OK, here is the log:
ComboFix 08-04-29.3 - x 2008-04-30 20:33:36.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.60 [GMT 2:00]
Running from: D:\karool\ComboFix.exe
Command switches used :: D:\karool\CFScript.txt
* Created a new restore point
* Resident AV is active
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED
FILE ::
C:\WINDOWS\system32\doxklsti.exe
C:\WINDOWS\system32\WINWGPX.EXE
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Dane aplikacji\obwtalut
C:\Documents and Settings\All Users\Dane aplikacji\obwtalut\kvmjgnkb.exe
C:\WINDOWS\system32\doxklsti.exe
C:\WINDOWS\system32\WINWGPX.EXE
.
((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-30 )))))))))))))))))))))))))))))))
.
2008-04-30 20:25 . 2008-04-30 20:25
2008-04-30 19:11 . 2008-04-30 19:11 110,592 --a------ C:\WINDOWS\system32\qnsdcdoj.exe
2008-04-29 13:51 . 2008-04-29 13:59
2008-04-28 19:47 . 2008-04-28 19:47 4,096 --a------ C:\WINDOWS\system32\winsystem.exe
2008-04-21 15:31 . 2008-04-21 15:31
2008-04-09 17:52 . 2008-04-09 18:17
2008-03-25 19:38 . 2008-03-25 19:38
2008-03-19 09:19 . 2008-03-19 09:20
2008-03-19 09:19 . 2008-03-19 09:20
2008-03-12 18:14 . 2008-04-28 19:53
2008-03-12 18:13 . 2008-04-30 20:24
2008-03-12 18:13 . 2008-03-12 18:13 77,824 --a----t- C:\WINDOWS\system32\DRWEBSP.DLL
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-30 18:22 --------- d-----w C:\Program Files\DialNet
2008-04-25 11:48 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-24 15:14 --------- dc----w C:\Documents and Settings\x\Dane aplikacji\Tibia
2008-04-20 15:31 --------- d-----w C:\Program Files\Championship Manager 5 Demo
2008-04-20 15:27 --------- d-----w C:\Program Files\Polskie Derby
2008-04-08 18:35 --------- dc----w C:\Documents and Settings\x\Dane aplikacji\BearShare
2008-04-08 16:23 --------- dc--a-w C:\Documents and Settings\All Users\Dane aplikacji\TEMP
2008-03-05 15:32 19,688 -c--a-w C:\Documents and Settings\x\Dane aplikacji\GDIPFONTCACHEV1.DAT
2007-10-20 08:21 149 -c--a-w C:\Program Files\INSTALL.LOG
2001-11-23 04:08 712,704 -c--a-w C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
2007-11-15 15:12 56 -csh--r C:\WINDOWS\system32\6E12D84BB1.sys
2007-11-15 15:12 848 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((( snapshot@2008-04-30_16.09.53,22 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-30 12:15:16 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-04-30 18:22:19 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24 1694208]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 18:05 143360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-09 19:36 68856]
"PC-Cleaner"="C:\Program Files\PC-Cleaner\PC-Cleaner.exe" []
"iblqtzus"="C:\WINDOWS\system32\qnsdcdoj.exe" [2008-04-30 19:11 110592]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CapFax"="C:\Program Files\Classic PhoneTools\CapFax.EXE" [2001-12-10 18:34 20739]
"SoundMan"="SOUNDMAN.EXE" [2003-08-15 09:34 57344 C:\WINDOWS\SOUNDMAN.EXE]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [2002-07-12 12:15 106496]
"Cmaudio"="cmicnfg.cpl" []
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40 155648]
"RestartNeroSetup"="F:\CDS\Nero\Installation\SetupX.exe" []
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 15:10 56928]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 22:55 54832]
"WinampAgent"="D:\Winamp\winampa.exe" [2007-05-15 00:22 35328]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2006-09-07 19:19 15872]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-19 21:16 286720]
"DAEMON Tools"="C:\Documents and Settings\x\Moje dokumenty\DAEMON Tools\daemon.exe" [2005-12-10 16:57 133016]
"a-winpoet-service"="C:\Program Files\DialNet\winpppoverethernet.exe" [2007-07-06 09:40 405504]
"z-WrDialer"="C:\Program Files\DialNet\wrdialer.exe" [2007-07-11 18:11 561152]
"SpIDerMail"="C:\Program Files\DrWeb\spiderml.exe" [2007-12-25 15:34 500976]
"DrWebScheduler"="C:\Program Files\DrWeb\DRWEBSCD.EXE" [2008-03-31 15:33 283888]
"SpIDerNT"="C:\PROGRA~1\DrWeb\spiderui.exe" [2008-03-31 15:33 230936]
"watch"="D:\karool\RÓŻNE ;P\oprogramowanie\actics" [2008-03-25 16:13 0]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 14:00 15360]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-08-04 00:33 44544]
C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 11:01:04 83360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Antiwpa]
antiwpa.dll 2006-11-04 11:28 5376 C:\WINDOWS\system32\antiwpa.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"=
"E:\Program Files\BearShare Applications\BearShare\BearShare.exe"=
"E:\Gadu-Gadu\gg.exe"=
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"=
"D:\gry\MotoGP2 Demo\motogp2_demo.exe"=
"D:\gry\Skoki Narciarskie 2005\SkiJumping2005.exe"=
"C:\WINDOWS\system32\dpvsetup.exe"=
"C:\WINDOWS\system32\rundll32.exe"=
"E:\Dark781v2_RC2\Darkonia781\DARK781.exe"=
"D:\gry\rct.exe"=
"E:\Angielski w pigulce 2.0 Rzeczpospolita\50\Tibia\ghjgj\hjkl\Dark781v2_RC2\Darkonia781\DARK781.exe"=
"E:\Angielski w pigulce 2.0 Rzeczpospolita\50\Tibia\ghjgj\dwdd\Zorzin OTServ 1.1 (XML)\XML Version 1.1\Zorzin OTServer 1.1 - XML.exe"=
"D:\karool\pozostałe\eMule\emule.exe"=
"D:\Criss\rozne\ots\Zorzin OTServ 1.1 (XML)\XML Version 1.1\Zorzin OTServer 1.1 - XML.exe"=
"D:\gry\Stronghold2Demo.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"24016:TCP"= 24016:TCP:BitComet 24016 TCP
"24016:UDP"= 24016:UDP:BitComet 24016 UDP
"7951:TCP"= 7951:TCP:BitComet 7951 TCP
"7951:UDP"= 7951:UDP:BitComet 7951 UDP
R2 OpSrv;Opiekun;C:\WINDOWS\system32\opsrv.exe [2006-02-14 16:15]
R2 SPIDER;SpIDer Guard File System Monitor;C:\PROGRA~1\DrWeb\spider.sys [2008-03-31 15:33]
R2 SPIDERNT;SpIDer Guard for Windows;C:\PROGRA~1\DrWeb\spidernt.exe [2008-03-31 15:33]
R2 TopWinPoETDriver;WinPoET PPPoE Optimized Driver;C:\WINDOWS\system32\DRIVERS\WrKPoET2000.sys [2007-07-04 17:27]
R3 FPD;Fine Point Packet Service;C:\WINDOWS\system32\drivers\fpd.sys [2007-07-04 17:27]
R3 WrKPoET2000;WrKPoET2000;C:\Program Files\DialNet\WrKPoET2000.sys [2007-07-04 17:27]
R3 WRSWanDD;WinPoET PPPoE Adapter;C:\WINDOWS\system32\DRIVERS\WrKPoETNic2000.sys [2007-07-04 17:27]
S3 ewdmaudn;ewdmaudn;C:\DOCUME~1\x\USTAWI~1\Temp\ewdmaudn.sys []
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;D:\Common\Database\bin\fbserver.exe [2005-11-17 15:18]
S3 usbscan;Sterownik skanera USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 23:58]
S3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 14:00]
.
Contents of the 'Scheduled Tasks' folder
"2008-04-28 13:06:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-30 20:36:38
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\OpSrv]
"ImagePath"="C:\WINDOWS\system32\opsrv.exe /startedbyscm:BB66DA22-40E2A281-OpiekunService"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\lsass.exe
- C:\WINDOWS\system32\OPLSP.DLL
.
Completion time: 2008-04-30 20:39:46
ComboFix-quarantined-files.txt 2008-04-30 18:39:41
ComboFix2.txt 2008-04-30 14:49:02
ComboFix3.txt 2008-04-30 14:10:32
Pre-Run: 477,958,144 bytes free
Post-Run: 495,050,752 bytes free
153 --- E O F --- 2008-04-30 17:47:04
Post added on 30.04.2008 at 21:57 by Arcane
I have one small question: when I scan with ComboFix, the first time round my menu bar disappears, so when I once tried to minimize the page I couldn't get it back to paste the log, and during the scan my antivirus suddenly finds infected files that belong to ComboFix, so I have to ignore them. Is this behaviour normal?