As in the subject line, please check my ComboFix log:
ComboFix 09-01-21.04 - Admin 2009-01-25 13:59:50.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1250.1.1045.18.2047.1633 [GMT 1:00]
Uruchomiony z: c:\documents and settings\Admin\Pulpit\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
* Utworzono nowy punkt przywracania
UWAGA - TEN KOMPUTER NIE MA ZAINSTALOWANEJ KONSOLI ODZYSKIWANIA
.
((((((((((((((((((((((((( Pliki utworzone od 2008-12-25 do 2009-01-25 )))))))))))))))))))))))))))))))
.
2009-01-25 12:08 . 2009-01-25 12:08
2009-01-23 14:17 . 2009-01-23 14:17
2009-01-23 11:49 . 2009-01-23 11:49
2009-01-19 10:53 . 2009-01-19 10:53
2009-01-18 22:06 . 2009-01-25 12:57
2009-01-18 22:06 . 2009-01-18 22:06
2009-01-17 20:43 . 2009-01-19 13:10
2009-01-13 14:36 . 2009-01-13 14:36
2009-01-12 22:19 . 2009-01-12 22:19
2009-01-12 19:39 . 2009-01-12 19:39
2009-01-12 19:37 . 2009-01-12 19:37
2009-01-12 19:37 . 2009-01-12 19:37
2009-01-12 19:37 . 2006-06-29 13:07 14,048 --------- c:\windows\system32\spmsg2.dll
2009-01-12 19:14 . 2009-01-12 19:14
2009-01-12 19:03 . 2009-01-12 19:03
2009-01-12 18:46 . 2009-01-12 18:46
2009-01-12 18:42 . 2009-01-12 18:42
2009-01-12 18:42 . 2009-01-12 18:49 107,888 --a------ c:\windows\system32\CmdLineExt.dll
2009-01-12 18:41 . 2009-01-12 18:42
2009-01-12 18:40 . 2009-01-12 18:40
2009-01-12 18:40 . 2009-01-12 19:52
2009-01-12 17:27 . 2008-06-14 18:36 273,024 -----c--- c:\windows\system32\dllcache\bthport.sys
2009-01-12 17:26 . 2008-10-16 02:02 1,499,136 -----c--- c:\windows\system32\dllcache\shdocvw.dll
2009-01-12 17:26 . 2008-10-16 02:02 668,672 -----c--- c:\windows\system32\dllcache\wininet.dll
2009-01-12 17:26 . 2008-10-16 02:02 619,520 -----c--- c:\windows\system32\dllcache\urlmon.dll
2009-01-12 17:26 . 2008-09-08 11:41 333,824 -----c--- c:\windows\system32\dllcache\srv.sys
2009-01-12 17:26 . 2008-08-14 11:04 138,496 -----c--- c:\windows\system32\dllcache\afd.sys
2009-01-12 17:24 . 2008-09-15 16:27 1,846,656 -----c--- c:\windows\system32\dllcache\win32k.sys
2009-01-12 17:23 . 2008-08-14 14:26 2,190,464 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2009-01-12 17:23 . 2008-08-14 14:26 2,146,816 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-01-12 17:23 . 2008-08-14 14:26 2,067,328 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-01-12 17:23 . 2008-08-14 14:26 2,025,472 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2009-01-12 17:22 . 2009-01-12 17:22
2009-01-12 17:22 . 2009-01-12 17:22
2009-01-12 17:22 . 2008-12-12 18:03 3,088,896 -----c--- c:\windows\system32\dllcache\mshtml.dll
2009-01-12 17:22 . 2008-04-11 20:06 691,712 -----c--- c:\windows\system32\dllcache\inetcomm.dll
2009-01-12 17:22 . 2008-10-24 12:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2009-01-12 17:22 . 2008-05-01 15:37 331,776 -----c--- c:\windows\system32\dllcache\msadce.dll
2009-01-12 17:22 . 2008-05-08 15:02 203,136 -----c--- c:\windows\system32\dllcache\rmcast.sys
2009-01-12 17:21 . 2008-09-04 18:17 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2009-01-12 17:21 . 2008-10-15 17:36 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2009-01-12 17:20 . 2009-01-12 17:20
2009-01-12 17:20 . 2009-01-12 17:20
2009-01-12 17:19 . 2009-01-12 19:18
2009-01-12 17:16 . 2009-01-13 17:05
2009-01-12 17:13 . 2009-01-12 17:23
2009-01-12 17:13 . 2009-01-12 17:13 717,296 --a------ c:\windows\system32\drivers\sptd.sys
2009-01-12 17:03 . 2009-01-12 17:03
2009-01-12 17:03 . 2008-04-14 22:51 294,912 -----c--- c:\windows\system32\dllcache\dlimport.exe
2009-01-12 17:01 . 2006-12-29 00:31 19,569 --a------ c:\windows\002703_.tmp
2009-01-12 16:59 . 2009-01-12 16:59
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-25 13:02 --------- d-----w c:\program files\neostrada tp
2009-01-24 16:38 --------- d-----w c:\program files\BitComet
2009-01-23 13:17 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-12 18:03 --------- d-----w c:\program files\Yahoo!
2009-01-12 15:59 --------- d-----w c:\documents and settings\Admin\Dane aplikacji\AVGTOOLBAR
2008-12-22 14:02 --------- d-----w c:\program files\BitTorrent
2008-12-22 14:00 --------- d-----w c:\documents and settings\Admin\Dane aplikacji\BitTorrent
2008-12-15 21:26 --------- d-----w c:\documents and settings\Admin\Dane aplikacji\gtk-2.0
2008-12-15 21:02 --------- d-----w c:\documents and settings\All Users\Dane aplikacji\FLEXnet
2008-12-15 19:58 --------- d-----w c:\program files\Bonjour
2008-12-15 19:52 --------- d-----w c:\program files\Common Files\Macrovision Shared
2008-12-10 18:17 --------- d-----w c:\documents and settings\All Users\Dane aplikacji\WEBREG
2008-12-10 18:17 --------- d-----w c:\documents and settings\All Users\Dane aplikacji\Hewlett-Packard
2008-12-10 18:15 --------- d-----w c:\program files\HP
2008-12-10 18:15 --------- d-----w c:\documents and settings\All Users\Dane aplikacji\HPSSUPPLY
2008-12-10 18:15 --------- d-----w c:\documents and settings\Admin\Dane aplikacji\HPAppData
2008-12-10 18:14 --------- d-----w c:\program files\Hewlett-Packard
2008-12-10 18:14 --------- d-----w c:\program files\Common Files\HP
2008-12-10 18:14 --------- d-----w c:\program files\Common Files\Hewlett-Packard
2008-12-10 18:14 --------- d-----w c:\documents and settings\All Users\Dane aplikacji\HP Product Assistant
2008-12-10 18:14 --------- d-----w c:\documents and settings\All Users\Dane aplikacji\HP
2008-12-09 15:09 --------- d-----w c:\program files\GIMP-2.0
2008-12-09 14:26 --------- d-----w c:\documents and settings\Admin\Dane aplikacji\Gadu-Gadu
2008-12-07 08:54 --------- d-----w c:\program files\K-Lite Codec Pack
2008-12-07 08:54 --------- d-----w c:\documents and settings\Admin\Dane aplikacji\Media Player Classic
2008-12-05 07:48 --------- d-----w c:\documents and settings\All Users\Dane aplikacji\Sports Interactive
2008-12-05 07:35 --------- d--h--w c:\program files\Zero G Registry
2008-12-05 07:31 --------- d-----w c:\documents and settings\Admin\Dane aplikacji\Sports Interactive
2008-12-04 19:53 --------- d-----w c:\program files\Gadu-Gadu
2008-12-04 19:44 --------- d-----w c:\program files\Thomson
2008-12-04 19:34 --------- d-----w c:\program files\Java
2008-12-04 19:28 --------- d-----w c:\program files\Kaspersky Lab
2008-12-04 19:27 --------- d-----w c:\documents and settings\All Users\Dane aplikacji\Kaspersky Lab Setup Files
2008-12-02 12:36 --------- d-----w c:\program files\Realtek
2008-12-02 12:19 315,392 ----a-w c:\windows\HideWin.exe
2008-12-02 12:19 --------- d-----w c:\program files\Common Files\InstallShield
2008-12-02 12:19 --------- d-----w c:\documents and settings\Admin\Dane aplikacji\InstallShield
2008-12-02 12:18 --------- d-----w c:\program files\ASUS
2008-12-02 11:55 --------- d-----w c:\program files\microsoft frontpage
2008-12-02 11:54 --------- d-----w c:\program files\Usługi online
.
((((((((((((((((((((((((((((( snapshot@2009-01-19_10.49.09,65 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-10-20 19:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WOOWATCH"="c:\progra~1\NEOSTR~1\Watch.exe" [2004-08-23 20480]
"WOOTASKBARICON"="c:\progra~1\NEOSTR~1\GestMaj.exe" [2004-10-14 32768]
"SpeedTouch USB Diagnostics"="c:\program files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 866816]
[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
[HKLM~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Menu Start\Programy\Autostart\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
--a------ 2002-12-28 16:33 1261336 c:\progra~1\AVG\AVG8\avgtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2008-04-14 22:51 15360 c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-12-29 11:40 687560 c:\program files\DAEMON Tools Lite\daemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2007-07-05 15:08 16380416 c:\windows\RTHDCPL.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
--a------ 2007-06-15 15:45 1826816 c:\windows\SkyTel.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"=
"c:\Program Files\AVG\AVG8\avgemc.exe"=
"c:\Program Files\AVG\AVG8\avgupd.exe"=
"c:\Program Files\Gadu-Gadu\gg.exe"=
"%windir%\Network Diagnostic\xpnetdiag.exe"=
"c:\Program Files\BitComet\BitComet.exe"=
[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"14604:TCP"= 14604:TCP:BitComet 14604 TCP
"14604:UDP"= 14604:UDP:BitComet 14604 UDP
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2002-12-28 97928]
R4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2002-12-28 875288]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2002-12-28 231704]
R4 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2002-12-28 76040]
.
Zawartość folderu 'Zaplanowane zadania'
2009-01-18 c:\windows\Tasks\Norton Security Scan for Admin.job
- c:\program files\Norton Security Scan\Nss.exe [2008-09-19 04:18]
.
.
------- Skan uzupełniający -------
.
uStart Page = hxxp://google.atcomet.com/b/
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Pobierz wszystkie VIdeo za pomocą BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: Pobierz wszystko za pomocą BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: Pobierz za pomocą BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: { - c:\program files\Messenger\msmsgs.exe
TCP: {95DC4B1D-C836-4122-86CB-8DEFE32740BD} = 194.204.159.1 217.98.63.164
FF - ProfilePath - c:\documents and settings\Admin\Dane aplikacji\Mozilla\Firefox\Profiles\gfy721vj.default\
FF - prefs.js: browser.startup.homepage - hxxp://google.atcomet.com/b/
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
FF - component: c:\program files\DAEMON Tools Toolbar\FirefoxDTT\components\DTToolbarFF.dll
FF - plugin: c:\program files\Java\j2re1.4.0_03\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.0_03\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.0_03\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.0_03\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.0_03\bin\NPJPI140_03.dll
FF - plugin: c:\program files\Java\j2re1.4.0_03\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-25 14:03:03
Windows 5.1.2600 Dodatek Service Pack 3 NTFS
skanowanie ukrytych procesów ...
skanowanie ukrytych wpisów autostartu ...
skanowanie ukrytych plików ...
skanowanie pomyślnie ukończone
ukryte pliki: 0
**************************************************************************
.
--------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------
[HKEY_USERS\S-1-5-21-606747145-1450960922-682003330-1003\Software\SecuROM\License information*]
"datasecu"=hex:74,d0,f7,af,57,e2,f2,6d,da,74,c8,5b,c1,cf,29,af,5c,e8,e6,c1,87,
fe,73,eb,9f,dd,57,42,46,67,5e,61,d4,d7,03,30,9d,46,b1,00,9c,89,5d,6b,ff,ab,\
"rkeysecu"=hex:29,23,be,84,e1,6c,d6,ae,52,90,49,f1,f1,bb,e9,eb
.
--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------
- - - - - - - > 'winlogon.exe'(712)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Pozostałe uruchomione procesy ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\FTRTSVC.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\NEOSTR~1\TaskBarIcon.exe
.
**************************************************************************
.
Czas ukończenia: 2009-01-25 14:05:52 - komputer został uruchomiony ponownie
ComboFix-quarantined-files.txt 2009-01-25 13:05:50
ComboFix2.txt 2009-01-19 09:50:47
Przed: 40 068 669 440 bajtów wolnych
Po: 40,011,411,456 bajtów wolnych
216 --- E O F --- 2009-01-13 22:04:34