ComboFix 11-10-16.03 - xp 2011-10-17 13:20:20.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1250.48.1045.18.1015.517 [GMT 2:00]
Uruchomiony z: c:\documents and settings\xp\Pulpit\ComboFix.exe
Użyto następujących komend :: c:\documents and settings\xp\Pulpit\CFScript.txt
AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
FILE ::
"c:\windows\749563319"
.
.
((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\{2521BB91-29B1-4d7e-9137-AC9875D77735}
c:\windows\assembly\GAC_MSIL\desktop.ini
.
.
((((((((((((((((((((((((((((((((((((((( Sterowniki/Usługi )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_b76dad2c
.
.
((((((((((((((((((((((((( Pliki utworzone od 2011-09-17 do 2011-10-17 )))))))))))))))))))))))))))))))
.
.
2011-10-17 11:11 . 2011-10-17 11:11 -------- d-----w- C:\Nowy folder
2011-10-17 09:30 . 2008-04-14 20:51 5632 ----a-w- c:\windows\system32\dllcache\cisvc.exe
2011-10-17 09:30 . 2008-04-14 20:51 5632 ----a-w- c:\windows\system32\cisvc.exe
2011-10-15 16:37 . 2011-10-15 16:37 -------- d-sh--w- c:\documents and settings\xp\Ustawienia lokalne\Dane aplikacji\b76dad2c
2011-10-13 10:40 . 2011-10-13 10:54 -------- d-----w- C:\Cameo Collection 1977 - 2002 FLAC
2011-10-12 05:59 . 2011-10-13 05:18 -------- d-----w- C:\boys - lody
2011-10-07 15:36 . 2011-10-07 15:37 -------- d-----w- C:\Jan Hammer
.
.
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-02 05:43 . 2011-05-02 16:05 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys
[-] 2008-04-13 . 607C976B22AEB2FCF8A7486BCCA1E3BF . 361344 . . [5.1.2600.5512] . . c:\windows\system32\drivers\tcpip.sys
[-] 2007-10-15 . 0FB6743E937C7BB248B2530A5A77ABC6 . 360576 . . [5.1.2600.2892] . . c:\windows\$NtServicePackUninstall$\tcpip.sys
.
((((((((((((((((((((((((((((( SnapShot@2011-10-17_10.06.27 )))))))))))))))))))))))))))))))))))))))))
.
+ 2001-10-26 20:15 . 2011-10-17 11:18 83322 c:\windows\system32\perfc015.dat
- 2001-10-26 20:15 . 2011-10-17 09:34 83322 c:\windows\system32\perfc015.dat
+ 2001-08-18 01:30 . 2011-10-17 11:18 66886 c:\windows\system32\perfc009.dat
- 2001-08-18 01:30 . 2011-10-17 09:34 66886 c:\windows\system32\perfc009.dat
+ 2001-10-26 20:15 . 2011-10-17 11:18 490784 c:\windows\system32\perfh015.dat
- 2001-10-26 20:15 . 2011-10-17 09:34 490784 c:\windows\system32\perfh015.dat
+ 2001-08-18 01:30 . 2011-10-17 11:18 432750 c:\windows\system32\perfh009.dat
- 2001-08-18 01:30 . 2011-10-17 09:34 432750 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-10-17 16844800]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-03-28 188416]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-02-04 198160]
"ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2010-03-04 311296]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2011-03-22 74752]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"AVG_TRAY"="c:\program files\AVG\AVG10\avgtray.exe" [2011-09-10 2338656]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OQBBAFYARgBSAEUARQAtAFYAMgBHADMASwAtADgANwBXAFUAVQAtADIAVABWAEgAQQAtAFgANgBEAEYAOAAtAEwANgBQAEEATgA&inst=NwA3AC0ANAAzADgAMQAxADUAMQAyADMALQBYAEwAKwAxAC0AVAA0AC0ARgBMACsAOQAtAFgATwAzADYAKwAxAC0AWABPADkAKwAxAC0ARgA5AE0ANAArADEALQBEAEQAVAArADAA&prod=90&ver=9.0.894" [?]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2009-03-08 128512]
.
c:\documents and settings\All Users\Menu Start\Programy\Autostart\
RaConfig.lnk - c:\windows\system32\RaConfig.exe [2009-6-19 380928]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableStatusMessages"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^My applications^Tibia Client.exe]
backup=c:\windows\pss\Tibia Client.exeStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^xp^Menu Start^Programy^Autostart^VMLoad.lnk]
backup=c:\windows\pss\VMLoad.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2008-12-29 10:40 687560 ----a-w- c:\program files\DAEMON Tools Lite\daemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 15:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Companion]
2011-01-24 10:42 427008 ----a-w- c:\program files\Sony Ericsson\Sony Ericsson PC Companion\PCCompanion.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2011-03-22 18:37 74752 ----a-w- c:\program files\Winamp\winampa.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\Gadu-Gadu 10\\gg.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\FlashGet\\FlashGet.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\Sony Ericsson\\Update Engine\\Sony Ericsson Update Engine.exe"=
"c:\\Program Files\\Sony Ericsson\\Update Service\\Update Service.exe"=
"c:\\Program Files\\Java\\jre6\\launch4j-tmp\\VMLoad.exe"=
"c:\\Program Files\\Winamp\\winamp.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\K2T\\WTW\\wtw.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgmfapx.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgemcx.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Google\\Update\\GoogleUpdate.exe"=
"c:\\Program Files\\Last.fm\\LastFM.exe"=
"c:\\Documents and Settings\\xp\\Pulpit\\tdsskiller.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"24337:TCP"= 24337:TCP:BitComet 24337 TCP
"24337:UDP"= 24337:UDP:BitComet 24337 UDP
"25374:TCP"= 25374:TCP:BitComet 25374 TCP
"25374:UDP"= 25374:UDP:BitComet 25374 UDP
"24390:TCP"= 24390:TCP:BitComet 24390 TCP
"24390:UDP"= 24390:UDP:BitComet 24390 UDP
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-02-22 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-03-16 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-01-07 248656]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-04-05 297168]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2011-07-08 218688]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-04-14 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-02-10 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-02-10 27216]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [2011-03-06 27632]
S2 AVGIDSAgent;AVGIDSAgent;"c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe" --> c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [?]
S2 avgwd;AVG WatchDog;"c:\program files\AVG\AVG10\avgwdsvc.exe" --> c:\program files\AVG\AVG10\avgwdsvc.exe [?]
S2 gupdate;Usługa Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-05-12 136176]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2011-03-04 13224]
S3 gupdatem;Usługa Google Update (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-05-12 136176]
S3 RT2400;RT2400 Wireless Driver;c:\windows\system32\drivers\RT2400.sys [2009-06-19 51712]
S3 Sony Ericsson PCCompanion;Sony Ericsson PCCompanion;c:\program files\Sony Ericsson\Sony Ericsson PC Companion\PCCService.exe [2011-03-04 155344]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2009-08-17 717296]
.
Zawartość folderu 'Zaplanowane zadania'
.
2011-09-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 10:34]
.
2011-10-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-12 16:00]
.
2011-10-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-12 16:00]
.
.
------- Skan uzupełniający -------
.
uStart Page = hxxp://www.google.pl/
uInternet Settings,ProxyOverride = local
IE: E&ksport do programu Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
IE: Pobierz wszystkie VIdeo za pomocą BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: Pobierz wszystko za pomocą BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: Pobierz za pomocą BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: Pobierz za pomocą Mega Manager... - c:\program files\Megaupload\Mega Manager\mm_file.htm
IE: Ściągnij przy pomocy FlashGet'a - c:\program files\FlashGet\jc_link.htm
IE: Ściągnij wszystko przy pomocy FlashGet'a - c:\program files\FlashGet\jc_all.htm
IE: ????3?? - c:\documents and settings\xp\Dane aplikacji\FlashGetBHO\GetUrl.htm
IE: ????3?????? - c:\documents and settings\xp\Dane aplikacji\FlashGetBHO\GetAllUrl.htm
LSP: mswsock.dll
FF - ProfilePath - c:\documents and settings\xp\Dane aplikacji\Mozilla\Firefox\Profiles\bcgy9kmy.default\
FF - prefs.js: browser.search.selectedEngine - Allegro
FF - prefs.js: browser.startup.homepage - hxxp://www.google.pl/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - prefs.js: network.proxy.type - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-17 13:36
Windows 5.1.2600 Dodatek Service Pack 3 NTFS
.
skanowanie ukrytych procesów ...
.
skanowanie ukrytych wpisów autostartu ...
.
skanowanie ukrytych plików ...
.
.
c:\windows\749563319:1217549011.exe 816 bytes executable
.
.
**************************************************************************
.
--------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------
.
[HKEY_USERS\S-1-5-21-1409082233-1715567821-839522115-1003\Software\Microsoft\Internet Explorer\MenuExt\O(uë_f3* N}]
@="c:\\Documents and Settings\\xp\\Dane aplikacji\\FlashGetBHO\\GetUrl.htm"
"contexts"=dword:00000022
.
[HKEY_USERS\S-1-5-21-1409082233-1715567821-839522115-1003\Software\Microsoft\Internet Explorer\MenuExt\O(uë_f3* N}hQčţ”Ľc]
@="c:\\Documents and Settings\\xp\\Dane aplikacji\\FlashGetBHO\\GetAllUrl.htm"
"contexts"=dword:000000f3
.
[HKEY_USERS\S-1-5-21-1409082233-1715567821-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{21852CCB-77AA-C9F5-DB58-7AE8C903D781}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"nahcfegdjemgcpkgkbplllmglhem"=hex:6b,61,6c,65,61,68,64,6d,70,68,67,6f,66,6c,62,69,64,6a,69,69,69,67,00,00
"mabchcbdglnfcnjknaoaipccmb"=hex:6b,61,6d,65,64,69,65,6c,6b,63,6a,70,61,69,62,6e,62,69,61,69,64,61,00,00
"iahcfegdjemgcpkgkb"=hex:6b,61,6c,65,62,68,61,63,6a,6d,6e,66,6b,6e,6d,67,68,6b,6c,6c,6f,6c,00,00
"habchcbdglnfcnjk"=hex:6b,61,6c,65,62,68,61,63,6a,6d,6e,66,6b,6e,6d,67,68,6b,6c,6c,6f,6c,00,00
.
------------------------ Pozostałe uruchomione procesy ------------------------
.
c:\windows\749563319:1217549011.exe
c:\windows\RTHDCPL.EXE
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Czas ukończenia: 2011-10-17 13:39:57 - komputer został uruchomiony ponownie
ComboFix-quarantined-files.txt 2011-10-17 11:39
ComboFix2.txt 2011-10-17 10:11
.
Przed: 16 224 649 216 bajtów wolnych
Po: 16 207 773 696 bajtów wolnych
.
- - End Of File - - 6D713360275C2CF8BDD4D54D08860F4B