Hello
I had a problem with an infected computer. I was forced to format the disk and install the system from scratch. I managed to recover an important part of my files and copy them onto the new system. I am afraid, however, that some malware might be hidden somewhere among them.
So I am asking for my logs to be checked:
HijackThis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:43:44, on 2009-04-22
Platform: Windows XP Dodatek SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Tlen.pl\tlen.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [startCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,4,N (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,4,N (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,4,N (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Statystyki ochrony WWW - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: Wyślij do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Wyślij &do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Zaznaczanie HP Smart - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll ,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~1\adialhk.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 5785 bytes
Silent Runners:
"Silent Runners.vbs", revision 59, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"DAEMON Tools Lite" = ""C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun" ["DT Soft Ltd"]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"PC Suite Tray" = ""C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"AVP" = ""C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"" ["Kaspersky Lab"]
"Alcmtr" = "ALCMTR.EXE" ["Realtek Semiconductor Corp."]
"StartCCC" = ""C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun" ["Advanced Micro Devices, Inc."]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre6\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"Adobe Reader Speed Launcher" = ""C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"" ["Adobe Systems Incorporated"]
"HP Software Update" = "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" ["Hewlett-Packard"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{0347C33E-8762-4905-BF09-768834316C61}\(Default) = "HP Print Enhancer"
  -> {HKLM...CLSID} = "HP Print Enhancer"
     \InProcServer32\(Default) = "C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll" ["Hewlett-Packard Co."]
{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\(Default) = "AcroIEHelperStub"
  -> {HKLM...CLSID} = "Adobe PDF Link Helper"
     \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll" ["Adobe Systems Incorporated"]
{59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C}\(Default) = "IEVkbdBHO"
  -> {HKLM...CLSID} = "IEVkbdBHO Class"
     \InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll" ["Kaspersky Lab"]
{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Groove GFS Browser Helper"
     \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
{DBC80044-A445-435b-BC74-9C25C1C588A9}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Java Plug-In 2 SSV Helper"
     \InProcServer32\(Default) = "C:\Program Files\Java\jre6\bin\jp2ssv.dll" ["Sun Microsystems, Inc."]
{E7E6F031-17CE-4C07-BC86-EABFE594F69C}\(Default) = "JQSIEStartDetectorImpl"
  -> {HKLM...CLSID} = "JQSIEStartDetectorImpl Class"
     \InProcServer32\(Default) = "C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll" ["Sun Microsystems, Inc."]
{FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856}\(Default) = "HP Smart BHO Class"
  -> {HKLM...CLSID} = "HP Smart BHO Class"
     \InProcServer32\(Default) = "C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll" ["Hewlett-Packard Co."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
     \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{3028902F-6374-48b2-8DC6-9725E775B926}" = "IE Microsoft AutoComplete"
  -> {HKLM...CLSID} = "IE Microsoft AutoComplete"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band"
  -> {HKLM...CLSID} = "History Band"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{85E0B171-04FA-11D1-B7DA-00A0C90348D6}" = "Statystyki ochrony WWW"
  -> {HKLM...CLSID} = "Statystyki ochrony WWW"
     \InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll" ["Kaspersky Lab"]
"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension"
  -> {HKLM...CLSID} = "SimpleShlExt Class"
     \InProcServer32\(Default) = "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\atiacmxx.dll" ["Advanced Micro Devices, Inc."]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
  -> {HKLM...CLSID} = "Portable Media Devices Menu"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}" = "UnlockerShellExtension"
  -> {HKLM...CLSID} = "UnlockerShellExtension"
     \InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]
"{416651E4-9C3C-11D9-8BDE-F66BAD1E3F3A}" = "Nokia Phone Browser"
  -> {HKLM...CLSID} = "Nokia Phone Browser"
     \InProcServer32\(Default) = "C:\Program Files\Nokia\Nokia PC Suite 6\phonebrowser.dll" ["Nokia"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" ["Alexander Roshal"]
"{72853161-30C5-4D22-B7F9-0BBC1D38A37E}" = "Groove GFS Browser Helper"
  -> {HKLM...CLSID} = "Groove GFS Browser Helper"
     \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}" = "Groove GFS Explorer Bar"
  -> {HKLM...CLSID} = "Groove Folder Synchronization"
     \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{A449600E-1DC6-4232-B948-9BD794D62056}" = "Groove GFS Stub Icon Handler"
  -> {HKLM...CLSID} = "Groove GFS Stub Icon Handler"
     \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}" = "Groove GFS Stub Execution Hook"
  -> {HKLM...CLSID} = "Groove GFS Stub Execution Hook"
     \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{6C467336-8281-4E60-8204-430CED96822D}" = "Groove GFS Context Menu Handler"
  -> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
     \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{387E725D-DC16-4D76-B310-2C93ED4752A0}" = "Groove XML Icon Handler"
  -> {HKLM...CLSID} = "Groove XML Icon Handler"
     \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{16F3DD56-1AF5-4347-846D-7C10C4192619}" = "Groove Explorer Icon Overlay 3 (GFS Folder)"
  -> {HKLM...CLSID} = "Groove Explorer Icon Overlay 3 (GFS Folder)"
     \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{AB5C5600-7E6E-4B06-9197-9ECEF74D31CC}" = "Groove Explorer Icon Overlay 2 (GFS Stub)"
  -> {HKLM...CLSID} = "Groove Explorer Icon Overlay 2 (GFS Stub)"
     \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{2916C86E-86A6-43FE-8112-43ABE6BF8DCC}" = "Groove Explorer Icon Overlay 4 (GFS Unread Mark)"
  -> {HKLM...CLSID} = "Groove Explorer Icon Overlay 4 (GFS Unread Mark)"
     \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{99FD978C-D287-4F50-827F-B2C658EDA8E7}" = "Groove Explorer Icon Overlay 1 (GFS Unread Stub)"
  -> {HKLM...CLSID} = "Groove Explorer Icon Overlay 1 (GFS Unread Stub)"
     \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{920E6DB1-9907-4370-B3A0-BAFC03D81399}" = "Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)"
  -> {HKLM...CLSID} = "Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)"
     \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
  -> {HKLM...CLSID} = "Outlook File Icon Extension"
     \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\OLKFSTUB.DLL" [MS]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
  -> {HKLM...CLSID} = "Microsoft Office Outlook"
     \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\MLSHEXT.DLL" [MS]
"{5858A72C-C2B4-4dd7-B2BF-B76DB1BD9F6C}" = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search"
  -> {HKLM...CLSID} = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search"
     \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\ONFILTER.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\msohevi.dll" [MS]
"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
  -> {HKLM...CLSID} = "Microsoft Office Metadata Handler"
     \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
  -> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
     \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<> "{B5A7F190-DDA6-4420-B3BA-52453494E6CD}" = "Groove GFS Stub Execution Hook"
  -> {HKLM...CLSID} = "Groove GFS Stub Execution Hook"
     \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
<> klogon\DLLName = "C:\WINDOWS\system32\klogon.dll" ["Kaspersky Lab"]

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
<> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}"
  -> {HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter"
     \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL" [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
  -> {HKLM...CLSID} = "PDF Shell Extension"
     \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ShellEx.dll" ["Kaspersky Lab"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" ["Alexander Roshal"]
XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
  -> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
     \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" ["Alexander Roshal"]
XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
  -> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
     \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ShellEx.dll" ["Kaspersky Lab"]
UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"
  -> {HKLM...CLSID} = "UnlockerShellExtension"
     \InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" ["Alexander Roshal"]
XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
  -> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
     \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"
  -> {HKLM...CLSID} = "UnlockerShellExtension"
     \InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]
XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
  -> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
     \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"ForceClassicControlPanel" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

"NoInternetOpenWith" = (REG_DWORD) dword:0x00000001
{unrecognized setting}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Admin\Dane aplikacji\Mozilla\Firefox\Tapeta pulpitu.bmp"


Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

MPCPlayCDAudioOnArrival\
"Provider" = "Media Player Classic"
"InvokeProgID" = "MediaPlayerClassic.Autorun"
"InvokeVerb" = "PlayCDAudio"
HKLM\SOFTWARE\Classes\MediaPlayerClassic.Autorun\shell\PlayCDAudio\command\(Default) = ""C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe" %1 /cd" ["mpc-hc@Sourceforge"]

MPCPlayDVDMovieOnArrival\
"Provider" = "Media Player Classic"
"InvokeProgID" = "MediaPlayerClassic.Autorun"
"InvokeVerb" = "PlayDVDMovie"
HKLM\SOFTWARE\Classes\MediaPlayerClassic.Autorun\shell\PlayDVDMovie\command\(Default) = ""C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe" %1 /dvd" ["mpc-hc@Sourceforge"]

MPCPlayMusicFilesOnArrival\
"Provider" = "Media Player Classic"
"InvokeProgID" = "MediaPlayerClassic.Autorun"
"InvokeVerb" = "PlayMusicFiles"
HKLM\SOFTWARE\Classes\MediaPlayerClassic.Autorun\shell\PlayMusicFiles\command\(Default) = ""C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe" %1" ["mpc-hc@Sourceforge"]

MPCPlayVideoFilesOnArrival\
"Provider" = "Media Player Classic"
"InvokeProgID" = "MediaPlayerClassic.Autorun"
"InvokeVerb" = "PlayVideoFiles"
HKLM\SOFTWARE\Classes\MediaPlayerClassic.Autorun\shell\PlayVideoFiles\command\(Default) = ""C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe" %1" ["mpc-hc@Sourceforge"]

NMMPlayCDAudioOnArrival\
"Provider" = "Nokia Music Manager"
"InvokeProgID" = "NokiaMusicManager"
"InvokeVerb" = "NMMPlayCD"
HKLM\SOFTWARE\Classes\NokiaMusicManager\shell\NMMPlayCD\command\(Default) = "C:\Program Files\Nokia\Nokia PC Suite 6\MusicManager.exe /playCD "%L"" ["Nokia"]

NMMRipCDAudioOnArrival\
"Provider" = "Nokia Music Manager"
"InvokeProgID" = "NokiaMusicManager"
"InvokeVerb" = "NMMRipCD"
HKLM\SOFTWARE\Classes\NokiaMusicManager\shell\NMMRipCD\command\(Default) = "C:\Program Files\Nokia\Nokia PC Suite 6\MusicManager.exe /ripCD "%L"" ["Nokia"]

WinampMTPHandler\
"Provider" = "Winamp"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = "C:\Program Files\Winamp\winamp.exe"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
  -> {HKLM...CLSID} = "ShellExecute HW Event Handler"
     \LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

WinampPlayMediaOnArrival\
"Provider" = "Winamp"
"InvokeProgID" = "Winamp.File"
"InvokeVerb" = "Play"
HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\command\(Default) = ""C:\Program Files\Winamp\winamp.exe" "%1"" ["Nullsoft"]
HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\DropTarget\CLSID = "{46986115-84D6-459c-8F95-52DD653E532E}"
  -> {HKLM...CLSID} = (no title provided)
     \LocalServer32\(Default) = ""C:\Program Files\Winamp\winamp.exe"" ["Nullsoft"]


Startup items in "Admin" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"HP Digital Imaging Monitor" -> shortcut to: "C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe" ["Hewlett-Packard Co."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

HKLM\SOFTWARE\Classes\CLSID\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}\(Default) = "Groove Folder Synchronization"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]

HKLM\SOFTWARE\Classes\CLSID\{85E0B171-04FA-11D1-B7DA-00A0C90348D6}\(Default) = "Statystyki ochrony WWW"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll" ["Kaspersky Lab"]

HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Poszukaj"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\

{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E}\
"ButtonText" = "Statystyki ochrony WWW"

{2670000A-7350-4F3C-8081-5663EE0C6C49}\
"ButtonText" = "Wyślij do programu OneNote"
"MenuText" = "Wyślij &do programu OneNote"
"CLSIDExtension" = "{48E73304-E1D6-4330-914C-F5F514E3486C}"
  -> {HKLM...CLSID} = "Send to OneNote from Internet Explorer button"
     \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll" [MS]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{DDE87865-83C5-48C4-8357-2F5B1AA84522}\
"ButtonText" = "Zaznaczanie HP Smart"
"CLSIDExtension" = "{DDE87865-83C5-48c4-8357-2F5B1AA84522}"
  -> {HKLM...CLSID} = "ClipBookBtn Class"
     \InProcServer32\(Default) = "C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll" ["Hewlett-Packard Co."]

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll ,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
hpqcxs08, hpqcxs08, "C:\WINDOWS\system32\svchost.exe -k hpdevmgmt" {"C:\Program Files\HP\Digital Imaging\bin\hpqcxs08.dll" ["Hewlett-Packard Co."]}
Java Quick Starter, JavaQuickStarterService, ""C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf"" ["Sun Microsystems, Inc."]
Karta wydajności WMI, WmiApSrv, "C:\WINDOWS\system32\wbem\wmiapsrv.exe" [MS]
Kaspersky Internet Security, AVP, ""C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" -r" ["Kaspersky Lab"]
ServiceLayer, ServiceLayer, ""C:\Program Files\PC Connectivity Solution\ServiceLayer.exe"" ["Nokia."]
Usługa HP CUE DeviceDiscovery, hpqddsvc, "C:\WINDOWS\system32\svchost.exe -k hpdevmgmt" {"C:\Program Files\HP\Digital Imaging\bin\hpqddsvc.dll" ["Hewlett-Packard Co."]}
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
LIDIL hpzll5mu\Driver = "hpzll5mu.dll" ["Hewlett-Packard Company"]
Send To Microsoft OneNote Monitor\Driver = "msonpmon.dll" [MS]


----------
(launch time: 2009-04-22 23:41:48)
<>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
  DLL launch points, use the -supp parameter or answer "No" at the
  first message box and "Yes" at the second message box.
---------- (total run time: 34 seconds,
            including 4 seconds for message boxes)
Regards
Edit
Combofix:
ComboFix 09-04-23.02 - Admin 2009-04-22 23:56.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1250.48.1045.18.3071.2446 [GMT 2:00]
Uruchomiony z: c:\documents and settings\Admin\Pulpit\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\pthreadGC2.dll

.
((((((((((((((((((((((((( Pliki utworzone od 2009-03-23 do 2009-04-23 )))))))))))))))))))))))))))))))
.

2009-04-22 21:28 . 2009-04-22 21:28 -------- d-----w c:\documents and settings\All Users\Dane aplikacji\WEBREG
2009-04-22 21:22 . 2009-04-22 21:22 -------- d-----w c:\documents and settings\All Users\Dane aplikacji\HP
2009-04-22 21:19 . 2009-04-22 21:19 -------- d-----w c:\documents and settings\All Users\Dane aplikacji\Hewlett-Packard
2009-04-22 21:19 . 2007-11-08 14:59 271704 ----a-r c:\windows\system32\hpzids01.dll
2009-04-22 21:19 . 2007-10-20 16:25 117760 ----a-w c:\windows\system32\hpzll5mu.dll
2009-04-22 21:18 . 2008-04-13 20:17 25856 -c--a-w c:\windows\system32\dllcache\usbprint.sys
2009-04-22 21:18 . 2008-04-13 20:17 25856 ----a-w c:\windows\system32\drivers\usbprint.sys
2009-04-22 21:18 . 2008-04-13 20:15 32128 -c--a-w c:\windows\system32\dllcache\usbccgp.sys
2009-04-22 21:18 . 2008-04-13 20:15 32128 ----a-w c:\windows\system32\drivers\usbccgp.sys
2009-04-22 21:14 . 2009-04-22 21:22 168994 ----a-w c:\windows\hphins26.dat
2009-04-22 21:14 . 2008-01-18 16:49 787 ------w c:\windows\hphmdl26.dat
2009-04-22 21:02 . 2009-04-22 21:03 -------- d-----w c:\documents and settings\Admin\Ustawienia lokalne\Dane aplikacji\Adobe
2009-04-22 20:21 . 2009-04-22 20:21 73728 ----a-w c:\windows\system32\javacpl.cpl
2009-04-22 20:21 . 2009-04-22 20:21 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-22 20:15 . 2009-04-22 21:20 -------- d-----w c:\documents and settings\Admin\Dane aplikacji\uTorrent
2009-04-22 12:15 . 2009-04-22 12:15 -------- d-----w c:\documents and settings\Admin\Dane aplikacji\BESTplayer
2009-04-22 12:09 . 2006-10-26 17:56 32592 ----a-w c:\windows\system32\msonpmon.dll
2009-04-22 12:06 . 2009-04-22 12:08 -------- d-----w c:\windows\SHELLNEW
2009-04-22 12:06 . 2009-04-22 12:06 -------- d-----w c:\documents and settings\Admin\Ustawienia lokalne\Dane aplikacji\Microsoft Help
2009-04-22 12:06 . 2009-04-22 12:09 -------- d-----w c:\documents and settings\All Users\Dane aplikacji\Microsoft Help
2009-04-22 12:05 . 2009-04-22 12:05 -------- d--h--r C:\MSOCache
2009-04-22 12:04 . 2009-04-22 12:04 -------- d-----w c:\documents and settings\Admin\Dane aplikacji\DAEMON Tools Pro
2009-04-22 12:04 . 2009-04-22 12:04 -------- d-----w c:\documents and settings\Admin\Dane aplikacji\DAEMON Tools
2009-04-22 12:04 . 2009-04-22 12:04 -------- d-----w c:\documents and settings\All Users\Dane aplikacji\DAEMON Tools Lite
2009-04-22 11:56 . 2009-04-22 11:56 717296 ----a-w c:\windows\system32\drivers\sptd.sys
2009-04-22 11:56 . 2009-04-22 11:56 -------- d-----w c:\documents and settings\Admin\Dane aplikacji\DAEMON Tools Lite
2009-04-22 11:29 . 2008-04-13 20:15 26368 -c--a-w c:\windows\system32\dllcache\usbstor.sys
2009-04-22 11:25 . 2009-04-22 11:25 -------- d-----w c:\documents and settings\Admin\Dane aplikacji\Nokia Multimedia Player
2009-04-22 11:23 . 2009-04-22 11:23 -------- d-----w c:\documents and settings\All Users\Dane aplikacji\PC Suite
2009-04-22 11:23 . 2009-04-22 11:25 -------- d-----w c:\documents and settings\Admin\Dane aplikacji\Nokia
2009-04-22 11:23 . 2009-04-22 11:25 -------- d-----w c:\documents and settings\Admin\Dane aplikacji\PC Suite
2009-04-22 11:23 . 2007-02-22 08:15 12288 ----a-w c:\windows\system32\drivers\nmwcdcm.sys
2009-04-22 11:23 . 2007-02-22 08:15 12288 ----a-w c:\windows\system32\drivers\nmwcdcj.sys
2009-04-22 11:23 . 2007-02-22 08:15 8320 ----a-w c:\windows\system32\drivers\nmwcdc.sys
2009-04-22 11:23 . 2007-02-22 08:15 137216 ----a-w c:\windows\system32\drivers\nmwcd.sys
2009-04-22 11:23 . 2007-02-22 08:15 65536 ----a-w c:\windows\system32\nmwcdcocls.dll
2009-04-22 11:23 . 2007-02-22 08:15 90624 ----a-w c:\windows\system32\nmwcdcls.dll
2009-04-22 11:12 . 2009-04-22 11:12 -------- d-----w c:\documents and settings\All Users\Dane aplikacji\Installations
2009-04-22 10:41 . 2009-04-22 10:41 -------- d-----w c:\documents and settings\Admin\Ustawienia lokalne\Dane aplikacji\Thunderbird
2009-04-22 10:41 . 2009-04-22 10:41 -------- d-----w c:\documents and settings\Admin\Dane aplikacji\Thunderbird
2009-04-22 10:39 . 2009-04-22 10:40 -------- d-----w c:\documents and settings\Admin\Dane aplikacji\Tlen.pl
2009-04-22 10:39 . 2009-04-22 10:39 -------- d-----w c:\documents and settings\All Users\Dane aplikacji\Tlen.pl
2009-04-22 10:37 . 2009-04-22 10:37 -------- d-----w c:\documents and settings\Normalne\Ustawienia lokalne\Dane aplikacji\Mozilla
2009-04-22 10:37 . 2009-04-22 19:14 65368 ----a-w c:\documents and settings\Normalne\Ustawienia lokalne\Dane aplikacji\GDIPFONTCACHEV1.DAT
2009-04-22 10:37 . 2009-04-22 10:37 -------- d-----w c:\documents and settings\Normalne\Ustawienia lokalne\Dane aplikacji\ATI
2009-04-22 10:37 . 2009-04-22 10:37 -------- d-----w c:\documents and settings\Normalne\Dane aplikacji\ATI
2009-04-22 10:35 . 2009-04-22 10:35 -------- d-----w c:\documents and settings\Admin\Ustawienia lokalne\Dane aplikacji\Mozilla
2009-04-22 10:32 . 2009-04-22 21:22 65368 ----a-w c:\documents and settings\Admin\Ustawienia lokalne\Dane aplikacji\GDIPFONTCACHEV1.DAT
2009-04-22 10:32 . 2009-04-22 10:32 -------- d-----w c:\documents and settings\All Users\Dane aplikacji\ATI
2009-04-22 10:32 . 2009-04-22 10:32 -------- d-----w c:\documents and settings\Admin\Ustawienia lokalne\Dane aplikacji\ATI
2009-04-22 10:32 . 2009-04-22 10:32 -------- d-----w c:\documents and settings\Admin\Dane aplikacji\ATI
2009-04-22 10:30 . 2009-04-23 21:58 -------- d--h--w c:\documents and settings\Normalne\Ustawienia lokalne
2009-04-22 10:27 . 2005-06-28 07:21 22752 ----a-w c:\windows\system32\spupdsvc.exe
2009-04-22 10:26 . 2009-04-22 10:26 -------- d-----w c:\documents and settings\Administrator\Ustawienia lokalne\Dane aplikacji\ApplicationHistory
2009-04-22 10:26 . 2009-04-22 10:26 138 ----a-w c:\documents and settings\Administrator\Ustawienia lokalne\Dane aplikacji\fusioncache.dat
2009-04-22 10:26 . 2009-04-22 10:26 -------- d-----w c:\windows\Downloaded Installations
2009-04-22 10:23 . 2009-04-22 10:23 -------- d-----w c:\windows\system32\URTTemp

.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-23 22:01 . 2009-04-22 00:36 -------- d-----w c:\documents and settings\All Users\Dane aplikacji\Kaspersky Lab
2009-04-23 21:59 . 2009-04-22 00:36 4044 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-04-23 21:59 . 2009-04-22 00:36 253984 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-04-23 21:59 . 2009-04-22 00:36 13548 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-04-23 21:59 . 2009-04-22 00:36 1193504 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-04-22 21:42 . 2009-04-22 21:42 -------- d-----w c:\program files\Trend Micro
2009-04-22 21:30 . 2009-04-22 10:41 -------- d-----w c:\program files\Mozilla Thunderbird
2009-04-22 21:30 . 2009-04-22 21:30 -------- d-----w c:\program files\SopCast
2009-04-22 21:26 . 2009-04-22 21:26 -------- d-----w c:\program files\NAPI-PROJEKT
2009-04-22 21:22 . 2009-04-22 21:18 -------- d-----w c:\program files\HP
2009-04-22 21:20 . 2009-04-22 21:20 -------- d-----w c:\program files\Common Files\HP
2009-04-22 21:01 . 2009-04-22 21:01 -------- d-----w c:\program files\Common Files\Adobe
2009-04-22 20:45 . 2009-04-22 20:45 -------- d-----w c:\program files\Defraggler
2009-04-22 20:42 . 2009-04-22 20:09 -------- d-----w c:\documents and settings\Admin\Dane aplikacji\Winamp
2009-04-22 20:37 . 2009-04-22 20:37 -------- d-----w c:\program files\CCleaner
2009-04-22 20:27 . 2009-04-22 20:26 -------- d-----w c:\program files\StrongDC
2009-04-22 20:21 . 2009-04-22 20:21 -------- d-----w c:\program files\Java
2009-04-22 20:15 . 2009-04-22 20:15 -------- d-----w c:\program files\uTorrent
2009-04-22 20:11 . 2009-04-22 20:09 -------- d-----w c:\program files\Winamp
2009-04-22 12:31 . 2009-04-22 00:26 86327 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-04-22 12:14 . 2009-04-22 12:14 -------- d-----w c:\program files\K-Lite Codec Pack
2009-04-22 12:08 . 2009-04-22 12:08 -------- d-----w c:\program files\Microsoft Works
2009-04-22 12:08 . 2009-04-22 12:08 -------- d-----w c:\program files\MSBuild
2009-04-22 12:07 . 2009-04-22 12:07 -------- d-----w c:\program files\Microsoft.NET
2009-04-22 12:06 . 2009-04-22 12:06 -------- d-----w c:\program files\Microsoft Visual Studio 8
2009-04-22 12:03 . 2009-04-22 12:03 -------- d-----w c:\program files\DAEMON Tools Lite
2009-04-22 11:23 . 2009-04-22 00:53 -------- d-----w c:\program files\DIFX
2009-04-22 11:23 . 2009-04-22 11:23 -------- d-----w c:\program files\Common Files\PCSuite
2009-04-22 11:23 . 2009-04-22 11:23 -------- d-----w c:\program files\Common Files\Nokia
2009-04-22 11:23 . 2009-04-22 11:23 -------- d-----w c:\program files\Nokia
2009-04-22 11:23 . 2009-04-22 11:23 -------- d-----w c:\program files\PC Connectivity Solution
2009-04-22 10:39 . 2009-04-22 10:39 -------- d-----w c:\program files\Tlen.pl
2009-04-22 10:31 . 2009-04-22 01:01 -------- d-----w c:\program files\ATI
2009-04-22 10:29 . 2009-04-22 10:29 -------- d-----w c:\program files\Malicious Software Removal Tool
2009-04-22 10:29 . 2009-04-22 10:29 -------- d-----w c:\program files\Unlocker
2009-04-22 10:29 . 2001-10-26 15:15 79408 ----a-w c:\windows\system32\perfc015.dat
2009-04-22 10:29 . 2001-10-26 15:15 458022 ----a-w c:\windows\system32\perfh015.dat
2009-04-22 10:26 . 2009-04-22 10:26 -------- d-----w c:\program files\HighMAT CD Writing Wizard
2009-04-22 10:14 .
2009-04-22 10:13 -------- d-----w c:\program files\AutoPatcher 2009-04-22 10:03 . 2009-04-22 00:49 14656 ----a-w c:\windows\gdrv.sys 2009-04-22 01:00 . 2009-04-22 01:00 -------- d-----w c:\program files\ATI Technologies 2009-04-22 01:00 . 2009-04-22 00:53 -------- d–h--w c:\program files\InstallShield Installation Information 2009-04-22 00:59 . 2009-04-22 00:53 -------- d-----w c:\program files\Common Files\InstallShield 2009-04-22 00:54 . 2009-04-22 00:53 348 ----a-w C:\RHDSetup.log 2009-04-22 00:53 . 2009-04-22 00:53 -------- d-----w c:\program files\Realtek 2009-04-22 00:53 . 2009-04-22 00:53 315392 ----a-w c:\windows\HideWin.exe 2009-04-22 00:51 . 2009-04-22 00:51 -------- d-----w c:\documents and settings\Administrator\Dane aplikacji\InstallShield 2009-04-22 00:38 . 2008-01-29 15:29 33808 ----a-w c:\windows\system32\drivers\klbg.sys 2009-04-22 00:38 . 2009-04-22 00:37 89601 ----a-w c:\windows\system32\drivers\klick.dat 2009-04-22 00:38 . 2009-04-22 00:37 101287 ----a-w c:\windows\system32\drivers\klin.dat 2009-04-22 00:36 . 2009-04-22 00:36 -------- d-----w c:\program files\Kaspersky Lab 2009-04-22 00:35 . 2009-04-22 00:35 -------- d-----w c:\documents and settings\All Users\Dane aplikacji\Kaspersky Lab Setup Files 2009-04-22 00:26 . 2009-04-22 00:26 -------- d-----w c:\program files\microsoft frontpage 2009-04-22 00:24 . 2009-04-22 00:24 21856 ----a-w c:\windows\system32\emptyregdb.dat 2009-04-02 13:21 . 2009-04-22 12:14 84480 ----a-w c:\windows\system32\ff_vfw.dll 2009-03-17 19:05 . 2009-04-22 01:00 593920 ------w c:\windows\system32\ati2sgag.exe 2009-03-16 21:33 . 2009-03-16 21:33 3597312 ----a-w c:\windows\system32\drivers\ati2mtag.sys 2009-03-16 20:27 . 2009-03-16 20:27 442368 ----a-w c:\windows\system32\ATIDEMGX.dll 2009-03-16 20:26 . 2009-03-16 20:26 328704 ----a-w c:\windows\system32\ati2dvag.dll 2009-03-16 20:17 . 2009-03-16 20:17 307200 ----a-w c:\windows\system32\atiiiexx.dll 2009-03-16 20:17 . 
2009-03-16 20:17 204800 ----a-w c:\windows\system32\atipdlxx.dll 2009-03-16 20:16 . 2009-03-16 20:16 155648 ----a-w c:\windows\system32\Oemdspif.dll 2009-03-16 20:16 . 2009-03-16 20:16 26112 ----a-w c:\windows\system32\Ati2mdxx.exe 2009-03-16 20:16 . 2009-03-16 20:16 43520 ----a-w c:\windows\system32\ati2edxx.dll 2009-03-16 20:16 . 2009-03-16 20:16 155648 ----a-w c:\windows\system32\ati2evxx.dll 2009-03-16 20:15 . 2009-03-16 20:15 602112 ----a-w c:\windows\system32\ati2evxx.exe 2009-03-16 20:13 . 2009-03-16 20:13 53248 ----a-w c:\windows\system32\ATIDDC.DLL 2009-03-16 20:06 . 2009-03-16 20:06 3820736 ----a-w c:\windows\system32\ati3duag.dll 2009-03-16 20:04 . 2009-03-16 20:04 11563008 ----a-w c:\windows\system32\atioglxx.dll 2009-03-16 19:53 . 2009-03-16 19:53 2675328 ----a-w c:\windows\system32\ativvaxx.dll 2009-03-16 19:53 . 2009-03-16 19:53 887724 ----a-w c:\windows\system32\ativva6x.dat 2009-03-16 19:53 . 2009-03-16 19:53 3107788 ----a-w c:\windows\system32\ativva5x.dat 2009-03-16 19:40 . 2009-03-16 19:40 49664 ----a-w c:\windows\system32\atimpc32.dll 2009-03-16 19:40 . 2009-03-16 19:40 49664 ----a-w c:\windows\system32\amdpcom32.dll 2009-03-16 19:36 . 2009-03-16 19:36 475136 ----a-w c:\windows\system32\atikvmag.dll 2009-03-16 19:35 . 2009-03-16 19:35 303104 ----a-w c:\windows\system32\atiok3x2.dll 2009-03-16 19:35 . 2009-03-16 19:35 45056 ----a-w c:\windows\system32\aticalrt.dll 2009-03-16 19:35 . 2009-03-16 19:35 131072 ----a-w c:\windows\system32\atiadlxx.dll 2009-03-16 19:34 . 2009-03-16 19:34 45056 ----a-w c:\windows\system32\aticalcl.dll 2009-03-16 19:34 . 2009-03-16 19:34 17408 ----a-w c:\windows\system32\atitvo32.dll 2009-03-16 19:34 . 2009-03-16 19:34 53248 ----a-w c:\windows\system32\drivers\ati2erec.dll 2009-03-16 19:33 . 2009-03-16 19:33 3264512 ----a-w c:\windows\system32\aticaldd.dll 2009-03-16 19:28 . 2009-03-16 19:28 630784 ----a-w c:\windows\system32\ati2cqag.dll 2009-03-03 19:56 . 
2009-03-03 19:56 118784 ----a-w c:\windows\system32\atibtmon.exe 2009-02-23 21:39 . 2009-02-23 21:39 184394 ----a-w c:\windows\system32\atiicdxx.dat 2009-02-18 17:55 . 2009-02-18 17:55 294912 ----a-w c:\windows\system32\ATIODE.exe 2009-02-03 20:52 . 2009-02-03 20:52 45056 ----a-w c:\windows\system32\ATIODCLI.exe . ------- Sigcheck ------- [-] 2008-04-29 20:57 361344 030DC4D48CC2B894FEE2F390D8E66AD5 c:\windows\system32\drivers\tcpip.sys [-] 2008-04-29 21:04 1571840 5E84F867D2F52B3CAA4DFF79D97B2DDF c:\windows\system32\sfcfiles.dll . ((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “DAEMON Tools Lite”=“c:\program files\DAEMON Tools Lite\daemon.exe” [2008-12-29 687560] “ctfmon.exe”=“c:\windows\system32\ctfmon.exe” [2008-04-14 15360] “PC Suite Tray”=“c:\program files\Nokia\Nokia PC Suite 6\PCSuite.exe” [2007-12-10 695808] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “AVP”=“c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe” [2009-04-22 206088] “StartCCC”=“c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe” [2009-03-17 61440] “SunJavaUpdateSched”=“c:\program files\Java\jre6\bin\jusched.exe” [2009-04-22 148888] “Adobe Reader Speed Launcher”=“c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe” [2009-02-27 35696] “HP Software Update”=“c:\program files\HP\HP Software Update\HPWuSchd2.exe” [2007-05-08 54840] [HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] “Nokia.PCSync”=“c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe” [2007-11-07 1294336] [HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce] “nltide_3”=“advpack.dll” - c:\windows\system32\advpack.dll [2008-04-14 100864] c:\documents and settings\All Users\Menu Start\Programy\Autostart\ HP Digital Imaging Monitor.lnk - 
c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] “ForceClassicControlPanel”= 1 (0x1) [HKEY_USERS.default\software\microsoft\windows\currentversion\policies\explorer] “ForceClassicControlPanel”= 1 (0x1) [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus] “DisableMonitoring”=dword:00000001 [HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile] “EnableFirewall”= 0 (0x0) “DisableUnicastResponsesToMulticastBroadcast”= 0 (0x0) [HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] “%windir%\Network Diagnostic\xpnetdiag.exe”= “%windir%\system32\sessmgr.exe”= “c:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE”= “c:\Program Files\Microsoft Office\Office12\GROOVE.EXE”= “c:\Program Files\Microsoft Office\Office12\ONENOTE.EXE”= “c:\Program Files\uTorrent\uTorrent.exe”= “c:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe”= “c:\Program Files\HP\Digital Imaging\bin\hpqste08.exe”= “c:\Program Files\HP\Digital Imaging\bin\hposid01.exe”= S0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-04-22 33808] S3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\DRIVERS\klfltdev.sys [2008-03-13 26640] S3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2008-04-30 24592] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc . . ------- Skan uzupełniający ------- . 
IE: E&ksportuj do programu Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000 FF - ProfilePath - c:\documents and settings\Admin\Dane aplikacji\Mozilla\Firefox\Profiles\8v4reoa8.marcin\ FF - prefs.js: browser.startup.homepage - www.onet.pl FF - prefs.js: network.proxy.ftp - proxy.interkam.pl FF - prefs.js: network.proxy.ftp_port - 8080 FF - prefs.js: network.proxy.http - proxy.interkam.pl FF - prefs.js: network.proxy.http_port - 8080 FF - prefs.js: network.proxy.type - 1 FF - plugin: c:\documents and settings\Admin\Dane aplikacji\Mozilla\Firefox\Profiles\8v4reoa8.marcin\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll ---- FIREFOX - SPOSÓB POSTĘPOWANIA ---- FF - user.js: network.http.max-connections-per-server - 6 FF - user.js: network.http.max-persistent-connections-per-server - 3 FF - user.js: content.max.tokenizing.time - 2250000 FF - user.js: content.notify.interval - 750000 FF - user.js: nglayout.initialpaint.delay - 750 . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-04-24 00:02 Windows 5.1.2600 Dodatek Service Pack 3 NTFS skanowanie ukrytych procesów … skanowanie ukrytych wpisów autostartu … skanowanie ukrytych plików … skanowanie pomyślnie ukończone ukryte pliki: 0 ************************************************************************** . --------------------- Pliki DLL ładowane pod uruchomionymi procesami --------------------- - - - - - - - > ‘winlogon.exe’(852) c:\windows\system32\Ati2evxx.dll . ------------------------ Pozostałe uruchomione procesy ------------------------ . 
c:\windows\system32\ati2evxx.exe c:\windows\system32\ati2evxx.exe c:\program files\Java\jre6\bin\jqs.exe c:\windows\system32\wdfmgr.exe c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe c:\windows\system32\wbem\wmiapsrv.exe c:\program files\PC Connectivity Solution\ServiceLayer.exe c:\program files\PC Connectivity Solution\Transports\NclUSBSrv.exe c:\program files\PC Connectivity Solution\Transports\NclRSSrv.exe c:\program files\HP\Digital Imaging\bin\hpqste08.exe c:\program files\HP\Digital Imaging\bin\hpqbam08.exe . ************************************************************************** . Czas ukończenia: 2009-04-23 0:03 - komputer został uruchomiony ponownie ComboFix-quarantined-files.txt 2009-04-23 22:02 Przed: 16 687 693 824 bajtów wolnych Po: 16 739 463 168 bajtów wolnych WindowsXP-KB310994-SP2-Pro-BootDisk-PLK.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT=“Microsoft Windows Recovery Console” /cmdcons multi(0)disk(0)rdisk(0)partition(1)\WINDOWS=“Microsoft Windows XP Professional” /noexecute=optin /fastdetect /usepmtimer 270