spider3k, posted 12 July 2009

Hello, every so often NOD32 antivirus reports C:\DOCUME~1\Pawel\USTAWI~1\Temp\BN7.tmp as a trojan, and it slows down the internet connection. When I scan TEMP the antivirus detects nothing... The problem does not occur on my brother's account.

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:58:14, on 2009-07-12
Platform: Windows XP Dodatek SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\WINDOWS\system32\LXSUPMON.EXE
C:\Program Files\Creative\ShareDLL\MediaDet.exe
C:\Program Files\Razer\DeathAdder\razerhid.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Razer\DeathAdder\razertra.exe
C:\WINDOWS\regx32.exe
C:\Program Files\Razer\DeathAdder\razerofa.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\lexpps.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Dropbox\Dropbox.exe
C:\Program Files\Xfire\xfire.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Documents and Settings\Paweł\Paweł.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://pes.com.pl/indexP.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O1 - Hosts: 217.112.88.118 pes6gate-ec.winning-eleven.net
O1 - Hosts: 210.249.144.166 we9stun.winning-eleven.net
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {140BD8E3-C167-11D4-B4A3-080000180323} - (no file)
O2 - BHO: BitComet Helper - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: D - {992A5751-8C16-3090-94B8-82A670D272A0} - (no file)
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Remove AtiHotKey] "c:\program files\AtiHotKey\AtiHotKey.exe"
O4 - HKLM\..\Run: [OutpostMonitor] C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe /tray /noservice
O4 - HKLM\..\Run: [OutpostFeedBack] "C:\Program Files\Agnitum\Outpost Firewall Pro\feedback.exe" /dump:os_startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [DeathAdder] C:\Program Files\Razer\DeathAdder\razerhid.exe
O4 - HKLM\..\Run: [TrialReset] C:\WINDOWS\regx32.exe
O4 - HKLM\..\Run: [C://j.jar] C://j.jar
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [GreedyTorrent] "C:\Program Files\GreedyTorrent\GTor.exe" -tray
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [Paweł] C:\Documents and Settings\Paweł\Paweł.exe /i
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Dropbox.lnk = C:\Program Files\Dropbox\Dropbox.exe
O4 - Startup: rncsys32.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Program Files\Agnitum\Outpost Firewall Pro\ie_bar.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{0D292497-ED2D-4AAD-A6ED-4DD2B08DDF31}: NameServer = 213.241.79.38,213.241.79.37
O20 - AppInit_DLLs: c:\progra~1\agnitum\outpos~1\wl_hook.dll
O23 - Service: Agnitum Client Security Service (acssrv) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 8301 bytes

I would appreciate some help.
ULLISSES, posted 12 July 2009

1. Put the log inside a spoiler.
2. Run Spybot S&D in safe mode.
Kolobos, posted 12 July 2009

Your system is infected, and on top of that you have a pirated NOD; what do you need that NOD for if it can't remove anything anyway? Install some free antivirus program. Post a ComboFix log.
spider3k Opublikowano 12 Lipca 2009 Zgłoś Opublikowano 12 Lipca 2009 » Naciśnij aby pokazać/ukryć tekst oznaczony jako spoiler « - "Log combofix" ComboFix 09-07-12.01 - Paweł 2009-07-12 23:25.1.2 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.3.1250.48.1045.18.2047.1461 [GMT 2:00] Uruchomiony z: c:\documents and settings\Paweł\Moje dokumenty\Pobieranie\ComboFix.exe AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0} FW: COMODO Firewall Pro *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B} FW: Outpost Firewall Pro *disabled* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD} . ((((((((((((((((((((((((((((((((((((((( Usunięto ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\All Users\Dane aplikacji\Microsoft\Network\Downloader\qmgr0.dat c:\documents and settings\All Users\Dane aplikacji\Microsoft\Network\Downloader\qmgr1.dat c:\documents and settings\Paweł\Paweł.exe C:\install.exe c:\program files\FlashGet Network c:\program files\FlashGet Network\FlashGet universal\dbtrans_verbose - 2009.02.22 19.38.17.log c:\program files\FlashGet Network\FlashGet universal\dbtrans_verbose.log c:\program files\FlashGet Network\FlashGet universal\fgoption.ini c:\program files\FlashGet Network\FlashGet universal\P2PCfg.ini c:\program files\FlashGet Network\FlashGet universal\p2spmgr.ini c:\program files\FlashGet Network\FlashGet universal\p4spmgr.ini c:\program files\FlashGet Network\FlashGet universal\Profiles\config.dat c:\program files\FlashGet Network\FlashGet universal\Profiles\tasks.dat c:\program files\FlashGet Network\FlashGet universal\transaction - 2009.02.22 19.38.17.log c:\program files\FlashGet Network\FlashGet universal\transaction.log c:\windows\Installer\10f63ec.msi c:\windows\Installer\1901ac.msi c:\windows\system32\ATIODCLI.exe c:\windows\system32\ATIODE.exe c:\windows\system32\BReWErS.dll c:\windows\system32\drivers\ws2_32sik.sys ----- BITS: Możliwe zainfekowane strony ----- 
hxxp://91.203.93.6 . ((((((((((((((((((((((((((((((((((((((( Sterowniki/Usługi ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Service_nicsk32 -------\Service_ws2_32sik ((((((((((((((((((((((((( Pliki utworzone od 2009-06-12 do 2009-07-12 ))))))))))))))))))))))))))))))) . 2009-07-10 07:33 . 2008-12-07 18:08 795648 ----a-w- c:\windows\system32\xvidcore.dll 2009-07-10 07:33 . 2007-07-05 02:33 892928 ----a-w- c:\windows\system32\iconv.dll 2009-07-02 19:26 . 2009-07-02 19:26 41808 ----a-w- c:\windows\system32\xfcodec.dll 2009-07-01 15:01 . 2009-07-01 20:54 0 ----a-w- c:\windows\system32\drivers\3ada269d.sys 2009-06-18 18:25 . 2009-06-18 18:25 -------- d-----w- c:\program files\Grupa IMAGE . (((((((((((((((((((((((((((((((((((((((( Sekcja Find3M )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-07-12 21:31 . 2004-08-04 12:00 41216 ----a-w- c:\windows\system32\drivers\systemntmi.sys 2009-07-12 21:29 . 2007-12-23 12:31 24 ----a-w- c:\windows\system32\DVCStateBkp-{00000005-00000000-00000003-00001102-00000002-80651102}.dat 2009-07-12 21:29 . 2007-12-23 12:31 24 ----a-w- c:\windows\system32\DVCState-{00000005-00000000-00000003-00001102-00000002-80651102}.dat 2009-07-12 07:56 . 2007-12-23 11:22 -------- d--h--w- c:\program files\InstallShield Installation Information 2009-07-10 07:33 . 2009-02-13 13:35 -------- d-----w- c:\program files\ALLPlayer 2009-07-08 16:45 . 2007-12-25 16:23 138608 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys 2009-07-08 16:45 . 2007-12-25 16:22 189800 ----a-w- c:\windows\system32\PnkBstrB.exe 2009-07-08 16:44 . 2008-03-29 14:04 -------- d-----w- c:\program files\Xfire 2009-06-20 17:31 . 2007-12-23 20:28 -------- d-----w- c:\program files\mIRC 2009-06-08 17:52 . 2009-06-08 17:52 279712 ----a-w- c:\windows\system32\drivers\atksgt.sys 2009-06-08 17:52 . 2009-06-08 17:52 25888 ----a-w- c:\windows\system32\drivers\lirsgt.sys 2009-06-05 12:22 . 2009-04-25 18:00 -------- d-----w- c:\program files\Dropbox 2009-05-17 17:26 . 
2007-12-27 09:54 -------- d-----w- c:\program files\Mozilla Thunderbird 2009-05-16 03:58 . 2007-10-17 02:40 4069888 ----a-w- c:\windows\system32\drivers\ati2mtag.sys 2009-05-16 03:39 . 2007-12-23 11:22 442368 ----a-w- c:\windows\system32\ATIDEMGX.dll 2009-05-16 03:38 . 2007-10-17 02:04 335872 ----a-w- c:\windows\system32\ati2dvag.dll 2009-05-16 03:18 . 2007-10-17 01:56 204800 ----a-w- c:\windows\system32\atipdlxx.dll 2009-05-16 03:17 . 2007-10-17 01:56 155648 ----a-w- c:\windows\system32\Oemdspif.dll 2009-05-16 03:17 . 2007-10-17 01:56 26112 ----a-w- c:\windows\system32\Ati2mdxx.exe 2009-05-16 03:17 . 2007-10-17 01:55 43520 ----a-w- c:\windows\system32\ati2edxx.dll 2009-05-16 03:17 . 2007-10-17 01:55 155648 ----a-w- c:\windows\system32\ati2evxx.dll 2009-05-16 03:15 . 2007-10-17 01:54 602112 ----a-w- c:\windows\system32\ati2evxx.exe 2009-05-16 03:14 . 2007-10-17 01:53 53248 ----a-w- c:\windows\system32\ATIDDC.DLL 2009-05-16 03:07 . 2007-10-17 01:44 2987136 ----a-w- c:\windows\system32\ati3duag.dll 2009-05-16 02:55 . 2008-09-24 02:09 11423744 ----a-w- c:\windows\system32\atioglxx.dll 2009-05-16 02:54 . 2007-10-17 01:33 2122624 ----a-w- c:\windows\system32\ativvaxx.dll 2009-05-16 02:54 . 2007-12-23 11:22 887724 ----a-w- c:\windows\system32\ativva6x.dat 2009-05-16 02:54 . 2007-12-23 11:22 3 ----a-w- c:\windows\system32\ativva5x.dat 2009-05-16 02:51 . 2007-12-23 11:22 311296 ----a-w- c:\windows\system32\atiiiexx.dll 2009-05-16 02:38 . 2009-05-16 02:38 49664 ----a-w- c:\windows\system32\atimpc32.dll 2009-05-16 02:38 . 2008-02-26 02:29 49664 ----a-w- c:\windows\system32\amdpcom32.dll 2009-05-16 02:33 . 2007-10-17 01:19 479232 ----a-w- c:\windows\system32\atikvmag.dll 2009-05-16 02:31 . 2008-05-12 15:03 139264 ----a-w- c:\windows\system32\atiadlxx.dll 2009-05-16 02:31 . 2007-10-17 01:17 17408 ----a-w- c:\windows\system32\atitvo32.dll 2009-05-16 02:30 . 2007-10-17 01:16 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll 2009-05-16 02:26 . 
2007-10-17 01:15 376832 ----a-w- c:\windows\system32\atiok3x2.dll 2009-05-16 02:24 . 2007-10-17 01:11 651264 ----a-w- c:\windows\system32\ati2cqag.dll 2009-05-16 01:35 . 2009-02-04 02:43 45056 ----a-w- c:\windows\system32\aticalrt.dll 2009-05-16 01:34 . 2009-02-04 02:42 45056 ----a-w- c:\windows\system32\aticalcl.dll 2009-05-16 01:33 . 2009-02-04 02:40 3158016 ----a-w- c:\windows\system32\aticaldd.dll 2009-05-15 19:05 . 2007-12-23 11:22 593920 ------w- c:\windows\system32\ati2sgag.exe 2009-05-05 19:33 . 2009-05-05 19:33 118784 ----a-w- c:\windows\system32\atibtmon.exe 2009-04-23 19:04 . 2007-12-23 11:22 189051 ----a-w- c:\windows\system32\atiicdxx.dat 2009-04-20 19:49 . 2009-04-20 19:49 737280 ----a-w- c:\windows\iun6002.exe 2009-04-16 15:32 . 2008-12-01 17:00 2272 ----a-w- c:\documents and settings\LocalService\Ustawienia lokalne\Dane aplikacji\FontCache3.0.0.0.dat 2009-04-16 15:31 . 2004-08-04 12:00 82010 ----a-w- c:\windows\system32\perfc015.dat 2009-04-16 15:31 . 2004-08-04 12:00 391672 ----a-w- c:\windows\system32\perfh015.dat 2006-03-20 14:37 . 2008-02-04 13:18 5689344 ----a-w- c:\program files\mplayerc.exe . ------- Sigcheck ------- [-] 2008-01-12 13:43 359040 7B11118B078B88F87183FE69EDA43137 c:\windows\$NtServicePackUninstall$\tcpip.sys [-] 2008-04-25 20:01 361344 EAEC6EA32BDABD7622371C10B8D68A17 c:\windows\ServicePackFiles\i386\tcpip.sys [-] 2008-04-25 20:01 361344 EAEC6EA32BDABD7622371C10B8D68A17 c:\windows\system32\drivers\tcpip.sys [-] 2007-12-23 11:56 504832 381221F69D1248864861889A64F100B6 c:\windows\$NtServicePackUninstall$\winlogon.exe [7] 2008-04-14 20:51 510464 51FD2E13D723857B9CA239AE77150F48 c:\windows\ServicePackFiles\i386\winlogon.exe [-] 2008-04-25 13:49 510464 66ECFE388AD1BD281DD3391B756670CF c:\windows\system32\winlogon.exe . ((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane REGEDIT4 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1] @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}] 2009-04-01 08:14 1163264 ----a-w- c:\program files\Dropbox\DropboxExt.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2] @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}] 2009-04-01 08:14 1163264 ----a-w- c:\program files\Dropbox\DropboxExt.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3] @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}] 2009-04-01 08:14 1163264 ----a-w- c:\program files\Dropbox\DropboxExt.dll [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360] "Gadu-Gadu"="c:\program files\Gadu-Gadu\gg.exe" [2008-05-18 2127296] "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232] "uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2009-02-09 270128] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112] "CTStartup"="c:\program files\Creative\Splash Screen\CTEaxSpl.EXE" [2001-12-20 28672] "JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864] "36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2007-08-29 1966080] "Remove AtiHotKey"="c:\program files\AtiHotKey\AtiHotKey.exe" [2005-08-01 19968] "OutpostMonitor"="c:\progra~1\Agnitum\OUTPOS~1\op_mon.exe" [2007-12-20 961536] "OutpostFeedBack"="c:\program files\Agnitum\Outpost Firewall Pro\feedback.exe" [2007-12-19 405504] "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" 
[2008-02-04 185896] "Disc Detector"="c:\program files\Creative\ShareDLL\CtNotify.exe" [2001-12-25 191488] "LXSUPMON"="c:\windows\system32\LXSUPMON.EXE" [2002-01-28 885760] "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440] "DeathAdder"="c:\program files\Razer\DeathAdder\razerhid.exe" [2007-09-07 159744] "TrialReset"="c:\windows\regx32.exe" [2008-07-03 285327] "egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-10-24 1451264] "WINDVDPatch"="CTHELPER.EXE" - c:\windows\system32\CTHELPER.EXE [2002-07-02 24576] "RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-03-21 16126464] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360] c:\documents and settings\Rafa\Menu Start\Programy\Autostart\ rncsys32.exe [2008-4-14 22016] c:\documents and settings\Pawe\Menu Start\Programy\Autostart\ Dropbox.lnk - c:\program files\Dropbox\Dropbox.exe [2009-4-9 25598505] rncsys32.exe [2008-4-14 20992] Xfire.lnk - c:\program files\Xfire\xfire.exe [2009-7-2 3190096] [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk] path=c:\documents and settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Microsoft Office.lnk] path=c:\documents and settings\All Users\Menu Start\Programy\Autostart\Microsoft Office.lnk backup=c:\windows\pss\Microsoft Office.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^Paweł^Menu Start^Programy^Autostart^Adobe Gamma.lnk] path=c:\documents and settings\Paweł\Menu Start\Programy\Autostart\Adobe Gamma.lnk backup=c:\windows\pss\Adobe Gamma.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusOverride"=dword:00000001 "FirewallOverride"=dword:00000001 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Gadu-Gadu\\gg.exe"= "c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"= "c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"= "c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"= "c:\\WINDOWS\\system32\\PnkBstrA.exe"= "c:\\WINDOWS\\system32\\PnkBstrB.exe"= "c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"= "d:\\Gry\\Assassins Creed\\AssassinsCreed_Dx9.exe"= "d:\\Gry\\Assassins Creed\\AssassinsCreed_Dx10.exe"= "d:\\Gry\\Assassins Creed\\AssassinsCreed_Launcher.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "d:\\Gry\\Tom Clancy's Rainbow Six Vegas 2\\Binaries\\R6Vegas2_Game.exe"= "d:\\Gry\\Tom Clancy's Rainbow Six Vegas 2\\Binaries\\R6Vegas2_Launcher.exe"= "d:\\Gry\\World in Conflict\\wic.exe"= "d:\\Gry\\World in Conflict\\wic_online.exe"= "d:\\Gry\\World in Conflict\\wic_ds.exe"= "d:\\Gry\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"= "d:\\Download\\uTorrent.exe"= "c:\\Program Files\\uTorrent\\uTorrent.exe"= "c:\\Program Files\\FlashFXP\\FlashFXP.exe"= "d:\\Gry\\Pro Evolution Soccer 2009\\pes2009.exe"= "d:\\Gry\\Far Cry 2\\bin\\FarCry2.exe"= "d:\\Gry\\Far Cry 2\\bin\\FC2Launcher.exe"= "d:\\Gry\\Far Cry 2\\bin\\FC2Editor.exe"= "d:\\Gry\\Pro Evolution Soccer 2009\\PES09\\pes2009.exe"= "c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"= "c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"= "c:\\totalcmd\\TOTALCMD.EXE"= "c:\\Program Files\\Xfire\\xfire.exe"= "d:\\Gry\\Tom Clancy's EndWar\\Binaries\\EndWar.exe"= "d:\\Gry\\Tom Clancy's EndWar\\Tom Clancy's EndWar Launcher.exe"= "d:\\Gry\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\XR_3DA.exe"= "d:\\Gry\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\dedicated\\XR_3DA.exe"= "d:\\Gry\\S.T.A.L.K.E.R. 
- Clear Sky\\bin\\xrEngine.exe"= "d:\\Gry\\S.T.A.L.K.E.R. - Clear Sky\\bin\\dedicated\\xrEngine.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "7303:TCP"= 7303:TCP:BitComet 7303 TCP "7303:UDP"= 7303:UDP:BitComet 7303 UDP "3478:UDP"= 3478:UDP:stun "3479:UDP"= 3479:UDP:stun 2 "6112:UDP"= 6112:UDP:stun 3 "5730:UDP"= 5730:UDP:game "5739:UDP"= 5739:UDP:game 1 "9001:TCP"= 9001:TCP:game 2 "11881:TCP"= 11881:TCP:game 3 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings] "AllowInboundEchoRequest"= 1 (0x1) R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-08-18 34824] R1 SandBox;SandBox;c:\windows\system32\drivers\SandBox.sys [2008-01-22 443424] R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2008-10-24 468224] R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [2008-01-22 200464] R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2008-07-02 89600] R3 DAdderFltr;DeathAdder Mouse;c:\windows\system32\drivers\dadder.sys [2008-11-19 22784] S2 acssrv;Agnitum Client Security Service;c:\progra~1\Agnitum\OUTPOS~1\acs.exe [2008-01-22 1232896] S2 NOD32FiXTemDono;Eset Nod32 Boot;c:\windows\system32\regedt32.exe [2004-08-04 3584] S2 systemntmi;systemntmi;c:\windows\system32\drivers\systemntmi.sys [2004-08-04 41216] S3 ALSysIO;ALSysIO;\??\c:\docume~1\PAWE~1\USTAWI~1\Temp\ALSysIO.sys --> c:\docume~1\PAWE~1\USTAWI~1\Temp\ALSysIO.sys [?] 
S3 ASWFilt;ASWFilt;c:\windows\system32\Filt\ASWFilt.dll [2008-01-22 32896] S3 FXDrv32;FXDrv32;c:\program files\FOXCONN\Fox LiveUpdate\FXDrv32.sys [2008-01-05 23872] S3 gggen;Generic USB Flash Driver;c:\windows\system32\drivers\gggen.sys [2008-10-30 11648] S3 kvpndev;Kerio VPN adapter;c:\windows\system32\drivers\kvpndrv.sys [2007-12-07 65024] S3 kwflower;Kerio WinRoute Firewall Driver - Lower Layer;c:\windows\system32\DRIVERS\kwflower.sys --> c:\windows\system32\DRIVERS\kwflower.sys [?] . - - - - USUNIĘTO PUSTE WPISY - - - - BHO-{140BD8E3-C167-11D4-B4A3-080000180323} - (no file) BHO-{992A5751-8C16-3090-94B8-82A670D272A0} - (no file) HKCU-Run-GreedyTorrent - c:\program files\GreedyTorrent\GTor.exe HKLM-Run-Regedit32 - c:\windows\system32\regedit.exe HKLM-Run-C://j.jar - C://j.jar . ------- Skan uzupełniający ------- . uStart Page = hxxp://pes.com.pl/indexP.php IE: E&ksport do programu Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 TCP: {0D292497-ED2D-4AAD-A6ED-4DD2B08DDF31} = 213.241.79.38,213.241.79.37 FF - ProfilePath - c:\documents and settings\Paweł\Dane aplikacji\Mozilla\Firefox\Profiles\v3r1gxw2.default\ FF - prefs.js: browser.search.selectedEngine - Wikipedia (pl) FF - prefs.js: browser.startup.homepage - hxxp://google.pl/ FF - plugin: c:\documents and settings\All Users\Dane aplikacji\id Software\QuakeLive\npquakezero.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\NPCARDS.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npganymedenet.dll ---- FIREFOX - SPOSÓB POSTĘPOWANIA ---- c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200); c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true); c:\program files\Mozilla 
Firefox\greprefs\all.js - pref("media.autoplay.enabled", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess"); c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120); c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1); c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1); c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072); c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true); c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35"); c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true); c:\program 
**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-12 23:30
Windows 5.1.2600 Dodatek Service Pack 3 NTFS

skanowanie ukrytych procesów ...

skanowanie ukrytych wpisów autostartu ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTStartup = c:\program files\Creative\Splash Screen\CTEaxSpl.EXE /run
Disc Detector = c:\program files\Creative\ShareDLL\CtNotify.exe

skanowanie ukrytych plików ...

skanowanie pomyślnie ukończone
ukryte pliki: 0

**************************************************************************
.
Czas ukończenia: 2009-07-12 23:34 - komputer został uruchomiony ponownie
ComboFix-quarantined-files.txt 2009-07-12 21:34

Przed: 13 989 908 480 bajtów wolnych
Po: 22 111 866 880 bajtów wolnych

WindowsXP-KB310994-SP2-Pro-BootDisk-PLK.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer

372 --- E O F --- 2008-04-25 13:48
Kolobos
Posted 12 July 2009

Use a CFScript.txt with ComboFix:

File::
c:\windows\system32\drivers\3ada269d.sys
c:\windows\system32\drivers\systemntmi.sys
c:\documents and settings\Rafa\Menu Start\Programy\Autostart\rncsys32.exe
c:\documents and settings\Pawe\Menu Start\Programy\Autostart\rncsys32.exe

Driver::
systemntmi
ALSysIO

When it has finished, post the log. Then run a scan with Dr.Web CureIt and Malwarebytes Anti-Malware.
spider3k
Posted 13 July 2009

"combofix log"

ComboFix 09-07-12.01 - Paweł 2009-07-13 9:40.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1250.48.1045.18.2047.1339 [GMT 2:00]
Uruchomiony z: c:\documents and settings\Paweł\Moje dokumenty\Pobieranie\ComboFix.exe
Użyto następujących komend :: c:\documents and settings\Paweł\Moje dokumenty\Pobieranie\CFScript.txt
AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: COMODO Firewall Pro *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
FW: Outpost Firewall Pro *enabled* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}

FILE ::
"c:\documents and settings\Pawe\Menu Start\Programy\Autostart\rncsys32.exe"
"c:\documents and settings\Rafa\Menu Start\Programy\Autostart\rncsys32.exe"
"c:\windows\system32\drivers\3ada269d.sys"
"c:\windows\system32\drivers\systemntmi.sys"
.
((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\drivers\3ada269d.sys
c:\windows\system32\drivers\systemntmi.sys
.
((((((((((((((((((((((((((((((((((((((( Sterowniki/Usługi )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_ALSYSIO
-------\Legacy_SYSTEMNTMI
-------\Service_ALSysIO
-------\Service_systemntmi

((((((((((((((((((((((((( Pliki utworzone od 2009-06-13 do 2009-07-13 )))))))))))))))))))))))))))))))
.
2009-07-10 07:33 . 2008-12-07 18:08 795648 ----a-w- c:\windows\system32\xvidcore.dll
2009-07-10 07:33 . 2007-07-05 02:33 892928 ----a-w- c:\windows\system32\iconv.dll
2009-07-02 19:26 . 2009-07-02 19:26 41808 ----a-w- c:\windows\system32\xfcodec.dll
2009-06-18 18:25 . 2009-06-18 18:25 -------- d-----w- c:\program files\Grupa IMAGE
.
------- Sigcheck -------

[-] 2008-01-12 13:43 359040 7B11118B078B88F87183FE69EDA43137 c:\windows\$NtServicePackUninstall$\tcpip.sys
[-] 2008-04-25 20:01 361344 EAEC6EA32BDABD7622371C10B8D68A17 c:\windows\ServicePackFiles\i386\tcpip.sys
[-] 2008-04-25 20:01 361344 EAEC6EA32BDABD7622371C10B8D68A17 c:\windows\system32\drivers\tcpip.sys

[-] 2007-12-23 11:56 504832 381221F69D1248864861889A64F100B6 c:\windows\$NtServicePackUninstall$\winlogon.exe
[7] 2008-04-14 20:51 510464 51FD2E13D723857B9CA239AE77150F48 c:\windows\ServicePackFiles\i386\winlogon.exe
[-] 2008-04-25 13:49 510464 66ECFE388AD1BD281DD3391B756670CF c:\windows\system32\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-04-01 08:14 1163264 ----a-w- c:\program files\Dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-04-01 08:14 1163264 ----a-w- c:\program files\Dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-04-01 08:14 1163264 ----a-w- c:\program files\Dropbox\DropboxExt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Gadu-Gadu"="c:\program files\Gadu-Gadu\gg.exe" [2008-05-18 2127296]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2009-02-09 270128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"CTStartup"="c:\program files\Creative\Splash Screen\CTEaxSpl.EXE" [2001-12-20 28672]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2007-08-29 1966080]
"Remove AtiHotKey"="c:\program files\AtiHotKey\AtiHotKey.exe" [2005-08-01 19968]
"OutpostMonitor"="c:\progra~1\Agnitum\OUTPOS~1\op_mon.exe" [2007-12-20 961536]
"OutpostFeedBack"="c:\program files\Agnitum\Outpost Firewall Pro\feedback.exe" [2007-12-19 405504]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-02-04 185896]
"Disc Detector"="c:\program files\Creative\ShareDLL\CtNotify.exe" [2001-12-25 191488]
"LXSUPMON"="c:\windows\system32\LXSUPMON.EXE" [2002-01-28 885760]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
"DeathAdder"="c:\program files\Razer\DeathAdder\razerhid.exe" [2007-09-07 159744]
"TrialReset"="c:\windows\regx32.exe" [2008-07-03 285327]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-10-24 1451264]
"Regedit32"="c:\windows\system32\regedit.exe" [bU]
"WINDVDPatch"="CTHELPER.EXE" - c:\windows\system32\CTHELPER.EXE [2002-07-02 24576]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-03-21 16126464]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Rafa\Menu Start\Programy\Autostart\
rncsys32.exe [2008-4-14 22016]

c:\documents and settings\Pawe\Menu Start\Programy\Autostart\
Dropbox.lnk - c:\program files\Dropbox\Dropbox.exe [2009-4-9 25598505]
rncsys32.exe [2008-4-14 20992]
Xfire.lnk - c:\program files\Xfire\xfire.exe [2009-7-2 3190096]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Menu Start\Programy\Autostart\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Paweł^Menu Start^Programy^Autostart^Adobe Gamma.lnk]
path=c:\documents and settings\Paweł\Menu Start\Programy\Autostart\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7303:TCP"= 7303:TCP:BitComet 7303 TCP
"7303:UDP"= 7303:UDP:BitComet 7303 UDP
"3478:UDP"= 3478:UDP:stun
"3479:UDP"= 3479:UDP:stun 2
"6112:UDP"= 6112:UDP:stun 3
"5730:UDP"= 5730:UDP:game
"5739:UDP"= 5739:UDP:game 1
"9001:TCP"= 9001:TCP:game 2
"11881:TCP"= 11881:TCP:game 3

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-08-18 34824]
R1 SandBox;SandBox;c:\windows\system32\drivers\SandBox.sys [2008-01-22 443424]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2008-10-24 468224]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [2008-01-22 200464]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2008-07-02 89600]
R3 DAdderFltr;DeathAdder Mouse;c:\windows\system32\drivers\dadder.sys [2008-11-19 22784]
S2 acssrv;Agnitum Client Security Service;c:\progra~1\Agnitum\OUTPOS~1\acs.exe [2008-01-22 1232896]
S2 NOD32FiXTemDono;Eset Nod32 Boot;c:\windows\system32\regedt32.exe [2004-08-04 3584]
S3 ASWFilt;ASWFilt;c:\windows\system32\Filt\ASWFilt.dll [2008-01-22 32896]
S3 FXDrv32;FXDrv32;c:\program files\FOXCONN\Fox LiveUpdate\FXDrv32.sys [2008-01-05 23872]
S3 gggen;Generic USB Flash Driver;c:\windows\system32\drivers\gggen.sys [2008-10-30 11648]
S3 kvpndev;Kerio VPN adapter;c:\windows\system32\drivers\kvpndrv.sys [2007-12-07 65024]
S3 kwflower;Kerio WinRoute Firewall Driver - Lower Layer;c:\windows\system32\DRIVERS\kwflower.sys --> c:\windows\system32\DRIVERS\kwflower.sys [?]
.
.
------- Skan uzupełniający -------
.
uStart Page = hxxp://pes.com.pl/indexP.php
IE: E&ksport do programu Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {0D292497-ED2D-4AAD-A6ED-4DD2B08DDF31} = 213.241.79.38,213.241.79.37
FF - ProfilePath - c:\documents and settings\Paweł\Dane aplikacji\Mozilla\Firefox\Profiles\v3r1gxw2.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (pl)
FF - prefs.js: browser.startup.homepage - hxxp://google.pl/
FF - plugin: c:\documents and settings\All Users\Dane aplikacji\id Software\QuakeLive\npquakezero.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPCARDS.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npganymedenet.dll
.
**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-13 09:46
Windows 5.1.2600 Dodatek Service Pack 3 NTFS

skanowanie ukrytych procesów ...

skanowanie ukrytych wpisów autostartu ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTStartup = c:\program files\Creative\Splash Screen\CTEaxSpl.EXE /run
Disc Detector = c:\program files\Creative\ShareDLL\CtNotify.exe

skanowanie ukrytych plików ...

c:\windows\TEMP\HTTFE.tmp 0 bytes

skanowanie pomyślnie ukończone
ukryte pliki: 1

**************************************************************************
.
Czas ukończenia: 2009-07-13 9:49 - komputer został uruchomiony ponownie
ComboFix-quarantined-files.txt 2009-07-13 07:49
ComboFix2.txt 2009-07-12 21:35

Przed: 22 095 618 048 bajtów wolnych
Po: 22 060 253 184 bajtów wolnych

344 --- E O F --- 2008-04-25 13:48
Kolobos
Posted 13 July 2009

Delete these files manually:

c:\documents and settings\Rafa\Menu Start\Programy\Autostart\rncsys32.exe
c:\documents and settings\Pawe\Menu Start\Programy\Autostart\rncsys32.exe

And, in HijackThis, this entry:

"Regedit32"="c:\windows\system32\regedit.exe" [bU]
spider3k
Posted 13 July 2009

Done. So everything should be fine now?
Kolobos
Posted 13 July 2009

It should.
spider3k
Posted 13 July 2009

Thanks for the help! It looks like everything is OK! Thanks again!