When installing the processor I updated the BIOS.
Yes, I have.
HiJack This
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:55:15, on 2008-02-20
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20627)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Mozilla Firefox 3 Beta 3\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL
O4 - HKLM…\Run: [startCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM…\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM…\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM…\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM…\Run: [kis] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKLM…\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM…\Run: [LXCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll,_RunDLLEntry@16
O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU…\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU…\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKUS\S-1-5-19…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-19…\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-20…\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18…\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS.DEFAULT…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS.DEFAULT…\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Dodaj do Kaspersky Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\ie_banner_deny.htm
O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Ochrona WWW - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: Wyślij do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Wyślij &do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~1\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
O23 - Service: lxcc_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcccoms.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
--
End of file - 6011 bytes
Combofix
Here, after accepting the licence, this window popped up for me.
I continued, and here is the log.
ComboFix 08-02-20.2 - Sebastian 2008-02-20 1:00:16.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.641 [GMT 1:00]
Running from: C:\Documents and Settings\Sebastian\Pulpit\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED
.
((((((((((((((((((((((((( Files Created from 2008-01-20 to 2008-02-20 )))))))))))))))))))))))))))))))
.
2008-02-20 00:54 . 2008-02-20 00:54
2008-02-19 15:09 . 2008-02-19 15:09
2008-02-19 14:51 . 2008-02-19 14:51
2008-02-19 14:51 . 2008-02-19 14:51
2008-02-19 13:02 . 2008-02-19 13:02
2008-02-18 23:41 . 2008-02-20 00:58
2008-02-18 22:46 . 2008-02-18 22:46
2008-02-18 20:10 . 2008-02-18 20:10
2008-02-18 20:10 . 2008-02-18 20:10 0 --a------ C:\WINDOWS\nsreg.dat
2008-02-18 19:41 . 2008-02-18 19:46
2008-02-18 19:40 . 2008-02-18 23:01
2008-02-18 19:40 . 2008-02-18 19:40
2008-02-18 19:39 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-02-18 18:00 . 2008-02-18 18:00
2008-02-18 12:52 . 2008-02-18 12:52
2008-02-18 00:50 . 2008-02-18 00:51
2008-02-18 00:41 . 2008-02-18 00:42
2008-02-18 00:40 . 2008-02-18 00:42
2008-02-18 00:40 . 2008-02-18 00:40
2008-02-18 00:40 . 2008-02-17 22:43
2008-02-18 00:40 . 2008-02-19 22:37
2008-02-18 00:40 . 2008-02-19 20:29
2008-02-18 00:40 . 2008-02-17 23:28
2008-02-18 00:40 . 2008-02-18 00:40
2008-02-18 00:40 . 2008-02-18 00:40
2008-02-18 00:40 . 2008-02-18 20:20
2008-02-18 00:39 . 2008-02-18 00:39
2008-02-18 00:08 . 2008-02-18 00:08
2008-02-18 00:08 . 2008-02-18 00:08
2008-02-18 00:07 . 2008-02-18 00:37
2008-02-18 00:07 . 2008-02-18 00:08
2008-02-18 00:07 . 2008-02-17 22:43
2008-02-18 00:07 . 2008-02-18 00:31
2008-02-18 00:07 . 2008-02-18 00:39
2008-02-18 00:07 . 2008-02-17 23:28
2008-02-18 00:07 . 2008-02-18 00:08
2008-02-18 00:04 . 2008-02-18 00:04
2008-02-18 00:01 . 2008-02-18 00:01
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-20 00:02 2,456,864 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-02-20 00:02 143,904 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2008-02-20 00:02 --------- d-----w C:\Program Files\Kaspersky Lab
2008-02-19 21:40 41,108 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-02-19 21:40 17,288 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2008-02-19 13:51 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-17 23:00 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Microsoft Help
2008-02-17 22:58 --------- d-----w C:\Program Files\Microsoft Works
2008-02-17 22:57 --------- d-----w C:\Program Files\MSBuild
2008-02-17 22:56 --------- d-----w C:\Program Files\Microsoft.NET
2008-02-17 22:53 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2008-02-17 22:46 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab
2008-02-17 22:42 --------- d-----w C:\Program Files\AVIcodec
2008-02-17 22:41 --------- d-----w C:\Program Files\IrfanView
2008-02-17 22:38 --------- d-----w C:\Program Files\Dziobas Rar Player
2008-02-17 22:31 --------- d-----w C:\Program Files\Winamp
2008-02-17 22:29 --------- d-----w C:\Documents and Settings\Sebastian\Dane aplikacji\Nero
2008-02-17 22:28 --------- d-----w C:\Program Files\Common Files\Nero
2008-02-17 22:27 --------- d-----w C:\Program Files\Nero
2008-02-17 22:27 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Nero
2008-02-17 22:24 --------- d-----w C:\Program Files\DFX
2008-02-17 22:20 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-17 22:15 --------- d-----w C:\Program Files\BestPlayer
2008-02-17 22:13 --------- d-----w C:\Documents and Settings\Sebastian\Dane aplikacji\ATI
2008-02-17 22:13 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\ATI
2008-02-17 22:10 --------- d-----w C:\Program Files\ATI Technologies
2008-02-17 22:06 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-02-17 22:06 --------- d-----w C:\Program Files\Common Files\ATI Technologies
2008-02-17 21:46 --------- d-----w C:\Program Files\Usługi online
2008-02-17 21:43 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-11-26 20:56 13,653,824 ----a-w C:\WINDOWS\system32\xlivefnt.dll
2007-11-26 20:56 10,155,840 ----a-w C:\WINDOWS\system32\xlive.dll
.
------- Sigcheck -------
"C:\WINDOWS\system32\user32.dll"
----a-w 642,560 2007-07-10 13:06:54 C:\WINDOWS\system32\user32.dll
"C:\WINDOWS\system32\wininet.dll"
----a-w 814,592 2007-07-13 22:56:20 C:\WINDOWS\system32\wininet.dll
"C:\WINDOWS\system32\drivers\tcpip.sys"
----a-w 360,576 2007-10-15 23:19:49 C:\WINDOWS\system32\drivers\tcpip.sys
"C:\WINDOWS\system32\ntkrnlpa.exe"
----a-w 2,066,816 2007-10-18 22:19:35 C:\WINDOWS\system32\ntkrnlpa.exe
"C:\WINDOWS\system32\ntoskrnl.exe"
----a-w 2,189,824 2007-10-18 22:19:24 C:\WINDOWS\system32\ntoskrnl.exe
"C:\WINDOWS\explorer.exe"
----a-w 974,848 2007-10-17 19:30:07 C:\WINDOWS\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:44 15360]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-11-14 11:54 2131392]
"RocketDock"="C:\Program Files\RocketDock\RocketDock.exe" [2007-03-19 00:05 630784]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2006-11-21 18:38 35328]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 09:51 1836328]
"kis"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" [2006-03-24 19:09 139367]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"LXCCCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll" [2005-07-20 14:44 73728]
[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 03:44 15360]
[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="regsvr32 /s /n /i:U shell32" []
"nltide_3"="advpack.dll" [2007-10-09 01:01 124928 C:\WINDOWS\system32\advpack.dll]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableStatusMessages"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
[HKEY_USERS.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
R0 viaxraid;viaxraid;C:\WINDOWS\system32\drivers\viaxraid.sys [2007-10-17 19:23]
R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2007-10-17 19:23]
S3 usbscan;Sterownik skanera USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 22:58]
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-20 01:02:51
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
scanning hidden processes …
scanning hidden autostart entries …
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCCCATS = rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll,_RunDLLEntry@16???
scanning hidden files …
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.2649]