ComboFix 11-09-16.01 - Kamil 09/17/2011  12:42:35.1.2 - x86 MINIMAL
Microsoft Windows XP Professional  5.1.2600.3.1250.1.1033.18.2046.1796 [GMT 2:00]
Uruchomiony z: c:\documents and settings\Kamil\Desktop\ComboFix1.exe
FW: Norton Internet Worm Protection *Disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.
UWAGA - TEN KOMPUTER NIE MA ZAINSTALOWANEJ KONSOLI ODZYSKIWANIA !!
.
.
((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\csc.exe.3e4ac0af.ini
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\hpqimzone.exe.3204510e.ini
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\hpqthb08.exe.a935d1e0.ini
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\IEActivex.exe.cccdbce.ini
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\ngen.exe.2c05686e.ini
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\RegAsm.exe.ca35bcc8.ini
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\RegisterMCEApp.exe.19d07aaf.ini
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\SL18A.tmp.2352c403.ini
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\SL568.tmp.6eca8460.ini
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\SL73.tmp.6c6639a5.ini
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\SL89.tmp.1a1cd4ea.ini
c:\documents and settings\All Users\Start Menu\Programs\System Recovery
c:\documents and settings\All Users\Start Menu\Programs\System Recovery\Application & Driver Recovery.lnk
c:\documents and settings\All Users\Start Menu\Programs\System Recovery\PC Recovery Disc Creator.lnk
c:\documents and settings\All Users\Start Menu\Programs\System Recovery\PC Recovery.lnk
c:\documents and settings\Kamil\Local Settings\Application Data\ApplicationHistory
c:\documents and settings\Kamil\Local Settings\Application Data\ApplicationHistory\csc.exe.3e4ac0af.ini
c:\documents and settings\Kamil\Local Settings\Application Data\ApplicationHistory\ehExtHost.exe.fa7bea74.ini
c:\documents and settings\Kamil\Local Settings\Application Data\ApplicationHistory\ehExtHost.exe.fa7bea74.ini.inuse
c:\documents and settings\Kamil\Local Settings\Application Data\ApplicationHistory\ehshell.exe.a87fcbb.ini
c:\documents and settings\Kamil\Local Settings\Application Data\ApplicationHistory\hpqimzone.exe.3204510e.ini
c:\documents and settings\Kamil\Local Settings\Application Data\ApplicationHistory\hpqimzone.exe.3204510e.ini.inuse
c:\documents and settings\Kamil\Local Settings\Application Data\ApplicationHistory\hpqthb08.exe.a935d1e0.ini
c:\documents and settings\Kamil\Local Settings\Application Data\ApplicationHistory\IEActivex.exe.cccdbce.ini
c:\documents and settings\Kamil\Local Settings\Application Data\ApplicationHistory\ngen.exe.2c05686e.ini
c:\documents and settings\Kamil\Local Settings\Application Data\ApplicationHistory\onplay.exe.b7ddec13.ini
c:\documents and settings\Kamil\Local Settings\Application Data\ApplicationHistory\RegAsm.exe.ca35bcc8.ini
c:\documents and settings\Kamil\Local Settings\Application Data\ApplicationHistory\RegisterMCEApp.exe.19d07aaf.ini
c:\documents and settings\Kamil\Local Settings\Application Data\ApplicationHistory\SL18A.tmp.2352c403.ini
c:\documents and settings\Kamil\Local Settings\Application Data\ApplicationHistory\SL568.tmp.6eca8460.ini
c:\documents and settings\Kamil\Local Settings\Application Data\ApplicationHistory\SL73.tmp.6c6639a5.ini
c:\documents and settings\Kamil\Local Settings\Application Data\ApplicationHistory\SL89.tmp.1a1cd4ea.ini
c:\documents and settings\Kamil\My Documents\~WRL0005.tmp
c:\documents and settings\Kamil\My Documents\~WRL0308.tmp
c:\documents and settings\Kamil\WINDOWS
c:\program files\Skype\Plugin Manager\SkypePM.exe
c:\windows\$NtUninstallKB3255$
c:\windows\$NtUninstallKB3255$\1384732206
c:\windows\$NtUninstallKB3255$\485945278\@
c:\windows\$NtUninstallKB3255$\485945278\click.tlb
c:\windows\$NtUninstallKB3255$\485945278\L\trbssmgb
c:\windows\$NtUninstallKB3255$\485945278\loader.tlb
c:\windows\$NtUninstallKB3255$\485945278\U\@00000001
c:\windows\$NtUninstallKB3255$\485945278\U\@000000c0
c:\windows\$NtUninstallKB3255$\485945278\U\@000000cb
c:\windows\$NtUninstallKB3255$\485945278\U\@000000cf
c:\windows\$NtUninstallKB3255$\485945278\U\@80000000
c:\windows\$NtUninstallKB3255$\485945278\U\@800000c0
c:\windows\$NtUninstallKB3255$\485945278\U\@800000cb
c:\windows\$NtUninstallKB3255$\485945278\U\@800000cf
c:\windows\3203397148
c:\windows\assembly\GAC_MSIL\desktop.ini
c:\windows\IsUn0415.exe
c:\windows\kb913800.exe
c:\windows\system32\bfceffcd_g.dll
c:\windows\system32\CddbCdda.dll
c:\windows\system32\d3d9caps.dat
D:\Autorun.inf
.
Zainfekowana kopia c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe została znaleziona. Problem naprawiono
Plik odzyskano z - c:\system volume information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP913\A0139546.exe
.
Zainfekowana kopia c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe została znaleziona. Problem naprawiono
Plik odzyskano z - c:\system volume information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP913\A0139546.exe
.
((((((((((((((((((((((((((((((((((((((( Sterowniki/Usługi )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_1cf6efbe
.
.
((((((((((((((((((((((((( Pliki utworzone od 2011-08-17 do 2011-09-17 )))))))))))))))))))))))))))))))
.
.
2011-09-16 17:47 . 2011-09-16 17:57   41272     ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2011-09-16 17:45 . 2011-09-16 17:45   --------  d-----w-   c:\documents and settings\Kamil\Application Data\Malwarebytes
2011-09-16 17:45 . 2011-09-16 17:45   --------  d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
2011-09-16 17:18 . 2011-09-16 17:18   --------  d-sh--w-   c:\documents and settings\Administrator\PrivacIE
2011-09-16 17:15 . 2011-09-16 17:15   --------  d-sh--w-   c:\documents and settings\Administrator\IETldCache
2011-09-15 21:22 . 2011-09-15 21:22   --------  d-----w-   c:\program files\Enigma Software Group
2011-09-15 20:30 . 2011-09-15 21:28   --------  d-----w-   C:\sh4ldr
2011-09-15 20:30 . 2011-09-15 20:30   --------  d-----w-   c:\program files\Common Files\Wise Installation Wizard
2011-09-15 18:45 . 2011-09-15 20:26   --------  d-----w-   c:\program files\GridinSoft Trojan Killer
2011-09-15 18:08 . 2011-09-15 18:08   --------  d-----w-   c:\program files\SkanerOnline
2011-09-03 10:17 . 2011-09-09 09:12   599040    ------w-   c:\windows\system32\dllcache\crypt32.dll
2011-09-02 20:36 . 2011-09-02 20:36   --------  d-----w-   c:\documents and settings\Kamil\Local Settings\Application Data\MPlayer
2011-09-02 19:28 . 2011-09-02 19:29   --------  d-----w-   c:\documents and settings\Kamil\Application Data\PMS
2011-09-02 19:27 . 2011-09-04 16:16   --------  d-----w-   c:\program files\PS3 Media Server
.
.
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-09 09:12 . 2006-03-16 04:00   599040    ----a-w-   c:\windows\system32\crypt32.dll
2011-07-15 13:29 . 2005-01-19 12:26   456320    ----a-w-   c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2006-03-16 04:00   10496     ----a-w-   c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10 . 2006-03-16 04:00   139656    ----a-w-   c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36 . 2006-03-16 04:00   916480    ----a-w-   c:\windows\system32\wininet.dll
2011-06-23 18:36 . 2006-03-16 04:00   43520     ----a-w-   c:\windows\system32\licmgr10.dll
2011-06-23 18:36 . 2006-03-16 04:00   1469440   ------w-   c:\windows\system32\inetcpl.cpl
2011-06-23 12:05 . 2006-03-16 04:00   385024    ----a-w-   c:\windows\system32\html.iec
2011-06-20 17:44 . 2006-03-16 04:00   293376    ----a-w-   c:\windows\system32\winsrv.dll
2011-06-10 08:02 . 2011-06-10 08:02   142296    ----a-w-   c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 458752]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-30 149280]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-07-20 7581696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-07-20 86016]
"nwiz"="nwiz.exe" [2006-07-20 1519616]
"MsmqIntCert"="mqrt.dll" [2009-06-25 177152]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-02 61952]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-17 794713]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-07-19 102400]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-19 163840]
"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-06-19 40960]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"Reminder"="c:\windows\CREATOR\Remind_XP.exe" [2006-02-09 643072]
"PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 271360]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-17 385024]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 1241088]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [N/A]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-5-12 581693]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-9-24 73728]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [N/A]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders   msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, msefejxt.dll, c:\docume~1\Kamil\APPLIC~1\irwxhhhl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 15:07   2260480   --sha-r-   c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Gadu-Gadu\\gg.exe"=
"c:\\Program Files\\3DO\\Heroes3\\h3wog.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Nowe Gadu-Gadu\\gg.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [9/30/2007 8:56 PM 685816]
S1 aswSP;avast! Self Protection; [x]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys --> c:\windows\system32\DRIVERS\aswFsBlk.sys [?]
S3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;c:\windows\system32\drivers\5U870CAP.sys [6/6/2006 10:39 PM 61952]
S3 esgiguard;esgiguard;\??\c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys --> c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [8/2/2005 11:10 PM 32512]
.
.
------- Skan uzupełniający -------
.
uStart Page = hxxp://www.google.pl/ig
mStart Page = 
uInternet Connection Wizard,ShellNext = iexplore
IE: E&ksportuj do programu Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: E&xport to Microsoft Excel
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
TCP: DhcpNameServer = 188.122.20.62 188.122.20.1
DPF: {E5EE81D5-C49F-45E5-B42F-0B7AEEDD047C} - hxxp://lpstudent.lexpolonica.pl/lexpolonica/printTempl/export.cab
FF - ProfilePath - c:\documents and settings\Kamil\Application Data\Mozilla\Firefox\Profiles\qqmycrf7.default\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-17 12:52
Windows 5.1.2600 Service Pack 3 NTFS
.
skanowanie ukrytych procesów ...
.
skanowanie ukrytych wpisów autostartu ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
   Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ???hc??????`?@?????L?@
.
skanowanie ukrytych plików ...
.
skanowanie pomyślnie ukończone
ukryte pliki: 0
.
**************************************************************************
.
--------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------
.
[HKEY_USERS\S-1-5-21-4029204100-1811205545-4251373392-1005\Software\SecuROM\License information*]
"datasecu"=hex:16,4d,ba,47,06,0d,10,ee,78,eb,ec,4a,17,71,ac,10,78,13,9b,13,d2,
   98,9d,c5,40,32,11,33,9d,47,76,cc,c4,1a,72,95,7c,44,52,c4,34,15,20,b9,6e,b5,\
"rkeysecu"=hex:d6,08,b2,a9,d5,4b,6a,3a,2d,61,12,c3,4f,04,4c,ed
.
--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------
.
- - - - - - - > 'explorer.exe'(1748)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
Czas ukończenia: 2011-09-17  12:57:28 - komputer został uruchomiony ponownie
ComboFix-quarantined-files.txt  2011-09-17 10:57
.
Przed: 19,907,608,576 bytes free
Po: 19,832,971,264 bytes free
.
- - End Of File - - 70E305C8C89C1345837F23BD2000703C