ComboFix.txt

C:\WINDOWS\TEMP\7za.exe - how do I get rid of the worm?

and from ComboFix:


ComboFix 10-10-31.04 - galante 2010-11-01 12:26:48.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1250.48.1045.18.2046.1559 [GMT 1:00]
Run from: c:\documents and settings\galante\Pulpit\ComboFix.exe
AV: avast! antivirus 4.8.1201 [VPS 101101-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

WARNING - THIS COMPUTER DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files created from 2010-10-01 to 2010-11-01 )))))))))))))))))))))))))))))))
.

No new files were created in this period

.
(((((((((((((((((((((((((((((((((((((((( Find3M section ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 10:23 . 2001-10-26 17:29 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2001-10-26 17:29 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2001-10-26 17:29 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2001-10-26 17:29 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:52 . 2002-09-20 16:05 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:52 . 2002-09-20 16:04 43520 ------w- c:\windows\system32\licmgr10.dll
2010-09-10 05:52 . 2002-09-20 16:05 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-01 11:52 . 2001-08-17 22:55 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-09-01 07:57 . 2002-09-20 15:41 1853056 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:03 . 2001-10-26 17:29 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:54 . 2001-10-26 17:29 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-27 01:43 . 2010-08-13 16:44 5632 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-26 13:39 . 2001-08-18 06:24 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-23 16:12 . 2002-09-20 16:03 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17 . 2001-10-26 17:30 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45 . 2002-09-20 16:04 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-08-09 10:30 . 2010-08-09 10:30 51200 ----a-w- c:\windows\system32\OpenCL.dll
.

((((((((((((((((((((((((((((((((((((( Registry startup entries ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries and legitimate default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadu-Gadu 10"="d:\gadu-gadu 10\gg.exe" [2010-10-07 12661344]
"PMCRemote"="d:\program files\Pinnacle\Shared Files\\Programs\Remote\Remoterm.exe" [2007-09-18 257096]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="d:\avast4\ashDisp.exe" [2008-05-15 79224]
"SpeedTouch USB Diagnostics"="c:\program files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 866816]
"StartCCC"="d:\ati technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-09-10 98304]
"ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2010-05-04 311296]
"RTHDCPL"="RTHDCPL.EXE" [2009-10-16 18782720]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
" %windir%\\Network Diagnostic\\xpnetdiag.exe " =
" %windir%\\system32\\sessmgr.exe " =
" k:\\SopCast\\adv\\SopAdver.exe " =
" k:\\SopCast\\SopCast.exe " =
" c:\\Program Files\\Java\\jre6\\bin\\javaw.exe " =
" d:\\Gadu-Gadu 10\\gg.exe " =
" d:\\eMule\\emule.exe " =
" k:\\TVAnts\\Tvants.exe " =
" c:\\Documents and Settings\\galante\\Pulpit\\Tvants.exe " =
" c:\\WINDOWS\\system32\\config\\systemprofile\\Ustawienia lokalne\\Dane aplikacji\\Windows Internet Name Service\\wins.exe " =

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2010-10-31 685816]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2010-10-30 78416]
R2 Windows Internet Name Service;Windows Internet Name Service;c:\windows\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Windows Internet Name Service\wins.exe [2010-10-31 4627968]
R3 PhilCap;Pinnacle PCTV service;c:\windows\system32\drivers\PhilCap.sys [2007-07-17 908832]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-10-31 1684736]
.
.
------- Supplementary scan -------
.
uStart Page = hxxp://www.onet.pl/
IE: E&ksport do programu Microsoft Excel - d:\micros~2\OFFICE11\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\galante\Dane aplikacji\Mozilla\Firefox\Profiles\1ewv3m9h.default\
FF - prefs.js: browser.search.selectedEngine - Web Search
FF - prefs.js: browser.startup.homepage - hxxp://www.onet.pl/
FF - prefs.js: keyword.URL - hxxp://www.searchqu.com/web?src=ffb&systemid=403&q=
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\All Users\Dane aplikacji\Gadu-Gadu 10\_userdata\npgg.4.dll
FF - plugin: c:\documents and settings\galante\Dane aplikacji\Mozilla\plugins\np-mswmp.dll

---- FIREFOX POLICIES ----
d:\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
d:\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
d:\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
d:\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
d:\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
d:\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
d:\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
d:\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
d:\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
d:\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
d:\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANED ENTRIES REMOVED - - - -

HKLM-Run-DriverCD - N:\Run.exe
AddRemove-{F38ADCA4-AF7C-4C73-9021-6F1EA15D15EA} - c:\program files\InstallShield Installation Information\{F38ADCA4-AF7C-4C73-9021-6F1EA15D15EA}\Setup.exeUNINSTALL



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-01 12:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs loaded under running processes ---------------------

- - - - - - - > 'winlogon.exe'(800)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
.
Completion time: 2010-11-01 12:29:38
ComboFix-quarantined-files.txt 2010-11-01 11:29

Before: 21,451,702,272 bytes free
After: 21,787,910,144 bytes free

- - End Of File - - CD5CFDE4109141C953390B4136844A04

