ComboFix 10-08-08.02 - Administrator 2010-08-09 22:47:03.15.1 - FAT32x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.1.1250.48.1045.18.512.376 [GMT 2:00]
Running from: c:\documents and settings\Administrator\Pulpit\afi\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Deleted )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Administrator\Ustawienia lokalne\temp\ijua.old

-- Previous Run --
c:\windows\system32\qmgr.dll . . . is infected!!
c:\windows\system32\grpconv.exe . . . is missing!!
c:\windows\system32\proquota.exe . . . is missing!!
--------
c:\windows\system32\qmgr.dll . . . is infected!!
c:\windows\system32\grpconv.exe . . . is missing!!
c:\windows\system32\proquota.exe . . . is missing!!
.
((((((((((((((((((((((((( Files Created from 2010-07-09 to 2010-08-09 )))))))))))))))))))))))))))))))
.
2010-08-09 13:02 . 2010-08-09 13:02 -------- d-----w- c:\documents and settings\Administrator\Dane aplikacji\Ahead
2010-08-09 11:15 . 2010-08-09 11:15 -------- d-----w- c:\program files\mp3DirectCut
2010-08-04 22:21 . 2010-08-04 22:21 503808 ----a-w- c:\documents and settings\Administrator\Dane aplikacji\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-71f2b4cd-n\msvcp71.dll
2010-08-04 22:21 . 2010-08-04 22:21 499712 ----a-w- c:\documents and settings\Administrator\Dane aplikacji\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-71f2b4cd-n\jmc.dll
2010-08-04 22:21 . 2010-08-04 22:21 348160 ----a-w- c:\documents and settings\Administrator\Dane aplikacji\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-71f2b4cd-n\msvcr71.dll
2010-08-04 22:21 . 2010-08-04 22:21 61440 ----a-w- c:\documents and settings\Administrator\Dane aplikacji\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-7667f714-n\decora-sse.dll
2010-08-04 22:21 . 2010-08-04 22:21 12800 ----a-w- c:\documents and settings\Administrator\Dane aplikacji\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-7667f714-n\decora-d3d.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Section ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-10 05:15 . 2010-06-10 05:15 503808 ----a-w- c:\documents and settings\Administrator\Dane aplikacji\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-2b6cc4ec-n\msvcp71.dll
2010-06-10 05:15 . 2010-06-10 05:15 499712 ----a-w- c:\documents and settings\Administrator\Dane aplikacji\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-2b6cc4ec-n\jmc.dll
2010-06-10 05:15 . 2010-06-10 05:15 348160 ----a-w- c:\documents and settings\Administrator\Dane aplikacji\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-2b6cc4ec-n\msvcr71.dll
2010-06-10 05:15 . 2010-06-10 05:15 61440 ----a-w- c:\documents and settings\Administrator\Dane aplikacji\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-53822d19-n\decora-sse.dll
2010-06-10 05:15 . 2010-06-10 05:15 12800 ----a-w- c:\documents and settings\Administrator\Dane aplikacji\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-53822d19-n\decora-d3d.dll
2010-05-26 22:22 . 2010-05-26 22:22 503808 ----a-w- c:\documents and settings\Administrator\Dane aplikacji\Sun\Java\Deployment\cache\6.0\46\f84c6ae-56a1a1b4-n\msvcp71.dll
2010-05-26 22:22 . 2010-05-26 22:22 499712 ----a-w- c:\documents and settings\Administrator\Dane aplikacji\Sun\Java\Deployment\cache\6.0\46\f84c6ae-56a1a1b4-n\jmc.dll
2010-05-26 22:22 . 2010-05-26 22:22 348160 ----a-w- c:\documents and settings\Administrator\Dane aplikacji\Sun\Java\Deployment\cache\6.0\46\f84c6ae-56a1a1b4-n\msvcr71.dll
.
------- Sigcheck -------

[-] 2004-07-09 02:27 . E393D47674124AB0754AC77B132C5DB7 . 1689600 . . [5.3.0000001.0904 built by: private/Lab06_dev(DXBLD00)] . . c:\windows\system32\d3d9.dll

c:\windows\System32\wscntfy.exe ... - is missing !!
c:\windows\System32\xmlprov.dll ... - is missing !!
.
((((((((((((((((((((((((((((( SnapShot_2010-05-04_22.11.05 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-08-09 20:53 . 2010-08-09 20:53 16384 c:\windows\temp\Perflib_Perfdata_400.dat
+ 2010-05-27 20:09 . 2010-05-27 20:09 84661 c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
+ 2007-09-18 00:28 . 2010-06-03 19:43 84507 c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
+ 2008-10-29 21:50 . 2010-04-29 13:39 38224 c:\windows\system32\drivers\mbamswissarmy.sys
+ 2008-10-29 21:50 . 2010-04-29 13:39 19288 c:\windows\system32\drivers\mbam.sys
+ 2010-05-04 22:35 . 2010-08-09 17:04 32768 c:\windows\system32\config\systemprofile\Ustawienia lokalne\Temporary Internet Files\Content.IE5\index.dat
+ 2005-02-07 18:32 . 2010-08-09 17:04 16384 c:\windows\system32\config\systemprofile\Ustawienia lokalne\Historia\History.IE5\index.dat
- 2005-02-07 18:32 . 2010-04-27 20:41 16384 c:\windows\system32\config\systemprofile\Ustawienia lokalne\Historia\History.IE5\index.dat
+ 2010-08-09 13:42 . 2010-08-09 17:04 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2005-02-07 18:32 . 2010-04-27 20:41 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2010-06-16 23:05 . 2010-06-16 23:05 21504 c:\windows\Installer\7cbf63.msi
+ 2010-05-20 10:36 . 2010-05-20 10:36 25214 c:\windows\Installer\{F7B0939E-58DF-11DF-B3A6-005056806466}\UNINST_Uninstall_G_F6A848FB884248E6A4CDCBDCF41F6A74_1.exe
+ 2010-05-20 10:36 . 2010-05-20 10:36 25214 c:\windows\Installer\{F7B0939E-58DF-11DF-B3A6-005056806466}\UNINST_Uninstall_G_F6A848FB884248E6A4CDCBDCF41F6A74.exe
+ 2010-05-20 10:36 . 2010-05-20 10:36 25214 c:\windows\Installer\{F7B0939E-58DF-11DF-B3A6-005056806466}\ShortcutOGL_EB071909B9884F8CBF3D6115D4ADEE5E.exe
+ 2010-05-20 10:36 . 2010-05-20 10:36 25214 c:\windows\Installer\{F7B0939E-58DF-11DF-B3A6-005056806466}\ShortcutDX_EB071909B9884F8CBF3D6115D4ADEE5E.exe
+ 2010-05-20 10:36 . 2010-05-20 10:36 25214 c:\windows\Installer\{F7B0939E-58DF-11DF-B3A6-005056806466}\googleearth.exe1_F6A848FB884248E6A4CDCBDCF41F6A74.exe
+ 2010-05-20 10:36 . 2010-05-20 10:36 25214 c:\windows\Installer\{F7B0939E-58DF-11DF-B3A6-005056806466}\googleearth.exe_F6A848FB884248E6A4CDCBDCF41F6A74.exe
+ 2010-05-20 10:36 . 2010-05-20 10:36 25214 c:\windows\Installer\{F7B0939E-58DF-11DF-B3A6-005056806466}\ARPPRODUCTICON.exe
+ 2010-01-27 01:07 . 2010-01-27 01:07 256280 c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2010-01-27 00:58 . 2010-01-27 00:58 256280 c:\windows\system32\Macromed\Flash\FlashUtil10e.exe
+ 2010-06-10 05:14 . 2010-04-12 15:29 153376 c:\windows\system32\javaws.exe
+ 2010-06-10 05:14 . 2010-04-12 15:29 145184 c:\windows\system32\javaw.exe
- 2009-11-23 17:17 . 2009-10-11 02:17 145184 c:\windows\system32\javaw.exe
- 2009-11-23 17:17 . 2009-10-11 02:17 145184 c:\windows\system32\java.exe
+ 2010-06-10 05:14 . 2010-04-12 15:29 145184 c:\windows\system32\java.exe
+ 2010-06-10 05:14 . 2010-04-12 15:29 411368 c:\windows\system32\deployJava1.dll
+ 2010-06-10 05:15 . 2010-06-10 05:15 180224 c:\windows\Installer\2253096.msi
+ 2010-01-27 01:07 . 2010-01-27 01:07 3884312 c:\windows\system32\Macromed\Flash\NPSWF32.dll
+ 2010-08-02 17:47 . 2010-08-02 17:47 2647552 c:\windows\Installer\1ea256.msi
+ 2010-05-20 10:36 . 2010-05-20 10:36 1235968 c:\windows\Installer\17085e16.msi
.
((((((((((((((((((((((((((((((((((((( Registry Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries and legitimate default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2009-02-24 590848]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-10-22 196608]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2007-10-23 219136]

c:\documents and settings\All Users\Menu Start\Programy\Autostart\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"= 01000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi9"=c:\docume~1\ADMINI~1\USTAWI~1\Temp\ijua.old 2yGGEBNEED

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Vad25.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Xce57.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Menu Start^Programy^Autostart^Adobe Media Player.lnk]
path=c:\documents and settings\Administrator\Menu Start\Programy\Autostart\Adobe Media Player.lnk
backup=c:\windows\pss\Adobe Media Player.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Server4PC.lnk]
path=c:\documents and settings\All Users\Menu Start\Programy\Autostart\Server4PC.lnk
backup=c:\windows\pss\Server4PC.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"110:TCP"= 110:TCP:svchost

R0 YzIdiot;YzIdiot;c:\windows\system32\drivers\YzIdiot.sys [2008-04-17 26192]
R2 ChannelRg;ChannelRg;c:\program files\Common Files\GoldenSoft\ChannelRg.exe [2008-04-17 86016]
S0 Vad25;Vad25;c:\windows\System32\Drivers\Vad25.sys --> c:\windows\System32\Drivers\Vad25.sys [?]
S0 Xce57;Xce57;c:\windows\System32\Drivers\Xce57.sys --> c:\windows\System32\Drivers\Xce57.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-05-20 136176]
S2 sysbus32;32bit system bus driver;\??\c:\windows\System32\drivers\sysbus32.sys --> c:\windows\System32\drivers\sysbus32.sys [?]
S3 bepldr;BCL easyPDF SDK 5 Loader;c:\program files\Common Files\BCL Technologies\easyPDF 5\bepldr.exe [2007-02-21 151552]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
.
Contents of the 'Scheduled Tasks' folder

2010-06-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cb0da84ca71038.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-20 10:32]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = about:blank
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-09 22:54
Windows 5.1.2600 Dodatek Service Pack. 1 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs loaded under running processes ---------------------

- - - - - - - > 'winlogon.exe'(380)
c:\windows\System32\ODBC32.dll

- - - - - - - > 'lsass.exe'(440)
c:\windows\System32\dssenh.dll
.
------------------------ Other running processes ------------------------
.
c:\progra~1\Grisoft\AVG7\avgamsvr.exe
c:\progra~1\Grisoft\AVG7\avgupsvc.exe
c:\progra~1\Grisoft\AVG7\avgemc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
.
**************************************************************************
.
Completion time: 2010-08-09 22:56:20 - the computer was rebooted
ComboFix-quarantined-files.txt 2010-08-09 20:56
ComboFix2.txt 2010-08-09 13:21
ComboFix3.txt 2010-06-07 05:39
ComboFix4.txt 2010-05-04 22:13
ComboFix5.txt 2010-08-09 13:40

Pre-Run: 8,980,250,624 bytes free
Post-Run: 9,020,227,584 bytes free

- - End Of File - - 8091F01D905C1D57A660983ECDBCF82C
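Added example (not part of ComboFix and not from the posted log): a small Python triage pass over the registry loading points and service lines of a ComboFix log. It flags what a reviewer would look at first in the entries above: services whose image file ComboFix could not find (the `path --> path [?]` form), SafeBoot\Minimal entries naming such a driver (those would still load in Safe Mode), a drivers32 value pointing into a Temp directory, AppInit_DLLs loading being enabled, and the firewall exception. The sample lines are copied from this log; the heuristics are this example's own choices, not ComboFix rules, and a flag is a triage hint, not a malware verdict.

```python
"""Triage the registry loading points / services section of a ComboFix log.

Added example, not part of ComboFix or of the posted log. The heuristics
below (missing image file, image under a Temp directory, SafeBoot entries
for a missing driver, AppInit_DLLs loading, firewall exceptions) are this
example's own; ComboFix itself does not rank entries.
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the lines from the posted log, one per line.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi9"=c:\docume~1\ADMINI~1\USTAWI~1\Temp\ijua.old 2yGGEBNEED
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Vad25.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Xce57.sys]
@="Driver"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"110:TCP"= 110:TCP:svchost
R0 YzIdiot;YzIdiot;c:\windows\system32\drivers\YzIdiot.sys [2008-04-17 26192]
R2 ChannelRg;ChannelRg;c:\program files\Common Files\GoldenSoft\ChannelRg.exe [2008-04-17 86016]
S0 Vad25;Vad25;c:\windows\System32\Drivers\Vad25.sys --> c:\windows\System32\Drivers\Vad25.sys [?]
S0 Xce57;Xce57;c:\windows\System32\Drivers\Xce57.sys --> c:\windows\System32\Drivers\Xce57.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-05-20 136176]
S2 sysbus32;32bit system bus driver;\??\c:\windows\System32\drivers\sysbus32.sys --> c:\windows\System32\drivers\sysbus32.sys [?]
S3 bepldr;BCL easyPDF SDK 5 Loader;c:\program files\Common Files\BCL Technologies\easyPDF 5\bepldr.exe [2007-02-21 151552]
"""

SERVICE_RE = re.compile(r"^([RS][0-4])\s+([^;]+);([^;]*);(.*)$")   # "S0 name;display;image ..."
KEY_RE = re.compile(r"^\[(.+)\]$")                                 # "[HKEY_...]"
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')                   # '"name"=data'
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)                   # any ...\Temp\... component
SAFEBOOT_RE = re.compile(r"\\SafeBoot\\Minimal\\([^\\]+)\.sys$", re.IGNORECASE)


@dataclass
class Finding:
    severity: str   # "high" (act on it) or "review" (confirm it is expected)
    entry: str
    reason: str


def parse_services(lines):
    """Yield (start_type, name, image_path, file_present) for each service line."""
    for line in lines:
        m = SERVICE_RE.match(line)
        if not m:
            continue
        start, name, rest = m.group(1), m.group(2), m.group(4)
        # ComboFix prints "image --> image [?]" when the image file is not on disk,
        # and "image [date size]" when it found and sized the file.
        present = "[?]" not in rest
        image = rest.split(" --> ")[0].split(" [")[0].strip()
        yield start, name, image, present


def triage(log_text):
    """Return a list of Findings for the suspicious entries in a ComboFix log excerpt."""
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]
    findings = []

    services = list(parse_services(lines))
    missing = {name.lower() for _, name, _, present in services if not present}
    for start, name, image, present in services:
        if not present:
            findings.append(Finding("high", f"{start} {name}", f"image file not on disk: {image}"))
        if TEMP_RE.search(image):
            findings.append(Finding("high", f"{start} {name}", "service image lives in a Temp directory"))

    current_key = None
    for line in lines:
        km = KEY_RE.match(line)
        if km:
            current_key = km.group(1)
            sb = SAFEBOOT_RE.search(current_key)
            if sb and sb.group(1).lower() in missing:
                findings.append(Finding("high", current_key,
                                        "SafeBoot\\Minimal entry for a driver whose file is missing"))
            continue
        vm = VALUE_RE.match(line)
        if not vm or current_key is None:
            continue
        vname, vdata = vm.groups()
        key_l = current_key.lower()
        if key_l.endswith("\\drivers32") and TEMP_RE.search(vdata):
            findings.append(Finding("high", f"{vname}={vdata}", "drivers32 entry points into a Temp directory"))
        elif key_l.endswith("\\windows") and vname.lower() == "loadappinit_dlls" and vdata.startswith("1"):
            findings.append(Finding("review", f"{vname}={vdata}", "AppInit_DLLs loading is enabled"))
        elif key_l.endswith("\\globallyopenports\\list"):
            findings.append(Finding("review", f"{vname}={vdata}", "firewall exception for an inbound port"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.entry}: {f.reason}")
```

Run against the sample it reports the three services with no file on disk, the two SafeBoot entries that reference two of them, the drivers32 value under Temp, and two review items. The cross-reference between the SafeBoot keys and the missing-file services is the useful part: a driver name that appears in both places is not a leftover from a clean uninstall.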