I moved it onto my own computer, probably via an external storage device. I scanned the computer. Then ComboFix generated this file:
ComboFix 08-04-13.3 - Arek 2008-04-14 16:16:54.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.94 [GMT 2:00]
Running from: C:\Documents and Settings\Arek\Pulpit\ComboFix.exe
* Resident AV is active
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\newdotnet
C:\Program Files\newdotnet\nncore.dll
C:\Program Files\newdotnet\nnrun.exe
C:\WINDOWS\hosts
C:\WINDOWS\system32\ban_list.txt
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_NNSERV
-------\Service_NNServ
((((((((((((((((((((((((( Files Created from 2008-03-14 to 2008-04-14 )))))))))))))))))))))))))))))))
.
2008-04-13 23:41 . 2008-03-01 15:02 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-04-13 23:41 . 2007-07-01 05:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-04-13 23:41 . 2007-07-01 05:36 1,036,288 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-04-13 23:41 . 2008-03-01 15:02 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-04-13 23:41 . 2008-03-01 15:02 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-04-13 23:41 . 2008-03-01 15:02 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-04-13 23:41 . 2008-03-01 15:02 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-04-13 23:41 . 2008-03-01 15:02 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-04-13 23:41 . 2008-02-22 12:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-04-13 23:40 . 2008-04-13 23:42
2008-04-11 00:06 . 2008-04-11 01:29
2008-04-10 18:23 . 2007-07-09 15:11 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-04-10 18:10 . 2008-04-10 18:10
2008-04-10 18:10 . 2008-04-10 18:10
2008-04-10 17:56 . 2008-04-14 15:43
2008-04-10 17:56 . 2008-04-13 23:45 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-04-10 17:46 . 2007-07-30 19:19 38,232 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-04-10 17:46 . 2007-07-30 19:20 30,040 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-04-10 17:46 . 2007-07-30 19:20 30,040 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-04-10 17:46 . 2007-07-30 19:18 21,336 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-04-09 19:26 . 2008-04-09 19:26
2008-04-09 17:55 . 2008-04-09 17:55
2008-04-09 17:55 . 2008-04-09 17:57
2008-04-09 17:54 . 2008-04-09 17:54
2008-04-09 16:00 . 2008-04-09 16:37
2008-04-09 16:00 . 2008-04-09 18:59
2008-04-07 20:59 . 2008-04-08 12:08 5,120 --ahs---- C:\WINDOWS\system32\Thumbs.db
2008-03-31 19:18 . 2008-03-31 19:18 164 --a------ C:\WINDOWS\wininit.ini
2008-03-27 20:01 . 2008-04-05 19:22 45,056 --a------ C:\WINDOWS\system32\UTSCSI.EXE
2008-03-14 16:00 . 2003-06-23 02:44 1,415,680 --a------ C:\WINDOWS\system32\wmv9vcm.dll
2008-03-14 16:00 . 2003-08-29 01:55 423,424 --a------ C:\WINDOWS\system32\WMAVDS32.ax
2008-03-14 16:00 . 2001-03-26 04:41 245,760 --a------ C:\WINDOWS\system32\mp4sds32.ax
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-11 00:17 --------- d-----w C:\Documents and Settings\Arek\Dane aplikacji\Skype
2008-04-09 16:00 --------- d-----w C:\Program Files\Norton Security Scan
2008-04-09 15:44 --------- d-----w C:\Program Files\hp deskjet 3820 series
2008-04-09 13:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-09 13:40 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-31 17:17 --------- d-----w C:\Program Files\GG Skin Manager
2008-03-31 17:17 --------- d-----w C:\Documents and Settings\Arek\Dane aplikacji\Ashampoo Photo Commander 4
2008-03-29 11:54 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-09 19:39 --------- d-----w C:\Program Files\Common Files\ACD Systems
2008-03-09 14:05 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\ashampoo
2008-02-28 13:51 20,496 -c--a-w C:\Documents and Settings\Arek\Dane aplikacji\GDIPFONTCACHEV1.DAT
2008-02-18 18:06 --------- d-----w C:\Program Files\ACD Systems
2008-02-16 12:57 --------- d-----w C:\Program Files\Common Files\Adobe
2005-11-28 17:37 37 -c--a-w C:\Documents and Settings\Arek\getfile.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"amva"="C:\WINDOWS\system32\amvo.exe" []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2002-08-02 13:00 46592 C:\WINDOWS\SOUNDMAN.EXE]
"DiskeeperSystray"="C:\Program Files\Executive Software\Diskeeper\DkIcon.exe" [2005-03-07 14:16 184408]
"AudioDeck"="C:\Program Files\VIAudioi\SBADeck\ADeck.exe" [2008-01-16 16:45 495616]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-03-28 11:20 188416]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 00:44 110592 C:\WINDOWS\system32\bthprops.cpl]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 14:06 40048]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" []
[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:44 15360]
C:\Documents and Settings\Arek\Menu Start\Programy\Autostart\
Diskeeper 9 Professional Edition Registration.lnk - C:\Program Files\Executive Software\Diskeeper\ESIRegister.exe [2005-01-04 13:24:12 3674112]
C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 10:01:04 83360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= sockspy.dll
[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"=
"C:\Program Files\Gadu-Gadu\gg.exe"=
"C:\WINDOWS\system32\dplaysvr.exe"=
"C:\Program Files\Offroad\OffRoadNormal.exe"=
"C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe"=
"C:\Program Files\Skype\Phone\Skype.exe"=
"%windir%\Network Diagnostic\xpnetdiag.exe"=
[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2007-11-23 21:52]
R1 VIAPFD;VIAPFD;C:\WINDOWS\system32\Drivers\VIAPFD.SYS [2001-12-18 14:45]
S3 KS-959;MA-620 USB Infrared Adapter;C:\WINDOWS\system32\DRIVERS\KS-959.sys [2005-10-22 10:06]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0de589f0-0e9d-11da-b188-000d88323ea0}]
\Shell\AutoRun\command - F:\mgjpcfdg.cmd
\Shell\explore\Command - F:\mgjpcfdg.cmd
\Shell\open\Command - F:\mgjpcfdg.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{11007530-df20-11dc-b67d-0008f420b922}]
\Shell\AutoRun\command - F:\cayfq2.cmd
\Shell\explore\Command - F:\cayfq2.cmd
\Shell\open\Command - F:\cayfq2.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5efe00e0-2f18-11dc-b52b-0008f420b922}]
\Shell\AutoRun\command - F:\m9j.com
\Shell\explore\Command - F:\m9j.com
\Shell\open\Command - F:\m9j.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5efe00e1-2f18-11dc-b52b-0008f420b922}]
\Shell\AutoRun\command - G:\USBNB.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d8d61810-fce1-11dc-b6b7-0008f420b922}]
\Shell\AutoRun\command - F:\kxax.cmd
\Shell\explore\Command - F:\kxax.cmd
\Shell\open\Command - F:\kxax.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d8d61811-fce1-11dc-b6b7-0008f420b922}]
\Shell\AutoRun\command - G:\USBNB.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-04-09 16:01:00 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-14 16:22:54
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\lsass.exe
-
C:\Program Files\NetLimiter\nl_lsp.dll
-
C:\WINDOWS\system32\nl_msgc.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\UTSCSI.EXE
C:\WINDOWS\system32\wbem\wmiapsrv.exe
.
**************************************************************************
.
Completion time: 2008-04-14 16:28:30 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-14 14:28:16
Pre-Run: 3,491,033,088 bytes free
Post-Run: 3,421,888,512 bytes free
.
2008-04-14 13:46:15 --- E O F ---
Please help.
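Added example (not from the original post and not ComboFix's own code): a small Python parser that pulls the persistence-related entries out of a log in the layout above, namely the MountPoints2 AutoRun/open/explore commands that point at non-system drives, Run values that ComboFix listed with an empty `[]` after the path, and the AppInit_DLLs value. The log excerpt inside it is constructed from the lines above and is not a complete log. Treating C: as the system drive, and reading an empty `[]` as "ComboFix recorded no file details for this path, check it by hand", are assumptions of the example, not statements from the ComboFix documentation.

```python
"""Pull autorun indicators out of the "Reg Loading Points" section of a ComboFix log.

Added example for this thread; it is not part of ComboFix and not the poster's code.
Assumed layout (as seen in the log above): registry keys in [brackets], values as
"name"="path" [timestamp size], MountPoints2 verbs as \\Shell\\<verb>\\command - <path>.
"""
import re

# Constructed excerpt of the log posted above (not a complete log).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44 15360]
"amva"="C:\WINDOWS\system32\amvo.exe" []
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= sockspy.dll
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{0de589f0-0e9d-11da-b188-000d88323ea0}]
\Shell\AutoRun\command - F:\mgjpcfdg.cmd
\Shell\explore\Command - F:\mgjpcfdg.cmd
\Shell\open\Command - F:\mgjpcfdg.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{5efe00e1-2f18-11dc-b52b-0008f420b922}]
\Shell\AutoRun\command - G:\USBNB.exe
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s*\[(.*)\]$')
APPINIT_RE = re.compile(r'^"AppInit_DLLs"=\s*(.*)$')
# The key is MountPoints2\{GUID}; the backslash is sometimes lost when a log is pasted.
MOUNTPOINT_RE = re.compile(r"mountpoints2\\?\{([0-9a-fA-F-]+)\}", re.IGNORECASE)
VERB_RE = re.compile(r"^\\Shell\\(\w+)\\command - (.+)$", re.IGNORECASE)
SYSTEM_DRIVE = "C:"  # assumption: the OS lives on C:, as in the log above


def find_autorun_indicators(log_text):
    """Return the persistence entries a reviewer of this log checks first."""
    result = {
        "mountpoint_commands": [],           # (volume GUID, verb, command)
        "run_entries_without_metadata": [],  # (key, value name, path)
        "appinit_dlls": [],
        "drives_with_autorun": set(),
    }
    current_key = None
    current_guid = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            g = MOUNTPOINT_RE.search(current_key)
            current_guid = g.group(1).lower() if g else None
            continue
        m = APPINIT_RE.match(line)
        if m and m.group(1):
            # AppInit_DLLs is loaded into every process that links user32.dll,
            # so anything here that is not a known product deserves a look.
            result["appinit_dlls"].extend(d for d in re.split(r"[,\s]+", m.group(1)) if d)
            continue
        m = VALUE_RE.match(line)
        if m:
            name, path, meta = m.groups()
            # ComboFix prints "[timestamp size]" for the target file. An empty "[]"
            # is taken here (assumption) to mean no file details were recorded,
            # i.e. verify that path by hand.
            if current_key and current_key.lower().endswith("\\run") and not meta.strip():
                result["run_entries_without_metadata"].append((current_key, name, path))
            continue
        m = VERB_RE.match(line)
        if m and current_guid:
            verb, command = m.groups()
            result["mountpoint_commands"].append((current_guid, verb, command))
            drive = command[:2]
            if re.match(r"^[A-Za-z]:$", drive) and drive.upper() != SYSTEM_DRIVE:
                result["drives_with_autorun"].add(drive.upper())
    return result


def payload_files(result):
    """Distinct files that the MountPoints2 verbs would launch on double-click/AutoRun."""
    return sorted({cmd for _, _, cmd in result["mountpoint_commands"]})


if __name__ == "__main__":
    r = find_autorun_indicators(SAMPLE_LOG)
    for guid, verb, cmd in r["mountpoint_commands"]:
        print(f"MountPoints2 {guid} {verb}: {cmd}")
    print("Run entries with no file metadata:", r["run_entries_without_metadata"])
    print("AppInit_DLLs:", r["appinit_dlls"])
    print("Drives with autorun handlers:", sorted(r["drives_with_autorun"]))
    print("Payloads to inspect:", payload_files(r))
```

Run it against a full log (replace `SAMPLE_LOG` with the file contents) to get the list of drive letters whose MountPoints2 keys carry AutoRun/open/explore handlers; those are the volumes that should be scanned with AutoRun disabled before they are plugged into a clean machine, and the handler keys themselves are what a cleanup script removes under HKCU.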