Strange errors and messages


(Grzgrzgrz3) #1

ComboFix log

ComboFix 09-04-14.09 - Ja 2009-04-14 21:37.1 - FAT32x86

Microsoft Windows XP Professional 5.1.2600.3.1250.48.1045.18.511.333 [GMT 2:00]

Uruchomiony z: c:\documents and settings\Ja\Pulpit\ComboFix.exe

 * Utworzono nowy punkt przywracania


UWAGA - TEN KOMPUTER NIE MA ZAINSTALOWANEJ KONSOLI ODZYSKIWANIA 

.


((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))

.


C:\autorun.inf

c:\documents and settings\All Users\Dane aplikacji\Microsoft\Network\Downloader\qmgr0.dat

c:\documents and settings\All Users\Dane aplikacji\Microsoft\Network\Downloader\qmgr1.dat

C:\MS32DLL.dll.vbs

c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013

c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini

c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013\spoolsv.exe

c:\windows\dhcp\svchost.exe

c:\windows\MS32DLL.dll.vbs

c:\windows\system32\6to4v32.dll

c:\windows\system32\at1394.sys

c:\windows\system32\bversion.dll

c:\windows\system32\fhpatch.dll

c:\windows\system32\fiplock.dll

c:\windows\system32\IPHACTION.dll

c:\windows\system32\iphy.dll

c:\windows\system32\IpSvchostF.dll

c:\windows\system32\kr_done1

D:\Autorun.inf

D:\MS32DLL.dll.vbs


----- BITS: Możliwe zainfekowane strony -----


hxxp://www.hhdsoftware.com

.

((((((((((((((((((((((((((((((((((((((( Sterowniki/Usługi )))))))))))))))))))))))))))))))))))))))))))))))))

.


-------\Legacy_6TO4

-------\Legacy_AT1394

-------\Legacy_DHCPSRV

-------\Service_6to4

-------\Service_at1394

-------\Service_DhcpSrv



((((((((((((((((((((((((( Pliki utworzone od 2009-03-14 do 2009-04-14 )))))))))))))))))))))))))))))))

.


2009-04-14 19:40 . 2009-04-14 19:40	0	------w	c:\windows\system32\IpSvchostF.dll

2009-04-14 18:20 . 2008-06-25 22:26	335104	----a-w	c:\windows\system32\drivers\RTL8187B.sys

2009-04-14 15:06 . 2009-04-14 15:06	--------	d-sh--w	C:\FOUND.010

2009-04-14 10:44 . 2009-04-14 10:45	735232	----a-w	c:\windows\system32\AdvOcr.dll

2009-04-14 09:38 . 2009-04-14 09:42	32137216	----a-w	c:\windows\system32\TRSOCR.dat

2009-04-14 04:22 . 2009-04-14 04:22	61440	----a-w	c:\windows\system32\tcpd.exe

2009-04-14 04:22 . 2009-04-14 04:22	20480	----a-w	c:\windows\system32\AUTMGR.EXE

2009-04-14 04:22 . 2009-04-14 04:22	10240	----a-w	c:\windows\system32\Packer.dll

2009-04-14 04:22 . 2009-04-14 04:22	1018368	----a-w	c:\windows\system32\kernel32_check.dll

2009-04-14 04:22 . 2009-04-14 04:22	172032	----a-w	c:\windows\system32\tcpcon.dll

2009-04-14 04:22 . 2009-04-14 04:22	108336	----a-w	c:\windows\system32\MSWINSCK.OCX

2009-04-14 04:22 . 2009-04-14 04:22	--------	d-----w	c:\windows\system32\3361

2009-04-14 04:22 . 2009-04-14 04:22	--------	d-----w	c:\windows\dhcp

2009-04-12 07:22 . 2009-04-12 07:22	--------	d-sh--w	C:\FOUND.009

2009-04-10 19:07 . 2009-04-10 19:07	67	----a-w	c:\windows\system32\Monitor.inf

2009-04-10 19:07 . 2009-04-11 11:39	1462	----a-w	c:\windows\system32\LexFiles.usr

2009-04-10 19:07 . 2009-04-10 19:07	8521	----a-w	c:\windows\lmpcl2a.ini

2009-04-10 18:38 . 2009-04-10 18:38	--------	d-----w	c:\documents and settings\Ja\Dane aplikacji\Skype

2009-04-10 18:37 . 2009-04-10 18:37	--------	d-----w	c:\documents and settings\All Users\Dane aplikacji\Skype

2009-04-10 12:40 . 2009-04-10 12:40	55808	---h--w	c:\documents and settings\Ja\tokqmio.exe

2009-04-10 12:40 . 2009-04-10 12:40	55808	----a-w	c:\windows\system32\sfhgxi.exe

2009-04-10 10:51 . 2009-04-10 10:51	--------	d-----w	c:\documents and settings\All Users\Dane aplikacji\Mixesoft

2009-04-09 14:48 . 2009-04-11 15:48	205	----a-w	c:\windows\wcx_ftp.ini

2009-04-09 14:47 . 2009-04-09 14:47	--------	d-----w	c:\documents and settings\Ja\Ustawienia lokalne\Dane aplikacji\Help

2009-04-09 14:46 . 2007-09-14 05:02	545	----a-w	c:\windows\UC.PIF

2009-04-09 14:46 . 2007-09-14 05:02	545	----a-w	c:\windows\RAR.PIF

2009-04-09 14:46 . 2007-09-14 05:02	545	----a-w	c:\windows\PKZIP.PIF

2009-04-09 14:46 . 2007-09-14 05:02	545	----a-w	c:\windows\PKUNZIP.PIF

2009-04-09 14:46 . 2007-09-14 05:02	545	----a-w	c:\windows\NOCLOSE.PIF

2009-04-09 14:46 . 2007-09-14 05:02	545	----a-w	c:\windows\LHA.PIF

2009-04-09 14:46 . 2007-09-14 05:02	545	----a-w	c:\windows\ARJ.PIF

2009-04-09 14:46 . 2009-04-11 15:51	1446	----a-w	c:\windows\wincmd.ini

2009-04-09 14:46 . 2009-04-09 14:46	--------	d-----w	C:\totalcmd

2009-04-09 09:33 . 2006-05-24 09:04	133	----a-w	c:\windows\system32\ftdiun2k.ini

2009-04-09 09:33 . 2006-05-24 08:47	106496	----a-w	c:\windows\system32\ftbusui.dll

2009-04-09 09:33 . 2006-05-24 08:45	176128	----a-w	c:\windows\system32\ftd2xx.dll

2009-04-09 09:33 . 2006-05-24 08:42	102400	----a-w	c:\windows\system32\FTLang.dll

2009-04-09 09:33 . 2006-05-24 08:40	188416	----a-w	c:\windows\system32\ftdiunin.exe

2009-04-09 09:33 . 2006-05-19 09:51	33360	----a-w	c:\windows\system32\ftserui2.dll

2009-04-09 09:33 . 2006-05-18 07:49	61067	----a-w	c:\windows\system32\drivers\ftser2k.sys

2009-04-09 09:33 . 2006-05-18 07:48	47249	----a-w	c:\windows\system32\drivers\ftdibus.sys

2009-04-08 22:47 . 2009-04-08 22:47	--------	d-----w	C:\lexmark

2009-04-04 14:35 . 2009-04-04 14:35	--------	d-----w	c:\documents and settings\Ja\Dane aplikacji\EditPlus 3

2009-04-03 21:32 . 2009-04-08 18:21	32	----a-w	C:\ProgDVB.ini

2009-04-01 23:06 . 2009-04-01 23:14	1266	----a-w	C:\Nowy Dokument sformatowany.rtf

2009-04-01 21:25 . 2009-04-01 21:25	15631	----a-w	C:\kkkkkkkkkkll.rtf

2009-04-01 21:25 . 2009-04-01 23:14	2422	----a-w	C:\Bibliografia1452.rtf

2009-03-29 19:31 . 2009-03-29 19:31	--------	d-----w	c:\documents and settings\Ja\Dane aplikacji\Radmin Communication Client

2009-03-29 18:22 . 2009-03-29 18:22	--------	d-----w	c:\documents and settings\Ja\Dane aplikacji\Radmin

2009-03-29 18:21 . 2009-03-29 18:21	--------	d-----w	c:\documents and settings\Ja\Ustawienia lokalne\Dane aplikacji\Downloaded Installations

2009-03-24 04:09 . 2009-03-24 04:09	--------	d-sh--w	C:\FOUND.008

2009-03-23 19:24 . 2009-03-23 19:24	--------	d-----w	c:\documents and settings\Ja\Dane aplikacji\teamspeak2

2009-03-23 19:24 . 2009-03-23 19:24	34064	----a-w	c:\windows\system32\lhacm.acm

2009-03-21 16:49 . 2009-03-21 16:49	--------	d-----w	c:\documents and settings\Ja\Dane aplikacji\mIRC

2009-03-21 13:59 . 2009-03-21 13:44	60112	----a-w	C:\SatBazaar CardServer.ini

2009-03-21 13:42 . 2009-03-21 13:42	641635	----a-w	C:\Pulpit.rar

2009-03-20 12:07 . 2009-03-20 12:07	--------	d-sh--w	C:\FOUND.007

2009-03-17 18:41 . 2009-03-17 18:41	--------	d-----w	c:\documents and settings\Ja\Dane aplikacji\OpenOffice.org


.

(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-04-14 10:45 . 2009-04-14 10:45	--------	d-----w	c:\program files\LanqiEngine

2009-04-14 04:21 . 2009-04-14 04:21	--------	d-sh--r	c:\program files\ThunMail

2009-04-13 11:48 . 2009-04-13 11:48	--------	d-----w	c:\program files\HHD Software

2009-04-12 09:30 . 2009-04-12 09:30	--------	d-----w	c:\program files\AnalogX

2009-04-11 12:19 . 2009-04-11 12:19	--------	d-----w	c:\program files\newcs

2009-04-10 18:37 . 2009-04-10 18:37	--------	d-----r	c:\program files\Skype

2009-04-08 23:19 . 2009-04-08 23:19	--------	d-----w	c:\program files\Lexmark

2009-04-08 23:03 . 2009-04-08 23:03	--------	d-----w	c:\program files\Lexmark_HostCD

2009-04-04 14:35 . 2009-04-04 14:35	--------	d-----w	c:\program files\EditPlus 3

2009-03-30 17:32 . 2009-03-30 17:32	--------	d-----w	c:\program files\Ventrilo

2009-03-30 17:32 . 2009-03-30 17:32	--------	d-----w	c:\program files\Common Files\Wise Installation Wizard

2009-03-23 19:23 . 2009-03-23 19:23	--------	d-----w	c:\program files\Teamspeak2_RC2

2009-03-21 18:50 . 2008-11-02 11:51	130225	----a-w	c:\windows\War3Unin.dat

2009-03-21 16:49 . 2009-03-21 16:49	--------	d-----w	c:\program files\mIRC

2009-03-16 13:12 . 2009-03-16 13:12	--------	d-----w	c:\program files\No-IP

2009-03-11 12:53 . 2009-03-11 12:53	--------	d-----w	c:\program files\DotAzilla

2009-03-07 04:27 . 2009-03-07 04:27	--------	d-----w	c:\program files\TVAnts

2009-03-06 19:28 . 2009-03-06 19:28	--------	d-----w	c:\documents and settings\All Users\Dane aplikacji\PC Suite

2009-03-06 19:28 . 2009-03-06 19:28	--------	d-----w	c:\documents and settings\Ja\Dane aplikacji\Nokia

2009-03-06 19:27 . 2009-03-06 19:27	--------	d-----w	c:\program files\Common Files\PCSuite

2009-03-06 19:27 . 2009-03-06 19:27	--------	d-----w	c:\program files\DIFX

2009-03-06 19:27 . 2009-03-06 19:27	--------	d-----w	c:\documents and settings\Ja\Dane aplikacji\PC Suite

2009-03-06 19:27 . 2009-03-06 19:27	--------	d-----w	c:\program files\PC Connectivity Solution

2009-03-06 19:27 . 2009-03-06 19:27	--------	d-----w	c:\program files\Nokia

2009-03-03 18:51 . 2009-03-03 18:51	--------	d-----w	c:\program files\Microsoft Silverlight

2009-02-26 21:01 . 2001-10-26 16:15	88946	----a-w	c:\windows\system32\perfc015.dat

2009-02-26 21:01 . 2001-10-26 16:15	500482	----a-w	c:\windows\system32\perfh015.dat

2009-02-22 22:06 . 2009-02-22 22:06	--------	d-----w	c:\program files\ALLPlayer

2009-02-19 18:36 . 2009-02-19 18:36	--------	d-----w	c:\documents and settings\All Users\Dane aplikacji\CMUV

2009-02-19 15:40 . 2009-02-19 15:40	--------	d-----w	c:\documents and settings\All Users\Dane aplikacji\WebcamMax

2009-02-19 15:40 . 2009-02-19 15:40	--------	d-----w	c:\documents and settings\Ja\Dane aplikacji\Webcammax

2009-02-19 15:39 . 2009-02-19 15:39	--------	d-----w	c:\program files\WebcamMax

2009-02-18 12:35 . 2009-02-18 12:35	--------	d-----w	c:\documents and settings\Ja\Dane aplikacji\Hamachi

2009-02-18 12:35 . 2009-02-18 12:35	25280	----a-w	c:\windows\system32\drivers\hamachi.sys

2009-02-18 12:35 . 2009-02-18 12:35	--------	d-----w	c:\program files\Hamachi

2009-02-18 11:41 . 2009-02-18 11:41	--------	d-----w	c:\program files\DVBViewerTE

2009-02-18 11:32 . 2008-11-02 11:22	18064	----a-w	c:\documents and settings\Ja\Ustawienia lokalne\Dane aplikacji\GDIPFONTCACHEV1.DAT

2009-02-18 11:22 . 2009-02-18 11:22	--------	d-----w	c:\program files\TechniSat DVB

2009-02-09 13:07 . 2008-11-04 18:03	1847040	------w	c:\windows\system32\dllcache\win32k.sys

2009-02-09 13:07 . 2004-08-03 20:37	1847040	----a-w	c:\windows\system32\win32k.sys

2008-12-08 00:34 . 2008-12-08 00:34	64200	----a-w	c:\documents and settings\LocalService\Ustawienia lokalne\Dane aplikacji\FontCache3.0.0.0.dat

2008-11-02 11:45 . 2008-11-02 11:45	127	----a-w	c:\documents and settings\Ja\Ustawienia lokalne\Dane aplikacji\fusioncache.dat

.


------- Sigcheck -------


[-] 2008-04-14 16:21	1054208	AAEBA0C87B518C7513508E290E2A82C2	c:\windows\explorer.exe

[-] 2004-08-03 20:44	1033728	3E336EC099D0DD6FBF6AF87168CA0CFA	c:\windows\$NtServicePackUninstall$\explorer.exe

[-] 2008-04-14 16:21	1035264	3BE726B6102EF26A0ECAAE2829B98000	c:\windows\ServicePackFiles\i386\explorer.exe


[-] 2008-04-14 16:21	34304	129F7C2B06CB8D0B0C40F1ECE92FA673	c:\windows\system32\ctfmon.exe

[-] 2004-08-03 20:44	15360	8D43EB834AC8FCE4882042DDCC42CC8D	c:\windows\$NtServicePackUninstall$\ctfmon.exe

[-] 2008-04-14 16:21	15360	B4D52F34422B137557CFA0FD03C1F673	c:\windows\ServicePackFiles\i386\ctfmon.exe


[-] 2008-04-14 16:21	76800	FA21C19679FC287B26BA1CFF4D4C9794	c:\windows\system32\spoolsv.exe

[-] 2004-08-03 20:44	57856	B7029F654F97C7D42D54607B30B79F24	c:\windows\$NtServicePackUninstall$\spoolsv.exe

[-] 2008-04-14 16:21	57856	9B9A0D458F8466A82B19AC74D0C76D22	c:\windows\ServicePackFiles\i386\spoolsv.exe


[-] 2008-04-14 16:21	45568	EE058C387E9BF12A9962ADEFDAB415D5	c:\windows\system32\userinit.exe

[-] 2004-08-03 20:44	25088	420086D185BA614FEDEF5E0084763F34	c:\windows\$NtServicePackUninstall$\userinit.exe

[-] 2008-04-14 16:21	26624	78EE01CA82052F8A6D0B508F9A2C8E3E	c:\windows\ServicePackFiles\i386\userinit.exe


[-] 2009-04-14 04:22	1018368	E1FE6F383D5D4BF436E87153471F593B	c:\windows\system32\kernel32.dll

[7] 2004-08-03 20:44	1012224	578BB2F44597CB53451DED99013573F3	c:\windows\$NtServicePackUninstall$\kernel32.dll

[7] 2008-04-14 16:20	1018368	FCE4ECC34A36EDACF03DBE8DE5E28910	c:\windows\ServicePackFiles\i386\kernel32.dll

.

((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane  

REGEDIT4


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Gadu-Gadu"="c:\program files\Gadu-Gadu\gg.exe" [2008-03-20 2127296]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-03-27 24103720]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 360448]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]

"svchost.exe"="c:\windows\system32\3361\SVCHOST.exe" [2009-04-14 86016]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"svchost.exe"="c:\windows\system32\3361\SVCHOST.exe" [2009-04-14 86016]


[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 34304]

"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2004-08-25 49152]

"svc"="c:\program files\ThunMail\testabd.exe" [2009-04-14 66760]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\progra~1\ThunMail\testabd.dll


[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^ATI CATALYST System Tray.lnk]

path=c:\documents and settings\All Users\Menu Start\Programy\Autostart\ATI CATALYST System Tray.lnk

backup=c:\windows\pss\ATI CATALYST System Tray.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

c:\windows\system32\dumprep 0 -k [X]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ALLUpdate]

2008-11-24 18:44	888832	----a-w	c:\program files\ALLPlayer\ALLUpdate.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]

2004-08-25 12:25	49152	----a-w	c:\program files\ATI Technologies\ATI.ACE\CLI.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]

2008-04-14 16:21	34304	----a-w	c:\windows\system32\ctfmon.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 16:21	1714176	------w	c:\program files\Messenger\msmsgs.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NSLauncher]

2007-08-02 13:30	3117056	----a-w	c:\program files\Nokia\Nokia Software Launcher\NSLauncher.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVRaidService]

2004-06-11 02:15	102912	----a-r	c:\windows\system32\nvraidservice.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sfhgxi]

2009-04-10 12:40	55808	----a-w	c:\windows\system32\sfhgxi.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2008-11-10 03:43	136600	----a-w	c:\program files\Java\jre6\bin\jusched.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]

2008-09-12 15:45	55296	----a-w	c:\program files\Winamp\winampa.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]

2004-12-22 08:09	98304	----a-w	c:\windows\SOUNDMAN.EXE


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"Spooler"=2 (0x2)


[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001


[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)


[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"d:\\Rózne\\Programy\\Gadu-Gadu\\gg.exe"=

"c:\\Program Files\\Garena\\Garena.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Opera\\Opera.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=

"c:\\Program Files\\SopCast\\SopCast.exe"=

"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=

"c:\\Program Files\\TechniSat DVB\\bin\\Server4PC.exe"=

"c:\\Program Files\\DVBViewerTE\\ts_winlirc.exe"=

"c:\\Program Files\\Gadu-Gadu\\GG.EXE"=

"c:\\Program Files\\TVAnts\\Tvants.exe"=

"c:\\WINDOWS\\System32\\sfhgxi.exe"=

"c:\\Documents and Settings\\Ja\\tokqmio.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=


S2 CAMTHWDM;WebcamMax, WDM Video Capture;c:\windows\system32\DRIVERS\CAMTHWDM.sys [2008-12-18 1051136]

S3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187B.sys [2008-06-25 335104]

S3 SKYNET;B2C2 Broadband Receiver PCI Adapter;c:\windows\system32\DRIVERS\SkyNET.SYS [2003-08-18 438776]



[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f6505027-a8d8-11dd-a2c3-806d6172696f}]

\Shell\AutoRun\command - E:\SETUP.EXE


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA844-CC51-11CF-AAFA-AABBCCDDEE02}]

rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\skrzynka.inf,profil.d

.

- - - - USUNIĘTO PUSTE WPISY - - - -


MSConfigStartUp-MS32DLL - c:\windows\MS32DLL.dll.vbs



.

------- Skan uzupełniający -------

.

uStart Page = hxxp://www.onet.pl/

TCP: {409C892C-B3EC-486F-B363-C41BDC9DE80C} = 192.168.1.1

.


**************************************************************************


catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-04-14 21:40

Windows 5.1.2600 Dodatek Service Pack 3 FAT NTAPI


detected NTDLL code modification:

ZwOpenFile


skanowanie ukrytych procesów ...  


skanowanie ukrytych wpisów autostartu ... 


skanowanie ukrytych plików ...  


skanowanie pomyślnie ukończone

ukryte pliki: 0


**************************************************************************

.

--------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------


[HKEY_USERS\S-1-5-21-1417001333-1770027372-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{2E3807A3-F029-40F5-9977-69F24BC18C2C}*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

"fakbfgfmdncc"=hex:6f,62,6f,70,67,67,6a,68,64,68,63,6d,63,6f,6e,68,66,70,62,69,

   6b,65,6c,70,6b,70,6a,61,65,6a,62,6b,6a,65,64,6a,64,6e,62,6b,65,6a,68,64,62,\

.

--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------


- - - - - - - > 'winlogon.exe'(908)

c:\windows\system32\tcpcon.dll

c:\windows\system32\Ati2evxx.dll


- - - - - - - > 'explorer.exe'(2660)

c:\program files\Gadu-Gadu\ggwhook.dll

.

------------------------ Pozostałe uruchomione procesy ------------------------

.

c:\windows\SYSTEM32\ATI2EVXX.EXE

c:\windows\SYSTEM32\LEXBCES.EXE

c:\windows\SYSTEM32\ATI2EVXX.EXE

c:\program files\IVT CORPORATION\BLUESOLEIL\BTNTSERVICE.EXE

c:\program files\JAVA\JRE6\BIN\JQS.EXE

c:\program files\NO-IP\DUC20.EXE

c:\windows\SYSTEM32\WDFMGR.EXE

c:\windows\SYSTEM32\WGATRAY.EXE

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Czas ukończenia: ~,10time:~,-3machine was rebootedCombobatch-by

ComboFix-quarantined-files.txt 2009-04-14 19:42


Przed: 1 895 661 568 bajtów wolnych

Po: 2 915 188 736 bajtów wolnych


291	--- E O F ---	2009-03-15 00:02


from HiJackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:32:32, on 2009-04-14
Platform: Windows XP Dodatek SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\dhcp\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Documents and Settings\Ja\tokqmio.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\3361\SVCHOST.exe
C:\Documents and Settings\Ja\Pulpit\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Hacked by Godzilla
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\Ja\tokqmio.exe \s
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM..\Run: [MS32DLL] C:\WINDOWS\MS32DLL.dll.vbs
O4 - HKLM..\Run: [svchost.exe] "C:\WINDOWS\system32\3361\SVCHOST.exe"
O4 - HKLM..\RunOnce: [svchost.exe] "C:\WINDOWS\system32\3361\SVCHOST.exe"
O4 - HKCU..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18..\Run: [svc] c:\program Files\ThunMail\testabd.exe (User 'SYSTEM')
O4 - HKUS.DEFAULT..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O17 - HKLM\System\CCS\Services\Tcpip..{409C892C-B3EC-486F-B363-C41BDC9DE80C}: NameServer = 192.168.1.1
O20 - AppInit_DLLs: c:\progra~1\ThunMail\testabd.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Dhcp server (DhcpSrv) - Unknown owner - C:\WINDOWS\dhcp\svchost.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\Lexbces.exe
O23 - Service: NoIPDUCService - Vitalwerks LLC - C:\Program Files\No-IP\DUC20.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 4421 bytes


(Cedar) #2

Is this system even legitimate? I get the impression it's not really... C:\WINDOWS\system32\WgaTray.exe <- :o


(Grzgrzgrz3) #3

Why are you describing your impressions in this thread?


(Cedar) #4

Since you can't answer the question, I won't help you. My impression is as I wrote, and in that case I won't help. That's the end of the topic for me.


(Leon$) #5

And where did you read that?

grzgrzgrz

Remove with HijackThis >> Fix checked

Open Notepad and paste

Save it as CFScript.txt (save it so that the CFScript.txt icon is next to the ComboFix.exe icon) >> Drag and drop the CFScript.txt icon onto the ComboFix.exe icon

Removal should begin

Then post the ComboFix removal log

:slight_smile:


(@Blade@) #6

Doesn't this point to the presence of Virut?? If not, I apologize for the confusion :frowning:


(Leon$) #7

That may mean Virut, but it doesn't have to

:slight_smile:


(Frog) #8

OT --> Trash


(Grzgrzgrz3) #9
ComboFix 09-04-14.09 - Ja 2009-04-16 14:58.2 - FAT32x86

Microsoft Windows XP Professional 5.1.2600.3.1250.48.1045.18.511.189 [GMT 2:00]

Uruchomiony z: c:\documents and settings\Ja\Pulpit\ComboFix.exe

Użyto następujących komend :: c:\documents and settings\Ja\Pulpit\CFScript.txt

 * Utworzono nowy punkt przywracania


UWAGA - TEN KOMPUTER NIE MA ZAINSTALOWANEJ KONSOLI ODZYSKIWANIA 


FILE ::

c:\documents and settings\Ja\tokqmio.exe

c:\progra~1\ThunMail\testabd.dll

c:\windows\system32\3361\SVCHOST.exe

c:\windows\system32\sfhgxi.exe

.


((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))

.


c:\documents and settings\Ja\reader_s.exe

c:\documents and settings\Ja\tokqmio.exe

C:\FOUND.007

c:\found.007\FILE0000.CHK

c:\found.007\FILE0001.CHK

c:\found.007\FILE0002.CHK

c:\found.007\FILE0003.CHK

c:\found.007\FILE0004.CHK

c:\found.007\FILE0005.CHK

c:\found.007\FILE0006.CHK

c:\found.007\FILE0007.CHK

c:\found.007\FILE0008.CHK

c:\found.007\FILE0009.CHK

c:\found.007\FILE0010.CHK

c:\found.007\FILE0011.CHK

c:\found.007\FILE0012.CHK

c:\found.007\FILE0013.CHK

c:\found.007\FILE0014.CHK

c:\found.007\FILE0015.CHK

c:\found.007\FILE0016.CHK

c:\found.007\FILE0017.CHK

C:\FOUND.008

c:\found.008\FILE0000.CHK

c:\found.008\FILE0001.CHK

c:\found.008\FILE0002.CHK

c:\found.008\FILE0003.CHK

c:\found.008\FILE0004.CHK

c:\found.008\FILE0005.CHK

c:\found.008\FILE0006.CHK

c:\found.008\FILE0007.CHK

c:\found.008\FILE0008.CHK

c:\found.008\FILE0009.CHK

c:\found.008\FILE0010.CHK

c:\found.008\FILE0011.CHK

c:\found.008\FILE0012.CHK

C:\FOUND.009

c:\found.009\FILE0000.CHK

C:\FOUND.010

c:\found.010\FILE0000.CHK

c:\found.010\FILE0001.CHK

c:\found.010\FILE0002.CHK

c:\found.010\FILE0003.CHK

c:\found.010\FILE0004.CHK

c:\progra~1\ThunMail\testabd.dll

c:\windows\dhcp

c:\windows\dhcp\svchost.exe

c:\windows\system32\_000007_.tmp.dll

c:\windows\system32\3361

c:\windows\system32\3361\mlog

c:\windows\system32\3361\SVCHOST.exe

c:\windows\system32\6to4v32.dll

c:\windows\system32\at1394.sys

c:\windows\system32\bversion.dll

c:\windows\system32\config\systemprofile\reader_s.exe

c:\windows\system32\IPHACTION.dll

c:\windows\system32\IpSvchostF.dll

c:\windows\system32\reader_s.exe

c:\windows\system32\sfhgxi.exe


.

((((((((((((((((((((((((((((((((((((((( Sterowniki/Usługi )))))))))))))))))))))))))))))))))))))))))))))))))

.


-------\Legacy_6TO4

-------\Legacy_AT1394

-------\Legacy_DHCPSRV

-------\Service_6to4

-------\Service_at1394

-------\Service_DhcpSrv

-------\Service_restore



((((((((((((((((((((((((( Pliki utworzone od 2009-03-16 do 2009-04-16 )))))))))))))))))))))))))))))))

.


2009-04-16 11:45 . 2009-04-16 11:45	--------	d-s---w	c:\windows\system32\config\systemprofile\UserData

2009-04-16 11:25 . 2009-04-16 11:25	543	----a-w	c:\windows\system32\MRT.INI

2009-04-16 11:19 . 2009-04-16 11:19	44	----a-w	c:\windows\system32\2.tmp

2009-04-15 23:38 . 2009-04-15 23:38	213120	----a-w	c:\windows\system32\dllcache\ndis.sys

2009-04-15 23:38 . 2009-04-15 23:38	0	----a-w	c:\windows\system32\744.tmp

2009-04-15 23:38 . 2009-04-15 23:38	44	----a-w	c:\windows\system32\742.tmp

2009-04-14 19:35 . 2006-03-02 21:42	101796	----a-w	C:\pv.exe

2009-04-14 18:20 . 2008-06-25 22:26	335104	----a-w	c:\windows\system32\drivers\RTL8187B.sys

2009-04-14 10:44 . 2009-04-14 10:45	735232	----a-w	c:\windows\system32\AdvOcr.dll

2009-04-14 09:38 . 2009-04-14 09:42	32137216	----a-w	c:\windows\system32\TRSOCR.dat

2009-04-14 04:22 . 2009-04-14 04:22	61440	----a-w	c:\windows\system32\tcpd.exe

2009-04-14 04:22 . 2009-04-14 04:22	20480	----a-w	c:\windows\system32\AUTMGR.EXE

2009-04-14 04:22 . 2009-04-14 04:22	10240	----a-w	c:\windows\system32\Packer.dll

2009-04-14 04:22 . 2009-04-14 04:22	1018368	----a-w	c:\windows\system32\kernel32_check.dll

2009-04-14 04:22 . 2009-04-14 04:22	172032	----a-w	c:\windows\system32\tcpcon.dll

2009-04-14 04:22 . 2009-04-14 04:22	108336	----a-w	c:\windows\system32\MSWINSCK.OCX

2009-04-10 19:07 . 2009-04-10 19:07	67	----a-w	c:\windows\system32\Monitor.inf

2009-04-10 19:07 . 2009-04-11 11:39	1462	----a-w	c:\windows\system32\LexFiles.usr

2009-04-10 19:07 . 2009-04-10 19:07	8521	----a-w	c:\windows\lmpcl2a.ini

2009-04-10 18:38 . 2009-04-10 18:38	--------	d-----w	c:\documents and settings\Ja\Dane aplikacji\Skype

2009-04-10 18:37 . 2009-04-10 18:37	--------	d-----w	c:\documents and settings\All Users\Dane aplikacji\Skype

2009-04-10 10:51 . 2009-04-10 10:51	--------	d-----w	c:\documents and settings\All Users\Dane aplikacji\Mixesoft

2009-04-09 14:48 . 2009-04-11 15:48	205	----a-w	c:\windows\wcx_ftp.ini

2009-04-09 14:47 . 2009-04-09 14:47	--------	d-----w	c:\documents and settings\Ja\Ustawienia lokalne\Dane aplikacji\Help

2009-04-09 14:46 . 2007-09-14 05:02	545	----a-w	c:\windows\UC.PIF

2009-04-09 14:46 . 2007-09-14 05:02	545	----a-w	c:\windows\RAR.PIF

2009-04-09 14:46 . 2007-09-14 05:02	545	----a-w	c:\windows\PKZIP.PIF

2009-04-09 14:46 . 2007-09-14 05:02	545	----a-w	c:\windows\PKUNZIP.PIF

2009-04-09 14:46 . 2007-09-14 05:02	545	----a-w	c:\windows\NOCLOSE.PIF

2009-04-09 14:46 . 2007-09-14 05:02	545	----a-w	c:\windows\LHA.PIF

2009-04-09 14:46 . 2007-09-14 05:02	545	----a-w	c:\windows\ARJ.PIF

2009-04-09 14:46 . 2009-04-11 15:51	1446	----a-w	c:\windows\wincmd.ini

2009-04-09 14:46 . 2009-04-09 14:46	--------	d-----w	C:\totalcmd

2009-04-09 09:33 . 2006-05-24 09:04	133	----a-w	c:\windows\system32\ftdiun2k.ini

2009-04-09 09:33 . 2006-05-24 08:47	106496	----a-w	c:\windows\system32\ftbusui.dll

2009-04-09 09:33 . 2006-05-24 08:45	176128	----a-w	c:\windows\system32\ftd2xx.dll

2009-04-09 09:33 . 2006-05-24 08:42	102400	----a-w	c:\windows\system32\FTLang.dll

2009-04-09 09:33 . 2006-05-24 08:40	208896	----a-w	c:\windows\system32\ftdiunin.exe

2009-04-09 09:33 . 2006-05-19 09:51	33360	----a-w	c:\windows\system32\ftserui2.dll

2009-04-09 09:33 . 2006-05-18 07:49	61067	----a-w	c:\windows\system32\drivers\ftser2k.sys

2009-04-09 09:33 . 2006-05-18 07:48	47249	----a-w	c:\windows\system32\drivers\ftdibus.sys

2009-04-08 22:47 . 2009-04-08 22:47	--------	d-----w	C:\lexmark

2009-04-04 14:35 . 2009-04-04 14:35	--------	d-----w	c:\documents and settings\Ja\Dane aplikacji\EditPlus 3

2009-04-03 21:32 . 2009-04-08 18:21	32	----a-w	C:\ProgDVB.ini

2009-04-01 23:06 . 2009-04-01 23:14	1266	----a-w	C:\Nowy Dokument sformatowany.rtf

2009-04-01 21:25 . 2009-04-01 21:25	15631	----a-w	C:\kkkkkkkkkkll.rtf

2009-04-01 21:25 . 2009-04-01 23:14	2422	----a-w	C:\Bibliografia1452.rtf

2009-03-29 19:31 . 2009-03-29 19:31	--------	d-----w	c:\documents and settings\Ja\Dane aplikacji\Radmin Communication Client

2009-03-29 18:22 . 2009-03-29 18:22	--------	d-----w	c:\documents and settings\Ja\Dane aplikacji\Radmin

2009-03-29 18:21 . 2009-03-29 18:21	--------	d-----w	c:\documents and settings\Ja\Ustawienia lokalne\Dane aplikacji\Downloaded Installations

2009-03-23 19:24 . 2009-03-23 19:24	--------	d-----w	c:\documents and settings\Ja\Dane aplikacji\teamspeak2

2009-03-23 19:24 . 2009-03-23 19:24	34064	----a-w	c:\windows\system32\lhacm.acm

2009-03-21 16:49 . 2009-03-21 16:49	--------	d-----w	c:\documents and settings\Ja\Dane aplikacji\mIRC

2009-03-21 14:08 . 2009-03-21 14:09	1018368	------w	c:\windows\system32\dllcache\kernel32.dll

2009-03-21 13:59 . 2009-03-21 13:44	60112	----a-w	C:\SatBazaar CardServer.ini

2009-03-21 13:42 . 2009-03-21 13:42	641635	----a-w	C:\Pulpit.rar

2009-03-17 18:41 . 2009-03-17 18:41	--------	d-----w	c:\documents and settings\Ja\Dane aplikacji\OpenOffice.org


.

(((((((((((((((((((((((((((((((((((((((( Find3M section ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-04-15 23:38 . 2004-08-03 19:14	213120	----a-w	c:\windows\system32\drivers\ndis.sys

2009-04-14 20:06 . 2009-04-14 20:05	--------	d-----w	c:\program files\RealVNC

2009-04-14 10:45 . 2009-04-14 10:45	--------	d-----w	c:\program files\LanqiEngine

2009-04-14 04:21 . 2009-04-14 04:21	--------	d-sh--r	c:\program files\ThunMail

2009-04-13 11:48 . 2009-04-13 11:48	--------	d-----w	c:\program files\HHD Software

2009-04-12 09:30 . 2009-04-12 09:30	--------	d-----w	c:\program files\AnalogX

2009-04-11 12:19 . 2009-04-11 12:19	--------	d-----w	c:\program files\newcs

2009-04-10 18:37 . 2009-04-10 18:37	--------	d-----r	c:\program files\Skype

2009-04-08 23:19 . 2009-04-08 23:19	--------	d-----w	c:\program files\Lexmark

2009-04-08 23:03 . 2009-04-08 23:03	--------	d-----w	c:\program files\Lexmark_HostCD

2009-04-04 14:35 . 2009-04-04 14:35	--------	d-----w	c:\program files\EditPlus 3

2009-03-30 17:32 . 2009-03-30 17:32	--------	d-----w	c:\program files\Ventrilo

2009-03-30 17:32 . 2009-03-30 17:32	--------	d-----w	c:\program files\Common Files\Wise Installation Wizard

2009-03-23 19:23 . 2009-03-23 19:23	--------	d-----w	c:\program files\Teamspeak2_RC2

2009-03-21 18:50 . 2008-11-02 11:51	130225	----a-w	c:\windows\War3Unin.dat

2009-03-21 16:49 . 2009-03-21 16:49	--------	d-----w	c:\program files\mIRC

2009-03-16 13:12 . 2009-03-16 13:12	--------	d-----w	c:\program files\No-IP

2009-03-11 12:53 . 2009-03-11 12:53	--------	d-----w	c:\program files\DotAzilla

2009-03-07 04:27 . 2009-03-07 04:27	--------	d-----w	c:\program files\TVAnts

2009-03-06 19:28 . 2009-03-06 19:28	--------	d-----w	c:\documents and settings\All Users\Dane aplikacji\PC Suite

2009-03-06 19:28 . 2009-03-06 19:28	--------	d-----w	c:\documents and settings\Ja\Dane aplikacji\Nokia

2009-03-06 19:27 . 2009-03-06 19:27	--------	d-----w	c:\program files\Common Files\PCSuite

2009-03-06 19:27 . 2009-03-06 19:27	--------	d-----w	c:\program files\DIFX

2009-03-06 19:27 . 2009-03-06 19:27	--------	d-----w	c:\documents and settings\Ja\Dane aplikacji\PC Suite

2009-03-06 19:27 . 2009-03-06 19:27	--------	d-----w	c:\program files\PC Connectivity Solution

2009-03-06 19:27 . 2009-03-06 19:27	--------	d-----w	c:\program files\Nokia

2009-03-03 18:51 . 2009-03-03 18:51	--------	d-----w	c:\program files\Microsoft Silverlight

2009-03-02 23:11 . 2008-08-20 04:11	1499136	------w	c:\windows\system32\dllcache\shdocvw.dll

2009-02-26 21:01 . 2001-10-26 16:15	88946	----a-w	c:\windows\system32\perfc015.dat

2009-02-26 21:01 . 2001-10-26 16:15	500482	----a-w	c:\windows\system32\perfh015.dat

2009-02-22 22:06 . 2009-02-22 22:06	--------	d-----w	c:\program files\ALLPlayer

2009-02-20 08:12 . 2008-08-20 04:11	3089408	------w	c:\windows\system32\dllcache\mshtml.dll

2009-02-20 08:12 . 2009-02-20 08:11	81920	------w	c:\windows\system32\dllcache\ieencode.dll

2009-02-20 08:12 . 2008-08-20 04:11	668672	------w	c:\windows\system32\dllcache\wininet.dll

2009-02-20 08:12 . 2008-08-20 04:11	619520	------w	c:\windows\system32\dllcache\urlmon.dll

2009-02-20 08:12 . 2004-08-03 20:44	668672	----a-w	c:\windows\system32\wininet.dll

2009-02-20 08:12 . 2004-08-03 20:44	81920	----a-w	c:\windows\system32\ieencode.dll

2009-02-19 18:36 . 2009-02-19 18:36	--------	d-----w	c:\documents and settings\All Users\Dane aplikacji\CMUV

2009-02-19 15:40 . 2009-02-19 15:40	--------	d-----w	c:\documents and settings\All Users\Dane aplikacji\WebcamMax

2009-02-19 15:40 . 2009-02-19 15:40	--------	d-----w	c:\documents and settings\Ja\Dane aplikacji\Webcammax

2009-02-19 15:39 . 2009-02-19 15:39	--------	d-----w	c:\program files\WebcamMax

2009-02-18 12:35 . 2009-02-18 12:35	--------	d-----w	c:\documents and settings\Ja\Dane aplikacji\Hamachi

2009-02-18 12:35 . 2009-02-18 12:35	25280	----a-w	c:\windows\system32\drivers\hamachi.sys

2009-02-18 12:35 . 2009-02-18 12:35	--------	d-----w	c:\program files\Hamachi

2009-02-18 11:41 . 2009-02-18 11:41	--------	d-----w	c:\program files\DVBViewerTE

2009-02-18 11:32 . 2008-11-02 11:22	18064	----a-w	c:\documents and settings\Ja\Ustawienia lokalne\Dane aplikacji\GDIPFONTCACHEV1.DAT

2009-02-18 11:22 . 2009-02-18 11:22	--------	d-----w	c:\program files\TechniSat DVB

2009-02-09 13:07 . 2008-11-04 18:03	1847040	------w	c:\windows\system32\dllcache\win32k.sys

2009-02-09 13:07 . 2004-08-03 20:37	1847040	----a-w	c:\windows\system32\win32k.sys

2009-02-03 19:58 . 2009-02-03 19:58	56832	------w	c:\windows\system32\dllcache\secur32.dll

2009-02-03 19:58 . 2004-08-03 20:44	56832	----a-w	c:\windows\system32\secur32.dll

2008-12-08 00:34 . 2008-12-08 00:34	64200	----a-w	c:\documents and settings\LocalService\Ustawienia lokalne\Dane aplikacji\FontCache3.0.0.0.dat

2008-11-02 11:45 . 2008-11-02 11:45	127	----a-w	c:\documents and settings\Ja\Ustawienia lokalne\Dane aplikacji\fusioncache.dat

.


------- Sigcheck -------


[-] 2009-04-15 23:38	213120	D9C9981C9E83DB13FFC803AEDF5CB57E	c:\windows\system32\drivers\ndis.sys

[-] 2009-04-15 23:38	213120	D9C9981C9E83DB13FFC803AEDF5CB57E	c:\windows\system32\dllcache\ndis.sys

[7] 2004-08-03 19:14	182912	558635D3AF1C7546D26067D5D9B6959E	c:\windows\$NtServicePackUninstall$\ndis.sys

[7] 2008-04-13 18:20	182656	1DF7F42665C94B825322FAE71721130D	c:\windows\ServicePackFiles\i386\ndis.sys


[-] 2008-04-14 16:21	1054208	AAEBA0C87B518C7513508E290E2A82C2	c:\windows\explorer.exe

[-] 2004-08-03 20:44	1052672	3E336EC099D0DD6FBF6AF87168CA0CFA	c:\windows\$NtServicePackUninstall$\explorer.exe

[-] 2008-04-14 16:21	1054208	3BE726B6102EF26A0ECAAE2829B98000	c:\windows\ServicePackFiles\i386\explorer.exe


[-] 2008-04-14 16:21	34304	129F7C2B06CB8D0B0C40F1ECE92FA673	c:\windows\system32\ctfmon.exe

[-] 2004-08-03 20:44	34304	8D43EB834AC8FCE4882042DDCC42CC8D	c:\windows\$NtServicePackUninstall$\ctfmon.exe

[-] 2008-04-14 16:21	34304	B4D52F34422B137557CFA0FD03C1F673	c:\windows\ServicePackFiles\i386\ctfmon.exe


[-] 2008-04-14 16:21	76800	FA21C19679FC287B26BA1CFF4D4C9794	c:\windows\system32\spoolsv.exe

[-] 2004-08-03 20:44	76800	B7029F654F97C7D42D54607B30B79F24	c:\windows\$NtServicePackUninstall$\spoolsv.exe

[-] 2008-04-14 16:21	76800	9B9A0D458F8466A82B19AC74D0C76D22	c:\windows\ServicePackFiles\i386\spoolsv.exe


[-] 2008-04-14 16:21	45568	EE058C387E9BF12A9962ADEFDAB415D5	c:\windows\system32\userinit.exe

[-] 2004-08-03 20:44	44032	420086D185BA614FEDEF5E0084763F34	c:\windows\$NtServicePackUninstall$\userinit.exe

[-] 2008-04-14 16:21	45568	78EE01CA82052F8A6D0B508F9A2C8E3E	c:\windows\ServicePackFiles\i386\userinit.exe

.

((((((((((((((((((((((((((((( SnapShot@2009-04-14_19.40.51 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-04-16 13:02 . 2009-04-16 13:02	16384 c:\windows\temp\Perflib_Perfdata_264.dat

+ 2008-11-03 12:07 . 2007-11-30 12:40	19320 c:\windows\system32\spmsg.dll

- 2008-11-03 12:07 . 2007-11-30 10:21	19320 c:\windows\system32\spmsg.dll

+ 2004-08-03 20:44 . 2008-04-14 16:21	64000 c:\windows\system32\shmgrate.exe

+ 2004-08-03 20:44 . 2009-02-03 19:58	56832 c:\windows\system32\secur32.dll

+ 2001-10-26 17:30 . 2001-10-26 17:30	50176 c:\windows\system32\sc.exe

+ 2008-11-02 11:04 . 2008-04-14 16:21	81920 c:\windows\system32\rdpclip.exe

+ 2001-10-26 17:30 . 2001-10-26 17:30	50688 c:\windows\system32\ntsd.exe

+ 2008-11-02 11:04 . 2008-06-12 14:23	91648 c:\windows\system32\mtxoci.dll

- 2008-11-02 11:04 . 2008-04-14 16:20	91648 c:\windows\system32\mtxoci.dll

+ 2004-08-03 20:44 . 2008-06-12 14:23	66560 c:\windows\system32\mtxclu.dll

- 2004-08-03 20:44 . 2008-04-14 16:20	66560 c:\windows\system32\mtxclu.dll

+ 2004-08-03 20:44 . 2008-04-14 16:21	48128 c:\windows\system32\mshta.exe

+ 2008-11-02 11:04 . 2008-06-12 14:23	58880 c:\windows\system32\msdtclog.dll

- 2008-11-02 11:04 . 2008-04-14 16:20	58880 c:\windows\system32\msdtclog.dll

- 2004-08-03 20:44 . 2008-04-14 16:20	81920 c:\windows\system32\ieencode.dll

+ 2004-08-03 20:44 . 2009-02-20 08:12	81920 c:\windows\system32\ieencode.dll

+ 2004-08-03 20:44 . 2008-04-14 16:21	53248 c:\windows\system32\ie4uinit.exe

+ 2009-02-03 19:58 . 2009-02-03 19:58	56832 c:\windows\system32\dllcache\secur32.dll

+ 2008-06-12 14:23 . 2008-06-12 14:23	91648 c:\windows\system32\dllcache\mtxoci.dll

+ 2008-06-12 14:23 . 2008-06-12 14:23	66560 c:\windows\system32\dllcache\mtxclu.dll

+ 2008-06-12 14:23 . 2008-06-12 14:23	58880 c:\windows\system32\dllcache\msdtclog.dll

+ 2009-02-20 08:11 . 2009-02-20 08:12	81920 c:\windows\system32\dllcache\ieencode.dll

+ 2009-04-16 11:35 . 2009-04-16 12:50	49152 c:\windows\system32\config\systemprofile\Ustawienia lokalne\Historia\History.IE5\MSHist012009041620090417\index.dat

+ 2008-11-02 11:14 . 2009-04-16 13:02	49152 c:\windows\system32\config\systemprofile\Ustawienia lokalne\Historia\History.IE5\index.dat

+ 2009-04-16 11:45 . 2009-04-16 12:45	32768 c:\windows\system32\config\systemprofile\UserData\index.dat

- 2008-11-02 11:14 . 2009-04-14 19:40	32768 c:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2008-11-02 11:14 . 2009-04-16 13:02	32768 c:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2008-04-14 16:21 . 2008-04-14 16:21	45568 c:\windows\ServicePackFiles\i386\userinit.exe

+ 2008-04-14 16:21 . 2008-04-14 16:21	76800 c:\windows\ServicePackFiles\i386\spoolsv.exe

+ 2008-04-14 16:21 . 2008-04-14 16:21	34304 c:\windows\ServicePackFiles\i386\ctfmon.exe

+ 2004-06-22 11:51 . 2004-06-22 11:51	73728 c:\windows\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe

+ 2008-11-04 14:32 . 2004-08-03 20:44	44032 c:\windows\$NtServicePackUninstall$\userinit.exe

+ 2008-11-04 14:32 . 2004-08-03 20:44	76800 c:\windows\$NtServicePackUninstall$\spoolsv.exe

+ 2008-11-04 14:32 . 2004-08-03 20:44	34304 c:\windows\$NtServicePackUninstall$\ctfmon.exe

- 2004-08-03 20:44 . 2008-10-16 00:02	668672 c:\windows\system32\wininet.dll

+ 2004-08-03 20:44 . 2009-02-20 08:12	668672 c:\windows\system32\wininet.dll

- 2004-08-03 20:44 . 2008-04-14 16:20	354304 c:\windows\system32\winhttp.dll

+ 2004-08-03 20:44 . 2008-12-16 12:32	354304 c:\windows\system32\winhttp.dll

+ 2004-08-03 20:44 . 2009-02-20 08:12	619520 c:\windows\system32\urlmon.dll

- 2004-08-03 20:44 . 2008-10-16 00:02	619520 c:\windows\system32\urlmon.dll

+ 2004-08-03 20:44 . 2008-04-14 16:21	128512 c:\windows\system32\progman.exe

+ 2008-11-02 11:04 . 2008-06-12 14:23	161792 c:\windows\system32\msdtcuiu.dll

- 2008-11-02 11:04 . 2008-04-14 16:20	161792 c:\windows\system32\msdtcuiu.dll

- 2008-11-02 11:04 . 2008-04-14 16:20	956928 c:\windows\system32\msdtctm.dll

+ 2008-11-02 11:04 . 2008-06-12 14:23	956928 c:\windows\system32\msdtctm.dll

+ 2008-11-02 11:04 . 2008-06-12 14:23	428032 c:\windows\system32\msdtcprx.dll

+ 2004-08-03 20:44 . 2008-04-14 16:21	239616 c:\windows\system32\logon.scr

+ 2009-04-09 09:33 . 2006-05-24 08:40	208896 c:\windows\system32\ftdiunin.exe

+ 2004-08-03 19:14 . 2009-04-15 23:38	213120 c:\windows\system32\drivers\ndis.sys

+ 2008-08-20 04:11 . 2009-02-20 08:12	668672 c:\windows\system32\dllcache\wininet.dll

- 2008-08-20 04:11 . 2008-10-16 00:02	668672 c:\windows\system32\dllcache\wininet.dll

+ 2008-12-16 12:32 . 2008-12-16 12:32	354304 c:\windows\system32\dllcache\winhttp.dll

- 2008-08-20 04:11 . 2008-10-16 00:02	619520 c:\windows\system32\dllcache\urlmon.dll

+ 2008-08-20 04:11 . 2009-02-20 08:12	619520 c:\windows\system32\dllcache\urlmon.dll

+ 2009-04-15 23:38 . 2009-04-15 23:38	213120 c:\windows\system32\dllcache\ndis.sys

+ 2008-06-12 14:23 . 2008-06-12 14:23	161792 c:\windows\system32\dllcache\msdtcuiu.dll

+ 2008-06-12 14:23 . 2008-06-12 14:23	956928 c:\windows\system32\dllcache\msdtctm.dll

+ 2008-06-12 14:23 . 2008-06-12 14:23	428032 c:\windows\system32\dllcache\msdtcprx.dll

+ 2008-11-02 11:14 . 2009-04-16 13:02	180224 c:\windows\system32\config\systemprofile\Ustawienia lokalne\Temporary Internet Files\Content.IE5\index.dat

+ 2008-04-13 17:53 . 2008-04-13 17:53	577024 c:\windows\network diagnostic\xpnetdiag.exe

+ 2009-02-18 11:21 . 1998-10-29 14:45	325632 c:\windows\IsUninst.exe

- 2009-04-14 19:38 . 2005-10-20 18:02	185856 c:\windows\ERDNT\subs\ERDNT.EXE

+ 2009-04-16 13:01 . 2005-10-20 18:02	185856 c:\windows\ERDNT\subs\ERDNT.EXE

- 2004-08-03 20:44 . 2008-10-16 00:02	1499136 c:\windows\system32\shdocvw.dll

+ 2004-08-03 20:44 . 2009-03-02 23:11	1499136 c:\windows\system32\shdocvw.dll

- 2004-08-03 20:44 . 2008-05-07 04:12	1291776 c:\windows\system32\quartz.dll

+ 2004-08-03 20:44 . 2008-12-20 22:15	1291776 c:\windows\system32\quartz.dll

+ 2004-08-03 20:44 . 2009-02-20 08:12	3089408 c:\windows\system32\mshtml.dll

- 2004-08-03 20:44 . 2009-04-14 04:22	1018368 c:\windows\system32\kernel32.dll

+ 2004-08-03 20:44 . 2009-03-21 14:09	1018368 c:\windows\system32\kernel32.dll

- 2008-08-20 04:11 . 2008-10-16 00:02	1499136 c:\windows\system32\dllcache\shdocvw.dll

+ 2008-08-20 04:11 . 2009-03-02 23:11	1499136 c:\windows\system32\dllcache\shdocvw.dll

- 2008-05-07 04:12 . 2008-05-07 04:12	1291776 c:\windows\system32\dllcache\quartz.dll

+ 2008-05-07 04:12 . 2008-12-20 22:15	1291776 c:\windows\system32\dllcache\quartz.dll

+ 2008-08-20 04:11 . 2009-02-20 08:12	3089408 c:\windows\system32\dllcache\mshtml.dll

+ 2009-03-21 14:08 . 2009-03-21 14:09	1018368 c:\windows\system32\dllcache\kernel32.dll

+ 2008-04-14 16:21 . 2008-04-14 16:21	1054208 c:\windows\ServicePackFiles\i386\explorer.exe

+ 2008-11-04 14:32 . 2004-08-03 20:44	1052672 c:\windows\$NtServicePackUninstall$\explorer.exe

+ 2008-11-03 12:15 . 2009-04-06 14:57	24921544 c:\windows\system32\MRT.exe

.

-- Snapshot reset --

.

((((((((((((((((((((((((((((((((((((( Registry startup entries ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries and legitimate default entries are not shown

REGEDIT4


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Gadu-Gadu"="c:\program files\Gadu-Gadu\gg.exe" [2008-03-20 2127296]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-03-27 24103720]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 360448]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]


[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 34304]

"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2004-08-25 49152]


[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^ATI CATALYST System Tray.lnk]

path=c:\documents and settings\All Users\Menu Start\Programy\Autostart\ATI CATALYST System Tray.lnk

backup=c:\windows\pss\ATI CATALYST System Tray.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

c:\windows\system32\dumprep 0 -k [X]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ALLUpdate]

2008-11-24 18:44	888832	----a-w	c:\program files\ALLPlayer\ALLUpdate.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]

2004-08-25 12:25	49152	----a-w	c:\program files\ATI Technologies\ATI.ACE\CLI.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]

2008-04-14 16:21	34304	----a-w	c:\windows\system32\ctfmon.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 16:21	1714176	------w	c:\program files\Messenger\msmsgs.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NSLauncher]

2007-08-02 13:30	3117056	----a-w	c:\program files\Nokia\Nokia Software Launcher\NSLauncher.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVRaidService]

2004-06-11 02:15	102912	----a-r	c:\windows\system32\nvraidservice.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2008-11-10 03:43	136600	----a-w	c:\program files\Java\jre6\bin\jusched.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]

2008-09-12 15:45	55296	----a-w	c:\program files\Winamp\winampa.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]

2004-12-22 08:09	98304	----a-w	c:\windows\SOUNDMAN.EXE


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"Spooler"=2 (0x2)


[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001


[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)


[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"d:\\Rózne\\Programy\\Gadu-Gadu\\gg.exe"=

"c:\\Program Files\\Garena\\Garena.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Opera\\Opera.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=

"c:\\Program Files\\SopCast\\SopCast.exe"=

"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=

"c:\\Program Files\\TechniSat DVB\\bin\\Server4PC.exe"=

"c:\\Program Files\\DVBViewerTE\\ts_winlirc.exe"=

"c:\\Program Files\\Gadu-Gadu\\GG.EXE"=

"c:\\Program Files\\TVAnts\\Tvants.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=


R2 CAMTHWDM;WebcamMax, WDM Video Capture; [x]

S3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187B.sys [2008-06-25 335104]

S3 SKYNET;B2C2 Broadband Receiver PCI Adapter;c:\windows\system32\DRIVERS\SkyNET.SYS [2003-08-18 438776]



[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f6505027-a8d8-11dd-a2c3-806d6172696f}]

\Shell\AutoRun\command - E:\SETUP.EXE


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA844-CC51-11CF-AAFA-AABBCCDDEE02}]

rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\skrzynka.inf,profil.d

.

- - - - EMPTY ENTRIES REMOVED - - - -


HKU-Default-Run-svc - c:\program files\ThunMail\testabd.exe

HKU-Default-Run-reader_s - c:\windows\system32\config\systemprofile\reader_s.exe



.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.onet.pl/

TCP: {409C892C-B3EC-486F-B363-C41BDC9DE80C} = 192.168.1.1

.


**************************************************************************


catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-04-16 15:03

Windows 5.1.2600 Service Pack 3 FAT NTAPI


detected NTDLL code modification:

ZwOpenFile


scanning hidden processes ...


scanning hidden autostart entries ...


scanning hidden files ...


scan completed successfully

hidden files: 0


**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------


[HKEY_USERS\S-1-5-21-1417001333-1770027372-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{2E3807A3-F029-40F5-9977-69F24BC18C2C}*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

"fakbfgfmdncc"=hex:6f,62,6f,70,67,67,6a,68,64,68,63,6d,63,6f,6e,68,66,70,62,69,

   6b,65,6c,70,6b,70,6a,61,65,6a,62,6b,6a,65,64,6a,64,6e,62,6b,65,6a,68,64,62,\

.

--------------------- DLLs loaded under running processes ---------------------


- - - - - - - > 'winlogon.exe'(908)

c:\windows\system32\Ati2evxx.dll


- - - - - - - > 'explorer.exe'(2780)

c:\program files\Gadu-Gadu\ggwhook.dll

.

------------------------ Other running processes ------------------------

.

c:\windows\SYSTEM32\ATI2EVXX.EXE

c:\windows\SYSTEM32\LEXBCES.EXE

c:\program files\IVT CORPORATION\BLUESOLEIL\BTNTSERVICE.EXE

c:\program files\JAVA\JRE6\BIN\JQS.EXE

c:\program files\NO-IP\DUC20.EXE

c:\windows\SYSTEM32\WDFMGR.EXE

c:\program files\REALVNC\VNC4\WINVNC4.EXE

c:\windows\SYSTEM32\ATI2EVXX.EXE

c:\windows\SYSTEM32\WGATRAY.EXE

c:\windows\system32\MRT.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: ~,10time:~,-3machine was rebootedCombobatch-by

ComboFix-quarantined-files.txt 2009-04-16 13:06

ComboFix2.txt 2009-04-14 19:42


Before: 2 362 441 728 bytes free

After: 2 415 525 888 bytes free


423	--- E O F ---	2009-04-16 11:26

[/code]
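The Sigcheck section of the log above is the part to read first: ComboFix lists, for each protected system file, the live copy next to the backup copies in ServicePackFiles\i386 and $NtServicePackUninstall$, each with a marker, a timestamp, a size and an MD5. The script below is an added example (not part of the original post and not ComboFix's own code) that parses those lines, groups the copies of each file and gives each live file a verdict: "replaced" when the live copy is unknown while a backup copy is still catalogued (ndis.sys: 213120 bytes against 182656 in ServicePackFiles\i386, with a fresh mtime), or "references_unknown" when every copy is unknown (explorer.exe, where all three copies carry different hashes, so the backups cannot be trusted for a restore either). It also checks whether the dllcache copy carries the same hash as the live file, because dllcache is what Windows File Protection and sfc /scannow restore from. Assumptions: `[-]` is read as "matches no version ComboFix knows" and any other marker such as `[7]` as "matched a catalogued version", which is how these flags are commonly interpreted; the seven sample lines are copied from the log above.

```python
"""Triage the Sigcheck section of a ComboFix log (added example, not ComboFix code)."""
import re
from collections import defaultdict

# One Sigcheck line: "[flag] YYYY-MM-DD HH:MM <size> <MD5> <path>", tab-separated.
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]+)\]\s+(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>\d+)\s+(?P<md5>[0-9A-Fa-f]{32})\s+(?P<path>\S.*?)\s*$"
)

# Backup copies of system files on XP (assumed layout). Everything else is a live
# copy; the WFP cache (dllcache) is kept apart because SFC restores from it.
REFERENCE_DIRS = ("\\servicepackfiles\\i386\\", "\\$ntservicepackuninstall$\\")
DLLCACHE_DIR = "\\dllcache\\"

# Constructed sample: seven Sigcheck lines copied from the log posted above.
SAMPLE = (
    "[-] 2009-04-15 23:38\t213120\tD9C9981C9E83DB13FFC803AEDF5CB57E\tc:\\windows\\system32\\drivers\\ndis.sys\n"
    "[-] 2009-04-15 23:38\t213120\tD9C9981C9E83DB13FFC803AEDF5CB57E\tc:\\windows\\system32\\dllcache\\ndis.sys\n"
    "[7] 2004-08-03 19:14\t182912\t558635D3AF1C7546D26067D5D9B6959E\tc:\\windows\\$NtServicePackUninstall$\\ndis.sys\n"
    "[7] 2008-04-13 18:20\t182656\t1DF7F42665C94B825322FAE71721130D\tc:\\windows\\ServicePackFiles\\i386\\ndis.sys\n"
    "\n"
    "[-] 2008-04-14 16:21\t1054208\tAAEBA0C87B518C7513508E290E2A82C2\tc:\\windows\\explorer.exe\n"
    "[-] 2004-08-03 20:44\t1052672\t3E336EC099D0DD6FBF6AF87168CA0CFA\tc:\\windows\\$NtServicePackUninstall$\\explorer.exe\n"
    "[-] 2008-04-14 16:21\t1054208\t3BE726B6102EF26A0ECAAE2829B98000\tc:\\windows\\ServicePackFiles\\i386\\explorer.exe\n"
)


def parse_sigcheck(log_text):
    """Return one dict per Sigcheck line; every other line of the log is ignored."""
    entries = []
    for line in log_text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["size"] = int(e["size"])
        e["md5"] = e["md5"].upper()
        e["path"] = e["path"].lower()
        e["name"] = e["path"].rsplit("\\", 1)[-1]
        entries.append(e)
    return entries


def triage(entries):
    """Group Sigcheck entries by file name and give each live system file a verdict.

    ok                  the live copy matched a catalogued version
    replaced            live copy unknown, at least one backup copy catalogued:
                        the file on disk has been changed
    references_unknown  live copy and every backup copy unknown: the backups
                        cannot be trusted to restore the file either
    """
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["name"]].append(e)

    results = {}
    for name, group in by_name.items():
        refs = [e for e in group if any(d in e["path"] for d in REFERENCE_DIRS)]
        cache = [e for e in group if DLLCACHE_DIR in e["path"]]
        live = [e for e in group if e not in refs and e not in cache]
        if not live:
            continue
        primary = live[0]
        if primary["flag"] != "-":
            verdict = "ok"
        elif any(r["flag"] != "-" for r in refs):
            verdict = "replaced"
        else:
            verdict = "references_unknown"
        results[name] = {
            "verdict": verdict,
            "live_path": primary["path"],
            "live_size": primary["size"],
            "reference_sizes": sorted({r["size"] for r in refs}),
            # A fresh mtime on a file the service pack shipped years earlier is a
            # clue; an unchanged mtime proves nothing, since mtimes are trivially forged.
            "newer_than_references": bool(refs) and primary["ts"] > max(r["ts"] for r in refs),
            # Same hash in dllcache means WFP / sfc would "restore" the same bad file.
            "dllcache_matches_live": any(c["md5"] == primary["md5"] for c in cache),
        }
    return results


def report(results):
    """Human-readable summary, one line per file, worst findings first."""
    order = {"references_unknown": 0, "replaced": 1, "ok": 2}
    lines = []
    for name, r in sorted(results.items(), key=lambda kv: (order[kv[1]["verdict"]], kv[0])):
        notes = []
        if r["newer_than_references"]:
            notes.append("mtime newer than any backup")
        if r["dllcache_matches_live"]:
            notes.append("dllcache holds the same hash, WFP will not restore it")
        lines.append(f"{r['verdict']:<19} {name} live={r['live_size']} refs={r['reference_sizes']}"
                     + (f"  [{'; '.join(notes)}]" if notes else ""))
    return lines


if __name__ == "__main__":
    for line in report(triage(parse_sigcheck(SAMPLE))):
        print(line)
```

Run it on a whole ComboFix log by passing the file contents to `parse_sigcheck`; only the Sigcheck lines match the pattern, so the rest of the log is ignored. The design point is the split between live copy, WFP cache and backups: a bad hash in the live copy says the file was changed, a bad hash in the backups too says a restore from those backups is not a fix, and a cache copy identical to the live copy says the system's own repair mechanism has already been neutralised.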

(Leon$) #10

Disable System Restore on all drives. http://support.microsoft.com/kb/310405/pl

Open Notepad and paste

Save it as CFScript.txt (save it so that the CFScript.txt icon sits next to the ComboFix.exe icon) >> drag and drop the CFScript.txt icon onto the ComboFix.exe icon

Removal should start.

Then post the ComboFix removal log.

Scan with Dr.WEB CureIt! http://dobreprogramy.pl/index.php?dz=2& ... It!+4.44.5

:)