ComboFix 11-11-10.01 - alfa 11-11-10 12:48:40.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1250.1.1045.18.3071.2710 [GMT 1:00]
Uruchomiony z: c:\documents and settings\alfa\Pulpit\ComboFix.exe
AV: McAfee Anti-Virus i Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\alfa\Ustawienia lokalne\Dane aplikacji\f9a6b7bd\U
c:\documents and settings\alfa\Ustawienia lokalne\Dane aplikacji\f9a6b7bd\U\80000000.@
c:\documents and settings\alfa\Ustawienia lokalne\Dane aplikacji\f9a6b7bd\U\800000cb.@
c:\documents and settings\alfa\Ustawienia lokalne\Dane aplikacji\f9a6b7bd\U\800000cf.@
c:\windows\$NtUninstallKB45540$
c:\windows\$NtUninstallKB45540$\3362076519
c:\windows\$NtUninstallKB45540$\4188452797\@
c:\windows\$NtUninstallKB45540$\4188452797\L\abmvflsg
c:\windows\$NtUninstallKB45540$\4188452797\loader.tlb
c:\windows\$NtUninstallKB45540$\4188452797\U\@00000001
c:\windows\$NtUninstallKB45540$\4188452797\U\@000000c0
c:\windows\$NtUninstallKB45540$\4188452797\U\@000000cb
c:\windows\$NtUninstallKB45540$\4188452797\U\@000000cf
c:\windows\$NtUninstallKB45540$\4188452797\U\@80000000
c:\windows\$NtUninstallKB45540$\4188452797\U\@800000c0
c:\windows\$NtUninstallKB45540$\4188452797\U\@800000cb
c:\windows\$NtUninstallKB45540$\4188452797\U\@800000cf
c:\windows\assembly\GAC_MSIL\desktop.ini
c:\windows\iun6002.exe
c:\windows\msmqinst.log
c:\windows\pkunzip.pif
c:\windows\pkzip.pif
c:\windows\system32\
c:\windows\system32\zip32.dll
.
.
((((((((((((((((((((((((( Pliki utworzone od 2011-10-10 do 2011-11-10 )))))))))))))))))))))))))))))))
.
.
2011-11-10 09:55 . 2011-11-10 09:56 -------- d-----w- C:\usbpack
2011-11-10 09:49 . 2011-11-10 09:49 -------- d-----w- C:\DriveKey
2011-11-06 21:00 . 2011-11-06 21:00 -------- d-----r- C:\MSOCache
2011-11-04 12:32 . 2011-11-09 11:11 -------- d-----w- C:\Downloads
2011-11-03 18:35 . 2011-11-03 20:52 -------- d-----w- C:\NVIDIA
2011-11-03 17:02 . 2011-11-09 20:56 -------- d-----r- C:\Program Files
2011-11-03 17:01 . 2011-11-06 15:01 -------- d-----w- C:\Documents and Settings
.
.
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-07 13:08 . 2008-10-07 12:33 163908 ----a-w- c:\windows\system32\nvsvc32.exe
2011-09-26 10:41 . 2011-09-26 10:41 614400 ------w- c:\windows\system32\uiautomationcore.dll
2011-08-15 09:00 . 2011-03-13 10:20 461864 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2011-08-15 09:00 . 2011-03-13 10:20 119808 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2011-11-09 14:31 . 2011-11-03 17:13 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DF925EF3-7A87-44E4-9CAF-8D7B280BF616}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-10-13 17351304]
"H/PC Connection Agent"="c:\progra~1\MICROS~2\wcescomm.exe" [2006-11-13 1289000]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"PivotSoftware"="c:\program files\Portrait Displays\Pivot Software\wpctrl.exe" [2007-02-09 694008]
"DT GWY"="c:\program files\Common Files\Portrait Displays\Shared\DT_startup.exe" [2008-06-25 81920]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"nwiz"="nwiz.exe" [2008-10-07 1630208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-09-16 1318552]
"SoundMan"="SOUNDMAN.EXE" [2006-08-02 577536]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2010-07-12 74752]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Menu Start\Programy\Autostart\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-09-07 22:58 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ALLUpdate]
2011-08-16 19:30 1379840 ----a-w- c:\program files\ALLPlayer\ALLUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2010-07-12 16:32 74752 ----a-w- c:\program files\Winamp\winampa.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\Mcafee\\McSvcHost\\McSvHost.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\totalcmd\\TOTALCMD.EXE"=
"f:\\BitSpirit\\BitSpirit.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\McAfee\\MSC\\mcsvrcnt.exe"=
"c:\\Program Files\\Common Files\\Java\\Java Update\\jucheck.exe"=
"c:\\Program Files\\Common Files\\Java\\Java Update\\jaucheck.exe"=
"c:\\Program Files\\Common Files\\Java\\Java Update\\jusched.exe"=
"c:\\Program Files\\Common Files\\Mcafee\\MSC\\McUICnt.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\NOL3\\Notowania OnLine 3 BM Alior Bank\\NOL3.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
.
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [11-11-03 20:29 89624]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [11-11-03 20:29 214904]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [11-11-03 20:29 214904]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [11-11-03 20:29 214904]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [11-11-03 20:29 160344]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [11-11-03 20:19 148520]
R2 PdiService;Portrait Displays SDK Service;c:\program files\Common Files\Portrait Displays\Drivers\pdisrvc.exe [11-11-04 11:02 90112]
R2 PDSched;PDScheduler;c:\program files\RAXCO\PerfectDisk\PDSched.exe [05-11-29 11:16 245760]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [11-11-03 20:29 57432]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [11-11-03 20:29 338040]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [11-11-03 20:29 83688]
S2 gupdate;Usługa Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [11-11-03 20:12 136176]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;f:\instalki\system\Everest_Aida32\EVEREST Ultimate Edition 4.50 Build 1378 Beta\kerneld.wnt [11-11-02 19:10 23152]
S3 gupdatem;Usługa Google Update (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [11-11-03 20:12 136176]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [11-11-03 20:29 83688]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [11-11-03 20:29 87808]
S3 PortTalk;PortTalk;c:\windows\system32\drivers\PortTalk.sys [11-11-06 15:40 3567]
.
--- Inne Usługi/Sterowniki w Pamięci ---
.
*Deregistered* - mfeavfk01
.
Zawartość folderu 'Zaplanowane zadania'
.
2011-11-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-11-03 19:12]
.
2011-11-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-11-03 19:12]
.
.
------- Skan uzupełniający -------
.
uStart Page = https://aliorbank.pl/hades/do/Login
IE: Pobierz z &BitSpirit - f:\bitspirit\bsurl.htm
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\documents and settings\alfa\Dane aplikacji\Mozilla\Firefox\Profiles\vahnb2ei.default\
FF - prefs.js: browser.search.selectedEngine - Bezpieczne wyszukiwanie
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - prefs.js: network.proxy.http - proxy.grs.net.pl
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.type - 1
.
.
------- Skojarzenia plików -------
.
txtfile="c:\program files\JGsoft\EditPadLite\EditPadLite.exe" "%1"
.
- - - - USUNIĘTO PUSTE WPISY - - - -
.
SafeBoot-68753880.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-10 12:54
Windows 5.1.2600 Dodatek Service Pack 3 NTFS
.
skanowanie ukrytych procesów ...
.
skanowanie ukrytych wpisów autostartu ...
.
skanowanie ukrytych plików ...
.
skanowanie pomyślnie ukończone
ukryte pliki: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EverestDriver]
"ImagePath"="\??\f:\instalki\system\Everest_Aida32\EVEREST Ultimate Edition 4.50 Build 1378 Beta\kerneld.wnt"
.
--------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\ACPI\PNP0F13\3&2411e6fe&0\LogConf]
@DACL=(02 0000)
"BasicConfigVector"=hex(a):48,00,00,00,0f,00,00,00,00,00,00,00,00,00,00,00,00, 00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,01,00,01,00,01,00,00,00,00,02,\
"BootConfig"=hex(8):01,00,00,00,0f,00,00,00,00,00,00,00,01,00,01,00,01,00,00, 00,02,01,01,00,0c,00,00,00,0c,00,00,00,ff,ff,ff,ff
.
--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------
.
- - - - - - - > 'explorer.exe'(3728)
c:\windows\system32\WININET.dll
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\program files\RocketDock\RocketDock.dll
c:\program files\Portrait Displays\Pivot Software\winphook.dll
c:\windows\system32\webcheck.dll
.
------------------------ Pozostałe uruchomione procesy ------------------------
.
c:\windows\system32\rundll32.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\SOUNDMAN.EXE
c:\program files\Gateway\EzTune\DTHtml.exe
c:\progra~1\MICROS~2\rapimgr.exe
c:\program files\Common Files\Portrait Displays\Shared\HookManager.exe
c:\program files\Common Files\Portrait Displays\Shared\dtsrvc.exe
c:\program files\Portrait Displays\Pivot Software\floater.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Czas ukończenia: 2011-11-10 12:56:12 - komputer został uruchomiony ponownie
ComboFix-quarantined-files.txt 2011-11-10 11:56
.
Przed: 93 029 543 936 bajtów wolnych
Po: 93 511 589 888 bajtów wolnych
.
WindowsXP-KB310994-SP2-Pro-BootDisk-PLK.exe
[Boot Loader]
timeout=2
Default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[Operating Systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(1)partition(1)\WINDOWS="USB Repair NOT to Start Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 2A10A0AED7770EB110DDE8C337A6085B