


Logs - Analysis


  • Closed  This topic is closed
1 reply in this topic

#1 dawidEX

dawidEX

    New

  • 4 posts

Posted 17 08 2008 - 18:14

svchost, some virus; ComboFix log
ComboFix 08-08-15.04 - Pawel 2008-08-16 21:38:50.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.419 [GMT 2:00]
Running from: C:\Documents and Settings\Pawel\Pulpit\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
C:\Documents and Settings\Pawel\Cookies\pawel@tradedoubler[2].txt
C:\pagefile.pif
C:\WINDOWS\system32\com\lsass.exe
C:\WINDOWS\system32\com\smss.exe
D:\Autorun.inf
D:\pagefile.pif
E:\Autorun.inf
E:\pagefile.pif

.
((((((((((((((((((((((((( Files Created from 2008-07-16 to 2008-08-16 )))))))))))))))))))))))))))))))
.

2008-08-16 19:24 . 2008-08-16 19:24 <DIR> d-------- C:\Documents and Settings\Pawel\Dane aplikacji\AdobeUM
2008-08-15 11:22 . 2008-08-15 11:22 <DIR> d-------- C:\Documents and Settings\Pawel\DoctorWeb
2008-08-15 11:20 . 2008-08-15 11:20 <DIR> d-------- C:\SOPHTEMP
2008-08-14 20:59 . 2008-08-14 20:59 <DIR> d-------- C:\WINDOWS\ERUNT
2008-08-14 12:52 . 2008-08-14 12:52 0 -ra------ C:\logwmemory.bin
2008-08-14 12:50 . 2008-08-14 12:50 <DIR> d-------- C:\Documents and Settings\Pawel\Dane aplikacji\Soldat
2008-08-07 14:17 . 2008-08-16 18:00 <DIR> d-------- C:\Documents and Settings\Pawel\Dane aplikacji\skypePM
2008-08-07 14:17 . 2008-08-07 14:17 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-08-07 14:10 . 2008-08-16 20:33 <DIR> d-------- C:\Documents and Settings\Pawel\Dane aplikacji\Skype
2008-08-07 13:52 . 2008-08-07 13:53 <DIR> d-------- C:\Program Files\Skype
2008-08-07 13:52 . 2008-08-07 13:52 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-08-07 13:49 . 2008-08-07 13:53 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Skype
2008-08-05 10:48 . 2008-08-05 10:59 833 --a------ C:\WINDOWS\Q3TA.ini
2008-08-01 18:36 . 2008-08-01 18:44 248 --a------ C:\WINDOWS\naglos.INI
2008-08-01 10:00 . 2008-08-05 10:56 31 --a------ C:\WINDOWS\Q3CDKey.ini
2008-08-01 09:48 . 2008-08-01 09:48 <DIR> d-------- C:\Program Files\Mplayer
2008-08-01 09:44 . 2008-08-05 10:52 711 --a------ C:\WINDOWS\QIII.INI
2008-08-01 09:20 . 2008-08-15 11:18 306,688 --a------ C:\WINDOWS\IsUninst.exe
2008-07-29 13:17 . 2008-08-16 09:01 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-07-24 17:51 . 2008-07-24 17:51 4 --a------ C:\WINDOWS\Pix11.dat
2008-07-21 14:15 . 2008-08-11 22:34 <DIR> d-------- C:\Documents and Settings\Pawel\Dane aplikacji\BearShare
2008-07-21 14:15 . 2007-11-22 16:00 483,328 --a------ C:\WINDOWS\system32\actskn45.ocx

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-15 09:18 315,392 ----a-w C:\WINDOWS\alcupd.exe
2008-08-15 09:18 217,088 ----a-w C:\WINDOWS\Alcrmv.exe
2008-08-05 09:24 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-08-04 10:31 --------- d-----w C:\Program Files\Sonic 3D
2008-07-20 20:17 --------- d-----w C:\Documents and Settings\Pawel\Dane aplikacji\DataLayer
2008-07-14 14:13 --------- d-----w C:\Documents and Settings\Pawel\Dane aplikacji\Nokia
2008-07-14 14:03 --------- d-----w C:\Documents and Settings\Pawel\Dane aplikacji\Nokia Multimedia Player
2008-07-14 13:53 --------- d-----w C:\Program Files\DIFX
2008-07-14 13:53 --------- d-----w C:\Documents and Settings\Pawel\Dane aplikacji\PC Suite
2008-07-14 13:53 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\PC Suite
2008-07-14 13:52 --------- d-----w C:\Program Files\Nokia
2008-07-14 13:52 --------- d-----w C:\Program Files\Common Files\PCSuite
2008-07-14 13:52 --------- d-----w C:\Program Files\Common Files\Nokia
2008-07-14 13:50 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Downloaded Installations
2008-07-08 08:42 --------- d-----w C:\Documents and Settings\Pawel\Dane aplikacji\Winamp
2008-07-08 08:37 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\OrbNetworks
2008-07-07 22:00 --------- d-----w C:\Program Files\Winamp Toolbar
2008-07-07 22:00 --------- d-----w C:\Program Files\Winamp Remote
2008-07-07 22:00 --------- d-----w C:\Program Files\Winamp
2008-07-07 22:00 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Winamp Toolbar
2008-07-07 20:33 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-07 18:04 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-07 18:04 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\phenomedia
2008-07-02 19:40 --------- d-----w C:\Program Files\directx
2008-06-26 14:27 --------- d-----w C:\Program Files\Gadu-Gadu
2008-06-24 16:24 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 15:41 662,016 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-21 10:01 --------- d-----w C:\Documents and Settings\Pawel\Dane aplikacji\Shareaza
2008-06-20 17:42 246,784 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-17 15:39 --------- d-----w C:\Program Files\Google
2008-06-16 21:27 --------- d-----w C:\Program Files\ffdshow
2008-06-16 11:47 --------- d-----w C:\Documents and Settings\Pawel\Dane aplikacji\Yahoo! Messenger
.

------- Sigcheck -------

2008-04-14 19:21 14336 8607d35d92528e2df386f19a960d23ce C:\WINDOWS\SoftwareDistribution\Download\dd64aa87403cfac627c6c8f37d245aa4\svchost.exe
2004-08-03 23:44 14336 ba98327e90022dbd6ee76490e0622e2e C:\WINDOWS\system32\svchost.exe
2004-08-03 23:44 14336 ba98327e90022dbd6ee76490e0622e2e C:\WINDOWS\system32\dllcache\svchost.exe

2008-04-14 19:20 82432 c0aa2ab856680c44739b41e01f5bd4e9 C:\WINDOWS\SoftwareDistribution\Download\dd64aa87403cfac627c6c8f37d245aa4\ws2_32.dll
2004-08-03 23:44 82944 ab82237486b727dd7dab36a76f38a3a2 C:\WINDOWS\system32\ws2_32.dll
2004-08-03 23:44 82944 ab82237486b727dd7dab36a76f38a3a2 C:\WINDOWS\system32\dllcache\ws2_32.dll

2008-04-14 19:21 510464 51fd2e13d723857b9ca239ae77150f48 C:\WINDOWS\SoftwareDistribution\Download\dd64aa87403cfac627c6c8f37d245aa4\winlogon.exe
2004-08-03 23:44 504832 0344407089b08548d4feba62bb0f32d0 C:\WINDOWS\system32\winlogon.exe
2004-08-03 23:44 504832 0344407089b08548d4feba62bb0f32d0 C:\WINDOWS\system32\dllcache\winlogon.exe

2008-04-13 21:20 182656 1df7f42665c94b825322fae71721130d C:\WINDOWS\SoftwareDistribution\Download\dd64aa87403cfac627c6c8f37d245aa4\ndis.sys
2004-08-03 22:14 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\system32\dllcache\ndis.sys
2004-08-03 22:14 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\system32\drivers\ndis.sys

2008-04-13 20:53 36608 3bb22519a194418d5fec05d800a19ad0 C:\WINDOWS\SoftwareDistribution\Download\dd64aa87403cfac627c6c8f37d245aa4\ip6fw.sys
2004-08-03 22:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\dllcache\ip6fw.sys
2004-08-03 22:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\drivers\ip6fw.sys

2008-04-14 19:21 109056 3e3ae424e27c4cefe4cab368c7b570ea C:\WINDOWS\SoftwareDistribution\Download\dd64aa87403cfac627c6c8f37d245aa4\services.exe
2004-08-03 23:44 108544 3da8d964d2cc12ef8e8c342471a37917 C:\WINDOWS\system32\services.exe
2004-08-03 23:44 108544 3da8d964d2cc12ef8e8c342471a37917 C:\WINDOWS\system32\dllcache\services.exe

2008-04-14 19:21 13312 88296f7943f30a1ee3af735440b92268 C:\WINDOWS\SoftwareDistribution\Download\dd64aa87403cfac627c6c8f37d245aa4\lsass.exe
2004-08-03 23:44 13312 f485fefc8cc4fd29243d800be5d275d1 C:\WINDOWS\system32\lsass.exe
2004-08-03 23:44 13312 f485fefc8cc4fd29243d800be5d275d1 C:\WINDOWS\system32\dllcache\lsass.exe

2008-04-14 19:21 15360 1bd41eda5b869afc99895c39a8de36e1 C:\WINDOWS\SoftwareDistribution\Download\dd64aa87403cfac627c6c8f37d245aa4\ctfmon.exe
2004-08-03 23:44 15360 cbfa30492d70ce3938d8a7783d0c0436 C:\WINDOWS\system32\ctfmon.exe
2004-08-03 23:44 15360 cbfa30492d70ce3938d8a7783d0c0436 C:\WINDOWS\system32\dllcache\ctfmon.exe

2004-08-03 23:44 57856 bebe8a85954ff460374fd5a0cd21e19b C:\WINDOWS\SoftwareDistribution\Download\33b429ed39bc5e95ff7042a3b46c0314\backup\sp2gdr\spoolsv.exe
2004-08-03 23:44 57856 bebe8a85954ff460374fd5a0cd21e19b C:\WINDOWS\SoftwareDistribution\Download\33b429ed39bc5e95ff7042a3b46c0314\backup\sp2qfe\spoolsv.exe
2008-04-14 19:21 57856 dd69ec597ab942c39b950d9c3ce1375d C:\WINDOWS\SoftwareDistribution\Download\dd64aa87403cfac627c6c8f37d245aa4\spoolsv.exe
2004-08-03 23:44 57856 bebe8a85954ff460374fd5a0cd21e19b C:\WINDOWS\system32\spoolsv.exe
2004-08-03 23:44 57856 bebe8a85954ff460374fd5a0cd21e19b C:\WINDOWS\system32\dllcache\spoolsv.exe

2008-04-14 19:21 26624 2a5b37d520508be6570a3ea79695f5b5 C:\WINDOWS\SoftwareDistribution\Download\dd64aa87403cfac627c6c8f37d245aa4\userinit.exe
2004-08-03 23:44 25088 bd768099b4c44aa631728cb74eb54396 C:\WINDOWS\system32\userinit.exe
2004-08-03 23:44 25088 bd768099b4c44aa631728cb74eb54396 C:\WINDOWS\system32\dllcache\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{57BCA5FA-5DBB-45a2-B558-1755C3F6253B}"= "C:\Program Files\Winamp Toolbar\winamptb.dll" [2008-03-20 00:36 1267040]

[HKEY_CLASSES_ROOT\clsid\{57bca5fa-5dbb-45a2-b558-1755c3f6253b}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:44 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [2004-05-21 12:49 2533888]
"Orb"="C:\Program Files\Winamp Remote\bin\OrbTray.exe" [2008-04-01 03:54 507904]
"PcSync"="E:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-06-19 15:59 1449984]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-07-23 14:11 21738792]
"Gadu-Gadu"="E:\Program Files\Gadu-Gadu\gg.exe" [2006-02-17 15:03 2396160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-03-23 12:06 924160]
"NOD32POP3"="E:\Program Files\Eset\pop3scan.exe" [2002-01-11 14:37 68608]
"Nod32CC"="C:\WINDOWS\system32\nod32cc.exe" [2002-01-11 14:37 235008]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-04-01 20:49 36352]
"PCSuiteTrayApplication"="E:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE" [2006-06-15 12:36 229376]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46 57344]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 15:28 685568 C:\WINDOWS\soundman.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 23:44 15360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"E:\\Program Files\\Gadu-Gadu\\gg.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"D:\\Program Files\\BearShare Applications\\BearShare\\BearShare.exe"=
"D:\\quake3.exe"=
"D:\\Soldat\\Soldat.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 ts_lb;ts_lb;C:\WINDOWS\system32\drivers\ts_lb.sys [2007-06-19 23:35]
R2 NOD32Service;NOD32 Service;C:\WINDOWS\system32\nod32m2.exe [2001-04-10 10:19]
S2 NOD32ControlCenter;NOD32 Control Center Service;C:\WINDOWS\system32\nod32cc.exe [2002-01-11 14:37]
S3 CV2K1;CommView Network Monitor;C:\WINDOWS\system32\DRIVERS\cv2k1.sys [2006-12-07 22:04]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Pawel\Dane aplikacji\Mozilla\Firefox\Profiles\lehiqw01.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampie7&query=


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-16 21:44:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2008-08-16 21:47:54 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-16 19:47:38

Pre-Run: 4,727,517,184 bytes free
Post-Run: 4,847,808,512 bytes free

193 --- E O F --- 2008-08-15 20:54:56

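Added example, not part of the original post and not ComboFix's own code: a Python triage script for the log above. It splits the log into its sections, flags in "Other Deletions" the pattern a practitioner would not wave through (an autorun.inf beside a pagefile.pif at the root of C:, D: and E:, and copies of lsass.exe and smss.exe under system32\com, a directory in which no legitimate Windows XP copy of those binaries lives), and checks the Sigcheck section by comparing the MD5 of each live system32 binary with its dllcache copy; the differing copies under SoftwareDistribution\Download are Windows Update download files and are not used as a reference. SAMPLE_LOG is a constructed excerpt whose paths are copied from the post; the core-process list, the legitimate-directory set and all function names are this example's own assumptions, not ComboFix's rules.

```python
import re
from collections import defaultdict

# Constructed excerpt of the log posted above: paths copied from it, the rest left out.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\autorun.inf
C:\Documents and Settings\Pawel\Cookies\pawel@tradedoubler[2].txt
C:\pagefile.pif
C:\WINDOWS\system32\com\lsass.exe
C:\WINDOWS\system32\com\smss.exe
D:\Autorun.inf
D:\pagefile.pif
E:\Autorun.inf
E:\pagefile.pif
.
------- Sigcheck -------

2008-04-14 19:21 14336 8607d35d92528e2df386f19a960d23ce C:\WINDOWS\SoftwareDistribution\Download\dd64aa87403cfac627c6c8f37d245aa4\svchost.exe
2004-08-03 23:44 14336 ba98327e90022dbd6ee76490e0622e2e C:\WINDOWS\system32\svchost.exe
2004-08-03 23:44 14336 ba98327e90022dbd6ee76490e0622e2e C:\WINDOWS\system32\dllcache\svchost.exe

2008-04-13 21:20 182656 1df7f42665c94b825322fae71721130d C:\WINDOWS\SoftwareDistribution\Download\dd64aa87403cfac627c6c8f37d245aa4\ndis.sys
2004-08-03 22:14 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\system32\dllcache\ndis.sys
2004-08-03 22:14 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\system32\drivers\ndis.sys
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
"""

PAREN_HDR = re.compile(r"^\s*\(+\s*(.+?)\s*\)+\s*$")          # ((((( Name )))))
DASH_HDR = re.compile(r"^\s*-{3,}\s*(.+?)\s*-{3,}\s*$")       # ------- Name -------
SIG_LINE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d\s+\d+\s+([0-9a-f]{32})\s+(.+)$", re.I)
DRIVE_ROOT = re.compile(r"^([A-Za-z]):\\([^\\]+)$")           # a file directly in X:\
# Heuristics of this example, not ComboFix's rules: XP core process names and the only
# directories in which a copy of them is expected (plus the Windows Update download cache).
CORE_PROCESSES = {"lsass.exe", "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                  "svchost.exe", "spoolsv.exe", "userinit.exe"}
LEGIT_CORE_DIRS = {r"\windows\system32", r"\windows\system32\dllcache", r"\windows\servicepackfiles\i386"}
UPDATE_CACHE = r"\windows\softwaredistribution\download"
PAYLOAD_EXT = (".pif", ".exe", ".com", ".scr", ".bat", ".cmd", ".vbs")


def parse_sections(text):
    """Split a ComboFix log into {section name: [non-empty lines]}."""
    sections, current = defaultdict(list), "preamble"
    for line in text.splitlines():
        m = PAREN_HDR.match(line) or DASH_HDR.match(line)
        if m:
            current = m.group(1)
        elif line.strip() and line.strip() != ".":
            sections[current].append(line.strip())
    return dict(sections)


def triage_path(path):
    """Reason string if `path` looks like an autorun artefact, else None."""
    parent, _, name = path.lower().rpartition("\\")
    if DRIVE_ROOT.match(path):
        if name == "autorun.inf":
            return "autorun.inf at drive root"
        return "executable at drive root (autorun payload)" if name.endswith(PAYLOAD_EXT) else None
    where = parent[2:]                                         # strip the "c:" drive prefix
    if name in CORE_PROCESSES and where not in LEGIT_CORE_DIRS and not where.startswith(UPDATE_CACHE):
        return f"{name} outside its legitimate directory"
    return None


def triage_deletions(paths):
    return [(p, r) for p in paths if (r := triage_path(p))]


def autorun_pairs(paths):
    """Flagged root files per drive: autorun.inf beside a payload on every drive is the
    propagation pattern of a removable-media worm."""
    by_drive = defaultdict(list)
    for p in paths:
        m = DRIVE_ROOT.match(p)
        if m and triage_path(p):
            by_drive[m.group(1).upper() + ":"].append(m.group(2))
    return {d: sorted(n, key=str.lower) for d, n in by_drive.items()}


def check_sigcheck(lines):
    """MD5 of each live system32 (or drivers) binary versus its dllcache copy.  Copies in
    the Windows Update download cache legitimately differ and are not used as reference."""
    seen = defaultdict(dict)                                   # name -> {"live"/"dllcache": md5}
    for line in lines:
        m = SIG_LINE.match(line)
        if not m:
            continue
        md5, path = m.group(1).lower(), m.group(2).lower()
        parent, _, name = path.rpartition("\\")
        if parent.endswith(r"\system32\dllcache"):
            seen[name]["dllcache"] = md5
        elif parent.endswith((r"\system32", r"\system32\drivers")):
            seen[name]["live"] = md5
    return {n: "incomplete" if len(h) < 2 else ("ok" if h["live"] == h["dllcache"] else "MISMATCH")
            for n, h in seen.items()}


def triage_log(text):
    """Every check over one log, as a report dict."""
    s = parse_sections(text)
    deleted = s.get("Other Deletions", [])
    return {"deletions": triage_deletions(deleted), "autorun_pairs": autorun_pairs(deleted),
            "sigcheck": check_sigcheck(s.get("Sigcheck", []))}
```

Run it on a saved log with `triage_log(open(path, encoding="cp1250").read())` (the encoding is an assumption for a Polish-locale log; adjust as needed). On the excerpt above it lists all eight root and system32\com files ComboFix deleted and reports every system32/dllcache pair as consistent. Two caveats: a live file that matches its dllcache copy only shows that the Windows File Protection cache agrees with it, not that the file is clean (both copies can be replaced, and neither hash is compared with a known-good list), so a verdict still needs an Authenticode signature check or a known-good hash; and the same autorun.inf/pagefile.pif pair was removed from D: and E:, so any removable media used on this machine should be checked for it before it is plugged in elsewhere.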

#2 ordynat

ordynat

    Advanced user

  • 804 posts

Posted 17 08 2008 - 19:45

I don't see anything harmful here.

ordynat




