Log z combofix do sprawdzenia

Dla specjalistów Bezpieczeństwo
#1

ComboFix 08-11-29.03 - MasterAdmin 2008-11-30 13:24:09.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1250.1.1045.18.2999 [GMT 0:00]

Uruchomiony z: g:\instalki\ComboFix.exe

* Utworzono nowy punkt przywracania

.

((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\MasterAdmin\Dane aplikacji\inst.exe

c:\documents and settings\MasterAdmin\Moje dokumenty\My Documents.url

c:\program files\Applications\iebtu.exe

c:\program files\Applications\iebu.exe

c:\program files\Applications\myd.ico

c:\program files\Applications\mym.ico

c:\program files\Applications\myp.ico

c:\program files\Applications\myv.ico

c:\program files\Applications\ot.ico

c:\program files\Applications\ts.ico

.

((((((((((((((((((((((((( Pliki utworzone od 2008-10-28 do 2008-11-30 )))))))))))))))))))))))))))))))

.

2008-11-30 08:55 .

2008-11-28 21:00 . 2008-11-28 21:01

2008-11-23 20:07 . 2008-11-23 20:07

2008-11-23 05:50 . 2008-11-23 05:50

2008-11-23 05:32 . 2008-11-23 05:47

2008-11-23 05:32 . 2008-11-23 05:47

2008-11-16 11:45 . 2008-11-16 11:45

2008-11-16 11:45 . 2006-10-10 14:11 827,392 --a------ c:\windows\vsnp325.exe

2008-11-16 11:45 . 2006-10-10 15:49 270,336 --a------ c:\windows\tsnp325.exe

2008-11-16 11:45 . 2004-02-27 17:36 15,498 --a------ c:\windows\snp325.ini

2008-11-16 11:45 . 2004-02-27 17:36 13,023 --a------ c:\windows\snp325.src

2008-11-16 11:43 . 2007-04-20 18:51 10,253,056 --a------ c:\windows\system32\drivers\snp325.sys

2008-11-16 11:43 . 2006-04-12 12:11 147,456 --a------ c:\windows\system32\rsnp325.dll

2008-11-16 11:43 . 2007-03-14 11:21 61,440 --a------ c:\windows\system32\vsnpx32.dll

2008-11-13 19:00 . 2008-11-13 19:00

2008-11-13 19:00 . 2000-07-14 23:00 101,888 --a------ c:\windows\system32\VB6STKIT.DLL

2008-11-13 19:00 . 1998-06-17 23:00 89,360 --a------ c:\windows\system32\VB5DB.DLL

2008-11-12 20:44 . 2008-09-04 17:17 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll

2008-11-12 20:44 . 2008-10-24 11:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys

2008-11-01 17:58 . 2008-11-01 17:58

2008-11-01 17:57 . 2008-11-01 17:57

2008-10-31 21:14 . 2008-10-31 21:15 217,088 --a------ c:\windows\system32\UAService7.exe

2008-10-30 15:35 . 2008-10-30 15:36

2008-10-26 10:26 . 2008-10-26 10:26 107,888 --a------ c:\windows\system32\CmdLineExt.dll

2008-10-24 07:11 . 2008-10-15 16:36 337,408 --------- c:\windows\system32\dllcache\netapi32.dll

2008-10-23 21:40 . 2008-10-23 21:40

2008-10-16 18:11 . 2008-10-16 18:11

2008-10-16 18:06 . 2008-10-16 18:06

2008-10-15 15:50 . 2008-08-14 13:26 2,190,464 --------- c:\windows\system32\dllcache\ntoskrnl.exe

2008-10-15 15:50 . 2008-08-14 13:26 2,146,816 --------- c:\windows\system32\dllcache\ntkrnlmp.exe

2008-10-15 15:50 . 2008-08-14 13:26 2,067,328 --------- c:\windows\system32\dllcache\ntkrnlpa.exe

2008-10-15 15:50 . 2008-08-14 13:26 2,025,472 --------- c:\windows\system32\dllcache\ntkrpamp.exe

2008-10-15 15:18 . 2008-09-15 15:27 1,846,656 --------- c:\windows\system32\dllcache\win32k.sys

2008-10-15 15:03 . 2008-09-08 10:41 333,824 --------- c:\windows\system32\dllcache\srv.sys

2008-10-01 15:49 . 2008-10-01 15:49

2008-10-01 15:49 . 2008-10-01 15:49

2008-10-01 15:41 . 2004-08-04 02:44 221,184 --a------ c:\windows\system32\wmpns.dll

2008-10-01 15:36 . 2008-10-01 15:36

2008-10-01 15:34 . 2008-04-13 22:53 1,309,184 --------- c:\windows\system32\drivers\mtlstrm.sys

.

(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-11-30 13:26 16,608 ----a-w c:\windows\gdrv.sys

2008-11-30 13:24 --------- d-----w c:\program files\Applications

2008-11-30 13:10 --------- d-----w c:\documents and settings\MasterAdmin\Dane aplikacji\Skype

2008-11-30 10:54 --------- d-----w c:\documents and settings\MasterAdmin\Dane aplikacji\skypePM

2008-11-25 15:18 --------- d–h--w c:\program files\InstallShield Installation Information

2008-11-23 05:48 --------- d-----w c:\program files\Common Files\Nero

2008-11-15 01:25 --------- d-----w c:\documents and settings\MasterAdmin\Dane aplikacji\Winamp

2008-11-09 15:01 --------- d-----w c:\program files\Gadu-Gadu

2008-11-09 14:38 --------- d-----w c:\program files\Ubisoft

2008-10-28 18:22 --------- d-----w c:\program files\Common Files\Adobe

2008-10-26 10:23 66,872 ----a-w c:\windows\system32\PnkBstrA.exe

2008-10-26 10:23 22,328 ----a-w c:\windows\system32\drivers\PnkBstrK.sys

2008-10-26 10:23 22,328 ----a-w c:\documents and settings\MasterAdmin\Dane aplikacji\PnkBstrK.sys

2008-10-26 10:23 2,250,024 ----a-w c:\windows\system32\pbsvc.exe

2008-10-26 10:23 107,832 ----a-w c:\windows\system32\PnkBstrB.exe

2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys

2008-10-03 17:26 6,066,176 ------w c:\windows\system32\dllcache\ieframe.dll

2008-10-01 14:00 --------- d-----w c:\program files\Common Files\InstallShield

2008-09-30 16:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll

2008-09-29 21:19 --------- d-----w c:\program files\Winamp

2008-09-29 14:33 410,976 ----a-w c:\windows\system32\deploytk.dll

2008-09-29 14:33 --------- d-----w c:\program files\Java

2008-09-29 14:30 --------- d-----w c:\program files\SRWare Iron

2008-09-15 15:27 1,846,656 ----a-w c:\windows\system32\win32k.sys

2008-09-10 01:15 1,307,648 ------w c:\windows\system32\msxml6.dll

2008-09-10 01:15 1,307,648 ------w c:\windows\system32\dllcache\msxml6.dll

2008-09-04 17:17 1,106,944 ----a-w c:\windows\system32\msxml3.dll

2008-08-27 12:29 47,360 ----a-w c:\documents and settings\MasterAdmin\Dane aplikacji\pcouffin.sys

2008-08-27 09:27 3,593,216 ------w c:\windows\system32\dllcache\mshtml.dll

2008-08-26 08:27 826,368 ----a-w c:\windows\system32\wininet.dll

2008-08-26 08:27 826,368 ------w c:\windows\system32\dllcache\wininet.dll

2008-08-26 08:27 671,232 ------w c:\windows\system32\dllcache\mstime.dll

2008-08-26 08:27 477,696 ------w c:\windows\system32\dllcache\mshtmled.dll

2008-08-26 08:27 44,544 ------w c:\windows\system32\dllcache\pngfilt.dll

2008-08-26 08:27 233,472 ------w c:\windows\system32\dllcache\webcheck.dll

2008-08-26 08:27 193,024 ------w c:\windows\system32\dllcache\msrating.dll

2008-08-26 08:27 105,984 ------w c:\windows\system32\dllcache\url.dll

2008-08-26 08:27 102,912 ------w c:\windows\system32\dllcache\occache.dll

2008-08-26 08:27 1,159,680 ------w c:\windows\system32\dllcache\urlmon.dll

2008-08-25 08:42 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe

2008-08-25 08:38 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe

2008-08-23 05:56 635,848 ------w c:\windows\system32\dllcache\iexplore.exe

2008-08-23 05:54 161,792 ------w c:\windows\system32\dllcache\ieakui.dll

2008-08-14 13:26 2,146,816 ----a-w c:\windows\system32\ntoskrnl.exe

2008-08-14 13:26 2,025,472 ----a-w c:\windows\system32\ntkrnlpa.exe

2008-08-14 10:04 138,496 ------w c:\windows\system32\dllcache\afd.sys

2008-07-12 15:29 1 ----a-w c:\program files\MAXXCOM DD-1065 USB CameraBigtop.inf

.

((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“CTFMON.EXE”=“c:\windows\system32\ctfmon.exe” [2008-04-14 15360]

“IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}”=“c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe” [2008-02-28 1828136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“avast!”=“c:\progra~1\ALWILS~1\Avast4\ashDisp.exe” [2008-11-18 81000]

“AcronisTimounterMonitor”=“c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe” [2007-02-16 1945960]

“Acronis Scheduler2 Service”=“c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe” [2007-02-16 149024]

“GEST”=“c:\program files\GIGABYTE\GEST\RUN.exe” [2007-12-14 236040]

“JMB36X IDE Setup”=“c:\windows\RaidTool\xInsIDE.exe” [2007-03-20 36864]

“36X Raid Configurer”=“c:\windows\system32\xRaidSetup.exe” [2007-08-29 1966080]

“NvCplDaemon”=“c:\windows\system32\NvCpl.dll” [2007-11-06 8523776]

“SunJavaUpdateSched”=“c:\program files\Java\jre6\bin\jusched.exe” [2008-09-29 144792]

“Adobe Reader Speed Launcher”=“c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe” [2008-06-12 34672]

“FixCamera”=“c:\windows\FixCamera.exe” [2007-02-12 20480]

“tsnp325”=“c:\windows\tsnp325.exe” [2006-10-10 270336]

“snp325”=“c:\windows\vsnp325.exe” [2006-10-10 827392]

“NeroFilterCheck”=“c:\program files\Common Files\Nero\Lib\NeroCheck.exe” [2008-02-28 570664]

“NBKeyScan”=“c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe” [2008-02-18 2221352]

“RTHDCPL”=“RTHDCPL.EXE” [2007-09-19 c:\windows\RTHDCPL.exe]

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

“CTFMON.EXE”=“c:\windows\system32\CTFMON.EXE” [2008-04-14 15360]

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

“nltide_2”=“shell32” [X]

“nltide_3”=“advpack.dll” [2008-08-26 c:\windows\system32\advpack.dll]

c:\documents and settings\All Users\Menu Start\Programy\Autostart\

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-10-28 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

“DisableStatusMessages”= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

“NoResolveTrack”= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

“NoSMMyPictures”= 1 (0x1)

“NoSMConfigurePrograms”= 1 (0x1)

“NoSMHelp”= 1 (0x1)

[HKEY_USERS.default\software\microsoft\windows\currentversion\policies\explorer]

“NoSMMyPictures”= 1 (0x1)

“NoSMConfigurePrograms”= 1 (0x1)

“NoSMHelp”= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FixCamera]

–a------ 2007-02-12 14:50 20480 c:\windows\FixCamera.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]

–a------ 2007-11-06 09:30 81920 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]

–a------ 2007-02-16 16:45 1169776 c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoipDiscount]

–a------ 2007-05-31 15:22 7419456 c:\program files\VoipDiscount.com\VoipDiscount\VoipDiscount.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]

–a------ 2007-10-10 05:28 36352 c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

–a------ 2007-11-06 09:30 1626112 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

“AntiVirusDisableNotify”=dword:00000001

“AntiVirusOverride”=dword:00000001

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

“%windir%\Network Diagnostic\xpnetdiag.exe”=

“%windir%\system32\sessmgr.exe”=

“c:\Program Files\VoipDiscount.com\VoipDiscount\VoipDiscount.exe”=

“c:\Program Files\SopCast\adv\SopAdver.exe”=

“c:\Program Files\SopCast\SopCast.exe”=

“c:\WINDOWS\system32\PnkBstrA.exe”=

“c:\WINDOWS\system32\PnkBstrB.exe”=

“c:\Program Files\Gadu-Gadu\gg.exe”=

“c:\Program Files\Ubisoft\Far Cry 2\bin\FarCry2.exe”=

“c:\Program Files\Ubisoft\Far Cry 2\bin\FC2Launcher.exe”=

“c:\Program Files\Ubisoft\Far Cry 2\bin\FC2Editor.exe”=

“c:\WINDOWS\system32\dpvsetup.exe”=

“e:\CODWOATWAR\CoDWaWmp.exe”=

“e:\CODWOATWAR\CoDWaW.exe”=

“c:\Program Files\Skype\Phone\Skype.exe”=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-07-12 110160]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-07-12 20560]

R2 Nero BackItUp Scheduler 4.0;Nero BackItUp Scheduler 4.0;c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe [2008-09-24 935208]

R3 GEST Service;GEST Service for program management.;“c:\program files\GIGABYTE\GEST\GSvr.exe” [2008-07-12 47624]

R3 SNP325;USB PC Camera (SNPSTD325);c:\windows\system32\DRIVERS\snp325.sys [2008-11-16 10253056]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{1b64a746-5a57-11dd-9570-001d7dd2a8a0}]

\Shell\AutoRun\command - J:\AutoTransfer.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{8f441e74-8814-11dd-95f3-001d7dd2a8a0}]

\Shell\AutoRun\command - J:\AutoTransfer.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{caf4b2e0-6c84-11dd-95ac-001d7dd2a8a0}]

\Shell\AutoRun\command - setupSNK.exe

.

        • USUNIĘTO PUSTE WPISY - - - -

MSConfigStartUp-!AVG Anti-Spyware - c:\program files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

MSConfigStartUp-Comrade - c:\program files\GameSpy\Comrade\Comrade.exe

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-11-30 13:26:07

Windows 5.1.2600 Dodatek Service Pack 3 NTFS

skanowanie ukrytych procesów …

skanowanie ukrytych wpisów autostartu …

skanowanie ukrytych plików …

skanowanie pomyślnie ukończone

ukryte pliki: 0

**************************************************************************

.

--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------

              • > ‘lsass.exe’(928)

c:\windows\system32\relog_ap.dll

.

------------------------ Pozostałe uruchomione procesy ------------------------

.

c:\program files\Alwil Software\Avast4\aswUpdSv.exe

c:\program files\Alwil Software\Avast4\ashServ.exe

c:\program files\Common Files\Acronis\Schedule2\schedul2.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe

c:\windows\system32\nvsvc32.exe

c:\windows\system32\IoctlSvc.exe

c:\windows\system32\PnkBstrA.exe

c:\windows\system32\PnkBstrB.exe

c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

c:\windows\system32\UAService7.exe

c:\program files\Alwil Software\Avast4\ashMaiSv.exe

c:\program files\Alwil Software\Avast4\ashWebSv.exe

c:\program files\Common Files\Nero\Lib\NMIndexingService.exe

c:\windows\system32\wbem\wmiapsrv.exe

.

**************************************************************************

.

Czas ukończenia: 2008-11-30 13:27:32 - komputer został uruchomiony ponownie

ComboFix-quarantined-files.txt 2008-11-30 13:27:29

Przed: 5 286 043 648 bajtów wolnych

Po: 5,227,425,792 bajtów wolnych

WindowsXP-KB310994-SP2-Pro-BootDisk-PLK.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT=“Microsoft Windows Recovery Console” /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS=“Microsoft Windows XP Professional” /noexecute=optin /fastdetect

245 — E O F — 2008-11-29 22:40:12

#2

olabo ,

Zapoznaj się z tematem Ważny komunikat dotyczący tytułowania tematów - popraw tytuł na konkretny, mówiący o problemie. W celu dokonania zaleconej korekty - proszę użyć przycisku ac7a4cd89050aa6e.gif

Zignorowanie zalecenia będzie skutkowało usunięciem tematu do Kosza.

W związku ze zmianą, jaka obowiązuje przy wklejaniu logów w tym dziale, przeczytaj i zastosuj się do Tematu