RTL8187B.sys
2009-04-14 15:06 . 2009-04-14 15:06 -------- d-sh--w C:\FOUND.010
2009-04-14 10:44 . 2009-04-14 10:45 735232 ----a-w c:\windows\system32\AdvOcr.dll
2009-04-14 09:38 . 2009-04-14 09:42 32137216 ----a-w c:\windows\system32\TRSOCR.dat
2009-04-14 04:22 . 2009-04-14 04:22 61440 ----a-w c:\windows\system32\tcpd.exe
2009-04-14 04:22 . 2009-04-14 04:22 20480 ----a-w c:\windows\system32\AUTMGR.EXE
2009-04-14 04:22 . 2009-04-14 04:22 10240 ----a-w c:\windows\system32\Packer.dll
2009-04-14 04:22 . 2009-04-14 04:22 1018368 ----a-w c:\windows\system32\kernel32_check.dll
2009-04-14 04:22 . 2009-04-14 04:22 172032 ----a-w c:\windows\system32\tcpcon.dll
2009-04-14 04:22 . 2009-04-14 04:22 108336 ----a-w c:\windows\system32\MSWINSCK.OCX
2009-04-14 04:22 . 2009-04-14 04:22 -------- d-----w c:\windows\system32\3361
2009-04-14 04:22 . 2009-04-14 04:22 -------- d-----w c:\windows\dhcp
2009-04-12 07:22 . 2009-04-12 07:22 -------- d-sh--w C:\FOUND.009
2009-04-10 19:07 . 2009-04-10 19:07 67 ----a-w c:\windows\system32\Monitor.inf
2009-04-10 19:07 . 2009-04-11 11:39 1462 ----a-w c:\windows\system32\LexFiles.usr
2009-04-10 19:07 . 2009-04-10 19:07 8521 ----a-w c:\windows\lmpcl2a.ini
2009-04-10 18:38 . 2009-04-10 18:38 -------- d-----w c:\documents and settings\Ja\Dane aplikacji\Skype
2009-04-10 18:37 . 2009-04-10 18:37 -------- d-----w c:\documents and settings\All Users\Dane aplikacji\Skype
2009-04-10 12:40 . 2009-04-10 12:40 55808 ---h--w c:\documents and settings\Ja\tokqmio.exe
2009-04-10 12:40 . 2009-04-10 12:40 55808 ----a-w c:\windows\system32\sfhgxi.exe
2009-04-10 10:51 . 2009-04-10 10:51 -------- d-----w c:\documents and settings\All Users\Dane aplikacji\Mixesoft
2009-04-09 14:48 . 2009-04-11 15:48 205 ----a-w c:\windows\wcx_ftp.ini
2009-04-09 14:47 . 2009-04-09 14:47 -------- d-----w c:\documents and settings\Ja\Ustawienia lokalne\Dane aplikacji\Help
2009-04-09 14:46 . 2007-09-14 05:02 545 ----a-w c:\windows\UC.PIF
2009-04-09 14:46 . 2007-09-14 05:02 545 ----a-w c:\windows\RAR.PIF
2009-04-09 14:46 . 2007-09-14 05:02 545 ----a-w c:\windows\PKZIP.PIF
2009-04-09 14:46 . 2007-09-14 05:02 545 ----a-w c:\windows\PKUNZIP.PIF
2009-04-09 14:46 . 2007-09-14 05:02 545 ----a-w c:\windows\NOCLOSE.PIF
2009-04-09 14:46 . 2007-09-14 05:02 545 ----a-w c:\windows\LHA.PIF
2009-04-09 14:46 . 2007-09-14 05:02 545 ----a-w c:\windows\ARJ.PIF
2009-04-09 14:46 . 2009-04-11 15:51 1446 ----a-w c:\windows\wincmd.ini
2009-04-09 14:46 . 2009-04-09 14:46 -------- d-----w C:\totalcmd
2009-04-09 09:33 . 2006-05-24 09:04 133 ----a-w c:\windows\system32\ftdiun2k.ini
2009-04-09 09:33 . 2006-05-24 08:47 106496 ----a-w c:\windows\system32\ftbusui.dll
2009-04-09 09:33 . 2006-05-24 08:45 176128 ----a-w c:\windows\system32\ftd2xx.dll
2009-04-09 09:33 . 2006-05-24 08:42 102400 ----a-w c:\windows\system32\FTLang.dll
2009-04-09 09:33 . 2006-05-24 08:40 188416 ----a-w c:\windows\system32\ftdiunin.exe
2009-04-09 09:33 . 2006-05-19 09:51 33360 ----a-w c:\windows\system32\ftserui2.dll
2009-04-09 09:33 . 2006-05-18 07:49 61067 ----a-w c:\windows\system32\drivers\ftser2k.sys
2009-04-09 09:33 . 2006-05-18 07:48 47249 ----a-w c:\windows\system32\drivers\ftdibus.sys
2009-04-08 22:47 . 2009-04-08 22:47 -------- d-----w C:\lexmark
2009-04-04 14:35 . 2009-04-04 14:35 -------- d-----w c:\documents and settings\Ja\Dane aplikacji\EditPlus 3
2009-04-03 21:32 . 2009-04-08 18:21 32 ----a-w C:\ProgDVB.ini
2009-04-01 23:06 . 2009-04-01 23:14 1266 ----a-w C:\Nowy Dokument sformatowany.rtf
2009-04-01 21:25 . 2009-04-01 21:25 15631 ----a-w C:\kkkkkkkkkkll.rtf
2009-04-01 21:25 . 2009-04-01 23:14 2422 ----a-w C:\Bibliografia1452.rtf
2009-03-29 19:31 . 2009-03-29 19:31 -------- d-----w c:\documents and settings\Ja\Dane aplikacji\Radmin Communication Client
2009-03-29 18:22 . 2009-03-29 18:22 -------- d-----w c:\documents and settings\Ja\Dane aplikacji\Radmin
2009-03-29 18:21 . 2009-03-29 18:21 -------- d-----w c:\documents and settings\Ja\Ustawienia lokalne\Dane aplikacji\Downloaded Installations
2009-03-24 04:09 . 2009-03-24 04:09 -------- d-sh--w C:\FOUND.008
2009-03-23 19:24 . 2009-03-23 19:24 -------- d-----w c:\documents and settings\Ja\Dane aplikacji\teamspeak2
2009-03-23 19:24 . 2009-03-23 19:24 34064 ----a-w c:\windows\system32\lhacm.acm
2009-03-21 16:49 . 2009-03-21 16:49 -------- d-----w c:\documents and settings\Ja\Dane aplikacji\mIRC
2009-03-21 13:59 . 2009-03-21 13:44 60112 ----a-w C:\SatBazaar CardServer.ini
2009-03-21 13:42 . 2009-03-21 13:42 641635 ----a-w C:\Pulpit.rar
2009-03-20 12:07 . 2009-03-20 12:07 -------- d-sh--w C:\FOUND.007
2009-03-17 18:41 . 2009-03-17 18:41 -------- d-----w c:\documents and settings\Ja\Dane aplikacji\OpenOffice.org
.
(((((((((((((((((((((((((((((((((((((((( Find3M report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-14 10:45 . 2009-04-14 10:45 -------- d-----w c:\program files\LanqiEngine
2009-04-14 04:21 . 2009-04-14 04:21 -------- d-sh--r c:\program files\ThunMail
2009-04-13 11:48 . 2009-04-13 11:48 -------- d-----w c:\program files\HHD Software
2009-04-12 09:30 . 2009-04-12 09:30 -------- d-----w c:\program files\AnalogX
2009-04-11 12:19 . 2009-04-11 12:19 -------- d-----w c:\program files\newcs
2009-04-10 18:37 . 2009-04-10 18:37 -------- d-----r c:\program files\Skype
2009-04-08 23:19 . 2009-04-08 23:19 -------- d-----w c:\program files\Lexmark
2009-04-08 23:03 . 2009-04-08 23:03 -------- d-----w c:\program files\Lexmark_HostCD
2009-04-04 14:35 . 2009-04-04 14:35 -------- d-----w c:\program files\EditPlus 3
2009-03-30 17:32 . 2009-03-30 17:32 -------- d-----w c:\program files\Ventrilo
2009-03-30 17:32 . 2009-03-30 17:32 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-23 19:23 . 2009-03-23 19:23 -------- d-----w c:\program files\Teamspeak2_RC2
2009-03-21 18:50 . 2008-11-02 11:51 130225 ----a-w c:\windows\War3Unin.dat
2009-03-21 16:49 . 2009-03-21 16:49 -------- d-----w c:\program files\mIRC
2009-03-16 13:12 . 2009-03-16 13:12 -------- d-----w c:\program files\No-IP
2009-03-11 12:53 . 2009-03-11 12:53 -------- d-----w c:\program files\DotAzilla
2009-03-07 04:27 . 2009-03-07 04:27 -------- d-----w c:\program files\TVAnts
2009-03-06 19:28 . 2009-03-06 19:28 -------- d-----w c:\documents and settings\All Users\Dane aplikacji\PC Suite
2009-03-06 19:28 . 2009-03-06 19:28 -------- d-----w c:\documents and settings\Ja\Dane aplikacji\Nokia
2009-03-06 19:27 . 2009-03-06 19:27 -------- d-----w c:\program files\Common Files\PCSuite
2009-03-06 19:27 . 2009-03-06 19:27 -------- d-----w c:\program files\DIFX
2009-03-06 19:27 . 2009-03-06 19:27 -------- d-----w c:\documents and settings\Ja\Dane aplikacji\PC Suite
2009-03-06 19:27 . 2009-03-06 19:27 -------- d-----w c:\program files\PC Connectivity Solution
2009-03-06 19:27 . 2009-03-06 19:27 -------- d-----w c:\program files\Nokia
2009-03-03 18:51 . 2009-03-03 18:51 -------- d-----w c:\program files\Microsoft Silverlight
2009-02-26 21:01 . 2001-10-26 16:15 88946 ----a-w c:\windows\system32\perfc015.dat
2009-02-26 21:01 . 2001-10-26 16:15 500482 ----a-w c:\windows\system32\perfh015.dat
2009-02-22 22:06 . 2009-02-22 22:06 -------- d-----w c:\program files\ALLPlayer
2009-02-19 18:36 . 2009-02-19 18:36 -------- d-----w c:\documents and settings\All Users\Dane aplikacji\CMUV
2009-02-19 15:40 . 2009-02-19 15:40 -------- d-----w c:\documents and settings\All Users\Dane aplikacji\WebcamMax
2009-02-19 15:40 . 2009-02-19 15:40 -------- d-----w c:\documents and settings\Ja\Dane aplikacji\Webcammax
2009-02-19 15:39 . 2009-02-19 15:39 -------- d-----w c:\program files\WebcamMax
2009-02-18 12:35 . 2009-02-18 12:35 -------- d-----w c:\documents and settings\Ja\Dane aplikacji\Hamachi
2009-02-18 12:35 . 2009-02-18 12:35 25280 ----a-w c:\windows\system32\drivers\hamachi.sys
2009-02-18 12:35 . 2009-02-18 12:35 -------- d-----w c:\program files\Hamachi
2009-02-18 11:41 . 2009-02-18 11:41 -------- d-----w c:\program files\DVBViewerTE
2009-02-18 11:32 . 2008-11-02 11:22 18064 ----a-w c:\documents and settings\Ja\Ustawienia lokalne\Dane aplikacji\GDIPFONTCACHEV1.DAT
2009-02-18 11:22 . 2009-02-18 11:22 -------- d-----w c:\program files\TechniSat DVB
2009-02-09 13:07 . 2008-11-04 18:03 1847040 ------w c:\windows\system32\dllcache\win32k.sys
2009-02-09 13:07 . 2004-08-03 20:37 1847040 ----a-w c:\windows\system32\win32k.sys
2008-12-08 00:34 . 2008-12-08 00:34 64200 ----a-w c:\documents and settings\LocalService\Ustawienia lokalne\Dane aplikacji\FontCache3.0.0.0.dat
2008-11-02 11:45 . 2008-11-02 11:45 127 ----a-w c:\documents and settings\Ja\Ustawienia lokalne\Dane aplikacji\fusioncache.dat
.
------- Sigcheck -------
[-] 2008-04-14 16:21 1054208 AAEBA0C87B518C7513508E290E2A82C2 c:\windows\explorer.exe
[-] 2004-08-03 20:44 1033728 3E336EC099D0DD6FBF6AF87168CA0CFA c:\windows\$NtServicePackUninstall$\explorer.exe
[-] 2008-04-14 16:21 1035264 3BE726B6102EF26A0ECAAE2829B98000 c:\windows\ServicePackFiles\i386\explorer.exe
[-] 2008-04-14 16:21 34304 129F7C2B06CB8D0B0C40F1ECE92FA673 c:\windows\system32\ctfmon.exe
[-] 2004-08-03 20:44 15360 8D43EB834AC8FCE4882042DDCC42CC8D c:\windows\$NtServicePackUninstall$\ctfmon.exe
[-] 2008-04-14 16:21 15360 B4D52F34422B137557CFA0FD03C1F673 c:\windows\ServicePackFiles\i386\ctfmon.exe
[-] 2008-04-14 16:21 76800 FA21C19679FC287B26BA1CFF4D4C9794 c:\windows\system32\spoolsv.exe
[-] 2004-08-03 20:44 57856 B7029F654F97C7D42D54607B30B79F24 c:\windows\$NtServicePackUninstall$\spoolsv.exe
[-] 2008-04-14 16:21 57856 9B9A0D458F8466A82B19AC74D0C76D22 c:\windows\ServicePackFiles\i386\spoolsv.exe
[-] 2008-04-14 16:21 45568 EE058C387E9BF12A9962ADEFDAB415D5 c:\windows\system32\userinit.exe
[-] 2004-08-03 20:44 25088 420086D185BA614FEDEF5E0084763F34 c:\windows\$NtServicePackUninstall$\userinit.exe
[-] 2008-04-14 16:21 26624 78EE01CA82052F8A6D0B508F9A2C8E3E c:\windows\ServicePackFiles\i386\userinit.exe
[-] 2009-04-14 04:22 1018368 E1FE6F383D5D4BF436E87153471F593B c:\windows\system32\kernel32.dll
[7] 2004-08-03 20:44 1012224 578BB2F44597CB53451DED99013573F3 c:\windows\$NtServicePackUninstall$\kernel32.dll
[7] 2008-04-14 16:20 1018368 FCE4ECC34A36EDACF03DBE8DE5E28910 c:\windows\ServicePackFiles\i386\kernel32.dll
.
((((((((((((((((((((((((((((((((((((( Registry startup entries ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries and legitimate default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadu-Gadu"="c:\program files\Gadu-Gadu\gg.exe" [2008-03-20 2127296]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-03-27 24103720]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 360448]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"svchost.exe"="c:\windows\system32\3361\SVCHOST.exe" [2009-04-14 86016]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"svchost.exe"="c:\windows\system32\3361\SVCHOST.exe" [2009-04-14 86016]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 34304]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2004-08-25 49152]
"svc"="c:\program files\ThunMail\testabd.exe" [2009-04-14 66760]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\ThunMail\testabd.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^ATI CATALYST System Tray.lnk]
path=c:\documents and settings\All Users\Menu Start\Programy\Autostart\ATI CATALYST System Tray.lnk
backup=c:\windows\pss\ATI CATALYST System Tray.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ALLUpdate]
2008-11-24 18:44 888832 ----a-w c:\program files\ALLPlayer\ALLUpdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
2004-08-25 12:25 49152 ----a-w c:\program files\ATI Technologies\ATI.ACE\CLI.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
2008-04-14 16:21 34304 ----a-w c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 16:21 1714176 ------w c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NSLauncher]
2007-08-02 13:30 3117056 ----a-w c:\program files\Nokia\Nokia Software Launcher\NSLauncher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVRaidService]
2004-06-11 02:15 102912 ----a-r c:\windows\system32\nvraidservice.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sfhgxi]
2009-04-10 12:40 55808 ----a-w c:\windows\system32\sfhgxi.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-11-10 03:43 136600 ----a-w c:\program files\Java\jre6\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2008-09-12 15:45 55296 ----a-w c:\program files\Winamp\winampa.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2004-12-22 08:09 98304 ----a-w c:\windows\SOUNDMAN.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Spooler"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Rózne\\Programy\\Gadu-Gadu\\gg.exe"=
"c:\\Program Files\\Garena\\Garena.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Opera\\Opera.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Program Files\\TechniSat DVB\\bin\\Server4PC.exe"=
"c:\\Program Files\\DVBViewerTE\\ts_winlirc.exe"=
"c:\\Program Files\\Gadu-Gadu\\GG.EXE"=
"c:\\Program Files\\TVAnts\\Tvants.exe"=
"c:\\WINDOWS\\System32\\sfhgxi.exe"=
"c:\\Documents and Settings\\Ja\\tokqmio.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
S2 CAMTHWDM;WebcamMax, WDM Video Capture;c:\windows\system32\DRIVERS\CAMTHWDM.sys [2008-12-18 1051136]
S3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187B.sys [2008-06-25 335104]
S3 SKYNET;B2C2 Broadband Receiver PCI Adapter;c:\windows\system32\DRIVERS\SkyNET.SYS [2003-08-18 438776]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f6505027-a8d8-11dd-a2c3-806d6172696f}]
\Shell\AutoRun\command - E:\SETUP.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA844-CC51-11CF-AAFA-AABBCCDDEE02}]
rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\skrzynka.inf,profil.d
.
- - - - EMPTY ENTRIES REMOVED - - - -
MSConfigStartUp-MS32DLL - c:\windows\MS32DLL.dll.vbs
.
------- Supplementary scan -------
.
uStart Page = hxxp://www.onet.pl/
TCP: {409C892C-B3EC-486F-B363-C41BDC9DE80C} = 192.168.1.1
.
**************************************************************************
catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-14 21:40
Windows 5.1.2600 Service Pack 3 FAT NTAPI
detected NTDLL code modification:
ZwOpenFile
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1417001333-1770027372-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{2E3807A3-F029-40F5-9977-69F24BC18C2C}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"fakbfgfmdncc"=hex:6f,62,6f,70,67,67,6a,68,64,68,63,6d,63,6f,6e,68,66,70,62,69,
6b,65,6c,70,6b,70,6a,61,65,6a,62,6b,6a,65,64,6a,64,6e,62,6b,65,6a,68,64,62,\
.
--------------------- DLLs loaded under running processes ---------------------
- - - - - - - > 'winlogon.exe'(908)
c:\windows\system32\tcpcon.dll
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(2660)
c:\program files\Gadu-Gadu\ggwhook.dll
.
------------------------ Other running processes ------------------------
.
c:\windows\SYSTEM32\ATI2EVXX.EXE
c:\windows\SYSTEM32\LEXBCES.EXE
c:\windows\SYSTEM32\ATI2EVXX.EXE
c:\program files\IVT CORPORATION\BLUESOLEIL\BTNTSERVICE.EXE
c:\program files\JAVA\JRE6\BIN\JQS.EXE
c:\program files\NO-IP\DUC20.EXE
c:\windows\SYSTEM32\WDFMGR.EXE
c:\windows\SYSTEM32\WGATRAY.EXE
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: ~,10time:~,-3machine was rebootedCombobatch-by
ComboFix-quarantined-files.txt 2009-04-14 19:42
Before: 1 895 661 568 bytes free
After: 2 915 188 736 bytes free
291 --- E O F --- 2009-03-15 00:02[/code]
from HiJackThis
[code]Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:32:32, on 2009-04-14
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\dhcp\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Documents and Settings\Ja\tokqmio.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\3361\SVCHOST.exe
C:\Documents and Settings\Ja\Pulpit\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Hacked by Godzilla
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\Ja\tokqmio.exe \s
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [MS32DLL] C:\WINDOWS\MS32DLL.dll.vbs
O4 - HKLM\..\Run: [svchost.exe] "C:\WINDOWS\system32\3361\SVCHOST.exe"
O4 - HKLM\..\RunOnce: [svchost.exe] "C:\WINDOWS\system32\3361\SVCHOST.exe"
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [svc] c:\program Files\ThunMail\testabd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{409C892C-B3EC-486F-B363-C41BDC9DE80C}: NameServer = 192.168.1.1
O20 - AppInit_DLLs: c:\progra~1\ThunMail\testabd.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Dhcp server (DhcpSrv) - Unknown owner - C:\WINDOWS\dhcp\svchost.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\Lexbces.exe
O23 - Service: NoIPDUCService - Vitalwerks LLC - C:\Program Files\No-IP\DUC20.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 4421 bytes
[/code]
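As an added triage example (my code, not the poster's logs and not a feature of HijackThis or ComboFix): a small Python rule set run over lines copied from the HijackThis log above. It flags the indicators a responder would mark first in this post: the hijacked IE window title (R1), the extra program appended to UserInit (F2), the AppInit_DLLs entry (O20), copies of svchost.exe living outside the system directory (the dhcp\ service and the system32\3361\ Run entry), the script file in autostart (MS32DLL.dll.vbs) and an executable dropped straight into the profile root (tokqmio.exe). The rule names, the BORROWED_NAMES list, SYSTEM_DIRS and the profile-root heuristic are my assumptions; SAMPLE_LOG is a constructed excerpt of lines taken from the log in the post.

```python
"""Triage rules for HijackThis-style log lines (added example, not tool code)."""
import re
from typing import List, Tuple

# Assumption: on XP the real svchost.exe, spoolsv.exe, ... live here.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows"}
# Assumption: Windows binary names that malware commonly borrows.
BORROWED_NAMES = {"svchost.exe", "spoolsv.exe", "lsass.exe", "csrss.exe",
                  "winlogon.exe", "services.exe", "explorer.exe"}
USERINIT = r"c:\windows\system32\userinit.exe"

# A drive-letter path ending in an executable extension, terminated by
# whitespace, a quote, a comma or end of line (so "MS32DLL.dll.vbs" is one path).
PATH_RE = re.compile(
    r'[A-Za-z]:\\[^"\n]*?\.(?:exe|dll|vbs|scr|bat|cmd)(?=[\s",]|$)', re.I)
# Heuristic: an .exe directly under c:\documents and settings\<user>.
PROFILE_ROOT_RE = re.compile(r"^c:\\documents and settings\\[^\\]+$")

# Constructed excerpt: lines copied from the HijackThis log in the post.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\dhcp\svchost.exe
C:\Documents and Settings\Ja\tokqmio.exe
C:\WINDOWS\system32\3361\SVCHOST.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Hacked by Godzilla
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\Ja\tokqmio.exe \s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [MS32DLL] C:\WINDOWS\MS32DLL.dll.vbs
O4 - HKLM\..\Run: [svchost.exe] "C:\WINDOWS\system32\3361\SVCHOST.exe"
O20 - AppInit_DLLs: c:\progra~1\ThunMail\testabd.dll
O23 - Service: Dhcp server (DhcpSrv) - Unknown owner - C:\WINDOWS\dhcp\svchost.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\Lexbces.exe
"""


def split_path(path: str) -> Tuple[str, str]:
    """Return (directory, filename) of a Windows path, both lower-cased."""
    directory, _, name = path.lower().rpartition("\\")
    return directory, name


def check_line(line: str) -> List[Tuple[str, str]]:
    """Apply the triage rules to one log line; returns (rule, detail) pairs."""
    findings: List[Tuple[str, str]] = []
    line = line.strip()
    if not line:
        return findings
    tag = line.split(" - ", 1)[0]            # "O4", "F2", ... or a bare process path
    paths = PATH_RE.findall(line)

    if tag == "R1" and "Window Title = " in line:
        findings.append(("ie_title_hijack", line.split("Window Title = ", 1)[1]))
    if tag == "F2" and "UserInit=" in line:
        # Anything besides the genuine userinit.exe runs at every logon.
        findings.extend(("userinit_hijack", p) for p in paths if p.lower() != USERINIT)
    if tag == "O20":
        # AppInit_DLLs is injected into every process that loads user32.dll.
        findings.extend(("appinit_dll", p) for p in paths)
    for p in paths:
        directory, name = split_path(p)
        if name in BORROWED_NAMES and directory not in SYSTEM_DIRS:
            findings.append(("borrowed_system_name", p))
        if tag == "O4" and name.endswith((".vbs", ".bat", ".cmd")):
            findings.append(("script_in_autostart", p))
        if name.endswith(".exe") and PROFILE_ROOT_RE.match(directory):
            findings.append(("exe_in_profile_root", p))
    return findings


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Run check_line over every line of a log and collect the findings."""
    out: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        out.extend(check_line(line))
    return out


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"{rule:22} {detail}")
```

The rules deliberately key on location and loading mechanism rather than file names, so the same script flags `c:\windows\dhcp\svchost.exe` and `system32\3361\SVCHOST.exe` while leaving the four legitimate `system32\svchost.exe` instances alone; the profile-root heuristic is the noisiest and is meant as a prompt to look, not as a verdict.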