Indeed, the first DCOM RPC port was showing yellow; I closed it. And could the reason this junk keeps coming back be that there is no antivirus program on this machine at all?
Here are the logs:
ComboFix 08-08-26.02 - Administrator 2008-08-27 9:14:19.11 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1250.1.1045.18.205 [GMT 2:00]
Running from: C:\Documents and Settings\Administrator\Pulpit\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Pulpit\CFScript.txt
* Created a new restore point
WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED
FILE ::
C:\WINDOWS\faceback.exe
C:\WINDOWS\system32\44.tmp
C:\WINDOWS\system32\46.tmp
C:\WINDOWS\system32\47.tmp
C:\WINDOWS\system32\A.tmp
C:\WINDOWS\system32\B.tmp
C:\WINDOWS\system32\C.tmp
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\faceback.exe
C:\WINDOWS\system32\44.tmp
C:\WINDOWS\system32\46.tmp
C:\WINDOWS\system32\47.tmp
C:\WINDOWS\system32\A.tmp
C:\WINDOWS\system32\B.tmp
C:\WINDOWS\system32\C.tmp
.
((((((((((((((((((((((((( Files Created from 2008-07-27 to 2008-08-27 )))))))))))))))))))))))))))))))
.
2008-08-25 10:58 . 2008-08-26 18:39 <DIR> d-------- C:\Program Files\Gadu-Gadu
2008-08-24 21:57 . 2008-08-24 21:57 <DIR> d-------- C:\Program Files\Elfima
2008-08-24 21:57 . 2003-10-26 15:16 266,752 --a------ C:\WINDOWS\system32\mscomctl.oca
2008-08-20 01:35 . 2008-08-20 01:35 <DIR> d-------- C:\WINDOWS\ERUNT
2008-08-20 01:30 . 2008-08-20 02:00 <DIR> d-------- C:\SDFix
2008-08-20 00:12 . 2008-08-20 00:12 <DIR> d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Malwarebytes
2008-08-20 00:11 . 2008-08-20 00:12 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-20 00:11 . 2008-08-20 00:11 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-08-20 00:11 . 2008-08-20 00:11 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Malwarebytes
2008-08-20 00:11 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-20 00:11 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-19 23:45 . 2008-08-19 23:45 <DIR> d-------- C:\Documents and Settings\Administrator\DoctorWeb
2008-08-13 13:54 . 2008-08-13 13:54 <DIR> d-------- C:\Program Files\Google
2008-08-13 13:53 . 2008-08-13 13:57 <DIR> d-------- C:\Program Files\Picasa2
2008-08-12 17:47 . 2008-08-12 17:48 <DIR> d-------- C:\Program Files\a-squared HiJackFree
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-24 20:36 --------- d-----w C:\Program Files\Opera
2008-08-24 20:35 --------- d-----w C:\Program Files\Tlen.pl
2008-08-24 12:01 --------- d-----w C:\Documents and Settings\Administrator\Dane aplikacji\Tlen.pl
2008-08-19 21:50 65,536 ----a-w C:\WINDOWS\DUMP3e28.tmp
2008-08-16 14:35 --------- d-----w C:\Documents and Settings\Administrator\Dane aplikacji\Skype
2008-08-12 15:49 --------- d-----w C:\Program Files\Trend Micro
2007-10-13 14:51 17,144 ----a-w C:\Documents and Settings\Administrator\Dane aplikacji\GDIPFONTCACHEV1.DAT
2007-02-20 11:02 31 ----a-w C:\Documents and Settings\Administrator\getfile.dat
2006-07-16 15:02 31 ----a-w C:\Documents and Settings\ASIA\getfile.dat
.
------- Sigcheck -------
2002-09-20 19:05 1015296 925387582296260489564ae2aa284322 C:\WINDOWS\explorer.exe
2002-09-20 19:05 1015296 1a99a4e504e5cbaa19d554b42f034594 C:\WINDOWS\system32\dllcache\explorer.exe
2002-09-20 19:05 23040 4187d9d4d94fcd138ce9ae352d5a9f3c C:\WINDOWS\system32\ctfmon.exe
2002-09-20 19:05 23040 07f4a458e913beb87f1b75bc99987efd C:\WINDOWS\system32\dllcache\ctfmon.exe
2002-09-20 19:05 152064 23c0106b37d81b6e2606b500677e9061 C:\WINDOWS\system32\wuauclt.exe
2002-09-20 19:05 152064 b42ad01455d2c18351b95d45c813b1ad C:\WINDOWS\system32\dllcache\wuauclt.exe
2002-09-20 19:05 32256 0d55bb6aec2e7361cad1d396b98f5a35 C:\WINDOWS\system32\userinit.exe
2002-09-20 19:05 32256 edbe5fd297b5fdae18c2e29a3b9f1ad9 C:\WINDOWS\system32\dllcache\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{74322BF9-DF26-493f-B0DA-6D2FC5E6429E}]
2007-12-02 16:13 394680 --a------ C:\Program Files\BearShare Applications\BearShare MediaBar\BearShareIEHelper.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 15:08 1523741]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2008-02-26 03:23 443968]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-08-06 10:45 887296]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 16:07 61551]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 21:34 61440]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-09-20 19:05 23040]
C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 08:05:26 39424]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 21:26:24 210520]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 11:01:04 83360]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"= 1 (0x1)
"NoDispScrSavPage"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
--a------ 2007-01-29 16:51 25451048 C:\Program Files\Skype\Phone\Skype.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2006-11-21 19:38 45056 C:\Program Files\Winamp\winampa.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
"AntiVirusOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"firewalldisableoverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\System32\\regsvr32.exe"=
"C:\\WINDOWS\\system32\\NOTEPAD.EXE"=
S3 KS-959;Kingsun KS-959 USB Infrared Adapter;C:\WINDOWS\System32\DRIVERS\KS-959.sys [2005-10-09 05:26]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-27 09:17:48
Windows 5.1.2600 Service Pack 1 NTFS
detected NTDLL code modification:
ZwOpenFile
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
Completion time: 2008-08-27 9:21:16
ComboFix-quarantined-files.txt 2008-08-27 07:20:12
ComboFix2.txt 2008-08-26 17:58:26
Pre-Run: 5,880,037,376 bytes free
Post-Run: 5,832,421,376 bytes free
SDFix: Version 1.218
Run by Administrator on 2008-08-27 at 09:32
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Checking Services:
Restoring Default Security Values
Restoring Default Hosts File
Rebooting
Checking Files:
No Trojan Files Found
Removing Temp Files
ADS Check:
Final Check:
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-27 09:40:01
Windows 5.1.2600 Service Pack 1 NTFS
detected NTDLL code modification:
ZwOpenFile
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services:
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\WINDOWS\\System32\\regsvr32.exe"="C:\\WINDOWS\\System32\\regsvr32.exe:*:Enabled:Windows Update"
"C:\\WINDOWS\\system32\\NOTEPAD.EXE"="C:\\WINDOWS\\system32\\NOTEPAD.EXE:*:Enabled:Windows Update"
Remaining Files:
Files with Hidden Attributes:
Wed 13 Aug 2008 6,104,632 A..H. --- "C:\Program Files\Picasa2\setup.exe"
Tue 26 Jun 2007 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Finished!
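The log above contains three things a responder would pull out before deciding whether the machine is clean: the Sigcheck pairs where the live system file and its dllcache copy have the same date and size but different MD5s, the Security Center override/notification-suppression values all set to 1, and the XP firewall standard profile disabled with regsvr32.exe and NOTEPAD.EXE registered as "Windows Update" authorized applications. The following Python script is an added example, not part of the forum post and not code from ComboFix, SDFix or GMER; it parses those sections of a ComboFix-style log and reports the indicators. The SAMPLE_LOG is constructed from the entries above, with the ctfmon.exe pair deliberately given identical hashes and one override set to 0 so the negative cases are exercised, and the SYSTEM_BINARIES watch-list is an assumed set, not something the tools define.

```python
"""Triage helper for the Sigcheck, Security Center and firewall sections of a ComboFix log.

Added example (not part of the forum post, ComboFix, SDFix or GMER).
"""
import re
from collections import defaultdict

# Constructed sample, adapted from the log in the post above (ctfmon.exe pair
# made identical and UpdatesDisableNotify set to 0 to show the negative cases).
SAMPLE_LOG = r"""
------- Sigcheck -------
2002-09-20 19:05 1015296 925387582296260489564ae2aa284322 C:\WINDOWS\explorer.exe
2002-09-20 19:05 1015296 1a99a4e504e5cbaa19d554b42f034594 C:\WINDOWS\system32\dllcache\explorer.exe
2002-09-20 19:05 32256 0d55bb6aec2e7361cad1d396b98f5a35 C:\WINDOWS\system32\userinit.exe
2002-09-20 19:05 32256 edbe5fd297b5fdae18c2e29a3b9f1ad9 C:\WINDOWS\system32\dllcache\userinit.exe
2002-09-20 19:05 23040 4187d9d4d94fcd138ce9ae352d5a9f3c C:\WINDOWS\system32\ctfmon.exe
2002-09-20 19:05 23040 4187d9d4d94fcd138ce9ae352d5a9f3c C:\WINDOWS\system32\dllcache\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
"AntiVirusOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\System32\\regsvr32.exe"=
"C:\\WINDOWS\\system32\\NOTEPAD.EXE"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"""

# One Sigcheck line: date time size md5 path
SIGCHECK_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (\d+) ([0-9a-f]{32}) (.+)$", re.M)
# "Name"=dword:00000001  or  "Name"= 1 (0x1)
KV_RE = re.compile(r'^"([^"]+)"\s*=\s*(?:dword:([0-9a-fA-F]{8})|(\d+)\s*\(0x[0-9a-fA-F]+\))')
# "C:\\path\\app.exe"=...   (firewall authorized-application entries)
APP_RE = re.compile(r'^"([^"]+)"\s*=')

# Assumed watch-list: system binaries that have no business being firewall-authorized.
SYSTEM_BINARIES = {"notepad.exe", "regsvr32.exe", "rundll32.exe", "cmd.exe", "svchost.exe"}


def sigcheck_mismatches(text):
    """Pair each live file with its dllcache twin by basename; report differing MD5s."""
    by_name = defaultdict(dict)
    for m in SIGCHECK_RE.finditer(text):
        size, md5, path = int(m.group(2)), m.group(3), m.group(4).strip()
        name = path.rsplit("\\", 1)[-1].lower()
        slot = "dllcache" if "\\dllcache\\" in path.lower() else "live"
        by_name[name][slot] = (size, md5, path)
    out = []
    for name, slots in by_name.items():
        if "live" in slots and "dllcache" in slots:
            (lsize, lmd5, lpath), (csize, cmd5, _) = slots["live"], slots["dllcache"]
            if lmd5 != cmd5:
                out.append({"file": name, "path": lpath, "same_size": lsize == csize})
    return out


def _sections(text):
    """Yield (lower-cased registry header, lines) for the 'Reg Loading Points' style part."""
    current, lines = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            if current is not None:
                yield current, lines
            current, lines = line.lower(), []
        elif current is not None:
            lines.append(line)
    if current is not None:
        yield current, lines


def _values(lines):
    """Yield (name, int value) for dword:/decimal value lines inside one section."""
    for line in lines:
        m = KV_RE.match(line)
        if m:
            yield m.group(1), int(m.group(2), 16) if m.group(2) is not None else int(m.group(3))


def triage(text):
    """Return the indicator classes found in a ComboFix-style log text."""
    findings = {"sigcheck_mismatch": sigcheck_mismatches(text), "security_center_overrides": [],
                "firewall_disabled": False, "suspicious_authorized_apps": []}
    for header, lines in _sections(text):
        if header.endswith("\\security center]"):
            findings["security_center_overrides"] = [n for n, v in _values(lines) if v == 1]
        elif header.endswith("\\firewallpolicy\\standardprofile]"):
            findings["firewall_disabled"] = dict(_values(lines)).get("EnableFirewall") == 0
        elif header.endswith("\\authorizedapplications\\list]"):
            for line in lines:
                m = APP_RE.match(line)
                if m:
                    path = m.group(1).replace("\\\\", "\\")  # undo the doubled backslashes
                    if path.rsplit("\\", 1)[-1].lower() in SYSTEM_BINARIES:
                        findings["suspicious_authorized_apps"].append(path)
    return findings


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a saved ComboFix.txt by replacing SAMPLE_LOG with the file's contents. A same-size, different-hash pair between a live file and its dllcache copy does not say which of the two is the clean one, so the next step is to hash the file again after a reboot and compare it against a known-good copy of the same version from installation media rather than trusting either on-disk copy.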