ComboFix 11-11-10.03 - Prezes 2011-11-10 22:06:04.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1250.48.1045.18.1023.678 [GMT 1:00]
Uruchomiony z: c:\documents and settings\Prezes\Pulpit\skrypty\ComboFix.exe
Użyto następujących komend :: c:\documents and settings\Prezes\Pulpit\skrypty\CFScript.txt
AV: AntiVir Desktop *Enabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
FILE ::
"c:\windows\new111.exe"
"c:\windows\sysdriver32.exe"
"c:\windows\sysdriver32_.exe"
"c:\windows\Tasks\At1.job"
"c:\windows\Tasks\At2.job"
"c:\windows\Tasks\At3.job"
"c:\windows\Tasks\At4.job"
"c:\windows\unrar.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\av_ico
c:\windows\av_ico\ico_comodo_start.ico
c:\windows\av_ico\ico_mcafee_start.ico
c:\windows\btc_client_iplist.txt
c:\windows\front_ip_list.txt
c:\windows\geoiplist
c:\windows\geoiplist.rar
c:\windows\info1
c:\windows\iplist.txt
c:\windows\loader2.exe_ok
c:\windows\new111.exe
c:\windows\phoenix
c:\windows\phoenix.rar
c:\windows\phoenix\kernels\phatk\__init__.py
c:\windows\phoenix\kernels\phatk\BFIPatcher.py
c:\windows\phoenix\kernels\phatk\kernel.cl
c:\windows\phoenix\kernels\poclbm\__init__.py
c:\windows\phoenix\kernels\poclbm\BFIPatcher.py
c:\windows\phoenix\kernels\poclbm\kernel.cl
c:\windows\phoenix\phoenix.exe
c:\windows\proc_list1.log
c:\windows\rpcminer
c:\windows\rpcminer.rar
c:\windows\rpcminer\bitcoinminercuda_10.cubin
c:\windows\rpcminer\bitcoinminercuda_11.cubin
c:\windows\rpcminer\bitcoinminercuda_20.cubin
c:\windows\rpcminer\bitcoinmineropencl.cl
c:\windows\rpcminer\cudart32_32_16.dll
c:\windows\rpcminer\curllib.dll
c:\windows\rpcminer\libeay32.dll
c:\windows\rpcminer\libsasl.dll
c:\windows\rpcminer\openldap.dll
c:\windows\rpcminer\rpcminer-4way.exe
c:\windows\rpcminer\rpcminer-cpu.exe
c:\windows\rpcminer\rpcminer-cuda.exe
c:\windows\rpcminer\rpcminer-opencl.exe
c:\windows\rpcminer\ssleay32.dll
c:\windows\sysdriver32.exe
c:\windows\sysdriver32_.exe
c:\windows\Tasks\At1.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\ufa
c:\windows\ufa.rar
c:\windows\ufa\ufa.exe
c:\windows\unrar.exe
c:\windows\update.3
c:\windows\update.5.0
c:\windows\update.5.0\svchost.exe
c:\windows\update.tray-5-0-lnk
c:\windows\update.tray-5-0-lnk\svchost.exe
c:\windows\update.tray-5-0
c:\windows\update.tray-5-0\svchost.exe
c:\windows\update.tray-9-0-lnk
c:\windows\update.tray-9-0-lnk\svchost.exe
c:\windows\update.tray-9-0
c:\windows\update.tray-9-0\svchost.exe
c:\windows\winsetupapi.log
.
.
((((((((((((((((((((((((((((((((((((((( Sterowniki/Usługi )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_SRVBTCCLIENT
-------\Legacy_SRVSYSDRIVER32
.
.
((((((((((((((((((((((((( Pliki utworzone od 2011-10-10 do 2011-11-10 )))))))))))))))))))))))))))))))
.
.
2011-11-10 17:55 . 2011-11-10 17:55 -------- d-----w- C:\_OTL
2011-11-10 16:30 . 2011-11-10 16:30 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-10 16:29 . 2011-11-10 17:14 -------- d-----w- c:\program files\McAfee Security Scan
2011-11-10 16:00 . 2011-11-10 16:00 -------- d-----w- c:\program files\LSoft Technologies
2011-11-05 18:25 . 2011-11-05 18:25 -------- d--h--w- c:\windows\PIF
2011-11-03 21:21 . 2011-11-03 21:21 -------- d-----w- c:\documents and settings\Prezes\Ustawienia lokalne\Dane aplikacji\AskToolbar
2011-11-03 19:18 . 2011-11-03 19:18 -------- d-----w- C:\rsit
2011-11-03 19:18 . 2011-11-03 19:18 -------- d-----w- c:\program files\trend micro
2011-11-02 18:31 . 2011-11-02 18:31 -------- d-----w- c:\program files\COMODO
2011-11-02 18:31 . 2011-11-02 18:31 1060864 ----a-w- c:\windows\system32\mfc71.dll
2011-11-01 14:27 . 2011-11-01 14:27 -------- d-----w- c:\program files\ATI
2011-11-01 14:17 . 2011-11-01 14:28 -------- d-----w- c:\documents and settings\Prezes\Dane aplikacji\Sammsoft
2011-11-01 14:16 . 2011-11-01 14:16 -------- d-----w- C:\ATI
2011-10-17 15:47 . 2011-10-17 15:47 -------- d-----w- c:\windows\system32\drivers\NSS
2011-10-17 15:47 . 2011-10-17 15:47 -------- d-----w- c:\program files\Norton Security Scan
2011-10-17 15:47 . 2011-10-17 15:47 -------- d-----w- c:\program files\NortonInstaller
.
.
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-03 04:06 . 2011-03-05 10:41 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-10-03 01:37 . 2011-03-05 10:41 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-09-27 10:51 . 2011-09-27 10:51 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
2011-09-26 09:41 . 2008-07-29 18:59 614400 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 09:41 . 2004-08-04 12:00 23040 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-26 09:41 . 2004-08-04 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-09 09:12 . 2004-08-04 12:00 602624 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 14:10 . 2005-10-06 03:10 1859200 ----a-w- c:\windows\system32\win32k.sys
2011-08-22 23:40 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:40 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:40 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:58 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-08-20 19:47 . 2011-08-20 19:47 436792 ----a-w- c:\windows\system32\drivers\sptd.sys
2011-08-20 14:51 . 2011-08-20 14:51 138056 ----a-w- c:\documents and settings\Prezes\Dane aplikacji\PnkBstrK.sys
2011-08-17 13:49 . 2004-08-04 12:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2011-11-10_17.48.29 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-11-10 21:13 . 2011-11-10 21:13 16384 c:\windows\Temp\Perflib_Perfdata_628.dat
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-10-11 1961984]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-11-11 288088]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-07-05 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\Prezes\Menu Start\Programy\Autostart\
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
c:\documents and settings\All Users\Menu Start\Programy\Autostart\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableSecureUIAPaths"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CLPSLS]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"DisableThumbnailCache"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Prezes\\Ustawienia lokalne\\Dane aplikacji\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"f:\\Counter-Strike 1.6\\cstrike.exe"=
"f:\\Counter-Strike 1.6\\hl.exe"=
"c:\\Program Files\\Electronic Arts\\Need For Speed Road Challenge\\nfshsgame.exe"=
"g:\\F1_Delux_2010\\F1 Delux 2010\\F1 DELUX 2010.exe.exe"=
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2011-08-20 436792]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2004-02-03 32768]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;"c:\program files\Avira\AntiVir Desktop\sched.exe" --> c:\program files\Avira\AntiVir Desktop\sched.exe [?]
S2 gupdate;Usługa Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-07-20 136176]
S3 gupdatem;Usługa Google Update (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-07-20 136176]
S3 McComponentHostService;McAfee Security Scan Component Host Service;"c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe" --> c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [?]
S4 AviraUpgradeService;Avira Upgrade Service;"c:\windows\TEMP\AVSETUP_4ebbd456\avupgsvc.exe" /TEMPSTART:""c:\windows\TEMP\AVSETUP_4ebbd456\setup.exe" /NOTEMPCLEANUP /CROSSUPGRADE" --> c:\windows\TEMP\AVSETUP_4ebbd456\avupgsvc.exe [?]
S4 CLPSLS;COMODO livePCsupport Service;c:\program files\COMODO\COMODO GeekBuddy\CLPSLS.exe [2011-05-26 154424]
.
Zawartość folderu 'Zaplanowane zadania'
.
2011-11-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-07-20 11:12]
.
2011-11-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-07-20 11:12]
.
2011-11-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1275210071-1532298954-839522115-1003Core.job
- c:\documents and settings\Prezes\Ustawienia lokalne\Dane aplikacji\Google\Update\GoogleUpdate.exe [2011-03-08 15:07]
.
2011-11-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1275210071-1532298954-839522115-1003UA.job
- c:\documents and settings\Prezes\Ustawienia lokalne\Dane aplikacji\Google\Update\GoogleUpdate.exe [2011-03-08 15:07]
.
2011-10-17 c:\windows\Tasks\Norton Security Scan for Prezes.job
- c:\progra~1\NORTON~2\Engine\360~1.31\Nss.exe [2011-10-17 15:22]
.
.
------- Skan uzupełniający -------
.
uStart Page = hxxp://www.google.pl/
uInternet Settings,ProxyServer = 89.25.208.70:80
IE: Free YouTube Download - c:\documents and settings\Prezes\Dane aplikacji\DVDVideoSoftIEHelpers\freeyoutubedownload.htm
IE: Free YouTube to MP3 Converter - c:\documents and settings\Prezes\Dane aplikacji\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
TCP: DhcpNameServer = 85.14.85.14 85.14.85.2 89.25.208.1
FF - ProfilePath - c:\documents and settings\Prezes\Dane aplikacji\Mozilla\Firefox\Profiles\s56ihzsj.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.pl/
FF - prefs.js: keyword.URL - chrome://browser-region/locale/region.properties
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-10 22:13
Windows 5.1.2600 Dodatek Service Pack 3 NTFS
.
skanowanie ukrytych procesów ...
.
skanowanie ukrytych wpisów autostartu ...
.
skanowanie ukrytych plików ...
.
skanowanie pomyślnie ukończone
ukryte pliki: 0
.
**************************************************************************
.
--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------
.
- - - - - - - > 'explorer.exe'(3948)
c:\windows\system32\WININET.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Pozostałe uruchomione procesy ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
.
**************************************************************************
.
Czas ukończenia: 2011-11-10 22:17:31 - komputer został uruchomiony ponownie
ComboFix-quarantined-files.txt 2011-11-10 21:17
ComboFix2.txt 2011-11-10 17:52
.
Przed: 16 544 526 336 bajtów wolnych
Po: 16 593 104 896 bajtów wolnych
.
- - End Of File - - D9CB696F68CFDDB726AA9A2E95C85F2E