ComboFix 11-08-31.04 - Michał 2011-08-31 18:35:46.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1250.48.1045.18.2046.1544 [GMT 2:00]
Uruchomiony z: D:\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
.
((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\messenger\msmsgsin.exe
c:\windows\ehome\medctrro.exe
c:\windows\IsUn0415.exe
.
Zainfekowana kopia c:\windows\system32\drivers\ntfs.sys została znaleziona. Problem naprawiono
Plik odzyskano z - c:\windows\ServicePackFiles\i386\ntfs.sys
.
.
((((((((((((((((((((((((( Pliki utworzone od 2011-07-28 do 2011-08-31 )))))))))))))))))))))))))))))))
.
.
2011-08-30 09:07 . 2011-08-30 09:07 -------- d-----w- C:\spoolerlogs
2011-08-27 19:14 . 2011-08-27 19:14 -------- d-----w- C:\found.000
2011-08-11 14:14 . 2011-08-11 14:15 29358872 ----a-w- C:\TeamSpeak3-Client-win32-3.0.0.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-11 13:47 . 2011-08-11 13:45 43453308 ----a-w- C:\AD1986A_32bit_V510014151.zip
.
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-07-04 11:43 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2011-08-11 3077528]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2011-08-02 4910912]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-08-03 13892200]
"NvMediaCenter"="NvMCTray.dll" [2011-08-03 111208]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2011-07-05 1632360]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-07-04 3493720]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2004-10-27 61952]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Updatus\\daemonu.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"d:\\Program Files\\uTorrent\\uTorrent.exe"=
"d:\\Gry\\Warcraft III\\Warcraft III.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57863:TCP"= 57863:TCP:Pando Media Booster
"57863:UDP"= 57863:UDP:Pando Media Booster
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-08-25 64512]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-08-11 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-08-11 309848]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2011-08-19 232512]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-08-11 19544]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-08-11 2255464]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2011-07-21 2151640]
S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\EagleXNt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [2011-07-21 15232]
.
Zawartość folderu 'Zaplanowane zadania'
.
2011-08-31 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-07-21 13:49]
.
.
------- Skan uzupełniający -------
.
uStart Page = hxxp://www.google.pl/
uInternet Settings,ProxyOverride =
TCP: DhcpNameServer = 217.172.224.160 89.228.7.226
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-31 18:47
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
.
skanowanie ukrytych procesów ...
.
skanowanie ukrytych wpisów autostartu ...
.
skanowanie ukrytych plików ...
.
.
c:\windows\system32\rp_rules.dat 44 bytes
c:\windows\system32\rp_stats.dat 64 bytes
.
skanowanie pomyślnie ukończone
ukryte pliki: 2
.
**************************************************************************
.
--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------
.
- - - - - - - > 'explorer.exe'(2744)
c:\windows\system32\WININET.dll
c:\windows\system32\webcheck.dll
.
------------------------ Pozostałe uruchomione procesy ------------------------
.
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\RunDLL32.exe
c:\windows\System32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Czas ukończenia: 2011-08-31 18:51:56 - komputer został uruchomiony ponownie
ComboFix-quarantined-files.txt 2011-08-31 16:51
.
Przed: 150 420 631 552 bajtów wolnych
Po: 150 997 434 368 bajtów wolnych
.
WindowsXP-KB310994-SP2-Pro-BootDisk-PLK.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
.
- - End Of File - - EE28744090E9164DD45AD5B487026237