ComboFix 11-12-15.02 - waldek 2011-12-15 16:11:40.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1250.48.1045.18.2047.1544 [GMT 1:00]
Uruchomiony z: c:\documents and settings\waldek\Moje dokumenty\Pobieranie\ComboFix.exe
AV: Avira Desktop *Enabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
UWAGA - TEN KOMPUTER NIE MA ZAINSTALOWANEJ KONSOLI ODZYSKIWANIA !!
.
.
((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\CSC\d6
c:\windows\pkunzip.pif
c:\windows\pkzip.pif
c:\windows\system32\winlogon.bak
.
.
((((((((((((((((((((((((( Pliki utworzone od 2011-11-15 do 2011-12-15 )))))))))))))))))))))))))))))))
.
.
2011-12-14 19:21 . 2011-12-14 19:21 -------- d-----w- c:\documents and settings\waldek\Ustawienia lokalne\Dane aplikacji\GHISLER
2011-12-14 19:20 . 2010-12-17 06:56 545 ----a-w- c:\windows\UC.PIF
2011-12-14 19:20 . 2010-12-17 06:56 545 ----a-w- c:\windows\RAR.PIF
2011-12-14 19:20 . 2010-12-17 06:56 545 ----a-w- c:\windows\NOCLOSE.PIF
2011-12-14 19:20 . 2010-12-17 06:56 545 ----a-w- c:\windows\LHA.PIF
2011-12-14 19:20 . 2010-12-17 06:56 545 ----a-w- c:\windows\ARJ.PIF
2011-12-14 19:19 . 2011-12-14 19:20 -------- d-----w- C:\totalcmd
2011-12-14 19:19 . 2011-12-14 19:19 -------- d-----w- c:\documents and settings\waldek\Dane aplikacji\GHISLER
2011-12-14 19:13 . 2011-11-16 17:15 -------- d-----w- c:\windows\system32\NtmsData
2011-12-14 19:05 . 2011-12-14 19:05 -------- d-----w- c:\documents and settings\waldek\Ustawienia lokalne\Dane aplikacji\Mozilla
2011-12-14 18:54 . 2009-08-06 18:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2011-12-14 18:35 . 2011-12-15 13:54 -------- d-----w- c:\documents and settings\domek
2011-11-18 11:09 . 2008-04-13 18:47 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2011-11-18 11:09 . 2008-04-13 18:47 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2011-11-16 17:14 . 2011-11-16 17:14 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-14 19:00 . 2004-08-04 12:00 504832 ----a-w- c:\windows\system32\winlogon.exe
2011-12-14 18:49 . 2004-08-04 12:00 504832 ----a-w- c:\windows\system32\winlogon.Del
2011-11-13 21:01 . 2011-11-13 19:51 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-13 17:49 . 2007-06-26 20:51 122880 ----a-w- c:\windows\system32\Oemdspif.dll
2011-11-13 17:49 . 2007-06-26 20:31 1519744 ----a-w- c:\windows\system32\ativvaxx.dll
2011-11-13 17:49 . 2001-11-09 10:01 24064 ----a-w- c:\windows\system32\ativcoxx.dll
2011-11-13 17:49 . 2007-06-26 20:51 143360 ----a-w- c:\windows\system32\atipdlxx.dll
2011-11-13 17:49 . 2007-06-26 20:19 5435392 ----a-w- c:\windows\system32\atioglxx.dll
2011-11-13 17:49 . 2007-06-26 20:16 17408 ----a-w- c:\windows\system32\atitvo32.dll
2011-11-13 17:49 . 2007-06-26 20:14 176128 ----a-w- c:\windows\system32\atiok3x2.dll
2011-11-13 17:49 . 2007-06-26 20:44 8232960 ----a-w- c:\windows\system32\atioglx2.dll
2011-11-13 17:49 . 2007-06-26 20:17 266240 ----a-w- c:\windows\system32\atikvmag.dll
2011-11-13 17:49 . 2007-06-26 20:59 344064 ----a-w- c:\windows\system32\ATIDEMGX.dll
2011-11-13 17:49 . 2007-06-26 20:58 269312 ----a-w- c:\windows\system32\ati2dvag.dll
2011-11-13 17:49 . 2007-06-26 20:58 2303488 ----a-w- c:\windows\system32\drivers\ati2mtag.sys
2011-11-13 17:49 . 2007-06-26 20:56 307200 ----a-w- c:\windows\system32\atiiiexx.dll
2011-11-13 17:49 . 2007-06-26 20:51 26112 ----a-w- c:\windows\system32\Ati2mdxx.exe
2011-11-13 17:49 . 2007-06-26 20:50 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2011-11-13 17:49 . 2007-06-26 20:50 118784 ----a-w- c:\windows\system32\ati2evxx.dll
2011-11-13 17:49 . 2007-06-26 20:49 483328 ----a-w- c:\windows\system32\ati2evxx.exe
2011-11-13 17:49 . 2007-06-26 20:48 53248 ----a-w- c:\windows\system32\ATIDDC.DLL
2011-11-13 17:49 . 2007-06-26 20:41 2940992 ----a-w- c:\windows\system32\ati3duag.dll
2011-11-13 17:49 . 2007-06-26 20:15 49152 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2011-11-13 17:49 . 2007-06-26 20:10 376832 ----a-w- c:\windows\system32\ati2cqag.dll
2011-11-13 17:46 . 2011-11-13 17:46 32768 ----a-w- c:\windows\inf\UpdateUSB.exe
2011-11-13 17:46 . 2011-11-13 17:47 53248 ----a-w- c:\windows\system32\CSVer.dll
2011-10-12 10:41 . 2011-11-13 20:15 315392 ----a-w- c:\windows\system32\SVCProxy.dll
2011-10-11 14:00 . 2011-11-13 19:24 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2011-10-11 14:00 . 2011-11-13 19:24 134344 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-10-11 14:00 . 2011-11-13 19:24 74640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-10-10 14:22 . 2011-11-13 17:24 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06 . 2004-08-04 12:00 602624 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 10:41 . 2010-03-18 09:09 614400 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 10:41 . 2004-08-04 12:00 23040 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-26 10:41 . 2004-08-04 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-11-05 07:31 . 2011-11-13 18:49 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2011-12-14 . 033DFD0B69AF3FBC60138C0AC5C75042 . 504832 . . [5.1.2600.2180] . . c:\windows\system32\winlogon.exe
[-] 2011-11-13 . 033DFD0B69AF3FBC60138C0AC5C75042 . 504832 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\winlogon.exe
[7] 2008-04-14 . 51FD2E13D723857B9CA239AE77150F48 . 510464 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-03-16 868352]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-10-11 258512]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2009-02-10 745472]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-10-30 77824]
.
c:\documents and settings\domek\Menu Start\Programy\Autostart\
Tworzenie wycinków ekranu i uruchamianie programu OneNote 2007.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
.
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2011-11-13 36000]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2011-11-13 86224]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
S3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
.
Zawartość folderu 'Zaplanowane zadania'
.
2011-11-18 c:\windows\Tasks\AdobeAAMUpdater-1.0-SYLWIA-domek.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2011-11-14 02:44]
.
2011-12-14 c:\windows\Tasks\AdobeAAMUpdater-1.0-SYLWIA-waldek.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2011-11-14 02:44]
.
2011-12-15 c:\windows\Tasks\User_Feed_Synchronization-{E0DA4B03-6D5D-48D0-9FF1-843EE77F798E}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 03:31]
.
.
------- Skan uzupełniający -------
.
uStart Page = hxxp://www.kurupira.net/startpage/home/
mStart Page = hxxp://www.kurupira.net/startpage/home/
IE: E&ksportuj do programu Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.3.1
FF - ProfilePath - c:\documents and settings\waldek\Dane aplikacji\Mozilla\Firefox\Profiles\86m4bm5w.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.kurupira.net/startpage/home/
.
- - - - USUNIĘTO PUSTE WPISY - - - -
.
HKU-Default-Run-KurupiraNet - c:\program files\Kurupira\WebFilter\kurupirawf.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-15 16:14
Windows 5.1.2600 Dodatek Service Pack 3 NTFS
.
skanowanie ukrytych procesów ...
.
skanowanie ukrytych wpisów autostartu ...
.
skanowanie ukrytych plików ...
.
skanowanie pomyślnie ukończone
ukryte pliki: 0
.
**************************************************************************
.
--------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\WPAEvents]
@Denied: (Full) (LocalSystem)
"OOBETimer"=hex:7f,63,3e,be,ec,25,8e,19,be,a7,92,c6
"LastWPAEventLogged"=hex:db,07,0c,00,03,00,0e,00,12,00,35,00,13,00,13,02
.
--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------
.
- - - - - - - > 'winlogon.exe'(668)
c:\windows\system32\Ati2evxx.dll
.
Czas ukończenia: 2011-12-15 16:16:16
ComboFix-quarantined-files.txt 2011-12-15 15:16
.
Przed: 70 385 373 184 bajtów wolnych
Po: 70 683 197 440 bajtów wolnych
.
- - End Of File - - ECF207E38D0F7C8CE1CDB9BFF91AB07C