anemo / 9 years, 2 months ago

ComboFix 08-08-28.06 - Ja 2008-08-29  9:15:07.1 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1250.1.1045.18.617 [GMT 2:00]
Running from: C:\Documents and Settings\Ja\Pulpit\ComboFix.exe

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system\services.exe

.
(((((((((((((((((((((((((   Files Created from 2008-07-28 to 2008-08-29  )))))))))))))))))))))))))))))))
.

2008-08-29 09:15 . 2008-08-29 09:15	6,736	--a------	C:\WINDOWS\system32\drivers\PROCEXP90.SYS
2008-08-29 08:51 . 2008-08-29 08:51	<DIR>	d--------	C:\Program Files\CCleaner
2008-08-28 18:11 . 2008-08-28 18:11	<DIR>	d--------	C:\Program Files\HPDesignjet110PlusPrinterSeries
2008-08-21 13:41 . 2008-08-21 13:41	79,278	--a------	C:\acadminidump.dmp

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-29 07:17	---------	d-----w	C:\Program Files\Common Files\Symantec Shared
2008-08-29 07:13	---------	d-----w	C:\Program Files\Kalendarz XP
2008-08-29 06:45	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2008-08-29 06:45	---------	d-----w	C:\Program Files\CyberLink DVD Solution
2008-08-29 06:44	---------	d-----w	C:\Program Files\hhh
2008-08-29 06:44	---------	d-----w	C:\Documents and Settings\Ja\Dane aplikacji\Lavasoft
2008-08-29 06:11	---------	d-----w	C:\Program Files\LT-Extender 2000
2008-08-29 05:36	---------	d-----w	C:\Documents and Settings\All Users\Dane aplikacji\Symantec
2008-07-30 15:42	23,888	----a-w	C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-07-30 15:28	706	----a-w	C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-07-30 15:28	10,537	----a-w	C:\WINDOWS\system32\drivers\coh_mon.cat
2008-07-23 10:57	---------	d-----w	C:\Program Files\ABBYY FineReader 4.0 Sprint
2008-07-23 10:54	---------	d-----w	C:\Program Files\ScanExpress A3 USB
2008-07-07 20:33	253,952	----a-w	C:\WINDOWS\system32\es.dll
2008-06-24 16:24	74,240	----a-w	C:\WINDOWS\system32\mscms.dll
2008-06-23 16:42	826,368	----a-w	C:\WINDOWS\system32\wininet.dll
2008-06-20 17:42	246,784	----a-w	C:\WINDOWS\system32\mswsock.dll
2008-06-13 12:45	579,464	----a-w	C:\WINDOWS\system32\SymNeti.dll
2008-06-13 12:45	207,240	----a-w	C:\WINDOWS\system32\SymRedir.dll
2008-06-10 09:00	253,116	----a-w	C:\WINDOWS\PDFCreator_Toolbar_Uninstaller_3484.exe
2008-06-10 09:00	14,290	----a-w	C:\Program Files\settings.dat
2008-06-05 07:19	60,800	----a-w	C:\WINDOWS\system32\S32EVNT1.DLL
2004-03-11 12:27	40,960	----a-w	C:\Program Files\Uninstall_CDS.exe
2006-07-07 06:51	56	--sh--r	C:\WINDOWS\system32\8737576B82.sys
2007-02-24 13:11	5	--sha-w	C:\WINDOWS\system32\cfcbab8_g.dll
2006-07-07 06:51	1,682	--sha-w	C:\WINDOWS\system32\KGyGaAvL.sys
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-05-10 16:36 2111176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Name of App"="C:\Program Files\SAMSUNG\FW LiveUpdate\FWManager.exe" [2008-05-23 14:51 688217]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2006-01-12 16:40 155648]
"WheelMouse"="C:\Program Files\A4Tech\Mouse\Amoumain.exe" [2006-12-26 09:08 196608]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-31 14:15 51048]
"osCheck"="C:\Program Files\ANDRZEJ KROK\osCheck.exe" [2007-08-24 22:53 714608]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"Gtwatch"="C:\WINDOWS\gtwatch.exe" [2001-08-24 11:18 45056]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 14:00 15360]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
Kalendarz XP.lnk - C:\Program Files\Kalendarz XP\Kalendarz.exe [2006-07-07 09:04:10 882176]
Przyspieszenie uruchomienia programu AutoCAD LT.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart16.exe [2004-02-25 01:35:22 10872]
Watch.lnk - C:\WINDOWS\twain_32\L3U16\WATCH.exe [2008-07-23 12:54:35 364544]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Watch.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Watch.lnk
backup=C:\WINDOWS\pss\Watch.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gtwatch]
--a------ 2001-08-24 11:18 45056 C:\WINDOWS\Gtwatch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2006-06-21 19:14 35328 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skrót do strony właściwości High Definition Audio]
--------- 2004-03-17 15:10 61952 C:\WINDOWS\system32\Hdaudpropshortcut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"comHost"=3 (0x3)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Hitman Pro\\wget.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 Kmm4xNT;Kmm4xNT;C:\WINDOWS\system32\drivers\Kmm4xNT.sys [2000-11-25 09:38]
R2 LiveUpdate Notice;LiveUpdate Notice;C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-01-31 14:15]
R3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-07-30 17:42]
R3 GT681x;%GrandTechICNameNT%;C:\WINDOWS\system32\DRIVERS\GT681x.SYS [2001-08-27 10:09]
S2 Harmonogram automatycznej usługi LiveUpdate;Harmonogram automatycznej usługi LiveUpdate;C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe [2007-08-31 12:49]
S3 KMM4xUSB;KMM4xUSB Driver (kmm4xusb.sys);C:\WINDOWS\system32\Drivers\KMM4xUSB.sys [2003-06-02 22:10]
S3 usbscan;Sterownik skanera USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 23:58]
S3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 23:08]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1124c532-fc58-11db-a6b5-000fea69a9bc}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(&0)\command - Recycled\ctfmon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{327b3f66-38e6-11dc-9680-000fea69a9bc}]
\Shell\AutoRun\command - F:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7da6cc47-6f40-11dd-97fd-000fea69a9bc}]
\Shell\AutoRun\command - F:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9b889b29-7405-11dd-9803-000fea69a9bc}]
\Shell\AutoRun\command - F:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c73477ee-a9de-11db-ba37-000fea69a9bc}]
\Shell\AutoRun\command - F:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e1c9adf3-de1a-11dc-9750-000fea69a9bc}]
\Shell\AutoRun\command - F:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e5b935b8-4346-11dd-97b9-000fea69a9bc}]
\Shell\AutoRun\command - F:\setup.exe

*Newly Created Service* - CATCHME
*Newly Created Service* - COMHOST
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2007-12-06 C:\WINDOWS\Tasks\Norton Internet Security - Uruchom pełne skanowanie systemu - Ja.job
- C:\Program Files\ANDRZEJ KROK\Norton AntiVirus\Navw32.exe [2007-08-26 19:19]
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.wp.pl/
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
O8 -: E&ksport do programu Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O17 -: HKLM\CCS\Interface\{BB089073-9397-4663-AD6C-245E4820B98E}: NameServer = 192.168.2.10,194.204.159.1
O18 -: Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - C:\WINDOWS\wc98pp.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-29 09:17:04
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-29  9:18:45
ComboFix-quarantined-files.txt  2008-08-29 07:18:20

Pre-Run: 16,036,241,408 bajtów wolnych
Post-Run: 22,084,702,208 bajtów wolnych

150	--- E O F ---	2008-08-14 12:40:19