Log analysis after removal with ComboFix

Next, the log from the ComboFix removal run

here is the log:

ComboFix 08-04-04.1 - Rafal 2008-04-06 21:53:35.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.1586 [GMT 2:00]

Running from: C:\Documents and Settings\Rafal\Pulpit\ComboFix.exe

Command switches used :: C:\Documents and Settings\Rafal\Pulpit\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED!!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_FDREDIR

-------\Legacy_FILEDISK2

-------\Legacy_SMIHLP

-------\Service_FdRedir

-------\Service_FileDisk2

-------\Service_smihlp

((((((((((((((((((((((((( Files Created from 2008-03-06 to 2008-04-06 )))))))))))))))))))))))))))))))

.

2008-04-06 20:43 . 2008-04-06 20:43

2008-04-06 18:54 . 2008-04-06 18:54

2008-04-06 17:43 . 2008-04-06 17:43

2008-04-06 17:43 . 2008-04-06 17:44

2008-04-06 17:18 . 2008-04-06 21:43

2008-04-06 17:18 . 2008-04-06 17:18

2008-04-06 16:53 . 2008-04-06 17:33

2008-04-06 10:08 . 2008-04-06 10:08

2008-04-06 09:48 . 2008-04-06 09:48 40,496 --a------ C:\WINDOWS\system32\GDIPFONTCACHEV1.DAT

2008-04-05 20:52 . 2008-04-05 20:52

2008-04-05 18:16 . 2008-04-05 18:23

2008-03-21 08:45 . 2008-03-25 18:43

2008-03-21 08:44 . 2008-03-21 08:44

2008-03-21 08:44 . 2008-03-25 20:47

2008-03-21 08:20 . 2008-03-21 08:44

2008-03-20 03:35 . 2008-03-20 03:35 32 --a------ C:\Documents and Settings\All Users\Dane aplikacji\ezsid.dat

2008-03-20 03:34 . 2008-03-21 08:44

2008-03-20 00:40 . 2008-03-20 00:40

2008-03-20 00:40 . 2008-03-20 00:40

2008-03-18 08:39 . 2008-03-18 08:39 0 --a------ C:\WINDOWS\nsreg.dat

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-04-06 18:46 --------- d--h--w C:\Documents and Settings\Rafal\Dane aplikacji\AVG7

2008-04-06 16:53 --------- d-----w C:\Program Files\Winamp

2008-04-06 16:52 --------- d--h--w C:\Documents and Settings\Rafal\Dane aplikacji\Winamp

2008-04-06 15:43 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard

2008-04-05 19:43 --------- d--h--w C:\Documents and Settings\Rafal\Dane aplikacji\Azureus

2008-03-20 21:49 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\avg7

2008-02-25 13:05 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Apple Computer

2008-02-18 19:44 --------- d--h--w C:\Documents and Settings\Rafal\Dane aplikacji\ArcSoft

2008-02-18 18:21 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-02-18 18:21 --------- d-----w C:\Program Files\Common Files\ArcSoft

2008-02-18 18:20 --------- d-----w C:\Program Files\Philips

2008-02-10 07:47 --------- d-----w C:\Program Files\TOSHIBA

2008-02-10 07:28 --------- d--h--w C:\Documents and Settings\Rafal\Dane aplikacji\Protector Suite

2008-02-10 07:18 --------- d--h--w C:\Documents and Settings\Rafal\Dane aplikacji\Apple Computer

2008-02-10 07:17 --------- d-----w C:\Program Files\QuickTime

2008-02-10 07:16 --------- d-----w C:\Program Files\Apple Software Update

2008-02-10 07:16 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Apple

2008-02-10 07:07 --------- d-----w C:\Program Files\Common Files\Adobe

.

------- Sigcheck -------

2001-10-30 14:00 432640 306530c12f412868e2e85431250e68a1 C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe

2004-08-04 08:44 544256 87d414eba254e42649f4d0a00bb653c6 C:\WINDOWS\ServicePackFiles\i386\winlogon.exe

2004-08-04 08:44 544256 87d414eba254e42649f4d0a00bb653c6 C:\WINDOWS\system32\winlogon.exe

2004-08-04 08:44 504832 0344407089b08548d4feba62bb0f32d0 C:\WINDOWS\VistaMizer\old\winlogon.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:44 25088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TCtryIOHook"="TCtrlIOHook.exe" [2005-12-05 22:50 28672 C:\WINDOWS\system32\TCtrlIOHook.exe]

"TDispVol"="TDispVol.exe" [2005-12-27 21:22 73728 C:\WINDOWS\system32\TDispVol.exe]

"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 22:43 45056]

"RTHDCPL"="RTHDCPL.EXE" [2005-12-09 16:49 15691264 C:\WINDOWS\RTHDCPL.exe]

"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-09 00:46 579072]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 09:11 132496]

"HWSetup"="C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [2004-05-01 21:45 28672]

"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 06:16 39792]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-01 07:13 385024]

"phc710"="C:\WINDOWS\vphc700.exe" [2005-07-21 03:56 339968]

"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-04-01 20:49 36352]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 08:44 25088]

"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-09 00:36 219136]

C:\Documents and Settings\Rafal\Menu Start\Programy\Autostart\

Stardock ObjectDock.lnk - C:\Program Files\Stardock\ObjectDock\ObjectDock.exe [2008-03-20 00:40:49 3450608]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\

TrayMin710.exe.lnk - C:\Program Files\Philips\Philips SPC710NC Webcam\TrayMin710.exe [2008-02-18 20:20:47 278528]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"MSVideo8"= VfWWDM32.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe"=

"C:\Program Files\Grisoft\AVG7\avginet.exe"=

"C:\Program Files\Grisoft\AVG7\avgamsvr.exe"=

"C:\Program Files\Grisoft\AVG7\avgcc.exe"=

"C:\Program Files\Grisoft\AVG7\avgemc.exe"=

"%windir%\Network Diagnostic\xpnetdiag.exe"=

"C:\Program Files\Azureus\Azureus.exe"=

"C:\Program Files\Skype\Phone\Skype.exe"=

"C:\Program Files\Java\jre1.6.0_03\bin\javaw.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"49152:TCP"= 49152:TCP:BitTorrent

R3 TcUsb;TC USB Kernel Driver;C:\WINDOWS\system32\Drivers\tcusb.sys [2005-12-16 23:40]

R3 tosrfec;Bluetooth ACPI from TOSHIBA;C:\WINDOWS\system32\DRIVERS\tosrfec.sys [2005-09-09 22:47]

S3 phc700;USB PC Camera (phc710);C:\WINDOWS\system32\DRIVERS\phc700.sys [2005-06-07 22:21]

.

Contents of the 'Scheduled Tasks' folder

"2008-04-01 15:19:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"

- C:\Program Files\Apple Software Update\SoftwareUpdate.exe

.

**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-04-06 21:56:57

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

C:\WINDOWS\System32\Ati2evxx.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\WINDOWS\System32\wbem\wmiapsrv.exe

.

**************************************************************************

.

Completion time: 2008-04-06 21:59:12 - machine was rebooted

ComboFix-quarantined-files.txt 2008-04-06 19:59:09

ComboFix2.txt 2008-04-06 18:00:54

Pre-Run: 40,088,481,792 bajtów wolnych

Post-Run: 40,010,153,984 bajtów wolnych

.

2008-03-12 16:44:41 --- E O F ---

Do a startup optimization: http://cybertrash.netarteria.pl/cyber/index.php/topic,378.0.html

The log looks clean.

Scan with this: http://www.kaspersky.pl/virusscanner.html

If it finds anything, post the report.

If it is clean, manually delete the folder C:\Qoobox

Delete the ComboFix installer from the disk.

Turn System Restore on.

:)

Give the topic a specific title and fix the posts containing the logs. Otherwise I will impose consequences.

viewtopic.php?f=16&t=66889

viewtopic.php?f=16&t=213350