I ran it again; something popped up, I clicked "yes" twice, and I think it worked this time, because the report opened in Notepad:
ComboFix 08-02-21 - Natalia 2008-02-21 1:55:21.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1045.18.543 [GMT 1:00]
Running from: C:\anty\ComboFix.exe
Command switches used :: C:\anty\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED
FILE ::
C:\DOCUME~1\Natalia\USTAWI~1\Temp\65exgmrgml19.exe
C:\WINDOWS\mrofinu2000382.exe
C:\WINDOWS\system\smvss.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\DOCUME~1\Natalia\USTAWI~1\Temp\65exgmrgml19.exe
C:\Documents and Settings\All Users\Dane aplikacji\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Dane aplikacji\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\system\smvss.exe
----- BITS: Possible infected sites -----
hxxp://au.download.windowsupdate.cőj
.
((((((((((((((((((((((((( Files Created from 2008-01-21 to 2008-02-21 )))))))))))))))))))))))))))))))
.
2008-02-20 23:22 . 2008-02-20 23:22
2008-02-20 23:22 . 2008-02-20 23:22
2008-02-20 23:21 . 2008-02-21 00:44
2008-02-20 21:47 . 2008-02-20 21:57
2008-02-20 21:47 . 2008-02-20 21:47
2008-02-20 21:47 . 2008-02-21 01:53
2008-02-20 21:47 . 2007-12-10 14:53 81,288 --a------ C:\Windows\system32\drivers\iksyssec.sys
2008-02-20 21:47 . 2007-12-10 14:53 66,952 --a------ C:\Windows\system32\drivers\iksysflt.sys
2008-02-20 21:47 . 2007-12-10 14:53 41,864 --a------ C:\Windows\system32\drivers\ikfilesec.sys
2008-02-20 21:47 . 2007-12-10 14:53 29,576 --a------ C:\Windows\system32\drivers\kcom.sys
2008-02-09 22:03 . 2008-02-09 22:03 0 --a------ C:\Windows\nsreg.dat
2008-02-01 23:18 . 2008-02-01 23:18
2008-02-01 22:51 . 2008-02-01 23:29
2008-02-01 22:51 . 2008-02-01 22:51
2008-02-01 22:50 . 2008-02-03 02:04
2008-01-28 23:07 . 2008-02-19 16:14 117,640 --a------ C:\test.htm
2008-01-27 16:23 . 2008-01-31 23:38
2008-01-27 15:00 . 2006-03-02 13:00 38,016 --a------ C:\Windows\system32\drivers\bthmodem.sys
2008-01-27 15:00 . 2006-03-02 13:00 38,016 --a------ C:\Windows\system32\dllcache\bthmodem.sys
2008-01-27 14:53 . 2008-01-27 14:53
2008-01-22 17:57 . 2008-02-17 14:03
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-21 00:54 --------- d-----w C:\Program Files\OrangeBs
2008-01-12 13:21 --------- d-----w C:\Program Files\MSN Messenger
2008-01-11 05:41 44,544 ------w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-12-26 23:33 --------- d-----w C:\Program Files\Flash
2007-12-26 20:29 --------- d-----w C:\Program Files\Java
2007-12-26 20:28 --------- d-----w C:\Program Files\Common Files\Java
2007-12-22 22:46 --------- d-----w C:\Program Files\BearShare Applications
2007-12-22 21:26 --------- d-----w C:\Program Files\eMule
2007-12-22 21:25 --------- d-----w C:\Documents and Settings\Natalia\Dane aplikacji\eMule
2007-12-22 10:51 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Microsoft Help
2007-12-21 22:34 --------- d-----w C:\Program Files\Gadu-Gadu
2007-12-21 20:55 --------- d-----w C:\Program Files\Google
2007-12-21 20:14 --------- d-----w C:\Program Files\AVAST!
2007-12-21 15:16 --------- d-----w C:\Documents and Settings\Natalia\Dane aplikacji\AdobeUM
2007-12-21 15:01 --------- d-----w C:\Program Files\FranceTelecomUninstall
2007-12-19 22:58 347,136 ------w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-12-18 09:51 179,584 ------w C:\WINDOWS\system32\dllcache\mrxdav.sys
2007-12-08 05:14 3,592,192 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-12-06 11:06 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-12-06 11:05 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-12-06 11:00 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-12-06 04:59 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-12-04 18:42 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-12-04 18:42 550,912 ------w C:\WINDOWS\system32\dllcache\oleaut32.dll
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
2007-04-26 06:54 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Feeds Cache\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 13:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-12-21 21:55 171448]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\Gadu-Gadu\gg.exe" [2005-08-30 19:51 1708032]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"ares"="C:\Program Files\Ares\Ares.exe" [2007-12-31 15:29 962560]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40 155648]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 14:10 56928]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 21:55 54832]
"SMSERIAL"="sm56hlpr.exe" [2005-07-03 16:03 544768 C:\Windows\sm56hlpr.exe]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-03-23 05:17 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-03-23 05:13 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-03-23 05:17 118784]
"OBSWATCH"="C:\PROGRA~1\OrangeBs\Watch.exe" [2005-09-07 10:26 20480]
"avast!"="C:\PROGRA~1\AVAST!\ashDisp.exe" [2007-12-04 14:00 79224]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2006-03-02 13:00 110592 C:\Windows\system32\bthprops.cpl]
"RTHDCPL"="RTHDCPL.EXE" [2006-11-14 17:21 16270848 C:\Windows\RTHDCPL.EXE]
"SkyTel"="SkyTel.EXE" [2006-05-16 18:04 2879488 C:\Windows\SkyTel.exe]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2007-12-10 14:53 1103752]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 13:00 15360]
R0 O2MDRDR;O2MDRDR;C:\WINDOWS\system32\DRIVERS\o2media.sys [2006-02-27 08:00]
R0 O2SDRDR;O2SDRDR;C:\WINDOWS\system32\DRIVERS\o2sd.sys [2006-02-20 09:01]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c7bd7529-b636-11dc-a726-001b773e7454}]
\Shell\Auto\command - F:\auto.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL auto.exe
\Shell\explore\Command - F:\EXPLORER.EXE
\Shell\open\Command - F:\EXPLORER.EXE
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-21 01:57:01
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
detected NTDLL code modification:
ZwClose
scanning hidden processes …
scanning hidden autostart entries …
scanning hidden files …
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-02-21 1:57:39
ComboFix-quarantined-files.txt 2008-02-21 00:57:36
.
2008-02-13 22:40:11 --- E O F ---
I'm not touching anything now; I'm waiting for a reply on what to do next.