Unfortunately formatting doesn't help at all. I tried it about 3 times … Maybe I have bad sectors on the disk … I can't figure this out.
Here are the logs from ComboFix and HijackThis.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:03:17, on 2009-06-19
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\system32\drivers\services.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Nowe Gadu-Gadu\gg.exe
C:\Program Files\Nowe Gadu-Gadu\spellchecker_gg.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: IEPluginBHO - {F5CC7F02-6F4E-4462-B5B1-394A57FD3E0D} - C:\Documents and Settings\Bashoo\Dane aplikacji\Nowe Gadu-Gadu\_userdata\ggbho.1.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [msm] C:\WINDOWS\system32\drivers\services.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Nowe Gadu-Gadu] "C:\Program Files\Nowe Gadu-Gadu\gg.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{68A96BBA-8125-4B5F-BD44-2049538525F5}: NameServer = 10.200.58.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{68A96BBA-8125-4B5F-BD44-2049538525F5}: NameServer = 10.200.58.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{68A96BBA-8125-4B5F-BD44-2049538525F5}: NameServer = 10.200.58.1
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
--
End of file - 4110 bytes
ComboFix 09-06-18.02 - Bashoo 2009-06-19 15:07.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.48.1045.18.511.137 [GMT 2:00]
Uruchomiony z: c:\documents and settings\Bashoo\Pulpit\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\recycler\S-1-5-21-1004336348-838170752-1177238915-1003
c:\windows\TEMP\fka5.tmp
C:\Autorun.inf
c:\recycler\S-1-5-21-1004336348-838170752-1177238915-1003\desktop.ini
c:\recycler\S-1-5-21-1004336348-838170752-1177238915-1003\INFO2
C:\setup.exe
c:\windows\system\internat.exe
c:\windows\system\system32.vxd
c:\windows\system32\drivers\services.exe
.
((((((((((((((((((((((((( Pliki utworzone od 2009-05-19 do 2009-06-19 )))))))))))))))))))))))))))))))
.
2009-06-19 13:03 . 2009-06-19 13:03 -------- d-----w- c:\program files\Trend Micro
2009-06-19 01:51 . 2009-06-19 01:51 -------- d-----w- c:\documents and settings\Bashoo\Dane aplikacji\OpenFM
2009-06-19 01:48 . 2009-06-19 01:48 -------- d-----w- c:\program files\ATI Technologies
2009-06-19 01:47 . 2009-06-19 01:47 628696 ----a-w- c:\windows\Radeon Omega Drivers v3.8.330 Uninstall.exe
2009-06-19 01:37 . 2009-02-25 13:15 771548 ------w- c:\windows\system32\ati2sgag.exe
2009-06-19 01:36 . 2009-06-19 01:36 -------- d-----w- C:\ATI
2009-06-19 01:31 . 2009-01-26 17:55 182995 ----a-w- c:\windows\system32\atiicdxx.dat
2009-06-19 00:39 . 2009-06-19 00:39 -------- d-----w- C:\directx
2009-06-19 00:30 . 2009-06-19 00:30 -------- d-----w- c:\documents and settings\Bashoo\Ustawienia lokalne\Dane aplikacji\PCHealth
2009-06-19 00:25 . 2009-06-19 00:25 0 ----a-w- c:\windows\ativpsrm.bin
2009-06-18 23:16 . 2009-06-19 01:47 -------- d-----w- c:\program files\Radeon Omega Drivers
2009-06-18 23:16 . 2009-06-18 23:16 650198 ----a-w- c:\windows\Radeon Omega Drivers v4.8.442 Uninstall.exe
2009-06-18 20:48 . 2009-06-19 01:46 -------- d-----w- c:\documents and settings\Bashoo\Dane aplikacji\Nowe Gadu-Gadu
2009-06-18 20:48 . 2009-06-18 20:48 -------- d-----w- c:\program files\Nowe Gadu-Gadu
2009-06-18 19:06 . 2009-06-18 19:06 19890134 ----a-w- c:\documents and settings\Bashoo\Dane aplikacji\DC++\Downloads\Mirror's Edge\Mirrors.Edge.Update.Crack.1.01-RELOADED\MirrorsEdge_v1.01_Patch.exe
2009-06-18 19:06 . 2009-06-18 19:06 60347862 ----a-w- c:\documents and settings\Bashoo\Dane aplikacji\DC++\Downloads\Mirror's Edge\Mirrors.Edge.Update.Crack.1.01-RELOADED\MirrorsEdge.exe
2009-06-18 17:58 . 2009-06-18 17:58 -------- d-----w- c:\documents and settings\Bashoo\Ustawienia lokalne\Dane aplikacji\Google
2009-06-18 17:38 . 2009-06-19 01:56 -------- d-----w- c:\documents and settings\Bashoo\Dane aplikacji\DC++
2009-06-18 17:38 . 2009-06-18 17:38 -------- d-----w- c:\documents and settings\Bashoo\Ustawienia lokalne\Dane aplikacji\DC++
2009-06-18 17:38 . 2009-06-18 17:38 -------- d-----w- c:\program files\DC++
2009-06-18 17:28 . 2009-06-18 17:29 -------- d-----w- c:\documents and settings\Bashoo\Dane aplikacji\Ventrilo
2009-06-18 17:28 . 2009-06-18 17:28 -------- d-----w- c:\program files\Ventrilo
2009-06-18 17:28 . 2009-06-18 17:28 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-18 17:26 . 2009-06-18 17:26 0 ----a-w- c:\windows\nsreg.dat
2009-06-18 17:26 . 2009-06-18 17:26 -------- d-----w- c:\documents and settings\Bashoo\Ustawienia lokalne\Dane aplikacji\Mozilla
2009-06-18 17:23 . 2009-06-18 17:59 -------- d-----w- c:\program files\Google
2009-06-18 15:47 . 2009-06-18 17:23 -------- d-s---w- c:\windows\Downloaded Program Files
2009-06-10 19:36 . 2009-06-13 20:58 -------- d-----w- c:\documents and settings\Bashoo\Gadu-Gadu
2009-05-29 22:26 . 2009-05-29 22:26 -------- d-----w- c:\program files\Remere's Map Editor
2009-05-29 22:24 . 2009-06-18 17:32 -------- d-----w- c:\program files\Tibia
2009-05-28 09:23 . 2009-05-28 09:23 42088 ----a-w- c:\documents and settings\Bashoo\Dane aplikacji\Nowe Gadu-Gadu\_userdata\ggbho.1.dll
2009-05-28 08:34 . 2009-05-28 08:34 11264 ----a-w- c:\documents and settings\Bashoo\Dane aplikacji\Nowe Gadu-Gadu\_userdata\npgg.1.dll
2009-05-26 22:13 . 2009-05-26 22:14 -------- d-----w- c:\windows\SHELLNEW
2009-05-26 22:13 . 2009-05-26 22:13 -------- d-----w- c:\program files\Microsoft.NET
2009-05-24 08:05 . 2009-05-24 08:05 -------- d-----w- c:\documents and settings\Bashoo\Ustawienia lokalne\Dane aplikacji\Identities
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-19 00:23 . 2009-03-13 22:33 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-15 20:47 . 2009-05-12 22:38 626134 ----a-w- c:\documents and settings\Bashoo\Ustawienia lokalne\Dane aplikacji\Menu.exe
2009-05-28 12:45 . 2009-03-13 22:37 41776 ----a-w- c:\documents and settings\Bashoo\Ustawienia lokalne\Dane aplikacji\GDIPFONTCACHEV1.DAT
2009-05-27 17:09 . 2009-05-19 18:00 -------- d-----w- c:\documents and settings\Bashoo\Dane aplikacji\Ahead
2009-05-19 18:00 . 2009-05-19 18:00 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\Ahead
2009-05-19 18:00 . 2009-05-19 17:59 -------- d-----w- c:\program files\Common Files\Ahead
2009-05-19 17:59 . 2009-05-19 17:59 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\Nero
2009-05-19 17:59 . 2009-05-19 17:59 -------- d-----w- c:\program files\Nero
2009-05-17 21:35 . 2009-04-11 22:45 2403796 ----a-w- c:\windows\inf\isprnt.exe
2009-05-17 21:34 . 2009-05-12 22:00 -------- d-----w- c:\program files\Asprate
2009-05-17 21:28 . 2009-05-12 21:51 -------- d-----w- c:\documents and settings\Bashoo\Dane aplikacji\Tibia
2009-05-06 18:16 . 2009-05-06 18:16 -------- d-----w- c:\program files\OniGames
2009-04-26 21:52 . 2009-04-26 21:52 -------- d--h--r- c:\documents and settings\Bashoo\Dane aplikacji\SecuROM
2009-04-26 21:52 . 2009-04-26 21:51 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-04-26 19:18 . 2002-09-28 21:00 77108 ----a-w- c:\windows\system32\perfc015.dat
2009-04-26 19:18 . 2002-09-28 21:00 454200 ----a-w- c:\windows\system32\perfh015.dat
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"Nowe Gadu-Gadu"="c:\program files\Nowe Gadu-Gadu\gg.exe" [2009-05-28 10667480]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1566168]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-03 159744]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
.
------- Skan uzupełniający -------
.
uStart Page = about:blank
mStart Page = about:blank
IE: E&ksport do programu Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {68A96BBA-8125-4B5F-BD44-2049538525F5} = 10.200.58.1
FF - ProfilePath - c:\documents and settings\Bashoo\Dane aplikacji\Mozilla\Firefox\Profiles\wqctaa2z.default\
FF - prefs.js: browser.startup.homepage - www.google.pl
FF - plugin: c:\documents and settings\Bashoo\Dane aplikacji\Nowe Gadu-Gadu\_userdata\npgg.1.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-19 15:10
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
skanowanie ukrytych procesów ...
skanowanie ukrytych wpisów autostartu ...
skanowanie ukrytych plików ...
skanowanie pomyślnie ukończone
ukryte pliki: 0
**************************************************************************
.
--------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------
[HKEY_USERS\S-1-5-21-2025429265-57989841-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:a1,a1,93,bc,34,41,de,f1,7c,2b,10,08,5e,1b,48,56,a4,41,2f,97,66,
61,e7,ef,dd,28,04,46,a8,c8,3a,74,b4,00,e1,5a,d0,85,93,3d,e0,cf,9e,83,28,bb,\
"rkeysecu"=hex:eb,a5,71,0f,62,55,68,58,3f,db,c1,cc,a4,a0,d1,bb
.
--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------
- - - - - - - > 'winlogon.exe'(736)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(3564)
c:\docume~1\Bashoo\USTAWI~1\Temp\iya2.tmp
c:\windows\system32\wpdshext.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\Audiodev.dll
c:\windows\system32\WMVCore.DLL
c:\windows\system32\WMASF.DLL
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
.
------------------------ Pozostałe uruchomione procesy ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Czas ukończenia: 2009-06-19 15:11 - komputer został uruchomiony ponownie
ComboFix-quarantined-files.txt 2009-06-19 13:11
Przed: 5 747 793 920 bajtów wolnych
Po: 6 473 568 256 bajtów wolnych
WindowsXP-KB310994-SP2-Pro-BootDisk-PLK.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect