ComboFix 08-11-09.04 - Czesio 2008-11-10 23:32:45.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1250.1.1045.18.701 [GMT 1:00]
Uruchomiony z: F:\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\userinit.exe . . . jest zainfekowany!!

.
((((((((((((((((((((((((( Pliki utworzone od 2008-10-10 do 2008-11-10 )))))))))))))))))))))))))))))))
.

2008-11-10 21:50 . 2008-11-10 21:50
2008-11-10 20:50 . 2008-11-10 17:25
2008-11-10 20:50 . 2008-11-10 17:25
2008-11-10 20:50 . 2008-11-10 17:30
2008-11-10 20:50 . 2008-11-10 17:25
2008-11-10 20:50 . 2008-11-10 17:25
2008-11-10 20:50 . 2008-11-10 17:25
2008-11-10 20:50 . 2008-11-10 21:01
2008-11-10 20:50 . 2008-11-10 20:50
2008-11-10 20:46 . 2008-11-10 20:46    4,444        --a------    c:\windows\system32\pid.PNF
2008-11-10 20:37 . 2005-12-21 09:16    470,048      -ra------    c:\windows\system32\drivers\ar5211.sys
2008-11-10 20:27 . 2008-11-10 20:27
2008-11-10 20:27 . 2005-06-17 04:41    61,440       --a------    c:\windows\system32\vuins32.dll
2008-11-10 20:27 . 2006-03-15 03:51    43,008       --a------    c:\windows\system32\drivers\fetnd5bv.sys
2008-11-10 20:26 . 2008-11-10 20:26
2008-11-10 20:26 . 2008-11-10 20:26    940,794      --a------    c:\windows\system32\LoopyMusic.wav
2008-11-10 20:26 . 2008-11-10 20:26    146,650      --a------    c:\windows\system32\BuzzingBee.wav
2008-11-10 20:23 . 2008-11-10 20:23
2008-11-10 20:23 . 2008-11-10 20:28
2008-11-10 20:23 . 2006-05-04 09:26    2,808,832    -r-------    c:\windows\alcwzrd.exe
2008-11-10 20:23 . 2006-06-28 07:00    2,158,592    -r-------    c:\windows\MicCal.exe
2008-11-10 20:23 . 2005-04-16 15:20    487,424      -r-------    c:\windows\RtlExUpd.dll
2008-11-10 20:23 . 2005-09-21 03:25    299,008      -r-------    c:\windows\system32\ALSndMgr.Cpl
2008-11-10 20:23 . 2005-05-03 11:43    69,632       -r-------    c:\windows\Alcmtr.exe
2008-11-10 20:22 . 2008-11-10 20:28    287          --a------    c:\windows\UChromeP.uns
2008-11-10 20:21 . 2008-11-10 20:21
2008-11-10 20:20 . 2008-11-10 20:23
2008-11-10 20:12 . 2008-09-08 11:41    333,824      -----c---    c:\windows\system32\dllcache\srv.sys
2008-11-10 20:12 . 2008-06-14 18:36    273,024      -----c---    c:\windows\system32\dllcache\bthport.sys
2008-11-10 20:12 . 2008-08-14 11:04    138,496      -----c---    c:\windows\system32\dllcache\afd.sys
2008-11-10 20:11 . 2008-08-14 14:26    2,190,464    -----c---    c:\windows\system32\dllcache\ntoskrnl.exe
2008-11-10 20:11 . 2008-08-14 14:26    2,146,816    -----c---    c:\windows\system32\dllcache\ntkrnlmp.exe
2008-11-10 20:11 . 2008-08-14 14:26    2,067,328    -----c---    c:\windows\system32\dllcache\ntkrnlpa.exe
2008-11-10 20:11 . 2008-08-14 14:26    2,025,472    -----c---    c:\windows\system32\dllcache\ntkrpamp.exe
2008-11-10 20:11 . 2008-09-15 16:27    1,846,656    -----c---    c:\windows\system32\dllcache\win32k.sys
2008-11-10 20:09 . 2008-04-11 20:06    691,712      -----c---    c:\windows\system32\dllcache\inetcomm.dll
2008-11-10 20:09 . 2008-05-01 15:37    331,776      -----c---    c:\windows\system32\dllcache\msadce.dll
2008-11-10 20:09 . 2008-05-08 15:02    203,136      -----c---    c:\windows\system32\dllcache\rmcast.sys
2008-11-10 20:08 . 2008-10-15 17:36    337,408      -----c---    c:\windows\system32\dllcache\netapi32.dll
2008-11-10 20:07 . 2008-11-10 20:40
2008-11-10 20:07 . 2008-11-10 20:07
2008-11-10 19:59 . 2008-11-10 19:59    0            --a------    c:\windows\nsreg.dat
2008-11-10 19:37 . 2008-11-10 19:37
2008-11-10 19:37 . 2008-11-10 23:30
2008-11-10 19:37 . 2008-11-10 19:56    96,976       --a------    c:\windows\system32\drivers\klin.dat
2008-11-10 19:37 . 2008-11-10 19:56    87,855       --a------    c:\windows\system32\drivers\klick.dat
2008-11-10 19:36 . 2008-11-10 23:37    394,272      --ahs----    c:\windows\system32\drivers\fidbox.dat
2008-11-10 19:36 . 2008-11-10 23:36    27,424       --ahs----    c:\windows\system32\drivers\fidbox2.dat
2008-11-10 19:36 . 2008-11-10 23:34    7,328        --ahs----    c:\windows\system32\drivers\fidbox.idx
2008-11-10 19:36 . 2008-11-10 23:34    3,572        --ahs----    c:\windows\system32\drivers\fidbox2.idx
2008-11-10 19:34 . 2003-04-03 00:54    20,648       -ra------    c:\windows\system32\drivers\netrcacm.sys

.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-10 18:56    112,144      ----a-w    c:\windows\system32\drivers\kl1.sys
2008-11-10 17:55    ---------    d-----w    c:\program files\SubEdit-Player
2008-11-10 17:55    ---------    d-----w    c:\program files\7-Zip
2008-11-10 17:54    ---------    d-----w    c:\program files\Real Alternative
2008-11-10 17:54    ---------    d-----w    c:\program files\Foxit Software
2008-11-10 16:34    ---------    d-----w    c:\program files\microsoft frontpage
2008-11-10 16:33    558,142      ----a-w    c:\windows\java\Packages\8VR5FRP3.ZIP
2008-11-10 16:33    155,995      ----a-w    c:\windows\java\Packages\HV9RJXZR.ZIP
2008-11-10 16:30    ---------    d-----w    c:\program files\Usługi online
2008-09-15 15:27    1,846,656    ----a-w    c:\windows\system32\win32k.sys
2008-08-20 05:11    668,672      ----a-w    c:\windows\system32\wininet.dll
2008-08-14 13:26    2,146,816    ----a-w    c:\windows\system32\ntoskrnl.exe
2008-08-14 13:26    2,025,472    ----a-w    c:\windows\system32\ntkrnlpa.exe
2002-10-10 20:56    115,200      --sh--w    c:\windows\system32\calc.exe
2002-10-10 20:56    9,842        --sh--w    c:\windows\system32\mspw.dll
2002-10-10 20:56    66,560       --sh--w    c:\windows\system32\notepad.exe
2002-10-10 20:56    115,200      -csh--w    c:\windows\system32\dllcache\calc.exe
2002-10-10 20:56    66,560       -csh--w    c:\windows\system32\dllcache\notepad.exe

.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2007-06-28 218376]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-28 c:\windows\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]
"VTTimer"="VTTimer.exe" [2006-09-21 c:\windows\system32\VTTimer.exe]
"S3Trayp"="S3trayp.exe" [2006-10-10 c:\windows\system32\S3Trayp.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"=
"%windir%\Network Diagnostic\xpnetdiag.exe"=

R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2007-04-04 24344]
R3 S3GIGP;S3GIGP;c:\windows\system32\DRIVERS\S3gIGPm.sys [2006-11-15 634880]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d38a1be0-af49-11dd-a184-0040d0aea696}]
\Shell\Auto\command - f:…\help.exe o_disk
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL …\help.exe o_disk
\Shell\explore\Command - f:…\help.exe o_disk
\Shell\open\Command - f:…\help.exe o_disk
.
.
------- Skan uzupełniający -------
.
FireFox -: Profile - c:\documents and settings\Czesio\Dane aplikacji\Mozilla\Firefox\Profiles\6e5d6g0b.default\
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-10 23:36:38
Windows 5.1.2600 Dodatek Service Pack 3 NTFS

skanowanie ukrytych procesów ...
skanowanie ukrytych wpisów autostartu ...
skanowanie ukrytych plików ...
skanowanie pomyślnie ukończone
ukryte pliki: 0

**************************************************************************
.
------------------------ Pozostałe uruchomione procesy ------------------------
.
c:\windows\system32\wscntfy.exe
c:\windows\system32\wpabaln.exe
.
**************************************************************************
.
Czas ukończenia: 2008-11-10 23:38:31 - komputer został uruchomiony ponownie [Czesio]
ComboFix-quarantined-files.txt  2008-11-10 22:38:24

Przed: 16,541,024,256 bajtów wolnych
Po: 16,499,380,224 bajtów wolnych

WindowsXP-KB310994-SP2-Pro-BootDisk-PLK.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

144 --- E O F --- 2008-11-10 19:40:39