Hello, I used ComboFix and here is its entire log, which it showed me in Notepad. Please help, what next??? :?
ComboFix 10-03-11.02 - pilica 2010-03-11 21:12:18.4.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1250.48.1045.18.510.189 [GMT 1:00]
Run from: d:\documents and settings\pilica\Pulpit\ComboFix.exe
The following commands were used :: D:\CFScript.txt
FILE ::
"d:\windows\system32\sshij.dll"
.
((((((((((((((((((((((((( Files created from 2010-02-11 to 2010-03-11 )))))))))))))))))))))))))))))))
.
2010-03-11 19:42 . 2010-03-11 19:42 -------- d-----w- d:\documents and settings\pilica\Dane aplikacji\ArcaBit
2010-03-11 18:22 . 2010-03-11 18:27 -------- d-----w- d:\documents and settings\All Users\Dane aplikacji\Spybot - Search & Destroy
2010-03-11 18:22 . 2010-03-11 18:26 -------- d-----w- d:\program files\Spybot - Search & Destroy
2010-03-11 17:14 . 2010-03-11 17:14 -------- d-s---w- d:\documents and settings\pilica\UserData
2010-03-10 22:15 . 2010-02-27 19:46 3691384 ----a-w- d:\documents and settings\pilica\Dane aplikacji\Simply Super Software\Trojan Remover\aoqC.exe
2010-03-10 22:10 . 2010-03-11 07:45 -------- d---a-w- d:\documents and settings\All Users\Dane aplikacji\TEMP
2010-03-10 22:08 . 2010-03-10 22:08 -------- d-----w- d:\documents and settings\pilica\Dane aplikacji\Simply Super Software
2010-03-09 19:18 . 2010-03-09 19:18 -------- d-----w- d:\documents and settings\LocalService\Pulpit
2010-03-09 19:07 . 2010-03-09 19:07 -------- d-----w- d:\documents and settings\NetworkService\Ustawienia lokalne\Dane aplikacji\Google
2010-03-09 19:02 . 2010-03-09 19:02 -------- d-----w- d:\documents and settings\LocalService\Ustawienia lokalne\Dane aplikacji\Google
2010-03-09 19:02 . 2010-03-09 19:02 -------- d-----w- d:\program files\Google
2010-03-09 19:01 . 2010-03-10 19:18 -------- d-----w- d:\documents and settings\All Users\Dane aplikacji\Lavasoft
2010-03-09 18:49 . 2010-03-10 20:39 -------- d-----w- d:\program files\Anti Trojan Elite
2010-03-09 18:32 . 2010-03-11 19:46 -------- d-----w- d:\documents and settings\pilica\Dane aplikacji\ArcaVirMicroScan
2010-03-09 17:31 . 2010-03-09 17:31 -------- d-----w- d:\program files\AVG
2010-03-06 09:21 . 2010-03-06 09:21 439816 ----a-w- d:\documents and settings\pilica\Dane aplikacji\Real\Update\setup3.10\setup.exe
2010-02-21 07:34 . 2010-03-10 22:45 -------- d-----w- d:\documents and settings\pilica\Ustawienia lokalne\Dane aplikacji\Temp
2010-02-21 07:34 . 2010-03-10 22:44 -------- d-----w- d:\documents and settings\pilica\Ustawienia lokalne\Dane aplikacji\Google
.
(((((((((((((((((((((((((((((((((((((((( Find3M Section ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-11 17:52 . 2009-07-13 17:24 -------- d-----w- d:\documents and settings\pilica\Dane aplikacji\Skype
2010-03-11 17:49 . 2008-04-08 14:03 -------- d-----w- d:\documents and settings\pilica\Dane aplikacji\Lavasoft
2010-03-11 16:58 . 2009-07-16 14:54 -------- d-----w- d:\documents and settings\pilica\Dane aplikacji\skypePM
2010-03-11 07:35 . 2010-03-11 07:35 4096 ----a-w- d:\windows\system32\03.tmp
2010-03-10 22:22 . 2010-03-10 22:22 4096 ----a-w- d:\windows\system32\07.tmp
2010-03-10 20:43 . 2009-07-26 14:26 -------- d-----w- d:\program files\Common Files\Real
2010-03-10 20:15 . 2009-07-13 14:10 -------- d-----w- d:\documents and settings\pilica\Dane aplikacji\iPlus
2010-03-07 18:43 . 2010-03-07 18:43 4096 ----a-w- d:\windows\system32\08.tmp
2010-03-07 18:39 . 2010-03-07 18:39 4096 ----a-w- d:\windows\system32\06.tmp
2010-03-03 19:35 . 2010-03-03 19:35 4096 ----a-w- d:\windows\system32\05.tmp
2010-03-01 19:45 . 2009-12-16 14:10 -------- d-----w- d:\program files\Gadu-Gadu 10
2010-02-28 19:02 . 2010-02-28 19:02 4096 ----a-w- d:\windows\system32\04.tmp
2010-02-23 17:34 . 2008-03-26 18:29 -------- d-----w- d:\program files\Free TV Online
2010-02-23 17:33 . 2009-12-20 23:14 -------- d-----w- d:\program files\EasyLanguage
2010-02-22 21:57 . 2010-02-22 21:57 4096 ----a-w- d:\windows\system32\02.tmp
2010-02-22 21:56 . 2010-02-22 21:56 4096 ----a-w- d:\windows\system32\01.tmp
2010-01-31 09:53 . 2009-12-16 14:11 -------- d-----w- d:\documents and settings\pilica\Dane aplikacji\Gadu-Gadu 10
2010-01-24 20:01 . 2009-12-28 15:43 79488 ----a-w- d:\documents and settings\pilica\Dane aplikacji\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-14 10:12 . 2009-10-02 18:13 181120 ------w- d:\windows\system32\MpSigStub.exe
2009-12-31 16:14 . 2006-03-02 12:00 352640 ----a-w- d:\windows\system32\drivers\srv.sys
2009-12-22 05:43 . 2006-03-02 12:00 664576 ------w- d:\windows\system32\wininet.dll
2009-12-22 05:43 . 2006-03-02 12:00 81920 ----a-w- d:\windows\system32\ieencode.dll
2009-12-17 08:00 . 2008-03-19 21:13 345088 ----a-w- d:\windows\system32\mspaint.exe
2009-12-14 13:52 . 2006-03-02 12:00 68334 ----a-w- d:\windows\system32\perfc015.dat
2009-12-14 13:52 . 2006-03-02 12:00 439194 ----a-w- d:\windows\system32\perfh015.dat
2009-12-14 07:37 . 2006-03-02 12:00 33280 ----a-w- d:\windows\system32\csrsrv.dll
2008-04-07 09:21 . 2009-03-09 22:54 67696 ----a-w- d:\program files\mozilla firefox\components\jar50.dll
2008-04-07 09:21 . 2009-03-09 22:54 54376 ----a-w- d:\program files\mozilla firefox\components\jsd3250.dll
2008-04-07 09:21 . 2009-03-09 22:54 34952 ----a-w- d:\program files\mozilla firefox\components\myspell.dll
2008-04-07 09:21 . 2009-03-09 22:54 46720 ----a-w- d:\program files\mozilla firefox\components\spellchk.dll
2008-04-07 09:21 . 2009-03-09 22:54 172144 ----a-w- d:\program files\mozilla firefox\components\xpinstal.dll
2009-03-21 14:21 . 2006-03-02 12:00 168371 --sha-r- d:\windows\system32\mjpcqzqd.dll
.
((((((((((((((((((((((((((((( SnapShot@2010-03-11_07.39.15 )))))))))))))))))))))))))))))))))))))))))
.
- 2010-03-11 17:51 . 2010-03-11 17:51 16384 d:\windows\Temp\Perflib_Perfdata_5cc.dat
- 2010-03-11 07:32 . 2010-03-11 07:32 16384 d:\windows\Temp\Perflib_Perfdata_5cc.dat
.
((((((((((((((((((((((((((((((((((((( Registry startup entries ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries and legitimate default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{57BCA5FA-5DBB-45a2-B558-1755C3F6253B}"= "d:\program files\Winamp Toolbar\winamptb.dll" [2009-02-19 1262888]
[HKEY_CLASSES_ROOT\clsid\{57bca5fa-5dbb-45a2-b558-1755c3f6253b}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{74322BF9-DF26-493f-B0DA-6D2FC5E6429E}]
2009-05-04 10:56 398776 ----a-w- d:\program files\BearShare Applications\BearShare\BearShareIEHelper.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="d:\program files\Skype\Phone\Skype.exe" [2009-06-26 25604904]
"Gadu-Gadu 10"="d:\program files\Gadu-Gadu 10\gg.exe" [2010-01-20 12067432]
"SpybotSD TeaTimer"="d:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="d:\program files\Java\jre6\bin\jusched.exe" [2009-07-15 136600]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2004-10-27 61952]
"SoundMAXPnP"="d:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"NvCplDaemon"="d:\windows\system32\NvCpl.dll" [2006-08-11 7630848]
"nwiz"="nwiz.exe" [2006-08-11 1519616]
"NvMediaCenter"="d:\windows\system32\NvMcTray.dll" [2006-08-11 86016]
"NeroFilterCheck"="d:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Lexmark 1200 Series"="d:\program files\Lexmark 1200 Series\lxczbmgr.exe" [2006-07-13 57344]
"iPlusManager"="d:\program files\iPlus\iPlusChecker.exe" [2009-05-06 438272]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="d:\windows\system32\CTFMON.EXE" [2006-03-02 15360]
"DWQueuedReporting"="d:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
d:\documents and settings\All Users\Menu Start\Programy\Autostart\
Adobe Reader Speed Launch.lnk - d:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-10-13 16:24 1694208 ------w- d:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"=
"d:\Program Files\NetMeeting\conf.exe"=
"d:\Program Files\BearShare Applications\BearShare\BearShare.exe"=
"d:\Program Files\Gadu-Gadu 10\gg.exe"=
"d:\WINDOWS\system32\dpvsetup.exe"=
"d:\Program Files\Skype\Phone\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8461:TCP"= 8461:TCP:GoD High Port
"8462:TCP"= 8462:TCP:GoD Low Port
"6197:TCP"= 6197:TCP:stqspkwm
S0 vaxwqbq;vaxwqbq;d:\windows\system32\drivers\rsmmb.sys --> d:\windows\system32\drivers\rsmmb.sys [?]
S2 ATE_PROCMON;ATE_PROCMON;\??\d:\program files\Anti Trojan Elite\ATEPMon.sys --> d:\program files\Anti Trojan Elite\ATEPMon.sys [?]
S2 gupdate;Google Update Service (gupdate);d:\program files\Google\Update\GoogleUpdate.exe [2010-03-09 135664]
S2 wdwmfof;Helper Manager;d:\windows\system32\svchost.exe -k netsvcs [2006-03-02 14336]
S3 erfiikd;erfiikd;d:\windows\system32\04.tmp [2010-02-28 4096]
S3 flrsoyst;flrsoyst;d:\windows\system32\07.tmp [2010-03-10 4096]
S3 gwvfjsmsx;gwvfjsmsx;\??\d:\windows\system32\09.tmp --> d:\windows\system32\09.tmp [?]
S3 hzcwmkl;hzcwmkl;\??\d:\windows\system32\09.tmp --> d:\windows\system32\09.tmp [?]
S3 kmiaimvt;kmiaimvt;d:\windows\system32\02.tmp [2010-02-22 4096]
S3 oekuw;oekuw;d:\windows\system32\03.tmp [2010-03-11 4096]
S3 yxuagipzr;yxuagipzr;d:\windows\system32\03.tmp [2010-03-11 4096]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
wdwmfof
.
Contents of the 'Scheduled Tasks' folder
2010-03-11 d:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- d:\program files\Google\Update\GoogleUpdate.exe [2010-03-09 19:02]
2010-03-11 d:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- d:\program files\Google\Update\GoogleUpdate.exe [2010-03-09 19:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.bearshare.com/
IE: &Winamp Search - d:\documents and settings\All Users\Dane aplikacji\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - d:\documents and settings\pilica\Dane aplikacji\Mozilla\Firefox\Profiles\68crizxi.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www3.searchonthego.net/search.php?q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://search.bearshare.com/
FF - prefs.js: keyword.URL - hxxp://www3.searchonthego.net/search.php?q=
FF - component: d:\documents and settings\pilica\Dane aplikacji\Mozilla\Firefox\Profiles\68crizxi.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\components\WinampTBPlayer.dll
FF - component: d:\program files\Mozilla Firefox\components\xpinstal.dll
---- FIREFOX POLICIES ----
FF - user.js: browser.sessionstore.resume_from_crash - false
FF - user.js: browser.search.selectedEngine - Yoog Search
FF - user.js: keyword.URL - hxxp://www3.searchonthego.net/search.php?q=
FF - user.js: keyword.enabled - true
FF - user.js: browser.search.defaultenginename - Yoog Search
FF - user.js: browser.search.defaulturl - hxxp://www3.searchonthego.net/search.php?q=
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-11 21:16
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\erfiikd]
"ImagePath"="\??\d:\windows\system32\04.tmp"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\flrsoyst]
"ImagePath"="\??\d:\windows\system32\07.tmp"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gwvfjsmsx]
"ImagePath"="\??\d:\windows\system32\09.tmp"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hzcwmkl]
"ImagePath"="\??\d:\windows\system32\09.tmp"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\kmiaimvt]
"ImagePath"="\??\d:\windows\system32\02.tmp"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\oekuw]
"ImagePath"="\??\d:\windows\system32\03.tmp"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\yxuagipzr]
"ImagePath"="\??\d:\windows\system32\03.tmp"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wdwmfof]
"ServiceDll"="d:\windows\system32\mjpcqzqd.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(3904)
d:\windows\system32\msi.dll
.
Completion time: 2010-03-11 21:18:34
ComboFix-quarantined-files.txt 2010-03-11 20:18
ComboFix2.txt 2010-03-11 17:59
ComboFix3.txt 2010-03-11 17:21
ComboFix4.txt 2010-03-11 07:43
Pre-Run: 106 283 057 152 bytes free
Post-Run: 106 274 004 992 bytes free
- - End Of File - - C1DF2E9DB9BA2BB39BEA8A8F56BF20DB
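The script below is an added triage example, not code from the post, from ComboFix or from any reply; it reads the three ComboFix line types that carry the interesting indicators in this log (file entries with the 8-slot attribute flags, `[key]` / `"name"=value` registry dumps, and `S<start> name;display;image` service lines) and flags what stands out in the log above: services whose image is a `.tmp` file under system32, a `svchost.exe -k netsvcs` service whose ServiceDll is a system+hidden file (`--sha-r-`), `AntiVirusOverride` set in the Security Center key, and a firewall-opened port whose rule label looks machine-generated. `SAMPLE_LOG` is constructed from lines of the posted log and is not a complete ComboFix report; `RANDOM_LABEL_RE` is a heuristic assumption of mine, not a ComboFix rule.

```python
import re
import sys

# Constructed sample: lines excerpted from the ComboFix log posted above (not a complete log).
SAMPLE_LOG = r"""
2009-03-21 14:21 . 2006-03-02 12:00 168371 --sha-r- d:\windows\system32\mjpcqzqd.dll
2010-03-11 07:35 . 2010-03-11 07:35 4096 ----a-w- d:\windows\system32\03.tmp
2010-02-28 19:02 . 2010-02-28 19:02 4096 ----a-w- d:\windows\system32\04.tmp
2010-01-14 10:12 . 2009-10-02 18:13 181120 ------w- d:\windows\system32\MpSigStub.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8461:TCP"= 8461:TCP:GoD High Port
"6197:TCP"= 6197:TCP:stqspkwm
S2 gupdate;Google Update Service (gupdate);d:\program files\Google\Update\GoogleUpdate.exe [2010-03-09 135664]
S2 wdwmfof;Helper Manager;d:\windows\system32\svchost.exe -k netsvcs [2006-03-02 14336]
S3 erfiikd;erfiikd;d:\windows\system32\04.tmp [2010-02-28 4096]
S3 hzcwmkl;hzcwmkl;\??\d:\windows\system32\09.tmp --> d:\windows\system32\09.tmp [?]
S3 oekuw;oekuw;d:\windows\system32\03.tmp [2010-03-11 4096]
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wdwmfof]
"ServiceDll"="d:\windows\system32\mjpcqzqd.dll"
"""

# "<created> . <modified> <size|--------> <attrs> <path>"; attrs are 8 flag slots (d,-,s,h,a,-,w/r,-).
FILE_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d\s+(\S+)\s+([-dshawr]{8})\s+(.+)$")
# "S<start> name;display name;image [date size]"
SERVICE_RE = re.compile(r"^S(\d)\s+([^;]+);([^;]*);(.*?)(?:\s+\[[^\]]*\])?$")
KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
TMP_IN_SYSTEM32_RE = re.compile(r"\\system32\\[^\\]+\.tmp$")
# Heuristic (my assumption, not a ComboFix rule): a firewall rule label that is a single
# lowercase run of 6+ letters looks machine-generated; real labels have spaces or capitals.
RANDOM_LABEL_RE = re.compile(r"[a-z]{6,}")


def norm(path):
    """Lower-case a path and drop quotes and the NT '\\??\\' prefix ComboFix shows in ImagePath."""
    path = path.strip().strip('"')
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.lower()


def parse_files(text):
    """Map normalized path -> 8-char attribute flags for every file entry."""
    files = {}
    for line in text.splitlines():
        m = FILE_RE.match(line)
        if m:
            files[norm(m.group(3))] = m.group(2)
    return files


def parse_registry(text):
    """Map registry key -> {value name: raw value} from [key] / "name"=value lines."""
    reg, key = {}, None
    for line in text.splitlines():
        k = KEY_RE.match(line)
        if k:
            key = k.group(1)
            reg.setdefault(key, {})
            continue
        v = VAL_RE.match(line)
        if v and key is not None:
            reg[key][v.group(1)] = v.group(2).strip()
    return reg


def parse_services(text):
    """Map service name -> (start type, display name, normalized image command line)."""
    services = {}
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            image = m.group(4).split(" -->")[0]  # keep the registered path, not the resolved one
            services[m.group(2)] = (int(m.group(1)), m.group(3), norm(image))
    return services


def service_dll(reg, name):
    """ServiceDll of a svchost-hosted service, whichever ControlSet the dump came from."""
    suffix = "\\services\\" + name.lower()
    for key, vals in reg.items():
        if key.lower().endswith(suffix) and "ServiceDll" in vals:
            return norm(vals["ServiceDll"])
    return None


def triage(text):
    """Return (kind, subject, detail) tuples for the indicators this log exhibits."""
    files, reg, services = parse_files(text), parse_registry(text), parse_services(text)
    findings = []
    for name, (_start, _display, image) in services.items():
        if TMP_IN_SYSTEM32_RE.search(image):
            findings.append(("tmp_service", name, image))
        if "-k netsvcs" in image:
            dll = service_dll(reg, name)
            attrs = files.get(dll, "") if dll else ""
            if "s" in attrs and "h" in attrs:  # system+hidden DLL behind a netsvcs service
                findings.append(("hidden_servicedll", name, dll))
    for key, vals in reg.items():
        lk = key.lower()
        if lk.endswith("security center"):
            v = vals.get("AntiVirusOverride", "")
            if v.lower().startswith("dword:") and int(v[6:], 16) == 1:
                findings.append(("av_override", "AntiVirusOverride", 1))
        elif lk.endswith("globallyopenports\\list"):
            for port, rule in vals.items():
                label = rule.split(":", 2)[-1]
                if RANDOM_LABEL_RE.fullmatch(label):
                    findings.append(("odd_open_port", port, label))
    return findings


if __name__ == "__main__":
    # With a path argument, triage a saved ComboFix.txt (Polish XP writes it in cp1250).
    text = open(sys.argv[1], encoding="cp1250", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for kind, subject, detail in triage(text):
        print(f"{kind:18} {subject:12} {detail}")
```

Run it without arguments to see the findings for the excerpt, or pass a saved ComboFix.txt. The ServiceDll check is the one worth keeping around: a randomly named service hosted under `svchost.exe -k netsvcs` whose DLL carries the system and hidden attributes in system32 is the classic shape of a svchost-hosted loader, and ComboFix's file-attribute column makes that visible without touching the machine again.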