Wigon.kt -potrzebna Pomoc, Analiza Loga

spider3k · 12 Lipca 2009

Witam, antywirus NOD32 wyswietla mi co jakis czas, C:\DOCUME~1\Pawel\USTAWI~1\Temp\BN7.tmp

jest to trojan i powoduje on spowolnianie internetu. Podczas skanowania TEMP antywirus nic nie wykrywa...

Na koncie brata ten problem nie wystepuje.

Log z HijackThis:

Logfile of Trend Micro HijackThis v2.0.2Scan saved at 18:58:14, on 2009-07-12Platform: Windows XP Dodatek SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\LEXBCES.EXEC:\WINDOWS\system32\spoolsv.exeC:\PROGRA~1\Agnitum\OUTPOS~1\acs.exeC:\WINDOWS\system32\CTsvcCDA.exeC:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exeC:\WINDOWS\system32\PnkBstrA.exeC:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exeC:\WINDOWS\system32\MsPMSPSv.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\wscntfy.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\CTHELPER.EXEC:\WINDOWS\RTHDCPL.EXEC:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exeC:\Program Files\Common Files\Real\Update_OB\realsched.exeC:\Program Files\Creative\ShareDLL\CtNotify.exeC:\WINDOWS\system32\LXSUPMON.EXEC:\Program Files\Creative\ShareDLL\MediaDet.exeC:\Program Files\Razer\DeathAdder\razerhid.exeC:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exeC:\Program Files\Razer\DeathAdder\razertra.exeC:\WINDOWS\regx32.exeC:\Program Files\Razer\DeathAdder\razerofa.exeC:\Program Files\ESET\ESET NOD32 Antivirus\egui.exeC:\WINDOWS\system32\lexpps.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exeC:\Program Files\Gadu-Gadu\gg.exeC:\Program Files\uTorrent\uTorrent.exeC:\Program Files\Dropbox\Dropbox.exeC:\Program Files\Xfire\xfire.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Mozilla Firefox\firefox.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeC:\Documents and Settings\Paweł\Paweł.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [url="http://pes.com.pl/indexP.php"]http://pes.com.pl/indexP.php[/url]R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = ŁączaO1 - Hosts: 217.112.88.118 pes6gate-ec.winning-eleven.netO1 - Hosts: 210.249.144.166 we9stun.winning-eleven.netO2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dllO2 - BHO: (no name) - {140BD8E3-C167-11D4-B4A3-080000180323} - (no file)O2 - BHO: BitComet Helper - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dllO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dllO2 - BHO: D - {992A5751-8C16-3090-94B8-82A670D272A0} - (no file)O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dllO3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXEO4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXEO4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /runO4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exeO4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe bootO4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXEO4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXEO4 - HKLM\..\Run: [Remove AtiHotKey] "c:\program files\AtiHotKey\AtiHotKey.exe" O4 - HKLM\..\Run: [OutpostMonitor] C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe /tray /noserviceO4 - HKLM\..\Run: [OutpostFeedBack] "C:\Program Files\Agnitum\Outpost Firewall Pro\feedback.exe" /dump:os_startupO4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osbootO4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exeO4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUNO4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRunO4 - HKLM\..\Run: [DeathAdder] C:\Program Files\Razer\DeathAdder\razerhid.exeO4 - HKLM\..\Run: [TrialReset] C:\WINDOWS\regx32.exeO4 - HKLM\..\Run: [C://j.jar] C://j.jarO4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -kO4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitserviceO4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exeO4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [GreedyTorrent] "C:\Program Files\GreedyTorrent\GTor.exe" -trayO4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /trayO4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /backgroundO4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"O4 - HKCU\..\Run: [Paweł] C:\Documents and Settings\Paweł\Paweł.exe /iO4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')O4 - Startup: Dropbox.lnk = C:\Program Files\Dropbox\Dropbox.exeO4 - Startup: rncsys32.exeO4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exeO8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dllO9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Program Files\Agnitum\Outpost Firewall Pro\ie_bar.dllO9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLLO9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO17 - HKLM\System\CCS\Services\Tcpip\..\{0D292497-ED2D-4AAD-A6ED-4DD2B08DDF31}: NameServer = 213.241.79.38,213.241.79.37O20 - AppInit_DLLs: c:\progra~1\agnitum\outpos~1\wl_hook.dllO23 - Service: Agnitum Client Security Service (acssrv) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exeO23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exeO23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exeO23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exeO23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exeO23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exeO23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exeO23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXEO23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exeO23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe--End of file - 8301 bytes

Prosilbym o pomoc.

ULLISSES · 12 Lipca 2009

1. Log umieszczamy w spoilerze.

2. Przeleć Spybot S&D w trybie awaryjnym.

Kolobos · 12 Lipca 2009

Masz zainfekowany system do tego piracki nod i po co Ci ten nod skoro i tak nie potrafi nic usunac? Zainstaluj jakis darmowy program antywirusowy. Daj log z combofix.

spider3k · 12 Lipca 2009

» Naciśnij aby pokazać/ukryć tekst oznaczony jako spoiler « - "Log combofix"

ComboFix 09-07-12.01 - Paweł 2009-07-12 23:25.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1250.48.1045.18.2047.1461 [GMT 2:00]
Uruchomiony z: c:\documents and settings\Paweł\Moje dokumenty\Pobieranie\ComboFix.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: COMODO Firewall Pro *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
FW: Outpost Firewall Pro *disabled* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}
.

((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Dane aplikacji\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Dane aplikacji\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Paweł\Paweł.exe
C:\install.exe
c:\program files\FlashGet Network
c:\program files\FlashGet Network\FlashGet universal\dbtrans_verbose - 2009.02.22 19.38.17.log
c:\program files\FlashGet Network\FlashGet universal\dbtrans_verbose.log
c:\program files\FlashGet Network\FlashGet universal\fgoption.ini
c:\program files\FlashGet Network\FlashGet universal\P2PCfg.ini
c:\program files\FlashGet Network\FlashGet universal\p2spmgr.ini
c:\program files\FlashGet Network\FlashGet universal\p4spmgr.ini
c:\program files\FlashGet Network\FlashGet universal\Profiles\config.dat
c:\program files\FlashGet Network\FlashGet universal\Profiles\tasks.dat
c:\program files\FlashGet Network\FlashGet universal\transaction - 2009.02.22 19.38.17.log
c:\program files\FlashGet Network\FlashGet universal\transaction.log
c:\windows\Installer\10f63ec.msi
c:\windows\Installer\1901ac.msi
c:\windows\system32\ATIODCLI.exe
c:\windows\system32\ATIODE.exe
c:\windows\system32\BReWErS.dll
c:\windows\system32\drivers\ws2_32sik.sys

----- BITS: Możliwe zainfekowane strony -----

hxxp://91.203.93.6
.
((((((((((((((((((((((((((((((((((((((( Sterowniki/Usługi )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_nicsk32
-------\Service_ws2_32sik

((((((((((((((((((((((((( Pliki utworzone od 2009-06-12 do 2009-07-12 )))))))))))))))))))))))))))))))
.

2009-07-10 07:33 . 2008-12-07 18:08 795648 ----a-w- c:\windows\system32\xvidcore.dll
2009-07-10 07:33 . 2007-07-05 02:33 892928 ----a-w- c:\windows\system32\iconv.dll
2009-07-02 19:26 . 2009-07-02 19:26 41808 ----a-w- c:\windows\system32\xfcodec.dll
2009-07-01 15:01 . 2009-07-01 20:54 0 ----a-w- c:\windows\system32\drivers\3ada269d.sys
2009-06-18 18:25 . 2009-06-18 18:25 -------- d-----w- c:\program files\Grupa IMAGE

.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-12 21:31 . 2004-08-04 12:00 41216 ----a-w- c:\windows\system32\drivers\systemntmi.sys
2009-07-12 21:29 . 2007-12-23 12:31 24 ----a-w- c:\windows\system32\DVCStateBkp-{00000005-00000000-00000003-00001102-00000002-80651102}.dat
2009-07-12 21:29 . 2007-12-23 12:31 24 ----a-w- c:\windows\system32\DVCState-{00000005-00000000-00000003-00001102-00000002-80651102}.dat
2009-07-12 07:56 . 2007-12-23 11:22 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-10 07:33 . 2009-02-13 13:35 -------- d-----w- c:\program files\ALLPlayer
2009-07-08 16:45 . 2007-12-25 16:23 138608 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-07-08 16:45 . 2007-12-25 16:22 189800 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-07-08 16:44 . 2008-03-29 14:04 -------- d-----w- c:\program files\Xfire
2009-06-20 17:31 . 2007-12-23 20:28 -------- d-----w- c:\program files\mIRC
2009-06-08 17:52 . 2009-06-08 17:52 279712 ----a-w- c:\windows\system32\drivers\atksgt.sys
2009-06-08 17:52 . 2009-06-08 17:52 25888 ----a-w- c:\windows\system32\drivers\lirsgt.sys
2009-06-05 12:22 . 2009-04-25 18:00 -------- d-----w- c:\program files\Dropbox
2009-05-17 17:26 . 2007-12-27 09:54 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-05-16 03:58 . 2007-10-17 02:40 4069888 ----a-w- c:\windows\system32\drivers\ati2mtag.sys
2009-05-16 03:39 . 2007-12-23 11:22 442368 ----a-w- c:\windows\system32\ATIDEMGX.dll
2009-05-16 03:38 . 2007-10-17 02:04 335872 ----a-w- c:\windows\system32\ati2dvag.dll
2009-05-16 03:18 . 2007-10-17 01:56 204800 ----a-w- c:\windows\system32\atipdlxx.dll
2009-05-16 03:17 . 2007-10-17 01:56 155648 ----a-w- c:\windows\system32\Oemdspif.dll
2009-05-16 03:17 . 2007-10-17 01:56 26112 ----a-w- c:\windows\system32\Ati2mdxx.exe
2009-05-16 03:17 . 2007-10-17 01:55 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2009-05-16 03:17 . 2007-10-17 01:55 155648 ----a-w- c:\windows\system32\ati2evxx.dll
2009-05-16 03:15 . 2007-10-17 01:54 602112 ----a-w- c:\windows\system32\ati2evxx.exe
2009-05-16 03:14 . 2007-10-17 01:53 53248 ----a-w- c:\windows\system32\ATIDDC.DLL
2009-05-16 03:07 . 2007-10-17 01:44 2987136 ----a-w- c:\windows\system32\ati3duag.dll
2009-05-16 02:55 . 2008-09-24 02:09 11423744 ----a-w- c:\windows\system32\atioglxx.dll
2009-05-16 02:54 . 2007-10-17 01:33 2122624 ----a-w- c:\windows\system32\ativvaxx.dll
2009-05-16 02:54 . 2007-12-23 11:22 887724 ----a-w- c:\windows\system32\ativva6x.dat
2009-05-16 02:54 . 2007-12-23 11:22 3 ----a-w- c:\windows\system32\ativva5x.dat
2009-05-16 02:51 . 2007-12-23 11:22 311296 ----a-w- c:\windows\system32\atiiiexx.dll
2009-05-16 02:38 . 2009-05-16 02:38 49664 ----a-w- c:\windows\system32\atimpc32.dll
2009-05-16 02:38 . 2008-02-26 02:29 49664 ----a-w- c:\windows\system32\amdpcom32.dll
2009-05-16 02:33 . 2007-10-17 01:19 479232 ----a-w- c:\windows\system32\atikvmag.dll
2009-05-16 02:31 . 2008-05-12 15:03 139264 ----a-w- c:\windows\system32\atiadlxx.dll
2009-05-16 02:31 . 2007-10-17 01:17 17408 ----a-w- c:\windows\system32\atitvo32.dll
2009-05-16 02:30 . 2007-10-17 01:16 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2009-05-16 02:26 . 2007-10-17 01:15 376832 ----a-w- c:\windows\system32\atiok3x2.dll
2009-05-16 02:24 . 2007-10-17 01:11 651264 ----a-w- c:\windows\system32\ati2cqag.dll
2009-05-16 01:35 . 2009-02-04 02:43 45056 ----a-w- c:\windows\system32\aticalrt.dll
2009-05-16 01:34 . 2009-02-04 02:42 45056 ----a-w- c:\windows\system32\aticalcl.dll
2009-05-16 01:33 . 2009-02-04 02:40 3158016 ----a-w- c:\windows\system32\aticaldd.dll
2009-05-15 19:05 . 2007-12-23 11:22 593920 ------w- c:\windows\system32\ati2sgag.exe
2009-05-05 19:33 . 2009-05-05 19:33 118784 ----a-w- c:\windows\system32\atibtmon.exe
2009-04-23 19:04 . 2007-12-23 11:22 189051 ----a-w- c:\windows\system32\atiicdxx.dat
2009-04-20 19:49 . 2009-04-20 19:49 737280 ----a-w- c:\windows\iun6002.exe
2009-04-16 15:32 . 2008-12-01 17:00 2272 ----a-w- c:\documents and settings\LocalService\Ustawienia lokalne\Dane aplikacji\FontCache3.0.0.0.dat
2009-04-16 15:31 . 2004-08-04 12:00 82010 ----a-w- c:\windows\system32\perfc015.dat
2009-04-16 15:31 . 2004-08-04 12:00 391672 ----a-w- c:\windows\system32\perfh015.dat
2006-03-20 14:37 . 2008-02-04 13:18 5689344 ----a-w- c:\program files\mplayerc.exe
.

------- Sigcheck -------

[-] 2008-01-12 13:43 359040 7B11118B078B88F87183FE69EDA43137 c:\windows\$NtServicePackUninstall$\tcpip.sys
[-] 2008-04-25 20:01 361344 EAEC6EA32BDABD7622371C10B8D68A17 c:\windows\ServicePackFiles\i386\tcpip.sys
[-] 2008-04-25 20:01 361344 EAEC6EA32BDABD7622371C10B8D68A17 c:\windows\system32\drivers\tcpip.sys

[-] 2007-12-23 11:56 504832 381221F69D1248864861889A64F100B6 c:\windows\$NtServicePackUninstall$\winlogon.exe
[7] 2008-04-14 20:51 510464 51FD2E13D723857B9CA239AE77150F48 c:\windows\ServicePackFiles\i386\winlogon.exe
[-] 2008-04-25 13:49 510464 66ECFE388AD1BD281DD3391B756670CF c:\windows\system32\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-04-01 08:14 1163264 ----a-w- c:\program files\Dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-04-01 08:14 1163264 ----a-w- c:\program files\Dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-04-01 08:14 1163264 ----a-w- c:\program files\Dropbox\DropboxExt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Gadu-Gadu"="c:\program files\Gadu-Gadu\gg.exe" [2008-05-18 2127296]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2009-02-09 270128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"CTStartup"="c:\program files\Creative\Splash Screen\CTEaxSpl.EXE" [2001-12-20 28672]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2007-08-29 1966080]
"Remove AtiHotKey"="c:\program files\AtiHotKey\AtiHotKey.exe" [2005-08-01 19968]
"OutpostMonitor"="c:\progra~1\Agnitum\OUTPOS~1\op_mon.exe" [2007-12-20 961536]
"OutpostFeedBack"="c:\program files\Agnitum\Outpost Firewall Pro\feedback.exe" [2007-12-19 405504]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-02-04 185896]
"Disc Detector"="c:\program files\Creative\ShareDLL\CtNotify.exe" [2001-12-25 191488]
"LXSUPMON"="c:\windows\system32\LXSUPMON.EXE" [2002-01-28 885760]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
"DeathAdder"="c:\program files\Razer\DeathAdder\razerhid.exe" [2007-09-07 159744]
"TrialReset"="c:\windows\regx32.exe" [2008-07-03 285327]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-10-24 1451264]
"WINDVDPatch"="CTHELPER.EXE" - c:\windows\system32\CTHELPER.EXE [2002-07-02 24576]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-03-21 16126464]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Rafa\Menu Start\Programy\Autostart\
rncsys32.exe [2008-4-14 22016]

c:\documents and settings\Pawe\Menu Start\Programy\Autostart\
Dropbox.lnk - c:\program files\Dropbox\Dropbox.exe [2009-4-9 25598505]
rncsys32.exe [2008-4-14 20992]
Xfire.lnk - c:\program files\Xfire\xfire.exe [2009-7-2 3190096]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Menu Start\Programy\Autostart\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Paweł^Menu Start^Programy^Autostart^Adobe Gamma.lnk]
path=c:\documents and settings\Paweł\Menu Start\Programy\Autostart\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Gadu-Gadu\\gg.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"d:\\Gry\\Assassins Creed\\AssassinsCreed_Dx9.exe"=
"d:\\Gry\\Assassins Creed\\AssassinsCreed_Dx10.exe"=
"d:\\Gry\\Assassins Creed\\AssassinsCreed_Launcher.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Gry\\Tom Clancy's Rainbow Six Vegas 2\\Binaries\\R6Vegas2_Game.exe"=
"d:\\Gry\\Tom Clancy's Rainbow Six Vegas 2\\Binaries\\R6Vegas2_Launcher.exe"=
"d:\\Gry\\World in Conflict\\wic.exe"=
"d:\\Gry\\World in Conflict\\wic_online.exe"=
"d:\\Gry\\World in Conflict\\wic_ds.exe"=
"d:\\Gry\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"d:\\Download\\uTorrent.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\FlashFXP\\FlashFXP.exe"=
"d:\\Gry\\Pro Evolution Soccer 2009\\pes2009.exe"=
"d:\\Gry\\Far Cry 2\\bin\\FarCry2.exe"=
"d:\\Gry\\Far Cry 2\\bin\\FC2Launcher.exe"=
"d:\\Gry\\Far Cry 2\\bin\\FC2Editor.exe"=
"d:\\Gry\\Pro Evolution Soccer 2009\\PES09\\pes2009.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"c:\\totalcmd\\TOTALCMD.EXE"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"d:\\Gry\\Tom Clancy's EndWar\\Binaries\\EndWar.exe"=
"d:\\Gry\\Tom Clancy's EndWar\\Tom Clancy's EndWar Launcher.exe"=
"d:\\Gry\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\XR_3DA.exe"=
"d:\\Gry\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\dedicated\\XR_3DA.exe"=
"d:\\Gry\\S.T.A.L.K.E.R. - Clear Sky\\bin\\xrEngine.exe"=
"d:\\Gry\\S.T.A.L.K.E.R. - Clear Sky\\bin\\dedicated\\xrEngine.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7303:TCP"= 7303:TCP:BitComet 7303 TCP
"7303:UDP"= 7303:UDP:BitComet 7303 UDP
"3478:UDP"= 3478:UDP:stun
"3479:UDP"= 3479:UDP:stun 2
"6112:UDP"= 6112:UDP:stun 3
"5730:UDP"= 5730:UDP:game
"5739:UDP"= 5739:UDP:game 1
"9001:TCP"= 9001:TCP:game 2
"11881:TCP"= 11881:TCP:game 3

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-08-18 34824]
R1 SandBox;SandBox;c:\windows\system32\drivers\SandBox.sys [2008-01-22 443424]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2008-10-24 468224]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [2008-01-22 200464]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2008-07-02 89600]
R3 DAdderFltr;DeathAdder Mouse;c:\windows\system32\drivers\dadder.sys [2008-11-19 22784]
S2 acssrv;Agnitum Client Security Service;c:\progra~1\Agnitum\OUTPOS~1\acs.exe [2008-01-22 1232896]
S2 NOD32FiXTemDono;Eset Nod32 Boot;c:\windows\system32\regedt32.exe [2004-08-04 3584]
S2 systemntmi;systemntmi;c:\windows\system32\drivers\systemntmi.sys [2004-08-04 41216]
S3 ALSysIO;ALSysIO;\??\c:\docume~1\PAWE~1\USTAWI~1\Temp\ALSysIO.sys --> c:\docume~1\PAWE~1\USTAWI~1\Temp\ALSysIO.sys [?]
S3 ASWFilt;ASWFilt;c:\windows\system32\Filt\ASWFilt.dll [2008-01-22 32896]
S3 FXDrv32;FXDrv32;c:\program files\FOXCONN\Fox LiveUpdate\FXDrv32.sys [2008-01-05 23872]
S3 gggen;Generic USB Flash Driver;c:\windows\system32\drivers\gggen.sys [2008-10-30 11648]
S3 kvpndev;Kerio VPN adapter;c:\windows\system32\drivers\kvpndrv.sys [2007-12-07 65024]
S3 kwflower;Kerio WinRoute Firewall Driver - Lower Layer;c:\windows\system32\DRIVERS\kwflower.sys --> c:\windows\system32\DRIVERS\kwflower.sys [?]
.
- - - - USUNIĘTO PUSTE WPISY - - - -

BHO-{140BD8E3-C167-11D4-B4A3-080000180323} - (no file)
BHO-{992A5751-8C16-3090-94B8-82A670D272A0} - (no file)
HKCU-Run-GreedyTorrent - c:\program files\GreedyTorrent\GTor.exe
HKLM-Run-Regedit32 - c:\windows\system32\regedit.exe
HKLM-Run-C://j.jar - C://j.jar

.
------- Skan uzupełniający -------
.
uStart Page = hxxp://pes.com.pl/indexP.php
IE: E&ksport do programu Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {0D292497-ED2D-4AAD-A6ED-4DD2B08DDF31} = 213.241.79.38,213.241.79.37
FF - ProfilePath - c:\documents and settings\Paweł\Dane aplikacji\Mozilla\Firefox\Profiles\v3r1gxw2.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (pl)
FF - prefs.js: browser.startup.homepage - hxxp://google.pl/
FF - plugin: c:\documents and settings\All Users\Dane aplikacji\id Software\QuakeLive\npquakezero.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPCARDS.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npganymedenet.dll

---- FIREFOX - SPOSÓB POSTĘPOWANIA ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-12 23:30
Windows 5.1.2600 Dodatek Service Pack 3 NTFS

skanowanie ukrytych procesów ...

skanowanie ukrytych wpisów autostartu ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTStartup = c:\program files\Creative\Splash Screen\CTEaxSpl.EXE /run???h??????s?????\?w? ?w???????w???w4???????.??w4???????4???TA?s4????????&8?????\??? ??? ???\???\???????????5?7~e?7~\???\???????0?`??????C@?\???\??????s????\??????s\????&8?A??s?&8??C@?x???`|?w\?????@
Disc Detector = c:\program files\Creative\ShareDLL\CtNotify.exe?X???????????????????E?@?Disc Detector?A????? ?A?@ ????B?e!@???@???@?? C?????E?@?????????@?B???A????? ?A?? ????B???@?????P?????@?P ??????~?7~??????????@?E?????????????????B?????? ??????????????????????????r?B

skanowanie ukrytych plików ...

skanowanie pomyślnie ukończone
ukryte pliki: 0

**************************************************************************
.
--------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------

[HKEY_USERS\S-1-5-21-1614895754-790525478-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{001A86FC-8DF0-530D-84AA-205629EC95DC}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"panloneilmbnggpgdpkmahofopijjbbc"=hex:69,61,61,68,6f,64,6c,66,66,6a,70,61,62,
67,68,6f,69,67,00,00
"oahlmajefgbgibpahfnalkpenhmbee"=hex:69,61,6e,67,70,65,6c,68,6c,6f,65,70,63,65,
68,65,61,6d,00,00

[HKEY_USERS\S-1-5-21-1614895754-790525478-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:56,3f,a1,97,5e,e0,4f,39,be,f3,e9,83,c0,e2,29,06,cd,3c,40,31,e5,f7,4f,
2a,94,a8,c6,2e,7c,96,ea,88,ad,62,f5,6e,94,cd,f0,1d,e3,28,58,2f,95,2a,f1,7f,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50

[HKEY_USERS\S-1-5-21-1614895754-790525478-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:32,84,1a,a5,a1,59,6c,8e,e6,6b,e6,e1,82,17,4a,6e,5b,65,3b,3b,37,
20,d6,f5,17,7a,e4,87,6c,d6,5b,88,a6,e1,08,bd,d5,a4,ed,d1,e1,91,88,89,e1,48,\
"rkeysecu"=hex:a1,fb,79,8e,18,ca,b0,3b,52,96,21,ab,fe,df,9c,79
.
--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------

- - - - - - - > 'winlogon.exe'(1016)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(5344)
c:\program files\Xfire\xfire_toucan_37857.dll
c:\program files\Dropbox\DropboxExt.dll
c:\program files\Gadu-Gadu\ggwhook.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
c:\program files\Microsoft Office\OFFICE11\msohev.dll
c:\program files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
.
------------------------ Pozostałe uruchomione procesy ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\windows\system32\ati2evxx.exe
c:\windows\system32\CTSVCCDA.EXE
c:\windows\system32\PnkBstrA.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\wscntfy.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Creative\ShareDLL\MEDIADET.EXE
c:\program files\Razer\DeathAdder\razertra.exe
c:\program files\Razer\DeathAdder\razerofa.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
.
**************************************************************************
.
Czas ukończenia: 2009-07-12 23:34 - komputer został uruchomiony ponownie
ComboFix-quarantined-files.txt 2009-07-12 21:34

Przed: 13 989 908 480 bajtów wolnych
Po: 22 111 866 880 bajtów wolnych

WindowsXP-KB310994-SP2-Pro-BootDisk-PLK.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer

372 --- E O F --- 2008-04-25 13:48

Kolobos · 12 Lipca 2009

Uzyj CFScript.txt z combofix:

File::

c:\windows\system32\drivers\3ada269d.sys

c:\windows\system32\drivers\systemntmi.sys

c:\documents and settings\Rafa\Menu Start\Programy\Autostart\rncsys32.exe

c:\documents and settings\Pawe\Menu Start\Programy\Autostart\rncsys32.exe

Driver::

systemntmi

ALSysIO

Po wykonaniu daj log.

Nastepnie zrob skan przy pomocy Dr.Web CureIt oraz Malwarebytes Anti-Malware.

spider3k · 13 Lipca 2009

» Naciśnij aby pokazać/ukryć tekst oznaczony jako spoiler « - "combofix log"

ComboFix 09-07-12.01 - Paweł 2009-07-13 9:40.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1250.48.1045.18.2047.1339 [GMT 2:00]
Uruchomiony z: c:\documents and settings\Paweł\Moje dokumenty\Pobieranie\ComboFix.exe
Użyto następujących komend :: c:\documents and settings\Paweł\Moje dokumenty\Pobieranie\CFScript.txt
AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: COMODO Firewall Pro *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
FW: Outpost Firewall Pro *enabled* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}

FILE ::
"c:\documents and settings\Pawe\Menu Start\Programy\Autostart\rncsys32.exe"
"c:\documents and settings\Rafa\Menu Start\Programy\Autostart\rncsys32.exe"
"c:\windows\system32\drivers\3ada269d.sys"
"c:\windows\system32\drivers\systemntmi.sys"
.

((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\3ada269d.sys
c:\windows\system32\drivers\systemntmi.sys

.
((((((((((((((((((((((((((((((((((((((( Sterowniki/Usługi )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ALSYSIO
-------\Legacy_SYSTEMNTMI
-------\Service_ALSysIO
-------\Service_systemntmi

((((((((((((((((((((((((( Pliki utworzone od 2009-06-13 do 2009-07-13 )))))))))))))))))))))))))))))))
.

2009-07-10 07:33 . 2008-12-07 18:08 795648 ----a-w- c:\windows\system32\xvidcore.dll
2009-07-10 07:33 . 2007-07-05 02:33 892928 ----a-w- c:\windows\system32\iconv.dll
2009-07-02 19:26 . 2009-07-02 19:26 41808 ----a-w- c:\windows\system32\xfcodec.dll
2009-06-18 18:25 . 2009-06-18 18:25 -------- d-----w- c:\program files\Grupa IMAGE

.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-13 07:45 . 2007-12-23 12:31 24 ----a-w- c:\windows\system32\DVCStateBkp-{00000005-00000000-00000003-00001102-00000002-80651102}.dat
2009-07-13 07:45 . 2007-12-23 12:31 24 ----a-w- c:\windows\system32\DVCState-{00000005-00000000-00000003-00001102-00000002-80651102}.dat
2009-07-12 07:56 . 2007-12-23 11:22 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-10 07:33 . 2009-02-13 13:35 -------- d-----w- c:\program files\ALLPlayer
2009-07-08 16:45 . 2007-12-25 16:23 138608 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-07-08 16:45 . 2007-12-25 16:22 189800 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-07-08 16:44 . 2008-03-29 14:04 -------- d-----w- c:\program files\Xfire
2009-06-20 17:31 . 2007-12-23 20:28 -------- d-----w- c:\program files\mIRC
2009-06-08 17:52 . 2009-06-08 17:52 279712 ----a-w- c:\windows\system32\drivers\atksgt.sys
2009-06-08 17:52 . 2009-06-08 17:52 25888 ----a-w- c:\windows\system32\drivers\lirsgt.sys
2009-06-05 12:22 . 2009-04-25 18:00 -------- d-----w- c:\program files\Dropbox
2009-05-17 17:26 . 2007-12-27 09:54 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-05-16 03:58 . 2007-10-17 02:40 4069888 ----a-w- c:\windows\system32\drivers\ati2mtag.sys
2009-05-16 03:39 . 2007-12-23 11:22 442368 ----a-w- c:\windows\system32\ATIDEMGX.dll
2009-05-16 03:38 . 2007-10-17 02:04 335872 ----a-w- c:\windows\system32\ati2dvag.dll
2009-05-16 03:18 . 2007-10-17 01:56 204800 ----a-w- c:\windows\system32\atipdlxx.dll
2009-05-16 03:17 . 2007-10-17 01:56 155648 ----a-w- c:\windows\system32\Oemdspif.dll
2009-05-16 03:17 . 2007-10-17 01:56 26112 ----a-w- c:\windows\system32\Ati2mdxx.exe
2009-05-16 03:17 . 2007-10-17 01:55 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2009-05-16 03:17 . 2007-10-17 01:55 155648 ----a-w- c:\windows\system32\ati2evxx.dll
2009-05-16 03:15 . 2007-10-17 01:54 602112 ----a-w- c:\windows\system32\ati2evxx.exe
2009-05-16 03:14 . 2007-10-17 01:53 53248 ----a-w- c:\windows\system32\ATIDDC.DLL
2009-05-16 03:07 . 2007-10-17 01:44 2987136 ----a-w- c:\windows\system32\ati3duag.dll
2009-05-16 02:55 . 2008-09-24 02:09 11423744 ----a-w- c:\windows\system32\atioglxx.dll
2009-05-16 02:54 . 2007-10-17 01:33 2122624 ----a-w- c:\windows\system32\ativvaxx.dll
2009-05-16 02:54 . 2007-12-23 11:22 887724 ----a-w- c:\windows\system32\ativva6x.dat
2009-05-16 02:54 . 2007-12-23 11:22 3 ----a-w- c:\windows\system32\ativva5x.dat
2009-05-16 02:51 . 2007-12-23 11:22 311296 ----a-w- c:\windows\system32\atiiiexx.dll
2009-05-16 02:38 . 2009-05-16 02:38 49664 ----a-w- c:\windows\system32\atimpc32.dll
2009-05-16 02:38 . 2008-02-26 02:29 49664 ----a-w- c:\windows\system32\amdpcom32.dll
2009-05-16 02:33 . 2007-10-17 01:19 479232 ----a-w- c:\windows\system32\atikvmag.dll
2009-05-16 02:31 . 2008-05-12 15:03 139264 ----a-w- c:\windows\system32\atiadlxx.dll
2009-05-16 02:31 . 2007-10-17 01:17 17408 ----a-w- c:\windows\system32\atitvo32.dll
2009-05-16 02:30 . 2007-10-17 01:16 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2009-05-16 02:26 . 2007-10-17 01:15 376832 ----a-w- c:\windows\system32\atiok3x2.dll
2009-05-16 02:24 . 2007-10-17 01:11 651264 ----a-w- c:\windows\system32\ati2cqag.dll
2009-05-16 01:35 . 2009-02-04 02:43 45056 ----a-w- c:\windows\system32\aticalrt.dll
2009-05-16 01:34 . 2009-02-04 02:42 45056 ----a-w- c:\windows\system32\aticalcl.dll
2009-05-16 01:33 . 2009-02-04 02:40 3158016 ----a-w- c:\windows\system32\aticaldd.dll
2009-05-15 19:05 . 2007-12-23 11:22 593920 ------w- c:\windows\system32\ati2sgag.exe
2009-05-05 19:33 . 2009-05-05 19:33 118784 ----a-w- c:\windows\system32\atibtmon.exe
2009-04-23 19:04 . 2007-12-23 11:22 189051 ----a-w- c:\windows\system32\atiicdxx.dat
2009-04-20 19:49 . 2009-04-20 19:49 737280 ----a-w- c:\windows\iun6002.exe
2009-04-16 15:32 . 2008-12-01 17:00 2272 ----a-w- c:\documents and settings\LocalService\Ustawienia lokalne\Dane aplikacji\FontCache3.0.0.0.dat
2009-04-16 15:31 . 2004-08-04 12:00 82010 ----a-w- c:\windows\system32\perfc015.dat
2009-04-16 15:31 . 2004-08-04 12:00 391672 ----a-w- c:\windows\system32\perfh015.dat
2006-03-20 14:37 . 2008-02-04 13:18 5689344 ----a-w- c:\program files\mplayerc.exe
.

------- Sigcheck -------

[-] 2008-01-12 13:43 359040 7B11118B078B88F87183FE69EDA43137 c:\windows\$NtServicePackUninstall$\tcpip.sys
[-] 2008-04-25 20:01 361344 EAEC6EA32BDABD7622371C10B8D68A17 c:\windows\ServicePackFiles\i386\tcpip.sys
[-] 2008-04-25 20:01 361344 EAEC6EA32BDABD7622371C10B8D68A17 c:\windows\system32\drivers\tcpip.sys

[-] 2007-12-23 11:56 504832 381221F69D1248864861889A64F100B6 c:\windows\$NtServicePackUninstall$\winlogon.exe
[7] 2008-04-14 20:51 510464 51FD2E13D723857B9CA239AE77150F48 c:\windows\ServicePackFiles\i386\winlogon.exe
[-] 2008-04-25 13:49 510464 66ECFE388AD1BD281DD3391B756670CF c:\windows\system32\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-04-01 08:14 1163264 ----a-w- c:\program files\Dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-04-01 08:14 1163264 ----a-w- c:\program files\Dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-04-01 08:14 1163264 ----a-w- c:\program files\Dropbox\DropboxExt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Gadu-Gadu"="c:\program files\Gadu-Gadu\gg.exe" [2008-05-18 2127296]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2009-02-09 270128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"CTStartup"="c:\program files\Creative\Splash Screen\CTEaxSpl.EXE" [2001-12-20 28672]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2007-08-29 1966080]
"Remove AtiHotKey"="c:\program files\AtiHotKey\AtiHotKey.exe" [2005-08-01 19968]
"OutpostMonitor"="c:\progra~1\Agnitum\OUTPOS~1\op_mon.exe" [2007-12-20 961536]
"OutpostFeedBack"="c:\program files\Agnitum\Outpost Firewall Pro\feedback.exe" [2007-12-19 405504]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-02-04 185896]
"Disc Detector"="c:\program files\Creative\ShareDLL\CtNotify.exe" [2001-12-25 191488]
"LXSUPMON"="c:\windows\system32\LXSUPMON.EXE" [2002-01-28 885760]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
"DeathAdder"="c:\program files\Razer\DeathAdder\razerhid.exe" [2007-09-07 159744]
"TrialReset"="c:\windows\regx32.exe" [2008-07-03 285327]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-10-24 1451264]
"Regedit32"="c:\windows\system32\regedit.exe" [bU]
"WINDVDPatch"="CTHELPER.EXE" - c:\windows\system32\CTHELPER.EXE [2002-07-02 24576]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-03-21 16126464]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Rafa\Menu Start\Programy\Autostart\
rncsys32.exe [2008-4-14 22016]

c:\documents and settings\Pawe\Menu Start\Programy\Autostart\
Dropbox.lnk - c:\program files\Dropbox\Dropbox.exe [2009-4-9 25598505]
rncsys32.exe [2008-4-14 20992]
Xfire.lnk - c:\program files\Xfire\xfire.exe [2009-7-2 3190096]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Menu Start\Programy\Autostart\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Paweł^Menu Start^Programy^Autostart^Adobe Gamma.lnk]
path=c:\documents and settings\Paweł\Menu Start\Programy\Autostart\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Gadu-Gadu\\gg.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"d:\\Gry\\Assassins Creed\\AssassinsCreed_Dx9.exe"=
"d:\\Gry\\Assassins Creed\\AssassinsCreed_Dx10.exe"=
"d:\\Gry\\Assassins Creed\\AssassinsCreed_Launcher.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Gry\\Tom Clancy's Rainbow Six Vegas 2\\Binaries\\R6Vegas2_Game.exe"=
"d:\\Gry\\Tom Clancy's Rainbow Six Vegas 2\\Binaries\\R6Vegas2_Launcher.exe"=
"d:\\Gry\\World in Conflict\\wic.exe"=
"d:\\Gry\\World in Conflict\\wic_online.exe"=
"d:\\Gry\\World in Conflict\\wic_ds.exe"=
"d:\\Gry\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"d:\\Download\\uTorrent.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\FlashFXP\\FlashFXP.exe"=
"d:\\Gry\\Pro Evolution Soccer 2009\\pes2009.exe"=
"d:\\Gry\\Far Cry 2\\bin\\FarCry2.exe"=
"d:\\Gry\\Far Cry 2\\bin\\FC2Launcher.exe"=
"d:\\Gry\\Far Cry 2\\bin\\FC2Editor.exe"=
"d:\\Gry\\Pro Evolution Soccer 2009\\PES09\\pes2009.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"c:\\totalcmd\\TOTALCMD.EXE"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"d:\\Gry\\Tom Clancy's EndWar\\Binaries\\EndWar.exe"=
"d:\\Gry\\Tom Clancy's EndWar\\Tom Clancy's EndWar Launcher.exe"=
"d:\\Gry\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\XR_3DA.exe"=
"d:\\Gry\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\dedicated\\XR_3DA.exe"=
"d:\\Gry\\S.T.A.L.K.E.R. - Clear Sky\\bin\\xrEngine.exe"=
"d:\\Gry\\S.T.A.L.K.E.R. - Clear Sky\\bin\\dedicated\\xrEngine.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7303:TCP"= 7303:TCP:BitComet 7303 TCP
"7303:UDP"= 7303:UDP:BitComet 7303 UDP
"3478:UDP"= 3478:UDP:stun
"3479:UDP"= 3479:UDP:stun 2
"6112:UDP"= 6112:UDP:stun 3
"5730:UDP"= 5730:UDP:game
"5739:UDP"= 5739:UDP:game 1
"9001:TCP"= 9001:TCP:game 2
"11881:TCP"= 11881:TCP:game 3

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-08-18 34824]
R1 SandBox;SandBox;c:\windows\system32\drivers\SandBox.sys [2008-01-22 443424]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2008-10-24 468224]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [2008-01-22 200464]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2008-07-02 89600]
R3 DAdderFltr;DeathAdder Mouse;c:\windows\system32\drivers\dadder.sys [2008-11-19 22784]
S2 acssrv;Agnitum Client Security Service;c:\progra~1\Agnitum\OUTPOS~1\acs.exe [2008-01-22 1232896]
S2 NOD32FiXTemDono;Eset Nod32 Boot;c:\windows\system32\regedt32.exe [2004-08-04 3584]
S3 ASWFilt;ASWFilt;c:\windows\system32\Filt\ASWFilt.dll [2008-01-22 32896]
S3 FXDrv32;FXDrv32;c:\program files\FOXCONN\Fox LiveUpdate\FXDrv32.sys [2008-01-05 23872]
S3 gggen;Generic USB Flash Driver;c:\windows\system32\drivers\gggen.sys [2008-10-30 11648]
S3 kvpndev;Kerio VPN adapter;c:\windows\system32\drivers\kvpndrv.sys [2007-12-07 65024]
S3 kwflower;Kerio WinRoute Firewall Driver - Lower Layer;c:\windows\system32\DRIVERS\kwflower.sys --> c:\windows\system32\DRIVERS\kwflower.sys [?]
.
.
------- Skan uzupełniający -------
.
uStart Page = hxxp://pes.com.pl/indexP.php
IE: E&ksport do programu Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {0D292497-ED2D-4AAD-A6ED-4DD2B08DDF31} = 213.241.79.38,213.241.79.37
FF - ProfilePath - c:\documents and settings\Paweł\Dane aplikacji\Mozilla\Firefox\Profiles\v3r1gxw2.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (pl)
FF - prefs.js: browser.startup.homepage - hxxp://google.pl/
FF - plugin: c:\documents and settings\All Users\Dane aplikacji\id Software\QuakeLive\npquakezero.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPCARDS.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npganymedenet.dll

---- FIREFOX - SPOSÓB POSTĘPOWANIA ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-13 09:46
Windows 5.1.2600 Dodatek Service Pack 3 NTFS

skanowanie ukrytych procesów ...

skanowanie ukrytych wpisów autostartu ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTStartup = c:\program files\Creative\Splash Screen\CTEaxSpl.EXE /run???h??????s?????\?w? ?w???????w???w4???????.??w4???????4???TA?s4????????&8?????\??? ??? ???\???\???????????5?7~e?7~\???\???????(q`??????C@?\???\??????s????\??????s\????&8?A??s?&8??C@?x???`|?w\?????@
Disc Detector = c:\program files\Creative\ShareDLL\CtNotify.exe?X???????????????????E?@?Disc Detector?A????? ?A?@ ????B?e!@???@???@?? C?????E?@?????????@?B???A????? ?A?? ????B???@?????P?????@?P ??????~?7~??????????@???????????????????B?????? ???????????????????`??????r?B

skanowanie ukrytych plików ...

c:\windows\TEMP\HTTFE.tmp 0 bytes

skanowanie pomyślnie ukończone
ukryte pliki: 1

**************************************************************************
.
--------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------

[HKEY_USERS\S-1-5-21-1614895754-790525478-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{001A86FC-8DF0-530D-84AA-205629EC95DC}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"panloneilmbnggpgdpkmahofopijjbbc"=hex:69,61,61,68,6f,64,6c,66,66,6a,70,61,62,
67,68,6f,69,67,00,00
"oahlmajefgbgibpahfnalkpenhmbee"=hex:69,61,6e,67,70,65,6c,68,6c,6f,65,70,63,65,
68,65,61,6d,00,00

[HKEY_USERS\S-1-5-21-1614895754-790525478-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:56,3f,a1,97,5e,e0,4f,39,be,f3,e9,83,c0,e2,29,06,cd,3c,40,31,e5,f7,4f,
2a,94,a8,c6,2e,7c,96,ea,88,ad,62,f5,6e,94,cd,f0,1d,e3,28,58,2f,95,2a,f1,7f,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50

[HKEY_USERS\S-1-5-21-1614895754-790525478-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:32,84,1a,a5,a1,59,6c,8e,e6,6b,e6,e1,82,17,4a,6e,5b,65,3b,3b,37,
20,d6,f5,17,7a,e4,87,6c,d6,5b,88,a6,e1,08,bd,d5,a4,ed,d1,e1,91,88,89,e1,48,\
"rkeysecu"=hex:a1,fb,79,8e,18,ca,b0,3b,52,96,21,ab,fe,df,9c,79
.
--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------

- - - - - - - > 'winlogon.exe'(1016)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3456)
c:\program files\Xfire\xfire_toucan_37857.dll
c:\program files\Dropbox\DropboxExt.dll
c:\program files\Gadu-Gadu\ggwhook.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\progra~1\MICROS~2\OFFICE11\MCPS.DLL
.
------------------------ Pozostałe uruchomione procesy ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Creative\ShareDLL\MEDIADET.EXE
c:\windows\system32\CTSVCCDA.EXE
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\Razer\DeathAdder\razertra.exe
c:\program files\Razer\DeathAdder\razerofa.exe
c:\windows\system32\wscntfy.exe
c:\program files\Mozilla Firefox\firefox.exe
.
**************************************************************************
.
Czas ukończenia: 2009-07-13 9:49 - komputer został uruchomiony ponownie
ComboFix-quarantined-files.txt 2009-07-13 07:49
ComboFix2.txt 2009-07-12 21:35

Przed: 22 095 618 048 bajtów wolnych
Po: 22 060 253 184 bajtów wolnych

344 --- E O F --- 2008-04-25 13:48

Kolobos · 13 Lipca 2009

Usun recznie te pliki:

c:\documents and settings\Rafa\Menu Start\Programy\Autostart\rncsys32.exe

c:\documents and settings\Pawe\Menu Start\Programy\Autostart\rncsys32.exe

Oraz w hijackthis wpis:

"Regedit32"="c:\windows\system32\regedit.exe" [bU]

spider3k · 13 Lipca 2009

Zrobione. Czyli teraz powinno wszystko byc ok?

Kolobos · 13 Lipca 2009

Powinno.

spider3k · 13 Lipca 2009

Dziekuje za pomoc! Wyglada na to, ze wszystko jest OK!

Dziekuje ponownie!

Zaloguj się

Wigon.kt -potrzebna Pomoc, Analiza Loga

Rekomendowane odpowiedzi

Udostępnij tę odpowiedź

Odnośnik do odpowiedzi

Udostępnij na innych stronach

Udostępnij tę odpowiedź

Odnośnik do odpowiedzi

Udostępnij na innych stronach

Udostępnij tę odpowiedź

Odnośnik do odpowiedzi

Udostępnij na innych stronach

Udostępnij tę odpowiedź

Odnośnik do odpowiedzi

Udostępnij na innych stronach

Udostępnij tę odpowiedź

Odnośnik do odpowiedzi

Udostępnij na innych stronach

Udostępnij tę odpowiedź

Odnośnik do odpowiedzi

Udostępnij na innych stronach

Udostępnij tę odpowiedź

Odnośnik do odpowiedzi

Udostępnij na innych stronach

Udostępnij tę odpowiedź

Odnośnik do odpowiedzi

Udostępnij na innych stronach

Udostępnij tę odpowiedź

Odnośnik do odpowiedzi

Udostępnij na innych stronach

Udostępnij tę odpowiedź

Odnośnik do odpowiedzi

Udostępnij na innych stronach

Dołącz do dyskusji