5 trojans detected


(system) #1

Hi

A-squared detected 5 trojans on my computer. I would like to be 100% sure they are gone, so I am asking for help.

"Silent Runners.vbs", revision 59, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" ["ALWIL Software"]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "AcroIEHlprObj Class"

                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "SSVHelper Class"

                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll" ["Sun Microsystems, Inc."]

{E99421FB-68DD-40F0-B4AC-B7027CAE2F1A}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "EpsonToolBandKicker Class"

                   \InProcServer32\(Default) = "D:\EPSON Web-To-Page\EPSON Web-To-Page.dll" ["SEIKO EPSON CORPORATION"]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

                   \InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{57C51AF9-DEF7-11D3-A801-00C04F163490}" = "Ghost Shell Extension"

  -> {HKLM...CLSID} = "PropPage Class"

                   \InProcServer32\(Default) = "C:\Program Files\Symantec\Norton Ghost 2003\GhoShExt.dll" ["Symantec Corporation"]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"

  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"

  -> {HKLM...CLSID} = "avast"

                   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\

<> "BootExecute" = "autocheck autochk *"|"OODBS" ["O&O Software GmbH"]


HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"

  -> {HKLM...CLSID} = "PDF Shell Extension"

                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]


HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\

avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"

  -> {HKLM...CLSID} = "avast"

                   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\

avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"

  -> {HKLM...CLSID} = "avast"

                   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]



Default executables:

--------------------


<> HKLM\SOFTWARE\Classes\.com\(Default) = "ComFile"



Group Policies {GPedit.msc branch and setting}:

-----------------------------------------------


Note: detected settings may not have any effect.


HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\


"NoDrives" = (REG_DWORD) dword:0x00000000

{unrecognized setting}


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\


"NoDrives" = (REG_DWORD) dword:0x00000000

{unrecognized setting}


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\


"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}


"undockwithoutlogon" = (REG_DWORD) dword:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Devices: Allow undock without having to log on}



Active Desktop and Wallpaper:

-----------------------------


Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "C:\WINDOWS\web\wallpaper\Idylla.bmp"


Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\WINDOWS\web\wallpaper\Idylla.bmp"



Windows Portable Device AutoPlay Handlers

-----------------------------------------


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\


MSPlayCDAudioOnArrival\

"Provider" = "ALLPlayer"

"InvokeProgID" = "AllPlayerFile"

"InvokeVerb" = "play"

HKCU\Software\Classes\AllPlayerFile\shell\play\command\(Default) = ""C:\Program Files\ALLPlayer\ALLPlayer.exe" "%1"" ["ALLPlayer"]



Startup items in "FOTO" & "All Users" startup folders:

------------------------------------------------------


C:\Documents and Settings\FOTO\Menu Start\Programy\Autostart

"ERUNT AutoBackup" -> shortcut to: "C:\Program Files\ERUNT\AUTOBACK.EXE %SystemRoot%\ERDNT\AutoBackup\#Date# /noconfirmdelete /noprogresswindow" [null data]


C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

"Ralink Wireless Utility" -> shortcut to: "C:\Program Files\RALINK\Common\RaUI.exe -s" ["Ralink Technology, Corp."]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


Transport Service Providers


HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05



Toolbars, Explorer Bars, Extensions:

------------------------------------


Toolbars


HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

"{EE5D279F-081B-4404-994D-C6B60AAEBA6D}"

  -> {HKLM...CLSID} = "EPSON Web-To-Page"

                   \InProcServer32\(Default) = "D:\EPSON Web-To-Page\EPSON Web-To-Page.dll" ["SEIKO EPSON CORPORATION"]


HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\

"{EE5D279F-081B-4404-994D-C6B60AAEBA6D}" = (no title provided)

  -> {HKLM...CLSID} = "EPSON Web-To-Page"

                   \InProcServer32\(Default) = "D:\EPSON Web-To-Page\EPSON Web-To-Page.dll" ["SEIKO EPSON CORPORATION"]


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

"MenuText" = "Sun Java Console"

"CLSIDExtension" = "{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC}"

  -> {HKCU...CLSID} = "Java Plug-in 1.6.0_07"

                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll" ["Sun Microsystems, Inc."]

  -> {HKLM...CLSID} = "Java Plug-in 1.6.0_07"

                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll" ["Sun Microsystems, Inc."]


{E2E2DD38-D088-4134-82B7-F2BA38496583}\

"MenuText" = "@xpsp3res.dll,-20001"

"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


a-squared Free Service, a2free, ""C:\Program Files\a-squared Free\a2service.exe"" ["Emsi Software GmbH"]

avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" ["ALWIL Software"]

avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" ["ALWIL Software"]

GhostStartService, GhostStartService, "C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe" ["Symantec Corporation"]

O&O Defrag, O&O Defrag, "C:\WINDOWS\system32\oodag.exe" ["O&O Software GmbH"]



---------- (launch time: 2009-03-07 11:27:34)

<>: Suspicious data at a malware launch point.


+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

  took 34 seconds.

---------- (total run time: 97 seconds)

ComboFix 09-03-04.01 - FOTO 2009-03-07 11:40:14.3 - [color=red][b]FAT32[/b][/color]x86

Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.255.119 [GMT 1:00]

Uruchomiony z: c:\documents and settings\FOTO\Pulpit\logi\ComboFix.exe

AV: avast! antivirus 4.8.1335 [VPS 090306-0] *On-access scanning disabled* (Updated)

AV: BitDefender Antivirus *On-access scanning disabled* (Updated)

 * Utworzono nowy punkt przywracania

.


((((((((((((((((((((((((( Pliki utworzone od 2009-02-07 do 2009-03-07 )))))))))))))))))))))))))))))))

.


Nie utworzono żadnych nowych plików w tym okresie


.

(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-02-04 21:45	---------	d-----w	c:\program files\Team17

2009-02-03 19:16	---------	d-----w	c:\program files\OO Software

2009-02-02 12:23	81,984	----a-w	c:\windows\system32\bdod.bin

2009-02-02 11:57	---------	d-----w	c:\program files\Raxco

2009-02-02 10:37	---------	d-----w	c:\program files\BitDefender

2009-02-02 09:57	---------	d-----w	c:\program files\ALLPlayer

2009-02-01 09:40	---------	d-----w	c:\program files\VS Revo Group

2009-01-31 20:42	---------	d-----w	c:\program files\ERUNT

2009-01-31 11:59	---------	d-----w	c:\program files\Odkurzacz

2008-12-23 21:25	249,592	----a-w	c:\windows\system32\cssdll32.dll

.


------- Sigcheck -------


2004-08-04 00:44 14336 ba98327e90022dbd6ee76490e0622e2e	c:\windows\system32\svchost.exe

2004-08-04 00:44 14336 ba98327e90022dbd6ee76490e0622e2e	c:\windows\ServicePackFiles\i386\svchost.exe

2008-04-14 19:21 14336 8607d35d92528e2df386f19a960d23ce	c:\windows\SoftwareDistribution\Download\dd64aa87403cfac627c6c8f37d245aa4\svchost.exe

2001-10-26 17:30 12800 b3c95bfeef6781a82a1c429f466a3a11	c:\windows\$NtServicePackUninstall$\svchost.exe


2007-03-08 17:38 579072 a37a4637f84f8dd771274eaf8d17fa65	c:\windows\system32\user32.dll

2007-03-08 17:38 579072 a37a4637f84f8dd771274eaf8d17fa65	c:\windows\system32\dllcache\user32.dll

2004-08-04 00:44 578560 0c81764f50f32d376e6e4b9e9f4b01a0	c:\windows\ServicePackFiles\i386\user32.dll

2008-04-14 19:20 580096 a435c5c069afd901751ac323ad238793	c:\windows\SoftwareDistribution\Download\dd64aa87403cfac627c6c8f37d245aa4\user32.dll

2005-03-02 20:21 578560 6a93565be9b8422eb7538c66ac732d76	c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll

2007-03-08 17:51 579584 11abdecc02efc1d2b6a6a0fa46c26594	c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll

2002-09-20 17:04 561664 3a4892a57cfe05d61e4bbc3ec3e24a63	c:\windows\$NtServicePackUninstall$\user32.dll


2004-08-04 00:44 82944 ab82237486b727dd7dab36a76f38a3a2	c:\windows\system32\ws2_32.dll

2004-08-04 00:44 82944 ab82237486b727dd7dab36a76f38a3a2	c:\windows\ServicePackFiles\i386\ws2_32.dll

2008-04-14 19:20 82432 c0aa2ab856680c44739b41e01f5bd4e9	c:\windows\SoftwareDistribution\Download\dd64aa87403cfac627c6c8f37d245aa4\ws2_32.dll

2001-10-26 17:29 75264 9b7d1c56cc12d806314b853bf52ecb4c	c:\windows\$NtServicePackUninstall$\ws2_32.dll


2008-06-23 18:42 826368 15c09e8a74a0988fb2f24eff9d68d886	c:\windows\system32\wininet.dll

2008-06-23 18:42 826368 15c09e8a74a0988fb2f24eff9d68d886	c:\windows\system32\dllcache\wininet.dll

2004-08-04 00:44 658944 d37dafb534ac8343d59a1b501abe852c	c:\windows\ServicePackFiles\i386\wininet.dll

2008-04-14 19:20 668672 0457f0afd6ee10445d8cf721fb5fa4eb	c:\windows\SoftwareDistribution\Download\dd64aa87403cfac627c6c8f37d245aa4\wininet.dll

2008-06-23 18:42 826368 15c09e8a74a0988fb2f24eff9d68d886	c:\windows\SoftwareDistribution\Download\a446573125167845eb48bcbe6a194592\SP2GDR\wininet.dll

2008-06-23 17:41 827904 e02939ebf940d5eb274903f58154dc56	c:\windows\SoftwareDistribution\Download\a446573125167845eb48bcbe6a194592\SP2QFE\wininet.dll

2008-02-16 11:32 668672 193f94d811881d00867aeb1d6780f44f	c:\windows\$hf_mig$\KB947864\SP2QFE\wininet.dll

2008-04-21 08:58 669184 e937ccfe8348f56c46c14c8a7e26f71b	c:\windows\$hf_mig$\KB950759\SP2QFE\wininet.dll

2008-04-21 08:44 668672 4f1ea30f3e4fb419e1637d9eb082662f	c:\windows\$hf_mig$\KB950759\SP3GDR\wininet.dll

2008-04-21 08:41 669184 a3c7b35454f87a0635c73e8cb5a36d1f	c:\windows\$hf_mig$\KB950759\SP3QFE\wininet.dll

2008-06-23 18:16 669696 bc26f2968396842367b02730435dd588	c:\windows\$hf_mig$\KB953838\SP2QFE\wininet.dll

2008-06-23 17:13 668672 28fa0fd33916ebebc3e0dc1410f48651	c:\windows\$hf_mig$\KB953838\SP3GDR\wininet.dll

2008-06-23 16:57 669184 9ea369835e233f077c0d832676a29d40	c:\windows\$hf_mig$\KB953838\SP3QFE\wininet.dll

2008-06-23 17:41 827904 e02939ebf940d5eb274903f58154dc56	c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\wininet.dll

2008-06-23 17:41 662016 32dc67b19496a88850c892cadf8366e3	c:\windows\ie7\wininet.dll

2007-08-13 18:54 818688 a4a0fc92358f39538a6494c42ef99fe9	c:\windows\ie7updates\KB953838-IE7\wininet.dll

2002-09-20 17:05 601600 4965c02574610e9b2d1e18d63d11a772	c:\windows\$NtServicePackUninstall$\wininet.dll


2008-06-20 12:45 360320 2a5554fc5b1e04e131230e3ce035c3f9	c:\windows\system32\drivers\tcpip.sys

2008-06-20 12:45 360320 2a5554fc5b1e04e131230e3ce035c3f9	c:\windows\system32\dllcache\tcpip.sys

2004-08-03 23:14 359040 9f4b36614a0fc234525ba224957de55c	c:\windows\ServicePackFiles\i386\tcpip.sys

2008-04-13 21:20 361344 93ea8d04ec73a85db02eb8805988f733	c:\windows\SoftwareDistribution\Download\dd64aa87403cfac627c6c8f37d245aa4\tcpip.sys

2007-10-30 18:53 360832 64798ecfa43d78c7178375fcdd16d8c8	c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys

2008-06-20 12:44 360960 744e57c99232201ae98c49168b918f48	c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys

2008-06-20 13:51 361600 9aefa14bd6b182d61e3119fa5f436d3d	c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys

2008-06-20 13:59 361600 ad978a1b783b5719720cff204b666c8e	c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys

2002-08-29 00:58 332928 244a2f9816bc9b593957281ef577d976	c:\windows\$NtServicePackUninstall$\tcpip.sys


2004-08-04 00:44 504832 0344407089b08548d4feba62bb0f32d0	c:\windows\system32\winlogon.exe

2004-08-04 00:44 504832 0344407089b08548d4feba62bb0f32d0	c:\windows\ServicePackFiles\i386\winlogon.exe

2008-04-14 19:21 510464 51fd2e13d723857b9ca239ae77150f48	c:\windows\SoftwareDistribution\Download\dd64aa87403cfac627c6c8f37d245aa4\winlogon.exe

2002-09-20 17:05 519168 8b6e6bb5d451f8bbc0621203b687d993	c:\windows\$NtServicePackUninstall$\winlogon.exe


2004-08-03 23:14 182912 558635d3af1c7546d26067d5d9b6959e	c:\windows\system32\drivers\ndis.sys

2004-08-03 23:14 182912 558635d3af1c7546d26067d5d9b6959e	c:\windows\ServicePackFiles\i386\ndis.sys

2008-04-13 21:20 182656 1df7f42665c94b825322fae71721130d	c:\windows\SoftwareDistribution\Download\dd64aa87403cfac627c6c8f37d245aa4\ndis.sys

2002-08-29 01:09 167552 3b350e5a2a5e951453f3993275a4523a	c:\windows\$NtServicePackUninstall$\ndis.sys


2004-08-03 23:00 29056 4448006b6bc60e6c027932cfc38d6855	c:\windows\system32\drivers\ip6fw.sys

2004-08-03 23:00 29056 4448006b6bc60e6c027932cfc38d6855	c:\windows\ServicePackFiles\i386\ip6fw.sys

2008-04-13 20:53 36608 3bb22519a194418d5fec05d800a19ad0	c:\windows\SoftwareDistribution\Download\dd64aa87403cfac627c6c8f37d245aa4\ip6fw.sys


2007-02-28 18:04 2058880 2bdc1a6cefe320e9c39fabf1961ebb9d	c:\windows\system32\ntkrnlpa.exe

2007-02-28 18:04 2058880 2bdc1a6cefe320e9c39fabf1961ebb9d	c:\windows\system32\dllcache\ntkrnlpa.exe

2004-08-04 00:38 2058112 44d1bc1b05e0c7c82e81687b79c653c7	c:\windows\ServicePackFiles\i386\ntkrnlpa.exe

2008-04-14 18:29 2067200 4bba965664faa56b187c27f4cad7e7c5	c:\windows\SoftwareDistribution\Download\dd64aa87403cfac627c6c8f37d245aa4\ntkrnlpa.exe

2005-03-02 20:14 2058240 35d11fdc381536ab95e3005489131f44	c:\windows\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe

2007-02-28 18:09 2060672 2f4a36b1b03d64fb176cb0f3eb597118	c:\windows\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe

2002-09-20 17:18 1949184 79d262478c985e736deb38ce2224fc75	c:\windows\$NtServicePackUninstall$\ntkrnlpa.exe


2007-02-28 18:04 2181632 c378be3a1edc5e4421d428655ac4a48c	c:\windows\system32\ntoskrnl.exe

2007-02-28 18:04 2181632 c378be3a1edc5e4421d428655ac4a48c	c:\windows\system32\dllcache\ntoskrnl.exe

2004-08-04 00:39 2182272 dcf53422b7edded3b7431fbae4a7ee3f	c:\windows\ServicePackFiles\i386\ntoskrnl.exe

2008-04-14 18:30 2190336 8ca14ecf04594eabbe93c9ff2e3cbfb1	c:\windows\SoftwareDistribution\Download\dd64aa87403cfac627c6c8f37d245aa4\ntoskrnl.exe

2005-03-02 20:14 2180864 dba3e4215279c8012b37d2135b531258	c:\windows\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe

2007-02-28 18:09 2183424 c450518ef9acc02a2d799698021e31a8	c:\windows\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe

2002-09-20 16:12 2043520 ae94ae0da6ed874ce08912fc63f8c6c2	c:\windows\$NtServicePackUninstall$\ntoskrnl.exe


2007-06-13 15:23 1034752 029a562e81bbee088c61d418bf408f44	c:\windows\explorer.exe

2007-06-13 15:23 1034752 029a562e81bbee088c61d418bf408f44	c:\windows\system32\dllcache\explorer.exe

2004-08-04 00:44 1033728 379098a96e6c165b659de7e4328010ea	c:\windows\ServicePackFiles\i386\explorer.exe

2008-04-14 19:21 1035264 c791ed9eac5e76d9525e157b1d7a599a	c:\windows\SoftwareDistribution\Download\dd64aa87403cfac627c6c8f37d245aa4\explorer.exe

2007-06-13 15:12 1034752 8db0650b211425b9cdb7d1c4a8f6b482	c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe

2002-09-20 17:05 1005568 f4af85d918e83d71341fce2aa5318181	c:\windows\$NtServicePackUninstall$\explorer.exe


2004-08-04 00:44 108544 3da8d964d2cc12ef8e8c342471a37917	c:\windows\system32\services.exe

2004-08-04 00:44 108544 3da8d964d2cc12ef8e8c342471a37917	c:\windows\ServicePackFiles\i386\services.exe

2008-04-14 19:21 109056 3e3ae424e27c4cefe4cab368c7b570ea	c:\windows\SoftwareDistribution\Download\dd64aa87403cfac627c6c8f37d245aa4\services.exe

2001-10-26 17:30 101888 bf4cbefdce42a699389791647cb95ca2	c:\windows\$NtServicePackUninstall$\services.exe


2004-08-04 00:44 13312 f485fefc8cc4fd29243d800be5d275d1	c:\windows\system32\lsass.exe

2004-08-04 00:44 13312 f485fefc8cc4fd29243d800be5d275d1	c:\windows\ServicePackFiles\i386\lsass.exe

2008-04-14 19:21 13312 88296f7943f30a1ee3af735440b92268	c:\windows\SoftwareDistribution\Download\dd64aa87403cfac627c6c8f37d245aa4\lsass.exe

2002-09-20 17:05 11776 fa2c871f57352339f0a1802bb9aea6e7	c:\windows\$NtServicePackUninstall$\lsass.exe


2004-08-04 00:44 15360 cbfa30492d70ce3938d8a7783d0c0436	c:\windows\system32\ctfmon.exe

2004-08-04 00:44 15360 cbfa30492d70ce3938d8a7783d0c0436	c:\windows\ServicePackFiles\i386\ctfmon.exe

2008-04-14 19:21 15360 1bd41eda5b869afc99895c39a8de36e1	c:\windows\SoftwareDistribution\Download\dd64aa87403cfac627c6c8f37d245aa4\ctfmon.exe

2002-09-20 17:05 13312 0c4c012b0a8960f48a666c240a7baa3d	c:\windows\$NtServicePackUninstall$\ctfmon.exe


2005-06-11 01:53 57856 da81ec57acd4cdc3d4c51cf3d409af9f	c:\windows\system32\spoolsv.exe

2004-08-04 00:44 57856 bebe8a85954ff460374fd5a0cd21e19b	c:\windows\ServicePackFiles\i386\spoolsv.exe

2008-04-14 19:21 57856 dd69ec597ab942c39b950d9c3ce1375d	c:\windows\SoftwareDistribution\Download\dd64aa87403cfac627c6c8f37d245aa4\spoolsv.exe

2005-06-11 02:17 57856 ad3d9d191aea7b5445fe1d82ffbb4788	c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe

2001-10-26 17:30 51200 414af353e9eeed8637d90370fd0c3b68	c:\windows\$NtServicePackUninstall$\spoolsv.exe


2004-08-04 00:44 25088 bd768099b4c44aa631728cb74eb54396	c:\windows\system32\userinit.exe

2004-08-04 00:44 25088 bd768099b4c44aa631728cb74eb54396	c:\windows\ServicePackFiles\i386\userinit.exe

2008-04-14 19:21 26624 2a5b37d520508be6570a3ea79695f5b5	c:\windows\SoftwareDistribution\Download\dd64aa87403cfac627c6c8f37d245aa4\userinit.exe

2002-09-20 17:05 22528 323d3ffcbf99c59b2d20b4c5a7ece347	c:\windows\$NtServicePackUninstall$\userinit.exe


2004-08-04 00:44 296448 2c28157229925280916b3041ccc5fe4b	c:\windows\system32\termsrv.dll

2004-08-04 00:44 296448 2c28157229925280916b3041ccc5fe4b	c:\windows\ServicePackFiles\i386\termsrv.dll

2008-04-14 19:20 296448 52e0505408edd4ab5ccc7f83b67b4299	c:\windows\SoftwareDistribution\Download\dd64aa87403cfac627c6c8f37d245aa4\termsrv.dll

2002-09-20 19:04 201216 c4ee140f5edcf2fc20099b56ddbe5445	c:\windows\$NtServicePackUninstall$\termsrv.dll


2007-04-16 17:54 1013248 c0aafee37ee787d9609d9fe00fa427f8	c:\windows\system32\kernel32.dll

2007-04-16 17:54 1013248 c0aafee37ee787d9609d9fe00fa427f8	c:\windows\system32\dllcache\kernel32.dll

2004-08-04 00:44 1012224 578bb2f44597cb53451ded99013573f3	c:\windows\ServicePackFiles\i386\kernel32.dll

2008-04-14 19:20 1018368 fce4ecc34a36edacf03dbe8de5e28910	c:\windows\SoftwareDistribution\Download\dd64aa87403cfac627c6c8f37d245aa4\kernel32.dll

2007-04-16 18:11 1014784 d8acc0b8c46fc756e3f64c14eaf9ce8f	c:\windows\$hf_mig$\KB935839\SP2QFE\kernel32.dll

2002-09-20 17:04 958976 8d452c28d7cad9b5bbdb3c41730305e9	c:\windows\$NtServicePackUninstall$\kernel32.dll


2004-08-04 00:44 17408 b20bb2a65349ef132fa7f2eb51a29e5c	c:\windows\system32\powrprof.dll

2004-08-04 00:44 17408 b20bb2a65349ef132fa7f2eb51a29e5c	c:\windows\ServicePackFiles\i386\powrprof.dll

2008-04-14 19:20 17408 414c17a2958aedac700bbaafbf999f94	c:\windows\SoftwareDistribution\Download\dd64aa87403cfac627c6c8f37d245aa4\powrprof.dll

2001-10-26 17:29 14848 cf06ff4307712677dd2ea86921ccd52f	c:\windows\$NtServicePackUninstall$\powrprof.dll


2004-08-04 00:44 110080 bdb679c04273b19bf46bd0d591fdeec3	c:\windows\system32\imm32.dll

2004-08-04 00:44 110080 bdb679c04273b19bf46bd0d591fdeec3	c:\windows\ServicePackFiles\i386\imm32.dll

2008-04-14 19:20 110080 2e9a03268e609917b83921ee16fd9cfb	c:\windows\SoftwareDistribution\Download\dd64aa87403cfac627c6c8f37d245aa4\imm32.dll

2002-09-20 17:03 103936 b85f29a061f7d554c8f8092ade4ec107	c:\windows\$NtServicePackUninstall$\imm32.dll

.

((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane  

REGEDIT4


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]


[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]


c:\documents and settings\All Users\Menu Start\Programy\Autostart\

Ralink Wireless Utility.lnk - c:\program files\RALINK\Common\RaUI.exe [2008-05-13 614400]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=  


[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute	REG_MULTI_SZ autocheck autochk *\[u]0[/u]OODBS


[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Menu Start\Programy\Autostart\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ALLUpdate]

--a------ 2008-11-24 20:44 869888 c:\program files\ALLPlayer\ALLUpdate.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GhostStartTrayApp]

--a------ 2002-08-14 15:21 94208 c:\program files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Odkurzacz-MCD]

--a------ 2008-08-16 16:01 264704 c:\program files\Odkurzacz\odk_mcd.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OODefragTray]

--a------ 2008-09-04 06:01 2524416 c:\windows\system32\oodtray.exe


[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

"AntiVirusOverride"=dword:00000001


[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=


R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-02-02 114768]

R1 GhPciScan;GhostPciScanner;c:\program files\Symantec\Norton Ghost 2003\GhPciScan.sys [2002-08-14 5632]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-02-02 20560]

.

.

------- Skan uzupełniający -------

.

uStart Page = hxxp://www.google.pl/

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\FOTO\Dane aplikacji\Mozilla\Firefox\Profiles\yd2qf5jn.default\

FF - prefs.js: browser.startup.homepage - hxxP://www.google.pl

.


**************************************************************************


catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-03-07 11:41:52

Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI


skanowanie ukrytych procesów ...  


skanowanie ukrytych wpisów autostartu ... 


skanowanie ukrytych plików ...  


skanowanie pomyślnie ukończone

ukryte pliki: 0


**************************************************************************

.

--------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]

"OODEFRAG11.00.00.01WORKSTATION"=<long hex value omitted>

.

Czas ukończenia: 2009-03-07 11:43:16

ComboFix-quarantined-files.txt 2009-03-07 10:43:14


Przed: 8 253 710 336 bajtów wolnych

Po: 8,243,314,688 bajtów wolnych


202	--- E O F ---	2008-09-21 10:55:21

(Leon$) #2

The logs look clean.

Download CCleaner http://www.filehippo.com/download_ccleaner/

scan with it and clean the registry.

Manually delete the C:\Qoobox folder and delete the ComboFix installer from your disk.

Turn System Restore off and back on for all drives: http://support.microsoft.com/kb/310405/pl

Scan the My Computer area with http://www.kaspersky.pl/virusscanner.html; if it finds any viruses, post the report.

:slight_smile: