Prośba O Sprawdzenie Logów-virus Na Pendrivie.

falar · 25 Kwietnia 2009

Witam

Do mojego komputera podłączony był pendrive, na którym znajdował się trojan. Proszę o sprawdzenie logów.

» Naciśnij aby pokazać/ukryć tekst oznaczony jako spoiler « - "HijackThis"

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 22:18:13, on 2009-04-25

Platform: Windows XP Dodatek SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16827)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\COMODO\Firewall\cmdagent.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\antivirus\aswUpdSv.exe

C:\antivirus\ashServ.exe

C:\WINDOWS\RTHDCPL.EXE

C:\ANTIVI~1\ashDisp.exe

C:\Program Files\COMODO\Firewall\cfp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe

C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe

C:\WINDOWS\system32\notepad.exe

C:\WINDOWS\explorer.exe

C:\antivirus\ashWebSv.exe

C:\Program Files\Mozilla Firefox\firefox.exe

F:\instalatory\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wp.pl/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll

O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - F:\Free Download Manager\iefdm2.dll

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [avast!] C:\ANTIVI~1\ashDisp.exe

O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\Firewall\cfp.exe" -h

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: Download video with Free Download Manager - file://F:\Free Download Manager\dlfvideo.htm

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://F:\OFFICE\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Pobierz w Free Download Manager - file://F:\Free Download Manager\dllink.htm

O8 - Extra context menu item: Pobierz wszystkie pliki w Free Download Manager - file://F:\Free Download Manager\dlall.htm

O8 - Extra context menu item: Pobierz zaznaczone w Free Download Manager - file://F:\Free Download Manager\dlselected.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll

O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\OFFICE\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.pl/resources/virussca...can_unicode.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1193779393968

O17 - HKLM\System\CCS\Services\Tcpip\..\{1C190836-0C23-4653-B98F-362834B21FA8}: NameServer = 10.101.1.1,62.233.128.17,194.204.159.1

O17 - HKLM\System\CS1\Services\Tcpip\..\{1C190836-0C23-4653-B98F-362834B21FA8}: NameServer = 10.101.1.1,62.233.128.17,194.204.159.1

O17 - HKLM\System\CS2\Services\Tcpip\..\{1C190836-0C23-4653-B98F-362834B21FA8}: NameServer = 10.101.1.1,62.233.128.17,194.204.159.1

O17 - HKLM\System\CS3\Services\Tcpip\..\{1C190836-0C23-4653-B98F-362834B21FA8}: NameServer = 10.101.1.1,62.233.128.17,194.204.159.1

O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

O20 - AppInit_DLLs:

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\antivirus\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\antivirus\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\antivirus\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\antivirus\ashWebSv.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)

O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--

End of file - 6898 bytes

» Naciśnij aby pokazać/ukryć tekst oznaczony jako spoiler « - "Combofix"

ComboFix 09-04-25.A3 - użytkownik 2009-04-25 22:13.3 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1250.48.1045.18.2047.1556 [GMT 2:00]

Uruchomiony z: f:\instalatory\ComboFix.exe

AV: avast! antivirus 4.8.1335 [VPS 090425-0] *On-access scanning disabled* (Updated)

FW: COMODO Firewall *enabled*

* Utworzono nowy punkt przywracania

UWAGA - TEN KOMPUTER NIE MA ZAINSTALOWANEJ KONSOLI ODZYSKIWANIA !!

.

((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\IE4 Error Log.txt

.

((((((((((((((((((((((((( Pliki utworzone od 2009-05-25 do 2009-4-25 )))))))))))))))))))))))))))))))

.

2009-04-23 20:45 . 2009-04-23 20:45 -------- d-----w c:\program files\Common Files\PCSuite

2009-04-23 20:45 . 2009-04-23 20:45 -------- d-----w c:\program files\Common Files\Nokia

2009-04-23 20:44 . 2008-08-26 08:26 18816 ----a-w c:\windows\system32\drivers\pccsmcfd.sys

2009-04-23 20:44 . 2009-04-23 20:44 -------- d-----w c:\program files\PC Connectivity Solution

2009-04-22 19:02 . 2009-04-22 19:02 -------- d-----w c:\program files\FormatFactory

2009-04-19 16:13 . 2009-04-19 16:13 -------- d-----w c:\documents and settings\użytkownik\Ustawienia lokalne\Dane aplikacji\Opera

2009-04-19 16:13 . 2009-04-19 16:13 -------- d-----w c:\program files\Opera

2009-04-18 22:12 . 2009-04-18 22:12 -------- d-----w c:\program files\VUGames

2009-04-18 16:29 . 2009-04-18 16:29 52216 ---ha-w c:\windows\system32\mlfcache.dat

2009-04-18 16:27 . 2009-04-18 16:27 -------- d-----w c:\program files\Safari

2009-04-18 16:26 . 2009-04-18 16:26 -------- d-----w c:\documents and settings\użytkownik\Ustawienia lokalne\Dane aplikacji\Apple

2009-04-18 16:26 . 2009-04-18 16:26 -------- d-----w c:\program files\Apple Software Update

2009-04-18 16:26 . 2009-04-18 16:26 -------- d-----w c:\documents and settings\All Users\Dane aplikacji\Apple

2009-04-16 15:30 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe

2009-04-16 15:30 . 2009-03-06 14:22 285696 -c----w c:\windows\system32\dllcache\pdh.dll

2009-04-16 15:30 . 2009-02-09 11:25 111104 -c----w c:\windows\system32\dllcache\services.exe

2009-04-16 15:30 . 2009-02-09 10:53 401408 -c----w c:\windows\system32\dllcache\rpcss.dll

2009-04-16 15:30 . 2009-02-09 10:53 731136 -c----w c:\windows\system32\dllcache\lsasrv.dll

2009-04-16 15:30 . 2009-02-09 10:53 686592 -c----w c:\windows\system32\dllcache\advapi32.dll

2009-04-16 15:30 . 2009-02-09 10:53 473600 -c----w c:\windows\system32\dllcache\fastprox.dll

2009-04-16 15:30 . 2009-02-09 10:53 722944 -c----w c:\windows\system32\dllcache\ntdll.dll

2009-04-16 15:30 . 2009-02-09 10:53 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll

2009-04-16 15:29 . 2009-03-27 06:58 1203922 -c----w c:\windows\system32\dllcache\sysmain.sdb

2009-04-16 15:29 . 2008-04-21 21:16 218112 -c----w c:\windows\system32\dllcache\wordpad.exe

2009-03-29 19:42 . 2009-03-29 19:56 -------- d-----w c:\program files\Battle for Wesnoth 1.6

.

(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-04-25 20:05 . 2001-10-26 18:15 99364 ----a-w c:\windows\system32\perfc015.dat

2009-04-25 20:05 . 2001-10-26 18:15 526266 ----a-w c:\windows\system32\perfh015.dat

2009-04-23 20:45 . 2008-11-23 11:25 -------- d-----w c:\program files\Nokia

2009-04-23 20:43 . 2008-11-23 11:23 -------- d-----w c:\documents and settings\All Users\Dane aplikacji\Installations

2009-04-22 17:48 . 2009-03-22 16:55 -------- d-----w c:\documents and settings\użytkownik\Dane aplikacji\DC++

2009-04-18 22:21 . 2007-09-12 18:04 -------- d--h--w c:\program files\InstallShield Installation Information

2009-04-18 16:27 . 2007-09-17 17:53 -------- d-----w c:\documents and settings\użytkownik\Dane aplikacji\Apple Computer

2009-04-10 13:12 . 2008-12-20 22:00 -------- d-----w c:\program files\Odkurzacz

2009-04-10 13:07 . 2009-03-14 17:10 -------- d-----w c:\program files\Onimedia

2009-03-13 13:46 . 2007-09-30 16:14 -------- d-----w c:\program files\Common Files\Wise Installation Wizard

2009-03-13 13:45 . 2008-04-19 12:05 -------- d-----w c:\program files\AGEIA Technologies

2009-03-06 14:22 . 2004-08-03 22:44 285696 ----a-w c:\windows\system32\pdh.dll

2009-03-03 14:22 . 2008-07-10 15:00 155384 ----a-w c:\windows\system32\guard32.dll

2009-03-03 14:22 . 2008-07-10 15:00 110992 ----a-w c:\windows\system32\drivers\cmdguard.sys

2009-03-03 00:10 . 2004-08-03 22:44 826368 ----a-w c:\windows\system32\wininet.dll

2009-02-27 12:17 . 2008-03-07 20:14 -------- d-----w c:\program files\Microsoft Silverlight

2009-02-20 17:13 . 2004-08-03 22:44 78336 ----a-w c:\windows\system32\ieencode.dll

2009-02-09 14:07 . 2004-08-03 22:37 1847040 ----a-w c:\windows\system32\win32k.sys

2009-02-09 11:26 . 2004-08-04 00:39 2025472 ----a-w c:\windows\system32\ntkrnlpa.exe

2009-02-09 11:26 . 2004-08-03 22:38 2146816 ----a-w c:\windows\system32\ntoskrnl.exe

2009-02-09 11:25 . 2004-08-03 22:44 111104 ----a-w c:\windows\system32\services.exe

2009-02-09 10:53 . 2004-08-03 22:44 401408 ----a-w c:\windows\system32\rpcss.dll

2009-02-09 10:53 . 2004-08-03 22:44 731136 ----a-w c:\windows\system32\lsasrv.dll

2009-02-09 10:53 . 2004-08-03 22:43 686592 ----a-w c:\windows\system32\advapi32.dll

2009-02-09 10:53 . 2004-08-03 22:43 722944 ----a-w c:\windows\system32\ntdll.dll

2009-02-09 05:37 . 2008-11-23 11:25 91136 ----a-w c:\windows\system32\nmwcdcls.dll

2009-02-06 10:39 . 2001-10-26 19:30 35328 ----a-w c:\windows\system32\sc.exe

2009-02-03 19:58 . 2004-08-03 22:44 56832 ----a-w c:\windows\system32\secur32.dll

2008-09-24 16:47 . 2007-09-14 17:46 72296 ----a-w c:\documents and settings\użytkownik\Ustawienia lokalne\Dane aplikacji\GDIPFONTCACHEV1.DAT

2008-03-20 21:56 . 2008-03-20 21:56 22328 ----a-w c:\documents and settings\użytkownik\Dane aplikacji\PnkBstrK.sys

2008-03-07 20:02 . 2008-03-07 20:02 161824 ----a-w c:\documents and settings\LocalService\Ustawienia lokalne\Dane aplikacji\FontCache3.0.0.0.dat

2007-09-15 09:38 . 2007-09-15 09:38 135 ----a-w c:\documents and settings\użytkownik\Ustawienia lokalne\Dane aplikacji\fusioncache.dat

2008-09-23 17:48 . 2008-09-23 17:49 32768 --sha-w c:\windows\system32\config\systemprofile\Ustawienia lokalne\Historia\History.IE5\MSHist012008092320080924\index.dat

.

((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2009-03-20 1312256]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]

"avast!"="c:\antivi~1\ashDisp.exe" [2009-02-05 81000]

"COMODO Firewall Pro"="c:\program files\COMODO\Firewall\cfp.exe" [2009-03-03 1851128]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]

"COMODO Internet Security"="c:\program files\COMODO\Firewall\cfp.exe" [2009-03-03 1851128]

"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-03-21 16126464]

"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]

2008-05-02 00:42 72208 ----a-w c:\program files\common files\logitech\bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Synchronizer.lnk]

path=c:\documents and settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Synchronizer.lnk

backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^DualCoreCenter.lnk]

path=c:\documents and settings\All Users\Menu Start\Programy\Autostart\DualCoreCenter.lnk

backup=c:\windows\pss\DualCoreCenter.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Menu Start\Programy\Autostart\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^HP Image Zone - szybkie uruchamianie.lnk]

path=c:\documents and settings\All Users\Menu Start\Programy\Autostart\HP Image Zone - szybkie uruchamianie.lnk

backup=c:\windows\pss\HP Image Zone - szybkie uruchamianie.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Logitech Desktop Messenger.lnk]

path=c:\documents and settings\All Users\Menu Start\Programy\Autostart\Logitech Desktop Messenger.lnk

backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Logitech SetPoint.lnk]

path=c:\documents and settings\All Users\Menu Start\Programy\Autostart\Logitech SetPoint.lnk

backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Menu Start\Programy\Autostart\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Windows Search.lnk]

path=c:\documents and settings\All Users\Menu Start\Programy\Autostart\Windows Search.lnk

backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^użytkownik^Pulpit^skróty^Autostart^Adobe Gamma.lnk]

path=c:\documents and settings\użytkownik\Pulpit\skróty\Autostart\Adobe Gamma.lnk

backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"UPS"=3 (0x3)

"TapiSrv"=3 (0x3)

"RDSessMgr"=3 (0x3)

"RasMan"=3 (0x3)

"RasAuto"=3 (0x3)

"ose"=3 (0x3)

"iPod Service"=3 (0x3)

"Harmonogram automatycznej usługi LiveUpdate"=2 (0x2)

"FastUserSwitchingCompatibility"=3 (0x3)

"Apple Mobile Device"=2 (0x2)

"CLTNetCnService"=2 (0x2)

"Adobe LM Service"=3 (0x3)

"WMPNetworkSvc"=3 (0x3)

"RichVideo"=2 (0x2)

"nTuneService"=2 (0x2)

"LBTServ"=3 (0x3)

"ERSvc"=2 (0x2)

"helpsvc"=2 (0x2)

"RemoteRegistry"=2 (0x2)

"seclogon"=2 (0x2)

"SCardSvr"=3 (0x3)

"idsvc"=3 (0x3)

"IDriverT"=3 (0x3)

"FLEXnet Licensing Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=

"f:\\DC++\\DCPlusPlus.exe"=

"f:\\Gadu-Gadu\\gg.exe"=

"f:\\totalcmd\\TOTALCMD.EXE"=

"f:\\gry\\burn\\BurnoutLauncher.exe"=

"f:\\gry\\burn\\BurnoutConfigTool.exe"=

"f:\\gry\\burn\\BurnoutParadise.exe"=

"c:\\Program Files\\VUGames\\SWAT 4\\ContentExpansion\\System\\Swat4X.exe"=

"c:\\Program Files\\VUGames\\SWAT 4\\ContentExpansion\\System\\Swat4XDedicatedServer.exe"=

R3 CrystalSysInfo;CrystalSysInfo; [x]

R3 EverestDriver;Lavalys EVEREST Kernel Driver; [x]

S1 aswSP;avast! Self Protection; [x]

S1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [2009-03-03 110992]

S1 cmdHlp;COMODO Firewall Pro Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [2009-02-22 24336]

S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{caa51aa2-25aa-11dd-9076-0019dbb544af}]

\Shell\AutoRun\command - G:\LaunchU3.exe -a

.

------- Skan uzupełniający -------

.

uStart Page = hxxp://www.wp.pl/

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

IE: Download video with Free Download Manager - file://f:\free download manager\dlfvideo.htm

IE: E&ksport do programu Microsoft Excel - f:\office\OFFICE11\EXCEL.EXE/3000

IE: Pobierz w Free Download Manager - file://f:\free download manager\dllink.htm

IE: Pobierz wszystkie pliki w Free Download Manager - file://f:\free download manager\dlall.htm

IE: Pobierz zaznaczone w Free Download Manager - file://f:\free download manager\dlselected.htm

TCP: {1C190836-0C23-4653-B98F-362834B21FA8} = 10.101.1.1,62.233.128.17,194.204.159.1

Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

FF - ProfilePath - c:\documents and settings\użytkownik\Dane aplikacji\Mozilla\Firefox\Profiles\wyuf9n5d.default\

FF - prefs.js: browser.startup.homepage - dobreprogramy.pl

FF - component: c:\documents and settings\użytkownik\Dane aplikacji\Mozilla\Firefox\Profiles\wyuf9n5d.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll

FF - component: c:\program files\Nokia\Nokia PC Suite 7\bkmrksync\components\BkMrkExt.dll

FF - plugin: f:\adobe\Reader\browser\nppdf32.dll

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-04-25 22:15

Windows 5.1.2600 Dodatek Service Pack 3 NTFS

detected NTDLL code modification:

ZwClose, ZwOpenFile

skanowanie ukrytych procesów ...

skanowanie ukrytych wpisów autostartu ...

skanowanie ukrytych plików ...

skanowanie pomyślnie ukończone

ukryte pliki: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EverestDriver]

"ImagePath"="\??\c:\program files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt"

.

--------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------

[HKEY_USERS\S-1-5-21-343818398-1336601894-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-343818398-1336601894-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"??"=hex:aa,cf,30,64,9f,aa,3f,b5,69,4c,60,93,86,a7,14,7f,55,4f,c6,68,53,14,63,

82,e5,b4,ed,5b,55,34,12,e2,dc,eb,75,26,94,36,6d,fa,6d,49,e2,17,f1,a9,f0,b3,\

"??"=hex:29,23,be,84,e1,6c,d6,ae,52,90,49,f1,f1,bb,e9,eb

[HKEY_USERS\S-1-5-21-343818398-1336601894-839522115-1003\Software\SecuROM\License information*]

"datasecu"=hex:44,90,63,7d,c6,7f,c8,5d,c0,ba,4f,4b,be,e4,d7,4f,e1,e0,77,be,d0,

87,2a,79,6b,3a,49,21,59,00,4e,45,a9,b8,ab,c3,94,87,b7,d1,72,2b,18,eb,99,ee,\

"rkeysecu"=hex:bb,9d,a4,3d,54,9a,9b,c9,99,4c,3f,f7,0c,43,a9,03

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]

"ThreadingModel"="Apartment"