qNick

Request to check a log


Hello.

 

I recently caught the Vundo trojan, plus probably some extras (pop-ups, Automatic Updates blocked, slow page loading). I fought it for a while, with decent results, but to be sure I'd like someone to check what else is still wrong:

 

HijackThis:
Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:09:29 PM, on 5/15/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Creative\Shared Files\CTAudSvc.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe

C:\WINDOWS\system32\CTHELPER.EXE

C:\WINDOWS\system32\CTXFIHLP.EXE

C:\WINDOWS\SYSTEM32\CTXFISPI.EXE

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\qNick\Desktop\HiJackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [iAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [24f2973e] rundll32.exe "C:\WINDOWS\system32\ipubxopi.dll",b

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1210883055062

O17 - HKLM\System\CCS\Services\Tcpip\..\{A08C7FF7-8F14-47E1-BEF7-7621C84AC1AB}: NameServer = 192.168.1.1

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe

O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe

O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe

 

--

End of file - 4765 bytes

ComboFix:
ComboFix 08-05-15.2 - qNick 2008-05-15 21:47:31.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1250.48.1033.18.1661 [GMT -7:00]

Running from: C:\Documents and Settings\qNick\Desktop\ComboFix.exe

* Created a new restore point

* Resident AV is active

 

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\WINDOWS\cookies.ini

C:\WINDOWS\system32\edyvpkvx.ini

C:\WINDOWS\system32\hgjmlUvw.ini

C:\WINDOWS\system32\hgjmlUvw.ini2

C:\WINDOWS\system32\ipoxbupi.ini

C:\WINDOWS\system32\mcrh.tmp

C:\WINDOWS\system32\PWyIlUtv.ini

C:\WINDOWS\system32\PWyIlUtv.ini2

 

.

((((((((((((((((((((((((( Files Created from 2008-04-16 to 2008-05-16 )))))))))))))))))))))))))))))))

.

 

2008-05-15 21:49 . 2008-05-15 21:49 <DIR> d-------- C:\WINDOWS\system32\xircom

2008-05-15 21:49 . 2008-05-15 21:49 <DIR> d-------- C:\Program Files\microsoft frontpage

2008-05-15 21:17 . 2008-05-15 21:17 116,736 --a------ C:\WINDOWS\system32\ipubxopi.dll

2008-05-15 21:11 . 2008-05-15 21:11 95,232 --------- C:\WINDOWS\version.exe

2008-05-15 19:53 . 2008-05-15 19:53 <DIR> d-------- C:\Program Files\Common Files\Adobe

2008-05-15 18:02 . 2008-05-15 18:02 <DIR> d-------- C:\Documents and Settings\qNick\Application Data\GARMIN

2008-05-15 18:01 . 2008-05-15 18:01 <DIR> d-------- C:\Program Files\Garmin

2008-05-15 16:50 . 2008-05-15 18:01 <DIR> d-------- C:\Garmin

2008-05-15 15:55 . 2008-05-15 15:57 <DIR> d-------- C:\Program Files\Microsoft Bootvis

2008-05-15 15:53 . 2008-05-15 15:53 <DIR> d-------- C:\Program Files\Windows Media Connect 2

2008-05-15 15:52 . 2008-05-15 15:52 <DIR> d-------- C:\WINDOWS\system32\LogFiles

2008-05-15 15:52 . 2008-05-15 15:53 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF

2008-05-15 15:40 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll

2008-05-15 15:40 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll

2008-05-15 15:40 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui

2008-05-15 15:39 . 2008-05-15 15:39 <DIR> d-------- C:\Documents and Settings\qNick\Application Data\skypePM

2008-05-15 15:39 . 2008-05-15 15:39 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat

2008-05-15 15:38 . 2008-05-15 15:38 <DIR> d-------- C:\Program Files\Skype

2008-05-15 15:38 . 2008-05-15 15:38 <DIR> d-------- C:\Program Files\Common Files\Skype

2008-05-15 15:38 . 2008-05-15 15:38 <DIR> d-------- C:\Documents and Settings\qNick\Gadu-Gadu

2008-05-15 15:38 . 2008-05-15 15:40 <DIR> d-------- C:\Documents and Settings\qNick\Application Data\Skype

2008-05-15 15:38 . 2008-05-15 15:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype

2008-05-15 15:37 . 2008-05-15 15:37 <DIR> d-------- C:\Program Files\Gadu-Gadu

2008-05-15 15:36 . 2008-05-15 15:36 <DIR> d-------- C:\WINDOWS\SHELLNEW

2008-05-15 15:35 . 2008-05-15 15:35 <DIR> dr-h----- C:\MSOCache

2008-05-15 15:35 . 2008-05-15 15:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help

2008-05-15 15:31 . 2000-05-11 01:00 90,112 --------- C:\WINDOWS\Updreg.EXE

2008-05-15 15:25 . 2008-05-15 15:25 152 --a------ C:\WINDOWS\CoolPlay.ini

2008-05-15 15:18 . 2000-05-22 01:58 647,872 --------- C:\WINDOWS\system32\Mscomct2.ocx

2008-05-15 15:18 . 1999-10-10 10:00 41,984 --------- C:\WINDOWS\Ctregrun.exe

2008-05-15 15:14 . 2008-05-15 21:48 55,384 --a------ C:\WINDOWS\system32\BMXStateBkp-{00000006-00000000-00000006-00001102-00000005-00211102}.rfx

2008-05-15 15:14 . 2008-05-15 21:48 55,384 --a------ C:\WINDOWS\system32\BMXState-{00000006-00000000-00000006-00001102-00000005-00211102}.rfx

2008-05-15 15:14 . 2008-05-15 15:14 1,024 --ah----- C:\Documents and Settings\Default User\NTUSER.dat.LOG

2008-05-15 15:14 . 2008-05-15 21:48 788 --a------ C:\WINDOWS\system32\DVCState-{00000006-00000000-00000006-00001102-00000005-00211102}.rfx

2008-05-15 15:13 . 2008-05-15 15:31 <DIR> d-------- C:\Program Files\Creative

2008-05-15 15:13 . 2008-05-15 15:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Creative

2008-05-15 15:13 . 2008-05-15 15:13 413,696 --a------ C:\WINDOWS\system32\wrap_oal.dll

2008-05-15 15:13 . 2008-05-15 15:13 110,592 --a------ C:\WINDOWS\system32\OpenAL32.dll

2008-05-15 15:13 . 2007-02-26 15:24 94,208 --a------ C:\WINDOWS\system32\cttele32.dll

2008-05-15 15:13 . 2008-04-14 00:15 6,272 --a------ C:\WINDOWS\system32\drivers\splitter.sys

2008-05-15 15:12 . 2008-05-15 15:12 <DIR> d-------- C:\Documents and Settings\qNick\Application Data\Creative

2008-05-15 15:06 . 2008-05-15 15:06 <DIR> d-------- C:\WINDOWS\system32\ENU

2008-05-15 15:06 . 2007-10-18 15:51 126,976 --a------ C:\WINDOWS\system32\Imsmudlg.exe

2008-05-15 15:04 . 2008-05-15 15:04 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE

2008-05-15 15:04 . 2008-05-15 15:06 <DIR> d-------- C:\Program Files\Intel

2008-05-15 15:04 . 2008-05-15 15:04 <DIR> d-------- C:\Intel

2008-05-15 15:04 . 2008-05-15 15:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\LogiShrd

2008-05-15 15:04 . 2007-07-26 16:15 53,248 --a------ C:\WINDOWS\system32\CSVer.dll

2008-05-15 15:03 . 2008-05-15 15:03 <DIR> d-------- C:\Documents and Settings\qNick\Application Data\Logitech

2008-05-15 15:03 . 2008-05-15 15:03 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf

2008-05-15 15:03 . 2008-05-15 15:03 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_LUsbFilt_01005.Wdf

2008-05-15 15:03 . 2008-05-15 15:03 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf

2008-05-15 15:02 . 2008-05-15 15:02 <DIR> d-------- C:\Program Files\Logitech

2008-05-15 15:02 . 2008-05-15 15:02 <DIR> d-------- C:\Program Files\Common Files\Logishrd

2008-05-15 15:02 . 2008-05-15 15:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Logitech

2008-05-15 15:02 . 2008-01-09 12:26 301,656 --a------ C:\WINDOWS\system32\BtCoreIf.dll

2008-05-15 15:02 . 2008-01-09 12:27 170,512 --a------ C:\WINDOWS\system32\kemutb.dll

2008-05-15 15:02 . 2008-01-09 12:28 141,840 --a------ C:\WINDOWS\system32\KemUtil.dll

2008-05-15 15:02 . 2008-01-09 12:28 117,264 --a------ C:\WINDOWS\system32\KemWnd.dll

2008-05-15 15:02 . 2008-01-09 12:28 76,304 --a------ C:\WINDOWS\system32\KemXML.dll

2008-05-15 14:34 . 2008-05-15 14:41 <DIR> d-------- C:\Program Files\SUPERAntiSpyware

2008-05-15 14:34 . 2008-05-15 14:34 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

2008-05-15 14:34 . 2008-05-15 14:34 <DIR> d-------- C:\Documents and Settings\qNick\Application Data\SUPERAntiSpyware.com

2008-05-15 14:34 . 2008-05-15 14:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com

2008-05-15 13:52 . 2008-05-15 13:58 <DIR> d-------- C:\Program Files\PowerISO

2008-05-15 13:24 . 2008-05-15 13:24 <DIR> d--hs---- C:\Documents and Settings\qNick\UserData

2008-05-15 13:24 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll

2008-05-15 13:24 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui

2008-05-15 13:24 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui

2008-05-15 13:24 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui

2008-05-15 13:24 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui

2008-05-15 13:21 . 2008-05-15 13:21 <DIR> d-------- C:\Program Files\uTorrent

2008-05-15 13:21 . 2008-05-15 21:17 <DIR> d-------- C:\Documents and Settings\qNick\Application Data\uTorrent

2008-05-15 13:19 . 2008-05-15 13:19 <DIR> d-------- C:\Program Files\ESET

2008-05-15 13:19 . 2008-05-15 13:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET

2008-05-15 13:16 . 2008-05-15 15:18 <DIR> d-------- C:\Program Files\Common Files\InstallShield

2008-05-15 13:10 . 2008-05-15 13:10 <DIR> d-------- C:\WINDOWS\OPTIONS

2008-05-15 13:10 . 2008-05-15 13:10 <DIR> d-------- C:\Program Files\Realtek

2008-05-15 13:10 . 2008-05-15 15:31 <DIR> d--h----- C:\Program Files\InstallShield Installation Information

2008-05-15 13:10 . 2007-10-23 18:51 103,296 --a------ C:\WINDOWS\system32\drivers\Rtenicxp.sys

2008-05-15 13:09 . 2008-05-15 13:09 <DIR> d-------- C:\Documents and Settings\qNick\Application Data\InstallShield

2008-05-15 13:04 . 2008-05-15 13:04 <DIR> d---s---- C:\WINDOWS\system32\Microsoft

2008-05-15 13:04 . 2008-05-15 15:38 <DIR> d-------- C:\Documents and Settings\qNick

2008-05-15 13:04 . 2008-05-15 13:04 <DIR> d--hs---- C:\Documents and Settings\LocalService

2008-05-15 13:04 . 2008-05-15 21:49 86,016 --ah----- C:\Documents and Settings\qNick\ntuser.dat.LOG

2008-05-15 13:04 . 2008-05-15 21:49 1,024 --ah----- C:\Documents and Settings\LocalService\ntuser.dat.LOG

2008-05-15 13:01 . 2008-05-15 21:49 1,024 --ah----- C:\Documents and Settings\NetworkService\ntuser.dat.LOG

2008-05-15 13:00 . 2008-05-15 13:34 <DIR> d-------- C:\WINDOWS\system32\dllcache

2008-05-15 13:00 . 2008-05-15 15:53 <DIR> d--hs---- C:\Documents and Settings\All Users\DRM

2008-05-04 16:00 . 2008-04-30 23:06 990,208 --a------ C:\WINDOWS\system32\syssetup.dll

2008-05-04 16:00 . 2007-09-29 23:03 308,248 --a------ C:\WINDOWS\system32\drivers\iaStor.sys

2008-04-30 23:06 . 2008-04-30 23:06 218,624 --a------ C:\WINDOWS\system32\uxtheme.dll

2008-04-30 23:06 . 2008-04-30 23:06 140,288 --a------ C:\WINDOWS\system32\sfc_os.dll

2008-04-30 22:29 . 2008-04-30 22:29 343 --a------ C:\WINDOWS\system32\prodspec.ini

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-04-14 14:40 1,296,669 ----a-r C:\WINDOWS\SET3.tmp

2008-04-14 14:34 16,535 ----a-r C:\WINDOWS\SET8.tmp

2008-04-14 14:34 1,088,840 ----a-r C:\WINDOWS\SET4.tmp

2008-04-14 12:43 40,840 ----a-w C:\WINDOWS\system32\drivers\termdd.sys

2008-04-14 12:43 21,896 ----a-w C:\WINDOWS\system32\drivers\tdtcp.sys

2008-04-14 12:43 139,656 ----a-w C:\WINDOWS\system32\drivers\rdpwd.sys

2008-04-14 12:43 12,040 ----a-w C:\WINDOWS\system32\drivers\tdpipe.sys

2008-04-14 12:41 451,072 ----a-w C:\WINDOWS\AppPatch\AcLayers.dll

2008-04-14 12:41 39,424 ----a-w C:\WINDOWS\AppPatch\AcAdProc.dll

2008-04-14 12:41 245,248 ----a-w C:\WINDOWS\AppPatch\AcSpecfc.dll

2008-04-14 12:41 141,312 ----a-w C:\WINDOWS\AppPatch\AcLua.dll

2008-04-14 12:41 116,224 ----a-w C:\WINDOWS\AppPatch\AcXtrnal.dll

2008-04-14 12:41 1,852,928 ----a-w C:\WINDOWS\AppPatch\AcGenral.dll

2008-04-14 07:58 175,744 ----a-w C:\WINDOWS\system32\drivers\rdbss.sys

2008-04-14 07:51 162,816 ----a-w C:\WINDOWS\system32\drivers\netbt.sys

2008-04-14 07:50 91,520 ----a-w C:\WINDOWS\system32\drivers\ndiswan.sys

2008-04-14 07:50 361,344 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys

2008-04-14 07:50 182,656 ----a-w C:\WINDOWS\system32\drivers\ndis.sys

2008-04-14 07:49 75,264 ----a-w C:\WINDOWS\system32\drivers\ipsec.sys

2008-04-14 07:49 51,328 ----a-w C:\WINDOWS\system32\drivers\rasl2tp.sys

2008-04-14 07:49 48,384 ----a-w C:\WINDOWS\system32\drivers\raspptp.sys

2008-04-14 07:49 146,048 ----a-w C:\WINDOWS\system32\drivers\portcls.sys

2008-04-14 07:49 138,112 ----a-w C:\WINDOWS\system32\drivers\afd.sys

2008-04-14 07:48 52,480 ----a-w C:\WINDOWS\system32\drivers\i8042prt.sys

2008-04-14 07:47 83,072 ----a-w C:\WINDOWS\system32\drivers\wdmaud.sys

2008-04-14 07:47 456,576 ----a-w C:\WINDOWS\system32\drivers\mrxsmb.sys

2008-04-14 07:47 105,344 ----a-w C:\WINDOWS\system32\drivers\mup.sys

2008-04-14 07:46 49,536 ----a-w C:\WINDOWS\system32\drivers\classpnp.sys

2008-04-14 07:46 141,056 ----a-w C:\WINDOWS\system32\drivers\ks.sys

2008-04-14 07:45 64,512 ----a-w C:\WINDOWS\system32\drivers\serial.sys

2008-04-14 07:45 60,800 ----a-w C:\WINDOWS\system32\drivers\sysaudio.sys

2008-04-14 07:45 574,976 ----a-w C:\WINDOWS\system32\drivers\ntfs.sys

2008-04-14 07:45 334,848 ----a-w C:\WINDOWS\system32\drivers\srv.sys

2008-04-14 07:44 63,744 ----a-w C:\WINDOWS\system32\drivers\cdfs.sys

2008-04-14 07:44 143,744 ----a-w C:\WINDOWS\system32\drivers\fastfat.sys

2008-04-14 07:30 225,664 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys

2008-04-14 07:30 19,072 ----a-w C:\WINDOWS\system32\drivers\tdi.sys

2008-04-14 07:27 41,472 ----a-w C:\WINDOWS\system32\drivers\raspppoe.sys

2008-04-14 07:27 40,576 ----a-w C:\WINDOWS\system32\drivers\ndproxy.sys

2008-04-14 07:27 34,560 ----a-w C:\WINDOWS\system32\drivers\wanarp.sys

2008-04-14 07:27 20,864 ----a-w C:\WINDOWS\system32\drivers\ipinip.sys

2008-04-14 07:27 152,832 ----a-w C:\WINDOWS\system32\drivers\ipnat.sys

2008-04-14 07:27 14,336 ----a-w C:\WINDOWS\system32\drivers\asyncmac.sys

2008-04-14 07:27 10,112 ----a-w C:\WINDOWS\system32\drivers\ndistapi.sys

2008-04-14 07:26 88,320 ----a-w C:\WINDOWS\system32\drivers\nwlnkipx.sys

2008-04-14 07:26 69,120 ----a-w C:\WINDOWS\system32\drivers\psched.sys

2008-04-14 07:26 35,072 ----a-w C:\WINDOWS\system32\drivers\msgpc.sys

2008-04-14 07:26 34,688 ----a-w C:\WINDOWS\system32\drivers\netbios.sys

2008-04-14 07:26 30,592 ----a-w C:\WINDOWS\system32\drivers\rndismp.sys

2008-04-14 07:26 12,800 ----a-w C:\WINDOWS\system32\drivers\usb8023.sys

2008-04-14 07:25 202,624 ----a-w C:\WINDOWS\system32\drivers\RMCast.sys

2008-04-14 07:24 11,264 ----a-w C:\WINDOWS\system32\drivers\irenum.sys

2008-04-14 07:23 71,552 ----a-w C:\WINDOWS\system32\drivers\bridge.sys

2008-04-14 07:23 40,320 ----a-w C:\WINDOWS\system32\drivers\nmnt.sys

2008-04-14 07:23 36,608 ----a-w C:\WINDOWS\system32\drivers\ip6fw.sys

2008-04-14 07:23 264,832 ----a-w C:\WINDOWS\system32\drivers\http.sys

2008-04-14 07:21 59,904 ----a-w C:\WINDOWS\system32\drivers\atmarpc.sys

2008-04-14 07:21 55,808 ----a-w C:\WINDOWS\system32\drivers\atmlane.sys

2008-04-14 07:16 61,696 ----a-w C:\WINDOWS\system32\drivers\ohci1394.sys

2008-04-14 07:16 53,376 ----a-w C:\WINDOWS\system32\drivers\1394bus.sys

2008-04-14 07:14 81,664 ----a-w C:\WINDOWS\system32\drivers\videoprt.sys

2008-04-14 07:14 799,744 ----a-w C:\WINDOWS\system32\drivers\dmboot.sys

2008-04-14 07:14 20,992 ----a-w C:\WINDOWS\system32\drivers\vga.sys

2008-04-14 07:14 153,344 ----a-w C:\WINDOWS\system32\drivers\dmio.sys

2008-04-14 07:11 52,352 ----a-w C:\WINDOWS\system32\drivers\volsnap.sys

2008-04-14 07:11 42,112 ----a-w C:\WINDOWS\system32\drivers\imapi.sys

2008-04-14 07:09 92,544 ----a-w C:\WINDOWS\system32\drivers\mqac.sys

2008-04-14 07:09 7,552 ----a-w C:\WINDOWS\system32\drivers\MSKSSRV.sys

2008-04-14 07:09 5,376 ----a-w C:\WINDOWS\system32\drivers\MSPCLOCK.sys

2008-04-14 07:09 42,368 ----a-w C:\WINDOWS\system32\drivers\mountmgr.sys

2008-04-14 07:09 4,992 ----a-w C:\WINDOWS\system32\drivers\MSPQM.sys

2008-04-14 07:09 384,768 ----a-w C:\WINDOWS\system32\drivers\update.sys

2008-04-14 07:09 24,576 ----a-w C:\WINDOWS\system32\drivers\kbdclass.sys

2008-04-14 07:09 23,040 ----a-w C:\WINDOWS\system32\drivers\mouclass.sys

2008-04-14 07:08 71,168 ----a-w C:\WINDOWS\system32\drivers\dxg.sys

2008-04-14 07:06 79,232 ----a-w C:\WINDOWS\system32\drivers\sdbus.sys

2008-04-14 07:06 73,472 ----a-w C:\WINDOWS\system32\drivers\sr.sys

2008-04-14 07:06 68,224 ----a-w C:\WINDOWS\system32\drivers\pci.sys

2008-04-14 07:06 37,248 ----a-w C:\WINDOWS\system32\drivers\isapnp.sys

2008-04-14 07:06 187,776 ----a-w C:\WINDOWS\system32\drivers\acpi.sys

2008-04-14 07:06 120,192 ----a-w C:\WINDOWS\system32\drivers\pcmcia.sys

2008-04-14 07:04 163,584 ----a-w C:\WINDOWS\system32\drivers\nwrdr.sys

2008-04-14 07:03 44,544 ----a-w C:\WINDOWS\system32\drivers\fips.sys

2008-04-14 07:03 129,792 ----a-w C:\WINDOWS\system32\drivers\fltMgr.sys

2008-04-14 07:02 66,048 ----a-w C:\WINDOWS\system32\drivers\udfs.sys

2008-04-14 07:02 30,848 ----a-w C:\WINDOWS\system32\drivers\npfs.sys

2008-04-14 07:02 196,224 ----a-w C:\WINDOWS\system32\drivers\rdpdr.sys

2008-04-14 07:02 19,072 ----a-w C:\WINDOWS\system32\drivers\msfs.sys

2008-04-14 07:02 180,608 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys

2008-04-14 07:01 92,288 ----a-w C:\WINDOWS\system32\drivers\ksecdd.sys

2008-04-14 07:01 36,352 ----a-w C:\WINDOWS\system32\drivers\intelppm.sys

2008-04-14 05:09 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys

2008-04-14 05:09 142,592 ----a-w C:\WINDOWS\system32\drivers\aec.sys

2008-04-14 05:06 144,384 ----a-w C:\WINDOWS\system32\drivers\hdaudbus.sys

2008-04-14 00:10 96,512 ----a-w C:\WINDOWS\system32\drivers\atapi.sys

2008-04-14 00:10 57,600 ----a-w C:\WINDOWS\system32\drivers\redbook.sys

2008-04-14 00:10 24,960 ----a-w C:\WINDOWS\system32\drivers\pciidex.sys

2008-02-21 03:59 11,776 ----a-w C:\WINDOWS\INRES.DLL

2008-02-21 03:58 3,072 ----a-w C:\WINDOWS\CTXFIRES.DLL

2008-02-21 03:58 10,240 ----a-w C:\WINDOWS\CTDCRES.DLL

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 05:42 15360]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-03-13 16:48 1443072]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-11-29 02:17 55824 C:\WINDOWS\KHALMNPR.Exe]

"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 15:44 178712]

"CTHelper"="CTHELPER.EXE" [2008-02-20 20:58 19456 C:\WINDOWS\system32\CtHelper.exe]

"CTxfiHlp"="CTXFIHLP.EXE" [2008-02-20 20:58 19968 C:\WINDOWS\system32\Ctxfihlp.exe]

"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]

"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

"24f2973e"="C:\WINDOWS\system32\ipubxopi.dll" [2008-05-15 21:17 116736]

 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-05-15 15:02:55 789008]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]

c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll 2008-01-09 12:30 72208 c:\Program Files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"C:\\Program Files\\uTorrent\\uTorrent.exe"=

"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

 

R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-03-13 16:52]

R2 CTAudSvcService;Creative Audio Service;C:\Program Files\Creative\Shared Files\CTAudSvc.exe [2008-03-07 19:24]

R3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys [2008-02-25 09:44]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]

\Shell\AutoRun\command - H:\SETUP.EXE

\Shell\configure\command - H:\SETUP.EXE

\Shell\install\command - H:\SETUP.EXE

 

.

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-05-15 21:49:36

Windows 5.1.2600 Service Pack 3 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

C:\WINDOWS\system32\CTxfispi.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe

.

**************************************************************************

.

Completion time: 2008-05-15 21:50:03 - machine was rebooted

ComboFix-quarantined-files.txt 2008-05-16 04:50:00

 

Pre-Run: 45,518,159,872 bytes free

Post-Run: 45,900,177,408 bytes free

 

286

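Editor's note, not part of qNick's post: the two logs above contain the classic Vundo pairing, a Run value with a random 8-hex-digit name ([24f2973e]) that loads a random-named DLL from system32 through rundll32 with a one-letter export ("...\ipubxopi.dll",b), together with an .ini file in system32 whose name is the DLL name spelled backwards (ipoxbupi.ini). The script below is an added example of that triage, written for this page rather than taken from HijackThis, ComboFix or any other tool; the sample O4 lines and deletion paths are copied from the logs above, and the scoring rules are generic heuristics labelled as such in the code.

```python
"""Flag Vundo-style autostart entries in HijackThis O4 lines and ComboFix deletions.

Added editorial example; not code from the original post or from either tool.
Assumption: the indicators below are generic heuristics, not the tools' own logic.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional

# Constructed sample input: O4 lines copied from the HijackThis log above.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [24f2973e] rundll32.exe "C:\WINDOWS\system32\ipubxopi.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
""".strip().splitlines()

# Constructed sample input: the "Other Deletions" paths from the ComboFix log above.
COMBOFIX_DELETIONS = r"""
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\edyvpkvx.ini
C:\WINDOWS\system32\hgjmlUvw.ini
C:\WINDOWS\system32\hgjmlUvw.ini2
C:\WINDOWS\system32\ipoxbupi.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\PWyIlUtv.ini
C:\WINDOWS\system32\PWyIlUtv.ini2
""".strip().splitlines()

O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*(?P<export>\S+)', re.I)
RANDOM_NAME_RE = re.compile(r'^[0-9a-f]{8}$')  # heuristic: Vundo used an 8-hex-digit value name


@dataclass
class RunEntry:
    hive: str
    name: str
    cmd: str
    dll: Optional[str] = None
    export: Optional[str] = None


def parse_o4(lines):
    """Parse HijackThis O4 Run lines; pull the DLL and export out of rundll32 commands."""
    entries = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if not m:
            continue
        e = RunEntry(m['hive'], m['name'], m['cmd'])
        r = RUNDLL_RE.search(e.cmd)
        if r:
            e.dll, e.export = r['dll'], r['export']
        entries.append(e)
    return entries


def suspicious_run_entries(entries):
    """Return [(entry, [reasons])] for entries matching the Vundo-style indicators."""
    hits = []
    for e in entries:
        reasons = []
        if RANDOM_NAME_RE.match(e.name):
            reasons.append('random 8-hex-digit value name')
        if e.dll:
            if PureWindowsPath(e.dll).parent.name.lower() == 'system32':
                reasons.append('rundll32 loads a DLL from system32')
            if len(e.export) == 1:
                reasons.append('single-letter export (%s)' % e.export)
        if reasons:
            hits.append((e, reasons))
    return hits


def reversed_ini_pairs(deleted_paths, dll_paths):
    """Pair each system32 *.ini/*.ini2 whose reversed stem names a known DLL.

    Vundo kept its state file as <DLL name reversed>.ini beside the DLL, so an
    .ini with no matching DLL hints at a component that was already removed.
    """
    dll_stems = {PureWindowsPath(d).stem.lower(): d for d in dll_paths}
    pairs, orphans = {}, []
    for path in deleted_paths:
        p = PureWindowsPath(path)
        if p.suffix.lower() not in ('.ini', '.ini2') or p.parent.name.lower() != 'system32':
            continue
        rev = p.stem[::-1].lower()
        if rev in dll_stems:
            pairs[path] = dll_stems[rev]
        else:
            orphans.append((path, rev + '.dll'))
    return pairs, orphans


def triage(hjt_lines, deleted_paths):
    """Combine both checks into one report dictionary."""
    entries = parse_o4(hjt_lines)
    hits = suspicious_run_entries(entries)
    pairs, orphans = reversed_ini_pairs(deleted_paths, [e.dll for e in entries if e.dll])
    return {'flagged': {e.name: reasons for e, reasons in hits},
            'ini_pairs': pairs, 'orphan_ini': orphans}


if __name__ == '__main__':
    report = triage(HJT_SAMPLE, COMBOFIX_DELETIONS)
    for name, reasons in report['flagged'].items():
        print('[%s]: %s' % (name, '; '.join(reasons)))
    for ini, dll in report['ini_pairs'].items():
        print('%s pairs with %s' % (ini, dll))
    for ini, guess in report['orphan_ini']:
        print('%s has no live DLL (reversed name would be %s)' % (ini, guess))
```

On the sample input the only flagged entry is [24f2973e], and ipoxbupi.ini is paired with ipubxopi.dll, which means the DLL is still loading at every boot even though ComboFix removed its .ini; the other five .ini files have no matching DLL left, consistent with components that the earlier cleanup already removed.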
Silent Runners:
"Silent Runners.vbs", revision 57, http://www.silentrunners.org/

Operating System: Windows XP

Output limited to non-default values, except where indicated by "{++}"

 

 

Startup items buried in registry:

---------------------------------

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"egui" = ""C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice" ["ESET"]

"Kernel and Hardware Abstraction Layer" = "KHALMNPR.EXE" ["Logitech, Inc."]

"IAAnotif" = ""C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"" ["Intel Corporation"]

"CTHelper" = "CTHELPER.EXE" ["Creative Technology Ltd"]

"CTxfiHlp" = "CTXFIHLP.EXE" ["Creative Technology Ltd"]

"UpdReg" = "C:\WINDOWS\UpdReg.EXE" ["Creative Technology Ltd."]

"Adobe Reader Speed Launcher" = ""C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"" ["Adobe Systems Incorporated"]

"24f2973e" = "rundll32.exe "C:\WINDOWS\system32\ipubxopi.dll",b" [MS]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)

-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"

\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

{22BF413B-C6D2-4d91-82A9-A0F997BA588C}\(Default) = "Skype add-on (mastermind)"

-> {HKLM...CLSID} = "Skype add-on (mastermind)"

\InProcServer32\(Default) = "C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll" ["Skype Technologies S.A."]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"

-> {HKLM...CLSID} = "Display Panning CPL Extension"

\InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"

-> {HKLM...CLSID} = "HyperTerminal Icon Ext"

\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]

"{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band"

-> {HKLM...CLSID} = "History Band"

\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"

-> {HKLM...CLSID} = "DesktopContext Class"

\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]

"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"

-> {HKLM...CLSID} = "NVIDIA CPL Extension"

\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]

"{B089FE88-FB52-11D3-BDF1-0050DA34150D}" = "Eset Smart Security - Context Menu Shell Extension"

-> {HKLM...CLSID} = "Eset Smart Security - Context Menu Shell Extension"

\InProcServer32\(Default) = "C:\Program Files\ESET\ESET NOD32 Antivirus\shellExt.dll" ["ESET"]

"{DC70C4A5-2044-4c59-B806-DEFB9AE0DF7C}" = "Logitech Setpoint Extension"

-> {HKLM...CLSID} = "KbLogiExt Class"

\InProcServer32\(Default) = "C:\Program Files\Logitech\SetPoint\kbcplext.dll" ["Logitech, Inc."]

"{B9B9F083-2B04-452A-8691-83694AC1037B}" = "Logitech Setpoint Extension"

-> {HKLM...CLSID} = "LogiExt Class"

\InProcServer32\(Default) = "C:\Program Files\Logitech\SetPoint\mcplext.dll" ["Logitech, Inc."]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"

-> {HKLM...CLSID} = "Outlook File Icon Extension"

\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~1\Office12\OLKFSTUB.DLL" [MS]

"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"

-> {HKLM...CLSID} = "Microsoft Office Outlook"

\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~1\Office12\MLSHEXT.DLL" [MS]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\msohevi.dll" [MS]

"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"

-> {HKLM...CLSID} = "Microsoft Office Metadata Handler"

\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]

"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"

-> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"

\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

<<!>> "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" = (no title provided)

-> {HKLM...CLSID} = "SABShellExecuteHook Class"

\InProcServer32\(Default) = "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" ["SuperAdBlocker.com"]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\

"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

-> {HKLM...CLSID} = "WPDShServiceObj Class"

\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

 

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

<<!>> !SASWinLogon\DLLName = "C:\Program Files\SUPERAntiSpyware\SASWINLO.dll" ["SUPERAntiSpyware.com"]

<<!>> dimsntfy\DLLName = "C:\WINDOWS\System32\dimsntfy.dll" [MS]

<<!>> LBTWlgn\DLLName = "c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll" ["Logitech, Inc."]

 

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\

<<!>> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}"

-> {HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter"

\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL" [MS]

 

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"

-> {HKLM...CLSID} = "PDF Shell Extension"

\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

 

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\

Eset Smart Security - Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"

-> {HKLM...CLSID} = "Eset Smart Security - Context Menu Shell Extension"

\InProcServer32\(Default) = "C:\Program Files\ESET\ESET NOD32 Antivirus\shellExt.dll" ["ESET"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

 

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

 

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\

Eset Smart Security - Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"

-> {HKLM...CLSID} = "Eset Smart Security - Context Menu Shell Extension"

\InProcServer32\(Default) = "C:\Program Files\ESET\ESET NOD32 Antivirus\shellExt.dll" ["ESET"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

 

 

Group Policies {GPedit.msc branch and setting}:

-----------------------------------------------

 

Note: detected settings may not have any effect.

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

 

"HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

"HideLogoffScripts" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

"RunLogonScriptSync" = (REG_DWORD) dword:0x00000001

{unrecognized setting}

 

"RunStartupScriptSync" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

"HideStartupScripts" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

 

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}

 

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Devices: Allow undock without having to log on}

 

"DisableRegistryTools" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

"HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

"HideLogoffScripts" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

"RunLogonScriptSync" = (REG_DWORD) dword:0x00000001

{unrecognized setting}

 

"RunStartupScriptSync" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

"HideStartupScripts" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

 

Active Desktop and Wallpaper:

-----------------------------

 

Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

 

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "C:\WINDOWS\web\wallpaper\Bliss.bmp"

 

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\WINDOWS\web\wallpaper\Bliss.bmp"

 

 

Windows Portable Device AutoPlay Handlers

-----------------------------------------

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

 

MSWPDShellNamespaceHandler\

"Provider" = "@%SystemRoot%\System32\WPDShextRes.dll,-501"

"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"

"InitCmdLine" = " "

-> {HKLM...CLSID} = "WPDShextAutoplay"

\LocalServer32\(Default) = "C:\WINDOWS\system32\WPDShextAutoplay.exe" [MS]

 

 

Startup items in "qNick" & "All Users" startup folders:

-------------------------------------------------------

 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup

"Logitech SetPoint" -> shortcut to: "C:\Program Files\Logitech\SetPoint\SetPoint.exe" ["Logitech, Inc."]

 

 

Winsock2 Service Provider DLLs:

-------------------------------

 

Namespace Service Providers

 

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

 

Transport Service Providers

 

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

 

 

Toolbars, Explorer Bars, Extensions:

------------------------------------

 

Extensions (Tools menu items, main toolbar menu buttons)

 

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\

{77BF5300-1474-4EC7-9980-D32B190E9B07}\

"ButtonText" = "Skype"

"CLSIDExtension" = "{77BF5300-1474-4EC7-9980-D32B190E9B07}"

-> {HKLM...CLSID} = "Skype add-on (button)"

\InProcServer32\(Default) = "C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll" ["Skype Technologies S.A."]

 

{E2E2DD38-D088-4134-82B7-F2BA38496583}\

"MenuText" = "@xpsp3res.dll,-20001"

"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

 

{FB5F1910-F110-11D2-BB9E-00C04F795683}\

"ButtonText" = "Messenger"

"MenuText" = "Windows Messenger"

"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]

 

 

Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------

 

Creative Audio Service, CTAudSvcService, "C:\Program Files\Creative\Shared Files\CTAudSvc.exe" ["Creative Technology Ltd"]

Eset Service, ekrn, ""C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe"" ["ESET"]

Intel® Matrix Storage Event Monitor, IAANTMON, "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe" ["Intel Corporation"]

 

 

---------- (launch time: 2008-05-15 22:17:22)

<<!>>: Suspicious data at a malware launch point.

 

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

took 2 seconds.

---------- (total run time: 14 seconds)

Regards. Edited by qNick
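An added example, not part of the post above and not code from the Silent Runners authors: a small parser that pulls the `<<!>>`-flagged launch points out of a Silent Runners report, follows the `-> {HKLM...CLSID}` and `\InProcServer32\(Default)` continuation lines to the DLL that actually gets loaded, and separates Microsoft-tagged entries from the rest. The sample input is constructed from lines excerpted verbatim from the log above; the tag conventions it assumes (`[MS]` for Microsoft, `["Company"]` from the file's version resource, `[null data]` when that field is empty) are the ones visible in the report.

```python
import re

# Constructed sample: lines excerpted verbatim from the Silent Runners log posted above.
SAMPLE_LOG = r"""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

<<!>> "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" = (no title provided)

-> {HKLM...CLSID} = "SABShellExecuteHook Class"

\InProcServer32\(Default) = "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" ["SuperAdBlocker.com"]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

<<!>> !SASWinLogon\DLLName = "C:\Program Files\SUPERAntiSpyware\SASWINLO.dll" ["SUPERAntiSpyware.com"]

<<!>> dimsntfy\DLLName = "C:\WINDOWS\System32\dimsntfy.dll" [MS]

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\

<<!>> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}"

-> {HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter"

\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL" [MS]
"""

FLAG = "<<!>>"  # Silent Runners' marker for "suspicious data at a malware launch point"

# One "name = value" line. The value is either quoted or bare and may be followed by the
# bracketed company tag Silent Runners takes from the file's version resource
# ([MS] for Microsoft, ["Company"] otherwise, [null data] when the field is empty).
_KV = re.compile(
    r'^(?P<name>.+?)\s+=\s+(?:"(?P<qval>[^"]*)"|(?P<bval>[^\[]+?))'
    r'\s*(?:\[(?P<tag>[^\]]*)\])?\s*$'
)


def _kv(line):
    """Split a key/value line into name, value and (optional) company tag."""
    m = _KV.match(line)
    if not m:
        return None
    tag = m.group("tag")
    value = m.group("qval") if m.group("qval") is not None else m.group("bval").strip()
    return {"name": m.group("name").strip('"'), "value": value,
            "tag": tag.strip('"') if tag is not None else None}


def parse_silent_runners(text):
    """Return every <<!>>-flagged entry with its registry section, loaded DLL and tag."""
    entries, section, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("HK") and line.endswith("\\"):
            section, pending = line, None          # a new registry key heading
        elif line.startswith(FLAG):
            kv = _kv(line[len(FLAG):].strip())
            if kv is None:
                continue
            entry = {"section": section, "name": kv["name"], "value": kv["value"],
                     "tag": kv["tag"], "clsid_title": None, "dll": None}
            if kv["value"].lower().endswith(".dll"):
                entry["dll"] = kv["value"]          # DLLName-style entry: path is inline
            entries.append(entry)
            # A CLSID-style entry carries no tag; its DLL comes from the next two lines.
            pending = entry if kv["tag"] is None else None
        elif pending is not None and line.startswith("-> "):
            kv = _kv(line[3:])
            if kv:
                pending["clsid_title"] = kv["value"]
        elif pending is not None and line.startswith("\\InProcServer32"):
            kv = _kv(line)
            if kv:
                pending["dll"], pending["tag"] = kv["value"], kv["tag"]
            pending = None
        else:
            pending = None
    return entries


def non_microsoft(entries):
    """Flagged entries that are not tagged [MS]: the ones worth a second look."""
    return [e for e in entries if e["tag"] != "MS"]


if __name__ == "__main__":
    for e in non_microsoft(parse_silent_runners(SAMPLE_LOG)):
        print(f'{e["section"]}\n    {e["name"]} -> {e["dll"]} [{e["tag"]}]')
```

Run it on a full report with `parse_silent_runners(open("Startup Programs (...).txt").read())`. The `[MS]` split is only a first cut: the tag comes from the file's own version information, which any dropper can forge, so a non-Microsoft hit is a candidate for a hash or signature check, not a verdict, and a Microsoft tag on an unexpected path still deserves a look.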

Thanks @XAD_, vundofix no longer found anything; new log:

 

» Naciśnij aby pokazać/ukryć tekst oznaczony jako spoiler « - "ComboFix"
ComboFix 08-05-15.3 - qNick 2008-05-16 7:12:19.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1250.48.1033.18.1661 [GMT -7:00]

Running from: C:\Documents and Settings\qNick\Desktop\ComboFix.exe

* Created a new restore point

* Resident AV is active

 

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((( Files Created from 2008-04-16 to 2008-05-16 )))))))))))))))))))))))))))))))

.

 

2008-05-16 07:08 . 2008-05-16 07:08 <DIR> d-------- C:\VundoFix Backups

2008-05-16 07:04 . 2008-05-16 07:04 <DIR> d-------- C:\_OTMoveIt

2008-05-15 23:06 . 2008-05-15 23:06 0 --ah----- C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG

2008-05-15 21:49 . 2008-05-15 21:49 <DIR> d-------- C:\WINDOWS\system32\xircom

2008-05-15 21:49 . 2008-05-15 21:49 <DIR> d-------- C:\Program Files\microsoft frontpage

2008-05-15 21:49 . 2008-05-16 06:55 414 ---hs---- C:\WINDOWS\system32\ipoxbupi.ini

2008-05-15 19:53 . 2008-05-15 19:53 <DIR> d-------- C:\Program Files\Common Files\Adobe

2008-05-15 18:02 . 2008-05-15 18:02 <DIR> d-------- C:\Documents and Settings\qNick\Application Data\GARMIN

2008-05-15 18:01 . 2008-05-15 18:01 <DIR> d-------- C:\Program Files\Garmin

2008-05-15 16:50 . 2008-05-15 18:01 <DIR> d-------- C:\Garmin

2008-05-15 15:55 . 2008-05-15 15:57 <DIR> d-------- C:\Program Files\Microsoft Bootvis

2008-05-15 15:53 . 2008-05-15 15:53 <DIR> d-------- C:\Program Files\Windows Media Connect 2

2008-05-15 15:52 . 2008-05-15 15:52 <DIR> d-------- C:\WINDOWS\system32\LogFiles

2008-05-15 15:52 . 2008-05-15 15:53 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF

2008-05-15 15:40 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll

2008-05-15 15:40 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll

2008-05-15 15:40 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui

2008-05-15 15:39 . 2008-05-15 15:39 <DIR> d-------- C:\Documents and Settings\qNick\Application Data\skypePM

2008-05-15 15:39 . 2008-05-15 15:39 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat

2008-05-15 15:38 . 2008-05-15 15:38 <DIR> d-------- C:\Program Files\Skype

2008-05-15 15:38 . 2008-05-15 15:38 <DIR> d-------- C:\Program Files\Common Files\Skype

2008-05-15 15:38 . 2008-05-15 15:38 <DIR> d-------- C:\Documents and Settings\qNick\Gadu-Gadu

2008-05-15 15:38 . 2008-05-15 15:40 <DIR> d-------- C:\Documents and Settings\qNick\Application Data\Skype

2008-05-15 15:38 . 2008-05-15 15:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype

2008-05-15 15:37 . 2008-05-15 15:37 <DIR> d-------- C:\Program Files\Gadu-Gadu

2008-05-15 15:36 . 2008-05-15 15:36 <DIR> d-------- C:\WINDOWS\SHELLNEW

2008-05-15 15:35 . 2008-05-15 15:35 <DIR> dr-h----- C:\MSOCache

2008-05-15 15:35 . 2008-05-15 15:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help

2008-05-15 15:31 . 2000-05-11 01:00 90,112 --------- C:\WINDOWS\Updreg.EXE

2008-05-15 15:25 . 2008-05-15 15:25 152 --a------ C:\WINDOWS\CoolPlay.ini

2008-05-15 15:18 . 2000-05-22 01:58 647,872 --------- C:\WINDOWS\system32\Mscomct2.ocx

2008-05-15 15:18 . 1999-10-10 10:00 41,984 --------- C:\WINDOWS\Ctregrun.exe

2008-05-15 15:14 . 2008-05-15 23:10 55,384 --a------ C:\WINDOWS\system32\BMXStateBkp-{00000006-00000000-00000006-00001102-00000005-00211102}.rfx

2008-05-15 15:14 . 2008-05-15 23:10 55,384 --a------ C:\WINDOWS\system32\BMXState-{00000006-00000000-00000006-00001102-00000005-00211102}.rfx

2008-05-15 15:14 . 2008-05-15 15:14 1,024 --ah----- C:\Documents and Settings\Default User\NTUSER.dat.LOG

2008-05-15 15:14 . 2008-05-15 23:10 788 --a------ C:\WINDOWS\system32\DVCState-{00000006-00000000-00000006-00001102-00000005-00211102}.rfx

2008-05-15 15:13 . 2008-05-15 15:31 <DIR> d-------- C:\Program Files\Creative

2008-05-15 15:13 . 2008-05-15 15:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Creative

2008-05-15 15:13 . 2008-05-15 15:13 413,696 --a------ C:\WINDOWS\system32\wrap_oal.dll

2008-05-15 15:13 . 2008-05-15 15:13 110,592 --a------ C:\WINDOWS\system32\OpenAL32.dll

2008-05-15 15:13 . 2007-02-26 15:24 94,208 --a------ C:\WINDOWS\system32\cttele32.dll

2008-05-15 15:13 . 2008-04-14 00:15 6,272 --a------ C:\WINDOWS\system32\drivers\splitter.sys

2008-05-15 15:12 . 2008-05-15 15:12 <DIR> d-------- C:\Documents and Settings\qNick\Application Data\Creative

2008-05-15 15:06 . 2008-05-15 15:06 <DIR> d-------- C:\WINDOWS\system32\ENU

2008-05-15 15:06 . 2007-10-18 15:51 126,976 --a------ C:\WINDOWS\system32\Imsmudlg.exe

2008-05-15 15:04 . 2008-05-15 15:04 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE

2008-05-15 15:04 . 2008-05-15 15:06 <DIR> d-------- C:\Program Files\Intel

2008-05-15 15:04 . 2008-05-15 15:04 <DIR> d-------- C:\Intel

2008-05-15 15:04 . 2008-05-15 15:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\LogiShrd

2008-05-15 15:04 . 2007-07-26 16:15 53,248 --a------ C:\WINDOWS\system32\CSVer.dll

2008-05-15 15:03 . 2008-05-15 15:03 <DIR> d-------- C:\Documents and Settings\qNick\Application Data\Logitech

2008-05-15 15:03 . 2008-05-15 15:03 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf

2008-05-15 15:03 . 2008-05-15 15:03 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_LUsbFilt_01005.Wdf

2008-05-15 15:03 . 2008-05-15 15:03 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf

2008-05-15 15:02 . 2008-05-15 15:02 <DIR> d-------- C:\Program Files\Logitech

2008-05-15 15:02 . 2008-05-15 15:02 <DIR> d-------- C:\Program Files\Common Files\Logishrd

2008-05-15 15:02 . 2008-05-15 15:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Logitech

2008-05-15 15:02 . 2008-01-09 12:26 301,656 --a------ C:\WINDOWS\system32\BtCoreIf.dll

2008-05-15 15:02 . 2008-01-09 12:27 170,512 --a------ C:\WINDOWS\system32\kemutb.dll

2008-05-15 15:02 . 2008-01-09 12:28 141,840 --a------ C:\WINDOWS\system32\KemUtil.dll

2008-05-15 15:02 . 2008-01-09 12:28 117,264 --a------ C:\WINDOWS\system32\KemWnd.dll

2008-05-15 15:02 . 2008-01-09 12:28 76,304 --a------ C:\WINDOWS\system32\KemXML.dll

2008-05-15 14:34 . 2008-05-15 14:41 <DIR> d-------- C:\Program Files\SUPERAntiSpyware

2008-05-15 14:34 . 2008-05-15 14:34 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

2008-05-15 14:34 . 2008-05-15 14:34 <DIR> d-------- C:\Documents and Settings\qNick\Application Data\SUPERAntiSpyware.com

2008-05-15 14:34 . 2008-05-15 14:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com

2008-05-15 13:52 . 2008-05-15 13:58 <DIR> d-------- C:\Program Files\PowerISO

2008-05-15 13:24 . 2008-05-15 13:24 <DIR> d--hs---- C:\Documents and Settings\qNick\UserData

2008-05-15 13:24 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll

2008-05-15 13:24 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui

2008-05-15 13:24 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui

2008-05-15 13:24 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui

2008-05-15 13:24 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui

2008-05-15 13:21 . 2008-05-15 13:21 <DIR> d-------- C:\Program Files\uTorrent

2008-05-15 13:21 . 2008-05-15 21:17 <DIR> d-------- C:\Documents and Settings\qNick\Application Data\uTorrent

2008-05-15 13:19 . 2008-05-15 13:19 <DIR> d-------- C:\Program Files\ESET

2008-05-15 13:19 . 2008-05-15 13:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET

2008-05-15 13:16 . 2008-05-15 15:18 <DIR> d-------- C:\Program Files\Common Files\InstallShield

2008-05-15 13:10 . 2008-05-15 13:10 <DIR> d-------- C:\WINDOWS\OPTIONS

2008-05-15 13:10 . 2008-05-15 13:10 <DIR> d-------- C:\Program Files\Realtek

2008-05-15 13:10 . 2008-05-15 15:31 <DIR> d--h----- C:\Program Files\InstallShield Installation Information

2008-05-15 13:10 . 2007-10-23 18:51 103,296 --a------ C:\WINDOWS\system32\drivers\Rtenicxp.sys

2008-05-15 13:09 . 2008-05-15 13:09 <DIR> d-------- C:\Documents and Settings\qNick\Application Data\InstallShield

2008-05-15 13:04 . 2008-05-15 13:04 <DIR> d---s---- C:\WINDOWS\system32\Microsoft

2008-05-15 13:04 . 2008-05-15 15:38 <DIR> d-------- C:\Documents and Settings\qNick

2008-05-15 13:04 . 2008-05-15 13:04 <DIR> d--hs---- C:\Documents and Settings\LocalService

2008-05-15 13:04 . 2008-05-16 07:12 61,440 --ah----- C:\Documents and Settings\qNick\ntuser.dat.LOG

2008-05-15 13:04 . 2008-05-16 06:56 1,024 --ah----- C:\Documents and Settings\LocalService\ntuser.dat.LOG

2008-05-15 13:01 . 2008-05-16 06:56 1,024 --ah----- C:\Documents and Settings\NetworkService\ntuser.dat.LOG

2008-05-15 13:00 . 2008-05-15 13:34 <DIR> d-------- C:\WINDOWS\system32\dllcache

2008-05-15 13:00 . 2008-05-15 15:53 <DIR> d--hs---- C:\Documents and Settings\All Users\DRM

2008-05-04 16:00 . 2008-04-30 23:06 990,208 --a------ C:\WINDOWS\system32\syssetup.dll

2008-05-04 16:00 . 2007-09-29 23:03 308,248 --a------ C:\WINDOWS\system32\drivers\iaStor.sys

2008-04-30 23:06 . 2008-04-30 23:06 218,624 --a------ C:\WINDOWS\system32\uxtheme.dll

2008-04-30 23:06 . 2008-04-30 23:06 140,288 --a------ C:\WINDOWS\system32\sfc_os.dll

2008-04-30 22:29 . 2008-04-30 22:29 343 --a------ C:\WINDOWS\system32\prodspec.ini

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-04-14 12:55 1,804 ----a-w C:\WINDOWS\system32\Dcache.bin

2008-04-14 12:46 329,728 ----a-w C:\WINDOWS\system32\netsetup.exe

2008-04-14 12:43 92,424 ----a-w C:\WINDOWS\system32\rdpdd.dll

2008-04-14 12:43 87,176 ----a-w C:\WINDOWS\system32\rdpwsx.dll

2008-04-14 12:43 40,840 ----a-w C:\WINDOWS\system32\drivers\termdd.sys

2008-04-14 12:43 21,896 ----a-w C:\WINDOWS\system32\drivers\tdtcp.sys

2008-04-14 12:43 139,656 ----a-w C:\WINDOWS\system32\drivers\rdpwd.sys

2008-04-14 12:43 12,168 ----a-w C:\WINDOWS\system32\tsddd.dll

2008-04-14 12:43 12,040 ----a-w C:\WINDOWS\system32\drivers\tdpipe.sys

2008-04-14 12:41 98,304 ----a-w C:\WINDOWS\system32\actxprxy.dll

2008-04-14 12:40 53,279 ----a-w C:\WINDOWS\system32\odbcji32.dll

2008-04-14 12:40 4,126 ----a-w C:\WINDOWS\system32\msdxmlc.dll

2008-04-14 12:40 3,584 ----a-w C:\WINDOWS\system32\msafd.dll

2008-04-14 08:00 1,845,632 ----a-w C:\WINDOWS\system32\win32k.sys

2008-04-14 07:58 175,744 ----a-w C:\WINDOWS\system32\drivers\rdbss.sys

2008-04-14 07:54 2,145,280 ----a-w C:\WINDOWS\system32\ntoskrnl.exe

2008-04-14 07:51 162,816 ----a-w C:\WINDOWS\system32\drivers\netbt.sys

2008-04-14 07:50 91,520 ----a-w C:\WINDOWS\system32\drivers\ndiswan.sys

2008-04-14 07:50 361,344 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys

2008-04-14 07:50 182,656 ----a-w C:\WINDOWS\system32\drivers\ndis.sys

2008-04-14 07:49 75,264 ----a-w C:\WINDOWS\system32\drivers\ipsec.sys

2008-04-14 07:49 51,328 ----a-w C:\WINDOWS\system32\drivers\rasl2tp.sys

2008-04-14 07:49 48,384 ----a-w C:\WINDOWS\system32\drivers\raspptp.sys

2008-04-14 07:49 146,048 ----a-w C:\WINDOWS\system32\drivers\portcls.sys

2008-04-14 07:49 138,112 ----a-w C:\WINDOWS\system32\drivers\afd.sys

2008-04-14 07:48 52,480 ----a-w C:\WINDOWS\system32\drivers\i8042prt.sys

2008-04-14 07:47 83,072 ----a-w C:\WINDOWS\system32\drivers\wdmaud.sys

2008-04-14 07:47 456,576 ----a-w C:\WINDOWS\system32\drivers\mrxsmb.sys

2008-04-14 07:47 105,344 ----a-w C:\WINDOWS\system32\drivers\mup.sys

2008-04-14 07:46 49,536 ----a-w C:\WINDOWS\system32\drivers\classpnp.sys

2008-04-14 07:46 141,056 ----a-w C:\WINDOWS\system32\drivers\ks.sys

2008-04-14 07:45 64,512 ----a-w C:\WINDOWS\system32\drivers\serial.sys

2008-04-14 07:45 60,800 ----a-w C:\WINDOWS\system32\drivers\sysaudio.sys

2008-04-14 07:45 574,976 ----a-w C:\WINDOWS\system32\drivers\ntfs.sys

2008-04-14 07:45 334,848 ----a-w C:\WINDOWS\system32\drivers\srv.sys

2008-04-14 07:44 63,744 ----a-w C:\WINDOWS\system32\drivers\cdfs.sys

2008-04-14 07:44 143,744 ----a-w C:\WINDOWS\system32\drivers\fastfat.sys

2008-04-14 07:30 225,664 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys

2008-04-14 07:30 19,072 ----a-w C:\WINDOWS\system32\drivers\tdi.sys

2008-04-14 07:27 41,472 ----a-w C:\WINDOWS\system32\drivers\raspppoe.sys

2008-04-14 07:27 40,576 ----a-w C:\WINDOWS\system32\drivers\ndproxy.sys

2008-04-14 07:27 34,560 ----a-w C:\WINDOWS\system32\drivers\wanarp.sys

2008-04-14 07:27 20,864 ----a-w C:\WINDOWS\system32\drivers\ipinip.sys

2008-04-14 07:27 152,832 ----a-w C:\WINDOWS\system32\drivers\ipnat.sys

2008-04-14 07:27 14,336 ----a-w C:\WINDOWS\system32\drivers\asyncmac.sys

2008-04-14 07:27 10,112 ----a-w C:\WINDOWS\system32\drivers\ndistapi.sys

2008-04-14 07:26 88,320 ----a-w C:\WINDOWS\system32\drivers\nwlnkipx.sys

2008-04-14 07:26 69,120 ----a-w C:\WINDOWS\system32\drivers\psched.sys

2008-04-14 07:26 35,072 ----a-w C:\WINDOWS\system32\drivers\msgpc.sys

2008-04-14 07:26 34,688 ----a-w C:\WINDOWS\system32\drivers\netbios.sys

2008-04-14 07:26 30,592 ----a-w C:\WINDOWS\system32\drivers\rndismp.sys

2008-04-14 07:26 12,800 ----a-w C:\WINDOWS\system32\drivers\usb8023.sys

2008-04-14 07:25 202,624 ----a-w C:\WINDOWS\system32\drivers\RMCast.sys

2008-04-14 07:24 11,264 ----a-w C:\WINDOWS\system32\drivers\irenum.sys

2008-04-14 07:23 71,552 ----a-w C:\WINDOWS\system32\drivers\bridge.sys

2008-04-14 07:23 40,320 ----a-w C:\WINDOWS\system32\drivers\nmnt.sys

2008-04-14 07:23 36,608 ----a-w C:\WINDOWS\system32\drivers\ip6fw.sys

2008-04-14 07:23 264,832 ----a-w C:\WINDOWS\system32\drivers\http.sys

2008-04-14 07:21 59,904 ----a-w C:\WINDOWS\system32\drivers\atmarpc.sys

2008-04-14 07:21 55,808 ----a-w C:\WINDOWS\system32\drivers\atmlane.sys

2008-04-14 07:16 61,696 ----a-w C:\WINDOWS\system32\drivers\ohci1394.sys

2008-04-14 07:16 53,376 ----a-w C:\WINDOWS\system32\drivers\1394bus.sys

2008-04-14 07:14 81,664 ----a-w C:\WINDOWS\system32\drivers\videoprt.sys

2008-04-14 07:14 799,744 ----a-w C:\WINDOWS\system32\drivers\dmboot.sys

2008-04-14 07:14 20,992 ----a-w C:\WINDOWS\system32\drivers\vga.sys

2008-04-14 07:14 153,344 ----a-w C:\WINDOWS\system32\drivers\dmio.sys

2008-04-14 07:13 12,800 ----a-w C:\WINDOWS\system32\spiisupd.exe

2008-04-14 07:11 52,352 ----a-w C:\WINDOWS\system32\drivers\volsnap.sys

2008-04-14 07:11 42,112 ----a-w C:\WINDOWS\system32\drivers\imapi.sys

2008-04-14 07:09 92,544 ----a-w C:\WINDOWS\system32\drivers\mqac.sys

2008-04-14 07:09 7,552 ----a-w C:\WINDOWS\system32\drivers\MSKSSRV.sys

2008-04-14 07:09 5,376 ----a-w C:\WINDOWS\system32\drivers\MSPCLOCK.sys

2008-04-14 07:09 42,368 ----a-w C:\WINDOWS\system32\drivers\mountmgr.sys

2008-04-14 07:09 4,992 ----a-w C:\WINDOWS\system32\drivers\MSPQM.sys

2008-04-14 07:09 384,768 ----a-w C:\WINDOWS\system32\drivers\update.sys

2008-04-14 07:09 24,576 ----a-w C:\WINDOWS\system32\drivers\kbdclass.sys

2008-04-14 07:09 23,040 ----a-w C:\WINDOWS\system32\drivers\mouclass.sys

2008-04-14 07:08 71,168 ----a-w C:\WINDOWS\system32\drivers\dxg.sys

2008-04-14 07:06 79,232 ----a-w C:\WINDOWS\system32\drivers\sdbus.sys

2008-04-14 07:06 73,472 ----a-w C:\WINDOWS\system32\drivers\sr.sys

2008-04-14 07:06 68,224 ----a-w C:\WINDOWS\system32\drivers\pci.sys

2008-04-14 07:06 37,248 ----a-w C:\WINDOWS\system32\drivers\isapnp.sys

2008-04-14 07:06 187,776 ----a-w C:\WINDOWS\system32\drivers\acpi.sys

2008-04-14 07:06 120,192 ----a-w C:\WINDOWS\system32\drivers\pcmcia.sys

2008-04-14 07:04 163,584 ----a-w C:\WINDOWS\system32\drivers\nwrdr.sys

2008-04-14 07:03 44,544 ----a-w C:\WINDOWS\system32\drivers\fips.sys

2008-04-14 07:03 129,792 ----a-w C:\WINDOWS\system32\drivers\fltMgr.sys

2008-04-14 07:02 66,048 ----a-w C:\WINDOWS\system32\drivers\udfs.sys

2008-04-14 07:02 30,848 ----a-w C:\WINDOWS\system32\drivers\npfs.sys

2008-04-14 07:02 196,224 ----a-w C:\WINDOWS\system32\drivers\rdpdr.sys

2008-04-14 07:02 19,072 ----a-w C:\WINDOWS\system32\drivers\msfs.sys

2008-04-14 07:02 180,608 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys

2008-04-14 07:01 92,288 ----a-w C:\WINDOWS\system32\drivers\ksecdd.sys

2008-04-14 07:01 7,424 ----a-w C:\WINDOWS\system32\kd1394.dll

2008-04-14 07:01 36,352 ----a-w C:\WINDOWS\system32\drivers\intelppm.sys

2008-04-14 07:00 61,440 ----a-w C:\WINDOWS\system32\msvcrt40.dll

2008-04-14 06:45 76,800 ----a-w C:\WINDOWS\system32\msshavmsg.dll

2008-04-14 06:09 438,784 ----a-w C:\WINDOWS\system32\xpob2res.dll

2008-04-14 06:09 2,897,920 ----a-w C:\WINDOWS\system32\xpsp2res.dll

2008-04-14 06:09 187,392 ----a-w C:\WINDOWS\system32\xpsp1res.dll

.

 

((((((((((((((((((((((((((((( snapshot@2008-05-15_21.49.52.71 )))))))))))))))))))))))))))))))))))))))))

.

- 2008-05-16 04:49:30 2,048 --s-a-w C:\WINDOWS\bootstat.dat

+ 2008-05-16 13:55:44 2,048 --s-a-w C:\WINDOWS\bootstat.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 05:42 15360]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-03-13 16:48 1443072]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-11-29 02:17 55824 C:\WINDOWS\KHALMNPR.Exe]

"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 15:44 178712]

"CTHelper"="CTHELPER.EXE" [2008-02-20 20:58 19456 C:\WINDOWS\system32\CtHelper.exe]

"CTxfiHlp"="CTXFIHLP.EXE" [2008-02-20 20:58 19968 C:\WINDOWS\system32\Ctxfihlp.exe]

"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]

"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-05-15 15:02:55 789008]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]

c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll 2008-01-09 12:30 72208 c:\Program Files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"C:\\Program Files\\uTorrent\\uTorrent.exe"=

"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

 

R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-03-13 16:52]

R2 CTAudSvcService;Creative Audio Service;C:\Program Files\Creative\Shared Files\CTAudSvc.exe [2008-03-07 19:24]

R3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys [2008-02-25 09:44]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]

\Shell\AutoRun\command - H:\SETUP.EXE

\Shell\configure\command - H:\SETUP.EXE

\Shell\install\command - H:\SETUP.EXE

 

*Newly Created Service* - CATCHME

.

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-05-16 07:12:56

Windows 5.1.2600 Service Pack 3 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2008-05-16 7:13:06

ComboFix-quarantined-files.txt 2008-05-16 14:13:05

ComboFix2.txt 2008-05-16 04:50:03

 

Pre-Run: 45,970,264,064 bytes free

Post-Run: 45,979,000,832 bytes free
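An added example, not part of the post above and not code from the ComboFix authors: a parser for the "Reg Loading Points" part of a ComboFix log that turns the Run-key lines, the `R#/S#` service lines and the per-drive MountPoints2 autorun verbs into records, then lists the launch points whose binary does not live under `C:\WINDOWS` or `C:\Program Files`. The sample input is constructed from lines excerpted verbatim from the log above. Two assumptions are mine: that the bracketed suffix on a Run line is `date time size [resolved path]`, with the resolved path present only when the value was a bare file name (as in the `KHALMNPR.EXE` line), and that the `R`/`S` prefix on a service line means running/stopped with the digit as the start type.

```python
import re

# Constructed sample: lines excerpted verbatim from the "Reg Loading Points" section
# of the ComboFix log posted above.
SAMPLE_COMBOFIX = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-03-13 16:48 1443072]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-11-29 02:17 55824 C:\WINDOWS\KHALMNPR.Exe]

"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]

R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-03-13 16:52]

R2 CTAudSvcService;Creative Audio Service;C:\Program Files\Creative\Shared Files\CTAudSvc.exe [2008-03-07 19:24]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]

\Shell\AutoRun\command - H:\SETUP.EXE

\Shell\configure\command - H:\SETUP.EXE

\Shell\install\command - H:\SETUP.EXE
"""

_KEY = re.compile(r"^\[(?P<key>.+)\]$")                       # [HKEY_...\Run]
_RUN = re.compile(r'^"(?P<name>[^"]*)"="(?P<cmd>[^"]*)"\s+\[(?P<meta>[^\]]*)\]$')
# Assumed ComboFix notation: R = running, S = stopped, digit = service start type.
_SVC = re.compile(r"^(?P<state>[RS])(?P<start>\d)\s+(?P<svc>[^;]+);(?P<display>[^;]*);"
                  r"(?P<path>.+?)\s+\[(?P<stamp>[^\]]*)\]$")
_AUTORUN = re.compile(r"^\\Shell\\(?P<verb>[^\\]+)\\command - (?P<cmd>.+)$")

TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")


def parse_combofix_loading_points(text):
    """Return run-key, service and MountPoints2 autorun entries as dicts with a 'path'."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _KEY.match(line)
        if m:
            key = m.group("key")
            continue
        m = _RUN.match(line)
        if m:
            meta = m.group("meta").split()
            # "date time size" and, for a bare file name, the path ComboFix resolved it to.
            resolved = " ".join(meta[3:]) if len(meta) > 3 else m.group("cmd")
            entries.append({"kind": "run", "key": key, "name": m.group("name"),
                            "path": resolved, "size": int(meta[2]),
                            "stamp": f"{meta[0]} {meta[1]}"})
            continue
        m = _SVC.match(line)
        if m:
            entries.append({"kind": "service", "key": None, "name": m.group("svc"),
                            "path": m.group("path"), "running": m.group("state") == "R",
                            "start_type": int(m.group("start")), "stamp": m.group("stamp")})
            continue
        m = _AUTORUN.match(line)
        if m and key and "mountpoints2" in key.lower():
            drive = key.rsplit("\\", 1)[-1]     # last key component is the volume letter
            entries.append({"kind": "autorun", "key": key,
                            "name": f"{drive}:{m.group('verb')}", "path": m.group("cmd")})
    return entries


def outside_trusted_roots(entries):
    """Launch points whose binary is not under the Windows or Program Files tree."""
    return [e for e in entries if not e["path"].lower().startswith(TRUSTED_ROOTS)]


if __name__ == "__main__":
    for e in outside_trusted_roots(parse_combofix_loading_points(SAMPLE_COMBOFIX)):
        print(f'{e["kind"]:8} {e["name"]:14} {e["path"]}')
```

On the sample the only hits are the three MountPoints2 verbs for drive H:, which is exactly the class of entry worth checking after a Vundo-type infection: a cached `\Shell\AutoRun\command` for a removable volume re-launches whatever `SETUP.EXE` was on that volume the next time it is double-clicked, whether or not the media is still trusted. The path-root filter is deliberately crude: it says nothing about a random-named, hidden file dropped straight into `system32`, so it complements rather than replaces the file-date and size listing earlier in the log.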

 


Guest
This topic has been closed. No further replies can be added.