Log to check: suspected viruses


(system) #1

Hello, I'd like to ask you to check the log below. I think there is some junk on my computer (it's behaving strangely). Here is the log:

ComboFix 09-05-02.4 - Administrator 2009-05-03 20:58.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1250.48.1045.18.3071.2545 [GMT 2:00]

Uruchomiony z: c:\documents and settings\Administrator\Pulpit\ComboFix.exe

AV: ESET Smart Security 4.0 *On-access scanning disabled* (Updated)

FW: Zapora osobista *enabled*

* Utworzono nowy punkt przywracania


UWAGA - TEN KOMPUTER NIE MA ZAINSTALOWANEJ KONSOLI ODZYSKIWANIA 

.


((((((((((((((((((((((((( Pliki utworzone od 2009-04-03 do 2009-05-03 )))))))))))))))))))))))))))))))

.


2009-05-02 07:51 . 2009-05-02 07:51 -------- d-----w c:\documents and settings\Administrator\DoctorWeb

2009-04-25 18:47 . 2009-04-25 18:47 -------- d-----w c:\program files\SimBin

2009-04-19 09:28 . 2009-01-09 10:46 39776 ----a-w c:\windows\system32\DfSdkBt64.exe

2009-04-19 09:28 . 2009-01-09 10:46 33632 ----a-w c:\windows\system32\DfSdkBt.exe

2009-04-18 10:46 . 2009-04-18 10:46 -------- d-----w c:\documents and settings\Administrator\Dane aplikacji\Thinstall

2009-04-18 08:53 . 2009-04-18 19:04 2286592 ----a-w c:\windows\system32\TUKernel.exe

2009-04-18 04:58 . 2009-04-18 04:58 -------- d-----w c:\documents and settings\Administrator\Ustawienia lokalne\Dane aplikacji\ESET

2009-04-17 16:30 . 2009-04-17 16:30 -------- d-----w c:\documents and settings\Administrator\Dane aplikacji\TuneUp Software

2009-04-17 16:30 . 2009-04-17 16:30 -------- d-----w c:\documents and settings\All Users\Dane aplikacji\TuneUp Software

2009-04-13 06:53 . 2009-04-13 06:53 -------- d-----w c:\documents and settings\LocalService\Pulpit

2009-04-11 11:42 . 2009-04-11 11:42 -------- d-----w c:\documents and settings\LocalService\Ustawienia lokalne\Dane aplikacji\ESET

2009-04-10 15:06 . 2009-04-10 15:06 271360 ----a-w c:\windows\system32\drivers\atksgt.sys

2009-04-10 15:06 . 2009-04-10 15:06 18048 ----a-w c:\windows\system32\drivers\lirsgt.sys

2009-04-07 07:49 . 2009-04-07 07:49 -------- d-----w c:\documents and settings\All Users\Dane aplikacji\Trymedia

2009-04-06 09:57 . 2009-04-06 14:30 -------- d-----w c:\documents and settings\All Users\Dane aplikacji\Test Drive Unlimited

2009-04-06 09:26 . 2009-04-06 09:26 -------- d--h--r c:\documents and settings\Administrator\Dane aplikacji\SecuROM

2009-04-06 09:26 . 2009-04-06 09:26 108144 ----a-w c:\windows\system32\CmdLineExt.dll


.

(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-05-03 18:57 . 2009-03-27 21:53 6 ---ha-w c:\windows\Tasks\SA.DAT

2009-04-26 22:14 . 2009-03-27 23:15 484 ----a-w c:\windows\Tasks\Ad-Aware Update (Weekly).job

2009-04-26 16:59 . 2009-04-02 08:36 15688 ----a-w c:\windows\system32\lsdelete.exe

2009-04-19 09:13 . 2009-03-27 21:59 57000 ----a-w c:\documents and settings\Administrator\Ustawienia lokalne\Dane aplikacji\GDIPFONTCACHEV1.DAT

2009-04-10 15:27 . 2009-03-27 22:53 -------- d-----w c:\program files\Common Files\LightScribe

2009-04-10 15:02 . 2009-03-27 22:01 -------- d--h--w c:\program files\InstallShield Installation Information

2009-04-06 07:33 . 2009-03-27 22:01 -------- d-----w c:\program files\Common Files\InstallShield

2009-03-30 22:29 . 2009-03-27 22:39 -------- d-----w c:\program files\Common Files\Adobe

2009-03-30 00:52 . 2009-03-27 21:50 86327 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat

2009-03-28 08:39 . 2009-03-28 08:29 53985 ----a-w c:\windows\hppins02.dat

2009-03-28 08:39 . 2009-03-28 08:39 138 ----a-w c:\documents and settings\Administrator\Ustawienia lokalne\Dane aplikacji\fusioncache.dat

2009-03-28 08:36 . 2009-03-28 08:36 -------- d-----w c:\program files\Hewlett-Packard

2009-03-28 08:35 . 2009-03-28 08:35 -------- d-----w c:\program files\Common Files\Hewlett-Packard

2009-03-28 08:34 . 2001-10-26 16:15 89562 ----a-w c:\windows\system32\perfc015.dat

2009-03-28 08:34 . 2001-10-26 16:15 500616 ----a-w c:\windows\system32\perfh015.dat

2009-03-28 08:33 . 2009-03-28 08:30 -------- d-----w c:\program files\HP

2009-03-28 08:29 . 2009-03-28 08:29 -------- d-----w c:\program files\Common Files\SWF Studio

2009-03-28 08:20 . 2009-03-28 08:20 717296 ----a-w c:\windows\system32\drivers\sptd.sys

2009-03-28 00:25 . 2009-03-28 00:25 56 ---ha-w c:\windows\system32\ezsidmv.dat

2009-03-27 23:32 . 2009-03-27 23:32 114856 ----a-w c:\documents and settings\LocalService\Ustawienia lokalne\Dane aplikacji\FontCache3.0.0.0.dat

2009-03-27 23:32 . 2009-03-27 23:32 -------- d-----w c:\program files\MSBuild

2009-03-27 23:31 . 2009-03-27 23:31 -------- d-----w c:\program files\Reference Assemblies

2009-03-27 23:26 . 2009-03-27 23:24 -------- d-----w c:\program files\Microsoft LifeCam

2009-03-27 23:14 . 2009-03-27 23:14 -------- d-----w c:\program files\Skype

2009-03-27 23:14 . 2009-03-27 23:14 -------- d-----w c:\program files\Common Files\Skype

2009-03-27 23:00 . 2009-03-27 23:00 -------- d-----w c:\program files\Microsoft.NET

2009-03-27 22:50 . 2009-03-27 22:50 -------- d-----w c:\program files\Common Files\Ahead

2009-03-27 22:27 . 2009-03-27 22:28 410984 ----a-w c:\windows\system32\deploytk.dll

2009-03-27 22:27 . 2009-03-27 22:27 -------- d-----w c:\program files\Java

2009-03-27 22:26 . 2009-03-27 22:26 0 ----a-w c:\windows\nsreg.dat

2009-03-27 22:04 . 2009-03-27 22:04 0 ----a-w c:\windows\ativpsrm.bin

2009-03-27 22:01 . 2009-03-27 22:01 -------- d-----w c:\program files\Realtek

2009-03-27 22:01 . 2009-03-27 22:01 315392 ----a-w c:\windows\HideWin.exe

2009-03-27 21:50 . 2001-07-21 22:36 67 --sha-w c:\windows\Fonts\desktop.ini

2009-03-27 21:49 . 2009-03-27 21:49 -------- d-----w c:\program files\Usługi online

2009-03-27 21:47 . 2009-03-27 21:47 21856 ----a-w c:\windows\system32\emptyregdb.dat

2009-03-27 21:47 . 2009-03-27 21:47 -------- d-----w c:\program files\Windows Media Connect 2

2009-02-06 13:24 . 2009-02-06 13:24 56280 ----a-w c:\windows\system32\drivers\epfwtdi.sys

2009-02-06 13:24 . 2009-02-06 13:24 33096 ----a-w c:\windows\system32\drivers\epfwndis.sys

2009-02-06 13:24 . 2009-02-06 13:24 130952 ----a-w c:\windows\system32\drivers\epfw.sys

2009-02-06 13:23 . 2009-02-06 13:23 106208 ----a-w c:\windows\system32\drivers\ehdrv.sys

2009-02-06 13:19 . 2009-02-06 13:19 113448 ----a-w c:\windows\system32\drivers\eamon.sys

.


------- Sigcheck -------


[-] 2008-05-02 06:48 361344 8E036EEC565910417EA020CE0962AA24 c:\windows\system32\drivers\tcpip.sys

.

((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane

REGEDIT4


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

"Gadu-Gadu"="c:\programy install\Gadu-Gadu\gg.exe" [2008-03-20 2127296]

"DAEMON Tools Lite"="c:\programy install\DAEMON Tools Lite\daemon.exe" [2008-12-29 687560]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ACU"="c:\programy install\Stery WIFI\Atheros\ACU.exe" [2007-10-23 376921]

"egui"="c:\programy install\Eset 4\egui.exe" [2009-02-06 2021400]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-27 148888]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-01-13 275800]

"VX3000"="c:\windows\vVX3000.exe" [2006-12-05 707360]

"HP Software Update"="c:\programy install\HP LaserJet\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]

"ToolBoxFX"="c:\programy install\HP LaserJet\ToolBoxFX\bin\HPTLBXFX.exe" [2006-10-06 53248]

"HPUsageTracking"="c:\programy install\HP LaserJet\HP UT\bin\hppusg.exe" [2005-09-07 36864]

"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]

"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-06-20 16872448]


[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"nltide_2"="shell32" [X]

"nltide_3"="advpack.dll" - c:\windows\system32\advpack.dll [2008-03-01 124928]


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoFileAssociate"= 0 (0x0)

"NoResolveTrack"= 1 (0x1)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"MaxRecentDocs"= 6 (0x6)


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]

"UIHost"="c:\documents and settings\All Users\Dane aplikacji\TuneUp Software\TuneUp Utilities\WinStyler\tu_logonui.exe"


[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS\0lsdelete


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"Ad-Aware GUI"=c:\programy install\Lavasoft\Ad-Aware\Ad-Aware.exe


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"OODefragTray"=c:\windows\system32\oodtray.exe


[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001


[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=

"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=

"c:\\Programy Install\\Skype\\Phone\\Skype.exe"=


R3 DfSdkS;Defragmentation-Service;c:\programy install\Ashampoo WinOptimizer 6\Dfsdks.exe [2009-01-09 410976]

R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\programy install\Lavasoft\Ad-Aware\AAWService.exe [2009-04-26 953168]

S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2009-02-06 106208]

S2 ekrn;ESET Service;c:\programy install\Eset 4\ekrn.exe [2009-02-06 727720]

S3 WSIMD;wsimd Service;c:\windows\system32\DRIVERS\wsimd.sys [2007-03-28 57024]


.

Zawartość folderu 'Zaplanowane zadania'


2009-04-26 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\programy install\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 16:57]

.

.

------- Skan uzupełniający -------

.

uStart Page = about:blank

IE: E&ksport do programu Microsoft Excel - c:\progra~2\OFFICE~1\OFFICE11\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Administrator\Dane aplikacji\Mozilla\Firefox\Profiles\y0xb7lzf.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.onet.pl/

FF - component: c:\programy install\Mozilla\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll

FF - plugin: c:\programy install\Adobe Reader 6\Reader\browser\nppdf32.dll

FF - plugin: c:\programy install\Real Alternative\browser\plugins\nppl3260.dll

FF - plugin: c:\programy install\Real Alternative\browser\plugins\nprpjplug.dll


---- FIREFOX - SPOSÓB POSTĘPOWANIA ----

FF - user.js: browser.blink_allowed - true

FF - user.js: network.prefetch-next - true

FF - user.js: nglayout.initialpaint.delay - 250

FF - user.js: layout.spellcheckDefault - 1

FF - user.js: browser.urlbar.autoFill - false

FF - user.js: browser.search.openintab - false

FF - user.js: browser.tabs.closeButtons - 1

FF - user.js: browser.tabs.opentabfor.middleclick - true

FF - user.js: browser.tabs.tabMinWidth - 100

FF - user.js: browser.urlbar.hideGoButton - false

.


**************************************************************************


catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-05-03 20:59

Windows 5.1.2600 Dodatek Service Pack 3 NTFS


skanowanie ukrytych procesów ...


skanowanie ukrytych wpisów autostartu ...


skanowanie ukrytych plików ...


skanowanie pomyślnie ukończone

ukryte pliki: 0


**************************************************************************

.

--------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------


[HKEY_USERS\S-1-5-21-527237240-2111687655-1417001333-500\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"??"=hex:21,7c,ce,ee,2b,88,5e,1a,b5,e6,0a,3d,fb,b9,07,4e,4f,dc,33,5f,24,e4,8d,

82,74,78,19,29,35,c3,4b,88,7e,2a,39,09,22,98,54,70,b4,80,33,6c,9d,a5,5b,af,\

"??"=hex:37,7e,36,56,4a,e5,5d,0f,db,3c,79,97,ec,4d,bd,aa


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]


.

--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------


- - - - - - - > 'winlogon.exe'(1080)

c:\windows\system32\Ati2evxx.dll


- - - - - - - > 'explorer.exe'(3660)

c:\programy install\Gadu-Gadu\ggwhook.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Czas ukończenia: 2009-05-03 20:59

ComboFix-quarantined-files.txt 2009-05-03 18:59


Przed: 18*739*826*688 bajtów wolnych

Po: 18*741*215*232 bajtów wolnych



(JNJN) #2

Please change the topic title to something specific: use the EDIT option and correct it. JNJN

Read this:

viewtopic.php?f=16&t=253052


(Gutek) #3

XP optimization: viewtopic.php?t=76580

Registry cleaning:

RegCleaner - http://www.dobreprogramy.pl/index.php?dz=2&t=29&id=177

you can go through the registry with it, or

jv16 PowerTools - http://www.dobreprogramy.pl/index.php?dz=2&t=29&id=509

RegCleaner description - http://www.agavk.p9.pl/strony/progra_regcleaner.php

See - Using jv16 PowerTools