Jak w temacie? Combofix wykrył jakiego¶ robaka typu rootkit czy jako¶ tak.
ComboFix 08-10-26.01 - Platon 2008-10-27 17:58:39.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.63 [GMT 1:00]
* Utworzono nowy punkt przywracania
[COLOR=RED][B]UWAGA - TEN KOMPUTER NIE MA ZAINSTALOWANEJ KONSOLI ODZYSKIWANIA !![/B][/COLOR]
.
((((((((((((((((((((((((( Pliki utworzone od 2008-09-27 do 2008-10-27 )))))))))))))))))))))))))))))))
.
2008-10-21 19:22 . 2008-10-21 19:24 & lt; DIR & gt; d-------- C:\Documents and Settings\Platon\Dane aplikacji\Tibia
2008-10-19 10:03 . 2008-10-19 10:03 & lt; DIR & gt; d-------- C:\Documents and Settings\Platon\DoctorWeb
2008-10-18 18:29 . 2008-10-18 18:29 & lt; DIR & gt; d-------- C:\Documents and Settings\All Users\Dane aplikacji\PrevxCSI
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-21 18:20 --------- d-----w C:\Program Files\Asprate
2008-10-07 06:36 --------- d-----w C:\Program Files\DivX
2008-10-07 06:26 --------- d-----w C:\Program Files\MarBit
.
((((((((((((((((((((((((((((( snapshot@2008-10-19_12.20.59.17 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-10-20 18:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\ERDNT.EXE
+ 2005-10-20 19:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\ERDNT.EXE
- 2005-10-20 18:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\subs\ERDNT.EXE
+ 2005-10-20 19:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\subs\ERDNT.EXE
- 2000-08-31 06:00:00 28,672 ----a-w C:\WINDOWS\NIRCMD.exe
+ 2000-08-31 07:00:00 28,672 ----a-w C:\WINDOWS\NIRCMD.exe
- 2000-08-31 06:00:00 161,792 ----a-w C:\WINDOWS\SWREG.exe
+ 2000-08-31 07:00:00 161,792 ----a-w C:\WINDOWS\SWREG.exe
- 2008-10-04 12:43:31 1,744 ----a-w C:\WINDOWS\system32\d3d9caps.dat
+ 2008-10-26 19:42:26 1,744 ----a-w C:\WINDOWS\system32\d3d9caps.dat
- 2008-04-01 15:44:22 52,764 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-10-26 10:21:24 52,764 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-04-01 15:44:22 67,078 ----a-w C:\WINDOWS\system32\perfc015.dat
+ 2008-10-26 10:21:25 67,078 ----a-w C:\WINDOWS\system32\perfc015.dat
- 2008-04-01 15:44:22 380,350 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-10-26 10:21:24 380,350 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2008-04-01 15:44:22 435,978 ----a-w C:\WINDOWS\system32\perfh015.dat
+ 2008-10-26 10:21:25 435,978 ----a-w C:\WINDOWS\system32\perfh015.dat
+ 2008-10-27 17:05:14 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_704.dat
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawid?owe wpisy nie s? pokazane
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
" swg " = " C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe " [2007-06-29 68856]
" MSMSGS " = " C:\Program Files\Messenger\msmsgs.exe " [2004-08-04 1667584]
" ctfmon.exe " = " C:\WINDOWS\system32\ctfmon.exe " [2004-08-03 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
" NeroFilterCheck " = " C:\WINDOWS\system32\NeroCheck.exe " [2001-07-09 155648]
" SunJavaUpdateSched " = " C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe " [2008-06-10 144784]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
" CTFMON.EXE " = " C:\WINDOWS\system32\CTFMON.EXE " [2004-08-03 15360]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
" AntiVirusDisableNotify " =dword:00000001
" UpdatesDisableNotify " =dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
" G:\\Remik\\Gadu-Gadu\\gg.exe " =
" C:\\WINDOWS\\system32\\sessmgr.exe " =
" C:\\Program Files\\Gadu-Gadu\\gg.exe " =
" C:\\Program Files\\Skype\\Phone\\Skype.exe " =
" C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe " =
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
" 8461:TCP " = 8461:TCP:GoD High Port
" 8462:TCP " = 8462:TCP:GoD Low Port
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 78416]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]
R3 EuMusDesignVirtualAudioCableWdm_s2x;Sound2x Audio Cable (WDM);C:\WINDOWS\system32\DRIVERS\vacs2xkd.sys [2007-11-01 42880]
R3 trid3d;trid3d;C:\WINDOWS\system32\DRIVERS\trid3dm.sys [2001-08-17 222336]
S3 ASPI;Advanced SCSI Programming Interface Driver;C:\WINDOWS\System32\DRIVERS\ASPI32.sys [2002-07-17 16512]
.
.
------- Skan uzupe?niaj?cy -------
.
FireFox -: Profile - C:\Documents and Settings\Platon\Dane aplikacji\Mozilla\Firefox\Profiles\g6fqshhx.default\
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-27 18:06:32
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
skanowanie ukrytych procesów ...
skanowanie ukrytych wpisów autostartu ...
skanowanie ukrytych plików ...
skanowanie pomyślnie uko?czone
ukryte pliki: 0
**************************************************************************
.
------------------------ Pozosta?e uruchomione procesy ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Czas uko?czenia: 2008-10-27 18:10:55 - komputer zosta? uruchomiony ponownie
ComboFix-quarantined-files.txt 2008-10-27 17:10:36
ComboFix2.txt 2008-10-23 15:41:15
ComboFix3.txt 2008-10-19 10:22:53
Przed: 15,723,769,856 bajtów wolnych
Po: 15,863,386,112 bajtów wolnych
106