Oto log z ComboFixa, proszę o pomoc. (Uwaga do logu: widoczne są wskaźniki infekcji — pliki z ukrytymi atrybutami systemowymi (-r-hs): C:\gy.exe, c:\windows\system32\olhrwef.exe oraz c:\windows\system32\nmdfgds0.dll / nmdfgds1.dll, wszystkie zmodyfikowane 2009-01-20 07:36 lub 07:19; wpis „cdoosoft" na liście msconfig\startupreg uruchamiający olhrwef.exe; a także wpisy autostartu w MountPoints2 dla dysków wymiennych wskazujące na nhbivui.exe oraz I:\xih9.cmd i J:\xih9.cmd — czyli mechanizm rozprzestrzeniania przez autorun na nośnikach USB. Do zakończenia czyszczenia nie podłączaj używanych wcześniej pendrive'ów do innych komputerów bez ich sprawdzenia, a po usunięciu infekcji — jako standardowe zabezpieczenie — zmień hasła wpisywane na tej maszynie. W sekcji msconfig\services usługa wuauserv (Automatyczne aktualizacje) jest oznaczona jako wyłączona; po czyszczeniu warto ją ponownie włączyć. Wpis EnableFirewall=0 dotyczy wbudowanej zapory Windows i jest oczekiwany przy zainstalowanym PC Tools Firewall Plus.)
ComboFix 09-01-19.05 - Bruce 2009-01-20 19:40:37.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1250.1.1033.18.1024.723 [GMT 1:00]
Uruchomiony z: c:\documents and settings\Bruce\Desktop\ComboFix.exe
AV: PC Tools AntiVirus 5.0.1.1 *On-access scanning enabled* (Updated)
FW: PC Tools Firewall Plus *enabled*
.
((((((((((((((((((((((((( Pliki utworzone od 2008-12-20 do 2009-01-20 )))))))))))))))))))))))))))))))
.
2009-01-20 16:25 . 2009-01-20 19:21
2009-01-20 10:34 . 2009-01-20 10:34
2009-01-20 08:07 . 2009-01-20 14:06
2009-01-20 07:36 . 2009-01-20 07:36 107,561 -r-hs---- C:\gy.exe
2009-01-19 13:50 . 2009-01-19 13:50
2009-01-18 08:23 . 2009-01-20 07:36 95,744 -r-hs---- c:\windows\system32\nmdfgds1.dll
2009-01-18 08:23 . 2008-04-14 01:12 69,120 --a------ c:\windows\AhnRpta.exe
2009-01-18 08:15 . 2009-01-20 07:36 107,561 -r-hs---- c:\windows\system32\olhrwef.exe
2009-01-18 08:15 . 2009-01-20 07:19 95,744 --------- c:\windows\system32\nmdfgds0.dll
2009-01-09 21:53 . 2009-01-09 21:53 43,520 --a------ c:\windows\system32\CmdLineExt03.dll
2009-01-09 14:22 . 2009-01-09 14:32
2009-01-08 08:55 . 2009-01-08 08:55
2009-01-08 08:51 . 2009-01-08 09:14
2009-01-05 12:03 . 2009-01-05 11:48 737,280 --a------ c:\windows\iun6002.exe
2009-01-05 12:03 . 2001-05-11 13:18 420,240 --a------ c:\windows\system32\mpg4c32.dll
2009-01-05 12:03 . 2001-05-16 17:54 309,616 --a------ c:\windows\system32\wmv8dmod.dll
2009-01-05 12:03 . 2001-03-26 04:41 245,760 --a------ c:\windows\system32\mp4sds32.ax
2009-01-05 11:48 . 2009-01-05 11:48
2009-01-04 12:59 . 2009-01-19 21:42 1,475 --a------ c:\windows\brydz3.ini
2009-01-04 12:59 . 2009-01-19 21:42 10 --a------ c:\windows\osoba3.cfg
2009-01-04 12:24 . 2009-01-04 12:42
2009-01-01 15:09 . 2009-01-01 15:09 122,880 --a------ c:\windows\lcmmfu.cpl
2009-01-01 15:09 . 2009-01-01 15:09 48,640 --a------ c:\windows\mmfs.dll
2009-01-01 15:09 . 2009-01-01 15:09 2,560 --a------ c:\windows\Runservice.exe
2009-01-01 15:09 . 2009-01-20 19:28 1,217 --ahs---- c:\windows\system32\mmf.sys
2009-01-01 13:02 . 2009-01-01 13:02
2009-01-01 13:02 . 2009-01-01 13:03
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-20 18:39 --------- d--a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-20 18:28 --------- d-----w c:\program files\PC Tools AntiVirus
2009-01-20 18:11 --------- d-----w c:\documents and settings\Bruce\Application Data\uTorrent
2009-01-19 22:13 --------- d-----w c:\documents and settings\Bruce\Application Data\foobar2000
2009-01-19 15:13 --------- d-----w c:\documents and settings\Bruce\Application Data\Skype
2009-01-19 15:04 --------- d-----w c:\documents and settings\Bruce\Application Data\skypePM
2009-01-13 22:10 --------- d-----w c:\documents and settings\Bruce\Application Data\Tlen.pl
2009-01-11 12:01 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-07 09:34 --------- d-----w c:\program files\Mozilla Sunbird
2009-01-04 15:48 --------- d-----w c:\program files\eMule
2009-01-04 14:31 184 ----a-w c:\program files\firebird.log
2008-12-14 13:49 --------- d-----w c:\program files\ScannerU
2008-12-14 13:30 --------- d-----w c:\documents and settings\All Users\Application Data\CanonIJPLM
2008-12-12 11:54 --------- d-----w c:\program files\Skype
2008-12-06 07:07 --------- d-----w c:\program files\proGame
2008-12-05 20:25 --------- d-----w c:\documents and settings\Bruce\Application Data\SpeedSim
2008-12-04 11:57 --------- d-----w c:\program files\Electronic Arts
2008-12-04 11:52 --------- d-----w c:\program files\Tlen.pl
2008-12-04 11:52 --------- d-----w c:\program files\KB Piano
2008-12-01 20:07 --------- d-----w c:\program files\eTeacher 4
2008-11-27 10:02 --------- d-----w c:\documents and settings\All Users\Application Data\Tlen.pl
2008-11-20 09:10 --------- d-----w c:\documents and settings\Bruce\Application Data\GlarySoft
2008-11-20 09:09 --------- d-----w c:\program files\Glary Utilities
2008-10-29 09:20 152,904 ----a-w c:\windows\system32\vghd.scr
2008-10-29 08:08 107,888 ----a-w c:\windows\system32\CmdLineExt.dll
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTStartup"="c:\program files\Creative\Splash Screen\CTEaxSpl.EXE" [2001-12-20 28672]
"PCTAVApp"="c:\program files\PC Tools AntiVirus\PCTAV.exe" [2009-01-20 1370000]
"00PCTFW"="c:\program files\PC Tools Firewall Plus\FirewallGUI.exe" [2008-08-05 2611096]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 1603152]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{BB4C402F-882A-4526-8C08-51278EA437C1}"= "c:\windows\system32\afmain1.dll" [2008-04-14 78848]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
“msacm.ac3filter”= ac3filter.acm
[HKLM~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Action Manager 32.lnk]
backup=c:\windows\pss\Action Manager 32.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cdoosoft]
-r-hs---- 2009-01-20 07:36 107561 c:\windows\system32\olhrwef.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-14 01:12 15360 c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gadu-Gadu]
--a------ 2008-03-20 11:04 2127296 c:\program files\Gadu-Gadu\gg.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jet Detection]
--a------ 2001-11-29 00:00 28672 c:\program files\Creative\SBLive\Program\ADGJDet.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2008-09-17 08:55 13574144 c:\windows\system32\nvcpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-09-17 08:55 86016 c:\windows\system32\nvmctray.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
-ra------ 2005-10-26 15:17 159744 c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--------- 2000-05-11 00:00 90112 c:\windows\Updreg.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2008-09-17 08:55 1657376 c:\windows\system32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINDVDPatch]
--a------ 2002-07-02 10:56 24576 c:\windows\system32\CTHELPER.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"helpsvc"=2 (0x2)
"ERSvc"=2 (0x2)
"wuauserv"=2 (0x2)
"WebClient"=2 (0x2)
"Themes"=2 (0x2)
"seclogon"=2 (0x2)
"PolicyAgent"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"ALG"=3 (0x3)
"aawservice"=2 (0x2)
[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"=
"%windir%\Network Diagnostic\xpnetdiag.exe"=
"c:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"=
"c:\Program Files\uTorrent\uTorrent.exe"=
"c:\Program Files\Skype\Phone\Skype.exe"=
R1 pctfw2;pctfw2;c:\windows\system32\drivers\pctfw2.sys [2008-09-30 160792]
R3 FWAuth;FWAuth Driver;c:\windows\system32\drivers\FWAuthdriver.sys [2008-09-30 58136]
R4 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [2009-01-01 2560]
S4 BulkUsb;Plustek USB Scanner;c:\windows\system32\drivers\usbscan.sys [2008-11-22 15104]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{18511ede-ba00-11dd-a072-00e018b277bf}]
\Shell\AutoRun\command - nhbivui.exe
\Shell\explore\Command - nhbivui.exe
\Shell\open\Command - nhbivui.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{1a1b101b-a409-11dd-a037-00e018b277bf}]
\Shell\AutoRun\command - I:\xih9.cmd
\Shell\explore\Command - I:\xih9.cmd
\Shell\open\Command - I:\xih9.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{c5abc43d-e084-11dd-a0b7-0002447fc6c6}]
\Shell\AutoRun\command - J:\xih9.cmd
\Shell\explore\Command - J:\xih9.cmd
\Shell\open\Command - J:\xih9.cmd
.
Zawartość folderu 'Zaplanowane zadania'
2009-01-20 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2008-10-29 17:58]
.
.
------- Skan uzupełniający -------
.
uStart Page = hxxp://www.google.pl/
IE: E&ksportuj do programu Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{B46B0919-62BA-4D99-A5C4-916B57A6805C} - {B46B0919-62BA-4D99-A5C4-916B57A6805C} - c:\program files\Techland\Common\InternetTranslator\InternetTranslator.dll
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
FF - ProfilePath - c:\documents and settings\Bruce\Application Data\Mozilla\Firefox\Profiles\hrib6oat.default\
FF - prefs.js: browser.startup.homepage - hxxp://google.pl/
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Picasa2\npPicasa2.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-20 19:42:02
Windows 5.1.2600 Service Pack 3 NTFS
skanowanie ukrytych procesów …
skanowanie ukrytych wpisów autostartu …
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTStartup = c:\program files\Creative\Splash Screen\CTEaxSpl.EXE /run???st???w? ?w???w???w4???.??w4???4???TA?s4???&8?T???t???5?B~e?B~????L????C@?\???\??????s????\??????s\????&8?A??s?&8??C@?x???
|?w???@
skanowanie ukrytych plików …
skanowanie pomyślnie ukończone
ukryte pliki: 0
**************************************************************************
.
--------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------
[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&y@^t! #^$ g9^$&pgb SDB36o \D25BC253F035D347]
“1”=hex:6a,0b,56,13,c1,93,dc,9c,fb,61,a2,a0,e4,ff,91,20,60,bf,2f,c2,35,91,ae,
25
“2”=hex:fb,e6,50,7f,41,f4,51,a7,7f,ec,2d,f9,42,45,3a,02,3a,b7,45,15,3f,9d,8b,
c3
“3”=hex:6a,0b,56,13,c1,93,dc,9c,fb,61,a2,a0,e4,ff,91,20,5d,f5,58,d1,21,e0,48,
8b,38,57,44,9c,4e,8d,78,88,fd,f1,01,9d,86,d8,b5,cb,d9,bf,23,55,4a,bb,31,1f
[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&y@^t! #^$ g9^$&pgb SDB36o \D25BC253F035D347\0685B4039E83FFC215FE6F791AF60AF7]
“1”=hex:e4,aa,f8,f3,74,8d,9e,c8,87,9d,1b,26,37,fe,f3,a9,e1,65,0b,4e,76,5e,be,
cc,22,d3,ec,74,16,8a,da,65,11,e3,07,bb,51,b8,fc,76
“2”=hex:ac,5d,cf,8a,eb,60,b6,ba
“3”=hex:81,20,8f,ab,28,6a,52,9c
“4”=hex:2f,ad,a2,e7,8a,bf,05,5e
“5”=hex:bf,e5,23,7b,b0,66,d6,fc,b8,e8,6b,a0,96,52,f7,32,80,09,8f,24,b7,b3,55,
1a,98,d1,47,16,02,43,61,1c,b9,d5,8f,2a,7b,81,b1,fb,95,22,f8,b3,2c,53,9d,ae,\
“6”=hex:bf,e5,23,7b,b0,66,d6,fc,bc,64,22,fb,7e,d3,39,3e,a3,00,33,13,c0,21,f4,
51,6c,4e,0c,96,e2,dd,ad,8a,b6,c4,05,e8,5a,bd,9a,e9,d4,1a,3d,68,9d,00,32,20
“7”=hex:93,41,de,56,34,94,a7,b2,fc,ed,3e,91,10,66,4e,1a,c6,31,42,b5,d7,5d,59,
d2,15,2d,46,f0,84,ba,60,d2,1d,15,55,8f,94,36,ff,d9,13,fd,dc,f4,43,be,c7,61,\
“8”=hex:9d,9e,b2,b9,a7,a5,f4,ae,4d,29,c2,a3,c0,78,c4,c5,2e,4e,96,8c,7e,a3,52,
64,0b,26,ce,91,53,4b,53,9a,85,70,6c,f0,9f,1f,18,c9,f3,fb,e2,b4,f6,a7,d8,a5,\
“9”=hex:81,20,8f,ab,28,6a,52,9c
“18”=hex:b6,dd,00,4d,9d,38,11,d1
“10”=hex:81,20,8f,ab,28,6a,52,9c
“11”=hex:81,20,8f,ab,28,6a,52,9c
“12”=hex:81,20,8f,ab,28,6a,52,9c
“13”=hex:81,20,8f,ab,28,6a,52,9c
“14”=hex:81,20,8f,ab,28,6a,52,9c
“24”=hex:81,20,8f,ab,28,6a,52,9c
“26”=hex:81,20,8f,ab,28,6a,52,9c
“27”=hex:81,20,8f,ab,28,6a,52,9c
“19”=hex:81,20,8f,ab,28,6a,52,9c
“22”=hex:81,20,8f,ab,28,6a,52,9c
.
Czas ukończenia: 2009-01-20 19:43:10
ComboFix-quarantined-files.txt 2009-01-20 18:43:05
ComboFix2.txt 2009-01-20 18:20:18
ComboFix3.txt 2008-11-19 19:44:16
ComboFix4.txt 2008-11-14 10:12:55
ComboFix5.txt 2009-01-20 18:40:12
Przed: 8,020,836,352 bytes free
Po: 8,007,090,176 bytes free
214 --- E O F --- 2008-11-12 06:33:21