wklejto.pl

Added by: ~NVM (2008-07-09 21:56) -> text
ComboFix 08-07-05.1 - Administrator 2008-07-09 21:40:35.3 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1250.1.1045.18.373 [GMT 2:00]
Running from: C:\Documents and Settings\Administrator\Pulpit\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Pulpit\CFScript.txt
 * Created a new restore point
 * Resident AV is active


[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]

FILE ::
C:\temp2772.tmp
C:\temp3007.tmp
C:\temp4050.tmp
C:\temp5759.tmp
C:\temp5764.tmp
C:\temp6613.tmp
C:\temp8002.tmp
C:\temp9907.tmp
C:\WINDOWS\system32\config\SYSTEM~1\USTAWI~1\Temp\18.tmp
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\temp2772.tmp
C:\temp3007.tmp
C:\temp4050.tmp
C:\temp5759.tmp
C:\temp5764.tmp
C:\temp6613.tmp
C:\temp8002.tmp
C:\temp9907.tmp

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{DEF85C80-216A-43AB-AF70-1665EDBE2780}
-------\Service_{DEF85C80-216A-43ab-AF70-1665EDBE2780}


(((((((((((((((((((((((((   Files Created from 2008-06-09 to 2008-07-09  )))))))))))))))))))))))))))))))
.

2008-07-08 22:17 . 2008-07-08 22:17     <DIR>   d--------       C:\Program Files\Yahoo!
2008-07-08 00:17 . 2008-07-08 00:16     512,096 --a------       C:\WINDOWS\system32\drivers\amon.sys
2008-07-08 00:17 . 2008-07-08 00:16     298,104 --a------       C:\WINDOWS\system32\imon.dll
2008-07-08 00:17 . 2008-07-08 00:16     15,424  --a------       C:\WINDOWS\system32\drivers\nod32drv.sys
2008-07-07 20:55 . 2008-07-09 21:27     <DIR>   d--------       C:\Program Files\Eset
2008-07-07 20:55 . 2008-07-07 20:55     0       --a------       C:\WINDOWS\system32\mapisvc.inf
2008-07-07 19:33 . 2008-07-07 19:33     <DIR>   d--------       C:\Program Files\Kaspersky Lab
2008-07-07 19:33 . 2008-07-07 20:08     <DIR>   d--------       C:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab
2008-07-07 19:32 . 2008-07-07 19:32     <DIR>   d--------       C:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab Setup Files
2008-07-07 19:07 . 2008-07-07 19:07     <DIR>   d--------       C:\Documents and Settings\Administrator\DoctorWeb
2008-07-07 19:05 . 2008-07-07 19:05     73,728  --a----t-       C:\WINDOWS\system32\DRWEBSP.DLL
2008-07-07 16:41 . 2007-05-30 14:10     10,872  --a------       C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-07-07 15:55 . 2008-07-07 17:36     <DIR>   d--------       C:\Documents and Settings\All Users\Dane aplikacji\Avira
2008-07-06 21:09 . 2008-07-06 21:09     <DIR>   d--------       C:\Documents and Settings\Administrator\Dane aplikacji\Tibia
2008-07-02 14:50 . 2008-07-02 14:50     230     --a------       C:\WINDOWS\system32\spupdsvc.inf
2008-07-02 14:18 . 2008-07-02 15:09     <DIR>   d--h-----       C:\WINDOWS\$hf_mig$
2008-06-25 23:35 . 2008-06-25 23:35     <DIR>   d--------       C:\Documents and Settings\Administrator\.thumbnails
2008-06-24 22:55 . 2008-06-29 15:45     <DIR>   d--------       C:\Documents and Settings\Administrator\Dane aplikacji\gtk-2.0
2008-06-24 22:32 . 2008-07-02 16:55     <DIR>   d--------       C:\Documents and Settings\Administrator\.gimp-2.4
2008-06-14 13:36 . 2008-06-14 13:36     <DIR>   d--------       C:\Documents and Settings\All Users\Dane aplikacji\TEMP
2008-06-13 17:45 . 2008-06-13 17:45     <DIR>   d--------       C:\Program Files\TaskSwitchXP
2008-06-13 17:45 . 2004-08-04 00:44     2,790,400       --a------       C:\WINDOWS\system32\XPize_Logon.exe
2008-06-13 17:42 . 2008-06-27 20:08     <DIR>   d--h-----       C:\WINDOWS\XPize
2008-06-13 17:42 . 2006-05-19 13:48     219,648 --a------       C:\WINDOWS\system32\uxtheme.backup
2008-06-13 17:42 . 2008-06-13 17:42     219,648 --a------       C:\WINDOWS\system32\dllcache\uxtheme.dll
2008-06-12 20:38 . 2008-06-12 20:38     <DIR>   d--------       C:\Documents and Settings\Administrator\Dane aplikacji\Grisoft

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-09 19:01        ---------       d-----w C:\Program Files\Wanadoo
2008-07-07 18:04        112,144 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
2008-07-07 17:05        ---------       d--h--w C:\Program Files\InstallShield Installation Information
2008-07-07 16:12        ---------       d-----w C:\Program Files\Common Files\YDP
2008-07-07 12:56        2,192   ----a-w C:\Documents and Settings\Administrator\NONAME00.EXE
2008-07-07 11:42        ---------       d-----w C:\Documents and Settings\All Users\Dane aplikacji\Grisoft
2008-06-29 12:33        ---------       d-----w C:\Documents and Settings\Administrator\Dane aplikacji\Hamachi
2008-06-13 15:42        219,648 -c--a-w C:\WINDOWS\system32\uxtheme.dll
2008-05-27 18:51        712,751 ----a-w C:\WINDOWS\system32\Asn.er.dll
2008-05-27 18:46        ---------       d-----w C:\Program Files\Common Files\Adobe
2008-05-13 17:05        ---------       d-----w C:\Documents and Settings\Administrator\Dane aplikacji\AdobeUM
2008-04-27 20:41        21,840  ----atw C:\WINDOWS\system32\SIntfNT.dll
2008-04-27 20:41        17,212  ----atw C:\WINDOWS\system32\SIntf32.dll
2008-04-27 20:41        12,067  ----atw C:\WINDOWS\system32\SIntf16.dll
2004-10-01 13:00        40,960  ----a-w C:\Program Files\Uninstall_CDS.exe
.

------- Sigcheck -------

2007-06-13 15:23  1185280  5c0552fcbf86c00ad0f08e31ebda7147     C:\WINDOWS\explorer.exe
2007-06-13 15:23  1185280  5c0552fcbf86c00ad0f08e31ebda7147     C:\WINDOWS\system32\dllcache\explorer.exe
2007-06-13 15:23  1034752  029a562e81bbee088c61d418bf408f44     C:\WINDOWS\XPize\Backup\explorer.exe

2004-08-04 00:44  30208  87c1709bba3683bcb54cd14bf7cea7b5       C:\WINDOWS\system32\ctfmon.exe
2004-08-04 00:44  30208  87c1709bba3683bcb54cd14bf7cea7b5       C:\WINDOWS\system32\dllcache\ctfmon.exe
2004-08-04 00:44  15360  cbfa30492d70ce3938d8a7783d0c0436       C:\WINDOWS\XPize\Backup\ctfmon.exe
.
(((((((((((((((((((((((((((((   snapshot@2008-07-09_11.50.23,42   )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-09 04:21:55   2,048   --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-09 18:59:46   2,048   --s-a-w C:\WINDOWS\bootstat.dat
+ 2005-10-20 18:02:28   163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44 30208]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2006-02-10 21:40 2048000]
"TaskSwitchXP"="C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe" [2006-08-05 00:29 62976]
"Odkurzacz-MCD"="D:\Programy itp\Odkurzacz\odk_mcd.exe" [2008-03-03 14:44 266240]
"Gadu-Gadu"="D:\Programy itp\Gadu\gg.exe" [2007-07-09 09:39 2119104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2005-04-16 17:08 172032]
"FuncKey"="C:\Program Files\Hotkey 1.0.4\FuncKey.exe" [2006-07-27 15:06 122880]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2005-07-08 17:25 1397760]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"WOOWATCH"="C:\PROGRA~1\Wanadoo\Watch.exe" [2002-12-09 18:24 20480]
"Ashampoo FireWall PRO"="D:\Programy itp\Ashampoo FireWall PRO\FireWall.exe" [2006-12-21 02:10 3543552]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2008-07-07 17:09 6731312]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-07-08 00:16 949376]
"VTTimer"="VTTimer.exe" [2006-09-21 16:36 53248 C:\WINDOWS\system32\VTTimer.exe]
"S3Trayp"="S3Trayp.exe" [2006-10-10 05:14 176128 C:\WINDOWS\system32\S3Trayp.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:44 30208]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
DSLMON.lnk - C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2007-05-08 19:24:07 962661]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"=hex(2):58,50,69,7a,65,5f,4c,6f,67,6f,6e,2e,65,78,65,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3codecp"= l3codecp.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"WOOTASKBARICON"=C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"D:\\Programy itp\\Gadu\\gg.exe"=
"D:\\Programy itp\\Hamachi\\hamachi.exe"=

R2 Pctspk;PCTEL Speaker Phone;C:\WINDOWS\system32\pctspk.exe [2001-10-26 17:30]
R3 Capture;Active Capture Driver;C:\WINDOWS\system32\DRIVERS\capture.sys [2008-03-03 11:21]
R3 DrvFltIp;DrvFltIp;C:\Documents and Settings\Administrator\Ustawienia lokalne\TEMP\DrvFltIp []
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-04-04 14:58]
R3 S3GIGP;S3GIGP;C:\WINDOWS\system32\DRIVERS\S3gIGPm.sys [2006-11-15 09:38]
S1 avfwot;avfwot;C:\WINDOWS\system32\DRIVERS\avfwot.sys []
S3 avfwim;AvFw Packet Filter Miniport;C:\WINDOWS\system32\DRIVERS\avfwim.sys []
S3 Ptserli;PCTEL Serial Device Driver for INTEL;C:\WINDOWS\system32\DRIVERS\ptserli.sys [2001-08-17 21:28]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-09 21:42:05
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ... 

C:\WINDOWS\explorer.exe [2440] 0xFF865020

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ASFWHide]
"ImagePath"="\??\C:\Documents and Settings\Administrator\Ustawienia lokalne\TEMP\ASFWHide"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\DrvFltIp]
"ImagePath"="\??\C:\Documents and Settings\Administrator\Ustawienia lokalne\TEMP\DrvFltIp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> D:\Programy itp\Ashampoo FireWall PRO\MD5.dll

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\Program Files\Eset\pr_imon.dll
-> D:\Programy itp\Ashampoo FireWall PRO\MD5.dll

PROCESS: C:\WINDOWS\system32\csrss.exe
-> D:\Programy itp\Ashampoo FireWall PRO\MD5.dll
.
Completion time: 2008-07-09 21:42:57
ComboFix-quarantined-files.txt  2008-07-09 19:42:53
ComboFix2.txt  2008-07-09 09:50:47

Pre-Run: 6,966,796,288 bajtów wolnych
Post-Run: 6,957,457,408 bajtów wolnych

178     --- E O F ---   2008-03-13 07:37:47
 