Spyware, złodziej haseł Total Commandera - czy jest czysto?

tatafilipa · 22 Kwiecień 2009 13:16

Witam

Proszę o pomoc w określeniu czy mam już czysty system. Ktoś/Coś uzyskało dostęp do mojego serwera ftp - w efekcie do każdego pliku index.html został wprowadzony “złośliwy” kod. Poczytałem, pozmieniałem hasła, wyczyściłem kod html i teraz chcę mieć pewność, że komp nie ma żadnych pozostałości.

Log z HiJacka:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 14:49:14, on 2009-04-22

Platform: Windows XP Dodatek SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\cisvc.exe

C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe

C:\Program Files\Java\jre6\bin\jqs.exe

c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe

C:\Program Files\Google\Update\GoogleUpdate.exe

C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\Tablet.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\WTablet\TabUserW.exe

C:\WINDOWS\system32\Tablet.exe

C:\Program Files\Logitech\G-series Software\LGDCore.exe

C:\Program Files\Logitech\G-series Software\LCDMon.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\VMSnap3.EXE

C:\WINDOWS\Domino.EXE

C:\Program Files\Logitech\G-series Software\Applets\LCDPop3\LCDPOP3.exe

C:\Program Files\Logitech\G-series Software\Applets\LCDClock.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Logitech\G-series Software\Applets\LCDMedia.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEAE.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Documents and Settings\Andrzej\Ustawienia lokalne\Dane aplikacji\Google\Update\GoogleUpdate.exe

C:\Program Files\ScannerU\AM32.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE

C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE

C:\Program Files\F-Secure Internet Security\Common\FCH32.EXE

C:\Program Files\F-Secure Internet Security\Anti-Virus\fsqh.exe

C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE

C:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE

C:\Program Files\F-Secure Internet Security\FSAUA\program\fsaua.exe

C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe

C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe

C:\Program Files\F-Secure Internet Security\FSAUA\program\fsus.exe

C:\Program Files\F-Secure Internet Security\FSGUI\fsguidll.exe

C:\WINDOWS\system32\cidaemon.exe

C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE

C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe

C:\Program Files\Mozilla Thunderbird\thunderbird.exe

C:\Program Files\Mozilla Firefox 3 Beta 5\firefox.exe

C:\Documents and Settings\Andrzej\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Skype\Plugin Manager\skypePM.exe

C:\DOCUME~1\Andrzej\USTAWI~1\Temp\Katalog tymczasowy 1 dla HiJackThis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.pekaobiznes24.pl/do/login

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.adobe.co.uk/products/tips/photoshop.html

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: YouTube To ALLPlayer - {61DB16C5-B733-43F4-872E-B20DC9E72740} - C:\PROGRA~1\ALLPLA~1\YOUTUB~1.DLL

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

O4 - HKLM…\Run: [Launch LGDCore] “C:\Program Files\Logitech\G-series Software\LGDCore.exe” /SHOWHIDE

O4 - HKLM…\Run: [Launch LCDMon] “C:\Program Files\Logitech\G-series Software\LCDMon.exe”

O4 - HKLM…\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM…\Run: [VMSnap3] C:\WINDOWS\VMSnap3.EXE

O4 - HKLM…\Run: [Domino] C:\WINDOWS\Domino.EXE

O4 - HKLM…\Run: [bigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)

O4 - HKLM…\Run: [QuickTime Task] “C:\Program Files\QuickTime\QTTask.exe” -atboottime

O4 - HKLM…\Run: [iTunesHelper] “C:\Program Files\iTunes\iTunesHelper.exe”

O4 - HKLM…\Run: [sunJavaUpdateSched] “C:\Program Files\Java\jre6\bin\jusched.exe”

O4 - HKLM…\Run: [F-Secure Manager] “C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE” /splash

O4 - HKLM…\Run: [F-Secure TNB] “C:\Program Files\F-Secure Internet Security\FSGUI\TNBUtil.exe” /CHECKALL /WAITFORSW

O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray

O4 - HKCU…\Run: [EPSON Stylus S20 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEAE.EXE /FU “C:\DOCUME~1\Andrzej\USTAWI~1\Temp\E_S26.tmp” /EF “HKCU”

O4 - HKCU…\Run: [ALLUpdate] “C:\Program Files\ALLPlayer\ALLUpdate.exe” “sleep”

O4 - HKCU…\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU…\Run: [skype] “C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized

O4 - HKCU…\Run: [Google Update] “C:\Documents and Settings\Andrzej\Ustawienia lokalne\Dane aplikacji\Google\Update\GoogleUpdate.exe” /c

O4 - HKCU…\Run: [AdobeUpdater] “C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe”

O4 - Global Startup: Action Manager 32.lnk = C:\Program Files\ScannerU\AM32.exe

O4 - Global Startup: Logo Calibration loader.lnk = ?

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm

O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm

O9 - Extra ‘Tools’ menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {051D0E35-F4E3-4C8D-B411-AB0875F4C683} (Anark Client 4.0 ActiveX Control) - http://install.anark.com/client/version … Client.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso … 9209009812

O16 - DPF: {92ECE6FA-AC2E-4042-BFAE-0C8608E52A41} (SignActivX Control) - https://www.pekaobiznes24.pl/sme/static … XPEKAO.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s … wflash.cab

O17 - HKLM\System\CCS\Services\Tcpip…{D3519BA3-99E5-4887-AD9D-B7266C9D2EE3}: NameServer = 194.204.152.34,192.168.2.1,208.67.222.222,208.67.220.220

O18 - Protocol: CDS300 - {AD43AA67-6860-4531-AC8A-0E68F9CF023E} - D:\Player__CDS2.dll (file missing)

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FSAUA\program\fsaua.exe

O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe

O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE

O23 - Service: F-Secure ORSP Client (FSORSPClient) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\ORSP Client\fsorsp.exe

O23 - Service: Menedżer Google Desktop 5.7.801.1629 (GoogleDesktopManager-010108-205858) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

O23 - Service: Usługa Google Update (gupdate1c9bdb0e0363534) (gupdate1c9bdb0e0363534) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Usługa iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe

O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

–

End of file - 12942 bytes

Leon1 · 22 Kwiecień 2009 13:45

Log wygląda na czysty

Pobierz Combofix http://www.searchengines.pl/index.php?s … ntry395642 uruchom dwuklikiem

pokaż log

Podczas pobierania i skanu Combofixem proszę wyłączyć wszelkie zapory i antywirusy

tatafilipa · 22 Kwiecień 2009 14:21

Combo popracował i:

ComboFix 09-04-22.A23 - Andrzej 2009-04-22 15:57.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1250.48.1045.18.2047.1428 [GMT 2:00]

Uruchomiony z: c:\temp\ComboFix.exe

AV: F-Secure Internet Security 2009 9.00 *On-access scanning disabled* (Updated)

FW: F-Secure Internet Security 2009 9.00 *disabled*

* Utworzono nowy punkt przywracania

.

((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))

.

((((((((((((((((((((((((((((((((((((((( Sterowniki/Usługi )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_NPF

((((((((((((((((((((((((( Pliki utworzone od 2009-03-22 do 2009-04-22 )))))))))))))))))))))))))))))))

.

2009-04-22 13:49 . 2009-04-22 13:49 0 ----a-w c:\windows\LCDMedia.INI

2009-04-22 13:46 . 2009-04-22 13:46 2999014 ----a-r c:\temp\ComboFix.exe

2009-04-22 10:05 . 2009-04-22 10:05 33408 ----a-w c:\windows\system32\drivers\fsbts.sys

2009-04-22 09:57 . 2009-04-22 09:57 -------- d-----w c:\documents and settings\Andrzej\Dane aplikacji\F-Secure

2009-04-22 09:49 . 2009-04-22 09:49 -------- d-----w c:\documents and settings\NetworkService\Ustawienia lokalne\Dane aplikacji\F-Secure

2009-04-22 09:49 . 2009-04-22 09:49 -------- d-----w c:\documents and settings\LocalService\Ustawienia lokalne\Dane aplikacji\Moje rozszerzenia Google Gadgets

2009-04-22 09:49 . 2008-10-14 13:01 79904 ----a-w c:\windows\system32\drivers\fsdfw.sys

2009-04-22 09:47 . 2009-04-22 14:07 -------- d-----w c:\program files\F-Secure Internet Security

2009-04-22 09:43 . 2009-04-22 09:43 -------- d-----w c:\documents and settings\All Users\Dane aplikacji\fssg

2009-04-22 09:40 . 2009-04-22 09:48 -------- d-----w c:\documents and settings\All Users\Dane aplikacji\f-secure

2009-04-22 09:11 . 2009-04-22 09:11 -------- d-----w c:\documents and settings\Andrzej\Scripts

2009-04-17 21:10 . 2009-04-17 21:10 -------- d-sh–w c:\documents and settings\Andrzej\IETldCache

2009-04-17 18:18 . 2009-04-17 18:18 -------- d-sh–w c:\documents and settings\LocalService\IETldCache

2009-04-17 18:18 . 2009-04-17 18:18 -------- d-sh–w c:\documents and settings\Filip\IETldCache

2009-04-17 17:27 . 2009-04-17 17:27 -------- d-----w c:\windows\ie8updates

2009-04-17 17:24 . 2009-04-17 17:26 -------- dc-h–w c:\windows\ie8

2009-04-17 17:21 . 2009-02-28 04:55 105984 -c----w c:\windows\system32\dllcache\iecompat.dll

2009-04-17 17:18 . 2009-04-17 17:19 17037680 ----a-w c:\temp\IE8-WindowsXP-x86-PLK.exe

2009-04-17 17:15 . 2009-04-17 17:15 4909440 ----a-w c:\temp\Silverlight.2.0.exe

2009-04-15 09:07 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe

2009-04-15 09:07 . 2009-03-06 14:22 285696 -c----w c:\windows\system32\dllcache\pdh.dll

2009-04-15 09:07 . 2009-02-09 11:25 111104 -c----w c:\windows\system32\dllcache\services.exe

2009-04-15 09:07 . 2009-02-09 10:53 401408 -c----w c:\windows\system32\dllcache\rpcss.dll

2009-04-15 09:07 . 2009-02-09 10:53 731136 -c----w c:\windows\system32\dllcache\lsasrv.dll

2009-04-15 09:07 . 2009-02-09 10:53 686592 -c----w c:\windows\system32\dllcache\advapi32.dll

2009-04-15 09:07 . 2009-02-09 10:53 473600 -c----w c:\windows\system32\dllcache\fastprox.dll

2009-04-15 09:07 . 2009-02-09 10:53 722944 -c----w c:\windows\system32\dllcache\ntdll.dll

2009-04-15 09:07 . 2009-02-09 10:53 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll

2009-04-15 09:05 . 2009-03-27 06:58 1203922 -c----w c:\windows\system32\dllcache\sysmain.sdb

2009-04-15 09:05 . 2008-04-21 21:16 218112 -c----w c:\windows\system32\dllcache\wordpad.exe

2009-03-29 18:24 . 2009-03-29 18:25 -------- d–h--w c:\program files\Zero G Registry

2009-03-29 18:22 . 2009-03-29 18:22 -------- d–h--w c:\documents and settings\Andrzej\InstallAnywhere

2009-03-25 21:51 . 2009-03-25 21:52 -------- d-----w c:\program files\Safari

2009-03-25 21:44 . 2009-03-25 21:44 -------- d-----w c:\program files\iPod

2009-03-25 21:44 . 2009-03-25 21:44 -------- d-----w c:\program files\iTunes

2009-03-25 21:44 . 2009-03-25 21:44 -------- d-----w c:\documents and settings\All Users\Dane aplikacji{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}

2009-03-24 21:59 . 2009-03-24 22:01 -------- d-----w c:\documents and settings\gejgalis\Dane aplikacji

2009-03-24 21:59 . 2009-03-24 21:59 -------- d-----w c:\documents and settings\gejgalis

.

(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-04-22 14:09 . 2008-01-01 11:34 -------- d-----w c:\documents and settings\Andrzej\Dane aplikacji\Skype

2009-04-22 14:06 . 2008-10-21 18:16 -------- d-----w c:\documents and settings\Andrzej\Dane aplikacji\WTablet

2009-04-22 14:06 . 2008-10-22 04:33 -------- d-----w c:\documents and settings\LocalService\Dane aplikacji\WTablet

2009-04-22 12:16 . 2008-04-27 19:36 -------- d-----w c:\program files\Mozilla Firefox 3 Beta 5

2009-04-22 10:49 . 2007-12-31 17:47 -------- d-----w c:\program files\Mozilla Thunderbird

2009-04-22 09:49 . 2004-08-04 12:00 92190 ----a-w c:\windows\system32\perfc015.dat

2009-04-22 09:49 . 2004-08-04 12:00 507610 ----a-w c:\windows\system32\perfh015.dat

2009-04-22 09:47 . 2008-01-01 11:35 -------- d-----w c:\documents and settings\Andrzej\Dane aplikacji\skypePM

2009-04-21 20:04 . 2008-01-15 06:19 -------- d-----w c:\documents and settings\Andrzej\Dane aplikacji\uTorrent

2009-04-15 10:01 . 2008-01-21 13:39 -------- d-----w c:\program files\Google

2009-04-03 05:04 . 2008-01-04 07:38 -------- d-----w c:\program files\Java

2009-03-25 22:24 . 2008-01-01 12:48 -------- d-----w c:\documents and settings\Andrzej\Dane aplikacji\Apple Computer

2009-03-25 21:44 . 2008-09-27 15:03 -------- d-----w c:\program files\Common Files\Apple

2009-03-25 21:43 . 2008-10-05 15:37 -------- d-----w c:\program files\Bonjour

2009-03-25 21:42 . 2007-12-31 18:11 -------- d-----w c:\program files\QuickTime

2009-03-24 18:25 . 2008-02-11 20:25 59360 ----a-w c:\documents and settings\Filip\Ustawienia lokalne\Dane aplikacji\GDIPFONTCACHEV1.DAT

2009-03-21 18:38 . 2008-12-30 18:41 -------- d-----w c:\program files\NAPI-PROJEKT

2009-03-18 20:09 . 2009-03-18 19:56 -------- d-----w c:\documents and settings\Filip\Dane aplikacji\Skype

2009-03-18 19:57 . 2009-03-18 19:57 -------- d-----w c:\documents and settings\Filip\Dane aplikacji\skypePM

2009-03-16 12:55 . 2008-02-16 08:52 88 --sh–r c:\documents and settings\All Users\Dane aplikacji\3D37FC738B.sys

2009-03-16 12:55 . 2008-02-16 08:52 2828 --sha-w c:\documents and settings\All Users\Dane aplikacji\KGyGaAvL.sys

2009-03-11 13:49 . 2008-01-16 19:56 -------- d—a-w c:\documents and settings\All Users\Dane aplikacji\TEMP

2009-03-09 11:27 . 2008-11-27 07:08 -------- d-----w c:\program files\Common Files\Adobe AIR

2009-03-09 03:19 . 2008-11-30 08:33 410984 ----a-w c:\windows\system32\deploytk.dll

2009-03-08 02:34 . 2004-08-04 12:00 914944 ----a-w c:\windows\system32\wininet.dll

2009-03-08 02:34 . 2004-08-04 12:00 43008 ----a-w c:\windows\system32\licmgr10.dll

2009-03-08 02:33 . 2004-08-04 12:00 18944 ----a-w c:\windows\system32\corpol.dll

2009-03-08 02:33 . 2004-08-04 12:00 420352 ----a-w c:\windows\system32\vbscript.dll

2009-03-08 02:32 . 2004-08-04 12:00 72704 ----a-w c:\windows\system32\admparse.dll

2009-03-08 02:32 . 2004-08-04 12:00 71680 ----a-w c:\windows\system32\iesetup.dll

2009-03-08 02:31 . 2004-08-04 12:00 34816 ----a-w c:\windows\system32\imgutil.dll

2009-03-08 02:31 . 2004-08-04 12:00 48128 ----a-w c:\windows\system32\mshtmler.dll

2009-03-08 02:31 . 2004-08-04 12:00 45568 ----a-w c:\windows\system32\mshta.exe

2009-03-08 02:22 . 2004-08-04 12:00 156160 ----a-w c:\windows\system32\msls31.dll

2009-03-06 14:22 . 2004-08-04 12:00 285696 ----a-w c:\windows\system32\pdh.dll

2009-02-27 06:03 . 2009-01-23 14:16 -------- d-----w c:\program files\Microsoft Silverlight

2009-02-09 14:07 . 2004-08-04 12:00 1847040 ----a-w c:\windows\system32\win32k.sys

2009-02-09 11:26 . 2004-08-04 00:39 2025472 ----a-w c:\windows\system32\ntkrnlpa.exe

2009-02-09 11:26 . 2004-08-04 12:00 2146816 ----a-w c:\windows\system32\ntoskrnl.exe

2009-02-09 11:25 . 2004-08-04 12:00 111104 ----a-w c:\windows\system32\services.exe

2009-02-09 10:53 . 2004-08-04 12:00 731136 ----a-w c:\windows\system32\lsasrv.dll

2009-02-09 10:53 . 2004-08-04 12:00 686592 ----a-w c:\windows\system32\advapi32.dll

2009-02-09 10:53 . 2004-08-04 12:00 401408 ----a-w c:\windows\system32\rpcss.dll

2009-02-09 10:53 . 2004-08-04 12:00 722944 ----a-w c:\windows\system32\ntdll.dll

2009-02-06 10:39 . 2004-08-04 12:00 35328 ----a-w c:\windows\system32\sc.exe

2009-02-03 19:58 . 2004-08-04 12:00 56832 ----a-w c:\windows\system32\secur32.dll

2009-02-01 20:25 . 2009-02-01 20:24 4213 ----a-w C:\sitemap.xml

2009-01-25 12:19 . 2008-02-11 09:48 59360 ----a-w c:\documents and settings\Andrzej\Dane aplikacji\GDIPFONTCACHEV1.DAT

2009-01-24 15:21 . 2008-01-02 16:20 59360 ----a-w c:\documents and settings\Andrzej\Ustawienia lokalne\Dane aplikacji\GDIPFONTCACHEV1.DAT

2008-12-30 12:40 . 2008-02-28 13:25 57864 ----a-w c:\documents and settings\Joanna\Ustawienia lokalne\Dane aplikacji\GDIPFONTCACHEV1.DAT

2008-11-28 16:51 . 2008-11-28 16:51 57456 ----a-w c:\documents and settings\Joanna\Dane aplikacji\GDIPFONTCACHEV1.DAT

2008-02-05 10:23 . 2008-02-05 10:23 552 ----a-w c:\documents and settings\Filip\Ustawienia lokalne\Dane aplikacji\d3d8caps.dat

2008-01-02 20:30 . 2008-01-02 20:30 75872 ----a-w c:\documents and settings\LocalService\Ustawienia lokalne\Dane aplikacji\FontCache3.0.0.0.dat

2008-01-01 21:26 . 2008-01-01 21:26 132 ----a-w c:\documents and settings\Andrzej\Ustawienia lokalne\Dane aplikacji\fusioncache.dat

2008-01-01 11:35 . 2008-01-01 11:35 32 ----a-w c:\documents and settings\All Users\Dane aplikacji\ezsid.dat

2007-12-31 19:54 . 2007-12-31 17:37 12816 ----a-w c:\documents and settings\Administrator\Ustawienia lokalne\Dane aplikacji\GDIPFONTCACHEV1.DAT

2008-01-21 13:2008-01-21 13:39 39:49 . c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll

2008-09-17 19:21 . 2008-09-17 19:21 32768 --sha-w c:\windows\system32\config\systemprofile\Ustawienia lokalne\Historia\History.IE5\MSHist012008091720080918\index.dat

.

((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“Gadu-Gadu”=“c:\program files\Gadu-Gadu\gg.exe” [2007-11-14 2131392]

“ALLUpdate”=“c:\program files\ALLPlayer\ALLUpdate.exe” [2008-11-24 869888]

“ctfmon.exe”=“c:\windows\system32\ctfmon.exe” [2008-04-14 15360]

“Skype”=“c:\program files\Skype\Phone\Skype.exe” [2009-01-29 24096040]

“Google Update”=“c:\documents and settings\Andrzej\Ustawienia lokalne\Dane aplikacji\Google\Update\GoogleUpdate.exe” [2008-09-02 133104]

“AdobeUpdater”=“c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe” [2008-11-16 2356088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“Launch LGDCore”=“c:\program files\Logitech\G-series Software\LGDCore.exe” [2006-03-06 1122304]

“Launch LCDMon”=“c:\program files\Logitech\G-series Software\LCDMon.exe” [2006-03-06 497152]

“VMSnap3”=“c:\windows\VMSnap3.EXE” [2006-08-30 49152]

“Domino”=“c:\windows\Domino.EXE” [2006-06-28 49152]

“QuickTime Task”=“c:\program files\QuickTime\QTTask.exe” [2009-01-05 413696]

“iTunesHelper”=“c:\program files\iTunes\iTunesHelper.exe” [2009-03-12 342312]

“SunJavaUpdateSched”=“c:\program files\Java\jre6\bin\jusched.exe” [2009-03-09 148888]

“F-Secure Manager”=“c:\program files\F-Secure Internet Security\Common\FSM32.EXE” [2008-10-14 182936]

“F-Secure TNB”=“c:\program files\F-Secure Internet Security\FSGUI\TNBUtil.exe” [2008-10-14 957024]

“SoundMan”=“SOUNDMAN.EXE” - c:\windows\SOUNDMAN.EXE [2004-02-26 65024]

c:\documents and settings\All Users\Menu Start\Programy\Autostart\

Action Manager 32.lnk - c:\program files\ScannerU\AM32.exe [2008-1-2 69632]

Logo Calibration loader.lnk - c:\program files\GretagMacbeth\i1\i1Match2.0\calibrationloader\CalibrationLoader.exe [2008-10-18 516096]

[HKLM~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Menu Start\Programy\Autostart\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

“EnableFirewall”= 0 (0x0)

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

“%windir%\system32\sessmgr.exe”=

“%windir%\Network Diagnostic\xpnetdiag.exe”=

“c:\Program Files\uTorrent\uTorrent.exe”=

“c:\Program Files\Intuwave\Shared\mRouterRuntime\mRouterRuntime.exe”=

“c:\Program Files\totalcmd\TOTALCMD.EXE”=

“c:\Program Files\Gadu-Gadu\gg.exe”=

“c:\Program Files\SopCast\adv\SopAdver.exe”=

“c:\Program Files\SopCast\SopCast.exe”=

“c:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe”=

“e:\Folder\Warhammer\Warhammer.exe”=

“c:\Program Files\Ramzes\ramzes.exe”=

“c:\Program Files\Warcraft III\Warcraft III.exe”=

“c:\Program Files\Sony Ericsson\Update Service\Update Service.exe”=

“c:\Program Files\Nowe Gadu-Gadu\gg.exe”=

“c:\Program Files\Bonjour\mDNSResponder.exe”=

“c:\Program Files\iTunes\iTunes.exe”=

“c:\Program Files\Skype\Phone\Skype.exe”=

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

“3703:TCP”= 3703:TCP:Adobe Version Cue CS3 Server

“3704:TCP”= 3704:TCP:Adobe Version Cue CS3 Server

“50900:TCP”= 50900:TCP:Adobe Version Cue CS3 Server

“50901:TCP”= 50901:TCP:Adobe Version Cue CS3 Server

R2 gupdate1c9bdb0e0363534;Usługa Google Update (gupdate1c9bdb0e0363534);c:\program files\Google\Update\GoogleUpdate.exe [2009-04-15 133104]

R3 859aa6da-e833-4fe4-99d5-2c9db1df0572;859aa6da-e833-4fe4-99d5-2c9db1df0572; [x]

R3 Arfumdev;A4Tech USB Port RF-Mouse filter driver;c:\windows\system32\DRIVERS\Arfumx86.sys [2006-04-11 10240]

R3 Arfumftr;Trust RF-Mouse filter driver; [x]

R3 ATE_PROCMON;ATE_PROCMON; [x]

R3 EyeOneDp;EyeOneDp;c:\windows\system32\drivers\EyeOneDp.sys [2003-02-17 44344]

R3 FSORSPClient;F-Secure ORSP Client;c:\program files\F-Secure Internet Security\ORSP Client\fsorsp.exe [2008-10-14 55904]

R3 GoogleDesktopManager-010108-205858;Menedżer Google Desktop 5.7.801.1629;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2008-01-21 29744]

R3 MtxVxd;MtxVxd; [x]

R4 F-Secure Filter;F-Secure File System Filter;c:\program files\F-Secure Internet Security\Anti-Virus\Win2K\FSfilter.sys [2008-10-14 39776]

R4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\F-Secure Internet Security\Anti-Virus\Win2K\FSrec.sys [2008-10-14 25184]

S0 fsbts;fsbts;c:\windows\system32\Drivers\fsbts.sys [2009-04-22 33408]

S0 FSFW;F-Secure Firewall Driver;c:\windows\System32\drivers\fsdfw.sys [2008-10-14 79904]

S1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\F-Secure Internet Security\HIPS\drivers\fshs.sys [2008-10-14 66720]

S3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\F-Secure Internet Security\Anti-Virus\minifilter\fsgk.sys [2009-04-22 84608]

S3 GT680xNT;USB Scanner Driver;c:\windows\system32\drivers\gt680x.sys [2002-10-04 17932]

S3 vmfilter303;vmfilter303;c:\windows\system32\drivers\vmfilter303.sys [2006-04-25 428160]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

“c:\windows\system32\rundll32.exe” “c:\windows\system32\iedkcs32.dll”,BrandIEActiveSetup SIGNUP

.

Zawartość folderu ‘Zaplanowane zadania’

2009-04-15 c:\windows\Tasks\AppleSoftwareUpdate.job

c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 10:34]

2009-04-22 c:\windows\Tasks\GoogleUpdateTaskMachine.job

c:\program files\Google\Update\GoogleUpdate.exe [2009-04-15 09:59]

2009-04-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1343024091-796845957-1801674531-1003.job

c:\documents and settings\Andrzej\Ustawienia lokalne\Dane aplikacji\Google\Update\GoogleUpdate.exe [2008-09-02 20:12]

2009-04-22 c:\windows\Tasks\SDMsgUpdate (TE).job

c:\progra~1\SMARTD~1\Messages\SDNotify.exe [2008-02-21 07:53]

.

- - - USUNIĘTO PUSTE WPISY - - - -

HKLM-Run-BigDog303 - c:\windows\VM303_STI.EXE

.

------- Skan uzupełniający -------

.

uStart Page = https://www.pekaobiznes24.pl/do/login

uInternet Connection Wizard,ShellNext = hxxp://www.adobe.co.uk/products/tips/photoshop.html

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

IE: E&ksport do programu Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm

LSP: c:\program files\F-Secure Internet Security\FSPS\program\FSLSP.DLL

TCP: {D3519BA3-99E5-4887-AD9D-B7266C9D2EE3} = 194.204.152.34,192.168.2.1,208.67.222.222,208.67.220.220

Handler: CDS300 - {AD43AA67-6860-4531-AC8A-0E68F9CF023E} -

DPF: {051D0E35-F4E3-4C8D-B411-AB0875F4C683} - hxxp://install.anark.com/client/version … Client.cab

DPF: {92ECE6FA-AC2E-4042-BFAE-0C8608E52A41} - hxxps://www.pekaobiznes24.pl/sme/static … XPEKAO.cab

FF - ProfilePath - c:\documents and settings\Andrzej\Dane aplikacji\Mozilla\Firefox\Profiles\t1mxl7i2.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.startup.homepage - chrome://speeddial/content/speeddial.xul

FF - component: c:\documents and settings\Andrzej\Dane aplikacji\Mozilla\Firefox\Profiles\t1mxl7i2.default\extensions{6AC85730-7D0F-4de0-B3FA-21142DD85326}\platform\WINNT\components\ColorZilla.dll

FF - component: c:\documents and settings\Andrzej\Dane aplikacji\Mozilla\Firefox\Profiles\t1mxl7i2.default\extensions{FCAB6FDD-5585-425b-95C1-5ED856F3FD08}\components\nsCatcher.dll

FF - component: c:\documents and settings\Andrzej\Dane aplikacji\Mozilla\Firefox\Profiles\t1mxl7i2.default\extensions\piclens@cooliris.com\components\coolirisstub.dll

FF - plugin: c:\documents and settings\Andrzej\Dane aplikacji\Mozilla\Firefox\Profiles\t1mxl7i2.default\extensions\SignPlugin@pekao.pl\plugins\NPSignPluginPEKAO.dll

FF - plugin: c:\documents and settings\Andrzej\Ustawienia lokalne\Dane aplikacji\Google\Update\1.2.141.5\npGoogleOneClick7.dll

FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll

FF - plugin: c:\program files\Google\Update\1.2.141.5\npGoogleOneClick7.dll

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-04-22 16:07

Windows 5.1.2600 Dodatek Service Pack 3 NTFS

skanowanie ukrytych procesów …

skanowanie ukrytych wpisów autostartu …

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

BigDog303 = c:\windows\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)???0???@???

skanowanie ukrytych plików …

skanowanie pomyślnie ukończone

ukryte pliki: 0

**************************************************************************

.

--------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------

[HKEY_USERS\S-1-5-21-1343024091-796845957-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved{0A4B5100-94FC-0C71-F537-3C588513B17B}*]

“oadnklhekanmbfgecmakglfkhnkecd”=hex:69,61,6c,6b,6c,6d,69,61,61,62,65,64,69,6b,

6f,61,70,64,00,00

“panniihgnbakpdiidcghnncebihklclk”=hex:6a,61,6f,6b,62,6e,70,69,70,61,66,6a,6b,

6a,6b,69,6f,70,64,6c,00,ba

.

--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------

- - - - > ‘winlogon.exe’(684)

c:\windows\system32\Ati2evxx.dll

c:\program files\F-Secure Internet Security\FWES\Program\fsdc32.dll

- - - - > ‘lsass.exe’(740)

c:\program files\F-Secure Internet Security\FSPS\program\FSLSP.DLL

c:\program files\F-Secure Internet Security\FWES\Program\fsdc32.dll

- - - - > ‘explorer.exe’(2952)

c:\program files\iTunes\iTunesMiniPlayer.dll

c:\program files\iTunes\iTunesMiniPlayer.Resources\pl.lproj\iTunesMiniPlayerLocalized.dll

c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll

c:\progra~1\WINDOW~2\wmpband.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

- - - - > ‘csrss.exe’(652)

c:\program files\F-Secure Internet Security\FWES\Program\fsdc32.dll

.

------------------------ Pozostałe uruchomione procesy ------------------------

.

c:\windows\system32\ati2evxx.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe

c:\program files\F-Secure Internet Security\Common\FSMA32.EXE

c:\program files\F-Secure Internet Security\Anti-Virus\fsgk32.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\Protexis\License Service\PsiService_2.exe

c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

c:\windows\system32\Tablet.exe

c:\program files\F-Secure Internet Security\Anti-Virus\fssm32.exe

c:\windows\system32\WTablet\TabUserW.exe

c:\windows\system32\Tablet.exe

c:\program files\Logitech\G-series Software\Applets\LCDClock.exe

c:\program files\iPod\bin\iPodService.exe

c:\windows\system32\wscntfy.exe

c:\program files\F-Secure Internet Security\Common\FSLAUNCH.EXE

.

**************************************************************************

.

Czas ukończenia: 2009-04-22 16:14 - komputer został uruchomiony ponownie

ComboFix-quarantined-files.txt 2009-04-22 14:14

Przed: 8 247 672 832 bajtów wolnych

Po: 13 504 561 152 bajtów wolnych

WindowsXP-KB310994-SP2-Pro-BootDisk-PLK.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT=“Microsoft Windows Recovery Console” /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS=“Microsoft Windows XP Professional” /noexecute=optin /fastdetect

305 — E O F — 2009-04-15 20:58