For some time now Avast has been finding a rootkit on my machine... I had some peace for a while, but now it's back again... ;/ I used ComboFix, here is my log:
ComboFix 09-07-07.A8 - Nowak 2009-07-08 15:53.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.48.1045.18.255.104 [GMT 2:00]
Uruchomiony z: d:\!paki\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090707-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
((((((((((((((((((((((((( Pliki utworzone od 2009-06-08 do 2009-07-08 )))))))))))))))))))))))))))))))
.
2009-07-07 12:34 . 2009-07-07 12:34 -------- d-----w- c:\program files\ANDROME NV
2009-07-06 17:44 . 2009-07-06 17:43 108130 --sh--r- C:\q1alx.exe
2009-07-05 13:23 . 2009-07-05 13:23 111475 --sh--r- C:\aphqg.exe
2009-07-05 11:48 . 2009-07-05 11:48 -------- d--h--r- C:\MSOCache
2009-07-05 10:11 . 2009-07-05 10:12 -------- d-----w- c:\documents and settings\Nowak\Ustawienia lokalne\Dane aplikacji\Adobe
2009-07-05 10:04 . 2009-07-05 10:04 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\2DBoy
2009-07-04 17:53 . 2009-07-07 18:29 -------- d-----w- c:\documents and settings\Nowak\Dane aplikacji\Nowe Gadu-Gadu
2009-07-04 14:05 . 2009-07-04 14:05 0 ----a-w- c:\windows\nsreg.dat
2009-07-04 14:05 . 2009-07-04 14:05 -------- d-----w- c:\documents and settings\Nowak\Ustawienia lokalne\Dane aplikacji\Mozilla
2009-07-04 08:48 . 2009-07-04 08:48 -------- d-----w- c:\documents and settings\Nowak\Dane aplikacji\Apple Computer
2009-07-01 14:42 . 2009-07-01 14:43 107917 --sh--r- C:\hifdmgt.com
2009-06-30 10:05 . 2004-08-03 21:08 26496 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
2009-06-30 10:05 . 2009-06-30 10:05 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-06-30 10:05 . 2009-07-08 13:16 -------- d-----w- c:\documents and settings\Nowak\Dane aplikacji\skypePM
2009-06-30 10:01 . 2004-08-03 20:58 5504 -c--a-w- c:\windows\system32\dllcache\mstee.sys
2009-06-30 10:01 . 2004-08-03 20:58 5504 ----a-w- c:\windows\system32\drivers\MSTEE.sys
2009-06-30 10:01 . 2004-08-03 21:10 10880 -c--a-w- c:\windows\system32\dllcache\ndisip.sys
2009-06-30 10:01 . 2004-08-03 21:10 10880 ----a-w- c:\windows\system32\drivers\NdisIP.sys
2009-06-30 10:01 . 2004-08-03 21:10 15360 -c--a-w- c:\windows\system32\dllcache\streamip.sys
2009-06-30 10:01 . 2004-08-03 21:10 15360 ----a-w- c:\windows\system32\drivers\StreamIP.sys
2009-06-30 10:01 . 2004-08-03 21:10 11136 -c--a-w- c:\windows\system32\dllcache\slip.sys
2009-06-30 10:01 . 2004-08-03 21:10 11136 ----a-w- c:\windows\system32\drivers\SLIP.sys
2009-06-30 10:01 . 2004-08-03 21:10 19328 -c--a-w- c:\windows\system32\dllcache\wstcodec.sys
2009-06-30 10:01 . 2004-08-03 21:10 19328 ----a-w- c:\windows\system32\drivers\WSTCODEC.SYS
2009-06-30 10:01 . 2004-08-03 21:10 85376 -c--a-w- c:\windows\system32\dllcache\nabtsfec.sys
2009-06-30 10:01 . 2004-08-03 21:10 85376 ----a-w- c:\windows\system32\drivers\NABTSFEC.sys
2009-06-30 09:59 . 2004-08-03 21:08 31616 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2009-06-30 09:59 . 2004-08-03 21:08 31616 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2009-06-30 09:55 . 2003-06-18 23:31 17920 ----a-w- c:\windows\system32\mdimon.dll
2009-06-30 09:54 . 2009-06-30 09:54 -------- d-----w- c:\program files\Microsoft.NET
2009-06-30 09:52 . 2009-06-30 09:54 -------- d-----w- c:\windows\SHELLNEW
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-08 13:56 . 2009-06-29 23:41 -------- d-----w- c:\documents and settings\Nowak\Dane aplikacji\Skype
2009-07-08 10:16 . 2009-06-29 23:50 -------- d-----w- c:\documents and settings\Nowak\Dane aplikacji\Winamp
2009-07-07 12:14 . 2009-06-29 23:41 -------- d-----w- c:\program files\Opera
2009-07-02 12:16 . 2009-06-29 23:17 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-06-30 10:00 . 2009-06-30 10:00 42168 ----a-w- c:\documents and settings\Nowak\Ustawienia lokalne\Dane aplikacji\GDIPFONTCACHEV1.DAT
2009-06-30 09:53 . 2009-06-29 23:37 -------- d-----w- c:\program files\eMule
2009-06-30 01:51 . 2009-06-29 23:46 -------- d-----w- c:\program files\Shut Down-O-Matic
2009-06-29 23:59 . 2009-06-29 23:59 -------- d-----w- c:\program files\K-Lite Codec Pack
2009-06-29 23:58 . 2009-06-29 23:58 -------- d-----w- c:\documents and settings\Nowak\Dane aplikacji\Leadertech
2009-06-29 23:58 . 2009-06-29 23:57 -------- d-----w- c:\program files\Diskeeper Corporation
2009-06-29 23:56 . 2009-06-29 23:56 -------- d-----w- c:\program files\QuickTime
2009-06-29 23:56 . 2009-06-29 23:56 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\Apple Computer
2009-06-29 23:56 . 2009-06-29 23:56 -------- d-----w- c:\program files\Apple Software Update
2009-06-29 23:56 . 2009-06-29 23:56 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\Apple
2009-06-29 23:55 . 2009-06-29 23:55 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-29 23:51 . 2009-06-29 23:50 -------- d-----w- c:\program files\Winamp
2009-06-29 23:48 . 2009-06-29 23:48 -------- d-----w- c:\program files\D-Tools
2009-06-29 23:47 . 2009-06-29 23:47 -------- d-----w- c:\program files\totalcmd
2009-06-29 23:47 . 2009-06-29 23:47 -------- d-----w- c:\program files\Tlumacz Komputerowy - Angielski
2009-06-29 23:45 . 2009-06-29 23:45 -------- d-----w- c:\program files\Ahead
2009-06-29 23:45 . 2009-06-29 23:45 -------- d-----w- c:\program files\Common Files\Ahead
2009-06-29 23:44 . 2009-06-29 23:36 -------- d-----w- c:\program files\Broken Cross Disk Manager
2009-06-29 23:43 . 2009-06-29 23:43 -------- d-----w- c:\program files\MarBit
2009-06-29 23:42 . 2009-06-29 23:42 -------- d-----w- c:\documents and settings\Nowak\Dane aplikacji\Hamachi
2009-06-29 23:42 . 2009-06-29 23:42 -------- d-----w- c:\program files\Hamachi
2009-06-29 23:42 . 2009-06-29 23:42 25280 ----a-w- c:\windows\system32\drivers\hamachi.sys
2009-06-29 23:41 . 2009-06-29 23:41 -------- d-----w- c:\program files\Skype
2009-06-29 23:41 . 2009-06-29 23:41 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\Skype
2009-06-29 23:41 . 2009-06-29 23:41 -------- d-----w- c:\program files\Common Files\Skype
2009-06-29 23:39 . 2009-06-29 23:38 33 ----a-w- c:\windows\system32\drivers\adidsl.cfg
2009-06-29 23:38 . 2009-06-29 23:30 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-29 23:38 . 2009-06-29 23:38 -------- d-----w- c:\program files\SAGEM
2009-06-29 23:38 . 2009-06-29 23:38 -------- d-----w- c:\documents and settings\Nowak\Dane aplikacji\InstallShield
2009-06-29 23:38 . 2009-06-29 23:37 -------- d-----w- c:\program files\Nowe Gadu-Gadu
2009-06-29 23:36 . 2009-06-29 23:36 -------- d-----w- c:\program files\WapSter
2009-06-29 23:32 . 2009-06-29 23:32 -------- d-----w- c:\program files\Alwil Software
2009-06-29 23:30 . 2009-06-29 23:30 -------- d-----w- c:\program files\Realtek Sound Manager
2009-06-29 23:30 . 2009-06-29 23:30 -------- d-----w- c:\program files\AvRack
2009-06-29 23:29 . 2009-06-29 23:29 -------- d-----w- c:\program files\Common Files\InstallShield
2009-06-29 23:26 . 2009-06-29 23:26 -------- d-----w- c:\program files\Gigabyte
2009-06-29 23:24 . 2001-10-26 16:15 49492 ----a-w- c:\windows\system32\perfc015.dat
2009-06-29 23:24 . 2001-10-26 16:15 355486 ----a-w- c:\windows\system32\perfh015.dat
2009-06-29 23:19 . 2009-06-29 23:19 -------- d-----w- c:\program files\microsoft frontpage
2009-06-29 23:17 . 2009-06-29 23:17 -------- d-----w- c:\program files\Usługi online
2009-06-29 23:14 . 2009-06-29 23:14 21856 ----a-w- c:\windows\system32\emptyregdb.dat
2009-06-02 16:11 . 2009-06-29 23:59 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2009-05-29 21:37 . 2009-06-29 23:59 205824 ----a-w- c:\windows\system32\xvidvfw.dll
2009-05-29 21:31 . 2009-06-29 23:59 881664 ----a-w- c:\windows\system32\xvidcore.dll
2009-05-01 21:02 . 2009-06-29 23:59 90112 ----a-w- c:\windows\system32\dpl100.dll
2009-05-01 21:02 . 2009-06-29 23:59 685056 ----a-w- c:\windows\system32\divx.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-07-02_11.06.28 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-07-07 18:00 . 2009-07-07 18:00 16384 c:\windows\Temp\Perflib_Perfdata_58c.dat
- 2009-07-08 10:11 . 2009-07-08 10:11 16384 c:\windows\Temp\Perflib_Perfdata_204.dat
- 2009-06-29 23:17 . 2009-07-02 12:16 2426 c:\windows\pchealth\helpctr\PackageStore\SkuStore.bin
- 2009-06-29 23:18 . 2009-07-02 12:15 8972 c:\windows\pchealth\helpctr\Config\Cntstore.bin
- 2009-06-29 23:48 . 2009-06-29 23:48 184832 c:\windows\Installer\3c76c.msi
- 2009-06-29 23:38 . 2009-06-29 23:38 331264 c:\windows\Installer\3c75d.msi
- 2009-06-29 23:24 . 2009-06-29 23:24 265216 c:\windows\Installer\1684f.msi
- 2009-06-29 23:48 . 2009-06-29 23:48 802816 c:\windows\Downloaded Installations\DAEMON Tools 3.44\daemon.msi
- 2004-07-17 09:35 . 2004-07-17 09:35 1356288 c:\windows\system32\webfldrs.msi
- 2009-07-07 12:14 . 2009-07-07 12:14 1828352 c:\windows\Installer\63b0f.msi
- 2009-06-29 23:58 . 2009-06-29 23:58 6454784 c:\windows\Installer\4d4c3.msi
- 2009-06-29 23:56 . 2009-06-29 23:56 8992256 c:\windows\Installer\4d4bf.msi
- 2009-06-29 23:56 . 2009-06-29 23:56 1549312 c:\windows\Installer\4d4bb.msi
- 2009-06-29 23:55 . 2009-06-29 23:55 2811904 c:\windows\Installer\4d4b5.msi
- 2009-06-30 09:54 . 2009-06-30 09:54 5790208 c:\windows\Installer\4c945.msi
- 2009-06-29 23:41 . 2009-06-29 23:41 1247744 c:\windows\Installer\3c768.msi
- 2009-06-29 23:58 . 2009-06-29 23:58 21390848 c:\windows\Downloaded Installations\Diskeeper ProPremier{AF8FBE87-A9E0-4C11-AECB-E11DBFEA7E25}\Diskeeper Professional Premier Edition.msi
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-08-11 21741864]
"eMuleAutoStart"="c:\program files\eMule\emule.exe" [2009-02-22 5668864]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"c:\windows\system32\V0420Ext.ax"="c:\windows\system32\V0420Ext.ax" [X]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2003-12-27 81920]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-03-09 37888]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2005-11-22 221184]
"V0420Mon.exe"="c:\windows\V0420Mon.exe" [2007-04-30 32768]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2003-08-15 57344]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]
c:\documents and settings\All Users\Menu Start\Programy\Autostart\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
DSLMON.lnk - c:\program files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2009-6-30 1205840]
[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
“%windir%\system32\sessmgr.exe”=
“c:\Program Files\eMule\emule.exe”=
“c:\Program Files\WapSter\WapSter AQQ\AQQ.exe”=
“c:\Program Files\Skype\Phone\Skype.exe”=
R0 d344bus;d344bus;c:\windows\system32\drivers\d344bus.sys [2009-06-30 137216]
R0 d344prt;d344prt;c:\windows\system32\drivers\d344prt.sys [2009-06-30 5248]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-06-30 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-06-30 20560]
R3 e4usbaw;USB ADSL2 WAN Adapter;c:\windows\system32\drivers\e4usbaw.sys [2009-06-30 104344]
S2 E4LOADER;General Purpose USB Driver (e4ldr.sys);c:\windows\system32\drivers\e4ldr.sys [2009-06-30 69656]
S3 V0420VID;Live! Cam Vista IM (VF0420);c:\windows\system32\drivers\V0420Vid.sys [2009-06-30 99648]
.
Zawartość folderu 'Zaplanowane zadania'
2009-06-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 10:34]
.
.
------- Skan uzupełniający -------
.
uInternet Connection Wizard,ShellNext = hxxp://c.wrzuta.pl/wi11887/e5f5a06c002a … /nightwish
IE: E&ksport do programu Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {9ECC84F6-45E6-4928-A457-CA34E2B378A1} = 213.241.79.37 83.238.255.76
FF - ProfilePath - c:\documents and settings\Nowak\Dane aplikacji\Mozilla\Firefox\Profiles\bon3q13d.default\
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Opera\program\plugins\nppl3260.dll
FF - plugin: c:\program files\Opera\program\plugins\nprpjplug.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-08 15:55
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
skanowanie ukrytych procesów …
skanowanie ukrytych wpisów autostartu …
skanowanie ukrytych plików …
skanowanie pomyślnie ukończone
ukryte pliki: 0
**************************************************************************
.
Czas ukończenia: 2009-07-08 15:57
ComboFix-quarantined-files.txt 2009-07-08 13:56
ComboFix2.txt 2009-07-07 08:27
ComboFix3.txt 2009-07-02 11:08
Przed: 18 335 772 672 bajtów wolnych
Po: 18 323 488 768 bajtów wolnych
-- Added 08.07.2009 (Wed) 16:06 --
Please help ;))