Do you know what that file is? If not, delete it.
Generally clean. Post a ComboFix log.
Right, so why do I keep getting that Security Alert message asking me to turn on protection?
I'll delete the file right away and check.
ComboFix log.
ComboFix 08-09-14.06 - Administrator 2008-09-15 14:35:46.9 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1250.1.1045.18.222 [GMT 2:00]
Uruchomiony z: C:\Documents and Settings\Administrator\Pulpit\ComboFix.exe
UWAGA - TEN KOMPUTER NIE MA ZAINSTALOWANEJ KONSOLI ODZYSKIWANIA
.
((((((((((((((((((((((((( Pliki utworzone od 2008-08-15 do 2008-09-15 )))))))))))))))))))))))))))))))
.
2008-09-15 11:57 . 2008-09-15 11:57 <DIR> d-------- C:\SmitfraudFix
2008-09-15 11:46 . 2008-09-15 12:02 2,614 --a------ C:\WINDOWS\system32\tmp.reg
2008-09-15 11:34 . 2008-09-15 11:34 <DIR> d-------- C:\rsit
2008-09-15 10:31 . 2008-09-15 10:31 <DIR> d-------- C:\Program Files\Lavasoft
2008-09-15 10:31 . 2008-09-15 10:31 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-09-15 10:31 . 2008-09-15 10:31 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Lavasoft
2008-09-15 10:15 . 2008-09-15 10:15 86,016 --a------ C:\WINDOWS\system32\gjgpetyr.exe
2008-09-15 09:30 . 2008-09-15 14:27 4,912 --a------ C:\WINDOWS\system32\PerfStringBackup.TMP
2008-09-15 08:53 . 2008-09-15 08:53 <DIR> d-------- C:\SAV32CLI
2008-09-13 02:53 . 2008-09-13 02:53 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\ajqrsvut
2008-09-10 14:04 . 2008-09-10 14:04 151 --a------ C:\WINDOWS\PhotoSnapViewer.INI
2008-09-09 12:35 . 2005-02-08 14:12 2,670,592 --------- C:\WINDOWS\UNNMP.exe
2008-09-09 12:35 . 2005-06-07 11:40 49,655 --------- C:\WINDOWS\UNNMP.cfg
2008-09-09 12:33 . 2008-09-09 12:33 <DIR> d-------- C:\Program Files\RealVNC
2008-09-09 12:33 . 2001-07-09 11:50 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2008-09-09 12:32 . 2008-09-09 12:32 <DIR> d-------- C:\Program Files\Common Files\Nero
2008-09-09 12:31 . 2008-09-09 12:31 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Ahead
2008-09-09 12:31 . 2005-04-20 13:32 2,916,352 --------- C:\WINDOWS\UNNeroVision.exe
2008-09-09 12:31 . 2004-07-26 17:16 1,568,768 --------- C:\WINDOWS\system32\ImagX7.dll
2008-09-09 12:31 . 2004-07-26 17:16 476,320 --------- C:\WINDOWS\system32\ImagXpr7.dll
2008-09-09 12:31 . 2004-07-26 17:16 471,040 --------- C:\WINDOWS\system32\ImagXRA7.dll
2008-09-09 12:31 . 2004-07-09 09:43 364,544 --------- C:\WINDOWS\system32\TwnLib4.dll
2008-09-09 12:31 . 2004-07-26 17:16 262,144 --------- C:\WINDOWS\system32\ImagXR7.dll
2008-09-09 12:31 . 2005-06-07 11:40 154,855 --------- C:\WINDOWS\UNNeroVision.cfg
2008-09-09 12:31 . 2000-06-26 11:45 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll
2008-09-09 12:31 . 2001-06-26 08:15 38,912 --------- C:\WINDOWS\system32\picn20.dll
2008-09-09 12:30 . 2008-09-09 12:30 <DIR> d-------- C:\Program Files\Common Files\Ahead
2008-09-09 12:30 . 2008-09-09 12:30 <DIR> d-------- C:\Program Files\Ahead
2008-08-25 10:59 . 2007-12-24 17:37 138,384 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-08-25 10:59 . 2008-08-25 10:59 21 --a------ C:\tmuninst.ini
2008-08-15 02:14 . 2008-05-01 16:37 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-15 02:13 . 2008-04-11 21:06 691,712 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-21 08:07 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-07-21 08:07 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Spybot - Search & Destroy
2008-07-18 20:10 94,920 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2008-07-18 20:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 20:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 20:10 53,448 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2008-07-18 20:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 20:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 20:10 36,552 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
2008-07-18 20:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 20:09 563,912 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
2008-07-18 20:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 20:09 325,832 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
2008-07-18 20:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 20:09 205,000 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
2008-07-18 20:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-18 20:09 1,811,656 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2008-07-17 11:16 --------- d-----w C:\Program Files\Plustek
2008-07-17 11:16 --------- d-----w C:\Program Files\DI Capture
2008-07-17 11:16 --------- d-----w C:\Program Files\Common Files\iMpacct
2008-07-16 07:12 --------- d-----w C:\Program Files\MSECache
2008-07-07 20:29 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-07 20:29 253,952 ------w C:\WINDOWS\system32\dllcache\es.dll
2008-06-24 16:46 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-24 16:46 74,240 ------w C:\WINDOWS\system32\dllcache\mscms.dll
2008-06-24 16:12 295,936 ------w C:\WINDOWS\system32\wmpeffects.dll
2008-06-24 08:42 3,592,192 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-06-23 09:23 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-06-23 09:23 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-06-23 09:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-06-21 05:23 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-06-20 17:48 246,784 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:48 246,784 ------w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:48 147,968 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 11:51 361,600 ------w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 11:40 138,496 ------w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 11:08 225,856 ------w C:\WINDOWS\system32\dllcache\tcpip6.sys
.
((((((((((((((((((((((((((((( snapshot@2008-09-15_ 8.35.28.82 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-14 17:20:40 506,368 ----a-w C:\WINDOWS\system32\dllcache\msxml.dll
+ 2008-04-14 17:20:40 701,440 ----a-w C:\WINDOWS\system32\dllcache\msxml2.dll
+ 2004-08-04 03:00:00 41,232 ----a-w C:\WINDOWS\system32\dllcache\msxml2r.dll
+ 2004-08-04 03:00:00 28,160 ----a-w C:\WINDOWS\system32\dllcache\msxmlr.dll
+ 2008-04-29 09:19:50 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
+ 2008-04-29 09:19:54 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
+ 2008-04-29 09:20:00 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
+ 2008-05-16 09:58:04 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
- 2008-09-15 06:31:52 97,134 ----a-w C:\WINDOWS\system32\perfc015.dat
+ 2008-09-15 12:27:34 97,134 ----a-w C:\WINDOWS\system32\perfc015.dat
- 2008-09-15 06:31:52 462,358 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-09-15 06:42:32 462,358 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2008-09-15 06:31:52 521,216 ----a-w C:\WINDOWS\system32\perfh015.dat
+ 2008-09-15 12:27:34 521,216 ----a-w C:\WINDOWS\system32\perfh015.dat
+ 2008-09-15 12:23:30 16,384 ----a-w C:\WINDOWS\Temp\Perflib_Perfdata_100.dat
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]
"hlpadmapi"="C:\WINDOWS\system32\gjgpetyr.exe" [2008-09-15 86016]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [2003-07-30 143360]
"SetRefresh"="C:\Program Files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-16 13529088]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-16 86016]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2007-09-06 710000]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 155648]
"nwiz"="nwiz.exe" [2008-05-16 C:\WINDOWS\system32\nwiz.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 15360]
C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]
DocAction (Plustek SmartOffice PS256).lnk - C:\Program Files\Plustek\Plustek SmartOffice PS256\DocuAction.exe [2008-07-17 57344]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hlpadmapi]
--a------ 2008-09-15 10:15 86016 C:\WINDOWS\system32\gjgpetyr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\JTSoft\\ATermPRO\\ATerm\\ATerm.exe"=
"C:\\applic\\sogm\\sogm\\SOGM.exe"=
R2 MSSQL$AKK;MSSQL$AKK;C:\Program Files\Microsoft SQL Server\MSSQL$AKK\Binn\sqlservr.exe [2002-12-17 7520337]
S3 SQLAgent$AKK;SQLAgent$AKK;C:\Program Files\Microsoft SQL Server\MSSQL$AKK\Binn\sqlagent.EXE [2002-12-17 311872]
S3 usbscan;Sterownik skanera USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3a656ff2-7400-11dd-bf20-001321f312ee}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe killVBS.vbs
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f01bacdf-58b3-11dd-bf1c-001321f312ee}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
.
------- Skan uzupełniający -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.pl/
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-15 14:36:59
Windows 5.1.2600 Dodatek Service Pack 3 FAT NTAPI
skanowanie ukrytych procesów ...
skanowanie ukrytych wpisów autostartu ...
skanowanie ukrytych plików ...
skanowanie pomyślnie ukończone
ukryte pliki: 0
**************************************************************************
.
Czas ukończenia: 2008-09-15 14:37:27
ComboFix-quarantined-files.txt 2008-09-15 12:37:26
ComboFix5.txt 2008-09-15 12:35:30
ComboFix4.txt 2008-09-15 09:00:06
ComboFix3.txt 2008-09-15 09:31:50
ComboFix2.txt 2008-09-15 10:22:38
Przed: 16,307,355,648 bajtów wolnych
Po: 16,301,768,704 bajtów wolnych
165 --- E O F --- 2008-09-11 01:01:22
I deleted the file starting with gjg. After restarting the computer it reappeared as an entry among the programs that start with the system, but the file itself is gone.