Hello, when I try to open a drive, the search results window (Search) opens instead.
log:
ComboFix 08-12-29.02 - xxx 2008-12-30 13:04:06.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.256.35 [GMT 1:00]
Uruchomiony z: c:\documents and settings\xxx\Pulpit\ComboFix.exe
* Utworzono nowy punkt przywracania
* Resident AV is active
UWAGA - TEN KOMPUTER NIE MA ZAINSTALOWANEJ KONSOLI ODZYSKIWANIA
.
((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\08dgu.com
C:\0w.com
C:\2u.com
C:\68.exe
C:\autorun.inf
C:\b.exe
C:\ev60a2.cmd
C:\itsduel.exe
C:\nq0cq.cmd
C:\ov.cmd
C:\rs.cmd
C:\u9dyi.exe
c:\windows\system32\Bitkv0.dll
c:\windows\system32\gasretyw1.dll
C:\wjlfhtfm.cmd
C:\xih9.cmd
D:\0.com
D:\08dgu.com
D:\0w.com
D:\1rfw8hjr.com
D:\2u.com
D:\6.bat
D:\68.exe
D:\Autorun.inf
D:\b.exe
D:\b3b9u.com
D:\bpu.exe
D:\ev60a2.cmd
D:\itsduel.exe
D:\lky.exe
D:\n.com
D:\nfdmg.com
D:\nq0cq.cmd
D:\ov.cmd
D:\rs.cmd
D:\t1ypkh.exe
D:\tyktjfww.exe
D:\u9dyi.exe
D:\vxl.exe
D:\wjlfhtfm.cmd
D:\xih9.cmd
E:\0.com
E:\08dgu.com
E:\0w.com
E:\1rfw8hjr.com
E:\2u.com
E:\6.bat
E:\68.exe
E:\Autorun.inf
E:\b.exe
E:\b3b9u.com
E:\bpu.exe
E:\ev60a2.cmd
E:\itsduel.exe
E:\lky.exe
E:\n.com
E:\nfdmg.com
E:\nq0cq.cmd
E:\ov.cmd
E:\rs.cmd
E:\t1ypkh.exe
E:\tyktjfww.exe
E:\u9dyi.exe
E:\vxl.exe
E:\wjlfhtfm.cmd
E:\xih9.cmd
.
((((((((((((((((((((((((( Pliki utworzone od 2008-11-28 do 2008-12-30 )))))))))))))))))))))))))))))))
.
2008-12-30 12:23 . 2008-12-30 12:23
2008-12-30 11:34 . 2008-12-30 13:05
2008-12-30 11:34 . 2008-07-09 17:27
2008-12-30 11:34 . 2008-07-09 15:33
2008-12-30 11:34 . 2008-07-09 17:27
2008-12-30 11:34 . 2008-07-09 17:27
2008-12-30 11:34 . 2008-07-09 17:27
2008-12-30 11:34 . 2008-07-09 17:27
2008-12-30 11:34 . 2008-12-30 11:35
2008-12-30 10:54 . 2008-12-30 11:08
2008-12-30 10:53 . 2008-12-30 11:09
2008-12-30 10:53 . 2008-12-30 10:52 512,096 --a------ c:\windows\system32\drivers\amon.sys
2008-12-30 10:53 . 2008-12-30 10:52 298,104 --a------ c:\windows\system32\imon.dll
2008-12-30 10:53 . 2008-12-30 10:52 15,424 --a------ c:\windows\system32\drivers\nod32drv.sys
2008-12-30 10:38 . 2008-12-30 10:38
2008-12-30 10:02 . 2008-12-30 11:20
2008-12-30 09:48 . 2008-12-30 10:16
2008-12-30 09:36 . 2008-12-30 09:36
2008-12-20 16:39 . 2008-12-08 21:16 107,045 -r-hs---- C:\1gk8ha.bat
2008-12-16 12:18 . 2008-12-08 21:16 107,045 -r-hs---- C:\p1y2.cmd
2008-12-14 20:37 . 2008-12-08 21:16 107,045 -r-hs---- C:\h3.bat
2008-12-10 16:40 . 2008-12-08 21:16 107,045 -r-hs---- C:\6fnlpetp.exe
2008-12-10 16:40 . 2008-12-26 14:45 85,504 -r-hs---- c:\windows\system32\vbsdfe1.dll
2008-12-09 15:31 . 2008-12-08 21:16 107,045 -r-hs---- C:\3rl3lqbq.bat
2008-12-09 15:30 . 2008-12-26 14:45 115,869 -r-hs---- c:\windows\system32\vamsoft.exe
2008-12-09 15:30 . 2008-12-30 11:51 85,504 -r-hs---- c:\windows\system32\vbsdfe0.dll
2008-12-03 17:46 . 2008-12-03 17:46 108,963 -r-hs---- C:\rcukd.cmd
2008-12-02 14:18 . 2008-12-02 14:18
2008-12-02 14:16 . 2008-12-02 14:16 43,520 --a------ c:\windows\system32\CmdLineExt03.dll
2008-12-02 14:15 . 2008-12-02 14:15
2008-12-02 14:14 . 2008-12-02 14:14
2008-12-02 14:14 . 2002-02-27 18:50 197,120 --a------ c:\windows\patchw32.dll
2008-11-30 21:38 . 2008-11-30 21:38
2008-11-30 18:00 . 2008-12-02 14:48 108,698 -r-hs---- C:\e.cmd
2008-11-28 00:58 . 2008-11-28 00:58 108,477 -r-hs---- C:\m2nl.bat
2008-11-26 23:22 . 2008-11-26 23:21 109,489 -r-hs---- C:\ij.bat
2008-11-18 19:23 . 2008-11-24 21:19 108,888 -r-hs---- C:\abk.bat
2008-11-17 13:23 . 2008-11-17 13:22 106,174 -r-hs---- C:\yannh.cmd
2008-11-12 12:52 . 2008-10-24 12:10 453,632 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-10 20:01 . 2008-11-11 09:47 108,271 -r-hs---- C:\whi.com
2008-11-10 20:00 . 2008-11-08 15:07 108,973 -r-hs---- C:\sq.com
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-30 11:53 --------- d-----w c:\documents and settings\All Users\Dane aplikacji\Microsoft Help
2008-12-30 11:04 --------- d-----w c:\program files\Neostrada TP
2008-12-30 11:03 --------- d-----w c:\program files\Google
2008-12-30 10:36 --------- d-----w c:\program files\Alwil Software
2008-12-30 10:03 --------- d-----w c:\documents and settings\xxx\Dane aplikacji\Autodesk
2008-12-30 10:03 --------- d-----w c:\documents and settings\All Users\Dane aplikacji\Autodesk
2008-12-30 10:01 --------- d-----w c:\program files\Common Files\InstallShield
2008-12-30 08:59 --------- d-----w c:\program files\BearShare
2008-12-30 08:36 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-30 08:22 --------- d-----w c:\program files\AutoCAD 2005
2008-12-05 19:58 --------- d-----w c:\documents and settings\xxx\Dane aplikacji\Skype
2008-11-11 08:48 --------- d-----w c:\documents and settings\xxx\Dane aplikacji\BearShare
2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll
2008-10-22 19:29 104,123 --sh--r C:\xlk9.com
2008-10-21 20:56 103,973 --sh--r C:\2fiji.com
2008-10-16 13:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 13:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 13:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 13:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 13:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 13:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 13:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 13:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 10:39 662,016 ----a-w c:\windows\system32\wininet.dll
2008-10-12 09:08 103,109 --sh--r C:\bo1dhu.bat
2008-10-08 17:58 101,132 --sh--r C:\n6t1h.cmd
2008-10-08 16:00 90,834 --sh--r C:\r1y1.bat
2008-10-07 06:55 92,932 --sh--r C:\ktnquo.exe
2008-10-03 17:56 90,911 --sh--r C:\kk3.bat
2008-10-03 10:17 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-10-01 17:54 101,735 --sh--r C:\otyh.cmd
2008-09-30 15:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 15:40 1,846,272 ----a-w c:\windows\system32\win32k.sys
2008-09-04 16:46 1,106,944 ----a-w c:\windows\system32\msxml3.dll
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D023EBF-70B8-45A6-9ED5-556515FA0FE4}]
2008-07-07 10:27 398776 --a------ c:\program files\BearShare Applications\BearShare MediaBar\BearShareIEHelper.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2008-12-30 949376]
"nwiz"="nwiz.exe" [2006-10-22 c:\windows\system32\nwiz.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2006-10-22 11:22 86016 c:\windows\system32\nvmctray.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-11-04 17:15 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vamsoft]
-r-hs---- 2008-12-26 14:45 115869 c:\windows\system32\vamsoft.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Pml Driver HPZ12"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"gusvc"=3 (0x3)
"Autodesk Licensing Service"=3 (0x3)
"NVSvc"=2 (0x2)
"avast! Web Scanner"=3 (0x3)
"avast! Mail Scanner"=3 (0x3)
"avast! Antivirus"=2 (0x2)
"aswUpdSv"=2 (0x2)
"Schedule"=2 (0x2)
"wscsvc"=2 (0x2)
"wuauserv"=2 (0x2)
"aspnet_state"=3 (0x3)
"clr_optimization_v2.0.50727_32"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"=
"c:\Program Files\BearShare\BearShare.exe"=
"c:\Program Files\Microsoft Office\Office12\GROOVE.EXE"=
"c:\Documents and Settings\xxx\Dane aplikacji\PowerChallenge\PowerSoccer\PowerSoccer.exe"=
"d:\sterowniki\Digital Imaging\bin\hpqtra08.exe"=
"d:\sterowniki\Digital Imaging\bin\hpqste08.exe"=
"d:\sterowniki\Digital Imaging\bin\hpofxm08.exe"=
"d:\sterowniki\Digital Imaging\bin\hposfx08.exe"=
"d:\sterowniki\Digital Imaging\bin\hposid01.exe"=
"d:\sterowniki\Digital Imaging\bin\hpqscnvw.exe"=
"d:\sterowniki\Digital Imaging\bin\hpqkygrp.exe"=
"d:\sterowniki\Digital Imaging\bin\hpqCopy.exe"=
"d:\sterowniki\Digital Imaging\bin\hpfccopy.exe"=
"d:\sterowniki\Digital Imaging\bin\hpzwiz01.exe"=
"d:\sterowniki\Digital Imaging\Unload\HpqPhUnl.exe"=
"d:\sterowniki\Digital Imaging\Unload\HpqDIA.exe"=
"d:\sterowniki\Digital Imaging\bin\hpoews01.exe"=
"d:\sterowniki\Digital Imaging\bin\hpqnrs08.exe"=
"e:\Skype\Phone\Skype.exe"=
"e:\Gadu-Gadu\gg.exe"=
"d:\Skype\Phone\Skype.exe"=
R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2008-12-30 15424]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0a02d7a0-8180-11dd-ae84-4d6564696130}]
\Shell\AutoRun\command - H:\2fiji.com
\Shell\explore\Command - H:\2fiji.com
\Shell\open\Command - H:\2fiji.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1338e720-832a-11dd-af4c-806d6172696f}]
\Shell\AutoRun\command - F:\31n3b2h.exe
\Shell\explore\Command - F:\31n3b2h.exe
\Shell\open\Command - F:\31n3b2h.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1338e721-832a-11dd-af4c-806d6172696f}]
\Shell\AutoRun\command - G:\31n3b2h.exe
\Shell\explore\Command - G:\31n3b2h.exe
\Shell\open\Command - G:\31n3b2h.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{18bfc5a0-88c5-11dd-af6f-000c6e9675d5}]
\Shell\AutoRun\command - H:\fooool.exe
\Shell\explore\Command - H:\fooool.exe
\Shell\open\Command - H:\fooool.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{31679910-620c-11dd-ad9e-4d6564696130}]
\Shell\AutoRun\command - H:\6fnlpetp.exe
\Shell\explore\Command - H:\6fnlpetp.exe
\Shell\open\Command - H:\6fnlpetp.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3cf99310-c879-11dd-b13c-4d6564696130}]
\Shell\AutoRun\command - H:\m9ma.exe
\Shell\explore\Command - H:\m9ma.exe
\Shell\open\Command - H:\m9ma.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{53285880-95d2-11dd-afd0-4d6564696130}]
\Shell\AutoRun\command - I:\08dgu.com
\Shell\explore\Command - I:\08dgu.com
\Shell\open\Command - I:\08dgu.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{55e65120-6241-11dd-ada2-000c6e9675d5}]
\Shell\AutoRun\command - xqf.com
\Shell\explore\Command - xqf.com
\Shell\open\Command - xqf.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6cb82d63-d64d-11dd-b16f-4d6564696130}]
\Shell\AutoRun\command - H:\iqe68o.bat
\Shell\explore\Command - H:\iqe68o.bat
\Shell\open\Command - H:\iqe68o.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{83d54a80-8bea-11dd-af8a-4d6564696130}]
\Shell\AutoRun\command - I:\b0j6j16.bat
\Shell\explore\Command - I:\b0j6j16.bat
\Shell\open\Command - I:\b0j6j16.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b6a915f0-9084-11dd-afb1-000c6e9675d5}]
\Shell\AutoRun\command - H:\abk.bat
\Shell\explore\Command - H:\abk.bat
\Shell\open\Command - H:\abk.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d44330b6-7f19-11dd-ae71-4d6564696130}]
\Shell\AutoRun\command - I:\fooool.exe
\Shell\explore\Command - I:\fooool.exe
\Shell\open\Command - I:\fooool.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d76b32e0-8a33-11dd-adf5-4d6564696130}]
\Shell\AutoRun\command - fooool.exe
\Shell\explore\Command - fooool.exe
\Shell\open\Command - fooool.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f3103a10-c070-11dd-b107-4d6564696130}]
\Shell\AutoRun\command - H:\e.cmd
\Shell\explore\Command - H:\e.cmd
\Shell\open\Command - H:\e.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f5a25510-91ee-11dd-afbe-4d6564696130}]
\Shell\AutoRun\command - H:\08dgu.com
\Shell\explore\Command - H:\08dgu.com
\Shell\open\Command - H:\08dgu.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ff7fac21-92c6-11dd-ae48-4d6564696130}]
\Shell\AutoRun\command - H:\2fiji.com
\Shell\explore\Command - H:\2fiji.com
\Shell\open\Command - H:\2fiji.com
*Newly Created Service* - PROCEXP90
.
- - - - USUNIĘTO PUSTE WPISY - - - -
MSConfigStartUp-kamsoft - c:\windows\system32\kamsoft.exe
.
------- Skan uzupełniający -------
.
uStart Page = hxxp://www.onet.pl/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Eksportuj do programu Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: { - c:\program files\Messenger\msmsgs.exe
LSP: c:\windows\system32\imon.dll
TCP: {04910802-3691-443D-9103-F0DFA89B732F} = 194.204.152.34 217.98.63.164
c:\windows\system32\SkanerOnlineUninstall.exe - c:\windows\system32\SkanerOnline.dll
O16 -: {68282C51-9459-467B-95BF-3C0E89627E55}
hxxp://www.mks.com.pl/skaner/SkanerOnline.cab
c:\windows\Downloaded Program Files\SkanerOnline.inf
FF - ProfilePath - c:\documents and settings\xxx\Dane aplikacji\Mozilla\Firefox\Profiles\wv3eo0jj.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.onet.pl/
FF - plugin: c:\program files\Java\j2re1.4.0_03\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.0_03\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.0_03\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.0_03\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.0_03\bin\NPJPI140_03.dll
FF - plugin: c:\program files\Java\j2re1.4.0_03\bin\NPOJI610.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-30 13:06:14
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
skanowanie ukrytych procesów …
skanowanie ukrytych wpisów autostartu …
skanowanie ukrytych plików …
skanowanie pomyślnie ukończone
ukryte pliki: 0
**************************************************************************
.
--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------
- - - - - - - > 'lsass.exe'(600)
c:\windows\system32\imon.dll
c:\program files\Eset\pr_imon.dll
.
Czas ukończenia: 2008-12-30 13:07:33
ComboFix-quarantined-files.txt 2008-12-30 12:07:16
Przed: 1 379 950 592 bajtów wolnych
Po: 1,394,614,272 bajtów wolnych
332 --- E O F --- 2008-12-20 08:07:56