ComboFix 09-12-09.04 - Belmondo 2009-12-10 19:41:37.6.4 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1250.48.1045.18.3327.2893 [GMT 1:00]
Uruchomiony z: c:\documents and settings\Belmondo\Moje dokumenty\Pobieranie\ComboFix.exe
AV: ESET Smart Security 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: Zapora osobista *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
.
((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\LocalService\oashdihasidhasuidhiasdhiashdiuasdhasd
c:\windows\system32\config\systemprofile\oashdihasidhasuidhiasdhiashdiuasdhasd
Zainfekowana kopia c:\windows\system32\Drivers\atapi.sys została znaleziona. Problem naprawiono
Plik odzyskano z - c:\windows\system32\drivers\system32\DRIVERS\atapi.sys
.
((((((((((((((((((((((((( Pliki utworzone od 2009-11-10 do 2009-12-10 )))))))))))))))))))))))))))))))
.
2009-12-08 19:44 . 2009-12-08 19:44 -------- d-----w- c:\program files\Trend Micro
2009-12-04 17:34 . 2009-12-04 17:34 -------- d-----w- c:\windows\system32\XPSViewer
2009-12-04 17:34 . 2009-12-04 17:34 -------- d-----w- c:\program files\Reference Assemblies
2009-12-04 17:29 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2009-12-04 17:29 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-12-04 17:29 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-12-04 17:29 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-12-04 17:29 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-12-04 17:29 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-12-04 17:29 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-12-04 17:29 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-12-04 17:29 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2009-12-04 12:00 . 2009-12-04 12:00 -------- d-----w- c:\program files\MSXML 4.0
2009-12-04 07:57 . 2009-12-04 07:57 116 ----a-w- c:\windows\system32\fjhdyfhsn.bat
2009-12-04 05:33 . 2009-12-04 05:33 -------- d-----w- c:\documents and settings\LocalService\Ustawienia lokalne\Dane aplikacji\ESET
2009-12-03 19:25 . 2009-12-03 19:25 -------- d-----w- c:\documents and settings\Belmondo\Ustawienia lokalne\Dane aplikacji\ESET
2009-12-03 19:13 . 2009-12-03 19:13 -------- d-----w- c:\windows\system32\Attansic
2009-12-03 19:13 . 2009-12-03 19:13 -------- d-----w- c:\program files\Attansic
2009-12-03 19:11 . 2006-10-31 10:10 35840 ----a-w- c:\windows\system32\drivers\atl01_xp.sys
2009-12-03 18:59 . 2009-12-03 18:59 -------- d-----w- c:\documents and settings\Belmondo\Dane aplikacji\ESET
2009-12-03 18:58 . 2009-12-03 18:58 -------- d-----w- c:\program files\ESET
2009-12-03 18:58 . 2009-12-03 18:58 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\ESET
2009-12-03 17:54 . 2009-12-03 17:54 2157568 ----a-w- c:\windows\MicCal.exe
2009-12-03 17:54 . 2009-12-03 17:54 129536 ----a-w- c:\windows\system32\ntport.dll
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-10 18:32 . 2009-11-04 20:02 -------- d-----w- c:\documents and settings\Belmondo\Dane aplikacji\Skype
2009-12-10 17:13 . 2009-10-14 19:48 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-12-09 21:44 . 2008-11-06 20:18 68456 ----a-w- c:\documents and settings\Belmondo\Ustawienia lokalne\Dane aplikacji\GDIPFONTCACHEV1.DAT
2009-12-09 05:04 . 2008-04-15 12:00 566724 ----a-w- c:\windows\system32\perfh015.dat
2009-12-09 05:04 . 2008-04-15 12:00 122540 ----a-w- c:\windows\system32\perfc015.dat
2009-12-05 21:07 . 2009-12-04 07:57 16 ----a-w- c:\documents and settings\LocalService\Dane aplikacji\fvgqad.dat
2009-12-04 07:57 . 2009-12-04 07:57 4 ----a-w- c:\documents and settings\Belmondo\Dane aplikacji\avdrn.dat
2009-12-03 19:13 . 2008-11-03 20:56 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-03 08:04 . 2009-10-13 12:48 -------- d-----w- c:\program files\msCRM
2009-12-03 04:50 . 2009-11-08 11:33 -------- d-----w- c:\documents and settings\Belmondo\Dane aplikacji\ipla
2009-11-21 16:03 . 2008-04-15 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-13 17:53 . 2008-11-03 21:54 -------- d-----w- c:\program files\Winamp
2009-11-08 11:33 . 2009-11-08 11:33 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\ipla
2009-11-08 11:33 . 2009-11-08 11:33 -------- d-----w- c:\program files\ipla
2009-11-08 11:33 . 2009-11-08 11:33 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2009-11-04 20:02 . 2009-11-04 20:02 -------- d-----w- c:\program files\Common Files\Skype
2009-11-04 20:02 . 2008-11-03 22:17 -------- d-----r- c:\program files\Skype
2009-11-04 18:43 . 2009-11-02 18:46 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\Skype
2009-11-04 18:40 . 2009-11-02 18:47 -------- d-----w- c:\documents and settings\Belmondo\Dane aplikacji\skypePM
2009-11-03 09:25 . 2009-10-30 16:29 -------- d-----w- c:\documents and settings\Belmondo\Dane aplikacji\12Voip
2009-11-02 18:47 . 2009-11-02 18:47 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-10-30 16:27 . 2009-10-30 16:27 -------- d-----w- c:\program files\12Voip.com
2009-10-29 05:26 . 2008-04-15 12:00 669696 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:40 . 2008-04-15 12:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:40 . 2008-04-15 12:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2008-04-15 12:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-15 04:58 . 2009-10-15 04:58 -------- d-----w- c:\documents and settings\Belmondo\Dane aplikacji\Thunderbird
2009-10-13 10:34 . 2008-04-15 12:00 271360 ----a-w- c:\windows\system32\oakley.dll
2009-10-13 08:29 . 2004-09-05 03:14 3600384 ----a-w- c:\windows\system32\vp3mpu1.dll
2009-10-12 13:40 . 2008-04-15 12:00 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:40 . 2008-04-15 12:00 150016 ----a-w- c:\windows\system32\rastls.dll
2009-10-09 07:32 . 2004-09-05 03:14 1495040 ----a-w- c:\windows\system32\vp3epm.dll
2009-09-25 05:37 . 2008-04-15 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-09-25 03:05 . 2004-09-05 03:14 2617344 ----a-w- c:\windows\system32\vp3mpu2.dll
2009-09-24 08:39 . 2004-09-05 03:15 2543616 ----a-w- c:\windows\system32\vp3MPU.dll
2009-09-24 08:38 . 2006-08-23 00:56 1318912 ----a-w- c:\windows\system32\vp3opt.dll
2009-09-23 07:33 . 2005-10-17 06:45 3592192 ----a-w- c:\windows\system32\vp3sepm2.dll
2009-09-22 19:27 . 2009-09-22 19:27 2560 ----a-w- c:\windows\_MSRSTRT.EXE
2009-09-21 04:03 . 2006-06-07 03:49 2650112 ----a-w- c:\windows\system32\vp3mpu5.dll
2009-09-21 04:01 . 2004-09-05 03:14 2260992 ----a-w- c:\windows\system32\vp3sepm.dll
2009-09-16 06:31 . 2007-10-30 01:38 1826816 ----a-w- c:\windows\system32\vp3190.dll
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"12Voip"="c:\program files\12Voip.com\12Voip\12Voip.exe -nosplash -minimized" [X]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-15 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"nwiz"="nwiz.exe" [2008-10-07 1630208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-04-09 2029640]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-15 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wineyes]
2007-04-09 20:45 73785 ------r- c:\windows\system32\welogon.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Program sieciowy dla SAGEM Wi-Fi 11g USB adapter.lnk]
path=c:\documents and settings\All Users\Menu Start\Programy\Autostart\Program sieciowy dla SAGEM Wi-Fi 11g USB adapter.lnk
backup=c:\windows\pss\Program sieciowy dla SAGEM Wi-Fi 11g USB adapter.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\12Voip]
c:\program files\12Voip.com\12Voip\12Voip.exe -nosplash -minimized [X]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-26 23:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
2006-11-13 13:57 1289000 ----a-w- c:\program files\Microsoft ActiveSync\wcescomm.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPLA!]
2009-10-13 13:21 6039960 ----a-w- c:\program files\ipla\ipla.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 21:51 1695232 ------w- c:\program files\Messenger\msmsgs.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\VoipDiscount.com\\VoipDiscount\\VoipDiscount.exe"=
"c:\\Program Files\\Gadu-Gadu\\gg.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\msCRM\\msCRM.exe"=
"c:\\Program Files\\12Voip.com\\12Voip\\12Voip.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-04-09 107256]
R2 ABBYY.Licensing.FineReader.Professional.9.0;ABBYY FineReader 9.0 PE Licensing Service;c:\program files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe [2007-12-06 660768]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [2009-04-09 731840]
R2 windoweyes;Window-Eyes;c:\program files\GW Micro\Window-Eyes\weserv.exe [2008-11-09 49152]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\atl01_xp.sys [2009-12-03 35840]
S3 SG762_XP;SAGEM 802.11g XG762 1211B Driver;c:\windows\system32\drivers\WlanBZXP.sys [2008-11-04 450560]
S3 SIWIO;SIWIO;\??\c:\windows\TEMP\SiwIo.sys --> c:\windows\TEMP\SiwIo.sys [?]
S3 ZDCndis5;ZDCndis5 Protocol Driver;\??\c:\windows\system32\ZDCndis5.SYS --> c:\windows\system32\ZDCndis5.SYS [?]
S4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys --> c:\windows\system32\Drivers\sptd.sys [?]
.
------- Skan uzupełniający -------
.
uStart Page = hxxp://pracownik.mikrotech.pl/
IE: E&ksportuj do programu Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {993925FC-9D3E-4C36-A50A-EF001E99B761} = 194.204.152.34
FF - ProfilePath - c:\documents and settings\Belmondo\Dane aplikacji\Mozilla\Firefox\Profiles\f49bkex9.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.multimo.pl/sprawdz-dostepnosc-uslugi/
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX - SPOSÓB POSTĘPOWANIA ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - USUNIĘTO PUSTE WPISY - - - -
MSConfigStartUp-Outpost Firewall - c:\progra~1\Agnitum\OUTPOS~1.0\outpost.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-10 19:45
Windows 5.1.2600 Dodatek Service Pack 3 NTFS
skanowanie ukrytych procesów ...
skanowanie ukrytych wpisów autostartu ...
skanowanie ukrytych plików ...
skanowanie pomyślnie ukończone
ukryte pliki: 0
**************************************************************************
.
--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------
- - - - - - - > 'explorer.exe'(1676)
c:\program files\GW Micro\Window-Eyes\GWM32INC.dll
.
------------------------ Pozostałe uruchomione procesy ------------------------
.
c:\windows\system32\astsrv.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\12Voip.com\12Voip\12Voip.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\GW Micro\Window-Eyes\wineyes.exe
c:\program files\GW Micro\Window-Eyes\SPEECH32.EXE
c:\program files\GW Micro\Window-Eyes\GWM32.EXE
c:\program files\GW Micro\Window-Eyes\bdisplay.exe
c:\windows\system32\wbem\wmiapsrv.exe
.
**************************************************************************
.
Czas ukończenia: 2009-12-10 19:47:41 - komputer został uruchomiony ponownie
ComboFix-quarantined-files.txt 2009-12-10 18:47
Przed: 38 315 896 832 bajtów wolnych
Po: 38 410 809 344 bajtów wolnych
- - End Of File - - 169B7373C0C3D38D4DB246107CA1755F