Logs, computer and data security. Antivirus and antispyware programs, firewalls, etc.

Forum rules

1. Every topic title should reflect the content of the thread.
2. When pasting logs, produce them right away with at least two tools: FRST and GMER.
3. Please publish all logs on the sites intended for that purpose and paste only the link in your post.
4. Do not shorten logs; paste the whole log, from beginning to end.
5. Do not hijack other users' topics; start a new topic in the Security section, which makes it easier for the person checking to help.
6. People without the appropriate knowledge should not check logs, since this risks serious damage to the system or to applications installed on the computer.
7. Describe the problem precisely, including the symptoms and everything you have already tried.
8. Every script is unique and written for one specific case, so it must not be used by others.
9. When posting a screenshot, please use an external image hosting service.

Please analyse my ComboFix log

09 Apr 2008, 01:32

ComboFix 08-04-08.7 - Krzysiek 2008-04-09 1:12:01.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1356 [GMT 2:00]
Running from: C:\Documents and Settings\Krzysiek\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
TimedOut: progfile.dat

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\pbltr.dll
C:\WINDOWS\system32\rvid32.dll
.
---- Previous Run -------
.
C:\Autorun.inf
C:\WINDOWS\system32\Cfx32.lic
C:\WINDOWS\system32\cfx32.ocx
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-03-08 to 2008-04-08 )))))))))))))))))))))))))))))))
.

2008-04-03 22:51 . 2008-03-29 19:31 75,856 --a------ C:\WINDOWS\system32\drivers\aswSP.sys
2008-04-03 22:51 . 2008-03-29 19:35 20,560 --a------ C:\WINDOWS\system32\drivers\aswFsBlk.sys
2008-03-29 19:23 . 2008-03-29 19:23 <DIR> d-------- C:\Logs
2008-03-20 02:44 . 2008-03-20 02:44 <DIR> d-------- C:\WINDOWS\0674B216AB4642EBBEA960702316154E.TMP
2008-03-20 02:44 . 2008-04-09 01:10 4 --a------ C:\WINDOWS\system32\msdbcrpt.kar.{de6af992-0620-498f-922f-79ce716e7a55}
2008-03-20 02:44 . 2008-04-09 01:08 4 --a------ C:\WINDOWS\system32\fsdbcrpt.kar.{de6af992-0620-498f-922f-79ce716e7a55}
2008-03-20 02:43 . 2008-03-20 02:43 <DIR> d-------- C:\Program Files\GFI
2008-03-19 20:14 . 2008-03-19 20:14 <DIR> d-------- C:\Program Files\Microsoft Virtual PC
2008-03-19 16:39 . 2008-03-19 16:42 <DIR> d-------- C:\bernatowicz new
2008-03-16 21:37 . 2008-04-09 01:10 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-16 21:37 . 2008-03-16 21:37 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-15 15:57 . 2008-03-15 15:57 <DIR> d-------- C:\Program Files\iTunes
2008-03-15 15:57 . 2008-03-15 15:57 <DIR> d-------- C:\Program Files\iPod
2008-03-15 15:56 . 2008-03-15 15:57 <DIR> d-------- C:\Program Files\QuickTime
2008-03-15 15:56 . 2008-03-15 15:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-03-15 15:55 . 2008-03-15 15:55 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-03-13 18:14 . 2008-04-07 00:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PowerDesigner 12

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-08 23:11 --------- d-----w C:\Documents and Settings\Krzysiek\Application Data\Skype
2008-04-08 23:08 --------- d-----w C:\Documents and Settings\Krzysiek\Application Data\Azureus
2008-04-08 22:09 --------- d-----w C:\Documents and Settings\Krzysiek\Application Data\skypePM
2008-04-06 14:07 --------- d-----w C:\Program Files\Astral
2008-04-02 03:08 --------- d-----w C:\Program Files\Gadu-Gadu
2008-03-29 17:45 1,146,232 ----a-w C:\WINDOWS\system32\aswBoot.exe
2008-03-29 17:35 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2008-03-29 17:29 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2008-03-29 17:27 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2008-03-29 17:26 26,944 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2008-03-29 17:23 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
2008-03-26 17:27 --------- d-----w C:\Program Files\Java
2008-03-20 00:42 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-17 20:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-17 19:41 --------- d-----w C:\Program Files\Burn4Free
2008-03-15 13:57 --------- d-----w C:\Documents and Settings\Krzysiek\Application Data\Apple Computer
2008-03-13 16:26 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-13 16:14 --------- d-----w C:\Program Files\Sybase
2008-03-07 11:53 --------- d-----w C:\Program Files\Azureus
2008-02-12 15:12 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-08 19:24 --------- d-----w C:\Program Files\DAEMON Tools Pro
2008-01-22 19:08 21,393 ----a-w C:\WINDOWS\AegisP.sys
2008-01-13 15:59 22,328 ----a-w C:\Documents and Settings\Krzysiek\Application Data\PnkBstrK.sys
2007-12-29 14:07 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-07-09 09:39 2119104]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-02-01 18:22 21898024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OEM02Mon.exe"="C:\WINDOWS\OEM02Mon.exe" [2007-02-02 01:00 36864]
"Apoint"="C:\Program Files\DellTPad\Apoint.exe" [2007-04-17 19:31 159744]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-05-11 22:57 8429568]
"nwiz"="nwiz.exe" [2007-05-11 22:57 1626112 C:\WINDOWS\system32\nwiz.exe]
"NVHotkey"="nvHotkey.dll" [2007-05-11 22:57 67584 C:\WINDOWS\system32\nvhotkey.dll]
"NvMediaCenter"="NvMCTray.dll" [2007-05-11 22:57 81920 C:\WINDOWS\system32\nvmctray.dll]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-29 19:37 79224]
"SigmatelSysTrayApp"="stsystra.exe" [2007-05-06 17:10 405504 C:\WINDOWS\stsystra.exe]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-07-25 16:32 823296]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-07-25 16:30 974848]
"CafeNews"="C:\Program Files\CafeNews\CN.exe" [ ]
"Onet.pl AutoUpdate"="C:\Program Files\Common Files\Onet.pl\NewAutoUpdate.exe" [ ]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 01:47 31016]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 17:17 159744]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-02-01 00:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll
"msacm.ac3acm"= ac3acm.acm
"msacm.lameacm"= lameACM.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Onet.pl AutoUpdate]
--a------ 2005-07-27 11:59 260096 C:\Program Files\Common Files\Onet.pl\AutoUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Gadu-Gadu\\gg.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\AppServer\\jdk\\jre\\bin\\java.exe"=
"C:\\AppServer\\lib\\appserv.exe"=
"C:\\Program Files\\totalcmd\\TOTALCMD.EXE"=
"C:\\Program Files\\NAPI-PROJEKT\\napisy.exe"=
"C:\\WINDOWS\\system32\\java.exe"=
"C:\\Program Files\\Java\\jdk1.6.0_03\\bin\\rmiregistry.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\usr\\SMTP Server\\localsrv.exe"=
"C:\\usr\\apache\\Apache.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\AppServer\\jdk\\bin\\java.exe"=
"C:\\Program Files\\Java\\jdk1.6.0_03\\bin\\tnameserv.exe"=
"C:\\Program Files\\Astral\\astral.exe"=
"C:\\Program Files\\Java\\jdk1.6.0_03\\bin\\orbd.exe"=
"C:\\Program Files\\Sybase\\SQL Anywhere 8\\win32\\dbeng8.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"D:\\Games\\World of Warcraft 2.3\\Repair.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 19:31]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 19:35]
R2 GFI LANguard N.S.S. 5.0 attendant service;GFI LANguard N.S.S. 5.0 attendant service;"C:\Program Files\GFI\LANguard Network Security Scanner 5.0\lnssatt.exe" -service []
R2 MySQL5;MySQL5;"C:\Program Files\MySQL\MySQL Server 4.1\bin\mysqld-nt" --defaults-file="C:\Program Files\MySQL\MySQL Server 4.1\my.ini" MySQL5 []
R2 named;ISC BIND;C:\WINDOWS\system32\dns\bin\named.exe [2005-12-14 13:28]
R2 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2007-02-10 06:29]
R2 XAudio;XAudio;C:\WINDOWS\system32\DRIVERS\xaudio.sys [2006-08-04 23:39]
R3 OEM02Dev;Creative Camera OEM002 Driver;C:\WINDOWS\system32\DRIVERS\OEM02Dev.sys [2007-03-20 01:00]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;C:\WINDOWS\system32\DRIVERS\OEM02Vfx.sys [2007-03-05 18:45]
S3 NWADI;NWADI Bus Enumerator;C:\WINDOWS\system32\DRIVERS\NWADIenum.sys [2007-06-01 13:57]
S3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys [2007-05-30 16:50]
S3 PVUSB;CESG502 USB Driver;C:\WINDOWS\system32\DRIVERS\CESG502.sys [2008-01-24 00:30]
S3 tap0801;TAP-Win32 Adapter V8;C:\WINDOWS\system32\DRIVERS\tap0801.sys [2004-06-24 04:54]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{07f848af-c9f4-11dc-ac4b-001c238d0ee6}]
\Shell\AutoRun\command - H:\awda2.exe
\Shell\explore\Command - H:\awda2.exe
\Shell\open\Command - H:\awda2.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0f68bcae-8c53-11dc-ab62-001c238d0ee6}]
\Shell\AutoRun\command - F:\EXPLORER.EXE
\Shell\explore\Command - F:\EXPLORER.EXE
\Shell\open\Command - F:\EXPLORER.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{30f69568-ca78-11dc-ac4e-001c238d0ee6}]
\Shell\AutoRun\command - H:\awda2.exe
\Shell\explore\Command - H:\awda2.exe
\Shell\open\Command - H:\awda2.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{55fb0010-c9ec-11dc-ac4a-001c238d0ee6}]
\Shell\AutoRun\command - H:\
\Shell\explore\Command - H:\awda2.exe
\Shell\open\Command - H:\awda2.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7d288164-cfd5-11dc-ac5d-001c238d0ee6}]
\Shell\AutoRun\command - H:\h.cmd
\Shell\explore\Command - H:\h.cmd
\Shell\open\Command - H:\h.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9bd876ed-8245-11dc-ab3b-001c238d0ee6}]
\Shell\AutoRun\command - H:\xn1i9x.com
\Shell\explore\Command - H:\xn1i9x.com
\Shell\open\Command - H:\xn1i9x.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9d73b784-bdd5-11dc-abef-001c238d0ee6}]
\Shell\AutoRun\command - EXPLORER.EXE
\Shell\explore\Command - EXPLORER.EXE
\Shell\open\Command - EXPLORER.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c90f0c14-c6d5-11dc-ac30-001c238d0ee6}]
\Shell\AutoRun\command - H:\m1t8ta.com
\Shell\explore\Command - H:\m1t8ta.com
\Shell\open\Command - H:\m1t8ta.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d064ac90-8e0d-11dc-ab6d-001c238d0ee6}]
\shell\Console\command - _Progs\Console2\Console.exe
\shell\Notepad\command - _Progs\Notepad++\notepad++.exe
\shell\PlayCS\command - CS1.6v28\hl.exe -nomaster -game cstrike

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-04-05 11:41:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-09 01:15:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MySql]
"ImagePath"="c:\usr/MYSQL/bin/mysqld.exe"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MySQL5]
"ImagePath"="\"C:\Program Files\MySQL\MySQL Server 4.1\bin\mysqld-nt\" --defaults-file=\"C:\Program Files\MySQL\MySQL Server 4.1\my.ini\" MySQL5"
.
Completion time: 2008-04-09 1:15:38
ComboFix-quarantined-files.txt 2008-04-08 23:15:30
Pre-Run: 658,755,584 bytes free
Post-Run: 798,777,344 bytes free
.
2008-03-17 20:03:24 --- E O F ---

10 Apr 2008, 05:06

Download ComboFix, but do not run it
Paste the following into Notepad:
Code:
Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2]


File -> Save as -> CFScript.txt (it is most convenient to save it in a location where the CFScript.txt icon ends up next to the ComboFix.exe icon)
Drag and drop the CFScript.txt icon onto the ComboFix.exe icon, as shown here -> [image]
Removal should start and a log will be produced; post that log on the forum.
If everything goes well, after the restart delete the C:\Qoobox folder manually
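As an added example (not code from this thread or from ComboFix), a small Python triage script that pulls the mountpoints2 blocks out of a ComboFix log like the one posted above and flags the blocks whose AutoRun/open/explore verbs launch a file from the mounted drive, i.e. the entries the Registry:: script above is aimed at. The sample log is constructed from values in the posted log; the verb set and the list of launchable extensions are my own assumptions.

```python
import ntpath
import re
from typing import Dict, List, Tuple

# Constructed sample: five mountpoints2 blocks in the shape ComboFix prints
# them, with the values copied from the log posted in this thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{07f848af-c9f4-11dc-ac4b-001c238d0ee6}]
\Shell\AutoRun\command - H:\awda2.exe
\Shell\explore\Command - H:\awda2.exe
\Shell\open\Command - H:\awda2.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{55fb0010-c9ec-11dc-ac4a-001c238d0ee6}]
\Shell\AutoRun\command - H:\
\Shell\explore\Command - H:\awda2.exe
\Shell\open\Command - H:\awda2.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7d288164-cfd5-11dc-ac5d-001c238d0ee6}]
\Shell\AutoRun\command - H:\h.cmd
\Shell\explore\Command - H:\h.cmd
\Shell\open\Command - H:\h.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9d73b784-bdd5-11dc-abef-001c238d0ee6}]
\Shell\AutoRun\command - EXPLORER.EXE
\Shell\explore\Command - EXPLORER.EXE
\Shell\open\Command - EXPLORER.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d064ac90-8e0d-11dc-ab6d-001c238d0ee6}]
\shell\Console\command - _Progs\Console2\Console.exe
\shell\Notepad\command - _Progs\Notepad++\notepad++.exe
\shell\PlayCS\command - CS1.6v28\hl.exe -nomaster -game cstrike
"""

KEY_RE = re.compile(r"^\[HKEY_CURRENT_USER\\.*\\mountpoints2\\(\{[0-9a-f-]{36}\})\]$", re.I)
ENTRY_RE = re.compile(r"^\\shell\\(\w+)\\command - (.*)$", re.I)
# Verbs Explorer fires on AutoPlay, double-click and right-click "Explore";
# anything wired to them runs without the user choosing a program.
HIJACK_VERBS = {"autorun", "explore", "open"}
# File types that execute directly when launched (assumed list, extend as needed).
LAUNCH_EXT = {".exe", ".com", ".cmd", ".bat", ".pif", ".scr", ".vbs"}


def is_suspicious_command(command: str) -> bool:
    """True when the command would run a program from the mounted volume."""
    cmd = command.strip()
    if not cmd:
        return False
    # A drive-less name such as "EXPLORER.EXE" is resolved relative to the
    # volume, so it runs whatever the medium carries under that name.
    if not re.match(r"^[A-Za-z]:\\", cmd):
        return True
    # Absolute path: only a launchable file type counts; a bare root "H:\"
    # merely opens the drive.
    target = cmd.split()[0]
    return ntpath.splitext(target)[1].lower() in LAUNCH_EXT


def parse_mountpoints(log_text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Return {guid: [(verb, command), ...]} for each mountpoints2 block."""
    blocks: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1).lower()
            blocks[current] = []
            continue
        if not line or line.startswith("["):
            current = None          # blank line or another key ends the block
            continue
        entry = ENTRY_RE.match(line)
        if entry and current is not None:
            blocks[current].append((entry.group(1).lower(), entry.group(2).strip()))
    return blocks


def find_hijacked_mountpoints(log_text: str) -> Dict[str, List[str]]:
    """Map each GUID to the suspicious commands on its AutoRun/open/explore
    verbs; blocks that only carry custom verbs (Console, Notepad, ...) are
    left out, since those run only when the user picks them from the menu."""
    findings: Dict[str, List[str]] = {}
    for guid, entries in parse_mountpoints(log_text).items():
        bad = [cmd for verb, cmd in entries
               if verb in HIJACK_VERBS and is_suspicious_command(cmd)]
        if bad:
            findings[guid] = sorted(set(bad))
    return findings


if __name__ == "__main__":
    for guid, cmds in find_hijacked_mountpoints(SAMPLE_LOG).items():
        print(guid, "->", ", ".join(cmds))
```

Each flagged GUID is one removable volume that was plugged in while carrying a worm; the unflagged d064ac90 block is the user's own custom context-menu verbs and is the kind of entry a blanket key deletion also wipes.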

Thanks

10 Apr 2008, 21:37

Thanks, I followed all the instructions and here is the log:

ComboFix 08-04-09.9 - Krzysiek 2008-04-10 21:34:41.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.998 [GMT 2:00]
Running from: C:\Documents and Settings\Krzysiek\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-03-10 to 2008-04-10 )))))))))))))))))))))))))))))))
.

2008-04-03 22:51 . 2008-03-29 19:31 75,856 --a------ C:\WINDOWS\system32\drivers\aswSP.sys
2008-04-03 22:51 . 2008-03-29 19:35 20,560 --a------ C:\WINDOWS\system32\drivers\aswFsBlk.sys
2008-03-29 19:23 . 2008-03-29 19:23 <DIR> d-------- C:\Logs
2008-03-20 02:44 . 2008-03-20 02:44 <DIR> d-------- C:\WINDOWS\0674B216AB4642EBBEA960702316154E.TMP
2008-03-20 02:44 . 2008-04-10 21:34 4 --a------ C:\WINDOWS\system32\msdbcrpt.kar.{de6af992-0620-498f-922f-79ce716e7a55}
2008-03-20 02:44 . 2008-04-10 21:34 4 --a------ C:\WINDOWS\system32\fsdbcrpt.kar.{de6af992-0620-498f-922f-79ce716e7a55}
2008-03-20 02:43 . 2008-03-20 02:43 <DIR> d-------- C:\Program Files\GFI
2008-03-19 20:14 . 2008-03-19 20:14 <DIR> d-------- C:\Program Files\Microsoft Virtual PC
2008-03-19 16:39 . 2008-03-19 16:42 <DIR> d-------- C:\bernatowicz new
2008-03-16 21:37 . 2008-04-09 17:57 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-16 21:37 . 2008-03-16 21:37 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-15 15:57 . 2008-03-15 15:57 <DIR> d-------- C:\Program Files\iTunes
2008-03-15 15:57 . 2008-03-15 15:57 <DIR> d-------- C:\Program Files\iPod
2008-03-15 15:56 . 2008-03-15 15:57 <DIR> d-------- C:\Program Files\QuickTime
2008-03-15 15:56 . 2008-03-15 15:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-03-15 15:55 . 2008-03-15 15:55 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-03-13 18:14 . 2008-04-07 00:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PowerDesigner 12

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-10 19:28 --------- d-----w C:\Documents and Settings\Krzysiek\Application Data\Skype
2008-04-10 16:34 --------- d-----w C:\Documents and Settings\Krzysiek\Application Data\Azureus
2008-04-10 16:06 --------- d-----w C:\Program Files\Astral
2008-04-10 14:07 --------- d-----w C:\Documents and Settings\Krzysiek\Application Data\skypePM
2008-04-02 03:08 --------- d-----w C:\Program Files\Gadu-Gadu
2008-03-29 17:45 1,146,232 ----a-w C:\WINDOWS\system32\aswBoot.exe
2008-03-29 17:35 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2008-03-29 17:29 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2008-03-29 17:27 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2008-03-29 17:26 26,944 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2008-03-29 17:23 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
2008-03-26 17:27 --------- d-----w C:\Program Files\Java
2008-03-20 00:42 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-17 20:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-17 19:41 --------- d-----w C:\Program Files\Burn4Free
2008-03-15 13:57 --------- d-----w C:\Documents and Settings\Krzysiek\Application Data\Apple Computer
2008-03-13 16:26 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-13 16:14 --------- d-----w C:\Program Files\Sybase
2008-03-07 11:53 --------- d-----w C:\Program Files\Azureus
2008-02-12 15:12 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-22 19:08 21,393 ----a-w C:\WINDOWS\AegisP.sys
2008-01-13 15:59 22,328 ----a-w C:\Documents and Settings\Krzysiek\Application Data\PnkBstrK.sys
2007-12-29 14:07 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
.

((((((((((((((((((((((((((((( snapshot@2008-04-09_ 1.15.25.15 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-10 19:35:25 53,248 ----a-w C:\WINDOWS\PSEXESVC.EXE
- 2008-04-06 21:08:42 192,426 ----a-w C:\WINDOWS\system32\nvModes.dat
+ 2008-04-10 16:14:54 192,426 ----a-w C:\WINDOWS\system32\nvModes.dat
- 2008-04-07 11:53:39 97,014 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-04-09 15:59:20 97,014 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-04-07 11:53:39 513,736 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-04-09 15:59:20 513,736 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-04-09 13:36:29 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_138.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-07-09 09:39 2119104]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-02-01 18:22 21898024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OEM02Mon.exe"="C:\WINDOWS\OEM02Mon.exe" [2007-02-02 01:00 36864]
"Apoint"="C:\Program Files\DellTPad\Apoint.exe" [2007-04-17 19:31 159744]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-05-11 22:57 8429568]
"nwiz"="nwiz.exe" [2007-05-11 22:57 1626112 C:\WINDOWS\system32\nwiz.exe]
"NVHotkey"="nvHotkey.dll" [2007-05-11 22:57 67584 C:\WINDOWS\system32\nvhotkey.dll]
"NvMediaCenter"="NvMCTray.dll" [2007-05-11 22:57 81920 C:\WINDOWS\system32\nvmctray.dll]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-29 19:37 79224]
"SigmatelSysTrayApp"="stsystra.exe" [2007-05-06 17:10 405504 C:\WINDOWS\stsystra.exe]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-07-25 16:32 823296]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-07-25 16:30 974848]
"CafeNews"="C:\Program Files\CafeNews\CN.exe" [ ]
"Onet.pl AutoUpdate"="C:\Program Files\Common Files\Onet.pl\NewAutoUpdate.exe" [ ]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 01:47 31016]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 17:17 159744]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-02-01 00:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Onet.pl AutoUpdate]
--a------ 2005-07-27 11:59 260096 C:\Program Files\Common Files\Onet.pl\AutoUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Gadu-Gadu\\gg.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\AppServer\\jdk\\jre\\bin\\java.exe"=
"C:\\AppServer\\lib\\appserv.exe"=
"C:\\Program Files\\totalcmd\\TOTALCMD.EXE"=
"C:\\Program Files\\NAPI-PROJEKT\\napisy.exe"=
"C:\\WINDOWS\\system32\\java.exe"=
"C:\\Program Files\\Java\\jdk1.6.0_03\\bin\\rmiregistry.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\usr\\SMTP Server\\localsrv.exe"=
"C:\\usr\\apache\\Apache.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\AppServer\\jdk\\bin\\java.exe"=
"C:\\Program Files\\Java\\jdk1.6.0_03\\bin\\tnameserv.exe"=
"C:\\Program Files\\Astral\\astral.exe"=
"C:\\Program Files\\Java\\jdk1.6.0_03\\bin\\orbd.exe"=
"C:\\Program Files\\Sybase\\SQL Anywhere 8\\win32\\dbeng8.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"D:\\Games\\World of Warcraft 2.3\\Repair.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 19:31]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 19:35]
R2 GFI LANguard N.S.S. 5.0 attendant service;GFI LANguard N.S.S. 5.0 attendant service;"C:\Program Files\GFI\LANguard Network Security Scanner 5.0\lnssatt.exe" -service []
R2 MySQL5;MySQL5;"C:\Program Files\MySQL\MySQL Server 4.1\bin\mysqld-nt" --defaults-file="C:\Program Files\MySQL\MySQL Server 4.1\my.ini" MySQL5 []
R2 named;ISC BIND;C:\WINDOWS\system32\dns\bin\named.exe [2005-12-14 13:28]
R2 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2007-02-10 06:29]
R2 XAudio;XAudio;C:\WINDOWS\system32\DRIVERS\xaudio.sys [2006-08-04 23:39]
R3 OEM02Dev;Creative Camera OEM002 Driver;C:\WINDOWS\system32\DRIVERS\OEM02Dev.sys [2007-03-20 01:00]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;C:\WINDOWS\system32\DRIVERS\OEM02Vfx.sys [2007-03-05 18:45]
S3 NWADI;NWADI Bus Enumerator;C:\WINDOWS\system32\DRIVERS\NWADIenum.sys [2007-06-01 13:57]
S3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys [2007-05-30 16:50]
S3 PVUSB;CESG502 USB Driver;C:\WINDOWS\system32\DRIVERS\CESG502.sys [2008-01-24 00:30]
S3 tap0801;TAP-Win32 Adapter V8;C:\WINDOWS\system32\DRIVERS\tap0801.sys [2004-06-24 04:54]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 []

.
Contents of the 'Scheduled Tasks' folder
"2008-04-05 11:41:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-10 21:35:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MySql]
"ImagePath"="c:\usr/MYSQL/bin/mysqld.exe"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MySQL5]
"ImagePath"="\"C:\Program Files\MySQL\MySQL Server 4.1\bin\mysqld-nt\" --defaults-file=\"C:\Program Files\MySQL\MySQL Server 4.1\my.ini\" MySQL5"
.
Completion time: 2008-04-10 21:35:59
ComboFix-quarantined-files.txt 2008-04-10 19:35:46
ComboFix2.txt 2008-04-10 19:29:09
ComboFix3.txt 2008-04-08 23:15:39
Pre-Run: 932,114,432 bytes free
Post-Run: 919,179,264 bytes free
.
2008-03-17 20:03:24 --- E O F ---

10 Apr 2008, 21:43

Download ComboFix, but do not run it
Paste the following into Notepad:
Code:
File::
C:\WINDOWS\system32\msdbcrpt.kar.{de6af992-0620-498f-922f-79ce716e7a55}
C:\WINDOWS\system32\fsdbcrpt.kar.{de6af992-0620-498f-922f-79ce716e7a55}


File -> Save as -> CFScript.txt (it is most convenient to save it in a location where the CFScript.txt icon ends up next to the ComboFix.exe icon)
Drag and drop the CFScript.txt icon onto the ComboFix.exe icon, as shown here -> [image]
Removal should start and a log will be produced; post that log on the forum.
If everything goes well, after the restart delete the C:\Qoobox folder manually

13 Apr 2008, 21:05

OK, everything went fine, here is the log:

ComboFix 08-04-10.5 - Krzysiek 2008-04-13 20:59:34.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.983 [GMT 2:00]
Running from: C:\Documents and Settings\Krzysiek\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Krzysiek\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\fsdbcrpt.kar.{de6af992-0620-498f-922f-79ce716e7a55}
C:\WINDOWS\system32\msdbcrpt.kar.{de6af992-0620-498f-922f-79ce716e7a55}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\fsdbcrpt.kar.{de6af992-0620-498f-922f-79ce716e7a55}
C:\WINDOWS\system32\msdbcrpt.kar.{de6af992-0620-498f-922f-79ce716e7a55}

.
((((((((((((((((((((((((( Files Created from 2008-03-13 to 2008-04-13 )))))))))))))))))))))))))))))))
.

2008-04-13 16:50 . 2004-07-09 09:43 364,544 --------- C:\WINDOWS\system32\TwnLib4.dll
2008-04-13 16:50 . 2000-06-26 11:45 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll
2008-04-13 16:49 . 2008-04-13 16:49 <DIR> d-------- C:\Program Files\Common Files\Ahead
2008-04-13 16:49 . 2008-04-13 16:50 <DIR> d-------- C:\Program Files\Ahead
2008-04-13 16:49 . 2004-07-26 17:16 1,568,768 --------- C:\WINDOWS\system32\ImagX7.dll
2008-04-13 16:49 . 2004-07-26 17:16 476,320 --------- C:\WINDOWS\system32\ImagXpr7.dll
2008-04-13 16:49 . 2004-07-26 17:16 471,040 --------- C:\WINDOWS\system32\ImagXRA7.dll
2008-04-13 16:49 . 2004-07-26 17:16 262,144 --------- C:\WINDOWS\system32\ImagXR7.dll
2008-04-13 16:49 . 2006-01-12 16:40 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2008-04-13 16:03 . 2008-04-13 16:03 <DIR> d-------- C:\WINDOWS\LastGood
2008-04-03 22:51 . 2008-03-29 19:31 75,856 --a------ C:\WINDOWS\system32\drivers\aswSP.sys
2008-04-03 22:51 . 2008-03-29 19:35 20,560 --a------ C:\WINDOWS\system32\drivers\aswFsBlk.sys
2008-03-29 19:23 . 2008-03-29 19:23 <DIR> d-------- C:\Logs
2008-03-20 02:44 . 2008-03-20 02:44 <DIR> d-------- C:\WINDOWS\0674B216AB4642EBBEA960702316154E.TMP
2008-03-20 02:43 . 2008-03-20 02:43 <DIR> d-------- C:\Program Files\GFI
2008-03-19 20:14 . 2008-03-19 20:14 <DIR> d-------- C:\Program Files\Microsoft Virtual PC
2008-03-19 16:39 . 2008-03-19 16:42 <DIR> d-------- C:\bernatowicz new
2008-03-16 21:37 . 2008-04-13 16:02 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-16 21:37 . 2008-03-16 21:37 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-15 15:57 . 2008-03-15 15:57 <DIR> d-------- C:\Program Files\iTunes
2008-03-15 15:57 . 2008-03-15 15:57 <DIR> d-------- C:\Program Files\iPod
2008-03-15 15:56 . 2008-03-15 15:57 <DIR> d-------- C:\Program Files\QuickTime
2008-03-15 15:56 . 2008-03-15 15:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-03-15 15:55 . 2008-03-15 15:55 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-03-13 18:14 . 2008-04-07 00:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PowerDesigner 12

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-13 19:01 --------- d-----w C:\Documents and Settings\Krzysiek\Application Data\Skype
2008-04-13 19:00 --------- d-----w C:\Documents and Settings\Krzysiek\Application Data\Azureus
2008-04-13 18:34 --------- d-----w C:\Program Files\Astral
2008-04-13 14:02 --------- d-----w C:\Documents and Settings\Krzysiek\Application Data\skypePM
2008-04-02 03:08 --------- d-----w C:\Program Files\Gadu-Gadu
2008-03-29 17:45 1,146,232 ----a-w C:\WINDOWS\system32\aswBoot.exe
2008-03-29 17:35 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2008-03-29 17:29 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2008-03-29 17:27 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2008-03-29 17:26 26,944 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2008-03-29 17:23 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
2008-03-26 17:27 --------- d-----w C:\Program Files\Java
2008-03-20 00:42 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-17 20:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-17 19:41 --------- d-----w C:\Program Files\Burn4Free
2008-03-15 13:57 --------- d-----w C:\Documents and Settings\Krzysiek\Application Data\Apple Computer
2008-03-13 16:26 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-13 16:14 --------- d-----w C:\Program Files\Sybase
2008-03-07 11:53 --------- d-----w C:\Program Files\Azureus
2008-01-22 19:08 21,393 -c--a-w C:\WINDOWS\AegisP.sys
2008-01-13 15:59 22,328 -c--a-w C:\Documents and Settings\Krzysiek\Application Data\PnkBstrK.sys
2007-12-29 14:07 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-07-09 09:39 2119104]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-02-01 18:22 21898024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OEM02Mon.exe"="C:\WINDOWS\OEM02Mon.exe" [2007-02-02 01:00 36864]
"Apoint"="C:\Program Files\DellTPad\Apoint.exe" [2007-04-17 19:31 159744]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-05-11 22:57 8429568]
"nwiz"="nwiz.exe" [2007-05-11 22:57 1626112 C:\WINDOWS\system32\nwiz.exe]
"NVHotkey"="nvHotkey.dll" [2007-05-11 22:57 67584 C:\WINDOWS\system32\nvhotkey.dll]
"NvMediaCenter"="NvMCTray.dll" [2007-05-11 22:57 81920 C:\WINDOWS\system32\nvmctray.dll]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-29 19:37 79224]
"SigmatelSysTrayApp"="stsystra.exe" [2007-05-06 17:10 405504 C:\WINDOWS\stsystra.exe]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-07-25 16:32 823296]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-07-25 16:30 974848]
"CafeNews"="C:\Program Files\CafeNews\CN.exe" [ ]
"Onet.pl AutoUpdate"="C:\Program Files\Common Files\Onet.pl\NewAutoUpdate.exe" [ ]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 01:47 31016]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 17:17 159744]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-02-01 00:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2006-01-12 16:40 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Onet.pl AutoUpdate]
--a--c--- 2005-07-27 11:59 260096 C:\Program Files\Common Files\Onet.pl\AutoUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Gadu-Gadu\\gg.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\AppServer\\jdk\\jre\\bin\\java.exe"=
"C:\\AppServer\\lib\\appserv.exe"=
"C:\\Program Files\\totalcmd\\TOTALCMD.EXE"=
"C:\\Program Files\\NAPI-PROJEKT\\napisy.exe"=
"C:\\WINDOWS\\system32\\java.exe"=
"C:\\Program Files\\Java\\jdk1.6.0_03\\bin\\rmiregistry.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\usr\\SMTP Server\\localsrv.exe"=
"C:\\usr\\apache\\Apache.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\AppServer\\jdk\\bin\\java.exe"=
"C:\\Program Files\\Java\\jdk1.6.0_03\\bin\\tnameserv.exe"=
"C:\\Program Files\\Astral\\astral.exe"=
"C:\\Program Files\\Java\\jdk1.6.0_03\\bin\\orbd.exe"=
"C:\\Program Files\\Sybase\\SQL Anywhere 8\\win32\\dbeng8.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"D:\\Games\\World of Warcraft 2.3\\Repair.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 19:31]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 19:35]
R2 GFI LANguard N.S.S. 5.0 attendant service;GFI LANguard N.S.S. 5.0 attendant service;"C:\Program Files\GFI\LANguard Network Security Scanner 5.0\lnssatt.exe" -service []
R2 MySQL5;MySQL5;"C:\Program Files\MySQL\MySQL Server 4.1\bin\mysqld-nt" --defaults-file="C:\Program Files\MySQL\MySQL Server 4.1\my.ini" MySQL5 []
R2 named;ISC BIND;C:\WINDOWS\system32\dns\bin\named.exe [2005-12-14 13:28]
R2 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2007-02-10 06:29]
R2 XAudio;XAudio;C:\WINDOWS\system32\DRIVERS\xaudio.sys [2006-08-04 23:39]
R3 OEM02Dev;Creative Camera OEM002 Driver;C:\WINDOWS\system32\DRIVERS\OEM02Dev.sys [2007-03-20 01:00]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;C:\WINDOWS\system32\DRIVERS\OEM02Vfx.sys [2007-03-05 18:45]
S3 NWADI;NWADI Bus Enumerator;C:\WINDOWS\system32\DRIVERS\NWADIenum.sys [2007-06-01 13:57]
S3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys [2007-05-30 16:50]
S3 PVUSB;CESG502 USB Driver;C:\WINDOWS\system32\DRIVERS\CESG502.sys [2008-01-24 00:30]
S3 tap0801;TAP-Win32 Adapter V8;C:\WINDOWS\system32\DRIVERS\tap0801.sys [2004-06-24 04:54]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 []

.
Contents of the 'Scheduled Tasks' folder
"2008-04-05 11:41:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-13 21:01:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MySql]
"ImagePath"="c:\usr/MYSQL/bin/mysqld.exe"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MySQL5]
"ImagePath"="\"C:\Program Files\MySQL\MySQL Server 4.1\bin\mysqld-nt\" --defaults-file=\"C:\Program Files\MySQL\MySQL Server 4.1\my.ini\" MySQL5"
.
Completion time: 2008-04-13 21:02:24
ComboFix-quarantined-files.txt 2008-04-13 19:02:13
ComboFix2.txt 2008-04-10 19:36:00
Pre-Run: 3,278,028,800 bytes free
Post-Run: 3,269,271,552 bytes free
.
2008-04-13 08:18:57 --- E O F ---

14 Apr 2008, 03:23

Download ComboFix, but do not run it yet.
Paste the following into Notepad:
Code:
Driver::
"GFI LANguard N.S.S. 5.0 attendant service"
named
msvsmon80

File -> Save as -> CFScript.txt (it is most convenient to save it in a location where the CFScript.txt icon ends up next to the ComboFix.exe icon)
Drag and drop the CFScript.txt icon onto the ComboFix.exe icon, as shown here -> [image]
Removal should start and a log will be produced; post that log on the forum.
If everything goes well, after the restart delete the folder C:\Qoobox manually.