log.txt

Suspected minor infections on XP

Hi ;) Under Win XP Home SP3 it seems to me that there are a few irregularities ;) I'm sure there are a few infections here from a pendrive (including something that turns the contents of folders into various strange files, deleting the old contents), but other junk is possible too ;) Please check the ComboFix log


ComboFix 09-05-10.07 - DrGreen 2009-05-11 18:19.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1250.48.1045.18.1535.1204 [GMT 2:00]
Uruchomiony z: c:\documents and settings\DrGreen\Pulpit\ComboFix.exe
* Utworzono nowy punkt przywracania

UWAGA - TEN KOMPUTER NIE MA ZAINSTALOWANEJ KONSOLI ODZYSKIWANIA !!
.

((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\1ogf.exe
C:\autorun.inf
C:\boyedt.com
C:\i.cmd
C:\luk1ylq.com
C:\qwtb.com
c:\windows\system32\nmdfgds0.dll
c:\windows\system32\nmdfgds1.dll
c:\windows\system32\olhrwef.exe
D:\1ogf.exe
D:\2.bat
D:\2fiy.bat
D:\Autorun.inf
D:\boyedt.com
D:\dbrxubcw.com
D:\gi2ky.exe
D:\i.cmd
D:\i.com
D:\luk1ylq.com
D:\qwtb.com
D:\uxkl0apt.bat
D:\x2tpc.cmd
D:\xdw.com
D:\yh.cmd

.
((((((((((((((((((((((((( Pliki utworzone od 2009-04-11 do 2009-05-11 )))))))))))))))))))))))))))))))
.

2009-05-05 09:57 . 2009-05-05 09:57 -------- d-----w c:\program files\Ventrilo
2009-05-05 09:57 . 2009-05-05 09:57 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-05-05 09:49 . 2009-05-05 09:58 -------- d-----w c:\documents and settings\DrGreen\Dane aplikacji\Ventrilo
2009-05-05 09:49 . 2009-05-05 09:49 -------- d-----w c:\program files\VentriloMIX
2009-05-02 11:07 . 2009-05-04 14:01 -------- d-----w c:\program files\Age of Empires 2
2009-04-30 19:52 . 2009-04-30 19:52 -------- d-----w c:\documents and settings\All Users\Dane aplikacji\Adobe Systems
2009-04-30 19:48 . 2009-04-30 19:48 -------- d-----w c:\program files\Common Files\Adobe Systems Shared
2009-04-30 10:28 . 2009-04-30 10:28 -------- d-----w c:\program files\MGrenda
2009-04-19 13:14 . 2009-04-19 13:14 -------- d-----w c:\program files\UnH Solutions
2009-04-16 19:41 . 2008-04-21 21:16 218112 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-16 19:36 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 19:36 . 2009-03-06 14:22 285696 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-16 19:36 . 2009-02-09 11:25 111104 -c----w c:\windows\system32\dllcache\services.exe
2009-04-16 19:36 . 2009-02-09 10:53 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-16 19:36 . 2009-02-09 10:53 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-16 19:36 . 2009-02-09 10:53 686592 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-16 19:36 . 2009-02-09 10:53 731136 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 19:36 . 2009-02-09 10:53 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 19:36 . 2009-02-09 10:53 722944 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-13 14:53 . 2009-04-13 14:54 -------- d-----w c:\documents and settings\DrGreen\Dane aplikacji\Easy Macro Recorder
2009-04-13 14:53 . 2009-04-13 14:53 -------- d-----w c:\program files\Easy Macro Recorder
2009-04-13 13:33 . 2009-04-13 13:33 3120 ----a-w c:\windows\system32\2d2ca2ce-704a-428c-8cbe-0736b29190aa.dll
2009-04-13 13:33 . 2009-04-13 13:33 -------- d-----w c:\program files\AARONS CLIKER

.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-11 16:17 . 2009-03-25 12:11 3478 --sha-r c:\windows\pagefile.sys.vbs
2009-05-11 16:17 . 2009-03-25 12:11 3478 --sha-r C:\pagefile.sys.vbs
2009-05-06 19:54 . 2004-08-04 12:00 49492 ----a-w c:\windows\system32\perfc015.dat
2009-05-06 19:54 . 2004-08-04 12:00 355486 ----a-w c:\windows\system32\perfh015.dat
2009-05-06 14:22 . 2009-03-30 18:51 -------- d-----w c:\program files\mIRC
2009-04-30 19:49 . 2009-03-29 21:30 -------- d-----w c:\program files\Common Files\Adobe
2009-04-10 18:01 . 2009-04-10 18:00 -------- d-----w c:\program files\Teamspeak2_RC2
2009-04-08 16:59 . 2009-03-18 17:35 138944 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-04-08 16:59 . 2009-03-18 17:35 189784 ----a-w c:\windows\system32\PnkBstrB.exe
2009-04-05 12:36 . 2009-04-05 12:35 -------- d-----w c:\program files\WinPcap
2009-04-05 12:35 . 2009-04-05 12:35 -------- d-----w c:\program files\LineAge Utils
2009-04-05 01:40 . 2009-04-05 01:40 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-05 01:40 . 2009-03-18 17:14 -------- d-----w c:\program files\Java
2009-04-04 21:11 . 2009-03-18 16:59 76487 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-04-01 14:05 . 2009-04-01 14:05 27988 ---ha-w c:\windows\system32\mlfcache.dat
2009-03-29 12:04 . 2009-03-28 21:27 -------- d-----w c:\program files\NAPI-PROJEKT
2009-03-28 21:20 . 2009-03-28 21:20 -------- d-----w c:\program files\Real Alternative
2009-03-28 19:36 . 2009-03-28 19:36 -------- d-----w c:\program files\Gmask 1.70 English
2009-03-26 22:59 . 2009-03-18 17:50 -------- d-----w c:\program files\Gadu-Gadu
2009-03-26 19:57 . 2009-03-18 17:35 75064 ----a-w c:\windows\system32\PnkBstrA.exe
2009-03-26 14:28 . 2009-03-18 17:35 22328 ----a-w c:\documents and settings\DrGreen\Dane aplikacji\PnkBstrK.sys
2009-03-26 14:27 . 2009-03-18 17:35 2246144 ----a-w c:\windows\system32\pbsvc.exe
2009-03-25 07:13 . 2009-03-25 07:13 -------- d-----w c:\program files\Azure Gaming
2009-03-22 14:20 . 2009-03-22 14:20 34232 ----a-w c:\documents and settings\DrGreen\Ustawienia lokalne\Dane aplikacji\GDIPFONTCACHEV1.DAT
2009-03-20 17:00 . 2009-03-20 17:00 -------- d-----w c:\program files\SubEdit-Player
2009-03-18 18:24 . 2009-03-18 18:23 -------- d-----w c:\program files\Winamp
2009-03-18 18:02 . 2009-03-18 18:02 -------- d-----w c:\program files\Opera
2009-03-18 17:30 . 2009-03-18 17:12 -------- d-----w c:\program files\Neostrada TP
2009-03-18 17:24 . 2009-03-18 17:24 -------- d-----w c:\program files\C-Media 3D Audio
2009-03-18 17:24 . 2009-03-18 17:14 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-18 17:23 . 2009-03-18 17:14 -------- d-----w c:\program files\Common Files\InstallShield
2009-03-18 17:19 . 2009-03-18 17:19 0 ----a-w c:\windows\nsreg.dat
2009-03-18 17:14 . 2009-03-18 17:14 -------- d-----w c:\program files\Thomson
2009-03-18 17:14 . 2009-03-18 17:14 -------- d-----w c:\program files\Java Web Start
2009-03-18 17:00 . 2009-03-18 17:00 -------- d-----w c:\program files\microsoft frontpage
2009-03-18 16:59 . 2004-08-04 12:00 67 --sha-w c:\windows\Fonts\desktop.ini
2009-03-18 16:58 . 2009-03-18 16:58 -------- d-----w c:\program files\Usługi online
2009-03-18 16:57 . 2009-03-18 16:57 21856 ----a-w c:\windows\system32\emptyregdb.dat
2009-03-06 14:22 . 2004-08-04 12:00 285696 ----a-w c:\windows\system32\pdh.dll
2009-02-20 08:12 . 2004-08-04 12:00 668672 ----a-w c:\windows\system32\wininet.dll
2009-02-20 08:11 . 2004-08-04 12:00 81920 ----a-w c:\windows\system32\ieencode.dll
2009-02-10 17:09 . 2004-08-04 00:38 2067328 ----a-w c:\windows\system32\ntkrnlpa.exe
.

((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
" Gadu-Gadu " = " c:\program files\Gadu-Gadu\gg.exe " [2007-04-17 2113536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
" IMJPMIG8.1 " = " c:\windows\IME\imjp8_1\IMJPMIG.EXE " [2004-08-04 208952]
" PHIME2002ASync " = " c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE " [2004-08-04 455168]
" PHIME2002A " = " c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE " [2004-08-04 455168]
" SpeedTouch USB Diagnostics " = " c:\program files\Thomson\SpeedTouch USB\Dragdiag.exe " [2004-01-26 866816]
" WOOWATCH " = " c:\progra~1\NEOSTR~1\Watch.exe " [2003-10-16 20480]
" WOOTASKBARICON " = " c:\progra~1\NEOSTR~1\TaskbarIcon.exe " [2003-10-16 53248]
" NvCplDaemon " = " c:\windows\system32\NvCpl.dll " [2005-02-24 5537792]
" NvMediaCenter " = " c:\windows\system32\NvMcTray.dll " [2005-02-24 86016]
" MSRegInfo " = " c:\windows\pagefile.sys.vbs " [2009-05-11 3478]
" Adobe Reader Speed Launcher " = " c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe " [2009-02-27 35696]
" SunJavaUpdateSched " = " c:\program files\Java\jre6\bin\jusched.exe " [2009-04-05 148888]
" nwiz " = " nwiz.exe " - c:\windows\system32\nwiz.exe [2005-02-24 1495040]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
" CTFMON.EXE " = " c:\windows\system32\CTFMON.EXE " [2008-04-14 15360]

c:\documents and settings\DrGreen\Menu Start\Programy\Autostart\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
" AntiVirusOverride " =dword:00000001
" FirewallOverride " =dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
" %windir%\\system32\\sessmgr.exe " =
" c:\\WINDOWS\\system32\\PnkBstrA.exe " =
" c:\\WINDOWS\\system32\\PnkBstrB.exe " =
" c:\\Program Files\\Mozilla Firefox\\firefox.exe " =
" c:\\Program Files\\Gadu-Gadu\\gg.exe " =
" c:\\Program Files\\mIRC\\mirc.exe " =
" c:\\Program Files\\Opera\\opera.exe " =
" %windir%\\Network Diagnostic\\xpnetdiag.exe " =
" c:\\Program Files\\Java\\jre6\\launch4j-tmp\\JDownloader.exe " =
" c:\\WINDOWS\\system32\\java.exe " =
" c:\\WINDOWS\\system32\\dplaysvr.exe " =
" c:\\Program Files\\Age of Empires 2\\age2_x1\\age2_x1.exe " =
" c:\\Program Files\\Ventrilo\\Ventrilo.exe " =

S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 34064]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{27de2dc0-3425-11de-914f-806d6172696f}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe pagefile.sys.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a03ad7d8-1944-11de-b1c5-000e50564ca5}]
\Shell\AutoRun\command - F:\boyedt.com
\Shell\open\Command - F:\boyedt.com
.
- - - - USUNIĘTO PUSTE WPISY - - - -

HKLM-Run-Cmaudio - cmicnfg.cpl


.
------- Skan uzupełniający -------
.
uStart Page = hxxp://www.neostrada.pl
IE: { - c:\program files\Messenger\msmsgs.exe
TCP: {228CB3D6-19D6-413C-86B2-D582289A9502} = 194.204.159.1 217.98.63.164
FF - ProfilePath - c:\documents and settings\DrGreen\Dane aplikacji\Mozilla\Firefox\Profiles\vhkhhx7b.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.quakelive.com/
FF - plugin: c:\documents and settings\All Users\Dane aplikacji\id Software\QuakeLive\npquakezero.dll
FF - plugin: c:\program files\Opera\program\plugins\nppl3260.dll
FF - plugin: c:\program files\Opera\program\plugins\nprpjplug.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-11 18:20
Windows 5.1.2600 Dodatek Service Pack 3 NTFS

skanowanie ukrytych procesów ...

skanowanie ukrytych wpisów autostartu ...

skanowanie ukrytych plików ...

skanowanie pomyślnie ukończone
ukryte pliki: 0

**************************************************************************
.
Czas ukończenia: 2009-05-11 18:21
ComboFix-quarantined-files.txt 2009-05-11 16:21

Przed: 5 640 241 152 bajtów wolnych
Po: 5 640 310 784 bajtów wolnych

181 --- E O F --- 2009-04-17 01:28

